PECR & UK GDPR: Need to Know Enforcement Updates (March & April)

Key Cases

The ICO prohibited Serco Leisure from employing facial recognition and fingerprint scanning for monitoring employee attendance, highlighting the disproportionate nature of such surveillance methods. The Ministry of Defence faced a monetary penalty due to serious deficiencies in safeguarding personal data, particularly in relation to the Afghan Relocations and Assistance Policy, emphasising the gravity of those data security breaches. Similarly, Pinnacle Life Limited incurred a penalty for instigating a spam phone call campaign, in clear violation of regulations governing direct marketing communications. 

Reprimands were issued to various entities, such as the Mayor’s Office for Policing and Crime, Chief Constable of West Midlands Police, Chief Constable of Kent Police, and Dover Harbour Board, for infringements spanning data accuracy, security, and appropriate data processing practices. These enforcement actions underscore the need for organisations to adhere to stringent data protection standards and the severity of consequences for non-compliance, highlighting the ongoing efforts to ensure robust protection of individuals' privacy rights.

The University Hospital of Southampton NHS Foundation Trust (UHS), received a reprimand for failing to respond to Special Access Requests (SARs) within the statutory timeframe and Clyde Valley Housing Association (CVHA) was reprimanded for a breach of Article 5(1)(f) of the UK GDPR, resulting from a data security flaw in their online customer portal which allowed residents to view personal information about other residents, indicating inadequate technical measures and testing procedures.

Dr Telemarketing (DRT) faced enforcement action for making unsolicited marketing calls to individuals registered with the Telephone Preference Service Ltd (TPS). Despite evidence of multiple breaches and exploitation of vulnerable individuals, DRT failed to engage with the ICO's investigation, leading to the issuing of both an enforcement notice and a monetary penalty of £100,000. Similarly, Outsource Strategies Limited (OSL) faced a monetary penalty of £240,000 for making unsolicited marketing calls to TPS-registered individuals, contravening Regulation 21 of the Privacy and Electronic Communications Regulations (PECR). 

Lastly, the Central Young Man’s Christian Association (Central YMCA) faced enforcement action and a monetary penalty for a data breach involving the inadvertent disclosure of sensitive personal data relating to HIV status linked to their Positive Health Programme. The most salient feature of the case however is that the penalty notice stated that the fine would have been £300,000 but “taking into account the commissioner's current policy and its action on previous cases” they reduced the fine to £7,500, a 97.5% reduction.  This appears to have been linked to the application of the regulators public sector policy on fines even though the YMCA is not a public sector body indicating that at times the rationale behind the ICO’s decision making remains opaque.

March

Penny Appeal – Unsolicited Marketing Phone Calls - Enforcement notice

On 8 February 2024, the ICO issued an enforcement notice to Penny Appeal, an organisation engaged in transmitting electronic communications, for serious breaches of Regulation 22 of PECR. Regulation 22 of PECR prohibits the transmission of unsolicited electronic communications for direct marketing purposes without the prior consent of individual subscribers, except under specific circumstances outlined in the regulation.

Under Regulation 22(2) of PECR, Penny Appeal, as the sender and instigator of the electronic communications, was obliged to ensure that it has obtained valid consent from recipients for the transmission of direct marketing messages. Valid consent must be freely given, specific, and informed, as defined by Article 4(11) of the UK GDPR, and must be obtained prior to sending marketing communications. Additionally, Regulation 22(3) of PECR outlines the conditions under which electronic communications for direct marketing may be sent, including situations where the recipient's contact details were obtained during the sale or negotiation of a product or service, and the recipient has been provided with a clear means to refuse further communications.

The contravention by Penny Appeal occurred between 22 April 2022 and 1 May 2022, during which approximately 461,650 unsolicited direct marketing messages were transmitted to individual subscribers. Despite this volume of communication, Penny Appeal was unable to provide details of the exact message volumes, resulting in an estimate based on a ten-day period. It was found that Penny Appeal sent these messages to subscribers without obtaining valid consent, even to individuals who had previously opted out of receiving marketing communications. This is a clear violation of Regulation 22 of PECR and constitutes a serious breach of data protection regulations.

