Rancom Security Limited v The Information Commissioner

Rancom Security Limited (“Rancom”) appeal against a monetary penalty notice (“MPN”) imposed by the Information Commissioner for contravention of regulation 21 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”) in the sum of £110,000. Rancom is a home security business aimed primarily at the domestic market, it installs alarms and provides a monitoring service.

Over the course of one year, between 1 June 2017 and 31 May 2018, the Information Commissioner received 94 complaints about unsolicited direct marketing calls made by Rancom. Of those, 66 complaints had been referred via the TPS, and 28 had been made direct to the Commissioner. All of the complainants were registered with the TPS. These complaints were about calls made by Rancom as part of a direct marketing telephone campaign in respect of which 565,344 calls were made to TPS registered numbers.

The Appellant has provided no evidence that the TPS-registered subscribers who received unsolicited calls had consented to receive those calls. The company sought to rely on a number of explanations that it was submitted explained a “large number” or “very large number” of the 565,344 calls.

We have concluded that the Information Commissioner’s decision to impose an MPN was in accordance with law and that the penalty imposed was appropriate and proportionate. The Information Commissioner exercised her discretion appropriately.

The hearing was conducted by video hearing on 14 September 2021. The Tribunal was satisfied that it was fair and just to conduct the hearing in this way. I apologise to the parties for the time it has taken to promulgate this decision which was taken in October 2021.

We were provided with a bundle of 752 pages including indices, supplemental documents and skeleton arguments accompanied by a bundle of authorities.

Mr Hosking, one of the company directors at the time of the contravention gave oral evidence.

The case could not be completed on the allocated day because the tribunal wished to receive further evidence in the form of documents referred to by Mr Hosking that were said to substantiate his evidence but were not in the bundle. The case was adjourned and directions made for the filing of those documents and closing submissions. Those further documents were received and submissions exchanged in writing. Then panel convened in private session thereafter to consider the material with which they had been provided and to take our decision on 14 October 2021.

The panel notes that on 17 September 2021 (following the hearing on 14 September 2021), there had been a change in the status of the Appellant. Mr Hosking has ceased to be on record as the person with significant control of the company, being replaced by a limited company.

This appeal is brought under s.55B(5) Data Protection Act 1998 (“DPA 1998”) against a Monetary Penalty Notice (“MPN”) issued by the Commissioner. The notice was issued due to a contravention of the regulation 21 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”).

A contravention of regulation 21 occurs if a person makes an unsolicited direct marketing call to a number registered on the Telephone Preference Service (“TPS”) register for 28 days or more unless the caller has obtained consent. That consent must be freely given, specific, informed and unambiguous, which requires that it by demonstrated by “active” behaviour: see Planet49 GmbH C-673/17 (ECLI:EU:C:2019:801).

Section 49(1) DPA 1998 sets out the test to be applied on appeal as follows

The Tribunal conducts a full-merits hearing, considering the substance of the contravention rather than the procedure of the Commissioner’s investigation, see Central London Community Healthcare NHS Trust v Information Commissioner [2013] UKUT 0551 (AAC).

PECR implements Directive 2002/58/EC (“the E-Privacy Directive”). Regulation 21(1)-(5) relevantly states:

Consent is defined in Article 4(11) of the General Data Protection Regulation 2016/679 as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

A “subscriber” is defined in regulation 2(1) of PECR as “a person who is a party to a contract with a provider of public electronic communications services for the supply of such services”.

Regulation 26 PECR provides:

The Commissioner discharges the duty in regulation 26 through the TPS. People wishing to make direct marketing calls may subscribe to the TPS and receive periodic updates so that they can avoid calling numbers on the register and thereby avoid acting unlawfully under regulation 21(1)(b).

The definition of direct marketing is in s.122(5) DPA 18, which applies to the PECR by virtue of regulation 2(2) - “communication (by whatever means) of any advertising or marketing material which is directed to particular individuals”.

Section 55A DPA 1998 (as amended by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 and the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2015) relevantly provides:

Penalties issued under that power are capped at £500,000.

