What does this cover?


The Crown Prosecution Service ("CPS") – The CPS has been fined £200,000 after laptops containing video footage of police interviews were stolen from a contractor's editing studio.

The CPS had hired the contractor (who is unnamed in the report) to edit police interview footage for use in criminal trials. The ICO found through its investigation that the CPS was delivering the DVDs unencrypted to the third party using a courier service; in some cases the third party, on receipt of the unencrypted DVDs, would carry them on public transport.

The investigation found that the third party's work premises were situated in an occupied residential block of flats with low security.

The ICO notice states that: "The laptops held videos of police interviews with 43 victims and witnesses involved in 31 cases, nearly all of which were ongoing and of a violent or sexual nature. However, some of the interviews related to historical allegations against a high profile individual".

The failures identified by the ICO in the CPS's practices have been determined to be a contravention of the 7th data protection principle.

Oxygen Ltd ("Oxygen") – Oxygen has been fined £120,000 for breach of PECR, arising from its making over 1 million unsolicited marketing calls to members of the public by way of an automated message.

The automated message stated that the call was "a government awareness call" and further purported that "If you are struggling to pay your debts of 5000 pounds or more, you can now have up to 70% legally written off for free. That’s right all of your debt written off for free. Press 5 now to speak to our specialist team or press 9 to opt out."

The Commissioner has deemed the content of the automated message "misleading" and the practice of Oxygen instigating "the making of 1,015,268 automated marketing calls in less than one month to subscribers without their prior consent" a "serious" contravention of the law.

UKMS Money Solutions Ltd ("UKMS") – The ICO has fined UKMS £80,000 for breaches of PECR.

The fine was issued after an ICO investigation into the company revealed that UKMS had bought mobile phone numbers from list brokers. UKMS used the mobile numbers to contact members of the public by text in an attempt to encourage individuals to make a claim for PPI compensation. In the period between April and June 2015, UKMS sent over 1.3 million spam SMS text messages and, in turn, received 1,442 complaints against it. Complaints were received by the 7726 spam text reporting service as well as the ICO.

What action could be taken to manage risks that may arise from this development?

The CPS case is a good example of the importance that should be placed upon ensuring that personal data is always delivered securely, where required, to any third party contractors and that those contractors adhere to the same security standards as the instructing financial services company would. Financial services companies should continue to ensure that all of their contracts contain adequate provision for ensuring that contractors comply with the principles – this includes requiring the audit of such contractors' premises, working practices and management of data (including storage and how data is safeguarded from theft and exposure).