Published 17 May 2016
The ICO continues its crackdown on nuisance calls in April
April marked the one year anniversary of the removal of the legal requirement that nuisance calls had to have caused "substantial damage or substantial distress" before a fine could be levied against the nuisance call maker. Before the change, the ICO had long argued that removal of the requirement would make it easier for the regulator to fine nuisance marketers.
In a reflective ICO 'One year on' report, covering the ICO's progress over the months since the change took effect, the ICO confirmed its prediction, stating that fines had reached a record-breaking "£2 million compared with just £360,000 during the previous 12 months". It also announced it would shortly fine a Scottish firm for making 2.5 million recorded calls in an effort to sell its home improvement services. "It will be the 19th firm the regulator has taken action against since April 2015 and brings the tally of penalties for nuisance marketing to £2,035,000". The £50,000 monetary penalty was later revealed to have been levied against Nevis Home Improvements Ltd. The calls breached regulation 19 of PECR, which prohibits the making of recorded direct marketing communications by automated calling systems without the prior consent of the recipient.
April also saw mandatory marketing caller ID proposals confirmed to be taken forward by the government.
Last but not least, within the recent ICO Blog "Nuisance calls – the facts behind the headlines" the ICO hinted that its anti-nuisance marketing campaign will now involve seeking to obtain stronger powers to hold accountable the directors of nuisance communications companies.
To see the ICO blogs click here and here.
To see the government's response to the consultation on requiring direct marketing callers to provide calling line identification click here.
Monetary Penalty imposed for breach of security and lack of supervision of staff
Kent Police were fined £80,000 after the ICO found that the full contents of a complainant's mobile phone were disclosed by Kent Police to the suspect (a police officer). As well as finding that inappropriate security measures were in place, the ICO found that the staff member (a hearings manager) tasked with disclosure of the evidence had not been appropriately briefed on the situation and "did not receive any (or any adequate) input, supervision or oversight from officers involved in the investigation (or others with similar experience) which would have enabled the hearings manager to distinguish between what was to be disclosed and what was to be withheld". The disclosure breached the seventh data protection principle, regarding "Appropriate technical and organisational measures".
The ICO's particular attention to the extent of responsibility placed upon a single person in the disclosure process should prompt organisations that handle data to put robust supervision in place for decisions about when, and what, data should be disclosed.
To view the ICO monetary penalty discussed above, please click here.
We also saw three prosecutions reported by the ICO:
To view any of the ICO prosecutions discussed above, please click here.
Finally, fair processing, records retention and training were the key themes running through April's undertakings and enforcement notices.
Opting to use opt-outs so that customers have more control over their data may seem good practice for organisations in principle; however, an April Health & Social Care Information Centre ("HSCIC") undertaking highlighted the risks of embarking upon such a course of action without first ensuring that there are workable and robust processing methods for gathering and implementing all responses received.
In 2014 the HSCIC offered patients the chance to object to its sharing of their personal data with third-party organisations for reasons other than direct care. Patients wishing to opt-out were instructed to do so via an opt-out request to their GP. A number of objections were made; however, due to "legal and technological reasons" (as described in the ICO – HSCIC undertaking) HSCIC were unable to gather, record and then implement the opt-out responses. Consequently, opted-out patient data was shared for purposes other than direct care.
Despite the HSCIC being able to show "legitimate reasons for the sharing" it was still a contravention of the first data protection principle that "Personal data shall be processed fairly and lawfully"; because in giving patients the right to opt-out HSCIC were under a duty not to process the data "outside of their reasonable expectations".
The ICO continues to take action against companies whose data handling employees are found to be inadequately trained. The ICO have issued an enforcement notice against the Scottish West Dunbartonshire Council for "repeatedly failing to train staff around data protection". The ICO initially audited the council in January 2013 but in a November 2013 follow-up found that recommendations made in January had not been fully implemented. The recommendations included "mandatory data protection training programme for all staff (including new starters) and refresher training on an annual basis".
The trend continues in two separate follow up assessments reported by the ICO in April (Brunel University London and Croydon Health Services NHS Trust). In both cases the ICO reiterated that:
An additional aspect of the Croydon Trust undertaking (noted above) regarded records management, particularly legacy record disposal. In Croydon Trust, a birth register covering 2009 went missing and whilst subsequently recovered, highlighted that documentation may have been kept for longer than was necessary.
Data protection Principle 5 states that data should be kept for no longer than is necessary and, although there is no prescribed maximum or minimum timescale for what a 'necessary' timescale might be, the ICO suggest that "In practice, it means that you will need to:
i. review the length of time you keep personal data;
ii. consider the purpose or purposes you hold the information for in deciding whether (and for how long) to retain it;
iii. securely delete information that is no longer needed for this purpose or these purposes; and
iv. update, archive or securely delete information if it goes out of date".
Organisations will know that good record management will inevitably reduce the risk of data loss. Organisations are advised to review the systems they have in place to manage records retention, particularly in light of the impending GDPR, which gives data subjects the right to have data deleted if it is no longer required by an organisation.
To view the ICO undertakings/follow-up assessments and enforcement notices discussed above, please click here.
Submitted by Ita Thomas, Solicitor