Tag Archives: Direct Marketing

Data Protection/Privacy Enforcement: March 2018

Probably the most high profile piece of enforcement action taken by the Information Commissioner’s Office in March was its application for, and execution of, a warrant to enter and inspect the offices occupied by Cambridge Analytica as part of the Commissioner’s wider investigation into the use of personal data in politics.  It would seem that data protection warrants get more people excited about data protection than would ordinarily be the case. The Cambridge Analytica warrant was not the only warrant that the Commissioner obtained and executed in March; the Commissioner’s website also published details of a warrant that it executed in Clydebank (Glasgow).  This warrant was directed towards alleged breaches of the Privacy and Electronic Communications (EC Directive) Regulations 2003 which deal with, insofar as this blog is concerned with, the rules concerning direct marketing to individuals by electronic means.

Key Points

  • Care needs to be taken when looking at sharing personal data on a controller-to-controller basis with other companies, including separate companies within the same group of companies. Data controllers need to ensure that they identify what their lawful basis for processing is, provide adequate fair processing information to data subjects in relation to such sharing of personal data and ensure that any changes to their policy in respect of data-sharing do not result in that sharing being for a purpose that is incompatible with those stated at the time of collection.
  • If you, as an individual (whether or not you are yourself a data controller), unlawfully disclose personal data to third parties then you could be liable for prosecution.

Enforcement Action published by the ICO during March 2018

WhatsApp Inc.
An undertaking was given by WhatsApp Inc. In it, WhatsApp undertook not to do a number of things; including not transferring personal data concerning users within the EU to another Facebook-controlled company on a controller-to-controller basis until the General Data Protection Regulation becomes applicable on 25th May 2018.  The undertaking was given after WhatsApp introduced new terms and conditions and a new privacy policy which affected how it processed personal data held by it; in particular, how it would now share personal data with other Facebook-controlled companies.

Prosecutions
A former housing worker was convicted at St. Albans Crown Court after he shared a confidential report identifying a potential vulnerable victim. The defendant was convicted of three charges of unlawfully obtaining disclosing personal data contrary to section 55 of the Data Protection Act 1998.  He was fined £200 for each charge and was ordered to pay £3,500 in costs.

Alistair Sloan

Should you require advice or assistance about UK Data Protection and Privacy law then contact Alistair Sloan on 0141 229 0880.  You can also contact him by E-mail.  You can also follow our dedicated Twitter account covering all Information Law matters@UKInfoLaw

Data Protection and Privacy Enforcement: February 2018

February is a short month, and did not see the same level of publicity by the Information Commissioner’s Office in respect of enforcement action taken to enforce privacy and data protection laws as was seen in January.

Key points 

  • Failing to comply with an Enforcement Notice is a criminal offence (see section 47 of the Data Protection Act 1998); there is a right of appeal to the First-Tier Tribunal (Information Rights) against the terms of an Enforcement Notice and so if you do not agree with the terms of the notice you should seek legal advice about the possibility of making such an appeal.
  • Employees should be careful what they do with personal data; in most cases the enforcement liability will lie with the employer (although, your employer might take disciplinary action against you for failing to comply with company policies and procedures).  However, there are circumstances when employees can be held personally, and indeed criminally, liable for breaches of the Data Protection act 1998.
  • The right of subject access is a fundamental right of data subjects and data controllers must ensure that they comply with their obligations in respect of a subject access request made by a data subject.  The right of subject access remains a key feature of the new European data protection framework and the GDPR strengthens the right of subject access for data subjects.

Enforcement action published by the ICO during February 2018

Pennine Care NHS Foundation Trust
The ICO has conducted a follow-up assessment [pdf] with Pennine Care NHS Foundation Trust finding that the Trust had complied with the terms of the undertaking which it had previously given [pdf] following a consensual audit [pdf] by the Commissioner’s staff.

Gain Credit LLC
Gain Credit LLC was served with an Enforcement Notice [pdf] by the Information Commissioner for failing to comply with a subject access request made to it.  This came to light after the data subject in question made a request to the Information Commissioner that she carry out an assessment pursuant to section 42 of the Data Protection Act 1998 into whether it was likely or unlikely that the processing by Gain Credit LLC was in accordance with the provisions of the Act.

