Outcomes - Selected Case Summaries



Personal data transferred from company laptop

Informal Resolution | 12 October 2020

A local utility company became aware of a breach concerning data downloaded from an ex-employee’s work laptop, following the employee’s resignation. The data controller discovered the breach when the computer was returned to the company and analysis showed that data had been exported to an external drive. The company’s IT manager and CEO visited the home of the ex-employee to convey the seriousness of the matter. They ensured that the flash drive used to transfer the data was erased and verified that no data was left on any device owned by the ex-employee. The ex-employee signed a document to acknowledge and confirm that all the data had been returned or destroyed, and that no data had been transmitted to any third parties. The ex-employee explained that the data had been collected to support his anticipated consultancy for the company, and stated that his intention was not malicious.

As a result of the breach, the IT department changed its policy for the return of laptops on the termination of employment to ensure that this happens early in the termination process. The data controller also placed a ban on the use of flash drives for transferring data, and provided further employee training to ensure that all policies and laws are understood and applied. The monitoring service for data loss protection was reviewed to ensure early warning of the movement of personal data, in particular in relation to departing members of staff.