ICO cracks down on subject access requests

David Brothers (Wales) Ltd was ordered to respond to a subject access request after the ICO ruled it had failed to do so, in breach of the requirements of section 7 DPA 1998.

Misuse of data handling by employees (in March 2017)

  1. A former nurse employed by a health board was prosecuted for accessing the sensitive medical records of over 3000 individuals without the consent of the data controller. The employee was fined £650 under section 55 of the Data Protection Act and ordered to pay costs and a victim surcharge.
  2. A recruiter formerly employed by a recruitment agency emailed the personal data of 500 candidates to his personal email address as he was leaving to start a new rival recruitment company and intended to use them as potential clients for his new business. He was fined £170 under section 55 of the Data Protection Act and ordered to pay costs and a victim surcharge.
  3. A senior barrister was prosecuted for failing to keep her clients' sensitive personal information secure and for failing to encrypt certain files to prevent unauthorised access to confidential material by shared users. Her husband temporarily uploaded 725 files containing her clients' sensitive personal information to an online directory, and these documents were visible to an internet search engine. Some of these were cached and indexed and therefore easily accessed and recognisable, and certain documents contained confidential and highly sensitive information. Between 200 and 250 individuals were affected by this, including vulnerable adults and children.

Organisations should ensure they comply with all subject access requests ("SARs"). This order, together with our article on key cases regarding SARs, indicates that, perhaps in preparation for the GDPR, the ICO and the courts are expecting full compliance with all SARs.

Organisations should implement safeguards to prevent employees unlawfully accessing data (e.g. authorisation requirements and encryption). Organisations should provide regular data protection training, refresher training and issue guidance to employees to ensure compliant data handling.

Firms continue to be hit by marketing fines

February and March 2017 have seen a particular surge in fines:

  1. Media Tactics Ltd was fined £270,000 for making 22 million nuisance calls, making it one of the ICO's highest fines (breach of regulation 19 Privacy and Electronic Communications Regulations ("PECR")).
  2. Digitonomy Ltd (credit broker) was fined £120,000 for sending millions of marketing texts without proper consent (breach of regulation 22 PECR).
  3. Flybe Ltd (airline) was fined £70,000 for sending more than 3.3 million emails to individuals who had informed them they did not wish to receive marketing emails from the firm (breach of regulation 22 PECR).
  4. Honda Motor Europe Ltd was fined £13,000 for sending 289,790 emails aiming to clarify certain customers' choices for receiving marketing. Honda believed the emails were not classed as marketing but were instead customer service emails to help the company comply with data protection laws. Honda could not provide evidence that the customers had ever given consent to receive this type of email (breach of regulation 22 PECR).
  5. PRS Media Ltd was fined £80,000 for sending marketing texts, without consent, to 4.4 million individuals who had been required to opt in as part of entering a competition on the company's website. Whilst the company's website privacy policy did state that individuals' details would be shared with third parties, this was not specific enough (breach of regulation 21 PECR).
  6. Xternal Property Renovations was fined £80,000 for making calls to individuals registered with the Telephone Preference Service (the "TPS"). The ICO found that Xternal should have screened the list of people it intended to call against the TPS and provided telesales staff with appropriate data protection training.

The ICO continues to demonstrate its willingness to impose fines, and is prepared to do so at the higher end of the scale, including for large global organisations. Organisations should ensure compliance with marketing laws and obtain proper consent in order to avoid data protection violations and subsequent enforcement or monetary penalty notices.