Direct Choice Home Improvements Limited
In March 2016 Direct Choice Home Improvements Limited was served with a Monetary Penalty Notice in the amount of £50,000 [pdf] and also an Enforcement Notice [pdf] for breaching Regulation 21 of the Privacy and Electronic Communications (EC) Directive Regulations 2003 (PECR).  The company continued to breach Regulation 21 of PECR and the Commissioner prosecuted it for breaching the Enforcement Notice.  The company was not represented at Swansea Magistrates’ Court and was convicted in absence.  The company was fined £400 as well as being ordered to pay £364.08 in prosecution costs and a victim surcharge of £40. (Don’t forget that PECR remains part of the privacy and data protection law landscape when the GDPR becomes applicable in May.)

Other Prosecutions
A former employee of Nationwide Accident Repair Services Limited was prosecuted by the Information Commissioner for unlawfully obtaining personal data contrary to section 55 of the Data Protection Act 1998.  The defendant had sold the personal data of his employers’ customers to a third party who then made use of the personal data to contact some of those customers concerning their accident.  The defendant was convicted and fined £500 as well as being ordered to pay costs of £364 and a victim surcharge of £50.  An offence of unlawfully disclosing personal data was admitted to and taken into consideration by the Court.

A former local authority education worker was prosecuted after she unlawfully disclosed personal data contrary to section 55 of the Data Protection Act 1998.  The defendant had taken a screenshot of a council spreadsheet which concerned the eligibility of named children to free school meals and then sent it onto an estranged parent of one of the children.  She pled guilty to three offences and was fined £850 by Westminster Magistrates’ Court as well as being ordered to pay £713 in costs.

Alistair Sloan

If you require advice or assistance in respect of a data protection or privacy law matter, or any other Information Law matter; then contact Alistair Sloan on 0345 450 0123, or send him and E-mail.

Data Protection/Privacy Enforcement: January 2018

It has been a busy start to the year for the Information Commissioner’s Office (ICO).  The start of 2018 also saw the highest ever sentences imposed on those in breach of Data Protection and Privacy laws in the United Kingdom.  It is time to have a closer look at the Data Protection and Privacy Enforcement action published by the ICO during January 2018 as part of our regular monthly review.  You can read our review of the privacy and data protection enfrocement from December 2017 here.

Key Points

  • If you have access to personal data as part of your employment, ensure that you only access it where there is a genuine professional need for you to do so; even if the reason you are looking for information could be considered harmless.
  • As far as the Information Commissioner is concerned, ‘ignorance is not bliss’; Data Controllers must have adequate and up to date procedures, technology and policies in place to ensure that they are not in breach of any data protection laws or regulations.
  • Organisations can’t generally send advertising or marketing emails unless the recipient has informed the sender that they consent to such emails being sent by, or at the instigation of, that sender.  Any consent must be freely given, explicit and informed but also involve a positive indication signifying the individual’s agreement. In order for consent to be informed by an individual, the individual must know exactly what it is they are consenting to (for more information see Alistair Sloan’s blog post PECR:  The forgotten relative).
  • Failure to notify the Information Commissioner of any personal data breach in accordance with the Notification Regulations will not be tolerated.  If it has come to your attention that there has been a breach, you must come clean and put your hands up. A much wider requirement to notify the ICO of personal data breaches becomes applicable with the GDPR later this year, for more on that see our blog post on Personal Data Breaches under the GDPR.
  • It goes without saying, meticulous attention to detail must be taken when you are sending any correspondence containing personal data, you must ensure that it is sent to the correct person.

Enforcement action published by the ICO in January 2018

The Carphone Warehouse Ltd
The Carphone Warehouse Ltd was served with a Monetary Penalty Notice in the sum of £400,000 after serious failures and inadequate software placed customer and employee data at risk.

Newday Limited
Newday Ltd were served a Monetary Penalty Notice in the sum of £230,000 after approximately 48,096,988 emails were sent to individuals who had not consented to receive marketing, contrary to regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003.  The Commissioner decided that the consent relied on by Newday Limited was not sufficiently informed and therefore it did not amount to valid consent.

TFLI Ltd
TFLI Ltd received a Monetary Penalty Notice of £80,000.  This penalty was also in relation to contravention of regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003.  TFLI Limited sent approximately 1,218,436 unsolicited marketing texts promoting a loan website.

