In this blogpost I shall be looking at the enforcement action taken by the Information Commissioner in the fields of data protection and privacy which was publicised during August 2017. It is hoped that this will become a regular monthly feature on this blog.
Key Points
The key points from the enforcement action publicised by the ICO during the course of August are:
- Ensure that where your organisation undertakes direct marketing by telephone, you do not make calls to numbers which are listed on the Telephone Preference Service; unless you have been given consent to make such calls.
- Ensure that contractors who have access to personal data only have access to that personal data which is necessary for the services that they are providing to you.
- Ensure that you have appropriate technical and organisational measures in places to prevent the unauthorised or unlawful processing of personal data when processing personal data over the internet.
- Ensure that all of your staff (including temporary and agency staff) are given data protection training which is appropriate to their job role, and to ensure that regular refresher training is undertaken.
- If you are an employee and have access to personal data as part of your job role, do not make use of that access for any purposes not required as part of your employment; including for personal purposes.
Enforcement Action published by ICO in August 2017
H.P.A.S Limited (trading as Safestyle UK)
H.P.A.S Limited were served with a Monetary Penalty Notice [pdf] in the amount of £70,000 and an Enforcement Notice [pdf] after the Commissioner found that they had made unsolicited direct marketing calls to telephone numbers which were listed on the Telephone Preference Service.
Laura Anderson Limited t/a Virgo Home Improvements
Laura Anderson Limited were served with a Monetary Penalty Notice [PDF] in the amount of £80,000 and an Enforcement Notice [pdf] after the Commissioner found that they had made unsolicited direct marketing calls to telephone numbers which were listed on the Telephone Preference Service.
Home Logic UK Limited
Home Logic UK Limited were served with a Monetary Penalty Notice [pdf] in the amount of £50,000 after the Commissioner found that they had made unsolicited direct marketing calls to telephone numbers which were listed on the Telephone Preference Service.
Talk Talk Telecom Group Plc
Talk Talk Telecom Group Plc were served with a Monetary Penalty Notice [pdf] in the amount of £100,000. The Commissioner found that they had failed to have in place adequate technical and organisational measures to prevent against the unauthorised or unlawful processing of personal data. Talk Talk Telecom Group Plc had in place unjustifiably wide-ranging access to personal data by external agents, which put that personal data at risk.
London Borough of Islington
The London Borough of Islington was served with a Monetary Penalty Notice [pdf] in the amount of £70,000. The Commissioner found that the Borough’s parking enforcement application had design flaws and some of the functionality was misconfigured, allowing for unauthorised access to personal data.
Nottinghamshire County Council
Nottinghamshire County Council was served with a Monetary Penalty Notice [pdf] in the amount of £70,000. The Commissioner found that the Council had failed to have in place an authentication process for accessing an internet based allocation service for home carers; this left personal data and sensitive personal data exposed on the internet.
Cheshire West and Chester Council
Cheshire West and Chester Council signed an undertaking [pdf] stating that they would take certain steps to ensure compliance with the Data Protection Act 1998. In particular the Commissioner was concerned that a number of self-reported incidents by the council involved staff who had not received data protection training.
Prosecution
A former employee of Colchester Hospital University NHS Foundation Trust was prosecuted in The Colchester Magistrates’ Court. The Defendant pleaded guilty to offences under Section 55 of the Data Protection Act 1998. She had accessed the sensitive health records of friends and people she knew and disclosed some of the personal information she obtained obtained. She was fined £400 for the offence of obtaining the personal data and £650 for the offence of disclosing the personal data. She was also required to pay prosecution costs and a victim surcharge.
I can provide advice and assistance on a wide range of information law matters. If you wish to discuss an information law matter with me then you can contact me on 0345 450 0123 or by completing the form on the contact page of this blog. Alternatively, you can send me an E-mail directly.