Data Protection and Privacy Enforcement: September 2018

October is nearly over and I am only now getting round to looking at the Information Commissioner’s data protection and privacy enforcement from September. As with most months, many of the key points drawn from September’s enforcement action will be familiar to regular reads of this feature. However, they are evidently worth repeating.

Key Points

  • Once again, it is clear that organisations engaged in direct marketing where they have obtained contact details from third parties are not carrying out sufficient due diligence checks on the data that is received by them. It is not going to be enough to simply rely upon an assurance from the supplier that all the contact details comply with the law; the recipient organisation needs to check this for themselves. Often the agreement that is obtained from the ultimate intended recipient of the marketing communications is not specific enough to enable the intended marketing to be undertaken lawfully. For example, these agreements often simply refer to “carefully selected partners” (or words of similar effect) – this is not specific enough and should not be relied upon.
  • The right of subject access is a fundamental right afforded to data subjects and data controllers should therefore ensure that they have in place sufficient processes to ensure that they can comply with subject access requests within the required time (one month under the GDPR). Data controller should also ensure that they have in place adequate resources (including resilience) to meet the tight deadlines.
  • It is important that organisations have in place processes to stop bulk extraction of personal data (where bulk extraction would not be legitimately required) or to ensure that unauthorised bulk extraction is either not able to take place or be spotted quickly when it has taken place. It is important that systems which contain personal data are monitored to identify unusual or suspicious activity.

Data Protection and Privacy Enforcement from September 2018

Everything DM Limited
Everything DM Limited was served with an Enforcement Notice [pdf] together with a monetary penalty in the amount of £60,000 [pdf]. The Commissioner found that Everything DM Limited had been responsible for the sending of 1.42 million E-mails without having in place appropriate consent, contrary to the requirements of Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”). The commissioner’s investigation revealed that EDML relied on the consent of third parties but didn’t take reasonable steps to make sure the data complied with the requirements of PECR.

London Borough of Lewisham
The Information Commissioner’s Office issued an Enforcement Notice to the London Borough of Lewisham council in respect of its outstanding subject access requests [pdf]. As at 29 March 2018, the council had a backlog of 113 unanswered subject access requests; including one request that was made to the council as far back as 2013. The Council had in place a recovery plan to eliminate the backlog by 31 July 2018, but it failed to meet that deadline. The notice records that there were still 19 requests that pre-dated the 25th May 2018. The Commissioner’s office considered that the Council had breached principles 6 and 7 and that the breach was one that was likely to cause distress to data subjects. The Council was required by the Notice to comply with the subject access requests by 15 October 2018.

Equifax Limited
Equifax Limited, a credit reference agency, was served with a monetary penalty in the sum of £500,000 after the Commissioner found that Equifax Limited had breached 5 of the 8 data protection principles in the Data Protection act 1998 [pdf].

Bupa Insurance Services Limited
Bupa Insurance Services Limited was served with a monetary penalty notice in the sum of £175,000 after it was discovered that personal data of Bupa Global’s customers was being offered for sale on the “dark web” [pdf]. The matter was investigated and it was discovered that a member of Bupa’s Partnership advisory Team had made unauthorised use of personal data accessed from a system they had access to. The Commissioner considered that Bupa failed to have in placed adequate technical organisational measures as required by the seventh data protection principle. Bupa was unaware of a defect in the system and was unable to detect unusual activity, such as bulk extractions of data; nor did Bupa routinely monitor the activity log of the relevant system.

Prosecutions
A former nurse at Southport and Ormskirk Hospital NHS Trust was prosecuted by the Information Commissioner’s Office after she unlawfully accessed patient’s records. The nurse accessed patients’ medical records outside of her role; in particular she inappropriately accessed the records of 5 patients, 17 times. The nurse admitted offences under section 55 of the Data Protection Act 1998 and was fined £400. She was also ordered to pay prosecution costs of £364.08 and a victim surcharge of £40.

Alistair Sloan

If you require advice and assistance in connection with any of the data protection/privacy issues above, or any other Information Law matter, please do contact Alistair Sloan on 0141 229 0880 or by sending him an E-mail directly.  You can also follow our dedicated information law twitter account.

Nefarious Endeavours and Vicarious Liability for Data Breaches: Round 2 (The Court of Appeal)

The England and Wales Court of Appeal has delivered its judgment in the appeal by Morrisons against a finding by the High Court that it was vicariously liable for breaches of the Data Protection Act 1998 by one of its former employees. I will not set out the facts in much detail and instead direct readers to the blog post that I wrote following the decision of the High Court. It should be noted that all references to the DPA in this blog post are to the Data Protection Act 1998 and not the Data Protection Act 2018. For the sake of this post all that is really necessary to say is that Mr. Skelton, a former employee of Morrisons, was rather disgruntled when his employment with Morrisons came to an end. Before leaving Morrisons’ employment he copied records of over 5,000 employees onto a personal memory stick with the intention of disclosing that personal data on the internet.

