
A data broking investigation by ICO results in enforcement action against Experian.

A data broking investigation conducted over the past two years has resulted in an enforcement action against the company Experian.


A data broking investigation into Experian, Equifax and TransUnion and their use of personal data within their data broking businesses has resulted in enforcement action. The ICO published a report earlier this month on the findings of its extensive investigation into these data broking companies, their processes, and the legislative framework which led to this outcome.


The investigation found significant processing of personal data, unbeknownst to the data subjects, by the three CRAs: Equifax, TransUnion and Experian.


The investigation by the ICO uncovered how these three CRAs (Credit Reference Agencies) were trading, enriching and enhancing people’s personal data without their knowledge. This personal data was then used by commercial organizations, political parties and charities to find new customers, build profiles about people, and also identify the people most likely to be able to afford their goods and services.


The ICO defines data broking as “the practice of obtaining information about individuals and trading, including by licensing, this information or information derived from it as products or services to other organisations or individuals. Information about individuals is often aggregated from multiple sources, or otherwise enhanced, to build individual profiles.” Collecting and using an individual’s personal data without their knowledge goes against data protection law.


Through the data broking investigation, the ICO uncovered several data protection failures at each company. 


Through its investigation the ICO found that the personal data provided to each of these CRAs, which would then be used to provide the statutory credit referencing function, was also being used for marketing purposes in limited ways. Some of the CRAs also engaged in profiling to generate new or previously unknown information about the data subjects.


These companies also failed to be transparent. While they did provide some privacy information on their websites, it did not clearly explain what they were doing with people’s data. In addition to this, they were using some lawful bases incorrectly to process the data. 


While all three companies were at fault, only Experian was subjected to enforcement action because they did not do enough to improve compliance.


All three CRAs made improvements to their Direct Marketing Services business as a result of the work done by the ICO. In addition to this, Equifax and TransUnion withdrew some of their products and services. For this reason the ICO has chosen not to take any further action against them. 


While Experian has also made some progress, the ICO found that the company did not go far enough. This CRA did not accept accountability for making the changes set out by the ICO and, as a result, was not prepared to issue privacy information directly to data subjects, nor was it prepared to stop using credit reference data for direct marketing purposes.


Experian is now expected to make necessary changes to their framework within 9 months or risk further action including being fined.


The ICO decided to issue an enforcement notice, as it is seen as the most effective way of achieving compliance in this situation. The notice orders Experian to make the necessary changes within 9 months or risk further action. The company now risks being hit with a fine of up to €20 million or 4% of its total annual worldwide turnover. This notice from the ICO also requires Experian to inform people that it holds their personal data. The company must also stop using the data derived from the credit referencing side of its business by January 2021.


Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.


The Coronavirus Pandemic and Data Protection.

The Coronavirus (COVID-19) Pandemic and Data Protection: Guidelines for employers regarding privacy laws during the pandemic.

With recent developments in the global arena, the outbreak of the coronavirus has led to many changes in the workplace. Numerous employees have taken to working from home with the new push for social distancing and self-quarantining. There has been much concern over who may or may not be infected by the virus, who has definitely been exposed to it, or who may have visited a country with severe outbreaks. The sharing of information has become critical as medical and other professionals recognise the need for disclosure for the sake of the health of the general public.

The ICO recently released a statement regarding data protection during the coronavirus (COVID-19) pandemic in which the organization expressed an understanding of the fact that businesses will need to adapt the way that they work. While there will be understandable delays where individuals or businesses make information rights requests during this pandemic, the ICO is unable to extend the statutory timescales. However, the ICO maintains that they will not penalise organisations who need to prioritise other aspects of their business over the usual compliance and information governance.

Employee Health and Data Protection.

For the duration of this global pandemic, office staff should be informed about any cases of the virus within the organisation. Names do not need to be disclosed; however, because businesses do have an obligation to ensure the health and safety of their employees, data protection does allow them to divulge information on confirmed cases within the organisation.

It is not necessary to collect large amounts of information on employees’ health; however, it is reasonable to stay informed on their travel history, or whether they are presenting symptoms of the virus. If there is a need to collect specific health data, it is important that businesses only collect data that is necessary and treat that data with the appropriate safeguards. In the context of an epidemic, employers and relevant health officials do not need consent to process this data, especially when the processing of personal data is necessary for reasons of public interest in the area of public health, to protect vital interests, or to comply with another legal obligation.

In a recent statement, Andrea Jelinek, Chair of the European Data Protection Board (EDPB), said: “Data protection rules (such as GDPR) do not hinder measures taken in the fight against the coronavirus pandemic. However, I would like to underline that, even in these exceptional times, the data controller must ensure the protection of the personal data of the data subjects. Therefore, a number of considerations should be taken into account to guarantee the lawful processing of personal data.”

If it is not possible to process exclusively anonymous data, Article 15 of the ePrivacy Directive allows Member States to introduce legislative measures for the sake of national and public security. This emergency legislation is allowed under the condition that, within a democratic society, it forms part of a necessary, appropriate and proportionate measure, given the circumstances. If these measures are introduced, the Member State will need to apply adequate safeguards, like granting individuals the right to judicial remedy.

Communication of Vital Information by Authorities and the GDPR

During this time of pandemic the government, the NHS or any other health professionals may also need to send health messages to the general public either by phone, text or email. These messages are not considered direct marketing or advertising and therefore are not hindered by data protection laws.

