Halifax-based company fined by the ICO

A Halifax-based company fined by the ICO was found to have been making unlawful pension calls. 

A Halifax-based company, Parker Beach LTD (PBL), has been fined a total of £50,000 by the ICO for unlawful cold calls about pensions, according to this report from the ICO. The ICO’s investigation revealed that the company, which trades as “Your Pension Options”, called people about their pensions in order to arrange an introduction to an advisor. The calls were unauthorized and resulted in 16 complaints to the ICO; the company admitted to making over 96,000 calls. Pension cold calling was banned in 2019 specifically to protect pensioners and their retirement funds, because unsolicited calls are one of the more common ways people are defrauded of their pension savings.

Pension cold calls have been outlawed since 2019, and are only allowed under a few specific conditions.

Pension cold calls are outlawed unless certain conditions apply. A call is lawful only if the caller is authorized by the Financial Conduct Authority (FCA) or is the trustee or manager of an occupational or personal pension scheme, or if the recipient has an existing relationship with the caller and has consented to such calls. This ban, introduced in 2019, made it illegal for companies to make nuisance cold calls to people about pension schemes. The ICO’s Head of Investigations, Andy Curry, stated that cold calls have been a common tool in fraud and that, for that reason, tough action will be taken against companies which use this kind of marketing. He said in a statement, “Companies are responsible for knowing the law and following it. We have a range of powers and enforcement action which we can and will take on behalf of the public to put a stop to the activities of unscrupulous companies.”

The ICO fined the company and issued an enforcement notice ordering them to make no further calls. 

In its investigation, the ICO found that PBL sourced the data for its calls from a third-party supplier, which had itself obtained the data from various websites. Signing up on those sites required users to agree to possible marketing from an extensive list of organizations across various sectors, and it did not appear possible for users to select which, if any, of those organizations they wanted their details passed to or to receive marketing from. PBL therefore did not hold clear, informed consent for its calls. As a result the company was fined £50,000 and issued with an enforcement notice ordering it to stop making further calls. Under the Privacy and Electronic Communications Regulations (PECR), the ICO can issue fines of up to £500,000.

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR, Law Enforcement Directive and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today

Fine imposed for unsecured website

Fine imposed for unsecured website for registration of new orthodontic patients. 

Patient personal data, including citizen service numbers, was put at risk when an orthodontic practice allowed new patients to sign up via an unsecured website. According to this report, several mandatory fields of personal information were captured over an unsecured connection. This could have resulted in a data breach and in turn fraud, affecting several individuals including minors. The Dutch DPA has imposed a fine of €12,000 on the orthodontic practice.

Sensitive personal data was at risk of being accessed by unauthorized parties. 

An unsecured connection was used to capture mandatory personal information from new patients signing up for orthodontic services. 

The unsecured website used to capture information from new patients included a form with mandatory fields for personal data. The required information included the patient’s parents’ details, their general practitioner, insurance information, their dentist and their citizen service number. This information was sent over an unencrypted connection, so anyone able to observe traffic on the network path between the patient and the practice could read or alter it. Individuals submitting their personal information when signing up on an orthodontic practice’s website trust that their sensitive data will be protected. In addition, most orthodontic patients are children and young adults, so this case involved the personal data of several children. Data protection law provides specific safeguards for the data of children, who are considered a particularly vulnerable group.
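As an added check, written for this article rather than taken from the DPA’s report or from the practice’s own site, the following Python script shows how to find registration forms that would submit their fields over plain HTTP. It resolves each form’s submission URL the way a browser does: a form with no action attribute, or with a relative or scheme-relative action, inherits the scheme of the page it sits on, so a page served over HTTP leaks every form on it, while a page served over HTTPS still leaks any form whose action points at an http:// endpoint. The sample HTML and the orthodontist.test hostnames are constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect every <form> on a page with its action, method and field names."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {
                "action": attrs.get("action") or "",
                "method": (attrs.get("method") or "get").lower(),
                "fields": [],
            }
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            if attrs.get("name"):
                self._current["fields"].append(attrs["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_insecure_forms(html, page_url):
    """Return (submission_url, method, field_names) for each form whose data
    would be sent over plain HTTP.

    Submission URLs are resolved as a browser resolves them:
    - a missing or empty action submits back to the page URL;
    - a relative action ("/intake") or a scheme-relative action
      ("//host/intake") inherits the page's scheme;
    - an absolute action ("http://host/intake") uses its own scheme.
    """
    collector = _FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        target = urljoin(page_url, form["action"])
        if urlsplit(target).scheme.lower() != "https":
            findings.append((target, form["method"], tuple(form["fields"])))
    return findings


# Constructed sample: a registration page with three forms. Field names mirror
# the kind of data the article describes (citizen service number, parent,
# insurer, GP); the hostnames are made up for this example.
SAMPLE_PAGE = """
<form method="post">
  <input name="bsn"><input name="parent_name">
</form>
<form method="post" action="http://legacy.orthodontist.test/intake">
  <input name="insurer">
</form>
<form method="post" action="//forms.orthodontist.test/submit">
  <select name="gp"></select>
</form>
"""

if __name__ == "__main__":
    # Same page, once served over HTTPS and once over HTTP: the second case
    # flags all three forms, the first only the form posting to an http:// URL.
    for page_url in ("https://www.orthodontist.test/register",
                     "http://www.orthodontist.test/register"):
        print(page_url)
        for target, method, fields in find_insecure_forms(SAMPLE_PAGE, page_url):
            print(f"  INSECURE {method.upper()} {target} fields={fields}")
```

The check covers only the submission leg, which is the point of the case above: serving the page over HTTPS is not enough if a form posts to an HTTP endpoint (the second form in the sample). Run it against the rendered HTML of each registration page, and pair it with a server-side redirect from HTTP to HTTPS plus a Strict-Transport-Security header so the page itself cannot be loaded insecurely in the first place.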

Fine imposed for unsecured website after a complaint was lodged about a privacy violation. 

A complaint was lodged with the Dutch DPA about a privacy violation. Because the complaint concerned poor security in the health sector, where privacy requirements are particularly strict, the DPA took it very seriously. Monique Verdier, the DPA’s deputy chair, commented: “When you register with an orthodontist, you entrust your personal data to them. This is data that the practice needs, but it is also of interest to criminals. Taking good care of your patients includes taking good care of their personal data. This applies to all care providers, not just large institutions.” It is a business’s responsibility to ensure that its website is GDPR compliant and that customer data and the website itself are secured against data breaches, phishing and other forms of malicious online activity. A fine of €12,000 was imposed on the orthodontic practice for this infraction.

An objection to this fine was lodged, which the DPA declared unfounded. 

The fine imposed on the orthodontic practice is not yet final: the practice lodged an objection, which the DPA declared unfounded. The practice can still apply to the district court for judicial review to have the €12,000 fine revoked; if it does, the final decision will rest with the district court.


ICO fine

The ICO has imposed a fine on a UK retailer due to poor security safeguards

The Information Commissioner’s Office (ICO) has imposed a £500,000 fine on UK retailer DSG Retail Limited after a ‘point of sale’ computer system was compromised as a result of a cyber-attack, affecting at least 14 million people.

So your company accepts credit card payments for its products or services. You value security, so you have made sure your website uses HTTPS (hypertext transfer protocol secure) to encrypt the traffic between your customers and your site. But is that enough to safeguard the highly sensitive personal data your customers hand over in online and offline sales? Have you put adequate controls in place to detect and stop malware or an intruder? Or do you assume this is not something you need to worry about because, well, your site is HTTPS, and “secure” is right there in the acronym? A lot can still go wrong: HTTPS only protects data in transit, not the systems that store and process it, and the possible consequences include a hefty fine, particularly if your clientele are residents of the EU or UK. We therefore strongly urge you to take a detailed look at your company’s safeguards, lest you find yourself in hot water like UK retailer DSG Retail Limited (DSG), which has been fined half a million pounds by the ICO for failing to keep personal information secure.

A January 9, 2020 ICO news article explains that an ICO investigation revealed that an attacker had installed malware on 5,390 tills at DSG’s Currys PC World and Dixons Travel stores between July 2017 and April 2018, collecting personal data for nine months before the attack was detected. DSG’s inadequate security therefore resulted in unauthorized access to some 5.6 million payment cards’ details and the personal information of approximately 14 million people, including full names, postcodes, email addresses and failed credit checks held on internal servers, the ICO further notes.

“Our investigation found systemic failures in the way DSG Retail Limited safeguarded personal data. It is very concerning that these failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen ... The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR,” ICO Director of Investigations Steve Eckersley is quoted as saying in the news article.

The £500,000 ICO fine was levied under the Data Protection Act 1998, since the breach took place before the GDPR and the Data Protection Act 2018 came into effect; £500,000 was the maximum penalty available under that Act. Security of processing is now covered by Article 32 of the GDPR.