Mr Justice Langstaff, who heard the case in the High Court, on his own motion granted Morrisons leave to appeal the vicarious liability issue to the Court of Appeal. Morrisons took the opportunity granted to them by Mr Justice Langstaff and appealed to the Court of Appeal. When the case came before the Court of Appeal there were three grounds of appeal: (1) the Judge ought to have concluded that, in its proper interpretation and having regard to the nature and purposes of the statutory scheme, the DPA excludes the application of vicarious liability; (2) the Judge ought to have concluded that, on its proper interpretation, the DPA excludes the application of causes of action for misuse of private information and breach of confidence and/or the imposition of vicarious liability for breaches of the same; and (3) the Judge was wrong to conclude (a) that the wrongful acts of Mr Skelton occurred during the course of his employment by Morrisons, and, accordingly, (b) that Morrisons was vicariously liable for those wrongful acts.

The Court of Appeal took the first and second grounds of appeal together; they essentially constructed an argument that the DPA provides a comprehensive statutory code which prevents a finding of vicarious liability. The Appellants’ argued that the DPA indicated a position contrary to the common law position that vicarious liability holds good for a wrong comprising a breach of a statutory duty. The Court of Appeal disagreed concluding at paragraph 60 of its judgment that “the concession that the causes of action for misuse of private information and breach of confidentiality are not excluded by the DPA in respect of the wrongful processing of data within the ambit of the DPA, and the complete absence of any provision of the DPA addressing the situation of an employer where an employee data controller breaches the requirements of the DPA, lead inevitably to the conclusion that the Judge was correct to hold that the common law remedy of vicarious liability of the employer in such circumstances (if the common law requirements are otherwise satisfied) was not expressly or impliedly excluded by the DPA.”

In relation to the Appellants’ third ground of appeal, this was also refused by the Court of Appeal. The Court noted, at paragraph 66, that in this “case the claimants’ cause of action in tort against Mr Skelton were already established when he improperly downloaded their data onto his USB stick. At that stage, had any of them been aware of what happened, they could as a matter of law have claimed at least nominal damages and sought and injunction to prevent dissemination of the data.” The Appellants’ Senior Counsel, Anya Proops QC, argued that (relying upon authority from the Supreme Court in a case from the jurisdiction of England and Wales) what Mr. Skelton had done at work in November (that being the downloading of the data) was “past history by the time he distributed the data from his home in January” [para 67].

In essence the Appellants’ Senior Counsel was arguing that the law on vicarious liability only permitted the employer to be liable for the conduct of the employee if the employee was on the job at the time. In essence, Senior Counsel was arguing that the chain of liability ended at the same time as Mr. Skelton’s employment ended. However, that argument did not fair much better in the Court of Appeal than it did in the High Court.

This point which troubled Mr Justice Langatsff in the High Court the most features in ground of appeal three and that is this: the motivation of Mr. Skelton was to cause harm to Morrisons; by finding Morrisons vicariously liable renders the court an accessory in furthering Mr. Skelton’s criminal aims. It appears that it was this point that triggered Mr Justice Langstaff to grant permission to appeal to Morrisons. None of the cases to which the court was referred did the situation arise where the conduct for which the employer was to be held vicariously liable arose out of the employees settled determination to cause harm to the employer. However, it had been held in previous decisions that the motive of the employee was irrelevant in reaching a determination as to whether the employer was vicariously liable. The Appellants’ Senior Counsel argued that “there is an exception to the irrelevance of motive where the motive us, by causing harm to a third party, top cause financial or reputational damage to the employer.” [para 76] The Court of Appeal was, however, unpersuaded. [para 76]

The Appellants’ senior counsel also sought to argue that a finding of vicarious liability in this case would place an enormous burden upon Morrisons and on innocent employers in cases that could come in the future. However, the Court of Appeal was not persuaded by this argument. At paragraph 77 of its judgment the court states “[a]s it happens Mr Skelton’s Nefarious activities involved the data of a very large number of employees although, so far as we are aware, none of them has suffered financial loss. But suppose he had misused the data so as to steal a large sum of money from one employee’s bank account. If Morrisons’ arguments are correct, then (save for any possible claim against the bank) such a victim would have no remedy except against Mr Skelton personally.” The court compared that situation to the one which arose in what was described by the court as “the foundation of the modern law of vicarious liability” [para 76] In that case a solicitor’s clerk dishonestly procured a conveyance in his own favour of the client’s property.

The solution proposed by the Court of Appeal to any burden that might be placed upon employers arising out of data theft incidents was insurance. [para 78].

The appeal was therefore dismissed by the Court of Appeal. It remains to be seen whether this will be the end of this aspect of the proceedings, or whether Morrisons will seek to appeal the matter to the Supreme Court. The level of damages to be awarded is yet to be determined as that matter was split from the issue of liability when the case was before the High Court. Whether we will ever get to see any judicial writings on quantum will depend upon whether that can be agreed between the Claimants and Morrisons.

