Tag Archives: Privacy and Electronic Communications (EC Directive) Regulations 2003

Data Protection/Privacy Enforcement: April 2018

In April the Information Commissioner’s Office published a number of enforcement measures taken against public and private organisations under both the Data Protection Act 1998 (“DPA”) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”).  The key points to draw from the enforcement action this month should be familiar to anyone who has been reading this series of blog posts since it began in September.

Key Points

  • It is important to keep track of personal data, especially when it is sensitive personal data; if it is to be sent out of the organisation ensure that it is properly secured and that a record of it being sent and received is kept.
  • Before sending out information to your customers it is important to consider whether the information you are sending is properly business information (or information you’re required to give by law), or whether it is actually promotional or marketing material. If it’s promotional or marketing material ensure that you only send it to the E-mail addresses of people who have consented to receive promotional or marketing material from you.
  • Make sure that before you conduct a marketing campaign by telephone that you do not include numbers listed with the TPS unless you have the consent of the subscriber to contact them by phone for the purposes of direct marketing.
  • When disclosing information to someone, whether under FOI laws or not, ensure that you do not accidently disclose personal or sensitive personal data of third parties where you do not have legal grounds to do so. Be especially careful with pivot tables, a number of public authorities shave found themselves in regulatory hot water of the use of pivot tables. The ICO produced a helpful blog post in 2013 on the issue of pivot tables.
  • If you are an employee it is important that you remember that you should only be accessing personal data where you have a proper business need to do so and should only be disclosing personal data where you need to do so in order to properly perform your role. You can be held personally liable and find yourself being prosecuted in the criminal courts.

Enforcement action published by the ICO in April 2018

Humberside Police
The Information Commissioner, exercising her powers under section 55A of the DPA, served a Monetary Penalty Notice in the amount of £130,000 [pdf] for breaches of the DPA.  The force conducted an interview of a person alleging that they had been the victim of rape, on behalf of Cleveland Police. The interview was filmed and three copies of it existed: the master and two copies. The discs were unencrypted. They were to be sent to Cleveland Police, but were never received by Cleveland police. Humberside Police were unable to locate the discs or to confirm whether they had ever been posted to Cleveland Police.  The Commissioner found that Humberside Police had failed to comply with the seventh data protection principle and also paragraph 9 of Schedule 1 to the DPA.

Royal Mail Group Limited
The Information Commissioner served a Monetary Penalty Notice on Royal Mail Group Limited for contravening Regulation 22 of PECR.  The Monetary Penalty Notice was in the amount of £12,000 [pdf]. Royal Mail Group is the designated Universal Postal Service Provider in the UK and as such, it has certain statutory responsibilities to disseminate certain information. Royal Mail Group Limited sent E-mails to all of its customers, including those who had opted not to receive electronic marketing, to notify them of a change in price for second class parcels purchased online.  The price change was described as being a “promotional” one. The Commissioner found that this amounted to direct marketing rather than information that Royal Mail was obliged to provide under the Postal Services Act 2011 and was therefore in contravention of Regulation 22 of PECR.

The Royal Borough of Kensington and Chelsea
The Information Commissioner served a monetary penalty notice on the Royal Borough of Kensington and Chelsea in the amount of £130,000 [pdf] for breaches of the DPA. The breach arose out of a request for information made to the council pursuant to the Freedom of Information Act 2000. The Council answered the request for information by providing a pivot table to the requesters. The council did not properly redact the underlying information which was then accessible to the requesters without too much difficulty; the underlying information included personal data.

The Energy Saving Centre Limited
The Information Commissioner has served the Energy Saving Centre Limited with a Monetary Penalty Notice in the amount of £250,000 [pdf] and also with an Enforcement Notice [pdf] for contraventions of PECR.  The Commissioner had found that the Energy Saving Centre Limited had made tens of thousands of marketing calls to numbers which were listed with the Telephone Preference Service and where the individual subscribers to those numbers had not given consent to the Energy Saving Centre Limited to be contacted by phone for marketing purposes.  The Enforcement Notice requires the company to stop making unlawful calls – failure to comply with an Enforcement Notice is a criminal offence.

