ICO - Rancom Security Limited
From GDPRhub
| ICO - Rancom Security Limited | |
|---|---|
 | |
| Authority: | ICO (UK) |
| Jurisdiction: | United Kingdom |
| Relevant Law: | Section 55A Regulation 21 |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 27.01.2021 |
| Published: | |
| Fine: | 110000 GBP |
| Parties: | Rancom Security Limited |
| National Case Number/Name: | Rancom Security Limited |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | English |
| Original Source: | ICO's Website (in EN) |
| Initial Contributor: | alex.tracks.privacy |
The Information Commissioner's Office (UK) has issued a fine to a security systems company that received 94 complaints because of unsolicited direct marketing calls violating the Data Protection Act (DPA) and the Privacy and Electronic Communications Regulations (PECR).
English Summary
Facts
Between 1 June 2017 and 31 May 2018, the ICO received 94 complaints about unsolicited direct marketing calls made by Rancom. Of those, 66 complaints were made to the TPS, with a further 28 made direct to the Commissioner. All of these complaints were made by individual subscribers who were registered with the TPS.
Dispute
On 3 July 2018, the Commissioner wrote to Rancom to explain that she could issue civil monetary penalties of up to £500,000 for PECR breaches. The letter informed Rancom that the Commissioner and the TPS had received complaints from individual subscribers in relation to unsolicited calls.
Rancom was asked a number of questions about its compliance with PECR. The Commissioner received a response from Rancom explaining that it purchased TPS screened data from third parties and also had acquired some data from other security companies it had taken over. They advised that no further due diligence or screening of the data was carried out. A contrary response was later provided to the Information Commissioner's Office indicating that they screen approximately 10% of the data they received against the TPS list.
The Commissioner found that there is no record of Rancom itself possessing or ever having possessed a TPS license. They explained that when a complaint was received that person's data would be removed immediately from their system.
Holding
The Commissioner has issued statutory guidance under section 55C (1) of the DPA about the issuing of monetary penalties that has been published on the ICO’s website. The Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 prescribe that the amount of any penalty determined by the Commissioner must not exceed £500,000.
Comment
Here are two examples of the complaints received by the ICO which in a practical manner what should not occur:
“I was very annoyed that someone was targeting my mother with lies in the hope she would buy something from them. She told them the first time that she wasn't interested but they phoned twice more. She is anxious about them phoning again.”
“Promoting security service offer in 'my area'. When I mentioned that I was registered with the Telephone Preference Service, the lady told me that if I had registered for the 'free' service they were still allowed to call me. When I complained, she became aggressive and would not stop reading from what appeared to be a prepared script. I hung up.”
In the UK, you can register your number in the TPS (Telephone Preference Services Limited) which is a "blacklist" of telephone numbers that should not be contacted for direct marketing. The number of calls made to TPS registered individuals accounts for 66% of the total call volume, this shows a disregard for the legislation surrounding the making of marketing calls and suggests that Rancom made very little effort to screen the data they were using against the TPS.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
•
ICO.
InformationCommissioner's ffice
DATA PROTECTION ACT 1998
SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER
MONETARY PENALTY NOTICE
To: Rancom Security Limited
Of: Serenity House, 31 Gate Lane, Boldmere, Sutton Coldfield, West
Midlands, B73 5TR
1. The Information Commissioner (“Commissioner”)has decided to issue
Rancom Security Limited (“Rancom”) with a monetary penalty under
section 55A of the Data Protection Act 1998 (“DPA”). The penalty is
being issued because of a serious contravention of regulation 21 of the
Privacy and Electronic Communications (EC Directive) Regulations 2003
(“PECR”).
2. This notice explains the Commissioner’s decision.
Legal framework
3. Rancom, whose registered office is given above(companies house
registration number:04673465), is the person stated in this notice to
have used a public electronic communications service for the purpose
of making unsolicited calls for the purposes of direct marketing
contrary to regulation 21 of PECR.
1 •
ICO.
InformationCommissioner's ffice
4. Regulation 21 applies to the making of unsolicited calls for direct
marketing purposes. It means that if a company wants to make calls
promoting a product or service to an individual who has a telephone
number which is registered with the Telephone Preference Service Ltd
(“TPS”), then that individual must have given their consent to that
company to receive such calls.
