The Information Commissioner’s Office (ICO) is considering a new code of practice for data subject access requests. There have been no fines or enforcement actions under the Data Protection Act 2018 (DPA 2018), but in February 2019 the failure by Magnacrest Ltd, a housing developer, to process a request, and its subsequent failure to act on an enforcement notice, led to a criminal prosecution. The company’s guilty plea in the Westminster Magistrates’ Court led to a fine of £300, a costs order of £1,300 and a victim surcharge of £30. Although the fines and costs were not onerous in this instance, it is a timely reminder of the need to process requests and act on enforcement notices.
In March this year Vote Leave, one of the umbrella organisations which campaigned for a leave vote in the 2016 referendum, was fined £40,000 for sending nearly 200,000 text messages to individuals without being able to provide evidence that the recipients had given consent for their mobile numbers to be used for this purpose.
The ICO’s director of investigations, Steve Eckersley, said that spam texts were a real nuisance for millions of people and that the ICO would take action against organisations which disregarded the law. “Direct marketing is not just about selling products and services, it’s also about promoting an organisation’s aims and ideals. Political campaigns and parties, like any other organisations, have to comply with the law,” he added.
In early May this year the ICO sent an enforcement notice to HMRC, which had been recording callers’ voices since 2017 for identification purposes without always gathering the individual's consent. The ICO’s investigation found that around 7 million callers had had their voices recorded for voice recognition purposes, and of the 1.25 million who had responded to HMRC’s request to grant or withhold their consent, more than 260,000 had refused consent.
The ICO also takes action against individuals found to have breached data protection law. In one case an NHS trust employee, who was authorised to access records, illegally accessed the files of seven family members and seven children she knew. She had no professional reason to do so, and was fined £120, plus £364 costs and a victim surcharge of £30. In another case an admin assistant at a used car dealership forwarded emails that contained personal data of colleagues and customers to her personal account before resigning. She was fined £200 and ordered to pay costs of £590 and a victim surcharge of £30.
In another recently reported case (April 2019) the importance of training employees fully about their obligations under the DPA 2018 was highlighted. An experienced GP practice manager was fined for forwarding work emails that contained personal data to her personal account. In this case the employee forwarded the application details for vacancies at the surgery as she was job hunting at the time. This employee certainly should have known that this was a breach of data protection law, but others may forward emails for an innocent purpose.