April was an extremely busy month for the ICO with a number of enforcement actions being taken as well as two consultations on the important issues of consent and profiling under GDPR. These consultations have now closed and we must wait patiently to hear what the output will be. Whilst the consultation on profiling only closed at the end of last week, the consent consultation closed earlier and the ICO has indicated that it received a significant response. You can see the ICO’s initial statement on the response by clicking on the link below.
The latest fine issued by the ICO highlights that “cyber security must be a top priority for businesses regardless of size”.
This fine came as a result of an investigation by the ICO which concluded that an online construction materials business had failed to implement appropriate technical and organisational measures to protect its customer data. In particular, the investigation found that the organisation had failed to identify that its website contained a coding error which left it vulnerable to attack. This vulnerability was subsequently exploited by hackers who gained access to 669 unencrypted cardholder details including names, addresses, account numbers and security codes.
Whilst the investigation highlighted that the retailer had not intended to bypass the law, it also made clear that oversight is not an excuse. As such, organisations must ensure that they do detect vulnerabilities in their security systems and ensure that the security measures they have in place are adequate to protect the personal data entrusted to them.
The ICO’s Head of Enforcement Steve Eckersley commented that “this fine must serve as a warning to other small and medium-sized firms that the security of their customers’ personal information must come first”.
This month the Information Commissioner, Christopher Graham, repeated his call for stronger sentencing powers in relation to individuals who steal personal information.
This call comes after a recent incident highlighted the inadequacy of the current options available to the Court to both punish and deter would-be data thieves.
What happened?
This recent incident involved an employee of a car rental company who stole the personal data, including details of the policy holder and their insurance claim, of almost 28,000 people. She then sold it to an accident claim company o make nuisance calls.
In this instance the employee, Sindy Nagra, pleaded guilty to unlawfully obtaining, disclosing and selling personal data, a criminal offence under section 55 of the Data Proection Act 1998 (the “DPA”). Whilst the Courts have the power to impose unlimited fines in respect of such offences, they do not have the power to impose custodial sentences.
Despite Nagra selling this information for £5,000, the Court only fined her £1,000 and, whilst she was also ordered to pay a £100 victim surcharge and £864 prosecution costs, Nagra still made a profit.
Equally, the recipient of this stolen personal information was also guilty of an offence under section 55 of the DPA. They were also fined £1,000, ordered to pay a victim surcharge and was required to pay £864 prosecution costs.
What was the ICO reaction?
In response to this incident and the outcome of the Court, the Information Commissioner, Christopher Graham, commented that
“This fine highlights the limited options the Courts have. windy Nagra got £5,000 for stealing thousands of people’s information. She lost her job when she was caught and has no money to pay a fine, and the courts have to reflect that, but we would like to see the courts given more options: suspended sentences, community service, and even prison in the most serious cases.
Key messages
- The ICO have been calling for stronger powers for some time now. With so many thefts of personal data being reported in the media, it is only a matter of time before Westminster recognises the need for greater deterrents and punishment or these offences;
- Anyone who unlawfully obtains or discloses personal data without the consent of the data controller is likely to be guilty of an offence under section 55 of the DPA. However, it is important that all employees understand what they can and cannot do with the information they access as part of their employment as otherwise, in the event that they do take and sell such information, it may prove difficult to establish and enforce that an offence has been committed.
- Any organisation purchasing personal data must ensure that they are obtaining it lawfully and that they have the right to use it for their intended purposes. Otherwise, by obtaining it and/or using it, they too will be guilty of committing an offence.
How can Merrion Data Consultants help?
We can help you by:-
. Ensuring that you have appropriate policies and procedures in place to help protect your business against data theft and disclosures.
. Supporting you when you buy customer information to ensure that the information you receive can be used for your intended purposes and that you won’t break the law.
. Working with you to establish whether or not data has been stolen and if so, what action can be taken to manage the incident and mitigate the impact for your business and those affected.
If you would like to discuss the further, please contact us here.