5. Regulation 21 paragraph (1) of PECR provides that:
“(1) A person shall neither use, nor instigate the use of, a public
electronic communications service for the purposes of making
unsolicited calls for direct marketing purposes where-
(a) the called line is that of a subscriber who has previously
notified the caller that such calls should not for the time being
be made on that line; or
(b) the number allocated to a subscriber in respect of the called
line is one listed in the register kept under regulation 26.”
6. Regulation 21 paragraphs (2), (3), (4) and (5) provide that:
“(2) A subscriber shall not permit his line to be used in contravention
of paragraph (1).
(3) A person shall not be held to have contravened paragraph (1)(b)
where the number allocated to the called line has been listed on the
register for less than 28 days preceding that on which the call is
made.
2 •
ICO.
InformationCommissioner's ffice
(4) Where a subscriber who has caused a number allocated to a line of
his to be listed in the register kept under regulation 26 has notified
a caller that he does not, for the time being, object to such calls
being made on that line by that caller, such calls may be made by
that caller on that line, notwithstanding that the number allocated
to that line is listed in the said register.
(5) Where a subscriber has given a caller notification pursuant to
paragraph (4) in relation to a line of his —
(a) the subscriber shall be free to withdraw that notification at any
time, and
(b) where such notification is withdrawn, the caller shall not make such
calls on that line.”
7. Under regulation 26 of PECR, the Commissioner is required to maintain
a register of numbers allocated to subscribers who have notified them
that they do not wish, for the time being, to receive unsolicited calls for
direct marketing purposes on those lines. The Telephone Preference
Service Limited (“TPS”) is a limited company which operates the
register on the Commissioner’s behalf.Businesses who wish to carry
out direct marketing by telephone can subscribe to the TPS for a fee
and receive from them monthly a list of numbers on that register.
8. Section 122(5) of the DPA18 defines direct marketing as “the
communication (by whatever means) of any advertising material which
is directed to particular individuals”. This definition also applies for the
purposes of PECR (see regulation 2(2) PECR & Schedule 19 paragraph
430 & 432(6) DPA18).
3 •
ICO.
InformationCommissioner's ffice
9. Under section 55A (1) of the DPA (as amended by PECR 2011 and the
Privacy and Electronic Communications (Amendment) Regulations
2015) the Commissioner may serve a person with a monetary penalty
notice if the Commissioner is satisfied that –
“(a) there has been a serious contravention of the requirements of the
Privacy and Electronic Communications (EC Directive) Regulations
2003 by the person, and
(b) subsection (2) or (3) applies.
(2) This subsection applies if the contravention was deliberate.
(3) This subsection applies if the person –
(a) knew or ought to have known that there was a risk that
the contravention would occur, but
(b) failed to take reasonable steps to prevent the
contravention.”
10. The Commissioner has issued statutory guidance under section 55C (1)
of the DPA about the issuing of monetary penalties that has been
published on the ICO’s website. The Data Protection (Monetary
Penalties) (Maximum Penalty and Notices) Regulations 2010 prescribe
that the amount of any penalty determined by the Commissioner must
not exceed £500,000.
11. PECR implemented European legislation (Directive 2002/58/EC) aimed
at the protection of the individual’s fundamental right to privacy in the
electronic communications sector. PECR were amended for the purpose
4 •
ICO.
InformationCommissioner's ffice
of giving effect to Directive 2009/136/EC which amended and
strengthened the 2002 provisions. The Commissioner approaches the
PECR regulations so as to give effect to the Directives.
12. The provisions of the DPA remain in force for the purposes of PECR
notwithstanding the introduction of the Data Protection Act 2018 (see
paragraph 58(1) of Part 9, Schedule 20 of that Act).
Background to the case
13. Rancom is a security firm which provides fully monitored security
systems for the home, as well as connected systems for fire, medical
and police response.
14. Between 1 June 2017 and 31 May 2018, the ICO received 94
complaints about unsolicited direct marketing calls made by Rancom .
Of those, 66 complaints were made to the TPS, with a further 28 made
direct to the Commissioner. All of these complaints were made by
individual subscribers who were registered with the TPS.
15. The following are examples of the complaints received by the ICO:
• “The caller asked for confirmation of my name and address,
then proceeded to say that due to an increase in false home
security alarms in my area the police no longer responded to
them. Then he said somebody will be in my area to advise on
'home security.”
