A relatively new, but unwelcome, aspect of modern life is under the spotlight: the misuse of people’s data by so-called ‘text pests’. These individuals use personal information that has been provided to them in a business context to make romantic or sexual propositions. For example, a customer might order a product, only for the delivery driver to contact them later to ask them on a date.
The Information Commissioner’s Office (ICO), commissioned research into this nefarious practice in May. It found that, of the 2,289 UK adults surveyed, 17% had experienced unwanted contact after supplying their personal information for a business reason. Analysis of the age categories showed this figure climbing to nearly one-third of 18−34-year-olds, and only dipping slightly to one-quarter for the 35−44 age bracket.
Is it legal?
One of our Partners, Stephanie Pritchett, was quizzed on this in a recent edition of ITV West Country News, alongside Joanne Stones, an ICO spokesperson. Summarising the legal situation, Stephanie said, “It is a clear breach of the GDPR. You can’t just take someone’s personal information and use it for your own purposes. Absolutely not.”
The ICO’s study revealed that younger people were more likely to believe – mistakenly – that use of their data in this way was legal. Yet, as Stephanie pointed out, it is a clear breach of the General Data Protection Regulation (GDPR): information that organisations collect should only be used for their legitimate business purposes, and those that individuals have been informed about via privacy notices, etc. Using personal data for a different business purpose is not allowed, let alone for personal purposes outside the business.
How can text pests be stopped?
As part of its research and subsequent call for evidence, the ICO has contacted some of the UK’s major customer-facing employers to remind them of their legal obligations and learn more about the safeguards that they have in place.
As Stephanie explained in her ITV News interview, organisations “could be at fault if they haven’t carried out appropriate training to tell their staff that they can’t use information like that, or if they don’t have policies in place to make sure that staff are clear about it”.
The ICO can take action to address this, making organisations liable:
- For fines up to the statutory maximum of 4% of annual worldwide turnover or £17.5 million, whichever is greater.
- For other regulatory action such as audits, and naming and shaming organisations.
- To individuals for compensation if they have been damaged or distressed by the situation.
When the ICO exercises its powers in this way, it creates huge reputational risk to businesses.
Depending on the circumstances, text-pest incidents may be treated as crimes, and the individuals who perpetrate them may be prosecuted. Such proceedings can be started by the ICO or by the organisation itself. Individuals who unlawfully access and use personal data may be guilty of a criminal offence under section 170 of the Data Protection Act 2018. If so, they are likely to be taken to court, be fined and have a criminal record.
Employers may also decide to investigate perpetrators for gross misconduct, and dismiss them if they find them guilty.
What can organisations do?
To help avoid text-pest incidents arising, there are several things that organisations can do:
- Carry out, and keep under review, appropriate data protection training. This should be tailored to job roles and ensure that workers are aware of key dos and don’ts.
- Have in place a suite of clear policies and ensure that these are effectively implemented.
- Establish technical controls such as ensuring that information can’t be downloaded easily from company-issued devices or apps.
In addition, organisations should ensure that it is easy for victims to report any text pest incidents to them. If organisations become aware of such incidents, they should respond robustly by taking appropriate steps against perpetrators’ actions. These may include investigating individuals for gross misconduct and even dismissing them where appropriate.
In light of this, if your organisation needs help with data protection compliance or a review of its policies and procedures , we can help. We also offer bespoke training or off-the-peg one-day courses , so please get in touch to find out more.