Insights
Keep up to date with our latest insight pieces, news and industry developments. See below for the latest posts or use the categories to hone your search for stories of interest.
Rather listen? The WABChats Podcast provides engaging and informative conversations with contacts, clients, advisors and friends of White & Black Limited. Listen Now.
Data Protection in 2016: Who was naughty and who was nice?
The Information Commissioner knows if you’ve been bad or good, so be good for goodness’ sake.
With 2016 coming to an end, we review who has complied with their data protection obligations and who has found their way onto the Information Commissioner’s naughty list.
The season of giving
Despite it being the season of goodwill, the Information Commissioner’s Office (ICO) has this month fined two charities, the RSPCA and the British Heart Foundation, for secretly screening donors through use of a third party company’s screening scheme over a number of years. Both charities were using the same scheme and received fines of £18,000 and £25,000 respectively.
Whilst the Commissioner did consider the charities’ statuses as a mitigating factor, it wasn’t enough to avoid a fine.
And they weren’t the only charities to be the subject of enforcement action this year. At least four other charities have had enforcement action brought against them, with the British Red Cross signing an undertaking regarding fundraising calls and Age International signing an undertaking to comply with the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) and implement an opt-in consent model for telephone marketing.
Record Breakers
2016 saw the ICO issue its two largest fines in its history:
- The biggest fine this year, and the highest fine ever issued by the ICO, went to TalkTalk Telecom Group PLC (TalkTalk). The telecoms provider was ordered to pay a £400,000 fine for failing to have adequate security in place which allowed personal data of customers to be accessed “with ease”. Unhappily for TalkTalk, it has been reported that it recently suffered another cyber-attack, this time involving the theft of passwords to customer’s wi-fi routers. Industry experts have advised customers to reset their passwords.
- Back in February, Prodial Ltd received this year’s second highest fine when it was ordered to pay £350,000 by the ICO. Prodial made over 46million pre-recorded unsolicited calls to individuals breaching the PECR. The calls resulted in over 1,000 complaints being made to the ICO, some of which were from very distressed members of the public.
The “naughtiest” sectors?
2016 saw the finance, insurance and credit sector being subject to the most enforcement action by the ICO, with a number of loan and credit facility companies in particular breaching the PECR by sending mass marketing communications.
Various organisations within the Health sector were also the subject of ICO enforcement action, with several NHS trusts failing to comply with data protection laws. Whilst most of the organisations who were sanctioned did not receive monetary penalties, there were two significant breaches in 2016 attracting large fines:
- Chelsea and Westminster Hospital NHS Foundation Trust was fined £180,000 for failings by a sexual health clinic which revealed email addresses of users of an HIV service; and
- Blackpool Teaching Hospitals NHS Foundation Trust was fined £185,000 for publishing employee personal data including sensitive data.
The “nicest” sectors?
The “media” and “retail and manufacture” sectors largely avoided ICO enforcement action this year, with only one organisation in each sector being subject to enforcement notices for failing to comply with a subject access request.
WAB Comment
Over the past 12 months a number of organisations across nearly every sector have been subject to enforcement action by the ICO for failing to protect personal data.
The ICO has issued its two largest fines to date this year, which may indicate Commissioner Denham’s willingness to make full use of her powers. With the General Data Protection Regulation (GDPR) coming to town in May 2018, regardless of Brexit, organisations processing personal data in the UK had better watch out, to avoid incurring fines of up to the greater of €20,000,000 or 4% of the undertaking’s total worldwide annual turnover.
You can read our previous posts on the incoming GDPR here.
This post was written by Amelia Day.
Disclaimer: This article is produced for and on behalf of White & Black Limited, which is a limited liability company registered in England and Wales with registered number 06436665. It is authorised and regulated by the Solicitors Regulation Authority. The contents of this article should be viewed as opinion and general guidance, and should not be treated as legal advice.