Tag Archives: Data Protection Enforcement

Facebook, Fines and Enforcement: ICO investigation into political campaigning

In March the Commissioner executed a warrant under the Data Protection Act 1998, to much fanfare and press coverage, on Cambridge Analytica – the data analytics firm who had been involved in the election campaign by US President Donald Trump and who had allegedly undertaken work for Leave.EU in the 2016 referendum on whether the UL should remain a member of the European Union or not. At the same time the Information commissioner announced a much wider investigation into compliance with data protection and privacy laws in political campaigning.

The Information Commissioner has today published a report giving an update on that wider investigation [pdf]. There has been much fanfare around this report and in particular a suggestion that Facebook has been served with a Monetary Penalty Notice in the amount of £500,000. This would be big news; it may not be a large sum of money to Facebook, but £500,000 is the maximum that the Information commissioner can serve a Monetary Penalty Notice for under the Data Protection Act 1998.

However, it has become clear that Facebook has not been served with a Monetary Penalty Notice in the amount of £500,000. The first thing to note here is that the Data Protection Act 1998 still applies; the alleged breaches of data protection law that the Commissioner is concerned with pre-dated 25 May 2018 and therefore the powers under the General Data Protection Regulation (GDPR) do not apply. What has happened is that the Information Commissioner has served a “Notice of Intent” on Facebook indicating that the Commissioner intends on serving Facebook with a Monetary Penalty Notice in the amount of £500,000. This is the first stage in the process of serving a Monetary Penalty Notice, but it is by no means guaranteed that (a) a Monetary Penalty Notice will be issued; and (b) that it will be in the amount of £500,000.

Facebook will have the opportunity to make written representations to the Information Commissioner on various matters, including whether the statutory tests for serving a Monetary Penalty Notice have been met and on the amount of the Penalty. The Commissioner must take account of these representations when making a final decision on serving the Monetary Penalty Notice: not to do so would likely result in an appeal against the Notice to the First-Tier Tribunal (Information Rights), which could ultimately result in the Monetary Penalty Notice being reduced in amount or quashed altogether. If Facebook brings forward evidence to the Commissioner that means she can no longer make certain findings in fact that will have an impact on both her ability to serve the Monetary Penalty Notice and the amount of that notice.

It could be many more weeks, if not months before we know whether a Monetary Penalty Notice is in fact being served on Facebook and how much it is for. The Commissioner must serve the Monetary Penalty Notice on Facebook within six month of serving the Notice of Intent.

There are some other aspects of the Commissioner’s report that are worthy of some brief consideration. The Commissioner has announced that she is intending on prosecuting SCL Elections Limited. The information given by the Commissioner suggests that this prosecution is to be limited to one very specific issue: their failure to comply with an Enforcement Notice previously served on the company. The Enforcement Notice was served on the company after they failed to comply with a subject access request received by them from a US academic. The company was in administration when the Enforcement Notice was served and remains in administration today. The Information Commissioner is able to prosecute offences under the legislation it is responsible for enforcing in its own right; except in Scotland where it requires to report the matter to the Procurator Fiscal in the same way as every other law enforcement agency is required. How successful that prosecution will be and what benefit it will bring remains to be seen given that the company is in administration. Even if the company is successfully

We have also seen what appears to be the first piece of enforcement action taken under the Data Protection Act 2018 and the General data Protection Regulation.  The Commissioner has served an Enforcement Notice on the Canadian company, Aggregate IQ [pdf]. This amounts to what could be termed as a “stop processing notice” and it requires Aggregate IQ to, within 30 days, “cease processing any personal data of UK or EU citizens obtained from UK political organisations or otherwise for the purposes of data analytics, political campaigning, or any other advertising.”

Failure to comply with an Enforcement Notice under the Data Protection Act 2018 and the GDPR is not (unlike under the Data Protection Act 1998) a criminal offence; however, a failure to comply can result in an administrative fine of up to €20 million or 4% of global turnover (whichever is the greater). How successful the ICO will be at enforcing this enforcement notice, given that the company is located in Canada and appears to have no established base in the UK, or any other EU member state, remains to be seen.

Other investigations are still ongoing. The Commissioner appears to be continuing to investigate whether there was any unlawful data sharing between Leave.EU and Eldon Insurance. Investigations are also being undertaken into the main ‘Remain’ campaign in the EU referendum and also into all of the UK’s main political parties. It remains to be seen what will happen there.

The Commissioner’s report also informs us that the appeal by the United Kingdom Independence Party (UKIP) against an Information Notice previously served upon them has been dismissed. The First-Tier Tribunal (Information Rights) has not yet published a decision in that case on its website, but should it do so I shall endeavour to blog on that decision (especially given that there has never to my knowledge been an appeal to the Tribunal against an Information Notice). Failure to comply with an Information Notice is a criminal offence, and a company was recently fined £2,000 at Telford Magistrates’ Court for that very offence.

Alistair Sloan

If you require advice or assistance on a matter relating to data protection or privacy law then you can contact Alistair Sloan on 0141 229 0880 or send him an E-mail. You can also follow our twitter account dedicated to information law matters.

Data Protection/Privacy Enforcement: June 2018

June was exceptionally good weather wise with lots of bright and sunny weather, but the outlook for some data controllers was not so bright or sunny as the Information Commissioner took action againt them for data protection and privacy breaches. Many of the key points arising out of last month’s enforcement action make a regular appearance on this blog. In relation to enforcement of (the now repealed) Data Protection Act 1998, the focus remains heavily on breaches of the seventh data protection principle relating to technical and organisational measures.

