Baroness Neville-Rolfe on data protection and nuisance calls
Speaking at the DMA conference on data protection, Baroness Neville-Rolfe spoke about government work on data protection and nuisance calls
Introduction
Good morning. I would like to thank the Direct Marketing Association for this opportunity to talk about my priorities as Minister for Data Protection and Nuisance Calls policy.
I will focus today on nuisance calls but will also talk briefly about two important European matters on the horizon: implementation of the Data Protection Regulation and the changing arrangements for the transfer of personal data to the US.
DCMS context
My responsibilities in the Department for Culture, Media and Sport cover data protection, including sponsorship of the Information Commissioner’s Office, nuisance calls, and The National Archives. It was a great pleasure to take on these new duties last October as they are complementary to my Business Department portfolio which includes Intellectual Property and the EU Single Market.
As a Business Minister, I am especially keen to increase competitiveness, including in the creative and digital industries championed by DCMS. DCMS is at the heart of the digital economy – promoting the wider use of digital technology, benefiting from the digital market in the EU and beyond. And to do that we have to handle data appropriately.
My role in DCMS is to balance the drive for greater competitiveness, while limiting the costs for business and securing the right levels of protection for personal data. Consumer rights are top of our list of concerns especially the rights of the vulnerable. Regulation around data protection and nuisance calls are fundamental to this objective.
EU Data Protection Regulation
The EU is close to adopting a new data protection regulation. The draft covers much of the same ground as our domestic Data Protection Act. When adopted Member States will need to give effect to the regulation in domestic legislation within two years of adoption, so we are looking at Spring 2018 for UK implementation.
It is clear that the final text will be complex and demanding. This complexity means that our planned work with the Information Commissioner’s Office to support organisations in the transition to the new regime will be all the more important. I understand that the Information Commissioner will talk about this a little later.
I am committed to doing all I can to support your organisations in making the necessary changes too. For your part, I would encourage you to prioritise preparation for this significant change now.
‘Safe Harbour’
You will all recall the case of Max Schrems that led to the EU’s Court of Justice striking down the agreement known as ‘Safe Harbour’. This had provided the legal basis for the transfer of EU personal data for commercial purposes to US companies.
There have been intense negotiations between the EU and US to secure a replacement agreement. I was in Washington in January and was glad to find how determined the US were to agree a way through in good time. I very much welcomed the recent announcement of the provisional new ‘EU-US Privacy Shield’, as it will be known. But there is some way to go before this is in place.
Meanwhile the ICO have published updated guidance. Until the new arrangement has been formally accepted, they advise that organisations should continue to take stock of the transfers they make and be on top of the legal basis for any alternative arrangements they are using. I’d like to thank the ICO for all the work they have done on this difficult issue and the timely guidance they have provided.
Nuisance calls
I turn now the scourge of nuisance calls. We should not dismiss this as an unfortunate by-product of the rapid growth in data-led marketing. It is a form of harassment.
As I’m sure many of you recognise, the stress and anxiety these calls cause can be immense, especially for vulnerable people for whom the phone is the main or only means of communication.
In 2015, the ICO received nearly 170,000 complaints about nuisance calls. Last month there were 9,633 concerns reported to the ICO, which was slightly higher than the previous month but compares favourably with that for January 2015 when 10,296 concerns were reported. We will continue to monitor figures on nuisance calls and take further action where necessary.
I have here a letter, which reveals the shocking impact for just one individual of this scourge. The phone was this person’s only means of communication, and an essential one given their complex medical needs.
After a barrage of increasingly aggressive and ultimately abusive, sales calls, this individual was left totally isolated with the phone unplugged and close to suicide. All in the name of telesales marketing. That is an absolute disgrace.
The tragic death of poppy seller Olive Cooke, whose personal details were in the possession of 99 charities adds a further human dimension and led to the recent exposure of unacceptable charity fundraising practices uncovered in the media last year.
The Government acted quickly. We amended the Charities Bill to increase transparency and reiterate trustees’ responsibilities for fundraising.
The Government has accepted Sir Stuart Etherington’s cross-party review of fundraising. These include looking at a new fundraising regulator and other changes to ensure higher standards in charity fundraising. I encourage representatives from that sector here today to engage constructively with the plans.
The Government is not seeking to undermine legitimate fundraising activity, in which direct marketing plays an important role. We want to address bad practice but at the same time encourage even more people to make donations and give up their time to support charities. The Government recognises the value of the direct marketing sector and the legitimate role telemarketing has to play in giving consumers what they want.
Of course the frustration for many of you here today is that the actions of a minority of rogue organisations undermine your reputations. Organisations such as the DMA are a vital partner in this work, both in supporting your industry and Government in targeting those rogue few.
The Government published its Nuisance Calls Action Plan in March 2014. By lowering the legal threshold to make it easier for the ICO to take action against organisations that breach the rules, there has been an increase in enforcement action.
Between January and February this year, the ICO has issued £150,000 worth of fines alone.