Application in Scotland
This is, of course, a judgment of the England and Wales Court of Appeal; Scotland has a separate and distinct legal system meaning that English court judgments do not bind Scottish courts, but rather are of persuasive authority – especially when they deal with matters of law which are common across the whole of the UK (such as data protection law).

It should be noted that in Scotland there is no authority on whether breach of confidence is a delict (the Scottish equivalent of tort) or a unique obligation; nor, has there been any authority considering relationship between breach of confidence and “misuse of private information” in relation to Scots law. It has been argued by academics that the Scottish courts would likely follow the English position; however, this is yet to be tested in the law of Scotland (and, for what it’s worth, I agree with the position that the Scottish courts would likely follow the English courts on this matter). Therefore data controllers with a presence in Scotland should be careful when considering the Court of Appeal’s comments in relation to the tort of misuse of private information.

Data Controllers in Scotland should not ignore this judgment for various reasons. Firstly, it may be that although the controller is based in Scotland they may be processing the personal data of data subjects based in England who may, dependent upon the circumstances, be able to bring proceedings in an English court as opposed to a Scottish court. Secondly, it is only a matter of time before claims of this nature come before the English courts. Litigation of this nature has been rare in Scotland for a variety of reasons, but with the advent of Group Proceedings through the Civil Litigation (Expenses and Group Proceedings) (Scotland) Act 2018 it might well become much easier for large groups of data subjects to bring claims against data controllers.

Alistair Sloan

If you would like advice or assistance in connection with Data Protection/Privacy, or if you would like advice and assistance with any other Information Law matter we would be pleased to hear from you. You can contact Alistair Sloan on 0345 450 0123.  Alternatively, you can send him an E-mail.

Scottish Information Commissioner’s 2017/18 Annual Report

Friday 28 September 2018 was International right to Know Day, a day designed to highlight the public’s right to know and to campaign for FOI laws. Scotland has had Freedom of Information laws in place since January 2005 and a similar statutory regime entered into force on the same date for information held by UK public bodies. The Scottish Information Commissioner used International right to Know Day to launch his office’s annual report [pdf].

In 2017/2018 the Commissioner’s office received a total of 507 appeals, up from 425 in 2016/2017 (but not the highest number received in any one year). Of the appeals that were received the vast majority (75%) were classed by the commissioner’s office as coming directly from individuals with the media accounting for 11% and commercial/private enterprises accounting for 3%.

In terms of which public authorities have their responses appealed to the Commissioner; local authorities still make up the largest percentage (although there was a fairly significant decrease in the percentage share of appeals from the previous year). Local authorities are followed the Scottish Government and its agencies and the police.

30% of the appeals made to the Scottish Information Commissioner were deemed to be invalid appeals; that is to say they were appeals that the Commissioner’s office could not investigate. The annual report reveals that among the most common reasons why an appeal was not valid are that the applicant had not made a request for review to the Scottish public authority (an appeal can only be made to the Scottish Commissioner after the Scottish public authority has reviewed its initial decision or failed to carry out a review of its initial decision that has been requested) and that the timescales for making FOI appeals within the Act had not been met. Requesters should remember that they should make requests for review within 40 working days of the date that the authority issued its response or the date that it should have responded where no response has been received. Furthermore, it should be remembered that appeals to the Commissioner should normally be made within 6 months of the date on which the authority responded to the review request or, where no response has been recieved to a request for an internal review, within 6 months of the date that the authority should have responded to the internal review.

Failure to respond appeals, that is an appeal which concerns a failure by an authority to respond to a request and/or request for review, continue to be a problem. In 2017/18 19% of the appeals handled by the Commissioner concerned a failure to respond; this is down slightly from the 20% it was in 2016/17, but is up from the 16% figure in 2015/16. These are fairly clear-cut appeals as an authority has either responded within the statutory timeframe not and they should be appeals that authorities can avoid fairly easily. No authority can be perfect 100% of the time and there will be cases where the inflexibility of the 20 working-day rule, in particular cases where the public interest is finely balanced or where third party consultation is required, will mean that breaches will occur; however, staying in contact with the requester can help to avoid these appeals even where the authority is technically in breach of the law.

Of the decisions made by the Commissioner in response to appeals under section 47 of the Freedom of Information (Scotland) Act 2002, 65% resulted in a decision which was wholly or partially in favour of the requester.

