May 28, 2013 · 6:58 pm

Pondlife: privacy obligations and privacy rights

Anonymous has threatened the EDL with a campaign of exposure and disruption. However, disclosure – and onward dissemination – of private information, such as lists of members of a group can be unlawful under data protection (and other) laws. Failure to take adequate steps to prevent such disclosure can also put such groups at risk of breaching the same laws.

In 2010 the law firm ACS:Law was victim of a concerted campaign to disrupt its activities through denial of service attacks (DDOS) and other means. The “Hacktivist” network Anonymous claimed responsibility for the attacks, stating that they were in response to the firm’s aggressive litigation tactics in claims against alleged file-sharers. For a short time after the firm’s website was restored after the DDOS attacks a file was exposed which contained large amounts of personal data of individuals who were suspected of file-sharing. This file was rapidly spread by Anonymous activists, and others.

As a result of this data security breach the Information Commissioner (IC) subsequently served a civil Monetary Penalty Notice of £1000 on Andrew Crossley, who operated the firm. At the time the IC said that

Were it not for the fact that ACS:Law has ceased trading so that Mr Crossley now has limited means, a monetary penalty of £200,000 would have been imposed, given the severity of the breach.

The IC found that the firm’s website security was utterly inadequate and constituted a serious breach of the seventh principle of the Data Protection Act 1998 (DPA).

The security measures ACS:Law had in place were barely fit for purpose in a person’s home environment, let alone a business handling such sensitive details

This point has current relevance because “Anonymous” have announced a campaign to disrupt the activities of the English Defence League. The Guardian reports that

A list of what were said to be mobile phone numbers for senior named EDL figures were published online on Tuesday evening along with addresses of what were said to be donors to the far-right group

Twitter accounts also re-published leaked details of hundreds of names and addresses linked to the EDL which were circulated on the web in 2010 after hackers broke in to one of the organisation’s websites
I confess I wasn’t aware of the 2010 hack. One wonders if the IC investigated this at the time. Nonetheless, any further hacks which reveal personal data of members and donors raise potential issues of liability for the EDL under the DPA, for the same reason that ACS:Law attracted enforcement action.
 
I found it notable at the time of the ACS:Law case that there was a lack of action or censure for the many people who happily publicised and distributed the file in question, thus exacerbating the already serious breach. It seemed to me, and still does, that those who originally downloaded the file and made it freely available, and those who continued to publicise it and make it available, were arguably guilty of an offence under section 55 of DPA, which provides that disclosing personal data knowingly or recklessly, without the consent of the data controller can be an offence.
 
The chances of an offence being committed are even more pronounced when concerted efforts are made to hack into a website. The offence under s55 DPA remains (through lack of a ministerial Order implementing the custodial provisions) only punishable by a maximum £5000 fine. However, other potential offences are enaged, including those under the Computer Misuse Act 1990, which are punishable by a maximum of five years’ imprisonment.
 
Anonymous have their reasons for the campaign, and they are perhaps difficult to argue against. But concerted efforts to gather and disclose private information raise worrying issues, which should not be avoided simply because of who the intended victims are.
 
None of this is to be seen as defending, or sympathising with, the views of the EDL, who are scum. But even scum have rights. Furthermore, it might be worth bearing in mind that when a list of apparent members of the BNP was leaked in 2009 – an incident which led to the prosecution of an individual under the DPA (at the sentencing of whom the judge said that he was obliged to impose a “fine…so low as to be ridiculous”) – there were strong indications that a number of people were wrongly named as members. Lists can be dangerous things, and I can think of few things more unpleasant than being wrongly associated with groups like this.

2 Comments

Filed under Breach Notification, Confidentiality, Data Protection, human rights, Information Commissioner, Privacy

Tagged as ,

May 26, 2013 · 10:27 am

Medical records databreach – what will result?

Today’s Sunday Mirror reports that thousands of confidential medical records have apparently been stored outdoors in a car park in an industrial estate for months. The paper alleges that

DHL Healthcare, which provides services for more than 100 NHS trusts, left out documents reportedly containing patients’ names, addresses and details of their medical conditions.

The paperwork is also believed to contain security “key codes” that enable DHL ambulance drivers to open the front doors of patients’ homes so they can be taken to hospital for treatments such as dialysis and chemotherapy.

Although the article doesn’t mention it, I am sure the Information Commissioner (IC) will take a keen interest in this.

