Regulation Hub Update - October 2018 | DMA


This article is written by Steve Sullivan who is the Deputy Chair of the Contact Centre Council.

It’s a bumper issue of the Update, this month, with lots happening (but still no-one fined 4% of global turnover for a data protection transgression, unsurprisingly). Some headlines include:

  • Still no confirmation of when individual directors will be able to be personally fined for breaching the electronic communications and marketing rules
  • What the PSA does and their no-nonsense approach to robust regulation
  • Lead generator firm fined £90k for using affiliate marketers which didn’t have consent to send marketing emails on their behalf
  • Claims management firm fined £150,000 for calling prospects registered on the TPS
  • The Information Commissioner’s mysterious reversal of a £60,000 fine
  • How a poorly controlled CRM solution cost BUPA significant reputational damage and a £175k fine
  • The Court of Appeal finds in favour of an employee class action seeking compensation after a corporate data breach
  • npower’s recent data breach shows that it’s not just cyber security you need to worry about – shoddy envelope stuffing can also result in the walk of shame to the ICO

And Google shuts down Google+ after a data breach, but no-one notices.

Directors’ Fines

The Department for Digital, Culture, Media & Sport (DCMS) is still assessing the responses it received during the consultation about giving the ICO the ability to fine company directors, which ended on 21st August.

www.gov.uk/government/consultations/nuisance-calls-and-messages-action-against-directors

Phone-paid Services Authority (PSA)

We have neglected the work of the PSA, which is appointed by Ofcom to regulate phone-paid services in the UK. Phone-paid services are the premium rate services which include charity donations by text, directory enquiries, paid-for quiz and entertainment services, voting on TV talent shows, in-app purchases and the like.

The PSA’s tribunal adjudication enforcement actions over the past few weeks have encompassed quiz & video services, directory enquiries and xxxx. As well as the substantial fines described below, the companies concerned will be required to compensate c.10,000 customers, and in some cases have been barred from offering phone-paid services in future.

Tobaji Limited – which operates as www.customerservicecontactnumber.uk - was fined £700,000 for a number of transgressions around a lack of openness and clarity about its nature and charging structure. The website is a source of high street names’ customer service numbers, presented with Tobaji’s premium rate forwarding numbers most prominently – numbers which are far more expensive to call than the ‘true’ numbers.

At the time of writing the site includes a warning to customers about the premium rate numbers, but these warnings haven’t always been so prominent. The full adjudication notice is rather involved, but worth a read if you want a better understanding of how the PSA works: www.psauthority.org.uk/-/media/Files/PSA/00NEW-website/Tribunal-adjudications/2018/Tobaji-Limited-130464-f.ashx?la=en&hash=4B1476A6A4C70C4901E01431BE560C592FB67E16

Powertel Limited has been fined £200,000. Powertel bought up unused numbers which were either previously used by brands or were close to brands’ current contact numbers and placed recorded messages on them. The recorded messages advised callers that the number was out of service and to call a 118 directory enquiries number to be redirected. These numbers were charged at £6.98 per call plus £3.49 per minute!

www.psauthority.org.uk/-/media/Files/PSA/00NEW-website/Tribunal-adjudications/2018/Powertel-Limited-128953.ashx?la=en&hash=76FC4926AF3C878A8829C8BF15F6BD76ADB6AB58

Xplosion Limited was subject to three separate rulings and fines, totalling £1,040,000. Xplosion operated quiz, joke and video content services under brands such as QuizM8, charged through the Payforit mobile billing scheme at £4.50 per week. Invariably, complaining customers said they did not understand what they had signed up for or how it would be charged for. The PSA concluded that Xplosion’s approach was to be deliberately unclear about its charging techniques – including the use of ‘iFraming’, in which the Payforit confirmation page is loaded in an invisible frame beneath the site’s own content, so that a consumer who thinks they are clicking to play a quiz or watch a video is in fact clicking the hidden ‘accept’ button that authorises the charge.
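The ‘iFraming’ trick above only works if the confirmation page is willing to be embedded in a frame on someone else’s site. The check below is an added illustration (it is not PSA, Xplosion or Payforit code) of how a reviewer can tell from a page’s response headers whether a given third-party origin could frame it: browsers honour a Content-Security-Policy frame-ancestors directive first and fall back to X-Frame-Options. The header sets, origins and host names are constructed for the example; port numbers in source expressions and the obsolete X-Frame-Options ALLOW-FROM value are deliberately not modelled.

```python
"""Added example: can a third-party origin frame this page?

Models the framing rules modern browsers apply: a CSP frame-ancestors
directive wins; otherwise X-Frame-Options DENY / SAMEORIGIN; otherwise
anyone may frame the page. Ports in source expressions and ALLOW-FROM
are ignored here (assumption, for brevity).
"""
from urllib.parse import urlsplit


def _origin_matches(source: str, origin: str) -> bool:
    """Match one frame-ancestors source expression against an origin."""
    source, origin = source.lower(), origin.lower()
    if source == "*":
        return True
    if source == "'none'":
        return False
    page = urlsplit(origin)
    if source.endswith(":") and "/" not in source:      # e.g. "https:"
        return page.scheme == source[:-1]
    src = urlsplit(source if "://" in source else "//" + source)
    if src.scheme and src.scheme != page.scheme:
        return False
    host, want = src.hostname or "", page.hostname or ""
    if host.startswith("*."):                          # wildcard subdomain
        return want.endswith(host[1:])
    return host == want


def can_be_framed(headers: dict, page_origin: str, framing_origin: str) -> bool:
    """True if a browser would let framing_origin embed the page."""
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            sources = tokens[1:]
            if not sources or sources == ["'none'"]:
                return False
            for s in sources:
                if s.lower() == "'self'":
                    if framing_origin.lower() == page_origin.lower():
                        return True
                elif _origin_matches(s, framing_origin):
                    return True
            return False                                # CSP present: XFO ignored
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framing_origin.lower() == page_origin.lower()
    return True                                         # no recognised restriction


# Constructed example: a payment confirmation page with no framing
# protection beside the same page hardened against being framed.
PAGE = "https://pay.example"                            # constructed origin
WEAK_HEADERS = {"Content-Type": "text/html"}
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy":
        "default-src 'self'; frame-ancestors 'self' https://*.trusted-partner.example",
    "X-Frame-Options": "SAMEORIGIN",                    # fallback for older browsers
}


def demo() -> dict:
    """Evaluate both header sets against an attacker, a partner and the page itself."""
    attacker, partner = "https://quiz-site.example", "https://portal.trusted-partner.example"
    return {
        "weak_framed_by_attacker": can_be_framed(WEAK_HEADERS, PAGE, attacker),
        "hardened_framed_by_attacker": can_be_framed(HARDENED_HEADERS, PAGE, attacker),
        "hardened_framed_by_partner": can_be_framed(HARDENED_HEADERS, PAGE, partner),
        "hardened_framed_by_self": can_be_framed(HARDENED_HEADERS, PAGE, PAGE),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'framable' if allowed else 'blocked'}")
```

The weak page is framable by the quiz site, which is exactly the condition the PSA describes; the hardened page can only be framed by itself or by the named partner domain. Keep X-Frame-Options alongside frame-ancestors for browsers that do not implement the CSP directive.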

Telephone Preference Service (TPS)

The TPS data cleanse appears to be paused half-way through, with invalid landlines scrubbed but no mobile numbers as yet: https://dma.org.uk/press-release/dma-and-ico-update-to-tps-system. We should get an update from John Mitchison when he joins the next Council meeting in November.

Ofcom

Nothing of note over the past few weeks, though we’re still hoping to have an Ofcom representative join us for a Contact Centre Council meeting in the autumn.

No pause for ‘pause & resume’. Yet…

In line with recent updates from John Greenwood (www.compliance3.com) and our own Tom Davies (www.ultracomms.com), the long-delayed PCI DSS guidelines on Securing Telephone-based Payment Card Data – which specifically address contact centres and new phone and digital based scope reduction technologies – are expected before the end of the year.

These are now long overdue, but if your contact centre is relying on ‘pause & resume’ to take card payments out of scope of PCI DSS then be careful what you wish for – the guidelines are expected to deem this approach unacceptable. Pausing the call recording while the customer reads out their card details keeps the PAN out of the recording, but the agent still hears it and keys it into a desktop on the contact centre network, so the agents, their workstations and that network segment remain firmly in scope.

No news or changes of note from the Fundraising Regulator, this month.

DMA Privacy Taskforce

The Privacy Taskforce is continuing to work on two main areas:

  • Collaboration between DMA, its brand members and ISBA (www.isba.org.uk) to get some common ground on the implications of GDPR on advertising and big data
  • Creating practical guidance around the requirements of implementing Privacy by Design

Brexit News

A brief and – depending on your perspective – largely worrying and/or partly reassuring note from the DMA’s Zach Thornton on the marketing implications of a no-deal Brexit: www.dma.org.uk/article/4-things-you-didnt-know-about-brexit

DMA Awards

Proving that every challenge can be an opportunity, this year’s DMA Awards include a GDPR category. Here’s the shortlist: www.dma.org.uk/award/dma-awards-shortlist-2018

GDPR, the new Data Protection Act and ICO

ICO Enforcement – Direct Marketing

This month, perhaps the most interesting enforcement case was the one over which the ICO mysteriously changed its mind and reversed a previous £60,000 fine.

However, first this month’s relevant new cases:

Boost Finance Limited, a London-based financial services sector lead generator, has been fined £90,000 for sending over 4 million spam funeral plan marketing emails between January and September 2017. The emails were intended to drive prospect traffic to Boost’s www.findmeafuneralplan.com landing page.

The ICO’s aversion to companies using poorly controlled or understood affiliates to despatch their marketing emails is well known. Boost’s funeral plan promotions were dependent on their affiliates and the ICO’s investigations found that only one of the affiliate sites correctly described Boost for consent purposes – and that none of them had mechanisms in place to allow customers to opt-out of marketing. For reference, the ICO only received 4 complaints from the 4 million emails sent.

www.ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/10/ico-fines-firm-90-000-for-nuisance-emails-about-pre-paid-funeral-plans/

Oaklands Assist of Manchester has been fined £150,000 for making over 60,000 calls between May and July 2017 promoting claims management services to consumers who were registered on the TPS. The ICO’s Monetary Penalty Notice described Oaklands as being “thoroughly uncooperative”, lacking any due diligence or record keeping and the complainants to the ICO reported the calls they received as being aggressive and abusive. As part of its investigation the ICO has intervened with Companies House to stop Oaklands Assist being struck off by its directors in an attempt to dodge the ICO’s enforcement actions and fine.

www.ico.org.uk/media/action-weve-taken/mpns/2259904/oaklands-assist-uk-limited-mpn-20181001.pdf

ICO Enforcement – Data Breaches

The ICO’s enforcement actions have yet to ‘catch up’ with data breaches which occurred after the 2018 Data Protection Act came into force, at the end of May. So, if you’re waiting for multi-million pound fines, then you’ll need to wait a bit longer…

Heathrow Airport has been fined £120,000 by the ICO over the loss of a USB data stick containing some employees’ personal data in October last year. The ICO discovered that only 2% of Heathrow’s 6,500 employees had been given data protection training and that, although Heathrow’s internal policies forbade the use of removable media devices like the USB stick, those policies were widely disregarded.

www.ico.org.uk/action-weve-taken/enforcement/heathrow-airport/

BUPA Insurance Services has been fined £175,000 by the ICO after a rogue (now ex-) employee put the personal details of over half a million customers up for sale on the Dark Web. BUPA only became aware of the breach when a business partner informed them. BUPA’s internal processes and procedures for the monitoring and protection of personal data were deemed by the ICO to be wholly inadequate. The employee responsible simply exported the personal data directly from BUPA’s in-house CRM to their personal email account, with no checks or logs to highlight the transfer: nothing limited how many records one user could export in a sitting, nothing flagged an export addressed outside the company, and there was no audit trail to review afterwards.
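The BUPA case is a monitoring failure rather than an exotic attack, and the controls that would have caught it are simple to express. The script below is an added example, not BUPA’s system or anything from the ICO’s notice: it runs three detections over a constructed CRM audit log (one JSON object per line, with the field names, thresholds and domain names all assumed for the example): a single export above a record threshold, an export addressed to a non-corporate email domain, and a user’s cumulative exported records over a rolling 24-hour window exceeding a cap.

```python
"""Added example: flag risky bulk exports in a CRM audit log.

Log format, thresholds, user names and domains are constructed for the
example; a real deployment would read these lines from the CRM's audit
table or a SIEM and tune the limits to normal business volumes.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

CORPORATE_DOMAINS = {"bupa-example.internal"}   # assumed corporate mail domain
SINGLE_EXPORT_LIMIT = 1000                       # records in one export
WINDOW = timedelta(hours=24)                     # rolling window per user
WINDOW_LIMIT = 5000                              # records per user per window

# Constructed sample audit lines: one JSON object per line.
SAMPLE_LOG = """
{"ts": "2017-06-01T09:00:00", "user": "alice",   "action": "EXPORT", "records": 120,  "dest": "alice@bupa-example.internal"}
{"ts": "2017-06-01T09:30:00", "user": "mallory", "action": "EXPORT", "records": 900,  "dest": "mallory@bupa-example.internal"}
{"ts": "2017-06-01T10:15:00", "user": "mallory", "action": "EXPORT", "records": 950,  "dest": "m.free@webmail.example"}
{"ts": "2017-06-01T11:40:00", "user": "mallory", "action": "VIEW",   "records": 1,    "dest": ""}
{"ts": "2017-06-01T12:05:00", "user": "mallory", "action": "EXPORT", "records": 4000, "dest": "mallory@bupa-example.internal"}
{"ts": "2017-06-01T13:00:00", "user": "bob",     "action": "EXPORT", "records": 2500, "dest": "bob@bupa-example.internal"}
""".strip()


def parse_lines(text: str):
    """Yield audit events with the timestamp parsed; skip blank lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        yield event


def detect(text: str) -> list:
    """Return (timestamp, user, rule, detail) tuples for every rule that fires."""
    alerts = []
    history = defaultdict(list)          # user -> [(ts, records)] inside the window
    for ev in parse_lines(text):
        if ev["action"] != "EXPORT":     # views and edits are not exfiltration paths here
            continue
        ts, user, n, dest = ev["ts"], ev["user"], ev["records"], ev["dest"]
        domain = dest.rsplit("@", 1)[-1].lower() if "@" in dest else ""

        if n > SINGLE_EXPORT_LIMIT:                       # rule 1: oversized export
            alerts.append((ts, user, "bulk_export", n))
        if domain not in CORPORATE_DOMAINS:               # rule 2: personal/external mailbox
            alerts.append((ts, user, "external_destination", dest))

        # rule 3: rolling volume, so many small exports still add up
        history[user] = [(t, c) for t, c in history[user] if t > ts - WINDOW]
        history[user].append((ts, n))
        total = sum(c for _, c in history[user])
        if total > WINDOW_LIMIT:
            alerts.append((ts, user, "rolling_volume", total))
    return alerts


def flagged_users(alerts: list) -> set:
    """Users with at least one alert, for escalation to the account owner."""
    return {user for _, user, _, _ in alerts}


if __name__ == "__main__":
    for ts, user, rule, detail in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {user:8} {rule:20} {detail}")
```

On the sample log, mallory trips all three rules (an export to a webmail address, a 4,000-record export, and 5,850 records in the day) while bob trips only the single-export rule; alice is clean. The rolling-window rule is the one that catches the patient insider who keeps every individual export under the limit.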

ICO’s Mysterious ‘Reverse Ferret’!

Regular readers with impressive memories will recall that the ICO’s fine of STS Commercial appeared in the August Update.

However, after an appeal the ICO has now reversed its decision in light of (unspecified) “…further information [that] was uncovered through the appeal process…”. We do know that on subsequent review the number of complaints was lower than that first thought, but it’s not at all clear that that would have altered the fundamental bases for the ICO’s enforcement action.

So, is this a genuine injustice righted or something more opaque? The direct marketing equivalent of the Dreyfus Affair or the David Beckham speeding case?

I’ve no idea. However, data privacy guru Jon Baines (www.informationrightsandwrongs.com), who first highlighted the ICO’s revised decision, has asked some further questions to understand more about the basis for STS’ appeal. As and when we know more we’ll share the news in a subsequent monthly Update.

New research shows that corporate data breaches have now surpassed Love Island as 2018’s most popular topic of conversation. Ok, I made that up, but there are a lot of them about:

In a move that will no doubt come as a blow to both of its users, Google+ is being closed by Google. This comes after Google revealed a bug in a Google+ API which meant that third-party apps could have read profile data of up to 500,000 users that those users had not marked as public.

STOP PRESS: On Monday 22nd October the Court of Appeal rejected Morrisons’ appeal against the High Court’s previous ruling that it is liable to pay compensation to employees whose personal data was breached in 2014. The Court’s ruling holds the company vicariously responsible for a malicious breach of the claimants’ personal payroll data by a disgruntled – and now imprisoned - former employee.

5,000 employees were represented through a Group Litigation Order*, which Morrisons’ own barrister said could result in "compensation claims on a potentially vast scale".

Today’s ruling means that the floodgates may open for compensation claims deriving from data breaches (such as SPG Law’s one planned in the wake of the recent BA breach). However, Morrisons have already said they will take the case to the Supreme Court.

* in other words, that’s a Class Action (to those of us whose legal knowledge is largely based on watching American TV programmes)

Government Cyber Security Breaches Survey

The government is conducting a major survey of UK businesses’ and charities’ experience of and preparedness for cyber breaches. The research is being carried out by Ipsos MORI using only one channel, the phone… which just goes to show the power of a conversation!

www.gov.uk/government/publications/cyber-security-breaches-survey?utm_source=c04bddc7-61e8-4ae7-ae30-f08b775a9491&utm_medium=email&utm_campaign=govuk-notifications&utm_content=weekly

Operation Linden

The next Linden meeting is tomorrow, 23rd October. My invitation was clearly lost in the post, but we’ll get an update for next month.

Direct Marketing Commission

No news from the DM Commission this month – and possibly won’t be until next year’s annual report for 2018. www.dmcommission.com/?attachment_id=3507
