
The Information Commissioner is likely to be "all talk" over pension pot abuse

Based on my experience of submitting many complaints to the ICO, it's not clear what the ICO can do

This week it was reported in the news that companies found to have breached data protection law by selling people's pension pot details face fines of up to £500,000 [Source: the Daily Mail]. I'd take this with a pinch of salt because it's unlikely that the Information Commissioner or the Head of Enforcement has any intention of taking legal action. As such, this is just a PR exercise.

Let's be clear, if the ICO really wanted to take legal action against a company for abusing the rights of their data subjects then I gave them a gift horse in Dennis Publishing and their million-strong marketing database. The ICO's Intelligence Hub investigated my complaint but did nothing. Neither did they bother to explain to me why they are not going to prosecute abuse on such a grand scale. Have Dennis Publishing agreed to change their ways? I don't know. What I do know is that I wasted my time bringing the matter to the attention of the ICO. There's always some excuse. "We will only take action if it's a major breach." "We will only take action if it's a criminal offence." "We only take action if enough people have complained." What about taking action because the company has clearly processed personal data in a way that conflicts with the view of the Commissioner and that company has no intention of changing their ways?

What I don't understand is how the Commissioner is able to draw a distinction between Dennis Publishing and those legitimate companies that pay good money to purchase a dodgy pension pot mailing list. What are the criteria for prosecution? Is it because the data controller obtained the mailing list from a third party? If so, then is it okay for data controllers to abuse the rights of data subjects by building their own dodgy mailing list but if they purchase a dodgy third party mailing list they are liable for prosecution? If the data controller is failing to obtain valid consent prior to targeting individuals with unsolicited electronic marketing then does it matter whether the mailing list is home grown or third party? What if the UK data controller uses an overseas company to send the e-mails? The UK data controller will be untouchable, right? According to the ICO they will be. This view was clearly expressed in my complaint against Aspect Web Media (AWM) last year (RFA0554944). Indeed, AWM informed me that they were not liable, they told me:

Given your familiarity with data protection laws, I am certain you know the ICO cannot investigate issues arising from marketing emails sent by overseas companies. Ergo you are trying to establish a connection between the data controller and data processor by naming UK companies.

I was indeed trying to establish that AWM was the data controller and that the third party overseas company was just the data processor. However, AWM were adamant that because their company didn't send me the marketing e-mails, it had nothing to do with them. I wonder how many of the pension pot marketing companies that the Commissioner has vowed to prosecute are going to rely on the same argument? As is often the case the ICO were utterly useless, they said:

From the information you have provided to us it does not appear that Aspect Web Media has breached the DPA and the issue you have raised does not suggest any wider concerns about Aspect Web Media’s information rights practices. Aspect Web Media does not appear to be a data processor or data controller – it acts as an agency for clients who want to advertise with email marketing. Aspect Web Media do not appear to have processed your personal data. We have not raised your concern with Aspect Web Media and are not taking any further action in relation to your concern.

Yeah, so who made the decision about how the mailing list should be processed? AWM signed a contract with the third party overseas company so I tried to argue that they were either the data controller or joint data controller. I haven't written this case up yet. Well I have but when I showed AWM a preview of the article they suggested that parts of it were likely to be libellous so I'm going to take my time writing it up and probably run it by the solicitors first.

Aspect Web Media have now changed their company name to Conectia yet funnily enough, on their homepage today, the 25 August 2016, they state that they've been providing a service for over a decade - really? I find that hard to believe when Conectia Limited didn't start trading until 2009. Which was also when they registered as a data controller with the ICO. Nice way to greet potential clients.

In this case, the mailing list that contained my e-mail address was apparently obtained from a dodgy Singapore website and it made its way into the UK and was eventually used by a legitimate company to promote their products to me. I made the ICO aware of every aspect of this case yet, as you can see, they didn't have any concerns. Just as they had no concerns about Dennis Publishing.

They're all talk! The ICO has no intention whatsoever of taking any action against any company unless they are bombarded with complaints about the same company. Dennis Publishing is a prime example. It's likely to be abuse on a massive scale yet because just one person has brought the matter to the attention of the ICO they're not interested.

