Tag Archives: ICO

Facebook failed to protect user data – fined £500k

On 30 October 2019, the Information Commissioner’s Office (ICO) issued a statement saying that Facebook and the ICO have settled their dispute over Facebook’s failure to protect app users’ personal data, some of which Cambridge Analytica (CA) used for micro-targeting of political adverts during the EU Referendum.

As part of the agreement, Facebook agreed to pay a £500,000 fine levied under the Data Protection Act 1998 but did not admit liability and was allowed to retain documents disclosed by the ICO during the appeal, for the purposes of its own internal investigations.

£60,000 fine for sending filing cabinet (and contents!) to second-hand shop

In April 2014, social work case files were discovered in a cabinet purchased by a member of the public from a second-hand shop. The cabinet had been used by the children’s social work team at Norfolk County Council, and the case files included information relating to seven children.

The Information Commissioner’s Office found that the Council did not have in place appropriate organisational measures for ensuring that such an incident would not occur and in particular did not have an adequate written procedure governing how office furniture disposal should be managed.

The Council was issued with a monetary penalty under the Data Protection Act for a serious contravention of the seventh data protection principle, and was fined £60,000.

First fine under new powers for unsolicited marketing texts

The Information Commissioner’s Office (ICO) has fined Help Direct UK Ltd £200,000 for sending thousands of unsolicited marketing texts. This is the first time that the ICO has used its new enforcement powers under section 55A of the Data Protection Act 1998.

The lead generation company ran a marketing campaign in April 2015 which prompted 6,758 complaints in one month alone. People complained about a variety of messages offering services including the reclaim of PPI payments, bank refunds and loans.

As the ICO considers unsolicited text marketing “a matter of significant public concern”, and as it is now easier for it to issue fines for failure to comply with regulations 19 to 24 (which cover unsolicited direct marketing calls, texts and emails, automated calls, fax messages, identification of a concealed sender for email, and the information regulations), companies should ensure that their direct marketing activities comply fully with the Privacy Regulations 2003.

Google search engine de-optimised?

The Information Commissioner’s Office has issued an enforcement notice which requires Google Inc to remove links to eight websites from the search results displayed in response to a query for the name of an individual who is not named in the notice.

This follows a decision from the European Court of Justice that EU citizens have the right to request internet search engines to remove search results in response to a query for their name if those results are outdated or irrelevant.

Google Inc must delist the relevant links within 35 days of the date of the enforcement notice.

£175,000 fine for failing to keep personal information secure

The Information Commissioner’s Office (ICO) has fined a specialist online travel insurer £175,000 for failing to keep customers’ personal information secure.

The ICO found that, in October 2013, the firm’s website was attacked by someone exploiting a vulnerability in the firm’s IT security. These IT failings let hackers access a database containing approximately 3 million customer records. The attackers potentially had access to over 110,000 live credit card details relating to over 90,000 customers, as well as to customers’ medical details.

Credit card security numbers and the number on the signature strip on the back of the cards were also accessible, despite industry rules that such data should not be stored at all.

The attack was discovered after the firm was notified by its card acquirer of suspicious activity on customer accounts. Over 5,000 customers had their credit cards used by fraudsters after the attack. Fortunately for the customers, those losses were reimbursed by the relevant banks.

The firm had no policy or procedures in place to review and update IT security systems, and had twice failed to update database software that could have prevented this incident. This left security flaws in the firm’s system, some for as long as five years, which hackers ultimately exploited to gain access to customer information.

The ICO commented that this fine should send a clear message to other companies of the importance of proper IT security.