Data protection, careless moments and the £4.4 million fine  | Moorepay
August 31, 2023


Are you old enough to remember the hysteria of the Millennium/Y2K bug? Computer systems programmed to recognise two-digit year dates might fall over when 99 became 2000. Every organisation was frantically reviewing and updating its systems.

Roll forward to 2018 and the advent of GDPR and the UK Data Protection Act. It was Y2K all over again. Scrambling round like headless chickens trying to understand horrifically complex and far-reaching legislation. Many took matters very seriously. And some still do. Others have taken their foot off the gas.

This week I reviewed guidance prepared for clients in 2018. And guess what? The same issues crop up in 2023. Extensively. What’s changed is an unforgiving Information Commissioner now imposes draconian penalties. 

Interserve fined £4.4m for employee data breach 

For example, the construction group Interserve were recently fined £4.4 million for putting the identities of over 100,000 staff at risk. As with many issues, it started with ill-informed staff. An employee forwarded what turned out to be a ‘phishing’ email to a colleague who opened an attachment which contained malware. Staff training was inadequate and – in one case – non-existent. 

The immediate problem was soon extinguished. But the company failed to carry out a full impact analysis. Smouldering malware then extensively compromised servers, systems and accounts. The attacker successfully uninstalled the company’s anti-virus solution and ‘ransomed’ staff data including national insurance numbers, bank accounts, salaries – even disabilities and emergency contacts. 

What are the key takeaways from this cyber-attack? 

Essentially, if staff had been adequately trained, this wouldn’t have happened. And if such a problem arises, always undertake a full impact analysis. 

The risk of reputational damage 

Similarly, a customer of an online retailer believed they had been hacked following a transaction on their website. The retailer argued their 3rd party IT consultant was to blame. ICO found to the contrary. The retailer had commissioned no updates, vulnerability scanning, penetration tests etc. for over two years. For very little outlay the National Cyber Security Centre would have offered support. Presumably because they were small, they only received a reprimand. But reputational damage to a business promoting itself to ‘some of the UK’s most prestigious schools and businesses’ could be significant. 

If you don’t have in-house technical expertise, make sure your 3rd party provider is contracted to do everything you need. And consider investing a few hundred pounds for an NCSC (allied to the UK Government’s GCHQ) audit.  

The importance of BCC when sending emails 

Another thorny old chestnut is CC and BCC. ALWAYS use BCC or a specialist mail programme when emailing subscribers. The Northern Ireland Interim Advocate’s Office sent out 250 newsletters using CC not BCC. Recipients included victims and survivors of historical child abuse – all their email addresses were visible.  

It may be worth explaining why they only received a reprimand for this. The ICO considers that fining public sector bodies deprives already financially hard-pressed organisations; inadvertently hurting those who rely on their services. But the ICO inevitably returns and reviews. More stringent measures will follow if infringements persist. 

If you’re sending multiple copies of an email, BCC rather than CC is wise. Or use a specialist mailing programme.  

Do your employees take data protection seriously? 

Maybe you don’t feel your staff take data protection seriously – dipping into databases they shouldn’t be accessing (question: why does your system allow this to happen?). It might be time to remind them they can be personally liable for infringements.  

A former 111 call advisor was fined for illegally accessing medical records relating to a child and their family. He was fined £630 plus a victim surcharge and court costs of over £1,000. Note the word former. He was sacked for gross misconduct. 

Similarly, an ex-RAC employee was prosecuted for gathering personal data from drivers involved in traffic accidents. 21 of them complained they were subsequently harassed by claims companies. The fine in this case was £5,000 plus court costs of £900 and a victim surcharge of £170. Again, note the word ‘ex’. 

A major high street bank engaged a tracing consultant. He used voice changing software and other subterfuges to successfully impersonate and obtain personal and financial information. He fed this to the bank, who eventually became suspicious. They shared concerns with the ICO. He pleaded guilty to six sample counts against him, was fined £10,560 plus court costs, taking the total to more than £15,000. A Proceeds of Crime order secured another £38,000.  

Staff and contractors must understand they can be held personally liable for data protection infringements. Determine who can access what. Lock down internal databases from prying eyes whenever possible. 

Two companies alone were fined £120,000 and £130,000 respectively for unsolicited marketing calls 

Nuisance calls are still the bane of everyone’s life. The ICO is now determinedly trying to stamp them out. In just over 12 months it has issued penalties exceeding £2,500,000. Two companies alone were fined £120,000 and £130,000 respectively for unsolicited marketing calls, falsely claiming to be UK Government and other official bodies. 

Be very cautious about marketing calls you, or third parties on your behalf, make. Respect Telephone Preference Service subscribers and don’t call them.  

The importance of responding promptly to subject access requests 

And finally, if you’re a data controller and receive dreaded subject access requests (SARs), respond promptly. Always within a month, wherever possible. Two London Boroughs were reprimanded for only responding to 60% and 74% of their SARs respectively. Virgin Media was also reprimanded for failing to respond to 14% of its SARs over a six-month period.

If you’re a data controller and receive a subject access request, respond promptly.  

Need support? Moorepay can organise an HR data protection audit where one of our consultants works with you to help ensure you’re GDPR compliant.

About the author

Mike Fitzsimmons

Mike is a Senior HR Consultant within the Moorepay Policy Team. He is responsible for developing employment documentation and is an employment law advisor. With over 30 years of senior management and HR experience, Mike has managed teams of between 30 and 100 employees and is familiar with all the issues that employing people brings. He has also served as a non-executive director on the Boards of several social enterprises and undertook a five-year tour of duty as Executive Chair of a £30+ million annual turnover Government agency.