DATA PROTECTION ACT 1998 SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER NOTICE OF INTENT


To: Hutchison 3G UK Ltd
Of: Star House, 20 Grenfell Road, Maidenhead, Berkshire, SL6 1EH

1. The Information Commissioner ("Commissioner") is minded to issue Hutchison 3G UK Ltd with a fixed monetary penalty under regulation 5C of the Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PECR"). The penalty is being issued because of a contravention of regulation 5A of PECR.

2. This notice explains the Commissioner's decision.

Legal framework

3. Hutchison 3G UK Ltd is a service provider as defined in regulation 5(1) of PECR.

4. Regulation 5A of PECR states:

"(1) In this regulation 'service provider' has the meaning given in regulation 5(1).

(2) If a personal data breach occurs, the service provider shall, without undue delay, notify that breach to the Information Commissioner.

(3) ...

(4) The notification referred to in paragraph (2) shall contain at least a description of
(a) the nature of the breach;
(b) the consequences of the breach; and
(c) the measures taken or proposed to be taken by the provider to address the breach."

5. Regulation 2 of PECR defines a personal data breach as:

"... a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service."

6. Further rules in relation to the notification of personal data breaches are set out in Commission Regulation No 611/2013 (the "Notification Regulations"). Article 2(2) of the Notification Regulations states:

"The provider shall notify the personal data breach to the competent national authority no later than 24 hours after the detection of the personal data breach, where feasible."

7. Service providers must therefore notify the Commissioner within 24 hours of becoming aware that a personal data breach has occurred. There is no threshold for how serious the breach must be; all breaches must be notified.

8. Regulation 5C of PECR states:

"(1) If a service provider fails to comply with the notification requirements of regulation 5A, the Information Commissioner may issue a fixed monetary penalty notice in respect of that failure.

(2) The amount of a fixed monetary penalty under this regulation shall be £1,000.

(3) Before serving such a notice, the Information Commissioner must serve the service provider with a notice of intent.

(4) The notice of intent must
(a) state the name and address of the service provider;
(b) state the nature of the breach;
(c) indicate the amount of the fixed monetary penalty;
(d) include a statement informing the service provider of the opportunity to discharge the liability for the fixed monetary penalty;
(e) indicate the date on which the Information Commissioner proposes to serve the fixed monetary penalty notice; and
(f) inform the service provider that he may make written representations in relation to the proposal to serve a fixed monetary penalty notice within 21 days of receipt of the notice of intent.

(5) A service provider may discharge liability for the fixed monetary penalty if he pays to the Information Commissioner the amount of £800 within 21 days of receipt of the notice of intent."

Background to the case

9. Regulation 5A of PECR does not specify the format in which service providers must notify the Commissioner of personal data breaches. However, in accordance with the Notification Regulations, the Commissioner has developed an online reporting tool to provide a simple and secure method by which service providers can report breaches.

10. Regulation 5A(7) of PECR also requires service providers to maintain their own log of personal data breaches containing the facts surrounding the breach, the effects of the breach and any remedial action taken. The Commissioner has produced a template log to assist in this and invites service providers to submit completed logs to his office on a monthly basis.

11. On 3 August 2015 Hutchison 3G UK Ltd submitted its completed monthly log for July 2015 to the Commissioner. The log included the following details about three personal data breaches:

"Agent failed to adhere to password policy and allowed a fraudster with access to customer data to manipulate a security alert on customer account."

"SIM Swap issue - customer A's SIM was sent to customer B. Error resulted in calls being transferred to customer B. Matter escalated and rectified immediately."

"Breach in social media where agent accidentally emailed response for customer A to customer B. Limited personal data incl (name and email address)."

12. Hutchison 3G UK Ltd subsequently confirmed that the three personal data breaches had occurred on 21, 23 and 25 July 2015 respectively.

13. Hutchison 3G UK Ltd explained that it had not notified the Commissioner of the personal data breaches within 24 hours due to resource issues and technical difficulties with the ICO's online reporting tool. Therefore a decision was taken to report the personal data breaches only by way of its monthly report, which was submitted on 3 August 2015.

14. The Commissioner is satisfied that Hutchison 3G UK Ltd had sufficient resources to notify his office of the personal data breaches within the required time limit. Furthermore, the Commissioner is satisfied that there were no technical issues affecting the ICO's online reporting tool at the time of the personal data breaches.

Grounds on which the Commissioner proposes to serve a monetary penalty notice

15. The Commissioner is satisfied that each of the three incidents referred to at paragraph 11 above amounts to a personal data breach within the meaning of regulation 2 of PECR.

16. Further, the Commissioner is satisfied that Hutchison 3G UK Ltd has contravened regulation 5A of PECR by failing to notify the Commissioner of those personal data breaches without undue delay.

17. The Commissioner's underlying objective in imposing a monetary penalty is to promote compliance with PECR. The requirement to notify the Commissioner of personal data breaches provides an important opportunity for him to assess whether a service provider is complying with its obligations under PECR, including the duty to take appropriate technical and organisational measures to safeguard the security of its service and the duty to notify customers of breaches adversely affecting their privacy. A monetary penalty in this case would act as a general encouragement towards compliance with the requirement to notify personal data breaches, or at least as a deterrent against non-compliance, on the part of all service providers.

18. The Commissioner is satisfied that this objective can be met by imposing a monetary penalty in respect of one of the contraventions of regulation 5A of PECR. The Commissioner therefore proposes to impose a monetary penalty on Hutchison 3G UK Ltd for failing to comply with the notification requirements of regulation 5A of PECR in respect of the personal data breach that occurred on 25 July 2015. The Commissioner considers that this decision is reasonable and proportionate given the particular facts of the case and the underlying objective in imposing the penalty.

19. As provided for by regulation 5C(2) of PECR, the amount of that penalty will be £1,000 (one thousand pounds).

20. However, Hutchison 3G UK Ltd may discharge liability for the fixed monetary penalty if it pays the amount of £800 (eight hundred pounds) within 21 days of receipt of this Notice of Intent.

Conclusion

21. The Commissioner intends to serve a fixed monetary penalty notice on or after 29 October 2015. If you wish to make any representations in relation to the proposal to serve the fixed monetary penalty notice you should do so within 21 days of the date of service of this Notice of Intent. Representations should be made in writing. All representations will be carefully considered by the Commissioner before a final decision is made.

Dated the 1st day of October 2015

Signed: ...
David Smith
Deputy Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF