2015 Data protection enforcement action in the UK – the story so far…

June 17, 2015

As we approach the halfway mark in 2015, I thought it would be helpful to summarise the main enforcement action issued by the Information Commissioner’s Office (ICO) this year. This article will detail some of the key trends and key cases of 2015. This is how the 18 new enforcement actions break down as of 15 June 2015:

  • 4 Public Prosecutions
  • 4 Monetary Penalty Notices (MPNs)
  • 4 Enforcement Notices
  • 19 Undertakings, of which 13 were follow-ups and 6 were newly signed

Undertakings

Office Holdings Limited signed an undertaking in January 2015 after they suffered a hack which exposed customer contact and payment details on an outdated server. The ICO followed up on the undertaking within 3 months and were satisfied that the company had completed the mandated regular penetration testing and implemented the required new policies for data retention. Elsewhere, Google signed a large undertaking to bring their new privacy policy for all services in line with European standards.

The rest of the undertakings signed so far in 2015 demonstrate polishing of 2014 themes. Providing and monitoring comprehensive staff training and awareness is crucial. Data protection and information governance policies should also be regularly reviewed and updated.

Prosecutions

The lower figure for Prosecutions in 2015 compared to 2014 reflects a return to business as usual. The fines remain largely insignificant, although Tivium Limited was fined the maximum £5,000 in January for failing to respond to an information notice. As of 12 March, the Magistrates’ Courts now have the power to impose an unlimited fine on individuals in serious contravention of s.55 of the Data Protection Act 1998. Given these new powers, those in serious contravention of s.55 are unlikely to get off as lightly.

Enforcement Notices

Action was taken against two direct marketers who contravened ss. 22 & 23 of the Privacy and Electronic Communications Regulations (2003) (PECR). As usual, the offenders had 35 days to stop marketing communications to customers who had not consented and to cease marketing to unidentified recipients. The ICO found North Tees and Hartlepool NHS Foundation Trust to have sufficiently poor security measures that an Undertaking would not suffice; the Trust was given three months to review data protection policies and to create a breach management policy, amongst other actions. The final Enforcement Notice was issued to a government department in Northern Ireland, requiring a response to outstanding Freedom of Information requests.

MPNs

The ICO’s MPN focus has been on the private sector since January. Only one of the four MPNs was issued to a public sector body; the South Wales Police department received a £160,000 fine for the loss of DVDs containing highly sensitive personal information. The ICO’s movement away from attention-grabbing penalties toward the more subtle Undertakings tool continues, a trend mentioned in our 2014 Enforcement Tracker.

Three organisations were investigated for breaching the 7th data protection principle[1] resulting in £515,000 worth of penalties. Staysure.co.uk was fined £175,000 for falling victim to an injection attack that revealed customers’ payment records to the hackers. A lack of vulnerability awareness has also started appearing as an ‘aggravating factor’ for the penalties. The ICO expect organisations to have a greater level of knowledge of threats and cyber vulnerability than ever before.

Perhaps the most interesting MPN of this year was issued in March to Direct Assist Limited, a personal injury claims company. Direct Assist was the subject of over 800 complaints for unsolicited telephone marketing, many of which claimed substantial distress had been caused as a result. An £80,000 fine followed for breach of s.21 PECR. Steve Eckersley of the ICO highlighted the “blatant disregard”[2] for the law shown by the company as a key aggravating factor. The fine was enough to place the company in liquidation, meaning the ICO is lining up as an unsecured creditor.

How does this lead on from 2014?

At this point last year there were 29 new enforcement actions, but fewer undertaking follow-ups. So far, 2015 has been ‘more of the same’ for enforcement actions, with some refinement of 2014 themes. Security is still a top priority and fines are continuing to be less operative in procuring change from organisations. Requirements within Undertakings highlight the ICO’s desire for organisations to deeply embed responsibilities under the Data Protection Act into their daily operations and business, rather than simply implement quick fixes.


[1] Organisations should implement appropriate organisational and technical measures to ensure security (http://www.legislation.gov.uk/ukpga/1998/29/schedule/1)

[2] https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2015/04/personal-injury-claims-company-fined-80-000-by-the-ico-for-unsolicited-nuisance-calls/

 

James Witton  | Trainee Solicitor | PwC Legal - UK
+44 (0) 20 7804 2509
