The ICO has issued another set of fines for misuse of personal data and violations of the Data Protection Act. This instance, however, is clear-cut criminal behaviour rather than business misuse, or misunderstanding, of the Act.

Also in this instance, it appears that the incident came to light after T-Mobile conducted an internal investigation and reported their findings to the ICO. This is always the best thing to do.

From the ICO’s press release:

Two former employees of UK mobile operator T-Mobile who illegally stole and sold select customer data from the company in 2008 have today been ordered to pay a total of £73,700 in fines and confiscation costs as part of a hearing at Chester Crown Court.

Fairly significant fines (yet even the total is less than the fine levied against Surrey County Council, despite the apparently much greater severity of the crime here). It may have been that this fine was the result of a Proceeds of Crime Act recovery rather than a direct DPA-related fine, which may explain the difference in values.

From the ICO press release, it appears the two individuals were selling customer data (names, addresses, telephone numbers etc.) unlawfully to third parties. It is not clear if the recipients of this data were “legitimate” companies or criminal enterprises themselves, but one has to question the intent of companies purchasing data in this manner.

While it is never going to be possible to fully ensure that your employees do not mishandle customer data, it is essential that you have proper processes and controls in place to minimise the risk and identify any such behaviour in advance. By reporting this to the ICO, T-Mobile will have been able to discharge their responsibilities and, by having a robust security setup to detect such events, it is unlikely that they will suffer any sanction from the Commissioner.

If your business was in the same position, do you think you would be able to detect your employees' misbehaviour and be able to reassure the ICO it was not a sign of systematic failings? If not, you need to address your security. Now.