There are few things that chill a compliance officer’s blood faster than the words “data breach”, unless it’s “data breach caused by HR”.
That’s what happened in FCMB Bank (UK) Ltd v Collins (2025), where the High Court examined how an HR employee’s unauthorised disclosure of personal data landed their employer in serious hot water. The case is a timely reminder that even the departments we trust most with confidential information can, unintentionally or otherwise, become the source of a breach.
What happened?
An HR manager at FCMB Bank reportedly accessed and shared confidential employee information without proper authorisation. The disclosure wasn’t part of a hack, phishing scam, or system vulnerability; it was an inside job.
The employee had legitimate access to the data but used it inappropriately, breaching internal confidentiality obligations and the GDPR’s core principles of integrity and confidentiality (Article 5(1)(f)).
The legal fallout
The bank argued that the employee’s actions were a personal frolic, not something for which the employer should be liable. But the court was unmoved. It noted that:
- HR professionals are entrusted with large volumes of personal and often special category data;
- Employers remain the data controller, even when the harm comes from within; and
- “Rogue employee” defences are difficult to sustain where access and supervision could have been better managed.
In short: when HR goes rogue, the accountability trail still leads back to the business.
Key GDPR takeaways
- Access controls are your friend - Just because someone could access data doesn’t mean they should. Role-based access, permissions reviews, and audit trails are essential. “Need to know” should be a rule, not a slogan.
- Train for the human factor - Annual GDPR refreshers won’t cut it. Build scenario-based training that addresses insider risk, especially in HR, finance, and IT teams who handle sensitive data daily.
- Document everything - Under the accountability principle, you need evidence of policies, training, access logs, and responses. If you can’t show it, the ICO will assume it didn’t happen.
- Handle breaches transparently - If a rogue employee incident occurs, document it as a personal data breach, assess the risk, and, where required, notify the ICO and affected individuals promptly.
- Culture is compliance - Technology helps, but culture closes the gap. Encourage staff to question unusual data requests and to report inappropriate behaviour early.
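The first two takeaways, need-to-know access and an audit trail that someone actually reviews, are easier to picture in code than in policy language. The following is an added illustration, not code from the original post and not a description of the bank’s systems: the roles, employee records and access attempts are all constructed. It enforces field-level role permissions, scopes HR generalists to their own department and line managers to their direct reports, records every attempt (allowed or denied) in an audit log, and then runs a simple permissions review over that log.

```python
"""Need-to-know access control with an audit trail for HR records.

Constructed example: roles, records and access attempts are invented to
illustrate role-based access, scoping and audit review. Nothing here is
drawn from the FCMB Bank v Collins judgment or the bank's systems.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Role -> fields that role may read. Special category data (health_notes)
# and pay data are restricted to the roles that genuinely need them.
ROLE_FIELDS = {
    "payroll": {"employee_id", "name", "salary", "bank_account"},
    "hr_generalist": {"employee_id", "name", "department", "manager", "start_date"},
    "occupational_health": {"employee_id", "name", "health_notes"},
    "line_manager": {"employee_id", "name", "department", "start_date"},
}

# Constructed employee records, keyed by employee_id.
EMPLOYEES = {
    "E100": {"employee_id": "E100", "name": "A. Example", "department": "Finance",
             "manager": "E900", "start_date": "2019-04-01", "salary": 52000,
             "bank_account": "XX-12-34", "health_notes": "none recorded"},
    "E101": {"employee_id": "E101", "name": "B. Example", "department": "Operations",
             "manager": "E901", "start_date": "2021-09-13", "salary": 38000,
             "bank_account": "XX-56-78", "health_notes": "adjustment agreed"},
    "E102": {"employee_id": "E102", "name": "C. Example", "department": "Finance",
             "manager": "E900", "start_date": "2016-01-11", "salary": 61000,
             "bank_account": "XX-90-12", "health_notes": "none recorded"},
}


@dataclass(frozen=True)
class User:
    user_id: str
    role: str
    department: str  # scopes hr_generalist to their own unit


@dataclass(frozen=True)
class AuditEvent:
    ts: str
    user_id: str
    role: str
    employee_id: str
    fields: tuple
    allowed: bool
    reason: str


class PermissionDenied(Exception):
    pass


class HRRecordStore:
    def __init__(self, employees):
        self._employees = employees
        self.audit_log = []

    def _check(self, user, record, fields):
        """Return an empty string if the read is permitted, else the denial reason."""
        permitted = ROLE_FIELDS.get(user.role)
        if permitted is None:
            return "unknown role"
        extra = set(fields) - permitted
        if extra:
            return f"fields outside role: {sorted(extra)}"
        if user.role == "hr_generalist" and record["department"] != user.department:
            return "employee outside user's department"
        if user.role == "line_manager" and record["manager"] != user.user_id:
            return "employee is not a direct report"
        return ""

    def read(self, user, employee_id, fields):
        """Return only the requested fields; log every attempt, allowed or not."""
        record = self._employees[employee_id]
        reason = self._check(user, record, fields)
        self.audit_log.append(AuditEvent(
            ts=datetime.now(timezone.utc).isoformat(timespec="seconds"),
            user_id=user.user_id, role=user.role, employee_id=employee_id,
            fields=tuple(sorted(fields)), allowed=not reason, reason=reason or "ok"))
        if reason:
            raise PermissionDenied(f"{user.user_id}: {reason}")
        return {f: record[f] for f in fields}


def review_audit_log(log, max_records_per_user=5):
    """Permissions review: list denied attempts and users who read an unusually
    large number of distinct records (a crude bulk-access signal)."""
    denied = [e for e in log if not e.allowed]
    touched = {}
    for e in log:
        if e.allowed:
            touched.setdefault(e.user_id, set()).add(e.employee_id)
    bulk = {u: len(ids) for u, ids in touched.items() if len(ids) > max_records_per_user}
    return {"denied": denied, "bulk_readers": bulk}


def run_demo():
    """Constructed scenario: two legitimate reads and three that exceed role scope."""
    store = HRRecordStore(EMPLOYEES)
    hr = User("U1", "hr_generalist", "Finance")
    mgr = User("E900", "line_manager", "Finance")
    attempts = [
        (hr, "E100", ["name", "department"]),  # own department: allowed
        (hr, "E101", ["name"]),                # other department: denied
        (hr, "E100", ["name", "salary"]),      # salary is outside the HR role: denied
        (mgr, "E102", ["start_date"]),         # direct report: allowed
        (mgr, "E101", ["name"]),               # not a direct report: denied
    ]
    for user, emp, fields in attempts:
        try:
            store.read(user, emp, fields)
        except PermissionDenied:
            pass
    return store, review_audit_log(store.audit_log, max_records_per_user=1)


if __name__ == "__main__":
    store, report = run_demo()
    for event in store.audit_log:
        print(event)
    print("denied attempts:", len(report["denied"]), "bulk readers:", report["bulk_readers"])
```

The point of the review function is the second half of the takeaway: an audit log nobody reads is evidence for the ICO after the fact, not a control. In a real estate the same logic would run over the HR system’s own access logs on a schedule, with the threshold tuned to what a given role normally touches.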
The bigger picture
This case isn’t really about HR; it’s about trust and governance. The GDPR assumes that the greatest risk to personal data isn’t always external. Sometimes it’s sitting three desks away, with an access card and a password that’s been working a little too well.
The lesson? The next time someone says “HR is the safest pair of hands”, smile politely and check your audit logs.
“When HR goes rogue, accountability still leads back to the business.”