Monetary penalty notice for small fish owned by big fish

The Information Commissioner’s Office (ICO) has served a monetary penalty notice (MPN) of £150,000 on online travel company Think W3 Ltd.

MPNs (sometimes wrongly described as “fines” *cough* http://ico.org.uk/enforcement/fines) are civil penalties which can be served by the ICO where it has determined that the data controller in question has contravened the Data Protection Act 1998 and the contravention was: serious, of a kind likely to cause substantial damage or substantial distress and the data controller knew or ought to have known that there was a risk the contravention would occur but failed to take steps to prevent it. The ICO classed this contravention as very serious.

The website of Essential Travel Ltd, a subsidiary and trading brand of Think W3, was subject to a major attack under which more than 1 million credit card records were extracted. The attack was the result of an SQL injection enabled by a coding error on a login page which (for the facilitation of home-working) was publicly available over the internet. It appears that the coding error, and the lack of suitable checks since, meant the site had been vulnerable since early 2006 until December 2012 (when the attack happened).

The fact that the MPN was at the lower end of the scale available is probably because of the need (laid out in guidance) for the ICO to consider the data controller’s financial ability to pay a penalty. What I find interesting here is that Think W3 Ltd are a company wholly owned by Thomas Cook Group, who acquired 100% of it in 2010. Company law normally provides that liability of a company within a group attaches to that company alone, so the assets of the Group were not available to be taken into account by the ICO, but, given that the seventh data protection principle was already being contravened, in a very serious manner, at the time of the 2010 aquisition, some questions might now be asked of those in charge at the time.

Leave a comment

Filed under Data Protection, Information Commissioner, monetary penalty notice

ICO responds to my concerns about PECR compliance

In assessing one’s own compliance with the law, or in advising a client on the law, or in pontificating on one’s blog about the law, one is well advised to refer not only to the law itself (whether in the form of legislation or precedent at common law), but also codes of practice, and guidance. When the law in question is the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), which are enforced and overseen by the Information Commissioner’s Office (ICO), it is natural that one would refer – in addition to PECR themselves, and the European Directive 2002/58/EC to which PECR give domestic effect – to the ICO’s own PECR guidance, and, particularly when it comes to electronic marketing, the guidance on Direct Marketing.

So, when the latter guidance says

Organisations must give the customer the chance to opt out – both when they first collect the details, and in every email or text. Organisations should not assume that all customers will be happy to get marketing texts or emails in future…It must be simple to opt out. When first collecting a customer’s details, this should be part of the same process (eg online forms should include a prominent opt-out box…

it would be reasonable to assume that an organisation which did not do this would be, at least if not in direct breach of PECR, sailing close to the wind. The relevant regulation (22(2)) of PECR says that

a person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender

and recital 40 of the originating Directive says that electronic marketing requires that prior, explicit consent be given before electronic marketing can take place.

One could reasonably argue that, until such unsolicited electronic marketing takes place, there is no active breach of PECR, but it should surely be conceded that any practice of collecting email addresses, by – say – a political party, in circumstances where explicit consent to receiving subsequent electronic political marketing, is questionable.

I have blogged a number of times in recent weeks about such harvesting of email addresses, and it was prompted by a “widget” on the Labour Party website. I asked the ICO for a statement specifically about that “widget”, and this is what their spokesman said:

In general terms, if an organisation wishes to retain individuals’ contact details it should make them aware of this before their information is collected.  This appears to be the case in the NHS baby number service. We also advise organisations that web pages should explain how personal information will be used, and this can be via a link to the organisation’s privacy policy. We would also want to ensure that individuals can unsubscribe from emails if they receive them, as appears to be the situation here. 

We have published detailed guidance for political parties for campaigning or promotional purposes. On 1 May 2014, the Information Commissioner wrote to the main UK political parties reminding them of the need to follow data protection and electronic marketing rules. Political campaigning is an area that attracts close public scrutiny. We shall continue to encourage political parties to demonstrate best practice and be open and upfront with people when explaining how their personal details will be used

Now, this is a reasonable and accurate statement about the collection of personal data and compliance with the first Data Protection Principle in Schedule One of the Data Protection Act 1998 – tell people what you are gathering their data for, and how it will be used, and you will probably have broadly complied with the duty to process personal data “fairly”.

However, it seems to overlook – with its reference to “general terms” – the specific requirements of PECR. It seems clear to me that any subsequent email from Labour will have been sent because they have inferred, rather than having received notification of, (explicit) consent.

PECR is not my strongest area. Seriously – am I missing something?

3 Comments

Filed under consent, Data Protection, Information Commissioner, marketing, PECR

Big Political Data

I’ve written over the past few months about questionable compliance by the Conservative, Labour, Liberal Democratic and Scottish National Parties with their obligations under the Data Protection Act 1998 and the Privacy and Electronic Communications (EC Directive) Regulations 2003. And, as I sat down to write this post, I thought I’d check a couple of other parties’ sites, and, sure enough, similar issues are raised by the UKIP and Plaid Cymru sites

ukipplaid

No one except a few enthusiasts in this area of law/compliance seems particularly concerned, and I will, no doubt, eventually get fed up with the dead horse I am flogging. However, a fascinating article in The Telegraph by James Kirkup casts a light on just why political parties might be so keen to harvest personal data, and not be transparent about their uses of it.

