In this article we provide a round up of some of the enforcement actions taken by the Information Commissioner’s Office (ICO) over the last 18 months in order to highlight the key areas of data protection compliance that organisations should focus on.
Readers should bear in mind that the majority of the enforcement actions referenced related to events occurring pre-GDPR which were therefore subject to the lower £500,000 fining cap under the Data Protection Act 1998. The fines against British Airways and Marriott Hotels (summarised below) are the first to be brought under the GDPR and offer a stark contrast, clearly demonstrating a willingness by the ICO to implement the higher fining cap under the GDPR.
Non-payment of data protection fee
The ICO recently released a data protection fee non-payment trends report covering the period from 1 July to 30 September 2019. During this three month period a huge 340 monetary penalties were issued for failure to pay the data protection fee. The ICO’s report provides a useful summary showing how fines were broken down across the different sectors. Whilst the highest number of fines were imposed in the healthcare, finance, insurance and credit sectors, all sectors were represented and the sheer number of penalties issued shows that enforcement for non-payment of the data protection fee is still very much on the ICO’s agenda.
Use of biometric data
The GDPR re-categorised biometric data as special category data and recent months have seen the ICO bringing its first enforcement action for (mis)use of such data. The action was brought against HMRC and concerned its failure to obtain proper consent for the use of voice identification technology. A more detailed report on the case can be found on our website here.
The ICO has since reviewed the use of live facial recognition (LFR) technology by the Metropolitan Police Service and the South Wales Police Service. Whilst the ICO concluded that fair processing obligations were broadly met in these cases, it did observe that the current lack of a statutory code of practice and national guidelines on the use of biometric data contributes to inconsistent practice and increases the risk of compliance failures.
With the conversation on biometric data looking set to continue well into 2020 and beyond, any organisation considering using biometric data would be well advised to take specific advice.
Failure to respond to Subject Access Requests (SARs)
Organisations are reporting a significant increase in the number of SARs received since the GDPR came into effect and this is backed up by ICO statistics. During the period 25 May 2018 to 1 May 2019, the ICO received over 41,000 data protection complaints from the public, 38% of which concerned subject access requests.
In June 2019, the ICO took action against the Metropolitan Police Service (MPS). The MPS had failed to respond to numerous SARs within the required time limit of one month (as at the date of the ICO’s enforcement action it had 1,169 overdue SARs). The ICO was unsympathetic to the MPS’s claims that it could not cope with the increase in the number of requests and gave it three months to overhaul its internal procedures to ensure that it met the statutory time frames for future requests.
Failure to implement appropriate security measures
Ensuring appropriate security measures when processing personal data has long been recognised as a key aspect of compliance. With an increasing focus on cyber security risks and social engineering, it is easy to overlook that the biggest risk within most organisations remains its people.
Life at Parliament View Limited (LPVL), a London based estate agency, was recently fined £80,000 by the ICO after an investigation uncovered a string of security failings. LPV was finally prompted to notify the ICO after being contacted by a hacker. The hacker alerted LPV to the fact that it had not implemented access restrictions when transferring data to a partner organisation. Anyone going online was therefore able to access all the data stored by LPV between March 2015 and February 2017 which included personal data such as bank statements, salary details, copies of passports, dates of birth and addresses of over 18,000 tenants and landlords.
Marketing breaches
A significant number of enforcement actions relate to marketing breaches, and a number of recent enforcement actions demonstrate the many pitfalls and risks that marketing can present.
Bounty (UK) Limited, a pregnancy support club which markets offers and services to parents, was fined £400,000 for transferring records containing the personal details of over 14m individuals to data broking organisations for direct marketing use without having obtained appropriate consent or identified an alternative legal basis. This provides a timely reminder that data cannot be shared for marketing purposes without appropriate consents in place, an issue that is equally relevant to companies that are both looking to buy and sell lists for direct marketing purposes.
The ICO fined mobile network provider EE £100,000 after it sent more than 2.5m text messages to customers. Whilst the network claimed that they were service messages, the ICO held that the inclusion of promotional material meant that the messages were marketing communications and therefore required consent under the Privacy and Electronic Communications. The case reiterates the fact that any communication which contains materials inducing a customer to make a purchase will be deemed a marketing communication.
Hall and Hanley Limited (H&H), a PPI claims company, was fined £120,000 after sending out 3,560,211 direct marketing text messages without having obtained the recipients’ consent. In this case, H&H had engaged the services of third party websites to obtain the contact details and consent to marketing but the ICO found that only two of the four websites used named H&H in their privacy policies and that the sites made the giving of consent to third party marketing a condition of subscription. Three key lessons to take form this case are: 1) ensure that your organisation is specifically named in marketing consents; 2) do not make access to goods or services conditional on giving consent to marketing as this will invalidate the consent; and 3) organisations need to conduct appropriate due diligence when acquiring marketing lists from third parties as they will be held liable if the relevant rules have not been complied with by the third party.
The ICO fined Vote Leave Limited (VLL) £40,000 after it sent 196,154 unsolicited text messages providing a link to its website in respect of the 2016 referendum. During the ICO’s investigation VLL could not point to any consents that it held in respect of the recipients agreeing to receive the messages. This case is a reminder that marketing isn’t just about selling goods and services; the promotion of political aims and fundraising messages are also considered to be marketing.
Prosecutions against individuals
Since 3 December 2018, the ICO has successfully brought criminal prosecutions against eight individuals who had, in each case, used data obtained in the course of their employment for personal reasons. The most recent case was brought against David Cullen, former managing director of a claims management company, who unlawfully obtained and sold personal data. David was sentenced to a fine totalling £1,050, ordered to pay costs of £250 and disqualified from being a director for five years.
Fines under the GDPR
2019 has seen the first two actions by the ICO under the GDPR.
On 8 July 2019 the ICO issued a notice of intent to fine British Airways (BA) £183.39m for breaches of the GDPR following a cyber attack in June 2018 which saw BA website traffic being diverted from the official website through to a fraudulent site. Approximately 500,000 customers’ details were harvested by the fraudsters. The ICO investigation found that BA had poor security arrangements and that it had failed to protect data from loss, damage or theft.
In the same week, the ICO also issued a notice of intent to fine Marriott International, Inc (Marriott) a sum of £99m after 339 million guest records were exposed as the result of a cyber incident – seven million of which related to UK residents. The vulnerability originated in 2014 when the systems of Starwood Hotels group were compromised but the issue was not identified until 2018. The Starwood Hotels group was acquired by Marriott in 2016. When issuing its notice of intent, the ICO observed that Marriott failed to undertake proper due diligence when purchasing the Starwood Hotels group and should have done more to secure its systems.
Both Marriott and BA have submitted representations to the ICO and we currently await the ICO’s final decision as to whether to issue penalty notices and, if so, the level of fines to be imposed.
Conclusions
The above cases demonstrate a pro-active stance to enforcement by the ICO across the board. The fines against BA and Marriot show that the ICO is ready and willing to use its enhanced fining powers under the GDPR.
In light of the above, organisations would be well advised to ensure that data protection compliance remains high on the agenda and that adequate resource is made available within the business to maintain a good standard of compliance.
This article is from the December 2019 issue of Upload, our newsletter for professional with an interest in technology. To download the latest issue, please visit the newsletter section of our website.
To keep up-to-date with the latest news, legal updates and seminar information, please register and select the areas that are of interest to you.
The content of this article is for general information only. It is not, and should not be taken as, legal advice. If you require any further information in relation to this article please contact the author in the first instance. Law covered as at December 2019.