• “I was very annoyed that someone was targeting my mother
with lies in the hope she would buy something from them.
She told them the first time that she wasn't interested but
5 •
ICO.
InformationCommissioner's ffice
they phoned twice more. She is anxious about them phoning
again.”
• “Our phone is registered with TPS and is ex-directory, how
did he get our phone number. He knew my wife's name and
that he knew the street that we lived in. Also claiming that
he was doing a security checkIt is of course very worrying
that he had our details with out our permission. After looking
the phone number it is very worrying that that this company
is targeting older people.”
• “Promoting security service offer in 'my area'. When I
mentioned that I was registered with the Telephone
Preference Service, the lady told me that if I had registered
for the 'free' service they were still allowed to call me. When I
complained, she became aggressive and would not stop
reading from what appeared to be a prepared script. I hung
up.”
16. On 3 July 2018, the Commissioner wrote to Rancom to explain that she
could issue civil monetary penalties up to £500,000 for PECR breaches.
The letter informed Rancom that the Commissioner and the TPS had
received complaints from individual subscribers in relation to
unsolicited calls. Rancom was asked a number of questions about its
compliance with PECR.
17. The Commissioner received a response from Rancom explaining that it
purchased TPS screened data from third parties and also had acquired
some data from other security companies it had taken over. They
advised that no further due diligence or screening of the data was
carried out. A contrary response was later providedto the
6 •
ICO.
InformationCommissioner's ffice
Commissioner indicating that they screen approximately 10% of the
data they received against the TPS list. The Commissioner found that
there is no record of Rancom itself possessing or ever having
possessed a TPS license. They explained that when a complaint was
received that persons data would be removed immediately from their
system.
18. Rancom further explained in correspondence that the majority of the
dialled numbers listed in the provided complaints were obtained from
two different third party data providers. They reiterated that they
believed that the numbers were TPS screened and provided standard
form contracts and terms and conditions to that effect. These were
found by the Commissioner to contain non liability clauses that state
the data provided may not be accurate, and neither of the contracts
were signed or data. Rancom explained that it could not confirm the
specific sources of the data as the data had been deleted by two
former employees when they left in July 2017.
19. Despite repeated requests from the Commissioner, Rancom were
unable to confirm how many of their outb ound calls made during the
contravention period were made for marketing purposes.They
indicated that this was because a number of organisations used their
telephone system. These organisations were based in the same
building and with whom they had a commercial arrangement where
they were permitted to use the lines in exchange for contributions
towards the telephony costs. It revealed that ‘some’ marketing staff
made calls on behalf of various companies from the same number . As
Rancom did not keep, or no longer had access to, records on these
calls, the number attributable to marketing was therefore unable to be
determined.
7 •
ICO.
InformationCommissioner's ffice
20. In later representations provided to the Commissioner(see para 50
below), Rancom disputed that the calls at the heart of th is
contravention were made for direct marketing purposes, instead
stating that these were ‘market research’ calls made at a time when
Rancom was considering a change of business model utilising private
security responders. Rancom provided the Commissioner with no
material evidence supporting the existence of a research project, other
than a script apparently used in those calls. Rancom also stated that it
made calls for other general business purposes such as calls to
nominated keyholders and relatives. Rancom has not however been
able to provide any evidence as to how many calls were made for
these purposes.
21. The Commissioner has considered the narrative of complaints, and
remains unconvinced that the calls leading to those complaints were
not for direct marketing purposes. The definition of direct marketing
(see para 8 above) covers all advertising or promotional material. If a
survey includes any promotional material or collects details to use in
future marketing campaigns, the survey is for direct marketing
purposes and the rules apply. Furthermore, the Commissioner’s Direct
Marketing Guidance: states that “if an organisation claims it is simply
conducting a survey when its real purpose (or one of its purposes) is to
sell goods or services, generate leads, or collect data for marketing
purposes, it will be breaching the DPA when it processes the data. It
might also be in breach of PECR if it has called a number registered
with the TPS, sent a text or email without consent, or instigated
someone else to do so.” Whilst Rancom say they were conducting
market research (which the Commissioner does not accept), the
_____________________________________________________________
https://ico.org.uk/media/for-organisations/documents/1555/direc-marketing-
guidance.pdf
8 •
ICO.