Kirkup points out how parties have begun an

extraordinarily extensive – and expensive – programme of opinion polls and focus groups generating huge volumes of data about voters’ views and preferences…Traditional polls and focus groups have changed little in the past two decades. They help parties discover what voters think, what they want to hear, and how best to say it to them. That is the first stage of campaigning. The second is to identify precisely which voters you need to speak to. With finite time and resources, parties cannot afford to waste effort either preaching to the converted or trying to win over diehard opponents who will never change sides. The party that finds the waverers in the middle gains a crucial advantage.

It seems clear to me that the tricks, and opacity, which are used to get people to give up their personal information, are part of this drive to amass more and more data for political purposes. It’s unethical, it’s probably unlawful, but few seem to care, and no one, including the Information Commissioner’s Office (which has, in the past taken robust action against dodgy marketing practices in party politics) has seemed prepared so far to do anything to prevent it. However, the ICO has good guidance for the parties on this, and in May this year, issued a warning to play by the marketing rules in the run-up to local and European elections. Let’s hope this warning, and the threat of enforcement action, extends to the bigger stage of the national elections next year.

 

 

 

 

Leave a comment

Filed under Confidentiality, consent, Data Protection, Information Commissioner, marketing, PECR, Privacy

Naming and shaming no shows is a no-no

I know a couple who run a restaurant. And I know how the problem of no-shows can cause great economic damage to restaurants. Failing to show up, or to cancel in advance, is, moreover, incredibly rude. But the response, which I only became aware of today, of naming and shaming the no-show customers on twitter is a risky and probably unlawful one for restaurateurs to take.

In the instance I saw this morning a London restaurant had apparently searched for the twitter account of a person who they thought had failed to show, and had openly tweeted their displeasure. He, however, had email proof that he had cancelled in advance. The restaurant investigated, accepted this, and apologised (and the customer accepted, so I’m not going to name either of the parties).

However, the restaurant was processing the personal data of the customer when it took his booking, and their use of that data would be limited to what the customer was told at the time, or what he might reasonably expect. So, unless they had a very odd privacy notice, their permitted processing purposes would not have extended to the naming and shaming of him for failing to turn up. Thus, it would seem to be a breach of at least the both the first and the second data protection principle. Moreover, the rather cavalier approach to customer data wouldn’t make one confident about other aspects of data protection compliance.

I really do sympathise with restaurateurs: one of the alternative approaches to no-shows and late cancellers is punitive cancellation fees but that also has its drawbacks and detractors. However, there are not many areas of commerce where companies would be able to get away with such apparently unfair and unlawful processing of their customer’s personal data: announcing that someone has failed to attend at a certain restaurant potentially indicates quite a bit about the person’s tastes, means and location. It’s a risky thing for a restaurateur to do, especially when, as with the restaurant I saw tweeting earlier today, they haven’t registered their processing with the Information Commissioner’s Office (which, I would emphasise, is a criminal offence).

 

 

Leave a comment

Filed under Data Protection, Information Commissioner, privacy notice, social media

The days of wine and disclosures

I like FOI. I like wine. Here’s an FOI disclosure about wine.

In the early days of the Freedom of Information Act 2000 (FOI) there were frequent attempts to get the government to disclose detailed information about its wine cellar (see for instance this seemingly interminable request). Eventually, the Information Commissioner got fed up with the lack of FOI hospitality from the Foreign and Commonwealth Office (FCO), who seem to be responsible for this sort of thing, and started issuing decision notices requiring disclosure.

I’m pleased to see that disclosure is now, if not a matter of routine, not resisted by FCO (except for some intriguing little redactions – one wonder if they hide things like “this is the Minister for X’s favourite”). So, we now know that the government has reserves of, for instance, 139 bottles of Latour 1961, with a market value of £321,000. This is the highest value wine, but we (sorry, they) also hold 110 bottles of Chateau Margaux 1983 (market value £15k – not the best vintage, after all). And their Pétrus is only the 1978, but even so, the estimated market value of £250 seems very low.

It’s a shame the dataset isn’t in resuable format, but, we’re all in it together, so I’d invite others to search out some other interesting cellar items. Those Krug ’82 magnums look a steal at £125 a pop…

Leave a comment

Filed under Freedom of Information, Information Commissioner, transparency, Uncategorized

ICO v ICO?

UPDATE: 16 July 2014 – in the comments to this piece the ICO adds some further details on the “non-trivial” incident: “We are unable to provide details of the breach at this stage, as the information involved is linked to an ongoing criminal investigation.”

The ICO had a “non-trivial” data security incident last year. Can it “fine” itself? Will/has it?