Some interesting enforcement matters from within the report which are worthy of mention include:

  • Highland Council was issued with an Information Notice when it delayed in providing information to the Commissioner’s Office which was required in order to enable the Commissioner to investigate an appeal made to him by a requester.
  • The Commissioner also highlights that his office considered referring East Dunbartonshire Council to the Court of Session for failing to comply with one of his decisions (but in the end, it would appear that, such a step ultimately proved unnecessary).
  • The Commissioner refers to his high profile level 3 intervention in respect of the Scottish Government’s performance and culture in respect of FOI, which is still ongoing.
  • A less profile level 3 intervention by the Commissioner was the ongoing intervention in Police Scotland, which is now in the monitoring phase after an action plan was agreed between Police Scotland and the Commissioner. There were concerns about searching for and locating information to respond to information requests as well as concerns around record-keeping.
  • Two independent schools (which had become subject to FOI following the last extension of the Act by the Scottish Ministers) were subject to level 4 interventions where they had failed to adopt publication schemes as required by section 23 of the Freedom of Information (Scotland) Act 2002.

The Commissioner’s report makes reference to three Court of Session cases in respect of decisions that it had made, one of which Inksters were instructed in by one of the parties. The number of appeals against decisions of the Scottish Information Commissioner remain particularly low (both appeals taken by requesters and Scottish public authorities); whether this is because the Commissioner’s office is doing a good job in terms of interpreting the Freedom of Information (Scotland) Act 2002 and the Environmental Information (Scotland) Regulations 2004, or whether it has more to do with the significant costs to be faced by requesters and Scottish Public Authorities who decide to take an appeal to Scotland’s highest civil court is a matter which is very much open for debate.

There is lots of other useful information with the Commissioner’s annual report, but at the risk of this blog post becoming too unwieldy I shall leave it there.

Alistair Sloan

Whether you are a requester or a public authority we can provide you with advice and assistance on Freedom of Information matters. Contact Alistair Sloan on 0141 229 0880 or you can send him an E-mail. You can also follow our dedicated twitter account on information law matters.

 

Non-payment of Data Protection Fees: The ICO announces first steps in enforcement

Under the Data Protection Act 1998 it was an offence to process personal data without notifying with the Information Commissioner (and paying the required notification fee) unless you were exempt from having to notify. The position changed in May when the GDPR and Data Protection Act 2018 entered into force. The requirement to notify, which had its origin in the 1995 Data Protection Directive, was done away with. This left the UK with a particular problem: the Information Commissioner’s work in relation to the enforcement of data protection was funded entirely by the notification fees paid by data controllers. The solution was to introduce a system of fees which data controllers are required to pay to the Information Commissioner unless they are exempt from having to do so.

The law was also changed so that non payment of the data protection fee by a controller required to pay it is no longer a criminal offence. There are duplicate provisions in law which allow the Information Commissioner to charge these fees. The duplicate provisions are section 137 of the Data Protection Act 2018 and section 108 of the Digital Economy Act 2017. The fees payable are current specified within The Data Protection (Charges and Information) Regulations 2018, which were made exercising the powers under section 108 of the Digital Economy Act (the Regulations being made prior to the enactment of the Data Protection Act 2018 in May). There are, however, no provisions within the Digital Economy Act 2017 in respect of penalties for non-payment of these fees; the only provision which provides for non-payment of these fees is section 158 of the Data Protection Act 2018, which applies to fees made under section 137 of the Data Protection Act 2018.

In terms of section 158 of the Data Protection Act 2018, the maximum penalty for non-payment of the fee is 150% of the highest charge payable in accordance with the fees regulations, disregarding any discount available under the fees regulations.

It seems that a number of data controllers, who the Commissioner believes should be paying a fee, have not paid their fee. Earlier this week it was announced that the Information Commissioner’s Office had started to take enforcement action against 34 such organisations. The enforcement regime in section 158 of the Data protection Act 2018 applies to regulations made under section 108 of the Digital Economy Act 2017 by virtue of a provision within Schedule 20 to the Data Protection Act 2018 which provides that Regulations made under section 108 of the Digital Economy Act 2017 are to have effect as if they were Regulations made under section 137 of the Data Protection Act 2018 after the coming into force of section 137 of the Data Protection act 2018 (which happened on 25 May 2018).

The Notices of Intent, according to the ICO press release, have been issued to a range of controllers across the public and private sectors and that there are others in the process of being about to be issued. They act as a final warning by the ICO they if organisations don’t pay then they will be the recipient of a fixed penalty. It seems that the ICO is taking a relatively strong stance against non-payers from the outset and data controllers should therefore ensure that they pay their registration fees (where applicable) as and when their notification under the Data Protection Act 1998 comes to an end; or immediately where they were did not notify under the Data Protection Act 1998.

Alistair Sloan

If you would like advice on a data protection or privacy matter than contact Alistair on 0141 229 0880 or you can E-mail him directly. You can also follow our twitter account dedicated to the field of Information law

Data Protection/Privacy Enforcement: August 2018

August was another quiet month in terms of the data protection and privacy enforcement action published by the Information Commissioner’s Office. There were just two Monetary Penalty Notices published by the ICO last month. There are still a few key points to draw from last month’s published enforcement action – some of which are featured fairly regularly on these monthly blogposts, but are worthy of repitition.

