Tag Archives: Enforcement Notices (Data Protection)

Facebook, Fines and Enforcement: ICO investigation into political campaigning

In March the Commissioner executed a warrant under the Data Protection Act 1998, to much fanfare and press coverage, on Cambridge Analytica – the data analytics firm who had been involved in the election campaign by US President Donald Trump and who had allegedly undertaken work for Leave.EU in the 2016 referendum on whether the UL should remain a member of the European Union or not. At the same time the Information commissioner announced a much wider investigation into compliance with data protection and privacy laws in political campaigning.

The Information Commissioner has today published a report giving an update on that wider investigation [pdf]. There has been much fanfare around this report and in particular a suggestion that Facebook has been served with a Monetary Penalty Notice in the amount of £500,000. This would be big news; it may not be a large sum of money to Facebook, but £500,000 is the maximum that the Information commissioner can serve a Monetary Penalty Notice for under the Data Protection Act 1998.

However, it has become clear that Facebook has not been served with a Monetary Penalty Notice in the amount of £500,000. The first thing to note here is that the Data Protection Act 1998 still applies; the alleged breaches of data protection law that the Commissioner is concerned with pre-dated 25 May 2018 and therefore the powers under the General Data Protection Regulation (GDPR) do not apply. What has happened is that the Information Commissioner has served a “Notice of Intent” on Facebook indicating that the Commissioner intends on serving Facebook with a Monetary Penalty Notice in the amount of £500,000. This is the first stage in the process of serving a Monetary Penalty Notice, but it is by no means guaranteed that (a) a Monetary Penalty Notice will be issued; and (b) that it will be in the amount of £500,000.

Facebook will have the opportunity to make written representations to the Information Commissioner on various matters, including whether the statutory tests for serving a Monetary Penalty Notice have been met and on the amount of the Penalty. The Commissioner must take account of these representations when making a final decision on serving the Monetary Penalty Notice: not to do so would likely result in an appeal against the Notice to the First-Tier Tribunal (Information Rights), which could ultimately result in the Monetary Penalty Notice being reduced in amount or quashed altogether. If Facebook brings forward evidence to the Commissioner that means she can no longer make certain findings in fact that will have an impact on both her ability to serve the Monetary Penalty Notice and the amount of that notice.

It could be many more weeks, if not months before we know whether a Monetary Penalty Notice is in fact being served on Facebook and how much it is for. The Commissioner must serve the Monetary Penalty Notice on Facebook within six month of serving the Notice of Intent.

There are some other aspects of the Commissioner’s report that are worthy of some brief consideration. The Commissioner has announced that she is intending on prosecuting SCL Elections Limited. The information given by the Commissioner suggests that this prosecution is to be limited to one very specific issue: their failure to comply with an Enforcement Notice previously served on the company. The Enforcement Notice was served on the company after they failed to comply with a subject access request received by them from a US academic. The company was in administration when the Enforcement Notice was served and remains in administration today. The Information Commissioner is able to prosecute offences under the legislation it is responsible for enforcing in its own right; except in Scotland where it requires to report the matter to the Procurator Fiscal in the same way as every other law enforcement agency is required. How successful that prosecution will be and what benefit it will bring remains to be seen given that the company is in administration. Even if the company is successfully

We have also seen what appears to be the first piece of enforcement action taken under the Data Protection Act 2018 and the General data Protection Regulation.  The Commissioner has served an Enforcement Notice on the Canadian company, Aggregate IQ [pdf]. This amounts to what could be termed as a “stop processing notice” and it requires Aggregate IQ to, within 30 days, “cease processing any personal data of UK or EU citizens obtained from UK political organisations or otherwise for the purposes of data analytics, political campaigning, or any other advertising.”

Failure to comply with an Enforcement Notice under the Data Protection Act 2018 and the GDPR is not (unlike under the Data Protection Act 1998) a criminal offence; however, a failure to comply can result in an administrative fine of up to €20 million or 4% of global turnover (whichever is the greater). How successful the ICO will be at enforcing this enforcement notice, given that the company is located in Canada and appears to have no established base in the UK, or any other EU member state, remains to be seen.

Other investigations are still ongoing. The Commissioner appears to be continuing to investigate whether there was any unlawful data sharing between Leave.EU and Eldon Insurance. Investigations are also being undertaken into the main ‘Remain’ campaign in the EU referendum and also into all of the UK’s main political parties. It remains to be seen what will happen there.

The Commissioner’s report also informs us that the appeal by the United Kingdom Independence Party (UKIP) against an Information Notice previously served upon them has been dismissed. The First-Tier Tribunal (Information Rights) has not yet published a decision in that case on its website, but should it do so I shall endeavour to blog on that decision (especially given that there has never to my knowledge been an appeal to the Tribunal against an Information Notice). Failure to comply with an Information Notice is a criminal offence, and a company was recently fined £2,000 at Telford Magistrates’ Court for that very offence.

Alistair Sloan

If you require advice or assistance on a matter relating to data protection or privacy law then you can contact Alistair Sloan on 0141 229 0880 or send him an E-mail. You can also follow our twitter account dedicated to information law matters.