InformationCommissioner's ffice
Commissioner’s view, following her own guidance and evidenced by
complaints, which referenced offers of security checks and advice, is
that those calls also included marketing or promotional material, and
as such the rules apply.
22. The Commissioner’s investigation revealed that at least 1 outbound CLI
was being used to make unsolicited marketing calls. Call dialler records
obtained for this number show that a total of 851,392 calls were made
by Rancom within the period of 1 June 2017 to 31 May 2018. This list
was filtered to establish the number of calls m ade to numbers which
were registered with the TPS at least 28 days before receiving a call to
show that there were 565,344 such calls made.
23. The Commissioner has made the above findings of fact on the
balance of probabilities.
24. The Commissioner has considered whether those facts constitute a
contravention of regulation 21 of PECR by Rancom and, if so, whether
the conditions of section 55A DPA are satisfied.
The contravention
25. The Commissioner finds that Rancom contravened regulation 21 of
PECR.
26. The Commissioner finds that the contravention was as follows:
9 •
ICO.
InformationCommissioner's ffice
27. Between 1 June 2017 and 31 May 2018, Rancom used a public
telecommunications service for the purpose of making 94 unsolicited
calls for direct marketing purposes to subscribers where the number
allocated to the subscriber in respect of the line called was a number
listed on the register of numbers kept by the Commissioner in
accordance with regulation 26, contrary to regulation 21(1)(b) of
PECR; and
28. The Commissioner is also satisfied for the purposes of regulation 21
that these calls were made to subscribers who had registered with the
TPS at least 28 days prior to receiving the calls and had not given their
prior consent to Rancom to receive calls.
29. The Commissioner has gone on to consider whether the conditions
under section 55A DPA are met.
Seriousness of the contravention
30. The Commissioner is satisfied that the contravention identified
above was serious. This is because there have been multiple breaches
of regulation 21 by Rancom’s activities over a 12 month period, and
this led to a significant number of complaints about unsolicited direct
marketing calls to the TPS and the Commissioner.
31. In addition, it is reasonable to suppose that the contravention could
have been far higher because those who went to the trouble to
complain represent only a proportion of those who actually received
calls.
32. The Commissioner is therefore satisfied that condition (a) from
section 55A (1) DPA is met.
10 •
ICO.
InformationCommissioner's ffice
Deliberate or negligent contraventions
33. The Commissioner has considered whether the contravention identified
above was deliberate. In the Commissioner’s view, this means that
Rancom’s actions which constituted that contravention were deliberate
actions (even if Rancom did not actually intend thereby to contravene
PECR).
34. The Commissioner considers that in this case Rancom did not
deliberately contravene regulation 21 of PECR in that sense.
35. The Commissioner has gone on to consider whether the contravention
identified above was negligent.
36. First, she has considered whether Rancom knew or ought reasonably to
have known that there was a risk that this contravention would occur.
She is satisfied that this condition is met, given that Rancom relied
heavily on direct marketing due to the nature of its business, and the
fact that the issue of unsolicited calls has been widely publicised by the
media as being a problem. In its representations to the Commissioner,
Rancom stated that it no longer conducts direct marketing, instead
focussing upon maintaining its existing database, however the
Commissioner remains satisfied that Rancom was reliant upon direct
marketing, at the very least prior to changing its business model , and
as such should have been aware of the risk of contraventions of this
type.
37. Rancom, previously named Direct Response Security Systems Limited,
had been subject to an Enforcement Notice issued by the
Commissioner in 2010. This also related to Regulation 21 of PECR and
11 •
ICO.
InformationCommissioner's ffice
outlined steps it was to incorporate with regards to how it used data for
marketing purposes, including the need to screen against the TPS. The
current directors of Rancom were in place at the time of the
Commissioner’s previous enforcement action. It is therefore reasonable
to assume that Rancom were aware of the requirements of PECR and
should have had appropriate measures in place to ensure compliance.
They were also aware of the consequences of not doing so.
38. Each time a complaint is made to the TPS, the TPS inform the company
complained about. Rancom would therefore have been aware that
complaints were being made by TPS subscribers which should have
prompted them to take steps to investigate the reasons for this and to
address any deficiencies in their practices.
39. The number of calls made to TPS registered individuals accounts for
66% of the total call volume, this shows a disregard for the legislation
surrounding the making of marketing calls and suggests that Rancom
made very little effort to screen the data they were using against the
TPS.
