Agenda
• Alastair Barter – Information Commissioner’s Office
• Giancarlo Lagonegro – APCM
• Peter Reynolds – First Data
• Bernadette McEvilly – Credit Competence
• Charlie Gordon - Legal Ombudsman
• Workshops
• Panel Debate/Q&A
Alastair Barter
Information Commissioner’s Office
Data Protection and PECR:
an update from the ICO
Alastair Barter – Senior Policy Officer - ICO
The role of the ICO
• Enforce and regulate
– Freedom of Information Act
– Data Protection Act
– Privacy and Electronic Communications Regulations
– Environmental Information Regulations
• Provide advice to individuals and organisations
• Adjudicate on complaints
• Promote good practice
Subject Access
• Fundamental to data protection
• Assistance via SARs Code of Practice
• Our focus will take into account nature of
interactions between data controller and data
subject
Subject Access Requests: Requests
made on behalf of the Data Subject
The DPA does not prevent a subject access request being made on behalf of
an individual.
• Data Controller must satisfy themselves that the person is acting on behalf of the data subject.
• Responsibility for providing this rests with the third party.
• If there are concerns about the nature of the information to be provided, then the response can be sent straight to the data subject rather than to the third party.
SARs from CMCs
• Apply usual SAR rules
• A data controller should look for clear customer authority for
a 3rd party to act on their behalf
• Data can be sent to the customer directly if there are
concerns
• Consider the scope of the request – does the client know
what you are asking for?
• Do any restrictions or exemptions apply?
Regulating PECR
• ICO able to issue penalties of up to £500,000 for serious breaches of the PECR
• Recent ICO enforcement activity - DM Design fined £90,000 for making thousands of unwanted marketing calls
• Comes after fines of £440,000 were issued in November 2012 to owners of a company responsible for sending hundreds of thousands of spam texts
• ICO online reporting tool has received over 140,000 complaints
PECR – Civil Monetary Penalties
• “Serious” – 1945 complaints over sustained period with no effective steps taken to prevent further compliance issues
• “Damage and distress” – number and nature of calls, repeated calls were “unnerving and intimidating”
• Cumulative distress – lots of people on many occasions
• “Knew or ought to have known” – contact with organisation from complainants, TPS, ICO
• “Reasonable steps” – no evidence of policies and procedures to assist staff
Tackling the issue
• Multi-agency drive
• OFT, OFCOM, MoJ, NFIB, CAB, Which?, DMA,
GSMA
• Strategic threat assessment shows that the
approach has to be joined up
• Not just enforcement but guidance also
Future regulation
• Proposals to change the data protection framework across Europe issued by EC
• Subject access to be free of charge?
• One month to reply – or two?
• Retention policies
• Right to data portability
• Strengthening of consent
• Sanctions
Keep in touch
Subscribe to our e-newsletter at www.ico.gov.uk
or find us on…
www.twitter.com/iconews
Giancarlo Lagonegro
Peter Reynolds
Bernadette McEvilly
Introduction to the
Legal Ombudsman
Charlie Gordon
Confidential and Legally Privileged
<copyright Legal
Ombudsman>
Who we are
• Legal Ombudsman for England and Wales
• Set up by the Office for Legal Complaints (OLC)
under the Legal Services Act 2007
• Based in Birmingham
• One of a number of Ombudsman schemes eg
FOS
Our jurisdiction
Complaint about the service
received, or
Complaint about:
- Unreasonably been refused a service or
- Persistently or unreasonably offered a service that
they did not want
We always give the party complained about a reasonable
opportunity to resolve complaint
Time limits apply:
6 years from date of problem, or
3 years from date of awareness, and
6 months from final complaint response
* The problem must have happened after 5 Oct 2010. If it occurred before, the consumer must have become aware of the problem after 5 Oct.
Complaints data
Per year we:
• Receive around 70,000 contacts by phone,
letter or email of which 30,000 are registered
as complaints
• Accept investigations into around 8,000
cases
Our business process
Contact
Initial analysis and allocation
Resolution
Regulator
Decision
Enforcement
Our approach
• Informal and quick (informal
resolution)
• Non-legalistic
• Inquisitorial – not adversarial
• Independent
• Free to consumers
How we investigate…
Was service received reasonable?
If not, was there any detriment?
What remedy would be appropriate?
Our aim.
Types of remedy
Non-financial
• Order an apology
• Order work for complainant
Financial
• Compensation for direct financial loss of up to
£50,000
• Compensation for inconvenience suffered
• Reduce or waive fees
What is fair and reasonable in all
the circumstances?
Case fees
Statute requires us to charge case fees - £400
fee for every complaint investigated
Can exercise discretion to waive if:
- The complaint was settled, resolved or determined in
favour of the party complained about; and
- We are satisfied that all reasonable steps were taken
under the internal complaints procedure to try and
resolve the complaint.
Preparing for the Legal Ombudsman
1. Most importantly, ensure you have a good
internal complaint handling process in place
2. Make sure you recognise complaints
3. Keep records to show what’s happened
4. Look at Legal Ombudsman website for
information about our approach and
complaint handling guidance
What we will expect from CMCs
• Tell clients we exist
• Co-operate with the Ombudsman
• Be prepared to agree informal settlement
• Pay up - enforcement
Thank you
Charlie Gordon
Ombudsman
PPI visits
an overview of issues arising
and what to expect.
Background
Year End | % of authorised firms operating in the financial products and services sector | Actual £ turnover generated by these firms
2009/2010 | 36% | £104 million
2010/11 | 29% | £189 million
2011/12 | 32% | £312.7 million
Background
Around 1/3 of total CMCs are authorised for financial products and services, but they account for 93% of complaints received by the MoJ.
MoJ Visits
No PPI
Standard claims letters
MoJ Visits
What should firms be doing?
No PPI
• Making all reasonable attempts to verify that
PPI is held.
• Where client is adamant but unable to provide evidence, then should be able to demonstrate “reasonable endeavours” and that the discussion has been held with the client.
MoJ Visits
What should firms be doing?
No PPI
• Not engage in tactics such as “give it a try” or
“nothing to lose” where client has no idea
whether PPI held.
• Make use of Subject Access Request
provisions.
• Monitor “no PPI” levels and be prepared to
review business practices.
MoJ Visits
What should firms be doing?
Template Letters
• Seek confirmation from clients as to the misselling issues.
• Where SAR held, review information and base claim upon client-specific issues identified in file as well as those discussed with client.
• Avoid “one size fits all” claim letters which do
not reflect individual client circumstances.
MoJ Visits
What should firms be doing?
Template Letters
• Review letters of claim to avoid conflicting
information, e.g. customer didn’t know that
PPI existed on account but then next
paragraph states “felt pressurised”.
MoJ Visits
Other Issues
• Notifying changes to regulator
• Monitoring of “Refer a Friend”
• Monitoring of other introducers/agents
MoJ Visits
Other Issues
• Advertising
• Annual Accountant’s Report
• Evidence of Staff Competence
MoJ Visits
Summary
• More challenging landscape
• Must take control of your business practices
• Adapt practices where issues found
• Real threats to business
Panel Debate / Q&A
• Sarah Mutton – Claims Management Regulator
• Alastair Barter – ICO
• Bernadette McEvilly – Credit Competence
• Giancarlo Lagonegro – APCM
Closing Remarks