Last week, the Information Commissioner issued a civil monetary penalty on Direct Assist Limited, a TPS-busting personal injury firm. As Direct Assist has been wound up by HMRC, all this means is that the ICO has added itself to Direct Assist’s list of creditors and the CMP will never be paid. It turns out the ICO had served its final notice before HMRC delivered the coup de grace, so perhaps the CMP made sense at the time. However, the ICO’s PECR blog stated the following on 2nd April:
“When deciding on fines, our office has to consider the financial position of the company involved. Although we need to hold unscrupulous companies to account, the law says we can’t make a company bankrupt causing it to close.”
This isn’t true. The statutory Monetary Penalty guidance – the ‘law’ in question – makes clear several times that CMPs cannot “impose undue financial hardship on an otherwise responsible person“. It’s wrong for the ICO to say that they can’t bankrupt their CMP targets; they’re only prevented from crippling an otherwise responsible organisation. So what kind of organisation is Direct Assist?
Well, firstly, they’re the kind of organisation that gets wound up by HMRC. Secondly, they’re the kind of organisation that, according to the ICO press release, called someone 470 times despite them being on the Telephone Preference Service. If you Google them, you will find Direct Assist was also involved in one of the most notorious Data Protection cases of recent years. In 2011, Martin Campell, a Direct Assist employee, plead guilty to using confidential medical information to generate claims. The data was stolen by his then-girlfriend Dawn Makin, who was a nurse at an NHS walk-in centre in Bury. When the thefts were revealed, Makin murdered her daughter and tried to kill herself. I cannot say for certain that Direct Assist knew what their employee was doing, but as the data controller, they were responsible for ensuring that any data used for their purposes was fairly and lawfully obtained. This they clearly failed to do, and one might ask why the ICO didn’t pursue this angle. But in any case, aside from their torrent of illegal cold calls, are Direct Assist otherwise responsible? Don’t make me laugh.
It’s not just Direct Assist. In February, an outfit called HIS Energy was prosecuted at Manchester Minshull Street Crown Court for a single breach of the Health and Safety At Work Act 1974. HIS had installed cavity wall insulation in the home of Joyce Moore, a 82 year old resident of Middleton, a town to the north of Manchester. In the process, they blocked the boiler flue. An HIS employee noticed insulation beads in the flue (apparently a tell-tale sign of the problem), but rather than mention it to Mrs Moore or her son Bob, who also lived in the house, he did nothing. He did mention it to his manager, but a decision was made to take no action that day. That night, Mrs Moore put the heating on, and she was killed by carbon monoxide poisoning caused by the blocked flue. Bob Moore and two paramedics were also taken to hospital, although they recovered.
The jury took 10 minutes to find HIS guilty, and they were fined £500,000, plus prosecution costs, although it is unlikely that the fine will ever be paid, as HIS has gone into liquidation. Until the liquidation, HIS Energy was part of the Save Britain Money Group, an organisation made famous by the BBC’s nauseating programme ‘The Call Centre‘. Indeed, Mrs Moore was originally cold-called by Nationwide Energy Services whose staff featured heavily in the programme, before her details were passed to HIS to carry out the work that killed her. The Save Britain Money Group is currently in administration after a court dispute. Nationwide Energy Services was put into administration after receiving a Civil Monetary Penalty of £125,000 from the Information Commissioner in 2013 for illegal cold calling. Coincidentally, We Claim U Gain, another member of the Save Britain Money family whose staff appeared in ‘The Call Centre’, went into administration after it received a CMP for cold calling. Neither CMP has been paid. Despite the BBC’s despicable decision to celebrate the odious Wilshire, are we seriously supposed to believe he and his companies qualify as ‘otherwise responsible’ people?
On Monday, the PECR rules changed. Gone is the requirement for damage or distress before a PECR CMP is issued – all the ICO needs to do is demonstrate a serious breach. The ICO has a good track record on PECR enforcement, so we can expect further action. I would welcome this. But there are two lessons that can be learned from these awful stories. Firstly, the law change is not enough. Direct Assist is gone, but other equally reprehensible organisations remain and its owners will probably surface in another part of the swamp. Until the ICO has powers to take painful action against the individuals, rather than the hydra-headed organisations they hide behind, they will be putting out fires and no more. However, it’s equally important that the ICO uses its revised powers to the fullest extent. Even if Direct Assist’s owners return to cold calling, HMRC’s actions have at least inconvenienced them. There is no reason why the ICO cannot do the same.
There may be otherwise responsible people breaching PECR through ignorance rather than wilful law-breaking, but I suspect they are the minority. Most cold callers and spammers are parasites, using dodgy data, feeding off the vulnerability of others, and causing misery as they line their pockets. The ICO should not shrink from shutting them down, and nothing prevents them from doing so.