Organisations have been reminded they could face a criminal prosecution if they fail to respect the public’s legal right to access their personal information.
The warning came from the Information Commissioner’s Office (ICO) after housing developer Magnacrest Ltd was fined by Westminster Magistrates for breaching data protection laws. The company did not comply with an enforcement notice issued by the ICO and so the regulator prosecuted.
The court heard that an individual had submitted a subject access request on 17 April 2017. A subject access request, or SAR, allows someone to request all the personal information an organisation holds about them.
But Magnacrest, based in Hazlemere, Buckinghamshire, failed to provide the information within the required timescale of 40 calendar days and the individual complained to the data protection regulator, the ICO.
The ICO served an enforcement notice on the company ordering it to comply with the law and provide the requested information.
When the company failed to obey the notice, the ICO brought a criminal prosecution under s47(1) of the Data Protection Act 1998.
Magnacrest pleaded guilty to a charge of failing to comply with an enforcement notice when it appeared before Westminster Magistrates on 6 February 2019. The company was fined £300, with a £30 victim surcharge, and was ordered to pay £1,133.75 towards prosecution costs.
Mike Shaw, the ICO’s Criminal Enforcement Manager, said:
“The right to access your own personal information is a fundamental and long-standing principle of data protection law. New laws brought into effect last May strengthen those rights even further.
“Organisations not only have to respect this right but must also respect notices from the ICO enforcing the law. If they fail to do so then they must accept the consequences, which can include a criminal prosecution.”
ICO to audit data protection practices at Leave.EU and Eldon Insurance after fining both companies for unlawful marketing messages | ICO
The Information Commissioner’s Office (ICO) has issued fines totalling £120,000 to an EU referendum campaign and an insurance company for serious breaches of electronic marketing laws and is set to review how both are complying with data protection laws.
The ICO announced an audit and issued a preliminary enforcement notice as well as three notices of intent to fine Leave.EU and Eldon Insurance trading as Go Skippy Insurance, in November 2018 as part of its investigation into data analytics for political purposes.
After considering the companies’ representations, the ICO has issued the fines, confirming a change to one amount, with the other two remaining unchanged. The regulator has also issued two assessment notices to Leave.EU and Eldon Insurance to inform both organisations that they will be audited.
The ICO investigation found that Leave.EU and Eldon Insurance were closely linked. Systems for segregating the personal data of insurance customers’ from that of political subscribers’ were ineffective.
This resulted in Leave.EU using Eldon Insurance customers’ details unlawfully to send almost 300,000 political marketing messages. Leave.EU has been fined £15,000 for this breach.
Eldon Insurance carried out two unlawful direct marketing campaigns. The campaigns involved the sending of over one million emails to Leave.EU subscribers without sufficient consent. Leave.EU has been fined £45,000 and Eldon Insurance has been fined £60,000 for the breach.
Elizabeth Denham, Information Commissioner said:
“It is deeply concerning that sensitive personal data gathered for political purposes was later used for insurance purposes; and vice versa. It should never have happened.
“We have been told both organisations have made improvements and learned from these events. But the ICO will now audit the organisations to determine how they are using customers’ personal information.”
The assessment notices allow the ICO access to Leave.EU and Eldon’s joint offices, staff, and documentation. It is a criminal offence to obstruct an ICO audit or destroy information covered by it.
The ICO’s audit team will be looking at data protection practices including observing how personal data is processed, considering what policies and procedures are in place and looking at the types of training made available for staff. They will also be interviewing key employees across both organisations including the directors, staff and their data protection officers. The ICO’s audit findings will be made public at the conclusion of its work.
Eldon Insurance has also received an enforcement notice from the ICO ordering the company to take steps to ensure it complies with electronic marketing regulations.
The ICO has published two reports as part of its wide-ranging data analytics investigation. Democracy Disrupted? Personal information and political influence looks at the broader policy issues identified during the investigation along with findings and the Information Commissioner’s recommendations for future action. Investigation into the use of data analytics in political campaigns is the latest update for the investigation.
