Morrisey, of Milnrow, Rochdale, appeared at Preston Crown Court and admitted unlawfully obtaining personal data in breach of Section 55 of the Data Protection Act 1998.
He was given a conditional discharge for two years and was also ordered to pay prosecution costs of £1,845.25, as well as a victim surcharge of £15.
Rochdale Connections Trust declined to comment on the case.
The Information Commissioner’s Office, which bought the prosecution, has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
This includes criminal prosecution, non-criminal enforcement and audit, and the power to impose a monetary penalty on a data controller of up to £500,0000.
This power to levy fines and civil penalties will rise under the new GDPR in May 2018 to up to 4% of annual global turnover or €20 Million (whichever is greater) for the most serious breaches.
Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:
- fairly and lawfully processed;
- processed for limited purposes;
- adequate, relevant and not excessive;
- accurate and up to date;
- not kept for longer than is necessary;
- processed in line with your rights;
- secure; and
- not transferred to other countries without adequate protection.
These data protection principles will become even more important when the GDPR comes into force, when organisations will need to be able to demonstrate compliance through ‘privacy by design’.
Those policies must be understood and adhered to by employees and applied consistently by the employer to instill a culture of appropriate and lawful behaviour across its entire workforce.