Data Protection/Privacy Enforcement: April 2018

In April the Information Commissioner’s Office published a number of enforcement measures taken against public and private organisations under both the Data Protection Act 1998 (“DPA”) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”).  The key points to draw from the enforcement action this month should be familiar to anyone who has been reading this series of blog posts since it began in September.

Key Points

  • It is important to keep track of personal data, especially when it is sensitive personal data; if it is to be sent out of the organisation ensure that it is properly secured and that a record of it being sent and received is kept.
  • Before sending out information to your customers it is important to consider whether the information you are sending is properly business information (or information you’re required to give by law), or whether it is actually promotional or marketing material. If it’s promotional or marketing material ensure that you only send it to the E-mail addresses of people who have consented to receive promotional or marketing material from you.
  • Make sure that before you conduct a marketing campaign by telephone that you do not include numbers listed with the TPS unless you have the consent of the subscriber to contact them by phone for the purposes of direct marketing.
  • When disclosing information to someone, whether under FOI laws or not, ensure that you do not accidently disclose personal or sensitive personal data of third parties where you do not have legal grounds to do so. Be especially careful with pivot tables, a number of public authorities shave found themselves in regulatory hot water of the use of pivot tables. The ICO produced a helpful blog post in 2013 on the issue of pivot tables.
  • If you are an employee it is important that you remember that you should only be accessing personal data where you have a proper business need to do so and should only be disclosing personal data where you need to do so in order to properly perform your role. You can be held personally liable and find yourself being prosecuted in the criminal courts.

Enforcement action published by the ICO in April 2018

Humberside Police
The Information Commissioner, exercising her powers under section 55A of the DPA, served a Monetary Penalty Notice in the amount of £130,000 [pdf] for breaches of the DPA.  The force conducted an interview of a person alleging that they had been the victim of rape, on behalf of Cleveland Police. The interview was filmed and three copies of it existed: the master and two copies. The discs were unencrypted. They were to be sent to Cleveland Police, but were never received by Cleveland police. Humberside Police were unable to locate the discs or to confirm whether they had ever been posted to Cleveland Police.  The Commissioner found that Humberside Police had failed to comply with the seventh data protection principle and also paragraph 9 of Schedule 1 to the DPA.

Royal Mail Group Limited
The Information Commissioner served a Monetary Penalty Notice on Royal Mail Group Limited for contravening Regulation 22 of PECR.  The Monetary Penalty Notice was in the amount of £12,000 [pdf]. Royal Mail Group is the designated Universal Postal Service Provider in the UK and as such, it has certain statutory responsibilities to disseminate certain information. Royal Mail Group Limited sent E-mails to all of its customers, including those who had opted not to receive electronic marketing, to notify them of a change in price for second class parcels purchased online.  The price change was described as being a “promotional” one. The Commissioner found that this amounted to direct marketing rather than information that Royal Mail was obliged to provide under the Postal Services Act 2011 and was therefore in contravention of Regulation 22 of PECR.

The Royal Borough of Kensington and Chelsea
The Information Commissioner served a monetary penalty notice on the Royal Borough of Kensington and Chelsea in the amount of £130,000 [pdf] for breaches of the DPA. The breach arose out of a request for information made to the council pursuant to the Freedom of Information Act 2000. The Council answered the request for information by providing a pivot table to the requesters. The council did not properly redact the underlying information which was then accessible to the requesters without too much difficulty; the underlying information included personal data.

The Energy Saving Centre Limited
The Information Commissioner has served the Energy Saving Centre Limited with a Monetary Penalty Notice in the amount of £250,000 [pdf] and also with an Enforcement Notice [pdf] for contraventions of PECR.  The Commissioner had found that the Energy Saving Centre Limited had made tens of thousands of marketing calls to numbers which were listed with the Telephone Preference Service and where the individual subscribers to those numbers had not given consent to the Energy Saving Centre Limited to be contacted by phone for marketing purposes.  The Enforcement Notice requires the company to stop making unlawful calls – failure to comply with an Enforcement Notice is a criminal offence.

Approved Green Energy Solutions
The Information Commissioner has served a Monetary Penalty Notice [pdf] on an individual who traded as a sole trader under the name Approved Green Energy Solutions.  The amount of the penalty was £150,000. Approved Green Energy Solutions used a public telecommunications service to make in excess of 330,000 unsolicited telephone calls for the purpose of direct marketing where the line subscriber had listed their number with the Telephone Preference Service (“TPS”). The Commissioner and the TPS received 107 complaints directly from individuals affected.

Prosecutions
A former receptionist/general assistant at Milton Keynes University Hospital NHS Foundation Trust has bene prosecuted by the Information Commissioner after she inappropriately accessed the records of 12 patients when not required to do so in the course of her employment. The defendant entered a plea of guilty to offences of unlawfully accessing personal data and unlawfully disclosing personal data in breach of section 55 of the DPA. The Defendant was fined a total of £300 and ordered to pay a £30 victim surcharge.

Alistair Sloan

If you require advice and assistance in connection with any of the data protection/privacy issues above, or any other Information Law matter, please do contact Alistair Sloan on 0141 229 0880 or by sending him an E-mail directly.  You can also follow our dedicated information law twitter account.

