ICO to audit Banks’ Eldon Insurance to check customer data is secure

Eldon Insurance is facing an audit from the Information Commissioners Office (ICO), after a report today revealed evidence of personal customer data being shared with Leave.EU.

Alongside fines totalling £135,000 handed to Arron Banks-owned Eldon and Leave.EU, the ICO will audit the firm to ensure the company is now compliant with data protection law.

The report revealed customer data was accessed by staff working for Leave.EU and “was used to unlawfully send political marketing messages”.

“We have concerns about the overall management of personal data within the company particularly about the arrangements for sharing personal data handled by the company and its associated entities”, the report states.

The ICO has issued a preliminary enforcement notice on Eldon requiring immediate action.

And the report added: “We are considering the apparent weakness of controls in Eldon allowing its customer information to be accessed by Leave.EU staff in this way on different occasions, and we are still considering the evidence in relation to a breach of principle seven of the Data Protection Act 1998.”

Breach

The report states that Eldon admitted to one incident where a Leave.EU newsletter was incorrectly emailed to 319,000 Eldon customers. It claimed this was to “an error in managing an email distribution system”.

Two separate campaigns were also identified by the ICO where over one million emails were sent to Leave.EU supporters featuring marketing information for GoSkippy Insurance, the trading name of Eldon.

In its notice of intent to Eldon, the ICO stated that to send these direct marketing emails, it required valid consent from the recipients. The ICO investigation found it did not have this consent.

The notice states: “Having reviewed the Privacy Policy relied upon by Leave.EU, it is clear to the Commissioner that GoSkippy are not specifically named, or identified in such a way that would suggest they could lawfully instigate direct marketing to subscribers.”

Both Leave.EU and Eldon were provisionally fined £60,000 each for sending marketing emails without specific consent. Leave.EU was provisionally fined an additional £15,000 for sending Eldon customers the newsletter. Both have until 5 December to respond before a final decision is made on the fines.