ICO - Rancom Security Limited
|ICO - Rancom Security Limited|
|Parties:||Rancom Security Limited|
|National Case Number/Name:||Rancom Security Limited|
|European Case Law Identifier:||n/a|
|Original Source:||ICO's Website (in EN)|
The Information Commissioner's Office (UK) has issued a fine to a security systems company that received 94 complaints because of unsolicited direct marketing calls violating the Data Protection Act (DPA) and the Privacy and Electronic Communications Regulations (PECR).
English Summary[edit | edit source]
Facts[edit | edit source]
Between 1 June 2017 and 31 May 2018, the ICO received 94 complaints about unsolicited direct marketing calls made by Rancom. Of those, 66 complaints were made to the TPS, with a further 28 made direct to the Commissioner. All of these complaints were made by individual subscribers who were registered with the TPS.
Dispute[edit | edit source]
On 3 July 2018, the Commissioner wrote to Rancom to explain that she could issue civil monetary penalties of up to £500,000 for PECR breaches. The letter informed Rancom that the Commissioner and the TPS had received complaints from individual subscribers in relation to unsolicited calls.
Rancom was asked a number of questions about its compliance with PECR. The Commissioner received a response from Rancom explaining that it purchased TPS screened data from third parties and also had acquired some data from other security companies it had taken over. They advised that no further due diligence or screening of the data was carried out. A contrary response was later provided to the Information Commissioner's Office indicating that they screen approximately 10% of the data they received against the TPS list.
The Commissioner found that there is no record of Rancom itself possessing or ever having possessed a TPS license. They explained that when a complaint was received that person's data would be removed immediately from their system.
Holding[edit | edit source]
The Commissioner has issued statutory guidance under section 55C (1) of the DPA about the issuing of monetary penalties that has been published on the ICO’s website. The Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 prescribe that the amount of any penalty determined by the Commissioner must not exceed £500,000.
Comment[edit | edit source]
Here are two examples of the complaints received by the ICO which in a practical manner what should not occur:
“I was very annoyed that someone was targeting my mother with lies in the hope she would buy something from them. She told them the first time that she wasn't interested but they phoned twice more. She is anxious about them phoning again.”
“Promoting security service offer in 'my area'. When I mentioned that I was registered with the Telephone Preference Service, the lady told me that if I had registered for the 'free' service they were still allowed to call me. When I complained, she became aggressive and would not stop reading from what appeared to be a prepared script. I hung up.”
In the UK, you can register your number in the TPS (Telephone Preference Services Limited) which is a "blacklist" of telephone numbers that should not be contacted for direct marketing. The number of calls made to TPS registered individuals accounts for 66% of the total call volume, this shows a disregard for the legislation surrounding the making of marketing calls and suggests that Rancom made very little effort to screen the data they were using against the TPS.
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the English original. Please refer to the English original for more details.
• ICO. InformationCommissioner's ffice DATA PROTECTION ACT 1998 SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER MONETARY PENALTY NOTICE To: Rancom Security Limited Of: Serenity House, 31 Gate Lane, Boldmere, Sutton Coldfield, West Midlands, B73 5TR 1. The Information Commissioner (“Commissioner”)has decided to issue Rancom Security Limited (“Rancom”) with a monetary penalty under section 55A of the Data Protection Act 1998 (“DPA”). The penalty is being issued because of a serious contravention of regulation 21 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”). 2. This notice explains the Commissioner’s decision. Legal framework 3. Rancom, whose registered office is given above(companies house registration number:04673465), is the person stated in this notice to have used a public electronic communications service for the purpose of making unsolicited calls for the purposes of direct marketing contrary to regulation 21 of PECR. 1 • ICO. InformationCommissioner's ffice 4. Regulation 21 applies to the making of unsolicited calls for direct marketing purposes. It means that if a company wants to make calls promoting a product or service to an individual who has a telephone number which is registered with the Telephone Preference Service Ltd (“TPS”), then that individual must have given their consent to that company to receive such calls. 