The Information Commissioner’s Office (ICO) is the UK’s independent authority established to uphold information rights in the public interest. It promotes openness by public bodies and data privacy for individuals. A keen public educator on data protection regulations, it also has the power to impose fines for non-compliance.

When the General Data Protection Regulation (GDPR) comes into force on 25 May 2018, the maximum fine rises to £17 million or four percent of global annual turnover, whichever is greater. While the ICO is unlikely to use the full extent of this power routinely, an ICO investigation can do serious damage to an organisation’s reputation and even be the catalyst for its closure. Here are three organisations that learned the hard way that the ICO has teeth.

On 6 April 2018, the ICO fined Royal Mail Group Limited £12,000 for sending “nuisance emails” to 327,000 people who had already opted out of receiving direct marketing. The ICO was alerted to the emails through a complaint made to them by a member of the public.

ICO Head of Enforcement Steve Eckersley said: “These rules are there for a reason – to protect people from the irritation and, on occasions, distress nuisance emails cause. I hope this sends the message that we will take action against companies who flout them.”

It’s one thing to send nuisance emails. It’s entirely another when an organisation fails to protect sensitive personal data, as was the case with Humberside Police. The force was fined £130,000 for losing a highly sensitive recording of an interview about an alleged assault. Three unencrypted discs and accompanying paperwork went missing from an officer’s desk. They were supposed to be posted to Cleveland Police, but the package never arrived. It included the victim’s name, date of birth and signature, details of the alleged assault, notes on the victim’s mental health, and the suspect’s name and address.

The ICO investigation revealed three key failings in the force’s data protection practices. Humberside Police had failed to:

  • Encrypt the discs
  • Maintain a detailed audit trail of the package
  • Adhere to its own ‘Information Security Policy’, which applied directly to its Protecting Vulnerable People Unit

Commenting on the action, Eckersley said: “We see far too many cases where police forces fail to look after discs containing the highly sensitive personal information contained within victim or witness interviews… Staff training in this area is vital.”

For some companies, an ICO investigation can spell the end of the business, as was the case with Liverpool-based The Lead Experts. The ICO found the company responsible for 110,072 unsolicited, automated calls about reducing energy bills, even though it had outsourced the calling to another company.

The company was stung with a £70,000 fine. Soon after, Companies House published notice that The Lead Experts was to be struck off and dissolved. Eckersley said: “Companies cannot hide behind paying another firm to make the calls for them. They must take responsibility and, ultimately, accept the consequences if they break the law.”

Educating staff on data protection regulations is critical if organisations want to stay on the right side of the law. To help both public and private organisations, Me Learning has teamed up with data specialist lawyers Clayden Law to develop a portfolio of flexible, online GDPR training courses.
