Privacy and Security Enforcement Tracker

Explore the actions taken by privacy regulators around the world for infringements of privacy laws during 2017

Overview

In our fourth annual Privacy and Security Enforcement Tracker, we review the key regulatory enforcement cases in the UK and provide a synopsis of key privacy issues and trends for 34 other countries. Use our two interactive tools to explore the enforcement facts and figures that interest you most - and download the full report below.

UK findings

The UK report contains details of every enforcement imposed by the ICO during 2017 (whilst the Data Protection Act 1998 was still in force). There were 91 enforcements in total, made up of:

  1. Enforcement Notices require organisations to take (or refrain from taking) specified steps in order to ensure they comply with the law
  2. Monetary Penalty Notices (MPNs) require organisations to pay up to £500,000 for serious breaches of the Data Protection Act occurring on or after 6 April 2010
  3. Prosecutions of those who commit criminal offences under the Act through the Court system
  4. Undertakings commit an organisation to a particular course of action in order to improve its compliance

Almost half of last year’s UK data protection enforcement actions were due to marketing infringements and half of these were attributable to telephone marketing. Security breaches and misusing data for profiling purposes also continued to appear as substantial causes of failure. The charity sector had a particularly tough year with 11 MPNs imposed – 20% of the UK total.

In his foreword to this year’s publication, James Dipple-Johnstone, Deputy Commissioner (Operations) at the ICO, emphasises that while the new law strengthens the ICO’s fining powers – from a maximum of £500,000 to £17 million or 4% of global turnover – “our approach to enforcement action will not change. We remain committed to the carrot over the stick. Guiding, advising and supporting organisations to help them comply with the law will always be our preference.”

Use the interactive data tool below to explore the UK enforcements in more detail. Select your chosen industry to see key statistics relating to the actions taken, and click on the reasons behind each enforcement to reveal detailed summaries for each breach. 

Brighter Homes Solutions Ltd
12 May 2017
Monetary Penalty
PECR — Regulation 21
The Commissioner has received 187 complaints via the TPS and directly from individuals who are subscribers to specific telephone lines. The individuals allege they have received unsolicited marketing calls on those lines from Brighter Home Solutions Ltd. Each individual states that they have previously notified Brighter Home Solutions Ltd that such calls should not be made on that line and/or have registered their number with the TPS.
Enforced remedial action required within 35 days:
  1. Neither use, nor instigate the use of a public electronic communications service for the purposes of making unsolicited direct marketing calls where the called line is that of:
    • A subscriber who has previously notified Brighter Home Solutions Ltd that such calls should not be made on that line; and/or
    • A subscriber who has registered their number with the TPS at least 28 days previously and who has not notified Brighter Home Solutions Ltd that they do not object to such calls being made.
Concept Car Credit Limited
12 May 2017
Monetary Penalty
PECR — Regulation 22
Over an 18 month period between 2015 and 2016, the Company used a public telecommunications service for the purposes of instigating the transmission of 336,000 unsolicited communications by means of electronic mail to individual subscribers for direct marketing purposes contrary to Regulation 22 of PECR.
In this case the Commissioner is satisfied that the Company did not have the consent, within the meaning of the regulation 22 (2), of the 336,000 subscribers to whom it sent unsolicited direct marketing text messages.
Enforced remedial action required within 35 days:
  1. Except in the circumstances referred to in paragraph (3) of Regulation 22 of the Regulations, neither transmit, nor instigate the transmission of unsolicited communications for direct marketing purposes by means of electronic mail unless the recipient has previously notified Concept Car Credit Limited that they consent for the time being to such communications being sent by, or at the instigation of Concept Car Credit Limited.
Davies Brothers (Wales) Limited
23 January 2017
DPA — 6th Principle
Davies Brothers (Wales) Limited is a “data controller” as defined in section 1 (1) of the Data Protection Act 1998 (“DPA”).
Section 4 (4) of the DPA provides that, subject to Section 27 (1), it is the duty of a data controller to comply with the data protection principles in relation to all personal data with respect to which he is the data controller.
The Commissioner held that Davies Brothers (Wales) Limited contravened the Sixth Data Protection Principle in that, contrary to Section 7, it had failed to inform the complainant, without undue delay, whether personal data of which this individual was the data subject were being processed by or on behalf of the data controller and, where that was the case, had failed, without undue delay, to communicate to them in an intelligible form information which may constitute personal data.
Enforced remedial action required within 30 days:
  • Inform the complainant whether the personal data processed by the data controller includes personal data of which the complainant is the data subject and supply them with a copy of any personal data so processed in accordance with the requirements of Section 7 of the DPA and the Sixth Data Protection Principle in that respect, subject only to the proper consideration and application of any exemption from, or modification to, Section 7 of the DPA provided for in or by virtue of part IV of the DPA which may apply.
Easyleads Limited
14 September 2017
Monetary Penalty
PECR — Regulations 19 & 24
Between 22 October 2015 and 30 June 2017 Easyleads Limited instigated the transmission of 16,730,340 automated marketing calls to subscribers without prior consent, resulting in 551 complaints to the ICO. Easyleads Limited also contravened Regulation 24 of PECR in that it did not identify the person who was sending or instigating the automated marketing calls or provide the address of the person or a telephone number on which this person can be reached free of charge.
Enforced remedial action required within 35 days:
  1. Neither transmit, nor instigate the transmission of communications comprising recorded matter for direct marketing purposes by means of an automated calling system except:
    1. Where the line called is that of a subscriber who has previously notified Easyleads Limited that for the time being they consent to such communications being sent by, or at the instigation of, Easyleads Limited; and
    2. Where the communication includes the name of Easyleads Limited and either the address of Easyleads Limited or a telephone number on which Easyleads Limited can be reached free of charge.
H.P.A.S. Limited t/a Safestyle UK
31 July 2017
Monetary Penalty
PECR — Regulation 21
The Commissioner received 264 complaints via the TPS and directly from individuals who are subscribers to specific telephone lines. The individuals alleged that they have received unsolicited marketing calls on those lines from HPAS. Each individual stated that they had previously notified HPAS that such calls should not be made on that line and/or have registered their number with the TPS.
Enforced remedial action required within 70 days:
  1. Review all of its telephone marketing data to ensure that it can evidence the consents it relies upon to make marketing calls. Pursuant to the Commissioner’s Direct Marketing Guidance the consent must be knowingly and freely given, clear and specific.
  2. All such data where the evidence of specific consent cannot be verified, shall be screened against the TPS register before being used to make marketing calls
  3. Put in place an effective suppression system to ensure that all requests not to be called again received from subscribers are recorded, actioned and retained in place until such a time as positive specific consent to receiving such calls is obtained
  4. Screen all unsolicited calls against that suppression system and against the TPS register.
Hamilton Digital Solutions Limited
16 November 2017
Monetary Penalty
PECR — Regulation 22
Between 1 April 2016 and 19 September 2016, Hamilton Digital Solutions Limited (HDSL) used a public electronic telecommunications service for the purposes of instigating the transmission of 156,250 unsolicited communications by means of electronic mail to individual subscribers for direct marketing purposes contrary to Regulation 22 of PECR.
Enforced remedial action required within 35 days:
  1. Except in the circumstances referred to in paragraph (3) of Regulation 22 of PECR, neither transmit, nor instigate the transmission of unsolicited communications for direct marketing purposes by electronic mail unless the recipient has previously notified HDSL that they consent for the time being to such communications being sent by, or at the instigation of HDSL.
Laura Anderson Limited t/a Virgo Home Improvements
31 July 2017
Monetary Penalty
PECR — Regulation 21
The Commissioner received 440 complaints via the TPS and directly from individuals who are subscribers to specific telephone lines. The individuals alleged that they had received unsolicited marketing calls on those lines from Virgo. Each individual stated that they had previously notified Virgo that such calls should not be made on that line and/or had registered their number with the TPS.
Enforced remedial action required within 35 days:
  1. Neither use, nor instigate the use of a public electronic communications service for the purposes of making unsolicited direct marketing calls where the called line is that of:
    1. A subscriber who has previously notified Virgo that such calls should not be made on that line;
    2. A subscriber who has registered their number with the TPS at least 28 days previously and who has not notified Virgo that they do not object to such calls being made.
The Lead Experts Limited
10 October 2017
Monetary Penalty
PECR — Regulations 19 & 24
Between 4 May 2016 and 5 May 2016 The Lead Experts Limited (TLEL) instigated the transmission of 111,072 automated marketing calls to subscribers without their prior consent. Furthermore, contrary to Regulation 24 of PECR, TLEL did not identify the organisation (person) who was sending or instigating the automated marketing calls or provide the address of the organisation or a telephone number on which this organisation can be reached free of charge.
Enforced remedial action required within 35 days:
  1. Neither transmit, nor instigate the transmission of communications comprising recorded matter for direct marketing purposes by means of an automated calling system except:
    1. Where the called line is that of a subscriber who has previously notified TLEL that for the time being they clearly and specifically consent to such communications being sent by, or at the instigation of, TLEL; and
    2. Where the communication includes the name of TLEL and either the address of TLEL or a telephone number on which TLEL can be reached free of charge.
Medway Council
9 June 2017
No Monetary Penalty
DPA — 7th Principle
The Commissioner’s Office carried out a consensual audit of the data controller (Medway Council) in October 2014 which provided ‘limited assurance’. The audit report recommended (among other things) that mandatory data protection training should be given to all staff and that there is regular refresher training which is monitored.
The Commissioner’s office carried out a ‘follow-up’ audit in June 2015. Although mandatory data protection training had been implemented, the Commissioner’s office advised the data controller to continue to roll out the training. The Commissioner’s office carried out a further investigation into the data controller’s compliance with the provisions of the DPA following two security breaches. The data controller has failed to take adequate steps to ensure that mandatory data protection training has been rolled out, as advised.
The Commissioner has considered the data controller’s compliance with the provisions of the DPA in light of these matters.
Enforced remedial action required within 6 months:
  1. There is a mandatory data protection training programme for staff and refresher training at least every two years. Delivery of the training should be tailored to reflect the needs of the staff following a training needs analysis; and
  2. Completion of any such training is monitored and properly documented.
Munee Hut LLP
10 March 2017
Monetary Penalty
PECR — Regulation 22
Between 1 May 2015 and 22 March 2016, Munee Hut LLP used a public telecommunications service for the purposes of instigating the transmission of approximately 64,000 unsolicited communications by means of electronic mail to individual subscribers for direct marketing purposes contrary to Regulation 22 of PECR.
Enforced remedial action required within 35 days:
  1. Except in the circumstances referred to in paragraph (3) of Regulation 22 of the Regulations, neither transmit, nor instigate the transmission of unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient has previously notified Munee Hut LLP that they consent for the time being to such communications being sent by, or at the instigation of Munee Hut LLP.
Road Accident Consult Ltd t/a Media Tactics
3 March 2017
Monetary Penalty
PECR — Regulations 19 & 24
Between 13 November 2014 and 9 June 2015 Media Tactics instigated the transmission of 22,065,627 automated marketing calls to subscribers without their prior consent. Media Tactics also contravened Regulation 24 of PECR in that it did not identify the person who was sending or instigating the automated marketing calls or provide the address of the person or a telephone number on which this person can be reached free of charge.
Enforced remedial action required within 35 days:
  1. Neither transmit, nor instigate the transmission of communications comprising recorded matter for direct marketing purposes by means of an automated calling system except:
    1. Where the called line is that of a subscriber who has previously notified Media Tactics that for the time being they consent to such communications being sent by, or at the instigation of, Media Tactics; and
    2. Where the communication includes the name of Media Tactics and either the address of Media Tactics or a telephone number on which Media Tactics can be reached free of charge.
Secretary of State for Justice
21 December 2017
No Monetary Penalty
DPA — 6th Principle
On 28 July 2017, the data controller had a backlog of 919 subject access requests from individuals, some of which dated back to 2012. The data controller's recovery plan involved eliminating the backlog by October 2018 and from 31 January 2018 dealing with any new subject access requests from individuals without undue delay. On 10 November 2017, there were 793 cases over 40 days old.
The data controller failed to inform the individuals, whether their personal data is being processed by or on behalf of the data controller, without undue delay, and failed to communicate in an intelligible form information which may constitute personal data. Further, the data controller’s internal systems, procedures and policies for dealing with subject access requests made under the DPA were unlikely to achieve compliance with the provisions of the DPA.
Enforced remedial action required within 10 months:
  1. Inform the individuals whose access requests are over 40 days old whether the personal data processed includes personal data of which those individuals (or any of them) are the data subjects and supply each of them with a copy of any such personal data so processed in accordance with the requirements of Section 7 of the DPA and the sixth data protection principle in that respect, subject only to the proper consideration and application of any exemption from, or modification to, Section 7 of the DPA provided for in or by virtue of part IV of the DPA which may apply.
Enforced remedial action required within 30 days:
  1. Carry out the changes to its internal systems, procedures and policies necessary to ensure that all subject access requests received by the data controller, in respect of the data controller, pursuant to Section 7 of the DPA are identified and complied with in accordance with the seven requirements of Section 7 of the DPA, and the sixth data protection principle in that respect, subject only to:
    1. The proper consideration and application of any exemption from, or modification to, Section 7 of the DPA provided for in or by virtue of part IV of the DPA which may apply; and
    2. The expectation that such requests are expressed with reasonable clarity and are properly addressed.
  2. Continue to use his best endeavours to surpass the milestones outlined above.
  3. Provide the Commissioner with a progress report at the beginning of each month, documenting in detail how the terms of this enforcement notice have been, or are being, implemented.
True Telecom Limited
6 September 2017
Monetary Penalty
PECR — Regulations 21 & 24
The Commissioner received numerous complaints via TPS and directly from individuals who are subscribers to specific telephone lines. The individuals allege that they have received unsolicited marketing calls on those lines from True Telecom. Each individual states they have previously notified True Telecom that such calls should not be made on that line and/or have registered their number with the TPS.
Enforced remedial action required within 35 days:
  1. Neither use, nor instigate the use of a public electronic communications service for the purposes of making unsolicited direct marketing calls where the called line is that of:
    1. A subscriber who has previously notified True Telecom that such calls should not be made on that line;
    2. A subscriber who has registered their number with the TPS at least 28 days previously and who has not notified True Telecom that they do not object to such calls being made.
  2. Neither use, nor instigate the use of a public electronic communications service for the purposes of making calls (whether solicited or unsolicited) for direct marketing purposes except where they:
    1. Do not prevent presentation of the identity of the calling line on the called line; or
    2. Present the identity of a line on which they can be contacted.
  3. In accordance with Regulation 24 of the Regulations, cease using a public communications service for the transmission of a communication to which Regulation 21 of the Regulations applies unless the particulars mentioned in paragraph (2)(a) of Regulation 24 of the Regulations are provided with that communication.
In addition to the above, The Commissioner would note at this point that in the period of May 2017 – July 2017, following the established contravention which forms the basis of this Notice, in excess of 50 further complaints have been logged with the TPS in respect of unsolicited calls made by True Telecom.
Vanquis Bank Limited
4 October 2017
Monetary Penalty
PECR — Regulation 22
Between 9 April 2015 and 16 February 2016, Vanquis Bank Limited (VBL) used a public telecommunications service for the purposes of instigating the transmission of 870,849 unsolicited communications by means of electronic mail (text message) to individual subscribers for direct marketing purposes contrary to Regulation 22 of PECR. This resulted in 131 complaints being made to the 7726 system.
Furthermore, between 1 April 2016 and 1 September 2016, VBL used a public telecommunications service for the purposes of instigating the transmission of 620,000 unsolicited communications by electronic mail (e-mail) to individual subscribers for direct marketing purposes contrary to Regulation 22 of PECR. This resulted in 9 complaints being made to the ICO.
The Commissioner was satisfied that VBL did not have the consent within the meaning of Regulation 22 (2) from the 870,849 subscribers to whom it sent unsolicited direct marketing text messages or the 620,000 subscribers to whom its affiliate had sent unsolicited direct marketing e-mails.
Enforced remedial action required within 35 days:
  1. Except in the circumstances referred to in paragraph (3) of Regulation 22 of PECR, neither transmit, nor instigate the transmission of unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient has previously notified VBL that they clearly and specifically consent for the time being to such communications being sent by, or at the instigation of VBL.
Xternal Property Renovations Ltd
28 March 2017
Monetary Penalty
PECR — Regulation 21
The Commissioner has received numerous complaints via the TPS and directly from individuals who are subscribers to specific telephone lines. The individuals allege they have received unsolicited marketing calls on those lines from Xternal Property Renovations Ltd. Each individual states that they have previously notified Xternal Property Renovations Ltd that such calls should not be made on that line and/or have registered their number with the TPS.
Enforced remedial action required within 35 days:
  1. Neither use, nor instigate the use of a public electronic communications service for the purposes of making unsolicited direct marketing calls where the called line is that of:
    1. A subscriber who has previously notified Xternal Property Renovations Ltd that such calls should not be made on that line; and/or
    2. A subscriber who has registered their number with the TPS at least 28 days previously and who has not notified Xternal Property Renovations Ltd that they do not object to such calls being made.
Brioney Woolfe
11 August 2017
A former employee of Colchester Hospital University NHS Foundation Trust, Brioney Woolfe was prosecuted at the Colchester Magistrates’ Court. Woolfe accessed the medical records of several people without a business purpose to do so while employed as a health care assistant by Colchester Hospital University NHS Foundation Trust.
Action:
Woolfe pleaded guilty to two offences under section 55 of the Data Protection Act for accessing the sensitive health records of friends and people she knew and disclosing some of the personal information obtained.
Ms Woolfe was fined £400 for the offence of obtaining personal data and £650 for disclosing it. Ms Woolfe was ordered to pay prosecution costs of £600 and a victim surcharge of £65.
Clair Francis
9 November 2017
Clair Francis, who worked as a Coding Officer for Dudley Group NHS Trust, pleaded guilty to one offence of obtaining personal data and one offence of disclosing personal data. She accessed her neighbour and former friend’s medical records and disclosed information about a baby.
Action:
Ms Francis was fined £125 for each offence and ordered to pay costs of £500 and a victim surcharge of £30.
Joseph Walker
8 June 2017
Following a prosecution by the ICO, Joseph Walker pleaded guilty to section 55 Data Protection Act offences before Liverpool Magistrates’ Court. The offence related to making blagging calls to obtain information about policy holders and the road traffic accidents they had been involved in, from insurance companies. At the time of the offences the defendant had worked at a claims management company, UK Claims Organisation Ltd, based in Liverpool, together with co-defendants Lesley Severs and Kayleigh Billington, who were sentenced last year. It was the prosecution case that data originally obtained unlawfully from a car hire company was used by the employees of the claims management company as leads, to make blagging calls to insurance companies. In the calls the defendants used various guises and tried to obtain further information from the insurers, in order to be able to sell cases on to solicitors as personal injury claims.
Action:
Joseph Walker pleaded guilty to 12 offences under section 55 of the Data Protection Act 1998 and 44 like offences were taken into consideration, for which he was fined £2,000, ordered to pay a victim surcharge of £15 and prosecution costs of £1,600.
Linda Reeves
4 September 2017
A former data co-ordinator employed by The University Hospitals of North Midlands NHS Trust has been prosecuted at North Staffordshire Magistrates’ Court. Linda Reeves accessed the sensitive medical records of colleagues as well as people she knew that lived in her locality, without the consent of the data controller. 
Action:
Ms Reeves pleaded guilty to the offence under section 55 of the Data Protection Act and was fined £700, ordered to pay costs of £364.08 and a £70 Victim Surcharge.
Marian Waddell
13 November 2017
Marian Waddell, a former nursing auxiliary was fined for accessing a patient and her neighbour’s medical records without a valid legal reason. She worked at Royal Gwent Hospital in Newport and unlawfully accessed the records of a patient who was also her neighbour.
Action:
She was fined £232 and was ordered to pay £150 costs and a victim surcharge of £30.
Nicola Wren
16 October 2017
A former administrator employed by Kent and Medway NHS and Social Care Partnership Trust has been prosecuted by the ICO at Medway Magistrates’ Court.
Nicola Wren accessed the sensitive medical records of a patient who was known to her 279 times in a three week period, without any business need to do so, which was without the consent of the data controller.
Action:
Ms Wren pleaded guilty to the offence under section 55 of the Data Protection Act and was fined £300, ordered to pay costs of £364.08 and a £30 Victim Surcharge.
Nilesh Morar
21 September 2017
Nilesh Morar has been prosecuted at Nuneaton Magistrates’ Court for the offence of unlawfully obtaining personal data.  The defendant, who at the time worked at Leicester City Council, emailed personal data relating to 349 individuals, which included sensitive personal data of service users of the Adult Social Care Department, to his personal email address without his employer or the data controller’s consent.
Action:
Mr Morar pleaded guilty to the offence under section 55 of the Data Protection Act and was fined £160, ordered to pay £364.08 prosecution costs and a £20 victim surcharge.
Robert Morrisey
9 November 2017
A former employee of a community based counselling charity has been prosecuted by the ICO at Preston Crown Court. Robert Morrisey sent spreadsheets containing the information of vulnerable clients to his personal email address without any business need to do so, which was without the consent of the data controller.
Eleven emails were sent from his work email account on 22 February 2017, which contained the sensitive personal data of 183 people, three of whom were children. The personal data included full names, dates of birth, telephone numbers and medical information. Further investigation showed that he had sent a similar database to his personal account on 14 June 2016.
Action:
Mr Morrisey pleaded guilty to three offences under section 55 of the Data Protection Act and was sentenced to a two year Conditional Discharge, ordered to pay costs of £1,845.25 and a £15 Victim Surcharge.
Sally Anne Day
16 May 2017
A former administration employee of Crickhowell Group Practice, part of the Powys Health Trust Board was prosecuted at Newport Crown Court for repeatedly accessing the sensitive medical records of two patients without the consent of the data controller.
Action:
Ms Sally Anne Day pleaded guilty to the offence under section 55 of the Data Protection Act and was fined £400, ordered to pay costs of £350 and a victim surcharge of £40.
Stuart Franklin
21 July 2017
Stuart Franklin has been prosecuted at Birmingham Magistrates’ Court for the offence of unlawfully disclosing personal data. The defendant, who at the time worked at a Walsall based domestic services company, emailed the CVs of 26 job applicants to a third party company without his employer or the data controller’s consent.
Action:
Mr Franklin pleaded guilty to the offence under section 55 of the Data Protection Act and was fined £573, ordered to pay £364 prosecution costs and a £57 victim surcharge.
True Telecom Limited
15 March 2017
True Telecom Limited has been prosecuted at Medway Magistrates Court for the offence of processing personal data without having an entry in the register maintained by the Information Commissioner.
Action:
The telecommunications company was found guilty of the offence under section 17 of the Data Protection Act 1998, and was fined £400, ordered to pay costs of £593.75 and a victim surcharge of £40.
Cheshire West and Chester Council
10 August 2017
DPA — 7th Principle
In February 2014, Cheshire West and Chester Council agreed to an ICO audit which was undertaken in October 2014, following which a limited assurance rating was achieved. A follow up was undertaken on behalf of the Commissioner in June 2015, to check progress with the agreed recommendations.
As a result of this audit and follow up, a number of concerns relating to staff training were identified. These concerns were compounded by a series of self-reported incidents which the Commissioner was advised of both during the follow up period to the audit and also thereafter. The majority of these incidents concerned disclosure in error cases, and almost all of the staff involved had not received data protection training. Some of these individuals were also temporary agency workers.
Despite agreed audit recommendations specifically related to training, which included the requirement to train all staff employed and monitor take up of such training, subsequent investigations have identified that these recommendations have not been implemented fully.
Further data breaches reported to the Commissioner subsequent to the audit follow up have involved disclosures which had the potential to cause serious distress for those affected, including: the disclosure of an incorrect mobile phone number to an ex-partner of a data subject; allegations of historic sexual abuse being sent to an incorrect address due to the address and postcode being obtained from a Google Map search; and the data handling procedures introduced following previous breaches not being adhered to in some high risk areas because staff had not been made aware of them. Following investigations into those incidents, it was found that some staff members within these services had not received any data protection training at all.
Whilst the data controller has policies in place which highlight the data protection obligations of its employees, the level of overall organisational compliance with mandatory data protection training has fluctuated significantly over the last two years.
The latest organisational data protection training compliance figure for the year ended 2016/2017 was 61% overall, with much lower than expected attainment figures evidenced in some high risk areas such as Children and Family Services and Adult Social Care and Health.
Following consideration of the remedial action that has been taken by the data controller, it is agreed that in consideration of the Commissioner not exercising his powers to serve an Enforcement Notice under section 40 of the Act, the data controller undertakes as follows:
The data controller shall, as from the date of this Undertaking and for so long as similar standards are required by the Act or other successor legislation, ensure that personal data are processed in accordance with the Seventh Data Protection Principle in Part I of Schedule 1 to the Act, and in particular that:
  1. The data controller shall conduct a risk based training needs analysis for all roles within the organisation to ascertain the level of data protection awareness required for the role, and the frequency at which the individual should receive refresher training to ensure they are reminded of their obligations in order to prevent further security incidents. This analysis should also consider whether the training should be tailored for specific roles and should be completed within six months of the date of the undertaking.
  2. The data controller shall deliver mandatory data protection training in relation to both the requirements of the Act and the data controller’s policies and guidance to all employees whose role involves the handling of personal data, as identified in the training needs analysis and regardless of their contractual status. This process should be completed within six months.
  3. The data controller shall ensure that all new members of staff responsible for the handling of personal data are given appropriate data protection training, commensurate with their role upon induction.
  4. The data controller shall ensure that mandatory refresher data protection training is undertaken at the intervals identified and as set out in the training needs analysis; such training to be refreshed annually as a minimum.
  5. The data controller shall ensure that mandatory data protection and refresher training is monitored and enforced.
Cornwall Council
3 February 2017 (follow-up to Undertaking issued 16 September 2016)
DPA – 7th Principle
On 30 January 2017 the Information Commissioner’s Office (ICO) conducted a follow-up assessment of the actions taken by Cornwall Council in relation to the undertaking it signed on 16 September 2016. The objective of the follow-up is to provide the ICO with a level of assurance that the agreed undertaking requirements have been appropriately implemented.
Cornwall Council agreed to the undertaking following the Commissioner’s investigation of eight data breaches that occurred over a 2 year period, some of which involved disclosures made in error, which revealed that some staff members had not received data protection training. The Commissioner’s investigation also found that the general uptake of data protection training across Cornwall Council was unsatisfactory (DPA – 7th Principle).
The review demonstrated that Cornwall Council has taken appropriate steps to address the three requirements of the undertaking:
  1. All current staff members responsible for the handling of personal data should receive appropriate, specific data protection training. This process should be completed within three months.
    • In November 2016 Cornwall Council confirmed within their Uptake of Mandatory Information Governance Training Report that over 83% of Cornwall Council employees had completed their Information Governance training within a two year period. 83% of employees accounted for all of Cornwall Council staff, excluding those who were long term absentees.
  2. Such training should be refreshed at regular intervals, not exceeding two years and its provision monitored and recorded.
    • The ‘Uptake of Mandatory Information Governance Training Report’ states that Cornwall Council monitor compliance with the requirement to complete the Information Governance training at least every two years. Compliance reports are reviewed at the Information Governance steer group and the Corporate Directors’ Team on a monthly basis to identify any employees who are due to complete their training so that follow up action can be taken to ensure compliance with the training requirement.
  3. New staff members responsible for the handling of personal data are given appropriate, specific data protection training upon induction.
    • Cornwall Council provided copies of their corporate induction checklists, New Employee Checklist and Induction Checklist for Managers Who Manage New Staff - Managers’ Induction Checklist for New Staff. The checklists state that it is a mandatory requirement that new employees complete their Information Governance training within their first week of employment.
Dyfed Powys Police
27 September 2017
DPA – 7th Principle
The Information Commissioner (the ‘Commissioner’) was informed of several data protection incidents by Dyfed Powys Police over an 18 month period. The number of incidents reported is of concern, especially as they are repeated in nature.
In August 2016, Dyfed Powys Police’s Mental Health Team passed sensitive personal data to an individual’s General Practitioner (GP). The information was sent by open fax message to the GP’s surgery, and whilst it arrived at its intended destination, appropriate consent was not obtained from the data subject. At the time of the incident the officer had not completed any data protection training.
The Commissioner’s enquiries into this incident revealed that as at 17 March 2017, 1,204 officers out of a total of 2,258 had not completed any data protection training and there was no current programme of refresher training in place.
In January 2017, an officer passed personal data relating to a Councillor and a neighbour by email to the clerk of a local council. There was no information sharing agreement in place between the data controller and the council; authorisation from a senior colleague was not sought prior to sending the email; and the officer had received no data protection training.
A third incident investigated by the Commissioner occurred prior to November 2015 but was not brought to the attention of the data controller, and subsequently the Commissioner, until March 2017. The incident involved a photograph taken using a mobile telephone. The photograph showed an officer’s working environment, including a computer screen on which data was displayed. The picture was forwarded to a family member. By sending the photograph the officer breached the data controller’s Information Security Policy and the College of Policing Code of Ethics. The officer had received no data protection training.
The Commissioner’s investigation into these incidents has determined repeated failures with regard to the training of staff.
The data controller shall, as from the date of this Undertaking and for so long as similar standards are required by the Act or other successor legislation, ensure that personal data are processed in accordance with the Seventh Data Protection Principle in Part I of Schedule 1 to the Act, and in particular that:
  1. A force-wide programme of data protection training adequate to equip officers with the necessary knowledge to comply both with the Act and with the data controller’s policies concerning the processing of personal data be implemented without further delay.
  2. A force-wide programme of refresher training be introduced to ensure ongoing compliance with the Act.
  3. A programme of recording and monitoring of training undertaken be implemented with prompt remedial action to address non-compliance being taken where necessary.
  4. The data controller shall implement such other security measures as are appropriate to ensure that personal data is protected against unauthorised and unlawful processing, accidental loss, destruction, and/or damage.
  5. The data controller shall confirm its plans in writing to the Commissioner to demonstrate its commitment to these steps within one month of the date of agreement to this undertaking.
Kent Police
10 August 2017 (follow-up to Undertaking issued 9 August 2016)
DPA – 1st Principle
On 21 June the Information Commissioner’s Office (ICO) conducted a follow-up assessment of the actions taken by Kent Police in relation to the undertaking it signed on 8 August 2016. The objective of the follow-up is to provide the ICO with a level of assurance that the agreed undertaking requirements have been appropriately implemented.
Kent Police agreed to an undertaking following the Commissioner’s investigation of an incident that involved downloading the entire contents of an individual’s mobile phone, which contained a recording supporting the individual’s abuse allegations, without informing the individual that this processing would take place. There was also no fair processing notice or other written authorisation form to explain to the data subject what she would be consenting to by providing her phone to the data controller (DPA – 1st Principle).
Findings of the ICO in relation to undertakings signed:
  1. Develop written procedures and supporting documentation for the extraction of data from mobile devices which emphasise that explicit, informed consent should be sought from victims and witnesses of crime in the first instance by 31 October 2016.
    • Written procedures have been documented for the extraction of data from mobile devices and they have been communicated to the teams and staff undertaking the work. The intranet was updated 16 October 2016 and further updates were made on 26 April 2017 with links to the process and fair processing form.
  2. Create a fair processing notice for victims and witnesses of crime to read and sign, which clearly explains which personal data will be extracted from their mobile device and how this will be processed, by 31 October 2016.
    • A fair processing form has been documented to include digital disclosures, version controlled and added to the documents repository. There are also links to the document via the intranet (InSite), briefing packs and local team communications. The use of the form, awareness and testing is frequently monitored in the form of on-site tests and audits.
  3. Where technically possible, limit the extraction of data from the mobile devices from victims and witnesses of crime to relevant data sets and delete any irrelevant information once identified as such by the Disclosure Officer. The data controller shall ensure that these processes are contained within the relevant written procedures by 31 October 2016.
    • Kent Police has made significant investment in resources to create dedicated digital hubs; one within each policing division. These environments will be secure with restricted and authorised access, staffed by fully trained operatives working to published policies and procedures which support compliance with all aspects of information and data management. The first phase of recruitment and training will be completed by the end of July 2017 and, following a month of mentored operational activity, it is planned the organisation will be in a position to locally deploy staff to the three hub locations from 4th September 2017.
    • Three hubs have been established, two are in the process of being made operational and the third will be operational by November 2017.
    • A full review of staff able to complete digital downloads was conducted and resulted in a significant drop in numbers who are now able to undertake this activity. This is supported by regular audits and quality control checks.
  4. Remain up to date with developments and guidance around the extraction of data from mobile devices and promptly take action to address any recommendations relating to compliance with the Act arising from this.
    • As part of the monthly Force Security and Integrity Committee (FSIC) forum the forensics team will have visibility of updates to legislation and are included in the readiness for GDPR.
    • Work is ongoing to continually review and update policies, embed the guidance and continuously improve data protection standards with a structured audit program.
  5. Implement such other security measures as are appropriate to ensure that personal data is protected against unauthorised and unlawful processing, accidental loss, destruction, and/or damage.
    • The central forensic team have plans to safeguard data beyond the plans for forensic hubs, and a collaborative approach facilitated by the Operational and Information Security (OIS) Head includes a broad audit program and regular forums to strengthen adherence to the Act.
London Borough of Ealing
2 May 2017 (follow-up to Undertaking issued 15 November 2016)
DPA – 7th Principle
On 19 April 2017 the Information Commissioner’s Office (ICO) conducted a follow-up assessment of the actions taken by the London Borough of Ealing (LBE) in relation to the undertaking it signed on 10 October 2016. The objective of the follow-up is to provide the ICO with a level of assurance that the agreed undertaking requirements have been appropriately implemented.
LBE agreed to the undertaking following the Commissioner’s investigation of an incident involving a social worker, who lost a court bundle containing sensitive personal data relating to 27 data subjects including 14 children, when she put them on top of her car and then drove off. The documents were not recovered (DPA – 7th Principle).
The ICO acknowledge that although the London Borough of Ealing has taken initial steps to address the requirements of the undertaking, significant work is still required before they are fully satisfied. In particular appropriate steps have not been taken to address the following requirements:
  1. The council continue to work toward achieving their stated target for 100% completion of mandatory online data protection refresher training for all permanent, locum and temporary Social Care staff who handle personal data by 3 April 2017. That the same monitoring and recording processes for the completion of this training are applied to locum, temporary and permanent social care staff.
    • LBE confirmed that 74% of social care staff (including permanent, temporary and locum) had completed the eLearning data protection module and 25% staff (without online access) had completed the PDF version between January 2016 and January 2017. Training was either part of induction for new starters or as a refresher course for existing staff. The remaining 1% were on long term absence. LBE reports that it is in the process of putting measures in place to ensure that any new starters since January 2017 complete the data protection module. There are currently no plans to ensure that the refresher training is completed annually.
    • It was difficult to obtain the training completion figures from LBE who confirmed they are derived manually by cross referencing names from the e-learning system and manual records of staff completing the PDF version of the course, with payroll lists of temporary and permanent staff. It is not clear how the ongoing control and monitoring of training will be achieved when managers do not have recurrent reports of training completion rates.
    • The council should implement management, monitoring and recording processes to verify that they have achieved and are maintaining their stated target for 100% completion of annual mandatory data protection refresher training for Social Care, locums, and temporary staff.
  2. The recording and monitoring of initial and refresher data protection training for non-permanent staff employed in all other departments of the council involved in the handling of personal data is performed as (1) above.
    • LBE have not established regular reporting and governance procedures to ensure data protection training compliance rates are maintained on an ongoing basis. Additionally it is unclear how training delivered via the PDF version of the module will be monitored. It is concerning that LBE advised that they may not monitor refresher training prior to the launch of updated training that will be required for GDPR.
    • The council should implement monitoring and recording processes to assure that they continue to achieve their stated objective of 100% completion of annual data protection refresher training for all staff who are involved in the handling of personal data.
  3. The council ensures the use of MetaCompliance is a sufficiently robust mechanism for delivering and measuring refresher Data Protection related training to meet the council's stated objective of an annual requirement.
    • The MetaCompliance review document states “using the Policy Management software we are able to create and control business and IT policies, implement enforced compliance of key messages and monitor acceptance” and that “Metacompliance is a robust mechanism for delivering and measuring refresher DP related training”. It was reported however that the tool is used to manage policy dissemination and it is not used for delivering and measuring the annual requirement to refresh the Data Protection e-learning training module.
    • The council should therefore ensure that either MetaCompliance or another tool is a sufficiently robust mechanism for delivering and measuring refresher data protection related training to meet the council’s stated objective of an annual refresher requirement.
If any further incidents involving the LBE are reported to the ICO, the undertaking and its fulfilment will be taken into consideration as part of its investigation process. Dependent upon the outcome, enforcement action could be considered by the ICO as a result.
NHS Digital (formerly known as HSCIC)
6 January 2017 (follow up to Undertaking issued 19 April 2016)
DPA – 1st Principle
On 16 December 2016 the Information Commissioner’s Office (ICO) conducted a follow-up assessment of the actions taken by NHS Digital (formerly known as HSCIC) in relation to the undertaking it signed on 19 April 2016. The objective of the follow-up is to provide the ICO with a level of assurance that the agreed undertaking requirements have been appropriately implemented.
NHS Digital agreed to the undertaking following the Commissioner’s investigation of the way NHS Digital shared patient data for purposes other than direct care. Specifically, that NHS Digital was not able to collect, record or implement Type 2 objections registered by patients with their GPs, for legal and technical reasons, which resulted in Type 2 objections not being implemented for approximately 700,000 patients. Further, the HSCIC had not taken steps to inform affected patients other than a statement placed on its website (DPA – 1st Principle).
The review demonstrated that NHS Digital has taken appropriate steps and put plans in place to address the requirements of the undertaking and to mitigate the risks highlighted. NHS Digital confirmed that it has taken the following steps:
  1. HSCIC should establish and operate a system to process and uphold Type 2 objections, in accordance with the Direction from the Secretary of State.
    • NHS Digital has established and currently operates a system to process and uphold Type 2 objections. This was done by directing GPs to supply the necessary data via the General Practice Extraction Service or HSCIC Secure Electronic File Transfer system. Internal technological systems have been developed to receive, record and manage these patient objections around a central Patient Objections System. Organisational processes have been developed for NHS Digital staff to be aware of, and correctly use, the Central Patient Objections System where their work makes this necessary. Auditable information is recorded for these processes and the policies are due for regular review. Specific roles (such as Information Asset Owners) have been identified as responsible for aspects of the system and such individuals have received appropriate guidance. A steering group and system user group have been established as part of ongoing monitoring to ensure continued compliance.
  2. HSCIC should ensure measures are put in place so that any patients who have previously registered a Type 2 objection, or patients who register a Type 2 objection in future, are provided with clear fair processing information that enables them to understand how the Type 2 objection will be applied and how their data will be used.
    • NHS Digital has updated the fair processing information on its website to describe and explain Type 1 and Type 2 objections to patients. The NHS Choices website has also been updated to include clear information on objections and contains referral links to more information on the NHS Digital website relating to objections. Additionally, awareness about objections was relayed via the external relations manager to selected external organisations who regularly offer advice to patients who contacted them.
  3. HSCIC should contact recipients of data sets it provided in the period January 2014 – April 2016 (where Type 2 objections can be processed and upheld in accordance with the Direction) and make them aware that the data sets may include records relating to patients who have chosen to opt out. HSCIC should do this within three months of the undertaking.
    • Using its Data Access Release team and Data Release Register NHS Digital was able to identify the recipients of data sets provided between January 2014 and April 2016 that were likely to contain records of patients who had registered a Type 2 objection and not covered by an exemption. A letter was sent on 19 July 2016 (the day after the three months described in the undertaking expired), informing the recipient that the data set may include records as described above. Further contact was made if a recipient did not confirm receipt of the original correspondence. This was done by letter or telephone as appropriate. As of 19 October 2016 it was reported that all recipients had been successfully contacted.
  4. HSCIC should contact recipients of data sets it provided in the period January 2014 – April 2016 (which included patient data where Type 2 objections can be processed and upheld in accordance with the Direction) and where the agreement allowed the recipient to onwardly disseminate the data, to make them aware that this data should no longer be disseminated further. HSCIC should do this within three months of the undertaking.
    • It was identified that four data sharing agreements included provision to onwardly disseminate data. The circumstances of each were examined in detail and it was found that for each, for different reasons, no action was required in relation to the undertaking requirement.
  5. HSCIC should contact recipients of data sets it provided in the period January 2014 – April 2016 (which included patient data where Type 2 objections can be processed and upheld in accordance with the Direction) to inform them that, where possible, the data sets should be destroyed or deleted and replaced with a new data set, which reflects patient opt outs, provided by HSCIC in its place. Whether it is possible to destroy or delete the data will depend on whether or not it has already been processed and used, such as in a research study or as part of business intelligence information made available to a Trust. HSCIC will collect and retain a certificate of destruction where it is possible for data to be destroyed or deleted.
    • As part of contacting the recipients of the relevant data sets as previously mentioned, NHS Digital advised that where possible the data sets should be destroyed / deleted. A log of destruction certificates has been kept where they have been provided to NHS Digital and requests for replacement data sets are being processed if appropriate.
  6. HSCIC should revisit the matter of objections following the completion of the National Data Guardian review and consider whether its systems and processes can be modified to allow the Type 2 objection to be applied in circumstances where this is not currently possible.
    • NHS Digital has stated that they have examined the National Data Guardian’s (NDG) review of data security, consent and opt-outs published 6 July 2016. NHS Digital reports that for the systems identified where it is currently accepted as not possible to apply the Type 2 objections the review does not change this situation. The NDG review does not recommend any changes to existing arrangements pending a full consultation on the proposed new consent/opt-out model. NHS Digital has undertaken that the systems identified will be examined again following the publication of the response by the Secretary of State to the NDG review, as there may be proposals made regarding legislative changes that impact the situation.
Although NHS Digital took appropriate steps and put plans in place to address some of the requirements of the undertaking, the Commissioner found that further work needed to be completed by 18 April 2017 to fully address the agreed actions. In particular:
  7. HSCIC should ensure measures are put in place so that any patients affected by this incident can be made aware that it is possible that their personal data has been shared with third parties against their wishes. This process should be completed within six months.
    • NHS Digital has, as well as relying on the press coverage regarding the incident to raise awareness, published relevant information to the NHS Choices website on the right to opt-out of identifying information of patients being shared beyond their GP practice or NHS Digital. It has produced standard wording that was sent to all GP practices asking for the information be made available to patients. It also provided the same to both Healthwatch England and the Patients Association and requested they disseminate it throughout their organisations to aid in informing patients.
    • However, the requirement to make patients affected by the incident aware that their personal information has been shared with third parties against their wishes has not been fulfilled. The wording used on the NHS Choices website is “The HSCIC has started to uphold type 2 objections from 29 April 2016”. It does not make clear that there was sharing carried out prior to the date where objections made were not being honoured. There is an assumption that while mentioning that sharing occurs, and the objections will be honoured from 29 April 2016, the reader will know that prior to this date, even though they had objected, that objection was not honoured and sharing took place. It must be considered if it is a reasonable assumption that the average individual would know that the delay caused inappropriate sharing. While correspondence to GPs and third party organisations is more detailed, there is no evidence that any did pass on the information to patients, or that GPs made it available to returning patients who attended their surgeries.
    NHS Digital should take further action:
    • To make it clear by amending published material that type 2 objections received prior to 29 April 2016 were not honoured prior to this date, and so information was shared incorrectly from January 2014.
    • To assess the effectiveness of the program of distributing material to GPs and other organisations to raise patient awareness of the failure to honour received objections.
Northern Health & Social Care Trust
3 April 2017 (follow-up to Undertaking issued 19 July 2016)
DPA – 7th Principle
In March 2017 the Information Commissioner’s Office (ICO) conducted a follow-up assessment of the actions taken by Northern HSC Trust in relation to the undertaking it signed in July 2016. The objective of the follow-up is to provide the ICO with a level of assurance that the agreed undertaking requirements have been appropriately implemented.
Northern HSC Trust agreed to the undertaking following the Commissioner’s investigation of an incident involving 11 emails, which were intended for a doctor’s personal non-trust account, being sent to a member of the public with the same name over a two year period (DPA – 7th Principle).
The ICO noted that Northern HSC Trust has taken some steps to meet the requirements of the undertaking; however there are still some areas of concern which need addressing to mitigate the highlighted risks. In particular:
  1. The data controller must ensure that all staff, including locum doctors, 3rd Party contractors, temporary (agency/bank) staff and volunteers, whose role involves the routine processing of personal and sensitive personal data, undertake mandatory data protection and data handling induction training and regular refresher training on the requirements of the Act.
    • All staff at the Trust are now required to do Information Governance (IG) awareness training during their induction. This training will then be refreshed every three years. The most recent compliance report that has been provided states that 84% of staff have completed the IG Training and 84% of managers have completed the POPI training in December 2016. Although this is an improvement, the Trust still needs to ensure that all staff are completing the IG training within the given time. It has been reported that the IG Training booklet and package for locum doctors and agency staff is still under review. Because this has yet to be implemented, there is still a risk that IG incidents will occur due to the lack of training. However, the Trust has provided evidence showing that the contractual terms with external domiciliary care providers have been revised. This will reassure the Trust that the relevant IG training will be given to these contractual staff.
  2. Provision of such training shall be recorded and monitored with oversight provided at a senior level against agreed Key Performance Indicators (KPI) to ensure completion. In addition, the data controller shall implement follow-up procedures to ensure that staff who have not attended/completed training do so as soon as is practicable.
    • IG Training KPI and monitoring reports are being produced. These reports should be produced every quarter; evidence of the September report was received but nothing from this year. It has been reported that these reports are provided to all the directorates, the Trust Board and the Corporate Governance Steering Group. However, no evidence has been provided to show that this information is being reported to the Trust’s Board. The said reports are also used by management to monitor staff members that have not completed the training in the given timeframe. Again, there is no evidence showing this. There are also no processes in place to show what the consequences are if staff members repeatedly fail to complete the IG training.
  3. The data controller shall ensure that staff, including Locum doctors, 3rd party contractors, temporary (agency/bank) staff and volunteers are aware of the content and location of its policies and procedures relating to the processing of personal data, specifically the procedure for reporting and recording IG breaches. If not already in place, a mechanism to ensure that staff are updated of any changes to these policies and procedures should also be implemented.
    • Policies are kept on the Trust’s staffnet website. During the staff departmental induction they are informed of where the policies are and which ones are specifically relevant to them. If there are any changes to policies or there are new policies implemented, staff are made aware of this via email and the staff newsletter. Managers will also mention any updates in team meetings, to inform staff who have not got access to email. However, no evidence of this was provided.
    • The Trust fully implemented Datix web in November 2016. Evidence has been provided showing that training and information has been given to all staff about this system and incident reporting in general. However, the Incident Management policy has yet to be updated with the new process for reporting incidents. The updating of this policy should be completed as soon as possible to ensure staff have guidance on what to do if an IG incident occurs.
  4. The data controller shall implement such other security measures as are appropriate to ensure that personal data is protected against unauthorised and unlawful processing, accidental loss, destruction, and/or damage.
    • The Trust created an IG improvement plan after the undertaking was issued. This plan has identified key risks that the Trust needs to look into, one of which was risk management. It was reported that an element of this risk has been addressed by ensuring risk assessments are completed and reviewed for all of the Trust's information assets. However, the Trust has not provided evidence to confirm this new procedure. The Trust has also stated that it is now ISO27001 compliant, which should help with the implementation of measures to ensure the security of the personal data it processes. However, no ISO27001 certificate or other evidence has been provided showing this. There are also regular reviews of IG incidents at the Trust's IG Forum. If any trends emerge from incidents, lessons learnt can be discussed in this arena.
Pennine Care NHS Foundation Trust
21 February 2017
DPA – 7th Principle
The Information Commissioner (the “Commissioner”) was informed of several similar data protection incidents by Pennine Care NHS Foundation Trust (“the Trust”) over a twelve-month period. The number of incidents reported is of concern, especially as they are repetitive in nature. The Commissioner also identified delays in reporting, with limited information provided even where there had been ample time to conduct an internal investigation.
One of the incidents occurred in April 2015 and involved a CAMHS patient letter for a GP follow-up being sent to a neighbour containing sensitive diagnosis information. On this occasion the envelope was not marked ‘private and confidential’ or ‘addressee only’. This incident was seen to be representative of subsequent data breaches reported to the Commissioner, where personal information was posted to the wrong person in error.
Information Governance concerns have been raised within the CAMHS service in general, particularly related to an inconsistency with checking patient addresses on internal systems or on correspondence before being sent. There were also identified concerns around addressees on patient records not being kept up to date. During the Commissioner’s investigation into similar security incidents, it was also found that administrative tasks were being undertaken by clinicians who were not clear about the correct administration procedures to protect personal data.
A further data security incident, occurring in July 2016, involved a letter being sent to an outdated address containing confidential mental health information and its impact on the committal of an offence. Whilst the confidential letter had been returned to the service, it had been opened by an unintended recipient and could have been accessed further, given that it was returned by a third party.
The investigation found that staff failed to check the Electronic Patient Record for the correct address. Whilst this can be seen to be attributable to human error, there were concerns around the level of training undertaken by staff: Information Governance training was only completed after the incident, reliance having previously been placed solely upon previous experience and college-based training.
The data controller shall, as from the date of this Undertaking and for so long as similar standards are required by the Act or other successor legislation, ensure that personal data are processed in accordance with the Seventh Data Protection Principle in Part I of Schedule 1 to the Act, and in particular that:
  1. Procedures are put in place to ensure any reported breach of security relating to personal data is acted upon promptly and any containment and remedial measures are swiftly enforced. The Incident Reporting Policy should include provisions to train staff around reporting to timescales and to provide the most pertinent information to assist an investigation, internal categorisation and prompt remedial measures.
  2. The data controller shall ensure all processes within the CAMHS service are standardised across all teams and staff duties between administration staff and clinicians are clearly defined.
  3. To review and clarify relevant checking procedures when sending patient correspondence. This is to include procedures around patient record keeping to ensure they are kept up to date. Any related guidance should be disseminated to all staff.
  4. The completion of mandatory induction data protection training, in relation to both the requirements of the Act and the data controller’s policies concerning the use of personal data, is appropriately enforced. Completion of such training, including that of regular refresher training, shall be recorded and monitored to ensure compliance.
Royal Bank of Scotland
18 May 2017 (follow up to Undertaking issued 4 November 2016)
DPA – 7th Principle
On 15 May 2017 the Information Commissioner’s Office (‘ICO’) conducted a follow-up assessment of the actions taken by Royal Bank of Scotland (‘RBS’) in relation to the undertaking it signed on 4 November 2016. The objective of the follow-up is to provide the ICO with a level of assurance that the agreed undertaking requirements have been appropriately implemented.
RBS agreed to the undertaking following the Commissioner’s investigation of an incident that took place in October 2014, whereby dozens of faxes containing personal data were sent to an incorrect fax number belonging to a third-party organisation, despite RBS having been informed that faxes were regularly being sent to the incorrect number over a period spanning more than 14 months (DPA – 7th Principle).
The review demonstrated that RBS has taken appropriate steps and put plans in place to address some of the requirements of the undertaking. However, further work needs to be completed by RBS to fully address the agreed actions.
RBS confirmed that it has taken the following steps:
  1. Procedures are put in place to ensure any reported breach of security relating to personal data is acted upon promptly and any containment and remedial measures are swiftly enforced;
    • The process for breach reporting within the retail bank has been reviewed and amended to make it easier for staff to report a data protection breach, including instances where communications have been sent to a recipient in error. An amended e-reporting form to log any data protection (‘DP’) breach was introduced in December 2016.
    • RBS has provided evidence of the guidance it has issued on MyKnowledge, an online tool that is front-line and branch staff’s first port of call for guidance on processes. This has made it easy for staff to report a data protection breach. The guidance includes how to recognise a breach and contains a step-by-step guide including timescales, which stipulates that all breaches are required to be reported within 24 hours and, where a breach meets the criteria for notification to the regulator, notification is to be submitted to the regulator within 72 hours.
  2. Fax procedures are implemented consistently across all branches and regularly monitored to ensure consistent standards. Compliance with any associated fax policy and guidance should be monitored on an ongoing basis and appropriate steps taken to ensure any failings are rectified with minimal delay by no later than 24 February 2017;
    • For those activities where there is currently no alternative to using faxes, RBS has provided evidence of the new fax procedure implemented in January 2017. The fax process includes the requirement to use pre-programmed numbers and any number added to the list must be double checked by a colleague.
    • RBS has provided information on how the new process acts to enforce any remedial measures resulting from a fax data breach. As part of the new fax process, branch managers carry out a weekly check for any faxes sent in error to the wrong recipient and log them as a DP breach. The DP breach logs are continuously monitored by the business via ‘Privacy Champs’, who sit throughout RBS’ retail businesses. They check that appropriate corrective action is taken when DP breaches arise in their area and escalate any issues as required. The Privacy team further assesses all submissions on a monthly basis to spot trends and root causes, allowing for the identification of additional training and awareness needs. Monthly meetings are held with representatives across the retail bank. RBS states that attendees have been tasked with ensuring that privacy matters are understood by their business areas, with any areas of concern discussed and escalated to the Privacy team for guidance. However, we have not been provided with any evidence to support this.
    • Evidence has been provided to show how RBS’ Assurance teams have checked that the new fax process communication has been understood and is being implemented by the retail business, in the form of an Assurance thematic review conducted on 16 January 2017, three weeks after the implementation of the new fax process. This activity was completed by Control Quality Managers (‘CQM’) with the support of the Business Embedding & Execution Managers across NatWest, Royal Bank of Scotland & Ulster Bank. The teams visited 187 branches and spoke to 460 staff members.
    • RBS has also provided a copy of the Faxed Themed Review Outcome dated February 2017. The results show that 88% of staff were aware of the new fax process, 96% of staff were able to locate the policy and 78% of staff were aware of the process to follow if they were informed by a customer or a third party of a data protection breach. A check of the pre-programmed numbers showed 67% were inputted correctly and 32% incorrectly. Of the numbers not pre-programmed, only 39% followed exceptions. According to RBS, the themed review failings in these areas have been addressed either by the CQM during their visit or through local action plans; however, no evidence has been provided to support this.
  3. To ensure any alternative revised processes are fully tested for security and reliability and any related guidance is disseminated to all staff.
    • At the time of the review, this action had not been completed. However, whilst no evidence has been provided to support the progress of this action, RBS appears to be considering more secure methods for transferring personal data.
    • Work is presently under way to explore technical solutions which will allow switching from fax processes to electronic processes to allow for increased paperless processing within their branch network and telephony business. For example, the implementation of an email scanning solution is being pursued as the long-term alternative to using faxes.
    • A phased roll-out is underway and is planned to complete in the first half of 2018. This project is a priority project for the retail bank. Before introduction of any new technical solution it will be fully tested in line with the Bank’s standard processes and procedures and adequate controls put in place to protect customer data.
    • RBS should ensure that, as soon as practical, all staff handling personal data are provided with relevant guidance in relation to any newly implemented technical solution and trained in those new procedures, in order to safeguard customers’ personal data.
  4. The data controller shall implement such other security measures as it deems appropriate to ensure that personal data is protected against unauthorised and unlawful processing, accidental loss, destruction, and/or damage.
    • RBS carries out ongoing security awareness and education activities. Through these activities, RBS promotes and maintains a “security aware” culture across the Bank that educates employees, contractors, third-party users, and business partners on how to protect bank information throughout its lifecycle. Employees are required to complete mandatory manual computer based training, guiding and reminding them of best practice.
    • The need for security and confidentiality is addressed through Bank policy (such as the Bank’s Security Policy and Privacy & Client Confidentiality Policy), including reminders to staff that data breaches must be promptly and fully reported internally once identified. A snapshot of the Security Policy dated 15 December 2016 has been provided; however, this is not evidence of the above.
    • In addition, RBS’ Security Policy requires the principles of least privilege and least access to be applied, to ensure that access is not authorised or available if there is no justified business requirement. Customers and Bank employees are identified and authorised before systems access is granted, and access is regularly validated to ensure it remains appropriate.
However, RBS should take further action to fully address the agreed steps:
  • RBS has provided evidence of the content of a new online training session for staff that highlights the revised breach reporting process and the importance of logging DP breaches. Managers can access this material and deliver it to staff as and when a need for particular staff training is identified. However, no evidence has been provided to show how many staff have received this training. RBS should implement monitoring and recording processes to assure that all staff who handle personal data receive this training and that it is included in any mandatory refresher training.
  • RBS has confirmed that staff are tested on their understanding of, and compliance with, the fax process on an ongoing basis. However, no evidence has been provided to confirm what percentage of staff have been tested, or whether any signed declarations are required from staff confirming their understanding of the new policy. RBS should therefore consider asking staff to sign a declaration confirming their understanding of the new fax process and breach reporting procedure, to ensure all staff are familiar with the new processes.
  • RBS has confirmed that a further Assurance review into the new fax process will take place once adequate time has passed for recommended updates to be implemented; however, no evidence has been provided as to when this review will take place or how often monitoring of compliance will be undertaken. Whilst we note that progress has been made in this area, we would strongly advise that the follow-up review is conducted as soon as possible to ensure the identified failings are addressed promptly.
Royal Free London NHS Foundation Trust
3 July 2017
DPA – 1st, 3rd, 6th, & 7th Principles
In response to media reports publicised in May 2016, the Information Commissioner (the 'Commissioner') was alerted to an arrangement between the Trust and DeepMind Technologies Limited (‘DeepMind’), a UK company and data processor, under which DeepMind was engaged to develop and deploy a new clinical detection, diagnosis and prevention application for the Trust. The Commissioner launched an investigation which primarily focused on the data processing undertaken during the clinical testing phase of the application.
The investigation determined that on 30 September 2015, the Trust entered into an agreement with Google UK Limited (an affiliate of DeepMind) to develop and deploy a new clinical detection, diagnosis and prevention application and the associated technology platform for the Trust. In order to undertake clinical safety testing of this application and technology platform DeepMind, for this purpose and under the terms of the aforementioned agreement, processed approximately 1.6 million partial patient records containing sensitive identifiable personal information held by the Trust.
The identifiable information in question included information on persons who had presented for treatment at the Trust in the previous five years for pathology tests, together with data from the Trust’s existing radiology and electronic patient record system. The purpose of requiring DeepMind to process such information was to enable the clinical safety testing and deployment in live operation of a new application and associated technology platform that would provide the Trust with a mobile electronic patient record and an alert, diagnosis and detection system for acute kidney injury. The clinical safety testing of that platform was undertaken by the Trust, using the application and technology hosted and maintained by DeepMind.
The Trust explained to the Commissioner that clinical safety testing at the relevant time was required by standards issued under the Health and Social Care Act 2012 and needed to be undertaken before new technology was deployed. The Commissioner has concluded however that these points need further exploration before a final view can be reached on them and expects to find them considered more fully in the Privacy Impact Assessment that the Trust is required to complete.
The platform went on to be formalised into a mobile device application, known as 'Streams'. From February 2017, the Streams application moved to live deployment and it is now in active use by the Trust’s clinicians. The Streams application is registered with the Medicines and Healthcare products Regulatory Agency as a Class I non-measuring device and is CE marked (a declaration of conformity with the EU’s Medical Devices Directive).
The agreement of 30 September 2015 set out the relationship between the Trust and Google UK Limited as one of a data controller to data processor, with the Trust retaining its data controller responsibilities throughout.
The Trust confirmed to the Commissioner that DeepMind was only provided access to patient records as a data processor. The Trust has also confirmed that DeepMind has never used that information for any purpose other than to conduct clinical safety tests and for the live operation of the application and associated technology platform set out above.
Data streaming between the Trust and DeepMind commenced on 18 November 2015. At that stage, the data was processed for clinical safety testing purposes only, and the Streams application was not in live deployment. This is an important point to note in the context of the conditions for processing that the Trust sought to rely upon at that stage.
All development and functional testing of the application and the related technology platform was undertaken by DeepMind using synthetic, non-personally identifiable, data. Pseudonymisation of the patient identifiable data was not undertaken for clinical safety testing. This is because the Trust was (and remains) of the view that it needed access to patient records in the application and technology platform in order to undertake clinical safety testing. The Trust is of the view that it is not possible to demonstrate clinical safety of a new technology of this type without access to information about real patients. The Trust was therefore of the view that the data was being held and made available for the purpose of direct patient care.
The Commissioner has concluded that there were a number of shortcomings in the way in which patient records were made available to DeepMind in support of the clinical safety testing of the Streams application by the Trust. These shortcomings amounted, in the Commissioner’s view, to non-compliance with the First, Third, Sixth and Seventh Data Protection Principles. These Principles are set out in Part I of Schedule 1 to the Act. The Commissioner considers that the data controller is also processing 'sensitive' personal data as defined by section 2(e) of the Act.
Principle One
The Commissioner's investigation determined that DeepMind processed approximately 1.6 million partial patient records to enable the clinical safety testing of the Streams application by the Trust. It is the Commissioner's view that patients were not adequately informed that their records would be processed for the purpose of clinical safety testing.
The Commissioner concluded that the data controller did not provide an appropriate level of transparency to patients about the use of their personal data during the clinical safety testing phase and that this processing was not something that the patients might reasonably expect. Specifically the Commissioner concluded that the fair processing information available to the patients was insufficient. Patients were not provided with sufficient notice that their records would be processed in support of the clinical safety testing of the Streams application. The Commissioner noted the recent improvements that have been made by the data controller to improve transparency and that a revised notice regarding live clinical use is now available.
The Commissioner was not satisfied that the Trust has, to date, properly evidenced a condition for processing that would otherwise remove the need for the Trust to obtain the informed consent of the patients involved for the processing of personal data for the clinical safety testing of the application prior to live deployment. As a result, during the Commissioner's investigation and to the Commissioner's satisfaction, the data controller has not been able to evidence a valid condition for processing personal data under Schedule 2 to the Act during the clinical safety testing phase of the application or to evidence a valid condition for processing sensitive personal data under Schedule 3 to the Act during the clinical safety testing phase of the application. The Commissioner therefore required the Trust to provide evidence that any future testing arrangements with DeepMind will comply with a processing condition in Schedule 2 and 3 to the Act.
The Commissioner worked closely with the Office of the National Data Guardian (the 'NDG') on the issue of whether the processing of the patient records during the clinical safety testing phase was in breach of the common law duty of confidentiality. The Trust maintains that the clinical safety testing of the application amounted to direct care so that it had the implied consent of its patients for confidentiality purposes, in accordance with the NDG’s guidance. The Commissioner has considered the advice given by the NDG on this issue earlier this year and in light of the Commissioner’s review and the NDG's view on the matter, the Commissioner considers it is likely that the processing of the records during the clinical safety testing phase was in breach of confidence and therefore not compliant with the First Data Protection Principle under the Act. The Commissioner has therefore required the Trust to provide evidence that any future development or testing arrangements with DeepMind are not in breach of its duty of confidence, as it relates to the First Data Protection Principle.
The Commissioner also notes that the Trust has adopted a revised notice and opt out approach, in line with the recent guidance of the NDG in order to enable compliance with patient confidentiality. Patients should also note that the Commissioner has not, in investigations to date, found grounds for concern regarding the data processing in the live use of the Streams application.
Principle Three
The Commissioner considered the Trust's representations as to why it was necessary for so many records (1.6 million) to be used to support the clinical safety testing of the application. The Commissioner was not persuaded that proper consideration was given to the necessity of processing so many patients' records. As such the Commissioner is of the view that the Trust has failed to demonstrate that the processing of such a large number of partial records was both necessary and proportionate to the purpose pursued by the data controller and that the processing was potentially excessive. The Commissioner did not receive evidence of whether lower volumes of records could have been used during the testing phase. Whilst the rationale for using the full range of records in the live clinical setting is now clearer, the Commissioner emphasises the importance of assessing the proportionality in future iterations of the application for testing or clinical purposes.
Principle Six
The Commissioner's investigation has determined that, as patients were not provided with sufficient information about the processing, those patients would have been unable to exercise their rights to prevent the processing of their personal data under section 10 of the Act. As set out above, the Trust has now taken further steps to ensure patients are aware of the use of their data for clinical safety testing and of their ability to opt out from such testing. This was not the case in 2015 and early 2016.
Principle Seven
Principle Seven requires that where a data processor carries out processing on behalf of a data controller, a contract evidenced in writing must be in place. Although there was a written information sharing agreement in place that set out the parties’ roles and imposed security obligations on the processor at the time DeepMind was given access to the data, the Commissioner's investigation has determined that this agreement did not in the Commissioner’s view go far enough to ensure that the processing was undertaken in compliance with the Act. It is the Commissioner's view that the information sharing agreement of 30 September 2015 did not contain enough detail to ensure that only the minimal possible data would be processed by DeepMind and that the processing would only be conducted for limited purposes. It is the Commissioner’s view that the requirements DeepMind must meet and maintain in respect of the data were not clearly stated. The Commissioner is also concerned to note that the processing of such a large volume of records containing sensitive health data was not subject to a privacy impact assessment ahead of the project's commencement.
The Commissioner does however recognise that the Trust has since replaced and improved the documentation in place between the Trust and DeepMind and has increased patient visibility of the use of data for the Streams application.
The data controller shall, as from the date of this Undertaking and for so long as similar standards are required by the Act or other successor legislation, ensure that personal data are processed in accordance with the First, Third, Sixth and Seventh Data Protection Principles in Part I of Schedule 1 to the Act, and in particular that:
  1. The data controller will, within two months, complete a privacy impact assessment explaining how the data controller will demonstrate compliance with the Act in relation to the arrangement with DeepMind, if and to the extent such arrangement involves the processing of personal data relating to patients, during any future (a) application development and functional testing and (b) clinical safety testing that in either case is either planned or already in process. The privacy impact assessment should contain specific steps to review and (where necessary) ensure transparency and the provision of the fair processing information to affected individuals;
  2. The data controller will, within one month of the date of the completion of the privacy impact assessment set out in (1) above, provide evidence that a condition for processing personal data under Schedule 2 to the Act applies in relation to its arrangement with DeepMind, if and to the extent such arrangement involves the processing of personal data relating to patients, to the use of such data for any further (a) application development and functional testing and (b) clinical safety testing which in either case uses patient data, and which in either case is either planned or currently in process;
  3. The data controller will, within one month of the date of completion of the privacy impact assessment set out in (1) above, provide evidence that a condition for processing sensitive personal data under Schedule 3 to the Act applies in relation to its arrangement with DeepMind, if and to the extent such arrangement involves the processing of personal data relating to patients, to any future (a) application development and functional testing; and (b) clinical safety testing, which in either case is either planned or currently in process;
  4. The data controller will, within one month of the completion of the privacy impact assessment set out in (1) above, provide the Commissioner with details of how it will comply with its duty of confidence to patients as it relates to compliance with the First Data Protection Principle, in any future (a) application development and functional testing; and (b) clinical safety testing in relation to its arrangement with DeepMind, if and to the extent such arrangements will use patient data and which in either case is either planned or in process;
  5. The data controller will commission, within three months of the date of this undertaking, a third party audit of the current processing arrangements between the data controller and DeepMind, including an audit of how the data processing agreement between the data controller and DeepMind is operating in practice, in order to ensure compliance with the Act, and disclose the findings to the Commissioner. The audit scope should assess both the current live clinical use of the Streams application and (a) any future application development and functional testing and (b) clinical safety testing that in either case is either planned or already in process. It should also include consideration as to whether the transparency, fair processing, proportionality and information sharing concerns outlined in this undertaking are now being met. The Commissioner will first approve the data controller's choice of auditor and agree the terms of reference. The Commissioner will, in the interests of transparency and in acknowledging the wider public interest in this case, retain the discretion to publish parts or all of the audit findings as appropriate.
Wolverhampton City Council
28 March 2017 (follow-up to Undertaking issued 6 June 2016)
DPA – 7th Principle
During March 2017 the Information Commissioner’s Office (ICO) conducted a follow-up assessment of the actions taken by Wolverhampton City Council (WCC) in relation to the undertaking it signed on 2 June 2016. The objective of the follow-up is to provide the ICO with a level of assurance that the agreed undertaking requirements have been appropriately implemented.
WCC agreed to the undertaking following the Commissioner’s investigation of an incident that involved an email containing a spreadsheet holding the personal information of employees at 73 educational establishments being sent in error to an external recipient (DPA – 7th Principle).
The ICO review found that WCC has taken steps and put plans in place that largely address the requirements of the undertaking, as follows:
  • A report was submitted to the Council's Strategic Executive Board on 19 July 2016, including a proposed action plan to ensure that the requirements of the ICO undertaking would be met.
  • A review of the ‘Protecting Information’ e-learning module was carried out and the module was updated.
  • An email was sent in August 2016 to employees who had not completed, or needed to retake, the Protecting Information e-learning module, including a deadline of 30 September 2016 for completion. This was extended to 30 November 2016 and, where any of WCC’s employees had not completed it by that point, WCC ensured that they had completed it by 3 March 2017 in line with the ICO’s undertaking requirements.
  • Between July 2016 and February 2017, a series of communications were issued across WCC to raise awareness of the ICO undertaking, including the requirement for all WCC employees to complete the Protecting Information e-learning module. These communications included: messages sent via email in the form of ‘Core Briefs’, email reminders from Organisational Development, messages published on WCC’s intranet, managing director briefings, specific internal red banner messages on WCC’s intranet and key message reminders at directorate and team meetings.
  • Additionally, WCC ran several Information Governance (IG) Surgeries during December 2016 and 15 IG Surgeries across 4 days during February 2017. These IG Surgeries were dedicated to delivering the Protecting Information eLearning training.
  • WCC continued to work with its Workforce Development Team and the Learning Pool (providers of the Learning Hub, the Council's e-learning training system) to implement a solution which would enable WCC to track and monitor employees’ training completion. This was implemented in July 2016.
  • The Learning Hub now has a tab which specifies that protecting information e-learning training is mandatory for all employees.
  • Between July 2016 and February 2017, regular updates on the completion of the protecting information e-learning training were provided to the Senior Strategic Board – with any follow-up action being undertaken by area directors.
  • WCC have confirmed that the Protecting Information e-learning refresher training will now take place every 12 months. WCC employees will receive an automated email reminder when they are due to complete the protecting information e-learning training.
  • Between 3 June 2016 and 2 January 2017, 98% of WCC’s employees had completed their Protecting Information e-learning refresher training and 86% of employees had completed their Protecting Information e-learning induction training.
  • Between 3 June 2016 and 3 March 2017, 99% of WCC’s employees had completed WCC’s mandatory induction and refresher Protecting Information e-learning training.
Although WCC has largely taken appropriate steps to comply with the undertaking, the ICO advised that WCC continue to work in the following areas to further improve their data protection compliance:
  1. The data controller shall devise and implement a system to ensure that completion of data protection training is monitored and that procedures are in place to ensure that staff who have not completed training within the specified time period do so promptly. This should be completed within three months of the undertaking.
    • As line managers are responsible for ensuring that their team(s) complete any mandatory training, WCC should continue to look at providing managers with an additional dashboard solution that will provide them with information about which staff have completed the Protecting Information e-learning training.
    • WCC should consider producing a training communications plan each year to ensure continuous awareness of the Protecting Information e-learning training and the requirements of the Data Protection Act.
  2. The data controller shall ensure that all staff handling personal data receive data protection training and that this training is refreshed at regular intervals, not exceeding two years. The data controller should ensure that all staff that handle sensitive personal data regularly, receive refresher training within six months of the date of the undertaking, and all other staff have received refresher training within nine months of the date of the undertaking.
    • WCC should ensure that they monitor and produce statistical reporting information for the protecting information learning module, specifically in respect of employees that handle sensitive personal information.
Basildon Borough Council
22 May 2017
£150,000
DPA – 7th Principle
Factual background
Basildon Borough Council (the ‘Council’) is a local planning authority which is required to make decisions on planning applications. This involves its planning department uploading planning applications to its website in order to consult with the public.
On 16 July 2015, an administrator in the Council’s business services department received a planning statement (the ‘statement’) in support of a householder's application for proposed works in a green belt. The statement contained sensitive personal data relating to a static traveller family (the ‘family’) that had been living on the relevant site for many years. In particular, the statement referred to the family's disability requirements, including mental health issues, the names of all the family members, their age and the location of the site.
The Council’s policy and established approach was that personal data would be redacted from such documents before being uploaded to the website. The planning technician, however, was inexperienced in checking the contents of documents relating to planning applications which contained sensitive information. He did not notice the information about the family that was embedded in the statement and therefore did not make any redactions. No procedure was in place for a second person to check such documents before they were uploaded. Consequently, the planning application, which contained sensitive personal data, was uploaded onto the Council’s website on 16 July 2015 and remained available until it was removed on 4 September 2015.
ICO Finding
The ICO found that the Council failed to take appropriate organisational measures against the unauthorised processing of personal data (DPA – 7th Principle). Basildon did not have in place appropriate organisational measures for ensuring so far as possible that such an incident would not occur, i.e. for ensuring that statements containing sensitive personal data would not be published on Basildon's website. In particular, the Council did not:
  • have in place an adequate procedure governing the redaction of statements by planning technicians;
  • provide any (or any adequate) training to planning technicians on the redaction of statements;
  • have in place any guidance or procedures for a second planning technician or senior officer to check statements for unredacted data (and specifically sensitive personal data) before they were returned to the administrator; and
  • have in place any guidance for the administrator to check statements for unredacted data before they were uploaded to its website.
The Council had submitted that (i) it was obliged under the Town and Country Planning (Development Management Procedure) (England) Order 2015 (the ‘2015 Order’) to include the full contents (including any unredacted planning statements) of any application as part of its local authority planning register and (ii) where it chose to make its planning register available it had no power to redact any details of its register. The ICO rejected these submissions for the following reasons:
  • The 2015 Order could not be construed so as to oust an individual’s rights under the Data Protection Act 1998, Directive 95/46/EC or Article 8 of the European Convention on Human Rights;
  • The Council’s duty to make the planning application available to members of the public did not entail including every single item of information which is included in the application;
  • Disclosure on a website is materially different from a right of inspection, and where the Council chooses to make its planning register available it cannot override individuals’ rights under the Data Protection Act 1998, Directive 95/46/EC or Article 8 of the European Convention on Human Rights; and
  • If every single item of information submitted with a planning application should have been made publicly available on its website, this should have been made clear to applicants so that they could make informed decisions about what data to include in their applications.
The Commissioner considers that Basildon did not deliberately contravene the DPA, but rather the contravention was the result of serious oversight. Basildon knew or ought reasonably to have known that there was a risk that this contravention would occur.
Harm
The Commissioner found that the contravention was ‘serious’ due to the number of affected individuals, the sensitive nature of the personal data that was contained in the statement, the period of time for which this sensitive personal data was available online and the potential consequences for the affected individuals. The Commissioner also found the contravention was of a kind likely to cause substantial distress and/or damage, because sensitive personal data was published online for six weeks and Basildon failed to process the personal data in accordance with its own policies and within reasonable expectations of the individuals.
Aggravating factors
  • Basildon did not notify the affected individuals.
  • Basildon had not taken sufficient remedial action.
Mitigating factors
  • Basildon referred this incident to the Commissioner, removed the relevant data from its website and was co-operative during the Commissioner's investigation.
  • A monetary penalty might have a significant impact on Basildon's reputation.
  • Some of the personal data and sensitive personal data which Basildon should have redacted was otherwise available in a public document, namely the previously published report of a Planning Inspector.
  • The affected individuals do not appear to have become aware of or complained about this contravention. The Commissioner was not aware of the affected individuals actually suffering any damage or distress in this case.
Battersea Dogs’ and Cats’ Home
3 April 2017
£9,000
DPA – 1st Principle, 2nd Principle
Factual Background
Battersea Dogs & Cats Home (‘BDCH’) is an animal shelter which rescues cats and dogs in need of help, and nurtures them until an owner or a new home can be found.
BDCH used the services of external companies to undertake tele-matching on its behalf between November 2010 and July 2015. Tele-matching is the use of personal data to obtain and use telephone numbers which data subjects may have chosen not to provide to the data controller. The ICO understands that in the period between January 2011 and July 2015 BDCH processed a total of 740,181 records containing personal data for this purpose. This resulted in 385,709 records being matched and 229,476 individuals being contacted.
ICO Finding
The ICO considered that BDCH’s privacy notices in place at the relevant time did not indicate that personal data would be used for tele-matching purposes. The ICO found that BDCH did not process its supporters’ personal data fairly because BDCH did not have the required consent to use the data for tele-matching purposes and such activities were incompatible with the purposes explained in their privacy notices (DPA – 1st and 2nd Principles).
In particular, BDCH did not amend its privacy notices adequately, or obtain consent from the data subjects to the processing of data for tele-matching purposes.
The ICO is satisfied that these contraventions were deliberate, in the sense that BDCH’s actions were deliberate. While BDCH may not have deliberately set out to contravene the DPA, it deliberately acted in such a way that it did so. Alternatively, BDCH ought reasonably to have known that there was a risk of these contraventions occurring, and that they would be of a kind likely to cause substantial damage or distress.
Harm
The ICO was satisfied that the contraventions identified were ‘serious’ due to the duration of the contravention, the number of individuals affected, and potential significant consequences of the contravention, which included receiving additional marketing communications from BDCH and/or marketing communications using contact details which the data subjects may have declined to provide.
The ICO held that the contraventions were of a kind likely to cause substantial damage or substantial distress to the individuals concerned, taking into account:
  • At least some proportion of data subjects are likely to be distressed if BDCH uses personal data they have chosen to provide in order to obtain and use data which they have chosen not to provide, in order to contact them for direct marketing purposes. They are also likely to be distressed by not being told in advance that their personal data may be used in that way.
  • At least some proportion of data subjects are likely to suffer a financial impact and a diversion of time and resources in dealing with additional marketing approaches from the BDCH arising from its tele-matching practices.
  • Given the scale and duration of the contravention, it is likely that such distress and/or damage would be substantial. At least some of the affected data subjects would have been likely to suffer substantial distress and/or damage. Alternatively, the cumulative levels of damage and/or distress of this kind of contravention would have been likely to be substantial.
Aggravating Factors
  • BDCH followed the unlawful practice described over a period of several years.
  • BDCH’s practice appears to have been driven by financial gain. The fact that it is a charity is not an excuse in this respect. In fact, the public is arguably entitled to expect charities to be especially vigilant in complying with their legal obligations.
  • BDCH has contravened the fundamental rights of very large numbers of individuals to have their personal data processed in accordance with the Data Protection Act 1998 and Directive 95/46/EC.
  • By failing to adequately explain to data subjects how their personal data would be used, BDCH has deprived them of control and informed decision-making about their personal data to a significant extent.
  • BDCH’s activity has exposed the relevant data subjects to substantially distressing and/or damaging consequences, including: intrusions into their privacy due to increased direct marketing communications from BDCH. It is likely that many individuals will have been persuaded to increase their financial support. Those financial consequences will to a significant extent have flowed from BDCH’s unlawful data protection practice.
Mitigating Factors
  • BDCH co-operated with the ICO’s investigations.
  • BDCH is a charity that seeks to further its objectives in the public interest, rather than for purely private interests or mere financial gain.
  • BDCH's practice may to an extent have reflected commonplace – albeit mistaken and unlawful – approaches in the charitable sector.
  • BDCH has taken remedial action.
  • The intended monetary penalty may have negative reputational consequences for BDCH.
Boomerang Video Ltd
9 June 2017
£60,000
DPA – 7th Principle
Factual Background
Boomerang Video operates a website that enables its customers to rent video games via a payment web application. The website was developed in 2005 by a third party company (the ‘data processor’). The login page on the website contained a coding error Boomerang Video was unaware of.
On 5 December 2014, an attacker exploited this vulnerability by using SQL injection to gain access to usernames and password hashes for the WordPress section of the site. One password was shown to be a simple dictionary word based on the company’s name. The attacker then uploaded a malicious web shell onto the web server to further compromise the system and gain access to the personal data of individuals stored within. On 30 December 2014, the attacker was able to query the customer database and download text files containing 26,331 cardholder details (including name, address, primary account number, expiry date and security code). Although part of the primary account numbers were stored encrypted, the attacker was able to gain access to the decryption key with ease, using information in configuration files on the web server. Industry guidelines prohibit the storage of the security code after payment authorisation.
This was an ongoing contravention from 2005 when the website was developed by the data processor until Boomerang Video took remedial action on 12 January 2015.
ICO Finding
The ICO found that Boomerang Video failed to take appropriate technical measures against the unauthorised or unlawful processing of personal data (DPA – 7th Principle).
The Commissioner also found that Boomerang Video did not have in place appropriate technical measures for ensuring the personal data stored on the customer database could not be accessed by an attacker performing an SQL injection attack. In particular Boomerang Video failed to:
  • carry out regular penetration testing on its website that should have detected the error;
  • ensure that the password for the WordPress account was sufficiently complex to be resistant to a brute-force attack on the stored hash values; and
  • keep the decryption key secure and prevent it being accessed by the attacker.
The Commissioner did not consider the contravention deliberate, but Boomerang Video ought reasonably to have known that there was a risk an attack performed by SQL injection would occur unless it ensured the personal data stored on the database was appropriately protected.
Harm
The Commissioner considered Boomerang Video’s failure to take adequate steps to safeguard against unauthorised or unlawful access ‘serious’ due to the number of data subjects, the nature of the personal data that was stored on the database and the potential consequences.
The Commissioner also found that the contravention was of a kind likely to cause substantial distress because of the number of data subjects and the nature of the personal data stored on the customer database. Further, the ICO found that the contravention caused damage because this information was misused by the person who had access to it, and exposed some of the data subjects to fraud.
Aggravating factors
  • Boomerang Video was not aware of this security breach until 9 January 2015 when it was notified by its customers.
  • Boomerang Video assessed itself to be compliant with the “Payment Card Industry Data Security Standard” despite failing to carry out penetration testing on its website.
  • Boomerang Video received approximately 1,100 complaints and enquiries as a result of this security breach.
Mitigating factors
  • Boomerang Video’s website was subjected to a criminal attack.
  • Boomerang Video reported this incident to the Commissioner and was co-operative during the investigation.
  • The data processor assured Boomerang Video that the payment security codes were not stored on the customer database.
  • Boomerang Video has now taken substantial remedial action.
  • A monetary penalty may have a significant impact on Boomerang Video’s reputation (and to some extent) its resources.
Brighter Home Solutions Ltd
12 May 2017
£50,000
PECR – Regulation 21
Factual Background
Brighter Home Solutions’ (‘BHS’) business involves making marketing calls to subscribers in order to sell its home improvement products and services including windows, doors, conservatories and kitchens.
Between 4 January 2016 and 26 August 2016, the Telephone Preference Service (‘TPS’) received 160 complaints about BHS. The TPS is a register of numbers allocated to subscribers who have notified the TPS that they do not wish to receive unsolicited calls for direct marketing purposes on those lines. The TPS referred all of those complaints to BHS and also notified the ICO. BHS did not respond to the TPS in relation to any of the complaints.
Some of the individual subscribers complained that the calls were misleading because the callers gave the impression that they were calling from a local number and were misled into believing that they may have been contacted by BHS previously and agreed at that time to receive further calls in the future.
After being contacted by the ICO, BHS explained that it purchased opt-in data from third party companies, which it then used to call individual subscribers to market its products and services. However, BHS had not carried out any due diligence checks to ensure that the individual subscribers had given their consent to BHS to receive such calls.
ICO finding
The ICO found that BHS made live marketing calls to subscribers who had registered with the TPS at least 28 days prior to receiving the calls and they had not given their prior consent to BHS to receive calls (Regulation 21 of PECR).
In particular:
  • BHS was unable to provide any evidence that it had undertaken appropriate due diligence in this case.
  • BHS was unable to provide sufficient evidence that the individuals to whom the text messages had been sent had consented to the receipt of those messages.
The ICO did not consider the contravention deliberate, but BHS failed to take reasonable steps to prevent the contravention and was therefore negligent.
Harm
The Commissioner was satisfied that the contravention was ‘serious’ because there were multiple breaches of regulation 21 by BHS over an 8 month period, which led to a significant number of complaints to the TPS and the ICO.
Aggravating Factors
  • BHS might obtain a commercial advantage over its competitors by generating leads from unlawful marketing practices.
  • BHS misled subscribers by displaying a false CLI (Calling Line Identification) that had the same area code as the subscriber. This led subscribers to think that the call was from someone in their local area. This was done as the subscriber was more likely to answer the telephone.
  • The call script used by BHS contained the misleading statement “… [we] are calling everyone back who did not receive our call or who may have asked us to call back this year. It was a while back so don’t worry if you do not remember receiving the call.” This was not necessarily always the case.
  • In October 2016 the ICO received evidence that, although BHS had an up-to-date TPS registration, it had not accessed the system for at least the previous 4 months. As such, there was no evidence that the company had screened its data against the TPS in order to avoid calling subscribers who did not wish to be called.
Mitigating Factors
  • There was a potential for damage to BHS’s reputation which may affect future business.
Cab Guru Limited
6 September 2017
£45,000
PECR – Regulation 22
Factual Background
Cab Guru Limited (‘Cab Guru’) is the company behind the mobile application called "Cab Guru", which allows customers to compare taxi and minicab fares and pickup times and then to book the selected service.
Cab Guru marketed this service by sending direct marketing text messages, inviting customers to download the application.
Between 27 May 2016 and 5 June 2016:
  • 360,373 unsolicited text messages were delivered;
  • 165 complaints were made via GSMA's Spam Reporting Service (to whose data the ICO has access); and
  • One complaint was made to the ICO.
On 25 June 2016 the ICO wrote to Cab Guru requesting evidence of the consent relied upon to send the text messages. Cab Guru stated that it had undertaken a one-day SMS marketing campaign targeted at customers whose telephone numbers had been obtained from Cab Guru's associated taxi companies. Cab Guru did not obtain consent directly from the SMS recipients; however, the associated taxi companies had asked customers for their consent to receive text messages.
The ICO subsequently requested copies of the customer agreements to evidence the consent relied upon. Cab Guru confirmed that there was no formal written contract or consent, as the text message contact was requested by the customer via the online web booking form or mobile phone apps.
Upon further investigation, the ICO discovered that the associated cab companies incorporated an automatic agreement to marketing in privacy policies or terms & conditions for use of their services. The consent to the marketing was therefore a compulsory term rather than a discretionary one.
ICO Finding
The ICO found that Cab Guru successfully sent 360,373 unsolicited direct marketing text messages without the appropriate consent (Regulation 22 of PECR). A further 346,277 had failed to send.
The ICO held that this contravention was not deliberate. However, Cab Guru knew or ought to have known that there was a risk that these contraventions would occur given that the issue of unsolicited text messages has been widely publicised by the media, and that the ICO had published detailed guidance in this area. Cab Guru had therefore been negligent in sending the text messages.
Further, the ICO found that Cab Guru failed to take reasonable steps to prevent the contravention. In particular, it failed to:
  • put in place appropriate systems and procedures to ensure that it had the specific consent of those whom it had sent marketing text messages; and
  • adequately record the source of the data used or retain evidence of any consent obtained.
Harm
The ICO was satisfied that the contravention caused distress among consumers, as evidenced by the large number of complaints made. Furthermore, the ICO determined that the contravention was 'serious' given the high number of contraventions, and the fact that this number could have been much larger, as 346,277 messages had failed to send.
Aggravating Factors
No mention of aggravating features
Mitigating Factors
There were no mitigating features
Cancer Research UK
3 April 2017
£16,000
DPA – 1st Principle, 2nd Principle
Factual Background
Wealth screening
Cancer Research UK (‘CRUK’) used the services of a wealth screening company to analyse the financial status of its supporters in order to identify those that would have the capacity and propensity to make a larger donation to charity. The personal data which CRUK provided to the wealth screening company included supporters' names and addresses and information relating to their donation history. Between 2010 and 2016, CRUK processed 10,017,997 records for the purposes of wealth analysis relating to 3,523,566 supporters.
Tele-matching
CRUK also used the services of external companies to undertake tele-matching (tele-matching is a form of data matching by which telephone numbers are obtained and used) on its behalf. Since July 2011 it has matched at least 678,887 telephone numbers to supporters for whom it has other personal data.
ICO Finding
The Commissioner was satisfied that these contraventions were deliberate, in the sense that the actions of CRUK were deliberate. While CRUK may not have deliberately set out to contravene the DPA, it deliberately acted in such a way that it did so. Alternatively, CRUK ought reasonably to have known that there was a risk that the contraventions would occur, and that they would be of a kind likely to cause substantial damage or distress.
Wealth screening
The ICO found that CRUK unfairly processed individuals’ personal data because using their data to perform wealth screening was not in the reasonable expectation of those individuals and they were not informed that CRUK would adopt these techniques (through CRUK’s privacy policy or otherwise) (DPA – 1st Principle). The ICO also found that the purpose of wealth analysis was incompatible with the purposes for which the data were obtained (administering the donation and, if the individual consented, marketing) (DPA – 2nd Principle).
Tele-matching
The ICO also found that it was unfair for CRUK to use the data for data-matching and/or tele-matching purposes without consent of the data subjects and that such activities were incompatible with the purposes explained in their privacy notices (DPA – 1st Principle, 2nd Principle).
Harm
The ICO considered that the contraventions were serious because of the length of time over which the contraventions took place, the number of data subjects whose rights were infringed and the data subjects were likely to have been affected by those contraventions in significant practical ways.
The ICO was satisfied that these contraventions were of a kind likely to cause substantial damage or substantial distress, taking into account that:
  • at least some proportion of data subjects are likely to be distressed as a result of the contravention;
  • at least some proportion of data subjects are likely to suffer a financial impact and a diversion of time and resources in dealing with additional approaches from CRUK; and
  • given the scale and duration of the contraventions, it is likely that such distress and/or damage would be substantial. At least some of the affected data subjects would have been likely to suffer substantial distress and/or damage. Alternatively, the cumulative levels of damage and/or distress of this kind of contravention would have been likely to be substantial.
Aggravating Factors
  • CRUK has followed the unlawful practices over a period of several years.
  • CRUK's practices appear to have been driven by financial gain. The fact that it is a charity is not an excuse in this respect. In fact, the public is arguably entitled to expect charities to be especially vigilant in complying with their legal obligations.
  • CRUK has contravened the fundamental rights of very large numbers of individuals to have their personal data processed in accordance with the Data Protection Act 1998 and Directive 95/46/EC.
  • By failing to adequately explain to data subjects how their personal data would be used, CRUK has deprived them of control and informed decision-making about their personal data to a significant extent.
  • CRUK's activities have exposed the relevant data subjects to substantially distressing and/or damaging consequences, including intrusions into their privacy due to increased direct marketing communications from CRUK. It is likely that many individuals will have been persuaded by CRUK to increase their financial support. Those financial consequences will to a significant extent have flowed from CRUK's unlawful data protection practices.
Mitigating Factors
  • CRUK co-operated with the Commissioner's investigations.
  • CRUK is a charity that seeks to further its objectives in the public interest, rather than for purely private interests or mere financial gain.
  • CRUK has taken remedial action.
  • CRUK's practices may to an extent have reflected commonplace - albeit mistaken and unlawful - approaches in the charitable sector.
  • The intended monetary penalty may have negative reputational consequences.
Cancer Support UK (formerly Cancer Recovery Foundation UK)
3 April 2017
£16,000
DPA – 1st Principle, 2nd Principle
Factual Background
Cancer Support UK (‘CSUK’) is a charity that provides practical and emotional support to people with cancer, during and after the treatment period.
CSUK shared the names and addresses of its supporters with third party organisations. CSUK also participated in the Reciprocate Scheme, a scheme run by an external company which enabled participating charities to share or swap the personal data of donors or prospective donors. The Commissioner understands that CSUK no longer shares personal data of its supporters in this way.
CSUK shared 3,075,550 records of its supporters between April 2010 and August 2016 with other organisations and charities through recognised list brokers who were “DPA-compliant”.
ICO Finding
The ICO found that CSUK did not process data fairly because the terms of CSUK’s privacy notice did not provide data subjects with adequate information as to how their personal data would be shared with third parties (DPA – 1st Principle). The ICO also found that such sharing was incompatible with the purposes explained in CSUK’s privacy notices (DPA – 2nd Principle).
In particular:
  • CSUK failed to take reasonable steps to prevent these contraventions from occurring.
  • CSUK did not amend its privacy notice adequately.
The ICO was satisfied that these contraventions were deliberate, in the sense that the actions of CSUK were deliberate. While CSUK may not have deliberately set out to contravene the DPA, it deliberately acted in such a way that it did so. Alternatively, CSUK ought reasonably to have known that there was a risk that the contraventions would occur, and that they would be of a kind likely to cause substantial damage or distress.
Harm
The ICO considered these contraventions to be ‘serious’ due to the number of individuals affected, the duration of contravention, and potential consequences of the contravention.
The ICO was satisfied that these contraventions were of a kind likely to cause substantial damage or substantial distress, taking into account that:
  • at least some proportion of data subjects are likely to be distressed if their personal data is shared by one charity with another for the purposes of the latter's fundraising efforts, without it being made sufficiently clear to the data subject that this would happen;
  • at least some proportion of data subjects are likely to suffer a financial impact and a diversion of time and resources in dealing with approaches from the bodies with which their data was shared; and
  • given the scale and duration of the contraventions, it is likely that such distress and/or damage would be substantial. At least some of the affected data subjects would have been likely to suffer substantial distress and/or damage. Alternatively, the cumulative levels of damage and/or distress of this kind of contravention would have been likely to be substantial.
Aggravating Factors
  • CSUK had followed the unlawful practice over a period of several years.
  • CSUK's practice appears to have been driven by financial gain. The fact that it is a charity is not an excuse in this respect. In fact, the public is arguably entitled to expect charities to be especially vigilant in complying with their legal obligations.
  • CSUK had contravened the fundamental rights of very large numbers of individuals to have their personal data processed in accordance with the Data Protection Act 1998 and Directive 95/46/EC.
  • By failing to adequately explain to data subjects how their personal data would be used, CSUK has deprived them of control and informed decision-making about their personal data to a significant extent.
  • CSUK's activities exposed the relevant data subjects to substantially distressing and/or damaging consequences, including intrusions into their privacy due to increased direct marketing communications from CSUK and/or other charities. It is likely that many individuals will have been persuaded - by CSUK and/or other charities - to increase their financial support. Those financial consequences will to a significant extent have flowed from CSUK's unlawful data protection practice.
Mitigating Factors
  • CSUK co-operated with the Commissioner's investigations.
  • CSUK is a charity that seeks to further its objectives in the public interest, rather than for purely private interests or mere financial gain.
  • CSUK's practices may to an extent have reflected commonplace - albeit mistaken and unlawful - approaches in the charitable sector.
  • The intended monetary penalty may have negative reputational consequences.
Concept Car Credit Limited
12 May 2017
£40,000
PECR – Regulation 22
Factual Background
Concept Car Credit Limited (the ‘Company’) is a used car dealer offering both cars for sale and brokering car finance.
Over an 18-month period between 2015 and 2016, the Company used a public telecommunications service for the purposes of instigating the transmission of 336,000 unsolicited communications by means of text message to individual subscribers for the purposes of direct marketing.
Between 9 April 2015 and 5 March 2016, 66 complaints were made to GSMA’s Spam Reporting Service, or direct to the ICO, about the receipt of unsolicited direct marketing text messages sent on behalf of the Company. The GSMA’s Spam Reporting Service allows mobile users to report the receipt of unsolicited marketing text messages to the GSMA, who makes such complaints data available to the ICO.
The Company explained that it had obtained the data used to send the text messages from a number of third parties with whom they hold introducer agreements between 2012 and 2016. However, the Company was unable to provide sufficient evidence that the individuals to whom the text messages had been sent had consented to the receipt of those messages.
ICO Finding
The ICO found that the Company did not have the consent of the 336,000 subscribers to whom it had instigated the sending of unsolicited direct marketing text messages (PECR – Regulation 22).
In particular:
  • The Company was unable to provide any evidence that it had undertaken appropriate due diligence in this case.
  • The Company was unable to provide sufficient evidence that the individuals to whom the text messages had been sent had consented to the receipt of those messages.
  • The Company failed to take reasonable steps to prevent the contraventions in this case.
The Commissioner was satisfied that the contravention was not deliberate; however, the Company knew or ought reasonably to have known that there was a risk that these contraventions would occur.
Harm
The ICO considered the contravention ‘serious’ because there were multiple breaches of Regulation 22 of PECR by the Company over an 18-month period. In addition, a large number of complaints were made to the ICO and GSMA’s Spam Reporting Service.
Aggravating Factors
No mention of aggravating features
Mitigating Factors
There were no mitigating features
Construction Materials Online Ltd
26 April 2017
£55,000
DPA – 7th Principle
Factual Background
Construction Materials Online Ltd (‘CMO’) operated a website that had been developed by a third party company. The website enabled its customers to purchase building products online by entering their card details which were then encrypted and sent directly to an external payment system. However, CMO were unaware that the login pages contained a coding error.
An attacker exploited this vulnerability and gained access to usernames and passwords. The attacker uploaded a ‘malicious web shell’ to further compromise the system and on 6 May 2014 was able to modify payment pages and access 669 unencrypted cardholder details at the point of entry to the website. This included names, addresses, primary account numbers and security codes.
ICO Finding
The ICO found that although CMO did not deliberately contravene the DPA, CMO failed to take appropriate technical measures against the unauthorised or unlawful processing of personal data (DPA – 7th Principle). This was a serious oversight.
The ICO found that CMO ought reasonably to have known that there was a risk of an attack occurring which was likely to cause substantial damage or distress unless the data processed on its website was appropriately protected.
Harm
The ICO found that owing to the number of data subjects, nature of the information which was stolen and potential consequences, the attack was ‘serious’.
The ICO found that there was a risk the contravention would be of a kind likely to cause substantial damage or distress, particularly as the information was misused by the person who had access to it, exposing the customers to fraud.
Aggravating Factors
  • CMO was not aware of the security breach until notified by a customer.
  • CMO received approximately 50 complaints and enquiries from its customers as a result of the security breach.
Mitigating Factors
  • CMO’s website was subjected to a criminal attack.
  • CMO notified the data subjects so that fraudulent transactions were intercepted.
  • CMO was co-operative during the ICO’s investigation.
  • CMO took substantial remedial action.
  • A monetary penalty might have a significant impact on CMO’s reputation and to some extent its resources.
Data breach by a barrister
10 March 2017
£1,000
DPA – 7th Principle
Factual Background
The data controller is a senior barrister who specialises in family law.
The barrister created documents at home on her standalone desktop computer. The computer was password protected but the files were unencrypted. In January 2013, the Bar Council issued guidance to barristers that specific files may require encryption to prevent unauthorised access to confidential matters by shared users. On 19 September 2015, the barrister's husband temporarily uploaded the barrister's files (725 documents) to an online directory to back them up before a software update.
On 5 January 2016, a local authority solicitor informed the barrister's Chambers that the documents containing confidential and sensitive information could be accessed on the internet. Fifteen of these had been cached and indexed, so they could be easily accessed using a recognisable word. Six of the 15 contained confidential and highly sensitive information relating to lay clients who were involved in proceedings in the Court of Protection and the Family Court.
Between 200 and 250 individuals were affected by this incident, including vulnerable adults and children.
ICO Finding
The ICO found that the barrister did not have in place appropriate technical measures for ensuring that such an incident would not occur, i.e. for ensuring that her files could not be accessed by unauthorised third parties (DPA – 7th Principle). In particular, the barrister did not encrypt her files.
The Commissioner considered the contravention to be the result of a serious oversight rather than a deliberate intent to ignore or bypass the provisions of the DPA. However, the Commissioner was satisfied that the barrister ought reasonably to have known that there was a risk that such an incident would occur unless she ensured that the files held on her desktop computer were technically secured.
Harm
The ICO was satisfied that the contravention was ‘serious’ due to the number of affected individuals, the nature of the personal data contained in the files and the potential consequences.
The files contained confidential and highly sensitive information relating to 200 to 250 individuals, some of whom were adults and children in vulnerable circumstances. The ICO considered that the contravention was of a kind likely to cause distress to the barrister's lay clients if they knew that their confidential and highly sensitive information had been accessed by unauthorised third parties and could be further disseminated or misused.
Aggravating Factors
No mention of aggravating features
Mitigating Factors
  • The barrister was fully co-operative with the ICO.
  • The barrister has taken remedial action.
Digitonomy Limited
13 February 2017
£120,000
PECR – Regulation 22
Factual Background
Digitonomy is a credit broker which introduces borrowers and lenders for the purposes of entering into loan agreements. It generates leads for its businesses through affiliates who send marketing text messages directing individuals to websites owned by them.
Between 6 April 2015 and 29 February 2016, 1408 complaints were received by the GSMA's Spam Reporting Service and a further 56 complaints were received by the ICO, relating to the receipt of unsolicited direct marketing text messages sent by Digitonomy. The GSMA’s Spam Reporting Service allows mobile users to report the receipt of unsolicited marketing text messages to the GSMA, who makes such complaints data available to the ICO. The ICO identified unsolicited direct marketing text messages sent by Digitonomy as being in the "Top 20" messages reported to the GSMA.
Digitonomy attempted to send 5,900,940 text messages during the period of complaint, of which 5,238,653 were successfully transmitted.
ICO Finding
The ICO found that Digitonomy had not received freely given, specific and informed consent from individuals to receive marketing text messages (Regulation 22 of PECR).
The ICO did not consider the contravention deliberate but Digitonomy should have known or ought reasonably to have known that there was a risk that this contravention would occur. The ICO found that Digitonomy had failed to take reasonable steps to prevent the contravention, stating that it had failed to undertake sufficient due diligence.
Harm
The ICO was satisfied that the contravention was 'serious' due to the large number of direct marketing text messages sent to subscribers without their consent and the resulting large number of complaints.
Aggravating Factors
  • Digitonomy might obtain a commercial advantage over its competitors by generating leads from unlawful marketing practices.
Mitigating Factors
  • There is potential for damage to Digitonomy's reputation which may affect future business.
Easyleads Limited
14 September 2017
£260,000
PECR – Regulations 19 and 24
Factual Background
Easyleads Limited (‘Easyleads’) is a marketing firm based in Coventry.
Between 22 October 2015 and 30 June 2017, Easyleads made 16,730,340 marketing calls to subscribers without their prior consent, resulting in 551 complaints to the ICO.
The automated calls contained recorded messages from Easyleads regarding an entitlement to a grant to replace oil or LPG boilers ‘totally free of charge’.
Many of the complaints reported that multiple calls were received and that there was an inability to opt-out of the calls. Others expressed distress as individuals would be expecting urgent calls only to receive an automated message about replacement boilers. Calls were also being made late at night and in the early hours of the morning with particular frequency over the May 2017 bank holiday weekend.
Easyleads was unable to provide evidence that it had the consent of the individuals to carry out such marketing calls.
ICO Finding
The ICO was satisfied that Easyleads did not have the consent of the individuals to whom it had made 16,730,340 automated direct marketing calls (Regulation 19 of PECR). The ICO also found that Easyleads failed to include the company name, address and telephone number in its automated messages, as required by Regulation 24 of PECR.
In particular, the ICO highlighted the following:
  • The wording of some of the automated calls was misleading in that it referred to a ‘government scheme’ and the offer of a ‘free boiler’.
  • Whilst the automated calls offered an ‘opt-out’ option, there is evidence to suggest that repeat calls were made to subscribers regardless of this.
  • There was a failure to ensure that an effective suppression system was in place to prevent repeat calls to those who had opted out.
The Commissioner is satisfied that Easyleads Limited did deliberately contravene Regulation 19 of PECR in that its actions which constituted the contravention were deliberate.
Harm
The ICO was satisfied that the contravention was 'serious' due to the sheer extent of the contravention: Easyleads made over 16 million automated marketing calls without the prior consent of the affected individuals. This resulted in 551 complaints being made to the ICO. In particular, complainants expressed distress as some would be expecting urgent calls only to receive an automated message about replacement boilers. However, no financial loss is noted.
Aggravating Factors
  • Within 9 days of receiving a letter from the ICO to confirm that it was under investigation, Easyleads carried out a further marketing campaign and continued to make automated marketing calls.
  • The ICO’s direct marketing monthly threat assessments showed that one of the CLIs used by Easyleads was the most complained-about number for automated calls for four consecutive months, from March 2017 to June 2017.
  • Easyleads failed to engage with the ICO in assisting with its investigations, and failed to respond to queries.
Mitigating Factors
There were no mitigating features
Flybe Limited
20 March 2017
£70,000
PECR – Regulation 22
Factual Background
Flybe Limited (‘Flybe’) is a large regional airline carrier, based in Exeter.
On 15 August 2016 it sent 3,662,973 e-mails to individuals entitled “Are your details correct?”. 3,333,940 of these were successfully received. The e-mail advised individuals to amend any out-of-date information and update any marketing preferences. The e-mail also stated that by updating their preferences they may be entered into a prize draw.
Flybe used a third party agent to distribute bulk e-mails. The agent holds Flybe's customer database and maintains the list of opt-in and opt-out individuals for direct marketing purposes. On this occasion, Flybe requested that its agent send e-mails to customers who had previously explicitly opted out of direct marketing.
ICO Finding
The ICO found that on 15 August 2016, Flybe instigated the transmission of 3,333,940 unsolicited communications by e-mail to individual subscribers for the purposes of direct marketing without their consent (Regulation 22 of PECR).
In addition, Flybe also instigated the sending of a further 329,033 marketing e-mails. Although these were not received by individuals, this evidences an attempt to send large volumes of marketing e-mails to individuals without consent to do so.
As the instigator of the e-mails, it was the responsibility of Flybe to ensure that sufficient consent had been acquired. The ICO was satisfied that Flybe did not have the required consent and deliberately contravened Regulation 22 of PECR.
Harm
The ICO was satisfied that the contravention was ‘serious’ due to the large volume of direct marketing e-mails sent to subscribers without their consent. Flybe was aware that the e-mail was being sent to individuals who, according to its records, had previously indicated that they did not consent to receive direct marketing.
Aggravating Factors
No mention of aggravating features
Mitigating Factors
There were no mitigating features
The Guide Dogs for the Blind Association
3 April 2017
£15,000
DPA – 1st Principle, 2nd Principle
(PECR – Regulation 21 also considered, but was not a basis for the monetary penalty)
Factual Background
The Guide Dogs for the Blind Association (‘GDBA’) is a British charitable organisation founded in 1934.
Wealth screening
The GDBA used the services of wealth screening companies to analyse the financial status of its supporters in order to identify wealthy or high value individuals. The personal data which the GDBA provided to the wealth screening companies included supporters' names and addresses and information relating to their donation history. The GDBA informed the ICO that it had undertaken such activity in respect of its entire database of donors in 2008 and 2012, and more specific activity in 2010 and 2015. In total, the GDBA performed wealth screening on over 1.7m data subjects.
Data-matching and tele-matching
The GDBA had used the services of an external company to undertake tele-matching on its behalf since at least 2010. The GDBA has 248,094 matched telephone numbers on its database, of which 165,730 are Telephone Preference Service (‘TPS’) registered. The TPS is a register of numbers allocated to subscribers who have notified the TPS that they do not wish to receive unsolicited calls for direct marketing purposes on those lines. 163,180 of those have been added to the database since 6 April 2010.
The GDBA did not have specific consent from data subjects for whom it had matched telephone numbers, but who were TPS registered, to receive live telephone calls from the GDBA. It relied on generic consents provided to it by its commercial third party tele-matching data provider. Those generic consents referred only to contact from third parties and not to the GDBA. The GDBA accepted that until the summer of 2015, it did not screen its tele-matched calls against the TPS registration list.
The GDBA also used the services of an external company to identify donors to the GDBA who had not agreed to gift aid their donations by reference to donations they had made to other charitable organisations where gift aid was agreed. Those identified donors would then be contacted by the GDBA with material about using gift aid.
ICO Finding
The ICO was satisfied that the contraventions of the Data Protection Act 1998 (‘DPA’) were deliberate, in the sense that the actions of the GDBA were deliberate. While the GDBA may not have deliberately set out to contravene the DPA, it deliberately acted in such a way that it did so. The ICO also found that the GDBA failed to take reasonable steps to prevent the contraventions of the DPA from occurring.
Wealth screening
The ICO found that the GDBA unfairly processed individuals’ personal data because using their data to perform wealth screening was not in the reasonable expectation of those individuals and they were not informed that the GDBA would adopt these techniques (through the GDBA’s privacy policy or otherwise) (DPA – 1st Principle). The ICO also found that the purpose of wealth analysis was incompatible with the purposes for which the data were obtained (administering the donation and, if the individual consented, for marketing purposes) (DPA – 2nd Principle).
Data-matching and tele-matching
The ICO also found that it was unfair for the GDBA to use the data for data-matching and/or tele-matching purposes without consent of the data subjects and that such activities were incompatible with the purposes explained in their privacy notices (DPA – 1st Principle, 2nd Principle).
The ICO also considered that by making telephonic contacts with persons who had not provided their specific consent to receiving direct marketing telephone calls from the GDBA and who were TPS registered the GDBA had contravened Regulation 21 of PECR. This contravention was recorded by the ICO as an additional matter of concern but was not used as a basis for the MPN.
Harm
The ICO considered that the contraventions of the DPA were serious because of the length of time over which the contraventions took place, the number of data subjects whose rights were infringed, and the likelihood that the data subjects had been affected by those contraventions in significant practical ways.
The ICO was satisfied that these contraventions were of a kind likely to cause substantial damage or substantial distress, taking into account that:
  • at least some proportion of data subjects are likely to be distressed as a result of the contravention;
  • at least some proportion of data subjects are likely to suffer a financial impact and a diversion of time and resources in dealing with additional approaches from the GDBA; and
  • given the scale and duration of the contraventions, it is likely that such distress and/or damage would be substantial. At least some of the affected data subjects would have been likely to suffer substantial distress and/or damage. Alternatively, the cumulative levels of damage and/or distress of this kind of contravention would have been likely to be substantial.
Aggravating Factors
  • The GDBA had followed the unlawful practices described above over a period of several years.
  • The GDBA's practices appear to have been driven by financial gain. The fact that it is a charity is not an excuse in this respect. In fact, the public is arguably entitled to expect charities to be especially vigilant in complying with their legal obligations.
  • The GDBA had contravened the fundamental rights of very large numbers of individuals to have their personal data processed in accordance with the DPA and Directive 95/46/EC.
  • By failing to adequately explain to data subjects how their personal data would be used, the GDBA had deprived them of control and informed decision-making about their personal data to a significant extent.
  • The GDBA's activities as described above have exposed the relevant data subjects to substantially distressing and/or damaging consequences, including intrusions into their privacy due to increased direct marketing communications from the GDBA. It is likely that many individuals will have been persuaded by the GDBA to increase their financial support. Those financial consequences will to a significant extent have flowed from the GDBA's unlawful data protection practices.
  • It is likely that the GDBA has also contravened Regulation 21 of PECR.
Mitigating Factors
  • The GDBA co-operated with the Commissioner's investigations.
  • The GDBA is a charity that seeks to further its objectives in the public interest, rather than for purely private interests or mere financial gain.
  • The GDBA has taken remedial action.
  • The GDBA's practices may to an extent have reflected commonplace - albeit mistaken and unlawful - approaches in the charitable sector.
  • The intended monetary penalty may have negative reputational consequences.
Gloucester City Council
26 May 2017
£100,000
DPA – 7th Principle
Factual Background
On 17 April 2014 the Council’s IT staff identified a vulnerability in its own systems when using an appliance known as ‘SonicWall’.
A software patch for the vulnerability was available by the time of discovery, but the Council’s third party IT outsourcers overlooked it and therefore the software patch was not applied.
In July 2014, Senior Officers of the Council had their Twitter accounts compromised by an attacker who also gained access to 16 user mailboxes via the vulnerability in the SonicWall appliance. The attacker was able to download 30,000 emails from these mailboxes which contained financial and sensitive personal information on approximately 40 members of current or former staff.
ICO Finding
The ICO found that the Council failed to take appropriate technical and organisational measures for ensuring that emails containing financial and sensitive personal information could not be accessed (DPA – 7th Principle). In particular, the Council did not have a process in place to ensure that, during the outsourcing of its IT services, the software patch was applied.
Harm
The ICO found that the Council’s current or former staff had an expectation that their financial and sensitive personal data would have been held securely and that the Council’s failure to do so had likely caused distress to the affected current and former staff.
The ICO also found that as the attacker had not been identified and the emails had not been recovered, further disclosure was possible and could cause damage as well as additional distress.
Aggravating Factors
  • The Council was not aware of the incident until the attacker notified it.
  • The attacker had the option to download even more emails if they had chosen to do so.
Mitigating Factors
  • The Council’s website was subject to a criminal attack.
  • The Council reported the incident to the ICO and was co-operative during the investigation.
  • The Council has taken significant remedial action.
  • The intended monetary penalty may have a significant effect on the Council’s reputation and (to some extent) its resources.
Great Ormond Street Hospital Children’s Charity
3 April 2017
£11,000
DPA – 1st Principle, 2nd Principle
Factual Background
Great Ormond Street Hospital Children’s Charity (‘GOSHCC’) is an academic medical research centre specialising in paediatrics.
Sharing personal data with third parties
Between 2011 and September 2015, GOSHCC participated in the Reciprocate Scheme. During this period GOSHCC disclosed batches of records containing unique reference numbers, names, addresses, last donation amount, Gift Aid status, and information about donation type. In total, GOSHCC disclosed 910,283 batches of records containing personal data to around 40 other charities while participating in the scheme.
Wealth screening
GOSHCC also used the services of a wealth screening company to run two campaigns to analyse the financial status of its supporters in order to identify those that would have the capacity and propensity to make a larger donation, and to predict whether they were likely to leave a legacy. The personal data which GOSHCC provided to the wealth screening company included supporters’ names, telephone numbers and email addresses. Between April 2010 and June 2016 it had processed on average 795,000 records for the purposes of wealth screening per month.
Data-matching
Between 2012 and 2015, GOSHCC used the services of an external company to match email addresses to individual supporters’ records. GOSHCC matched 103,500 email addresses to the personal data of supporters. GOSHCC also matched 208,000 dates of birth to individual supporters’ records.
ICO Finding
The ICO was satisfied that the contraventions were deliberate, in the sense that the actions of GOSHCC were deliberate. While GOSHCC may not have deliberately set out to contravene the DPA, it deliberately acted in such a way that it did so. The ICO also found that GOSHCC failed to take reasonable steps to prevent the contraventions of the DPA from occurring.
Sharing personal data with third parties
The ICO found that GOSHCC unfairly processed individuals’ personal data because the terms of its privacy notice were unduly vague and/or ambiguous and did not provide data subjects with adequate information as to how their personal data would be shared via the schemes (DPA – 1st Principle). The ICO also found that the sharing of personal data via the schemes was incompatible with the purposes explained in GOSHCC’s privacy notices (DPA – 2nd Principle).
Wealth screening
The ICO found that GOSHCC unfairly processed individuals’ personal data because using their data to perform wealth screening was not in the reasonable expectation of those individuals and they were not informed that GOSHCC would adopt these techniques (through GOSHCC’s privacy policy or otherwise) (DPA – 1st Principle). The ICO also found that the purpose of wealth analysis was incompatible with the purposes for which the data were obtained (administering the donation and, if the individual consented, for marketing purposes) (DPA – 2nd Principle).
Data-matching and tele-marketing
The ICO found that it was unfair for GOSHCC to use the data for data-matching purposes without consent of the data subjects and that such activities were incompatible with the purposes explained in their privacy notices (DPA – 1st Principle, 2nd Principle).
Harm
The ICO considered that the contraventions were serious because of the length of time over which the contraventions took place, the number of data subjects whose rights were infringed, and the likelihood that the data subjects had been affected by those contraventions in significant practical ways.
The ICO was satisfied that these contraventions were of a kind likely to cause substantial damage or substantial distress, taking into account that:
  • at least some proportion of data subjects are likely to be distressed as a result of the contravention;
  • at least some proportion of data subjects are likely to suffer a financial impact and a diversion of time and resources in dealing with additional approaches from GOSHCC; and
  • given the scale and duration of the contraventions, it is likely that such distress and/or damage would be substantial. At least some of the affected data subjects would have been likely to suffer substantial distress and/or damage. Alternatively, the cumulative levels of damage and/or distress of this kind of contravention would have been likely to be substantial.
Aggravating Factors
  • GOSHCC had engaged in the unlawful practices over a period of several years.
  • GOSHCC’s practices were driven by financial gain; this is aggravated by the fact that the public may expect charities to be especially vigilant in complying with their legal obligations.
  • GOSHCC had contravened the fundamental right of data subjects to have their personal data processed in accordance with the Data Protection Act 1995 and Directive 95/46/EC.
  • By failing to adequately explain to the data subjects the manner in which their personal information would be processed, GOSHCC had deprived the individuals of control and informed decision-making about their personal data.
  • GOSHCC's activities exposed the relevant data subjects to substantially distressing consequences, including intrusions into their privacy due to increased direct marketing communications. It is likely that many individuals will have been persuaded by GOSHCC to increase their financial support. Those financial consequences will to a significant extent have flowed from GOSHCC's unlawful data protection practices.
Mitigating Factors
  • GOSHCC co-operated with the Commissioner’s investigations.
  • GOSHCC is a charity that seeks to further its objectives in the public interest, rather than for purely private interests or mere financial gain.
  • GOSHCC took remedial action.
  • GOSHCC’s practices may to an extent have reflected commonplace - albeit mistaken and unlawful - approaches in the charitable sector.
  • The intended monetary penalty may have negative reputational consequences.
Greater Manchester Police
2 May 2017
£150,000
DPA – 7th Principle
Factual Background
In 2015 Greater Manchester Police (‘GMP’) sent three unencrypted DVDs by Recorded Delivery to the Serious Crime Analysis Section (‘SCAS’). The DVDs contained footage of police interviews with victims of serious violent or sexual crimes in ongoing cases. The victims were named and talking openly about the crimes.
The SCAS did not receive the DVDs and they have not been recovered.
ICO Finding
The ICO found that GMP failed to take appropriate organisational measures against unauthorised or unlawful processing of personal data and against accidental loss of personal data (DPA – 7th Principle). GMP should have known or ought to have envisaged those risks and it did not take reasonable steps to prevent the loss.
The sending of similar DVDs by recorded delivery was an ongoing contravention from 2009 until this incident in 2015.
The ICO did not consider this contravention to be deliberate; however, GMP should have known or ought reasonably to have known that there was a risk that this contravention would occur.
Harm
The ICO was satisfied that the contravention identified was ‘serious’ because the DVDs contained highly sensitive personal data. The ICO found that the loss of the DVDs was likely to cause substantial damage or distress to the victims. This included distress that their highly sensitive personal data could have been accessed by individuals who had no right to see that information. This could lead to further distress if that information was misused by untrustworthy third parties.
Aggravating Factors
  • The DVDs were not password protected.
Mitigating Factors
  • GMP referred the incident to the ICO and SCAS.
  • GMP was cooperative during the investigation.
  • As far as the ICO is aware, the information on the DVDs has not been further disseminated.
  • GMP notified the affected individuals and provided support.
  • GMP has taken remedial action until a technical solution can be found.
  • A monetary penalty may have a significant impact on GMP’s reputation.
H.P.A.S. Limited t/a Safestyle UK
31 July 2017
£70,000
PECR – Regulation 21
Factual Background
Safestyle’s business involves making marketing calls to subscribers in order to sell its products and services, including windows and doors to homeowners.
Between 1 May 2015 and 31 December 2016, the Commissioner received 264 complaints about unsolicited direct marketing calls made by Safestyle. Of those complaints, 178 were made to the Telephone Preference Service (‘TPS’), a register of numbers allocated to subscribers who have notified the ICO that they do not wish to receive unsolicited calls for direct marketing purposes, with a further 86 made directly to the ICO. All of these complaints were made by individual subscribers who were registered with the TPS and/or who had not given their prior consent to Safestyle to receive direct marketing calls.
On 18 January 2016, the Commissioner wrote to Safestyle explaining that the ICO and the TPS had received complaints from individual subscribers in relation to unsolicited calls. Safestyle explained that it only canvassed existing customers and enquirers who had provided their number requesting a quotation to follow up on interest expressed. Safestyle said that it did not screen against the TPS as that would prevent it from contacting customers who are registered but who have nonetheless invited contact for quotation and sales purposes. Safestyle indicated it operates a suppression list and adds the telephone numbers of anybody asking not to be called again. Safestyle also advised that it was revisiting the way it conducted marketing in order to improve its practice and procedures.
Safestyle underwent three periods of monitoring to determine whether there was a suitable reduction in the number of complaints being recorded. However, despite Safestyle’s assurances of its continued commitment to preventing unwanted contact with its customers, the Commissioner continued to receive an unacceptable level of complaints.
ICO Finding
The Commissioner found that Safestyle made unsolicited direct marketing calls without the appropriate consent (Regulation 21 of PECR).
The ICO also found that Safestyle failed to screen the numbers against the TPS, maintain an accurate suppression list, and otherwise failed to take reasonable steps to prevent the contravention. Whilst the Commissioner was satisfied that Safestyle had not set out to deliberately contravene PECR, it knew or ought to have known that its direct marketing activities would lead to a contravention and was therefore negligent.
Harm
The ICO held that the contravention was ‘serious’ due to the number of complaints made, and the extended period over which the contraventions occurred. No financial loss was experienced by those affected, however they did experience a diversion of resources and time in having to deal with the unsolicited calls, and in having to report these to the TPS and the ICO.
Aggravating Factors
No mention of aggravating features
Mitigating Factors
There were no mitigating features
HCA International Ltd
23 February 2017
£200,000
DPA – 7th and 8th Principles
Factual background
HCA International Ltd (‘HCA’) owns private hospitals including the Lister Hospital in London. It provides a wide range of services to private patients, including IVF treatment.
Beginning in 2009, Lister Hospital sent unencrypted audio recordings of private consultations by email to a data processor in India for transcription. HCA was aware that the data processor used an unsecured FTP server to store the recordings. The server did not have an authentication process to restrict access to the transcripts.
On 8 April 2015, a patient informed the hospital that transcripts of consultations containing confidential and sensitive personal data could be accessed via an internet search engine.
ICO finding
The ICO found that HCA failed to take appropriate technical measures against unauthorised or unlawful processing of personal data in contravention of the seventh data protection principle. In particular:
  • HCA sent unencrypted recordings by email to the data processor in India;
  • HCA had no guarantee that the data processor would use a secure FTP server to store the recordings and then send completed transcripts to the hospital;
  • HCA had no guarantee that the data processor would erase the recordings after they had been transcribed;
  • HCA failed to monitor the data processor in relation to any security measures taken by it; and
  • HCA did not have a DPA compliant contract with the data processor in relation to the processing.
The contravention was ongoing from 2009 until HCA took remedial action following the security breach on 8 April 2015.
The ICO did not consider the contravention deliberate but HCA should have known or ought reasonably to have known that there was a risk that this contravention would occur and that it would be of a kind likely to cause substantial distress. The ICO found that HCA failed to take reasonable steps to prevent the contravention.
The ICO also found that the eighth data protection principle was contravened by HCA, in that data was transferred outside the EEA without an adequate level of protection.
Harm
The ICO was satisfied that the contravention was serious as the transcripts contained confidential and sensitive personal data. The ICO also had regard to the number of affected individuals and the possible consequences.
The ICO considered that the contravention would cause distress to patients and that such distress was likely to be substantial, having regard to the number of affected individuals and the nature of the personal data involved.
Aggravating Factors
No mention of aggravating factors
Mitigating Factors
  • HCA voluntarily reported the breach to the ICO.
  • HCA were fully co-operative with the ICO.
  • HCA have taken substantial remedial action.
  • There will be a significant impact on HCA’s reputation as a result of this security breach.
Hamilton Digital Solutions Limited
16 November 2017
£45,000
PECR – Regulation 22
Factual Background
Hamilton Digital Solutions Ltd (‘HDSL’) is a London based online technology and telecoms company.
Between 1 April 2016 and 19 September 2016, HDSL used a public electronic telecommunications service to transmit 156,250 unsolicited communications by e-mail to individual subscribers for the purposes of direct marketing.
HDSL used third parties, who acted as ‘introducers’ of customers to HDSL, to send the marketing text messages. In response to correspondence from the ICO, HDSL indicated that it would carry out an “extensive due diligence exercise” with each new introducer, including a review of the permissions held; its ‘privacy policy’; consents; and data sources.
HDSL gave the ICO details of the consent relied upon for the direct marketing that had been provided by the ‘introducer’ which sent the messages.
ICO Finding
The ICO found that HDSL instigated the sending of 156,250 unsolicited direct marketing text messages without consent (Regulation 22 of PECR).
In particular, the ICO stated that organisations can generally only send marketing texts to individuals if that person has specifically consented to receiving them from the sender. The ICO also explained that particular care must be taken when relying on "indirect consent", and that it is not acceptable to rely on assurances given by third party suppliers without undertaking proper due diligence. The ICO found the evidence of consent relied upon by HDSL for the direct marketing that had been provided by the ‘introducer’ was insufficient for the purposes of Regulation 22 PECR.
The ICO did not consider the contravention deliberate but stated that HDSL should have known or ought reasonably to have known that there was a risk that this contravention would occur. The ICO found that HDSL had failed to take reasonable steps to prevent the contravention.
Harm
The ICO was satisfied that the contravention identified was ‘serious’, owing to the fact that between 1 April 2016 and 19 September 2016, HDSL sent a total of 156,250 direct marketing text messages to subscribers without their consent. Between 1 April 2016 and 9 May 2016 alone, this action resulted in 595 complaints.
Aggravating Factors
No mention of aggravating features
Mitigating Factors
There were no mitigating features
Home Logic UK Ltd
15 August 2017
£50,000
PECR – Regulation 21
Factual Background
Home Logic UK Ltd (‘Home Logic’) is a provider of home energy saving solutions and products.
Between 1 April 2015 and 31 July 2016, Home Logic made 1,475,969 unsolicited direct marketing calls promoting its services to subscribers. During this period, 136 complaints regarding these calls were made to the Telephone Preference Service (‘TPS’) by TPS registered individuals. The TPS is a register of numbers allocated to subscribers who have notified the TPS that they do not wish to receive unsolicited calls for direct marketing purposes on those lines.
Home Logic licensed the data used to make the calls from third party data providers. These third parties assured Home Logic that the data subjects had ‘opted-in’ and/or were screened against the TPS. However, one third party provider made it clear in its contract with Home Logic that it was the purchaser's responsibility to conduct such screenings.
Home Logic informed the ICO that it did upload data to a dialler system for screening against the TPS. However, due to technical difficulties, the dialler system was unavailable for a period of 90 days during which time Home Logic continued to make unsolicited direct marketing calls without taking any other steps to screen against the TPS.
Home Logic was unable to provide evidence that it had consent to make calls to the subscribers who had complained to the TPS.
ICO Finding
The ICO held that Home Logic made unsolicited direct marketing calls to subscribers who had registered with the TPS without obtaining prior consent (Regulation 21 of PECR).
Although the ICO determined that Home Logic did not deliberately contravene Regulation 21 of PECR, it ought reasonably to have known that there was a risk that these contraventions would occur, particularly because:
  • Home Logic relied heavily on direct marketing due to the nature of its business;
  • the issue of unsolicited calls was widely publicised by the media as being a problem;
  • the dialler system used by Home Logic to screen against the TPS was unavailable for 90 days during which time Home Logic continued to make unsolicited calls without taking any steps to screen against the TPS; and
  • the ICO had published detailed guidance for companies carrying out marketing explaining the legal requirements under PECR.
The ICO further held that Home Logic did not take reasonable steps to prevent the contravention, which could have included the following:
  • asking its third party data providers for evidence that subscribers had consented to receiving calls; and
  • screening the data against the TPS itself, regardless of any assurances that might have been given by the third party data providers.
Harm
The ICO was satisfied that the contravention was 'serious' as there had been multiple breaches of Regulation 21 of PECR over a 15 month period, leading to a significant number of complaints being made. However, it did not appear that any individuals affected suffered financial damage.
Aggravating Factors
No mention of aggravating features
Mitigating Factors
There were no mitigating features
Honda Motor Europe Limited t/a Honda (U.K.)
20 March 2017
£13,000
PECR – Regulation 22
Factual Background
Honda Motor Europe Limited (‘Honda’) is responsible for the sale of Honda products in the UK, including cars and motorbikes. It also coordinates Honda's operations in Europe.
Between 1 May 2016 and 22 August 2016 Honda sent a large number of e-mails to individuals entitled "would you like to hear from Honda?" in order to clarify marketing preferences. The e-mail was sent to those individuals on the database where no 'opt in' or 'opt out' information was held.
Honda explained to the ICO that it had sent the e-mail as a service email, rather than as a marketing e-mail.
Honda obtains personal data of individuals and their specific preferences for direct marketing purposes in a number of ways, including through authorised dealers who are expected to adhere to Honda's Data Management Policy and Guidelines. Due to a design flaw, some dealers had input data onto Honda's central customer database and had confirmed that an individual had agreed to direct marketing, but had failed to complete the actual marketing preferences field, because a yes/no completion of that field was not mandatory.
ICO Finding
The ICO found that between 1 May 2016 and 22 August 2016, Honda instigated the transmission of 289,093 unsolicited communications by e-mail to individual subscribers for the purposes of direct marketing without consent (Regulation 22 of PECR).
As the instigator of the e-mails, Honda was responsible for ensuring that sufficient consent had been acquired. The ICO was satisfied that Honda did not have the requisite consent.
The ICO also found Honda had failed to take reasonable steps to prevent the contraventions.
The Commissioner did not consider the contravention deliberate, however, Honda knew or ought to reasonably have known that there was a risk that these contraventions would occur.
Harm
The Commissioner was satisfied that the contravention was ‘serious’ because of the number of individuals affected.
Aggravating Factors
No mention of aggravating features
Mitigating Factors
There were no mitigating features
The International Fund for Animal Welfare
3 April 2017
£18,000
DPA – 1st Principle, 2nd Principle
(PECR – Regulation 22 also considered, but was not a basis for the monetary penalty)
Factual Background
The International Fund for Animal Welfare (‘IFAW’) is one of the largest animal welfare and conservation charities in the world.
Sharing personal data with third parties
The IFAW shared personal data as part of a Reciprocate Scheme. The Reciprocate Scheme was run by an external company and enabled participating charities to share or swap the personal data of donors or prospective donors. The IFAW participated in the Reciprocate Scheme and another similar scheme between 2011 and September 2015 inclusive. During this period, 4,948,633 records were disclosed, some of which may have been shared more than once.
Wealth screening
The IFAW also provided personal data to wealth screening companies. The personal data which IFAW provided to the wealth screening companies included supporters' names and addresses, as well as internal coding information related to the donation history of the relevant data subject. The IFAW submitted a total of 685,956 records for wealth screening in 2012 and 2013, relating to 466,206 individual supporters.
Data-matching and tele-matching
The IFAW also used the services of an external company to undertake tele-matching on its behalf since at least 1995. Data-matching is the use of personal data to obtain and use other items of personal data which data subjects may have chosen not to provide to the data controller, and tele-matching is a form of data-matching by which telephone numbers are obtained and used. The IFAW matched 220,286 telephone numbers to supporters for whom it had other personal data between 2006 and 2016. IFAW also used the services of an external company to match e-mail addresses to individual supporter records in 2012 and 2013. The IFAW matched 50,282 email addresses to the personal data of supporters, and proceeded to email all of them.
ICO Finding
The ICO was satisfied that the contraventions of the Data Protection Act 1998 (‘DPA’) were deliberate, in the sense that the actions of the IFAW were deliberate. While the IFAW may not have deliberately set out to contravene the DPA, it deliberately acted in such a way that it did so. The ICO also found that the IFAW failed to take reasonable steps to prevent the contraventions of the DPA from occurring.
Sharing personal data with third parties
The ICO found that IFAW unfairly processed individuals’ personal data because the terms of its privacy notice were unduly vague and/or ambiguous and did not provide data subjects with adequate information as to how their personal data would be shared via the schemes (DPA – 1st Principle). The ICO also found that the sharing of personal data via the schemes was incompatible with the purposes explained in IFAW’s privacy notices (DPA – 2nd Principle).
Wealth screening
The ICO found that the IFAW unfairly processed individuals’ personal data because using their data to perform wealth screening was not in the reasonable expectation of those individuals and they were not informed that IFAW would adopt these techniques (through the IFAW’s privacy policy or otherwise) (DPA – 1st Principle). The ICO also found that the purpose of wealth analysis was incompatible with the purposes for which the data were obtained (administrating the donation, and if the individual consented, for marketing purposes) (DPA – 2nd Principle).
Data-matching and tele-matching
The ICO found that it was unfair for the IFAW to use the data for data-matching and/or tele-matching purposes without consent of the data subjects and that such activities were incompatible with the purposes explained in their privacy notices (DPA – 1st Principle, 2nd Principle).
The ICO also considered that by sending emails to persons who had not provided their specific consent to receiving direct marketing e-mails from IFAW, IFAW contravened Regulation 22 of PECR. This contravention was recorded by the ICO as an additional matter of concern but was not used as a basis for the MPN.
Harm
The ICO considered that the contraventions of the DPA were serious because of the length of time over which the contraventions took place, the number of data subjects whose rights were infringed, and the fact that the data subjects were likely to have been affected by those contraventions in significant practical ways.
The ICO was satisfied that these contraventions were of a kind likely to cause substantial damage or substantial distress, taking into account that:
  • at least some proportion of data subjects are likely to be distressed as a result of the contravention;
  • at least some proportion of data subjects are likely to suffer a financial impact and a diversion of time and resources in dealing with additional approaches from the IFAW; and
  • given the scale and duration of the contraventions, it is likely that such distress and/or damage would be substantial. At least some of the affected data subjects would have been likely to suffer substantial distress and/or damage. Alternatively, the cumulative levels of damage and/or distress of this kind of contravention would have been likely to be substantial.
Aggravating Factors
  • IFAW had followed the unlawful practices described above over a period of several years.
  • IFAW's practices appear to have been driven by financial gain. The fact that it is a charity is not an excuse in this respect. In fact, the public is arguably entitled to expect charities to be especially vigilant in complying with their legal obligations.
  • IFAW had contravened the fundamental rights of very large numbers of individuals to have their personal data processed in accordance with the DPA and Directive 95/46/EC.
  • The number of persons affected by the various breaches of the DPA is considerably higher than the number which specifically forms the contraventions in this Notice, because some of the contraventions of the DPA occurred before the power to impose a monetary penalty existed.
  • By failing to adequately explain to data subjects how their personal data would be used, IFAW has deprived them of control and informed decision-making about their personal data to a significant extent.
  • IFAW's activities have exposed the relevant data subjects to substantially distressing and/or damaging consequences, including intrusions into their privacy due to increased direct marketing communications from IFAW and/or other charities. It is likely that many individuals will have been persuaded, by IFAW and/or other charities, to increase their financial support. Those financial consequences will to a significant extent have flowed from IFAW's unlawful data protection practices.
  • It is likely that IFAW has also contravened Regulation 22 of PECR.
Mitigating Factors
  • IFAW co-operated with the Commissioner's investigations.
  • IFAW is a charity that seeks to further its objectives in the public interest, rather than for purely private interests or mere financial gain.
  • IFAW has taken remedial action.
  • IFAW's practices may to an extent have reflected commonplace – albeit mistaken and unlawful – approaches in the charitable sector.
  • The intended monetary penalty may have negative reputational consequences.
IT Protect Ltd
11 January 2017
£40,000
PECR – Regulation 21
Factual Background
IT Protect Ltd’s (‘IT Protect’) business involves making unsolicited marketing calls to elderly subscribers in order to sell a call blocking device to "stop" unwanted marketing calls.
Between 6 April 2016 and 16 May 2016, IT Protect made 157 unsolicited marketing calls to subscribers who were registered with the Telephone Preference Service (‘TPS’). The TPS is a register of numbers allocated to subscribers who have notified the TPS that they do not wish to receive unsolicited calls for direct marketing purposes on those lines.
The ICO received 35 complaints about IT Protect from individual subscribers who were registered with the TPS. The TPS received 122 complaints about IT Protect and referred all of these to IT Protect and also notified the ICO. IT Protect did not respond to the TPS on 69 occasions.
IT Protect explained to the ICO that it had purchased opt-in data from a third party company; however, it had not carried out any due diligence checks to ensure that the subscribers had given their consent to receive such calls from IT Protect.
ICO Finding
The ICO found that IT Protect did not have the appropriate consent to make unsolicited direct marketing calls to subscribers registered with the TPS (Regulation 21 of PECR).
The ICO did not consider the contravention deliberate, but stated that IT Protect should have known or ought reasonably to have known that there was a risk that this contravention would occur. The ICO found that IT Protect had failed to take reasonable steps to prevent the contravention.
Harm
The ICO was satisfied that the contravention was 'serious' due to there being multiple breaches, the duration of the contravention and the number of complaints received.
Individual subscribers complained that the calls were misleading as they gave the impression that IT Protect was calling on behalf of BT, and some complainants alleged that IT Protect preyed on the elderly.
The contravention was exacerbated by the fact that IT Protect was making unsolicited marketing calls to elderly subscribers to sell them a call blocking device to "stop" unwanted marketing calls.
Aggravating Factors
  • IT Protect may obtain a commercial advantage over its competitors by generating leads from unlawful marketing practices.
Mitigating Factors
  • There is a potential for damage to IT Protect’s reputation which may affect future business.
Keurboom Communications Ltd
3 May 2017
£400,000
PECR – Regulation 19
Factual Background
Keurboom Communications Ltd (‘Keurboom’) provides (among other things) telephony services including “voice broadcasting” to companies in order to generate leads so that they can maximise their potential sales.
Between 29 April 2015 and 7 June 2016, the ICO received 1,036 complaints via its online reporting tool. The essence of the complaints was that automated marketing calls had been received by subscribers, mainly in relation to road traffic accidents and PPI claims. Some of the complainants had also received repeat calls (sometimes on the same day) and at unsocial hours.
The calls allowed an option to press 5 if interested, or an option to press 9 to be removed from the list. The calls did not identify the sender and the option of being connected to a person or suppressing the number was not always effective. Some of the calls were also misleading because they gave the impression that the calls were urgent and related to a recent road traffic accident or an ongoing PPI claim.
ICO finding
The Commissioner found that Keurboom instigated automated marketing calls to subscribers without their prior consent (Regulation 19 of PECR).
Between 1 October 2014 and 31 March 2016, Keurboom sent or instigated 99,535,654 automated marketing calls to subscribers without their prior consent.
The ICO also found that Keurboom’s actions which constituted the contravention were deliberate actions (even if Keurboom did not actually intend thereby to contravene PECR).
Harm
The ICO was satisfied that the contravention identified was ‘serious’ because of the number of individuals affected and the extent of the contravention.
Aggravating Factors
  • Keurboom did not co-operate with the Commissioner's investigation.
  • Keurboom might obtain a commercial advantage over its competitors by generating leads from unlawful marketing practices.
Mitigating Factors
There were no mitigating features
LAD Media Limited
18 January 2017
£50,000 – reduced on appeal to £20,000
PECR – Regulation 22
Factual background
LAD Media Limited (‘LAD Media’) is a lead generation and data brokerage business operating in the financial services, debt management and consumer claims sector.
Between 6 January 2016 and 10 March 2016 LAD Media instigated the sending of 393,872 direct marketing text messages to individuals. It had purchased the data used to send the messages from a third party data supplier and the text messages had then been sent on LAD Media’s behalf by another third party. LAD Media provided examples of the opt-in statements which had been relied on to the ICO, which included (among others) the following:
“By agreeing to these terms and condition we may contact you about services or products offered by us or other companies in our group or approved by us, which we believe you may be interested in, or to carry out market research about our services or products or those of third parties. We may also pass information to other companies approved by us so that they may contact you about services or products, which they believe you may be interested in. Contact for these purposes may be by post, email, SMS or by other means as we may agree with you from time to time. This will override any registrations you may have with any preference services.”
During this period, 158 complaints were received by the GSMA's Spam Reporting Service or directly by the ICO, relating to the receipt of unsolicited direct marketing text messages sent on behalf of LAD Media. The GSMA’s Spam Reporting Service allows mobile users to report the receipt of unsolicited marketing text messages to the GSMA, which makes such complaint data available to the ICO.
ICO Finding
The ICO found that LAD Media did not have the appropriate consent to send unsolicited direct marketing text messages to individuals (Regulation 22 of PECR).
The ICO did not consider the contravention deliberate but stated that LAD Media should have known or ought reasonably to have known that there was a risk that this contravention would occur.
The ICO found that LAD Media had failed to take reasonable steps to prevent the contravention, stating that it is not acceptable to rely on assurances of indirect consent without undertaking proper due diligence.
Harm
The ICO was satisfied that the contravention was 'serious' due to the number of messages sent and number of complaints received.
Aggravating Factors
No mention of aggravating features
Mitigating Factors
There were no mitigating features
Appeal
LAD Media appealed the ICO’s MPN and the Tribunal replaced the ICO’s MPN with an MPN on the same terms but with the amount of the penalty amended to £20,000. The Tribunal found that there was a contravention of Regulation 22 of PECR as LAD Media did not have the necessary consents, that the contravention was sufficiently serious, and that LAD Media knew or ought to have known the contravention would occur. However, the amount of the penalty was too high when considering the size of the company and the low levels of profit generated from the activity. Notably, the Tribunal set out some general factors which may be used to determine the amount of a monetary penalty:
  • The circumstances of the contravention;
  • The seriousness of that contravention, as assessed by the harm, either caused or likely to be caused, as a result; whether the contravention was deliberate or negligent; and the culpability of the person or organisation concerned, including an assessment of any steps taken to avoid the contravention;
  • Whether the recipient of the MPN is an individual or an organisation, including its size and sector;
  • The financial circumstances of the recipient of the MPN, including the impact of any monetary penalty;
  • Any steps taken to avoid further contravention(s); and
  • Any redress offered to those affected.
Laura Anderson Limited t/a Virgo Home Improvements
31 July 2017
£80,000
PECR – Regulation 21
Factual Background
Virgo Home Improvements (‘VHI’) sells home improvement products and services to residential homes in England.
Between 6 April 2015 and 22 November 2016, the ICO received 440 complaints about separate unsolicited direct marketing calls made by VHI. VHI had purchased 500,000 telephone numbers from a third party list supplier between 2010 and 2014, and following this used its own databases and a further purchase of 400,000 numbers to fuel its telemarketing activities. There were no contracts in place with the data suppliers, but VHI said it was assured by the relevant companies that the data had been screened against the Telephone Preference Service (‘TPS’) prior to being provided. The TPS is a register of numbers allocated to subscribers who have notified the TPS that they do not wish to receive unsolicited calls for direct marketing purposes on those lines.
VHI does not hold its own TPS licence and does not screen against the TPS register. VHI indicated that it operates an internal suppression list and adds to it the telephone numbers of anybody asking not to be called again. VHI also advised that prior to 2010, all data had been recorded and stored in paper format, which has since been destroyed following its transfer to an electronic format. VHI was therefore unable to provide evidence of consent or that it had undertaken the appropriate due diligence with its list providers.
ICO Finding
The ICO found that VHI had made unsolicited calls for direct marketing purposes without the appropriate consent (Regulation 21 of PECR). The ICO considered that VHI had deliberately contravened Regulation 21 of PECR because VHI did not screen against the TPS, nor did it keep clear records of which individuals had consented to be called.
Harm
The ICO was satisfied that the contravention was ‘serious’ due to the large number of data subjects affected, and the duration of the contravention (spanning over a year). Furthermore, the ICO recognised that these calls were likely to have caused distress to some individuals, as many of the individuals had received repeated unsolicited calls and their opt-out requests were ignored. The ICO also highlighted the targeting of some vulnerable individuals, including the elderly, and anecdotally referenced instances of VHI repeatedly contacting grieving families.
Aggravating Factors
No mention of aggravating features
Mitigating Factors
There were no mitigating features
London Borough of Islington
7 August 2017
£70,000
DPA – 7th Principle
Factual Background
In 2012, Islington's internal application team developed 'TicketViewer' on behalf of Islington Parking Services (‘the application’). It was hosted separately to Islington's other systems. A user could log onto the application by entering the vehicle registration number (‘VRN’) and a parking ticket number to see a CCTV image or video of their alleged contravention or offence. If a user still wanted to appeal a parking ticket, they could send supporting evidence to Islington Parking Services by email or post. This included their name and address together with details of any mitigating circumstances such as health issues, disabilities and financial details. The back office processing centre scanned all of this information (including the parking ticket and the CCTV image or video that showed the VRN) onto the user's ticket attachment folder.
On 25 October 2015, Islington was informed by a user that the ticket attachment folders could be accessed by manipulating the URL in the user's browser. At that time, the ticket attachment folders contained personal data relating to approximately 89,000 users, including sensitive personal data and financial details. On 16 and 25 October 2015, external testing discovered that a total of 119 documents had been accessed a total of 235 times from 36 unique IP addresses affecting 71 individuals.
ICO Finding
The ICO found that Islington failed to take appropriate technical measures against the unauthorised and unlawful processing of personal data (DPA – 7th Principle). The Commissioner did not consider the contravention to be deliberate; however, Islington ought reasonably to have known that there was a risk that unauthorised or unlawful access would occur unless it ensured that the personal data held in the ticket attachment folders was appropriately protected.
The ICO also found that Islington failed to take reasonable steps to prevent the contravention, such as ensuring that Islington’s IT security team tested the application before it went live and tested it regularly thereafter.
Harm
The Commissioner is satisfied that the contravention was ‘serious’ due to the number of data subjects, the nature of the personal data that was held in some of the ticket attachment folders and the potential consequences. Further, the Commissioner considered that the contravention was of a kind likely to cause distress to the users if they knew that their personal data had been accessed by unauthorised individuals. The Commissioner also considers that such distress was likely to be substantial, having regard to the number of users and the nature of the data that was held in the ticket attachment folders.
Aggravating Factors
No mention of aggravating features
Mitigating Factors
  • Islington referred this incident to the Commissioner, immediately took the application offline and was co-operative during the Commissioner's investigation.
  • The affected individuals were notified by Islington.
  • The Commissioner is not aware of the affected individuals actually suffering any damage or distress in this case.
  • A monetary penalty may have a significant impact on Islington's reputation, and to an extent, its resources.
  • This incident has been publicised on social media and in the local press.
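Added illustration, not the council’s code and not taken from the ICO notice: a pure-Python model of the log-on and attachment lookup described above (ticket numbers, VRNs, file names and log lines are all constructed), contrasting a lookup that trusts the folder named in the URL with one bound to the verified session, plus a log check for the access pattern the ICO reported (one client reaching several users’ folders).

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample store: ticket number -> (VRN, attachment names in that folder).
TICKETS: Dict[str, Tuple[str, List[str]]] = {
    "PCN1001": ("AB12CDE", ["cctv.jpg", "appeal.pdf"]),
    "PCN1002": ("XY98ZZZ", ["cctv.mp4", "medical.pdf"]),
    "PCN1003": ("LM34NOP", ["cctv.jpg"]),
}


class Session:
    """Server-side session: remembers which ticket the user proved they own."""

    def __init__(self) -> None:
        self.verified_ticket: Optional[str] = None


def login(session: Session, vrn: str, ticket: str) -> bool:
    """Log-on step as described for TicketViewer: the user supplies VRN and ticket number."""
    rec = TICKETS.get(ticket)
    if rec is None or rec[0] != vrn:
        return False
    session.verified_ticket = ticket
    return True


def fetch_attachment_weak(session: Session, folder: str, name: str) -> Optional[str]:
    """Weak pattern: the folder named in the URL is served whenever it exists.
    The session is never consulted, so editing the folder in the URL reaches
    another user's files (the failure the ICO described)."""
    rec = TICKETS.get(folder)
    if rec is None or name not in rec[1]:
        return None
    return f"<contents of {folder}/{name}>"


def fetch_attachment_hardened(session: Session, folder: str, name: str) -> Optional[str]:
    """Hardened pattern: the URL is not an authority. The only folder a session
    may read is the ticket it verified at log-on."""
    if session.verified_ticket is None:
        return None  # unauthenticated request
    if folder != session.verified_ticket:
        return None  # authenticated, but asking for someone else's folder
    rec = TICKETS[folder]
    if name not in rec[1]:
        return None
    return f"<contents of {folder}/{name}>"


# Constructed web-server log lines: "<client ip> <folder>/<file> <http status>".
SAMPLE_LOG = """\
203.0.113.5 PCN1001/cctv.jpg 200
203.0.113.5 PCN1002/medical.pdf 200
203.0.113.5 PCN1003/cctv.jpg 200
198.51.100.7 PCN1002/cctv.mp4 200
198.51.100.7 PCN1002/medical.pdf 200
198.51.100.9 PCN1003/appeal.pdf 404
"""


def flag_folder_enumeration(log_text: str, max_folders_per_ip: int = 1) -> Dict[str, List[str]]:
    """A legitimate user sees one ticket folder. Report client IPs that
    successfully read documents from more distinct folders than that."""
    folders = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip, path, status = line.split()
        if status != "200":
            continue
        folders[ip].add(path.split("/", 1)[0])
    return {ip: sorted(f) for ip, f in folders.items() if len(f) > max_folders_per_ip}
```

The hardened lookup also refuses unauthenticated requests outright, which is the check the ICO said was missing before go-live testing would have caught it.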
Macmillan Cancer Support
3 April 2017
£14,000
DPA – 1st Principle, 2nd Principle
Factual Background
Macmillan Cancer Support (‘Macmillan’) is one of the largest British charities and provides specialist health care, information and financial support to people affected by cancer.
Wealth screening
Macmillan used the services of wealth screening companies to analyse the financial status of its supporters in order to identify wealthy or high value individuals. The personal data which Macmillan provided to the wealth screening companies included supporters' names and addresses and information relating to their donation history. The wealth screening companies then analysed the data in order to identify wealthy or high value individuals amongst Macmillan's donors. Macmillan confirmed that it had undertaken such activity in respect of donors on its database on two occasions, in 2009 and 2014. In 2014 details of 2,188,508 of its supporters had been processed for the purposes of wealth analysis.
Tele-matching
Macmillan also used the services of an external company to undertake tele-matching on its behalf since 2009. The ICO understood that, while Macmillan does not hold records of the precise number of data subjects involved, it is likely to be several hundred thousand.
ICO Finding
The ICO was satisfied that these contraventions were deliberate, in the sense that the actions of Macmillan were deliberate. Alternatively, Macmillan ought reasonably to have known that there was a risk that the contraventions would occur, and that they would be of a kind likely to cause substantial damage or distress.
Wealth screening
The ICO found that Macmillan unfairly processed individuals’ personal data because using their data to perform wealth screening was not in the reasonable expectation of those individuals and they were not informed that Macmillan would adopt these techniques (through Macmillan’s privacy policy or otherwise) (DPA – 1st Principle). The ICO also found that the purpose of wealth analysis was incompatible with the purposes for which the data were obtained (administering the donation and, if the individual consented, for marketing purposes) (DPA – 2nd Principle).
Tele-matching
The ICO also found that it was unfair for Macmillan to use the data for data-matching and/or tele-matching purposes without consent of the data subjects and that such activities were incompatible with the purposes explained in their privacy notices (DPA – 1st Principle, 2nd Principle).
Harm
The ICO considered that the contraventions were serious because of the length of time over which the contraventions took place, the number of data subjects whose rights were infringed and the fact that the data subjects were likely to have been affected by those contraventions in significant practical ways.
The ICO was satisfied that these contraventions were of a kind likely to cause substantial damage or substantial distress, taking into account that:
  • at least some proportion of data subjects are likely to be distressed as a result of the contravention;
  • at least some proportion of data subjects are likely to suffer a financial impact and a diversion of time and resources in dealing with additional approaches from Macmillan; and
  • given the scale and duration of the contraventions, it is likely that such distress and/or damage would be substantial. At least some of the affected data subjects would have been likely to suffer substantial distress and/or damage. Alternatively, the cumulative levels of damage and/or distress of this kind of contravention would have been likely to be substantial.
Aggravating Factors
  • Macmillan followed the unlawful practices over a period of several years.
  • Macmillan's practices appeared to have been driven by financial gain. Its charitable status was not an excuse in this respect. In fact, the public is arguably entitled to expect charities to be especially vigilant in complying with their legal obligations.
  • Macmillan contravened the fundamental rights of very large numbers of individuals to have their personal data processed in accordance with the Data Protection Act 1998 and Directive 95/46/EC.
  • By failing adequately to explain to data subjects how their personal data would be used, Macmillan has deprived them of control and informed decision-making about their personal data to a significant extent.
  • Macmillan's activities have exposed the relevant data subjects to substantially distressing and/or damaging consequences.
Mitigating Factors
  • Macmillan co-operated with the ICO's investigations.
  • Macmillan is a charity that seeks to further its objectives in the public interest, rather than for purely private interests or mere financial gain.
  • Macmillan's practices may to an extent have reflected commonplace - albeit mistaken and unlawful - approaches in the charitable sector.
  • The intended monetary penalty may have negative reputational consequences.
Monevo Limited
13 April 2017
£40,000
PECR – Regulation 22
Factual Background
Monevo Limited (Monevo) is a financial brokerage company which offers to find lenders and financial service providers for applicants via an online service. Monevo engaged a third party to carry out a text marketing campaign on its behalf which directed recipients to a web link, which in turn redirected to the website of ‘Purple Payday’, a trading name of Monevo. 353,740 such text messages were sent.
44,172 of these text messages were sent using data obtained from three competition or money saving websites. The privacy notices on those websites were generic and unspecific and none indicated that the data would be used for sending direct marketing text messages by or on behalf of the company.
Between the dates of 1 April 2016 and 28 June 2016 GSMA’s Spam Reporting Service received 130 complaints in relation to the text messages sent on behalf of Monevo.
ICO Finding
The ICO found that in contracting with the affiliate company to send the direct marketing text messages on its behalf, Monevo instigated the sending of the text messages, regardless of whether or not the text messages had been in the form agreed.
As the instigator, it was Monevo’s responsibility to ensure that the necessary consent had been gained. The ICO was satisfied that Monevo did not have the consent of the 44,172 subscribers to whom it instigated the sending of unsolicited direct marketing messages (Regulation 22 of PECR).
In particular, Monevo:
  • failed to take reasonable steps to prevent the contraventions; and
  • did not carry out any, or any sufficient, due diligence to satisfy itself that the third party affiliate had obtained the data it was using fairly and lawfully, and that it had the necessary consent.
The Commissioner did not consider this contravention deliberate, but the Commissioner was satisfied that Monevo knew or ought reasonably to have known that there was a risk that these contraventions would occur.
Harm
The ICO was satisfied that the contravention was ‘serious’ owing to the number of individuals affected and the number of complaints received.
Aggravating Factors
No mention of aggravating features
Mitigating Factors
There were no mitigating features
Moneysupermarket.com Ltd
17 July 2017
£80,000
PECR – Regulation 22
Factual Background
Moneysupermarket.com Ltd (‘Moneysupermarket’) is an online price comparison service.
In December 2016, the company sent an email to a consumer advising them that the terms and conditions of the service had been updated. The individual complained to the ICO, stating that they had previously opted out of Moneysupermarket's marketing emails.
The ICO informed Moneysupermarket that organisations cannot email individuals who have opted out in order to ask them to consent to future marketing. Upon discussion with the ICO, Moneysupermarket confirmed that all of the customers sent the terms and conditions update email had previously opted out of receiving direct marketing emails. Further, Moneysupermarket was unable to evidence that any individuals contacted had subsequently consented to this marketing.
ICO Finding
The ICO found that Moneysupermarket knowingly instigated the transmission of 6,788,496 unsolicited marketing communications without the appropriate consent (Regulation 22 of PECR).
The ICO also found that Moneysupermarket failed to take reasonable steps to prevent the contraventions in this case. The ICO further considers that these actions were deliberate, as Moneysupermarket was aware that the emails were being sent, and that these individuals had not consented to the direct marketing.
Harm
The ICO was satisfied that the contravention was ‘serious’ due to the number of marketing emails sent without consent, which totalled 6,788,496 emails.
Aggravating Factors
No mention of aggravating features
Mitigating Factors
There were no mitigating features
Munee Hut LLP
10 March 2017
£20,000
PECR – Regulation 22
Factual Background
Munee Hut LLP (‘Munee Hut’) is a credit lending and brokerage business which markets its services through affiliates which send marketing text messages directing recipients to its website. Between 1 May 2015 and 22 March 2016, approximately 64,000 unsolicited direct marketing text messages were sent on the company's behalf by its affiliate, a company based in Belize. During this period, 885 complaints were made to GSMA's Spam Reporting Service. The GSMA’s Spam Reporting Service allows mobile users to report the receipt of unsolicited marketing text messages to the GSMA, which makes such complaint data available to the ICO.
The data had been obtained from a number of different websites (loan companies and a prize draw website) which had generic and unspecific privacy notices which did not indicate that the data would be used for sending direct marketing text messages by or on behalf of the company.
ICO Finding
The ICO found that between 1 May 2015 and 22 March 2016, Munee Hut instigated the transmission of approximately 64,000 unsolicited direct marketing messages to individual subscribers without the requisite consent (Regulation 22 of PECR).
As the instigator of the text messages, it was the responsibility of the company to ensure that sufficient consent had been acquired. The ICO was satisfied that the company did not have the consent of the subscribers.
The ICO stressed that it was not acceptable to rely on assurances of indirect consent without undertaking proper due diligence. It found that a reputable list broker should provide full details of individuals’ consent to be contacted. If a broker could not provide such information, the buyer should not use the list. Munee Hut relied on contractual assurances, but did not carry out a proper review of the privacy notices of the websites from which the data had been obtained.
The ICO did not consider the contravention deliberate, but Munee Hut should have known or ought reasonably to have known that there was a risk that these contraventions would occur.
Harm
The ICO was satisfied that the contravention was 'serious' due to the fact that 64,000 messages were sent and 885 complaints received.
Aggravating Factors
No mention of aggravating features
Mitigating Factors
There were no mitigating features
MyHome Installations Limited
19 June 2017
£50,000
PECR – Regulation 21
Factual Background
MyHome Installations Limited (the ‘Company’) provides home security and electrical installation products and services to members of the public.
Between 6 April 2015 and 9 September 2016, the ICO received 169 complaints about unsolicited direct marketing calls made by the Company. Of those, 138 complaints were made to the Telephone Preference Service (‘TPS’) (a register of numbers allocated to subscribers who have notified the ICO that they do not wish to receive unsolicited calls for direct marketing purposes), with a further 31 made direct to the ICO. All of these complaints were made by individual subscribers who were registered with the TPS.
The Company had purchased data from third party companies for the purpose of marketing, and relied on its data providers to deliver on their promise of high quality, TPS cleansed data. In response to the ICO’s enquiries, the Company was unable to provide evidence of consent for the numbers complained about, as the marketing manager in place at the time had left the business. This previous manager had historically bought data and added it to the Company’s call lists without any way of referencing its source.
ICO Finding
The ICO found that between 6 April 2015 and 9 September 2016, the Company used a public telecommunications service for the purposes of making 169 unsolicited calls for direct marketing purposes to subscribers where the number allocated to the subscriber in respect of the called line was a number registered with the TPS, contrary to regulation 21(1)(b) of PECR.
The ICO also found that the 169 complaints were made by subscribers who had registered with the TPS at least 28 days prior to receiving the calls and they had not given their prior consent to the Company to receive calls.
The ICO did not consider the contravention deliberate. However, because the Company knew that people were complaining about calls they were receiving, the ICO considered that it ought to have known the risk of contravening PECR. The ICO also found that the Company failed to take reasonable steps to prevent the contraventions.
Harm
The ICO considered that these contraventions were ‘serious’ because there had been multiple breaches of regulation 21 by the Company arising from its activities over an 18 month period, which led to a number of complaints about unsolicited direct marketing calls being made to the TPS and the ICO. Also, it is reasonable to suppose that considerably more calls were made by the Company because those who went to the trouble of complaining are likely to represent only a proportion of those who actually received calls.
Aggravating Factors
No mention of aggravating features
Mitigating Factors
There were no mitigating features
The National Society for the Prevention of Cruelty to Children
3 April 2017
£12,000
DPA – 1st Principle, 2nd Principle
(PECR – Regulation 22 also considered, but was not a basis for the monetary penalty)
Factual Background
The National Society for the Prevention of Cruelty to Children (‘NSPCC’) is a charity campaigning and working in child protection in the , the and the Isle of Man.
Collection and use of data
From June 2014 until August 2015, the NSPCC used a standard form (the ‘June 2014 Form’) when collecting the personal data of individuals. The June 2014 Form did not provide any privacy information about the use of the personal data collected for live telephone or mail marketing. In each case, some time after the collection of the data, the NSPCC sent the individuals a letter which stated that their data would be used for marketing.
NSPCC collected personal data from 22,608 individuals using the June 2014 Form. Of these:
  • 22,354 individuals were sent a total of 144,317 marketing mailings since June 2014;
  • the personal data of 20,370 individuals were being used for mail marketing as of November 2016, with four complaints having been received; and
  • 11,360 individuals received a total of around 22,720 live telephone marketing calls up to November 2016. 2,540 of the telephone numbers called were registered with the Telephone Preference Service (‘TPS’), and 3,527 marketing calls were made to those numbers.
The TPS is a register of numbers allocated to subscribers who have notified the TPS that they do not wish to receive unsolicited calls for direct marketing purposes on those lines.
Data-matching and tele-matching
The NSPCC had used the services of external companies to undertake data-matching and tele-matching on its behalf since at least 2010. Data-matching is the use of personal data to obtain and use other items of personal data which data subjects may have chosen not to provide to the data controller, and tele-matching is a form of data-matching by which telephone numbers are obtained and used. From 6 April 2010 until May 2016 the NSPCC tele-matched 246,751 individuals' records in order to obtain their telephone numbers and make marketing calls to them. 46,415 telephone numbers were on the TPS, but the NSPCC did not screen the numbers against the TPS. From May 2016 onwards the NSPCC tele-matched numbers for data accuracy purposes. The NSPCC also used the services of an external company to match email addresses to individual supporter records. In November 2014 the NSPCC data-matched 115,741 individuals' email addresses to the personal data of supporters.
Wealth screening
The NSPCC used the services of a wealth screening company to market specific events to a select number of appropriate individuals. The personal data which the NSPCC provided to the wealth screening company included supporters' names and addresses and information relating to their donation history.
The wealth screening company appended 3,217 records, of the 2,105,145 screened, with a specific “millionaire” wealth flag. In April 2015 the NSPCC contacted 493 of these 3,217 individuals across two fundraising communications specifically on the basis of that wealth flag. The NSPCC also used the services of a wealth screening company to screen 5,870,135 supporter records held in data warehouses, although these included duplicate supporter records, as the same supporter may have been included on multiple databases. It appended 1,862 of these records with a wealth flag, and selected 70 of these for a regional legacy event.
‘You Can’ Direct Response Television campaign
In June 2014 the NSPCC began its 'You Can' Direct Response Television (‘DRTV’) campaign. The campaign ended in November 2015. Individuals who made a donation by text received two separate bounce-back text messages. As of June 2016, 73,921 individuals had made a donation via SMS text to the NSPCC as part of this campaign, and received two bounce-back text messages in response:
“Thank you for supporting the NSPCC. We’d like to contact you to tell you more about our work. For terms visit http://www.nspcc....”
“Text OUT to 70744 to stop further contact”
The Commissioner considers that these bounce back text messages were sent for the purposes of direct marketing since they informed supporters of the NSPCC's intention to make further marketing approaches in the future. Further, individuals were automatically opted-in to receive further marketing communications.
ICO Finding
The ICO was satisfied that the contraventions of the Data Protection Act 1998 (‘DPA’) were deliberate, in the sense that the actions of the NSPCC were deliberate. While the NSPCC may not have deliberately set out to contravene the DPA, it deliberately acted in such a way that it did so. The ICO also found that the NSPCC failed to take reasonable steps to prevent the contraventions of the DPA from occurring.
Collection and use of data
The ICO found that the NSPCC’s system of processing personal data was unfair because it did not inform individuals that their data would be processed for the purposes of live telephone or mail marketing at the time the data was collected and/or before the intended processing occurred (DPA – 1st Principle, 2nd Principle).
Data-matching and tele-matching
The ICO also found that it was unfair for the NSPCC to use the data for data-matching and/or tele-matching purposes without consent of the data subjects and that such activities were incompatible with the purposes explained in their privacy notices (DPA – 1st Principle, 2nd Principle).
Wealth screening
The ICO found that the NSPCC unfairly processed individuals’ personal data because using their data to perform wealth screening was not in the reasonable expectation of those individuals and they were not informed that NSPCC would adopt these techniques (through the NSPCC’s privacy policy or otherwise) (DPA – 1st Principle). The ICO also found that the purpose of wealth analysis was incompatible with the purposes for which the data were obtained (administrating the donation, and if the individual consented, for marketing purposes) (DPA – 2nd Principle).
‘You Can’ Direct Response Television campaign
The ICO considered that the bounce back text messages were sent for the purposes of direct marketing because they informed supporters of the NSPCC’s intention to make further marketing approaches in the future, and the NSPCC had not obtained the necessary consent for such direct marketing (PECR – Regulation 22). This contravention was recorded by the ICO as an additional matter of concern but was not used as a basis for the MPN.
Harm
The ICO considered that the contraventions of the DPA were serious because of the length of time over which the contraventions took place, the number of data subjects whose rights were infringed, and the fact that the individuals were effectively stripped of control over their own personal data (where the NSPCC used the June 2014 Form) or were likely to have been affected by those contraventions in significant practical ways (where data-matching and wealth screening took place).
The ICO was satisfied that these contraventions were of a kind likely to cause substantial damage or substantial distress, taking into account that:
  • at least some proportion of data subjects are likely to be distressed as a result of the contravention;
  • at least some proportion of data subjects are likely to suffer a financial impact and a diversion of time and resources in dealing with additional approaches from the NSPCC; and
  • given the scale and duration of the contraventions, it is likely that such distress and/or damage would be substantial. At least some of the affected data subjects would have been likely to suffer substantial distress and/or damage. Alternatively, the cumulative levels of damage and/or distress of this kind of contravention would have been likely to be substantial.
Aggravating Factors
  • The NSPCC had followed the unlawful practices described above over a period of several years and on a continuing basis.
  • The NSPCC's practices appear to have been driven at least in part by financial gain. The fact that it is a charity is not an excuse in this respect. In fact, the public is arguably entitled to expect charities to be especially vigilant in complying with their legal obligations.
  • The NSPCC had contravened the fundamental rights of a very large number of individuals not to be subject to unlawful direct telephone marketing and to have their personal data processed in accordance with the DPA and Directive 95/46/EC.
  • By failing adequately to explain to data subjects how their personal data would be used, the NSPCC had deprived them of control and informed decision-making about their personal data to a significant extent.
  • The NSPCC's activities as described above have exposed the relevant data subjects to substantially distressing and/or damaging consequences, including intrusions into their privacy due to unsolicited direct marketing communications. It is likely that many individuals will have been persuaded by the NSPCC to increase their financial support. Those financial consequences will to a significant extent have flowed from the NSPCC's unlawful practices described above.
  • It is likely that the NSPCC has also contravened Regulation 22 of PECR.
Mitigating Factors
  • The NSPCC co-operated with the Commissioner's investigations.
  • The NSPCC is a charity that seeks to further its objectives in the public interest, rather than for purely private interests or mere financial gain.
  • The NSPCC has taken remedial action.
  • The NSPCC's practices may to an extent have reflected commonplace - albeit mistaken and unlawful - approaches in the charitable sector.
  • The intended monetary penalty may have negative reputational consequences.
Norfolk County Council
15 March 2017
£60,000
DPA – 7th Principle
Factual Background
On 14 April 2014, a third party collected some redundant furniture from the Council as part of an office move. The furniture included a number of filing cabinets used by the children’s social work team.
On 18 April 2014, a member of the public bought one of the filing cabinets from a second hand furniture shop. The filing cabinet was delivered to their home address and was found to contain case files, including sensitive information relating to (among others) seven children.
The Council did not keep a record of how many pieces of furniture were collected by the third party and it was not clear which team was responsible for ensuring that the furniture was empty prior to disposal.
ICO Finding
The ICO found that the Council did not have in place appropriate organisational measures for ensuring that such an incident would not occur, i.e. for ensuring that the office furniture was empty prior to disposal (DPA – 7th Principle).
In particular, the Council did not have an adequate written procedure governing how office furniture disposal should be managed.
The ICO did not consider the contravention deliberate, however, the Council ought reasonably to have known that there was a risk that this contravention would occur unless it ensured the office furniture disposal process was governed by an adequate written procedure.
Harm
The ICO was satisfied that the contravention was ‘serious’ due to the highly sensitive nature of some of the personal data that was left in the furniture and the potential consequences.
The ICO also considered that the contravention was of a kind likely to cause distress to the affected individuals because the personal data could be further disseminated or misused and that the damage or distress was likely to be substantial having regard to the number of affected individuals and the highly sensitive nature of some of the personal data held in the files.
Aggravating Factors
  • Some of the office furniture is still unaccounted for.
Mitigating Factors
  • The information in the filing cabinet was recovered from the member of the public after eight days, as soon as the Council was notified.
  • The Council has taken remedial action.
  • The Council referred this incident to the ICO and was co-operative during the investigation.
  • A monetary penalty may have a significant impact on the Council’s reputation and (to some extent) its resources.
Nottinghamshire County Council
24 August 2017
£70,000
DPA – 7th Principle
Factual Background
In July 2011, the Council’s digital team launched its ‘Home Care Allocation System’ (‘HCAS’). Third party home care providers could access HCAS to confirm that they had capacity to support a particular service user. The home care providers were each sent a link to HCAS via e-mail. There were no access controls on HCAS, such as the use of a username or password.
On 14 June 2016, a member of the public informed Nottinghamshire that HCAS could also be accessed via an internet search engine. They were concerned that, “Should someone who would wish to prey on a vulnerable person…it would not be difficult for them to attend one of the streets listed, find where the carers attend and subsequently consider attempting a burglary or similar knowing the service user is very likely to be vulnerable or elderly.”
At that time, HCAS contained a directory of 81 service users including their gender, addresses (to the extent required by each home care provider) and post codes; personal care needs and care package requirements such as the number of home visits per day and whether the service user was currently in hospital. This personal data would allow a motivated individual to identify a service user.
ICO Finding
The ICO found that the Council did not have appropriate technical and organisational measures in place for ensuring so far as possible that such an incident would not occur (DPA – 7th Principle). In particular, the ICO found that HCAS did not have in place an authentication process which identified a user before allowing them access to the system, such as a username or password.
The ICO did not consider the contravention deliberate. However, the Council should have known or ought reasonably to have known there was a risk that unauthorised or unlawful access would occur unless it ensured the personal data held on HCAS was appropriately protected. The ICO found that the Council had failed to take reasonable steps to prevent the contravention.
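The control the ICO found missing here is an authentication step in front of the directory, together with keeping an internal system out of search engine indexes. The block below is an added example, not the Council's HCAS code: it assumes an in-memory user store with salted PBKDF2 password hashes, bearer-token sessions, a constructed directory of two service users, and a tiny router that returns a status code, response headers and a body.

```python
"""Added example: an authentication gate for a care-provider directory.

Not the Council's code. Assumptions: in-memory users and sessions, bearer
tokens, and a constructed two-provider directory (no real service users).
"""
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 200_000

# Constructed sample data: each home care provider sees only its own service users.
DIRECTORY = {
    "provider-a": [{"ref": "SU-001", "postcode": "NG1 1AA", "visits_per_day": 2}],
    "provider-b": [{"ref": "SU-002", "postcode": "NG2 2BB", "visits_per_day": 3}],
}

_users = {}     # username -> (salt, pbkdf2 digest)
_sessions = {}  # bearer token -> username


def register(username, password):
    """Store a salted PBKDF2 hash; the plaintext password is never kept."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    _users[username] = (salt, digest)


def login(username, password):
    """Return a fresh session token on valid credentials, otherwise None."""
    record = _users.get(username)
    if record is None:
        # Hash anyway so response timing does not reveal whether the user exists.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ROUNDS)
        return None
    salt, expected = record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    if not hmac.compare_digest(digest, expected):
        return None
    token = secrets.token_urlsafe(32)
    _sessions[token] = username
    return token


# Headers telling crawlers and caches not to retain anything from this system.
NO_INDEX = {"X-Robots-Tag": "noindex, nofollow", "Cache-Control": "no-store"}


def handle_request(method, path, headers):
    """Minimal router: returns (status, response headers, body)."""
    if path == "/robots.txt":
        return 200, {}, "User-agent: *\nDisallow: /\n"
    if path == "/directory" and method == "GET":
        auth = headers.get("Authorization", "")
        token = auth[len("Bearer "):] if auth.startswith("Bearer ") else None
        username = _sessions.get(token)
        if username is None:
            # Unauthenticated callers learn nothing about the directory contents.
            return 401, {**NO_INDEX, "WWW-Authenticate": "Bearer"}, "authentication required"
        return 200, NO_INDEX, DIRECTORY.get(username, [])
    return 404, NO_INDEX, "not found"
```

A link e-mailed to a provider, as HCAS used, is a locator, not a credential; the router above refuses the directory to any request that does not carry a session token obtained through `login`, and the `noindex` response header and `robots.txt` keep a crawler from publishing whatever a login page does reveal.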
Harm
The ICO was satisfied that the contravention identified was ‘serious’ due to the number of data subjects, the nature of the personal data held on HCAS and the potential consequences of unauthorised or unlawful access.
The ICO held that the contravention was likely to cause distress to the service users if they knew that their personal data had been accessible to unauthorised individuals over a five year period, and that such distress was likely to be substantial because of the nature of the data, the number of service users and the vulnerable nature of the service users. The ICO also found that service users would be distressed simply through having justifiable concerns that their information had been further disseminated, even if those concerns did not actually materialise.
Aggravating Factors
No mention of aggravating features
Mitigating Factors
  • HCAS was taken offline on 14 June 2016.
  • Nottinghamshire reported this incident to the Commissioner and was co-operative during her investigation.
  • A monetary penalty might have a significant impact on Nottinghamshire’s reputation and, to an extent, its resources.
Onecom Limited
11 May 2017
£100,000
PECR – Regulation 22
Factual Background
Onecom confirmed that it had sent 3,284,908 text messages between 1 October 2015 and 31 March 2016. Of these, 2,796,075 had been received by the recipient. The data used by Onecom for sending the marketing text messages had been obtained from various sources: (i) data acquired through the acquisition of other businesses; (ii) data obtained by Onecom from its own customers; and (iii) data obtained from third party data suppliers.
Between 26 October 2015 and 2 June 2016, 1050 complaints were made to GSMA’s Spam Reporting Service, or directly to the ICO, about the receipt of unsolicited direct marketing text messages relating to mobile phone upgrades. The GSMA’s Spam Reporting Service allows mobile users to report the receipt of unsolicited marketing text messages to the GSMA, who makes such complaints data available to the ICO. 944 of such messages did not identify Onecom as the sender, though the ICO was satisfied that all 1050 text messages complained about were sent by Onecom. Onecom was unable to provide evidence that it had consent to send those text messages or that it could rely on the ‘soft opt-in’.
ICO finding
The ICO found that Onecom sent direct marketing messages without the appropriate consent (Regulation 22 of PECR).
The Commissioner did not consider the contravention deliberate, but Onecom should have known or ought reasonably to have known that there was a risk that this contravention would occur. The ICO found that Onecom had failed to take reasonable steps to prevent the contravention.
Harm
The Commissioner was satisfied that the contravention identified was ‘serious’ because of the number of individuals affected by the contravention.
Aggravating Factors
  • Onecom contravened regulation 23 of PECR in that it did not (at the very least in 944 of the 1050 text messages complained of) identify the person on whose behalf the messages were sent.
Mitigating Factors
  • Onecom has stopped sending marketing texts and taken a number of remedial steps to ensure future compliance.
Oxfam
3 April 2017
£6,000
DPA – 1st Principle, 2nd Principle
(PECR – Regulation 22 also considered, but was not a basis for the monetary penalty)
Factual Background
Oxfam is an international confederation of focused on the alleviation of global .
Tele-matching
During the period 2003 until August 2015, Oxfam used the services of external companies to undertake tele-matching on its behalf. Tele-matching is data-matching by which telephone numbers which data subjects may have chosen not to provide are obtained and used.
Since 2011, Oxfam tele-matched a total of 267,521 records of donors. Oxfam used the telephone numbers obtained through tele-matching to make live marketing calls. Oxfam did not inform individuals that their data would be processed in this way.
Text message donation campaigns
Between August 2013 and July 2015, Oxfam undertook two campaigns that allowed individuals to donate to Oxfam via SMS text. Individuals who donated to the campaign received a bounce back text message and were automatically opted-in to receive further text and telephone marketing. In addition, 40,504 individuals received between one to four further marketing text messages as part of further campaigns in the following 13 months.
ICO Finding
Tele-matching
The ICO found that it was unfair for Oxfam to use the data for tele-matching purposes without consent of the data subjects and that such activities were incompatible with the purposes explained in their privacy notices (DPA – 1st Principle, 2nd Principle).
The ICO was satisfied that the contravention of the Data Protection Act 1998 (‘DPA’) was deliberate, in the sense that the actions of Oxfam were deliberate. While Oxfam may not have deliberately set out to contravene the DPA, it deliberately acted in such a way that it did so. The ICO also found that Oxfam failed to take reasonable steps to prevent the contraventions of the DPA from occurring.
Text message donation campaigns
The ICO considered that the bounce back text messages sent as part of two separate Oxfam campaigns were sent for the purposes of direct marketing, since they informed supporters of Oxfam's intention to make further marketing approaches in the future. The Commissioner also found that Oxfam did not have the requisite consent to send direct marketing text messages to individuals who made donations via SMS text messages. This was considered to be a likely contravention of Regulation 22 of PECR. This contravention was recorded by the ICO as an additional matter of concern but was not used as a basis for the MPN.
Harm
The ICO considered that the contravention of the DPA was serious because of the length of time over which the contravention took place, the number of data subjects whose rights were infringed, and because the data subjects were likely to have been affected by this contravention in significant practical ways.
The ICO was satisfied that the contravention was of a kind likely to cause substantial damage or substantial distress, taking into account that:
  • at least some proportion of data subjects are likely to be distressed as a result of the contravention;
  • at least some proportion of data subjects are likely to suffer a financial impact and a diversion of time and resources in dealing with additional approaches from Oxfam; and
  • given the scale and duration of the contravention, it is likely that such distress and/or damage would be substantial. At least some of the affected data subjects would have been likely to suffer substantial distress and/or damage. Alternatively, the cumulative levels of damage and/or distress of this kind of contravention would have been likely to be substantial.
Aggravating Factors
  • Oxfam has followed the unlawful practice described above over a period of several years and on a continuing basis.
  • Oxfam's practices appear to have been driven at least in part by financial gain. The fact that it is a charity is not an excuse in this respect. In fact, the public is arguably entitled to expect charities to be especially vigilant in complying with their legal obligations.
  • Oxfam has contravened the fundamental rights of very large numbers of individuals not to be subject to unlawful direct telephone marketing and to have their personal data processed in accordance with the DPA and Directive 95/46/EC.
  • Oxfam's activities as described above have exposed the relevant data subjects to substantially distressing and/or damaging consequences, including intrusions into their privacy due to unsolicited direct marketing communications. It is likely that many individuals will have been persuaded by Oxfam to increase their financial support. Those financial consequences will to a significant extent have flowed from Oxfam's unlawful practice described above.
  • It is likely that Oxfam has also contravened Regulation 22 of PECR.
Mitigating Factors
  • Oxfam co-operated with the Commissioner's investigations.
  • Oxfam is a charity that seeks to further its objectives in the public interest, rather than for purely private interests or mere financial gain.
  • Oxfam has changed its television advertisements in light of the Commissioner's investigation.
  • Oxfam's practices may to an extent have reflected commonplace - albeit mistaken and unlawful - approaches in the charitable sector.
  • The intended monetary penalty may have negative reputational consequences.
PRS Media Limited (trading as Purus Digital)
27 March 2017
£140,000
PECR – Regulation 22
Factual Background
PRS Media Limited (‘PRS’) is an advertising and marketing company. It markets services using different forms of media, including email and text message, directing recipients to websites.
Between 1 January 2016 and 17 May 2016, the GSMA’s Spam Reporting Service had received 2,628 complaints about the receipt of unsolicited direct marketing text messages sent on behalf of PRS. The GSMA’s Spam Reporting Service allows mobile users to report the receipt of unsolicited marketing text messages to the GSMA, who makes such complaints data available to the ICO.
Following the receipt of an Information Notice from the ICO, PRS explained that it had sourced the personal data for the text messaging from a competition and a prize draw website it owned. A condition of entry to the competitions was compulsory agreement to receive marketing at the point of sign-up. Although reference was made to this in both its terms and conditions and its privacy policy, both were generic and unspecific. At no point was an individual able to express a preference on how they might be contacted.
ICO Finding
The ICO found that PRS did not have the consent of the 4,357,453 subscribers to whom it sent unsolicited direct marketing text messages (PECR – Regulation 22).
Harm
The ICO was satisfied that the contravention was serious due to the number of direct marketing text messages that were sent to subscribers without their consent, and the number of subsequent complaints made.
Aggravating Factors
  • PRS had failed on two separate occasions to answer requests for information from the ICO and it required the service of an Information Notice to compel a response.
  • The response received from PRS to the Information Notice provided unsatisfactory answers to the questions asked, and the figures provided were at odds with the Commissioner’s own findings.
  • PRS did not identify the person who was sending or instigating direct marketing text messages.
Mitigating Factors
There were no mitigating features
Providence Personal Credit Limited
11 July 2017
£80,000
PECR – Regulation 22
Factual Background
Between 6 April 2015 and 13 October 2015, 285 complaints about the receipt of unsolicited direct marketing text messages relating to online loans were made to GSMA’s Spam Reporting Service, which shares complaints data with the ICO. The direct marketing text messages were sent by third party affiliates on behalf of Providence Personal Credit Limited (‘PPC’).
Under the affiliate agreement, PPC agreed to provide text promoting its products and the affiliates would send the text as direct marketing text messages. Affiliates received a fee for each individual who subsequently entered into a credit agreement with PPC having clicked on the web link contained in the text message.
Between 6 April 2015 and 31 October 2015, one of the affiliate companies, Money Gap Group Ltd, sent 868,393 unsolicited direct marketing text messages promoting PPC. In the same period another affiliate company, Sandhurst Associates Ltd, sent 130,664 unsolicited direct marketing text messages promoting PPC.
The individuals to whom the text messages were sent had not consented to the receipt of such direct marketing by or on behalf of PPC. The privacy notices used by the affiliates did not name PPC or any of its trading names, nor did they indicate that the data would be used for sending direct marketing text messages on behalf of PPC.
ICO Finding
The ICO found that PPC instigated the sending of direct marketing messages without the appropriate consent (Regulation 22 of PECR).
The Commissioner also found that PPC failed to take reasonable steps to prevent the contravention because, as the instigator of the direct marketing text messages, it was PPC’s responsibility to ensure that valid consent to send direct marketing text messages had been acquired. Reasonable steps in these circumstances could have included reviewing the privacy notices and consent wording relied on by the affiliate companies, ensuring that they were sufficiently specific to amount to valid consent for the sending of direct marketing text messages on behalf of PPC.
The Commissioner did not consider PPC’s contravention of regulation 22 of PECR deliberate; however, PPC knew or ought reasonably to have known that there was a risk that these contraventions would occur and was therefore negligent.
Harm
The Commissioner was satisfied that the contravention was ‘serious’ because PPC instigated the sending of at least 999,057 direct marketing text messages to subscribers without their consent.
Aggravating Factors
No mention of aggravating features
Mitigating Factors
There were no mitigating features
Road Accident Consult Ltd t/a Media Tactics
3 March 2017
£270,000
PECR – Regulations 19 & 24
Factual Background
Media Tactics generates leads in relation to individuals making a claim for a PPI refund.
Between 24 July 2014 and 9 June 2015 the ICO received 182 complaints about the receipt of unsolicited automated marketing calls made from telephone numbers used by Media Tactics. On further investigation, it was found that between 13 November 2014 and 9 June 2015 Media Tactics made 22,065,627 automated direct marketing calls.
On 24 August 2015 the ICO wrote to Media Tactics informing it that the ICO had evidence that it had made over 22 million automated direct marketing calls, that the ICO had received 182 complaints and asked Media Tactics to provide evidence that the recipients of the calls had consented to receiving automated marketing calls from Media Tactics.
Media Tactics informed the ICO that it purchased data from a number of different third party data providers, who had given warranties that the data was “opted-in”, and that the data had been screened against the Telephone Preference System. Most of the websites from which the telephone numbers of the complainants had originally been sourced belonged to payday loan and insurance brokers.
Many of the privacy notices on the identified websites were generic and unspecific and did not refer to the data being used for the purposes of making automated direct marketing calls. Only one of the privacy notices identified Media Tactics as a recipient of the data, but this was in a list of over 200 organisations.
ICO Finding
The ICO found that Media Tactics instigated over 22 million automated direct marketing calls without prior consent of the individuals called (Regulation 19 of PECR).
In particular, the ICO found that between 13 November 2014 and 9 June 2015 Media Tactics instigated the transmission of 22,065,627 automated marketing calls to subscribers without their prior consent. It also found that Media Tactics did not identify the person who was sending or instigating the automated marketing calls and provide the address of the person or a telephone number on which this person could be reached free of charge.
The ICO did not consider the contravention deliberate but Media Tactics should have known or ought reasonably to have known that there was a risk that this contravention would occur. Further, the ICO found that Media Tactics had failed to undertake adequate due diligence on its data providers.
Harm
The ICO was satisfied that the contravention was 'serious' because Media Tactics instigated the making of over 22 million automated marketing calls to subscribers without their prior consent, which resulted in 182 complaints being made to the Commissioner.
The Commissioner was also satisfied that contravention was of a kind likely to cause substantial distress and Media Tactics ought to have known that it was only a matter of time before substantial distress to the recipients of the calls was likely to be caused. The ICO indicated that the failure to identify Media Tactics as the caller or provide an address or telephone number on which it could be contacted free of charge was a factor likely to cause substantial damage or distress.
Aggravating Factors
  • The director of Media Tactics had been involved in the lead generation business for several years and had a history of contact with the ICO. Media Tactics should therefore have had a good level of awareness of PECR and its requirements.
Mitigating Factors
  • There is a potential for damage to Media Tactics’ reputation which may affect future business.
Royal & Sun Alliance Insurance plc (RSA)
5 January 2017
£150,000
DPA – 7th Principle
Factual background
Royal & Sun Alliance Insurance plc (‘RSA’) is a multinational general insurance company. It provides (among other things) personal insurance products and services to its customers.
At some point between 18 May 2015 and 30 July 2015, a portable ‘Network Attached Storage’ device (the ‘device’) was stolen by an unidentified member of staff or contractor from a server room in RSA’s premises.
Access to the server room at RSA’s premises requires use of an access card and key. 40 of RSA’s staff and contractors (some of whom were non-essential) were permitted to access the server room (the ‘DSR’) unaccompanied.
The device held, among other things, personal datasets containing:
  • 59,592 customer names, addresses, bank account and sort code numbers; and
  • 20,000 customer names, addresses and credit card ‘Primary Account Numbers’.
The device did not contain expiry dates or CVV numbers. It was password protected but not encrypted. The device has not been discovered to date.
ICO finding
The ICO found that RSA did not have appropriate technical and organisational measures for ensuring so far as possible that such an incident would not occur (DPA – 7th Principle).
In particular:
  • RSA did not encrypt the datasets prior to loading them on the device;
  • RSA failed to physically secure the device in the server room;
  • RSA failed to routinely monitor whether the device was online and (if not) raise an alarm;
  • RSA did not have CCTV installed inside the server room;
  • RSA failed to restrict access to the server room to essential staff and contractors;
  • RSA permitted staff and contractors to access the server room unaccompanied; and
  • RSA failed to monitor access to the server room.
The ICO did not consider the contravention deliberate but held that RSA should have known or ought reasonably to have known that there was a risk that this contravention would occur. The ICO found that RSA had failed to take reasonable steps to prevent the contravention.
Harm
The ICO was satisfied that the contravention identified was ‘serious’ due to the number of affected individuals, the nature of the personal data that was held on the device and the potential consequences of the contravention.
The ICO held that the contravention was likely to cause substantial damage or substantial distress, taking into account:
  • the nature of the personal data, in particular as it concerns financial information; and
  • that portable devices have a high risk of loss or theft and require adequate security.
The ICO recognised that distress could be caused to RSA’s customers if they knew their financial information might have been accessed by the individual who stole the device, further disseminated or misused. Financial damage could also arise from exposure to blagging and possible fraud.
Aggravating Factors
  • RSA was unable to pinpoint exactly when the device was stolen.
  • RSA received 195 complaints about this incident.
Mitigating Factors
  • The device was password protected.
  • The personal data held on the device was not easily accessible.
  • So far as the Commissioner is aware, the information has not been further disseminated or accessed by third parties, and has not been used for fraudulent purposes.
  • RSA notified its affected customers and offered free CIFAS protection for 2 years.
  • RSA has now taken substantial remedial action.
  • A monetary penalty may have a significant impact on RSA’s reputation and, to an extent, its resources.
  • RSA has sought independent professional advice to assist with the remediation of this incident.
  • There is no indication that any RSA customer has suffered a financial loss.
TalkTalk Telecom Group Plc
7 August 2017
£100,000
DPA – 7th Principle
Factual Background
In 2002, TalkTalk’s portal was designed and implemented. Wipro, which was acting as processor to resolve high level complaints and to monitor and address network connectivity problems on TalkTalk’s behalf, was given access to the portal. 40 individual users employed in Wipro’s High Repeat Team had access to the personal data of between 25,000 and 50,000 TalkTalk customers at any point in time.
In September 2014, TalkTalk began receiving complaints from customers regarding scam calls purportedly from TalkTalk. Typically, the callers purported to be providing support for technical problems which had been detected. They were able to quote customers' addresses and TalkTalk account numbers.
TalkTalk commenced an initial security investigation and reported the matter to the ICO on 11 September 2014. In October 2014, TalkTalk commissioned a specialist investigation which identified three Wipro user accounts that had been used to gain unauthorised and unlawful access to the relevant personal data of up to 21,000 customers.
In November 2014, and in February, October and November of 2015, TalkTalk wrote to all of its customers warning them of potential scam calls and how to deal with them.
ICO Finding
The ICO found that TalkTalk did not have the appropriate technical and organisational controls to prevent unauthorised or unlawful processing of personal data (DPA – 7th Principle). The ICO also found that TalkTalk did not have controls in place to limit access to the customers whose accounts were being worked on to resolve network problems, or to limit exports to the fields that were actually needed for Ofcom reporting. Further, Wipro employees were able to access the portal from any internet-enabled device. No controls were put in place to restrict such access to devices linked to Wipro.
The Wipro employees were able to make "wildcard" searches, view large numbers of customer records at a time and to export data to separate applications and files (although there is no evidence of any bulk download of this data). Those capabilities gave opportunities for the misuse of the relevant personal data. There was no adequate justification for those capabilities.
The ICO considered that TalkTalk knew or ought reasonably to have known that there was a risk that the contravention would occur, and be of a kind likely to cause substantial damage or substantial distress. The ICO further found that TalkTalk failed to take reasonable steps to prevent such a contravention.
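The three gaps the ICO lists (no scoping to the customer being worked on, wildcard searches and bulk export, access from any device) are all authorisation checks at the point of lookup. The block below is an added example, not TalkTalk's or Wipro's portal code: it assumes a constructed customer table, a ticket table that assigns one customer to one agent, an assumed processor egress range, and an assumed allow-list of the fields a report needs. Every lookup is written to an in-memory audit log so a bulk pattern would be visible.

```python
"""Added example: ticket-scoped record access for an outsourced support portal.

Not TalkTalk's or Wipro's code. Assumptions: constructed customers and
tickets, an assumed processor network range, and an assumed export allow-list.
"""
import ipaddress

# Constructed sample data (not real customer records).
CUSTOMERS = {
    "C-100": {"name": "A. Example", "address": "1 Sample St", "account": "C-100", "fault_code": "SYNC_LOSS"},
    "C-200": {"name": "B. Example", "address": "2 Sample St", "account": "C-200", "fault_code": "NONE"},
}
# Each open ticket names exactly one customer and the agent assigned to it.
TICKETS = {"T-1": {"agent": "wipro-agent-1", "customer": "C-100"}}
# Assumed processor egress range; requests from anywhere else are refused.
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
# Assumed allow-list of the fields a regulatory report actually needs.
EXPORT_FIELDS = frozenset({"account", "fault_code"})
WILDCARDS = set("*%?")
AUDIT_LOG = []  # (agent, action, account, outcome)


class AccessDenied(Exception):
    pass


def _audit(agent, action, account, outcome):
    AUDIT_LOG.append((agent, action, account, outcome))


def _check_source(source_ip):
    """Refuse requests that do not originate from the processor's own network."""
    addr = ipaddress.ip_address(source_ip)
    if not any(addr in net for net in ALLOWED_NETWORKS):
        raise AccessDenied(f"source {source_ip} is not a permitted processor address")


def lookup_customer(agent, ticket_id, account, source_ip):
    """Return one customer record, only if the agent holds an open ticket for it."""
    _check_source(source_ip)
    if WILDCARDS & set(account):
        # Exact account numbers only: no "wildcard" searches over the whole table.
        _audit(agent, "lookup", account, "denied: wildcard")
        raise AccessDenied("wildcard searches are not permitted")
    ticket = TICKETS.get(ticket_id)
    if ticket is None or ticket["agent"] != agent or ticket["customer"] != account:
        _audit(agent, "lookup", account, "denied: no matching ticket")
        raise AccessDenied("no open ticket assigns this customer to this agent")
    _audit(agent, "lookup", account, "ok")
    return dict(CUSTOMERS[account])


def export_for_report(agent, ticket_id, account, source_ip):
    """Export only the allow-listed fields, never the whole record."""
    record = lookup_customer(agent, ticket_id, account, source_ip)
    _audit(agent, "export", account, "ok")
    return {k: v for k, v in record.items() if k in EXPORT_FIELDS}


def access_denied(fn, *args):
    """Helper: True if the call is refused by the checks above."""
    try:
        fn(*args)
    except AccessDenied:
        return True
    return False
```

The point of tying access to a ticket rather than to a role is that the set of reachable records shrinks from "25,000 to 50,000 customers at any point in time" to the handful an agent is actually working on, and a lookup outside that set is both refused and logged.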
Harm
The ICO considered the contravention ‘serious’ because of the number of inadequacies in TalkTalk’s technical and organisational measures, the number of individuals affected, the nature of the personal data compromised, and the extent of the contravention.
In light of such inadequacies, some of the relevant personal data was likely to be misused in furtherance of fraud and/or other criminal activity. The relevant personal data was likely to help scammers (a) identify and contact target individuals and (b) pass themselves off as representatives of TalkTalk. Such communications were likely to result in at least some recipients providing their bank details to scammers and/or being defrauded and/or having their bank accounts used for money laundering. Those consequences would constitute substantial damage, and would be likely to cause substantial distress to at least some recipients, whether individually or cumulatively.
Aggravating Factors
No mention of aggravating features
Mitigating Factors
  • TalkTalk was the victim of the malicious actions of a small number of individuals.
  • TalkTalk proactively reported this matter to the Commissioner.
  • TalkTalk took steps to minimise potentially harmful consequences, for example by immediately removing the offending Wipro employees' access to the portal and alerting all of its customers to the potential for scam calls.
  • There is no evidence that the affected customers (up to 21,000) suffered any damage or distress as a result of these incidents.
  • TalkTalk has implemented certain measures to prevent the recurrence of such incidents.
The Data Supply Company Limited
27 January 2017
£20,000
DPA – 1st Principle
Factual Background
The Data Supply Company is a list or data broker which obtains personal data from various sources and sells this information as marketing leads to organisations for the purpose of sending direct marketing to those individuals.
Between 19 June 2015 and 21 September 2015, 174 complaints were received by the GSMA's Spam Reporting Service or direct to the ICO, relating to the receipt of 21,045 unsolicited direct marketing text messages about pay day loans. The GSMA’s Spam Reporting Service allows mobile users to report the receipt of unsolicited marketing text messages to the GSMA, who makes such complaints data available to the ICO. The ICO established that the person responsible for sending those text messages had obtained the data from The Data Supply Company. The Data Supply Company had provided 580,302 records containing personal data.
ICO Finding
The ICO found that The Data Supply Company did not process the personal data it obtained from individuals fairly and lawfully (DPA – 1st Principle).
In particular:
  • The relevant individuals were not informed that their personal data would be disclosed to The Data Supply Company, or to the organisations to which The Data Supply Company sold the data, for the purpose of sending direct marketing text messages.
  • The disclosures given would not be within those individuals’ reasonable expectations.
The ICO did not consider the contravention deliberate, but The Data Supply Company should have known or ought reasonably to have known that there was a risk that this contravention would occur and that it would be of a kind likely to cause substantial damage or substantial distress.
The ICO found that The Data Supply Company had failed to take reasonable steps to prevent the contravention, stating that it had failed to undertake proper due diligence when both buying and selling personal data to ensure that the processing was fair.
Harm
The ICO was satisfied that the contravention was 'serious' due to the number of records containing personal data being disclosed without the data subjects' knowledge or consent.
The ICO found that the contravention was of a kind likely to cause substantial distress.
Aggravating Factors
No mention of aggravating features
Mitigating Factors
  • The Data Supply Company has informed the ICO that it is no longer trading in personal data.
The Lead Experts Limited
10 October 2017
£70,000
PECR – Regulations 19 & 24
Factual Background
The Lead Experts Limited (‘TLEL’) is a marketing firm based in Liverpool.
On 31 October 2016 the Commissioner served a third party information notice on DXI Limited (‘DXI’) in relation to automated calls made via the DXI voice broadcasting platform from numbers prefixed with 08454290 and 0844337, those being the prefixes for the reported complaint numbers.
DXI responded providing a spreadsheet containing a list of automated calling campaigns instigated by their customers, using these numbers as presentation CLIs (‘Calling Line Identifications’). The spreadsheet included the company names, CLIs used, dates of the campaigns and volume of calls made. The information provided showed that, between 4 May 2016 and 5 May 2016, TLEL made a total of 115,341 automated calls.
TLEL denied ever using automatic dialling and stated that its “only experience with DXI was that of buying a small batch of test leads of which we [TLEL] only dialled a small amount due to the quality not being very good.” DXI, however, provided sufficient evidence to refute this claim including, a signed order form outlining charges for calls to landlines and mobiles, audio files containing voice recordings of the messages to be played when the calls connected, and copies of e-mails in which TLEL supplied DXI with numbers to be loaded onto a dialler as part of their marketing campaign.
TLEL was unable to provide evidence that it had the consent of the individuals to whom it had instigated the transmission of the automated direct marketing calls.
ICO Finding
The ICO found that between 4 May 2016 and 5 May 2016 TLEL instigated the transmission of 115,341 automated marketing calls to subscribers (111,072 of which were successful) without their prior consent (Regulations 19 and 24 of PECR).
Furthermore, TLEL failed to include the company name, address and telephone number in its automated messages, as required by Regulation 24.
The ICO was satisfied that TLEL deliberately contravened Regulation 19 of PECR in the sense that TLEL’s actions were deliberate.
Harm
The Commissioner was satisfied that the contravention identified above was ‘serious’ because TLEL instigated the making of 115,341 automated marketing calls to subscribers without their prior consent.
Aggravating Factors
  • TLEL had repeatedly denied all wrongdoing and pleaded ignorance as to the contravention, despite evidence verifying its instigation of the direct marketing. TLEL also disengaged with the Commissioner during the latter part of the investigation.
  • While the CLIs used for the marketing calls were legitimate, they did not identify the company making the call. The CLIs were routed through Buenos Aires, making it difficult to trace the company.
  • The CLIs were also 'added value' numbers which charged individuals who called back to try to identify the company.
  • The Commissioner also took into account the fact that TLEL did not identify the person/organisation who was instigating the call, or provide details on which the person making the calls could be contacted free of charge.
  • When challenged regarding its practice TLEL sought to liquidate the company on 27 July 2017. This was placed on hold pending the Commissioner’s investigation.
Mitigating factors
There were no mitigating features
Remedial Action
No mention of remedial action
The Royal British Legion
3 April 2017
£12,000
DPA – 1st Principle, 2nd Principle
Factual Background
Wealth screening
The Royal British Legion (‘RBL’) used the services of a wealth screening company to analyse the financial status of its supporters in order to identify those that would have the capacity and propensity to make a larger donation to charity. The personal data which RBL provided to the wealth screening company included supporters' names and addresses and information relating to their donation history. 2,445,670 records were scanned in 2014.
Data-matching and tele-matching
RBL had also used the services of external companies to undertake data-matching and tele-matching on its behalf since 2010. Data-matching is the use of personal data to obtain and use other items of personal data which data subjects may have chosen not to provide to the data controller, and tele-matching is data-matching with telephone numbers. RBL estimated that it was likely to have tele-matched approximately 900,000 records and data-matched 52,966 email addresses to the personal data of supporters since 2010.
ICO Finding
The ICO was satisfied that these contraventions were deliberate, in the sense that the actions of RBL were deliberate. While RBL may not have deliberately set out to contravene the DPA, it deliberately acted in such a way that it did so.
Alternatively, RBL ought reasonably to have known that there was a risk that the contraventions would occur, and that they would be of a kind likely to cause substantial damage or distress.
Wealth screening
The ICO found that the wording of RBL’s privacy notices in place at the relevant time did not indicate that personal data may be processed for the purpose of wealth analysis, nor had sufficient information been provided to supporters to enable them to understand what would be done with their personal data in terms of screening and object to such processing if they so wished (DPA – 1st Principle). In addition, the processing of personal data for the purposes of wealth analysis was incompatible with the purpose for which the data were obtained (DPA – 2nd Principle).
Data-matching and tele-matching
The ICO also found that RBL did not have the consent of the data subjects to use individuals’ personal data to undertake data-matching and/or tele-matching and that such activities were neither compatible with the purposes explained in RBL’s privacy notices nor in the reasonable expectation of the individuals affected (DPA – 1st and 2nd Principles).
Harm
The ICO considered that the contraventions were serious because of the length of time over which the contraventions took place, the number of data subjects whose rights were infringed and the fact that the data subjects were likely to have been affected by those contraventions in significant practical ways (where data-matching and wealth screening took place).
The ICO was satisfied that these contraventions were of a kind likely to cause substantial damage or substantial distress, taking into account that:
  • at least some proportion of data subjects are likely to be distressed as a result of the contravention;
  • at least some proportion of data subjects are likely to suffer a financial impact and a diversion of time and resources in dealing with additional approaches from the RBL; and
  • given the scale and duration of the contraventions, it is likely that such distress and/or damage would be substantial. At least some of the affected data subjects would have been likely to suffer substantial distress and/or damage. Alternatively, the cumulative levels of damage and/or distress of this kind of contravention would have been likely to be substantial.
Aggravating Factors
  • RBL has followed the unlawful practices described over a period of several years.
  • RBL's practices appear to have been driven by financial gain. The fact that it is a charity is not an excuse in this respect. In fact, the public is arguably entitled to expect charities to be especially vigilant in complying with their legal obligations.
  • RBL has contravened the fundamental rights of very large numbers of individuals to have their personal data processed in accordance with the Data Protection Act 1998 and Directive 95/46/EC.
  • By failing to adequately explain to data subjects how their personal data would be used, RBL has deprived them of control and informed decision-making about their personal data to a significant extent.
  • RBL's activities as described have exposed the relevant data subjects to substantially distressing and/or damaging consequences, including intrusions into their privacy due to increased direct marketing communications from RBL. It is likely that many individuals will have been persuaded by RBL to increase their financial support. Those financial consequences will to a significant extent have flowed from RBL's unlawful data protection practices.
Mitigating Factors
  • RBL co-operated with the Commissioner's investigations.
  • RBL is a charity that seeks to further its objectives in the public interest, rather than for purely private interests or mere financial gain.
  • RBL has taken remedial action.
  • RBL’s practices may to an extent have reflected commonplace – albeit mistaken and unlawful – approaches in the charitable sector.
  • The intended monetary penalty may have negative reputational consequences.
True Telecom Limited
6 September 2017
£85,000
PECR – Regulation 21, Regulation 24
Factual Background
True Telecom Limited (‘True Telecom’) provides telephone services to businesses and residential consumers. Services include broadband, line rental, calls, and mobile sim-only plans.
Between 6 April 2015 and 27 April 2017, the ICO received 201 complaints through the Telephone Preference Service (‘TPS’) about unsolicited direct marketing calls made by True Telecom. The TPS is a register of numbers allocated to subscribers who have notified them that they do not wish to receive unsolicited calls for direct marketing purposes on those lines. All of these complaints were made by individual subscribers who were registered with the TPS.
Some of the complainants reported that they received unsolicited calls from a withheld number and that the calls were misleading because the callers gave the impression that they were calling from BT Openreach.
On 18 May 2016, the ICO informed True Telecom of the complaints received. True Telecom's response stated that it was unable to provide any consent for the calls and that it had obtained the data used to make the calls through 'data scraping' – during which a software tool is used to pull or 'scrape' information from open source listings into a spreadsheet. Once data is scraped, the number is uploaded to True Telecom's TPS screening software before being allocated to their internal sales team.
Although the TPS screening software was used, True Telecom advised that a selection of data was made available to the outbound sales team. This data was not subject to TPS screening during a transitional period after the departure of the previous IT manager.
ICO Finding
The ICO held that True Telecom made unsolicited direct marketing calls to subscribers whose numbers were registered with the TPS without prior consent (Regulation 21 of PECR).
The ICO was also satisfied that, for the purposes of Regulation 21 of PECR, the 201 complaints were made by subscribers who had registered with the TPS at least 28 days prior to receiving the calls and had not given prior consent to True Telecom to receive calls.
True Telecom was unable to establish that subscribers had consented to be called due to the nature of the way it had obtained the data. ICO guidance on direct marketing explains that organisations must keep clear records of what an individual has consented to and when and how this consent was obtained.
In addition, the ICO held that True Telecom knew or ought reasonably to have known that there was a risk that these contraventions would occur given that True Telecom relied on direct marketing due to:
  • the nature of its business;
  • the way in which it sourced its data; and
  • the fact that the issue of unsolicited calls was widely publicised by the media as being a problem.
The ICO also held that True Telecom failed to take reasonable steps to prevent the contraventions, which could have included:
  • carrying out adequate screening of the data against the TPS register;
  • ensuring that the entire TPS file they received from their provider was uploaded on their system before making calls; and
  • providing telesales staff with written procedures and training regarding the requirements of PECR and how to comply with them.
Harm
The ICO was satisfied that the contravention was ‘serious’, owing to the number of individuals affected, and True Telecom’s grievous failure to screen the telephone numbers against the TPS. In addition, the contraventions took place over a period of approximately two years. The ICO also noted that it was reasonable to suppose that considerably more calls were made, and those affected had not complained.
Aggravating Factors
  • True Telecom had previously been contacted by the ICO regarding complaints and received guidance related to this.
  • Despite being advised by the ICO of the requirement to do so, True Telecom failed to register as a data controller under the Data Protection Act 1998 and was prosecuted for this offence in March 2017. The ICO considered this indicative of True Telecom's attitude towards compliance with regulatory requirements.
  • The ICO also took account of the fact that True Telecom had failed to identify the person who was making the calls, or provide contact details on which the person could be reached free of charge.
Mitigating Factors
  • There is potential for damage to True Telecom’s reputation which may affect future business.
Vanquis Bank Limited
4 October 2017
£75,000
PECR – Regulation 22
Factual Background
Between 9 April 2015 and 16 February 2016, Vanquis Bank Limited (‘VBL’) instigated a campaign to send 870,849 direct marketing text messages to subscribers. VBL obtained the personal data from third parties and relied on indirect consent for sending the direct marketing text messages to subscribers.
VBL came to the attention of the ICO in December 2015 on review of the ICO’s ‘monthly threat assessment’. This revealed that 15 complaints about VBL had been made to GSMA’s Spam Reporting Service, which allows mobile users to report the receipt of unsolicited marketing text messages to the GSMA (the GSMA makes such complaints data available to the ICO). The Commissioner subsequently launched an investigation to determine whether VBL’s text message marketing had been carried out in compliance with Regulation 22 of PECR.
Further, between 17 December 2015 and 3 August 2016 620,000 direct marketing e-mails were sent to subscribers by one of VBL’s sub-affiliates on behalf of VBL. The ICO received 9 complaints in respect of such e-mails. The indirect consent VBL had relied upon for 7 of the 9 complaints had been obtained through various affiliates and sub-affiliates.
ICO Finding
The ICO found that VBL did not have the appropriate consent of the data subjects to send direct marketing text messages or emails (Regulation 22 of PECR).
VBL was unable to evidence that individuals to whom direct marketing text messages and e-mails had been sent had consented to receipt of the messages.
The ICO considered that VBL did not deliberately contravene Regulation 22 of PECR; however, VBL knew or ought reasonably to have known that there was a risk that these contraventions would occur. The ICO also found that VBL failed to take reasonable steps to prevent the contraventions.
Harm
The Commissioner was satisfied that the contravention was ‘serious’ because in a ten month period VBL sent a total of 870,849 direct marketing text messages to subscribers without their consent. This resulted in 131 complaints being made.
Further, in a five month period VBL instigated the sending of a total of 620,000 direct marketing emails to promote VBL services to subscribers without their consent. This resulted in 9 complaints being made.
Aggravating factors
No mention of aggravating features
Mitigating factors
There were no mitigating features
Remedial Action
No mention of remedial action
Verso Group (UK) Limited
17 October 2017
£80,000
DPA – 1st Principle
Factual background
Verso Group (UK) Limited (‘Verso’) is a data broking company.
Whilst investigating two organisations for the sending of direct marketing communications in contravention of PECR, it came to the Commissioner’s attention that Verso had supplied those companies with large volumes of personal data which were then used in contravention of PECR. Consequently, on 17 March 2016 the Commissioner commenced an investigation into whether or not Verso had obtained and/or supplied the personal data in compliance with Data Protection Principle 1. The Commissioner corresponded extensively with Verso between March and November 2016.
In that correspondence Verso explained how it obtained and supplied personal data, including information about specific transactions. It provided the Commissioner with information about the companies and websites from which it obtained personal data. Verso also provided the Commissioner with evidence of its due diligence measures in respect of companies that had supplied it with personal data. Verso also supplied information about telemarketing campaigns through which it obtained personal data and the scripts for those telephone calls.
The Commissioner considered the terms and conditions and privacy notices applicable to the personal data and found that the data subjects had not consented to their personal data being supplied to Verso and/or for onward sale to other companies for direct marketing purposes. The Commissioner also considered an adjudication of the Direct Marketing Commission (DMC) published in August 2016 concerning Verso’s supply of over 2 million customer records to an SMS marketing company for use by a gambling company. In their adjudication the DMC found that Verso had contravened a number of provisions of the Direct Marketing Association’s Code.
ICO Finding
The ICO found that across the various transactions it reviewed Verso:
  • failed to provide the data subjects with sufficiently clear information about the companies to whom their personal data would be disclosed for direct marketing purposes; and
  • sold personal data which it had obtained unfairly, and so the onward sale was also unfair.
The ICO found that these transactions contravened Data Protection Principle 1.
The Commissioner considered that these contraventions were deliberate, in the sense that Verso's actions were deliberate and systemic. Alternatively, Verso knew or ought reasonably to have known that there was a risk that these contraventions would occur and be of a kind likely to cause damage or substantial distress.
The Commissioner further considers that Verso failed to take reasonable steps to prevent such a contravention, in that:
  • Verso failed to undertake adequate due diligence when selecting its data suppliers in order to ensure that it received and used personal data fairly;
  • Verso failed to incorporate adequate contractual terms requiring its data suppliers to ensure that personal data was obtained and provided to Verso fairly;
  • Verso failed to take practical steps to satisfy itself that data subjects were provided with sufficiently specific information to help them understand what would be done with their personal data; and
  • when obtaining personal data from data subjects, Verso should have provided sufficiently specific information about the companies to whom Verso would provide personal data.
Harm
The Commissioner considers that these contraventions were serious, in that:
  • they involved large volumes of personal data and large numbers of data subjects;
  • Verso's contraventions were systemic: they were not isolated, one-off or occasional errors; and
  • there were numerous contraventions extending over a period of years.
Aggravating factors
  • Verso's contraventions were numerous, systemic and serious. They took place over a number of years and affected many thousands of data subjects.
  • Verso was unhelpful and obstructive during the Commissioner's investigation. It failed to provide some requested information, obfuscated in many of its answers and declined to co-operate adequately on a number of occasions. The Commissioner had to threaten to issue formal information notices in order to obtain answers to some of her questions.
  • Verso was unable to demonstrate how it had taken steps to ensure compliance with the DPA.
  • In the circumstances, the Commissioner considers Verso to have acted in disregard of its legal obligations.
Mitigating factors
  • Verso provided the Commissioner with some relevant information about its practices during the course of her investigation.
  • The penalty could have a significant reputational impact on Verso.
WM Morrison Supermarkets Plc
12 June 2017
£10,500
PECR – Regulation 22
Factual Background
WM Morrison Supermarkets Plc (‘Morrisons’) is a national chain of supermarkets.
As a result of an update to its systems in early 2016, Morrisons received queries from customers stating that they were not receiving e-mails from Morrisons. It therefore made the decision to send a “Your account details” e-mail to individuals who had previously opted out of marketing in relation to their Morrisons More card but had opted in to marketing for online groceries, advising them on how to update their marketing preferences.
Between 24 October 2016 and 25 November 2016, Morrisons instigated the transmission of 236,651 “Your account details” e-mails. Of those, 130,671 e-mails were successfully received.
ICO Finding
The ICO found that Morrisons had sent 130,671 unsolicited communications by means of e-mail to individual subscribers for the purposes of direct marketing without the necessary consent (Regulation 22 of PECR).
As the instigator of the e-mails, it was the responsibility of Morrisons to ensure that sufficient consent had been acquired. Morrisons was unable to evidence that the individuals to whom e-mails had been sent had consented to receipt of the messages.
The Commissioner considered that Morrisons deliberately contravened Regulation 22 of PECR because Morrisons was aware that the e-mail was being sent to individuals who had previously indicated that they did not consent to receive direct marketing in relation to their Morrisons More card. However, Morrisons sent these individuals emails despite its knowledge of its obligations under the Data Protection Act 1998 to respect such opt-outs.
Harm
The Commissioner was satisfied that the contravention was ‘serious’ because between 24 October 2016 and 25 November 2016 Morrisons knowingly sent a total of 130,671 direct marketing emails to subscribers without their consent.
Aggravating Factors
No mention of aggravating features
Mitigating Factors
There were no mitigating features
Remedial Action
No mention of remedial action
WWF-UK
3 April 2017
£9,000
DPA – 1st Principle, 2nd Principle
Factual Background
WWF-UK is an founded in 1961, working in the field of wilderness preservation, and the reduction of .
Sharing personal data with third parties
WWF-UK was a member of a Reciprocate Scheme, which was run by an external company and enabled participating charities to share or swap the personal data of donors or prospective donors. Between 2012 and 2015 WWF-UK provided quarterly updates to the Reciprocate Scheme and in total shared 174,512 donor records, including details such as the name and addresses of donors.
WWF-UK’s privacy notice stated that “from time to time we may agree with carefully selected organisations to swap data, so that we can write to each other’s supporters. If you do not wish us to share your data in this way, please tick this box…”
Wealth screening
WWF-UK used the services of a wealth screening company to analyse the financial status of its supporters in order to identify those that would have the capacity and propensity to make a larger donation to charity. The personal data which WWF-UK provided to the wealth screening company included supporters' names and addresses and information relating to their donation history.
WWF-UK confirmed that it had undertaken such activity on three occasions: in 2006, 2011, and 2016. It wealth-screened 211,352 records in 2011, and a further 580,098 records in 2016. These figures do not necessarily reflect the number of individuals whose data was screened, as some supporters’ data may have been screened more than once. The total number of individuals whose personal data was processed for the purposes of wealth analysis was 643,531.
Tele-matching
WWF-UK began tele-matching (using personal data to obtain and use telephone numbers which data subjects have chosen not to provide) in 2006 and stopped in March 2016. From 6 April 2010 until March 2016 it tele-matched a total of 83,475 records relating to 55,684 supporters.
ICO Finding
The Commissioner was satisfied that these contraventions were deliberate, in the sense that the actions of WWF-UK were deliberate. While WWF-UK may not have deliberately set out to contravene the DPA, it deliberately acted in such a way that it did so.
Alternatively, WWF-UK ought reasonably to have known that there was a risk that the contraventions would occur, and that they would be of a kind likely to cause substantial damage or distress.
Sharing personal data with third parties
The ICO found that WWF-UK unfairly processed individuals’ personal data because the terms of its privacy notice were unduly vague and/or ambiguous and did not provide data subjects with adequate information as to how their personal data would be shared via the schemes (DPA – 1st Principle). The ICO also found that the sharing of personal data via the schemes was incompatible with the purposes explained in WWF-UK’s privacy notices (DPA – 2nd Principle).
Wealth screening
The ICO found that WWF-UK unfairly processed individuals’ personal data because using their data to perform wealth screening was not in the reasonable expectation of those individuals and they were not informed that WWF-UK would adopt these techniques (through WWF-UK’s privacy policy or otherwise) (DPA – 1st Principle). The ICO also found that the purpose of wealth analysis was incompatible with the purposes for which the data were obtained (administering the donation and, if the individual consented, marketing purposes) (DPA – 2nd Principle).
Tele-matching
The ICO found that it was unfair for WWF-UK to use the data for data-matching and/or tele-matching purposes without the consent of the data subjects and that such activities were incompatible with the purposes explained in its privacy notices (DPA – 1st Principle, 2nd Principle).
Harm
The ICO considered that the contraventions were serious because of the length of time over which the contraventions took place, the number of data subjects whose rights were infringed and the fact that the data subjects were likely to have been affected by those contraventions in significant practical ways.
The ICO was satisfied that these contraventions were of a kind likely to cause substantial damage or substantial distress, taking into account that:
  • at least some proportion of data subjects are likely to be distressed as a result of the contravention;
  • at least some proportion of data subjects are likely to suffer a financial impact and a diversion of time and resources in dealing with additional approaches from the WWF-UK; and
  • given the scale and duration of the contraventions, it is likely that such distress and/or damage would be substantial. At least some of the affected data subjects would have been likely to suffer substantial distress and/or damage. Alternatively, the cumulative levels of damage and/or distress of this kind of contravention would have been likely to be substantial.
Aggravating Factors
  • WWF-UK had followed the unlawful practices described over a period of several years and on a continuing basis.
  • WWF-UK's practices appear to have been driven at least in part by financial gain. The fact that it is a charity is not an excuse in this respect. In fact, the public is arguably entitled to expect charities to be especially vigilant in complying with their legal obligations.
  • WWF-UK had contravened the fundamental rights of very large numbers of individuals to have their personal data processed in accordance with the DPA and Directive 95/46/EC.
  • By failing to adequately explain to data subjects how their personal data would be used, WWF-UK has deprived them of control and informed decision-making about their personal data to a significant extent.
  • WWF-UK's activities as described have exposed the relevant data subjects to substantially distressing and / or damaging consequences, including intrusions into their privacy due to unsolicited direct marketing communications. It is likely that many individuals will have been persuaded by WWF-UK to increase their financial support. Those financial consequences will to a significant extent have flowed from WWF-UK's unlawful data protection practices.
Mitigating Factors
  • WWF-UK co-operated with the Commissioner's investigations.
  • WWF-UK is a charity that seeks to further its objectives in the public interest, rather than for purely private interests or mere financial gain.
  • WWF-UK has taken remedial action.
  • WWF-UK's practices may to an extent have reflected commonplace – albeit mistaken and unlawful – approaches in the charitable sector.
  • The intended monetary penalty may have negative reputational consequences.
Xerpla Limited
4 October 2017
£50,000
PECR – Regulation 22
Factual Background
Xerpla Limited (‘Xerpla’) offers design, advertising and marketing services.
Between 6 April 2015 and 20 January 2017 Xerpla transmitted 1,257,580 unsolicited direct marketing emails. These emails promoted products and services of a wide range of third parties, including providers of pet products, wine, motoring services, financial services and boilers.
The emails were sent to individuals who had subscribed to two websites operated by Xerpla - YouSave.co.uk and HeadsYouWin.co.uk. When subscribing, individuals were informed that by submitting their details, they consented to receive newsletters and offers from and on behalf of offer partners and from other similar third party online discount and deal providers. By subscribing, individuals were also consenting to the processing of their information as outlined in a separate Privacy Policy.
In 2016, the ICO received 14 complaints about the receipt of unsolicited direct marketing emails from the two websites through Xerpla.
ICO Finding
The ICO held that the consent relied on by Xerpla was not sufficiently informed and therefore did not amount to valid consent (Regulation 22 of PECR).
The ICO held that Xerpla did not deliberately seek to contravene Regulation 22 of PECR but ought to have known that there was a risk that these contraventions would occur. This is particularly the case given that direct marketing of this nature is widely publicised by the media as being a problem and that the ICO has published detailed guidance for organisations explaining their legal obligations under PECR.
The ICO was also satisfied that Xerpla failed to take reasonable steps to prevent the contravention. Reasonable steps in these circumstances could have included seeking appropriate guidance on the rules in relation to electronic direct marketing and ensuring that the consent Xerpla sought to rely on was valid.
Harm
The ICO was satisfied that the contravention was ‘serious’ due to the large number of data subjects affected by the 1,257,580 emails sent by Xerpla. It is not clear that the contravention caused any financial loss to those affected, however due to the persistent nature of the emails, the contravention may have caused distress or diversion of time in reporting the contraventions.
Aggravating Factors
No mention of aggravating features
Mitigating Factors
There were no mitigating features
Remedial Action
No mention of remedial action
Xternal Property Renovations Ltd
28 March 2017
£80,000
PECR – Regulation 21
Factual Background
Xternal Property Renovations Ltd (the ‘Company’) provides property maintenance and repair services to members of the public. The Commissioner wrote to the Company on 10 December 2015 regarding its compliance with PECR following a number of complaints having been made by subscribers registered with the Telephone Preference Service (‘TPS’) about unsolicited direct marketing telephone calls.
In February 2016 the Company responded, explaining that it had endeavoured to acquire legitimate and authorised third party customer information. However, the Company did not provide the identity of the company or companies from whom the data had been acquired, nor any evidence of the due diligence performed on the list provider or the data itself. It also became apparent that the Company had not performed any TPS screening as it was still in the process of completing the application process for its licence.
Between 14 August 2015 and 11 April 2016, the ICO received 131 complaints about unsolicited direct marketing calls made by the Company. Of those complaints, 94 were made to the TPS, with a further 37 made direct to the ICO. All of these complaints were made by individual subscribers who were registered with the TPS.
ICO Finding
The ICO found that the Company made a number of unsolicited calls for direct marketing purposes without the appropriate consent (Regulation 21 of PECR).
Between 14 August 2015 and 11 April 2016, the Company used a public telecommunications service to make 131 unsolicited direct marketing calls. The called lines were numbers listed on the register of numbers kept by the Commissioner in accordance with Regulation 26, contrary to Regulation 21(1)(b) of PECR.
The Commissioner was also satisfied for the purposes of Regulation 21 that the 131 complaints were made by subscribers who had registered with the TPS at least 28 days prior to receiving the calls and they had not given their prior consent to the Company to receive calls.
The Commissioner considered that in this case the Company did not deliberately contravene Regulation 21 of PECR, however, the Company ought reasonably to have known the risk of contravening PECR because the Company knew people were complaining about calls received. The Commissioner also found that the Company failed to take reasonable steps to prevent the contraventions.
Harm
The Commissioner did not comment on the harm associated with the contravention in this case. However, the complaints received indicate that at least some of the affected individuals suffered some distress from receiving these calls.
In particular:
  • “I get these calls from early morning to late at night, I'm disabled and I worry about these calls.”
  • “I was concerned about how this company had obtained my details - particularly my name. My number is TPS-registered and has been ex-directory for more than 30 years.”
  • “I object to being called an idiot and told ‘it’ll serve you right when you can’t pay your bills’. Nasty and could really upset an older person.”
Aggravating factors
  • Between 7 September 2015 and 30 November 2015, 109,726 direct marketing calls were made by the Company to individual subscribers registered with the TPS. This represented 81% of the total calls made by the Company in the same period.
  • As late as February 2016 the Company had not performed any TPS screening as it had not yet completed its TPS annual licence application process.
  • The Company did not identify the person instigating the calls and deliberately misled subscribers by using generic company names which had no relation to the Company.
  • There was a failure to fully cooperate with the Commissioner.
  • The Company is a private organisation within a competitive direct marketing industry where continuous breaches of PECR could create an unfair advantage.
Mitigating factors
  • There is a potential for damage to the Company’s reputation which may affect future business.
Your Money Rights Ltd
11 September 2017
£350,000
PECR – Regulation 19
Factual Background
Your Money Rights Ltd (‘YMR’) is a payment protection insurance (‘PPI’) company.
Between 8 March 2016 and 27 July 2016, YMR made 146,020,773 unsolicited automated direct marketing calls concerning PPI claims. During the same period, the ICO received 255 complaints regarding the calls made by YMR.
Upon investigation, it was confirmed that:
  • YMR was not identified as the maker of the calls;
  • Data was licensed to YMR from third party providers; and
  • YMR contracted with a separate third party to make the calls on behalf of YMR.
YMR was unable to provide evidence that it had obtained the necessary consent of the individuals to whom it made the calls.
ICO Findings
The ICO found that YMR made 146,020,773 automated direct marketing calls to individuals without their necessary prior consent (Regulation 19 of PECR).
The ICO stated that it had published detailed guidance for companies carrying out marketing activities explaining their legal obligations under PECR. In particular, it stated that marketing material can only be transmitted via an automated system with the prior consent of the individual.
The ICO held that whilst YMR may not have deliberately set out to contravene PECR, it did deliberately send automated marketing calls on a massive scale to individuals in contravention of Regulation 19 of PECR.
Harm
The ICO was satisfied that the contravention was 'serious' given that YMR instigated the making of over 146 million automated marketing calls to individuals without their prior consent, resulting in 255 complaints being made to the ICO.
While it does not appear that financial loss was suffered by the individuals affected, some may have suffered distress as a result of the provision of their personal data to a third party, or suffered a diversion of resources due to the need to make complaints and deal with the contravention.
Aggravating Factors
  • YMR may have obtained a commercial advantage over its competitors by generating leads from unlawful marketing practices.
  • YMR sent automated direct marketing calls on an enormous scale, with over 146 million calls being made.*
  • YMR was not identified as the body instigating the calls and no contact details were provided by which YMR could be reached free of charge. This contravened Regulation 24 of PECR.
  • The data was provided to a third party.*
Mitigating Factors
  • YMR suffered reputational damage as a result of the contravention and MPN.*
* Not explicitly identified by the ICO in the monetary penalty notice as a mitigating or aggravating factor. However, we have included these factors because such factors have had a significant influence on penalties handed down by the ICO.

“None of us can really be sure about what the future under GDPR will hold. It might contain prospects of great stress and anxiety for some. But, there will also be big opportunities for those who embrace the new reality, which is that data protection is here to stay."

Stewart Room, PwC Partner

Global summary


The global section of our 2017 Privacy and Security Enforcement Tracker provides a synopsis of key privacy issues and trends in 34 countries - 17 in Europe and 17 in the rest of the world. The content has been compiled from contributions from our data protection experts worldwide.
 
