
ICO penalties for breaches likely to cause distress and unsolicited marketing

Anglesey County Council

Breach: Breach of the Seventh Data Protection Principle likely to cause distress to data subjects.

Background: Anglesey County Council (ACC) has something of a history with the ICO. Following two separate security incidents in January 2011 and December 2012, the ICO issued ACC with Undertakings requiring it to take remedial action.

The ICO then carried out an audit in July 2013 and a follow-up audit in October 2014, neither of which revealed satisfactory results. The ICO considered that neither the Undertakings nor the recommendations following the 2013 audit had been properly implemented. 

The ICO issued a preliminary enforcement notice to ACC on 5 August 2015. ACC responded arguing that it had now put in place relevant measures to comply with the notice but the ICO questioned ACC's long-term commitment to enforce the measures. 

The ICO held that ACC had contravened the Seventh Data Protection Principle by failing to take appropriate security measures to prevent unauthorised or unlawful processing of personal data or accidental loss of or damage to personal data. The Commissioner also took into account the fact that the data subjects whose personal information was processed by ACC were entitled to respect for private and family life, home and correspondence under Article 8 of the European Convention on Human Rights.  

The ICO issued an enforcement notice requiring ACC to take steps to ensure that, among other things:

  • mandatory data protection training is introduced for all staff, with annual refresher training, and completion of such training is monitored and documented; 
  • all relevant data protection policies are read, understood and complied with by all staff;  
  • information is backed up daily and back-ups are periodically tested; 
  • physical access rights are appropriately controlled and reviewed; and
  • a clear desk policy should be enforced and compliance regularly monitored. 

Home Energy & Lifestyle Management Ltd

Breach: Unsolicited automated marketing calls for direct marketing purposes in contravention of regulation 19(1) and (2) of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PEC Regulations).

Background: Home Energy & Lifestyle Management Ltd (HELM) made a large number of automated marketing calls between 2 October and 12 December 2014 as part of a marketing campaign offering free solar panels. The automated call offered an option to press five to speak to an adviser if the individual was interested, or to press nine to be removed from the call list, but these options did not always work effectively. The calls also failed to identify the sender of the calls.

The ICO received a total of 242 complaints about the calls, with many subscribers claiming that they were registered with the Telephone Preference Service (TPS), against which organisations should screen when making any kind of marketing telephone calls. 

It was subsequently admitted by HELM that in fact over 6 million calls were made during the relevant period. HELM was unable to show that it had consent to make any of the calls. Some of the calls were also repeated to the same subscribers despite the fact that they had pressed nine to unsubscribe. As such, the Commissioner considered that the breach of Regulation 19(1) and (2) of PECR was serious and likely to cause substantial distress to the subscribers who received the automated calls. 

The Commissioner also held that the contravention was deliberate. HELM had contended that it did not realise that different rules applied to automated calls from those that apply to live marketing calls, but the Commissioner's view was that even if HELM did not intend to contravene PECR, the infringement was deliberate in that it did deliberately send automated marketing calls on a very large scale. Furthermore, the Commissioner had issued guidance setting out the relevant rules with which organisations must comply if they wish to carry out direct marketing.

The ICO issued a monetary penalty of £200,000. 

Pharmacy2U Ltd

Breach: Breach of the first Data Protection Principle likely to cause distress to data subjects.

Background: Pharmacy2U Ltd is an NHS approved online pharmacy, regulated by both the General Pharmaceutical Council and the Care Quality Commission. When registering to purchase prescriptions, customers were presented with a pre-ticked box which allowed individuals to opt out of receiving marketing communications from Pharmacy2U.

The terms and conditions linked to the company's privacy policy, which stated that it "would make details available to companies whose products or services we think may interest our customers. If you do not wish to receive such offers please login to your account and change the setting to indicate "No" for "Selected company data sharing"."

Pharmacy2U Ltd was found to have undertaken a serious contravention of the first data protection principle, by failing to ensure that:

"Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless:

  • at least one of the conditions in Schedule 2 is met; and
  • in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met."

The ICO, when issuing the monetary penalty notice found that Pharmacy2U had obtained personal data unfairly because it did not inform its customers that it intended to sell their personal data to third party organisations, in addition to sending out its own marketing material. 

The ICO considered that a customer would not have a reasonable expectation that this form of disclosure would occur, even if they were willing to agree to the receipt of marketing material from Pharmacy2U itself.

The ICO also felt that Pharmacy2U had not provided sufficient information to enable the processing in respect of its customers to be fair. This approach follows the Information Commissioner's decision, as confirmed by the Tribunal, in the Optical Express case, and therefore Pharmacy2U's customers were unable to have given their informed consent to the sale of their personal data to third party organisations.

This case highlights the increasing attention that the Information Commissioner, together with the courts, is paying to the (mis)use of personal data by data controllers for purposes of which the data subjects were not informed.