Of particular interest is the fact that this apparent breach is said to have involved an organisation, DHL Healthcare, which doesn’t provide healthcare services itself. According to its website it provides “logistics services for the healthcare industry”. I also note that it provides a records management service. It seems almost certain that it acts under contract to NHS bodies. As such, in the terminology of the Data Protection Act 1998 (DPA), it is a “data processor” and an NHS body which instructs it is a “data controller”. Under the DPA, only the latter – the controller – is responsible for complying with the Act, and only the latter is liable to attract enforcement action for serious breaches of the DPA.

The seventh DPA data protection principle places an obligation on a data controller to ensure that

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

and where

Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller is not to be regarded as complying with the seventh principle unless—

(a)the processing is carried out under a contract—

(i)which is made or evidenced in writing, and

(ii)under which the data processor is to act only on instructions from the data controller, and

(b)the contract requires the data processor to comply with obligations equivalent to those imposed on a data controller by the seventh principle.

This means that where an NHS Trust contracts with – say – a records management service, it must enter into a written contract which demands that the contractor must do nothing other than what the contract says, and must have robust data security measures in place. If the contract does not say that then the NHS body is prima facie in breach of the DPA, and liable for any serious breach which might occur.

Thus, in 2012, Brighton and Sussex University Hospitals NHS Trust was “fined” (in reality, served with a s55A DPA Civil Monetary Penalty Notice) £325,000 by the IC after hard drives containing sensitive medical data ended up for sale on the internet. The IC said that the Trust

failed to choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and take reasonable steps to ensure compliance with those measures.
Further, the processing was not carried out under a contract between the Trust and HIS (whether made or evidenced in writing) under which the data processor was to act only on instructions from the data controller, and which required HIS to comply with obligations equivalent to those imposed on a data controller by the Seventh Data Protection Principle

Any investigation into this latest incident will likely involve assessment of the nature of the contracts in place, and the extent to which data controllers contracting with DHL Healthcare took reasonable steps to ensure compliance by the contractor. However, it appears to be the case, under current law, that if the IC determines there was a robust contract in place, and the data controller took all reaosnable steps to ensure compliance, no enforcement action can ensue. This seems slightly strange, but the DPA (which gives effect to the European Data Protection Directive) does not allow the IC to take action against the contractor. (Of course the other party to the contract could take civil action of its own, but this would almost certainly be only for breach of contract).

The draft European Data Protection Regulation seeks to deal with this possible gap in the law. Draft Article 26 (read with Articles 24 and 30) provides that

If a processor processes personal data other than as instructed by the controller, the processor shall be considered to be a controller in respect of that processing and shall be subject to the rules on joint controllers

This apparently sensible and minor amendment might, though, have major implications for contractual arrangements to process data. If a data processor becomes (jointly) liable for breaches it is likely to assess risk in a much different way when entering into a contract. “Traditional” data controllers need to be alive to the potential financial implications of this.

One final note. Under current law, a data controller is

a person who determines the purposes for which and the manner in which any personal data are, or are to be, processed

Could it be argued that, even now, when a contractor diverges from the terms of a contract, and decides to process data in a different way, they are in fact determining the purposes in a way which could potentially make them a controller? I would be interested to know if this has ever been argued.

Leave a comment

Filed under Breach Notification, Data Protection, enforcement, Information Commissioner, monetary penalty notice

Tagged as ,

May 20, 2013 · 12:23 pm

There’s nothing like consistency…

Two contradictory decisions from the ICO as to whether disclosure of the names of councillors in the Local Government Pension Scheme is lawful might leave FOI officers – and requesters – scratching their heads

Remember those “Spot the Difference” competitions?

In 2010 the Information Commissioner’s Office (ICO) issued a Decision Notice concerning a request made to Buckinghamshire County Council under the Freedom of Information Act 2000 (FOIA). The request was for the names of councillors who had chosen to join the Local Government Pension Scheme (LGPS). The ICO agreed with BCC that

the withheld information is personal data relating to these councillors

But disagreed that section 40(2) and (3) of FOIA exempted the information from disclosure, rejecting an argument that the councillors would not have had a reasonable expectation of disclosure of the information:

the Commissioner has not found any evidence to support a view that disclosing the requested information would be likely to cause unnecessary or unjustified damage or distress to the individuals concerned

and

The Commissioner is satisfied the requested information relates primarily to the councillors’ public lives and does not intrude significantly on their private and family lives.