Key Points

  • When carrying out direct marketing by telephone it is important that you check the intended list against the list held by the Telephone Preference Service before undertaking the campaign. If any number you intend on calling appears on that list you must satisfy yourself that you have sufficient evidence to support that you can still call that number, despite it being on the TPS.
  • If you’re getting your telephone lists from a third party then you must still do your own due diligence. Ensure that you have received sufficient evidence from the seller that the persons on the list have, in fact, indicated that they don’t mind being marketed to.
  • When drafting a privacy notice which sets out that you may share personal data with third parties it is important to be as accurate and precise as possible. It is not enough to include something along the lines of that you will share personal data with “carefully selected partners” and if you have a detailed list of organisations (or categories of organisations) that you may share personal data with, it is important that you do not share personal data with third parties who do not fall within that list.

Enforcement action published by the ICO in August 2018

AMS Marketing Limited
AMS Marketing Limited was served with a Monetary Penalty Notice in the amount of £100,000 [pdf] after if breached Regulation 21 of the Privacy and Electronic Communications (EC Directive) Regulations 2003. AMS Marketing had made in excess of 75,000 calls to numbers which were listed with the Telephone Preference Service and were unable to demonstrate to the Commissioner that they had been notified by the subscriber that they did not object, for the time being, to receiving calls for the purpose of direct marketing.

Lifecycle Marketing (Mother and Baby) Ltd
Life Style Marketing (Mother and Baby) Ltd (also known as ‘Emma’s Diary’) was served with a Monetary Penalty Notice in the amount of £140,000 after it failed to comply with the first data protection principle in Schedule 1 to the Data Protection Act 1998 (“DPA1998”). The company sold the personal data of more than 1 million individuals to the Labour Party for use in its campaign during the General election that took place in 2017 without telling those individuals that this is something that it might do with their personal data. The company, the Commissioner found, had no lawful basis within Schedule 2 of the DPA1998 for processing the personal data of those individuals.

Alistair Sloan

If you require advice and assistance in connection with any of the data protection/privacy issues above, or any other Information Law matter, please do contact Alistair Sloan on 0141 229 0880 or by sending him an E-mail directly.  You can also follow our dedicated information law twitter account.

 

 

Scottish Government’s Programme for Government: the information law perspective

Yesterday, the Scottish Government launched its Programme for Government [pdf] (the Scottish Government’s equivalent to the Queen’s Speech) for the coming Parliamentary year. There are three proposed Bills, which the Scottish Government plans to introduce in the coming year, that have a data protection and privacy angle to them. Those bills are: the Biometric Data Bill, the Disclosure Bill and the Census (Amendment) Bill.

Biometric Data Bill
This Bill will be designed to take forward the recommendations of the Independent Advisory Group on the use of Biometric Data which was chaired by John Scott QC. The Programme for Government document says of the Bill that it:

will enhance oversight of biometric data and  techniques used for the purposes of justice and community safety. It will include provision for the creation of a statutory code of practice covering the acquisition, use, retention and disposal of data including fingerprints, DNA and facial images. We will ensure an appropriately distinct and proportionate approach to capturing biometric data for children aged between 12 and 17.

Disclosure Bill
The Disclosure Bill will relate to the disclosure of criminal history data under the Disclosure Scotland schemes. The Bill will aim to “simplify the system and strike the right balance between strengthened safeguarding and helping people with convictions to get back into work.”

Census (Amendment) Bill
The Census (Amendment) Bill will be designed to bring changes which will permit the National Records of Scotland to ask questions on sexual orientation and transgender status beginning in the 2021 census. The questions will be voluntary.

There is no much in the way of detail in the full programme for government document, but it seems fairly clear that these three Bills will crossover into the world of data protection and privacy. Once the Bill’s are published we may have a better idea as to the nature of the data protection and privacy aspects to them.

Alistair Sloan

If you would like advice on a data protection or privacy matter than contact Alistair on 0141 229 0880 or you can E-mail him directly. You can also follow our twitter account dedicated to the field of Information law.

Data Protection/Privacy Enforcement: July 2018

The summer period can often be a bit quitter than normal and that was certainly true in terms of the volume of data protection and privacy enforcement action published by the Information Commissioner’s Office (but not so much for me, which is why this month’s look at the previous month’s enforcement action is coming later in the month than usual). There were just three pieces of enforcement action published on the ICO’s website during the month of July: two monetary penalty notices and information relating to the prosecution of one business. The key points for this month’s blog post will not be unfamiliar to people who regularly read this feature.

