ICO enforcement action over the last month
Published 19 April 2016
ICO enforcement action in March continued to focus on nuisance calls, staff training and responding to subject access requests on time, with a criminal prosecution for failing to notify the ICO of a CCTV system thrown in for good measure.
CRACKDOWN ON NUISANCE CALLS CONTINUES
February saw the ICO's largest ever fine, £350,000, issued against nuisance call company Prodial Ltd, and the ICO's monetary penalties in March continued to focus on unsolicited marketing, with five fines issued. In order of fine amount, these were:
1. £180,000 issued against Glasgow boiler firm FEP Heatcare Ltd ("FEP") for automated marketing calls;
2. £175,000 issued against Falcon & Pointer Limited ("Falcon") for automated calls despite its licence revocation by the Claims Management Regulator;
3. £50,000 issued against Direct Choice Home Improvements Limited ("Direct Choice") for calls to Telephone Preference Service ("TPS") registered members of the public;
4. £20,000 issued against Advice Direct Limited ("Advice Direct"), a company which used a false local number to make claims marketing calls; and
5. £5,000 to David Lammy MP for campaign call marketing.
Most of the fines arose from breaches of regulation 19 of PECR. This prohibits instigating or making recorded message marketing calls using an 'automated calling system' unless the individual receiving the call has previously notified the caller that they are willing to accept such calls from them.
In total FEP was found to have made 2,692,217 automated marketing calls (nearly 2.7 million) during the short period between April and July 2015. As well as breaching regulation 19 of PECR, FEP failed to supply call recipients with the caller's name, address and/or a free-phone contact telephone number, in breach of regulation 24 of PECR.
The large fine issued to FEP is a good example of how the ICO weighs aggravating and mitigating factors when setting the level of a penalty, as set out in the ICO's monetary penalty guidance. Aggravating factors contributing to the large fine against FEP include the fact that FEP continued to contravene PECR despite a previous ICO warning, and the sheer volume of calls it made (compare the fine of similar value levied against Falcon, discussed below, for a correspondingly large number of calls).
Falcon, which fell foul of regulations 19 and 24, argued that the calls were actually made on its behalf by a third-party vendor, which Falcon claimed had agreed that the data it was using was "opt in and / or TPS checked". This argument did not save Falcon from ICO action because, as the penalty notice records, Falcon provided no evidence to substantiate its claim. It would be interesting to see how the ICO might have dealt with Falcon if evidence had been provided.
We note that the ICO would still have power to penalise a company that 'knew, or ought to have known' that its third-party marketing agency was at risk of contravening PECR and nevertheless failed to take reasonable steps to prevent the breach. On the other hand, the ICO's monetary penalty guidance indicates that non-compliant PECR marketing activity outside the control and knowledge of the engaging company may reduce the level of any monetary penalty imposed.
Advice Direct and Direct Choice received fines for breaches of regulation 21 of PECR. This specifically prohibits making unsolicited marketing calls to people registered with the TPS. A company wishing to make legitimate marketing calls to such people should first obtain their consent. Direct Choice, which specialises in home improvement installations, nevertheless made 168 unsolicited calls to TPS subscribers, and the TPS received 160 complaints about Advice Direct, a business involved in claims lead generation.
The fine against David Lammy MP resulted from his London mayoral candidacy campaign, which involved 25,629 automated calls playing a pre-recorded message to members of the public. Although this fine is much smaller than those discussed above, it still shows the ICO's willingness to take action even where the activity is perpetrated by an individual rather than a company.
Organisations should ensure that automated call campaigns are undertaken in compliance with PECR, for example by: (i) screening numbers against the TPS; (ii) keeping to business hours; (iii) documenting agreements with marketing vendors; and (iv) keeping track of any marketing vendor's calling activity.
To access the ICO monetary penalty notices issued this month please click here.
We continue to see a focus from the ICO on the adequacy, frequency and monitoring of staff training in areas of work involving data handling. The undertaking signed by South Eastern Health & Social Care Trust ("Trust") followed the discovery that a locum doctor had removed a significant quantity of sensitive personal documentation from the Trust, and a separate incident in which an employee attempted to email highly confidential information to her personal email account. It exemplifies the need for organisations not only to put appropriate policies in place to regulate employee adherence to data protection principles, but also to keep those policies at the forefront of employee practice by implementing regular training and refresher training at appropriate intervals. In addition, the ICO places emphasis on making sure that staff receiving training include those who are temporarily engaged and who might handle data, such as agency staff and third-party contractors.
Organisations should ensure that adequate staff training takes place at regular intervals for staff involved in the handling of data (including for those temporarily employed or engaged).
To see the undertaking against the Trust please click here.
SUBJECT ACCESS REQUESTS AND CORRECT REGISTRATIONS STILL A PRIORITY FOR THE ICO
Enforcement action for failure to respond to SARs
March also saw enforcement action taken by the ICO against M I Wealth Management Ltd and Wainwrights Estate Agents Limited for failing to respond to subject access requests ("SARs"). Enforcement action for failure to respond to SARs is something we have not seen in a while. The failures breach section 7 of the DPA and contravene the sixth data protection principle, which requires that "Personal data shall be processed in accordance with the rights of data subjects under this Act". For the organisations to have received an enforcement notice, we can only assume that they responded neither to the requests nor to the ICO's standard initial letters requesting compliance.
Organisations should keep their staff briefed on the organisation's responsibility to reply appropriately and promptly to SARs.
Criminal Prosecution for Failure to Notify
Finally, the ICO is continuing to take action against companies that fail to notify. I&K Prestige Food Limited (T/A Stokrotka) ("I&K") pleaded guilty at Reading Magistrates' Court to the section 17 DPA offence of non-notification and was fined £200. Under the DPA, organisations that intend to process personal data are required to notify (register with) the ICO, subject to certain limited exemptions. In this case I&K operated CCTV at its deli premises, which did require notification. Whilst the notification requirement is to be removed under the GDPR, organisations should still take care to comply with the current notification requirements under the DPA whilst it remains in force.
Organisations should ensure they have notified the ICO of their data processing activities (including the use of CCTV) unless an exemption applies.
To see the enforcement action taken by the ICO this month, please click here.
Submitted by Ita Thomas, Solicitor