The ICO, in considering the evidence and the potential impact of the contravention, has determined that while damage to individuals is unlikely, Penny Appeal's actions necessitate regulatory intervention. Therefore, the ICO is inclined to exercise powers under section 40 of the DPA to issue an enforcement notice to Penny Appeal, requiring the organisation to take specified steps to rectify its non-compliance with Regulation 22 of PECR.

Serco Leisure Operating Limited and relevant associated Trusts – Imposing Collection of Biometric Data - Enforcement notice 

On 19 February 2024, the ICO prohibited “Serco Leisure, Serco Jersey and seven associated community leisure trusts” (“Serco”) from using facial recognition technology and fingerprint scanning to monitor employee attendance. 

The ICO found Serco in contravention with Articles 5(1)(a), 6 and 9 of the GDPR and found that Serco has been unlawfully processing biometric data for more than 2,000 individuals at 38 leisure facilities, for the purpose of tracking employee hours and attendance. Serco failed to justify why it was necessary or proportionate to use facial recognition or fingerprint technology for this purpose, especially when less intrusive methods are usually used for this e.g., ID cards or fobs. 

Employees were not proactively offered an alternative to these methods and instead, scanning of employee faces and fingerprints were presented as requirements to being paid. Due to the nature of the relationship and imbalance in the power dynamic, the ICO believed Serco’s employees were unlikely to feel confident in rejecting the collection and use of their biometric data. 

As such, the ICO used its enforcement notice powers to order Serco to stop processing all biometric data for the purpose of monitoring employee attendance. Serco is also obligated to destroy all biometric data they were not legally entitled to obtain. 

Home Office – Lack of Process Detail & Justification - Enforcement notice

On 28 February 2024, the ICO issued an enforcement notice to the Home Office pursuant to section 149 of the DPA. This notice specifically addresses breaches of Articles 35 and 5(2) of the UK GDPR in connection with the Home Office's satellite tracking services GPS expansion pilot (the "pilot"). The pilot initiative extended the Home Office's utilisation of electronic tagging as an immigration bail condition to a new demographic: individuals who arrived in the UK via perilous routes and had claims suitable for consideration under the detained asylum casework (“DAC”) process.

The ICO’s findings indicate that the Home Office infringed upon Articles 35 and 5(2) UK GDPR due to deficiencies in its data processing practices related to the pilot. Specifically, the Home Office failed to conduct a Data Protection Impact Assessment (“DPIA”) in accordance with the requirements outlined in Article 35. The DPIA lacked comprehensive descriptions of processing operations and their purposes, assessments of necessity and proportionality, and a thorough evaluation of risks to data subjects' rights and freedoms. Additionally, the Home Office failed to demonstrate compliance with the accountability principle outlined in Article 5(2) UK GDPR. This failure encompassed inadequate justifications for the lawfulness, fairness, transparency, and data minimisation of its processing activities related to the pilot.

Chief Constable of Kent Police – Rules Relating to Social Media & Private Devices - Reprimand

On 5 March 2024, the ICO issued a reprimand to the Chief Constable of Kent Police in accordance with Article 58(2)(b) of the UK GDPR and Schedule 13(2)(c) of the Data Protection Act 2018 (“DPA 2018”) for certain alleged infringements. The reprimand is based on an infringement of section 40 of the DPA 2018, which pertains to appropriate security measures for personal data processing in law enforcement activities.

The incident leading to the reprimand occurred in February 2021, when a Kent Police officer took a photograph of an individual's identity document using a personal mobile phone and uploaded the image onto a “Telegram” distribution group without informing the individual about further processing of their personal data.

The investigation found that while the use of the Telegram group was not officially sanctioned, and in fact multiple Kent Police officers were members of the group, indicating a lack of awareness of data protection responsibilities at both operational and supervisory levels. There was also a failure to adequately inform officers about the unacceptable use of personal devices for data processing and a lack of guidance on verifying ID documents.