Barrington Claims Ltd
Barrington Claims Ltd were issued a Monetary Penalty Notice in the sum £250,000 after they failed to ensure automated marketing calls were made only to individuals who had consented to receive them. The Commissioner decided to issue a Monetary Penalty under section 55A of the Data Protection Act 1998, in relation to contravention of regulations 19 and 24 of the Privacy and Electronic Communications (EC Directive) Regulations 2003.  The company were unable to provide evidence that it had the consent of individuals to whom it had instigated the calls.

Goody Market UK Ltd
Goody Market UK Ltd were issued a Monetary Penalty Notice in the sum of £40,000 after they failed to ensure that text messages containing marketing material were only sent to individuals who had consented to receive them.  They were also served an Enforcement Notice. The texts were sent on the basis of data sourced from a third party, and purchased on behalf of Goody Market UK Ltd by a data broker.  Goody Market UK Ltd were unable to provide the Commissioner with any evidence that the recipients consented to the marketing messages, having relied on verbal assurance from the data broker.  The Commissioner found that Goody Market UK Ltd had contravened Regulation 22 of PECR.

West Midlands Police
West Midlands Police have signed an Undertaking to comply with the Data Protection Act after the Information Commissioner was informed that a data breach had occurred in relation a Criminal Behaviour Order.  The order was imposed on two individuals, but in a leaflet distributed to publicise the order, the names of the witnesses were revealed.

Miss-sold Products UK Ltd
Miss-sold Products UK Ltd were served a Monetary Penalty Notice in the sum of £350,000 after they failed to ensure that marketing calls were only made to individuals who had consented to receive marketing. The penalty was in relation to contravention of Regulation 19 of the Privacy and Electronic Communications (EC Directive) Regulations 2003.

SSE Energy Supply Ltd
SSE Energy Supply Ltd was issued a Monetary Penalty Notice of £1,000 after they sent an email to an individual in error.   The penalty was issued because of contravention of Regulation 5A of the Privacy and Electronic Communications (EC Directive) Regulations 2003.  This Regulation requires that a provider of a public electronic communications service must notify the Information Commissioner of a personal data breach without undue delay.  SSE Energy Supply Ltd sent an email to the wrong email address, disclosing the name of a customer and their account number.  After they became aware of the breach, SSE Energy Supply Limited did not follow its policies and procedures that were in place and as a consequence there was a delay in reporting the personal data breach to the Information Commissioner.

Prosecutions
There were a number of successful prosecutions reported by the ICO during January 2018:

  1. An investigation by the ICO, which began in 2013, resulted in record fines for Woodgate and Clark Ltd, the company director and private investigators who were involved in the illegal trade of personal information.  A claim had been made on an insurance policy in relation to a fire at business premises which the claimant owned.  Private investigators unlawfully obtained confidential financial information and disclosed it to Woodgate and Clark Ltd, which then disclosed it to an insurer client.  The defendants were all prosecuted under s55 of the Data Protection Act 1998.  Woodgate and Clark Ltd were fined £50,000 in addition to being ordered to pay £20,000 in costs.  The company director was fined £75,000 and was ordered to pay £20,000 in costs; while both private investigators were fined £10,000 and ordered to pay £2,500 in costs.
  2. A director of an accident claims company invented a car crash so that he could trace and get in touch with the owner of a private number plate he wanted to buy.  He was prosecuted at Bristol Magistrates’ Court for a breach of S55 of the Data Protection Act 1998 for the offence of unlawfully obtaining personal data.  He was convicted and received a fine of £335.00.  The defendant was also ordered to pay prosecution costs of £364.08 and a victim surcharge of £33.00.
  3. An individual was charged with two offences of unlawfully disclosing personal data.  The defendant had come into possession of a USB stick and published sensitive police information from it on Twitter.  He was sentenced to a 12 month conditional discharg,e in part because he had been placed on a stringent bail conditions including wearing an electronic tag before the hearing.  He had to pay £150 in cost and £15 victim charge.

Vicki Macleod Folan

If you require advice and assistance in connection with any of the issues above, or any other Information Law matter, please do contact Alistair Sloan on 0345 450 0123 or by completing the form on the contact page of this blog.  Alternatively, you can send him an E-mail directly.

It’s just legitimite interests, isn’t it?

