Continuing the regular monthly look at Data Protection and Privacy enforcement taken by the Information Commissioner, this blog post reviews the enforcement action published during October 2017.
Key Points
- When seeking consent for the purposes of direct marketing, be clear and precise in the language that you use.
- When buying-in lists of contact details for the purpose of Direct Marketing you are responsible for ensuring that the there is valid consent in place so carry out your own due-diligence.
- You are responsible for the direct marketing calls made by your agent as you are the instigator of the calls
- If you have access to personal data as part of your job, do not access it unless you have a valid reason to do so in connection with your employment.
Enforcement Action published by ICO in October 2017
Xerpla Limited
Xerpla Limited was served with a Monetary Penalty Notice [pdf] in the amount of £50,000 after the Information Commissioner found that they had sent more than 1 million unsolicited direct marketing communications by electronic mail. The Information Commissioner considered that Xerpla was not clear or specific enough about who subscribers were agreeing to receive marketing from.
Vanquis Bank Limited
Vanquis Bank Limited were served with an Monetary Penalty Notice [pdf] in the amount of £75,00 and an Enforcement Notice [pdf] after the Information Commissioner found that they had sent text messages and E-mails marketing credit cards without consent.
The Lead Experts Limited
The Lead Experts Limited were served with a Monetary Penalty Notice [pdf] in the amount of £70,000 and an Enforcement Notice [pdf] after the Information Commissioner found that they had instigated automated marketing calls to telephone subscribers without the subscriber’s consent.
Prosecutions
A former employee of Kent and Medway NHS and Social Care Partnership Trust was fined £300, ordered to pay prosecution costs of £364.08 and a victim surcharge of £30 after pleading guilty to an offence under the Data Protection Act 1998. The defendant had accessed the health records of a single patient 279 times over a three-week period in October and November 2015, viewing the files up to 50 times in a day. The patient was known to the defendant, but she had no valid lawful reason to access the records and did so without her employer’s consent.
If you require advice and assistance in connection with any of the issues above, or any other Information Law matter, please do contact Alistair on 0345 450 0123 or by completing the form on the contact page of this blog. Alternatively, you can send me an E-mail directly.