In a mixed bag this month, we saw fines for insufficient marketing consents, inadvertent disclosures of personal data, and the age-old story that the ICO considers training in data protection a minimum requirement.
Opt-in marketing consents need to be very specific
- Check Point Claims Ltd were fined £250,000 for a contravention of PECR regulation 19 (prohibition against making marketing calls to individuals who have not previously given consent to receive such calls from the caller) after making 17.5 million marketing calls canvassing for hearing loss claims.
- Better for the Country Ltd were fined £50,000 (under PECR regulation 22 which prohibits unsolicited electronic communication) after sending over 500,000 texts promoting a campaign to leave the EU.
Both companies purchased marketing lists to source their contacts and both argued that the lists were made up of consenting individuals who had "opted in" (doubly "opted in" in the case of Better for the Country Ltd, which argued that individuals had given opt-in consent to the data supplier to receive both government and local government marketing).
The ICO found that the indirect/third-party consents were insufficient in both cases, as the consent was not 'clear' and 'specific' as to: (1) the nature of the information/marketing communications; and (2) the identity of the organisation which subsequently sent the communication.
Whilst the ICO has stated that "Indirect, or third party, consent can be valid", it is clear that in order for such consent to be valid for a purchaser of personal data, the data provider needs to meet a high threshold when initially obtaining the consent.
The Check Point Claims Ltd monetary penalty notice can be accessed here.
The Better for the Country Ltd monetary penalty notice can be accessed here.
To 'bcc' or not to 'bcc'
The importance of data protection by design and default has been exemplified in the monetary penalty action against Chelsea and Westminster Hospital NHS Foundation Trust ("Trust").
In this case the Trust addressed a September newsletter email regarding its HIV patient services to 781 email addressees (the majority of addresses contained the recipient's full names). Human error caused the email addresses to appear visibly in the "to" field of the email rather than the "bcc" field (which hides other email addresses).
The Trust were fined £180,000 for the breach which contravened the 7th data protection principle of "Appropriate technical and organisational measures".
Organisations which send out multi-recipient emails, such as newsletters, should check with their email providers whether default mechanisms are available to prevent all recipients being identified in the address line of an email (such as a default "bcc/blind carbon copy" field appearing instead of the usual default "cc" or "to" fields), and whether data loss prevention software is available which recognises personal data leaving the organisation.
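A pre-send check of the kind described above, written as an added example (not code from the notice or from the Trust): it builds a bulk mailing with every addressee in Bcc and refuses a message whose visible To/Cc fields would expose more than one address. The sender, recipient addresses and subject are constructed sample values.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample recipient list (hypothetical addresses, not from the penalty notice)
RECIPIENTS = ["alice@example.org", "bob@example.org", "carol@example.org"]
# More than one visible addressee means every recipient can see the others
MAX_VISIBLE_RECIPIENTS = 1


def build_newsletter(sender, recipients, subject, body, hide_recipients=True):
    """Build a bulk mailing. With hide_recipients=True every addressee goes in Bcc
    and the visible To: field holds only the sender's own address; with
    hide_recipients=False the addresses are put in To:, reproducing the mistake."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    msg.set_content(body)
    if hide_recipients:
        msg["To"] = sender
        msg["Bcc"] = ", ".join(recipients)
    else:
        msg["To"] = ", ".join(recipients)
    return msg


def visible_recipients(msg):
    """Addresses every recipient will see: all of To and Cc.
    Bcc is deliberately excluded because mail servers strip it on delivery."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(fields) if addr]


def check_before_send(msg):
    """Pre-send guard: (ok, reason). Blocks any mailing that would disclose
    the recipient list in the address line."""
    visible = visible_recipients(msg)
    if len(visible) > MAX_VISIBLE_RECIPIENTS:
        return (False, f"{len(visible)} addresses would be visible in To/Cc; move them to Bcc")
    return (True, "ok")


if __name__ == "__main__":
    for hide in (False, True):
        msg = build_newsletter("newsletter@example.org", RECIPIENTS, "Update", "Hello", hide)
        print("hide_recipients=%s -> %s" % (hide, check_before_send(msg)))
```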
Data breach response delays can aggravate an ICO fine
Blackpool Teaching Hospitals NHS Foundation Trust ("Trust") received a £185,000 fine after an attempt to publish equality and diversity data via a spreadsheet on its external website inadvertently revealed (by way of a clickable data expansion link) the sensitive personal information of 6,574 current and previous employees, including names, NI numbers, ethnic, religious, sexual orientation and disability details.
The dangers of 'hidden data' are an area that the ICO has focused on in recent months, but most interestingly the fine to the Trust was aggravated by delays: the Trust was unaware of the breach for 11 months, and there were then delays in clearing search engine caches of the data and delays in notifying the individuals affected.
The Blackpool Teaching Hospitals NHS Foundation Trust monetary penalty notice can be accessed here.
An ICO blog on the dangers of hidden data can be accessed here.
Be on alert for exiting employees
On 26 May the ICO reported the prosecution of Mark Lloyd who, in anticipation of his departure to a rival company, emailed to himself the contact details and business information (some of which was sensitive) of almost 1,000 clients. Pleading guilty at Telford Magistrates' Court to unlawfully obtaining data under section 55 of the DPA, he received a £300 fine plus over £400 in costs.
The enforcement notice against Mark Lloyd can be accessed here.
DPA training is "a basic requirement"
Scottish authority, West Dunbartonshire Council, received an ICO enforcement notice for 'repeatedly failing' to train staff about the DPA, monitor that training and implement related guidance policies, specifically a home working policy to assist remote working employees.
In previous months we've witnessed the ICO consistently taking action against companies whose data-handling employees are found to be inadequately or inappropriately trained in information governance/data protection.
The ICO has warned that training is "a basic requirement for an organisation that is trusted with large amounts of local people’s personal data".
A press release about West Dunbartonshire Council's breaches can be accessed here.
To view all ICO enforcement actions this month please click here.