There was an interesting teaser in the Information Commissioner’s Annual Report. As The Times reports

Christopher Graham, the Information Commissioner (ICO), revealed yesterday that his office had suffered a “non-trivial data security incident” within the last 12 months, which prompted a full internal investigation

The ICO, of course, processes personal data and in doing so assumes the role of the data controller (according to section 1(1) of the Data Protection Act 1998 (DPA)). It also assumes the obligation to comply with the data protection principles, and the liability for contravening them. In 2012 the ICO responded to a Freedom of Information Act 2000 (FOIA) request for its “data breach log” with a document that showed admirable commitment to recording even the smallest of potential data security incidents (“person taking photographs outside building”, “theft of small amount of money”). In that instance there were two incidents identified as “high risk”, but the ICO declined to provide information, and the requester, it seems, did not pursue the matter.

This time, with national media picking the story up, the matter may be pushed further. At the moment the ICO is apparently declining to offer any further comment to the media, advising The Times that

You will have to fill out a freedom of information request

which doesn’t really sit that well with their normal commitment to transparency.

But to what extent can or should the ICO investigate its own compliance with the DPA? The Act does not provide for any derogation for the ICO from its obligations, and nor does it provide for any alternative to “self regulation”. Nor, moreover, does it appear to provide for any delegation to a third party to investigate. When it deals with complaints about its own handling of FOIA requests it habitually issues decision notices about itself (sometimes even finding against itself). It does this by distinguishing between “the ICO” (the entity dealing with the request) and “the Commissioner” (the entity dealing with the complaint). I would imagine that a similar nominal separation would be used if it came to formal enforcement action being contemplated in response to a data security incident.

I emphasis the word “if” in the previous sentence, because, although The Times says

The ICO, which can levy fines of up to £500,000 for data protection breaches, did not disclose whether it had fined itself for the breach

it is clear in fact that no such enforcement action resulted in this instance. This is clear because, firstly, the ICO’s own Monetary Penalty Guidance says that any monetary penalty notice (for which “fine” is a convenient, if not strictly correct, shorthand) will be published on its website. None has been published (believe me – I check these things very regularly). And secondly, and more fundamentally, the ICO’s report says that the incident in question

did not amount to a serious breach of the Data Protection Act [emphasis added]

By section 55A a monetary penalty can only be served for a serious contravention of the data controller’s obligations under the DPA. If the incident was not a serious contravention, the statutory threshold for a monetary penalty is simply not met. So, regardless of what other information about the incident might be winkled out of the ICO, we are not going to have a story of “ICO fines ICO”.

However, on a final point, I note that the ICO expects data controllers to report serious data security incidents to the ICO. So the question arises – did the ICO report this to the ICO, or did the ICO assess this as not serious enough to refer to the ICO?  How did the ICO get to know? Could it have been a leak by the ICO? Or even by the ICO? These questions deserve answers*.

*no they don’t

7 Comments

Filed under Data Protection, enforcement, Freedom of Information, Information Commissioner, monetary penalty notice

Political attitudes to ePrivacy – this goes deep

With the rushing through of privacy-intrusive legislation under highly questionable procedures, it almost seems wrong to bang on about political parties and their approach to ePrivacy and marketing, but a) much better people have written on the #DRIP bill, and b) I think the two issues are not entirely unrelated.

Last week I was taking issue with Labour’s social media campaign which invited people to submit their email address to get a number relating to when they were born under the NHS.

Today, prompted by a twitter exchange with the excellent Lib Dem councillor James Baker, in which I observed that politicians and political parties seem to be exploiting people’s interest in discrete policy issues to harvest emails, I looked at the Liberal Democrats’ home page. It really couldn’t have illustrated my point any better. People are invited to “agree” that they’re against female genital mutilation, by submitting their email address.

libdem

There’s no information whatsoever about what will happen to your email address once you submit it. So, just as Labour were, but even more clearly here, the Lib Dems are in breach of the The Privacy and Electronic Communications (EC Directive) Regulations 2003 and the Data Protection Act 1998. James says he’ll contact HQ to make them aware. But how on earth are they not already aware? The specific laws have been in place for eleven years, but the principles are much older – be fair and transparent with people’s private information. And it is not fair (in fact it’s pretty damn reprehensible) to use such a bleakly emotive subject as FGM to harvest emails (which is unavoidably the conclusion I arrive at when wondering what the purpose of the page is).

So, in the space of a few months I’ve written about the Conservatives, Labour and the Lib Dems breaching eprivacy laws. If they’re unconcerned about or – to be overly charitable – ignorant of these laws, then is it any wonder that they railroad each other into passing “emergency” laws (which are anything but) with huge implications for our privacy?

UPDATE: 13.07.14

Alistair Sloan draws attention to the Scottish National Party’s website, which is similarly harvesting emails with no adequate notification of the purposes of future use. The practice is rife, and, as Tim Turner says in the comments below, the Information Commissioner’s Office needs to take action.

snp

5 Comments

Filed under consent, Data Protection, PECR, Privacy, transparency