ICO gears up for aggressive fine campaign in 2015 - Part 2
Article added: 20/11/2014
In Part 1 we made you aware of the impending changes to the way in which fines for breaching TPS regulations were going to operate. Now we cover the kind of action that the ICO can take against your business if you fail to operate proper call screening procedures.
Where a consumer feels that they have received an unwanted marketing call, they can register their concern with the ICO by phone or online. The ICO has a dedicated team that considers complaints, investigates breaches and can take formal enforcement action against those organisations or individuals who breach the regulations.
The ICO can issue a fine (Civil Monetary Penalty or CMP) of up to £500,000. Whilst there have not been many very large fines issued to date, that's likely to change in 2015, with fines starting as low as a few hundred pounds for smaller breaches; you can be sure there will be many of them. That's a message received loud and clear from the ICO press machine.
In recent years complaint numbers to the ICO about nuisance calls and text messages have increased substantially, which can be attributed in part to the ICO enabling consumers since the end of March 2012 to more easily register complaints online via their website reporting tool:
Financial year 2011-2012: 7,526
Financial year 2012-2013: 160,561
Financial year 2013-2014: 161,720
Enforcing the Regulations
The ICO can take action to change the behaviour of organisations and individuals who breach the regulations including enforcement action, onsite audits and the power to serve fines. The ICO's focus is squarely on serving many more fines as a clear and resounding message to companies failing to screen their data properly.
The options are not mutually exclusive and the ICO can also use them in combination.
The ICO can:
Serve information notices requiring organisations to provide the ICO with specified information within a certain time period. Failure to comply with a notice is a criminal offence. These requests are often very labour intensive and put your resources under strain.
Serve third party information notices requiring your communications provider to supply the ICO with information specified in the notice about another person's use of electronic communications, where this is necessary to investigate whether any person has breached PECR. Failure to comply with a notice is a criminal offence. So your suppliers may be made aware that you're being investigated.
Issue press releases naming and shaming companies against whom it has taken action. The ICO believes this negative press will act as a deterrent to businesses failing to get their house in order, and in addition it will undoubtedly have a knock-on effect on the ability of those businesses to attract customers in the future.
Issue undertakings, a regulatory tool that the ICO has developed rather than a formal part of its statutory powers, committing an organisation to a particular course of action in order to improve its compliance.
Serve enforcement notices where there has been a breach, requiring organisations to take (or refrain from taking) specified steps in order to ensure they comply with the law. Failure to comply with a notice is a criminal offence.
Apply to the court for an Enforcement Order under s. 213 of the Enterprise Act 2002, requiring a person to cease conduct that harms consumers.
Conduct a compulsory audit of the compliance of a communications service provider in accordance with the personal data breach requirements, which means they can turn up at your premises. You have to expect in the future, with the intended increase in fines, that the ICO may well turn up at your offices if they are visiting another company in your area, for breaches you may feel are somewhat minor. Get ready, it's going to happen.
Issue fines, requiring organisations to pay up to £500,000 for serious breaches occurring on or after 26 May 2011. Contrary to popular presumption, the ICO does not retain the fines it collects from the organisation, but instead pays them into the Her Majesty's Treasury (HMT) consolidated fund.
Issue fines requiring a communications service provider to pay a fixed monetary penalty of £1,000 for failing to comply with the personal data breach notification requirements of PECR.
Apply to the court for a search warrant (entry, inspection and seizure) where there are reasonable grounds for suspecting that PECR has been contravened.
The ICO also works closely with OFCOM and launched a joint action plan on 31 July 2013, which was updated on 3 March 2014. This action plan focused on nuisance calls and both the ICO and OFCOM remain committed to working together to reduce consumer harm. This plan also clarified the priority areas as being ongoing targeted enforcement action, improving the tracing of calls, including assessing technical measures, working with Government, other regulators, industry and consumer groups to ensure effective coordinated action and improving consumer information. Additionally, the ICO is a member of the Which? taskforce that is considering lead generation and consent issues, which will report to Government later this year.
If you flout TPS regulations, you can expect a unified attack from all regulators including the MOJ, FCA, ICO, DMA, FSA and SRA, and from any business with whom you operate as an Appointed Representative (AR) or Introducer Appointed Representative (IAR).
The ICO is of the view that there should be a greater breadth of penalties issued by them, not just focused upon cases that could be regarded as 'large', so that it is clearer that any deliberate or incompetent breach, however small, could result in a fine. For example, in a case where there is evidence of "annoyance or nuisance", a lower threshold would provide the ICO with the option of imposing a smaller fine, but a fine nonetheless, with its accompanying negative press.
Refrain from calling TPS registered numbers and conduct proper checks.