Tag Archives: DPA1998

Data Protection/Privacy Enforcement: August 2018

August was another quiet month in terms of the data protection and privacy enforcement action published by the Information Commissioner’s Office. There were just two Monetary Penalty Notices published by the ICO last month. There are still a few key points to draw from last month’s published enforcement action – some of which are featured fairly regularly on these monthly blogposts, but are worthy of repitition.

Key Points

  • When carrying out direct marketing by telephone it is important that you check the intended list against the list held by the Telephone Preference Service before undertaking the campaign. If any number you intend on calling appears on that list you must satisfy yourself that you have sufficient evidence to support that you can still call that number, despite it being on the TPS.
  • If you’re getting your telephone lists from a third party then you must still do your own due diligence. Ensure that you have received sufficient evidence from the seller that the persons on the list have, in fact, indicated that they don’t mind being marketed to.
  • When drafting a privacy notice which sets out that you may share personal data with third parties it is important to be as accurate and precise as possible. It is not enough to include something along the lines of that you will share personal data with “carefully selected partners” and if you have a detailed list of organisations (or categories of organisations) that you may share personal data with, it is important that you do not share personal data with third parties who do not fall within that list.

Enforcement action published by the ICO in August 2018

AMS Marketing Limited
AMS Marketing Limited was served with a Monetary Penalty Notice in the amount of £100,000 [pdf] after if breached Regulation 21 of the Privacy and Electronic Communications (EC Directive) Regulations 2003. AMS Marketing had made in excess of 75,000 calls to numbers which were listed with the Telephone Preference Service and were unable to demonstrate to the Commissioner that they had been notified by the subscriber that they did not object, for the time being, to receiving calls for the purpose of direct marketing.

Lifecycle Marketing (Mother and Baby) Ltd
Life Style Marketing (Mother and Baby) Ltd (also known as ‘Emma’s Diary’) was served with a Monetary Penalty Notice in the amount of £140,000 after it failed to comply with the first data protection principle in Schedule 1 to the Data Protection Act 1998 (“DPA1998”). The company sold the personal data of more than 1 million individuals to the Labour Party for use in its campaign during the General election that took place in 2017 without telling those individuals that this is something that it might do with their personal data. The company, the Commissioner found, had no lawful basis within Schedule 2 of the DPA1998 for processing the personal data of those individuals.

Alistair Sloan

If you require advice and assistance in connection with any of the data protection/privacy issues above, or any other Information Law matter, please do contact Alistair Sloan on 0141 229 0880 or by sending him an E-mail directly.  You can also follow our dedicated information law twitter account.

 

 

Data Protection/Privacy Enforcement: July 2018

The summer period can often be a bit quitter than normal and that was certainly true in terms of the volume of data protection and privacy enforcement action published by the Information Commissioner’s Office (but not so much for me, which is why this month’s look at the previous month’s enforcement action is coming later in the month than usual). There were just three pieces of enforcement action published on the ICO’s website during the month of July: two monetary penalty notices and information relating to the prosecution of one business. The key points for this month’s blog post will not be unfamiliar to people who regularly read this feature.

Key Points

  • Remember that if you wish to directly market individuals by electronic mail (which includes SMS) then, unless you are able to avail yourself of the very limited “soft opt-in”, then you must have received (and be able to demonstrate that you have received) consent from the individual. The GDPR has not changed the rules around direct marketing by electronic means (or, indeed, by telephone). These forms of direct marketing continue to be governed by the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”).
  • It is the responsibility of the person instigating direct marketing by electronic means to satisfy themselves that the campaign they are about to embark upon is lawful. Companies engaged in direct marketing campaigns where the data has come from a third party should undertake adequate checks to ensure that they can lawfully market to the intended recipients.
  • When sending out bulk E-mails it is important to ensure that proper procedures are in place and followed. Not placing the E-mail addresses into the “BCC” field is a fairly common error, which can be costly to an organisation (both in terms of the financial cost as well as reputation). If sending out bulk E-mails is going to be necessary, it may be worthwhile looking at investing in products and services which help to ensure that the personal data of the recipients is kept safe and secure.
  • It is important to ensure that data controllers comply with the terms of Information Notices served on them by the Commissioner. While it is no longer a criminal offence to fail to comply with an Information Notices (if it is served under the Data Protection Act 2018); the Commissioner can issue persons upon whom they are served with administrative fines should they fail to comply.
  • Notification is no longer required under the General Data Protection Regulation, but domestic law still requires data controllers (unless they fall into an exempt category) to pay a fee. The Commissioner has the power to issue a fixed penalty to controllers who have not paid a fee when they should have.

