Monthly Archives: October 2017

Data Protection/Privacy Enforcement: September 2017

Following on from last month’s post looking at the Data Protection/Privacy Enforcement taken in August 2017, it is now time to review what data protection/privacy enforcement the ICO publicised during September 2017.

Key Points

The key points from the enforcement action publicised by the ICO during the course of September are:

  • Ensure that where your organisation undertakes direct marketing by telephone, you do not make calls to numbers which are listed on the Telephone Preference Service; unless you have been given consent to make such calls.
  • Before you engage in a marketing campaign by making automated telephone calls, ensure that you have consent from the subscribers to the numbers that you intend to call, whether the numbers are registered with the telephone Preference Service or not.
  • Generally you require the consent of the recipient before you can send marketing materials by electronic means (including text messages and E-mail).
  • It is important that all employees (including agency and temporary staff) have an adequate level of data protection training for their job role and that there is in place ongoing refresher training on a regular basis.
  • If you are an employee and have access to personal data as part of your job role, do not make use of that access for any purposes not required as part of your employment; including for personal purposes.  Also, don’t forward personal data to your personal E-mail, for any reason, unless your employer has agreed to it first.

Enforcement Action published by ICO in August 2017

True Telecom Limited

True Telecom Limited were served with a Monetary Penalty Notice [pdf] in the amount of £85,000 and an Enforcement Notice [pdf] after the Commissioner had found that True Telecom was responsible for 201 unsolicited telephone calls for the purposes of direct marketing made to numbers registered with the Telephone Preference Service, contrary to the requirements of the Privacy and Electronic Communications (EC Directive) Regulations 2003.

Cab Guru Limited

Cab Guru Limited were served with a Monetary Penalty Notice [pdf] in the amount of £45,000 after the Commissioner found that it had instigated the transmission of more than 350,000 text messages for the purposes of direct marketing without having the consent of the intended recipient to do so, contrary to the requirements of the Privacy and Electronic Communications (EC Directive) Regulations 2003.

Your Money Rights Limited

Your Money Rights Limited were served with a Monetary Penalty Notice [pdf] in the amount of £350,000 after the Commissioner found that it had instigated more than 146,000,000 automated marketing calls without having the consent of the subscribers to the number(s), contrary to the requirements of the Privacy and Electronic Communications (EC Directive) Regulations 2003.

Easy Leads Limited

Easy Leads Limited were served with a Monetary Penalty Notice [pdf] in the amount of £208,000 and an Enforcement Notice [pdf] after the Commissioner found that the company had instigated more than 16,500,000 automated marketing telephone calls without having the consent of the subscribers to the numbers, contrary to the requirements of the Privacy and Electronic Communications (EC Directive) Regulations 2003.

Dyfed Powys Police

The Chief Constable of Dyfed Powys Police signed an undertaking [pdf] to ensure compliance with the seventh data protection principle after a number of breach incidents occurred which highlighted that many of the force’s police officers had received no data protection training and that there was no refresher training in place either.  The Commissioner did not take formal enforcement action against Dyfed Powys Police on the basis of remedial actions which had already been taken by the controller.

Prosecutions

A former employee of The University Hospitals of North Midlands NHS Trust was prosecuted at North Staffordshire Magistrates’ Court for an offence under Section 55 of the Data Protection Act 1998. The former employee accessed the sensitive medical records of colleagues as well as people she knew that lived in her locality, without the consent of the data controller. The defendant entered a plea of guilty and was fined £700, ordered to pay costs of £364.08 and a Victim Surcharge in the amount of £70.

A former employee of Leicester City Council was convicted of an offence under Section 55 of the Data Protection Act 1998 at Nuneaton Magistrates’ Court after he unlawfully obtained personal data.  The defendant emailed personal data relating to 349 individuals, which included sensitive personal data of service users of the Adult Social Care Department, to his personal email address without his employers’ consent.  He was fined £160, ordered to pay £364.08 prosecution costs and a victim surcharge in the amount of £20.

Alistair Sloan

If you require advice and assistance in connection with any of the issues above, or any other Information Law matter, please do contact Alistair on 0345 450 0123 or by completing the form on the contact page of this blog.  Alternatively, you can send me an E-mail directly.

Ireland: High Court to refer Privacy Shield to the Court of Justice of the European Union

One of the primary requirements of the European Data Protection Framework is that personal data of European citizens must not be transferred to a country which is outside of the European Economic Area unless the country to which the personal data is to be transferred “ensures an adequate level of protection”; this is provided for within Article 25 of the 1995 Data Protection Directive and is given effect to in the UK in the form of the eighth data protection principle in Schedule 1 to the Data Protection Act 1998.

The United States of America has, for some time, been a somewhat contentious destination for personal data of European citizens.  The European Commission and the United States Government sought to assist the flow of personal data between the EU and the US through a scheme called “Safe Harbour”.  This scheme was challenged and in 2015 the Court of Justice of the European Union held that the European Commission’s decision in respect of the “safe harbour” scheme was invalid.

The Court of Justice’s decision on safe harbour came following a request for a preliminary ruling by the Irish High Court.  This followed a complaint to the Irish Data Protection Commissioner by an Austrian citizen, Max Schrems, in respect of Facebook.  Under Facebook’s terms and conditions all of its users in Europe have a relationship with ‘Facebook Ireland’ and as such, it falls to the Irish Data Protection Commissioner to regulate the use of personal data by Facebook.

Following that decision the European Commission and the US negotiated a new scheme, known as “Privacy Shield”.   There has been much debate about whether privacy shield is itself adequate and a challenge, also by Max Schrems, is underway.  The Irish Data Protection Commissioner sought from the Irish High Court a reference to the Court of Justice of the European Union and today the Irish High Court has agreed to make the reference.

The Irish Data Protection Commissioner has, the court decided, identified a number of “well founded concerns” and that the introduction of the Privacy Shield Ombudsman mechanism does not “eliminate” those concerns.

Although this is an Irish case, the outcome of a decision from the Court of Justice of of the European Union could have profound consequences for data controller’s right across the European Union.  In the event that the Court invalidates the privacy shield agreement, data controllers who are reliant upon it will find themselves in a situation where their compliance with data protection laws will be in doubt.

The exact questions which will be referred to the Court of Justice of the European Union by the Irish High Court are yet to be determined and the judge in the case will be addressed by parties on this issue in due course.

This is certainly a case that data controllers (and indeed data subjects) should keep a close eye on.  Data controllers who transfer personal data from the EU to the United States of America should think about reviewing their transfers and assessing whether they would continue to be permitted, within the context of the EU data protection framework, in the event that privacy shield is invalidated by the Court of Justice of the European Union in due course.

Alistair Sloan

If you would like advice or assistance on a data protection/privacy matter, or any other information law matter, then you can contact Alistair Sloan on 0345 0345 450 0123.  Alternatively, you can send him an E-mail.