The provisions of the DPA 1998 remain in force for the purposes of PECR notwithstanding the introduction of the Data Protection Act 2018, see paragraph 58(1) of Part 9, Schedule 20 of that Act.

In Leave.EU Group Ltd & another v Information Commissioner [2021]UKUT 26 (AAC), one of the emails had prompted only two complaints. The Upper Tribunal stated that “the volume of complaints cannot be a reliable let alone determinative metric for deciding whether there has been a PECR breach, given that subscribers have easier default options than lodging a formal complaint with the Commissioner”.

Rancom Security Ltd are a company registered at Companies’ House which was incorporated on 20 February 2003. At the material time there were 2 directors one of whom, Mr Hosking, was acting as company secretary. During the relevant period Rancom had approximately 10,000 customers.

Between 1 June 2017 and 31 May 2018, 565,344 telephone calls were made from Rancom’s phone line to TPS-registered numbers. The Information Commissioner received 94 complaints about unsolicited direct marketing calls made by Rancom. Of those, 66 complaints had been referred via the TPS, and 28 had been made direct to the Commissioner. All of the complainants were registered with the TPS.

The complaints included the following comments:

In June and July 2017, the Information Commissioner had drawn the company’s attention to her Guidance on several occasions.

On 3/7/18 the Information Commissioner notified Rancom of her concerns and attached the complaints and a list of 22 questions. Rancom were asked to provide evidence of consent for the calls. Rancom’s response indicated that it had purchased the telephone numbers from third parties. At that stage Rancom asserted that it had carried out no due diligence or screening of the numbers that it had been supplied with. Later Rancom was to contradict this assertion with a suggestion that they screened approximately 10% of the data against the TPS register.

Further correspondence was exchanged between the Information Commissioner and Rancom throughout August through the autumn until December, the Commissioner extending the deadlines for receipt of the responses on more than one occasion.

On 10 December 2018 Rancom confirmed that during the relevant year it had made “in the region of 1,043,669 calls, but they are unable to ascertain how many of these calls were for marketing purposes”. It was suggested that many of the calls identified by the Information Commissioner might have emanated from different companies that shared Rancom’s telephone facilities, but we do not accept that suggestion, see below.

Further correspondence followed during which Rancom provided what it described as a fair processing notice provided to individuals who personally provided their own data and a “Rolling telemarketing Contract” between it and the provider of the majority of the data it purchased. The latter was neither signed nor dated. Further documents said to be scripts for market research calls were not attached.

Two of the contracts relied on by Rancom expressly disclaimed any warranty that the data would be accurate and excluded liability on the supplier for “any inaccuracy, incompleteness or other error in the Data”.

The “scripts” were provided at a later date they read as follows

The text of the first script is inconsistent with the text of the complaints received. The first is undated and the second dated 24/03/2017. Neither mentions market research. No completed surveys were provided to us.

On 30/4/2019 the Information Commissioner reminding Rancom that the company bore the onus of showing that the calls made were not unsolicited, i.e. that consent had been provided and with further queries about the assertion that other parties were using the same phone line as the company. The Information Commissioner again extended the deadlines for the provision of this information and four reminders were sent before a response was eventually received on 24 June 2019.

That response asserted that the evidence requested could not be provided as the database within which it was held had been corrupted due to ransomware. Mr Hosking said in his evidence that there were no records of the research or minutes of the meetings about that research because they had all been on approximately 30 computers that had a computer virus meaning they lost all customer information going, he went on to say that members of staff had left the company and taken the results with them. We do not accept the suggestion that other persons were using the telephone line nor the suggestion that evidence could not be provided, see below.

The Notice of Intent to issue a monetary penalty was sent to Rancom on 12 October 2020.

On 14 October 2020 Rancom responded suggesting that the Information Commissioner had failed to take account of material it had provided, complaining about the length of the investigation and referring to asserted financial hardship. The Information Commissioner requested supporting evidence in relation to the financial position on 20/10/2020.