Enforcement action published during the month of July 2018

STS Commercial Limited
STS Commercial Limited, a welsh-based company, was served with a Monetary Penalty Notice in the sum of £60,000 [pdf] after it sent direct marketing by text message to over 270,000 people in contravention of Regulation 22 of PECR. The company was reliant upon consent which had been provided to a third party and carried out no due diligence of its own to ascertain that the consent met the requirements of PECR.

Independent Inquiry into Child Sex Abuse
The Independent Inquiry into Child Sex abuse was established by the Government to conduct an independent investigation into historic child sexual abuse. The Inquiry was served with a monetary penalty notice by the Information Commissioner in the amount of £200,000 [pdf] after it revealed the identities of abuse victims in a mass E-mail. The incident occurred after a member of the Inquiries staff entered the E-mail addresses of victims and survivors into the “to” field, instead of the “bcc” filed on more than one occasion. Each recipient of the E-mail therefore see the E-mail addresses of every other recipient, some of which contained the full name of the recipient (while others contained a partial name).

Prosecutions
Noble Design and Technology (based in Telford, Shropshire), was prosecuted by the Information Commissioner after it failed to comply with the terms of an Information Notice. The company had also failed to notify with the Information Commissioner, despite being required to do so. The company was convicted in its absence at Telford Magistrates’ Court and was fined £2,000 for failing to comply with an Information Notice. The company was also fined £2,500 for processing personal data without having notified (when it should have) and was also ordered to pay prosecution costs of £364.08 and a victim surcharge of £170.

Alistair Sloan

If you require advice and assistance in connection with any of the data protection/privacy issues above, or any other Information Law matter, please do contact Alistair Sloan on 0141 229 0880 or by sending him an E-mail directly.  You can also follow our dedicated information law twitter account.

Information Notices: UKIP -v- Information Commissioner

Last week the Information Commissioner published an update on her investigation into the use of personal data in political campaigning; it received much publicity and I wrote about the report on this blog. In the report it was revealed that the First-Tier Tribunal (Information Rights) (hereafter “FTT”) had dismissed an appeal by the United Kingdom Independence Party (“UKIP”) against an Information Notice served upon it by the Commissioner.

I have previously written on Information Notices more generally (which dealt with them under the Data Protection Act 1998 (”DPA98”), rather than the Data Protection Act 2018(“DPA18”)) and so I don’t propose to set out in any detail what an Information Notice is; however, in brief the Commissioner had the power to compel a person (not just a data controller) to provide her with certain information under section 43 of the DPA98; failure to comply with an Information Notice issued under the DPA98 is a criminal offence.

In my blog post last week I said that I would try and blog when the FTT published its decision in respect of UKIP’s appeal against the Information notice. The FTT has now published its decision in United Kingdom Independence Party (UKIP) –v– The Information Commissioner [pdf]. The background to the Information Notice is set out in the decision, but it appears that the Commissioner’s office wrote to UKIP asking it to provide certain information. UKIP responded, but did so in a very unsatisfactory manner. In particular the answers given were lacking in detail and contradicted information obtained by the Commissioner’s office from the Electoral commission website.  As a result, the Commissioner used her power to compel information from UKIP.

UKIP appealed on the grounds that the Information Notice was “unjust, disproportionate and unnecessary because the UKIP has never suggested it would not comply and that a preferable course of action would have been for the Commissioner to write seeking clarification and specific details.“ [para 13] It seems that the Tribunal issued Directions asking the Commissioner whether she could issue a fresh Information notice because the FTT was not clear on certain matters; however, it was pointed out that this was not open to either the FTT or the Commissioner and that the FTT must allow or dismiss the appeal by UKIP.