5. Regulation 21 paragraph (1) of PECR provides that: “(1) A person shall neither use, nor instigate the use of, a public electronic communications service for the purposes of making unsolicited calls for direct marketing purposes where- (a) the called line is that of a subscriber who has previously notified the caller that such calls should not for the time being be made on that line; or (b) the number allocated to a subscriber in respect of the called line is one listed in the register kept under regulation 26.” 6. Regulation 21 paragraphs (2), (3), (4) and (5) provide that: “(2) A subscriber shall not permit his line to be used in contravention of paragraph (1). (3) A person shall not be held to have contravened paragraph (1)(b) where the number allocated to the called line has been listed on the register for less than 28 days preceding that on which the call is made. 2 • ICO. InformationCommissioner's ffice (4) Where a subscriber who has caused a number allocated to a line of his to be listed in the register kept under regulation 26 has notified a caller that he does not, for the time being, object to such calls being made on that line by that caller, such calls may be made by that caller on that line, notwithstanding that the number allocated to that line is listed in the said register. (5) Where a subscriber has given a caller notification pursuant to paragraph (4) in relation to a line of his — (a) the subscriber shall be free to withdraw that notification at any time, and (b) where such notification is withdrawn, the caller shall not make such calls on that line.” 7. Under regulation 26 of PECR, the Commissioner is required to maintain a register of numbers allocated to subscribers who have notified them that they do not wish, for the time being, to receive unsolicited calls for direct marketing purposes on those lines. The Telephone Preference Service Limited (“TPS”) is a limited company which operates the register on the Commissioner’s behalf.Businesses who wish to carry out direct marketing by telephone can subscribe to the TPS for a fee and receive from them monthly a list of numbers on that register. 8. Section 122(5) of the DPA18 defines direct marketing as “the communication (by whatever means) of any advertising material which is directed to particular individuals”. This definition also applies for the purposes of PECR (see regulation 2(2) PECR & Schedule 19 paragraph 430 & 432(6) DPA18). 3 • ICO. InformationCommissioner's ffice 9. Under section 55A (1) of the DPA (as amended by PECR 2011 and the Privacy and Electronic Communications (Amendment) Regulations 2015) the Commissioner may serve a person with a monetary penalty notice if the Commissioner is satisfied that – “(a) there has been a serious contravention of the requirements of the Privacy and Electronic Communications (EC Directive) Regulations 2003 by the person, and (b) subsection (2) or (3) applies. (2) This subsection applies if the contravention was deliberate. (3) This subsection applies if the person – (a) knew or ought to have known that there was a risk that the contravention would occur, but (b) failed to take reasonable steps to prevent the contravention.” 10. The Commissioner has issued statutory guidance under section 55C (1) of the DPA about the issuing of monetary penalties that has been published on the ICO’s website. The Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 prescribe that the amount of any penalty determined by the Commissioner must not exceed £500,000. 11. PECR implemented European legislation (Directive 2002/58/EC) aimed at the protection of the individual’s fundamental right to privacy in the electronic communications sector. PECR were amended for the purpose 4 • ICO. InformationCommissioner's ffice of giving effect to Directive 2009/136/EC which amended and strengthened the 2002 provisions. The Commissioner approaches the PECR regulations so as to give effect to the Directives. 12. The provisions of the DPA remain in force for the purposes of PECR notwithstanding the introduction of the Data Protection Act 2018 (see paragraph 58(1) of Part 9, Schedule 20 of that Act). Background to the case 13. Rancom is a security firm which provides fully monitored security systems for the home, as well as connected systems for fire, medical and police response. 14. Between 1 June 2017 and 31 May 2018, the ICO received 94 complaints about unsolicited direct marketing calls made by Rancom . Of those, 66 complaints were made to the TPS, with a further 28 made direct to the Commissioner. All of these complaints were made by individual subscribers who were registered with the TPS. 15. The following are examples of the complaints received by the ICO: • “The caller asked for confirmation of my name and address, then proceeded to say that due to an increase in false home security alarms in my area the police no longer responded to them. Then he said somebody will be in my area to advise on 'home security.” • “I was very annoyed that someone was targeting my mother with lies in the hope she would buy something from them. She told them the first time that she wasn't interested but 5 • ICO. InformationCommissioner's ffice they phoned twice more. She is anxious about them phoning again.” • “Our phone is registered with TPS and is ex-directory, how did he