Introduction to this document

Letter to ex-employee threatening to contact ICO

Use our letter where you believe a former employee has taken personal data with them on leaving employment, such as client records, without your permission. Unlawfully obtaining personal data is a criminal offence prosecuted by the Information Commissioner’s Office (ICO), so threatening to contact the ICO should hopefully secure the return of the data.

Criminal offence

Under the Data Protection Act 2018 it's a criminal offence to knowingly or recklessly obtain or disclose personal data (or procure its disclosure to a third party) without the consent of the data controller. The offence is punishable by way of a fine on conviction and it could be committed where, for example, an ex-employee takes customer, client or other employee records that contain personal information to a new job without your express permission. It doesn't matter that they might have freely used that information as part of their job duties when working for you - it doesn't belong to them and they can't take it with them without your consent. It's also irrelevant how the personal data was removed, so the same would apply whether the employee had downloaded the data to a USB flash drive, sent it to their personal e-mail address or physically photocopied it.

Reporting threat

Where you reasonably suspect an employee has removed your confidential information on leaving employment and this includes third parties’ personal data, you might be able to obtain some leverage over them by threatening to report them to the ICO for criminal investigation and potential prosecution. This is where our new Letter to Ex-employee Threatening to Contact ICO comes in. It warns the ex-employee that you believe they’ve acted in breach of confidentiality by removing confidential information without your consent and states that, in addition to any civil action that you might take against them, unlawfully obtaining personal data is a criminal offence. Our letter therefore says that you’re considering reporting them to the ICO and asks them to return the confidential information (and to provide a written undertaking that they’ve not kept any copies, extracts or summaries in any format) within seven days. If they fail to do so, it provides that you’ll report them to the ICO forthwith and also instruct your solicitors to take any necessary civil action against them.