Tag Archives: Section 55 (DPA)

Data Protection/Privacy Enforcement: May 2018

May saw the long awaited General Data Protection Regulation coming into force, but it will be a while yet before we begin to see regulatory enforcement action taken under the GDPR and the associated Data Protection Act 2018 being taken. In May there was, as is normal, a steady stream of enforcement action against data controllers published by the Information Commissioner’s Office. It is once again time to take our monthly look at what breaches the Commissioner has taken enforcement action in relation to and what data controllers and their staff can learn from it.

Key Points

  • This is a frequent message of these monthly reviews, but it is important to ensure that you screen telephone numbers you are intending to call as part of a marketing campaign against the list maintained by the Telephone Preference Service. If you have, and can demonstrate that you have, consent to do so; you can call a number that is listed with the Telephone Preference Service.
  • When undertaking direct marketing by telephone you must identify the caller; if you are making the call on behalf of a third party then you must also identify the third party. It is not permissible to hide, obscure or refuse to provide the identity of the caller or their principal.
  • If you are obtaining personal data from a third party organisation for the purposes of direct marketing, you should ensure that you conduct your own due diligence checks to ensure that the appropriate consents are in fact in place.
  • When drafting privacy notices, when setting out to who you will be passing personal data onto for the purposes of direct marketing you need to be fairly specific. It is not sufficient to simply put “selected partners” or phrases that are similarly generic.
  • When sending personal data or sensitive personal data, even to other sites within your own company, it is important to ensure that you have in place adequate technical and organisational measures. Encrypting CDs and memory sticks is easy and cheap to do and therefore should be done whenever sending personal data outside the organisation on such media.
  • You should ensure that when updating the security of your websites and servers that you look at all aspects of your website and severs, including microsites and sub-domains, to ensure that you are taking appropriate precautions to secure the websites and servers.
  • When storing personal data offsite you should ensure that you take steps to keep that personal data safe and secure; off-site storage may not be visited as regularly by staff as your on-site storage and so this should be taken into consideration. When vacating a premises it is important to ensure that you systematically check the premises to ensure that all personal data has been removed from the site – you should be able to evidence your plan and that it was followed.
  • If you’re processing personal data within the European Union which concerns a data subject resident oustide of the European Union then you may be required to comply with a subject access request received from teh data subject.

Enforcement action published in May 2018

IAG Nationwide Limited
IAG Nationwide Limited was served with both an Enforcement Notice [pdf] and a Monetary Penalty Notice in the amount of £100,000. [pdf] IAG Nationwide Limited is an advertising/marketing agency. IAG Nationwide Limited made telephone calls to numbers which were listed with the Telephone Preference Service (TPS) and continued to make such calls even after complaints had been raised with the TPS.  This was a contravention of Regulation 21 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). IAG Nationwide Limited also failed to properly identify itself to those who it called which was a contravention of Regulation 24 of PECR. Indeed, when the Commissioner’s staff contacted the company by telephone they refused to provide its address and only provided an E-mail address which was unregistered and available for sale.

Costelloe and Kelly Limited
Costelloe and Kelly Limited were served a Monetary Penalty Notice in the amount of £19,000 [pdf] after it undertook a direct marketing campaign by text message in a way that contravened Regulation 22 of PECR. The company instigated the transmission of approximately 283,500 test messages promoting products without having in place proper consent to do so. The company had relied upon a list supplied to it by a data provider which said that it had obtained consent for the purposes of direct marketing by text messages. Cotselloe and Kelly Limited conducted little or no due diligence itself to ensure appropriate consent. The consent obtained by its data provider was insufficient as it referred only to providing details to its “partners” and other generic descriptions when getting people to “opt-in”.

SCL Elections Limited
SCL Elections Limited was served with an Enforcement Notice requiring it to comply with a Subject Access Request made to it by a data subject [pdf]. SCL Elections Limited provided some information, for and on behalf of Cambridge Analytica. The data subject was not satisfied with the response and made a request for assessment to the Commissioner. In response, SCL Elections Limited asserted that the data subject had no right to make a subject access request nor a request for assessment to the commissioner as the data subject was a US rather than a UK citizen. The Commissioner disagreed and found that SCL Elections had not fully complied with its obligations.

