Posts Tagged ‘Information Commissioner’s Office’

UK e-privacy enforcement ramps up

Posted on April 29th, 2013 by Brian Davidson

The times when one could say that the UK ICO was a fluffy, toothless regulator are over. Recently, the ICO has been going through its most prolific period of enforcement activity – by the end of 2012 it had imposed 25 fines, issued 3 enforcement notices, secured 6 prosecutions and obtained 31 undertakings, and 2013 looks set to bring similar activity (in March, for example, the ICO issued its first monetary penalty for a serious breach of the Privacy and Electronic Communications Regulations 2003 (‘PECR’) relating to live marketing calls: a £90,000 fine for Glasgow-based DM Design for unwanted marketing calls).

To coincide with such activities, the ICO has recently updated the enforcement section of its website. What this tells us is that whilst data security breaches will continue to be a significant area of focus for the ICO, PECR breaches will also figure highly in the ICO’s enforcement agenda. In this regard, the ICO tells us that it has already been active in the areas of ‘spam texts’, sales calls and cookies.

Spam texts are identified as ‘one of the biggest concerns to consumers’ (the ICO refers to texts about accident and ‘PPI’ claims, in particular), and the ICO refers to the work it has carried out with members of the mobile phone industry in order to identify an organisation which is now the subject of enforcement action. The ICO also identifies ‘Live’ Sales Calls and ‘Automated Calls’ as other areas of priority, and has explicitly identified (and published) the names of a number of companies with which it has either met to discuss compliance issues, or whose compliance it is actively monitoring for ‘concerns’ with a view to considering enforcement action. This is not only related to UK-based companies, but also to those based overseas who are targeting UK-based consumers. The ICO tells us that it is actively working with the FTC in the US and with other regulators based in Ireland, Belgium and Spain through Consumer Protection Co-operation arrangements.

Finally, the ICO tells us that between January and March 2013 it received a further 87 reported concerns via its website from individuals about cookies (far fewer than the number of concerns from individuals about unwanted marketing communications, it has to be said). The ICO will continue to focus on those websites that are doing nothing to raise awareness of cookies or obtain users’ consent, and also on those sites it receives complaints about or which are ‘visited most by consumers’. However, the ICO also says that it has ‘maintained a consumer threat level of ‘low’ in this area due to the low level of concerns reported’.

It is obvious that as consumer technologies such as tablets and smartphones continue to develop, so too will the ICO’s enforcement strategy in this area. Compliance with PECR should therefore also figure highly in any business’s data protection compliance strategy.

Misdirected e-mails and miscreant employees beware: ICO flexes its enforcement muscle!

Posted on June 13th, 2011 by Phil Lee

Last week was a busy week in the world of UK data protection enforcement, with reports of not one, but two significant data protection enforcement acts by the Information Commissioner’s Office (“ICO”).

£120,000 Monetary Penalty Notice for Surrey County Council

First, there was the news that the ICO had imposed a fine of £120,000 on Surrey County Council for a serious breach of the Data Protection Act 1998 (“DPA”). The fine related to misdirected e-mails sent by Council staff on three separate occasions, with each e-mail resulting in confidential and sensitive personal information falling into the hands of unintended recipients. The most serious of the three incidents saw sensitive personal information about 241 individuals’ physical and mental health being inadvertently sent to various transportation companies, including taxi firms and coach and mini bus hire services. The other incidents concerned sensitive personal information being inadvertently circulated to newsletter registrants and to an incorrect group mailing list.

Following the fine, Information Commissioner Christopher Graham said: “Any organisation handling sensitive information must have appropriate levels of security in place. Surrey County Council has paid the price for their failings and this case should act as a warning to others that lax data protection practices will not be tolerated.”

s.55 prosecution against former T-Mobile employees

In a separate development, two former employees of T-Mobile were prosecuted and fined a total of £73,700 for having stolen and sold customer data from the company in 2008. The former employees, David Turley and Darren Hames, pleaded guilty to the section 55 DPA offence of unlawfully obtaining personal data. The prosecution was the culmination of a joint investigation by the ICO and T-Mobile into how customers’ names, addresses, telephone numbers and customer contract and end dates were being unlawfully supplied to third parties.

What this means

These reports highlight that the ICO’s data protection enforcement capabilities, having been criticised for so long by privacy commentators, are really beginning to ramp up. Since the introduction of its fining powers in April 2010, the ICO has now issued no fewer than 6 fines (one every two months or so) with an aggregate total of £431,000, including two against private businesses. The ICO has also demonstrated that it is not a ‘one trick pony’, showing that it will resort to criminal prosecutions (as in the case of the former T-Mobile employees) and other means of enforcement where these are warranted.

More tellingly, we are also starting to learn what makes the ICO tick. The subjects of the fines issued so far have included:

  • misdirected communications of sensitive personal information (on e-mail and by fax);
  • unencrypted laptop theft;
  • failure to exercise proper due diligence over data processors; and
  • unlawful publication of individuals’ sensitive personal information online.

The message for data controllers is clear – lead by example, don’t risk becoming the example!