2011-06-21

Cold calling and the Information Commissioner's Office (ICO) - another regulator who doesn't

It is perhaps unsurprising that the bodies who "regulate" quack medicine are as bogus as the "medicine" they purport to regulate (see previous blog post). What is more difficult to explain is why so many others - of the dozens of regulators responsible for different domains of commerce and everyday life - are so utterly ineffectual.

Below I reproduce my recent correspondence with the Information Commissioner's Office - which is supposed to regulate data protection and online and telecoms based marketing.

After a couple of cold calls from a firm with whom I have never had dealings and who specialize in conning vulnerable people out of their meager savings on the pretext of taking claims forward or sorting out debt problems, I decided to track them down and report them to the ICO.

All my phones are registered with the Telephone Preference Service (TPS) and the ICO is responsible for enforcing the law against firms that ignore TPS registration.

I am still waiting to hear about this specific case, but in the meantime, I put in a Freedom of Information (FOI) request:

Please could you inform me exactly (since the ICO was formed) how many criminal prosecutions, cautions, enforcement notices, monetary penalty notices, injunctions, or enforcement orders* have been successfully sought or applied by the ICO against UK firms that, in violation of the relevant law, repeatedly call numbers that have been registered with the TPS.

* “Forms of regulatory action” listed at http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/data_protection_regulatory_action_policy.pdf


I received the following response:


Information Held

Before answering your specific request, it may help to explain that since November 2007 the ICO and the Telephone Preference Service (TPS) have had a procedure in place for complaints about the receipt of unsolicited ‘live’ (as opposed to automated) telephone calls to be referred to the ICO for investigation where the person receiving the call has previously complained to the TPS and, after the TPS have written to the offending organisation, further calls have been received. This constitutes a breach of the Privacy and Electronic Communications (EC Directive) Regulations 2003, known as ‘PECR’. These ‘repeat breach’ complaints are notified to the ICO on a fortnightly basis and on receipt are set up on our electronic case management system in the same way as complaints made directly to the ICO. All of these ‘repeat breach’ cases referred by the TPS are also recorded on a separate spreadsheet.

Since this arrangement began in 2007 the TPS has, to date, referred 665 complaints to the ICO in this way. Each complaint referred to us by the TPS is individually pursued by the ICO until it is resolved. Depending on the organisation that is complained about the outcome may be that we write to the organisation and seek their assurances that the complainant’s telephone number is suppressed from their marketing lists. Alternatively, in some cases we may use an individual complaint to determine that formal action is appropriate, which would usually be either a formal undertaking (which requires the organisation concerned to commit to a particular course of action in order to improve its compliance), or an Enforcement Notice.

Because a breach of PECR is not a criminal offence we cannot initially instigate a prosecution against an organisation for a breach of the regulations. Instead, where appropriate we can take enforcement action requiring the data controller to cease their practices. Failure to comply with an Enforcement Notice is a criminal offence, so if an organisation fails to comply with a notice served by the ICO we can then consider whether prosecution is appropriate.

You may find the following link to our website helpful, which gives information about the way in which the ICO considers complaints made under PECR:

http://www.ico.gov.uk/tools_and_resources/document_library/privacy_and_electronic_communications.aspx

The following link also explains about the amendments which have recently been made to PECR, and the new powers which have been given to the Information Commissioner as a result of these amendments:

http://www.ico.gov.uk/what_we_cover/promoting_data_privacy/~/media/documents/library/Privacy_and_electronic/Practical_application/enforcing_the_revised_privacy_and_electronic_communication_regulations_v1.pdf

In response to your actual request I can confirm that since PECR came into effect the ICO has issued 8 formal undertakings and served 9 enforcement notices against organisations for breaches of PECR in connection with live telephone calls. The details are as follows:



Details of all undertakings and enforcement action taken against organisations since August 2009 (including copies of the relevant undertakings and enforcement notices) can be found on the ICO website via the following link:

http://www.ico.gov.uk/what_we_cover/privacy_and_electronic_communications/enforcement.aspx

When regulatory action is taken against an organisation, it is usually as a result of a number of complaints being made to the ICO from individuals directly affected as well as those referred to us by the TPS. The two enforcement notices which are available on the ICO website (relating to SAS Fire & Security Systems and Direct Response Security Systems) have both been served on the basis of complaints received by the ICO from members of the public direct and via the TPS.

