The Information Commissioner's response to the Department for Culture, Media and Sport's consultation on requiring direct marketing callers to provide Calling Line Identification

The Information Commissioner has responsibility for promoting and enforcing the Data Protection Act 1998 (DPA), the Privacy and Electronic Communications Regulations 2003 (PECR), the Freedom of Information Act 2000, and the Environmental Information Regulations. He is independent from government and upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals. The Commissioner does this by providing guidance to individuals and organisations, solving problems where he can, and taking appropriate action where the law is broken.

The Information Commissioner welcomes the opportunity to respond to DCMS's consultation on requiring direct marketing callers to provide Calling Line Identification (CLI). The Commissioner's remit extends to the oversight and enforcement of unsolicited direct marketing contact via electronic means including live and automated telephone calls. In undertaking this role, the Commissioner investigates complaints, gathers intelligence from numerous sources and coordinates his activities with other relevant regulators.

The Commissioner supports the proposed changes, noting in particular the potential for these changes to assist him in his enforcement work. He remains committed to taking action against organisations which breach PECR when his regulatory powers allow him to do so with a view to tackling the nuisance, anxiety and distress these calls cause to the public.

Ofcom has recently estimated that 1.7 billion live sales calls and 940 million recorded sales calls are made annually to UK consumers [1]. With this scale of direct marketing calls being undertaken, it is vital that individuals are able to exercise their rights in respect of those calls and that complaints can be appropriately investigated and addressed by the Commissioner and other regulators as appropriate.

[1] http://stakeholders.ofcom.org.uk/binaries/consultations/review-of-how-we-use-persistent-misusepowers/annexes/annexes_7-8.pdf

Do you agree that the Government should amend PECR to make it a requirement for direct marketing callers to provide CLI?

Yes. The Commissioner strongly supports the idea of requiring callers to provide CLI when making direct marketing calls.

The Commissioner is supportive of this requirement for several reasons. Firstly, it sends out a message to callers and call recipients alike that direct marketing should and can be carried out in a legitimate, transparent and accountable manner, with CLI acting as insurance of that. By insurance, we mean that requiring the provision of CLI should empower individuals to choose whether to answer a call at all. If they do choose to answer and the call is one they wish to complain about, having the caller's CLI should enable them to make a better informed complaint. Inclusion of CLI should also enable individuals to contact the calling organisation directly to express their dissatisfaction about being contacted, enable them to ask to be removed from any relevant call database and also potentially be a first step in exercising their rights under the DPA.

From an enforcement perspective, requiring a valid CLI should ensure that more detailed, and consequently more useful, evidence and intelligence can be obtained relating to individual breaches of PECR. It should also assist us in identifying those organisations we most need to target with enforcement activity.

However, there is a strong need to ensure that the information obtained is as useful as possible. The requirements of regulation 24 of PECR should be used as the basis for any amendment. We have identified a number of potential issues which need to be addressed to ensure that any amendment is fit for purpose. Specifically, we would want any amendment to include a requirement for a valid CLI to be provided and we would want clarity as to what constitutes valid CLI, addressing the following issues:

- the CLI needs to be dialable - meaning capable of receiving inbound calls;
- the CLI needs to be a direct contact number for the organisation that is the subject of the direct marketing or for that organisation's delegated or contracted representatives (the instigator of calls or caller). The CLI could legitimately be for a third party organisation provided that a contract with the marketed organisation governs the relationship. However, inclusion of the genuine CLI for an organisation other than the subject of the marketing, or any kind of spoofing, needs to be specifically excluded;
- what needs to happen when an individual who has received a call contacts the number given in the CLI. To ensure the inclusion of a valid CLI assists individuals as well as regulators, we would suggest a requirement that the dialable number be answered in some way, to avoid already frustrated or upset individuals attempting to contact dialable numbers which are never picked up;
- whether the CLI needs to be a UK number, or whether a non-UK number that is otherwise genuine can be deemed valid;
- whether a presentation number can be a valid CLI. Any wording needs to take into account that there can be legitimate circumstances when the calling number would not necessarily be the number which the organisation would display as the CLI. For example, where an organisation contacts individuals from multiple different numbers (for example, from different staff) using one overarching CLI would help the call recipient to identify that those calls are from the organisation, as opposed to the individual receiving multiple calls from different numbers. In that situation, the use of one CLI would enable the individual to build an accurate picture of the calls they are receiving;
- the level at which any charge can be levied for dialling the CLI; and
- whether geographically targeted CLI can be used. By geographically targeted, we are referring to an organisation choosing to use a local telephone code as opposed to their actual national or non-local number to encourage an individual to answer the call. We have raised potential concerns previously [2] that there may be fairness issues to the localisation of CLI from the perspective of the DPA (in that individuals may be encouraged to pick up a call that they would otherwise not have answered because they believe it to be local). There is a potential for the individual to be misled by targeted use of a local number, and it is our experience that less legitimate organisations use this as a deliberate tactic to improve call pick up rates, relying on individuals to respond to the local number where a generic or national one would be ignored.

