Teiss Head of Training and Consulting, Jeremy Swinfen Green, outlines some of the more interesting data protection decisions taken by the ICO so far this year.
At first sight, the Data Protection Act (DPA) is pretty easy to understand. If someone is a customer you can email them, and if they are not you need to get their permission, right?
Well, not altogether. A review of decisions made this year by the Information Commissioner’s Office (ICO) illustrates how easy it is to fall foul of the rules if you aren’t careful.
Getting data protection compliance wrong
1. Ranking your customer data base
A number of charities, including Cancer Research UK, have been fined by the ICO for profiling donors based on their wealth. Donors were unaware of this practice.
Under the DPA, people must be told if any decisions taken about them have been automated so that they can object to them if they choose to.
2. Adding information about people that they didn’t provide
CRUK also fell foul of the rules in another way. They strengthened their database of donors by updating the information in it; sometimes they would add extra information in without telling the donors.
For instance, between 2011 and 2016 they matched 678,887 telephone numbers to supporters.
The ICO believes that people have a right to choose what personal information they provide. That includes deciding whether to tell an organisation that their personal details have changed. Organisations cannot add personal data about you that you didn't provide and that you didn't give them permission to use.
3. Emailing people to ask them to opt in to marketing emails
Most people realise that you can’t just email people with direct marketing messages: you have to ask them to opt in to marketing emails.
However, you can’t email people asking them to opt in!
Late last year the supermarket Morrisons emailed people about “Your account details”. It warned them that by opting out of Morrisons More card marketing they had chosen not to receive any marketing from Morrisons. Citing the benefits of money off coupons, it invited them to change their preferences.
The ICO ruled that the e-mail Morrisons sent was sent for the purposes of direct marketing, and so was subject to the same rules as other marketing e-mails.
Honda was also fined in a recent case, when the ICO ruled that a customer service email designed to confirm marketing preferences was in fact a marketing email.
The ICO is clear that organisations cannot e-mail an individual to ask them to consent to future marketing messages.
4. Not providing training
To keep the right side of the DPA you need to take “appropriate technical and organisational measures”.
Following an audit of Medway Council this month, the ICO told the Council that they were required to ensure that there is a mandatory data protection training programme, with refresher training delivered at least every 2 years.
Providing comprehensive training in data protection, and in associated areas such as cyber security, will take you a long way towards compliance with the organisational measures required under the DPA.
5. Not providing evidence of "soft opt-in" or consent
To contact people with marketing messages you need to have their consent, or to be able to rely on the "soft opt-in". This allows you to email existing customers unless they ask you not to.
But that's not sufficient. You need to be able to demonstrate that you have a valid right to contact people.
Onecom spammed mobile phone users with messages suggesting that they upgrade their contracts. When people complained to the ICO, Onecom defended itself by saying that it had legal reasons to email the complainants. Some were customers (or customers of companies that Onecom had bought) and so could be contacted under the soft opt-in rules. The others were people who had given a third-party data supplier permission for their data to be shared.
Unfortunately for Onecom, it was unable to prove that it had consent or the right to use soft opt-in. And without proof, the ICO decided that they hadn't complied with the rules.
The moral here: always make sure you can prove what legitimate reason you have for contacting people.
6. Losing personal data is an offence, even when it doesn't get shared
Greater Manchester Police (GMP) was fined £150,000 after three DVDs containing footage of interviews with victims of violent or sexual crimes got lost in the post.
The DVDs (so far) haven't been found and the personal data they contained hasn't been shared. But GMP was still guilty of not complying with the DPA. This was in large part because the DVDs hadn't been encrypted. Making sure that this type of information can't be accessed by unauthorised people is basic cyber hygiene, one might imagine.
7. Sending it to yourself is illegal
You might think that if you can legally access something at work you can share it with yourself. But you can't because that would be using the data for a purpose that was not originally intended.
Recruitment executive Gregory Oram found this out the hard way when he was fined £170 for emailing himself the details of 500 candidates before leaving his job and setting up with a rival recruitment agency.
8. If you use an agency outside the UK it makes no difference
Munee Hut LLP used a company in Belize to send thousands of spam texts to people promoting its loans.
But the fact that the messages originated outside the UK made no difference. Munee Hut was the "data controller" and liable for the illegal campaign. They were fined £20,000.
Remember: don't think that you can use someone outside the UK to do your dirty work for you - you won't get away with it.
9. CCTV on your premises can cause problems
A lot of organisations have CCTV on their premises. If you do, you need to ensure you are complying with the rules.
This involves telling people clearly that CCTV is in operation and registering your use of CCTV with the ICO. Newsagent Kavitha Karthikethu was fined for failing to register. Her excuse was that, while she had received warnings from the ICO that she needed to register, she thought the letters were spam.
It's also worth keeping in mind that the rules mean ensuring that you aren't always recording sound as this could be considered excessive. And any recording you do make should be stored securely.
Food for thought
It's not easy getting data protection right. And things are getting more complicated with changes in the law: the EU's GDPR will replace the DPA in May 2018, and is most likely to stay as part of UK law even when we have left the EU.
If you are feeling worried by data protection issues then why not sign up for our one-day workshop on data protection. Hosted by a highly experienced data protection professional, Emma Butler from yoti.com, it will give you all the answers you need.