Tag Archives: Privacy (Enforcement)

Data Protection and Privacy Enforcement: November 2018

0The year is progressing quickly and we’re now onto looking at November’s enforcement action published by the Information Commissioner’s Office in relation to privacy and data protection matters. We are beginning to see enforcement action under the Data Protection Act 2018 (“DPA18”) filter through, but the majority is very much still under the Data Protection Act 1998 (“DPA98”) in respect of breaches which occurred prior to 25 May 2018.

Key Points

  • Carrying out a Data Protection Impact Assessment in the early stages of any project where it is envisaged that personal data will be processed is a useful tool to help highlight privacy and data protection concerns so that they can be addressed in the planning phase. Data protection by design and privacy impact assessments were recommended good practice under the DPA98; however, the GDPR mandates data protection by design and default (Article 25) and the carrying out of data protection impact assessments in certain circumstances (Article 35). Even if the GDPR does not require you to complete a DPIA, it is worthwhile undertaking one in any event – it can also be a helpful document to present to the Commissioner should her office begin any investigation into your organisation.
  • It is important to regularly download an updated version of the Telephone Preference Service list and to do so as close as possible to an intended direct marketing campaign. If you undertake regular direct marketing campaigns then you should probably be downloading the updated list once per month. Relying on an out of date version could mean that you unlawfully call numbers – the cost of regularly obtaining a copy of the TPS list is insignificant compared to the financial penalties that can be issued by the Information Commissioner for contraventions of Regulation 21 of the Privacy and Electronic Communications (EC Directive) Regulations 2003.
  • It should go without saying that if the Information Commissioner takes enforcement action against you for contravening privacy and data protection laws then you should ensure that you take adequate remedial measures to ensure that the contravention doesn’t happen again.
  • If you obtain a list of telephone numbers to call for marketing purposes from a third party the obligation rests with you to ensure that you have lawful authority to make (or instruct others on you behalf to make) calls to each intended number.
  • Controllers may no longer be required to notify the Commissioners of their processing of personal data; however, they are still required to make payment to the Commissioner of a fee. Those who either (a) don’t know they are due to pay  a fee; or (b) miss paying their fee and rectify the matter once the Commissioner has contacted them about their non-payment will likely not face formal enforcement action, but those who continue to fail to pay the fee once the Commissioner has contacted them can expect to be required to pay a financial penalty for failure to pay the fee.

Enforcement Action published by the ICO during November 2018

Metropolitan Police Service
The Commissioner of Police of the Metropolis (MPS) was served with an Enforcement Notice by the Information Commissioner [pdf] requiring the MPS to take a number of specified steps; including the conducting of a data protection impact assessment, in respect of its Gangs Matrix. The Gangs Matrix is part of the MPS’ ongoing effort to reduce the incidences of crime in London arising from gangs. The Notice only emphasises the Commissioner’s primary concerns in respect of the MPS’ compliance with the data protection principles, rather than listing every single contravention. The Notice makes reference to contraventions of the first, third, fourth, fifth and seventh data protection principles

DM Bedroom Design Ltd
The Information Commissioner served DM Bedroom Design Ltd with a monetary penalty in the sum of £160,000 [pdf] and also served it with an Enforcement Notice [pdf] after finding that the company had contravened Regulation 21 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”). This was not the first time that the company had received a monetary penalty from the Commissioner for contravening PECR. The company operated an internal suppression list and also advised the Commissioner that it screened lists against the Telephone Preference Service (“TPS”) list; however, the Commissioner found that the company had not downloaded the TPS list since March 2017.

Solartech North East Limited
Solaretech North East Limited (“Solartech”) was served by the Information Commissioner with a monetary penalty in the amount of £90,000 [pdf] and an enforcement notice [pdf]. The Commissioner found that Solartech had contravened Regulation 21 of PECR by making almost 75,000 calls unlawfully to numbers listed with the Telephone Preference Service. Solartech had previously came to the attention of the Commissioner’s office in 2014 and had bene provided with advice from her office as well as subjected to a period of monitoring. Despite this, and further advice and monitoring in 2016/17 Solartech continued to contravene Regulation 21 of PECR. Solartech sought (unsuccessfully) to blame third parties for these contraventions.

Uber
Uber is a popular app which provides taxi services to its users by linking them with Uber drivers in their area. It has bene the subject of many recent legal battles in the Employment field and has now also come to the attention of data protection supervisory authorities in the United Kingdom and the Netherlands. The Information Commissioner served Uber with a monetary penalty notice in the amount of £385,000 following a cyber attack. [pdf] The Commissioner found that Uber had breached the seventh data protection principle by failing to have in place adequate technical and organisational measures.

