The Information Commissioner’s Office (ICO) has started to issue very high fines to a number of companies and individuals, not just for serious breaches of the Data Protection Act (DPA), but also for breaches of the Privacy and Electronic Communications Regulations (PECR). Below is a summary of the recent fines and the reasons for them being imposed.
Tetrus Telecoms – Fined £440K for sending Illegal Spam Text Messages
Tetrus sent unsolicited text messages to individuals whose numbers they had purchased from lists. Once individuals responded to the spam text, their numbers were then sold on to a third party.
In breach of the PECR, Tetrus were found to be transmitting unsolicited marketing messages (including concealing the identity of the sender). The ICO found that Tetrus was in serious, deliberate and informed breach of the PECR due to the:
- volume of text messages it sent; and
- the number of complaints received.
In addition a criminal prosecution is being pursued against the two individuals for breaches of the DPA.
Scottish Council – Fined £250k for failing to Manage Outsourcers
A Scottish council hired a third party to electronically archive its paper employee pension records. Over 600 paper files containing Council employees names, addresses, national insurance numbers, salary and bank account details were dumped in a supermarket’s paper recycling bank once the records had been electronically stored.
The Council was fined for breaching the DPA due to its failure to:
- have a written contract with the outsourcing company governing the scope of the processing activities; and
- set out its data security requirements.
In particular, the Council failed to have in place proper technical and organisational security measures governing the processing. It also failed to take reasonable steps to ensure compliance of the third party with these obligations. i.e. that the third party would return or destroy the paper documents after digitally archiving them.
Sony – Fined £250K for Security Lapses
The personal data of millions of UK Sony customers (including names, addresses, email addresses, dates of birth and passwords) was stolen when hackers accessed the Sony PlayStation Network Platform.
The ICO found that in breach of the DPA Sony did not have an appropriate standard of security in place to protect the personal data as it had:
- failed to take appropriate technical measures (such as cryptographic controls to protect passwords) to prevent the loss of vast amounts of personal data; and
- stored excessive amounts of personal data.
Sony is currently appealing the decision.
Why these Cases are Important
As a SaaS supplier you will be storing and processing personal data on behalf of your SaaS customers. Under the DPA you are a data processor and you must ensure that you comply with your obligations under the DPA. SaaS customers will often require you to indemnify them for breaches of the DPA in your SaaS agreement i.e. you could become directly liable for ICO fines imposed on your SaaS customers.
How to Avoid Fines
Choose a reputable organisation when outsourcing personal data processing i.e. to a hosting centre.
Have a written contract with the SaaS outsourcer which specifies:
- that appropriate technical and organisational measures are in place to prevent the unauthorised or unlawful processing of personal data and to protect them against accidental loss, destruction or damage; and
- that your outsourcer is obliged to report any security breaches or other problems to you.
Note that under the new proposed EU Data Protection Directive (which has not yet been finalised) the ICO will be given the authority to impose much higher fines for breaches of the DPA – up to 2% of a company’s turnover.
Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues contact me:
To register for my newsletter click here
Other related articles:
- SaaS Agreements – Essential Elements
- SaaS Agreements – Essential Elements – SLAs Explained
- SaaS Agreements – Data Protection – The Patriot Act
- SaaS Agreements – Data Protection – Prism and US Laws
- SaaS Agreements – Data Protection – Data Commissioner – UK Fines
- SaaS Agreements – Data Protection – Sub-Contractors, Model Clauses
- SaaS Agreements – Data Protection – Liability for Loss of Backup Tapes
- SaaS Agreements – Data Protection – Anonymising Data
- SaaS Agreements – Data Protection – Transfer of Data Outside the EEA
- SaaS Agreements – Data Protection – Policies and Procedures
- SaaS Agreements – Data Protection – German Customers and Data Processing Agreements
- SaaS Agreements – Data Protection – Safe Harbor, German Customers
- SaaS Agreements – Data Protection – Customer Privacy Policies
- SaaS Agreements – Data Protection – New Proposed EU Rules Part 2
- SaaS Agreements – Data Protection – New Proposed EU Rules Part 1