Approved Green Energy Solutions
The Information Commissioner has served a Monetary Penalty Notice [pdf] on an individual who traded as a sole trader under the name Approved Green Energy Solutions.  The amount of the penalty was £150,000. Approved Green Energy Solutions used a public telecommunications service to make in excess of 330,000 unsolicited telephone calls for the purpose of direct marketing where the line subscriber had listed their number with the Telephone Preference Service (“TPS”). The Commissioner and the TPS received 107 complaints directly from individuals affected.

Prosecutions
A former receptionist/general assistant at Milton Keynes University Hospital NHS Foundation Trust has bene prosecuted by the Information Commissioner after she inappropriately accessed the records of 12 patients when not required to do so in the course of her employment. The defendant entered a plea of guilty to offences of unlawfully accessing personal data and unlawfully disclosing personal data in breach of section 55 of the DPA. The Defendant was fined a total of £300 and ordered to pay a £30 victim surcharge.

Alistair Sloan

If you require advice and assistance in connection with any of the data protection/privacy issues above, or any other Information Law matter, please do contact Alistair Sloan on 0141 229 0880 or by sending him an E-mail directly.  You can also follow our dedicated information law twitter account.

Data Protection/Privacy Enforcement: March 2018

Probably the most high profile piece of enforcement action taken by the Information Commissioner’s Office in March was its application for, and execution of, a warrant to enter and inspect the offices occupied by Cambridge Analytica as part of the Commissioner’s wider investigation into the use of personal data in politics.  It would seem that data protection warrants get more people excited about data protection than would ordinarily be the case. The Cambridge Analytica warrant was not the only warrant that the Commissioner obtained and executed in March; the Commissioner’s website also published details of a warrant that it executed in Clydebank (Glasgow).  This warrant was directed towards alleged breaches of the Privacy and Electronic Communications (EC Directive) Regulations 2003 which deal with, insofar as this blog is concerned with, the rules concerning direct marketing to individuals by electronic means.

Key Points

  • Care needs to be taken when looking at sharing personal data on a controller-to-controller basis with other companies, including separate companies within the same group of companies. Data controllers need to ensure that they identify what their lawful basis for processing is, provide adequate fair processing information to data subjects in relation to such sharing of personal data and ensure that any changes to their policy in respect of data-sharing do not result in that sharing being for a purpose that is incompatible with those stated at the time of collection.
  • If you, as an individual (whether or not you are yourself a data controller), unlawfully disclose personal data to third parties then you could be liable for prosecution.

Enforcement Action published by the ICO during March 2018

WhatsApp Inc.
An undertaking was given by WhatsApp Inc. In it, WhatsApp undertook not to do a number of things; including not transferring personal data concerning users within the EU to another Facebook-controlled company on a controller-to-controller basis until the General Data Protection Regulation becomes applicable on 25th May 2018.  The undertaking was given after WhatsApp introduced new terms and conditions and a new privacy policy which affected how it processed personal data held by it; in particular, how it would now share personal data with other Facebook-controlled companies.

Prosecutions
A former housing worker was convicted at St. Albans Crown Court after he shared a confidential report identifying a potential vulnerable victim. The defendant was convicted of three charges of unlawfully obtaining disclosing personal data contrary to section 55 of the Data Protection Act 1998.  He was fined £200 for each charge and was ordered to pay £3,500 in costs.

Alistair Sloan

Should you require advice or assistance about UK Data Protection and Privacy law then contact Alistair Sloan on 0141 229 0880.  You can also contact him by E-mail.  You can also follow our dedicated Twitter account covering all Information Law matters@UKInfoLaw

It’s just legitimite interests, isn’t it?