The General Data Protection Regulation (GDPR) becomes applicable in the United Kingdom on 25th May 2018.  Preparations are well underway in business, government and the regulator for the new privacy and data protection landscape.  People are trying to find their way through the GDPR and the Data Protection Bill to understand exactly what it is that they’re required to do in order to comply with the new framework, but there are a lot of misunderstandings about certain requirements of the GDPR.  I have already dealt with one of those, the issue as to whether or not consent is required under the GDPR on this blog.  Another area where there appears to a lot of misunderstanding is with the legitimate interests ground for processing, especially in the area of direct marketing.

Article 6(1)(f) of the GDPR provides that it is lawful to process the personal data of a data subject where the “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”  This is the legitimate interests ground for processing; but as can be seen from a proper reading of the condition, it is not the silver bullet condition that some people seem to think that it is.

There are essentially three elements to the condition:  (1) necessity; (2) legitimate interests of the controller or a third party; (3) the interests or fundamental rights of the data subject.  Therefore before being able to rely upon legitimate interests as the processing condition, it is essential that controllers go through a three stage process.  The first stage is to identify what the interests are.  In determining whether the interest identified by the data controller is a legitimate interest, it is necessary for them to consider whether a data subject can reasonably expect, at the time and in the context of the collection of the personal data, that processing for this purpose may take place.  If a data subject could not reasonably expect that the processing envisaged by the data controller may take place, at the time and in the context of collection of the personal data, it will not be a legitimate interest.

The second stage is to consider necessity; the processing must be necessary for the legitimate interest(s) being pursued.  If the processing is not necessary then a data controller cannot rely upon the ‘legitimate interests’ condition for processing the personal data in question.  The ICO currently puts it this way “[i]f you can reasonably achieve the same result in another less intrusive way, legitimate interests will not apply.”  It is therefore essential to consider whether there are other ways to fulfil the legitimate interest(s) identified.  The test does not require it to be “strictly necessary” or “absolutely necessary”, but it is still a high test

The final element that needs to be considered before a decision to rely upon legitimate interests can be taken, is whether the legitimate interests are overridden by the fundamental rights and freedoms of the data subject.  This can be a very difficult assessment to make and can, on occasions, be on a knife-edge.  It is fundamentally about proportionality and in a lot of cases the data subject’s fundamental rights and freedoms will override the legitimate interests with the result that another condition needs to be found to enable processing take place.

At the very outset I did mention that there is a lot of misunderstanding about legitimate interests in the field of direct marketing.  It is true that the GDPR does state, in Recital 47, that “[t]he processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”, but it’s not as simple as that.  Firstly it is important to note that the Recital states that it “may be” a legitimate interest; that is not the same thing as saying that it “will be” or “is” a legitimate interest.  It only opens the door to marketing being a legitimate interest; it does not remove the need to consider whether it is, in any given context, a legitimate interest.

Secondly, it is important not to consider the GDPR in isolation.  I have already written about the forgotten relative of the GDPR:  The Privacy and Electronic Communications (EC Directive) Regulations 2003.  These are extremely relevant when conducting direct marketing by electronic means (such a by telephone, E-mail or text message).  Processing personal data for the purposes of marketing might well be lawful because it can be shown that it is a legitimate interest for the controller or a third party, but how that marketing is then delivered must comply with the other relevant laws and codes which regulate marketing activity.

The legitimate interests condition is a flexible one, but data controllers should not assume that if no other condition applies, or is appropriate, that they can simply say “it’s legitimate interests” and be done with it.  Where a controller does rely upon legitimate interests, the accountability principle will kick in and the supervisory authority may well ask for it to be justified.  Therefore, where it is proposed to rely upon legitimate interests a record should be kept demonstrating how each of three elements to the legitimate interests condition is met.

Alistair Sloan

If you would like advice or assistance with a privacy or data protection matter, or any other information law matter then contact Alistair Sloan on 0345 450 0123 or send him an E-mail.

 

PECR: The forgotten relative

Much of the focus in relation to data protection and privacy law is on implementation of the Genera Data Protection Regulation, which becomes applicable from 25 May 2018.  However, many of the discussions that are taking place in respect of GDPR implementation are forgetting the GDPR’s older cousin:  the snappily named Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).  This Directive from the European Union dating from 2002 was implemented in the United Kingdom through the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”).

 The Directive on privacy and electronic communications is concerned with the processing of personal data and the protection of privacy in the electronic communications sector and is of importance to telecommunications providers, Internet Service Providers and any person or organisation who conducts direct marketing by electronic means; however, this blog post is concerned only with direct marketing and is a follow-up to my recent blog post on whether consent is required under the GDPR.