Fixed Penalty Notices: Data Protection Fees
The old notification requirement and fee under the DPA98 has gone, but has been replaced with a new data protection fee payable by controllers who are not exempt from the fee. The new fees regulations are found in The Data Protection (Charges and Information) Regulations 2018. Organisations who are required to pay the fee and fail to do so may be served with a penalty notice by the Commissioner requiring them to pay a fixed penalty calculated in relation to the amount of the fee payable under the Regulations by the controller. The Commissioner has taken enforcement action, in the form of fixed penalty notices, against a number of controllers in the business, manufacturing and finance sectors for failure to pay their data protection fees; even after being contacted by the Commissioner about the unpaid fee. The Commissioner has not published all of the penalty notices, or even a list of controllers subject to enforcement action, but has instead published “example” notices (which read more like templates than examples) for each of the three sectors.

Alistair Sloan

If you require advice and assistance in connection with any of the data protection/privacy issues above, or any other Information Law matter, please do contact Alistair Sloan on 0141 229 0880 or by sending him an E-mail directly.  You can also follow our dedicated information law twitter account.

Data Protection and Privacy Enforcement: October 2018

Regular readers of this blog will know that every month I look at the published enforcement action taken by the Information Commissioner in respect of privacy and data protection law. The infractions are often very similar and the same key lessons to take away from the enforcement action appear frequently; October’s enforcement action proves no different. There is, however, a mixture of enforcement action taken under the Data Protection Act 1998 (“DPA98) – in respect of breaches that occurred prior to the 25 May 2018 – and enforcement action taken under the Data Protection Act 2018 (”DPA18).

Key Lessons

  • When the Commissioner’s office makes contact with you in the course of an investigation it is advisable to cooperate with the investigation. The Commissioner has powers to require persons (not just data controllers) to provide her office with information. It is a criminal offence not to comply with an information notice issued by the Commissioner under the DPA98 while a person who fails to comply with an Information Notice served under the DPA18 can be made the subject of an Information Order by the court.
  • Before making telephone calls for the purpose of direct marketing it is essential that organisations check their list against the list held by the Telephone Preference Service. It is against the law to call a number listed with the TPS for the purposes of direct marketing unless you can show that the recipient has not objected, for the time being, to receiving marketing calls from you. The law has recently been changed and the Commissioner will soon be able to serve a monetary penalty on directors of a company for breaches of the requirements of the Privacy and Electronic Communications (EC Directive) Regulations 2003.
  • Any removable media such as CDs and USB memory sticks should be encrypted to prevent unauthorised access to personal data in the event that the media is lost or stolen. Controllers should also consider putting in place technical barriers to ensure that personal data is not unnecessarily being put onto removable media.
  • When drafting privacy statements where you are seeking to obtain consent for direct marketing; it is important to be specific about just what marketing might be sent. It is insufficient to rely upon statements along the lines of “you consent to receive marketing from our carefully selected third party affiliates” and similar.
  • The person who instigates a call is liable for a contravention of PECR, not the person who makes the call. Therefore you cannot avoid liability by engaging a third party contractor to make calls on your behalf. If you have directed that the calls be made then you are liable for any contraventions of PECR. Therefore, companies who engage third parties to undertake telemarketing on their behalf need to ensure that they have in place adequate due diligence to ensure that there are no negligent contraventions of PECR.
  • It’s not enough to simply rely upon your own internal suppression lists when making telephone calls for the purposes of direct marketing; it is also important that call lists as screened against the list maintained by the Telephone Preference Service. It’s also important that companies engaging in telesales regularly obtain an updated version of the list maintained by the TPS and you should never seek to rely upon a version of the list that is more than 28 days old.
  • It can be worthwhile brining appeals against Notices served by the Commissioner – especially where the terms of the notice are unclear. Where reasons are provided for a decision they generally require to be intelligible.

Enforcement action published by the Information Commissioner in October 2018

Oaklands Assist UK Limited
Oaklands Assist UK Limited (“OAUK”) was served with a Monetary Penalty Notice  in the sum of £150,000 [pdf] after the Commissioner found that OAUK had used a public electronic communications service for the purpose of direct marketing in contravention of Regulation 21 of the Privacy and electronic Communications (EC Directive) Regulations 2003 (“PECR”). It appears that OAUK did not initially comply with the Commissioner’s investigation as the penalty notice states that the Commissioner had to serve an Information Notice on OAUK and it only made contact with the Commissioner’s office when they were threated with prosecution for failure to comply with an Information Notice. The Commissioner found that OAUK had made 63,724 direct marketing calls to numbers that were listed on the TPS, in contravention of Regulation 21 of PECR.

Heathrow Airport Limited
Heathrow Airport Limited (“LHR”) was served with a monetary penalty notice in the sum of £120,000 [pdf] after the Commissioner found that it had breached the seventh data protection principle in schedule 1 to the DPA98. LHR had lost an unencrypted USB memory stick which had been found by a member of the public in West London. The member of the public who found the USB memory stick took it to a public library where they accessed it. Approximately 1% of the files on the memory stick contained personal data, including sensitive personal data. The Commissioner found that the use of removable media was widespread within LHR, but that there was little in the way of measures in places to ensure oversight. Furthermore, there were no technical barriers in place to limit or restrict the downloading of information from LHR’s systems onto removable media.