Additionally, the investigation revealed potential security weaknesses associated with the use of personal devices and social media apps for law enforcement purposes. Despite remedial actions taken by Kent Police, including disciplinary measures and discontinuation of the Telegram group, the ICO issued a reprimand.

Dover Harbour Board – Rules Relating to Social Media - Reprimand

On 5 March 2024, the ICO issued a reprimand to Dover Harbour Board for several infringements of the DPA 2018, in accordance with Article 58(2)(b) of the UK GDPR and Schedule 13(2)(c) of the DPA 2018. The reprimand was based on infringements of Section 35(1) and Section 40 of the DPA 2018.

The reprimand pertains to the creation and use of a social media distribution group initially created on WhatsApp and later migrated to “Telegram” by an officer from the Port of Dover Police. 

The reasons for the ICO’s findings include inadequate consideration of data protection legislation during the creation and use of the social media distribution group, failure to ensure appropriate security measures, lack of adequate data protection training for officers, and absence of policies and procedures regarding the use of social media for official purposes.

Despite considering an administrative penalty, the ICO decided to issue a reprimand. Recommendations for Dover Harbour Board include reviewing existing policies and procedures, enhancing data protection training, issuing clear guidance on app usage and investigating the use of other social media groups for compliance purposes.

Ministry of Defence – Consequences of Human Error - £350,000 fine

The ICO determined that the UK Ministry of Defence (“MOD”) is liable for a monetary penalty under section 155 of the Data Protection Act 2018 (“DPA”) due to a violation of the UK GDPR. The ICO concluded that the MOD infringed Article 5(1)(f) of the UK GDPR due to serious deficiencies in the technical and organisational measures employed by the MOD's Afghan Relocations and Assistance Policy (ARAP) team. This failure resulted in the exposure of personal data of individuals seeking relocation from Afghanistan, posing a significant risk to data security, particularly through human error.

The most notable incident occurred on 20 September 2021 (the "20 September Incident"), where personal data of 245 individuals was disclosed due to the inadvertent use of the "To" field instead of the "blind carbon copy" (BCC) field in an email. Subsequent investigations revealed two similar incidents earlier in September 2021, collectively affecting 265 unique email addresses.

The ICO deemed a financial penalty appropriate, considering the circumstances and the factors listed in Articles 83(1) and (2) of the UK GDPR. Initially, the penalty was set at £1,000,000 based on the nature, gravity, and duration of the infringement. However, considering mitigating factors such as the urgency of the Afghanistan evacuation, the penalty was reduced to £700,000. Additionally, the ICO considered the enforcement policy against public sector bodies, further reducing the penalty by 50%, resulting in a final penalty of £350,000.

Pinnacle Life Limited – Unsolicited Marketing Phone Calls - £80,000 fine & enforcement notice

The ICO issued an enforcement notice and monetary penalty against Pinnacle Life Limited (“PLL”) under section 55A of the Data Protection Act 1998 (DPA 1998) due to a serious breach of Regulations 21 and 24 of PECR. 

PLL was found to have undertaken a year-long unlawful spam phone call campaign. The ICO acknowledged that the company made nearly 48,000 illegal calls between May 2021 and May 2022 to individuals registered on the Telephone Preference Service (“TPS”) to opt-out of marketing calls.

The calls were aimed at selling life insurance products, and individuals reported that company employees would often resort to insulting or aggressive behaviour when asked not to be contacted further. Furthermore, victims were subjected to continued harassment even after expressing their wish not to be contacted. The ICO’s investigation uncovered instances where the company provided misleading information, suggesting affiliation with the victims' existing life insurance providers.

Regulation 21 PECR prohibits the use of a public electronic communications service for unsolicited direct marketing calls to individuals who have previously indicated their objection to receiving such calls, or whose numbers are listed on the TPS register. Additionally, Regulation 24 mandates that certain information be provided with direct marketing communications, including the name and contact details of the sender.

As such, the ICO issued both an enforcement notice and £80,000 fine. 

