Enforcement
https://ico.org.uk/global/rss-feeds/enforcement/

Birmingham Children's Trust Community Interest Company
https://ico.org.uk/action-weve-taken/enforcement/birmingham-childrens-trust-community-interest-company/
Reprimand issued to Birmingham Children’s Trust Community Interest Company in respect of Article 5(1)(f) and 32(1)(b) and 2. A child protection plan containing inappropriate personal data, in the form of criminal allegations against a child, was sent to the family the plan was produced for. Although the care plan itself was authorised for the family to view, the criminal allegations were not relevant to the plan, or authorised for the family’s view. The investigation highlighted that appropriate technical and organisational measures were not in place at the time of the breach.
Tue, 14 May 2024 09:56:36 +0100

The Central Young Men’s Christian Association
https://ico.org.uk/action-weve-taken/enforcement/the-central-young-men-s-christian-association-reprimand/
The Central YMCA sent an email to individuals participating in a programme for people living with HIV using “CC” rather than “BCC”, revealing the email addresses to all recipients. 166 individuals could be identified or potentially identified from their email address. As a result, it could be inferred that these individuals were likely to be living with HIV. The Central YMCA have been fined £7,500 and issued a reprimand.
Tue, 30 Apr 2024 09:48:28 +0100

The Central Young Men’s Christian Association
https://ico.org.uk/action-weve-taken/enforcement/the-central-young-men-s-christian-association-mpn/
The Central YMCA sent an email to individuals participating in a programme for people living with HIV using “CC” rather than “BCC”, revealing the email addresses to all recipients. 166 individuals could be identified or potentially identified from their email address. As a result, it could be inferred that these individuals were likely to be living with HIV. The Central YMCA have been fined £7,500 and issued a reprimand.
Tue, 30 Apr 2024 09:48:12 +0100

Outsource Strategies Ltd
https://ico.org.uk/action-weve-taken/enforcement/outsource-strategies-ltd-en/
Outsource Strategies Ltd made 1,346,503 unwanted marketing calls between 11 February 2021 and 22 March 2022 to numbers registered with the TPS. The ICO received 74 complaints from people variously saying they received repeated calls despite requests to stop and that the callers were aggressive.
Wed, 24 Apr 2024 10:23:44 +0100

Outsource Strategies Ltd
https://ico.org.uk/action-weve-taken/enforcement/outsource-strategies-ltd-mpn/
Outsource Strategies Ltd made 1,346,503 unwanted marketing calls between 11 February 2021 and 22 March 2022 to numbers registered with the TPS. The ICO received 74 complaints from people variously saying they received repeated calls despite requests to stop and that the callers were aggressive.
Tue, 23 Apr 2024 15:54:10 +0100

Dr Telemarketing
https://ico.org.uk/action-weve-taken/enforcement/dr-telemarketing-monetary-penalty-notice/
Between 11 February 2021 and 24 January 2022, 80,240 connected unsolicited direct marketing calls were made to subscribers who were registered with the TPS and who had not notified DRT that they were willing to receive such calls, and two complaints were submitted as a result. Calls were about the Irish Lottery. DRT stopped engaging with the Commissioner part way through the investigation and failed to provide a satisfactory explanation for the Lotto Express calls involved in the contravention.
Tue, 23 Apr 2024 15:50:50 +0100

Dr Telemarketing
https://ico.org.uk/action-weve-taken/enforcement/dr-telemarketing-enforcement-notice/
Between 11 February 2021 and 24 January 2022, 80,240 connected unsolicited direct marketing calls were made to subscribers who were registered with the TPS and who had not notified DRT that they were willing to receive such calls, and two complaints were submitted as a result. Calls were about the Irish Lottery. DRT stopped engaging with the Commissioner part way through the investigation and failed to provide a satisfactory explanation for the Lotto Express calls involved in the contravention.
Tue, 23 Apr 2024 12:58:11 +0100

Clyde Valley Housing Association
https://ico.org.uk/action-weve-taken/enforcement/clyde-valley-housing-association/
Clyde Valley Housing Association have received the following reprimand because of an infringement that occurred in July 2022 when they released a new customer portal.
This portal included personal data of data subjects, and residents found they were able to view personal information such as names and addresses about other residents. A resident reported this to Clyde Valley Housing Association; however, this concern was not escalated appropriately, which led to data remaining viewable on the portal for a further 5 days until further residents reported the issue and Clyde Valley Housing Association suspended the portal.
Thu, 18 Apr 2024 10:00:00 +0100

University Hospital of Southampton NHS Foundation Trust
https://ico.org.uk/action-weve-taken/enforcement/university-hospital-of-southampton-nhs-foundation-trust/
A reprimand is being issued to University Hospital of Southampton NHS Foundation Trust as they have only responded to 59% of incoming SARs within the statutory timeframe during the period of 01 August 2022 to 01 July 2023.
Fri, 05 Apr 2024 09:58:26 +0100

Home Office
https://ico.org.uk/action-weve-taken/enforcement/home-office/
An enforcement notice and a warning have been issued to the Home Office for failing to assess the privacy risks posed by the electronic monitoring of people arriving in the UK by unauthorised means. The ICO has been in discussion with the Home Office regarding its pilot to place ankle tags on, and track the GPS location of, up to 600 migrants who arrived in the UK and were on immigration bail. Although the pilot ended in December 2023, the Home Office has retained the GPS location data collected by the tags and will continue to be able to access and use that data including sharing it with other third-party organisations. The enforcement notice orders the Home Office to update its internal policies, access guidance and privacy information in relation to the data retained from the pilot.
The warning issued also states that any future processing on the same basis will be in breach of data protection law and will attract enforcement action.
Thu, 21 Mar 2024 09:51:17 Z

