ICO fines Emma's Diary £140,000 for selling personal data to Labour party

ICO fines Emma's Diary £140,000 for selling personal data to Labour party

News / ICO fines Emma’s Diary £140,000 for selling personal data to Labour party

ICO fines Emma’s Diary £140,000 for selling personal data to Labour party

Emma's Diary, a firm providing pregnancy and childcare advice, was recently fined £140,000 by the Information Commissioner's Office (ICO) for collecting and selling personal data of more than one million people, including new mums, to The Labour Party prior to the 2017 General Election.

The collection of personal data of new mums by Emma's Diary was considered by the ICO to be in violation of the pre-GDPR Data Protection Act as the firm did not disclose in its privacy policy that personal information collected by it would be used for political marketing or by political parties.

According to the ICO, personal data obtained by The Labour Party from Emma's Diary allowed the party to "send targeted direct mail to mums living in areas with marginal seats about its intention to protect Sure Start Children’s centres".

Emma's Diary sold data of 1m mums to Labour Party

Emma's Diary, also known as Lifecycle Marketing (Mother and Baby) Limited, describes itself as "the most widely circulated mother-and-baby publication, with a circulation of 870,000 copies distributed a year", and also states in its website that it maintains a database which is used by marketers to pitch their products to new mums.

The firm supplied 1,065,220 personal data records to Experian Marketing Services in May last year as part of an agreement where The Labour Party was listed as the latter's client. Personal data sold by Emma's Diary to Experian included names of parents, home addresses, children's dates of birth, and presence of children up to five years old. Such data was provided to the firm by young mums at the time of online and offline registrations.

According to the ICO, The Labour Party used data provided by Emma's Baby to target new mums in the constituencies for 106 parliamentary seats with political marketing communications. After Emma's Diary learned about an investigation being carried out by the ICO over the sale of personal data to a political party, the firm changed its privacy policy to include "and political parties" in January this year.

The firm has now informed the ICO that it will not sell any personal data to political parties in future and has amended its privacy policy accordingly.

"The relationship between data brokers, political parties and campaigns is complex. Even though this company was not directly involved in political campaigning, the democratic process must be transparent. All organisations involved in political campaigning must use personal information in ways that are transparent, lawful and understood by the UK public," said Elizabeth Denham, the Information Commissioner.

"The ICO is committed to monitoring data brokers, political parties, and online platforms and using new audit and enforcement powers so that the public can have confidence that parties and political campaign groups are complying with the law," she added.

Personal data more valuable than innovation

Around the same time last year, the ICO found the Royal Free NHS Foundation Trust guilty of sharing 1.6 million patient records with UK-based Google DeepMind to enable the latter to 'develop and deploy a new clinical detection, diagnosis and prevention application and the associated technology platform' for the former.

Even though the Trust said it shared nearly 1.6 million 'partial patient records containing sensitive identifiable personal information' only for clinical safety tests and for no other purpose, the ICO ruled that the trust failed to adequately inform patients that their data would be used by DeepMind for conducting clinical safety tests.

According to the ICO, the 'price of innovation didn’t need to be the erosion of legally ensured fundamental privacy rights' and that deployments of innovative technologies can be completed while adhering to the Data Protection Act. The office added that privacy impact assessments should be carried out compulsorily by NHS trusts before handing over sensitive data to third parties.

The following two tabs change content below.

Jay Jay

Jay has been a technology reporter for almost a decade. When not writing about cybersecurity, he writes about mobile technology for the likes of Indian Express, TechRadar India and Android Headlines

Comments

Most Popular

Get the latest cyber news in your inbox

Join our community of cyber professionals today!