Key Points

  • Train, train, train – training is a key aspect of a data controllers ability to reduce the risk of suffering a data breach. Ensuring that all staff receive appropriate training on data protection relevant to their job role upon induction; and regular refresher training thereafter, is a core aspect of ensuring that the organisation has in place adequate organisational measures. It’s also important to ensure that people actually undertake induction and referesher training on offer. It is all very well having lots of well designed and worked-out policies, procedures and training material, but if nobody is being trained on the policies and procedures, then the controller might as well have not made the investment in the first place.
  • Sending bulk E-mails is a high risk activity and extreme care should be taken to ensure that personal data is not inappropriately revealed. The manual entry of E-mail addresses can pose a significant risk; even if there is a well documented procedure to use the Bcc field (and everyone has undergone their induction and refresher training setting out this procedure).
  • The right of subject access is a core right of data subjects and it is therefore important that data controllers have in place adequate procedures to identify, record, track and respond to subject access requests. A failure to comply with a subject access request can result in a data subject making a complaint to the Information Commissioner (who may take enforcement action) or applying to the court for an order forcing the data controller to comply.
  • When conducting direct marketing campaigns by electronic means, make sure that you really do have in place the appropriate consents. Further, if you’re sending something as a service message make sure it really is a service message and not a marketing message dressed up as a service message.
  • If you are making live telephone calls for the purposes of direct marketing you must ensure that you do not make calls to telephone numbers listed with the Telephone Preference Service unless you have clear consent to do so.

Enforcement action published in June 2018

 The British and Foreign Bible Society
The British and Foreign Bible Society was served with a Monetary Penalty Notice in the amount of £100,000 [pdf] after suffering a ransomware attack. This had been possible after a brute-force attack had exploited a vulnerability of a weak password. This gave them access to the Remote Desk Server (which allowed home working). The attackers were therefore able to access personal data. The Commissioner considered that the British and Foreign Bible Society did not have in place adequate organisational and technical measures and as such was in breach of the seventh data protection principle.

Chief Constable of Humberside Police
The Chief Constable of Humberside Police gave an undertaking to the Information Commissioner after loosing interview disks and written notes concerning n allegation of rape [pdf]. Humberside Police had conducted the interviews on behalf of another force. During the course of the Commissioner’s investigation into the data breach, it transpired that training compliance within the force on data protection was only 16.8%. Of the three officers involved in the initial incident, two had received training some years ago and the third had received no training at all.

Chief Constable of Gloucestershire Police
The Chief Constable of Gloucestershire Police was served with a Monetary Penalty Notice in the amount of £80,000 [pdf] after sending a bulk E-mail which identified victims of historic child abuse. In December 2016 an officer sent an update about investigations into allegations of child abuse relating to multiple victims. The officer did not make use of the ‘Bcc’ function and instead entered all of the E-mail addresses into the “to” field thus revealing the E-mail addresses of every recipient to every other.

Ainsworth Lord Estates Limited
Ainsworth Lord Estates Limited was served with an Enforcement Notice after it failed to respond to a Subject Access Request made by a data subject [pdf]. The data subject made a subject access request to the controller and got an out of office response; when they received no response they attempted to engage with the controller, but got no response. When the Commissioner became involved her office attempted to contact the controller, but had no success in receiving a response.

British Telecommunications Plc
British Telecommunications Plc (BT) was served with a Monetary Penalty Notice in the amount of £77,000 [pdf] for breaching the provisions of the Privacy and Electronic Communications (EC Directive) regulations 2003. A complaint was made to the ICO by an individual who had opted out of receiving marketing communications from BT when they received a message from BT promoting its ‘My Donate’ platform. The Commissioner opened an investigation as it appeared the message had been sent to  the whole of BT’s marketing database. BT advised the Commissioner that it considered that the message re ‘My Donate’ was a service message, rather than a marketing message. Two other marketing campaigns took place, which BT accepted were marketing campaigns and argued that they had complied with the requirements of PECR by only sending it to those who had opted-in; BT purported to also reply upon the ‘soft opt-in’. The Commissioner found that in relation to all three campaigns, BT had failed to comply with Regulation 22 of PECR.

Our Vault Limited
Our Vault Limited was served with an Enforcement Notice [pdf] and also with a Monetary Penalty Notice in the amount of £70,000 [pdf] after it failed to comply with the provisions of PECR. The company made live telephone calls for the purposes of marketing the products of a third party company (under the guise of conducting lifestyle research); including to numbers that were listed with the Telephone Preference Service where they did not have the consent of the subscriber to do so, contrary to Regulation 21 of PECR.

Horizon Windows Limited
Horizon Windows Limited was served with an Enforcement Notice after it failed to comply with the provisions of Regulation 21 of PECR [pdf]. In this case complaints continued to be received by the Commissioner during the course of her offices’ investigation.

Alistair Sloan

If you require advice and assistance in connection with any of the data protection/privacy issues above, or any other Information Law matter, please do contact Alistair Sloan on 0141 229 0880 or by sending him an E-mail directly.  You can also follow our dedicated information law twitter account.

Data Protection/Privacy Enforcement: May 2018

May saw the long awaited General Data Protection Regulation coming into force, but it will be a while yet before we begin to see regulatory enforcement action taken under the GDPR and the associated Data Protection Act 2018 being taken. In May there was, as is normal, a steady stream of enforcement action against data controllers published by the Information Commissioner’s Office. It is once again time to take our monthly look at what breaches the Commissioner has taken enforcement action in relation to and what data controllers and their staff can learn from it.

Key Points

  • This is a frequent message of these monthly reviews, but it is important to ensure that you screen telephone numbers you are intending to call as part of a marketing campaign against the list maintained by the Telephone Preference Service. If you have, and can demonstrate that you have, consent to do so; you can call a number that is listed with the Telephone Preference Service.
  • When undertaking direct marketing by telephone you must identify the caller; if you are making the call on behalf of a third party then you must also identify the third party. It is not permissible to hide, obscure or refuse to provide the identity of the caller or their principal.
  • If you are obtaining personal data from a third party organisation for the purposes of direct marketing, you should ensure that you conduct your own due diligence checks to ensure that the appropriate consents are in fact in place.
  • When drafting privacy notices, when setting out to who you will be passing personal data onto for the purposes of direct marketing you need to be fairly specific. It is not sufficient to simply put “selected partners” or phrases that are similarly generic.
  • When sending personal data or sensitive personal data, even to other sites within your own company, it is important to ensure that you have in place adequate technical and organisational measures. Encrypting CDs and memory sticks is easy and cheap to do and therefore should be done whenever sending personal data outside the organisation on such media.
  • You should ensure that when updating the security of your websites and servers that you look at all aspects of your website and severs, including microsites and sub-domains, to ensure that you are taking appropriate precautions to secure the websites and servers.
  • When storing personal data offsite you should ensure that you take steps to keep that personal data safe and secure; off-site storage may not be visited as regularly by staff as your on-site storage and so this should be taken into consideration. When vacating a premises it is important to ensure that you systematically check the premises to ensure that all personal data has been removed from the site – you should be able to evidence your plan and that it was followed.
  • If you’re processing personal data within the European Union which concerns a data subject resident oustide of the European Union then you may be required to comply with a subject access request received from teh data subject.

