ICO Undertakings - April 2015
Published 28 April 2015
Office Holdings Ltd
On 24 April 2015, Office Holdings Ltd received a follow-up assessment undertaken by the ICO. The assessment sought to evaluate whether the company had adequately addressed certain actions agreed in the undertaking it had signed on 13 January 2015.
The January undertaking arose after Office's historic database, which contained consumer personal information, was hacked in May 2014.
Whilst Office confirmed a number of steps taken since the undertaking (including new data protection training, the introduction of a data protection policy and a document retention policy), the ICO report noted that "the retention period for the Customer Relationship Marketing Database is five years, or as long as customer is 'Active'. Five years may be too long a retention period for this type of information, and consequently represent a potential risk. Office might want to keep this under review".
The Racing Post
As reported by the ICO on 20 April 2015, the Racing Post received a follow-up assessment undertaken by the ICO. The assessment sought to evaluate whether the company had adequately addressed certain actions agreed in the undertaking it had signed on 20 August 2014.
The August undertaking arose after the Racing Post was subject to an online attack which allowed the hacker to obtain access to the Post's consumer database. Details accessible included consumer names, addresses, dates of birth and passwords. It was found that, whilst the Racing Post had consulted experts in the development of its online security, its security systems were not updated adequately.
In the follow-up, it was confirmed that the Racing Post had improved its security with steps that included the setup of an information security risk register.
The ICO commented that "The review demonstrated that the Racing Post has taken appropriate steps and put plans in place to address the requirements of the undertaking and to mitigate the risks highlighted; however, the majority of these policies and procedures are still in their infancy and will require the Racing Post to monitor them over time to ensure they become fully embedded into the working practices of the organisation".
UCAS
The ICO has requested an undertaking from UCAS in relation to its breach of PECR when it signed up young people, who were aiming to enrol onto educational courses via the service, to receive commercial product and services adverts.
The breach came to light following a Guardian story in March 2014 which questioned the validity of the consent given to receive the advertisements. The ICO press release states:
"The form only allowed applicants to opt out of receiving marketing from commercial companies if they un-ticked three boxes covering marketing emails, post and text messages. The wording of the opt out also meant that un-ticking these boxes would result in the applicant not receiving information about career opportunities and education providers or health information.
"The ICO has ruled that this approach meant applicants felt obliged to let UCAS use their information for commercial purposes, otherwise they’d potentially miss out on important information about their career or education. This breaches the Data Protection Act, which requires personal information to be processed fairly, and the Privacy and Electronic Communications Regulations, which govern electronic marketing and require consent to be given freely and for a specific purpose."
View the ICO press release.
What action could be taken to manage risks that may arise from this development?
The Office Holdings undertaking is a further indication that the ICO is looking at data retention policies and practices in more detail. Companies should keep their data retention policies and practices under review.
As noted in the investigation of the Racing Post, it is not enough to have the most effective IT security systems implemented if they are not adequately maintained and kept up to date. Companies should continue to ensure that their own IT systems are regularly updated and safeguarded against online risks.