The Information Commissioner’s Office (ICO) | Investigations into Data Breaches
The Information Commissioner’s Office (the ICO) is an independent UK public authority which reports directly to the UK Parliament and enforces the provisions of the Privacy and Electronic Communications Regulations 2003, the Data Protection Act 2018 and the General Data Protection Regulation.
It investigates and enforces data protection compliance by companies in the UK.
The Information Commissioner is an independent official whose responsibility is to ‘uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals’.
Naz Maqsoom of KANGS outlines the general law.
Commencement of Investigation | KANGS Regulatory Solicitors
Upon commencement of an investigation by the ICO, the company under examination, together with its officers, will receive written notice setting out relevant information, such as the ICO’s authority to:
- provide advice and guidance on compliance procedures,
- conduct voluntary and involuntary audits,
- issue Monetary Penalty Notices against both organisations and their officers, rendering the latter personally liable.
The General Data Protection Regulation | KANGS Data Protection Offences Defence Solicitors
The General Data Protection Regulation (‘GDPR’) covers key principles along with rights and obligations when processing personal data and sits alongside the Data Protection Act 2018 (‘the Act’).
The GDPR is a legal framework setting guidelines for the collection and processing of personal information, with the aim of giving consumers control over their data by holding companies accountable for the way they handle private information.
The GDPR defines the roles of ‘controllers’, those who determine the purpose and means of processing personal data, and ‘processors’, those who process personal data on behalf of controllers.
Comprehensive, legally enforceable obligations are imposed upon both controllers and processors, such as:
- maintaining records of personal data,
- informing users that their data is to be saved and stored,
- ensuring that supply contracts with third-party processors comply with the GDPR, whether within or outside the UK.
There are six lawful bases for a company to process personal data:
- Consent - clear consent has been given for a specific purpose,
- Contract - specific steps to be taken when entering into a contract,
- Legal obligation - necessary to comply with relevant law and legislation,
- Vital interest - necessary to protect someone’s life,
- Public task - necessary to perform a lawful task in the public interest,
- Legitimate interests - processing is necessary for a legitimate interest of yourself or a third party, unless there is a good reason to protect the individual’s personal data which overrides that legitimate interest.
Failure to comply with GDPR:
The consequences of failing to comply may include the imposition of a very substantial fine of up to £20 million or 4% of the defaulting company’s global revenue, whichever is higher.
Furthermore, victims of data breaches have a right to seek compensation for damages.
Privacy and Electronic Communications Regulations 2003 | KANGS Electronic Communications Offences Defence Solicitors
The Privacy and Electronic Communications Regulations 2003 (‘PECR’) sit alongside the Data Protection Act and the GDPR, providing specific privacy rules on:
- marketing by electronic means such as calls, emails, texts and faxes,
- implementation of technology such as cookies that track consumers accessing a website,
- maintenance of secure public electronic services,
- customer privacy when using communications or services.
Since the introduction of PECR there have been frequent amendments to address requirements as they develop, such as bans on cold calling by:
- Claims Management Providers,
- Pension schemes.
These bans have been accompanied by the implementation of company director liability in the event of substantial breaches.
When investigating alleged breaches of PECR, the ICO will have regard to the following:
‘Use of automated calling systems
19.—(1) A person shall neither transmit, nor instigate the transmission of, communications comprising recorded matter for direct marketing purposes by means of an automated calling system except in the circumstances referred to in paragraph (2).
(2) Those circumstances are where the called line is that of a subscriber who has previously notified the caller that for the time being he consents to such communications being sent by, or at the instigation of, the caller on that line.
(3) A subscriber shall not permit his line to be used in contravention of paragraph (1).
(4) For the purposes of this regulation, an automated calling system is a system which is capable of—
(a) automatically initiating a sequence of calls to more than one destination in accordance with instructions stored in that system; and
(b) transmitting sounds which are not live speech for reception by persons at some or all of the destinations so called.
Use of facsimile machines for direct marketing purposes
20.—(1) A person shall neither transmit, nor instigate the transmission of, unsolicited communications for direct marketing purposes by means of a facsimile machine where the called line is that of—
(a) an individual subscriber, except in the circumstances referred to in paragraph (2);
(b) a corporate subscriber who has previously notified the caller that such communications should not be sent on that line; or
(c) a subscriber and the number allocated to that line is listed in the register kept under regulation 25.
(2) The circumstances referred to in paragraph (1)(a) are that the individual subscriber has previously notified the caller that he consents for the time being to such communications being sent by, or at the instigation of, the caller.
(3) A subscriber shall not permit his line to be used in contravention of paragraph (1).
(4) A person shall not be held to have contravened paragraph (1)(c) where the number allocated to the called line has been listed on the register for less than 28 days preceding that on which the communication is made.
(5) Where a subscriber who has caused a number allocated to a line of his to be listed in the register kept under regulation 25 has notified a caller that he does not, for the time being, object to such communications being sent on that line by that caller, such communications may be sent by that caller on that line, notwithstanding that the number allocated to that line is listed in the said register.