Boost Finance Limited
Boost Finance Limited (“Boost”) was served with a monetary penalty notice in the sum of £90,000 [pdf] after the Commissioner found that it was responsible for a large number of unsolicited E-mails in respect of pre-paid funeral plans. The Commissioner found that Boost (trading as findmeafuneralplan.com) had instigated, via affiliates that it had appointed, in excess of 4 million unsolicited marketing E-mails contrary to Regulation 22 of PECR. The E-mails were sent to individuals who had subscribed to a number of Boost’s affiliates. The Commissioner concluded [para 16] that Boost had “relied upon inadequate, generic, vague, misleading, tiered and incomplete personal data collection methods and privacy statements as a way of obtaining consent to send direct marketing E-mails.”

Aggregate IQ Data Services Limited
This is not a new Enforcement Notice, but rather it is a notice of variation of the first ever enforcement notice served under the DPA18 [pdf]. Aggregate IQ Data Services Limited (“AIQ”) was served with an enforcement notice by the Commissioner in respect of her investigation into data analytics in politics (which arose out of the allegations surrounding Facebook and Cambridge Analytica). AIQ had appealed the Notice to the First-Tier Tribunal (Information Rights) and has since discontinued that appeal. The revised notice is in much tighter terms than the original notice served by the Commissioner. The revised notice requires AIQ to “[e]rase any personal data of individuals in the UK, determined by reference to the domain name of the email address processed by AIQ, retained by AIQ on its servers as notified to the Information Commissioner…” AIQ is required to do this within 30 days of the Office of the Information and Privacy Commissioner of British Columbia notifying it that either the OIPC no longer requires it for an investigation, or that the OIPC informs AIQ that it is happy for AIQ to comply with the notice (whichever occurs the soonest).

Facebook Ireland Ltd
Facebook Ireland Ltd is the company who UK users (and indeed other EU users) of the Facebook social media platform have a relationship with. The Commissioner served Facebook Ireland with a monetary penalty notice in the sum of £500,000 for breaches of the first and seventh data protection principles [pdf]. The Commissioner considered that Facebook UK Limited, a UK establishment, had carried out certain activities on behalf of Facebook Ireland and Facebook Inc. As the breaches occurred while the DPA98 was still in force, £500,000 represents the maximum penalty that the Commissioner could issue. It is understood that Facebook Ireland has appealed the monetary penalty to the First-Tier Tribunal (Information Rights).

ACT Response Limited
The Information Commissioner served ACT Response Limited (“ACT”) with a monetary penalty notice in the amount of £140,000 [pdf] after she found that ACT had instigated in excess of £490,000 telephone calls for the purposes of direct marketing in contravention of Regulation 21 of PECR. The company operated its own internal suppression list, but did not screen its lists against the Telephone Preference Service list. ACT provided a copy of a training manual to the commissioner during her investigation, which contained a script which directed those making the calls to ask whether a person was listed on the TPS and to apologise if they were. ACT tried to blame the contravention on one of its sister companies as the company that made the calls, but the sister company made the calls on behalf of ACT and the lines used to make the calls were registered to ACT.

Alistair Sloan

If you require advice and assistance in connection with any of the data protection/privacy issues above, or any other Information Law matter, please do contact Alistair Sloan on 0141 229 0880 or by sending him an E-mail directly.  You can also follow our dedicated information law twitter account.

Data Protection/Privacy Enforcement: August 2018

August was another quiet month in terms of the data protection and privacy enforcement action published by the Information Commissioner’s Office. There were just two Monetary Penalty Notices published by the ICO last month. There are still a few key points to draw from last month’s published enforcement action – some of which are featured fairly regularly on these monthly blogposts, but are worthy of repitition.

Key Points

  • When carrying out direct marketing by telephone it is important that you check the intended list against the list held by the Telephone Preference Service before undertaking the campaign. If any number you intend on calling appears on that list you must satisfy yourself that you have sufficient evidence to support that you can still call that number, despite it being on the TPS.
  • If you’re getting your telephone lists from a third party then you must still do your own due diligence. Ensure that you have received sufficient evidence from the seller that the persons on the list have, in fact, indicated that they don’t mind being marketed to.
  • When drafting a privacy notice which sets out that you may share personal data with third parties it is important to be as accurate and precise as possible. It is not enough to include something along the lines of that you will share personal data with “carefully selected partners” and if you have a detailed list of organisations (or categories of organisations) that you may share personal data with, it is important that you do not share personal data with third parties who do not fall within that list.