Consequently BCC was

to provide the complainant with the list of names of the ten councillors who were members of the LGPS

Compare and contrast with a Decision Notice issued recently relating to a FOIA request to Central Bedfordshire Council (CBC). The request was for names of councillors who had chosen to join the Local Government Pension Scheme (LGPS). The ICO agreed that

information regarding the details of an individual’s pension is personal data

And agreed with CBC that section 40(2) and (3) of FOIA exempted the information from disclosure, saying

individuals will have a reasonable expectation that information about their pension, and their decision whether or not to take one, will not be routinely disclosed

and that the councillors’

expectations of privacy with regard to their pensions are still objectively reasonable as it relates far more to their private lives than their professional lives

Consequently CBC was correct

to rely on section 40(2) to withhold…the requested information

A few questions arise: are BCC councillors entitled to bring a complaint against their council for unfair processing? if so, would BCC have a defence that they complied with a legal notice from the statutory regulator? Is local government “lagging behind best practice in other parts of the public sector” (para 20 of FS50233989) or not? Which Decision Notice should other councils follow when they get similar requests? And, finally, did the ICO even look at the earlier decision when it issued the second?

 

DISCLAIMER: I have a professional connection to one of the public authorities involved.

1 Comment

Filed under Data Protection, Freedom of Information, Information Commissioner

May 17, 2013 · 2:58 pm

Damages under s13 Data Protection Act – an Opportunity Lost?

A concession of an issue by the defendant in Halliday v Creation Consumer Finance means the law is still unclear as to whether nominal damages trigger compensation for distress arising from a contravention of the Data Protection Act

Section 13(1) of the Data Protection Act (DPA) provides a right to compensation for a data subject who has suffered damage by reason of any contravention by a data controller of any of the requirements of the Act.  The domestic authorities are clear that “damage” in this sense consists of pecuniary loss. Thus, section 13(1) is a “gateway” to a further right of compensation under section 13(2)(a), for distress. The right to distress compensation cannot be triggered unless section 13(1) damage has been suffered.

This point was addressed in Johnson v The Medical Defence Union Ltd (2) [2006] EWHC 321 and  on appeal (Johnson v Medical Defence Union [2007] EWCA Civ 262), with Buxton LJ in the latter saying

section 13 distress damages are only available if damage in the sense of pecuniary loss has been suffered

In the case at first instance  the judge had found against Mr Johnson in his claim that a failure to renew his membership was caused by unfair processing of his personal data. However, if the first head of claim had succeeded, pecuniary damages in the sum of £10.50, to cover the cost of a breakfast (don’t ask) would have been owed, and

the price of that breakfast [would have represented] his gateway to a right to recover compensation for distress under section 13(2)(a)

This point, already largely hypothetical, fell away on appeal, because the Court held 

The Judge was not entitled to find that this, the only item of pecuniary damage that survived, was attributable to damage for which the MDU was responsible

The judgment in a recent case, Halliday v Creation Consumer Finance Ltd (CCF) [2013] EWCA Civ 333 had been anticipated as possibly clarifying whether nominal, as opposed to substantial, damages under section 13(1), could suffice to be a gateway to distress compensation, and, indeed, whether the DPA effectively transposes the requirements of the European Data Protection Directive to which it gives effect. The case concerned errors by the defendant regarding disputed payments, which affected the claimant’s credit record. As Robin Hopkins said in a recent post on the Panopticon blog, after reports of the ex tempore judgment surfaced,

In Halliday…nominal damages (of £1) were awarded, thereby apparently fulfilling the ‘damage’ requirement and opening the door for a ‘distress’ award (though note that Panopticon has not yet seen a full judgment from the Court of Appeal in this case, so do not take this as a definitive account). If that approach becomes standard practice, claimants may be in much stronger positions for seeking damages.

Now that the full judgment has been made available, it can be seen that Mr Halliday did indeed succeed in using the nominal £1 damages as a gateway to £750 compensation for distress, but only because the defendant conceded the point:

this issue, which was the main issue of the proposed appeal to this court, is now academic as the respondent, CCF, concedes an award of nominal damages is “damage” for the purposes of the Directive and for the purposes of section 13(2) of the Data Protection Act 1998

So it appears we must continue to wait for fuller consideration of the meaning of the word “damage” in both the Directive and section 13 DPA.

