It has been well publicised, not least by the Information Commissioner's Office (ICO), that one of the key areas of action for the ICO in 2015 has been to tackle nuisance calls and messages. Its parting shot on 29 December 2015 (showing that there's no let-up even in the Christmas break) was a warning that companies making nuisance calls should expect more fines in 2016.
Andy Curry, ICO Enforcement Group Manager, warned that the ICO has got 90 ongoing investigations, and "a million pounds worth of fines in the pipeline." The ICO has been able to step up its enforcement action this year following an amendment to section 55A(1) of the Data Protection Act 1998 (DPA) in April 2015.
The effect of the change is that the ICO no longer needs to prove that a company has caused ‘substantial damage or substantial distress’ by its conduct before action can be taken under the Privacy and Electronic Communications Regulations (PECR) relating to unsolicited marketing calls, texts and emails.
The warning from the ICO comes after an update on 14 December 2015, in which the ICO gives some more detail on the actions that it has been taking recently. These include:
- Joint week of action: along with the Ministry of Justice Claims Management Regulator, the ICO held a 'week of action' at the end of November to co-ordinate planned enforcement activity on nuisance calls and messages;
- Letters sent to 1,000 companies: at the end of November, the ICO wrote to more than 1,000 companies involved in buying and selling people's names and numbers. The companies were given 21 days to respond to a detailed questionnaire regarding compliance with the law. They were also asked to supply a sample copy of a contract, which they use to buy, sell or rent personal data.
- Joint Action Plan with Ofcom: at the beginning of December, the ICO and Ofcom released an update on their Joint Action Plan, which highlights the progress made in 2015 in tackling nuisance calls. In addition to ongoing targeted enforcement action, the ICO and Ofcom have continued their work to improve tracing nuisance calls and to pursue other technical measures to help reduce nuisance calls. To coincide with the release of the update, Ofcom has also published a consultation on amendments to its policy on taking action on persistent misuse of an electronic communications network or service (under sections 128-130 Communications Act 2003).
- Enforcement action: in November alone, the ICO served monetary penalties amounting to £370,000, with fines ranging from £80,000 to £120,000 for making unsolicited calls or sending unsolicited text messages. A number of enforcement notices were also issued and compliance meetings held.
The update also provides an analysis of the data collected from all the concerns that people have reported to the ICO. Live calls, automated calls and spam texts are examined by topic. This reveals that accident claims remained the top reported topic for both live calls and spam texts, whereas PPI has been the most reported topic for automated calls throughout 2015.
What steps should organisations take?
It is clear that the risk of enforcement action and substantial fines will increase if an organisation does not understand and comply with its obligations under PECR and the DPA.
If your organisation is involved in electronic and telephone marketing, there are a number of practical steps you may wish to consider to strengthen compliance:
- Suppression list (also known as a DNC (Do Not Call) List): if an individual has asked not to be contacted, his/her details should be listed on an accurate, up-to-date internal suppression list, rather than simply deleted.
- Use by third parties: you must ensure that you have obtained explicit opt-in consent to marketing if you intend to sell or otherwise allow third parties to carry out electronic marketing with your data.
- Contractual protection: it is important to ensure that you put in place a robust contract with any companies which buy, sell, rent or share personal data to ensure both parties understand how the data should be used, who will be liable and how complaints will be resolved.
- Retention: ensure that your organisation knows how long it should retain and use someone's personal details by maintaining a clear retention policy.
The ICO has published various guidance notes on electronic and telephone marketing, which can act as a useful starting point when reviewing your marketing practices and policies. Please note that the ICO has launched a review of its direct marketing guidance (which was last updated in 2013), so watch out for updated guidance in 2016 … along with further enforcement action.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at December 2015. Specific advice should be sought for specific cases. For more information see our terms & conditions on www.TLTsolicitors.com