Mayor’s Office for Policing and Crime (MOPAC) – Consequences of Human Error – Reprimand

The ICO issued a reprimand to the Mayor’s Office for Policing and Crime (“MOPAC”) in accordance with Article 58(2)(b) of the UK GDPR for certain alleged infringements. The reprimand is based on alleged violations of Article 5(1)(f) and Article 32 of the UK GDPR, relating to the appropriate security measures for personal data processing.

MOPAC, a functional body of the Greater London Authority (“GLA”), was found to be the controller responsible for the data processing activities carried out by GLA on its behalf. An incident occurred where, due to an error by a GLA staff member, certain webforms hosted on the London.gov.uk website became public, potentially exposing personal data. MOPAC was found to have lacked specific training and policies regarding permissions for webforms, contributing to the breach.

April 

University Hospital of Southampton NHS Foundation Trust – Failure to Respond to SARs – Reprimand

The ICO issued a reprimand to the University Hospital of Southampton NHS Foundation Trust (“UHS”) in accordance with Article 58(2)(b) UK GDPR for infringing Articles 12(3), 15(1) and 15(3) UK GDPR. Between 1 August 2022 and 1 July 2023, UHS only responded to 59% of incoming Special Access Requests (“SARs”) within the statutory timeframe.

Under Article 12(3), the controller must provide information on action taken on request to the data subject without undue delay and within one month of receipt of the request. This may be extended by two months where necessary, considering the complexity and number of requests. The controller must inform the data subject of the extension along with reasons for the delay.

The data subject has the right to obtain confirmation from the controller on whether their personal data has been processed under Article 15(1). Where it has been processed, the data subject also has the right to obtain access to the personal data. Under Article 15(3), the controller must provide a copy of the personal data undergoing processing.
Along with failing to respond to SARs within the statutory timeframe, the ICO found that UHS failed to demonstrate that they provided the data subjects the right to obtain confirmation and/or access. UHS also failed to inform data subjects of the progress of their request, only sending acknowledgment emails when requests were received. UHS automatically applied extensions to all requests regardless of complexity, and data subjects were not informed.

Remedial steps taken by UHS were considered. UHS actively notified the ICO of their backlog in April 2023 and cooperated throughout the investigation. UHS implemented remedial measures after attending a compliance meeting with the ICO. UHS currently intends to implement a new system, which should relieve time and allow for better management and location of records.

The ICO recommended further action to improve UHS’ compliance, though these are not legally binding. These include actioning outstanding SARs, ensuring staff are adequately trained to process and respond to SARs, and reviewing policies and procedures in relation to data protection legislation. UHS is invited to update the ICO on the progress of implementing recommendations. Failure to rectify infringements may be considered aggravating factors in further enforcement actions.

Clyde Valley Housing Association – Failure to Protect Data against Unauthorised Processing – Reprimand

On 18 April 2024, the ICO issued a reprimand to Clyde Valley Housing Association (“CVHA”) for infringing Article 5(1)(f) UK GDPR. In July 2022, residents were able to view personal information about other residents using CVHA’s online customer portal due to a lack of appropriate technical measures and adequate testing.

Under Article 5(1)(f), personal data must be processed in a manner that ensures appropriate security of the personal data. Appropriate technical or organisational measures must be used to protect against unauthorised or unlawful processing, and against accidental loss, destruction, or damage. 

On the same day that the Portal went live, a resident reported to CVHA’s customer service advisor that they were able to view personal information about other residents. There was a widget available for residents who had ongoing anti-social behaviour cases, and a configuration error allowed them to access all other documents on the Portal. 394 data entries linked to anti-social behaviour were accessible, of which 286 contained sufficient information to identify data subjects. 139 data subjects were affected, and 62 faced a ‘high risk’ to their rights and freedoms. 

Dr Telemarketing – Enforcement Notice and Monetary Penalty

Dr Telemarketing (“DRT”) was implicated in this notice for initiating unsolicited calls for direct marketing, contravening Regulation 21 of the PECR. This regulation prohibits such calls to individuals registered with the Telephone Preference Service Ltd (“TPS”) unless the individual has expressly allowed them.