Data Protection and Privacy Enforcement: February 2018

February is a short month, and did not see the same level of publicity by the Information Commissioner’s Office in respect of enforcement action taken to enforce privacy and data protection laws as was seen in January.

Key points 

  • Failing to comply with an Enforcement Notice is a criminal offence (see section 47 of the Data Protection Act 1998); there is a right of appeal to the First-Tier Tribunal (Information Rights) against the terms of an Enforcement Notice and so if you do not agree with the terms of the notice you should seek legal advice about the possibility of making such an appeal.
  • Employees should be careful what they do with personal data; in most cases the enforcement liability will lie with the employer (although, your employer might take disciplinary action against you for failing to comply with company policies and procedures).  However, there are circumstances when employees can be held personally, and indeed criminally, liable for breaches of the Data Protection act 1998.
  • The right of subject access is a fundamental right of data subjects and data controllers must ensure that they comply with their obligations in respect of a subject access request made by a data subject.  The right of subject access remains a key feature of the new European data protection framework and the GDPR strengthens the right of subject access for data subjects.

Enforcement action published by the ICO during February 2018

Pennine Care NHS Foundation Trust
The ICO has conducted a follow-up assessment [pdf] with Pennine Care NHS Foundation Trust finding that the Trust had complied with the terms of the undertaking which it had previously given [pdf] following a consensual audit [pdf] by the Commissioner’s staff.

Gain Credit LLC
Gain Credit LLC was served with an Enforcement Notice [pdf] by the Information Commissioner for failing to comply with a subject access request made to it.  This came to light after the data subject in question made a request to the Information Commissioner that she carry out an assessment pursuant to section 42 of the Data Protection Act 1998 into whether it was likely or unlikely that the processing by Gain Credit LLC was in accordance with the provisions of the Act.

Direct Choice Home Improvements Limited
In March 2016 Direct Choice Home Improvements Limited was served with a Monetary Penalty Notice in the amount of £50,000 [pdf] and also an Enforcement Notice [pdf] for breaching Regulation 21 of the Privacy and Electronic Communications (EC) Directive Regulations 2003 (PECR).  The company continued to breach Regulation 21 of PECR and the Commissioner prosecuted it for breaching the Enforcement Notice.  The company was not represented at Swansea Magistrates’ Court and was convicted in absence.  The company was fined £400 as well as being ordered to pay £364.08 in prosecution costs and a victim surcharge of £40. (Don’t forget that PECR remains part of the privacy and data protection law landscape when the GDPR becomes applicable in May.)

Other Prosecutions
A former employee of Nationwide Accident Repair Services Limited was prosecuted by the Information Commissioner for unlawfully obtaining personal data contrary to section 55 of the Data Protection Act 1998.  The defendant had sold the personal data of his employers’ customers to a third party who then made use of the personal data to contact some of those customers concerning their accident.  The defendant was convicted and fined £500 as well as being ordered to pay costs of £364 and a victim surcharge of £50.  An offence of unlawfully disclosing personal data was admitted to and taken into consideration by the Court.

A former local authority education worker was prosecuted after she unlawfully disclosed personal data contrary to section 55 of the Data Protection Act 1998.  The defendant had taken a screenshot of a council spreadsheet which concerned the eligibility of named children to free school meals and then sent it onto an estranged parent of one of the children.  She pled guilty to three offences and was fined £850 by Westminster Magistrates’ Court as well as being ordered to pay £713 in costs.

Alistair Sloan

If you require advice or assistance in respect of a data protection or privacy law matter, or any other Information Law matter; then contact Alistair Sloan on 0345 450 0123, or send him and E-mail.

Data Protection/Privacy Enforcement: January 2018

It has been a busy start to the year for the Information Commissioner’s Office (ICO).  The start of 2018 also saw the highest ever sentences imposed on those in breach of Data Protection and Privacy laws in the United Kingdom.  It is time to have a closer look at the Data Protection and Privacy Enforcement action published by the ICO during January 2018 as part of our regular monthly review.  You can read our review of the privacy and data protection enfrocement from December 2017 here.

Key Points

  • If you have access to personal data as part of your employment, ensure that you only access it where there is a genuine professional need for you to do so; even if the reason you are looking for information could be considered harmless.
  • As far as the Information Commissioner is concerned, ‘ignorance is not bliss’; Data Controllers must have adequate and up to date procedures, technology and policies in place to ensure that they are not in breach of any data protection laws or regulations.
  • Organisations can’t generally send advertising or marketing emails unless the recipient has informed the sender that they consent to such emails being sent by, or at the instigation of, that sender.  Any consent must be freely given, explicit and informed but also involve a positive indication signifying the individual’s agreement. In order for consent to be informed by an individual, the individual must know exactly what it is they are consenting to (for more information see Alistair Sloan’s blog post PECR:  The forgotten relative).
  • Failure to notify the Information Commissioner of any personal data breach in accordance with the Notification Regulations will not be tolerated.  If it has come to your attention that there has been a breach, you must come clean and put your hands up. A much wider requirement to notify the ICO of personal data breaches becomes applicable with the GDPR later this year, for more on that see our blog post on Personal Data Breaches under the GDPR.
  • It goes without saying, meticulous attention to detail must be taken when you are sending any correspondence containing personal data, you must ensure that it is sent to the correct person.

