It has been revealed this week that Basildon Council have been fined £150,000 by the Information Commissioner’s Office (ICO) for publishing sensitive personal information on its website among details of a planning application.
Alongside the planning application, Basildon Council released details about the family’s disabilities, including mental health issues, all of which were made publicly available online. This personal information was contained in a supporting written statement attached to the planning application and should have been removed before the application was uploaded to the website.
The ICO said that an inexperienced council officer did not notice the personal information, and that there was no procedure in place for the document to go through a second check before being published online. The sensitive information was only removed from the website almost two months later, when concerns came to light.
ICO enforcement manager Sally Anne Poole said: “This was a serious incident in which highly sensitive personal data, including medical information, was made publicly available”. A fine of this kind is likely to cost a great deal more once the EU General Data Protection Regulation (GDPR) is enforced next May, when fines for breaches of data such as this could reach 4% of annual global turnover or €20 million, whichever is higher.
This, however, is not the only recent ICO enforcement action that could land an organisation in fairly hot water under the GDPR. Back in March, two organisations were fined a total of £83,000 for breaking the rules on handling people’s personal information when sending marketing emails.
The first, the UK-based airline Flybe, was found to have deliberately sent more than 3.3 million emails to people who had specifically opted out of any email marketing communications from the firm. The fine it received totalled £70,000 for breaking the Privacy and Electronic Communications Regulations (PECR).
A separate ICO investigation found that Honda Motor Europe Ltd had sent over 250,000 emails aiming to clarify whether customers wished to receive email marketing. However, Honda could not evidence that the customers in question had ever given consent to receive this type of email in the first place, which is itself a breach of PECR.
Steve Eckersley, ICO Head of Enforcement, said: “Both companies sent emails asking for consent to future marketing. In doing so they broke the law. Sending emails to determine whether people want to receive marketing, without the right consent, is still marketing and against the law (unless the party being emailed opted in to email communications in the first place)”.
With the GDPR set to turn email marketing on its head, Mr Eckersley warned: “Businesses must understand that they can’t break one law to get ready for another”.
As daunting as GDPR preparations may seem, there are solutions out there to make compliance with the upcoming regulation that little bit easier. Find out more by downloading your copy of the EU GDPR Pocket Guide now.