Unaudited accounts for year ending 30 April 2018 were provided and later also accounts for the year ending 30 April 2020 which showed that the company was trading in a deficit of £940,128 and an operating loss for the year of £334,000. This was down from a profit of £41,142 in the year ending 30 April 2019 and this change was due to in part to a revaluation of intangible assets resulting in a loss of over half a million pounds as well as to a larger operating loss. The wage bill had increased over £300,000 pounds to over 1 million pounds and the directors’ salaries had been increased to over £200,000; an increase in the accounts of £90,000. At the time of the contravention there were 2 directors, the second director had resigned on 2 March 2020. The unaudited accounts for the year ended 30 April 2020 show Rancom to be insolvent on a balance sheet basis.

On 19 January 2021 the Information Commissioner decided to issue the final MPN.

In 2010 the Commissioner had issued an enforcement notice against the Appellant company (under its previous name, Direct Response Security Systems Limited). The company had acknowledged the Guidance and committed to screen the data against the TPS itself; nevertheless, on its own case it did not do so for more than approximately 10% of the data.

The central issue is whether the MPN is in accordance with law or whether the Tribunal considers the Commissioner ought to have exercised her discretion differently.

The issues within that overarching question for the Tribunal are

The grounds of appeal are that

Rancom suggested via submissions relying on the evidence of Mr Hosking that a “very large number of calls” were made for reasons

We determined the issues with reference to the facts we have found proved and within the legal framework set out above.

We have found that this is not a case where procedural deficiencies were “so flagrant, the consequences so severe, that the most perfect of appeals or re-hearings will not be sufficient to produce a just result’ ’ per Lord Wilberforce in Calvin v Carr [1980] AC 574 and see also Leave.EU at paragraphs [23] and [ll3]—[ll6]. The Information Commissioner’s investigation was thorough, and gave the Appellant more than ample opportunity to provide evidence about each of the concerns raised by the regulator. This tribunal has conducted a full merits rehearing of the substance of the appeal.

It is not in dispute that 565,344 calls were made from the Appellant’s phone line to TPS-registered numbers We have considered the explanations tendered on behalf of Rancom and have concluded that none of these satisfactorily explain the situation. We note that Rancom has provided no evidence of the number of calls that would fall within any or all of the explanations it seeks to rely upon.

We do not accept the suggestion made on behalf of the appellant company that the large volume of calls is explained by calls made for personal or business reason apart from direct marketing. Rancom assert they have 10,000 customers. Even assuming five calls to both keyholders for each account in the course of a year, being 100,000 calls, this would leave hundreds of thousands of calls unexplained (465,344).

Looking at this from the perspective of employees making calls, if the average number of employees (60) made 10 personal calls on each working day of the year (253) this would amount to only 151,800 and even if they did so on every single day of the year this would not explain all the unexplained calls. The use of the company’s business lines for personal reasons to the extent claimed by Rancom appears to us to be implausible given the diversion of time and resource that would be incurred were it to be true.

This explanation tendered by the appellant company effectively relies on the assumption that every such customer, key holder or family member or call by a staff member happened to have been to a TPS subscriber and thus should be regarded as part of the 565,344 calls if it is to be successful. This is implausible and unevidenced.

However, the total number of calls from the one line in issue in this case included a further 286,048 calls to subscribers who had not been TPS-registered for 28 days, and thus not falling within the context of the contravention but giving a total of 851,392 calls.

None of these assertions are evidenced by Rancom and we do not accept that the calls are explained in the ways claimed by the company whether those claims under this head are taken individually or as a whole.

We do not accept Rancom’s suggestion that many of the calls identified by the Information Commissioner might have emanated from different companies that shared Rancom’s telephone facilities. If that was right this would not necessarily assist the company as it demonstrates a lack of control over the use of electronic communications for which they were responsible. The calls indisputably originated from Rancom’s telephone lines. Regulation 21(2) prohibits persons from permitting their line to be used in contravention of that prohibition.

Rancom has made unsubstantiated claims in this regard; in its letter of 21 February 2019, it claimed that “at least a quarter to half of the calls are likely to have emanated from these companies”. Then on 24 June 2019, it said that “up to about half of all outgoing calls were made by these organisations and not by Rancom”. The suggestion was that there were no formal contracts in place to cover that usage and no evidence in support of the assertion was provided to the tribunal.