get our phone number. He knew my wife's name and that he knew the street that we lived in. Also claiming that he was doing a security checkIt is of course very worrying that he had our details with out our permission. After looking the phone number it is very worrying that that this company is targeting older people.” • “Promoting security service offer in 'my area'. When I mentioned that I was registered with the Telephone Preference Service, the lady told me that if I had registered for the 'free' service they were still allowed to call me. When I complained, she became aggressive and would not stop reading from what appeared to be a prepared script. I hung up.” 16. On 3 July 2018, the Commissioner wrote to Rancom to explain that she could issue civil monetary penalties up to £500,000 for PECR breaches. The letter informed Rancom that the Commissioner and the TPS had received complaints from individual subscribers in relation to unsolicited calls. Rancom was asked a number of questions about its compliance with PECR. 17. The Commissioner received a response from Rancom explaining that it purchased TPS screened data from third parties and also had acquired some data from other security companies it had taken over. They advised that no further due diligence or screening of the data was carried out. A contrary response was later providedto the 6 • ICO. InformationCommissioner's ffice Commissioner indicating that they screen approximately 10% of the data they received against the TPS list. The Commissioner found that there is no record of Rancom itself possessing or ever having possessed a TPS license. They explained that when a complaint was received that persons data would be removed immediately from their system. 18. Rancom further explained in correspondence that the majority of the dialled numbers listed in the provided complaints were obtained from two different third party data providers. They reiterated that they believed that the numbers were TPS screened and provided standard form contracts and terms and conditions to that effect. These were found by the Commissioner to contain non liability clauses that state the data provided may not be accurate, and neither of the contracts were signed or data. Rancom explained that it could not confirm the specific sources of the data as the data had been deleted by two former employees when they left in July 2017. 19. Despite repeated requests from the Commissioner, Rancom were unable to confirm how many of their outb ound calls made during the contravention period were made for marketing purposes.They indicated that this was because a number of organisations used their telephone system. These organisations were based in the same building and with whom they had a commercial arrangement where they were permitted to use the lines in exchange for contributions towards the telephony costs. It revealed that ‘some’ marketing staff made calls on behalf of various companies from the same number . As Rancom did not keep, or no longer had access to, records on these calls, the number attributable to marketing was therefore unable to be determined. 7 • ICO. InformationCommissioner's ffice 20. In later representations provided to the Commissioner(see para 50 below), Rancom disputed that the calls at the heart of th is contravention were made for direct marketing purposes, instead stating that these were ‘market research’ calls made at a time when Rancom was considering a change of business model utilising private security responders. Rancom provided the Commissioner with no material evidence supporting the existence of a research project, other than a script apparently used in those calls. Rancom also stated that it made calls for other general business purposes such as calls to nominated keyholders and relatives. Rancom has not however been able to provide any evidence as to how many calls were made for these purposes. 21. The Commissioner has considered the narrative of complaints, and remains unconvinced that the calls leading to those complaints were not for direct marketing purposes. The definition of direct marketing (see para 8 above) covers all advertising or promotional material. If a survey includes any promotional material or collects details to use in future marketing campaigns, the survey is for direct marketing purposes and the rules apply. Furthermore, the Commissioner’s Direct Marketing Guidance: states that “if an organisation claims it is simply conducting a survey when its real purpose (or one of its purposes) is to sell goods or services, generate leads, or collect data for marketing purposes, it will be breaching the DPA when it processes the data. It might also be in breach of PECR if it has called a number registered with the TPS, sent a text or email without consent, or instigated someone else to do so.” Whilst Rancom say they were conducting market research (which the Commissioner does not accept), the _____________________________________________________________ https://ico.org.uk/media/for-organisations/documents/1555/direc-marketing- guidance.pdf 8 • ICO. InformationCommissioner's ffice Commissioner’s view, following her own guidance and evidenced by complaints, which referenced offers of security checks and advice, is that those calls also included marketing or promotional material, and as such the rules apply. 