Posted by: Mike Clarke
The third quarter has been quiet for the ICO, with only two formal actions taken. One of them also demonstrated the ICO's ability to prosecute individuals, not just companies. Given the small number of actions we can't draw many conclusions from them, but they serve as a good reminder to remain vigilant within our own organisations.
Enforcement This Quarter
Fines Issued to Companies
The UK Government launched a health initiative allowing people to get a £50 discount on the repair of their bicycles. To receive this, you had to go into a repair shop and complete a form as part of the checkout process so the company could claim back the money.
Halfords, a well-known brand in the UK for cycle repairs, took this opportunity to email 498,179 former customers who had purchased a bicycle from them in the last 3 years. They had no specific opt-in for marketing emails and many of the recipients had even opted-out from receiving marketing material. Halfords attempted to justify emailing this large group under the guise of “legitimate interest” and that it was a service notification on behalf of the UK Government not a marketing email.
The ICO determined that the use of legitimate interest was not valid in this circumstance. Despite Halfords being known for this type of repair work, simply being a customer or purchasing related products did not meet the criteria in their view. Also, as many of the recipients had clearly opted out as opposed to not opting-in, this meant they could not use their previous purchases from the company as a soft opt-in. The ICO explained that for Halfords to claim these emails were legitimate interest and fall under a soft opt-in, the customer information would need to be obtained during a similar sale for a similar service and that simply purchasing a bicycle was too broad.
Upon reviewing the content of the emails, the ICO pointed towards multiple references to getting the repair work done at your local Halfords and decided that this met the criteria for marketing. The justification being that the emails were deemed to be guiding them to Halfords as the provider of choice rather than just providing general information on the Government scheme. As the emails were then classified as direct marketing the ICO was able to treat the case as a breach of PECR and they opted to issue a fine of £30,000.
The investigator made this decision despite Halfords' claim that they acted in the public interest, and clarified that although Halfords may not have intended to breach the regulations, the company itself had been negligent. The ICO's decision was that Halfords failed to properly consider the structure and content of the email, which meant they classified it incorrectly and distributed it to the wrong people. The ICO advised that the incident did not reflect well on the internal processes and advice Halfords were following, and that as a well-known brand they should have known better than to act in this manner. Given that the Halfords group made £107m profit in their last financial year, they'll probably survive paying the fine.
Fines Issued to Individuals
Throughout this year we have seen many fines issued to companies, as well as a few issued to company directors; however, this fine was unusual in that it was issued to an individual employee. Christopher O'Brien was a Health Advisor who had access to patient health records due to his role. He used this access to look at sensitive data relating to 14 people he knew outside of the working environment.
Mr O'Brien was unable to demonstrate any valid business reason for accessing these records and did so without the knowledge of his employer, South Warwickshire NHS Foundation Trust. In doing so he was found guilty of an offence under section 170 of the Data Protection Act 2018. During his trial one of his victims said that knowledge of his actions made them uneasy about seeking medical help in future, further underscoring the impact that breaching someone's privacy can have.
Mr O'Brien pled guilty to the breach at Coventry Magistrates' Court, where he was ordered to pay £250 compensation to each person whose records he accessed, for a total of £3,000.
Although this has been a quiet quarter for ICO enforcement, it has still provided a stark reminder to companies that have access to personal data that the data they possess does not belong to them but to the individuals it relates to. Not only do you need to protect your customers' data from potential external breaches in security, but also from the staff you employ misusing that data. We've also seen a rare example of an employee being prosecuted instead of their employer, and while the scale of the fine is on a different level to those issued to companies, it's still a significant amount for a momentary lapse of judgement.
Access to personal data should always be heavily restricted and then closely monitored to reduce the opportunity for this type of incident to occur, especially where sensitive information such as health records is concerned. If there is any doubt over whether someone needs access to personal information, the simplest solution is to deny access until all doubt is removed. Additional controls should be in place for access to sensitive data, such as requiring a valid business reason on top of extra auditing.
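To make the recommendation above concrete, here is an added example (written for this post, not code from Halfords, the NHS Trust or the ICO) of a small access gate for sensitive records in Python. It denies by default, only allows access where the staff member is actually assigned to the record and declares a recognised business reason, writes an audit entry for every decision, and offers a simple review check that flags users who repeatedly attempt to open records they are not assigned to. The staff assignments, patient identifiers, reason codes and the review threshold are all constructed for illustration.

```python
"""
Illustrative deny-by-default access gate with justification and audit trail.
Added example for this post; all identifiers below are constructed.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample data: which staff member is assigned to which patient records.
ASSIGNMENTS = {
    "advisor01": {"P1001", "P1002"},
    "advisor02": {"P2001"},
}

# Constructed set of business reasons the organisation recognises.
ALLOWED_REASONS = {"treatment", "referral", "billing_query"}


@dataclass
class AccessDecision:
    allowed: bool
    reason_code: str  # machine-readable explanation of the decision


@dataclass
class AccessGate:
    assignments: dict
    audit_log: list = field(default_factory=list)

    def request(self, user: str, patient_id: str, business_reason: str) -> AccessDecision:
        """Evaluate a request and record the outcome, allowed or not."""
        decision = self._decide(user, patient_id, business_reason)
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "patient_id": patient_id,
            "business_reason": business_reason,
            "allowed": decision.allowed,
            "reason_code": decision.reason_code,
        })
        return decision

    def _decide(self, user: str, patient_id: str, business_reason: str) -> AccessDecision:
        # Deny by default: every check must pass before access is granted.
        if not business_reason:
            return AccessDecision(False, "no_business_reason")
        if business_reason not in ALLOWED_REASONS:
            return AccessDecision(False, "unrecognised_reason")
        if patient_id not in self.assignments.get(user, set()):
            return AccessDecision(False, "not_assigned")
        return AccessDecision(True, "assigned_and_justified")


def flag_for_review(audit_log: list, threshold: int = 2) -> set:
    """Users with at least `threshold` denied attempts on records they are not
    assigned to; this is the kind of signal the audit trail exists to surface."""
    denials = Counter(
        entry["user"] for entry in audit_log
        if not entry["allowed"] and entry["reason_code"] == "not_assigned"
    )
    return {user for user, count in denials.items() if count >= threshold}


if __name__ == "__main__":
    gate = AccessGate(ASSIGNMENTS)
    print(gate.request("advisor01", "P1001", "treatment"))   # allowed
    print(gate.request("advisor02", "P1001", "treatment"))   # denied: not assigned
    print(gate.request("advisor02", "P1002", "treatment"))   # denied: not assigned
    print(gate.request("advisor01", "P1002", ""))            # denied: no reason
    print("users to review:", flag_for_review(gate.audit_log))
```

The point of the design is that the justification is checked against something the organisation already knows (the assignment list) rather than merely recorded, and that denials are logged as carefully as successes, since a pattern of denied attempts is often the earliest sign that someone is looking at records they have no business with.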
The quickest way to lose the confidence of your consumer base is to fail to protect their privacy and that could be far more costly to a business than a letter from the ICO.