Here is our summary of the top tips and trends arising from the ICO's enforcement activity over the past few months. This round-up covers what we can take away from the ICO's largest fine ever, why nuisance marketing remains in the ICO spotlight, and how SARs, an area that typically receives less attention, are becoming a rising focus of ICO enforcement.
1. TalkTalk data breach prompts ICO's largest fine ever
The ICO issued a record-breaking £400,000 fine against telecommunications company TalkTalk in October.
The fine, which is just shy of the maximum ICO penalty limit of £500,000, relates to the widely publicised hack of TalkTalk's customer database in October 2015. The cyber theft resulted in illegitimate access to the banking details, addresses, dates of birth and other identifying details of over 150,000 customers.
The ICO, which carried out an investigation into the incident, subsequently reported that the attack "could have been prevented if TalkTalk had taken basic steps to protect customers' information"; the lack of such measures was a breach of the 7th data protection principle. The ICO intends the size of the fine to serve as a warning to would-be offenders: "Today's record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers."
Organisations that hold large amounts of customer personal data are strongly advised to ensure that they have appropriate cyber security measures in place to protect against attacks which target customer personal data in particular. As the case of TalkTalk shows, failures to appropriately safeguard data can result in significant monetary penalties.
2. Nuisance marketing continues to draw ICO attention
Remaining in the ICO spotlight are companies that fail to engage in compliant marketing practices. Most contraventions involve a breach of regulation 22 of PECR, which prohibits direct marketing communications sent without proper consent.
The levels of fines vary. Fines in September, for instance, ranged from £30,000 to £130,000 and covered spam texting as well as nuisance calls. One of the highest fines this autumn was issued to Intelligent Lending, trading as Ocean Finance, on 28 September. The fine of £130,000 followed 7.7 million unsolicited text messages sent over six months, which generated almost 2,000 complaints.
An increasing sub-trend is the rise of companies that rely on third-party suppliers to provide their marketing lists. This is proving a risky business, as it is too often the case that these lists lack the required marketing consents from the individuals concerned. It is becoming a common theme that purchasers of such lists fail to verify that the correct consents have been obtained before buying the list and marketing to individuals who turn out not to have consented. The ICO is consistently showing that users of unverified marketing lists will not be let off lightly.
By way of example, in October, Rainbow (UK) Ltd, a Barnet-based firm, instigated 21,000 spam texts to individuals named on a purchased marketing list. As the list lacked appropriate consents, Rainbow was issued with an ICO fine of £20,000. The ICO found that Rainbow had the responsibility to check the validity of the consents, and that this responsibility was not extinguished because the lists were purchased from a third-party supplier.
The ICO recently reiterated its available guidance on direct marketing and appropriate consent, which includes:
- guidance for firms on direct marketing by phone, text, email, post or fax;
- a new code of practice.
Organisations are reminded to review the consents obtained in connection with any marketing lists they have or may purchase from a third-party supplier.
3. Strictly criminal – processing data without registration
An August prosecution of the telecommunications company Bizcall Communications Limited serves as a reminder to organisations of the importance of registration with the ICO when processing data.
The application of the law for a failure to register when processing personal data is strict; ignorance is no defence.
Bizcall were fined £650 in court, plus costs and a victim surcharge, for the offence, which falls under s.17 of the Data Protection Act.
4. Failures to adequately train; still a big factor in ICO enforcement action
A well-established trend in ICO enforcement is the correlation between data breach incidents and shortfalls in the sufficiency and frequency of staff training. An ICO training checklist for small and medium-sized organisations reported that "some 80% of security incidents involve staff; there is a clear need for all workers to have a basic understanding of the Data Protection Act 1998". To illustrate this point, we turn to the October undertaking given by Cornwall Council, a commitment to comply with the DPA, specifically in respect of training, which followed eight data protection breaches reported over a two-year period.
i. The ICO's investigation into Cornwall Council found that certain of the staff concerned had not received data protection training, that general uptake of data protection training was lacking and that, despite subsequent ICO involvement, training uptake remained inadequate over the course of a year.
ii. The undertaking required the Council to ensure that staff responsible for handling personal data receive appropriate data protection training within three months, to be refreshed at regular intervals. New starters with data handling responsibilities should receive specific data protection induction training.
Organisations should make sure to instigate, monitor, track and review their data protection training regime for staff. This should include consideration of the frequency of training, training received at induction and whether staff are in need of refresher courses (which the ICO recommends should occur at regular intervals).
5. SARs – TMI (too much information)
In summer we noted an increase in ICO enforcement actions taken as a result of failures and delays in responding to subject access requests ("SARs"). That trend continued into autumn.
i. In September, Nottingham Forest Football Club Ltd failed to respond to a SAR (or unduly delayed in respect of that response) breaching DPA principle 6 that "Personal data shall be processed in accordance with the rights of data subjects".
ii. Regal Medical Practice (of Hertfordshire) became subject to ICO enforcement action when it inappropriately released confidential information about the requester's estranged partner in a SAR response, despite that estranged partner having previously asked the GP practice to take extra care with her information. The practice received a fine of £40,000 for the breach of DPA principle 7, that "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data". In this case the ICO commented that the fine would have been higher had the practice partners not been individually liable for the breach.
iii. The ICO also took action against Poundstretcher Limited for failing to respond to a subject access request.
The ICO has previously published guidance on "How to disclose information safely: Removing personal data from information requests and datasets".
On 15 August, the ICO published the blog "Don't get caught out by subject access requests", which deals with common complaints made to the ICO regarding the mishandling of SARs.
Organisations should pay particular attention to the handling of SARs. The cases above, together with the ICO's own blog on the subject, highlight that there are inherent risks at many of the stages of dealing with a SAR, and the ICO is regularly taking action against companies that fail to manage those risks correctly.
6. Failure to encrypt increases regulatory action risk
Whilst the DPA does not expressly require organisations to encrypt their data, organisations would be very wise to do so in any event. The ICO fervently supports this contention, and has stated that "where data breaches occur and encryption software has not been used to protect the data, regulatory action may be pursued."
By way of example, in August, Whitehead Nursing Group received a £15,000 fine for the loss of sensitive personal data. The loss involved an unencrypted laptop containing nursing home resident information (including medical details). The laptop was stolen from the home of a member of staff and was not recovered. The nature of the data, combined with the increased risk of storing sensitive confidential data unencrypted on a mobile device, undoubtedly increased the severity of the breach.
The ICO has previously published encryption guidance.
7. Keep tabs on data
We regularly advocate the importance of ensuring that data be kept only as long as necessary (Data Protection Principle 5); the less personal data stored, the lower the risk and impact of a data breach.
An autumn fine against Hampshire County Council showed that it is also important for an organisation to keep track of the personal data it holds (and has held), so that in the event of data loss it can respond quickly, and so that personal data is not accidentally disposed of or inadvertently left behind.
Hampshire County Council were fined £100,000 by the ICO for a breach of security after personal data held by the Council was found in a disused building by its new owners. The building had previously housed the Council's confidential information team. The stored personal data was evidently not accounted for when the department moved to different premises.
Organisations are advised to ensure that stringent policies are in place governing the decommissioning of historic IT systems and premises, so that all personal data can be accounted for.
8. Notifying the ICO
Last but not least, organisations must not forget the importance of notifying the ICO of their data processing activity. Let the prosecution of Triforce Recruitment Ltd be a warning. Triforce were prosecuted in September for failing to register with the ICO, a breach of s.17 of the DPA, and were fined £5,000 plus costs and a victim surcharge.