Enforcement action published in May 2018

IAG Nationwide Limited
IAG Nationwide Limited was served with both an Enforcement Notice [pdf] and a Monetary Penalty Notice in the amount of £100,000. [pdf] IAG Nationwide Limited is an advertising/marketing agency. IAG Nationwide Limited made telephone calls to numbers which were listed with the Telephone Preference Service (TPS) and continued to make such calls even after complaints had been raised with the TPS.  This was a contravention of Regulation 21 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). IAG Nationwide Limited also failed to properly identify itself to those who it called which was a contravention of Regulation 24 of PECR. Indeed, when the Commissioner’s staff contacted the company by telephone they refused to provide its address and only provided an E-mail address which was unregistered and available for sale.

Costelloe and Kelly Limited
Costelloe and Kelly Limited were served a Monetary Penalty Notice in the amount of £19,000 [pdf] after it undertook a direct marketing campaign by text message in a way that contravened Regulation 22 of PECR. The company instigated the transmission of approximately 283,500 test messages promoting products without having in place proper consent to do so. The company had relied upon a list supplied to it by a data provider which said that it had obtained consent for the purposes of direct marketing by text messages. Cotselloe and Kelly Limited conducted little or no due diligence itself to ensure appropriate consent. The consent obtained by its data provider was insufficient as it referred only to providing details to its “partners” and other generic descriptions when getting people to “opt-in”.

SCL Elections Limited
SCL Elections Limited was served with an Enforcement Notice requiring it to comply with a Subject Access Request made to it by a data subject [pdf]. SCL Elections Limited provided some information, for and on behalf of Cambridge Analytica. The data subject was not satisfied with the response and made a request for assessment to the Commissioner. In response, SCL Elections Limited asserted that the data subject had no right to make a subject access request nor a request for assessment to the commissioner as the data subject was a US rather than a UK citizen. The Commissioner disagreed and found that SCL Elections had not fully complied with its obligations.

Crown Prosecution Service
The Crown Prosecution Service (CPS) was served with its second Monetary Penalty Notice for a failure to comply with the seventh data protection principle [pdf]. In November 2016 the CPS received from Surrey Police 15 unencrypted DVDs from Surrey Police. The DCDs contained interviews with alleged victims of child sexual abuse. The DVDs received by the CPS were copies; the originals being maintained by Surrey Police. The DVDs were sent by tracked DX delivery to another CPS office to be examined by specialists and were noted to have been delivered before 7 in the morning. The DVDs were likely to have been left in a reception area where individuals not employed by the CPS could have had access to the package. The CPS could not locate the packages. They therefore did not have in place adequate technical and organisational measures.

The University of Greenwich
The University of Greenwich was served a monetary penalty notice in the amount of £120,000 [pdf] after a breach of security resulted in the personal data of approximately 19,500 individuals being extracted by an authorised attacker. The personal data included sensitive personal data in relation to 3,500 individuals. The attacker posted the personal data on a third party website. The commissioner found that the university had failed to have in place adequate technical and organisational measures to ensure that, so far as was possible, the security breach which occurred did not happen and thus contravened the seventh data protection principle.

Bayswater Medical Centre
Bayswater Medical Centre was served a monetary penalty notice in the amount of £35,000 [pdf] after it left sensitive personal data in an empty premises. The practice had operated from two sites, but merged down to one retaining the second as a storage facility. Another GP practice sought to take over the lease and the Bayswater Medical Centre provided the second GP practice with a set of keys. On numerous occasions the second practice notified Bayswater medical Centre of the presence of the medical centres patient records which were unsecured. Bayswater Medical Centre did nothing to rectify the situation, including failing to remove the records from the premises when the new practice requested them to uplift the records. The Commissioner found that the Medical Centre had failed to comply with the requirements of the seventh data protection principle.

Prosecutions
A limited company and its director have been prosecuted by the Information Commissioner’s Office for failing to comply with an Information Notice. The Information notices were issued in October 2017 and both failed to respond to the notices. The company was fined £1,000 and ordered to pay a £100 victim surcharge while the director was fined £325 and ordered to pay a victim surcharge of £32. The director was also ordered to pay £364.08 in prosecution costs.

A former recruitment consultant was successfully prosecuted by the Information Commissioner’s Office after he illegally obtained personal data. The defendant set up his own recruitment consultancy and left his former employer’s employment. When he left the defendant took 272 CVs from his former employers’ database without consent. He admitted an offence of unlawfully obtaining personal data under section 55 of the Data Protection Act 1998.  He was fined £355 and ordered to pay £35 victim surcharge and £700 prosecution costs by Exeter Magistrate’s Court.

Alistair Sloan

If you require advice and assistance in connection with any of the data protection/privacy issues above, or any other Information Law matter, please do contact Alistair Sloan on 0141 229 0880 or by sending him an E-mail directly.  You can also follow our dedicated information law twitter account.

 

Data Protection/Privacy Enforcement: April 2018

In April the Information Commissioner’s Office published a number of enforcement measures taken against public and private organisations under both the Data Protection Act 1998 (“DPA”) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”).  The key points to draw from the enforcement action this month should be familiar to anyone who has been reading this series of blog posts since it began in September.

