What does this cover?

On 31 August 2015 the Daily Mail broke the story of former Army colonel and widower Samuel Rae who, despite suffering from dementia, had been persuaded out of £35,000 by a succession of fraudulent firms.

According to the Daily Mail "some [firms were] asking for money up to 38 times a year" and surprisingly, firms had been able to target Samuel after his details were passed on over 200 times by charities following the completion of a survey that Samuel filled out in the 90's where he forgot to mark a box confirming that he did not consent to his details being shared.

The ICO, confirming their investigation into the story; stated in their blog that "The Data Protection Act is very clear: the very first principle is that your data should only be processed fairly and lawfully. What has been described in the papers this week doesn’t look like that. If Samuel Rae is still being plagued with unwanted mail and unwanted approaches, then it is really beside the point whether or not he ticked a box in 1994…the rules on data protection and the rules about privacy and electronic communications apply to all who are processing data, whether businesses or charities."

ThinkJessica is an ICO project currently being developed in conjunction with the police and Trading Standards which is aimed at identifying whether vulnerable people are indeed being placed on so-called "suckers lists" in order that scam firms can quickly identify and repeatedly target members of the public considered to be easy targets. The ICO advise that "If there’s any connection between the good work that charities do and the scam merchants, that’s very concerning and we’ve got to get to the bottom of how that information has been passed on".

To view the ICO blog on its data sharing investigation in the charity sector, please click here.

What action could be taken to manage risks that may arise from this development?

This is for interest only, however the story is another reminder of the importance of ensuring that organisations abide by their obligations under PECR and  ensuring that any vendors used also do the same.