Cold calls about pensions are now illegal in some circumstances following a change in the law.
Unsolicited calls are the most common method for companies who operate pension scams to contact people and new legislation introduced by the government from 9 January aims to tackle this.
ICO Investigations Manager, Andy Curry, said:
”These calls cause untold misery to thousands of people and we are pleased that the law now offers greater protection to stop them being scammed out of their hard-earned pensions by unscrupulous operators.
“The ICO has powers to go after companies who make these nuisance calls and their directors and can impose fines of up to £500,000. We would encourage people to report calls like this to us to help us take action.”
The ban prohibits cold calling in relation to pensions, except where:
For further information, read the updated guidance for businesses in the telephone marketing section of the guide to the Privacy and Electronic Communications Regulations (PECR).
The Information Commissioner’s Office (ICO) has begun formal enforcement action against care homes that have failed to pay the data protection fee.
The data protection regulator has sent notices of its intent to fine the businesses unless they pay, those that don’t could face a maximum fine of £600.
The ICO recently sent out the first fines to more than 100 organisations across a range of sectors for non-payment of the fee.
All organisations that process personal data must pay a fee to the ICO and are then listed on their register of data controllers. The care home sector is currently under-represented on this register. There are exemptions from paying the fee but care homes process particularly sensitive personal information for health administration and patient care purposes and are therefore not exempt.
Paul Arnold, Deputy Chief Executive Officer at the ICO, said:
“We expect the notices we have issued to serve as a final demand to these businesses and that they will pay before we proceed to a fine. But we will not hesitate to use our powers if necessary.
“All organisations that are required to pay the data protection fee must prioritise payment or risk getting a formal letter from us outlining enforcement action.”
Organisations have 21 days to respond to the notices. If they pay, action will stop.
The data protection fee is set by Government which has a statutory duty to ensure the ICO is adequately funded, and is part of the Data Protection (Charges and Information) Regulations 2018. It came into force on 25 May to coincide with the new Data Protection Act (2018) and the General Data Protection Regulation. And it replaces the need to notify or register with the ICO.
The data protection fee helps fund the ICO’s work to uphold information rights such as investigations into data breaches and complaints, our popular advice line, and guidance and resources for organisations to help them understand and comply with their data protection obligations. The ICO has grown over the last two years - now employing around 670 staff.
Under the funding model, set by Government, organisations are divided into three tiers based on their size, turnover and whether an organisation is a public authority or charity.
For very small organisations, the fee won’t be any higher than the £35 they currently pay (if they take advantage of a £5 reduction for paying by direct debit).
Larger organisations will be required to pay £2,900. The fee is higher because these organisations are likely to hold and process the largest volumes of data and therefore represent a greater level of risk.
Those that ignore the notices or refuse to pay may face a fine ranging from £400 to £4,000 depending on the size and turnover of the organisation. Aggravating factors may lead to an increase in the fine up to a maximum of £4,350.
Further information and the ICO’s fee calculator tool are available here.
The ICO’s Guide to the Data Protection Fee can be found here.
Organisations that have a current registration (or notification) under the 1998 Act – prior to 25 May 2018 – do not have to pay the new fee until that registration has expired.
An investigation by the Information Commissioner’s Office (ICO) found that the Metropolitan Police Service’s (MPS) use of the Gangs Matrix led to multiple and serious breaches of data protection laws.
The investigation into the Gangs Matrix, a database that records intelligence related to alleged gang members, began in October 2017 after concerns were raised by Amnesty International.
The ICO found that, whilst there was a valid purpose for the database, the inconsistent way it was being used did not comply with data protection rules.
It has now issued an Enforcement Notice, compelling the MPS to ensure it complies with data protection laws in future and has given them six months to make these changes, which the MPS has accepted and already started to implement.
