Published 21 June 2016
In a mixed bag this month, we saw fines for insufficient marketing consents, inadvertent disclosures of personal data, and the age-old story that the ICO considers training in data protection a minimum requirement.
Opt-in marketing consents need to be very specific
Both companies (Check Point Claims Ltd and Better for the Country Ltd) purchased marketing lists to source their contacts, and both argued that the lists were made up of consenting individuals who had "opted in" (doubly "opted in" in the case of Better for the Country Ltd, which argued that individuals had given opt-in consent to the data supplier to receive both government and local government marketing).
The ICO found that the indirect/third-party consents were insufficient in both cases, as the consent was not 'clear' and 'specific' as to: (1) the nature of the information/marketing communications; and (2) the identity of the organisation which subsequently sent the communication.
Whilst the ICO has stated that "Indirect, or third party, consent can be valid", it is clear that for such consent to be valid for a purchaser of personal data, the data provider needs to meet a high threshold when initially obtaining the consent.
The Check Point Claims Ltd monetary penalty notice can be accessed here.
The Better for the Country Ltd monetary penalty notice can be accessed here.
To 'bcc' or not to 'bcc'
The importance of data protection by design and default has been exemplified in the monetary penalty action against Chelsea and Westminster Hospital NHS Foundation Trust ("Trust").
In this case the Trust addressed a September newsletter email regarding its HIV patient services to 781 email addressees (the majority of addresses contained the recipient's full name). Human error caused the email addresses to appear visibly in the "to" field of the email rather than the "bcc" field (which hides the other recipients' addresses).
The Trust were fined £180,000 for the breach, which contravened the 7th data protection principle ("Appropriate technical and organisational measures").
Organisations which send out multi-recipient emails, such as newsletters, should check with their email providers whether default mechanisms are available to prevent all recipients being identified in the address line of an email (such as a default "bcc / blind carbon copy" field appearing instead of the usual default "cc" or "to" fields), and whether data loss prevention software is available which recognises personal data leaving the organisation.
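As an added illustration (not part of the original article or any product it mentions), the following Python shows the two controls described above: a bulk-mail builder that always places subscribers in Bcc, and a gateway-style pre-send check that refuses a message exposing a recipient list in To/Cc. The threshold `MAX_VISIBLE_RECIPIENTS` and the addresses are assumed sample values.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Assumed policy value: at most this many addresses may be visible in To/Cc.
MAX_VISIBLE_RECIPIENTS = 1


def build_newsletter(sender, subject, body, recipients):
    """Build a bulk message with every subscriber in Bcc and only the sender in To.
    smtplib.send_message() strips the Bcc header before transmission, so the
    recipients never see each other's addresses."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender                  # visible field holds only the sender
    msg["Bcc"] = ", ".join(recipients)  # hidden from every other recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def visible_recipients(msg):
    """Return the addresses every recipient of the message will be able to see."""
    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return [addr for _, addr in getaddresses(headers) if addr]


def check_before_send(msg, max_visible=MAX_VISIBLE_RECIPIENTS):
    """Block a message that exposes a recipient list; returns (allowed, reason)."""
    visible = visible_recipients(msg)
    if len(visible) > max_visible:
        return False, f"{len(visible)} addresses exposed in To/Cc; move them to Bcc"
    return True, "ok"


def sample_exposed_message():
    """Constructed sample reproducing the error: subscribers placed in To."""
    msg = EmailMessage()
    msg["From"] = "clinic@example.org"
    msg["To"] = "alice@example.org, bob@example.org, carol@example.org"
    msg["Subject"] = "September newsletter"
    msg.set_content("constructed sample body")
    return msg
```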
Data breach response delays can aggravate an ICO fine
Blackpool Teaching Hospitals NHS Foundation Trust ("Trust") received a £185,000 fine after an attempt to publish equality and diversity data via a spreadsheet on its external website inadvertently revealed (by way of a clickable data expansion link) the sensitive personal information of 6,574 current and previous employees, including names, NI numbers, ethnic, religious, sexual orientation and disability details.
The dangers of 'hidden data' are an area that the ICO has focused on in recent months, but most interestingly the fine to the Trust was aggravated by delays: the Trust was unaware of the breach for 11 months, and there were then delays in clearing search engine caches of the data and in notifying the individuals affected.
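The article does not say which spreadsheet feature carried the hidden records, so as an added example (not the Trust's or the ICO's own tooling) here is a pre-publication check in Python that inspects an .xlsx archive for the usual carriers of hidden data: hidden or "veryHidden" sheets, hidden rows and columns, and pivot cache parts (which store the source rows behind a pivot summary). The workbook it scans is a constructed minimal archive built in memory; sheet and column names are assumptions.

```python
import io
import zipfile
import xml.etree.ElementTree as ET


def constructed_workbook():
    """Constructed sample: a minimal xlsx-style zip with one visible sheet,
    one hidden sheet, a hidden column and row, and a pivot cache part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml",
                   '<workbook><sheets>'
                   '<sheet name="Summary" sheetId="1"/>'
                   '<sheet name="Staff detail" sheetId="2" state="hidden"/>'
                   '</sheets></workbook>')
        z.writestr("xl/worksheets/sheet1.xml",
                   '<worksheet><cols><col min="3" max="3" hidden="1"/></cols>'
                   '<sheetData><row r="1"/><row r="2" hidden="1"/></sheetData>'
                   '</worksheet>')
        z.writestr("xl/worksheets/sheet2.xml",
                   '<worksheet><sheetData><row r="1"/></sheetData></worksheet>')
        z.writestr("xl/pivotCache/pivotCacheRecords1.xml", "<pivotCacheRecords/>")
    return buf.getvalue()


def _local(tag):
    """Strip the XML namespace real Excel files put on every element."""
    return tag.rsplit("}", 1)[-1]


def hidden_content(xlsx_bytes):
    """Return a sorted list of findings describing data a reader of the
    rendered sheet would not see but a downloader could expand."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        for el in ET.fromstring(z.read("xl/workbook.xml")).iter():
            if _local(el.tag) == "sheet" and el.get("state") in ("hidden", "veryHidden"):
                findings.append(f"hidden sheet: {el.get('name')}")
        for part in z.namelist():
            if part.startswith("xl/pivotCache/"):
                findings.append(f"pivot cache part: {part}")  # holds source rows
            elif part.startswith("xl/worksheets/"):
                for el in ET.fromstring(z.read(part)).iter():
                    if _local(el.tag) in ("col", "row") and el.get("hidden") in ("1", "true"):
                        findings.append(f"hidden {_local(el.tag)} in {part}")
    return sorted(findings)
```

An empty list means the file passed the check; anything else should be resolved (or the data exported to a flat CSV) before the file is published.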
The Blackpool Teaching Hospitals NHS Foundation Trust monetary penalty notice can be accessed here.
An ICO blog on the dangers of hidden data can be accessed here.
Be on alert for exiting employees
On 26 May the ICO reported the prosecution of Mark Lloyd who, in anticipation of his departure to a rival company, emailed to himself the contact details and business information (some of which was sensitive) of almost 1,000 clients. Pleading guilty at the Telford Magistrates’ Court for unlawfully obtaining data under section 55 of the DPA, he received a £300 fine plus over £400 costs.
The enforcement notice against Mark Lloyd can be accessed here.
DPA training is "a basic requirement"
The Scottish authority West Dunbartonshire Council received an ICO enforcement notice for 'repeatedly failing' to train staff about the DPA, monitor that training and implement related guidance policies, specifically a home working policy to assist remote working employees.
In previous months we've witnessed the ICO consistently taking action against companies whose data handling employees are found to be inadequately or inappropriately trained in information governance / data protection.
The ICO has warned that training is "a basic requirement for an organisation that is trusted with large amounts of local people’s personal data".
A press release about West Dunbartonshire Council's breaches can be accessed here.
To view all ICO enforcement actions this month please click here.
Submitted by Ita Thomas, Solicitor