Category Archives: Privacy and Electronic Communications Regulations

10.01.15
by

Round-Up on DPA and PECR: September 2015

A new, trial feature on the blog in which I take a monthly look at the Monetary Penalty and Enforcement Notices issued by the ICO together with the formal undertakings also published.

September has seen the Information Commissioner issue two Monetary Penalty Notices in respect of breaches of PECR and publish three formal undertakings following breaches of the DPA.

General Dental Council

The General Dental Council (‘the GDC’), a statutory regulator, gave the Commissioner an undertaking to comply with the seventh Data Protection Principal.  This followed an incident in which fitness to practice allegations and a CD containing background information relative to the allegations were sent to the wrong practitioner.  An investigation by the GDC established that the error had occurred because the recipient had a similar name to the intended recipient.

The GDC had in place guidance on the processing of such information; this had not been followed by the employees who had arranged for this information to be sent out.  The GDC’s guidance and processes required that the CD on which the background information was sent was encrypted.  In this particular incident the CD was not encrypted.

The Commissioner established that while the GDC had in place sufficient policies and procedures, there was a lack of corporate refresher training in relation to data protection for those employees whose job roles entailed the processing of personal data.  The GDC had introduced induction training, but this was not rolled out to existing staff.  The GDC did have examples of where data protection training was being delivered; however, much of this was delivered on an ad hoc basis.

The Undertaking records a second incident where a patient’s dental records had gone missing.  The GDC’s investigation suggested that the records had never left their office, but had instead been securely destroyed.  However, the employee involved in this incident had not received induction data protection training.

Cold Call Elimination Ltd

The Commissioner served a Monetary Penalty Notice on Cold Call Elimination Ltd following breaches of PECR.  Somewhat ironically Cold Call Elimination Ltd was making unsolicited cold calls to sell a service and device to stop unsolicited cold calls.

The Commissioner wrote to the company following a number of complaints to the Commissioner and the Telephone Preference Service.  The Company provided an explanation and further explained that it would be putting in additional measures relating to unsolicited marketing calls.  The Commissioner placed the company on a period of monitoring for a period of 3 months, during which a large number of complaints continued to be received.

The Commissioner’s Office met with Cold Call Elimination Ltd to discuss its compliance with PECR following which a further period of monitoring took place.  During that second period of monitoring there was a drop in the number of complaints received, but the Commissioner described this as an insignificant drop.

The Commissioner had received 46 complaints directly from individuals who were subscribed to the Telephone Preference Service between 14 June 2013 and 31 March 2015.  The Telephone Preference Service had received 336 complaints over the same period.

The Commissioner determined that the company was in breach of Regulation 21 of PECR and subsequently issued a Monetary Penalty Notice in the amount of £75,000.

Martin & Company

Martin & Company, a firm of solicitors, gave the Commissioner an undertaking to comply with the seventh Data Protection Principal following an incident in which a DVD containing CCTV footage went missing.  The firm was acting for a criminal accused and the CCTV footage was released to them by the Crown Office and Procurator Fiscal Service (‘the COPFS’).  Martin & Company is based in Ayr and the DVD required to be collected from the COPFS office in Kilmarnock.  Martin & Company instructed a third party to collect the DVD from the COPFS.  The DVD went missing having been collected by the third party, but before reaching Martin & Company.

The Commissioner’s investigation found that there were some shortcomings in Martin & Company’s procedures.  In particular the Commissioner highlighted a lack of guidance to staff regarding the DPA as well as relevant training on the DPA.  The Commissioner also took the view that there was a lack of formal procedure for staff when arranging to have personal data collected from outside of the office environment.

FlyBe Limited

FlyBe Limited, an airline, gave the Commissioner an undertaking to comply with the seventh Data Protection Principal following an incident in which a temporary employee sent a scanned image of another individual’s passport to his personal E-mail address.  The incident occurred in the department responsible for processing airside clearance for other FlyBe staff.

The Commissioner investigated and discovered that FlyBe did not provide any training to its staff members who processed personal data, including the temporary employee who was involved in this particular incident.  The Commissioner also found that FlyBe’s data protection policy was inadequate and only provided limited information.

Home Energy & Lifestyle Management Ltd

The Commissioner served a Monetary Penalty Notice on Home Energy & Lifestyle Management Ltd following breaches of PECR.  Home Energy & Lifestyle Management Ltd engaged in a marketing campaign via automated recorded calls to 6 million people in relation to the ‘Green Deal’, a Government backed energy saving initiative

The Commissioner wrote to the company having received a number of complaints about the calls being made.  The Company explained that it had now ceased the marketing campaign and that it had not realised that there were different rules in the Privacy and Electronic Communications Regulations for recorded calls as opposed to “live” calls.  The company also sought to explain the calls by attempting to lay the blame at the door of the third party company it had contracted to make the calls on its behalf.