I can confirm that the ICO has not prosecuted any organisation for failing to comply with an enforcement notice relating to unsolicited live telephone calls, nor has it issued any cautions, monetary penalty notices, injunctions or enforcement orders for the same reason.


Summary: we have taken meaningful action against zero firms and served "enforcement notices" against nine.

I wrote back:


Since signing up all our phones with the TPS a number of years ago (and checking regularly to make sure we are still registered) I have been plagued by nuisance calls on my home and office phones. I have complained occasionally to the TPS and the ICO about these calls, but beyond asking the companies concerned to stop - which they usually do anyway after speaking to me (only to have their place taken by another firm) - it seems there is nothing you are prepared to do.
I realize most of these companies are based overseas and/or withhold their numbers (quite why they are allowed to do this I fail to understand) but some of them (such as the firm who rang me twice recently) are UK based and didn't even bother to hide their number.
In addition to reporting this firm to you (and not holding my breath) I also did a bit a research. It seems that this firm have a long history of ignoring TPS registration, are a bunch of fraudsters, and had an "Enforcement Notice" served on them several years ago by the ICO[*]. I also disvovered that the ICO has a range of penalties at its disposal that it can impose on firms that repeatedly and wilfully break the law in this way.
Armed with this information I decided to put in a FOI request to the ICO and discovered that, since the ICO began regulating in this area, exactly zero firms have been prosecuted or subjected to finacial penalties or cautioned or penalized in any meaningful way. I suggest that this fact entirely explains the problems I describe above.
So to come to the subject of my complaint: This is not about any specific case, it is about the ICO's manifest failure to regulate cold calling and punish firms that ignore TPS registration.
If your complaints department is not able to deal with general complaints of this nature, please advise me to whom I should redirect my complaint.


[*] I have since realized that the firm who rang me has a slightly different spelling from the firm listed above as under an "enforcement notice" and so (I assume) this firm has not previously been served with such a notice. I suppose the corollary of this is that I have no reason to assume that any of the above firms are fraudsters - though they are lawbreakers and pests. Sorry for mistake. The firm who rang me are, however, a bunch of fraudsters.


I received a paper reply which "appreciate[d] my frustration" but made it quite clear that the ICO has no intention whatsoever of regulating firms who ignore TPS any time soon.

I have just replied:


Dear ######

Thank you for your letter, but I’m afraid it entirely fails to explain what goes on (or, more accurately, doesn’t go on) behind the scenes at the ICO.

You say you can’t consider prosecution unless an organization fails to comply with an enforcement notice. Fine, so why not issue some enforcement notices to more than nine of the hundreds of firms involved? And why not prosecute the firms in this list of nine who have failed to comply with the enforcement notices they have been given.

You say you can issue civil monetary penalties of up to £500,000. Why not issue civil monetary penalties of up to £500,000 to more than zero of the firms who ignore TPS?

You suggest it is difficult to gather evidence, but this seems to be a matter of policy on your part rather than an obstacle to your policy: Why not:

1) Collect the evidence in one place rather than two (ie the TPS site and the ICO site – you could put in a through link)?
2) Use a simple web form instead of requiring complainants to fill in a Word form and then email it to you?
3) Receive complaints where only the number is known rather than requiring the complainant to track down the owner of the number (you could use the internet to trace the numbers yourself or even ask Ofcom who happily hand out the numbers to the spammers and scammers and presumably keep records).
4) Prohibit the use of CLI withholding by cold callers (OK you might need to involve Ofcom here).
5) Solicit the submission of evidence by engaging with sites like http://whocallsme.com/ and http://www.the-scream.co.uk/forums/f30.html?

I realize that you couldn’t possibly comment on what I am about to say next, but I also realize that you must know it to be true:

The firm “######” is clearly as bent as a £6 note. You would be doing everyone a favour (the victims of their frauds and the victims of their illegal cold calling) if you fined them £500,000 and put them out of business for good. Then publicized what you had done in the media!

