The UK Information Commissioner’s Office (the “ICO”) recently issued monetary penalties to two companies which appear in the BBC Three television series “The Call Centre”. The first of which is associated with nuisance calls relating to Payment Protection Insurance (otherwise known as PPI).
We Claim You Gain and Nationwide Energy Services, both part of Save Britain Money Limited, were issued a total sum of £225,000 in penalties. We Claim You Gain was fined £100,000 and Nationwide Energy Services £125,000. The ICO discovered that these businesses were responsible for over 2,700 complaints to the Telephone Preference Service (“TPS”) or online survey reports to the ICO during the time period of 26 May 2011 to end of December 2012.
The businesses fined had failed to ensure that the individuals they were contacting had registered with the TPS. This is a breach on the businesses part of a legal requirement under the Privacy and Electronic Communications Regulations 2003 (as amended) (the “Spam Regulations”) that govern electronic marketing. At the time of the first monetary penalties for breach of the Spam Regulations that the ICO issued at the end of 2012, it referred to other on-going investigations and the ICO has revealed that its investigations into these call centres had been taking place for more than a year prior to issue of the monetary penalties. Thus far the ICO has issued penalties in total of over three quarters of a million pounds to organisations that have breached the Spam Regulations, although a further 10 investigations are on-going and this amount therefore seems destined to increase further in the coming months.
In a statement, Nationwide Energy Services and We Claim You Gain stressed that they “remain committed to the best interests of our customers at all times”. Both companies have indicated that they intend to lodge a formal appeal to the ICO’s decision.
Simon Entwisle, ICO Director of Operations, commenting on the action taken by the ICO and the reasons for it said:
“The public have told us that they are fed up with the constant bombardment of nuisance calls… …People have the legal right not to receive marketing calls and these companies have paid the price for failing to respect people’s wishes.”
“While we are pleased with our success to date, there is still more we can do, and we welcome discussions in the House of Commons last week around ways to improve the law around unwanted marketing calls and texts. We’d like to see it made easier for us to issue penalties to companies who are breaking the rules.”
Issuing of a number of fines for breach of the Spam Regulations does not mean however that the ICO is neglecting to enforce breaches of the Data Protection Act 1998 (the “DPA”). As evidence of this, the ICO recently fined Glasgow City Council £150,000 for a serious breach of the DPA following the loss of two unencrypted laptops. These laptops were stolen from unsecure areas in the Council’s office on the night of 28 May 2012. On one, the personal information of 20,143 people was stored. The stolen information also included 6,069 individuals’ bank accounts details and the Council’s creditor payment history file. Further investigation revealed that there were a number of other unencrypted laptops that could not be accounted for.
The Assistant Information Commissioner for Scotland, Ken Macdonald, commented:
“Glasgow City Council was issued with an enforcement notice back in 2010 after a similar incident where an unencrypted memory stick was lost. To find out that these poor practices have returned some two years later shows a flagrant disregard for the law and the people of Glasgow. The council should be held to account, and the penalty goes some way to achieving that.”
The cold-calling companies and Glasgow City Council are operating in different areas and in different ways but as a result of these recent monetary penalty notices both have become public examples of the action that the ICO is willing to take to enforce the obligations that it oversees and they are a clear warning for all organisations to become attuned to detail of the data protection regime and to ensure their compliance with it.