It has been a busy start to the year for the Information Commissioner’s Office (ICO). The start of 2018 also saw the highest ever sentences imposed on those in breach of Data Protection and Privacy laws in the United Kingdom. It is time to have a closer look at the Data Protection and Privacy Enforcement action published by the ICO during January 2018 as part of our regular monthly review. You can read our review of the privacy and data protection enforcement from December 2017 here.
- If you have access to personal data as part of your employment, ensure that you only access it where there is a genuine professional need for you to do so; even if the reason you are looking for information could be considered harmless.
- As far as the Information Commissioner is concerned, ‘ignorance is not bliss’; Data Controllers must have adequate and up to date procedures, technology and policies in place to ensure that they are not in breach of any data protection laws or regulations.
- Organisations can’t generally send advertising or marketing emails unless the recipient has informed the sender that they consent to such emails being sent by, or at the instigation of, that sender. Any consent must be freely given, explicit and informed but also involve a positive indication signifying the individual’s agreement. In order for consent to be informed by an individual, the individual must know exactly what it is they are consenting to (for more information see Alistair Sloan’s blog post PECR: The forgotten relative).
- Failure to notify the Information Commissioner of any personal data breach in accordance with the Notification Regulations will not be tolerated. If it has come to your attention that there has been a breach, you must come clean and put your hands up. A much wider requirement to notify the ICO of personal data breaches becomes applicable with the GDPR later this year, for more on that see our blog post on Personal Data Breaches under the GDPR.
- It goes without saying that meticulous attention to detail must be taken when you are sending any correspondence containing personal data; you must ensure that it is sent to the correct person.
Enforcement action published by the ICO in January 2018
The Carphone Warehouse Ltd
The Carphone Warehouse Ltd was served with a Monetary Penalty Notice in the sum of £400,000 after serious failures and inadequate software placed customer and employee data at risk.
Newday Ltd
Newday Ltd were served a Monetary Penalty Notice in the sum of £230,000 after approximately 48,096,988 emails were sent to individuals who had not consented to receive marketing, contrary to regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003. The Commissioner decided that the consent relied on by Newday Limited was not sufficiently informed and therefore it did not amount to valid consent.
TFLI Ltd
TFLI Ltd received a Monetary Penalty Notice of £80,000. This penalty was also in relation to contravention of regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003. TFLI Limited sent approximately 1,218,436 unsolicited marketing texts promoting a loan website.
Barrington Claims Ltd
Barrington Claims Ltd were issued a Monetary Penalty Notice in the sum of £250,000 after they failed to ensure automated marketing calls were made only to individuals who had consented to receive them. The Commissioner decided to issue a Monetary Penalty under section 55A of the Data Protection Act 1998, in relation to contravention of regulations 19 and 24 of the Privacy and Electronic Communications (EC Directive) Regulations 2003. The company was unable to provide evidence that it had the consent of the individuals to whom it had instigated the calls.
Goody Market UK Ltd
Goody Market UK Ltd were issued a Monetary Penalty Notice in the sum of £40,000 after they failed to ensure that text messages containing marketing material were only sent to individuals who had consented to receive them. They were also served an Enforcement Notice. The texts were sent on the basis of data sourced from a third party, and purchased on behalf of Goody Market UK Ltd by a data broker. Goody Market UK Ltd were unable to provide the Commissioner with any evidence that the recipients consented to the marketing messages, having relied on verbal assurance from the data broker. The Commissioner found that Goody Market UK Ltd had contravened Regulation 22 of PECR.
West Midlands Police
West Midlands Police have signed an Undertaking to comply with the Data Protection Act after the Information Commissioner was informed that a data breach had occurred in relation to a Criminal Behaviour Order. The order was imposed on two individuals, but in a leaflet distributed to publicise the order, the names of the witnesses were revealed.
Miss-sold Products UK Ltd
Miss-sold Products UK Ltd were served a Monetary Penalty Notice in the sum of £350,000 after they failed to ensure that marketing calls were only made to individuals who had consented to receive marketing. The penalty was in relation to contravention of Regulation 19 of the Privacy and Electronic Communications (EC Directive) Regulations 2003.
SSE Energy Supply Ltd
SSE Energy Supply Ltd was issued a Monetary Penalty Notice of £1,000 after they sent an email to an individual in error. The penalty was issued because of contravention of Regulation 5A of the Privacy and Electronic Communications (EC Directive) Regulations 2003. This Regulation requires that a provider of a public electronic communications service must notify the Information Commissioner of a personal data breach without undue delay. SSE Energy Supply Ltd sent an email to the wrong email address, disclosing the name of a customer and their account number. After they became aware of the breach, SSE Energy Supply Limited did not follow its policies and procedures that were in place and as a consequence there was a delay in reporting the personal data breach to the Information Commissioner.
There were a number of successful prosecutions reported by the ICO during January 2018:
- An investigation by the ICO, which began in 2013, resulted in record fines for Woodgate and Clark Ltd, the company director and private investigators who were involved in the illegal trade of personal information. A claim had been made on an insurance policy in relation to a fire at business premises which the claimant owned. Private investigators unlawfully obtained confidential financial information and disclosed it to Woodgate and Clark Ltd, which then disclosed it to an insurer client. The defendants were all prosecuted under s55 of the Data Protection Act 1998. Woodgate and Clark Ltd were fined £50,000 in addition to being ordered to pay £20,000 in costs. The company director was fined £75,000 and was ordered to pay £20,000 in costs; while both private investigators were fined £10,000 and ordered to pay £2,500 in costs.
- A director of an accident claims company invented a car crash so that he could trace and get in touch with the owner of a private number plate he wanted to buy. He was prosecuted at Bristol Magistrates’ Court for a breach of S55 of the Data Protection Act 1998 for the offence of unlawfully obtaining personal data. He was convicted and received a fine of £335.00. The defendant was also ordered to pay prosecution costs of £364.08 and a victim surcharge of £33.00.
- An individual was charged with two offences of unlawfully disclosing personal data. The defendant had come into possession of a USB stick and published sensitive police information from it on Twitter. He was sentenced to a 12 month conditional discharge, in part because he had been placed on stringent bail conditions, including wearing an electronic tag, before the hearing. He had to pay £150 in costs and a £15 victim surcharge.
If you require advice and assistance in connection with any of the issues above, or any other Information Law matter, please do contact Alistair Sloan on 0345 450 0123 or by completing the form on the contact page of this blog. Alternatively, you can send him an E-mail directly.