Enforcement action published by the ICO in January 2018

The Carphone Warehouse Ltd
The Carphone Warehouse Ltd was served with a Monetary Penalty Notice in the sum of £400,000 after serious failures and inadequate software placed customer and employee data at risk.

Newday Limited
Newday Ltd were served a Monetary Penalty Notice in the sum of £230,000 after approximately 48,096,988 emails were sent to individuals who had not consented to receive marketing, contrary to regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003.  The Commissioner decided that the consent relied on by Newday Limited was not sufficiently informed and therefore it did not amount to valid consent.

TFLI Ltd
TFLI Ltd received a Monetary Penalty Notice of £80,000.  This penalty was also in relation to contravention of regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003.  TFLI Limited sent approximately 1,218,436 unsolicited marketing texts promoting a loan website.

Barrington Claims Ltd
Barrington Claims Ltd were issued a Monetary Penalty Notice in the sum £250,000 after they failed to ensure automated marketing calls were made only to individuals who had consented to receive them. The Commissioner decided to issue a Monetary Penalty under section 55A of the Data Protection Act 1998, in relation to contravention of regulations 19 and 24 of the Privacy and Electronic Communications (EC Directive) Regulations 2003.  The company were unable to provide evidence that it had the consent of individuals to whom it had instigated the calls.

Goody Market UK Ltd
Goody Market UK Ltd were issued a Monetary Penalty Notice in the sum of £40,000 after they failed to ensure that text messages containing marketing material were only sent to individuals who had consented to receive them.  They were also served an Enforcement Notice. The texts were sent on the basis of data sourced from a third party, and purchased on behalf of Goody Market UK Ltd by a data broker.  Goody Market UK Ltd were unable to provide the Commissioner with any evidence that the recipients consented to the marketing messages, having relied on verbal assurance from the data broker.  The Commissioner found that Goody Market UK Ltd had contravened Regulation 22 of PECR.

West Midlands Police
West Midlands Police have signed an Undertaking to comply with the Data Protection Act after the Information Commissioner was informed that a data breach had occurred in relation a Criminal Behaviour Order.  The order was imposed on two individuals, but in a leaflet distributed to publicise the order, the names of the witnesses were revealed.

Miss-sold Products UK Ltd
Miss-sold Products UK Ltd were served a Monetary Penalty Notice in the sum of £350,000 after they failed to ensure that marketing calls were only made to individuals who had consented to receive marketing. The penalty was in relation to contravention of Regulation 19 of the Privacy and Electronic Communications (EC Directive) Regulations 2003.

SSE Energy Supply Ltd
SSE Energy Supply Ltd was issued a Monetary Penalty Notice of £1,000 after they sent an email to an individual in error.   The penalty was issued because of contravention of Regulation 5A of the Privacy and Electronic Communications (EC Directive) Regulations 2003.  This Regulation requires that a provider of a public electronic communications service must notify the Information Commissioner of a personal data breach without undue delay.  SSE Energy Supply Ltd sent an email to the wrong email address, disclosing the name of a customer and their account number.  After they became aware of the breach, SSE Energy Supply Limited did not follow its policies and procedures that were in place and as a consequence there was a delay in reporting the personal data breach to the Information Commissioner.

Prosecutions
There were a number of successful prosecutions reported by the ICO during January 2018:

  1. An investigation by the ICO, which began in 2013, resulted in record fines for Woodgate and Clark Ltd, the company director and private investigators who were involved in the illegal trade of personal information.  A claim had been made on an insurance policy in relation to a fire at business premises which the claimant owned.  Private investigators unlawfully obtained confidential financial information and disclosed it to Woodgate and Clark Ltd, which then disclosed it to an insurer client.  The defendants were all prosecuted under s55 of the Data Protection Act 1998.  Woodgate and Clark Ltd were fined £50,000 in addition to being ordered to pay £20,000 in costs.  The company director was fined £75,000 and was ordered to pay £20,000 in costs; while both private investigators were fined £10,000 and ordered to pay £2,500 in costs.
  2. A director of an accident claims company invented a car crash so that he could trace and get in touch with the owner of a private number plate he wanted to buy.  He was prosecuted at Bristol Magistrates’ Court for a breach of S55 of the Data Protection Act 1998 for the offence of unlawfully obtaining personal data.  He was convicted and received a fine of £335.00.  The defendant was also ordered to pay prosecution costs of £364.08 and a victim surcharge of £33.00.
  3. An individual was charged with two offences of unlawfully disclosing personal data.  The defendant had come into possession of a USB stick and published sensitive police information from it on Twitter.  He was sentenced to a 12 month conditional discharg,e in part because he had been placed on a stringent bail conditions including wearing an electronic tag before the hearing.  He had to pay £150 in cost and £15 victim charge.

Vicki Macleod Folan

If you require advice and assistance in connection with any of the issues above, or any other Information Law matter, please do contact Alistair Sloan on 0345 450 0123 or by completing the form on the contact page of this blog.  Alternatively, you can send him an E-mail directly.