In closing, should like to point out that I completely fail to understand whose interest you think you are serving by turning a blind eye to the spammers and scammers. It goes without saying that you are not serving the interest of the public. But nor are you serving the interest of commerce. I work for a private company and I know we all complain about “red tape”, but the deregulation and decriminalization of telecoms fraud (in all its forms) is resulting in a situation where normal commerce is becoming impossible. Every time I receive a phone call or an email or an SMS message these days I have to devote precious time and energy to making sure it is genuine. Ninety per cent of the time, it is not. I realize you could never fully eliminate telecoms fraud, but at the moment, you are not making the slightest attempt to even curtail it.

If your letter to me represents your final position, please inform me so I can take this matter to the Ombudsman.

Yours sincerely

Mike Ward


I await a response!

And here it is:

The response begins by pointing out that the company XXXXX who called me twice recently are not the same firm as the firm with a similar name against whom an Enforcement Notice was served - something I had already worked out for myself and corrected in a follow up message to the ICO (see [*] above).

The response goes on to say:


The TPS regularly updates the ICO on the ‘Top 20’ companies complained about and where they receive repeat complaints, we are notified and a case is created at the ICO.

Civil monetary penalties

The use of this power is limited to circumstances where:

• there has been a serious contravention of PECR; and

• the contravention was of a kind likely to cause substantial damage or substantial distress; and

• the contravention was deliberate or the person responsible knew or ought to have known that a contravention would occur and failed to take reasonable steps to prevent it.


The circumstances in which it is appropriate to serve a monetary penalty will be limited. The Commissioner does though take the view that the requirement to demonstrate the potential for “substantial damage or substantial distress” can be met by contraventions where the damage or distress to any one individual is more limited but large numbers of individuals are affected. Thus there is the potential to impose monetary penalties for serious contraventions of the PECR provisions relating to the sending of unsolicited marketing messages.

The Commissioner is required to issue guidance on how he proposes to exercise his powers to impose civil monetary penalties. Now that the power has been extended to contraventions of PECR he will have to revise his existing guidance. The revised guidance will follow broadly the same approach as the current guidance. The revised guidance has to be approved by the Secretary of State and laid before Parliament before it can be issued. In addition the Commissioner will consult those likely to be affected by the revised guidance. This means that the revised guidance is unlikely to be issued before October 2011.

The Commissioner does not intend to impose any civil monetary penalties for PECR contraventions until the revised guidance has been issued. In any case he is not able to impose penalties for breaches that took place before the coming into force of the 2011 Regulations on 26 May 2011. The Commissioner may nevertheless start to gather evidence of non compliance from 26 May 2011 onwards for future use in connection with the imposition of civil monetary penalties. Furthermore, and subject to the provisions of this note, there is still the possibility of the Commissioner using his existing enforcement powers in connection with PECR contraventions. His new third party information notice powers will be available to assist him with this.

What Next?

This letter marks the end of our internal complaints process.

If you believe we have provided you with a poor service, or if you believe we have not treated you properly or fairly then you may be able to complain to

The Parliamentary and Health Service Ombudsman, Millbank Tower, Millbank, London SW1P 4QP

All complaints to the Ombudsman must be made through an MP. I would advise you to first call the Ombudsman’s Helpline on 0345 015 4033 or visit her website at www.ombudsman.org.uk to see if she is able to assist you further.

If, however, your complaint relates to the way in which we have interpreted the law then the Ombudsman cannot help you. If you want to challenge our interpretation of the law, you should consider seeking legal advice.

Yours sincerely
etc.


So there you have it. Cold calling people who are registered with the TPS is (like phone hacking) illegal, but no action is ever taken against firms who break that law - though it might one day if one of them causes "substantial damage or substantial distress".

This is rather like saying: "it's illegal to drive at 100mph in a 30mph limit, but we'll only actually fine you if you knock someone down".

[NOTE I don't of course suggest that being called by these fraudulent scumbags is equivalent to being run over by a car, but if one of them ever stood in front of my car I'd be sorely tempted.]

Next stop the Ombudsman. As the ICO point out, he will reject my complaint: "if [...] your complaint relates to the way in which we have interpreted the law then the Ombudsman cannot help you", but perhaps something deep inside him will squirm slightly as he composes his refusal to do anything.