The GDPR might be the big thing at the moment, but it is important not to consider it in isolation.  When thinking about GDPR implementation it is necessary to take a holistic view and think about how it interacts with other laws because these other laws don’t stop having effect just because of the GDPR.  Therefore, it is essential to consider how these other laws affect your GDPR implementation.

The rules on direct marketing by electronic means are relatively simple and straightforward, but this does not stop unlawful behaviour from taking place on an industrial scale.  Rarely does a month go past without the Information Commissioner’s Office publishing information on enforcement action it has taken against businesses arising out of failing to comply with PECR, especially since the law changed to lower the legal threshold for Monetary Penalty Notices in relation to PECR infringements.

Electronic Mail
Electronic Mail includes E-mail and SMS text messaging.  The general rule for direct marketing by electronic mail is that you need consent, as defined by the 1995 Data Protection Directive.  This means that you must have a freely given, specific and informed indication that the person to whom you are directing the marketing wants to receive such marketing.

There is an exception to this which is referred to as the “soft opt-in”.  This applies where you have obtained a person’s personal data “in the course of the sale or negotiations for the sale of a product or service” to them.  You can then send direct marketing to this person, without first gaining their express consent, where you are marketing your own similar products or services.  The data subject must be “given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected”.

Each direct marketing communication that is sent must include a simple means of opt-out of further direct marketing content (and this must be free of charge, except for the costs of transmission of the opt-out).

Telephone:  Automated calls
The rules for direct marketing by telephone are split into automated and unsolicited live telesales calls.  In the case of automated calls with recorded information played when the phone line being called is answered, the subscriber (i.e. the person who has contracted with the telephone service provider) must have notified the caller (or the person instigating the call where the caller is a third party acting on behalf of the instigator) that, for the time being, they consent to receiving such calls.  Again, this requires there to be a freely given, specific and informed indication.  Consent can be withdrawn.

Telephone:  Unsolicited live telesales calls
You do not require consent to make such calls; however, you must not make such calls where the subscriber has notified you that they do not wish to receive such calls, or if the number is registered with the Telephone Preference Service (TPS).  You can call numbers registered with the TPS where the subscriber has consented to receiving calls from you, notwithstanding that the number is registered with the TPS.  Consent can, as always, be withdrawn at a later date.

Fax
Yes, it is still a thing and some people (and indeed whole sectors) still use fax machines.  However, as it is more or less an obsolete technology all I will say on the matter is that PECR regulates the use of fax for direct marketing and the relevant parts are Regulations 20 and 25.

That is a very brief run through of the relevant law as it stands today.  However, a couple of points to note in closing:  Firstly, the EU is currently working on a replacement to the current Directive.  It had been anticipated that the new E-Privacy Regulation would be implemented alongside the GDPR, but work started on it too late and so it won’t.  Whether it will be finalised in and in force prior to Brexit is something that we will need to wait and see.  Secondly, depending on what happens with the Brexit negotiations it may still end up being part of UK law even if it comes into force after the UK leaves the EU.  Thirdly, there is likely to be some temporary adjustments to PECR from 25 May 2018, that is because PECR adopts a lot of definitions from the Data Protection Act 1998 and the 1995 Data Protection Directive (both of which will be repealed on 25 May 2018).  Finally, the domestic Regulations were made under the European Communities Act 1972; therefore the European Union (Withdrawal) Bill may well have some impact upon them.

Alistair Sloan

If you would like advice or assistance with a privacy or data protection matter, or any other information law concern then contact Alistair Sloan on 0345 450 0123 or send him an E-mail.

Data Protection/Privacy Enforcement: November 2017

A bit later than normal, it is time for our monthly review of the enforcement action taken by the Information Commissioner in respect of Privacy and Data Protection matters during the month of November 2017.  This follows on from our reviews covering September 2017 and October 2017.

Key Points

  • Ensure that when you are collecting personal data that you are clear and open about what it will be used for.  If it is to be supplied to third parties for direct marketing purposes state as accurately as possible who those third parties are –  stating that it will be shared with “carefully selected partners” is not going to be sufficient.
  • When undertaking direct marketing by electronic means, such as by E-mail or text message, ensure that you have in place the necessary consent (and remember the definition of consent in the Data Protection Directive) of the recipient before sending your marketing messages.
  • Once again, if you have access to personal data as part of your employment, ensure that you only access it where there is a legitimate business need for you to do so.  Do not send personal data to your own personal E-mail address without first explaining to your employer why you need to do it and getting their consent to do so.