Enforcement action published by the ICO in August 2018

AMS Marketing Limited
AMS Marketing Limited was served with a Monetary Penalty Notice in the amount of £100,000 [pdf] after if breached Regulation 21 of the Privacy and Electronic Communications (EC Directive) Regulations 2003. AMS Marketing had made in excess of 75,000 calls to numbers which were listed with the Telephone Preference Service and were unable to demonstrate to the Commissioner that they had been notified by the subscriber that they did not object, for the time being, to receiving calls for the purpose of direct marketing.

Lifecycle Marketing (Mother and Baby) Ltd
Life Style Marketing (Mother and Baby) Ltd (also known as ‘Emma’s Diary’) was served with a Monetary Penalty Notice in the amount of £140,000 after it failed to comply with the first data protection principle in Schedule 1 to the Data Protection Act 1998 (“DPA1998”). The company sold the personal data of more than 1 million individuals to the Labour Party for use in its campaign during the General election that took place in 2017 without telling those individuals that this is something that it might do with their personal data. The company, the Commissioner found, had no lawful basis within Schedule 2 of the DPA1998 for processing the personal data of those individuals.

Alistair Sloan

If you require advice and assistance in connection with any of the data protection/privacy issues above, or any other Information Law matter, please do contact Alistair Sloan on 0141 229 0880 or by sending him an E-mail directly.  You can also follow our dedicated information law twitter account.

 

 

Privacy and Data Protection: director disqualified

In September 2017 the Information Commissioner served a Monetary Penalty Notice on Easyleads Limited in the amount of £260,000 [pdf]; the company was also served with an Enforcement Notice by the Commissioner requiring the company to comply with the terms of the Privacy and Electronic Communications (EC Directive) Regulations 2003 [pdf]. It has since transpired that the company never paid the monetary penalty notice and the Information Commissioner petitioned the court to have the company wound-up. It is not unheard of for monetary penalty notices served by the Commissioner to go unpaid; however, where they do it is often because the company goes into liquidation. A copy of the order winding the company up following the petition by the Information Commissioner [pdf] can be found on the Companies House website.

What is interesting about this case though is an announcement by the Insolvency Service that the Secretary of State had accepted a disqualification undertaking from Shaun Harkin, the director of Easyleads Limited. The effect of the undertaking is to ban Mr. Harkin from “directly or indirectly becoming involved, without the permission of the court, in the promotion, formation or management of a company for six years”.

The announcement from the insolvency Service explains that the reason Mr Harkin is now banned from being a director of a company for 6 years is because he failed to ensure that the company complied with its statutory obligations, specifically that he failed to ensure that the company complied with the requirements of the Privacy and Electronic Communications (EC Directive) Regulations 2003 around undertaking direct marketing by telephone.

This is an important announcement from the Insolvency Service; it demonstrates that the effects of failing to comply with data protection and privacy law can be wide-ranging. There is the potential for directors running companies which fail to comply with data protection and privacy law facing being banned from being involved in the formation or management of companies for a not insignificant period of time. It remains to be seen whether this sort of action becomes much more frequent and it is not something that is directly in the control of the Information Commissioner herself, but if the Insolvency Service is starting to take seriously breaches of data protection and privacy law by companies and looking to disqualify directors (where it can within the parameters of the law) then this is clearly something that those involved in the formation and management of limited companies ought to bear in mind when considering data protection and privacy compliance.

Alistair Sloan

If you require advice or assistance on a matter relating to data protection or privacy law then you can contact Alistair Sloan on 0141 229 0880 or send him an E-mail. You can also follow our twitter account dedicated to information law matters.

Facebook, Fines and Enforcement: ICO investigation into political campaigning

In March the Commissioner executed a warrant under the Data Protection Act 1998, to much fanfare and press coverage, on Cambridge Analytica – the data analytics firm who had been involved in the election campaign by US President Donald Trump and who had allegedly undertaken work for Leave.EU in the 2016 referendum on whether the UL should remain a member of the European Union or not. At the same time the Information commissioner announced a much wider investigation into compliance with data protection and privacy laws in political campaigning.

The Information Commissioner has today published a report giving an update on that wider investigation [pdf]. There has been much fanfare around this report and in particular a suggestion that Facebook has been served with a Monetary Penalty Notice in the amount of £500,000. This would be big news; it may not be a large sum of money to Facebook, but £500,000 is the maximum that the Information commissioner can serve a Monetary Penalty Notice for under the Data Protection Act 1998.

However, it has become clear that Facebook has not been served with a Monetary Penalty Notice in the amount of £500,000. The first thing to note here is that the Data Protection Act 1998 still applies; the alleged breaches of data protection law that the Commissioner is concerned with pre-dated 25 May 2018 and therefore the powers under the General Data Protection Regulation (GDPR) do not apply. What has happened is that the Information Commissioner has served a “Notice of Intent” on Facebook indicating that the Commissioner intends on serving Facebook with a Monetary Penalty Notice in the amount of £500,000. This is the first stage in the process of serving a Monetary Penalty Notice, but it is by no means guaranteed that (a) a Monetary Penalty Notice will be issued; and (b) that it will be in the amount of £500,000.