The matters upon which the FTT was uncertain were clarified by the Commissioner and ultimately the appeal was dismissed by the FTT. The appeal was considered, at the request of both parties, on the papers alone and therefore no hearing took place. The Tribunal concluded that “the expressed intention of UKIP to provide information and co-operate with the Commissioner is at odds with the information provided by UKIP.” [para 19] UKIP was not arguing that the Notice was not issued “in accordance with the Data Protection Act [1998]” [para 20].

It appears from the FTT’s decision that UKIP later did try to argue that it was not in accordance with the law founding upon the FTT’s own request for clarification; however, the FTT decided that the “notice, of itself, is clear”  and that the reasoning advanced by UKIP did “not provide grounds for allowing this appeal.” [para 25]

The Tribunal also concluded that the appeal had no merit [para 26] before unanimously dismissing the appeal [para 27].

Information Notices are not a common feature of the data protection enforcement landscape. UKIP could seek to appeal the FTT’s decision to dismiss its appeal and whether UKIP seek permission to appeal the decision to the Upper Tribunal remains to be seen. My own view, from the information available in the FTT’s judgment, is that the ultimate conclusion of the FTT was correct; however, the route by which the FTT arrived at that conclusion is unhelpful and may be enough to persuade either the FTT or the Upper Tribunal to grant permission to appeal.

From reading the FTT’s decision it appears that there might have been some confusion on the part of the FTT concerning what its functions were in respect of Information Notices and what the statutory scheme for such a notice was. Whether this was down to the way in which the Commissioner had presented the case on the papers or down to a genuine lack of understanding by the FTT is something that we might never know (especially if there is no appeal by UKIP to the Upper Tribunal)

In terms of the actual decision; it is not at all surprising that the FTT did not take UKIP’s assertion that it would co-operate with the Commissioner at face value when presented with its response to the Commissioner’s more informal request for information from them. It underlines the importance of genuinely engaging with the Commissioner when they are undertaking investigations – they do have certain powers to assist them with their investigation and they do seem willing to use those powers where they feel as though they need to do so.

The framework for Information Notices has changed slightly under the GDPR/DPA18 – it’s no longer a criminal offence to fail to comply with an Information Notice; however, the Commissioner could go to court and obtain an Information Order from the Court where an Information Notice is not complied with. A right of appeal to the FTT continues to exist against Information Notices issued under the DPA18.

Alistair Sloan

If you are facing an investigation by the Information Commissioner in respect of alleged failures to comply with privacy and data protection law, or if you require advice on any other information law matter you can contact Alistair Sloan on 0141 229 0880.  Alternatively you can contact him directly by E-mail.  We also have a dedicated information law twitter account which you can follow.

Data Protection/Privacy Enforcement: June 2018

June was exceptionally good weather wise with lots of bright and sunny weather, but the outlook for some data controllers was not so bright or sunny as the Information Commissioner took action againt them for data protection and privacy breaches. Many of the key points arising out of last month’s enforcement action make a regular appearance on this blog. In relation to enforcement of (the now repealed) Data Protection Act 1998, the focus remains heavily on breaches of the seventh data protection principle relating to technical and organisational measures.

Key Points

  • Train, train, train – training is a key aspect of a data controllers ability to reduce the risk of suffering a data breach. Ensuring that all staff receive appropriate training on data protection relevant to their job role upon induction; and regular refresher training thereafter, is a core aspect of ensuring that the organisation has in place adequate organisational measures. It’s also important to ensure that people actually undertake induction and referesher training on offer. It is all very well having lots of well designed and worked-out policies, procedures and training material, but if nobody is being trained on the policies and procedures, then the controller might as well have not made the investment in the first place.
  • Sending bulk E-mails is a high risk activity and extreme care should be taken to ensure that personal data is not inappropriately revealed. The manual entry of E-mail addresses can pose a significant risk; even if there is a well documented procedure to use the Bcc field (and everyone has undergone their induction and refresher training setting out this procedure).
  • The right of subject access is a core right of data subjects and it is therefore important that data controllers have in place adequate procedures to identify, record, track and respond to subject access requests. A failure to comply with a subject access request can result in a data subject making a complaint to the Information Commissioner (who may take enforcement action) or applying to the court for an order forcing the data controller to comply.
  • When conducting direct marketing campaigns by electronic means, make sure that you really do have in place the appropriate consents. Further, if you’re sending something as a service message make sure it really is a service message and not a marketing message dressed up as a service message.
  • If you are making live telephone calls for the purposes of direct marketing you must ensure that you do not make calls to telephone numbers listed with the Telephone Preference Service unless you have clear consent to do so.