The Commissioner’s office received 242 complaints concerning Home Energy & Lifestyle Management Ltd’s calls during a three month period of monitoring. The Commissioner decided that the company had breached Regulation 19 of PECR. The Commissioner also found that the company had breached Regulation 24 of PECR by not identifying the person who was sending the automated marketing calls, not providing the address of the person and not providing a telephone number on which the person responsible for making the calls can be reached free of charge.

The Commissioner issued a Monetary Penalty notice requiring the company to pay the sum of £200,000, the largest amount ever required for a breach of PECR. Press reports of the Monetary Penalty Notice have indicated that the company intends to appeal.

Comment

In respect of the three undertakings for breaches of the Data Protection Act 1998 it is clear that data controllers, even large organisations, are still failing in the basics by not having in place adequate policies and procedures covering data protection and failing to provide adequate induction and refresher training on data protection to those who handle personal data.  This is a regular feature in enforcement action taken by the Information Commissioner.  Having in place sufficient policies and procedures, as well as training and adequate checks to ensure compliance, will reduce the chances of experiencing a data breach in the first place.  Furthermore, it will undoubtedly serve to mitigate any enforcement action taken by the Commissioner should a data controller experience a breach.

The Monetary Penalty Notices issued this month highlight the importance of ensuring that organisations undertaking marketing by telephone have in place he appropriate consents and take sufficient steps to ensure that the calls are not made to individuals who have registered with the Telephone Preference Service.  They also highlight the truth of the latin maxim ignorantia legis neminem excusat – or ignorance of the law excuses no one. Following a change in the law, it is now much easier for the Commissioner to issue Monetary Penalty Notices in respect of breaches of PECR; it is therefore now much more likely that breaches of PECR will result in the Commissioner issuing Monetary Penalty Notices.

05.09.15
by

#GE2015, Data Protection, Privacy and FOI

It is now two days since the UK went to the polls to elect the 650 people who will be responsible for representing us until Parliament dissolves on Monday 20 April 2020 (assuming the Fixed-Term Parliaments Act 2011 remains in place and intact).  The result was significant for many reasons, some of which I may address in a future blog post.  The focus of this blog post though will be the possible impact on Data Protection, Privacy and Freedom of Information following the result in this election.

Data Protection and Privacy

These two areas, in their current form, rely heavily on EU law.  Both the Data Protection Act 1998 and the Privacy and Electronic Communications Regulations implement EU directives into UK law.

It is well known that one of the promises David Cameron made was a referendum on the UK’s continued membership of the EU if the Conservatives were returned to power with a majority.  They were, albeit a small and fragile one, and as such it is likely that in 2017 we will have a referendum on whether the UK will continue to be part of the EU, or not.  If the UK were to leave the EU (and this is purely hypothetical at this stage), then there would be no requirement for the UK to continue to comply with EU law; including the Directives underpinning the Data Protection Act and the Privacy and Electronic Communications Regulations.

Withdrawal from the EU would not, of course, immediately repeal every piece of law that is implementing an EU Directive – such a position would be unworkable.  Overtime there would, like there is in every other area of law, be reform and that could include both the Data Protection Act and the Privacy and Electronic Communications Regulations.

That is not the end of the story though; our continued relationship with the EU will have some impact in this area, especially with regards to the Data Protection Act.  If we were to remain part of the EEA, we would still have to comply with EU law except in some areas: data protection is not one of those.  So, if we withdrew from the EU and remained part of the EEA, nothing would change.

If we withdrew from both the EU and the EEA there would still be some Data Protection implications.  The eighth Data Protection Principal prevents the transfer of personal data outside the EEA unless the country or territory to which the personal data is to be sent “ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”  In other words, we would require some form of Data Protection or Privacy legislation that meets the test of “adequate” under EU data protection law.  This is a requirement that looks set to stay as part of the Data Protection Regulation currently working its way through the EU legislative process.  In all likelihood we would probably adopt the same data protection regulations as the EU, or something substantially similar thereto.  For that reason, Data Protection and Privacy looks fairly safe over the coming 5 years.

Freedom of Information

Scotland has its own Freedom of Information laws that cover Scottish public authorities.  These laws will likely remain largely unchanged in light of the 2015 election result.