Key Points

  • It is important to keep track of personal data, especially when it is sensitive personal data; if it is to be sent out of the organisation ensure that it is properly secured and that a record of it being sent and received is kept.
  • Before sending out information to your customers it is important to consider whether the information you are sending is properly business information (or information you’re required to give by law), or whether it is actually promotional or marketing material. If it’s promotional or marketing material ensure that you only send it to the E-mail addresses of people who have consented to receive promotional or marketing material from you.
  • Make sure that before you conduct a marketing campaign by telephone that you do not include numbers listed with the TPS unless you have the consent of the subscriber to contact them by phone for the purposes of direct marketing.
  • When disclosing information to someone, whether under FOI laws or not, ensure that you do not accidently disclose personal or sensitive personal data of third parties where you do not have legal grounds to do so. Be especially careful with pivot tables, a number of public authorities shave found themselves in regulatory hot water of the use of pivot tables. The ICO produced a helpful blog post in 2013 on the issue of pivot tables.
  • If you are an employee it is important that you remember that you should only be accessing personal data where you have a proper business need to do so and should only be disclosing personal data where you need to do so in order to properly perform your role. You can be held personally liable and find yourself being prosecuted in the criminal courts.

Enforcement action published by the ICO in April 2018

Humberside Police
The Information Commissioner, exercising her powers under section 55A of the DPA, served a Monetary Penalty Notice in the amount of £130,000 [pdf] for breaches of the DPA.  The force conducted an interview of a person alleging that they had been the victim of rape, on behalf of Cleveland Police. The interview was filmed and three copies of it existed: the master and two copies. The discs were unencrypted. They were to be sent to Cleveland Police, but were never received by Cleveland police. Humberside Police were unable to locate the discs or to confirm whether they had ever been posted to Cleveland Police.  The Commissioner found that Humberside Police had failed to comply with the seventh data protection principle and also paragraph 9 of Schedule 1 to the DPA.

Royal Mail Group Limited
The Information Commissioner served a Monetary Penalty Notice on Royal Mail Group Limited for contravening Regulation 22 of PECR.  The Monetary Penalty Notice was in the amount of £12,000 [pdf]. Royal Mail Group is the designated Universal Postal Service Provider in the UK and as such, it has certain statutory responsibilities to disseminate certain information. Royal Mail Group Limited sent E-mails to all of its customers, including those who had opted not to receive electronic marketing, to notify them of a change in price for second class parcels purchased online.  The price change was described as being a “promotional” one. The Commissioner found that this amounted to direct marketing rather than information that Royal Mail was obliged to provide under the Postal Services Act 2011 and was therefore in contravention of Regulation 22 of PECR.

The Royal Borough of Kensington and Chelsea
The Information Commissioner served a monetary penalty notice on the Royal Borough of Kensington and Chelsea in the amount of £130,000 [pdf] for breaches of the DPA. The breach arose out of a request for information made to the council pursuant to the Freedom of Information Act 2000. The Council answered the request for information by providing a pivot table to the requesters. The council did not properly redact the underlying information which was then accessible to the requesters without too much difficulty; the underlying information included personal data.

The Energy Saving Centre Limited
The Information Commissioner has served the Energy Saving Centre Limited with a Monetary Penalty Notice in the amount of £250,000 [pdf] and also with an Enforcement Notice [pdf] for contraventions of PECR.  The Commissioner had found that the Energy Saving Centre Limited had made tens of thousands of marketing calls to numbers which were listed with the Telephone Preference Service and where the individual subscribers to those numbers had not given consent to the Energy Saving Centre Limited to be contacted by phone for marketing purposes.  The Enforcement Notice requires the company to stop making unlawful calls – failure to comply with an Enforcement Notice is a criminal offence.

Approved Green Energy Solutions
The Information Commissioner has served a Monetary Penalty Notice [pdf] on an individual who traded as a sole trader under the name Approved Green Energy Solutions.  The amount of the penalty was £150,000. Approved Green Energy Solutions used a public telecommunications service to make in excess of 330,000 unsolicited telephone calls for the purpose of direct marketing where the line subscriber had listed their number with the Telephone Preference Service (“TPS”). The Commissioner and the TPS received 107 complaints directly from individuals affected.

Prosecutions
A former receptionist/general assistant at Milton Keynes University Hospital NHS Foundation Trust has bene prosecuted by the Information Commissioner after she inappropriately accessed the records of 12 patients when not required to do so in the course of her employment. The defendant entered a plea of guilty to offences of unlawfully accessing personal data and unlawfully disclosing personal data in breach of section 55 of the DPA. The Defendant was fined a total of £300 and ordered to pay a £30 victim surcharge.

Alistair Sloan

If you require advice and assistance in connection with any of the data protection/privacy issues above, or any other Information Law matter, please do contact Alistair Sloan on 0141 229 0880 or by sending him an E-mail directly.  You can also follow our dedicated information law twitter account.

The Information Commissioner’s power to compel information

The Information Commissioner is presently undertaking an investigation into the possible unlawful use of personal data, in particular, data analytics, by political parties and political campaigning organisations.  The most high profile activity that the Commissioner has undertaken in respect of that investigation has to be the obtaining and execution of a warrant to search the offices of Cambridge Analytica.  As part of that investigation it has been reported that a number of persons and organisations involved in politics have been served with Information Notices by the Information Commissioner, including the United Kingdom Independence Party (UKIP), Leave.EU and Arron Banks.

An Information Notice is a formal investigative tool which the Information Commissioner can use in order to gather information.  Her power to issue such notices, in respect of the processing of personal data, is to be found in section 43 of the Data Protection Act 1998.  There are two circumstances in which the Commissioner can issue an Information Notice:  (1) when conducting an assessment pursuant to section 42 of the Data Protection Act 1998; and (2) where the Commissioner reasonably requires any information for the purpose of determining whether the data controller has complied or is complying with the data protection principles.  Broadly speaking this means that the Commissioner can issue an Information Notice either when her office is conducting an investigation at the request of a data subject or an investigation undertaken by her office which has been instigated by the Commissioner herself.

