Our top tips and trends arising from the ICO's enforcement activity over the past few months.

19 fines were issued by the ICO between April and May this year.

Fines ranged from £6,000 (for seeking personal data without consent) to a record £400,000 (for making 99.5 million unsolicited nuisance marketing calls).

The majority of penalties this period related to non PECR compliant marketing practices but companies falling foul of implementing appropriate technical and organisational safeguards also saw ICO enforcement action.

Finally, the ICO's charity sector investigation into fundraising has revealed a further 11 charities fell short of DPA compliant practice.

1. Another firm joins the ICO's highest fined companies list

  • Keurboom Communications Limited ("Keurboom") received a monetary penalty notice for £400,000 this May. Keurboom were responsible for making 99.5 million calls to members of the public without consent. The automated messages attracted over 1,000 complaints. The fine falls just shy of the ICO's maximum monetary penalty capability of £500,000. However, under looming GDPR changes the ICO will soon be able to impose fines of a much higher sum. The size of Keurboom's fine means that it now shares with TalkTalk Telecom Group PLC the unenviable accolade of achieving the ICO's highest fine issued so far.
  • Check Point Claims Ltd ("Check Point") was fined £250,000 this May. Check Point made over 17.5 million automated marketing calls. The monetary penalty equates to the 5th highest ever fine levied against a company by the ICO.

The marketing practices of Keurboom and Check Point were in breach of regulation 19 of the PECR. This regulation prohibits the use of recorded automated calls to non-consenting members of the public.

TalkTalk remains the only company to make the ICO's top 5 list with a non-nuisance marketing related breach. Talk Talk's fine related to a data attack.

It is clear that the largest fines reflect the sheer volume of those affected in each case.

2. Nuisance marketing continued

Other organisations continued to be caught out for failures to market compliantly. The following companies received monetary penalties across April and May for their role in nuisance marketing campaigns:

  • £100,000 fine issued to Onecom Limited after millions of text messages concerning mobile phone services were sent to members of the public. Onecom was not able to evidence to the ICO that its recipients had consented to the marketing communications;
  • £50,000 fine to Brighter Home Solutions Limited in response to nuisance calls made to individuals registered with the Telephone Preference System. The company also received an ICO enforcement notice requiring it to stop making calls to TPS registered and otherwise non-consenting members of the public;
  • £40,000 fine and an enforcement notice ordering Concept Car Credit Limited to stop sending nuisance text messages; and
  • £40,000 fine issued to Monevo Limited. Monevo sent 44,172 loan marketing messages without the appropriate consents of the recipients to members of the public.

3. Clarifying "Appropriate technical and organisational measures"

Organisations will be aware of their duty under the DPA to apply appropriate technical and organisational data security measures within their business.

Through a series of fines this month, the ICO has clarified some key requirements:

"design and organise security to fit the nature of the personal data held".

  • In May, Greater Manchester Police exemplified the need to adhere to this principle when the force were fined £150,000 for sending unencrypted DVDs in the post to the National Crime Agency. The DVDs, containing interview footage relating to violent and sexual crimes (sensitive personal data), were lost in transit. An ICO investigation found that DVDs were routinely sent unencrypted by the force prior to the incident.

"make sure you have the right physical and technical security, backed up by robust policies and procedures…"

  • Construction Materials Online Ltd ("CMO") was fined £55,000 in May after a coding error on CMO's website meant that personal data was vulnerable to attack.

"have… reliable, well-trained staff";

  • The ICO recently sought action against a GP surgery employee who made multiple unlawful accesses to patient medical records. The employee was prosecuted for two offences under s55 of the DPA.

"be clear about who in your organisation is responsible for ensuring information security";

  • A £150,000 fine was issued against Basildon Borough Council by the ICO after information of a sensitive nature regarding members of a family was published online. Investigation revealed that the council staff member involved was inexperienced and had failed to notice that there was personal data in the release. There was no protocol in place for a secondary check of the data by a more experienced employee.

4. Charity data misuse investigation leads to 11 more fines

An ICO investigation into the charity sector between 2015 and 2017 focused on the sector's fundraising practices. Two Charities were fined in December 2016, 11 further charities received fines April 2017.

The key concerns of the investigation looked at how those charities were obtaining donor data. The following illegitimate practices were identified:

  • Legacy profiling i.e. the profiling of individuals based on their financial position;
  • Hiring companies to update old data, such as locating a past donor's new address or contact details; and
  • Sharing data with other charities without proper consent.

Whilst the ICO's charity sector investigation focussed on charity fundraising, the practices identified through the investigation were not sector-specific. Organisations should ensure that relevant staff are aware of those practices which were found to be unlawful.

For further detail on any of the ICO enforcement actions discussed above, please click here.

Press releases surrounding the ICO's charity fines can be accessed here and here.