Freedom of Information Act 2000

The FOIA covers English and Welsh authorities as well as UK-wide authorities such as UK Government Departments, the British Transport Police, the BBC, Channel 4 etc.  They are not popular with the Government; they force the Government to reveal information it would rather keep secret.  The Prime Minister isn’t a big fan of FOI; it “furs up the arteries of Government”.  We can expect to see some changes to FOI laws over the coming 5 years: the veto will likely be strengthened in light of the recent UK Supreme Court decision in the Prince Charles case; there could well be changes to the cost limits making it harder to get access to information and there could be the introduction of fees (at least for Tribunal cases).  Substantial harm could be done here (and if you value FOI and the power it gives you to access information held by public bodies I would commend the Campaign for Freedom of Information to you – they could need a lot of help, support and money over the coming 5 years).

Environmental Information Regulations 2004

These implement an EU Directive and provide a much tighter access to information regime with respect to Environmental Information – they also cover a much wider number of bodies than the FOIA does.  While they implement an EU Directive, they have their origin in another international Convention (one which is not anything to do with the EU), the Aarhus Convention.  The UK is a signatory and so if it were to remain a signatory it is likely that there would be no change to the substance of the EIRs.  There would be changes though.

Currently, because they are based upon EU law, they are subject to the primacy of EU law.  It is largely for this reason that the veto was held not to apply to Environmental Information.  It also gives recourse to the Court of Justice of the European Union in respect of interpretation (as was seen with Fish Legal).  This strengthens the EIRs significantly.  However, all is not lost.  In terms of the Aarhus Convention there is a right of remedy to the Aarhus Compliance Committee.

10.26.14
by

Consultation on PECR Monetary Penalty Notice Threshold: Initial Thought

Section 55A of the Data Protection Act 1998 (DPA) confers upon the Information Commissioner the power to issue a Monetary Penalty Notice (MPN) to Data Controllers for serious contraventions of the DPA.  This power is extended to cover contraventions of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECRs) by virtue of an amendment made to Regulation 31 of the PECRs.

The test for issuing a MPN for contraventions of either the DPA or the PECRs is as set out in Section 55A of the DPA and it requires a number of boxes to be ticked before the Commissioner can issue one:

  • That the commissioner is satisfied that there has been a serious contravention of section 4(4) of the DPA (or a serious contravention of the PECRs)
  • The contravention was of a kind likely to cause substantial damage or substantial distress
  • and either the contravention was deliberate but failed to take reasonable steps to prevent it; or that the data controller knew (or ought to have known) that there was a risk that the contravention would occur and that such a contravention was of a kind likely to cause substantial damage or substantial distress but failed to take reasonable steps to prevent it

It looks complicated, and to an extent it is.  However, what is clear from the way in which the statutory provisions have been drafted and from the binding interpretation given to them by the Upper Tribunal in The Information Commissioner v Niebel [pdf] is that the test is an almost impossibly high one to meet.

The Department of Culture Media and Sport (DCMS) has issued a consultation document seeking the views of those interested as to whether the threshold should be lowered (and to what) for the Commissioner to be able to issue a MPN in respect of breaches of the PECRs (the proposal would see the test remain as is in respect of contraventions of the DPA).

The consultation document makes three proposals:

  1. do nothing
  2. replace the requirement for the contravention to be of a kind likely to cause substantial damage or substantial distress with a requirement that the contravention is of a kind likely to cause annoyance, inconvenience or anxiety
  3. remove the requirement for the contravention to be of a kind likely to cause substantial damage or substantial distress altogether and replace it with nothing

The Commissioner favours the third option and the DCMS state in the consultation document that their provisional view is that the third option is their preference too.

I’ve given the consultation some consideration since its publication on Saturday and begun to formulate my response (it’s nor a particularly lengthy consultation document and does present three clear and simple options).  What has struck me though is what is missing from option three.  The current test and the second option within the consultation document both include situations where the Data Controller ought to have known that there was a risk that the contravention would occur and that such a contravention was of a kind likely to cause substantial damage or substantial distress but failed to take reasonable steps to prevent it.  However, this appears to be missing from the third option as expressed within the consultation document.

This apparent omission concerns me.  It creates a defence where someone can demonstrate that they didn’t know that there was a risk the contravention would occur even when it is apparent to all and sundry that they really should have known there was a risk.  It basically excuses negligence.  It allows a completely unreasonable situation to avoid the regulatory sanction of a MPN.