Facebook will have the opportunity to make written representations to the Information Commissioner on various matters, including whether the statutory tests for serving a Monetary Penalty Notice have been met and on the amount of the Penalty. The Commissioner must take account of these representations when making a final decision on serving the Monetary Penalty Notice: not to do so would likely result in an appeal against the Notice to the First-Tier Tribunal (Information Rights), which could ultimately result in the Monetary Penalty Notice being reduced in amount or quashed altogether. If Facebook brings forward evidence to the Commissioner that means she can no longer make certain findings in fact that will have an impact on both her ability to serve the Monetary Penalty Notice and the amount of that notice.

It could be many more weeks, if not months before we know whether a Monetary Penalty Notice is in fact being served on Facebook and how much it is for. The Commissioner must serve the Monetary Penalty Notice on Facebook within six month of serving the Notice of Intent.

There are some other aspects of the Commissioner’s report that are worthy of some brief consideration. The Commissioner has announced that she is intending on prosecuting SCL Elections Limited. The information given by the Commissioner suggests that this prosecution is to be limited to one very specific issue: their failure to comply with an Enforcement Notice previously served on the company. The Enforcement Notice was served on the company after they failed to comply with a subject access request received by them from a US academic. The company was in administration when the Enforcement Notice was served and remains in administration today. The Information Commissioner is able to prosecute offences under the legislation it is responsible for enforcing in its own right; except in Scotland where it requires to report the matter to the Procurator Fiscal in the same way as every other law enforcement agency is required. How successful that prosecution will be and what benefit it will bring remains to be seen given that the company is in administration. Even if the company is successfully

We have also seen what appears to be the first piece of enforcement action taken under the Data Protection Act 2018 and the General data Protection Regulation.  The Commissioner has served an Enforcement Notice on the Canadian company, Aggregate IQ [pdf]. This amounts to what could be termed as a “stop processing notice” and it requires Aggregate IQ to, within 30 days, “cease processing any personal data of UK or EU citizens obtained from UK political organisations or otherwise for the purposes of data analytics, political campaigning, or any other advertising.”

Failure to comply with an Enforcement Notice under the Data Protection Act 2018 and the GDPR is not (unlike under the Data Protection Act 1998) a criminal offence; however, a failure to comply can result in an administrative fine of up to €20 million or 4% of global turnover (whichever is the greater). How successful the ICO will be at enforcing this enforcement notice, given that the company is located in Canada and appears to have no established base in the UK, or any other EU member state, remains to be seen.

Other investigations are still ongoing. The Commissioner appears to be continuing to investigate whether there was any unlawful data sharing between Leave.EU and Eldon Insurance. Investigations are also being undertaken into the main ‘Remain’ campaign in the EU referendum and also into all of the UK’s main political parties. It remains to be seen what will happen there.

The Commissioner’s report also informs us that the appeal by the United Kingdom Independence Party (UKIP) against an Information Notice previously served upon them has been dismissed. The First-Tier Tribunal (Information Rights) has not yet published a decision in that case on its website, but should it do so I shall endeavour to blog on that decision (especially given that there has never to my knowledge been an appeal to the Tribunal against an Information Notice). Failure to comply with an Information Notice is a criminal offence, and a company was recently fined £2,000 at Telford Magistrates’ Court for that very offence.

Alistair Sloan

If you require advice or assistance on a matter relating to data protection or privacy law then you can contact Alistair Sloan on 0141 229 0880 or send him an E-mail. You can also follow our twitter account dedicated to information law matters.

Data Protection/Privacy Enforcement: March 2018

Probably the most high profile piece of enforcement action taken by the Information Commissioner’s Office in March was its application for, and execution of, a warrant to enter and inspect the offices occupied by Cambridge Analytica as part of the Commissioner’s wider investigation into the use of personal data in politics.  It would seem that data protection warrants get more people excited about data protection than would ordinarily be the case. The Cambridge Analytica warrant was not the only warrant that the Commissioner obtained and executed in March; the Commissioner’s website also published details of a warrant that it executed in Clydebank (Glasgow).  This warrant was directed towards alleged breaches of the Privacy and Electronic Communications (EC Directive) Regulations 2003 which deal with, insofar as this blog is concerned with, the rules concerning direct marketing to individuals by electronic means.

Key Points

  • Care needs to be taken when looking at sharing personal data on a controller-to-controller basis with other companies, including separate companies within the same group of companies. Data controllers need to ensure that they identify what their lawful basis for processing is, provide adequate fair processing information to data subjects in relation to such sharing of personal data and ensure that any changes to their policy in respect of data-sharing do not result in that sharing being for a purpose that is incompatible with those stated at the time of collection.
  • If you, as an individual (whether or not you are yourself a data controller), unlawfully disclose personal data to third parties then you could be liable for prosecution.