Rancom suggests the lack of corroborative evidence is due to the corruption of computer records. We do not accept the suggestion that other persons were using the telephone line nor the suggestion nor that evidence could not be provided due to corruption of a database or computer virus. Even if some evidence had been corrupted there were alternative sources of evidence. If other companies or persons were using the telephone line we would have expected it to be a simple matter for that to be evidenced via the receipt of contributions towards the costs or with confirmation from those other users. No bank statements were produced nor other documentation to sustain this explanation, even when the tribunal gave further opportunity for evidence to be produced after the hearing.

As to the computer virus/corruption of a database, Mr Hosking had suggested that all the 30 computers infected with a virus were wiped and since that time the company has backed up its systems. Contracts were kept in hard copy according to Mr Hosking and every call was recorded, he also said the company had consent forms. The tribunal asked to be directed to where we could view the contracts with companies using the phone lines and the consent forms in the bundle and Mr Hosking did not know. He then suggested the consent forms would have been destroyed in accordance with data protection procedures.

The tribunal was provided with information after the oral hearing but before it took its decision this included a report from a company that had dealt with an incident with a computer at Rancom, said to be ransomware. The incident was logged at 29.06.2017 3:05pm and resolved 02.07.2017 4:56pm. We note that report shows that the issue was that a person opened a malicious email from a source that appeared genuine, this launched a virus that then spread to the network and other workstations. This was resolved as follows

Rancom suggest that the calls were not direct marketing but were market research or what Mr Hosking called an “awareness campaign”. No satisfactory evidence has been produced of the scope of the research being undertaken nor of the outcome. We reject the evidence of Mr Hosking about the purpose of the calls and to the effect that family members made complaints because they may have misinterpreted what their elder relatives told them, this assumes that older people are incapable of properly understanding or communicating what is being said to them and does not explain what was said in those complaints, nor the number of complainants putting the same interpretation on the calls received.

The evidence from the complaints about what was said during the calls, the aggressive tone of those calls and the volume and duration of the period over which they were made is inconsistent with the calls being part of bona fide market research.

Furthermore, multiple calls to the same number would not be necessary in those circumstances. The schedules show multiple calls to the same number.

The scripts provided by the company in an effort to sustain this suggestion do not support it but show that the calls did include advertising material and therefore included information which was being communicated for direct marketing purposes. Moreover, the supposed market research element of the script was inconsistent and unfocused.

Rancom relies on training documents to support the suggestion that the calls were for this purpose.

A training record dated 19/5/2017 was provided for the same employee whose training had begun on or before 5 October 2016, this record suggests that Mr Hosking “would be” providing training on TPS and the requirements of PECR to the employee and there is a later document dated 26 May 2017 headed PECR training part 2 which tells the employee

This is accompanied by a “market research training document”, this suggests that each person called would be asked for a preference of whether they would prefer police to respond to their alarm or a guard. It says “you are not allowed to call TPS as this is a survey” and instructs the employee not to book an appointment. We note the reference to data being handed in at the end of a shift to the supervisor from which we infer that this was in hard copy, this is consistent with another document dated 7/8/17 which talks about data research sheets having to be handed in to Mr Hosking by 10am on a Monday and then destroyed after 28 days.

A document dated 5 November 2018 states that “Rob and Ant” were in charge of the “large survey” and that the market research showed that 71% were in favour of private guarding. This analysis would have been based on answers to question 7 on the script “Do you consider that serve that provided a private guarded response to be more of a premium service than a police responded system? (sic)”.

At one stage the company suggested market research calls were not recorded but later sought to criticise the respondent for not having produced any recordings. However, these were Rancom’s calls and they were in the best position to evidence them in support of their own position and did not do so. We have not been provided with any recordings or transcripts of calls, the script tells us nothing about what was actually said.

Whereas the complaints received detail the substance and tone of the calls made, recounting selling tactics such as offering to advise on home security or discuss product options, including references to them being “in the area” and demonstrate a pattern of direct marketing by Rancom, frequently featuring the warning that the emergency services will fail to respond to an alarm.

