June was exceptionally good weather-wise, with lots of bright and sunny weather, but the outlook for some data controllers was not so bright or sunny as the Information Commissioner took action against them for data protection and privacy breaches. Many of the key points arising out of last month’s enforcement action make a regular appearance on this blog. In relation to enforcement of (the now repealed) Data Protection Act 1998, the focus remains heavily on breaches of the seventh data protection principle, relating to technical and organisational measures.
- Train, train, train – training is a key aspect of a data controller’s ability to reduce the risk of suffering a data breach. Ensuring that all staff receive appropriate training on data protection relevant to their job role upon induction, and regular refresher training thereafter, is a core aspect of ensuring that the organisation has in place adequate organisational measures. It is also important to ensure that people actually undertake the induction and refresher training on offer. It is all very well having lots of well designed and worked-out policies, procedures and training material, but if nobody is being trained on the policies and procedures, then the controller might as well not have made the investment in the first place.
- Sending bulk E-mails is a high risk activity and extreme care should be taken to ensure that personal data is not inappropriately revealed. The manual entry of E-mail addresses can pose a significant risk, even if there is a well documented procedure to use the Bcc field (and everyone has undergone their induction and refresher training setting out this procedure).
- The right of subject access is a core right of data subjects and it is therefore important that data controllers have in place adequate procedures to identify, record, track and respond to subject access requests. A failure to comply with a subject access request can result in a data subject making a complaint to the Information Commissioner (who may take enforcement action) or applying to the court for an order forcing the data controller to comply.
- When conducting direct marketing campaigns by electronic means, make sure that you really do have in place the appropriate consents. Further, if you’re sending something as a service message make sure it really is a service message and not a marketing message dressed up as a service message.
- If you are making live telephone calls for the purposes of direct marketing you must ensure that you do not make calls to telephone numbers listed with the Telephone Preference Service unless you have clear consent to do so.
Enforcement action published in June 2018
The British and Foreign Bible Society
The British and Foreign Bible Society was served with a Monetary Penalty Notice in the amount of £100,000 [pdf] after suffering a ransomware attack. The attackers had gained access through a brute-force attack that exploited a weak password on the Remote Desktop Server (which allowed home working), and were therefore able to access personal data. The Commissioner considered that the British and Foreign Bible Society did not have in place adequate organisational and technical measures and as such was in breach of the seventh data protection principle.
Chief Constable of Humberside Police
The Chief Constable of Humberside Police gave an undertaking to the Information Commissioner after losing interview disks and written notes concerning an allegation of rape [pdf]. Humberside Police had conducted the interviews on behalf of another force. During the course of the Commissioner’s investigation into the data breach, it transpired that training compliance within the force on data protection was only 16.8%. Of the three officers involved in the initial incident, two had received training some years ago and the third had received no training at all.
Chief Constable of Gloucestershire Police
The Chief Constable of Gloucestershire Police was served with a Monetary Penalty Notice in the amount of £80,000 [pdf] after sending a bulk E-mail which identified victims of historic child abuse. In December 2016 an officer sent an update about investigations into allegations of child abuse relating to multiple victims. The officer did not make use of the ‘Bcc’ function and instead entered all of the E-mail addresses into the ‘To’ field, thus revealing the E-mail address of every recipient to every other recipient.
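As an added example (not code from this post or from any of the organisations named in it), here is a pre-send check of the kind that would have stopped the Gloucestershire draft: it refuses a message whose To/Cc fields hold more than a threshold of recipients, or recipients spread across more than one domain, and shows the remedy of moving them all to Bcc. The threshold, the `Draft` structure and the sample addresses are assumptions for illustration.

```python
from dataclasses import dataclass, field
import re

# Assumed policy values for this example, not figures from the post.
MAX_VISIBLE_RECIPIENTS = 5
ADDRESS_RE = re.compile(r"^[^@\s]+@([^@\s]+\.[^@\s]+)$")


@dataclass
class Draft:
    """Minimal outbound message: only the header fields the check needs."""
    sender: str
    to: list[str] = field(default_factory=list)
    cc: list[str] = field(default_factory=list)
    bcc: list[str] = field(default_factory=list)


def domain_of(address: str) -> str:
    """Return the domain part of an address, rejecting malformed entries."""
    m = ADDRESS_RE.match(address.strip().lower())
    if not m:
        raise ValueError(f"malformed address: {address!r}")
    return m.group(1)


def check_draft(draft: Draft) -> list[str]:
    """Return policy violations; an empty list means the draft may be sent."""
    visible = draft.to + draft.cc          # To and Cc are shown to every recipient
    for address in visible + draft.bcc:
        domain_of(address)                  # fail before sending, not after
    problems = []
    if len(visible) > MAX_VISIBLE_RECIPIENTS:
        problems.append(f"{len(visible)} visible recipients exceed "
                        f"{MAX_VISIBLE_RECIPIENTS}; put them in Bcc")
    domains = {domain_of(a) for a in visible}
    # Visible recipients in different domains are usually unconnected parties
    # (e.g. individual complainants) who must not see each other's addresses.
    if len(domains) > 1:
        problems.append("visible recipients span " + ", ".join(sorted(domains))
                        + "; put them in Bcc")
    return problems


def move_to_bcc(draft: Draft) -> Draft:
    """Remedy: the sender becomes the only visible recipient, everyone else is Bcc'd."""
    hidden = list(dict.fromkeys(draft.to + draft.cc + draft.bcc))  # dedupe, keep order
    return Draft(draft.sender, to=[draft.sender], bcc=hidden)
```

Running `check_draft` on a draft with seven unconnected addresses in `To` returns two violations; after `move_to_bcc` it returns none.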
Ainsworth Lord Estates Limited
Ainsworth Lord Estates Limited was served with an Enforcement Notice after it failed to respond to a Subject Access Request made by a data subject [pdf]. The data subject made a subject access request to the controller and received only an out of office response; when no substantive response followed, they attempted to engage with the controller, but again got no response. When the Commissioner became involved, her office attempted to contact the controller, but also had no success in obtaining a response.
British Telecommunications Plc
British Telecommunications Plc (BT) was served with a Monetary Penalty Notice in the amount of £77,000 [pdf] for breaching the provisions of the Privacy and Electronic Communications (EC Directive) Regulations 2003. A complaint was made to the ICO by an individual who had opted out of receiving marketing communications from BT, but who then received a message from BT promoting its ‘My Donate’ platform. The Commissioner opened an investigation as it appeared the message had been sent to the whole of BT’s marketing database. BT advised the Commissioner that it considered the ‘My Donate’ message to be a service message, rather than a marketing message. Two other marketing campaigns took place, which BT accepted were marketing campaigns; BT argued that it had complied with the requirements of PECR by only sending them to those who had opted in, and purported also to rely upon the ‘soft opt-in’. The Commissioner found that in relation to all three campaigns, BT had failed to comply with Regulation 22 of PECR.
Our Vault Limited
Our Vault Limited was served with an Enforcement Notice [pdf] and also with a Monetary Penalty Notice in the amount of £70,000 [pdf] after it failed to comply with the provisions of PECR. The company made live telephone calls for the purposes of marketing the products of a third party company (under the guise of conducting lifestyle research), including to numbers that were listed with the Telephone Preference Service where it did not have the consent of the subscriber to do so, contrary to Regulation 21 of PECR.
Horizon Windows Limited
Horizon Windows Limited was served with an Enforcement Notice after it failed to comply with the provisions of Regulation 21 of PECR [pdf]. In this case complaints continued to be received by the Commissioner during the course of her office’s investigation.
If you require advice and assistance in connection with any of the data protection/privacy issues above, or any other Information Law matter, please do contact Alistair Sloan on 0141 229 0880 or by sending him an E-mail directly. You can also follow our dedicated information law Twitter account.