Enforcement Action published by the ICO during March 2018

WhatsApp Inc.
An undertaking was given by WhatsApp Inc. In it, WhatsApp undertook not to do a number of things; including not transferring personal data concerning users within the EU to another Facebook-controlled company on a controller-to-controller basis until the General Data Protection Regulation becomes applicable on 25th May 2018.  The undertaking was given after WhatsApp introduced new terms and conditions and a new privacy policy which affected how it processed personal data held by it; in particular, how it would now share personal data with other Facebook-controlled companies.

Prosecutions
A former housing worker was convicted at St. Albans Crown Court after he shared a confidential report identifying a potential vulnerable victim. The defendant was convicted of three charges of unlawfully obtaining disclosing personal data contrary to section 55 of the Data Protection Act 1998.  He was fined £200 for each charge and was ordered to pay £3,500 in costs.

Alistair Sloan

Should you require advice or assistance about UK Data Protection and Privacy law then contact Alistair Sloan on 0141 229 0880.  You can also contact him by E-mail.  You can also follow our dedicated Twitter account covering all Information Law matters@UKInfoLaw

Data Protection and Privacy Enforcement: February 2018

February is a short month, and did not see the same level of publicity by the Information Commissioner’s Office in respect of enforcement action taken to enforce privacy and data protection laws as was seen in January.

Key points 

  • Failing to comply with an Enforcement Notice is a criminal offence (see section 47 of the Data Protection Act 1998); there is a right of appeal to the First-Tier Tribunal (Information Rights) against the terms of an Enforcement Notice and so if you do not agree with the terms of the notice you should seek legal advice about the possibility of making such an appeal.
  • Employees should be careful what they do with personal data; in most cases the enforcement liability will lie with the employer (although, your employer might take disciplinary action against you for failing to comply with company policies and procedures).  However, there are circumstances when employees can be held personally, and indeed criminally, liable for breaches of the Data Protection act 1998.
  • The right of subject access is a fundamental right of data subjects and data controllers must ensure that they comply with their obligations in respect of a subject access request made by a data subject.  The right of subject access remains a key feature of the new European data protection framework and the GDPR strengthens the right of subject access for data subjects.

Enforcement action published by the ICO during February 2018

Pennine Care NHS Foundation Trust
The ICO has conducted a follow-up assessment [pdf] with Pennine Care NHS Foundation Trust finding that the Trust had complied with the terms of the undertaking which it had previously given [pdf] following a consensual audit [pdf] by the Commissioner’s staff.

Gain Credit LLC
Gain Credit LLC was served with an Enforcement Notice [pdf] by the Information Commissioner for failing to comply with a subject access request made to it.  This came to light after the data subject in question made a request to the Information Commissioner that she carry out an assessment pursuant to section 42 of the Data Protection Act 1998 into whether it was likely or unlikely that the processing by Gain Credit LLC was in accordance with the provisions of the Act.

Direct Choice Home Improvements Limited
In March 2016 Direct Choice Home Improvements Limited was served with a Monetary Penalty Notice in the amount of £50,000 [pdf] and also an Enforcement Notice [pdf] for breaching Regulation 21 of the Privacy and Electronic Communications (EC) Directive Regulations 2003 (PECR).  The company continued to breach Regulation 21 of PECR and the Commissioner prosecuted it for breaching the Enforcement Notice.  The company was not represented at Swansea Magistrates’ Court and was convicted in absence.  The company was fined £400 as well as being ordered to pay £364.08 in prosecution costs and a victim surcharge of £40. (Don’t forget that PECR remains part of the privacy and data protection law landscape when the GDPR becomes applicable in May.)

Other Prosecutions
A former employee of Nationwide Accident Repair Services Limited was prosecuted by the Information Commissioner for unlawfully obtaining personal data contrary to section 55 of the Data Protection Act 1998.  The defendant had sold the personal data of his employers’ customers to a third party who then made use of the personal data to contact some of those customers concerning their accident.  The defendant was convicted and fined £500 as well as being ordered to pay costs of £364 and a victim surcharge of £50.  An offence of unlawfully disclosing personal data was admitted to and taken into consideration by the Court.

A former local authority education worker was prosecuted after she unlawfully disclosed personal data contrary to section 55 of the Data Protection Act 1998.  The defendant had taken a screenshot of a council spreadsheet which concerned the eligibility of named children to free school meals and then sent it onto an estranged parent of one of the children.  She pled guilty to three offences and was fined £850 by Westminster Magistrates’ Court as well as being ordered to pay £713 in costs.

Alistair Sloan

If you require advice or assistance in respect of a data protection or privacy law matter, or any other Information Law matter; then contact Alistair Sloan on 0345 450 0123, or send him and E-mail.

Data Protection/Privacy Enforcement: January 2018

It has been a busy start to the year for the Information Commissioner’s Office (ICO).  The start of 2018 also saw the highest ever sentences imposed on those in breach of Data Protection and Privacy laws in the United Kingdom.  It is time to have a closer look at the Data Protection and Privacy Enforcement action published by the ICO during January 2018 as part of our regular monthly review.  You can read our review of the privacy and data protection enfrocement from December 2017 here.

