A new, trial feature on the blog in which I take a monthly look at the Monetary Penalty and Enforcement Notices issued by the ICO together with the formal undertakings also published.
September has seen the Information Commissioner issue two Monetary Penalty Notices in respect of breaches of PECR and publish three formal undertakings following breaches of the DPA.
General Dental Council
The General Dental Council (‘the GDC’), a statutory regulator, gave the Commissioner an undertaking to comply with the seventh Data Protection Principal. This followed an incident in which fitness to practice allegations and a CD containing background information relative to the allegations were sent to the wrong practitioner. An investigation by the GDC established that the error had occurred because the recipient had a similar name to the intended recipient.
The GDC had in place guidance on the processing of such information; this had not been followed by the employees who had arranged for this information to be sent out. The GDC’s guidance and processes required that the CD on which the background information was sent was encrypted. In this particular incident the CD was not encrypted.
The Commissioner established that while the GDC had in place sufficient policies and procedures, there was a lack of corporate refresher training in relation to data protection for those employees whose job roles entailed the processing of personal data. The GDC had introduced induction training, but this was not rolled out to existing staff. The GDC did have examples of where data protection training was being delivered; however, much of this was delivered on an ad hoc basis.
The Undertaking records a second incident where a patient’s dental records had gone missing. The GDC’s investigation suggested that the records had never left their office, but had instead been securely destroyed. However, the employee involved in this incident had not received induction data protection training.
Cold Call Elimination Ltd
The Commissioner served a Monetary Penalty Notice on Cold Call Elimination Ltd following breaches of PECR. Somewhat ironically Cold Call Elimination Ltd was making unsolicited cold calls to sell a service and device to stop unsolicited cold calls.
The Commissioner wrote to the company following a number of complaints to the Commissioner and the Telephone Preference Service. The Company provided an explanation and further explained that it would be putting in additional measures relating to unsolicited marketing calls. The Commissioner placed the company on a period of monitoring for a period of 3 months, during which a large number of complaints continued to be received.
The Commissioner’s Office met with Cold Call Elimination Ltd to discuss its compliance with PECR following which a further period of monitoring took place. During that second period of monitoring there was a drop in the number of complaints received, but the Commissioner described this as an insignificant drop.
The Commissioner had received 46 complaints directly from individuals who were subscribed to the Telephone Preference Service between 14 June 2013 and 31 March 2015. The Telephone Preference Service had received 336 complaints over the same period.
The Commissioner determined that the company was in breach of Regulation 21 of PECR and subsequently issued a Monetary Penalty Notice in the amount of £75,000.
Martin & Company
Martin & Company, a firm of solicitors, gave the Commissioner an undertaking to comply with the seventh Data Protection Principal following an incident in which a DVD containing CCTV footage went missing. The firm was acting for a criminal accused and the CCTV footage was released to them by the Crown Office and Procurator Fiscal Service (‘the COPFS’). Martin & Company is based in Ayr and the DVD required to be collected from the COPFS office in Kilmarnock. Martin & Company instructed a third party to collect the DVD from the COPFS. The DVD went missing having been collected by the third party, but before reaching Martin & Company.
The Commissioner’s investigation found that there were some shortcomings in Martin & Company’s procedures. In particular the Commissioner highlighted a lack of guidance to staff regarding the DPA as well as relevant training on the DPA. The Commissioner also took the view that there was a lack of formal procedure for staff when arranging to have personal data collected from outside of the office environment.
FlyBe Limited, an airline, gave the Commissioner an undertaking to comply with the seventh Data Protection Principal following an incident in which a temporary employee sent a scanned image of another individual’s passport to his personal E-mail address. The incident occurred in the department responsible for processing airside clearance for other FlyBe staff.
The Commissioner investigated and discovered that FlyBe did not provide any training to its staff members who processed personal data, including the temporary employee who was involved in this particular incident. The Commissioner also found that FlyBe’s data protection policy was inadequate and only provided limited information.
Home Energy & Lifestyle Management Ltd
The Commissioner served a Monetary Penalty Notice on Home Energy & Lifestyle Management Ltd following breaches of PECR. Home Energy & Lifestyle Management Ltd engaged in a marketing campaign via automated recorded calls to 6 million people in relation to the ‘Green Deal’, a Government backed energy saving initiative
The Commissioner wrote to the company having received a number of complaints about the calls being made. The Company explained that it had now ceased the marketing campaign and that it had not realised that there were different rules in the Privacy and Electronic Communications Regulations for recorded calls as opposed to “live” calls. The company also sought to explain the calls by attempting to lay the blame at the door of the third party company it had contracted to make the calls on its behalf.
The Commissioner’s office received 242 complaints concerning Home Energy & Lifestyle Management Ltd’s calls during a three month period of monitoring. The Commissioner decided that the company had breached Regulation 19 of PECR. The Commissioner also found that the company had breached Regulation 24 of PECR by not identifying the person who was sending the automated marketing calls, not providing the address of the person and not providing a telephone number on which the person responsible for making the calls can be reached free of charge.
The Commissioner issued a Monetary Penalty notice requiring the company to pay the sum of £200,000, the largest amount ever required for a breach of PECR. Press reports of the Monetary Penalty Notice have indicated that the company intends to appeal.
In respect of the three undertakings for breaches of the Data Protection Act 1998 it is clear that data controllers, even large organisations, are still failing in the basics by not having in place adequate policies and procedures covering data protection and failing to provide adequate induction and refresher training on data protection to those who handle personal data. This is a regular feature in enforcement action taken by the Information Commissioner. Having in place sufficient policies and procedures, as well as training and adequate checks to ensure compliance, will reduce the chances of experiencing a data breach in the first place. Furthermore, it will undoubtedly serve to mitigate any enforcement action taken by the Commissioner should a data controller experience a breach.
The Monetary Penalty Notices issued this month highlight the importance of ensuring that organisations undertaking marketing by telephone have in place he appropriate consents and take sufficient steps to ensure that the calls are not made to individuals who have registered with the Telephone Preference Service. They also highlight the truth of the latin maxim ignorantia legis neminem excusat – or ignorance of the law excuses no one. Following a change in the law, it is now much easier for the Commissioner to issue Monetary Penalty Notices in respect of breaches of PECR; it is therefore now much more likely that breaches of PECR will result in the Commissioner issuing Monetary Penalty Notices.