Main Image

Companies: A caution over data protection

All organisations that process personal information must comply with the data protection principles enshrined in the Data Protection Act 1998 (the DPA), as well as other regulatory responsibilities.

It is the Information Commissioner’s Office (ICO) task to protect the data privacy of individuals and it has the power to impose fines up to £500,000, in addition to its powers of criminal prosecution, non-criminal enforcement and audit. The ICO had announced its intention to take increased action against defaulting organisations, in particular those making nuisance calls.

In 2015, the ICO imposed monetary penalties in excess of £1.1 million in relation to nuisance marketing alone, including two prominent examples:

  • A fine of £200,000 to Help Direct UK Ltd, a lead generation company that sent out thousands of unsolicited marketing text messages for services including PPI claims, bank refunds and loans. Importantly, this was the first civil monetary penalty for a breach of the first principle of the DPA; the fair and lawful processing of personal information.
  • A fine of £130,000 to Pharmacy 2U, an online pharmacy that sold details of more than 20,000 customers to marketing companies. Again, this was an important case because it was the first civil monetary penalty imposed by the ICO using the new powers granted to it in 2015.

The ICO’s powers stretch beyond nuisance marketing and notable cases include:

  • Google being required to improve its privacy policy to clarify the information it provides about how personal data is collected in the UK. The ICO also ordered Google to remove search results relating to historic data on an individual.
  • The Crown Prosecution Service was fined £200,000 after laptops containing police interviews, held at a private film studio, were stolen.
  • Northumbria NHS Trust was required to improve the way it handles patients’ information after mistakenly sending five faxes to the wrong number.
  • Bloomsbury Patient Network was fined £250 after revealing the identity of HIV patients by mistakenly listing e-mail addresses when sending a newsletter. The serious nature of the breach would have meant a significant fine for most organisations, although it was limited in this case because, as an unincorporated association, liability to pay the fine fell to individual trustees.

If you hold or handle personal information, then the enhanced levels of ICO action make it increasingly important that you adhere to your responsibilities. I’ll leave you with a word of warning from the ICO: “We need to send a clear message – no matter how small your organisation, you must make sure staff and volunteers are trained to protect personal data.”

The new Data Protection Regulations come into force in 2018, click here to read more about what that means for you and your company.


If you would like more information or advice relating to this article or a Corporate law matter, please do not hesitate to contact Vanessa Crawley on 01727 798104..

© SA LAW 2017

Every care is taken in the preparation of our articles. However, no responsibility can be accepted to any person who acts on the basis of information contained in them alone. You are recommended to obtain specific advice in respect of individual cases.

Chris Wilks is an experienced corporate partner who focuses on advising small and medium sized companies and individual investors.
Chambers & Partners
Corporate Night View of London