Key Points

  • If you have access to personal data as part of your employment, ensure that you only access it where there is a genuine professional need for you to do so; even if the reason you are looking for information could be considered harmless.
  • As far as the Information Commissioner is concerned, ‘ignorance is not bliss’; Data Controllers must have adequate and up to date procedures, technology and policies in place to ensure that they are not in breach of any data protection laws or regulations.
  • Organisations can’t generally send advertising or marketing emails unless the recipient has informed the sender that they consent to such emails being sent by, or at the instigation of, that sender.  Any consent must be freely given, explicit and informed but also involve a positive indication signifying the individual’s agreement. In order for consent to be informed by an individual, the individual must know exactly what it is they are consenting to (for more information see Alistair Sloan’s blog post PECR:  The forgotten relative).
  • Failure to notify the Information Commissioner of any personal data breach in accordance with the Notification Regulations will not be tolerated.  If it has come to your attention that there has been a breach, you must come clean and put your hands up. A much wider requirement to notify the ICO of personal data breaches becomes applicable with the GDPR later this year, for more on that see our blog post on Personal Data Breaches under the GDPR.
  • It goes without saying, meticulous attention to detail must be taken when you are sending any correspondence containing personal data, you must ensure that it is sent to the correct person.

Enforcement action published by the ICO in January 2018

The Carphone Warehouse Ltd
The Carphone Warehouse Ltd was served with a Monetary Penalty Notice in the sum of £400,000 after serious failures and inadequate software placed customer and employee data at risk.

Newday Limited
Newday Ltd were served a Monetary Penalty Notice in the sum of £230,000 after approximately 48,096,988 emails were sent to individuals who had not consented to receive marketing, contrary to regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003.  The Commissioner decided that the consent relied on by Newday Limited was not sufficiently informed and therefore it did not amount to valid consent.

TFLI Ltd
TFLI Ltd received a Monetary Penalty Notice of £80,000.  This penalty was also in relation to contravention of regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003.  TFLI Limited sent approximately 1,218,436 unsolicited marketing texts promoting a loan website.

Barrington Claims Ltd
Barrington Claims Ltd were issued a Monetary Penalty Notice in the sum £250,000 after they failed to ensure automated marketing calls were made only to individuals who had consented to receive them. The Commissioner decided to issue a Monetary Penalty under section 55A of the Data Protection Act 1998, in relation to contravention of regulations 19 and 24 of the Privacy and Electronic Communications (EC Directive) Regulations 2003.  The company were unable to provide evidence that it had the consent of individuals to whom it had instigated the calls.

Goody Market UK Ltd
Goody Market UK Ltd were issued a Monetary Penalty Notice in the sum of £40,000 after they failed to ensure that text messages containing marketing material were only sent to individuals who had consented to receive them.  They were also served an Enforcement Notice. The texts were sent on the basis of data sourced from a third party, and purchased on behalf of Goody Market UK Ltd by a data broker.  Goody Market UK Ltd were unable to provide the Commissioner with any evidence that the recipients consented to the marketing messages, having relied on verbal assurance from the data broker.  The Commissioner found that Goody Market UK Ltd had contravened Regulation 22 of PECR.

West Midlands Police
West Midlands Police have signed an Undertaking to comply with the Data Protection Act after the Information Commissioner was informed that a data breach had occurred in relation a Criminal Behaviour Order.  The order was imposed on two individuals, but in a leaflet distributed to publicise the order, the names of the witnesses were revealed.

Miss-sold Products UK Ltd
Miss-sold Products UK Ltd were served a Monetary Penalty Notice in the sum of £350,000 after they failed to ensure that marketing calls were only made to individuals who had consented to receive marketing. The penalty was in relation to contravention of Regulation 19 of the Privacy and Electronic Communications (EC Directive) Regulations 2003.

SSE Energy Supply Ltd
SSE Energy Supply Ltd was issued a Monetary Penalty Notice of £1,000 after they sent an email to an individual in error.   The penalty was issued because of contravention of Regulation 5A of the Privacy and Electronic Communications (EC Directive) Regulations 2003.  This Regulation requires that a provider of a public electronic communications service must notify the Information Commissioner of a personal data breach without undue delay.  SSE Energy Supply Ltd sent an email to the wrong email address, disclosing the name of a customer and their account number.  After they became aware of the breach, SSE Energy Supply Limited did not follow its policies and procedures that were in place and as a consequence there was a delay in reporting the personal data breach to the Information Commissioner.

