242 complaints were made within two months, due to an automated call marketing campaign offering “free” solar panels. The firm attempted to blame the technology used by a sub-contractor for which they claimed they had no control over. The information commissioner, Christopher Graham said the firm’s ignorance of the law was “beyond belief” and that they had to take responsibility for a clear breach of the rules.
The law (Data Protection Act 1998), is clear:
Data controllers cannot subcontract their legal responsibility for the handling of personal data.
In July 2015, we posted this article: Charity cold calling Investigation: You can’t subcontract liability. This week, an energy company promoting “Free” Solar panels has been fined for irresponsible use of personal data, via a data processor.
Christopher Graham, the Information Commissioner Photo: DAVID ROSE
“Christopher Graham, the information commissioner, dismissed the company lawyer’s attempts to blame a third party company for the breach.”
The telegraph news article reports:
A green energy company which made six million nuisance calls has been handed a record £200,000 fine.
Glasgow-based Home Energy & Lifestyle Management Ltd (Helms) was investigated by the Information Commissioner after 242 consumers contacted the Information Commissioner’s Office (ICO) in two months to complain about the calls.
The company blamed a third party firm it hired to make calls and said it was appealing against the ruling.
In this case, the firm “Helms” (data controller) is liable for their sub-contractor’s (data processor) technology failures that resulted in the breach of rules, despite, as the firm claims that they had no control over the sub-contractors technology. As the firm is liable they will incur the £200,000 penalty.
This point of highlighting this news item is that it relates to organisations and who they use to dispose of their confidential waste. Organisations must ensure that sub contractors who handle confidential waste on their behalf must have the assurances and certifications in place to prevent security incidents regarding personal data.
It is therefore vital that data controllers routinely review how their shredding company will handle the data in a safe way.
Related articles:
News: Charity cold calling Investigation: You can’t subcontract liability
Download centre: What is the Data Protection Act?