ICO to audit Leave.EU and Eldon Insurance

The Information Commissioner’s Office (ICO) is to review how an EU referendum campaign and an insurance company are complying with data protection laws after fining the organisations a total of £120,000 for serious breaches of electronic marketing laws.

The ICO announced an audit and issued a preliminary enforcement notice as well as three notices of intent to fine Leave.EU and Eldon Insurance – trading as Go Skippy Insurance – in November 2018 as part of its investigation into data analytics for political purposes.

After considering the companies’ representations, the ICO has issued the fines, confirming a change to one amount, with the other two remaining unchanged. The regulator has also issued two assessment notices to Leave.EU and Eldon Insurance to inform both organisations that they will be audited.

The ICO investigation found that Leave.EU and Eldon Insurance were closely linked and that systems for segregating the personal data of insurance customers from that of political subscribers were ineffective.

This resulted in Leave.EU using Eldon Insurance customers’ details unlawfully to send almost 300,000 political marketing messages. Leave.EU has been fined £15,000 for this breach. Eldon was found to have carried out two unlawful direct marketing campaigns.

The campaigns involved sending more than one million emails to Leave.EU subscribers without sufficient consent. Leave.EU has been fined £45,000, adjusted down from £60,000, and Eldon Insurance has been fined £60,000 for breaching the Privacy and Electronic Communications Regulations (PECR) 2003.

Information commissioner Elizabeth Denham said it is “deeply concerning” that sensitive personal data gathered for political purposes was later used for insurance purposes, and vice versa.

“It should never have happened,” she said. “We have been told both organisations have made improvements and learned from these events. But the ICO will now audit the organisations to determine how they are using customers’ personal information.”

The assessment notices give the ICO access to Leave.EU and Eldon’s joint offices, staff and documentation. It is a criminal offence to obstruct an ICO audit or destroy information covered by it.

The ICO’s audit team will be looking at data protection practices, including observing how personal data is processed, considering what policies and procedures are in place, and looking at the types of training available for staff.

ICO auditors will also interview key employees across both organisations, including directors, staff and data protection officers. The ICO’s audit findings will be made public.

Eldon Insurance has also received an enforcement notice from the ICO ordering the company to take steps to ensure it complies with electronic marketing regulations.

The ICO has published two reports as part of its wide-ranging data analytics investigation, which has been described as the “biggest and most far-reaching” investigation the organisation has ever conducted.

The Democracy disrupted? Personal information and political influence report looks at the broader policy issues identified during the investigation, along with findings and the information commissioner’s recommendations for future action.

The Investigation into the use of data analytics in political campaigns report is the latest update for the investigation.

As a result of the investigation, the ICO fined Facebook £500,000 in October 2018 for “serious breaches” of data protection law. And in August 2018, the ICO confirmed a monetary penalty of £140,000 for Lifecycle Marketing (Mother and Baby), also known as Emma’s Diary, for illegally collecting and selling personal information belonging to more than one million people.

Then, in July 2018, the ICO issued an Enforcement Notice to Cambridge Analytica’s parent company, SCL Elections, and issued an enforcement notice for Aggregate IQ to stop processing retained data belonging to UK citizens.