Data Protection/Privacy Enforcement: December 2017

Our monthly look at the enforcement action taking by the Information Commissioner in respect of Privacy and Data Protection matters continues with a review of the enforcement action published by the ICO in December 2017.  You can view last month’s review of the November 2017 enforcement action here.  December 2017 was not an overly busy month for the ICO; they published just one Enforcement Notice.

Key Points

  • Ensure that you have in place adequate procedures to ensure that you handle Subject Access requests within the time allowed by the law.

Enforcement Action

Secretary of State for Justice
The Secretary of State for Justice was served with an Enforcement Notice [pdf] requiring him to deal with his department’s backlog of delayed Subject Access Requests.  As at 10 November 2017 the Ministry of Justice had 793 Subject Access Requests which were over 40 days old; some of this backlog was made up of Subject Access Requests made in 2014.  This was a reduction from the 919 requests more than 40 days old as at 28 July 2017 (which included requests going back to 2012).  The Data Protection Act 1998 requires that Subject Access Requests be responded to within 40 calendar days (this will be reduced to 30 calendar days under the GDPR – you can find out more about this change, and others to the right of subject access requests, in my blog post on Subject Access Requests under the GDPR).

Alistair Sloan

If you require advice or assistance with Subject Access Requests, or any other Information Law matter then contact Alistair Sloan on 0345 450 0123 or send him and E-mail

Data Protection/Privacy Enforcement: November 2017

A bit later than normal, it is time for our monthly review of the enforcement action taken by the Information Commissioner in respect of Privacy and Data Protection matters during the month of November 2017.  This follows on from our reviews covering September 2017 and October 2017.

Key Points

  • Ensure that when you are collecting personal data that you are clear and open about what it will be used for.  If it is to be supplied to third parties for direct marketing purposes state as accurately as possible who those third parties are –  stating that it will be shared with “carefully selected partners” is not going to be sufficient.
  • When undertaking direct marketing by electronic means, such as by E-mail or text message, ensure that you have in place the necessary consent (and remember the definition of consent in the Data Protection Directive) of the recipient before sending your marketing messages.
  • Once again, if you have access to personal data as part of your employment, ensure that you only access it where there is a legitimate business need for you to do so.  Do not send personal data to your own personal E-mail address without first explaining to your employer why you need to do it and getting their consent to do so.

Enforcement action published by the ICO in November 2017

Verso Group (UK) Limited

Verso Group (UK) Limited was served with a Monetary Penalty Notice [pdf] in the amount of £80,000.  Verso had been supplying personal data to third parties to enable those third parties to conduct direct marketing campaigns; the Commissioner considered that Verso had breached the First Data Protection Principle in doing so.  This was because the Commissioner did not consider that the terms and conditions and privacy policies of Verso and those other companies from which it obtained personal data were clear enough to make the processing by Verso fair and lawful.

Hamilton Digital Solutions Limited

Hamilton Digital Solutions Limited were served with an Enforcement Notice [pdf] and a Monetary Penalty Notice [pdf] in the amount of £45,000 after the company were responsible for the sending of in excess of 150,000 text messages for the purposes of direct marketing in breach of the Privacy and Electronic Communications (EC Directive) Regulations 2003.

Prosecutions

There were a number of successful prosecutions reported by the ICO during the month of November 2017:

Prosecution 1 –
A former employee of a community based counselling charity was prosecuted by the ICO at Preston Crown Court and pleaded guilty to three charges under Section 55 of the Data Protection Act 1998.  The Defendant had sent a number of E-mails to his personal E-mail address which contained sensitive personal data of clients, without his employers’ consent.  He was given a 2 year Conditional Discharge, ordered to pay costs of £1,845.25 and a £15 Victim Surcharge.

Prosecution 2 –
An employee of Dudley Group NHS Trust pleaded guilty two offences under Section 55 of the Data Protection Act 1998:  one of unlawfully obtaining personal data and one of unlawfully disclosing personal data.  The defendant had accessed the medical records of a neighbour and former friend medical records and also disclosed information about a baby.  She was fined a total of £250 (£125 for each offence) and was ordered to pay prosecution costs amounting to £500 and a victim surcharge of £30.

Prosecution 3 –
A former nursing auxiliary at the Royal Gwent Hospital in Newport was fined £232 for offences under Section 55 of the Data Protection Act 1998.  She was also ordered to pay prosecution costs of £150 and a victim surcharge of £30.  The Defendant had unlawfully accessed the records of a patient who was also her neighbour

Alistair Sloan

If you require advice and assistance in connection with any of the issues above, or any other Information Law matter, please do contact Alistair on 0345 450 0123 or by completing the form on the contact page of this blog.  Alternatively, you can send him an E-mail directly.

Data Protection/Privacy Enforcement: October 2017

Continuing the regular monthly look at Data Protection and Privacy enforcement taken by the Information Commissioner, this blog post reviews the enforcement action published during October 2017.