UPDATE: Robin Hopkins has blogged on this case at the Panopticon blog. As he says – and as I may have omitted – “the judgment is not without its notable points”.

5 Comments

Filed under damages, Data Protection

May 16, 2013 · 7:58 am

NO THANK YOU I DON’T WANT TO REGISTER

The other day I was in town, and popped in to a shop to look at an interesting item. I was rather annoyed to be greeted by a shop assistant waving a large banner which obscured everything. He said he’d put the banner down if I handed over my contact details so he could send me marketing guff in the future. He only got out of the way when I kneed him in the Edwards.

Not strictly true of course. However – you wouldn’t run a physical shop this way, so why run web scripts that have the same effect?

bfp

I don’t want to register for your website – I just want to dip in for a quick look then leave (that still counts as a page view for you to quote to advertisers) and I’d suggest that’s pretty standard practice for the large majority of internet users.

I confidently state that no one, ever, in recorded history, has thought, when they got a pop-up inviting them to register their details, “Oo, how helpful that was. Thank you for obstructing my journey to what I really wanted”.

And I know I could probably configure a pop-up blocker to bypass them, but I don’t (often) walk around town accompanied by a bouncer. So just stop it, everyone who does this.

3 Comments

Filed under Uncategorized

April 16, 2013 · 12:15 pm

Police, poems and FOI

In which I am inspired into literary expression by a rather bizarre ICO decision notice saying that a poem sent by a senior police officer on his mobile device is exempt from disclosure under the “personal data” provisions of the Freedom of Information Act

Mr Plod once sent friends a rhyme
Which was rumoured to be out of line
When a request was lodged
To see what it was
His bosses politely declined

Chris Graham agreed with the force
Saying “It’s personal data because
He’s easy to spot
From the words that we’ve got:
It’s exempt from disclosure, of course!”

A Tribunal may have to decide later
– As the statutory arbitrator –
If it’s rather perverse
To suggest that a verse
Can possibly be personal data.

1 Comment

Filed under Data Protection, Freedom of Information, Information Commissioner, police

Tagged as , , ,

April 5, 2013 · 5:11 pm

A Howitzer of an FOI Exemption

A recent decision by the Information Commissioner shows that the House of Commons is able, under the FOI Act, to apply a blanket provision preventing disclosure of information of potential public interest, from which there is no appeal. If I were a cynical adviser to the House, I’d suggest using it more often.

The Freedom of Information Act 2000 (FOIA) contains a few howitzers with which a relevant public authority can obliterate an otherwise valid request for information. The most familiar of these is at section 53, whereby, in relation to a Information Commissioner (IC) decision notice served on a government department requiring them to disclose information, a Cabinet minister can issue a veto, from which there is no right of appeal.

Less well-known are the certificates which can be served under sections 23 and 24, by ministers, to be conclusive evidence that information requested was supplied by or relates to national security bodies, or is exempt from disclosure for reasons of national security. (These are appealable, either by the IC or by the applicant, under section 60 of FOIA).

Less well-known still is a section which allows the Speaker of the House of Commons (or the Clerk of the Parliaments) to issue a certificate which provides conclusive evidence that disclosure would or would be likely to cause prejudice to the effective conduct of public affairs. This is section 36(7) and, read with section 2(3)(e), it provides an absolute exemption to disclosure, which the IC is duty bound to accept. In effect, it is a means whereby the Houses of Parliament can prevent FOIA disclosure, with no right of appeal.

Thus, in a decision notice published this week about a request for information relating to the tax treatment of residential accommodation provided by the House of Commons, the IC says

Given the nature and provenance of the certificate, the Commissioner is obliged by section 36(7) FOIA to accept the certificate as “conclusive evidence” that the opinion is reasonable in both process and substance and that the alleged inhibition would be likely to occur; therefore, the Commissioner accepts that section 36(2) FOIA is engaged and that the withheld information is exempt

Any appeal of this decision would have the same outcome: if a properly-made certificate states that the exemption applies, then it does, and no regulator or court can say different. So, despite what appears to be a potentially high degree of public interest in the information requested, about, in the applicant’s words

issues of principle… the provision of residential accommodation is a substantial benefit, and its tax treatment is of legitimate interest to the public

we will not get to see it.

