ICO enforcement action over the last month
Published 17 May 2016
The ICO continues its crackdown on nuisance calls in April
April marked the one-year anniversary of the removal of the legal requirement that nuisance calls had to have caused "substantial damage or substantial distress" before a fine could be levied against the nuisance call maker. Before the change, the ICO had long argued that removing the requirement would make it easier for the regulator to fine nuisance marketers.
In a reflective ICO 'One year on' report, covering the ICO's progress over the months since the change took effect, the ICO confirmed its prediction, stating that fines had reached a record-breaking "£2 million compared with just £360,000 during the previous 12 months". It also announced it would shortly fine a Scottish firm for making 2.5 million recorded calls in an effort to sell its home improvement services. "It will be the 19th firm the regulator has taken action against since April 2015 and brings the tally of penalties for nuisance marketing to £2,035,000". The £50,000 monetary penalty was later revealed to have been levied against Nevis Home Improvements Ltd. The calls breached regulation 19 of PECR, which prohibits the making of recorded direct marketing communications by automated calling systems without the prior consent of the recipient.
April also saw mandatory marketing caller ID proposals confirmed to be taken forward by the government.
Last but not least, within the recent ICO Blog "Nuisance calls – the facts behind the headlines" the ICO hinted that its anti-nuisance marketing campaign will now involve seeking to obtain stronger powers to hold accountable the directors of nuisance communications companies.
Monetary Penalty imposed for breach of security and lack of supervision of staff
Kent Police was fined £80,000 after the ICO found that the full contents of a complainant's mobile phone had been disclosed by Kent Police to the suspect (a police officer). As well as finding that inappropriate security measures were in place, the ICO found that the staff member (a hearings manager) tasked with disclosure of the evidence had not been appropriately briefed on the situation and "did not receive any (or any adequate) input, supervision or oversight from officers involved in the investigation (or others with similar experience) which would have enabled the hearings manager to distinguish between what was to be disclosed and what was to be withheld". The disclosure breached the seventh data protection principle, which requires "appropriate technical and organisational measures" against unauthorised or unlawful processing.
The ICO's particular attention to the extent of responsibility placed upon a single person in the disclosure process should prompt organisations handling personal data to put robust supervision and review procedures in place for determining when, and what, data should be disclosed, rather than leaving that judgement to one individual.
We also saw three prosecutions reported by the ICO:
- Former LV employee David Barlow Lewis attempted to unlawfully obtain and sell LV customer data. Lewis was prosecuted, fined £300 and ordered to pay costs by Bournemouth Magistrates' Court. In its press release the ICO referred to its repeated requests for 'tougher sentences' in data theft cases, and the prosecution of Lewis is sure to reinforce the ICO's campaign on this issue. (Readers may recall that the ICO's most recent call for a change in the law came in January this year, after former Enterprise Rent-A-Car employee Sindy Nagra was prosecuted for the theft and sale of almost 30,000 customer records. Nagra received a fine which the ICO said "…highlights the limited options the courts have…" in data theft cases.)
As the law stands, obtaining, disclosing and seeking to sell personal data to another person without proper consent can be prosecuted as a criminal offence under section 55 of the Data Protection Act; but the offence does not attract a custodial sentence – a scenario which the ICO have consistently argued is inconsistent with the severity of the crime. Organisations in support of harsher data theft deterrents will be pleased to note that the ICO's press release on the case of Lewis indicates that the ICO have no intention to back down on this issue.
- The ICO's enforcement powers include the authority to request information from data controllers to assess whether they have acted in compliance with the Data Protection Act 1998 and PECR. Keurboom Communications Limited together with its Director, Gregory Rudd, were prosecuted at Luton Magistrates’ Court under section 47 of the DPA for failing to comply with such a notice. As well as costs and a victim surcharge, the company were fined £1,500 and Mr Rudd £1,000 for the breach. Prosecutions of this type are relatively infrequent.
- The final prosecution this month was against Getwork2day Ltd, a recruitment firm, prosecuted at Worthing Magistrates' Court for failure to notify (an offence under s 17 of the DPA, which requires that "personal data must not be processed unless an entry in respect of the data controller is included in the register maintained by the Commissioner").
Finally, fair processing, records retention and training were the key themes running through April's undertakings and enforcement notices.
Offering opt-outs so that customers have more control over their data may seem good practice for organisations in principle; however, an April Health & Social Care Information Centre ("HSCIC") undertaking highlighted the risks of embarking upon such a course of action without first ensuring that there are workable and robust processes for gathering, recording and honouring every response received.
In 2014 the HSCIC offered patients the chance to object to its sharing of their personal data with third-party organisations for reasons other than direct care. Patients wishing to opt-out were instructed to do so via an opt-out request to their GP. A number of objections were made; however, due to "legal and technological reasons" (as described in the ICO – HSCIC undertaking) HSCIC were unable to gather, record and then implement the opt-out responses. Consequently, opted-out patient data was shared for purposes other than direct care.
Despite the HSCIC being able to show "legitimate reasons for the sharing" it was still a contravention of the first data protection principle that "Personal data shall be processed fairly and lawfully"; because in giving patients the right to opt-out HSCIC were under a duty not to process the data "outside of their reasonable expectations".
The ICO continues to take action against organisations whose data handling employees are found to be inadequately trained. The ICO has issued an enforcement notice against West Dunbartonshire Council in Scotland for "repeatedly failing to train staff around data protection". The ICO initially audited the council in January 2013 but, in a November 2013 follow-up, found that the recommendations made in January had not been fully implemented. The recommendations included a "mandatory data protection training programme for all staff (including new starters) and refresher training on an annual basis".
The trend continues in two separate follow up assessments reported by the ICO in April (Brunel University London and Croydon Health Services NHS Trust). In both cases the ICO reiterated that:
- all staff (including temporary ones) should be trained;
- training should be refreshed regularly; and
- training uptake should be monitored.
An additional aspect of the Croydon Trust undertaking (noted above) concerned records management, particularly the disposal of legacy records. At Croydon Trust a birth register covering 2009 went missing; although it was subsequently recovered, the incident highlighted that documentation may have been kept for longer than was necessary.
Data protection Principle 5 states that data should be kept for no longer than is necessary. Although there is no prescribed maximum or minimum for what a 'necessary' retention period might be, the ICO suggests that "In practice, it means that you will need to:
i. review the length of time you keep personal data;
ii. consider the purpose or purposes you hold the information for in deciding whether (and for how long) to retain it;
iii. securely delete information that is no longer needed for this purpose or these purposes; and
iv. update, archive or securely delete information if it goes out of date".
Organisations will know that good records management inevitably reduces the risk of data loss. Organisations are advised to review the systems they have in place to manage records retention, particularly in light of the impending GDPR, which gives data subjects the right to have their data deleted if it is no longer required by the organisation.
Submitted by Ita Thomas, Solicitor