Posted by: Mike Clarke
ICO Action Review: Q1 2023
This year we have seen a notable change in the ICO’s actions. As they discussed back in November, the ICO has reviewed its strategic approach to ensure that every action they take is in the public’s best interest. They drew specific reference to not issuing financial penalties to government bodies as this would be the equivalent of applying a penalty to the consumer.
Throughout Q1 we have seen a lower number of fines issued, with more focus on reprimands and enforcement notices, as they are designed to correct poor behaviour.
Enforcement in Q1 2023
- Martin Swan £630
- Asif Iqbal Khan £5,000
- It’s OK Limited £200,000
A clear distinction is the first two penalties are against individuals, not companies. Martin Swan was a 111 advisor and following a dispute with a caller they wrongfully accessed confidential records of the caller and their family. Asif Iqbal Khan was a call handler for the RAC and over time copied information of people who had been in road traffic accidents. He then contacted them independently of his duties under the RAC in reference to the accidents.
Both individuals acted outside of their duties and breached personal privacy of customers without knowledge or consent. While they were issued directly with fines, they also had to cover the legal costs which have not been publicly disclosed. In both scenarios the employer was not found to have been guilty, as both Martin and Asif required access to fulfil their role and they acted out of personal interest.
This is in stark contrast to a 2017 ruling involving a Morrisons employee who accessed the employment details of nearly 10,000 of his colleagues and then posted online. In this case, the judge initially found that even though Morrisons had done everything it could to secure the data of its employees, and the individual who stole the details required access to the data as part of his job, that the company was still liable for the breach. This was overturned on appeal in 2020 and it appears that the ICO is now following this decision as standard practice where individuals, not company policy, is the source of a breach.
It’s OK Limited is the only fine issued throughout the quarter to a company. They made over 1.7 million telephone calls to people without clear consent, they also failed to check the numbers against the Telephone Preference Service (TPS) list. This was a clear breach of PECR section 21.
They advised they had purchased compliant data years earlier and had recycled this data over time. As they were recycling the data, they would routinely contact the people on their list to confirm they still wished to be contacted. They claimed they did this every 6 months, which would negate the reason to check the TPS registry as they had opted in. However, during the investigation It’s OK Limited failed to provide call recordings of these conversations on the grounds that access to the call recordings was restricted to the compliance department which was closed due to the pandemic. They did however provide call scripts and advised that data obtained from third parties confirmed they wished to be contacted by them and their partners such as It’s OK Limited.
The ICO pushed for further confirmation of consent as they could not see a clear declaration of an opt-in from the customer. At this point they also reached out to Trading Standards for any information related to It’s OK Limited which they may hold. Trading standards provided the information which included several citizen’s advice log complaints against It’s OK Limited. At this stage, the ICO requested a full record of all calls made by It’s OK Limited to expand its investigation. Although they were issued with a list of approximately 2.5 million calls, this list also showed a series of numbers used for outbound calls not previously disclosed to the ICO at the outset of the investigation.
When the ICO concluded its investigation, it had become clear that It’s OK Limited had contacted a high volume of people without consent, these calls often misled customers and used pressure tactics to encourage them to buy products they did not require, and that vulnerable people may have been specifically targeted.
Reprimands & Enforcement Notices
- Metropolitan Police Service
- NHS Highland
- London Borough of Lewisham
These actions were taken against government bodies, as such no fines were issued but clear guidance was provided to prevent a repeat of the issues.
The Metropolitan Police Service had failed to maintain the system that ensured sensitive criminal records were uploaded to the Police National Database. This issue extended over a prolonged period and the ICO determined that the impact could not be measured. The reprimand focused on the failure to implement an automated system of checks to ensure the records were uploaded correctly.
NHS Highland attempted to email 37 people who they anticipated may need HIV services, however the individual did so by entering each email address in the carbon copy section which made it visible to all other recipients. This data breach was quickly identified when recipients called in and NHS Highland followed existing procedures to investigate the complaints. The ICO identified multiple infringements of the UK GDPR however it acknowledged that there were mitigating circumstances as the department involved does not typically send emails and was busier than normal putting pressure on the staff that led to the error. The investigators also noted that given the nature of the emails they did not have proper technology and organisational structure around sending them. In response to the reprimand NHS Highland has since altered its processes and the department no longer sends these types of emails.
The London Borough of Lewisham had failed to respond to freedom of information requests in a timely manner. At the time of the investigation they had 338 overdue requests with 221 of these over 12 months past due. The ICO issued an enforcement notice stating that they must respond to all freedom of information requests that are over 20 working days and devise and publish an action plan to mitigate future delays.
Whilst the eyes of the ICO seems to be focused on government bodies just now, they will still be looking at privately owned businesses and complaints made on behalf of the consumer. We can however use these examples as an opportunity to reflect on the personal impact of non-compliance.
Historically, companies tend to treat compliance from a business impact perspective, which has at times meant staff feel less engaged in the learning materials and more prone to complacency further down the road. By engaging staff and demonstrating the personal liability they share alongside the business liability it may help to bring more direct engagement with the learning material and help them to prioritise retaining the information.