Worker sent personal data to her own personal email account which is a data breach

Jeannette Baines, A Restorative Justice Caseworker, has been prosecuted by the UK’s Information Commissioner Office (ICO) for sending sensitive personal data to her own personal email account without authorisation.

Jeannette Baines had worked at Victim Support and sent spreadsheets containing a combination of victim and offender data from her work email address to her personal email address during her last week of employment.

This case has been dealt with under old Data Protection Act rules, but if it were under GDPR, Sending personal data from a computer or network which is being properly secured to an unsecured personal email address or computer off the secure network could be considered a breach of GDPR Article 32, security of processing, and  ununlawful obtaining of personal data is also a breach of GDPR.

Jeannette Baines, of Merseyside appeared before Blackpool Magistrates’ Court and was found guilty of obtaining personal data, in breach of s55 of the Data Protection Act 1998. She was sentenced to a 3 year conditional discharge, ordered to pay costs of £600 and a victim surcharge of £20.

If you’re not sure of your obligations around data security or obtaining of personal data, we’re here to support you.  See