Information Commissioner's Office

Law Enforcement

The Information Commissioner's Office (ICO) exists to empower you through information. www.ico.org.uk

About us

The ICO is the UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. We rule on eligible complaints, give guidance to individuals and organisations, and take appropriate action when the law is broken.

Website
http://www.ico.org.uk
Industry
Law Enforcement
Company size
201-500 employees
Headquarters
Wilmslow, Cheshire
Type
Nonprofit
Founded
1984
Specialties
Data Protection Act, Freedom of Information Act, Privacy and Electronic Communications Regulations, and Environmental Information Regulations

Updates

  • NEW: We have fined two lead generation companies for making unsolicited calls to people registered with the Telephone Preference Service. In some cases, the calls were highly exploitative and used high-pressure sales tactics to target elderly people. 👉 Read more about the action we have taken: https://lnkd.in/e5jNAdBp We have fined Dr Telemarketing (DRT) £100,000 for making 80,240 calls to numbers registered with the Telephone Preference Service in contravention of Regulation 21 of the PECR. We found a network of five people and eight companies all involved in deliberately making the unwanted calls. DRT argued that the opt-in details had been supplied by its business partner and that the screening was carried out by another company. The ICO found that there was no method in place to identify unwanted calls and that the screening had not been contracted to cover all the data providers concerned. Read more about the monetary penalty notice for Dr Telemarketing: https://lnkd.in/eZaK3ywE We have issued a fine of £240,000 to Outsource Strategies Ltd (OSL) for making 1,346,503 calls to numbers registered with the Telephone Preference Service. OSL claimed that its contracted partners were responsible for Telephone Preference Service screening, saying it had internal systems in place to ensure this would not happen. We found this to be incorrect, as 141,914 calls were made to people marked as "do not call". 👉 Read more about the monetary penalty notice for Outsource Strategies Ltd: https://lnkd.in/ey_GRHc2 Andy Curry, Head of Investigations, said: "All companies engaged in direct marketing should take note of this. If you continue to disregard the law, you can expect the ICO to use the full force of its regulatory powers against you. 
"And, as in this case, it doesn't matter how complex the network of companies and individuals is, we will work through the evidence to find those making these unlawful calls and take action against them in order to protect the public." Our direct marketing guidance makes it clear that organisations buying marketing lists from a third party must carry out thorough checks to satisfy themselves that the personal information was obtained fairly and lawfully. Read our guidance in full: https://lnkd.in/ewShc7pB

    • Andy Curry: “All companies engaged in direct marketing should take note of this. If you continue to disregard the law, you can expect the ICO to use the full force of its regulatory powers against you.”
  • 🆕 We’ve fined two lead generation companies for unsolicited calls to people registered with the Telephone Preference Service. In some cases, calls were particularly exploitative and used high-pressure sales tactics to target elderly people. Read on for more details of the fines. 👉 Read more about our action: https://lnkd.in/e6NWyRwu We have fined Dr Telemarketing (DRT) £100,000 for making 80,240 calls to Telephone Preference Service registered numbers in contravention of Regulation 21 of the PECR. We uncovered a network of five people and eight companies all involved in deliberately making the unwanted calls. DRT argued opt-in details were supplied by its business partner and screening was provided by another company. We found there was nothing in place to identify and mitigate against making unwanted calls and that screening was not contracted to cover all the data providers involved. 👉 Read more about the monetary penalty notice for Dr Telemarketing: https://lnkd.in/eZaK3ywE We have fined Outsource Strategies Ltd (OSL) £240,000 for making 1,346,503 calls to Telephone Preference Service registered numbers. OSL blamed the Telephone Preference Service screening responsibility on its contracted partners and stated it also had internal systems in place to ensure this did not happen. We found this to be incorrect, as 141,914 calls were still made to individuals marked as “do not call”. 👉 Read more about the monetary penalty notice for Outsource Strategies Ltd: https://lnkd.in/ey_GRHc2 Andy Curry, Head of Investigations said: “All companies engaging in direct marketing should take note. If you continue to flout the law, you continue to expect the ICO to use the full force of its regulatory powers against you. 
“And, as in this case, it also doesn’t matter how complicated the network of companies and individuals are, we will work through the evidence to find and take action against the perpetrators of these unlawful calls to protect the public.” Our direct marketing guidance makes it clear that organisations acquiring marketing lists from a third party must undertake rigorous checks to satisfy themselves that the personal information was obtained fairly and lawfully. Organisations must: • explain to people why they want to use their information; • tell people if they will share information with other organisations; and • make people aware of their data protection rights. Read our guidance in full: https://lnkd.in/ewShc7pB

    • Andy Curry, Head of Investigations, said:  
"All the people targeted by these nuisance calls should not have been called in the first place. They had all taken action to protect themselves by registering with the UK’s “do not call” register. It is unacceptable they were repeatedly interrupted and subjected to aggressive and unpleasant marketing, particularly as some of the victims told us they were people with vulnerabilities."
  • Regulators must keep pace with technological change in the wider economy and invest in horizon scanning activities. Our Executive Director of Regulatory Risk, Stephen Almond, spoke at the techUK and Digital Regulation Cooperation Forum (DRCF) event about how effective regulation enables innovation. Providing regulatory certainty is key to supporting responsible innovation. Regulators need to be clear about their desired outcomes and to collaborate internationally as well as domestically, tackling new and developing issues such as the open/closed source debate on Large Language Models (LLMs). Stephen also encouraged organisations to take advantage of the new DRCF AI and Digital Hub which will help innovators bring products and services to market in a responsible manner. The free pilot service will be evaluated in a year's time, so Stephen's message to organisations is to use it or lose it! Read more about the free service: https://lnkd.in/eW3-wPhk

