Included in this edition of Data & Privacy News: Insurance Agent's appeal against ICO's direct marketing fine fails; Charity reports data breach to the ICO; Bank of England issues cybersecurity warning; and more...


Insurance Agent's appeal against ICO's direct marketing fine fails

Our Vault Ltd, an insurance agent and broker, has lost an appeal against a fine of £70,000 issued by the ICO in final Monetary Penalty and Enforcement Notices.

The insurance agent brought the appeal under s48 of the Data Protection Act 1998 on the basis that the ICO was not right to issue a penalty for serious contraventions of the Privacy and Electronic Communications Regulations.

The Information Rights Tribunal decided that Our Vault relied heavily on direct marketing and so should have known that its actions would risk contravention of the law, even though it did not deliberately contravene the Regulations. The insurance agent had been persistent in making unsolicited direct marketing calls to TPS subscribers, failing to take reasonable steps to prevent the contravention, and so failed to satisfy the Tribunal that it had obtained consent to all or any of the initial calls made to the TPS subscribers.

Charity reports data breach to the ICO 

Mermaids, a transgender support charity, has apologised for a data breach and immediately reported itself to the ICO, after some of its email database was discovered on the internet between 2016 and 2017.

The charity acted promptly in fixing the breach, as well as contacting those affected in line with ICO guidance, contacting families and stakeholders, reporting the incident to the Charity Commission and examining the information to decide if further measures were required. 

The ICO are currently assessing the information provided by Mermaids.

Bank of England issues cybersecurity warning 

Anil Kashyap, a member of the Bank of England's financial policy committee, has issued a warning that some organisations may struggle to defend themselves against a prolonged state-sponsored cyber-attack that corrupted their records.

Kashyap said that most organisations' cyber security efforts have focused on preventing service outages, rather than on attacks that seek to falsify records or corrupt data, and so information security teams should look to strengthen their defences against cyber-attacks.

The chair of the Treasury Committee, Nicky Morgan, has also warned that a single data breach could be fatal for the Open Banking sector following the launch of a government-backed Open Banking initiative in January 2018 that is steadily gaining traction.

Morgan said for the sector to succeed it will “have to meet the challenge of gaining the trust of their would-be customers”.

UK takes lead in setting surveillance camera security requirements

The surveillance camera commissioner for England and Wales has taken the lead in setting minimum security requirements for surveillance cameras and components to improve the UK's resilience to cyber attacks. 

In recent years, there have been several high-profile compromises of CCTV systems caused by inadequate security configurations. This has shown a need for improved manufacturing standards.

Mike Gillespie, cyber security adviser to the surveillance camera commissioner, said the requirements initially apply to systems being procured in the UK, but the ambition is to have a positive impact internationally.

Surveillance camera manufacturers Axis, Bosch, Hanwha, Hikvision and Milestone Systems helped draw up the minimum requirements and have all pledged to achieve the secure by default certification mark.

Key Contacts

Ross McKenzie

Partner, Commercial & Data Protection
Aberdeen, UK

Helena Brown

Partner, Commercial and Data Protection & Head of Data
Edinburgh, UK
