
Summary of Enforcement Notices, Monetary Penalty Notices and Undertakings in January/February 2015

Enforcement Notices

Optical Express (Westfield) Limited (6 January 2015)

Breach: Unsolicited marketing text messages in contravention of regulation 22(2) of the Privacy and Electronic Communications (EC Directive) Regulations 2003.

Background: Over 4,600 people made a report to the mobile phone networks' spam text reporting service in just seven months (between September 2013 and April 2014) in relation to unsolicited messages they had received from Optical Express (Westfield) Limited.

The Glasgow-based business, which has branches across the UK, had been sending out texts that included details of a competition to win free laser eye surgery. 

The ICO warned Optical Express that it should not send any further unsolicited communications for the purposes of direct marketing unless the recipients had previously provided their consent to such communications.

Click here for the full Enforcement Notice.

Monetary Penalty Notices

Staysure.co.uk Limited (24 February 2015)

Fine: £175,000

Breach: Serious contravention of the Seventh Data Principle, in particular the data controller failed to take appropriate technical and organisational measures against the unauthorised or unlawful processing, or accidental loss of personal data. The contravention was of a kind likely to cause substantial damage and distress (Section 55A(1) of the Data Protection Act 1998).  

Background: Staysure.co.uk Limited (Staysure), an online holiday insurance company, was subject to an attack by hackers exploiting a vulnerability in the JBoss Application Server on which its website server was based. Details of the vulnerability had been published, but Staysure did not have a formal process for reviewing and applying software updates.

More than 5,000 customers had their credit cards used by the hackers after the attack on the company. Over 110,000 live card details were stored on the system at the time of the attack and were at risk of being accessed, alongside details of customers’ medical records. Credit card CVV numbers, the security numbers on the signature strips of the cards, were also accessible, despite industry rules that they should not be stored at all.

The ICO believed that the contravention of the Seventh Data Protection Principle was particularly serious in this case and the penalty imposed reflected the severity of the breach. 

In considering the mitigating features, the ICO did note, however, that Staysure had been co-operative and had taken remedial action to remove all payment card data from its systems. It also notified customers of the security breach and provided a dedicated response team to help customers together with a free Experian Data Patrol subscription for a period of six months.

Click here for the full Monetary Penalty Notice. 


Undertakings

Office (19 January 2015)

A hacker managed to gain access to the contact details and website passwords of over one million customers of the shoe retailer Office. The hacker bypassed various technical measures the company had put in place and gained access to the details via an unencrypted database that was due to be decommissioned.  

The ICO required Office to sign an undertaking to ensure that it processes its personal data in accordance with the fifth and seventh data protection principles and in particular that: 

  • it shall ensure that all of its websites and servers are subject to regular penetration testing;
  • it shall implement its new data protection policy documents within three months of the date of the Undertaking. These should link to or include a retention and disposal policy for customer data, the requirements of which should be monitored on an ongoing basis;
  • it shall provide formal data protection training to all Office employees and should introduce regular refresher training to reinforce this provision; and
  • it shall implement such other security measures as are appropriate to ensure that personal data is protected against unauthorised and unlawful processing, accidental loss, destruction, and/or damage, and to ensure that any such information is only retained for as long as necessary in relation to the purposes of the processing. 

Click here for details of the Undertaking.

Google (30 January 2015)

Google has signed an undertaking committing to make further changes to its privacy policy in order to ensure compliance with the Data Protection Act. The undertakings are the result of an investigation following the launch of Google's new privacy policy in March 2012. The new privacy policy, which applied to all Google's products and services, made it clear that data could be combined across all those products and services. It also applied to Google account users whether they were signed in or not.

The undertaking includes a commitment to enhance the accessibility and clarity of the privacy policy and to provide clear information regarding data protection to enable individuals to exercise their rights. Google also agrees to continue to proactively cooperate with the Commissioner. This approach differs from that taken by data protection regulators in other member states where Google has been found to be in breach of national data protection laws. In Spain and France, for instance, enforcement action has been taken by the imposition of fines and in the Netherlands such action has been threatened.

Click here for details of the Undertaking.