Mr Hosking suggested that as a result of the market research the company had changed its business model to introduce what it called private guarding. It is submitted by the company that the timing shows this change of model following the research. However, we find the lack of any analysis or business planning or company records, to indicate that the real reason for the calls was for marketing purposes for the new business model. This is consistent with the text of the complaints which have repeated references to the non-responsiveness of the police in an attempt to sell a system which relies on private security rather than police response.

We have not seen the outcome of the market research beyond the assertion that the results showed 71% in favour of private guarding. Indeed in cross-examination Mr Hosking seemed to suggest that the only question where data was actually collected was question 7, which is an indication that the “survey” was not genuine.

Even if parts of an individual call could be said to have an alternative purpose, that would not prevent a contravention from being committed in another part of the same call. The Upper Tribunal has made it clear that the definition of “direct marketing” cannot be avoided by packaging the advertising material among or adjacent to some other purpose of communication. Even if the market research itself were genuine, and sincerely acted upon to develop business policy, that would not automatically legitimise the campaign if there were also an unsolicited promotional element being communicated electronically.

We have found that the calls made by Rancom as part of its so called “market research” were for the purposes of direct marketing as defined in s.122(5) DPA 18, being “communication (by whatever means) of any advertising or marketing material which is directed to particular individuals”.

Rancom accepts that between 1 June 2017 and 30 May 2018 that it carried out direct selling by telephone and that it is likely that some calls were erroneously made to TPS registered numbers. It has not been suggested that any consent was provided or sought for the calls made by the company.

We find that the 94 calls about which complaints were received were made for direct marketing purposes and that they were made in contravention of Regulation 21 PECR.

We have decided that it was appropriate to impose a monetary penalty, on Rancom because

Seriousness: We are satisfied that condition (a) from section 55A (1) DPA is met.

We have concluded that the contravention was serious in the light of the following

Deliberate or negligent contravention: There is no suggestion that the contravention was deliberate. In considering whether Rancom acted negligently as opposed to deliberately the requirements of section 55A(3) DPA 1998 apply.

We have concluded that Rancom knew or ought to have known that there was a risk that the contravention would occur: Rancom accepts that between 1 June 2017 and 30 May 2018 that it carried out direct selling by telephone and that it is likely that some calls were erroneously made to TPS registered numbers. Albeit that our findings above are not accepted.

However, Rancom do not accept that any marketing calls were made deliberately or negligently. They rely on training they have provided and contracts they have entered into but this must be seen in the context of the fact that Rancom’s attention had been drawn to the issue by the Information Commissioner in June and July 2017 and in 2010 the Commissioner had issued an enforcement notice against the Appellant company (under its previous name, Direct Response Security Systems Limited). The company had acknowledged the Guidance and committed to screen the data against the TPS itself. However even on its own case it did not do so for more than approximately 10% of the data.

We were provided with an example of training records of one employee. The first document is dated 5/10/2016. This makes it clear that the training being provided was to do with the costs of installation. This is clearly related to sales of the system rather than market research. Another record dated 7/11/16 for the same employee does not mention market research either. There is a third record for same employee dated 10 January 2017, once again this does not mention market research, nor does one from 22 March 2017. A fourth document relating to the same employee dated 10 January 2017 states, inter alia “If an existing customer is on a TPS list please explain we are allowed to call them as they are our customer…”. This suggests that the company was aware of its responsibilities as regards TPS subscribers.

Only one of the questions being asked in the “market research” was actually analysed, and the plan was clearly to call many people regardless of the purpose of the calls. Moreover guidance from the Information Commissioner is easily available. In such circumstances and in the light of previous enforcement proceedings adequate due diligence was imperative.

Rancom relied on having entered into contracts with those who supplied them with the data (the phone numbers). The company took no steps beyond a check of its suppression lists to ensure that communications made on its behalf were not unlawful. The claim that 10% of the numbers provided were checked against the TPS register is inconsistent with the fact that the company does not have a TPS licence and had they done so it would have been clear that many of the numbers were registered but there is no suggestion that this happened nor that there was a change in business practice as a result.