Deputy Information Commissioner of Operations, James Dipple-Johnstone, said:
“Protecting the public from violent crime is an important mission and we recognise the unique challenges the MPS faces in tackling this.
“Our aim is not to prevent this vital work, nor are we saying that the use of a database in this context is not appropriate; we need to ensure that there are suitable policies and processes in place and that these are followed.
“Clear and rigorous oversight and governance is essential, so the personal data of people on the database is protected and the community can have confidence that their information is being used in an appropriate way.”
The MPS’ operating model governs the use of the matrix across the Metropolitan area. Each of the 32 London boroughs operate their own Matrix, which are then compiled centrally to form a larger London-wide Gangs Matrix.
The personal data of people recorded on the Gangs Matrix includes; full names, dates of birth, home addresses, and information on whether someone is a prolific firearms offender or knife carrier.
The investigation found:
The MPS already has an action plan underway and has stopped sharing personal data on the Gangs Matrix with third parties, where there is no individual sharing agreement in place. They have committed to being more open about the database and are working with us to complete a Data Protection Impact Assessment.
The Deputy Commissioner added,
“I am pleased that the MPS has been co-operating with us and has committed to bringing the Gangs Matrix in line with data protection laws, and we will continue to work with them.
“I believe that by taking these steps and demonstrating that people’s data rights matter to them, the MPS will be able to build increased trust amongst their communities.”
Due to the timing of the case, it was dealt with under the provisions of the Data Protection Act 1998, and not the General Data Protection Regulation (GDPR) and 2018 Act that replaced it in May this year.
The ICO will also be launching a second investigation that focuses on how partners of the police handle information, such as that provided through the Gangs Matrix, and is already investigating a data breach at Newham Borough Council involving the Matrix.
Six month prison sentence for motor industry employee in first ICO Computer Misuse Act prosecution | ICO
A motor industry employee has been sentenced to six months in prison in the first prosecution to be brought by the Information Commissioner’s Office (ICO) under legislation which carries a potential prison sentence.
Mustafa Kasim, who worked for accident repair firm Nationwide Accident Repair Services (NARS), accessed thousands of customer records containing personal data without permission, using his colleagues’ log-in details to access a software system that estimates the cost of vehicle repairs, known as Audatex.
He continued to do this after he started a new job at a different car repair organisation which used the same software system. The records contained customers’ names, phone numbers, vehicle and accident information.
NARS contacted the ICO when they saw an increase in customer complaints about nuisance calls and assisted the ICO with their investigation.
The ICO usually prosecutes cases like this under the Data Protection Act 1998 or 2018, depending on the individual case. However, in appropriate cases, it can prosecute under other legislation - in this case s.1 of the Computer Misuse Act 1990 - to reflect the nature and extent of the offending and for the sentencing Court to have a wider range of penalties available.
Mike Shaw, Group Manager Criminal Invesitgations Team at the ICO said:
”People who think it’s worth their while to obtain and disclose personal data without permission should think again.
“Although this was a data protection issue, in this case we were able to prosecute beyond data protection laws resulting in a tougher penalty to reflect the nature of the criminal behaviour.
“Members of the public and organisations can be assured that we will push the boundaries and use any tool at our disposal to protect their rights.
“Data obtained in these circumstances is a valuable commodity, and there was evidence of customers receiving unwarranted calls from claims management companies causing unnecessary anxiety and distress.
“The potential reputational damage to affected companies whose data is stolen in this way can be immeasurable. Both Nationwide Accident Repair Services and Audatex have put appropriate technical and organisational measures in place to ensure that this cannot happen again.”
Mr Kasim pleaded guilty to a charge of securing unauthorised access to personal data between 13 January 2016 and 19 October 2016, at a hearing in September 2018 and was sentenced at Wood Green Crown Court.
Confiscation proceedings under the Proceeds of Crime Act, to recover any benefit obtained as a result of the offending, have been commenced and are ongoing.