Crown Prosecution Service
The Crown Prosecution Service (CPS) was served with its second Monetary Penalty Notice for a failure to comply with the seventh data protection principle [pdf]. In November 2016 the CPS received from Surrey Police 15 unencrypted DVDs from Surrey Police. The DCDs contained interviews with alleged victims of child sexual abuse. The DVDs received by the CPS were copies; the originals being maintained by Surrey Police. The DVDs were sent by tracked DX delivery to another CPS office to be examined by specialists and were noted to have been delivered before 7 in the morning. The DVDs were likely to have been left in a reception area where individuals not employed by the CPS could have had access to the package. The CPS could not locate the packages. They therefore did not have in place adequate technical and organisational measures.

The University of Greenwich
The University of Greenwich was served a monetary penalty notice in the amount of £120,000 [pdf] after a breach of security resulted in the personal data of approximately 19,500 individuals being extracted by an authorised attacker. The personal data included sensitive personal data in relation to 3,500 individuals. The attacker posted the personal data on a third party website. The commissioner found that the university had failed to have in place adequate technical and organisational measures to ensure that, so far as was possible, the security breach which occurred did not happen and thus contravened the seventh data protection principle.

Bayswater Medical Centre
Bayswater Medical Centre was served a monetary penalty notice in the amount of £35,000 [pdf] after it left sensitive personal data in an empty premises. The practice had operated from two sites, but merged down to one retaining the second as a storage facility. Another GP practice sought to take over the lease and the Bayswater Medical Centre provided the second GP practice with a set of keys. On numerous occasions the second practice notified Bayswater medical Centre of the presence of the medical centres patient records which were unsecured. Bayswater Medical Centre did nothing to rectify the situation, including failing to remove the records from the premises when the new practice requested them to uplift the records. The Commissioner found that the Medical Centre had failed to comply with the requirements of the seventh data protection principle.

Prosecutions
A limited company and its director have been prosecuted by the Information Commissioner’s Office for failing to comply with an Information Notice. The Information notices were issued in October 2017 and both failed to respond to the notices. The company was fined £1,000 and ordered to pay a £100 victim surcharge while the director was fined £325 and ordered to pay a victim surcharge of £32. The director was also ordered to pay £364.08 in prosecution costs.

A former recruitment consultant was successfully prosecuted by the Information Commissioner’s Office after he illegally obtained personal data. The defendant set up his own recruitment consultancy and left his former employer’s employment. When he left the defendant took 272 CVs from his former employers’ database without consent. He admitted an offence of unlawfully obtaining personal data under section 55 of the Data Protection Act 1998.  He was fined £355 and ordered to pay £35 victim surcharge and £700 prosecution costs by Exeter Magistrate’s Court.

Alistair Sloan

If you require advice and assistance in connection with any of the data protection/privacy issues above, or any other Information Law matter, please do contact Alistair Sloan on 0141 229 0880 or by sending him an E-mail directly.  You can also follow our dedicated information law twitter account.

 

Data Protection/Privacy Enforcement: March 2018

Probably the most high profile piece of enforcement action taken by the Information Commissioner’s Office in March was its application for, and execution of, a warrant to enter and inspect the offices occupied by Cambridge Analytica as part of the Commissioner’s wider investigation into the use of personal data in politics.  It would seem that data protection warrants get more people excited about data protection than would ordinarily be the case. The Cambridge Analytica warrant was not the only warrant that the Commissioner obtained and executed in March; the Commissioner’s website also published details of a warrant that it executed in Clydebank (Glasgow).  This warrant was directed towards alleged breaches of the Privacy and Electronic Communications (EC Directive) Regulations 2003 which deal with, insofar as this blog is concerned with, the rules concerning direct marketing to individuals by electronic means.

Key Points

  • Care needs to be taken when looking at sharing personal data on a controller-to-controller basis with other companies, including separate companies within the same group of companies. Data controllers need to ensure that they identify what their lawful basis for processing is, provide adequate fair processing information to data subjects in relation to such sharing of personal data and ensure that any changes to their policy in respect of data-sharing do not result in that sharing being for a purpose that is incompatible with those stated at the time of collection.
  • If you, as an individual (whether or not you are yourself a data controller), unlawfully disclose personal data to third parties then you could be liable for prosecution.

Enforcement Action published by the ICO during March 2018

WhatsApp Inc.
An undertaking was given by WhatsApp Inc. In it, WhatsApp undertook not to do a number of things; including not transferring personal data concerning users within the EU to another Facebook-controlled company on a controller-to-controller basis until the General Data Protection Regulation becomes applicable on 25th May 2018.  The undertaking was given after WhatsApp introduced new terms and conditions and a new privacy policy which affected how it processed personal data held by it; in particular, how it would now share personal data with other Facebook-controlled companies.