This seems like a glaring omission to me and it’s something I’ll certainly be thinking about the possible ramifications of in more detail before submitting a response to the DCMS.  I thought it was an interesting point that was worth raising in a blog.

The DCMS consultation can be found here [pdf] and the deadline for responses to be received by the DCMS is 7 December 2014.

10.17.14
by

Direct Marketing by E-mail and Text: the need for consent

The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECRs) are probably not the most widely known piece of legislation, but they are important when it comes to marketing – and everyone who hates spam text messages, telephone calls and E-mails would probably benefit from knowing about them!  The Regulations implement a piece of EU law into domestic law (for those that are interested the relevant EU law is Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)) and are concerned with when and how organisations and individuals (which for ease of reference will simply be referred to as ‘organisations’ throughout) can market directly to individuals via electronic means.  Direct marketing means any form of advertising or marketing which is targeted at a specific individual.

The rules are really very simple, but are regularly not complied with by companies large and small.  The general rule is that unless you have the consent of the individual (and that consent should be freely given and informed) then you cannot market directly to individuals via E-mail, text message, telephone call or any other electronic means.  This post will focus on electronic mail only (such as text messages and E-mail).

What does not qualify as consent for the purposes of the PECRs?  Consent isn’t specifically defined within the PECRs; however, the Regulations provide that where a term is not defined within either the PECRs or the Data Protection Act 1998 (DPA) the terms should be given the definition ascribed to it in the Directive.  The Directive, in turn, directs us to another EU Directive (95/46/EC – the Directive upon which the DPA is based) where the definition is given as:

any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.

It is very clear.  Consent must be:

  • Freely given
  • Specific
  • informed

When it comes to gaining consent different companies do it in different ways, most of which do not in any way come close to satisfying those three basic requirements.  One way, which I have encountered recently, is to simply build it into their Privacy Policy and/or Terms and Conditions that you consent.  That’s probably the most blatant and flagrant way of breaching the PECRs you can get.  The consent is neither freely given nor informed.  While such organisations might give an option to opt-out at a later date that is insufficient to comply with the Regulations.  Consent isn’t consent unless there is an option not to consent.  Refusing should also be free (except for the cost of transmitting the refusal).  In other words, an individual cannot be charged a fee for refusing (or withdrawing) consent to direct marketing by electronic mail, but if there is a cost to transmitting it (e.g. the cost of a text message or a stamp) then that cost is legitimate.

Another common occurrence is for organisations to have an ‘opt-out’ box requiring the individual to tick in order to say that they don’t consent.  This is nothing more than another form of presumed consent, which clearly doesn’t comply with the requirements of the PECRs.  So far as electronic mail is concerned, the only option is a clear decision to opt-in.

Some organisations will have the opt-in box and will have helpfully already ticked it, meaning that individuals need to un-tick it to withhold their consent to direct marketing by electronic mail.  Again, this is not compliant with the Regulations.  Giving consent is a positive action, if the registration, order form, enquiry form, questionnaire etc. goes away with a pre-ticked marketing box still ticked then it is unclear whether the individual has given their consent to the direct marketing or whether they simply  haven’t (for whatever reason) un-ticked the box.

All is not lost though if details have been obtained by stealth.  There ought to be a way of withdrawing consent contained in every text message or E-mail that is received (a requirement of the PECRs).  However, there is another useful right open to individuals.  That right is contained in section 11(1) of the DPA which states:

An individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing for the purposes of direct marketing personal data in respect of which he is the data subject.

Simply put, individuals can send a letter or an E-mail or some other form of written notice to the organisation in question requiring them to stop sending direct marketing.  This covers all forms of direct marketing and would include text messages, E-mails, letters, phone calls and such like.  The organisation then has to stop direct marketing within “a reasonable time” – the Information Commissioner gives guidance which states that for direct marketing by electronic means organisations should comply within 28 days, and for postal marketing the guidance is 6 weeks.  These notices are legally enforceable and it is possible to go to Court if an organisation doesn’t comply – alternatively the Information Commisisoner can become involved as there will be breaches of the Data Protection Principles if such a notice is not complied with.

This is just a very basic overview of the requirements of the PECRs, the Information Commissioner has produced a more in-depth guide  to Direct Marketing [pdf] which covers everything in more detail.  I was prompted to write this blog post based on the sheer number of flagrant breaches of the PECRs that there are.  These breaches are by big names.  Major political parties, FTSE 100 companies and major household brands are failing to act in accordance with a basic requirement: that before they can bombard individuals with direct marketing they have to obtain the freely given and informed consent of the individual.