There has been a lot of ICO enforcement action to catch up on. Most of this action has been under the previous Data Protection Act 1998 (as it relates to data processing activities prior to the application of the GDPR). See article number 1 in my series in relation to GDPR enforcement action.
A few topical penalties for my maternity leave:
Emma’s Diary, which provides information to support pregnancy, birth and early motherhood, was issued with a monetary penalty of £140,000 in August 2018 for unlawfully collecting and selling personal data of over one million people. Emma’s Diary sold information for use in political campaigning, enabling the Labour Party to profile and send marketing communications to mums in the run-up to the 2017 UK General Election. The ICO considered that Emma’s Diary was not sufficiently transparent, nor did it gain consent or satisfy another fair processing condition (now known as the legal basis for processing), and its actions exposed data subjects to potential distress.
Mumsnet, the online network for parents, posted on its website about a data breach in February 2019, where user account information may have been switched. Mumsnet reported that 4,000 user accounts were logged into during the relevant period, although not every account was affected.
Bounty, the pregnancy and parenting support club, was issued with a monetary penalty of £400,000 in April 2019 for unlawfully sharing personal data of over 14 million individuals with organisations such as credit reference and marketing agencies. The ICO considered that Bounty was not sufficiently transparent in relation to these activities, nor did it obtain valid consent or satisfy another fair processing condition (now known as the legal basis for processing), and its actions were likely to cause substantial distress to some data subjects.
A television production company was issued with a monetary penalty of £120,000 for unfair and unlawful filming in a maternity clinic (in breach of principle 1 of the Data Protection Act 1998 in 2017). It had set up CCTV-style cameras and microphones in examination rooms for a Channel 4 documentary on stillbirths. The ICO found that it did not provide patients with adequate information about the filming, nor get adequate permission (for use of sensitive personal data) from those affected by the filming in advance. Whilst notices about the filming were posted near to the cameras and in the waiting rooms, staff did not draw attention to them. They also did not provide adequate explanations, and indicated that permission would be sought, when it was not. There was also no mechanism by which the filming could be stopped, if an objection was raised. The ICO commented: "Patients would not have expected to have been filmed in this situation, and many will have been very distressed when they learned such a private and potentially traumatic moment had been recorded".
I also have to mention the Facebook monetary penalty in October 2018 of £500k; this was the maximum penalty the ICO could impose under the previous data protection law. It related to the use of data analytics for political purposes. Facebook’s breaches included allowing application developers to access personal data without clear and informed consent, and failing to keep personal data secure. Data relating to up to 87 million people worldwide was harvested without their knowledge, some of which was shared for political campaigning purposes. Facebook then did not do enough to ensure remedial action was taken once the misuse of data was discovered. At least one million UK users were put at risk of further data misuse.
Olivia Whitcroft, principal of OBEP, 6 June 2019 (updated 9 December 2019)
This article provides general information on the subject matter and is not intended to be relied upon as legal advice. If you would like to discuss this topic, please contact Olivia Whitcroft.