22. The Commissioner’s investigation revealed that at least 1 outbound CLI was being used to make unsolicited marketing calls. Call dialler records obtained for this number show that a total of 851,392 calls were made by Rancom within the period of 1 June 2017 to 31 May 2018. This list was filtered to establish the number of calls m ade to numbers which were registered with the TPS at least 28 days before receiving a call to show that there were 565,344 such calls made. 23. The Commissioner has made the above findings of fact on the balance of probabilities. 24. The Commissioner has considered whether those facts constitute a contravention of regulation 21 of PECR by Rancom and, if so, whether the conditions of section 55A DPA are satisfied. The contravention 25. The Commissioner finds that Rancom contravened regulation 21 of PECR. 26. The Commissioner finds that the contravention was as follows: 9 • ICO. InformationCommissioner's ffice 27. Between 1 June 2017 and 31 May 2018, Rancom used a public telecommunications service for the purpose of making 94 unsolicited calls for direct marketing purposes to subscribers where the number allocated to the subscriber in respect of the line called was a number listed on the register of numbers kept by the Commissioner in accordance with regulation 26, contrary to regulation 21(1)(b) of PECR; and 28. The Commissioner is also satisfied for the purposes of regulation 21 that these calls were made to subscribers who had registered with the TPS at least 28 days prior to receiving the calls and had not given their prior consent to Rancom to receive calls. 29. The Commissioner has gone on to consider whether the conditions under section 55A DPA are met. Seriousness of the contravention 30. The Commissioner is satisfied that the contravention identified above was serious. This is because there have been multiple breaches of regulation 21 by Rancom’s activities over a 12 month period, and this led to a significant number of complaints about unsolicited direct marketing calls to the TPS and the Commissioner. 31. In addition, it is reasonable to suppose that the contravention could have been far higher because those who went to the trouble to complain represent only a proportion of those who actually received calls. 32. The Commissioner is therefore satisfied that condition (a) from section 55A (1) DPA is met. 10 • ICO. InformationCommissioner's ffice Deliberate or negligent contraventions 33. The Commissioner has considered whether the contravention identified above was deliberate. In the Commissioner’s view, this means that Rancom’s actions which constituted that contravention were deliberate actions (even if Rancom did not actually intend thereby to contravene PECR). 34. The Commissioner considers that in this case Rancom did not deliberately contravene regulation 21 of PECR in that sense. 35. The Commissioner has gone on to consider whether the contravention identified above was negligent. 36. First, she has considered whether Rancom knew or ought reasonably to have known that there was a risk that this contravention would occur. She is satisfied that this condition is met, given that Rancom relied heavily on direct marketing due to the nature of its business, and the fact that the issue of unsolicited calls has been widely publicised by the media as being a problem. In its representations to the Commissioner, Rancom stated that it no longer conducts direct marketing, instead focussing upon maintaining its existing database, however the Commissioner remains satisfied that Rancom was reliant upon direct marketing, at the very least prior to changing its business model , and as such should have been aware of the risk of contraventions of this type. 37. Rancom, previously named Direct Response Security Systems Limited, had been subject to an Enforcement Notice issued by the Commissioner in 2010. This also related to Regulation 21 of PECR and 11 • ICO. InformationCommissioner's ffice outlined steps it was to incorporate with regards to how it used data for marketing purposes, including the need to screen against the TPS. The current directors of Rancom were in place at the time of the Commissioner’s previous enforcement action. It is therefore reasonable to assume that Rancom were aware of the requirements of PECR and should have had appropriate measures in place to ensure compliance. They were also aware of the consequences of not doing so. 38. Each time a complaint is made to the TPS, the TPS inform the company complained about. Rancom would therefore have been aware that complaints were being made by TPS subscribers which should have prompted them to take steps to investigate the reasons for this and to address any deficiencies in their practices. 