Nilesh Morar worked for Leicester City Council in the Adult Social Care Department where he reportedly stole a wealth of personal sensitive data for personal financial gain.
He reportedly took the information belonging to vulnerable people without the Council’s knowledge or permission.
After he stole the personal data, Morar left his job with the Council to set up his own business, so the motives for stealing the data seem quite apparent.
A wealth of stolen information
Leicester City Council discovered that, before leaving, Morar stole information belonging to 394 service users and emailed them to a private email address over 34 emails so he could reportedly contact them for the purposes of his new business.
The emails included details about:
- Medical conditions
- Details of care
- Financial details
- Records of debt
The 43-year-old was charged for breaching his duties under section 55 of the Data Protection Act. He pleaded guilty at Nuneaton Magistrates Court and was given a fine of £160 with an additional £364.08 to pay in court costs and a £20 victim surcharge.
Head of enforcement at the Information Commissioner’s Office (ICO), Steve Eckersley, said:
“…employees need to understand the consequences of taking people’s personal information with them when they leave a job role. It’s illegal and when you’re caught, you will be prosecuted… People’s personal data is protected by law and employees should not be helping themselves to information if they decide to set up a new business or move to a new position.”
More awareness required
More needs to be done in raising awareness of data protection laws. In a world where digital information can be shared at the click of a button, all organisations and individuals need to take care not to breach the privacy rights of others. Sometimes it may not be easy to see the adverse impact of abusing data protection rules, but the harm is very real and the consequences that follow can be severe.
Organisations need to implement strong security systems and protocols to train and warn staff about the consequences of data breaches. A spokesperson at Leicester City Council explained that in this case, Morar did receive training in data protection and “the council had the correct policies and procedures in place, so this was a flagrant abuse of his position.”
As he had already resigned, the Council were unable to take disciplinary action against him but did report him to the ICO.
The ICO is rightfully frustrated at workers who disregard their duties and disrespect data protection rules for personal reasons. In illegally accessing and misusing personal data belonging to another, they’re taking away someone’s right to privacy.
In this case, adult social care users do not expect their private information – provided to the council in confidence and trust – to be stolen by a rogue employee and then used as part of a personal business venture.