Internal mistakes could risk the Information Commissioner’s Office (ICO) being able to carry out its planned fines and audit of Eldon Insurance and Leave EU. In February 2019 the firms were fined a combined total of £120,000. The organisations were found to have had similar customer management systems which couldn’t effectively distinguish insurance customers from those involved in the political group. Following this, the ICO announced both companies would be subject to an audit.
As a result of these procedural errors, Arron Banks who owns both Eldon and Leave EU has brought about an appeal hearing against the ICO which began this week. Eldon and Leave EU are appealing the actions taken by the ICO.
Christopher Knight, a counsel representative from the ICO stated that he thinks there is “room for criticism” on the ICO’s policies and the way in which audits are carried out. He believes that lack of decision-making documents on the part of the ICO didn’t represent good governance and falls short of the standards expected from a government department. Knight also said that if Eldon and Leave EU had wanted to challenge the distribution of the notice (of a fine and audit), then it would have been more prudent to launch a judicial review.
The tribunal proceedings uncovered that there were no internal documents produced by the ICO showing any decision-making procedures before announcing the planned fines and audits of Eldon and Leave EU.
The hearings also disclosed the internal confusion surrounding the decisions over Eldon and Leave EU. The only document seemingly shared before the notifications were released was a drafted internal memo; shared after the decisions about the company had been decided.
In November 2018, the notifications about the ICO’s intentions toward the organisations were sent to journalists just half an hour earlier than Eldon and Leave EU. The tribunal also revealed that a Digital, Culture, Media and Sport select committee also received the documents on the same day, ready for a hearing the next day. Knight also had to deny claims that the ICO scheduled the announcement of the investigation to strengthen its “Investigation into the use of data analytics in political campaigns” report, which was launched on the same day as the hearing.
During the select committee hearing, an ICO representative Elizabeth Denham, said that Eldon and Leave EU were fined following their failure in reporting a data breach, however this was incorrect as at the time, they were only initial notices.
Denham further said that “Eldon Insurance stated in response to our information notice… that they reported the breach when information was shared between Leave EU and Eldon.” She continued by saying that the ICO found no evidence of a report and therefore they had issued fines.
Gerry Facenna, the counsel representative for Eldon and Leave EU maintained that the ICO’s errors during this time was “procedural unfairness” and described the ICO inquiry as a “sham”. Facenna also argued that Eldon had undergone “serious reputational harm” at the hands of the ICO. Organisations such as LV had severed the relationship with Eldon after the ICO’s action; though the ICO denied this. It was suggested that ties were cut between LV and Eldon due to Banks’ negative publicity following a National Crime Agency into his campaign funding for Brexit.
However, in a statement from the NCA in September, they stated that they would take “no further action” on Banks or his affiliates, due to their lack of findings that any criminal offences had been committed.
Though Facenna argued that the errors were due to “unfairness”; Knight disputed this, claiming that the mistakes were simply down to inaccuracies within internal procedures. Knight went on to say that Facenna does not have evidence to suggest the errors were a “sham”; though he accepts it failed to meet best practice standards.
Jamal Ahmed Fellow of Information Privacy and Director of Kazient Privacy Experts said regarding the case: “The British public rely on, and trust The Commissioner to uphold our data privacy human rights. It would be a very sad day, and a travesty, if it transpires they have acted improperly in the execution of their duties and let the public down.”
The initial part of the tribunal occurred over three days earlier this week and a final decision is likely to be made in February 2020.
A decision is expected to be reached in February.
The ICO, Eldon Insurance and Leave EU have refused to comment on these ongoing proceedings.
Kazient Privacy Experts offer bespoke Data Protection, Privacy and GDPR compliance solutions in a language you understand to UK and international organisations, and has received positive media coverage across Europe. Kazient’s GDPR consultants are fully certified to be your outsourced Data Protection Officer or EU Representative. Get in touch to find out how we can help your business by visiting our website www.kazient.co.uk or calling us on 0330 022 9009.