"Vote No!" - Brexit Campaign company fined for unsolicited text messages
Better for the Country Ltd, a company campaigning for Britain to leave the European Union, has been fined £50,000 for sending 500,000 unsolicited text messages to promote the "Vote No" Brexit campaign. The Information Commissioner's Office (ICO) found that the company was in contravention of Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 by transmitting unsolicited communications to individual subscribers for the purposes of direct marketing.
The ICO flagged that adequate consent had not been obtained, echoing previous guidance that organisations purchasing mailing lists from third parties must carry out rigorous checks to ensure the third party has obtained consents and is processing data fairly and lawfully (in line with Principle 1 of the Data Protection Act). It is not sufficient to rely on assurances of consent without first conducting proper due diligence. The ICO has recommended that companies consider the following:
- How and when was consent obtained?
- Who obtained it and in what context?
- What method was used – e.g. was it opt-in or opt-out?
- Was the information provided clear and intelligible?
- Did the wording specifically mention texts, emails or automated calls?
- Did it list organisations by name, by description, or was the consent for disclosureto any third party?
- Is the seller a member of a professional body or accredited in some way?
The ICO's penalty notice can be accessed here.
NHS Trust fined for employee data breach
The ICO has fined Blackpool Teaching Hospitals NHS Foundation Trust (theTrust) £185,000 following the leak of sensitive personal information of over 6,000 members of staff - including their national insurance number, date of birth, religious beliefs and sexual orientation. Employees of the Trust uploaded an Excel spreadsheet containing the personal data to the Trust's website without realising that the personal data was freely accessible by users of the site. The Excel spreadsheet was used to display equality and diversity metrics, and personal data associated with metrics could also be viewed using a feature on Excel. The ICO highlighted that employees of the Trust provided personal information voluntarily in the expectation that it could be held securely, which heightened the need for robust measures to safeguard against unauthorised disclosure. The Trust's slow response to the breach lead to a higher penalty and this was made worse by the fact that there was a delay in the cached data being removed from search engines. Companies are reminded of the importance of clearing caches where a data breach has occurred via a public website.
The ICO report is available here.
NHS Trust fined for HIV-positive patients' email leak
The ICO has fined Chelsea and Westminster Hospital NHS Foundation Trust (the Trust) £180,000 for a leak of sensitive information relating to HIV-positive patients at 56 Dean Street - a sexual health clinic ran by the Trust. The clinic allowed HIV-positive patients to book appointments and receive test results by email, and newsletters were also circulated to the email addresses. Due to an internal error, recipients of one newsletter were able to see the email addresses of the other recipients, many of which contained first and last names. The email addresses were mistakenly entered into the "to" box rather than the "bcc" box when the emails were sent. The ICO responded with the following statement,"People’s use of a specialist service at a sexual health clinic is clearly sensitive personal data. The law demands this type of information is handled with particular care following clear rules, and put simply, this did not happen." The fine issued in this case does not come as a surprise considering this is not the first time a data breach has occurred at 56 Dean Street. In September 2015 a similar data breach occurred also involving the use of an email newsletter. This case highlights the importance of staff training and well-planned procedures and reveals the robust measures the ICO is adopting when it comes to repeat offenders.
The ICO report is available here.
Panama Papers scandal continues as data made public
A database of documents, leaked from Panamanian law firm Mossack Fonseca, has been made available publicly online. Ignoring a "cease and desist" order from Mossack Fonseca, the International Consortium of Investigative Journalists (ICIJ) posted the documents online last week. Reportedly, the information was leaked by an unknown source using the alias "John Doe" over a year ago, after which hundreds of journalists began examining the data. The ICIJ said "the database will not include records of bank accounts and financial transactions, emails and other correspondence, passports and telephone numbers. The selected and limited information is being published in the public interest". With "hacktivism" on the rise, organisations holding large amounts of personaldata must view data security as a priority. Whilst technical measures cannot always protect against human error or intent, strict controls on who within an organisation can access what data can help to manage and mitigate risk.
The coverage from the BBC is available here.