Tetrus Telecoms – Christopher Niebel and Gary McNeish

Breach details

What Serious breach of the Privacy and Electronic Communications Regulations (PECR).
How much Sent millions of unsolicited text messages.
When From December 2009 onwards.
Why Concealed identity and/or failed to provide a valid ‘cease’ address. Sent automated marketing without the necessary opt-in permissions.

BW Comments

Millions of spam SMS messages sent from over 16,000 SIM cards. There can’t have been anyone in the UK that didn’t receive one of Tetrus’s offers to reclaim PPI or pursue a road accident claim.

Regulatory action

Regulator ICO
Action Christopher Niebel: Monetary penalty of £300,000
Gary McNeish: Monetary penalty of £140,000
When 28 November 2012

Why the regulator acted

Breach of act Breach of regulations 22(2) and 23 of PECR, characterised by the ICO as “continued, repetitive and deliberate contraventions of the law.”
Known or should have known The Commissioner found evidence that the participants deliberately hid their identity and made no attempt to ensure they had the recipient’s opt-in to receive automated messages.
Likely to cause damage or distress Although most people would agree that receiving these unwanted text messages is merely annoying, the Commissioner argues that the messages caused damage and distress.

BW Observations

That the individuals concerned deliberately flouted the Privacy and Electronic Communications Regulations is not in doubt. The Commissioner’s arguments in respect of the damage and distress caused are informative.

  1. That although the distress / annoyance caused by each individual SMS sent is small, because of the number of messages sent by Niebel and McNeish, the cumulative distress suffered by “huge numbers of individuals” equates to substantial distress. It will be interesting to see whether this argument is tested in Mr Niebel’s appeal to the Information Tribunal (EA/2012/0260).
  2. Some recipients were overseas at the time messages were sent, so had to pay their mobile telecommunications provider additional roaming fees for receiving these SMSs, resulting in real monetary damage.
  3. People receiving text messages about an accident claim may worry about other family members, and such messages also had the potential to be disturbing to people who had themselves been involved in accidents.
  4. The wording used had the potential to cause distress by raising false expectations, e.g. “we know how much you are owed” and “You are almost certainly entitled to £2,300.”

Plymouth City Council

Breach details

What Loss of sensitive personal data (child protection).
How much 2 records.
When 23 November 2011
Why As a result of a printing problem, two separate reports were taken from a printer by a social worker, treated as a single document and passed to a service user.

BW Comments

A secure print-release control, which holds a job at the printer until the user who submitted it enters a PIN or presents a badge, would have stopped this breach: the second report would have remained in the queue rather than sitting in the output tray to be picked up with someone else’s job. Given the sensitive nature of the information printed in a social work environment, and the widespread availability and relatively low cost of this type of system, it is not unreasonable to now expect it. Other organisations that frequently print such sensitive information should conduct a risk assessment and look at implementing a manual control (such as peer review of documents before they leave the office) until an upgrade to their printer software can be deployed.

Regulatory action

Regulator ICO
Action Monetary penalty of £60,000
When 19 November 2012

Why the regulator acted

Breach of act Breach of the seventh principle: the council failed to take appropriate technical and organisational measures against unauthorised processing of personal data, in particular by failing to provide a more secure way of collecting printouts, given the sensitive nature of the information printed.
Known or should have known The ICO’s view was that the Council should have known that any disclosure of such sensitive information would have the potential to be extremely damaging, and accordingly should have had controls in place to minimise the possibility of a breach of confidentiality caused by human error.
Likely to cause damage or distress The information concerned child protection and could have resulted in “physical harm or blackmail”.

BW Observations

It could be argued that the ICO’s reasoning on the ‘known or should have known’ test has the benefit of hindsight. However, the breach occurred because there were no controls in place at all, not because an in-place control failed.

Prudential Assurance Company

Breach details

What Data integrity – two customers’ records were merged incorrectly.
How much 2 records.
When March 2007 until 24 September 2010
Why Insufficient steps taken to ensure the accuracy of data once the problem had been reported by both customers.

BW Comments

The breach of the fourth principle was not in respect of the original erroneous merge, but that the Data Controller failed to rectify the problem.

Regulatory action

Regulator ICO
Action Monetary penalty of £50,000
When 6 November 2012

Why the regulator acted

Breach of act Breach of the fourth data protection principle – customers’ data must be accurate and kept up to date. Despite repeated notification from both customers, the Prudential failed to adequately investigate or rectify the problem.
Known or should have known The ICO’s view was that Prudential, as “a large company in the financial services sector with approximately six million customers”, should have been aware that some customers could share the same name and so should have had processes in place to investigate and rectify such an occurrence when it was reported by a customer.
Likely to cause damage or distress The ICO’s view was that disclosure of financial information to a third party with “no right” to see the information was likely to cause “substantial distress”. Actual damage temporarily occurred: tens of thousands of pounds, meant for an individual’s retirement fund, ended up in the wrong account and were transferred away from the Prudential (although all funds have since been recovered, and compensation paid).

BW Observations

The first MPN in respect of a breach of the fourth principle. Although the ICO’s reasoning in respect of the degree of damage or distress is debatable, what is interesting is the Commissioner’s reasoning in respect of the s55A(3) ‘known or should have known’ test. The ICO’s argument is not that the Prudential should have had sufficient data integrity controls in place to prevent the problem occurring, but that, given such an error was probable in a company with six million customers, there should have been robust procedures in place to properly investigate the customers’ complaints and rectify the situation.

Organisations should consider whether they have the necessary training and systems in place to ensure that what might appear in a front-line system to be a simple change-of-address problem is recognised, identified and investigated as a potential breach of data integrity.