Enforcement action published in June 2018

 The British and Foreign Bible Society
The British and Foreign Bible Society was served with a Monetary Penalty Notice in the amount of £100,000 [pdf] after suffering a ransomware attack. This had been possible after a brute-force attack had exploited a vulnerability of a weak password. This gave them access to the Remote Desk Server (which allowed home working). The attackers were therefore able to access personal data. The Commissioner considered that the British and Foreign Bible Society did not have in place adequate organisational and technical measures and as such was in breach of the seventh data protection principle.

Chief Constable of Humberside Police
The Chief Constable of Humberside Police gave an undertaking to the Information Commissioner after loosing interview disks and written notes concerning n allegation of rape [pdf]. Humberside Police had conducted the interviews on behalf of another force. During the course of the Commissioner’s investigation into the data breach, it transpired that training compliance within the force on data protection was only 16.8%. Of the three officers involved in the initial incident, two had received training some years ago and the third had received no training at all.

Chief Constable of Gloucestershire Police
The Chief Constable of Gloucestershire Police was served with a Monetary Penalty Notice in the amount of £80,000 [pdf] after sending a bulk E-mail which identified victims of historic child abuse. In December 2016 an officer sent an update about investigations into allegations of child abuse relating to multiple victims. The officer did not make use of the ‘Bcc’ function and instead entered all of the E-mail addresses into the “to” field thus revealing the E-mail addresses of every recipient to every other.

Ainsworth Lord Estates Limited
Ainsworth Lord Estates Limited was served with an Enforcement Notice after it failed to respond to a Subject Access Request made by a data subject [pdf]. The data subject made a subject access request to the controller and got an out of office response; when they received no response they attempted to engage with the controller, but got no response. When the Commissioner became involved her office attempted to contact the controller, but had no success in receiving a response.

British Telecommunications Plc
British Telecommunications Plc (BT) was served with a Monetary Penalty Notice in the amount of £77,000 [pdf] for breaching the provisions of the Privacy and Electronic Communications (EC Directive) regulations 2003. A complaint was made to the ICO by an individual who had opted out of receiving marketing communications from BT when they received a message from BT promoting its ‘My Donate’ platform. The Commissioner opened an investigation as it appeared the message had been sent to  the whole of BT’s marketing database. BT advised the Commissioner that it considered that the message re ‘My Donate’ was a service message, rather than a marketing message. Two other marketing campaigns took place, which BT accepted were marketing campaigns and argued that they had complied with the requirements of PECR by only sending it to those who had opted-in; BT purported to also reply upon the ‘soft opt-in’. The Commissioner found that in relation to all three campaigns, BT had failed to comply with Regulation 22 of PECR.

Our Vault Limited
Our Vault Limited was served with an Enforcement Notice [pdf] and also with a Monetary Penalty Notice in the amount of £70,000 [pdf] after it failed to comply with the provisions of PECR. The company made live telephone calls for the purposes of marketing the products of a third party company (under the guise of conducting lifestyle research); including to numbers that were listed with the Telephone Preference Service where they did not have the consent of the subscriber to do so, contrary to Regulation 21 of PECR.

Horizon Windows Limited
Horizon Windows Limited was served with an Enforcement Notice after it failed to comply with the provisions of Regulation 21 of PECR [pdf]. In this case complaints continued to be received by the Commissioner during the course of her offices’ investigation.

Alistair Sloan

If you require advice and assistance in connection with any of the data protection/privacy issues above, or any other Information Law matter, please do contact Alistair Sloan on 0141 229 0880 or by sending him an E-mail directly.  You can also follow our dedicated information law twitter account.