There could, I imagine, potentially be an application for judicial review of the decision to issue the certificate, in the same way that the ministerial veto at section 53 is potentially amenable to judicial review, but this would have to be on the classic public law grounds, and would be a very difficult challenge.

One rather wonders why this provision has not been used more often. It has been used in the past to prevent disclosure of information relating to names and salaries of MPs’ staff, and to prevent disclosure of information about the claiming of parliamentary privilege. But when requests were made for disclosure of MPs’ expenses information, the exemption claimed was the one relating to personal data. A section 36(7) certificate would, it seems to me, have rendered those requests dead in the water. Did the House of Commons miss a cynical trick?

Leave a comment

Filed under Freedom of Information, Information Commissioner, Uncategorized

Tagged as ,

April 2, 2013 · 11:33 am

A Question of Apparent Bias?

So, the Information Commissioner’s Office (ICO) has been using “ctrl+v” a bit too much. Large chunks of source material from Wikipedia and – to me more crucially – the website of the Royal Household were quoted, without attribution (and without indication that they were quotations) in a decision letter upholding the Royal Household’s refusal to disclose environmental information to tweeter @foimonkey.

Paul Gibbons – “FOIMan” – has blogged about this, and he wonders if this is evidence of a current lack of resources for the ICO. I think the ICO is under-resourced, and this is set to get worse but I’m not sure I agree with Paul that @FOIMonkey’s case illustrates this.

When Christopher Graham, the current Information Commissioner, was appointed, he inherited a damning backlog of FOI complaint cases, some going back several years. He stated openly that, to deal with this backlog, there might at times be a “silver standard” of investigation (as opposed to a gold one) from his office. True to his word, and much to his credit, the backlog has been greatly reduced, to the point where no cases were more than one year old, at the time of the publication of his last annual report.

So, I would agree with Paul, if @FOImonkey’s case was simply one of these “silver standard” ones, but that surely is not the case here. The refusal by the Royal Household to consider itself a public authority for the purposes of the Environmental Information Regulations 2004 was made over a year ago, and I understand the complaint to the ICO was made promptly after that. This means the ICO has had effectively twelve months to consider a request of considerable (if perhaps obscure) constitutional interest and significance. Even with limited resources twelve months is an awfully long time for a qualified solicitor and national Director of Freedom of Information to have to arrive at a decision.

I have a bigger concern though.

Paul is by no means uncritical of the ICO, and he notes that internal quality controls appear to be lacking, but he is perhaps not overly concerned with the act of copying itself (which could potentially be in breach of copyright):

I’m sure there are FOI out there who have copied chunks of the ICO’s decisions into their own FOI responses without citing them where it suited

However, I think the difference here is related to authority, and perception.

It is quite right for an FOI officer to quote ICO decisions in their own FOI responses (although I agree that citations should be given). Common law relies on a system of precedent and judicial authority, and, although the ICO is a regulator, and not a judicial body, the principle is similar: refer to and cite the authoritative statements of those who make decisions on the law in question.

However, the ICO is the one in a position of decision-making authority here, and to cite the website (without attribution) of one of the parties in a case he has to decide, gives rise to a perception of lack of independence, or bias. And that is an extremely important thing for a regulator to avoid doing.

As it is, most of the unattributed quotes are merely of uncontroversial statements of fact, and I am not sure they are clear evidence of any actual bias on the part of the ICO, but perception of bias is corrosive in itself. The classic test, as propounded by Lord Hope in Porter v Magill [2002] 2 AC 357, is

whether the fair-minded and informed observer, having considered the facts, would conclude that there was a real possibility that the tribunal was biased

Maybe I’m not fair-minded (although I do consider myself reasonably informed) so I would have to invite other observers to say whether they would conclude there was a real possibility of bias in this case.

UPDATE: the ICO has now tweeted saying the failure to cite sources was an error. Fair enough, but I’m not sure that changes my views here.

3 Comments

Filed under Environmental Information Regulations, Freedom of Information, Information Commissioner, transparency

March 27, 2013 · 2:35 pm

Private NHS Providers and FOI

Monitor have recommended that FOI requirements should apply to private providers of NHS services. I’m not sure we should be too optimistic that much will ensue.