Key Points

  • Remember that if you wish to directly market individuals by electronic mail (which includes SMS) then, unless you are able to avail yourself of the very limited “soft opt-in”, then you must have received (and be able to demonstrate that you have received) consent from the individual. The GDPR has not changed the rules around direct marketing by electronic means (or, indeed, by telephone). These forms of direct marketing continue to be governed by the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”).
  • It is the responsibility of the person instigating direct marketing by electronic means to satisfy themselves that the campaign they are about to embark upon is lawful. Companies engaged in direct marketing campaigns where the data has come from a third party should undertake adequate checks to ensure that they can lawfully market to the intended recipients.
  • When sending out bulk E-mails it is important to ensure that proper procedures are in place and followed. Not placing the E-mail addresses into the “BCC” field is a fairly common error, which can be costly to an organisation (both in terms of the financial cost as well as reputation). If sending out bulk E-mails is going to be necessary, it may be worthwhile looking at investing in products and services which help to ensure that the personal data of the recipients is kept safe and secure.
  • It is important to ensure that data controllers comply with the terms of Information Notices served on them by the Commissioner. While it is no longer a criminal offence to fail to comply with an Information Notices (if it is served under the Data Protection Act 2018); the Commissioner can issue persons upon whom they are served with administrative fines should they fail to comply.
  • Notification is no longer required under the General Data Protection Regulation, but domestic law still requires data controllers (unless they fall into an exempt category) to pay a fee. The Commissioner has the power to issue a fixed penalty to controllers who have not paid a fee when they should have.

Enforcement action published during the month of July 2018

STS Commercial Limited
STS Commercial Limited, a welsh-based company, was served with a Monetary Penalty Notice in the sum of £60,000 [pdf] after it sent direct marketing by text message to over 270,000 people in contravention of Regulation 22 of PECR. The company was reliant upon consent which had been provided to a third party and carried out no due diligence of its own to ascertain that the consent met the requirements of PECR.

Independent Inquiry into Child Sex Abuse
The Independent Inquiry into Child Sex abuse was established by the Government to conduct an independent investigation into historic child sexual abuse. The Inquiry was served with a monetary penalty notice by the Information Commissioner in the amount of £200,000 [pdf] after it revealed the identities of abuse victims in a mass E-mail. The incident occurred after a member of the Inquiries staff entered the E-mail addresses of victims and survivors into the “to” field, instead of the “bcc” filed on more than one occasion. Each recipient of the E-mail therefore see the E-mail addresses of every other recipient, some of which contained the full name of the recipient (while others contained a partial name).

Prosecutions
Noble Design and Technology (based in Telford, Shropshire), was prosecuted by the Information Commissioner after it failed to comply with the terms of an Information Notice. The company had also failed to notify with the Information Commissioner, despite being required to do so. The company was convicted in its absence at Telford Magistrates’ Court and was fined £2,000 for failing to comply with an Information Notice. The company was also fined £2,500 for processing personal data without having notified (when it should have) and was also ordered to pay prosecution costs of £364.08 and a victim surcharge of £170.

Alistair Sloan

If you require advice and assistance in connection with any of the data protection/privacy issues above, or any other Information Law matter, please do contact Alistair Sloan on 0141 229 0880 or by sending him an E-mail directly.  You can also follow our dedicated information law twitter account.

Privacy and Data Protection: director disqualified

In September 2017 the Information Commissioner served a Monetary Penalty Notice on Easyleads Limited in the amount of £260,000 [pdf]; the company was also served with an Enforcement Notice by the Commissioner requiring the company to comply with the terms of the Privacy and Electronic Communications (EC Directive) Regulations 2003 [pdf]. It has since transpired that the company never paid the monetary penalty notice and the Information Commissioner petitioned the court to have the company wound-up. It is not unheard of for monetary penalty notices served by the Commissioner to go unpaid; however, where they do it is often because the company goes into liquidation. A copy of the order winding the company up following the petition by the Information Commissioner [pdf] can be found on the Companies House website.

What is interesting about this case though is an announcement by the Insolvency Service that the Secretary of State had accepted a disqualification undertaking from Shaun Harkin, the director of Easyleads Limited. The effect of the undertaking is to ban Mr. Harkin from “directly or indirectly becoming involved, without the permission of the court, in the promotion, formation or management of a company for six years”.

The announcement from the insolvency Service explains that the reason Mr Harkin is now banned from being a director of a company for 6 years is because he failed to ensure that the company complied with its statutory obligations, specifically that he failed to ensure that the company complied with the requirements of the Privacy and Electronic Communications (EC Directive) Regulations 2003 around undertaking direct marketing by telephone.

This is an important announcement from the Insolvency Service; it demonstrates that the effects of failing to comply with data protection and privacy law can be wide-ranging. There is the potential for directors running companies which fail to comply with data protection and privacy law facing being banned from being involved in the formation or management of companies for a not insignificant period of time. It remains to be seen whether this sort of action becomes much more frequent and it is not something that is directly in the control of the Information Commissioner herself, but if the Insolvency Service is starting to take seriously breaches of data protection and privacy law by companies and looking to disqualify directors (where it can within the parameters of the law) then this is clearly something that those involved in the formation and management of limited companies ought to bear in mind when considering data protection and privacy compliance.