Two firms that were behind nearly 600,000 nuisance calls attempting to sell home security systems to people registered with the Telephone Preference Service (TPS), have been fined a total of £220,000 by the Information Commissioner’s Office.
It is against the law to make marketing calls to numbers that have been registered with the TPS.
ACT Response Ltd of Middlesbrough was behind 496,455 live marketing calls to TPS subscribers and has been fined £140,000.
There were 128 complaints made about the company between January 2017 and February 2018.
“Didn’t get any other details but this number calls all the time, several times a day and seven days a week and it’s driving me mad.”
The script used by the company for making the calls, even asked people whether they were registered with the TPS.
The full penalty notice to ACT Response Ltd can be read here.
Another firm, Secure Home Systems (SHS) of Bilston, West Midlands, has been fined £80,000 for making calls to 84,347 numbers registered with the TPS between September and December 2017, using call lists bought from third parties without screening them.
People made 268 complaints about the company over a two-year period.
”I was angry and disturbed that they had obtained my number and ignored the fact that we’re registered with the TPS.”
The full penalty notice to Secure Home Systems can be read here.
Andy Curry, ICO Group Enforcement Manager, said:
“These fines should set alarm bells ringing and deter marketing companies across all sectors that are contacting people without their consent. It is a company’s responsibility to make sure that it has valid consent to make these calls.
“The TPS is there for a reason – to protect people’s privacy and ensure that marketing companies obey the law. Marketing companies failing to take the basic step of checking TPS can expect robust enforcement.”
The advice for people who receive nuisance marketing calls, emails and texts is to ask the company to remove their details from their lists, read the small print and be careful about ticking boxes which could give them consent to contact you and to report them to the ICO.
Companies that carry out electronic marketing and want to make sure they are complying with the law, should subscribe to the TPS for a fee to get the register of subscribers to screen their own call lists against. Further advice is available on the ICO website.
The ICO has the power to issue fines up to £500,000 to firms who carry out nuisance marketing under the Privacy and Electronic Communications Regulations (PECR).
ICO issues maximum £500,000 fine to Facebook for failing to protect users’ personal information - ICO
The Information Commissioner’s Office (ICO) has fined Facebook £500,000 for serious breaches of data protection law.
In July, the ICO issued a Notice of Intent to fine Facebook as part of a wide ranging investigation into the use of data analytics for political purposes.
After considering representations from the company, the ICO has issued the fine to Facebook and confirmed that the amount – the maximum allowable under the laws which applied at the time the incidents occurred - will remain unchanged.
The ICO’s investigation found that between 2007 and 2014, Facebook processed the personal information of users unfairly by allowing application developers access to their information without sufficiently clear and informed consent, and allowing access even if users had not downloaded the app, but were simply ‘friends’ with people who had.
Facebook also failed to keep the personal information secure because it failed to make suitable checks on apps and developers using its platform. These failings meant one developer, Dr Aleksandr Kogan and his company GSR, harvested the Facebook data of up to 87 million people worldwide, without their knowledge. A subset of this data was later shared with other organisations, including SCL Group, the parent company of Cambridge Analytica who were involved in political campaigning in the US.
Even after the misuse of the data was discovered in December 2015, Facebook did not do enough to ensure those who continued to hold it had taken adequate and timely remedial action, including deletion. In the case of SCL Group, Facebook did not suspend the company from its platform until 2018.
The ICO found that the personal information of at least one million UK users was among the harvested data and consequently put at risk of further misuse.
Elizabeth Denham, Information Commissioner, said:
“Facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data. A company of its size and expertise should have known better and it should have done better.”
This fine was served under the Data Protection Act 1998. It was replaced in May by the new Data Protection Act 2018, alongside the EU’s General Data Protection Regulation. These provide a range of new enforcement tools for the ICO, including maximum fines of £17 million or 4% of global turnover.
Ms Denham added:
“We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation. The fine would inevitably have been significantly higher under the GDPR. One of our main motivations for taking enforcement action is to drive meaningful change in how organisations handle people’s personal data.