40. The Commissioner has also published detailed guidance for companies
carrying out marketing explaining their legal requirements under PECR.
This guidance explains the circumstances under which organisations
are able to carry out marketing over the phone,by text, by email, by
post or by fax. Specifically, it states that live calls must not be made to
subscribers who have told an organisation that they do not want to
receive calls; or to any number registered with the TPS, unless the
subscriber has specifically consented to receive calls.
12 •
ICO.
InformationCommissioner's ffice
41. Finally, the Commissioner has gone on to consider whether Rancom
failed to take reasonable steps to prevent the contravention. Again, she
is satisfied that this condition is met.
42. Reasonable steps in these circumstances would have included ensuring
that Rancom could evidence consents relied upon to make marketing
calls and screening the data against the TPS register. Rancom stated in
representations to the Commissioner that it screened 10% of its leads
against the TPS database, however there is no evidence that Rancom
had purchased a TPS licence, and any such screening was clearly
inadequate. Rancom also claimed to operate an internal suppression
list, however complaints alluded to multiple calls to the same number
despite suppression requests, and therefore any such system was
ineffective. Contracts being in place with its third party data suppliers
does not absolve Rancom of their own responsibilities to ensure that
the data they use is complaint. Whilst they relied on these contracts
they contained non liability clauses and neither were signed and dated.
43. In addition, Rancom has allowed other organisations to use its lines. It
kept no record of how many calls were made by these other
organisations. This shows poor business practice and is suggestive of a
cavalier approach to PECR. This further suggests that they failed to
take reasonable steps to prevent the contravention.
44. The Commissioner is therefore satisfied that Rancom failed to take
reasonable steps to prevent the contravention.
45. The Commissioner is therefore satisfied that condition (b) from section
55A (1) DPA is met.
The Commissioner’s decision to impose a penalty
13 •
ICO.
InformationCommissioner's ffice
46. The Commissioner has taken into account the following
aggravating features of this case:
• Complainants to both the Commissioner and the TPS referred to
the aggressive and misleading nature of the calls with some
indicating that they have received multiple calls.
• There has been deliberate action for financial or personal gain.
The business was generating leads via marketing calls in order to
create profit;
• Advice and guidance has been ignored or not acted upon. This is
published on the Commissioner’s website and is available via its
advice services.
• Rancom’s directors have been subject to a previous investigation
by the Commissioner for contraventions of Regulation 21 of PECR
which had resulted in an enforcement notice being issued in
2010. They therefore should have been especially aware of the
necessity to the comply with the Regulations .
47. The Commissioner has also taken into account the following
mitigating features of this case:
• Rancom stated that they have stopped making marketing calls
and have only retained their database of existing customers. The
Commissioner has not identified any further complaints that can
be attributed to this company since the 1 January 2019 which
may be indicative that the company’s activities are now
14 •
ICO.
InformationCommissioner's ffice
compliant. For this reason the Commissioner has decided not to
also issue Rancom with an Enforcement Notice.
48. For the reasons explained above, the Commissioner is satisfied that the
conditions from section 55A(1) DPA have been met in this case. She is
also satisfied that the procedural rights under section 55B have been
complied with.
49. The latter has included the issuing of a Notice of Intent dated 12
October 2020, in which the Commissioner set out her preliminary
thinking.
50. In reaching her final decision the Commissioner has considered
representations received from Rancom dated 20 and 27 November
2020. Nothing in Rancom’s representations has persuaded the
Commissioner to alter her view as previously expressed in the Notice of
Intent.
51. The Commissioner is accordingly entitled to issue a monetary penalty
in this case.
52. The Commissioner has considered whether, in the circumstances, she
should exercise her discretion so as to issue a monetary penalty.
53. The Commissioner’s underlying objective in imposing a monetary
penalty notice is to promote compliance with PECR. The making of
unsolicited direct marketing calls is a matter of significant public
concern. A monetary penalty in this case should act as a general
encouragement towards compliance with the law, or at least as a
deterrent against non-compliance, on the part of all persons running
businesses currently engaging in these practices. This is an opportunity
15 •
ICO.
InformationCommissioner's ffice
to reinforce the need for businesses to ensure that they are only
telephoning consumers who want to receive these calls.
54. In this case the Commissioner considers that a monetary penalty is an
appropriate and proportionate response to the finding of a serious
contravention by Rancom.
