Published On: 19 April 2016
ICO enforcement action in March continued to focus on nuisance calls, staff training and responding to subject access requests on time, with a criminal prosecution for failing to notify the ICO of a CCTV system thrown in for good measure.
CRACKDOWN ON NUISANCE CALLS CONTINUES
With February seeing the ICO issue its largest ever fine, of £350,000, against nuisance call company Prodial Ltd, the ICO's monetary penalties in March continued to focus on unsolicited marketing, with 5 fines issued. In order of fine amounts, these consisted of:
1. £180,000 issued against Glasgow boiler firm FEP Heatcare Ltd ("FEP") for automated marketing calls;
2. £175,000 issued against Falcon & Pointer Limited ("Falcon") for automated calls despite its licence revocation by the Claims Management Regulator;
3. £50,000 issued against Direct Choice Home Improvements Limited ("Direct Choice") for calls to Telephone Preference Service ("TPS") registered members of the public;
4. £20,000 issued against Advice Direct Limited ("Advice Direct"), a company which used a false local number to make claims marketing calls; and
5. £5,000 to David Lammy MP for campaign call marketing.
Most of the fines come from breaches of regulation 19 of PECR. This prohibits the prompting and making of recorded message marketing calls using an 'automated calling system' unless the individual receiving the call had previously notified the caller of their willingness to accept such calls from them.
In total FEP was found to have made around 2.6 million nuisance calls (including 2,692,217 automated marketing message recordings during the short period between April and July 2015). As well as a PECR regulation 19 breach, FEP was found to have failed to supply call recipients with caller names, addresses and/or any free-phone contact telephone number. This is in breach of regulation 24 of the PECR.
The large fine issued to FEP is a good example of how the ICO weighs aggravating and mitigating factors when setting the level of a penalty, as set out in the ICO's monetary penalty guidance. Aggravating factors contributing to the large fine against FEP include the fact that FEP continued to contravene PECR despite a previous ICO warning and the sheer volume of calls made by FEP (see the fine of similar value levied against Falcon (discussed below) for a correspondingly large number of calls).
Falcon, which fell foul of regulations 19 and 24, argued that the calls were actually carried out on its behalf by a third-party vendor, which Falcon claimed had agreed that the data it was using was “opt in and / or TPS checked”. However, this argument did not save Falcon from ICO action because, as indicated in the penalty notice, Falcon provided no evidence to substantiate its claim. It would be interesting to see how the ICO might have dealt with Falcon if evidence had been provided.
We note that the ICO would still have power to penalise a company which 'knew, or ought to have known' that its third party marketing agency was at risk of contravening the PECR and nevertheless failed to take reasonable steps to prevent the breach. On the other hand, the ICO's monetary penalty guidance indicates that non-compliant PECR marketing activity which is outside the control and knowledge of the engaging company may potentially lessen the value of a monetary penalty imposed.
Advice Direct and Direct Choice received fines relating to breaches of regulation 21 of PECR. This specifically prohibits the making of marketing calls to people signed up to the TPS. If a company wishes to make legitimate marketing calls to such people, it should first gain their consent. However, Direct Choice, which specialises in home improvement installations, made 168 unsolicited calls to TPS subscribers. The TPS received 160 complaints about Advice Direct, a business involved in claims lead generation.
The fine to David Lammy resulted from his London Mayoral candidate campaign, which involved the making of 25,629 automated calls. These calls played a pre-recorded message to members of the public. Although the fine against David Lammy MP is much smaller than those discussed above, it still shows a willingness of the ICO to take action even where the activity is perpetrated by an individual rather than a company.
Organisations should ensure that automated call campaigns are undertaken in compliance with PECR, for example: (i) by checking the TPS; (ii) keeping to business hours; (iii) documenting agreements between marketing vendors; and (iv) keeping track of any marketing vendor calling activity.
To access the ICO monetary penalty notices issued this month please click here.
We continue to see a focus from the ICO on adequacy, frequency and monitoring of staff training in areas of work involving data handling. This undertaking against South Eastern Health & Social Care Trust ("Trust") followed the discovery of a locum doctor's withdrawal from the Trust of a significant amount of sensitive personal documentation and a separate employee's attempt to email highly confidential information to her personal email account. It exemplifies the need for organisations to ensure that they not only put appropriate policies in place to regulate employee adherence to data protection principles, but also keep these policies at the forefront of employee practices by implementing regular training and refresher training at appropriate intervals. In addition, the ICO places emphasis on making sure that staff in receipt of training include those who are temporarily engaged and who might handle data, such as agency staff and third party contractors.
Organisations should ensure that adequate staff training takes place at regular intervals for staff involved in the handling of data (including for those temporarily employed or engaged).
To see the undertaking against the Trust please click here.
SUBJECT ACCESS REQUESTS AND CORRECT REGISTRATIONS STILL A PRIORITY FOR THE ICO
Enforcement action for failure to respond to SARs
March also saw enforcement action taken by the ICO against M I Wealth Management Ltd and Wainwrights Estate Agents Limited for a failure to respond to subject access requests ("SARs"). Enforcement action for failure to respond to SARs is something we have not seen in a while. The failures are in breach of section 7 of the DPA and contravene the 6th principle of the DPA which requires that "Personal data shall be processed in accordance with the rights of the data subject under the Act". For the organisations to have received an enforcement notice, we can only assume that the organisations did not respond to either the request or the ICO's standard initial letters requesting compliance.
Organisations should keep their staff briefed on the organisation's responsibility to reply appropriately and promptly to SARs.
Criminal Prosecution for Failure to Notify
Finally, the ICO is continuing to take action against companies who fail to notify the ICO. I&K Prestige Food Limited (T/A Stokrotka) ("I&K") pleaded guilty at Reading Magistrates' Court to the section 17 DPA offence of non-notification and has been fined £200. Under the DPA, organisations are required to register with the ICO if they intend to process personal data, subject to certain limited exemptions. In this case I&K operated CCTV at its deli premises, which did require registration with the ICO. Whilst notification requirements are to be removed under the GDPR, organisations should still be careful to comply with current notification requirements under the DPA whilst it remains in force.
Organisations should ensure they notify the ICO of any data processing activity (including the use of CCTV).
To see the enforcement action taken by the ICO this month, please click here.
Submitted by Ita Thomas, Solicitor