Regulation 21 outlines specific conditions for making such calls, including restrictions on calling subscribers who have notified against such calls or whose numbers are on the TPS register. It also stipulates requirements for obtaining consent and withdrawal of consent for receiving marketing calls.

The ICO’s investigation revealed that DRT made marketing calls on behalf of Lotto Express, utilising data obtained from various sources. Despite contradictions and lack of clarity in DRT's responses to inquiries from the Commissioner. Evidence suggests that DRT instigated at least 80,240 unsolicited calls promoting Lotto Express to TPS registered individuals between 11 February 2021 and 22 March 2022.

The ICO determined that these calls constitute direct marketing, meeting the conditions outlined in section 122(5) of the Data Protection Act 2018. Based on the evidence and balancing probabilities, the ICO concluded that DRT contravened Regulation 21 of PECR. Based on the severity of the breaches and the exploitation of vulnerable individuals via pressurised phone tactics, DRT’s lack of engagement with the ICO’s investigation and failure to provide relevant evidence, the ICO issued both an enforcement notice and a monetary penalty of £100,000. 

Outsource Strategies Ltd – Unsolicited Marketing Calls – Enforcement Notice & Monetary Penalty 

Outsource Strategies Limited (“OSL”) has been issued with both an enforcement notice and monetary penalty for utilising a public electronic communications service to make unsolicited calls for direct marketing, which is in violation of Regulation 21 of PECR.

Regulation 21 pertains to unsolicited calls made for direct marketing purposes. It mandates that individuals who are registered with the Telephone Preference Service Ltd (“TPS”) and do not wish to receive such calls must have notified the company in question accordingly.

The contravention by OSL involved the making of 1,346,503 unsolicited calls for direct marketing purposes between 11 February 2021 and 22 March 2022, to subscribers whose numbers were listed on the Commissioner's register, resulting in 74 complaints.

OSL made these unsolicited calls to subscribers who had registered with the TPS at least 28 days prior to receiving the calls, and who had not notified OSL that they did not object to receiving such calls.

In light of their findings, the ICO issued an enforcement notice as well as a monetary penalty of £240,000. 

The Central Young Man’s Christian Association - Consequences of Human Error – Enforcement Notice & Monetary Penalty

The Central Young Man’s Christian Association face both an enforcement notice and monetary policy, on the basis that its breach occurred concerning the Positive Health Programme, which collects special category data for people living with HIV.

On 6 October 2022, the Programme coordinator mistakenly sent an email to 270 recipients, exposing their email addresses. Despite attempting to recall the email, the error led to further disclosure. While 255 recipients received the email, it affected 166 data subjects.

The content of the email and the nature of the Programme led recipients to infer that the individuals affected were likely living with HIV, making the disclosed data special category data under UK GDPR.

The Central YMCA failed in several areas related to data protection:

• Lack of a written policy regarding group emails.
  
• Inappropriate reliance on the CC function instead of BCC.
  
• Inadequate monitoring of data protection training.
  
• Deficiencies in the training provided.
  
• Lack of awareness of data protection legislation within some parts of the organization.
  
• The ICO determined that this breach resulted from serious deficiencies in technical and organizational measures, contravening Articles 5(1)(f) and 32(1) and (2) of the UK GDPR.
  

Factors considered in assessing the penalty include the nature and gravity of the breach, the number of data subjects affected, and the Central YMCA's negligence. Despite the organisation's cooperation with the investigation, the breach was deemed sufficiently serious to warrant a penalty.

The Central YMCA's failure to implement appropriate security measures and address training deficiencies led to the unauthorised disclosure of sensitive personal data. As a result, the ICO concluded that Central YMCA violated data protection regulations and should be penalised accordingly.

Taking all factors into account, the Commissioner decided to impose an enforcement notice and monetary penalty of £7,500 on the Central YMCA. The most salient feature of the case however is that the penalty notice stated that the fine would have been £300,000 but “taking into account the commissioner's current policy and its action on previous cases” reduced the fine to £7,500 a 97.5% reduction. 

Have a question? Get in touch with James Moss from our team or your usual Bird & Bird contact.