An Information Notice is simply a document which requires the data controller concerned to provide the Commissioner with information specified within the notice relating to the section 42 request or the controller’s compliance with the data protection principles.  However, its simplicity obscures its formality.  The issuing of an Information Notice is a formal step, and is a serious one for the recipient of the notice.  There is an automatic right of appeal against the notice or any part of the notice to the First-Tier Tribunal (Information Rights).  The right of appeal exists precisely because of its formality and the consequences for not complying with the notice.  It has been reported that UKIP has appealed the Information Notice served on it to the Tribunal.

An Information Notice is more than a polite request for information; it is a formal demand for information which is baked up by the threat of sanctions.  It is a criminal offence to fail to comply with an information notice which can result, if convicted, in a fine.  Furthermore, it is a criminal offence  to (i) make a statement in response to an information notice which is known to be false; or (ii) recklessly make a false statement in response to an information notice.

When serving an Information Notice, the Commissioner can specify or describe the information required by her or can be broader and instead specify or describe categories of information that she requires from the data controller.  There are some restrictions though on the information that the Commissioner can require a data controller to provide her with.  A data controller is not required to furnish the Commissioner with (a) “any communication between a professional legal adviser and his client in connection with the giving of legal advice to the client with respect to the person’s obligations, liabilities or rights under [the Data Protection Act 1998]”, or (b) “any communication between a professional legal adviser and his client, or between such an adviser or his client and any other person, made in connection with or in contemplation of proceedings under or arising out of [the Data Protection Act 1998] (including proceedings before the Tribunal) and for the purposes of such proceedings.”

A data controller can also refuse to provide information which would reveal evidence of the commission of any offence.  However, there are some exceptions to this general exception; if the offence is an offence under the Data Protection Act 1998 or offences under certain statutory provisions concerning the giving of false evidence, then the data controller may still be required to provide the Commissioner with that information.

The serving of an Information Notice on a data controller is a significant step by the Commissioner and it is one that data controllers should not take lightly.  The consequences for failing to comply with the notice or for deliberately or recklessly misleading the Commissioner through the provision of false information can see the data controller facing criminal charges.  The Notice can be challenged through the First-Tier Tribunal (Information Rights) which could see part or all of the notice reduced/quashed.  The Data Protection Bill contains provisions in relation to Information Notices which are for the most part identical to the powers found within the Data Protection Act 1998 and so the Commissioner will continue to possess this potentially powerful took once the GDPR becomes a reality next month (subject, of course, to the Data Protection Bill completing is passage through parliament and receiving Royal Assent in time).

Alistair Sloan

If you are facing an investigation by the Information Commissioner in respect of alleged failures to comply with privacy and data protection law, or if you require advice on any other information law matter you can contact Alistair Sloan on 0141 229 0880.  Alternatively you can contact him directly by E-mail.  We also have a dedicated information law twitter account which you can follow.

Data Protection/Privacy Enforcement: March 2018

Probably the most high profile piece of enforcement action taken by the Information Commissioner’s Office in March was its application for, and execution of, a warrant to enter and inspect the offices occupied by Cambridge Analytica as part of the Commissioner’s wider investigation into the use of personal data in politics.  It would seem that data protection warrants get more people excited about data protection than would ordinarily be the case. The Cambridge Analytica warrant was not the only warrant that the Commissioner obtained and executed in March; the Commissioner’s website also published details of a warrant that it executed in Clydebank (Glasgow).  This warrant was directed towards alleged breaches of the Privacy and Electronic Communications (EC Directive) Regulations 2003 which deal with, insofar as this blog is concerned with, the rules concerning direct marketing to individuals by electronic means.

Key Points

  • Care needs to be taken when looking at sharing personal data on a controller-to-controller basis with other companies, including separate companies within the same group of companies. Data controllers need to ensure that they identify what their lawful basis for processing is, provide adequate fair processing information to data subjects in relation to such sharing of personal data and ensure that any changes to their policy in respect of data-sharing do not result in that sharing being for a purpose that is incompatible with those stated at the time of collection.
  • If you, as an individual (whether or not you are yourself a data controller), unlawfully disclose personal data to third parties then you could be liable for prosecution.

Enforcement Action published by the ICO during March 2018

WhatsApp Inc.
An undertaking was given by WhatsApp Inc. In it, WhatsApp undertook not to do a number of things; including not transferring personal data concerning users within the EU to another Facebook-controlled company on a controller-to-controller basis until the General Data Protection Regulation becomes applicable on 25th May 2018.  The undertaking was given after WhatsApp introduced new terms and conditions and a new privacy policy which affected how it processed personal data held by it; in particular, how it would now share personal data with other Facebook-controlled companies.

Prosecutions
A former housing worker was convicted at St. Albans Crown Court after he shared a confidential report identifying a potential vulnerable victim. The defendant was convicted of three charges of unlawfully obtaining disclosing personal data contrary to section 55 of the Data Protection Act 1998.  He was fined £200 for each charge and was ordered to pay £3,500 in costs.

Alistair Sloan

Should you require advice or assistance about UK Data Protection and Privacy law then contact Alistair Sloan on 0141 229 0880.  You can also contact him by E-mail.  You can also follow our dedicated Twitter account covering all Information Law matters@UKInfoLaw

The Information Commissioner’s Powers of Entry and Inspection

Yesterday I wrote a blog post looking at data subject’s rights and lessons for controllers arising out of the Cambridge Analytica and Facebook privacy matter.  In that blog post I mentioned briefly about the Information Commissioner’s powers of entry and search after the Commissioner announced that she was seeking a warrant to enter and search Cambridge Analytica’s premises.   In this blog post I will look at the Commissioner’s powers of entry and search in a bit more detail.

As noted yesterday, the Commissioner’s powers of entry and search are contained in Schedule 9 to the Data Protection Act 1998.  Schedule 9 sets out the circumstances in which a judge can grant a warrant to the Information Commissioner.  The judge considering the application must be satisfied, based on statements made on oath, that the there are reasonable grounds of suspecting that (a) a data controller has contravened or is contravening any of the data protection principles, or (b) that an offence under the Data Protection Act has been or is being committed, and that evidence of the contravention or of the commission of the offence is to be found on any premises specified in the information supplied by the Commissioner.