This decision also indicates a development of a dual track approach to breaches of the Privacy and Electronic Communications Regulations, relating to unsolicited electronic marketing communications. 

Whilst previously, the Information Commissioner has issued monetary penalty notices against the business or organisation responsible for sending the offending unsolicited email, automated telephone call or SMS, it appears that it is now also targeting the suppliers of such information.

The ICO considered the nature of the information involved, the potential impact of the breaches, as well as the other mitigating factors, and issued a monetary penalty notice of £130,000.

Help Direct UK Ltd

Breach: Unsolicited marketing text messages for direct marketing purposes in contravention of regulation 22 of the PEC Regulations.

Background: Help Direct UK Ltd (HDUK) is a business which generates leads by way of text marketing. HDUK had previously been served with an Enforcement Notice in February 2015 as a result of 659 complaints made to the GSMA's Spam Reporting Service between December 2013 and April 2014. The GSMA is a worldwide organisation representing the interests of mobile operators.

In the period between 7 April 2015 and 30 April 2015 the GSMA service received a further 6,758 complaints about marketing text messages sent by HDUK. 

The ICO was of the view that HDUK deliberately contravened regulation 22 of the PEC Regulations. Having previously been served with an Enforcement Notice, HDUK should have been aware of the requirements of regulation 22 and the ICO found that HDUK had used unregistered SIM cards to carry out the direct marketing in an attempt to avoid detection by spam detectors. 

Finding that there were no mitigating features of the case, the ICO issued a monetary penalty of £200,000. 

Crown Prosecution Service

Breach: Breach of the Seventh Data Protection Principle likely to cause distress to data subjects.

Background: The Crown Prosecution Service (CPS) had, in 2002, engaged a sole proprietor to edit videos of police interviews. The arrangement began as a six-month trial but then continued on the basis of an informal arrangement beyond this.

The way the arrangement worked was that the CPS would deliver DVDs containing the videos to the sole proprietor by way of a courier. If the matter was particularly urgent, the sole proprietor would collect the DVDs from the CPS directly and take them back to his premises using public transport. The DVDs were not encrypted. 

The sole proprietor moved premises in 2006 to a multi-occupied residential block which was used as a studio. The studio had no alarm and the CCTV cameras installed did not work. 

In September 2014, the studio was burgled and three laptops were stolen, two of which the sole proprietor had used for editing the videos and had then left out on a desk. The laptops held videos of interviews with 43 victims and witnesses involved in 31 cases. Many of the cases were ongoing and were of a violent or sexual nature. Some interviews related to historical allegations against a high-profile individual. The names and addresses of the witnesses and victims had been edited out, but they could be heard openly talking about the case and naming the offenders. The laptops were the sole proprietor's own property and were password protected but not encrypted. They were recovered by the police eight days after the theft and had not been accessed by any unauthorised third party.

The ICO found that the CPS had failed to take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and accidental loss of or damage to personal data, in particular the following points arose:

  • The DVDs with the videos on were unencrypted and were delivered to the sole proprietor using a national courier firm (not a secure courier), or collected and transported via public transport; 
  • The CPS did not inspect the sole proprietor's premises to check they were suitable for editing the videos;
  • The CPS had no guarantee that the sole proprietor would store the unencrypted DVDs in a locked cabinet and return or securely destroy the DVDs at the end of a case; 
  • The CPS failed to monitor security measures taken by the sole proprietor; 
  • The CPS did not have a DPA compliant contract with the sole proprietor in relation to the processing of the personal data in the videos. 

Because of the highly confidential and sensitive personal data contained within the videos, the ICO found that the contravention by the CPS was serious and of a kind likely to cause distress to the victims and witnesses in the interviews, particularly given that many were already vulnerable. 

The ICO issued a monetary penalty of £200,000. 

Oxygen Ltd

Breach: Unsolicited automated marketing calls for direct marketing purposes in contravention of regulation 19(1) and (2) of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PEC Regulations).

Background: Oxygen Ltd is a lead generation organisation. Between 25 March 2015 and 28 April 2015, the ICO received 214 complaints about the receipt of automated marketing calls which did not identify the sender of the call. The ICO investigated and found that the subscriber of the telephone numbers used to make the calls was Oxygen Ltd.

Following correspondence from the ICO, Oxygen Ltd claimed that the calls had been made on behalf of the company by a third party which had said it would screen against the Telephone Preference Service, and that it had purchased the list of telephone numbers from a separate third party who had informed Oxygen Ltd that the data was "opted in". The ICO responded stating that with regard to automated marketing calls, consent must be obtained and that this was Oxygen Ltd's responsibility as instigator of the calls. It was not sufficient to rely on an undocumented assurance of consent from a third party. 

The company that had made the calls on behalf of Oxygen Ltd then confirmed to the ICO that 2,038,067 calls had been made in March and April 2015. 

The ICO found that this was a deliberate contravention (in the sense that Oxygen Ltd had deliberately instigated the calls) and issued a monetary penalty of £120,000. 
