Breach
Serious contravention of the Seventh Data Protection Principle, in particular the data controller failed to take appropriate technical and organisational measures against the unauthorised or unlawful processing, or accidental loss of personal data. The contravention was of a kind likely to cause substantial damage and distress (Section 55A (1) of the Data Protection Act 1998).
Background
The Money Shop has a policy whereby local servers, which hold full employee records (store location, employee number and password) and customer records (name, address, date of birth, bank account and payment card details), should be locked in a separate room when a shop is closed.
Despite this, in April 2014, a Money Shop store in Lurgan was burgled and a server, which had been left in the manager's office overnight (as opposed to a locked room), was stolen. The data on the server could be accessed by a 'motivated expert user' and has not been recovered to date. The ICO found that even though the Money Shop's policy stated that servers should be stored in a locked room, a number of stores did not in fact have a locked room. The Money Shop should not have had a policy that was unachievable and not being followed.
In May 2014, the Money Shop lost a second server while it was being transported between stores by a third-party courier. The server was unencrypted and the data could be accessed by a user with forensic knowledge.
In addition, the Money Shop regularly transported unencrypted customer records between stores to repair and upgrade the software. Further, it never deleted any customer details from its servers when the information was no longer needed.
The ICO held that the data controller failed to take appropriate organisational measures against the unauthorised processing and accidental loss of personal data, for example by not encrypting data held on servers and by not keeping servers locked in a secure room. As the servers held a significant amount of customer data, the ICO held that if this data were disclosed to an unauthorised third party, it was likely to cause substantial distress to the individuals affected.
The Money Shop was issued with a fine of £180,000.
Breach
Unsolicited marketing calls for direct marketing purposes in contravention of regulation 21 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR Regulations).
Background
The company's business involves calling individuals to market a call blocking device and a service to arrange for the removal of their details from the data provider's database. However, if the company makes calls to individuals whose telephone numbers are registered with the Telephone Preference Service Ltd (TPS), those individuals must have given their consent to receive such calls.
Between 1 February 2014 and 31 March 2015, 169 complaints about unsolicited calls were made to the ICO. The company was also in the top 20 list of companies about which the TPS received the most complaints in March 2014, and it remained on this list until February 2015. The TPS received 562 complaints during this period.
In November 2014, the ICO issued advice to the company on how to comply with the rules on unsolicited marketing, as outlined in the PECR Regulations. The company was monitored for 3 months, but still remained on the TPS top 20 list.
The ICO considered whether the contravention of the Regulations had caused or was likely to cause any person damage. The unsolicited marketing calls were often repeated, sometimes several times on the same day. Some of the callers were also rude and aggressive, and bank details were obtained from subscribers. The ICO therefore concluded that it was likely that actual damage had been caused.
The company was issued with a fine of £50,000.