Furthermore in answer to questions from the tribunal Mr Hosking said that Rancom were not aware of how to check whether the data with which they had been provided was free from TPS subscribers and they relied on the person they were calling to tell them. This is inconsistent with the suggestion that contracts were entered into for the purposes of such checks being made and inconsistent with the suggestion that 10% of the data was checked.

Furthermore, the contracts relied on by Rancom between them and the suppliers of the data, expressly disclaimed any warranty that the data would be accurate and excluded liability on the supplier for any inaccuracy, incompleteness or other error in the data see contractual clause 6.1 at bundle page 103 and clause 14.1 on page 119.

Rancom stated in submissions that they had entered into a contract with a third company for the provision of data and Rancom verified that the system used by that company had a cloud based verification of numbers to be called against the TPS system. The contract included the appointment of a compliance officer and monitoring and purported to warranty the information. That company is said to have gone into liquidation. That “Rolling telemarketing Contract” between it and the provider of the majority of the data it purchased was neither signed nor dated and only produced later in the investigation.

Such a contract in itself does not absolve a company that makes direct marketing calls from responsibility to comply with PECR. Rancom asserted it checked 10% of the number provided to it by third party suppliers. Had any numbers been checked it is likely that this would have revealed that the numbers it was calling were TPS registered. This omission is significant given Rancom’s previous contact with the Commissioner, including previous enforcement action in 2010. Furthermore, on 25 July 2017 within the relevant period, Mr Hosking (on behalf of the Appellant company) agreed with the Information Commissioner’s assessment that it was unlikely to be acting in compliance with its obligations, and should be purchasing the TPS list directly rather than relying on third party suppliers. He committed to ensure that the Appellant would implement the Commissioner’s recommendations. However, there is no record of the Appellant ever having obtained the list from TPS.

The argument made by Rancom about possible out-of-date lists of TPS subscribers has no force. The data relied on by the Commissioner was filtered to establish the number of calls made to numbers which were registered with the TPS at least 28 days before receiving a call” in accordance with Regulation 21(3) PECR. According to the Appellant, the data was refreshed every month which, if true, that would certainly have avoided any over-counting. However, that time-lag could not account for more than a tiny proportion of more than half a million calls.

We have concluded that Rancom new or ought to have known that there was a risk that the contravention would occur and failed to take reasonable steps to prevent the contravention. We are satisfied that condition (b) from section 55A (1) DPA is met.

We are satisfied in all the circumstances that the Information Commissioner did not exercise her discretion inappropriately when deciding to issue the MPN.

We then turned to consider the amount of the penalty. The purpose of a monetary penalty notice is not only to punish the contravention but also to deter others from engaging in similar behaviour. They form a deterrent against non-compliance and thus an encouragement towards compliance.

The Information Commissioner agrees that there had been no breach since 1 January 2019 until the date of the hearing, this does not mean that there should not be a penalty but any cessation of the contravening behaviour will be a factor to consider as to the amount of the penalty. This consideration led the information Commissioner to decide not to issue an enforcement notice.

Monetary penalties should not cause undue financial hardship but it could be said that is in their nature and purpose to cause hardship because they are a deterrent. In any event what is required is that the amount of the penalty is proportionate in all the circumstances.

The Information Commissioner adopted a starting point of £140,000. Taking into account the volume of calls and the period over which they were made as set out above, we find this is the appropriate starting point.

We turn then to decide whether the penalty should be increased or decreased in the light of any aggravating or mitigating factors. We have identified the following aggravating factors:

The Information Commissioner increased the penalty to £170,000 in the light of those factors and we agree they are significantly aggravating and justify that increase.

We then considered whether there were any mitigating factors that point to a need for a decrease in the penalty. We have had regard to

Bearing in mind the particular circumstances of this case we have found that the penalty should be reduced to £110,000.

Taking all this into account, we are satisfied that a penalty of £110,000 is reasonable, proportionate and dissuasive in all the circumstances of this case.

We conclude that the MPN was in accordance with the law and we do not consider that the Commissioner ought to have exercised her discretion differently. The MPN stands.

The appeal is dismissed.