UK Information Commissioner’s Office fines data supplier 80,000 pounds and sends a warning to the data broking industry

November 6, 2017

The Information Commissioner’s Office has been an active regulator in the United Kingdom. The legislation in the United Kingdom, the Data Protection Act, empowers the ICO to issue heavy monetary penalty notices, the technical term for fines. In Australia the Information Commissioner can commence civil penalty proceedings with penalties of up to $1.7 million. Each regulator has its own regulatory armaments. The difference is that the ICO is active. The Australian Information Commissioner is not.

This fine is the first by the ICO involving the data broking industry.

The ICO issued a monetary penalty notice, fining Verso Group (UK) Limited for supplying personal information to another company, Prodial Ltd, which used that data to make 46 million nuisance calls. Prodial received a record fine but the investigation continued and went to the source of the data. That is quite a common feature of regulatory investigations. Commonly one investigation for a breach spawns more investigative digging and commonly it is the subsequent investigation that turns up even more serious breaches. That is rarely factored in by organisations who come under regulatory scrutiny.

The ICO media release provides:

A firm trading in people’s personal information and describing itself as ‘the UK’s Premier Lead Generation Provider’ has been fined £80,000 by the Information Commissioner’s Office (ICO).

Verso Group (UK) Limited failed to comply with data protection law because it was not clear with people about what it was doing with their personal information.

This is the first fine to be issued following a wider investigation by the ICO into the data broking industry.

James Dipple-Johnstone, ICO Deputy Commissioner – Operations said:

“We have concerns about the impact of invisible data processing on UK citizens and are currently looking at the data broking industry including how businesses trade and use personal data behind the scenes.”

The ICO discovered Verso had supplied personal data for direct marketing to Prodial Ltd, which received a record fine for making 46 million nuisance calls and to EMC Advisory Services Ltd also fined by the ICO for making unsolicited calls. This prompted a separate ICO investigation into Verso’s data trading practices.

The Hertfordshire-based business generated leads by contacting people in the UK from two overseas call centres. Personal data was gathered from what telephone operators described as surveys, but were in fact lead generation calls. Other practices included buying in data from various firms to be packaged up to sell on to companies for use in direct marketing without the correct consent required.

Mr Dipple-Johnstone said:

“This type of unlawful data trading directly fuels the nuisance call and spam text industry and creates misery for millions of UK citizens.

“Businesses need to understand they don’t own personal data – people do and those people have the right to know what is happening to it and who is likely to be contacting them for marketing.”

The firm’s practices spanned a number of years and as a result, anyone affected could not have known who would be obtaining and using their personal data for marketing.

Verso should have ensured that the people whose personal data it was dealing in were given specific information about the companies who would potentially be marketing services to them.

Along with the requirement to process data fairly, Verso should have had people’s consent to use their information in this way. The company could not provide proof of this consent. If businesses are buying data they must be sure of the source of the information and obtain the correct consent.

The investigation into the data broking industry includes looking at a wide range of organisations and the roles they play. This includes credit reference agencies (CRAs) which are key players due to the volume of personal data they gather. The ICO has contacted CRAs about the products they offer and how transparent it is to users as to how personal data is being processed.

The Monetary Penalty Notice relevantly provides:

  • at [2] The penalty is based on Verso obtaining and selling large volumes of personal data to be used for direct marketing purposes. The Commissioner’s view is that, in all the circumstances, those activities constituted serious contraventions by Verso of the first data protection principle (“DPP1”) from Schedule 1 to the DPA
  • at [20] … the Commissioner’s view is that, in these circumstances, Verso should have ensured that the data subjects whose personal data it obtained and sold were provided with sufficiently specific information about the companies to whom their personal data would be provided for direct marketing purposes. Verso did not do so. It therefore processed that personal data unfairly, contrary to DPP1
  • at [26] … The Commissioner has considered the terms and conditions and privacy notices applicable to the personal data at issue in this case, to the extent that such information is available. She is not satisfied that the data subjects consented to their personal data being supplied to Verso and/or for onward sale to other companies for direct marketing purposes
  • at [30]
    • As regards personal data obtained by Verso itself (transaction 1), Verso failed to provide the data subjects with sufficiently clear information about the companies to whom Verso intended to disclose their personal data for direct marketing purposes. Neither Verso’s telephone call scripts nor its website provided sufficiently clear information in this respect. Verso thus obtained this personal data unfairly and without satisfying any condition from Schedule 2 DPA
    • As regards personal data obtained by Verso from other sources (transactions 2-8), Verso failed to ensure that the data subjects had been provided with sufficiently clear information about the companies (including Verso) to whom their personal data would be disclosed for direct marketing purposes. That failure arose from inadequate due diligence of and contractual arrangements with Verso’s suppliers of personal data; the inadequate terms and conditions and privacy notices used by those suppliers and Verso’s failure to take any other adequate steps to satisfy itself that data subjects had been provided with sufficiently specific information. Verso thus obtained this personal data unfairly and without satisfying any condition from Schedule 2 DPA
    • As regards personal data sold by Verso to other companies (transactions 9-12), Verso sold personal data which it had obtained unfairly (see subparagraphs 1 and 2 above). Accordingly, Verso’s onward sale of that data was also unfair and no condition from Schedule 2 DPA was satisfied
  • at [33] … these contraventions were of a kind likely to cause substantial damage or substantial distress, in that:

(1) As a result of Verso’s contraventions, the affected data subjects could not have known who would be obtaining and using their personal data. At least some proportion of the affected data subjects were likely to be distressed by that uncertainty and loss of control over their personal

(2) At least some proportion of the affected data subjects were likely to suffer damage and/or distress on account of the unsolicited direct marketing communications which were facilitated by Verso’s contraventions. Such communications would have intruded upon data subjects’ privacy. There was also a significant and weighty chance of some data subjects suffering damage by acting on some of the marketing communications facilitated by Verso’s contraventions: see for example the marketing of gambling services referred to in the DMC’s

(3) Given the nature and circumstances of Verso’s contraventions, at least some of its activity was likely to contribute to contraventions of PECR – as was indeed the case. Data subjects were likely to be distressed by the risk of their personal data being used unlawfully by a range of companies.

(4) Even if some of the likely damage and distress outlined above was less than ‘substantial’ on an individual-by-individual level, the cumulative impact was likely to be substantial, in light of the number of data subjects affected by each of Verso’s contraventions

  • [35] …Verso failed to take reasonable steps to prevent such a contravention, in that

(1) Verso failed to undertake adequate due diligence when selecting its data suppliers in order to ensure that it received and used personal data fairly

(2) Verso failed to incorporate adequate contractual terms requiring its data suppliers to ensure that personal data was obtained and provided to Verso

(3) Verso failed to take practical steps to satisfy itself that data subjects were provided with sufficiently specific information to help them understand what would be done with their personal data. For example, Verso could have examined the terms and conditions and privacy policies used by its data suppliers. Had it done so, Verso would (or should) have detected the inadequacies and taken appropriate

(4) When obtaining personal data from data subjects (see transaction 1 in Annex 2), Verso should have provided sufficiently specific information about the companies to whom Verso would provide personal

(5) Verso has worked in this sector for several years. It describes itself as “the UK’s Premier Lead Generation Provider”. It was aware of the Commissioner’s investigations into and enforcement actions against some companies with whom Verso worked. Verso’s director between 10 November 2015 and 28 July 2017, Dene Walsh, was a Council member of the OMA. In the circumstances, Verso should have been aware of the requirements of the DPA and with guidance published by the Commissioner and the OMA. Verso should have acted in accordance with those requirements and guidance documents.