39. The number of calls made to TPS registered individuals accounts for 66% of the total call volume, this shows a disregard for the legislation surrounding the making of marketing calls and suggests that Rancom made very little effort to screen the data they were using against the TPS. 40. The Commissioner has also published detailed guidance for companies carrying out marketing explaining their legal requirements under PECR. This guidance explains the circumstances under which organisations are able to carry out marketing over the phone,by text, by email, by post or by fax. Specifically, it states that live calls must not be made to subscribers who have told an organisation that they do not want to receive calls; or to any number registered with the TPS, unless the subscriber has specifically consented to receive calls. 12 • ICO. InformationCommissioner's ffice 41. Finally, the Commissioner has gone on to consider whether Rancom failed to take reasonable steps to prevent the contravention. Again, she is satisfied that this condition is met. 42. Reasonable steps in these circumstances would have included ensuring that Rancom could evidence consents relied upon to make marketing calls and screening the data against the TPS register. Rancom stated in representations to the Commissioner that it screened 10% of its leads against the TPS database, however there is no evidence that Rancom had purchased a TPS licence, and any such screening was clearly inadequate. Rancom also claimed to operate an internal suppression list, however complaints alluded to multiple calls to the same number despite suppression requests, and therefore any such system was ineffective. Contracts being in place with its third party data suppliers does not absolve Rancom of their own responsibilities to ensure that the data they use is complaint. Whilst they relied on these contracts they contained non liability clauses and neither were signed and dated. 43. In addition, Rancom has allowed other organisations to use its lines. It kept no record of how many calls were made by these other organisations. This shows poor business practice and is suggestive of a cavalier approach to PECR. This further suggests that they failed to take reasonable steps to prevent the contravention. 44. The Commissioner is therefore satisfied that Rancom failed to take reasonable steps to prevent the contravention. 45. The Commissioner is therefore satisfied that condition (b) from section 55A (1) DPA is met. The Commissioner’s decision to impose a penalty 13 • ICO. InformationCommissioner's ffice 46. The Commissioner has taken into account the following aggravating features of this case: • Complainants to both the Commissioner and the TPS referred to the aggressive and misleading nature of the calls with some indicating that they have received multiple calls. • There has been deliberate action for financial or personal gain. The business was generating leads via marketing calls in order to create profit; • Advice and guidance has been ignored or not acted upon. This is published on the Commissioner’s website and is available via its advice services. • Rancom’s directors have been subject to a previous investigation by the Commissioner for contraventions of Regulation 21 of PECR which had resulted in an enforcement notice being issued in 2010. They therefore should have been especially aware of the necessity to the comply with the Regulations . 47. The Commissioner has also taken into account the following mitigating features of this case: • Rancom stated that they have stopped making marketing calls and have only retained their database of existing customers. The Commissioner has not identified any further complaints that can be attributed to this company since the 1 January 2019 which may be indicative that the company’s activities are now 14 • ICO. InformationCommissioner's ffice compliant. For this reason the Commissioner has decided not to also issue Rancom with an Enforcement Notice. 48. For the reasons explained above, the Commissioner is satisfied that the conditions from section 55A(1) DPA have been met in this case. She is also satisfied that the procedural rights under section 55B have been complied with. 49. The latter has included the issuing of a Notice of Intent dated 12 October 2020, in which the Commissioner set out her preliminary thinking. 50. In reaching her final decision the Commissioner has considered representations received from Rancom dated 20 and 27 November 2020. Nothing in Rancom’s representations has persuaded the Commissioner to alter her view as previously expressed in the Notice of Intent. 51. The Commissioner is accordingly entitled to issue a monetary penalty in this case. 52. The Commissioner has considered whether, in the circumstances, she should exercise her discretion so as to issue a monetary penalty. 53. The Commissioner’s underlying objective in imposing a monetary penalty notice is to promote compliance with PECR. The making of unsolicited direct marketing calls is a matter of significant public concern. A monetary penalty in this case should act as a general encouragement towards compliance with the law, or at least as a deterrent against non-compliance, on the part of all persons running businesses currently engaging in these practices. This is an opportunity 15 • ICO. InformationCommissioner's ffice to reinforce the need for businesses to ensure that they are only telephoning consumers who want to receive these calls. 