18 May 2017

UK Enforcement Update

2016-17 has been a busy year for the ICO nuisance call investigations: 23 companies were fined a total of £1.9m

The Guardian Soulmates Spam Attack

In an example of how losing control of your data can be a significant embarrassment – Some users of Guardian Soulmates, the online dating website, have found their contact information has been inadvertently disclosed.  As a result of the unauthorised disclosures, users received sexually explicit spam messages.  

The Guardian News & Media stated that the breach stemmed from a third-party service provider, and has now been remedied.  The disclosed data comprised email addresses and user IDs, which could then be used to find members’ publicly available online profiles. Some of the personal data on such profiles, including for example sexual preference, is considered ‘sensitive.’  The UK Information Commissioner confirmed it is looking into the breach. 

A cold-calling firm has been fined a record £400,000 by the Information Commissioner’s Office (ICO) for making almost 100 million nuisance calls without consent!

Keurboom Communications called people, sometimes at unsocial hours, to see if they were eligible for road-accident or payment protection compensation.  This behaviour of calling people without their consent, and using automation to initial calls is a breach of the UK’s Data protection regime, consequently the ICO was keen to be seen to take action.

Keurboom Communications also sought to hide its identity when making calls so that people would find it harder to complain.  Despite this 1000s did complain to the ICO.  The ICO’s head of enforcement Steve Eckersly stated that:- 

“The unprecedented scale of its campaign and Keurboom’s failure to co-operate with our investigation has resulted in the largest fine issued by the Information Commissioner for nuisance calls.”

The company has since gone into liquidation but the ICO said it was committed to recovering the fine,   presumably by using the rights of enforcement against Directors personally that were announced last year.  It is hoped that making directors personally responsible will stop them avoiding fines by putting their company into liquidation, and generally force greater accountability.  However, as we reported previously, some say this is a draconian response and risk to place on otherwise well-meaning businesses, but it does mean all directors should take care to ensure their company is compliant.

Even the Police can fail to properly look after Data

Registered firearms owners in London are questioning whether the Metropolitan Police have breached data protection law by passing personal data to a third party  – A timely reminder for those who handle personal data to ensure they have the proper consents for their data processing activities.

In early May 2017, approximately 30,000 leaflets were mailed to registered firearms owners in London promoting the services of a company named Smartwater, which provides forensic marking services meant to facilitate the tracking of stolen goods.  The envelopes received by firearms owners were marked with a return address for a marketing company based in Leeds named Yes Direct Marketing.  It is believed that the source of the addresses was a police controlled data base.

Understandably, some recipients of the leaflets were alarmed to find that their personal information appeared to have been passed to a marketing firm by the police, noting that the Metropolitan Police data protection policy for firearm license holders excludes the use of personal data for marketing purposes.  The British Association for Shooting and Conservation has demanded that the circumstances of the mass mailing be investigated as a potential data protection breach.  

The possibility that the personal data of firearms owners was passed to a direct marketing company raises safety concerns, as the addresses of gun owners (required by law to be listed on the National Firearms Licensing Management System database) may leave them vulnerable to criminals seeking access to firearms.  

It is not yet known whether the Information Commissioner will investigate the matter, nor whether any data protection breach occurred.  The matter should nonetheless serve as a reminder to every organisation that handles personal data to be familiar with their data protection policy and the scope of the consents which data subjects have provided.  Data protection policies should be reviewed regularly to ensure that they are appropriate to the scope of the data processing which the organisation carries out; where there is a concern that data processing may take place which is not covered by current policies, updated data subject consents should be obtained.  Regular staff training (at least on an annual basis) on your organisation’s data protection policies is essential to protect against inadvertent data breaches, and to demonstrate diligence in the unfortunate event that a breach occurs.  Data breaches can be very costly, as substantial fines may be levied by the Information Commissioner’s Office, and may also seriously damage an organisation’s reputation with its own clients, as well as in the wider marketplace.