The amount of the penalty
55. Taking into account all of the above, the Commissioner has decided
that a penalty in the sum of £110,000 (One hundred and ten
thousand pounds) is reasonable and proportionate given the
particular facts of the case and the underlying objective in imposing the
penalty.
Conclusion
56. The monetary penalty must be paid to the Commissioner’s office by
BACS transfer or cheque by 25 February 2021 at the latest. The
monetary penalty is not kept by the Commissioner but will be paid into
the Consolidated Fund which is the Government’s general bank account
at the Bank of England.
57. If the Commissioner receives full payment of the monetary penalty by 24
February 2021 the Commissioner will reduce the monetary penalty by
20% to £88 ,000 (Eighty eight thousand pounds). However, you
should be aware that the early payment discount is not available if you
decide to exercise your right of appeal.
16 •
ICO.
InformationCommissioner's ffice
58. There is a right of appeal to the First-tier Tribunal (Information Rights)
against:
a) the imposition of the monetary penalty
and/or;
b) the amount of the penalty specified in the monetary penalty
notice.
59. Any notice of appeal should be received by the Tribunal within 28 days
of the date of this monetary penalty notice.
60. Information about appeals is set out in Annex 1.
61. The Commissioner will not take action to enforce a monetary penalty
unless:
• the period specified within the notice within which a monetary penalty
must be paid has expired and all or any of the monetary penalty has
not been paid;
• all relevant appeals against the monetary penalty notice and any
variation of it have either been decided or withdrawn; and
• the period for appealing against the monetary penalty and any
variation of it has expired.
62. In England, Wales and Northern Ireland, the monetary penalty is
recoverable by Order of the County Court or the High Court. In
Scotland, the monetary penalty can be enforced in the same manner
as an extract registered decree arbitral bearing a warrant for execution
issued by the sheriff court of any sheriffdom in Scotland.
17 •
ICO.
InformationCommissioner's ffice
Dated the 25th day of January 2021
Head of Investigations
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AFe
18 •
ICO.
InformationCommissioner's ffice
ANNEX 1
SECTION 55 A-E OF THE DATA PROTECTION ACT 1998
RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER
1. Section 48 of the Data Protection Act 1998 gives any person upon
whom a monetary penalty notice or variation notice has been served a right
of appeal to the First-tier Tribunal (Information Rights) (the ‘Tribunal’)
against the notice.
2. If you decide to appeal and if the Tribunal considers:-
a) that the notice against which the appeal is brought is not in accordance
with the law; or
b) to the extent that the notice involved an exercise of discretion by the
Commissioner, that she ought to have exercised her discretion differently,
the Tribunal will allow the appeal or substitute such other decision as could
have been made by the Commissioner. In any other case the Tribunal will
dismiss the appeal.
3. You may bring an appeal by serving a notice of appeal on the Tribunal
at the following address:
GRC & GRP Tribunals
PO Box 9300
Arnhem House
31 Waterloo Way
Leicester
LE1 8DJ
a) The notice of appeal should be sent so it is received by the Tribunal
within 28 days of the date of the notice.
b) If your notice of appeal is late the Tribunal will not admit it unless the
Tribunal has extended the time for complying with this rule.
19 •
ICO.
InformationCommissioner's ffice
4. The notice of appeal should state:-
a) your name and address/name and address of your representative
(if any);
b) an address where documents may be sent or delivered to you;
c) the name and address of the Information Commissioner;
d) details of the decision to which the proceedings relate;
e) the result that you are seeking;
f) the grounds on which you rely;
g) you must provide with the notice of appeal a copy of the
monetary penalty notice or variation notice;
h) if you have exceeded the time limit mentioned above the notice
of appeal must include a request for an extension of time and the
reason why the notice of appeal was not provided in time.
5. Before deciding whether or not to appeal you may wish to consult your
solicitor or another adviser. At the hearing of an appeal a party may conduct
his case himself or may be represented by any person whom he may
appoint for that purpose.
6. The statutory provisions concerning appeals to the First- tier Tribunal
(Information Rights) are contained in sections 48 and 49 of, and Schedule 6
to, the Data Protection Act 1998, and Tribunal Procedure (Firsttier Tribunal)
(General Regulatory Chamber) Rules 2009 (Statutory Instrument 2009 No.
1976 (L.20)).
20