The General Data Protection Regulation (GDPR) becomes applicable in the United Kingdom on 25th May 2018.  Preparations are well underway in business, government and the regulator for the new privacy and data protection landscape.  People are trying to find their way through the GDPR and the Data Protection Bill to understand exactly what it is that they’re required to do in order to comply with the new framework, but there are a lot of misunderstandings about certain requirements of the GDPR.  I have already dealt with one of those, the issue as to whether or not consent is required under the GDPR on this blog.  Another area where there appears to a lot of misunderstanding is with the legitimate interests ground for processing, especially in the area of direct marketing.

Article 6(1)(f) of the GDPR provides that it is lawful to process the personal data of a data subject where the “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”  This is the legitimate interests ground for processing; but as can be seen from a proper reading of the condition, it is not the silver bullet condition that some people seem to think that it is.

There are essentially three elements to the condition:  (1) necessity; (2) legitimate interests of the controller or a third party; (3) the interests or fundamental rights of the data subject.  Therefore before being able to rely upon legitimate interests as the processing condition, it is essential that controllers go through a three stage process.  The first stage is to identify what the interests are.  In determining whether the interest identified by the data controller is a legitimate interest, it is necessary for them to consider whether a data subject can reasonably expect, at the time and in the context of the collection of the personal data, that processing for this purpose may take place.  If a data subject could not reasonably expect that the processing envisaged by the data controller may take place, at the time and in the context of collection of the personal data, it will not be a legitimate interest.

The second stage is to consider necessity; the processing must be necessary for the legitimate interest(s) being pursued.  If the processing is not necessary then a data controller cannot rely upon the ‘legitimate interests’ condition for processing the personal data in question.  The ICO currently puts it this way “[i]f you can reasonably achieve the same result in another less intrusive way, legitimate interests will not apply.”  It is therefore essential to consider whether there are other ways to fulfil the legitimate interest(s) identified.  The test does not require it to be “strictly necessary” or “absolutely necessary”, but it is still a high test

The final element that needs to be considered before a decision to rely upon legitimate interests can be taken, is whether the legitimate interests are overridden by the fundamental rights and freedoms of the data subject.  This can be a very difficult assessment to make and can, on occasions, be on a knife-edge.  It is fundamentally about proportionality and in a lot of cases the data subject’s fundamental rights and freedoms will override the legitimate interests with the result that another condition needs to be found to enable processing take place.

At the very outset I did mention that there is a lot of misunderstanding about legitimate interests in the field of direct marketing.  It is true that the GDPR does state, in Recital 47, that “[t]he processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”, but it’s not as simple as that.  Firstly it is important to note that the Recital states that it “may be” a legitimate interest; that is not the same thing as saying that it “will be” or “is” a legitimate interest.  It only opens the door to marketing being a legitimate interest; it does not remove the need to consider whether it is, in any given context, a legitimate interest.

Secondly, it is important not to consider the GDPR in isolation.  I have already written about the forgotten relative of the GDPR:  The Privacy and Electronic Communications (EC Directive) Regulations 2003.  These are extremely relevant when conducting direct marketing by electronic means (such a by telephone, E-mail or text message).  Processing personal data for the purposes of marketing might well be lawful because it can be shown that it is a legitimate interest for the controller or a third party, but how that marketing is then delivered must comply with the other relevant laws and codes which regulate marketing activity.

The legitimate interests condition is a flexible one, but data controllers should not assume that if no other condition applies, or is appropriate, that they can simply say “it’s legitimate interests” and be done with it.  Where a controller does rely upon legitimate interests, the accountability principle will kick in and the supervisory authority may well ask for it to be justified.  Therefore, where it is proposed to rely upon legitimate interests a record should be kept demonstrating how each of three elements to the legitimate interests condition is met.

Alistair Sloan

If you would like advice or assistance with a privacy or data protection matter, or any other information law matter then contact Alistair Sloan on 0345 450 0123 or send him an E-mail.

 

PECR: The forgotten relative

Much of the focus in relation to data protection and privacy law is on implementation of the Genera Data Protection Regulation, which becomes applicable from 25 May 2018.  However, many of the discussions that are taking place in respect of GDPR implementation are forgetting the GDPR’s older cousin:  the snappily named Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).  This Directive from the European Union dating from 2002 was implemented in the United Kingdom through the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”).

