February is a short month, and did not see the same level of publicity by the Information Commissioner’s Office in respect of enforcement action taken to enforce privacy and data protection laws as was seen in January.
Key points
- Failing to comply with an Enforcement Notice is a criminal offence (see section 47 of the Data Protection Act 1998); there is a right of appeal to the First-Tier Tribunal (Information Rights) against the terms of an Enforcement Notice and so if you do not agree with the terms of the notice you should seek legal advice about the possibility of making such an appeal.
- Employees should be careful what they do with personal data; in most cases the enforcement liability will lie with the employer (although, your employer might take disciplinary action against you for failing to comply with company policies and procedures). However, there are circumstances when employees can be held personally, and indeed criminally, liable for breaches of the Data Protection act 1998.
- The right of subject access is a fundamental right of data subjects and data controllers must ensure that they comply with their obligations in respect of a subject access request made by a data subject. The right of subject access remains a key feature of the new European data protection framework and the GDPR strengthens the right of subject access for data subjects.
Enforcement action published by the ICO during February 2018
Pennine Care NHS Foundation Trust
The ICO has conducted a follow-up assessment [pdf] with Pennine Care NHS Foundation Trust finding that the Trust had complied with the terms of the undertaking which it had previously given [pdf] following a consensual audit [pdf] by the Commissioner’s staff.
Gain Credit LLC
Gain Credit LLC was served with an Enforcement Notice [pdf] by the Information Commissioner for failing to comply with a subject access request made to it. This came to light after the data subject in question made a request to the Information Commissioner that she carry out an assessment pursuant to section 42 of the Data Protection Act 1998 into whether it was likely or unlikely that the processing by Gain Credit LLC was in accordance with the provisions of the Act.
Direct Choice Home Improvements Limited
In March 2016 Direct Choice Home Improvements Limited was served with a Monetary Penalty Notice in the amount of £50,000 [pdf] and also an Enforcement Notice [pdf] for breaching Regulation 21 of the Privacy and Electronic Communications (EC) Directive Regulations 2003 (PECR). The company continued to breach Regulation 21 of PECR and the Commissioner prosecuted it for breaching the Enforcement Notice. The company was not represented at Swansea Magistrates’ Court and was convicted in absence. The company was fined £400 as well as being ordered to pay £364.08 in prosecution costs and a victim surcharge of £40. (Don’t forget that PECR remains part of the privacy and data protection law landscape when the GDPR becomes applicable in May.)
Other Prosecutions
A former employee of Nationwide Accident Repair Services Limited was prosecuted by the Information Commissioner for unlawfully obtaining personal data contrary to section 55 of the Data Protection Act 1998. The defendant had sold the personal data of his employers’ customers to a third party who then made use of the personal data to contact some of those customers concerning their accident. The defendant was convicted and fined £500 as well as being ordered to pay costs of £364 and a victim surcharge of £50. An offence of unlawfully disclosing personal data was admitted to and taken into consideration by the Court.
A former local authority education worker was prosecuted after she unlawfully disclosed personal data contrary to section 55 of the Data Protection Act 1998. The defendant had taken a screenshot of a council spreadsheet which concerned the eligibility of named children to free school meals and then sent it onto an estranged parent of one of the children. She pled guilty to three offences and was fined £850 by Westminster Magistrates’ Court as well as being ordered to pay £713 in costs.
If you require advice or assistance in respect of a data protection or privacy law matter, or any other Information Law matter; then contact Alistair Sloan on 0345 450 0123, or send him and E-mail.