The Commissioner is generally required, by the terms of Schedule 9 to the Data Protection Act 1998, to jump through some hoops before the judge considering the warrant application can grant the warrant to the Commissioner.  Paragraph 2 of Schedule 9 requires that the judge considering the application be satisfied of a number of other things:

  1. that the Commissioner has given seven days’ notice in writing to the occupier of the premises in question demanding access to the premises, and
  2. that either (i) access was demanded at a reasonable hour and was unreasonably refused, or (ii) although entry to the premises was granted, the occupier unreasonably refused to comply with a request by the Commissioner or any of the Commissioner’s officers or staff to permit the Commissioner or the officer or member of staff to do any of the things she would be entitled to do if she had a warrant (see below); and
  3. that the occupier, has, after the refusal, been notified by the Commissioner of the application for the warrant and has had an opportunity of being heard by the judge on the question whether or not it should be issued.

Where the judge is satisfied that the case is one of urgency or that compliance with those provisions would defeat the object of the entry, the judge does not need to be satisfied of the three things listed above.  In this case, given that the Commissioner announced her intention to apply for a warrant on national television, it is likely that a judge will require to be satisfied of the three conditions listed above.

Who considers an application by the Commissioner for a warrant depends upon the jurisdiction in which the warrant is being applied for.  In England and Wales a District Judge (Magistrates’ Court) or a Circuit Judge has the power to grant the warrant; in Scotland it is the Sheriff and in Northern Ireland it is a Country Court Judge.

A warrant granted under Schedule 9 of the Data Protection Act 1998 gives the Commissioner the power to do a number of things; these things can be found in paragraph 1(3) of the Schedule and are:

  1. to enter the premises
  2. to search the premises
  3. to inspect, examine, operate and test any equipment found on the premises which is used or intended to be used for the processing of personal data;
  4. to inspect and seize any relevant documents or other material found on the premises;
  5. to require any person on the premises to provide an explanation of any document or other material found on the premises;
  6. to require any person on the premises to provide such other information as may reasonably be required for the purpose of determining whether the data controller has contravened, or is contravening, the data protection principles.

The warrant must be executed at a reasonable hour, unless it appears to the person executing it that there are grounds for suspecting that the object of the warrant would be defeated if it were so executed, and within 7 days of the date of issue.  It allows the Commissioner, her officers and staff to use reasonable force to execute the warrant.

There are lots of other, really boring and technical requirements, which I won’t go into; the last thing I will mention is the terms of paragraph 12 of Schedule 9 which makes it an offence to: (i) intentionally obstruct a person in the execution of a warrant issued under Schedule 9; (ii) fail, without reasonable excuse, to give any person executing such a warrant such assistance as he may reasonably require for the execution of the warrant; (iii) makes a statement in response to a requirement  to provide information (see 5 and 6 in the list of powers the warrant gives the Commissioner) which that person knows to be false in a material respect; and (iv) recklessly makes a statement in response to such a requirement which is false in a material respect.

The Commissioner does get warrants from time to time; for example, earlier this month the ICO executed search warrants in relation to two properties in Greater Manchester as part of an investigation into companies suspected of sending text messages in contravention of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).  The provisions of Schedule 9 to the Data Protection Act 1998 apply to PECR by virtue of Regulation 31 of PECR.

Alistair Sloan

If you are a data controller or an individual who is looking for advice and assistance with any aspect of data protection or privacy law, then you can contact Alistair Sloan on 0345 450 0123 or 0141 229 0880.  Alternatively, you can send him an E-mail.

Data Protection, Facebook and Cambridge Analytica

We know that the Information Commissioner is investigating the circumstances surrounding the obtaining of personal data of a considerable number of individuals by Cambridge Analytica.  Cambridge Analytica is a data analytics company that is in the midst of what can only be described as a data protection and privacy scandal.

There are a number of significant allegations being made against Cambridge Analytica about how it obtains and processes personal data.  The Information Commissioner has also revealed that Cambridge Analytica is not cooperating with her investigation to the extent that she is going to apply for a warrant to enter and search their premises.  This means that, in all probability, the Commissioner has already sought access and it has been refused.  Schedule 9 to Data Protection Act 1998 sets out the Information Commissioner’s powers of entry and inspection; it permits the Commissioner to obtain a warrant from the court where the court is satisfied that a data controller has contravened or is contravening any of the data protection principles, or that an offence under this Act has been or is being committed, and that evidence of the contravention or of the commission of the offence is to be found on any premises specified.

This story is moving at quite a pace and is constantly changing with new revelations coming to light; it’s also the subject of an investigation by the Information Commissioner and there is the possibility that the company might face prosecution for offences under Section 55 of the Data Protection Act 1998 depending upon what the Commissioner finds during the course of her investigation.  I am therefore going to try and keep this blog post broad and theoretical rather than trample upon the toes of a live regulatory investigation.

A data controller has a duty to comply with the data protection principles in relation to all of the personal data for which they are the controller, subject to certain specified exemptions set out in statute.  The First data protection principle requires that personal data be “processed fairly and lawfully”; this requires the data controller to meet one or more of the conditions set out in Schedule 2 to the Data Protection Act 1998 (and, in respect of sensitive personal data, a condition in Schedule 3 also requires to be satisfied).

What can individuals do if they are concerned about whether Cambridge Analytica has any personal data concerning them and what they’ve been doing with it?  Data Subjects have a number of rights under the Data Protection Act 1998 and the cornerstone of those rights is the right of subject access.  This is currently given effect to in section 7 of the Data Protection Act 1998 and is not simply about getting copies of the personal data being processed by a data controller:  it consists of a whole suite or rights, of which getting a copy of the personal data is only one aspect.  Under the current law, data controllers are entitled to charge a fee up to a prescribed maximum for dealing with such requests; a request of this nature would attract a fee of £10, but many individuals might well think that this is a price worth paying to know if and how they have been affected by this issue.  Data Controllers have up to 40 days in which to comply with a subject access request.  Some key changes to the right of subject access will come into effect on 25th May 2018, but for now the law contained within the Data Protection Act 1998 is still applicable.