The problem is that there are so many small marketing companies operating behind the scenes that the corrupt mailing lists are likely being "laundered" and ultimately sold to legitimate companies. In the AWM case there were many different companies involved so it's not easy to clarify who did what. I encountered a similar situation when I followed up on a PPI text two years ago. I eventually managed to find the company that provided my mobile phone information to the PPI company. I submitted two Subject Access Requests to that company but never received a response. What do you think the ICO did? Nothing! The only option left open to me was to hand over a £5K retainer to my solicitors and take the company to court under section 7(9) of the DPA with no assurance that I would be able to recover my costs. It was a one man band company operating from a house and it's likely that he spent all day just farming mobile phone numbers. And of course the PPI company were adamant that they had obtained the mailing list from a genuine company.

In light of my past experience with the ICO, I fail to see how the Commissioner and the Head of Enforcement can state that they're going to prosecute anyone over the pension pot mailing lists. Forget the ICO - they are a waste of space! It's just some nob-end saying that he's going to do this and that when the reality is, the case officers that deal with the complaints are largely incompetent while the more senior managers just blow their trumpets to grab the headlines. I can pretty much guarantee that the only way that any company will be prosecuted over pension pot abuse will be if thousands and thousands of individuals submit complaints about a particular company. But if the company knows what it's doing then it's easy to remain below the ICO's radar.

What we need is a change to the law.

Actually, I'd like to see the following changes:

1. I would like to see the data processing purpose of Advertising, Marketing and Public Relations become a non-exempt purpose. This would require any UK company that wishes to process personal data for direct marketing to notify the ICO and register as a data controller. Failure to notify is a criminal offence unless one is exempt. Having said that, over the years I've made the ICO aware of a number of companies that should have notified but hadn't and the ICO didn't do anything. This supports my view that the ICO is reluctant to prosecute anyone.

2. A data controller should be required to register any mailing list that they wish to use to target individuals with unsolicited electronic marketing with the ICO before using it. As part of the registration process the data controller would need to confirm the method used to obtain consent from the individuals contained within the list and the CEO of the company would be liable for prosecution for any incorrect or misleading information provided as part of the registration. This information should be made public.

3. A data controller should be required to prominently quote their ICO registration reference as well as the mailing list reference on all unsolicited electronic mail by law. Failure to quote either should result in prosecution. I should then be able to look-up the mailing list information on the ICO's website to learn how the company has obtained my consent. If I disagree I'll be able to submit a complaint to the ICO. My complaint should have far more impact because the company has already stated how they obtained my consent.

4. Individuals are entitled to seek a court order against any data controller that fails to comply with section 7 of the DPA (subject access) or section 11 of the DPA (direct marketing). At the moment though this is an expensive crown court affair. This should be changed so that individuals are entitled to claim a fixed fee in the small claims court if a company abuses their rights under section 7 or section 11. I can't stress enough how useless the ICO is at dealing with Subject Access Request (SAR) complaints. For example, they have no concept of what constitutes an excessive request in an SAR and this is why the ICO concluded that O2 did not have to comply with my SAR until I provided them with a three year old receipt for my SIM (RCC0518635). Let me just repeat that - O2 demanded that I provide the receipt for my SIM to prove that I am who I claim to be and the ICO said that O2 did not need to comply with my SAR until I provided that three year old receipt. You've got to be kidding me! You incompetent twats! And when it comes to direct marketing, the ICO is of the view that a promotional service message is not direct marketing (RCC0500824). Utterly, utterly clueless!

Conclusion

It's 2015 yet nearly every single legitimate company in the UK is failing to process personal data in accordance with UK data protection laws and regulations. And what's the Commissioner doing about it? Nothing! In the meantime text and e-mail abuse is out of control. Try it for yourself. Pick any advert slot on the TV, make a note of the companies advertising and at least 70% of those companies will be failing to process personal data in accordance with the Commissioner's guidance. No one gives a toss about the Commissioner's guidance - including his own case officers that deal with complaints.

Let me state it loud and clear - the ICO is not fit for purpose! As such, it's highly unlikely that the Information Commissioner will do anything to curb the abuse of pension pot marketing by dodgy companies. Like I say, the only strategy that I'm aware of is one where they will take action only if they receive thousands of complaints about the same company.

Added: 05.04.2015 | Last updated: 25.08.2016