U.K. Privacy Office Urges Post-Brexit Data Protection

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Ali Qassim

May 5 — In April, the U.K. Information Commissioner's Office (ICO) highlighted the need for the U.K. to continue to implement effective data protection laws, even if the country decides to leave the European Union after a June 23 referendum and said it planned unannounced visits to the officers of private investigators to see if their practices comply with the U.K. data protection rules.

The ICO—U.K.'s data protection authority—handed a total of 150,000 pounds ($217,321) in fines against a police force for failing to protect sensitive data, and a home improvement firm and a marketing claims company for making nuisance calls.

Additionally, it announced in April a court order against an insurance firm for unlawfully obtaining personal data; ordered a public health body to change its opt-out policy’; and issued a ‘stop-now’ enforcement notice to a Scottish government entity for repeatedly failing to train staff on data protection.


U.K. citizens will vote June 23 on whether the U.K. should exit the European Union—known as Brexit. The ICO April 19 said that the U.K. “will continue to need clear and effective data protection laws, whether or not the country remains part of the EU.”

“The U.K. has a history of providing legal protection to consumers around their personal data,” the ICO said. “Our data protection laws precede EU legislation by more than a decade, and go beyond the current requirements set out by the EU,” it said.

“Having clear laws with safeguards in place is more important than ever given the growing digital economy, and is also central to the sharing of data that international trade relies on,” the ICO said.

In a blog post, the ICO said April 12 that it planned to carry out unannounced doorstep visits to private investigators (PIs). The ICO's Criminal Investigation Team Manager Damian Moran said his team received “reports about the use of surveillance and tracking devices by PIs, and of PIs failing to give individuals access to information held about them” which are actions “which may be in breach” of the Data Protection Acts.

Enforcement Actions

The ICO April 21 fined the Kent Police department 80,000 pounds ($115,877) for passing on sensitive data contained in the mobile phone of a woman who accused her partner—a police officer—of domestic abuse.

The woman's phone, which was passed on to her husband, contained a video recording supporting her accusation against her partner as well as text messages and family photographs, the ICO said.

Also in April, the data protection authority fined Scotland-based Nevis Home Improvements Ltd. 50,000 pounds ($72,400) for making 2.5 million unauthorized automated marketing calls promoting its energy saving services, in violation of the Privacy and Electronic Communications Regulations.

The ICO April 1 announced that it fined Advice Direct Ltd. 20,000 pounds ($28,900) for making nuisance sales calls claiming to help people recover damages for hearing loss caused by working in a noisy environment, it said April 1.

Further, under new rules effective May 16, U.K. telemarketers will have to display their phone number when making unsolicited marketing calls to potential customers (15 PVLR 918, 5/2/16).

In addition to the enforcement action fines, the ICO announced April 8 that the Bournemouth Magistrates' Court fined an individual 1,000 pounds ($1,448) for trying to get an employee of insurance company LV= Liverpool Victoria to sell him customer data.

Further, the ICO said April 20 that it issued Health and Social Care Information Centre (HSCIC), a non-departmental unit of the Department of Health, an undertaking—a signed agreement committing organizations to make data protection improvements or face further enforcement action. The ICO initiated that action after finding that HSCIC, a national provider of information, data and information technology systems, failed to provide patients with an option to opt out of having their data shared with other organizations.

Also in April, the ICO handed West Dunbartonshire Council in Scotland an enforcement notice, ordering it to train its staff on data protection measures following the theft of the medical reports of a child registered with the council.

To contact the reporter on this story: Ali Qassim in London at correspondents@bna.com

To contact the editor responsible for this story: Jimmy H. Koo at jkoo@bna.com

For More Information

The ICO's monetary penalty notices, enforcement notices and undertakings are available at https://ico.org.uk/action-weve-taken/enforcement/.

The ICO's blog on private investigators is available at https://iconewsblog.wordpress.com/2016/04/12/private-investigator-crackdown-by-ico/.

The ICO's statement on Brexit is available at https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2016/04/statement-on-the-implications-of-brexit-for-data-protection/.

Request Bloomberg Law Privacy and Data Security