Regardless of one’s views of the Health and Social Care Act 2012* it is important that, if “any willing provider” can be commissioned to provide private health services, there should be parity of treatment. And, indeed, the need to ensure a “Fair Playing Field” was, at least ostensibly, what led the Secretary of State for Health to ask Monitor (“the sector regulator of NHS-funded health care services”) to conduct

an independent review of matters that may be affecting the ability of different providers of NHS services to participate fully in improving patient care

That review has now finished, and was laid before Parliament by the Secretary of State yesterday.

My specific interest is in the section regarding transparency. Monitor note that

Historically, public providers have faced higher levels of scrutiny than other providers, including requests for information under the Freedom of Information Act. This degree of scrutiny can improve accountability to patients and promote good practice. Freedom of Information requirements have been extended through the standard NHS contract to private and charitable providers. However, it is not clear that this is operating effectively as yet, and other aspects of transparency do not apply across all types of provider

Accordingly

The Government and commissioners should ensure that transparency, including Freedom of Information requirements, is implemented across all types of provider of NHS services on a consistent basis

This could be read as a recommendation that the Freedom of Information Act 2000 (FOIA) be extended to all (including private) providers.

However, I am not sure we should be too optimistic that the recommendation will be read in this way by the Department of Health. The Justice Committee, in its recent post-legislative scrutiny of FOIA, was unconvinced that FOIA needed to be extended to private providers of public services, feeling that the use of contractual terms to ensure transparency was sufficient:

The evidence we have received suggests that the use of contractual terms to protect the right to access information is currently working relatively well…We believe that contracts provide a more practical basis for applying FOI to outsourced services than [extending FOIA to those private providers]

and rather unsurprisingly the government, in its response to the Justice Committee, agreed

 The Government therefore does not intend, at this time, to legislate to extend FOIA obligations to contractors.

 Given this, I suspect that, rather than taking up Monitor’s recommendation and extending FOIA to private healthcare providers, the government will merely reiterate the point about the use of contractual terms to promote transparency aims.

However, even if FOIA is not to be explicitly extended to include private contractual providers, there is a potential way forward which would achieve those transparency aims in a clearer and more enforceable way. This is the proposal by the Campaign for Freedom of Information, who observed (in light of the post-legislative scrutiny reports)

We don’t believe that relying on every authority to insert an appropriate clause into every contract one at a time is likely to be effective. The FOI Act itself should state that all such contracts are deemed to include a wide disclosure requirement, automatically bringing information about the contractor’s performance and the way the contractor goes about it within the Act’s scope

This seems eminently sensible. I wish eminently sensible things would happen more often than they do.

 

*I happen to think it’s an example of an ideologically-driven privatisation of public services which we will look back on in decades to come as a drastic mistake.

3 Comments

Filed under Freedom of Information

Tagged as

March 20, 2013 · 7:38 am

ICO Bares Teeth at Nuisance Callers

I know a retired chap whose daily life is blighted by nuisance marketing phone calls. Some are from charities he donates to, and I’ve told him he’s entitled to donate and still opt out of receiving these. But others are entirely unsolicited, and despite the fact that about a year ago I got him to register with the Telephone Preference Service (TPS) the calls continue.

Now I remember when I signed up with the TPS a few years ago it was remarkably successful in stopping all nuisance calls, especially when, if one got through, I’d threaten to complain. However, my retired friend won’t complain because, he says, “it wouldn’t achieve anything”. Until recently, I’d have tended to agree with him, but it is good to see the Information Commissioner’s Office (ICO) showing that it does have teeth when it comes to enforcement of the Privacy and Electronic Communications Regulations 2003 (PECR). The ICO have today announced that a monetary penalty notice of £90,000 has been served on a Glasgow company for a breach of the PECR.

DM Design, based in Glasgow, has been the subject of nearly 2,000 complaints to the ICO and the Telephone Preference Service (TPS). The company consistently failed to check whether individuals had opted out of receiving marketing calls – in clear breach of the law – and responded to just a handful of the complaints received.

In one instance an employee refused to remove a complainant’s details from the company’s system and instead threatened to “continue to call at more inconvenient times like Sunday lunchtime”

And it is interesting to note that the ICO say they intend to issue similar “fines” against two other companies.

Of course, this kind of robust enforcement action can only really happen if people complain about this type of call, either to the ICO or to the TPS. I will be encouraging my retired friend to do so, in the knowledge that it might actually achieve something.

Leave a comment

Filed under Uncategorized