The Information Commissioner’s Office has proved even the smallest breach of data laws can result in a monetary penalty – as well as reputational damage – after issuing a fine for nuisance calls triggered by just three complaints.
The company in question, Energy Suite of Nelson, near Burnley, came to light after the complaints were made against it. The firm markets boiler, heating, insulation, glazing and other energy-saving grants to homes under Government-funded schemes.
An Information Commissioner’s Office investigation discovered that the firm had purchased details of 11,005 live, validated landlines and 88,995 live HLR-checked mobiles, which it claimed had come pre-screened via the Telephone Preference Service. The name of the data supplier has been redacted from the ruling.
Energy Suite insisted that it had been told the leads in question were not on the TPS and had opted in, although it admitted that it did not know how the leads had been obtained. It also used further data it had gathered from its own website, but again could not prove whether this was legal.
BT records confirmed that Energy Suite had made 3,415 connected calls between March 1 and November 13 2020, although some of these may have gone to voicemail. Of those calls, more than a third – 1,202 – were made to numbers registered with the TPS, and 44 were made to numbers registered to the Corporate TPS, in breach of the Privacy & Electronic Communications Regulations (PECR). It is thought to be the first time action has been taken for breaching the CTPS.
Further ICO questioning concluded that Energy Suite had no due diligence systems in place, did not have access to the TPS and could not say whether its own data had been gathered legally or not.
The ruling states that, while the regulator did not consider that Energy Suite deliberately set out to contravene PECR, the firm was negligent and it failed to take reasonable steps to prevent the contravention.
Taking into account all of the above, the ICO decided that a penalty of £2,000 was “reasonable and proportionate” given the size of the business (it has net assets of just over £10,000) and the level of contravention.
However, it just goes to show that the ICO is no longer all about show-stopping headlines; small contraventions still carry a risk.