Once you have the response to your subject access request your rights do not end there; once you’ve established what a data controller is processing about you, what they’re doing with it and where they got it from there are a number of other steps that you might be able to take, such as requiring them to cease processing your personal data, complaining to the Information Commissioner or making a claim for compensation.

For data controllers, what is currently unfolding should be seen as an important lesson.  Data can be a useful tool to a business; whether it is being used for targeted marketing campaigns or to work out what consumers want from products and services in your market.  However, there are laws governing data protection and privacy and at the heart of those laws are the principles of fairness and transparency.  Controllers need to be careful as to how they obtain personal data, where they obtain it from, what they do with it and be certain that they have a lawful basis for processing that personal data in the ways that they want to do so; that may be because you have the consent of the data subject, because you have a legitimate interest in the processing or some other lawful ground for processing.  Don’t forget the Privacy and Electronic Communications (EC Directive) Regulations 2003 when conducting direct marketing by electronic means.

Simply because a person has made their personal data available, for example through social media, does not mean that is free to be used by whomever and for whatever they want.  The principles of the Data Protection Act 1998 still apply and the reputational damage that can be suffered may well vastly outweigh any regulatory action taken by the Information Commissioner or by data subjects themselves.

Alistair Sloan

If you are a data controller or an individual who is looking for advice and assistance with any aspect of data protection or privacy law, then you can contact Alistair Sloan on 0345 450 0123 or 0141 229 08800.  Alternatively, you can send him an E-mail.

Data Protection and Privacy Enforcement: February 2018

February is a short month, and did not see the same level of publicity by the Information Commissioner’s Office in respect of enforcement action taken to enforce privacy and data protection laws as was seen in January.

Key points 

  • Failing to comply with an Enforcement Notice is a criminal offence (see section 47 of the Data Protection Act 1998); there is a right of appeal to the First-Tier Tribunal (Information Rights) against the terms of an Enforcement Notice and so if you do not agree with the terms of the notice you should seek legal advice about the possibility of making such an appeal.
  • Employees should be careful what they do with personal data; in most cases the enforcement liability will lie with the employer (although, your employer might take disciplinary action against you for failing to comply with company policies and procedures).  However, there are circumstances when employees can be held personally, and indeed criminally, liable for breaches of the Data Protection act 1998.
  • The right of subject access is a fundamental right of data subjects and data controllers must ensure that they comply with their obligations in respect of a subject access request made by a data subject.  The right of subject access remains a key feature of the new European data protection framework and the GDPR strengthens the right of subject access for data subjects.

Enforcement action published by the ICO during February 2018

Pennine Care NHS Foundation Trust
The ICO has conducted a follow-up assessment [pdf] with Pennine Care NHS Foundation Trust finding that the Trust had complied with the terms of the undertaking which it had previously given [pdf] following a consensual audit [pdf] by the Commissioner’s staff.

Gain Credit LLC
Gain Credit LLC was served with an Enforcement Notice [pdf] by the Information Commissioner for failing to comply with a subject access request made to it.  This came to light after the data subject in question made a request to the Information Commissioner that she carry out an assessment pursuant to section 42 of the Data Protection Act 1998 into whether it was likely or unlikely that the processing by Gain Credit LLC was in accordance with the provisions of the Act.

Direct Choice Home Improvements Limited
In March 2016 Direct Choice Home Improvements Limited was served with a Monetary Penalty Notice in the amount of £50,000 [pdf] and also an Enforcement Notice [pdf] for breaching Regulation 21 of the Privacy and Electronic Communications (EC) Directive Regulations 2003 (PECR).  The company continued to breach Regulation 21 of PECR and the Commissioner prosecuted it for breaching the Enforcement Notice.  The company was not represented at Swansea Magistrates’ Court and was convicted in absence.  The company was fined £400 as well as being ordered to pay £364.08 in prosecution costs and a victim surcharge of £40. (Don’t forget that PECR remains part of the privacy and data protection law landscape when the GDPR becomes applicable in May.)

Other Prosecutions
A former employee of Nationwide Accident Repair Services Limited was prosecuted by the Information Commissioner for unlawfully obtaining personal data contrary to section 55 of the Data Protection Act 1998.  The defendant had sold the personal data of his employers’ customers to a third party who then made use of the personal data to contact some of those customers concerning their accident.  The defendant was convicted and fined £500 as well as being ordered to pay costs of £364 and a victim surcharge of £50.  An offence of unlawfully disclosing personal data was admitted to and taken into consideration by the Court.

A former local authority education worker was prosecuted after she unlawfully disclosed personal data contrary to section 55 of the Data Protection Act 1998.  The defendant had taken a screenshot of a council spreadsheet which concerned the eligibility of named children to free school meals and then sent it onto an estranged parent of one of the children.  She pled guilty to three offences and was fined £850 by Westminster Magistrates’ Court as well as being ordered to pay £713 in costs.

Alistair Sloan

If you require advice or assistance in respect of a data protection or privacy law matter, or any other Information Law matter; then contact Alistair Sloan on 0345 450 0123, or send him and E-mail.

Data Protection/Privacy Enforcement: January 2018

It has been a busy start to the year for the Information Commissioner’s Office (ICO).  The start of 2018 also saw the highest ever sentences imposed on those in breach of Data Protection and Privacy laws in the United Kingdom.  It is time to have a closer look at the Data Protection and Privacy Enforcement action published by the ICO during January 2018 as part of our regular monthly review.  You can read our review of the privacy and data protection enfrocement from December 2017 here.

