The DPA Is Law

The DPA is Law – it always applies and ignorance is no defence. *

The run up to Christmas 2013 has shown that the Information Commissioners Office is still busy fining organisations and individuals for breaches of the Data Protection Act (DPA). In December two new civil monetary penalties were issued with a total of over £175,000. Both cases highlighted the value of being proactive and implementing good security controls in advance of a DPA breach, albeit in two very different ways.

Unusually, December saw one of the rare instances where the ICO levied a DPA fine (albeit a small one) against an individual working in the health sector. The second item was a much more significant penalty for a payday loans firm. This is less surprising as several organisations in that sector appear to operate as if regulations don’t apply.

DPA Fine for GP Surgery Manager

Early in December, the ICO announced the outcome of a case against a former-GP surgery’s finance manager who pleaded guilty to unlawfully accessing patient medical records on over 2000 occasions.

Discussing the DPA breach, the ICO Head of Enforcement, Stephen Eckersley, said:

We may never know why Steven Tennison decided to break the law by snooping on hundreds of patients’ medical records. What we do know is that he’d received data training and knew he was breaking the law, but continued to access highly sensitive information over a 14-month period.

As a result of this activity, Mr Tennison was fined a total of £996 and ordered to pay a £99 victim surcharge and £250 prosecution costs.

In this case, the GP’ surgery appears to have functioning detective controls which allowed them to identify Mr Tennison’s unlawful behaviour and provide sufficient evidence to the ICO to avoid suffering any sanctions themselves.

We have discussed issues around the insider threat (and the importance of pre-employment screening) before, but the sad fact is even the most trusted employees can go off the rails. What has worked here, and helped the Surgery remain compliant with the DPA, is that there were correct processes and policies in place.

This is a very good example of the benefits of investing in proper security processes before a breach happens. For organisations within the health sector, the alternative tends to be a hefty fine from the ICO, or worse:

The ICO continues to call for more effective deterrent sentences, including the threat of prison, to be available to the courts to stop the unlawful use of personal information.

Payday loans firm breaches Privacy and Electronic Communications Regulations (PECR)

Payday loan companies need to be aware of the DPA and PECR.

Payday loan companies need to be aware of the DPA and PECR.

The other case from December centred on the marketing tactics of a Payday Loans firm which breached the Privacy and Electronic Communications Regulations rather than the DPA directly.

The company, First Financial, and it’s director had been fined over £1000 each in October for DPA breaches (failing to register) although it seems that this wasn’t enough to help them avoid falling into the ICO’s clutches a second time.

This time, the £175,000 penalty followed over 4000 complaints that First Financial were sending out unsolicited text messages to people. These messages purported to be from friends and encouraged the recipient to take out a very high interest loan.

Commenting on the company, and the director’s behaviour, Simon Entwisle, said:

People are fed up with this menace and they are not willing to be bombarded with nuisance calls and text messages at all times of the day trying to get them to sign up to high interest loans. The fact that this individual tried to distance himself from the unlawful activities of his company shows the kind of individuals we’re dealing with here.

We will continue to target these companies that continue to blight the daily lives of people across the UK. We are also currently speaking with the government to get the legal bar lowered, allowing us to take action at a much earlier stage.

In this instance, the company were trying to hide their tracks by using un-registered SIM cards to send the messages indicating that this was a blatant deliberate violation of the DPA / PECR rather than ignorance of the law.

While it is unlikely that the director of First Financial would have been willing to implement good security controls to comply with the DPA, the fact is any organisation involved in direct marketing risks allowing this sort of behaviour. Without security controls, breaching the DPA / PECR can result in extensive fines undermining any profit made and risking a collapse of the business.

Good security and governance controls would have enabled First Financial to identify the risky behaviours in advance giving them the opportunity to remain legally compliant while still driving the business forward.

It is a shame that so many organisations believe they need to play fast and loose with the regulations rather than working to succeed in a legal and compliant manner. As long as this behaviour continues, the ICO (and others) will push for harsher and harsher penalties. In anything but the very shortest term, businesses which need to cheat the law to make a profit are doomed to fail.

Security and Governance controls really do protect the business and help it thrive in any environment.

* Image courtesy of Jeroen van Oostrom / FreeDigitalPhotos.net