....... another postscript (I expect there will be many):

An email from the ICO about my specific complaint about the specific "claims management" firm that rang me up twice in spite of my TPS registration:

Dear Dr Ward

Thank you for your complaint form regarding the unsolicited marketing calls you have received from XXXXXX.

What we do
The Information Commissioner’s Office regulates the Privacy and Electronic Communications Regulations 2003 (PECR). The PECR are concerned with the way organisations send marketing material by fax, text, email and telephone. Marketing can include the promotion of goods, services, aims or ideals.

Direct marketing calls
Regulation 21 of the PECR says that unsolicited live direct marketing telephone calls cannot be made to a telephone number if:

• that number has been registered with the Telephone Preference Service (TPS) for 28 days or more; or
• the organisation has specifically been asked not to make marketing calls to that number.

Next steps
You have not advised us that you have already contacted the organisation to ask them to stop calling you. In addition you have not advised us of the telephone number on which you received the call. Telephone number xxxxx xxxxxx does not appear to be registered with the TPS although [my mobile number] does appear to be registered.

Unfortunately if the number is not registered with TPS we cannot pursue a complaint about these telephone calls under the PECR at this stage.

If the number is not registered we would strongly recommend that you now consider registering the telephone number with the TPS. TPS registration is free and takes 28 days to become fully effective.

The TPS’s contact details are:

Telephone Preference Service
DMA House
70 Margaret Street
London
W1W 8SS
www.tpsonline.org.uk
Registration line: 0845 070 0707
Complaints department: 020 7291 3320
Alternatively you could write to the organisation that is calling you to ask them to stop. We would suggest that you retain a copy of any correspondence you send as evidence. We would expect the organisation to act on this instruction within 28 days.
If the number you received the call on is registered with the TPS please advise us of the number. To help us deal with your complaint as quickly as possible, please reply to this email, being careful not to amend the information in the ‘subject’ field. Please quote the above case reference number in all future correspondence about this matter.

As we cannot progress your complaint without the information we have asked for it will now be closed until we hear from you again.

Yours sincerely

etc

Of course telephone number xxxxx xxxxxx does appear to be registered with the TPS if you enter it into their website (which I do at least once a year to make sure it is still registered) and I have sent Mr "etc" a link to the relevant confirmation message.

I shall post any responses!

8 comments:

  1. I met a couple of people yesterday who do cold calling for a living. They work for what, as far as I can tell, is a perfectly legitimate company.

    Neither of them had ever heard of the Telephone Preference Service.

    Doesn't that speak volumes?

    ReplyDelete
  2. This is pretty much madness - they could and should be using the possible revenue from fines to finance the ICO or other related government projects.

    ReplyDelete
  3. ICO got back and confirmed that our telephone number IS after all registered with TPS - they apparently have their own software which doesn't work very well.

    ReplyDelete
  4. The Commissioner is required to issue guidance on how he proposes to exercise his powers to impose civil monetary penalties.
    Janine Zargar

    ReplyDelete
  5. Read with interest about your entanglement with the ICO. I despair in equal measure, although, as I get older, I really do believe that Government and its offshoots are very little different from the fictional parody of 'Yes Prime Minister'.

    We hear plenty of disingenuous rhetoric, and obfuscation, cleverly spun from the lectern, although the reality is that nothing much ever changes, irrespectiveof who is in power. To assuage my fevered soul I frequently write to MP's, Ministers and Departments, with that all important 'perception' of life on my side of the ballot box. They never deign to provide so much as a one line reply, yet, come the hustings and I have to hide behind the sofas to avoid their constant obsequious attention.

    As for the TPS, I could not even get the Police to take interest over a blatant attempt at telephone fraud. My 86 year old mother received 2 calls (number withheld) over a period of 24 hours. She was advised that the caller (supposedly a firm of Solicitors) had £3000 to deposit in her bank account, and the account details were requested. Fortunately, mother was sharp enough to foil their attempt, although she informed me straight away of her concerns. I phoned the Police immediately with all the information relating to this attempted scam, and the lame response was "well what do you want us to do about it ?". Surely, I explained, BT could trace the number ? They were totally disinterested. The perception was that they (the Police) were looking for a reason to bin the complaint rather than take some incisive action. Is it any wonder that these scams and spams proliferate ? Not only are the instigators not fined, they are not even investigated !