“Our work is continuing. There are still bigger questions to be asked and broader conversations to be had about how technology and democracy interact and whether the legal, ethical and regulatory frameworks we have in place are adequate to protect the principles on which our society is based.”
Watch Elizabeth Denham talk about the fine here.
A further update on the ICO investigation into data analytics for political purposes will be on Tuesday 6 November, when Ms Denham will give evidence to the Department for Digital, Culture, Media and Sport (DCMS) Select Committee.
In July, the ICO published an interim progress update on its investigation and also published a partner report, Democracy Disrupted? Personal information and political influence looking at the broader policy issues identified during the investigation along with findings and the Information Commissioner’s recommendations for future action.
ICO fines firm £90,000 for nuisance emails about pre-paid funeral plans
The Information Commissioner has fined London-based marketing company, Boost Finance Ltd (BFL), a company responsible for millions of nuisance emails about pre-paid funeral plans.
Trading as findmeafuneralplan.com, BFL was behind 4,396,780 emails that were sent from January to September 2017. The emails were sent to people who had subscribed to websites operated by BFL’s affiliates, but who had not given their consent to receive them.
The ICO investigation found that in all but one of the websites, it was not made obvious who the emails were from - although they did make generic mention of prepaid funeral plan providers in some cases.
The majority of the websites did not provide subscribers with the opportunity to opt out of third party marketing.
Andy Curry, ICO Enforcement Group Manager, said:
“Companies seeking to use email marketing must make sure they follow the law. People would particularly expect this to be so when the subject may be perceived as sensitive, as in this case.
“Boost Finance relied heavily on their affiliates to deliver millions of unwanted messages to members of the public, and also ensure compliance with the law. However, it was Boost Finance’s responsibility to ensure they had valid consent to send the emails. Businesses should send marketing messages in compliance with the law or face potential enforcement action by the ICO.”
The law states that organisations must have consent to send such emails. That consent must be freely given, specific and informed and involve a positive indication - such as ticking a box.
The investigation found that BFL relied upon inadequate and misleading methods to collect personal data to obtain consent and that consent was not sufficiently informed and therefore breached the Privacy and Electronic Communications Regulations (PECR).
Notes to Editors
- marketing calls, emails, texts and faxes;
- cookies (and similar technologies);
- keeping communications services secure; and
- customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings.
We aim to help organisations comply with PECR and promote good practice by offering advice and guidance. We will take enforcement action against organisations that persistently ignore their obligations.
The Information Commissioner’s Office (ICO) has fined Everything DM Ltd (EDML), based in Stevenage, £60,000 for sending 1.42 million emails without consent.
The investigation found that, between May 2016 and May 2017, the firm used its direct marketing system called ‘Touchpoint’ to send emails on behalf of its clients for a fee.
Those emails gave the impression they were sent by the clients directly, and EDML couldn’t prove that the recipients had ever given consent to receive marketing emails from its clients or itself.
The investigation revealed that EDML relied on the consent of third parties but didn’t take reasonable steps to make sure the data complied with the Privacy and Electronic Communications Regulations (PECR).
ICO Director of Investigations, Steve Eckersley, said:
“Firms providing marketing services to other organisations need to double-check whether they have valid consent from people to send marketing emails to them. Generic third party consent is not enough and companies will be fined if they break the law.”
The ICO has also served an Enforcement Notice on EDML requiring them to comply with PECR in the future.
The corac team
News and thoughts from Centaur House
Open Government Licence
In addition to our own posts we also post news content from selected government agencies.
We are pleased to include the following attribution statements in recognition of the content we use in the following categories:
"Contains public sector information published by the Health and Safety Executive and licensed under the Open Government Licence"
Environment Agency -
"Contains Environment Agency information © Environment Agency and database right"
Food Standards Agency
Plus other general .gov content:
"Contains public sector information licensed under the Open Government Licence v3.0".