Remote workers and Data Protection.

With more people working from home or working remotely due to the pandemic, the ICO reminds businesses that the same type of security measures must be in place for people who are working remotely as for workers in a normal office setting. Employees may use their own computers and other devices; provided security measures are maintained, data protection does not hinder employees who need to work from home.

Do you have questions about how to navigate data protection laws during this global coronavirus pandemic in your company? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.


Employer/Employee relations: A GDPR perspective

Today’s blog provides an overview of the GDPR’s expectations regarding employer/employee relations, specifically in terms of company policies on communication and security.

If you work or have worked in the corporate world then you’re no stranger to the fact that, in order to protect the organisation, most companies have in place internal policies and procedures which speak to communications, internet usage, security access and personal data protection. Meanwhile, across the board, more and more companies are utilising video surveillance for a host of security and protective measures. But do these policies and video surveillance systems comply with the GDPR? Employer/employee relations are key when it comes to GDPR compliance.

A recent investigation by the Hellenic DPA regarding the lawfulness of access to and inspection of deleted employee emails, as well as the use of surveillance on company premises, offers a prime opportunity to delve into some of the GDPR mandates.

The Hellenic DPA, in response to a complaint, conducted an investigation regarding the lawfulness of personal data processing on a server of ALLSEAS MARINE S.A., as well as the lawfulness of access to and inspection of deleted emails of a senior manager who was suspected of having committed unlawful acts against the company’s interests.

According to the EDPB article, the Hellenic Data Protection Authority deemed that Allseas Marine S.A. had in fact complied with the requirements of the GDPR, and that its internal policies and regulations provided for a ban on the use of the company’s electronic communications and networks for private purposes, and for the possibility of carrying out internal inspections. As such, the Hellenic DPA found that the company had a legal right under Articles 5(1) and 6(1)(f) of the GDPR to carry out an internal investigation searching and retrieving employees’ emails.

However, as regards Allseas Marine’s utilisation of a closed-circuit video surveillance system, the DPA determined that the system had been installed and operated illegally. Further, the recorded material submitted to the Authority was considered illegal. The EDPB article further noted that the Hellenic Authority found that the company did not satisfy the employee’s right of access to his personal data contained in his corporate PC.


In response to these GDPR infringements, the Hellenic DPA has therefore mandated Allseas Marine S.A. to take several corrective measures in order to comply with the GDPR. Allseas Marine was also fined 15,000.

Has your company examined its employee policies since the GDPR was implemented in 2018? What about a review of your firm’s video surveillance utilisation? Are you GDPR compliant? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

ICO takes action against 34 organisations

ICO takes action for failure to pay new data protection fee

The ICO has taken action against 34 organisations that have failed to pay the new data protection fee. The data protection regulator has sent notices of its intent to fine the organisations unless they pay; those who still don’t pay could face a maximum fine of £4,350.

A fee must be paid by all organisations that process personal data unless they are exempt. The money charged is used to fund the ICO’s data protection work and the new expanded services introduced, such as the advice line, more online resources and new guidance, as strengthened data protection laws have come into force.

Paul Arnold, Deputy Chief Executive Officer at the ICO, said:

“We expect the notices we have issued to serve as a final demand to organisations and that they will pay before we proceed to a fine. But we will not hesitate to use our powers if necessary.

“All organisations that are required to pay the data protection fee must prioritise payment or risk getting a formal letter from us outlining enforcement action.”

The 34 notices of intent were sent earlier this month to a range of organisations across both the public and private sector, including the NHS, recruitment, finance, government, and accounting. More notices are in the drafting stage and will be issued soon.

The ICO has given the companies 21 days to respond to the notices. If they pay, action will stop. Those that ignore the notices or refuse to pay may face a fine ranging from £400 to £4,000 depending on the size and turnover of the organisation. Aggravating factors may lead to an increase in the fine up to a maximum of £4,350.

The data protection fee is set by Government, which has a statutory duty to ensure the ICO is adequately funded, and is part of the Data Protection (Charges and Information) Regulations 2018. It came into force on 25 May to coincide with the new Data Protection Act (2018) and the General Data Protection Regulation, and it replaces the need to notify or register with the ICO.

The money helps fund the ICO’s work to uphold information rights, such as investigations into data breaches and complaints, its popular advice line, and guidance and resources for organisations to help them understand and comply with their data protection obligations. The ICO has grown over the last two years and now employs around 670 staff.

Under the funding model, set by Government, organisations are divided into three tiers based on their size, turnover and whether an organisation is a public authority or charity.

For very small organisations, the fee won’t be any higher than the £35 they currently pay (if they take advantage of a £5 reduction for paying by direct debit).

Larger organisations will be required to pay £2,900. The fee is higher because these organisations are likely to hold and process the largest volumes of data and therefore represent a greater level of risk.

The ICO has produced a fee calculator tool and guidance on the data protection fee.

Organisations that have a current registration (or notification) under the 1998 Act – prior to 25 May 2018 – do not have to pay the new fee until that registration has expired.

Do you require assistance with GDPR and Data Protection Act 2018 compliance? Aphaia provides both GDPR adaptation consultancy services and Data Protection Officer outsourcing.