54. In this case the Commissioner considers that a monetary penalty is an appropriate and proportionate response to the finding of a serious contravention by Rancom. The amount of the penalty 55. Taking into account all of the above, the Commissioner has decided that a penalty in the sum of £110,000 (One hundred and ten thousand pounds) is reasonable and proportionate given the particular facts of the case and the underlying objective in imposing the penalty. Conclusion 56. The monetary penalty must be paid to the Commissioner’s office by BACS transfer or cheque by 25 February 2021 at the latest. The monetary penalty is not kept by the Commissioner but will be paid into the Consolidated Fund which is the Government’s general bank account at the Bank of England. 57. If the Commissioner receives full payment of the monetary penalty by 24 February 2021 the Commissioner will reduce the monetary penalty by 20% to £88 ,000 (Eighty eight thousand pounds). However, you should be aware that the early payment discount is not available if you decide to exercise your right of appeal. 16 • ICO. InformationCommissioner's ffice 58. There is a right of appeal to the First-tier Tribunal (Information Rights) against: a) the imposition of the monetary penalty and/or; b) the amount of the penalty specified in the monetary penalty notice. 59. Any notice of appeal should be received by the Tribunal within 28 days of the date of this monetary penalty notice. 60. Information about appeals is set out in Annex 1. 61. The Commissioner will not take action to enforce a monetary penalty unless: • the period specified within the notice within which a monetary penalty must be paid has expired and all or any of the monetary penalty has not been paid; • all relevant appeals against the monetary penalty notice and any variation of it have either been decided or withdrawn; and • the period for appealing against the monetary penalty and any variation of it has expired. 62. In England, Wales and Northern Ireland, the monetary penalty is recoverable by Order of the County Court or the High Court. In Scotland, the monetary penalty can be enforced in the same manner as an extract registered decree arbitral bearing a warrant for execution issued by the sheriff court of any sheriffdom in Scotland. 17 • ICO. InformationCommissioner's ffice Dated the 25th day of January 2021 Head of Investigations Information Commissioner’s Office Wycliffe House Water Lane Wilmslow SK9 5AFe 18 • ICO. InformationCommissioner's ffice ANNEX 1 SECTION 55 A-E OF THE DATA PROTECTION ACT 1998 RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER 1. Section 48 of the Data Protection Act 1998 gives any person upon whom a monetary penalty notice or variation notice has been served a right of appeal to the First-tier Tribunal (Information Rights) (the ‘Tribunal’) against the notice. 2. If you decide to appeal and if the Tribunal considers:- a) that the notice against which the appeal is brought is not in accordance with the law; or b) to the extent that the notice involved an exercise of discretion by the Commissioner, that she ought to have exercised her discretion differently, the Tribunal will allow the appeal or substitute such other decision as could have been made by the Commissioner. In any other case the Tribunal will dismiss the appeal. 3. You may bring an appeal by serving a notice of appeal on the Tribunal at the following address: GRC & GRP Tribunals PO Box 9300 Arnhem House 31 Waterloo Way Leicester LE1 8DJ a) The notice of appeal should be sent so it is received by the Tribunal within 28 days of the date of the notice. b) If your notice of appeal is late the Tribunal will not admit it unless the Tribunal has extended the time for complying with this rule. 19 • ICO. InformationCommissioner's ffice 4. The notice of appeal should state:- a) your name and address/name and address of your representative (if any); b) an address where documents may be sent or delivered to you; c) the name and address of the Information Commissioner; d) details of the decision to which the proceedings relate; e) the result that you are seeking; f) the grounds on which you rely; g) you must provide with the notice of appeal a copy of the monetary penalty notice or variation notice; h) if you have exceeded the time limit mentioned above the notice of appeal must include a request for an extension of time and the reason why the notice of appeal was not provided in time. 5. Before deciding whether or not to appeal you may wish to consult your solicitor or another adviser. At the hearing of an appeal a party may conduct his case himself or may be represented by any person whom he may appoint for that purpose. 6. The statutory provisions concerning appeals to the First- tier Tribunal (Information Rights) are contained in sections 48 and 49 of, and Schedule 6 to, the Data Protection Act 1998, and Tribunal Procedure (Firsttier Tribunal) (General Regulatory Chamber) Rules 2009 (Statutory Instrument 2009 No. 1976 (L.20)). 20