    • Executive Director of Regulatory Risk, Stephen Almond (centre stage), speaking at the techUK and Digital Regulation Cooperation Forum (DRCF) event.
  • ❓How do I get a privacy notice to show my customers and suppliers, or staff and volunteers how I handle their information? ⏱️ Our privacy notice generator will create one for you in just 10-15 minutes. Your privacy notice needs to include details about people’s information rights, such as: 👉 their right to withdraw consent; 👉 the reasons why you hold their information known as your lawful basis; and 👉 how people can complain if they’ve got concerns about the way you’re using their information. But our tool will do all of that for you. All you have to do is answer a few questions. Create a bespoke privacy notice now for your business: https://lnkd.in/eFTC3AzB We’d love to hear about your experience using the new generator tool so we encourage you to complete our short five minute survey after using it. #HereToHelpSMEs

    • Five fancy ice-creams, all customised for a different person. A bespoke privacy notice prepared for your organisation. Ready for you in just 15 minutes.
  • 🎉We are proud to be part of Digital Regulation Cooperation Forum (DRCF)’s new AI and Digital Hub. Read on to learn more about how this exciting service will help innovators. 👇 The free service will provide a single source of advice to help unlock innovation and support UK economic growth. Innovators developing new products, services or business models can now seek support from two or more regulators at once, via the DRCF website, rather than having to approach each one separately. As part of our continued collaboration with the Competition and Markets Authority (CMA), the Financial Conduct Authority (FCA) and Ofcom, this new service is being piloted for a year to measure its impact. For more information on the Hub, check out DRCF’s website: https://www.drcf.org.uk

    Just launched – the NEW DRCF AI and Digital Hub will support innovation and enable economic growth   The DRCF has today launched an ambitious multi-agency informal advice service, which will offer access to four regulators – the Competition and Markets Authority, Financial Conduct Authority, Information Commissioner's Office and Ofcom.   The DRCF AI and Digital Hub pilot will offer innovators free, informal advice on queries that cross more than one DRCF regulator’s remit. The Hub will give you a joint response rather than having to approach each one separately.   Go to our website at https://www.drcf.org.uk/ for full details and to submit a query. #AIandDigHub #DRCF #AI #innovation

  • 💡Lessons learned from First-tier Tribunal cases - are you expected to provide advice and assistance in cases of 'oppressive burden'? You can use section 14(1) of FOI to refuse a single, burdensome request if the amount of time it would take you to collate and prepare material for disclosure would be grossly oppressive, although you should always consider section 12 first. But do you need to offer advice and assistance? The First-tier Tribunal in appeal reference EA/2022/0260 supported the approach in our guidance, noting that you should offer advice and assistance to the requester if you’re applying section 14(1) on grounds of oppressive burden. ❓ What does this decision mean for public authorities?  • When you decide to refuse a request because it would place a grossly oppressive burden on your resources, you should offer advice and assistance to the requester. • This applies where the burden is the sole ground for refusal. You should normally include advice on narrowing the scope of the request. Read the decision in full: https://lnkd.in/eHXPNk3C

  • 🆕 We have reprimanded Clyde Valley Housing Association (CVHA) for exposing the personal information of 139 people after the launch of a new online customer portal. Read on for more details and guidance on how your organisation can avoid this kind of issue. Clyde Valley Housing Association provides social housing to 3,000 homeowners in the Lanarkshire and East Dunbartonshire areas of Scotland. Its new customer portal went live on 14 July 2022. ❓ What went wrong? On the same date, a resident logged into the portal and could view personal information about other residents. They reported it to CVHA customer service who did not escalate the issue. The data remained visible for 5 more days until a mass email was sent to residents promoting the new portal to them. Later that day another three residents reported the same issue. These reports were correctly escalated and all portal user accounts were locked, and the portal was then fully suspended. 394 data entries linked to anti-social behaviour were accessible and, of those, 286 contained sufficient information to identify 139 people. 👉 Read the reprimand in full: https://lnkd.in/eFCSwmBx ❓ What happens now? CVHA could have prevented the escalation of the breach at several key moments. We have recommended that Clyde Valley Housing Association should take steps to ensure its compliance with data protection law, including: • ensuring rigorous testing is undertaken that focuses on data protection prior to the rollout of a portal in the future; and • conducting a review of data protection training to ensure that training provided is relevant to, and adequate for, the staff members receiving it. ✔️Guidance on staff training Staff training in data protection is an important part of your organisation’s accountability and governance: https://lnkd.in/eMFTuvdV

    • Jenny Brotchie, Regional Manager for Scotland, said: "We expect all organisations to ensure they have appropriate security measures in place when launching new products and have tested them thoroughly with data protection in mind, as well as ensuring staff are appropriately trained. We will take action when people’s personal information is not protected."
