ICO monetary penalties
Published 1 January 2016
What does this cover?
To view any of the Monetary Penalty notices discussed below, please click here.
Hutchison 3G UK Ltd (H3G)
H3G received a £1,000 fixed penalty notice in October (subsequently reported by the ICO) after the ICO found that the company had breached data breach reporting requirements under PECR to the statutory prescribed timescales on three occassions in July 2015. As a telecommunication provider H3G has compulsory security breach reporting obligations.
H3G reported the three data breach incidents to which the penalty relates, to the ICO in August. The breaches were logged by H3G as follows:
- Agent failed to adhere to password policy and allowed a fraudster with access to customer data to manipulate a security alert on customer account;
- SIM Swap issue - customer A's SIM was sent to customer B. Error resulted in calls being transferred to customer B. Matter escalated and rectified immediately;
- Breach in social media where agent accidently emailed response for customer A to customer B. Limited personal data incl (name and email address).
The reports fell outside the 24 hour time limit required for ICO notification and the ICO did not entertain H3G's argument that the delay was as a result of limited resourcing.
Telegraph Media Group (the Telegraph)
The ICO issued a fine of £30,000 to the Telegraph for breaches of the marketing provisions in PECR.
The Telegraph sent "hundreds of thousands of emails on the day of the general election urging readers to vote Conservative." The act constituted a breach of the provisions under the PECR, which prohibits unsolicited communications by email for the purposes of direct marketing. Subscribers had signed up to receive a daily e-bulletin, but the ICO ruled that consent did not cover political campaigning.
Bloomsbury Patient Network (BPN)
BPN was fined £250 for a breach of security under the DPA after it inadvertently disclosed the email addresses of 200 HIV patients through an electronic mailing error. The nature of email addresses meant that the full and partial names of at least 56 people were revealed in the mailing, which should have been sent with the patient names in the 'bcc' field but instead saw the names set out in the 'to' field.
Whilst the findings detailed in the monetary penalty notice described the incident as having a "cumulative impact" which "would clearly pass the threshold of substantial”, the ICO considered mitigating factors when determining the size of the penalty, which included BPN's cooperation with the ICO, its apology to those affected and substantial remedial action taken.
What action could be taken to manage risks that may arise from this development?
Telecom companies and information service providers currently subject to compulsory breach notification should take note of the fine against H3G. This is also a sign of things to come for all organisations when compulsory breach notification comes in under the GDPR. Organisations should review and ensure their data breach reporting policies and procedures are robust and followed practice.