Firms in all business sectors are advised to take note of three different enforcement actions imposed by the Information Commissioner’s Office (ICO) in early 2019.

A Buckinghamshire-based housing developer was served with an Enforcement Notice by the ICO after one of its customers complained that the firm had not responded to his request for a copy of his personal data (a Subject Access Request). When the firm still did not respond to the customer’s request, the data protection regulator duly prosecuted them in the courts.

The firm pleaded guilty to a charge of failing to comply with an enforcement notice at Westminster Magistrates Court, and was fined £300, with a £30 victim surcharge, and was ordered to pay £1,133.75 towards prosecution costs.

Mike Shaw, the ICO’s Criminal Enforcement Manager, said:

“The right to access your own personal information is a fundamental and long-standing principle of data protection law. New laws brought into effect last May strengthen those rights even further.

“Organisations not only have to respect this right but must also respect notices from the ICO enforcing the law. If they fail to do so then they must accept the consequences, which can include a criminal prosecution.”

A Bristol-based insurance company was fined £60,000 after it sent more than one million marketing emails to individuals who had not consented in advance to receiving this type of communication. The recipients were in fact individuals who had signed up to an organisation that campaigned for a Leave vote in the EU referendum, and the ICO says there were close links between the campaign firm and the insurance firm. The insurance firm was also served with an enforcement notice compelling the firm to take steps to ensure it complies with electronic marketing regulations in the future.

A fine was also imposed on the campaigning organisation.

Elizabeth Denham, the Information Commissioner said:

“It is deeply concerning that sensitive personal data gathered for political purposes was later used for insurance purposes; and vice versa. It should never have happened.

“We have been told both [the insurance company and the political campaigning organisation] have made improvements and learned from these events. But the ICO will now audit the organisations to determine how they are using customers’ personal information.”

Finally, a Liverpool-based legal services firm has been fined £80,000 for making 213 unsolicited marketing calls to individuals who were registered with the Telephone Preference Service (TPS).

So, to summarise:

  • Firms must comply with all Subject Access Requests within 30 days of receipt
  • Firms must not send email marketing to individuals who have not consented in advance to receiving this type of communication – including a link to opt out of future emails is not sufficient
  • Firms must not cold call individuals who are TPS-registered

The information shown in this article was correct at the time of publication. Articles are not routinely reviewed and as such are not updated. Please be aware the facts, circumstances or legal position may change after publication of the article