ICO has launched a new consultation inviting comments on the circumstances in which it proposes to issue monetary penalty notices for serious breaches of the Privacy and Electronic Communications (EC Directive) Regulations 2003. What will businesses, particularly telemarketers, make of the examples of non-compliant behaviour the guidance singles out? Anna Williams reports on the draft guidance.
Who: UK Information Commissioner's Office ("ICO")
When: July 2011
Law stated as at: 28 July 2011
In 2010, ICO published statutory guidance on the monetary penalties that could be enforced under section 55C(1) of the Data Protection Act 1998 (the "DPA"). ICO has now launched a consultation on proposed changes to this guidance. Additional powers have since been conferred on ICO which enable it to issue monetary penalty notices for serious breaches of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (the "Regulations") as well as for serious breaches of the DPA. This is why ICO believes it is now appropriate to revise its guidance to take these additional powers into account.
What is interesting about the proposed guidance note is that it provides a number of practical examples of circumstances in which ICO may be likely to use its powers to enforce monetary penalties for breaches of the DPA and/or the Regulations, so data controllers can more clearly see where enforcement action is likely. Telemarketers in particular will want to take note of the consultation and the proposed guidance, as it appears ICO will have a keen eye on telemarketing going forward: it is used as the illustration for many of the examples provided.
In this article, we highlight just a few of the enforcement action examples illustrated in the guidance note. The full draft of ICO's proposed guidance can be accessed here.
Examples provided of when ICO may impose a monetary penalty
The proposed guidance note summarises the application of the DPA and the Regulations and the categories of person on whom monetary penalties may be imposed. It also summarises the process ICO shall go through when considering appropriate penalties and the appeal options open to those who receive a penalty notice. The point we shall focus on in this article is the circumstances in which ICO will consider it has grounds to serve a penalty notice, and the examples it has provided to businesses to indicate when it shall step in and exercise its powers.
As a starting point, the Guidance summarises how ICO has the power to impose a monetary penalty where it is satisfied there has been a serious contravention of the DPA or the Regulations. ICO therefore has to be satisfied that: (1) there has been a serious contravention of section 4(4) of the DPA by a data controller or of the requirements of the Regulations by a person; (2) the contravention was of a kind likely to cause substantial damage or substantial distress; and either: (a) the contravention was deliberate; or (b) the data controller or person knew or ought to have known that there was a risk that the contravention would occur, and that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but failed to take reasonable steps to prevent the contravention.
The proposed guidance seeks to provide practical examples to explain when ICO considers these constituent parts of the test above have been satisfied and the examples provided are as follows:
(A) Examples of what will constitute a "serious contravention" of the DPA
The Information Commissioner will take an objective approach when considering whether there has been a serious contravention of the DPA or the Regulations and will aim to reflect the reasonable expectations of individuals and society and ensure that any harm is genuine and capable of explanation. Examples of what ICO would consider serious contraventions of the DPA are:
- the failure by a data controller to take adequate security measures (use of encrypted files and devices, operational procedures, guidance etc.) resulting in the loss of a compact disc holding personal data; and
- the loss of medical records containing sensitive personal data following a security breach by a data controller during an office move.
(B) Examples of what will constitute a "serious contravention" of the Regulations
The examples provided in the proposed guidance are:
- making a large number of automated marketing calls to individuals who have not consented to receive the calls causing distress and anxiety to recipients;
- systematic failings in the processes to record and respect marketing objections which leads to an organisation persistently sending marketing faxes to recipients who have clearly objected; and
- covertly tracking an individual’s whereabouts using mobile phone location data.
(C) Examples of reasonable steps ICO expects someone to take
The guidance indicates that ICO is more likely to consider that a person has taken reasonable steps to prevent a contravention of the DPA or Regulations if any of the following apply:
- the person had carried out a risk assessment or there is other evidence (such as appropriate policies, procedures, practices or processes in place or advice and guidance given to staff) that the person had recognised the risks of handling personal data and taken steps to address them;
- the person had good governance and/or audit arrangements in place to establish clear lines of responsibility for preventing contraventions of this type;
- in relation to a security breach the data controller rectifies a flaw in his computer systems as soon as he practicably could have done;
- temporarily suspending marketing operations to allow time to fix a problem when it becomes clear processes have failed (for example, because a number of calls have been made to TPS registered numbers due to a system fault);
- the person had appropriate policies, procedures, practices or processes in place and they were relevant to the contravention, for example, a policy to encrypt all laptops and removable media in relation to the loss of a laptop by an employee of the data controller or clear processes to screen against the Telephone Preference Service and their own suppression lists before making marketing calls; or
- guidance or codes of practice published by the Commissioner or others and relevant to the contravention were implemented by the person (for example, the person can demonstrate compliance with the BS ISO/IEC 27001 standard on information security management or that he followed the Commissioner’s guidance on the Regulations).