Enforcement action published by the ICO in November 2017

Verso Group (UK) Limited

Verso Group (UK) Limited was served with a Monetary Penalty Notice [pdf] in the amount of £80,000.  Verso had been supplying personal data to third parties to enable those third parties to conduct direct marketing campaigns; the Commissioner considered that Verso had breached the First Data Protection Principle in doing so.  This was because the Commissioner did not consider that the terms and conditions and privacy policies of Verso and those other companies from which it obtained personal data were clear enough to make the processing by Verso fair and lawful.

Hamilton Digital Solutions Limited

Hamilton Digital Solutions Limited were served with an Enforcement Notice [pdf] and a Monetary Penalty Notice [pdf] in the amount of £45,000 after the company were responsible for the sending of in excess of 150,000 text messages for the purposes of direct marketing in breach of the Privacy and Electronic Communications (EC Directive) Regulations 2003.

Prosecutions

There were a number of successful prosecutions reported by the ICO during the month of November 2017:

Prosecution 1 –
A former employee of a community based counselling charity was prosecuted by the ICO at Preston Crown Court and pleaded guilty to three charges under Section 55 of the Data Protection Act 1998.  The Defendant had sent a number of E-mails to his personal E-mail address which contained sensitive personal data of clients, without his employers’ consent.  He was given a 2 year Conditional Discharge, ordered to pay costs of £1,845.25 and a £15 Victim Surcharge.

Prosecution 2 –
An employee of Dudley Group NHS Trust pleaded guilty two offences under Section 55 of the Data Protection Act 1998:  one of unlawfully obtaining personal data and one of unlawfully disclosing personal data.  The defendant had accessed the medical records of a neighbour and former friend medical records and also disclosed information about a baby.  She was fined a total of £250 (£125 for each offence) and was ordered to pay prosecution costs amounting to £500 and a victim surcharge of £30.

Prosecution 3 –
A former nursing auxiliary at the Royal Gwent Hospital in Newport was fined £232 for offences under Section 55 of the Data Protection Act 1998.  She was also ordered to pay prosecution costs of £150 and a victim surcharge of £30.  The Defendant had unlawfully accessed the records of a patient who was also her neighbour

Alistair Sloan

If you require advice and assistance in connection with any of the issues above, or any other Information Law matter, please do contact Alistair on 0345 450 0123 or by completing the form on the contact page of this blog.  Alternatively, you can send him an E-mail directly.

Data Protection/Privacy Enforcement: October 2017

Continuing the regular monthly look at Data Protection and Privacy enforcement taken by the Information Commissioner, this blog post reviews the enforcement action published during October 2017.

Key Points

  • When seeking consent for the purposes of direct marketing, be clear and precise in the language that you use.
  • When buying-in lists of contact details for the purpose of Direct Marketing you are responsible for ensuring that the there is valid consent in place so carry out your own due-diligence.
  • You are responsible for the direct marketing calls made by your agent as you are the instigator of the calls
  • If you have access to personal data as part of your job, do not access it unless you have a valid reason to do so in connection with your employment.

Enforcement Action published by ICO in October 2017

Xerpla Limited

Xerpla Limited was served with a Monetary Penalty Notice [pdf] in the amount of £50,000 after the Information Commissioner found that they had sent more than 1 million unsolicited direct marketing communications by electronic mail.  The Information Commissioner considered that Xerpla was not clear or specific enough about who subscribers were agreeing to receive marketing from.

Vanquis Bank Limited

Vanquis Bank Limited were served with an Monetary Penalty Notice [pdf] in the amount of £75,00 and an Enforcement Notice [pdf] after the Information Commissioner found that they had sent text messages and E-mails marketing credit cards without consent.

The Lead Experts Limited

The Lead Experts Limited were served with a Monetary Penalty Notice [pdf] in the amount of £70,000 and an Enforcement Notice [pdf] after the Information Commissioner found that they had instigated automated marketing calls to telephone subscribers without the subscriber’s consent.