    As for the ICO, they are simply another job creation QUANGO . Would we really notice if they were closed down ? What happened to the 'Bonfire of the QUANGO's' promise on the Government's manifesto ?

    Another pointless Quango is the Financial Reporting Council (FRC) which is part Government funded. A constituent Board of the FRC is the Board for Actuarial Standards. This Board supposedly set prudent and risk averse standards for the pensions and insurance industry. Of course, we all remember the actuarial disaster that was Northern Rock Bank. The investigating Treasury Select Committee concluded that Northern Rock were gambling on high risk strategies with no safety net. Singled out for criticism was the Board Director and Head of Risk and Audit at Northern Rock Bank. He was deemed highly culpable in the bank's collapse, and multi-billion taxpayer bail-out. The Select Committees neetings were all televised and transcripted on the Web. That Northern Rock Director, who was deemed by the Treasury Select Committee to be the very antithesis of a prudent actuary, today sits on the Board for Actuarial Standards. It is nothing short of risible cronyism, but that is politicians for you !

    Good luck with the ICO - you will need it ! Why not give up now, and live a lttle longer ?

    http://www.youtube.com/watch?v=fgsTid97h6g

    http://www.frc.org.uk/bas/about/board.cfm

    John

    ReplyDelete
  6. I overlooked to mention that the former Northern Rock director referred to above, and cited in the subsequent Treasury Select Committee Report as culpable, also sat on the Northern Rock's Remuneration Committee. I have trenchant views on the value of the current vogue for bonus incentivised targets. They encourage totally the wrong attitudes, devoid of prudent caveats, and merely lead to fragile short term gain. To use a building analogy, you are simply incentivising your workforce to build the tallest tower in the shortest time, without any foundations or structural integrity. Moreover, when the building inevitably collapses you still pay your workforce a bonus. Am I missing something here ?

    The American social philosopher Upton Sinclair once sagely opined 'it is difficult to get a man to do the right thing, when his salary depends upon him not doing the right thing'. Quite right Upton, if only the banks' remuneration committees agreed with you !

    So, what have we learned from Northern Rock ? The whole concatenation of events in this financial crisis all started at Northern Rock Bank. We now know that the cause of that bank's collapse was an unbridled lust for profit, blind to the risks that were being undertaken, and without making prudent provision for those risks. Furthermore, the Northern Rock executive were incentivised with obscene bonuses that drove imprudent actions. We know that those failures come back to the former Board of Northern Rock, more especially the Head of Risk and Audit, who also sat on the Remuneration Committee.

    Today, that same individual sits on a part Government funded Quango, the Board for Actuarial Standards (part of the FRC) setting prudent protocols for the pensions and insurance industry. It is like putting a fox in charge of your chickens, knowing that the fox has a history of killing chickens. Albert Einstein said 'insanity is repeating the same thing, and expecting a difficult result'.

    Quite right Albert, madness, total, madness !!

    John

    ReplyDelete
  7. These calls are getting worse, we are getting around five a day now at our business address, I have learnt from them they have our phone number with the previous associated with the man who had the same number before us, whose address, name and dob several have given me asking if I was indeed Mr *****.

    These are a nuisance and a constant distraction at out place of work which are costing us time and money.

    More personally my elderly father has recently become a part of this list and is receiving daily calls from mostly the same two companies. This has distressed and agitated him to the point he no longer likes, and sometimes doesn't, answer the telephone at all which can be worrying.

    Both numbers are signed up with the TPS and I have made several complaints but it seems I have been wasting more time in this.

    Something needs to be done about this nuisance.

    ReplyDelete
  8. My approach to these calls is to say that we are registered with the TPS and that they are breaking the law and will be prosecuted - which includes the person actually making the call. The result in 99% of cases is that they never seem to call us again.
    Since being on TPS the rate of calls we get has dropped massively so, on balance, it does work as a prevention process.

    ReplyDelete

Comments are moderated, but you can leave them without registering.