Alistair Sloan

If you require advice or assistance on a matter relating to data protection or privacy law then you can contact Alistair Sloan on 0141 229 0880 or send him an E-mail. You can also follow our twitter account dedicated to information law matters.

Information Notices: UKIP -v- Information Commissioner

Last week the Information Commissioner published an update on her investigation into the use of personal data in political campaigning; it received much publicity and I wrote about the report on this blog. In the report it was revealed that the First-Tier Tribunal (Information Rights) (hereafter “FTT”) had dismissed an appeal by the United Kingdom Independence Party (“UKIP”) against an Information Notice served upon it by the Commissioner.

I have previously written on Information Notices more generally (which dealt with them under the Data Protection Act 1998 (”DPA98”), rather than the Data Protection Act 2018(“DPA18”)) and so I don’t propose to set out in any detail what an Information Notice is; however, in brief the Commissioner had the power to compel a person (not just a data controller) to provide her with certain information under section 43 of the DPA98; failure to comply with an Information Notice issued under the DPA98 is a criminal offence.

In my blog post last week I said that I would try and blog when the FTT published its decision in respect of UKIP’s appeal against the Information notice. The FTT has now published its decision in United Kingdom Independence Party (UKIP) –v– The Information Commissioner [pdf]. The background to the Information Notice is set out in the decision, but it appears that the Commissioner’s office wrote to UKIP asking it to provide certain information. UKIP responded, but did so in a very unsatisfactory manner. In particular the answers given were lacking in detail and contradicted information obtained by the Commissioner’s office from the Electoral commission website.  As a result, the Commissioner used her power to compel information from UKIP.

UKIP appealed on the grounds that the Information Notice was “unjust, disproportionate and unnecessary because the UKIP has never suggested it would not comply and that a preferable course of action would have been for the Commissioner to write seeking clarification and specific details.“ [para 13] It seems that the Tribunal issued Directions asking the Commissioner whether she could issue a fresh Information notice because the FTT was not clear on certain matters; however, it was pointed out that this was not open to either the FTT or the Commissioner and that the FTT must allow or dismiss the appeal by UKIP.

The matters upon which the FTT was uncertain were clarified by the Commissioner and ultimately the appeal was dismissed by the FTT. The appeal was considered, at the request of both parties, on the papers alone and therefore no hearing took place. The Tribunal concluded that “the expressed intention of UKIP to provide information and co-operate with the Commissioner is at odds with the information provided by UKIP.” [para 19] UKIP was not arguing that the Notice was not issued “in accordance with the Data Protection Act [1998]” [para 20].

It appears from the FTT’s decision that UKIP later did try to argue that it was not in accordance with the law founding upon the FTT’s own request for clarification; however, the FTT decided that the “notice, of itself, is clear”  and that the reasoning advanced by UKIP did “not provide grounds for allowing this appeal.” [para 25]

The Tribunal also concluded that the appeal had no merit [para 26] before unanimously dismissing the appeal [para 27].

Information Notices are not a common feature of the data protection enforcement landscape. UKIP could seek to appeal the FTT’s decision to dismiss its appeal and whether UKIP seek permission to appeal the decision to the Upper Tribunal remains to be seen. My own view, from the information available in the FTT’s judgment, is that the ultimate conclusion of the FTT was correct; however, the route by which the FTT arrived at that conclusion is unhelpful and may be enough to persuade either the FTT or the Upper Tribunal to grant permission to appeal.

From reading the FTT’s decision it appears that there might have been some confusion on the part of the FTT concerning what its functions were in respect of Information Notices and what the statutory scheme for such a notice was. Whether this was down to the way in which the Commissioner had presented the case on the papers or down to a genuine lack of understanding by the FTT is something that we might never know (especially if there is no appeal by UKIP to the Upper Tribunal)

In terms of the actual decision; it is not at all surprising that the FTT did not take UKIP’s assertion that it would co-operate with the Commissioner at face value when presented with its response to the Commissioner’s more informal request for information from them. It underlines the importance of genuinely engaging with the Commissioner when they are undertaking investigations – they do have certain powers to assist them with their investigation and they do seem willing to use those powers where they feel as though they need to do so.

The framework for Information Notices has changed slightly under the GDPR/DPA18 – it’s no longer a criminal offence to fail to comply with an Information Notice; however, the Commissioner could go to court and obtain an Information Order from the Court where an Information Notice is not complied with. A right of appeal to the FTT continues to exist against Information Notices issued under the DPA18.

Alistair Sloan

If you are facing an investigation by the Information Commissioner in respect of alleged failures to comply with privacy and data protection law, or if you require advice on any other information law matter you can contact Alistair Sloan on 0141 229 0880.  Alternatively you can contact him directly by E-mail.  We also have a dedicated information law twitter account which you can follow.