Prosecutions

A former employee of Kent and Medway NHS and Social Care Partnership Trust was fined £300, ordered to pay prosecution costs of £364.08 and a victim surcharge of £30 after pleading guilty to an offence under the Data Protection Act 1998.  The defendant had accessed the health records of a single patient 279 times over a three-week period in October and November 2015, viewing the files up to 50 times in a day.  The patient was known to the defendant, but she had no valid lawful reason to access the records and did so without her employer’s consent.

Alistair Sloan

If you require advice and assistance in connection with any of the issues above, or any other Information Law matter, please do contact Alistair on 0345 450 0123 or by completing the form on the contact page of this blog.  Alternatively, you can send me an E-mail directly.

Data Protection/Privacy Enforcement: September 2017

Following on from last month’s post looking at the Data Protection/Privacy Enforcement taken in August 2017, it is now time to review what data protection/privacy enforcement the ICO publicised during September 2017.

Key Points

The key points from the enforcement action publicised by the ICO during the course of September are:

  • Ensure that where your organisation undertakes direct marketing by telephone, you do not make calls to numbers which are listed on the Telephone Preference Service; unless you have been given consent to make such calls.
  • Before you engage in a marketing campaign by making automated telephone calls, ensure that you have consent from the subscribers to the numbers that you intend to call, whether the numbers are registered with the telephone Preference Service or not.
  • Generally you require the consent of the recipient before you can send marketing materials by electronic means (including text messages and E-mail).
  • It is important that all employees (including agency and temporary staff) have an adequate level of data protection training for their job role and that there is in place ongoing refresher training on a regular basis.
  • If you are an employee and have access to personal data as part of your job role, do not make use of that access for any purposes not required as part of your employment; including for personal purposes.  Also, don’t forward personal data to your personal E-mail, for any reason, unless your employer has agreed to it first.

Enforcement Action published by ICO in August 2017

True Telecom Limited

True Telecom Limited were served with a Monetary Penalty Notice [pdf] in the amount of £85,000 and an Enforcement Notice [pdf] after the Commissioner had found that True Telecom was responsible for 201 unsolicited telephone calls for the purposes of direct marketing made to numbers registered with the Telephone Preference Service, contrary to the requirements of the Privacy and Electronic Communications (EC Directive) Regulations 2003.

Cab Guru Limited

Cab Guru Limited were served with a Monetary Penalty Notice [pdf] in the amount of £45,000 after the Commissioner found that it had instigated the transmission of more than 350,000 text messages for the purposes of direct marketing without having the consent of the intended recipient to do so, contrary to the requirements of the Privacy and Electronic Communications (EC Directive) Regulations 2003.

Your Money Rights Limited

Your Money Rights Limited were served with a Monetary Penalty Notice [pdf] in the amount of £350,000 after the Commissioner found that it had instigated more than 146,000,000 automated marketing calls without having the consent of the subscribers to the number(s), contrary to the requirements of the Privacy and Electronic Communications (EC Directive) Regulations 2003.

Easy Leads Limited

Easy Leads Limited were served with a Monetary Penalty Notice [pdf] in the amount of £208,000 and an Enforcement Notice [pdf] after the Commissioner found that the company had instigated more than 16,500,000 automated marketing telephone calls without having the consent of the subscribers to the numbers, contrary to the requirements of the Privacy and Electronic Communications (EC Directive) Regulations 2003.

Dyfed Powys Police

The Chief Constable of Dyfed Powys Police signed an undertaking [pdf] to ensure compliance with the seventh data protection principle after a number of breach incidents occurred which highlighted that many of the force’s police officers had received no data protection training and that there was no refresher training in place either.  The Commissioner did not take formal enforcement action against Dyfed Powys Police on the basis of remedial actions which had already been taken by the controller.

Prosecutions

A former employee of The University Hospitals of North Midlands NHS Trust was prosecuted at North Staffordshire Magistrates’ Court for an offence under Section 55 of the Data Protection Act 1998. The former employee accessed the sensitive medical records of colleagues as well as people she knew that lived in her locality, without the consent of the data controller. The defendant entered a plea of guilty and was fined £700, ordered to pay costs of £364.08 and a Victim Surcharge in the amount of £70.

A former employee of Leicester City Council was convicted of an offence under Section 55 of the Data Protection Act 1998 at Nuneaton Magistrates’ Court after he unlawfully obtained personal data.  The defendant emailed personal data relating to 349 individuals, which included sensitive personal data of service users of the Adult Social Care Department, to his personal email address without his employers’ consent.  He was fined £160, ordered to pay £364.08 prosecution costs and a victim surcharge in the amount of £20.

