Data Protection/Privacy Enforcement: May 2018

May saw the long awaited General Data Protection Regulation coming into force, but it will be a while yet before we begin to see regulatory enforcement action taken under the GDPR and the associated Data Protection Act 2018 being taken. In May there was, as is normal, a steady stream of enforcement action against data controllers published by the Information Commissioner’s Office. It is once again time to take our monthly look at what breaches the Commissioner has taken enforcement action in relation to and what data controllers and their staff can learn from it.

Key Points

  • This is a frequent message of these monthly reviews, but it is important to ensure that you screen telephone numbers you are intending to call as part of a marketing campaign against the list maintained by the Telephone Preference Service. If you have, and can demonstrate that you have, consent to do so; you can call a number that is listed with the Telephone Preference Service.
  • When undertaking direct marketing by telephone you must identify the caller; if you are making the call on behalf of a third party then you must also identify the third party. It is not permissible to hide, obscure or refuse to provide the identity of the caller or their principal.
  • If you are obtaining personal data from a third party organisation for the purposes of direct marketing, you should ensure that you conduct your own due diligence checks to ensure that the appropriate consents are in fact in place.
  • When drafting privacy notices, when setting out to who you will be passing personal data onto for the purposes of direct marketing you need to be fairly specific. It is not sufficient to simply put “selected partners” or phrases that are similarly generic.
  • When sending personal data or sensitive personal data, even to other sites within your own company, it is important to ensure that you have in place adequate technical and organisational measures. Encrypting CDs and memory sticks is easy and cheap to do and therefore should be done whenever sending personal data outside the organisation on such media.
  • You should ensure that when updating the security of your websites and servers that you look at all aspects of your website and severs, including microsites and sub-domains, to ensure that you are taking appropriate precautions to secure the websites and servers.
  • When storing personal data offsite you should ensure that you take steps to keep that personal data safe and secure; off-site storage may not be visited as regularly by staff as your on-site storage and so this should be taken into consideration. When vacating a premises it is important to ensure that you systematically check the premises to ensure that all personal data has been removed from the site – you should be able to evidence your plan and that it was followed.
  • If you’re processing personal data within the European Union which concerns a data subject resident oustide of the European Union then you may be required to comply with a subject access request received from teh data subject.

Enforcement action published in May 2018

IAG Nationwide Limited
IAG Nationwide Limited was served with both an Enforcement Notice [pdf] and a Monetary Penalty Notice in the amount of £100,000. [pdf] IAG Nationwide Limited is an advertising/marketing agency. IAG Nationwide Limited made telephone calls to numbers which were listed with the Telephone Preference Service (TPS) and continued to make such calls even after complaints had been raised with the TPS.  This was a contravention of Regulation 21 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). IAG Nationwide Limited also failed to properly identify itself to those who it called which was a contravention of Regulation 24 of PECR. Indeed, when the Commissioner’s staff contacted the company by telephone they refused to provide its address and only provided an E-mail address which was unregistered and available for sale.

Costelloe and Kelly Limited
Costelloe and Kelly Limited were served a Monetary Penalty Notice in the amount of £19,000 [pdf] after it undertook a direct marketing campaign by text message in a way that contravened Regulation 22 of PECR. The company instigated the transmission of approximately 283,500 test messages promoting products without having in place proper consent to do so. The company had relied upon a list supplied to it by a data provider which said that it had obtained consent for the purposes of direct marketing by text messages. Cotselloe and Kelly Limited conducted little or no due diligence itself to ensure appropriate consent. The consent obtained by its data provider was insufficient as it referred only to providing details to its “partners” and other generic descriptions when getting people to “opt-in”.

SCL Elections Limited
SCL Elections Limited was served with an Enforcement Notice requiring it to comply with a Subject Access Request made to it by a data subject [pdf]. SCL Elections Limited provided some information, for and on behalf of Cambridge Analytica. The data subject was not satisfied with the response and made a request for assessment to the Commissioner. In response, SCL Elections Limited asserted that the data subject had no right to make a subject access request nor a request for assessment to the commissioner as the data subject was a US rather than a UK citizen. The Commissioner disagreed and found that SCL Elections had not fully complied with its obligations.

Crown Prosecution Service
The Crown Prosecution Service (CPS) was served with its second Monetary Penalty Notice for a failure to comply with the seventh data protection principle [pdf]. In November 2016 the CPS received from Surrey Police 15 unencrypted DVDs from Surrey Police. The DCDs contained interviews with alleged victims of child sexual abuse. The DVDs received by the CPS were copies; the originals being maintained by Surrey Police. The DVDs were sent by tracked DX delivery to another CPS office to be examined by specialists and were noted to have been delivered before 7 in the morning. The DVDs were likely to have been left in a reception area where individuals not employed by the CPS could have had access to the package. The CPS could not locate the packages. They therefore did not have in place adequate technical and organisational measures.

The University of Greenwich
The University of Greenwich was served a monetary penalty notice in the amount of £120,000 [pdf] after a breach of security resulted in the personal data of approximately 19,500 individuals being extracted by an authorised attacker. The personal data included sensitive personal data in relation to 3,500 individuals. The attacker posted the personal data on a third party website. The commissioner found that the university had failed to have in place adequate technical and organisational measures to ensure that, so far as was possible, the security breach which occurred did not happen and thus contravened the seventh data protection principle.

Bayswater Medical Centre
Bayswater Medical Centre was served a monetary penalty notice in the amount of £35,000 [pdf] after it left sensitive personal data in an empty premises. The practice had operated from two sites, but merged down to one retaining the second as a storage facility. Another GP practice sought to take over the lease and the Bayswater Medical Centre provided the second GP practice with a set of keys. On numerous occasions the second practice notified Bayswater medical Centre of the presence of the medical centres patient records which were unsecured. Bayswater Medical Centre did nothing to rectify the situation, including failing to remove the records from the premises when the new practice requested them to uplift the records. The Commissioner found that the Medical Centre had failed to comply with the requirements of the seventh data protection principle.

A limited company and its director have been prosecuted by the Information Commissioner’s Office for failing to comply with an Information Notice. The Information notices were issued in October 2017 and both failed to respond to the notices. The company was fined £1,000 and ordered to pay a £100 victim surcharge while the director was fined £325 and ordered to pay a victim surcharge of £32. The director was also ordered to pay £364.08 in prosecution costs.

A former recruitment consultant was successfully prosecuted by the Information Commissioner’s Office after he illegally obtained personal data. The defendant set up his own recruitment consultancy and left his former employer’s employment. When he left the defendant took 272 CVs from his former employers’ database without consent. He admitted an offence of unlawfully obtaining personal data under section 55 of the Data Protection Act 1998.  He was fined £355 and ordered to pay £35 victim surcharge and £700 prosecution costs by Exeter Magistrate’s Court.

Alistair Sloan

If you require advice and assistance in connection with any of the data protection/privacy issues above, or any other Information Law matter, please do contact Alistair Sloan on 0141 229 0880 or by sending him an E-mail directly.  You can also follow our dedicated information law twitter account.