(6) Where a subscriber has given a caller notification pursuant to paragraph (5) in relation to a line of his—
(a) the subscriber shall be free to withdraw that notification at any time, and
(b) where such notification is withdrawn, the caller shall not send such communications on that line.
(7) The provisions of this regulation are without prejudice to the provisions of regulation 19.
Unsolicited calls for direct marketing purposes
21.—(1) A person shall neither use, nor instigate the use of, a public electronic communications service for the purposes of making unsolicited calls for direct marketing purposes where—
(a) the called line is that of a subscriber who has previously notified the caller that such calls should not for the time being be made on that line; or
(b) the number allocated to a subscriber in respect of the called line is one listed in the register kept under regulation 26.
(2) A subscriber shall not permit his line to be used in contravention of paragraph (1).
(3) A person shall not be held to have contravened paragraph (1)(b) where the number allocated to the called line has been listed on the register for less than 28 days preceding that on which the call is made.
(4) Where a subscriber who has caused a number allocated to a line of his to be listed in the register kept under regulation 26 has notified a caller that he does not, for the time being, object to such calls being made on that line by that caller, such calls may be made by that caller on that line, notwithstanding that the number allocated to that line is listed in the said register.
(5) Where a subscriber has given a caller notification pursuant to paragraph (4) in relation to a line of his—
(a) the subscriber shall be free to withdraw that notification at any time, and
(b) where such notification is withdrawn, the caller shall not make such calls on that line.
Use of electronic mail for direct marketing purposes
22.—(1) This regulation applies to the transmission of unsolicited communications by means of electronic mail to individual subscribers.
(2) Except in the circumstances referred to in paragraph (3), a person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender.
(3) A person may send or instigate the sending of electronic mail for the purposes of direct marketing where—
(a) that person has obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient;
(b) the direct marketing is in respect of that person’s similar products and services only; and
(c) the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected, and, where he did not initially refuse the use of the details, at the time of each subsequent communication.
(4) A subscriber shall not permit his line to be used in contravention of paragraph (2).
Use of electronic mail for direct marketing purposes where the identity or address of the sender is concealed
23. A person shall neither transmit, nor instigate the transmission of, a communication for the purposes of direct marketing by means of electronic mail—
(a) where the identity of the person on whose behalf the communication has been sent has been disguised or concealed; or
(b) where a valid address to which the recipient of the communication may send a request that such communications cease has not been provided.
Information to be provided for the purposes of regulations 19, 20 and 21
24.—(1) Where a public electronic communications service is used for the transmission of a communication for direct marketing purposes the person using, or instigating the use of, the service shall ensure that the following information is provided with that communication—
(a) in relation to a communication to which regulations 19 (automated calling systems) and 20 (facsimile machines) apply, the particulars mentioned in paragraph (2)(a) and (b);
(b) in relation to a communication to which regulation 21 (telephone calls) applies, the particulars mentioned in paragraph (2)(a) and, if the recipient of the call so requests, those mentioned in paragraph (2)(b).
(2) The particulars referred to in paragraph (1) are—
(a) the name of the person;
(b) either the address of the person or a telephone number on which he can be reached free of charge.’
Consequences of breaches of PECR:
The ICO may:
- pursue a criminal prosecution,
- provide advice to companies/organisations on how to handle data protection matters,
- conduct voluntary and involuntary audits to ensure compliance,
- impose financial penalties of up to £500,000 against organisations and their officers, rendering the latter personally liable.
Case Example | KANGS Serious Crime Defence Solicitors
KANGS successfully represented a client that had been informed by the ICO that the ICO had received complaints from consumers alleging unsolicited marketing calls despite their being registered with the Telephone Preference Service.
The ICO sought to determine whether any enforcement action was necessary and conducted a formal investigation into our client’s compliance procedures.
Once it had considered all of the detailed representations prepared by the Team at Kangs Solicitors, the ICO determined that enforcement action was not necessary and the investigation was concluded.
For further detail, please refer to:
Successful Outcome in ICO Investigation
How Can We Assist? | KANGS National Criminal Defence Solicitors
Should you or your company become subject to an ICO investigation into suspected data breaches of any nature, it is essential that immediate expert advice is sought before engaging in any questioning, interview or presentation of trading material and records of any kind.
The Team at KANGS offers extensive experience gained over many years defending allegations of regulatory breaches of every description and alleged criminal conduct, and provides guidance and support from the inception to the completion of any investigation or prosecution.
Our Team is always energetically proactive in seeking to secure the best possible outcome for each and every client, whatever the situation presented.
If we can be of assistance, please do not hesitate to contact our Team, who will be delighted to hear from you, through any of the following:
Telephone: 0333 370 4333
Email: info@kangssolicitors.co.uk
We provide an initial no-obligation discussion at our three offices in London, Birmingham and Manchester.
Alternatively, discussions can be held virtually through live conferencing or telephone.
Hamraj Kang
Senior Partner
Naz Maqsoom
Associate