Facebook, Fines and Enforcement: ICO investigation into political campaigning

In March the Commissioner executed a warrant under the Data Protection Act 1998, to much fanfare and press coverage, on Cambridge Analytica – the data analytics firm who had been involved in the election campaign by US President Donald Trump and who had allegedly undertaken work for Leave.EU in the 2016 referendum on whether the UL should remain a member of the European Union or not. At the same time the Information commissioner announced a much wider investigation into compliance with data protection and privacy laws in political campaigning.

The Information Commissioner has today published a report giving an update on that wider investigation [pdf]. There has been much fanfare around this report and in particular a suggestion that Facebook has been served with a Monetary Penalty Notice in the amount of £500,000. This would be big news; it may not be a large sum of money to Facebook, but £500,000 is the maximum that the Information commissioner can serve a Monetary Penalty Notice for under the Data Protection Act 1998.

However, it has become clear that Facebook has not been served with a Monetary Penalty Notice in the amount of £500,000. The first thing to note here is that the Data Protection Act 1998 still applies; the alleged breaches of data protection law that the Commissioner is concerned with pre-dated 25 May 2018 and therefore the powers under the General Data Protection Regulation (GDPR) do not apply. What has happened is that the Information Commissioner has served a “Notice of Intent” on Facebook indicating that the Commissioner intends on serving Facebook with a Monetary Penalty Notice in the amount of £500,000. This is the first stage in the process of serving a Monetary Penalty Notice, but it is by no means guaranteed that (a) a Monetary Penalty Notice will be issued; and (b) that it will be in the amount of £500,000.

Facebook will have the opportunity to make written representations to the Information Commissioner on various matters, including whether the statutory tests for serving a Monetary Penalty Notice have been met and on the amount of the Penalty. The Commissioner must take account of these representations when making a final decision on serving the Monetary Penalty Notice: not to do so would likely result in an appeal against the Notice to the First-Tier Tribunal (Information Rights), which could ultimately result in the Monetary Penalty Notice being reduced in amount or quashed altogether. If Facebook brings forward evidence to the Commissioner that means she can no longer make certain findings in fact that will have an impact on both her ability to serve the Monetary Penalty Notice and the amount of that notice.

It could be many more weeks, if not months before we know whether a Monetary Penalty Notice is in fact being served on Facebook and how much it is for. The Commissioner must serve the Monetary Penalty Notice on Facebook within six month of serving the Notice of Intent.

There are some other aspects of the Commissioner’s report that are worthy of some brief consideration. The Commissioner has announced that she is intending on prosecuting SCL Elections Limited. The information given by the Commissioner suggests that this prosecution is to be limited to one very specific issue: their failure to comply with an Enforcement Notice previously served on the company. The Enforcement Notice was served on the company after they failed to comply with a subject access request received by them from a US academic. The company was in administration when the Enforcement Notice was served and remains in administration today. The Information Commissioner is able to prosecute offences under the legislation it is responsible for enforcing in its own right; except in Scotland where it requires to report the matter to the Procurator Fiscal in the same way as every other law enforcement agency is required. How successful that prosecution will be and what benefit it will bring remains to be seen given that the company is in administration. Even if the company is successfully

We have also seen what appears to be the first piece of enforcement action taken under the Data Protection Act 2018 and the General data Protection Regulation.  The Commissioner has served an Enforcement Notice on the Canadian company, Aggregate IQ [pdf]. This amounts to what could be termed as a “stop processing notice” and it requires Aggregate IQ to, within 30 days, “cease processing any personal data of UK or EU citizens obtained from UK political organisations or otherwise for the purposes of data analytics, political campaigning, or any other advertising.”

Failure to comply with an Enforcement Notice under the Data Protection Act 2018 and the GDPR is not (unlike under the Data Protection Act 1998) a criminal offence; however, a failure to comply can result in an administrative fine of up to €20 million or 4% of global turnover (whichever is the greater). How successful the ICO will be at enforcing this enforcement notice, given that the company is located in Canada and appears to have no established base in the UK, or any other EU member state, remains to be seen.

Other investigations are still ongoing. The Commissioner appears to be continuing to investigate whether there was any unlawful data sharing between Leave.EU and Eldon Insurance. Investigations are also being undertaken into the main ‘Remain’ campaign in the EU referendum and also into all of the UK’s main political parties. It remains to be seen what will happen there.

The Commissioner’s report also informs us that the appeal by the United Kingdom Independence Party (UKIP) against an Information Notice previously served upon them has been dismissed. The First-Tier Tribunal (Information Rights) has not yet published a decision in that case on its website, but should it do so I shall endeavour to blog on that decision (especially given that there has never to my knowledge been an appeal to the Tribunal against an Information Notice). Failure to comply with an Information Notice is a criminal offence, and a company was recently fined £2,000 at Telford Magistrates’ Court for that very offence.

Alistair Sloan

If you require advice or assistance on a matter relating to data protection or privacy law then you can contact Alistair Sloan on 0141 229 0880 or send him an E-mail. You can also follow our twitter account dedicated to information law matters.