Key Points

  • When seeking consent for the purposes of direct marketing, be clear and precise in the language that you use.
  • When buying-in lists of contact details for the purpose of Direct Marketing you are responsible for ensuring that the there is valid consent in place so carry out your own due-diligence.
  • You are responsible for the direct marketing calls made by your agent as you are the instigator of the calls
  • If you have access to personal data as part of your job, do not access it unless you have a valid reason to do so in connection with your employment.

Enforcement Action published by ICO in October 2017

Xerpla Limited

Xerpla Limited was served with a Monetary Penalty Notice [pdf] in the amount of £50,000 after the Information Commissioner found that they had sent more than 1 million unsolicited direct marketing communications by electronic mail.  The Information Commissioner considered that Xerpla was not clear or specific enough about who subscribers were agreeing to receive marketing from.

Vanquis Bank Limited

Vanquis Bank Limited were served with an Monetary Penalty Notice [pdf] in the amount of £75,00 and an Enforcement Notice [pdf] after the Information Commissioner found that they had sent text messages and E-mails marketing credit cards without consent.

The Lead Experts Limited

The Lead Experts Limited were served with a Monetary Penalty Notice [pdf] in the amount of £70,000 and an Enforcement Notice [pdf] after the Information Commissioner found that they had instigated automated marketing calls to telephone subscribers without the subscriber’s consent.

Prosecutions

A former employee of Kent and Medway NHS and Social Care Partnership Trust was fined £300, ordered to pay prosecution costs of £364.08 and a victim surcharge of £30 after pleading guilty to an offence under the Data Protection Act 1998.  The defendant had accessed the health records of a single patient 279 times over a three-week period in October and November 2015, viewing the files up to 50 times in a day.  The patient was known to the defendant, but she had no valid lawful reason to access the records and did so without her employer’s consent.

Alistair Sloan

If you require advice and assistance in connection with any of the issues above, or any other Information Law matter, please do contact Alistair on 0345 450 0123 or by completing the form on the contact page of this blog.  Alternatively, you can send me an E-mail directly.

Data Protection/Privacy Enforcement: September 2017

Following on from last month’s post looking at the Data Protection/Privacy Enforcement taken in August 2017, it is now time to review what data protection/privacy enforcement the ICO publicised during September 2017.

Key Points

The key points from the enforcement action publicised by the ICO during the course of September are:

  • Ensure that where your organisation undertakes direct marketing by telephone, you do not make calls to numbers which are listed on the Telephone Preference Service; unless you have been given consent to make such calls.
  • Before you engage in a marketing campaign by making automated telephone calls, ensure that you have consent from the subscribers to the numbers that you intend to call, whether the numbers are registered with the telephone Preference Service or not.
  • Generally you require the consent of the recipient before you can send marketing materials by electronic means (including text messages and E-mail).
  • It is important that all employees (including agency and temporary staff) have an adequate level of data protection training for their job role and that there is in place ongoing refresher training on a regular basis.
  • If you are an employee and have access to personal data as part of your job role, do not make use of that access for any purposes not required as part of your employment; including for personal purposes.  Also, don’t forward personal data to your personal E-mail, for any reason, unless your employer has agreed to it first.

Enforcement Action published by ICO in August 2017

True Telecom Limited

True Telecom Limited were served with a Monetary Penalty Notice [pdf] in the amount of £85,000 and an Enforcement Notice [pdf] after the Commissioner had found that True Telecom was responsible for 201 unsolicited telephone calls for the purposes of direct marketing made to numbers registered with the Telephone Preference Service, contrary to the requirements of the Privacy and Electronic Communications (EC Directive) Regulations 2003.

Cab Guru Limited

Cab Guru Limited were served with a Monetary Penalty Notice [pdf] in the amount of £45,000 after the Commissioner found that it had instigated the transmission of more than 350,000 text messages for the purposes of direct marketing without having the consent of the intended recipient to do so, contrary to the requirements of the Privacy and Electronic Communications (EC Directive) Regulations 2003.

Your Money Rights Limited

Your Money Rights Limited were served with a Monetary Penalty Notice [pdf] in the amount of £350,000 after the Commissioner found that it had instigated more than 146,000,000 automated marketing calls without having the consent of the subscribers to the number(s), contrary to the requirements of the Privacy and Electronic Communications (EC Directive) Regulations 2003.

Easy Leads Limited

Easy Leads Limited were served with a Monetary Penalty Notice [pdf] in the amount of £208,000 and an Enforcement Notice [pdf] after the Commissioner found that the company had instigated more than 16,500,000 automated marketing telephone calls without having the consent of the subscribers to the numbers, contrary to the requirements of the Privacy and Electronic Communications (EC Directive) Regulations 2003.

Dyfed Powys Police

The Chief Constable of Dyfed Powys Police signed an undertaking [pdf] to ensure compliance with the seventh data protection principle after a number of breach incidents occurred which highlighted that many of the force’s police officers had received no data protection training and that there was no refresher training in place either.  The Commissioner did not take formal enforcement action against Dyfed Powys Police on the basis of remedial actions which had already been taken by the controller.

Prosecutions

A former employee of The University Hospitals of North Midlands NHS Trust was prosecuted at North Staffordshire Magistrates’ Court for an offence under Section 55 of the Data Protection Act 1998. The former employee accessed the sensitive medical records of colleagues as well as people she knew that lived in her locality, without the consent of the data controller. The defendant entered a plea of guilty and was fined £700, ordered to pay costs of £364.08 and a Victim Surcharge in the amount of £70.

