Every once in a while, a light-bulb gets turned on and the world makes a little bit more sense. This happened for me over this weekend – and here’s how.

Trawling

Trawling, not trolling, through the ICO pages, as I do – and sometimes not willingly, I saw the announcement about how they interesting treated one set of complaints.

Complaints were made about nuisance calls and, in their normal manner, the ICO went about their normal investigation to see what was going on. No light bulb moment yet.

They found the source of the problem to be data being shared, against company policy, within the motor industry. This meant that individuals were receiving unsolicited direct marketing calls, breaking section 121 of the Data Protection Act 2018, from a data sharing perspective, section 11 of the of the Data Protection Act 2018, from a direct marketing perspective, and a raft of section from the Privacy and Electronic Communications Regulation 2003.

Interestingly, they did not pursue the perpetrator through either of the above acts, they utilised the little-known Computer Misuse Act 1990 instead. This allowed the perpetrator and the originator of the nuisance calls (who received the illegally shared data from the perpetrator) to be prosecuted knowing that there could be different and more severe outcomes for the individuals acting illegally.

Punishment

Using this Act allows for different punishment. A likely result if bringing a prosecution using either the Data Protection Act 2018, or the Privacy and Electronic Communications Regulation 2003 would have been court costs (still considerable for the individuals involved – obviously) and a personal fine for those involved in the process. Instead, this is what happened.

Perpetrator:

Nuisance Call Generator:

Assistance

As always when a matter like this come to the fore, the ICO require assistance from many places to get to the bottom of the problem. The perpetrators employer, the Insurance Fraud Bureau and many insurance companies helped to unpick and resolve this matter.

SME’s, therefore, need to take a leaf from their book. Why you might ask? Policy and process are what helped these businesses prove to the ICO that the perpetrator what acting outside of what they were allowed to do. Without it there could have been negative comment about them and I haven’t seen anything so far.

I haven’t reported on such a case before, indeed I missed the last one (which happened on November 2018 – apparently). It means, therefore, stance of data protection being a framework explanation making a lot more sense to me. Hopefully it will help you too and it will help to appreciate the benefit of documenting what you do.

Our experience helps business owners find the right way for them. Call, or email, us to find out more about how we can help.

Mobile:  07943211611          email:  enquiries@eyebray.com

Leave a Reply

Your email address will not be published. Required fields are marked *