As well as covering off the basic requirements of valid CLI, any wording included needs to be compatible with VOIP (Voice over Internet Protocol), which is increasingly being adopted. VOIP calls can terminate either at an IP address or be diverted to a landline number. Any amendment to PECR needs to enable enforcement activity and contact from individuals where VOIP calls have been made.

[2] ICO's response to Ofcom's call for inputs on Ofcom's persistent misuse of the telecommunications network powers - https://ico.org.uk/media/about-the-ico/consultation-responses/2014/1042777/ico-response-ofcomcall-for-input-persistent-misuse-of-the-telecommunications-network-20141107.pdf

Our concern is that if the requirements for including CLI are insufficiently clear, this may leave loopholes which less ethical organisations may seek to exploit. We also want to avoid situations arising where organisations unwittingly fail to comply, as a result of simply not understanding what is required of them.

We are also keen to ensure that any requirement introduced is consistent with the guidance that Ofcom has issued in relation to presentation CLI, to ensure that both the Commissioner and Ofcom can enforce their separate powers (under PECR and the Communications Act 2003 respectively) consistently and tackle the problem of nuisance calls in a cohesive and constructive way.

Are there any other costs or benefits that may be associated with this proposal that you think the Government should consider before taking a final decision?

We have considered this question both from the perspective of the public, as well as from our perspective as a regulator.

It is worth considering that there may, in the short term, be some inconvenience for certain individuals if CLI is required. For example, the requirement to provide CLI when making direct marketing calls could negate individuals' use of services which automatically reject or block calls from withheld numbers. Anecdotal evidence also suggests some individuals currently refuse calls on the basis that they come from numbers listed as withheld or unknown. It might be worth considering that the proposed requirement to provide CLI could make those individuals' choices as to which calls to refuse more difficult.

Depending on how the requirement to provide CLI is received by the public, it could either reduce or increase the information available to regulators. Where the provision of CLI genuinely enables individuals to exercise the power of choice over which calls to answer, an unintended consequence could be that it ultimately acts to reduce the evidence made available to regulators such as the ICO. Where calls go unanswered through choice, and without the call recipient being inconvenienced by the call itself, there may be a reduction in reported complaints and consequently, of the evidence available.

Conversely, individuals could choose to make more complaints, with the expectation of increased enforcement action. The side effect of this - and cost to individuals - would be an increase in the time spent by individuals completing complaint forms, whether those of the ICO, TPS or their own telephone operators. (Although we are currently taking steps to further improve our online reporting process to reduce the time it takes to complete multiple reports.)

Overall, as a regulator we strongly welcome this proposal. As has been identified in the consultation document, this proposal could result in significant regulatory benefit to the ICO. The adoption of this proposal would enable streamlining of our investigation, evidence and intelligence gathering processes and consequently could have a cost saving impact for the ICO (and consequently free up some resource for additional enforcement activity).

We estimate that around 13% [3] of the complaints and concerns that we receive relate to calls received from spoofed CLIs, and as such we spend a disproportionate amount of time identifying the organisation responsible. Removal of this burden would enable us to identify and target organisations more quickly, resulting in shorter investigation times and enabling us to mitigate threats to consumers much earlier.

It is therefore our view that any potential costs are significantly outweighed by potential benefits.

February 2016

[3] It is extremely difficult to identify a definitive number of complaints where CLI is invalid. We are reliant on the data entered in our online reporting tool. For example, where a CLI is one digit short, is this because the CLI was spoofed, or because it was entered incorrectly? The 13% figure is a sample, based on analysis of complaints received in August 2015 where a CLI has not been provided or has been found to be invalid based on previous information or investigation. It is important to note that the real figure could be much higher, depending on calls which are never reported to the ICO or to the TPS.