A former employee of Leicester City Council was convicted of an offence under Section 55 of the Data Protection Act 1998 at Nuneaton Magistrates’ Court after he unlawfully obtained personal data.  The defendant emailed personal data relating to 349 individuals, which included sensitive personal data of service users of the Adult Social Care Department, to his personal email address without his employers’ consent.  He was fined £160, ordered to pay £364.08 prosecution costs and a victim surcharge in the amount of £20.

Alistair Sloan

If you require advice and assistance in connection with any of the issues above, or any other Information Law matter, please do contact Alistair on 0345 450 0123 or by completing the form on the contact page of this blog.  Alternatively, you can send me an E-mail directly.

Data Protection Bill 2017: initial observations and comments

Last week the UK Government finally introduced their much anticipated Data Protection Bill [pdf], which is required to deal with certain aspects of the General Data Protection Regulation.  I have spent some time since then reading through the Bill and this blog post is intended as an initial introduction to the new Bill.

The first thing to note is that the Bill is not an easy read and certainly much of the commentary and discussion has centred on how uneasy a Bill it is to read.  This may well create some difficulties for practitioners going forward, and indeed may also cause some difficulties for data subjects who are trying to understand what their data protection rights are.

There are a few things of note which clarify a number of matters.  The GDPR requires public bodies to appoint a Data Protection Officer, but the GDPR does not stipulate what is and what is not a public body; this was left up to member states to deal with.  The proposed answer comes in Clause 6 of the Bill which gives it the same meaning as public authority in the Freedom of Information Act 2000 and Scottish public authority in the Freedom of Information (Scotland) Act 2002.  So, a public authority for the purposes of FOI is also a public authority for the purpose of the GDPR.  The definition does not include those bodies who are subject only to the Environmental Information Regulations 2004 or the Environmental Information (Scotland) Regulations 2004.

It should be noted that it is proposed that the Secretary of State will have the power to provide, in regulations, that a public body, as defined by clause 6, is not in fact a public body for the purposes of the GDPR.  It is also proposed that the Secreatry of State shall have the power to provide that a body that is not a public body, as defined by clause 6, is in fact a public body for the purposes of the GDPR.  There has been no indication as yet that the Secretary of State intends on making any Regulations under these powers and so for the time being it would be prudent to work on the basis that every person and organisation who is subject to the provisions of either the UK or Scottish FOI Acts is a public body for the purposes of the GDPR.

Although the Scottish Ministers cannot directly decide that a person or body ought to be (or ought not to be) a public body for the purposes of the GDPR, the exercising of their powers under Sections 4 and 5 of the Freedom of Information (Scotland) Act 2002 can result in persons or bodies becoming, or ceasing to be, public bodies for the purpose of the GDPR.  This effect is something to consider when the Scottish Government is seeking to extend the coverage of the Freedom of Information (Scotland) Act 2002; the obvious example is housing associations in Scotland.  The Scottish Government is currently considering whether they ought to be Scottish public authorities for the purposes of the Freedom of Information (Scotland) Act 2002 or not.  If they lay Regulations to make housing associations a Scottish public authority this will have the effect of making housing associations a public body for the purposes of the GDPR as well.  Of course, the Secretary of State would have the power to then make Regulations which would have the effect of not making housing associations in Scotland a public authority for GDPR purposes.

This may well have an effect on how quickly an order under Section 5 of the Freedom of Information (Scotland) Act 2002 can come into force.  The data controller would become a public authority for the purposes of the GDPR immediately upon the coming into force of the “Section 5 Order”; if they do not already have a Data Protection Officer appointed then they will need to recruit an dappoint someone in advance of the Section 5 Order entering into force.

The definition of who is a public body also has implications beyond the need to appoint a Data Protection Officer.  Public bodies are not allowed to rely upon the “legitimate interests” condition for processing personal data in the performance of the public body’s tasks.

In relation to consent, the GDPR allows member states to set an age between 13 and 16 for the purposes of when a child can give consent for the processing of their personal data by ‘information society services’ (e.g. Twitter, Facebook, Snapchat); Clause 8 of the Data Protection Bill proposes setting this at 13 in the UK.  It should be stressed that this only applies to consent provided to information society services and not consent more generally.  A child who is younger than 13 may be capable of providing consent more generally under the GDPR (and ineed, the presumtion in Scotland will continue to be that a child of 12 can provide consent).

The GDPR allows data controllers to charge fees, in limited circumstances, when dealing with subject access requests.  Clause 11 of the Data Protection Bill provides that the Secretary of State may “by regulations specify limits on the fees that a controller may charge”.   The inclusion of this power within the Bill suggests that it is the Government’s intention to place a cap on what can be charged by data controllers in those circumstances where a fee can be charged.  The general right to charge a fee in order to process a subject access request, that is in place under the current Data Protection Act, will go.  A more detailed blog on the topic of subject access requests under the GDPR shall follow.