Dover Harbour Board
https://ico.org.uk/action-weve-taken/enforcement/dover-harbour-board/
A reprimand is being issued to Dover Harbour Board in respect of the creation and use of a social media distribution group, initially created in WhatsApp but later migrated to Telegram. From the evidence provided to the ICO, the distribution groups were used by multiple UK police forces and international law enforcement agencies for the purpose of combatting vehicle crime. The distribution groups were created by an officer from the Port of Dover Police using his personal mobile phone without organisational oversight or compliance with data protection legislation.
Fri, 15 Mar 2024 09:34:05 Z

Chief Constable of Kent Police
https://ico.org.uk/action-weve-taken/enforcement/chief-constable-of-kent-police-1/
A reprimand is being issued to Kent Police in respect of an incident in February 2021 when a Kent Police officer took a photograph of an individual’s identity document using her personal mobile phone and uploaded the image onto Telegram, a social media application. From the evidence provided to the ICO, the Telegram distribution group onto which the image was uploaded was being used by multiple UK police forces and international law enforcement agencies for the purpose of combatting vehicle crime. The Kent Police officer did not inform the individual that further processing of his personal data would take place; how it would be processed; or the purpose for doing so.
Fri, 15 Mar 2024 09:32:13 Z

Mayor’s Office for Policing and Crime (MOPAC)
https://ico.org.uk/action-weve-taken/enforcement/mayor-s-office-for-policing-and-crime-mopac/
Within the London.gov.uk website, there was a webform to contact the London Victims’ Commissioner as well as other webforms. Between 11 and 14 November 2022, a member of GLA intended to give four members of MOPAC permission to the webforms. However, instead of granting permission to the four members of MOPAC, they made two web forms public. On 23 February 2023 MOPAC were made aware by a member of the public that it was possible for users to click a button that would enable users to access information on every query that had been submitted via the form. 394 people were later notified of the breach due to the nature of the personal data that was made publicly accessible on the forms.
Wed, 13 Mar 2024 16:12:48 Z

Pinnacle Life Limited
https://ico.org.uk/action-weve-taken/enforcement/pinnacle-life-limited-en/
Between 5 May 2021 and 5 May 2022, 47,998 connected unsolicited direct marketing calls were made to subscribers who were registered with the TPS and who had not notified Pinnacle Life Limited that they were willing to receive such calls, and four complaints were submitted as a result.
Thu, 07 Mar 2024 10:42:52 Z

Pinnacle Life Limited
https://ico.org.uk/action-weve-taken/enforcement/pinnacle-life-limited-mpn/
Between 5 May 2021 and 5 May 2022, 47,998 connected unsolicited direct marketing calls were made to subscribers who were registered with the TPS and who had not notified Pinnacle Life Limited that they were willing to receive such calls, and four complaints were submitted as a result.
Thu, 07 Mar 2024 10:42:43 Z

Penny Appeal
https://ico.org.uk/action-weve-taken/enforcement/penny-appeal/
The Information Commissioner’s Office (ICO) has issued an Enforcement Notice to Penny Appeal for sending 461,650 spam text messages over a ten-day period. These messages were sent to a database of individuals who had never agreed to receive marketing communication from Penny Appeal.
Fri, 01 Mar 2024 11:40:34 Z

Chief Constable West Midlands Police
https://ico.org.uk/action-weve-taken/enforcement/chief-constable-west-midlands-police/
A reprimand has been issued to West Midlands Police after the force repeatedly incorrectly linked and merged the records of two individuals with similar personal data. West Midlands Police failed to ensure the accuracy of the personal data of these two individuals, resulting in multiple incidents where officers attended a wrong address, including on one occasion when there were serious safeguarding concerns relating to one of the individuals.
Fri, 01 Mar 2024 09:57:59 Z

Ministry of Defence
https://ico.org.uk/action-weve-taken/enforcement/ministry-of-defence-1/
The MOD sent emails inadvertently using the “To” field rather than the “BCC” field. 265 unique email addresses were disclosed in breach of GDPR Article 5(1)(f). The MOD were fined £350,000.
Mon, 26 Feb 2024 09:25:45 Z

Serco Leisure Operating Limited and relevant associated Trusts
https://ico.org.uk/action-weve-taken/enforcement/serco-leisure-operating-limited-and-relevant-associated-trusts/
Serco Leisure, Serco Jersey and seven associated community leisure trusts have been issued enforcement notices ordering them to stop using facial recognition technology and fingerprint scanning to monitor employee attendance. The ICO's investigation found that Serco and the trusts have been unlawfully processing the biometric data of more than 2,000 employees at 38 leisure facilities for the purpose of monitoring attendance.
Fri, 23 Feb 2024 09:21:25 Z

Chief Constable Devon and Cornwall Police
https://ico.org.uk/action-weve-taken/enforcement/chief-constable-devon-and-cornwall-police/
Chief Constable Devon and Cornwall Police have continuously infringed Article 12(3) of the UK GDPR and Part 3, Chapter 3, Section 54 of the DPA 2018 for over four years. In this case, Devon and Cornwall Police have had a subject access request backlog since 2018 which has resulted in a large number of subject access requests not being responded to within the legislative timeframe of one or three (where extension is appropriately applied) calendar months.
Fri, 02 Feb 2024 09:29:34 Z