Statement on Personal Data

The FCA, ICO and FSCS release a Joint Statement Warning FCA Authorised Firms and IPs to be Responsible with Personal Data

The Financial Conduct Authority (FCA), the Information Commissioner’s Office (ICO) and the Financial Services Compensation Scheme (FSCS) release a joint statement warning FCA authorised companies and Insolvency Practitioners (IPs) to be responsible when dealing with customers’ personal data.

On February 7th 2020, the Financial Conduct Authority (FCA), the Information Commissioner’s Office (ICO) and the Financial Services Compensation Scheme (FSCS) released a joint statement warning FCA authorised firms and insolvency practitioners (IPs) against the unlawful sale of clients’ data to claims management companies (CMCs). This is because it has come to their attention that some FCA-authorised firms and IPs have attempted to sell clients’ personal data to these CMCs unlawfully. The CMCs may not be acting in consumers’ best interest and may also be unlawfully marketing their services.

While the FCA Handbook requires CMCs to act honestly, fairly and professionally in line with the best interests of their customers, CMCs that buy such data may not be acting in the customer’s best interest. Moreover, CMCs that intend to buy and use such personal data must be able to demonstrate their compliance with privacy laws. Although contracts vary, standard contracts typically do not provide valid legal consent for personal data to be shared with CMCs so that they can market their services, and such sharing may not be lawful.

Why Selling Customers’ Data to CMCs May Not Be Lawful

Apart from the fact that most standard contracts simply do not provide legal consent for customers’ personal data to be sold to CMCs, companies that pass on customers’ personal information may also fail to meet the requirements of the Data Protection Act 2018 and the GDPR. Furthermore, any direct marketing calls, texts or emails carried out by CMCs using that data may breach the Privacy and Electronic Communications Regulations 2003 (PECR).

What are the implications of such breaches in data protection legislation?

Companies are required by law to abide by the Data Protection Act 2018, the GDPR and the FCA Handbook. In the case of FCA authorised companies and IPs in particular, the CMCOB (Claims Management: Conduct of Business) sourcebook applies. Where the ICO or FCA finds these companies to be in breach of any of these data protection laws, they will take appropriate action, and there could be serious legal consequences.

Time and again, we see fines being imposed on companies for breaches of these data protection laws, and just last week we reported on the Italian DPA fining TIM SpA in excess of EUR 27 million for unlawful data processing.

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and UK Data Protection Act? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

ICO children’s data fine imposed

The Independent Inquiry into Child Sexual Abuse has been fined £200,000 following the ICO’s children’s data decision.

The ICO has fined the Independent Inquiry into Child Sexual Abuse (IICSA) £200,000 after it sent a bulk email that identified possible victims of non-recent child sexual abuse, according to the ICO’s children’s data decision.

The Inquiry, set up in 2014 to investigate the extent to which institutions failed to protect children from sexual abuse, did not keep confidential and sensitive personal information secure. This is a breach of the Data Protection Act 1998.

On 27 February 2017, an IICSA staff member sent a blind carbon copy (bcc) email to 90 Inquiry participants telling them about a public hearing. After noticing an error in the email, the staff member sent a correction, but this time the email addresses were entered into the ‘to’ field instead of the ‘bcc’ field by mistake.

This allowed the recipients to see each other’s email addresses, identifying them as possible victims of child sexual abuse, according to the ICO’s children’s data decision. Fifty-two of the email addresses contained the full names of the participants or had a full name label attached.
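The IICSA incident is a classic ‘to instead of bcc’ mistake, and it is cheap to catch before the message leaves the organisation. The example below is added here and is not part of the original post or of any IICSA system: it builds a bulk notice with every participant in Bcc and runs a pre-send check that refuses any message in which recipient addresses would be visible to each other. The sender address, the recipient addresses and the `max_visible` policy value are all constructed assumptions.

```python
"""Guard against the 'To instead of Bcc' mistake when sending bulk notices."""
from email.message import EmailMessage


class RecipientExposureError(ValueError):
    """A bulk message would reveal its recipients to one another."""


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Addresses every recipient will see: everything in To and Cc (Bcc is hidden)."""
    addrs: list[str] = []
    for header in ("To", "Cc"):
        for value in msg.get_all(header, []):
            addrs.extend(a.strip() for a in value.split(",") if a.strip())
    return addrs


def count_exposed(msg: EmailMessage, sender: str) -> int:
    """Number of visible addresses other than the sender's own."""
    return sum(1 for a in visible_recipients(msg) if a.lower() != sender.lower())


def check_recipient_exposure(msg: EmailMessage, sender: str, max_visible: int = 0) -> None:
    """Refuse to send when more than max_visible addresses (besides the sender) are visible.

    max_visible=0 is an assumed policy value: a bulk notice may show only the
    sender's own address, so recipients cannot identify each other.
    """
    exposed = count_exposed(msg, sender)
    if exposed > max_visible:
        raise RecipientExposureError(
            f"{exposed} recipient addresses would be visible in To/Cc; use Bcc instead")


def build_bulk_notice(sender: str, recipients: list[str], subject: str, body: str) -> EmailMessage:
    """Build a notice with all recipients in Bcc, then run the exposure check."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender                  # recipients see only the sender's address
    msg["Bcc"] = ", ".join(recipients)  # smtplib.send_message() strips Bcc before transmission
    msg["Subject"] = subject
    msg.set_content(body)
    check_recipient_exposure(msg, sender)
    return msg


if __name__ == "__main__":
    # Constructed sample data, not real participants.
    notice = build_bulk_notice("inquiry@example.org",
                               ["p1@example.com", "p2@example.com", "p3@example.com"],
                               "Public hearing", "Details of the hearing follow.")
    print(notice)  # Bcc header present locally; only the sender is visible in To
```

The same check belongs in whatever wrapper staff use to send corrections, since the IICSA breach happened on the follow-up message rather than the original.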

Do you require assistance with GDPR and Data Protection Act 2018 compliance? Aphaia provides both GDPR adaptation consultancy services and Data Protection Officer outsourcing.

ICO fines for failure to pay fee

The ICO has fined a company for not registering with it and paying the fee, providing some initial guidance on ICO fines policy under the GDPR and Data Protection Act 2018.

Noble Design and Build of Telford, Shropshire, which operates CCTV systems in buildings across Sheffield, was fined £4,500 in total and ordered to pay costs of £364.08 and a victim surcharge of £170.00.

The company failed to comply with an Information Notice and failed to register with the ICO, even though it was contacted three times, by letter and by email. The company was prosecuted under the Data Protection Act 1998 because of when the offences took place (September 2017 to January 2018). The new Data Protection Act 2018 came into force on 25 May, and organisations that process personal data have a duty to pay a data protection fee unless they are exempt.

Although this gives us some guidance on ICO fines and enforcement under the GDPR and Data Protection Act 2018, one should note that fines are expected to be higher under the two new pieces of legislation.

Do you require assistance with GDPR and Data Protection Act 2018 compliance? Aphaia provides both GDPR adaptation consultancy services and Data Protection Officer outsourcing.