Alistair Sloan

If you require advice and assistance in connection with any of the issues above, or any other Information Law matter, please do contact Alistair on 0345 450 0123 or by completing the form on the contact page of this blog.  Alternatively, you can send me an E-mail directly.

Data Protection/Privacy Enforcement – August 2017

In this blogpost I shall be looking at the enforcement action taken by the Information Commissioner in the fields of data protection and privacy which was publicised during August 2017.  It is hoped that this will become a regular monthly feature on this blog.

Key Points

The key points from the enforcement action publicised by the ICO during the course of August are:

  • Ensure that where your organisation undertakes direct marketing by telephone, you do not make calls to numbers which are listed on the Telephone Preference Service; unless you have been given consent to make such calls.
  • Ensure that contractors who have access to personal data only have access to that personal data which is necessary for the services that they are providing to you.
  • Ensure that you have appropriate technical and organisational measures in places to prevent the unauthorised or unlawful processing of personal data when processing personal data over the internet.
  • Ensure that all of your staff (including temporary and agency staff) are given data protection training which is appropriate to their job role, and to ensure that regular refresher training is undertaken.
  • If you are an employee and have access to personal data as part of your job role, do not make use of that access for any purposes not required as part of your employment; including for personal purposes.

Enforcement Action published by ICO in August 2017

H.P.A.S Limited (trading as Safestyle UK)

H.P.A.S Limited were served with a Monetary Penalty Notice [pdf] in the amount of £70,000 and an Enforcement Notice [pdf] after the Commissioner found that they had made unsolicited direct marketing calls to telephone numbers which were listed on the Telephone Preference Service.

Laura Anderson Limited t/a Virgo Home Improvements

Laura Anderson Limited were served with a Monetary Penalty Notice [PDF] in the amount of £80,000 and an Enforcement Notice [pdf] after the Commissioner found that they had made unsolicited direct marketing calls to telephone numbers which were listed on the Telephone Preference Service.

Home Logic UK Limited

Home Logic UK Limited were served with a Monetary Penalty Notice [pdf] in the amount of £50,000 after the Commissioner found that they had made unsolicited direct marketing calls to telephone numbers which were listed on the Telephone Preference Service.

Talk Talk Telecom Group Plc

Talk Talk Telecom Group Plc were served with a Monetary Penalty Notice [pdf] in the amount of £100,000.  The Commissioner found that they had failed to have in place adequate technical and organisational measures to prevent against the unauthorised or unlawful processing of personal data.  Talk Talk Telecom Group Plc had in place unjustifiably wide-ranging access to personal data by external agents, which put that personal data at risk.

London Borough of Islington

The London Borough of Islington was served with a Monetary Penalty Notice [pdf] in the amount of £70,000.  The Commissioner found that the Borough’s parking enforcement application had design flaws and some of the functionality was misconfigured, allowing for unauthorised access to personal data.

Nottinghamshire County Council

Nottinghamshire County Council was served with a Monetary Penalty Notice [pdf] in the amount of £70,000.  The Commissioner found that the Council had failed to have in place an authentication process for accessing an internet based allocation service for home carers; this left personal data and sensitive personal data exposed on the internet.

Cheshire West and Chester Council

Cheshire West and Chester Council signed an undertaking [pdf] stating that they would take certain steps to ensure compliance with the Data Protection Act 1998.  In particular the Commissioner was concerned that a number of self-reported incidents by the council involved staff who had not received data protection training.

Prosecution

A former employee of Colchester Hospital University NHS Foundation Trust was prosecuted in The Colchester Magistrates’ Court.  The Defendant pleaded guilty to offences under Section 55 of the Data Protection Act 1998.  She had accessed the sensitive health records of friends and people she knew and disclosed some of the personal information she obtained obtained.  She was fined £400 for the offence of obtaining the personal data and £650 for the offence of disclosing the personal data.  She was also required to pay prosecution costs and a victim surcharge.

I can provide advice and assistance on a wide range of information law matters.  If you wish to discuss an information law matter with me then you can contact me on 0345 450 0123 or by completing the form on the contact page of this blog.  Alternatively, you can send me an E-mail directly.

Alistair Sloan