Prosecutions
There were a number of successful prosecutions reported by the ICO during January 2018:

  1. An investigation by the ICO, which began in 2013, resulted in record fines for Woodgate and Clark Ltd, the company director and private investigators who were involved in the illegal trade of personal information.  A claim had been made on an insurance policy in relation to a fire at business premises which the claimant owned.  Private investigators unlawfully obtained confidential financial information and disclosed it to Woodgate and Clark Ltd, which then disclosed it to an insurer client.  The defendants were all prosecuted under s55 of the Data Protection Act 1998.  Woodgate and Clark Ltd were fined £50,000 in addition to being ordered to pay £20,000 in costs.  The company director was fined £75,000 and was ordered to pay £20,000 in costs; while both private investigators were fined £10,000 and ordered to pay £2,500 in costs.
  2. A director of an accident claims company invented a car crash so that he could trace and get in touch with the owner of a private number plate he wanted to buy.  He was prosecuted at Bristol Magistrates’ Court for a breach of S55 of the Data Protection Act 1998 for the offence of unlawfully obtaining personal data.  He was convicted and received a fine of £335.00.  The defendant was also ordered to pay prosecution costs of £364.08 and a victim surcharge of £33.00.
  3. An individual was charged with two offences of unlawfully disclosing personal data.  The defendant had come into possession of a USB stick and published sensitive police information from it on Twitter.  He was sentenced to a 12 month conditional discharg,e in part because he had been placed on a stringent bail conditions including wearing an electronic tag before the hearing.  He had to pay £150 in cost and £15 victim charge.

Vicki Macleod Folan

If you require advice and assistance in connection with any of the issues above, or any other Information Law matter, please do contact Alistair Sloan on 0345 450 0123 or by completing the form on the contact page of this blog.  Alternatively, you can send him an E-mail directly.

Data Protection/Privacy Enforcement: November 2017

A bit later than normal, it is time for our monthly review of the enforcement action taken by the Information Commissioner in respect of Privacy and Data Protection matters during the month of November 2017.  This follows on from our reviews covering September 2017 and October 2017.

Key Points

  • Ensure that when you are collecting personal data that you are clear and open about what it will be used for.  If it is to be supplied to third parties for direct marketing purposes state as accurately as possible who those third parties are –  stating that it will be shared with “carefully selected partners” is not going to be sufficient.
  • When undertaking direct marketing by electronic means, such as by E-mail or text message, ensure that you have in place the necessary consent (and remember the definition of consent in the Data Protection Directive) of the recipient before sending your marketing messages.
  • Once again, if you have access to personal data as part of your employment, ensure that you only access it where there is a legitimate business need for you to do so.  Do not send personal data to your own personal E-mail address without first explaining to your employer why you need to do it and getting their consent to do so.

Enforcement action published by the ICO in November 2017

Verso Group (UK) Limited

Verso Group (UK) Limited was served with a Monetary Penalty Notice [pdf] in the amount of £80,000.  Verso had been supplying personal data to third parties to enable those third parties to conduct direct marketing campaigns; the Commissioner considered that Verso had breached the First Data Protection Principle in doing so.  This was because the Commissioner did not consider that the terms and conditions and privacy policies of Verso and those other companies from which it obtained personal data were clear enough to make the processing by Verso fair and lawful.

Hamilton Digital Solutions Limited

Hamilton Digital Solutions Limited were served with an Enforcement Notice [pdf] and a Monetary Penalty Notice [pdf] in the amount of £45,000 after the company were responsible for the sending of in excess of 150,000 text messages for the purposes of direct marketing in breach of the Privacy and Electronic Communications (EC Directive) Regulations 2003.

Prosecutions

There were a number of successful prosecutions reported by the ICO during the month of November 2017:

Prosecution 1 –
A former employee of a community based counselling charity was prosecuted by the ICO at Preston Crown Court and pleaded guilty to three charges under Section 55 of the Data Protection Act 1998.  The Defendant had sent a number of E-mails to his personal E-mail address which contained sensitive personal data of clients, without his employers’ consent.  He was given a 2 year Conditional Discharge, ordered to pay costs of £1,845.25 and a £15 Victim Surcharge.

Prosecution 2 –
An employee of Dudley Group NHS Trust pleaded guilty two offences under Section 55 of the Data Protection Act 1998:  one of unlawfully obtaining personal data and one of unlawfully disclosing personal data.  The defendant had accessed the medical records of a neighbour and former friend medical records and also disclosed information about a baby.  She was fined a total of £250 (£125 for each offence) and was ordered to pay prosecution costs amounting to £500 and a victim surcharge of £30.

Prosecution 3 –
A former nursing auxiliary at the Royal Gwent Hospital in Newport was fined £232 for offences under Section 55 of the Data Protection Act 1998.  She was also ordered to pay prosecution costs of £150 and a victim surcharge of £30.  The Defendant had unlawfully accessed the records of a patient who was also her neighbour

Alistair Sloan

If you require advice and assistance in connection with any of the issues above, or any other Information Law matter, please do contact Alistair on 0345 450 0123 or by completing the form on the contact page of this blog.  Alternatively, you can send him an E-mail directly.