One rogue organisation stands out. Direct Security Marketing Ltd made nearly 40,000 automated calls in just one day in an attempt to sell burglar alarms. Of these, approaching 10,000 were made between 1 and 6am. Just imagine that; your household being harassed with calls in the dead of night. The firm were fined £70,000 by the ICO.
Since January 2012, the ICO has issued civil monetary penalties totalling nearly £2.5million in a range of other cases too, with more fines in the pipeline. Since increasing the ICO’s maximum fine capability to five hundred thousand pounds, there is a greater deterrent for those who would breach the rules. Notably, in September last year, the ICO issued a record fine of £200,000 to two companies in breach of the rules.
In April 2015, the ICO issued £1,056,000 civil monetary penalties, with £370,000 total penalties being issued in November 2015 alone. I understand there is a further potential £1million in penalties in the pipeline before the end of the financial year.
We have made it easier for the ICO to share nuisance calls information with Ofcom through an amendment to the Communications Act 2003. We have encouraged the development of call answering and other products to tackle nuisance calls. In addition, the Government has made half a million pounds available for the provision of call blocking devices to vulnerable people.
Progress has therefore been made.
However, it is a complex problem and the Government cannot tackle this problem on its own. I would like to commend the hard work the DMA and its members have done in rooting out bad practice in the direct marketing industry. I think DMA’s direct marketing guidance fits in well with the Government’s proposal on Calling Line Identification, which I will touch on shortly.
But we want to do more. We already are.
We are exploring potential options for further regulation. This could include putting the ICO’s direct marketing guidance on a statutory footing. This would provide clarity on the responsibilities of those who instigate direct marketing calls; clarify the rules around time limits on third party consent; and make it easier for the ICO to take action against those who breach the rules.
We are also considering the possibility of extending the ICO’s powers of compulsory audit to organisations responsible for generating nuisance calls, including data brokerage organisations and list generators. This is similar to the measure we introduced in February last year that enables the ICO to assess the data protection practices of NHS bodies.
Regulation is one tool but it needs to be supported by technical innovation.
As part of the £3.5 million budget measures package announced by the Chancellor last year, my department has been working with our delivery partner Innovate UK and Small Business Research Initiative (SBRI) to run a competition to seek innovative technical solutions to tackle nuisance calls.
Six successful applicants were selected to complete feasibility studies by the end of March. Ideas include a cloud based blocking device and the use of advanced Number Reputation Database to block unwanted calls.
Regrettably some organisations continue to break the law, one of the reasons being the difficulty in tracing them. In a significant proportion of nuisance call cases, failure to provide ‘calling line identification’- that is a recognisable number on your phone’s display - is making it difficult for the ICO and Ofcom to pursue enforcement action. That is why we have recently consulted on a proposal to require all direct marketing callers to provide CLI.
The consultation closed last Tuesday - we are currently analysing responses but my first impression is that there has been overwhelming support for our proposals.
This move has the potential to make a real difference, giving individuals a genuine choice about whether or not to accept a call. If you don’t know a number, or no number is displayed at all, you can choose not to take the call. If you do take it and it turns out to be an unwanted call, you can note the number down and report it to the ICO.
This requirement will work extremely well with BT’s new service to divert nuisance calls within its network before they ring on customers phones. Talk Talk have already done something similar. I would strongly encourage other network providers to do the same.
And to those organisations whose business relies on direct marketing, I would ask you to consider registering your organisation with the Telephone Preference Service Assured Scheme. This scheme complements a lot of the work Government and regulators are doing to help combat nuisance calls. It helps companies by ensuring they comply with the law and best practice guidelines.
Awareness raising will support both our enforcement and regulatory plans. This includes helping people understand how best to report nuisance calls and what technological solutions are available. The ICO provides some excellent guidance in this area and I would encourage even more.
The truth is that as a consumer there are things one can do. I now welcome the occasional nuisance call - I have of course registered with TPS - and telling the unfortunate caller they are not entitled to call again. I know because I am the minister for nuisance calls!
There is also an international dimension to nuisance calls. An increasing number of calls are coming from beyond our jurisdiction. To tackle this, both the ICO and Ofcom engage with the ‘Do Not Call Forum’ of the London Action Plan, which includes overseas regulators with responsibility for tackling nuisance calls.
The ICO works with other members, including the US Federal Trade Commission (FTC) and the Canadian Radio-television and Telecommunications Commission, to drive forward coordinated actions. They are also exploring with the trade association, representing call centres based in India, possible ways to work with relevant regulatory authorities in India to tackle the problem at source.
Much has been done but there is still more to do. I am confident that with determination and with your help and with the work of the ICO, DMA, Ofcom and others, we can make further inroads into the problem of nuisance calls.
Conclusion
Data protection is a complex subject. But it is fundamental to the success of a market that affects each one of us - access to material and services which we increasingly take for granted in our day to day lives depend on it. It is fundamental to all your industries, I’m sure.
At its core, data protection is actually about simple things. Respect, trust, integrity and professionalism. Only with the foundations I have talked about today - transferring data safely, building consumer confidence that will tackle unwanted and aggressive sales calls, and protecting people’s data rights – can this work for all our benefit. I look forward to working with you all on the many opportunities ahead.