Prosecutions
A former housing worker was convicted at St. Albans Crown Court after he shared a confidential report identifying a potential vulnerable victim. The defendant was convicted of three charges of unlawfully obtaining disclosing personal data contrary to section 55 of the Data Protection Act 1998.  He was fined £200 for each charge and was ordered to pay £3,500 in costs.

Alistair Sloan

Should you require advice or assistance about UK Data Protection and Privacy law then contact Alistair Sloan on 0141 229 0880.  You can also contact him by E-mail.  You can also follow our dedicated Twitter account covering all Information Law matters@UKInfoLaw

Data Protection, Facebook and Cambridge Analytica

We know that the Information Commissioner is investigating the circumstances surrounding the obtaining of personal data of a considerable number of individuals by Cambridge Analytica.  Cambridge Analytica is a data analytics company that is in the midst of what can only be described as a data protection and privacy scandal.

There are a number of significant allegations being made against Cambridge Analytica about how it obtains and processes personal data.  The Information Commissioner has also revealed that Cambridge Analytica is not cooperating with her investigation to the extent that she is going to apply for a warrant to enter and search their premises.  This means that, in all probability, the Commissioner has already sought access and it has been refused.  Schedule 9 to Data Protection Act 1998 sets out the Information Commissioner’s powers of entry and inspection; it permits the Commissioner to obtain a warrant from the court where the court is satisfied that a data controller has contravened or is contravening any of the data protection principles, or that an offence under this Act has been or is being committed, and that evidence of the contravention or of the commission of the offence is to be found on any premises specified.

This story is moving at quite a pace and is constantly changing with new revelations coming to light; it’s also the subject of an investigation by the Information Commissioner and there is the possibility that the company might face prosecution for offences under Section 55 of the Data Protection Act 1998 depending upon what the Commissioner finds during the course of her investigation.  I am therefore going to try and keep this blog post broad and theoretical rather than trample upon the toes of a live regulatory investigation.

A data controller has a duty to comply with the data protection principles in relation to all of the personal data for which they are the controller, subject to certain specified exemptions set out in statute.  The First data protection principle requires that personal data be “processed fairly and lawfully”; this requires the data controller to meet one or more of the conditions set out in Schedule 2 to the Data Protection Act 1998 (and, in respect of sensitive personal data, a condition in Schedule 3 also requires to be satisfied).

What can individuals do if they are concerned about whether Cambridge Analytica has any personal data concerning them and what they’ve been doing with it?  Data Subjects have a number of rights under the Data Protection Act 1998 and the cornerstone of those rights is the right of subject access.  This is currently given effect to in section 7 of the Data Protection Act 1998 and is not simply about getting copies of the personal data being processed by a data controller:  it consists of a whole suite or rights, of which getting a copy of the personal data is only one aspect.  Under the current law, data controllers are entitled to charge a fee up to a prescribed maximum for dealing with such requests; a request of this nature would attract a fee of £10, but many individuals might well think that this is a price worth paying to know if and how they have been affected by this issue.  Data Controllers have up to 40 days in which to comply with a subject access request.  Some key changes to the right of subject access will come into effect on 25th May 2018, but for now the law contained within the Data Protection Act 1998 is still applicable.

Once you have the response to your subject access request your rights do not end there; once you’ve established what a data controller is processing about you, what they’re doing with it and where they got it from there are a number of other steps that you might be able to take, such as requiring them to cease processing your personal data, complaining to the Information Commissioner or making a claim for compensation.

For data controllers, what is currently unfolding should be seen as an important lesson.  Data can be a useful tool to a business; whether it is being used for targeted marketing campaigns or to work out what consumers want from products and services in your market.  However, there are laws governing data protection and privacy and at the heart of those laws are the principles of fairness and transparency.  Controllers need to be careful as to how they obtain personal data, where they obtain it from, what they do with it and be certain that they have a lawful basis for processing that personal data in the ways that they want to do so; that may be because you have the consent of the data subject, because you have a legitimate interest in the processing or some other lawful ground for processing.  Don’t forget the Privacy and Electronic Communications (EC Directive) Regulations 2003 when conducting direct marketing by electronic means.

Simply because a person has made their personal data available, for example through social media, does not mean that is free to be used by whomever and for whatever they want.  The principles of the Data Protection Act 1998 still apply and the reputational damage that can be suffered may well vastly outweigh any regulatory action taken by the Information Commissioner or by data subjects themselves.

Alistair Sloan

If you are a data controller or an individual who is looking for advice and assistance with any aspect of data protection or privacy law, then you can contact Alistair Sloan on 0345 450 0123 or 0141 229 08800.  Alternatively, you can send him an E-mail.