Data Protection

12 March 2015 

A former customer service assistant at Lloyds Banking Group has been prosecuted at Burnley Magistrates Court for unlawfully accessing a former partner’s bank account. They were fined £250 and ordered to pay a victims surcharge of £25.


26 February 2015 A former support clerk working for Transport for London has been prosecuted at Westminster Magistrates Court for unlawfully accessing the oyster card records of five individuals who were family members and neighbours. They were fined £240, ordered to pay a victims surcharge of £20 and £618 prosecution costs.


24 February 2014 An online holiday insurance company has been fined £175,000 by the ICO after IT security failings let hackers access customer records. More than 5,000 customers had their credit cards used by fraudsters after the attack.

Attackers potentially had access to over 100,000 live credit card details, as well as customers’ medical details. Credit card CVV numbers, the security number on the signature strips of the cards, were also accessible despite industry rules that they should not be stored at all.


6 January 2015 A green deal energy company, has been prosecuted for failing to respond to an information notice. The company was fined was fined £5000, ordered to pay a £120 victim surcharge and £489.85 prosecution costs.


22 December 2014 The Information Commissioner’s Office (ICO) has fined a marketing company based in London £90,000 for continually making nuisance calls targeting vulnerable victims. In several cases, the calls resulted in elderly people being tricked into paying for boiler insurance they didn’t need.


5 December 2014 The company behind Manchester’s annual festival, the Parklife Weekender has been fined £70,000 after sending unsolicited marketing text messages.

The text was sent to 70,000 people who had bought tickets to last year’s event, and appeared on the recipients’ mobile phone to have been sent by “Mum”.


13 November 2014 A former pharmacist working for West Sussex Primary Care Trust has been prosecuted for unlawfully accessing the medical records of family members, work colleagues and local health professionals. They were fined £1000, ordered to pay a £100 victim surcharge and £608.30 prosecution costs.


11 November 2014 A company director has been fined after illegally accessing one of Everything Everywhere’s (EE) customer databases. He used details of when customers were due a mobile phone upgrade to target them with services offered by his own telecoms companies.


5 November 2014 A hotel booking website was fined £7,500 following a serious data breach where a vulnerability on the company’s site allowed attackers to access the full payment card details of 3,814 customers.


1 October 2014 The ICO has issued a £70,000 fine to a Devon marketing firm responsible for hundreds of nuisance calls. The company was responsible for 630 complaints to the ICO and the TPS between 1 March 2013 and 28 February 2014. They failed to make sure that those registered with the TPS, or who’d previously asked not to be contacted, weren’t being called.


26th August 2014. A monetary penalty notice has been served on a Ministry for £180,000 over serious failings in the way prisons in England and Wales have been handling people’s information.


28 July 2014. The information Commissioner’s Office served a company with a £50,000 fine after an investigation discovered they had made unsolicited calls to hundreds of people who had registered with the Telephone Preference Service.


23 July 2014. An online travel services company, has been served a £150,000 monetary penalty after a serious breach of the Data Protection Act revealed thousands of people’s details to a malicious hacker.


3 April 2014. A home improvement company  was served with a £50,000 fine after an investigation discovered they had made unsolicited marketing calls to people who had registered with the Telephone Preference Service.


19 March 2014. A Police Service fined £100,000 after highly sensitive and confidential information, including copies of police interview tapes, were left in a basement at the former site of a police station.


7 March 2014. A charity was fined £200,000. Hacker threatened to publish thousands of names of people who sought advice on abortion, pregnancy and contraception. The charity didn’t know that its website was storing the names, address, date of birth and telephone number of people who asked for a call back for advice. This personal data wasn’t stored securely and a vulnerability in the website’s code allowed a hacker to obtain the information.


14 January 2014. A monetary penalty of £185,000 has been served on Government Department after a filing cabinet containing details of a terrorist incident was sold at auction.


16 December 2013. A monetary penalty of £175,000 has been served on a pay day loans company who sent millions of spam text messages. Pay day loans company and its director prosecuted for failing to register. If you handle personal data you are required to register unless you are exempt. Failing to register is not only a criminal offence but the ICO says “that it shows that a company holds a clear disregard for looking after and protecting the personal information of their customers”.


29 October 2013. A monetary penalty of £80,000 has been served on a Council after the loss of an unencrypted memory device containing personal data and sensitive personal data relating to 286 children.


22 October 2013. A monetary penalty notice (£112,000) has been served on a Ministry for failing to keep personal data securely, after spreadsheets showing prisoners’ details were emailed to members of the public in error.


26 September 2013. A monetary penalty of £5,000 has been served on a small money-lending business, after the theft of an unencrypted portable hard drive containing its customer database. A sole trader was fined £5000 after an unencrypted laptop was stolen from a car. Business owners must take adequate care to ensure customers information is protected from unauthorised or unlawful access.  Encryption means that even if a device is lost or stolen, the information will remain secure as long as the encryption key remains secure.


29 August 2013. A monetary penalty of £100,000 has been served on a City Council after inadequate homeworking arrangements led to 39 pages of personal data being uploaded onto the internet by a Council employee.


23 August 2013. A monetary penalty notice of £70,000 has been served to a Borough Council after personal details of over 2,000 residents were released online via the What Do They Know (WDTK) website.


20 March 2013. A monetary penalty of £90,000 has been served to a bedroom design company. The company has been the subject of nearly 2,000 complaints to the ICO and the Telephone Preference Service. The company consistently failed to check whether individuals had opted out of receiving marketing calls and responded to just a handful of the complaints received.


28 November 2012. Monetary penalties of £300,000 and £140,000 have been served to the joint owners of a telecoms company. The company had sent millions of unlawful spam texts to the public over the past three years.


6 November 2012. A monetary penalty of £50,000 was issued to an insurance company after a mix-up over the administration of two customers’ accounts led to tens of thousands of pounds, meant for an individual’s retirement fund, ending up in the wrong account.