24 May 2018

A recruitment consultant who established his own business has been fined for stealing personal data from a former employer. Daniel Short set up VetSelect shortly after leaving VetPro Recruitment in October 2017.

An investigation by the Information Commissioner’s Office (ICO) found that he had stolen the details of 272 individuals from VetPro’s database for the purpose of commercial gain.

After Mr Short pleaded guilty to unlawfully obtaining personal data under section 55 of the Data Protection Act (DPA) 1998, Exeter Magistrates’ Court imposed a fine of £355 and ordered him to pay costs of £700 and a victim surcharge of £35.

“Short thought he could get away with stealing from his old employer to launch his own company,” ICO Criminal Investigations Manager Mike Shaw explained, “but data protection laws are there for a reason and the ICO will continue to take action against those who abuse their position.”

VetPro recruits vets and nurses and holds the personal data of more than 16,000 people. It was reportedly concerned about the integrity of its database after it became aware of the new rival company. When contacted by VetPro, Mr Short admitted to having downloaded some personal data.

Giving details of the case, the ICO pointed out that the General Data Protection Regulation (GDPR), which applies in the UK from 25 May, requires anyone who processes personal information to comply with eight basic data protection principles.

Personal information must be: fairly and lawfully processed; adequate, relevant and not excessive; and processed for limited purposes. It must also be accurate and up to date, not kept for longer than is necessary, and processed in line with an individual’s rights.

Furthermore, it must be stored securely and not transferred to countries outside the EU unless they can show equivalent levels of protection to the GDPR.