 The Directive on privacy and electronic communications is concerned with the processing of personal data and the protection of privacy in the electronic communications sector and is of importance to telecommunications providers, Internet Service Providers and any person or organisation who conducts direct marketing by electronic means; however, this blog post is concerned only with direct marketing and is a follow-up to my recent blog post on whether consent is required under the GDPR.

The GDPR might be the big thing at the moment, but it is important not to consider it in isolation.  When thinking about GDPR implementation it is necessary to take a holistic view and think about how it interacts with other laws because these other laws don’t stop having effect just because of the GDPR.  Therefore, it is essential to consider how these other laws affect your GDPR implementation.

The rules on direct marketing by electronic means are relatively simple and straightforward, but this does not stop unlawful behaviour from taking place on an industrial scale.  Rarely does a month go past without the Information Commissioner’s Office publishing information on enforcement action it has taken against businesses arising out of failing to comply with PECR, especially since the law changed to lower the legal threshold for Monetary Penalty Notices in relation to PECR infringements.

Electronic Mail
Electronic Mail includes E-mail and SMS text messaging.  The general rule for direct marketing by electronic mail is that you need consent, as defined by the 1995 Data Protection Directive.  This means that you must have a freely given, specific and informed indication that the person to whom you are directing the marketing wants to receive such marketing.

There is an exception to this which is referred to as the “soft opt-in”.  This applies where you have obtained a person’s personal data “in the course of the sale or negotiations for the sale of a product or service” to them.  You can then send direct marketing to this person, without first gaining their express consent, where you are marketing your own similar products or services.  The data subject must be “given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected”.

Each direct marketing communication that is sent must include a simple means of opt-out of further direct marketing content (and this must be free of charge, except for the costs of transmission of the opt-out).

Telephone:  Automated calls
The rules for direct marketing by telephone are split into automated and unsolicited live telesales calls.  In the case of automated calls with recorded information played when the phone line being called is answered, the subscriber (i.e. the person who has contracted with the telephone service provider) must have notified the caller (or the person instigating the call where the caller is a third party acting on behalf of the instigator) that, for the time being, they consent to receiving such calls.  Again, this requires there to be a freely given, specific and informed indication.  Consent can be withdrawn.

Telephone:  Unsolicited live telesales calls
You do not require consent to make such calls; however, you must not make such calls where the subscriber has notified you that they do not wish to receive such calls, or if the number is registered with the Telephone Preference Service (TPS).  You can call numbers registered with the TPS where the subscriber has consented to receiving calls from you, notwithstanding that the number is registered with the TPS.  Consent can, as always, be withdrawn at a later date.

Fax
Yes, it is still a thing and some people (and indeed whole sectors) still use fax machines.  However, as it is more or less an obsolete technology all I will say on the matter is that PECR regulates the use of fax for direct marketing and the relevant parts are Regulations 20 and 25.

That is a very brief run through of the relevant law as it stands today.  However, a couple of points to note in closing:  Firstly, the EU is currently working on a replacement to the current Directive.  It had been anticipated that the new E-Privacy Regulation would be implemented alongside the GDPR, but work started on it too late and so it won’t.  Whether it will be finalised in and in force prior to Brexit is something that we will need to wait and see.  Secondly, depending on what happens with the Brexit negotiations it may still end up being part of UK law even if it comes into force after the UK leaves the EU.  Thirdly, there is likely to be some temporary adjustments to PECR from 25 May 2018, that is because PECR adopts a lot of definitions from the Data Protection Act 1998 and the 1995 Data Protection Directive (both of which will be repealed on 25 May 2018).  Finally, the domestic Regulations were made under the European Communities Act 1972; therefore the European Union (Withdrawal) Bill may well have some impact upon them.

Alistair Sloan

If you would like advice or assistance with a privacy or data protection matter, or any other information law concern then contact Alistair Sloan on 0345 450 0123 or send him an E-mail.