The Monetary Penalty Notice is to remain (although it will now just be a penalty notice) and this is the way in which the Information Commissioner will be able to exercise her powers under the GDPR to issue administrative fines.  The procedure adopted under the current monetary penalty regime is retained with the requirement for the Commissioner to issue a “notice of intent” in advance of serving a penalty.  It will also continue to be a requirement that the penalty notice be issued within 6 months of the notice of intent (see Schedule 16 of the Data Protection Bill).  The Commissioner will be able to issue a penalty notice to a data controller who has failed to comply with an enforcement notice.

These are just a few of the notable points from the new Data Protection Bill and there is plenty more to write about, but that will come in future blog posts.  The Bill has only just been introduced to the House of Lords and still has to go through the full process of scrutiny in both the House of Lords and the House of Commons; therefore, it is entirely possible that the Bill’s 194 clauses and 18 schedules will be amended during the passage of the Bill through Parliament.  The Bill is due to have its Second Reading in the House of Lords, at which the House of Lords will agree (or not) to the general principles of the Bill, on 10th October 2017.

Alistair Sloan

If you would like advice on the General Data Protection Regulation or on the new Data Protection Bill then contact our Alistair Sloan on 0345 450 0123 or by completing the form on the contact page of this blog.  Alternatively, you can send him an E-mail directly.

Data Protection/Privacy Enforcement – August 2017

In this blogpost I shall be looking at the enforcement action taken by the Information Commissioner in the fields of data protection and privacy which was publicised during August 2017.  It is hoped that this will become a regular monthly feature on this blog.

Key Points

The key points from the enforcement action publicised by the ICO during the course of August are:

  • Ensure that where your organisation undertakes direct marketing by telephone, you do not make calls to numbers which are listed on the Telephone Preference Service; unless you have been given consent to make such calls.
  • Ensure that contractors who have access to personal data only have access to that personal data which is necessary for the services that they are providing to you.
  • Ensure that you have appropriate technical and organisational measures in places to prevent the unauthorised or unlawful processing of personal data when processing personal data over the internet.
  • Ensure that all of your staff (including temporary and agency staff) are given data protection training which is appropriate to their job role, and to ensure that regular refresher training is undertaken.
  • If you are an employee and have access to personal data as part of your job role, do not make use of that access for any purposes not required as part of your employment; including for personal purposes.

Enforcement Action published by ICO in August 2017

H.P.A.S Limited (trading as Safestyle UK)

H.P.A.S Limited were served with a Monetary Penalty Notice [pdf] in the amount of £70,000 and an Enforcement Notice [pdf] after the Commissioner found that they had made unsolicited direct marketing calls to telephone numbers which were listed on the Telephone Preference Service.

Laura Anderson Limited t/a Virgo Home Improvements

Laura Anderson Limited were served with a Monetary Penalty Notice [PDF] in the amount of £80,000 and an Enforcement Notice [pdf] after the Commissioner found that they had made unsolicited direct marketing calls to telephone numbers which were listed on the Telephone Preference Service.

Home Logic UK Limited

Home Logic UK Limited were served with a Monetary Penalty Notice [pdf] in the amount of £50,000 after the Commissioner found that they had made unsolicited direct marketing calls to telephone numbers which were listed on the Telephone Preference Service.

Talk Talk Telecom Group Plc

Talk Talk Telecom Group Plc were served with a Monetary Penalty Notice [pdf] in the amount of £100,000.  The Commissioner found that they had failed to have in place adequate technical and organisational measures to prevent against the unauthorised or unlawful processing of personal data.  Talk Talk Telecom Group Plc had in place unjustifiably wide-ranging access to personal data by external agents, which put that personal data at risk.

London Borough of Islington

The London Borough of Islington was served with a Monetary Penalty Notice [pdf] in the amount of £70,000.  The Commissioner found that the Borough’s parking enforcement application had design flaws and some of the functionality was misconfigured, allowing for unauthorised access to personal data.

Nottinghamshire County Council

Nottinghamshire County Council was served with a Monetary Penalty Notice [pdf] in the amount of £70,000.  The Commissioner found that the Council had failed to have in place an authentication process for accessing an internet based allocation service for home carers; this left personal data and sensitive personal data exposed on the internet.

Cheshire West and Chester Council

Cheshire West and Chester Council signed an undertaking [pdf] stating that they would take certain steps to ensure compliance with the Data Protection Act 1998.  In particular the Commissioner was concerned that a number of self-reported incidents by the council involved staff who had not received data protection training.

Prosecution

A former employee of Colchester Hospital University NHS Foundation Trust was prosecuted in The Colchester Magistrates’ Court.  The Defendant pleaded guilty to offences under Section 55 of the Data Protection Act 1998.  She had accessed the sensitive health records of friends and people she knew and disclosed some of the personal information she obtained obtained.  She was fined £400 for the offence of obtaining the personal data and £650 for the offence of disclosing the personal data.  She was also required to pay prosecution costs and a victim surcharge.

I can provide advice and assistance on a wide range of information law matters.  If you wish to discuss an information law matter with me then you can contact me on 0345 450 0123 or by completing the form on the contact page of this blog.  Alternatively, you can send me an E-mail directly.

Alistair Sloan