Key Points

  • If you have access to personal data as part of your employment, ensure that you only access it where there is a genuine professional need for you to do so; even if the reason you are looking for information could be considered harmless.
  • As far as the Information Commissioner is concerned, ‘ignorance is not bliss’; Data Controllers must have adequate and up to date procedures, technology and policies in place to ensure that they are not in breach of any data protection laws or regulations.
  • Organisations can’t generally send advertising or marketing emails unless the recipient has informed the sender that they consent to such emails being sent by, or at the instigation of, that sender.  Any consent must be freely given, explicit and informed but also involve a positive indication signifying the individual’s agreement. In order for consent to be informed by an individual, the individual must know exactly what it is they are consenting to (for more information see Alistair Sloan’s blog post PECR:  The forgotten relative).
  • Failure to notify the Information Commissioner of any personal data breach in accordance with the Notification Regulations will not be tolerated.  If it has come to your attention that there has been a breach, you must come clean and put your hands up. A much wider requirement to notify the ICO of personal data breaches becomes applicable with the GDPR later this year, for more on that see our blog post on Personal Data Breaches under the GDPR.
  • It goes without saying, meticulous attention to detail must be taken when you are sending any correspondence containing personal data, you must ensure that it is sent to the correct person.

Enforcement action published by the ICO in January 2018

The Carphone Warehouse Ltd
The Carphone Warehouse Ltd was served with a Monetary Penalty Notice in the sum of £400,000 after serious failures and inadequate software placed customer and employee data at risk.

Newday Limited
Newday Ltd were served a Monetary Penalty Notice in the sum of £230,000 after approximately 48,096,988 emails were sent to individuals who had not consented to receive marketing, contrary to regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003.  The Commissioner decided that the consent relied on by Newday Limited was not sufficiently informed and therefore it did not amount to valid consent.

TFLI Ltd
TFLI Ltd received a Monetary Penalty Notice of £80,000.  This penalty was also in relation to contravention of regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003.  TFLI Limited sent approximately 1,218,436 unsolicited marketing texts promoting a loan website.

Barrington Claims Ltd
Barrington Claims Ltd were issued a Monetary Penalty Notice in the sum £250,000 after they failed to ensure automated marketing calls were made only to individuals who had consented to receive them. The Commissioner decided to issue a Monetary Penalty under section 55A of the Data Protection Act 1998, in relation to contravention of regulations 19 and 24 of the Privacy and Electronic Communications (EC Directive) Regulations 2003.  The company were unable to provide evidence that it had the consent of individuals to whom it had instigated the calls.

Goody Market UK Ltd
Goody Market UK Ltd were issued a Monetary Penalty Notice in the sum of £40,000 after they failed to ensure that text messages containing marketing material were only sent to individuals who had consented to receive them.  They were also served an Enforcement Notice. The texts were sent on the basis of data sourced from a third party, and purchased on behalf of Goody Market UK Ltd by a data broker.  Goody Market UK Ltd were unable to provide the Commissioner with any evidence that the recipients consented to the marketing messages, having relied on verbal assurance from the data broker.  The Commissioner found that Goody Market UK Ltd had contravened Regulation 22 of PECR.

West Midlands Police
West Midlands Police have signed an Undertaking to comply with the Data Protection Act after the Information Commissioner was informed that a data breach had occurred in relation a Criminal Behaviour Order.  The order was imposed on two individuals, but in a leaflet distributed to publicise the order, the names of the witnesses were revealed.

Miss-sold Products UK Ltd
Miss-sold Products UK Ltd were served a Monetary Penalty Notice in the sum of £350,000 after they failed to ensure that marketing calls were only made to individuals who had consented to receive marketing. The penalty was in relation to contravention of Regulation 19 of the Privacy and Electronic Communications (EC Directive) Regulations 2003.

SSE Energy Supply Ltd
SSE Energy Supply Ltd was issued a Monetary Penalty Notice of £1,000 after they sent an email to an individual in error.   The penalty was issued because of contravention of Regulation 5A of the Privacy and Electronic Communications (EC Directive) Regulations 2003.  This Regulation requires that a provider of a public electronic communications service must notify the Information Commissioner of a personal data breach without undue delay.  SSE Energy Supply Ltd sent an email to the wrong email address, disclosing the name of a customer and their account number.  After they became aware of the breach, SSE Energy Supply Limited did not follow its policies and procedures that were in place and as a consequence there was a delay in reporting the personal data breach to the Information Commissioner.

Prosecutions
There were a number of successful prosecutions reported by the ICO during January 2018:

  1. An investigation by the ICO, which began in 2013, resulted in record fines for Woodgate and Clark Ltd, the company director and private investigators who were involved in the illegal trade of personal information.  A claim had been made on an insurance policy in relation to a fire at business premises which the claimant owned.  Private investigators unlawfully obtained confidential financial information and disclosed it to Woodgate and Clark Ltd, which then disclosed it to an insurer client.  The defendants were all prosecuted under s55 of the Data Protection Act 1998.  Woodgate and Clark Ltd were fined £50,000 in addition to being ordered to pay £20,000 in costs.  The company director was fined £75,000 and was ordered to pay £20,000 in costs; while both private investigators were fined £10,000 and ordered to pay £2,500 in costs.
  2. A director of an accident claims company invented a car crash so that he could trace and get in touch with the owner of a private number plate he wanted to buy.  He was prosecuted at Bristol Magistrates’ Court for a breach of S55 of the Data Protection Act 1998 for the offence of unlawfully obtaining personal data.  He was convicted and received a fine of £335.00.  The defendant was also ordered to pay prosecution costs of £364.08 and a victim surcharge of £33.00.
  3. An individual was charged with two offences of unlawfully disclosing personal data.  The defendant had come into possession of a USB stick and published sensitive police information from it on Twitter.  He was sentenced to a 12 month conditional discharg,e in part because he had been placed on a stringent bail conditions including wearing an electronic tag before the hearing.  He had to pay £150 in cost and £15 victim charge.

Vicki Macleod Folan

If you require advice and assistance in connection with any of the issues above, or any other Information Law matter, please do contact Alistair Sloan on 0345 450 0123 or by completing the form on the contact page of this blog.  Alternatively, you can send him an E-mail directly.