1. Ignorance is no excuse: CCTV footage is personal data
The ICO have warned firms that if they use CCTV, they must register that use with the ICO. Why? Because all businesses are obliged under the law to register with the ICO if they handle personal data and the ICO have made it clear that CCTV footage of individuals constitutes personal data.
On 1 February, Kavitha Karthikesu, a business owner operating CCTV without ICO registration, was found guilty under section 17 of the DPA of operating without a licence. Karthikesu was fined £200 and ordered to pay costs. The ICO pursued the prosecution despite the argument that she was unaware of the duty to register.
The ICO have commented that "Being ignorant of the law and the regulator is no excuse…" (ICO Enforcement head Steve Eckersley).
The ICO have previously issued guidance on the use of CCTV.
If an organisation uses CCTV monitoring in any of its offices, it should ensure that this use is registered with the ICO.
2. Being wary of employee data theft
2016 saw a record-breaking fine issued to TalkTalk, whose customers' personal data was compromised in an external cyber-attack.
Whilst businesses should certainly be concerned with such external threats to customer data, from hackers and the like, they must also be aware of the internal risk of employees misappropriating data. 2017 has already yielded three examples:
- A large fine of £150,000 was issued to Royal & Sun Alliance Insurance PLC ('RSA') in January after the personal details of 59,592 customers were put at risk when RSA gave a number of employees and contractors (including non-essential staff) unsupervised access to a device containing the personal details of those customers.
- In January, Rebecca Gray, who worked at a recruitment agency, was prosecuted for unlawfully obtaining data. Ms Gray emailed the personal details of around 100 clients to her private email address in anticipation of starting a new job at a competing recruitment firm. She was fined £200 and ordered to pay costs.
- In January, former Enterprise Rent A Car employees Andrew Minty, Jamie Leong and Michelle Craddock were found guilty of conspiracy to commit section 55 Data Protection Act offences after accessing Enterprise's systems to collect details of individuals and pass them on to claims management companies.
Where possible, organisations should have technological safeguards in place, for example appropriate authorisation requirements, to prevent employees from unlawfully accessing customer data.
In addition, the importance of regularly training staff on data protection principles, and on the consequences of wilful breach of those principles, should not be underestimated.
3. Marketing fines continue in 2017
An ICO round-up is never quite complete without a reference to marketing breaches. Marketing breaches continue to be the source of the majority of ICO enforcement actions. This trend has continued in 2017:
- in January a £40,000 fine was levied against a firm which tele-marketed to TPS-registered individuals (in breach of regulation 21 PECR); and
- a Manchester firm received a £50,000 fine for the delivery of almost 400,000 nuisance texts about debt without the required consent of the recipients (a breach of regulation 22 PECR).