The Money Shop – The ICO has issued a monetary penalty notice of £180,000 to The Money Shop. Instant Cash Loans Ltd, which trades as The Money Shop, was issued with the notice after a store in Northern Ireland was burgled and a server was stolen. Contrary to the firm's own policy, the server had been left on a desk rather than in a locked room. One month later a second server was lost in transit by a courier service. The data on the servers was not encrypted. Customer data, including addresses, dates of birth and contact details, was accessible on the servers, and the ICO found a breach of the 7th data protection principle (security).
The monetary penalty notice also refers to the fact that The Money Shop did not delete the customer data when it was no longer needed. The notice does not, however, cite a breach of the 5th principle (data should be kept no longer than necessary).
In line with the ICO's recent guidance on monetary penalty notices, the ICO took into account, when determining the size of the penalty, favourable factors including:
- The fact that the incident was voluntarily reported to the ICO
- Partial encryption of some of the data
- Full co-operation with the ICO
- Substantial remedial action taken by The Money Shop
Point One Marketing Ltd (previously Conservo Digital Ltd), trading as 'Stop the Calls' – In one of the more ironic ICO actions to date, the ICO has fined Point One Marketing Ltd £50,000 for "aggressive cold-calling practices".
The company marketed to subscribers a call-blocking device and a service which would "stop" unsolicited calls. Between 1 February 2014 and 31 March 2015, the ICO received 169 complaints about repeated calls (sometimes several on the same day). In some cases, the company failed to act on complainants' requests to stop calling and to suppress their telephone numbers.
Many of the complainants were elderly and vulnerable, and in some cases bank details or credit card information was obtained under duress. The law changed in April of this year to remove the requirement for the ICO to prove that a breach of PECR has caused "substantial damage and distress"; however, the company's actions took place before this change in the law, and the notice therefore lists many examples of the distress caused to individuals.
In summing up, the ICO noted that:
"This company lacked integrity. They tried to sell a product that they claimed would stop nuisance calls, knowing full well they were responsible for so many such calls themselves. They operated in what appears to have been such a bullying, aggressive way only makes matters worse."
What action could be taken to manage risks that may arise from this development?
Companies should note that encryption of personal data remains a key factor for the ICO when assessing whether a data controller has met the requirements of the security principle.