An employee is about to leave for a new role at a rival firm. In their final week, they forward a client list to their personal email or download a folder of sales contacts to a USB drive. They think it will give them a head start. In reality, they have just made a serious legal misstep.
This scenario is alarmingly common, but the consequences are more severe than ever. The Information Commissioner’s Office (ICO), the UK’s data protection watchdog, has a history of prosecuting employees for this behaviour. In one well-known case, a former waste disposal employee was prosecuted and fined for emailing the details of nearly 1,000 clients to his personal address before joining a competitor.
While this case was tried under old legislation, the principle is now enforced by much stricter laws. Taking client information without permission is not just unethical—it’s a breach of data protection law and a violation of your employment contract.
What Does the Law Say in 2025? (UK GDPR & DPA 2018)
The legal landscape has changed significantly. The Data Protection Act 1998 has been replaced by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Under this modern framework, taking personal data is considered an unlawful and unauthorised processing of that data.
- Criminal Offence: Section 170 of the Data Protection Act 2018 makes it a criminal offence to knowingly or recklessly obtain, disclose, or retain personal data without the consent of the data controller (your former employer).
- Serious Penalties: The ICO has the power to issue significant fines. While fines for individuals in criminal cases may be smaller, companies can face fines of up to £17.5 million or 4% of their annual global turnover, whichever is higher, for serious data breaches. An employee’s actions could trigger a major investigation into both themselves and their former employer.
It’s Not Just Client Lists: What is ‘Confidential Information’?
Many employees mistakenly believe this only applies to large customer databases. However, ‘confidential information’ is a broad term that includes any data that is not public knowledge and has commercial value. This includes:
- Client and customer lists, including contact details and purchase history.
- Supplier details and pricing agreements.
- Strategic documents, such as business plans or marketing roadmaps.
- Financial data, profit margins, and pricing models.
- Intellectual property, such as source code, formulas, or designs.
Essentially, any document or data you produced or worked on as an employee is the property of your employer.
The Consequences for Employees: What’s at Risk?
Thinking of taking that data? Here’s what you could face:
- Urgent High Court Injunction: Your former employer can apply for an injunction—a court order that forces you to immediately return the data, delete all copies, and prevents you from using it. Breaching an injunction can lead to fines or even imprisonment.
- Claim for Damages: You, and potentially your new employer, can be sued for financial losses suffered by your old company as a result of your actions.
- ICO Prosecution: As mentioned, you could face a criminal investigation and a personal fine from the ICO.
- Professional Ruin: Being prosecuted for data theft is a permanent stain on your professional reputation.
- Trouble at the New Job: Your new employer will likely dismiss you to distance themselves from any legal action, especially if they were unaware of your actions.
A Guide for Employers: How to Protect Your Business
Prevention is the best defence. Employers should take these proactive steps:
- Robust Employment Contracts: Ensure contracts contain clear and legally enforceable confidentiality clauses and post-termination restrictive covenants that prevent employees from using or disclosing confidential information.
- Clear IT and Data Policies: Have a written policy that explicitly states that company data cannot be transferred to personal accounts or devices and outlines the consequences of doing so.
- Regular Staff Training: Train employees on their data protection responsibilities under UK GDPR. Don’t assume they know the rules.
- Rigorous Exit Procedures: When an employee leaves, have a clear process. Revoke all system access promptly, check for unusual data transfer activity, and conduct an exit interview to remind them of their contractual obligations.
“But They’re My LinkedIn Contacts!” – A Common Misconception
A frequent point of confusion is personal vs. company contacts. While your LinkedIn network feels personal, if you have systematically developed it for your employer’s benefit or exported contact lists from a company CRM, you are in a legal grey area. The safest approach is to not take any curated lists with you, digital or otherwise. Your skills and experience are what you take to a new job—not your former employer’s data.
Ultimately, the message is simple for both sides: confidential company information is exactly that—confidential. For employees, the short-term gain is never worth the immense personal and professional risk. For employers, proactive protection through clear contracts and policies is the only way to safeguard your most valuable assets.
Gorvins’ Approach to Settling Such Disputes
The important thing that any employee needs to know is that documents they have produced or worked on are the property of the company they work for and not their own to take; this is the law that needs to be abided by.
We have dealt with a number of cases where former employees have taken confidential information from employers before they have resigned and moved on. Depending on the circumstances of the case, normally this type of matter would be pursued through urgent Injunctive Proceedings in the High Court due to the seriousness of the case, preventing the former employee from using the confidential information followed by a claim against the former employee – and often the new employer too – for damages. An injunction is a court order that prohibits a person from taking a particular action or requires them to take a particular action.
To speak to a member of our fantastic Dispute Resolution Team about anything raised in this blog post or any other litigation matter, call us today on 0161 930 5151 or fill in the contact form on our website page.