This list of examples is not exhaustive and ICO has indicated it will consider whether a person has taken "reasonable steps" in relation to a breach on a case-by-case basis taking into account matters such as the resources available to the person concerned (although this alone will not be a determining factor).
(D) Examples of what the term "substantial" means in respect of damages or distress
The guidance indicates that ICO considers the likelihood of damage or distress suffered by individuals will have to be "considerable" in importance, value, degree, amount or extent. ICO will assess both the likelihood and the extent of the damage or distress objectively. In assessing the likelihood of damage or distress, ICO will consider whether the damage or distress in question is merely perceived or of real substance. Where the damage or distress is less than considerable in each individual case but is suffered by a large number of individuals, however, the totality of the damage or distress can nevertheless be considered "substantial" by ICO when assessing monetary penalties.
Examples provided in the guidance are:
- in the case of a serious contravention of the DPA, inaccurate personal data held by an ex-employer being disclosed by way of an employment reference resulting in the loss of a job opportunity for an individual would be considered "substantial"; and
- in the case of a serious contravention of the Regulations, distress and anxiety caused to a large number of individuals who receive repeated automated marketing calls, particularly where the identity of the caller is concealed so stopping the calls or complaining is difficult, would be deemed "substantial" for these purposes.
(E) Examples of what is considered "damage" in this context
In the proposed guidance note ICO describes "damage" as being any financially quantifiable loss such as loss of profit or earnings, and provides the following particular examples:
- in the case of a serious contravention of the DPA, damage would be caused following a security breach by a data controller if financial data is lost and an individual becomes the victim of identity fraud; and
- in the case of a serious contravention of the Regulations, damage would be caused if the telephone lines of a large number of organisations (including sole traders, doctor’s surgeries and the emergency services) are inundated with automated marketing calls. Alternative arrangements would have to be made so that urgent calls can be received and this would result in substantial costs being incurred.
(F) Examples of what is considered "distress" in this context
The ICO guidance refers to distress as being any injury to feelings, harm or anxiety suffered by an individual. It also provides the following examples:
- following a security breach by a data controller, medical details are stolen and an individual suffers worry and anxiety that his sensitive personal data will be made public even if his concerns do not materialise; and
- over a period of several weeks repeated automated marketing calls are made to a subscriber who has not agreed to receive them causing anxiety and annoyance to the individual.
(G) Examples of what is considered a "deliberate" contravention of the DPA or Regulations
The proposed guidance indicates that in the case of a serious contravention of the DPA, there will be "deliberate" contravention in the case of a marketing company that collects personal data stating it is for the purpose of a competition and then, without consent, knowingly discloses the data to populate a tracing database for commercial purposes without informing the individuals concerned. Where the Regulations are concerned, a contravention will be "deliberate":
- in the case of a debt collection company which continues to send marketing faxes to subscribers who are registered on the Fax Preference Service despite their repeated objections; or
- in the case of a company which sends marketing text messages to subscribers who have not consented to receiving them in order to encourage them to send opt-out requests to a premium rate short code.
(H) Examples of what is meant by the term "knew or ought to have known" in this context
ICO has indicated that the reference to someone having "knew or ought to have known" there was a risk that a contravention of the DPA or Regulations would occur means that the data controller or person is aware, or should be aware, of a risk that a contravention will occur. This is an objective test and ICO will expect the standard of care of a reasonably prudent person. In particular, the following examples are given:
- in the case of a serious contravention of the DPA, a data controller "knew or ought to have known" if it is warned by its IT department that employees are using sensitive personal data but fails to carry out a risk assessment or implement a policy of encrypting all laptops and removable media as appropriate; and
- in the case of a serious contravention of the Regulations, if a company that makes numerous marketing telephone calls is aware that the system it uses for blocking calls to TPS registered numbers may develop a fault but continues to make calls without assessing the likelihood of the fault occurring and the implications if it does, the test of "knew or ought to have known" is satisfied.
Why this matters:
The aim of the consultation is not to review ICO's previous guidance in its entirety but to amend the guidance note to include references to the interpretation of ICO's powers under the Regulations. ICO's powers in relation to monetary penalties for breaches of the DPA were already consulted upon when the guidance note was first put into place.
So what we now have is a set of guidance notes which indicate to businesses when ICO may attempt to step in and flex its monetary muscles where it is satisfied of non-compliance with the Regulations or the DPA. Such a note will be useful to businesses to plan their compliance and ensure that if any of their business activities have been used as an example of non-compliance or a risk area, they continue that activity with their eyes open.
If anyone has serious concerns about any of the examples proposed by ICO or how its powers could be interpreted and applied going forward, they should respond to the consultation by 27 September 2011. ICO is particularly keen to receive responses on whether its proposed guidance clearly explains the circumstances in which the Information Commissioner is likely to use his new powers to issue a monetary penalty under the Regulations, and whether the examples provided are helpful. Once all feedback has been received, ICO shall publish the final version of its advice on the ICO website together with a summary of consultation responses. So watch this space.