Monday 7 June 2021

'Litigation specialists' who broke the law could be sued

BILL CHISHOLM reports on Avocet Natural Capital's 'clear breach' of privacy regulations

Regular readers of these columns will be aware of the never-ending threats of legal action levelled at many of us by Avocet Natural Capital [ANC] PLC in newsletters circulated to hundreds of shareholders by the company's 'controversial' chairman, Martin Frost.

And every one of those newsletters carries a unique warning which states: "ANC Plc shareholders correspondence is identified with a tracker so please do not breach your shareholder NDA [Non Disclosure Agreement] by passing on the contents of this shareholders communique to third parties without first obtaining permission from Mrs. Eirlys Lloyd".

However, we can now report that these sticklers for sticking to the terms of the Data Protection Act chose to forget their own data protection obligations before ignoring instructions from the Information Commissioner's Office (ICO) to address and rectify the situation they'd created.

It's a long story, and may require several chapters to do it justice, but as a first step here is an outline of what could be described as the irony of ironies.

As I reminded readers only recently, Mrs. Lloyd, ANC's company secretary, emailed me on July 12th 2020 claiming I might have been involved in a crime.

She wrote: "A number of Avocet Natural Capital Plc shareholders have brought to the directors' attention that a breach of section 170 of the Data Protection Act 2018 has occurred, in that a person or persons have unlawfully obtained or disclosed personal data without the consent of the company. It is understood that you may have been involved in this crime. This has been brought to the attention of the police who are now investigating."

It seemed Avocet did not approve of our coverage of the company's activities, and the firm was keen to find out who might be 'leaking' Mr Frost's correspondence to Not Just Sheep & Rugby.

But in an almost unbelievable twist, just three weeks later, it was my turn to complain to Mrs Lloyd about a potential 'crime' by ANC against me.

I was astonished and dismayed to discover that in a shareholder letter of August 3rd 2020 my personal email address was on display, included as part of Mr Frost's written report to hundreds of investors.

A quick Google search confirmed the following: "The Data Protection Act stipulates that you must take all reasonable measures to ensure the data you hold, such as people's email addresses, are not divulged to third parties unless they have given you permission to do so. This is a clear breach of the Data Protection Act".

I immediately wrote to Mrs Lloyd, explaining: "On page one of a letter to the 650 shareholders of Avocet Natural Capital dated 3/8/2020 on Avocet Natural Capital headed notepaper and tailed with your own company’s name the text includes my email address. There can be no element of doubt that this is a flagrant data breach, presumably approved and signed off by Mr Frost, by (fellow director) Mr Jennings whose name appears on the letter, and by yourself."

But my request for an explanation prior to contacting the ICO did not receive Mrs Lloyd's attention. Instead, she asked on three separate occasions for the identity of my source for Mr Frost's offending newsletter.

She wrote: "As courtesy to the ICO, I believe you are aware that shareholder letters from the company do not emanate from me or Eirlys Lloyd Company Services Ltd.  Also, perhaps you would be so good as to provide details of the person/persons who forwarded a confidential shareholder communication to you. These shareholder communications are covered by the company Group NDA and, if a former employee/shareholder, also their personal NDA."

Following the futile email exchange I complained to the ICO on August 4th 2020. But there was to be no swift resolution by the regulator.

I heard nothing further until April 31st this year when the ICO informed me they had 'now established contact' at ANC.

The Commission email stated: "We have considered the issues that you have raised with us and our decision is that there is more work for the organisation to do. We have therefore raised your issues with the Data Protection Officer, explaining that we want them to work with you to resolve any outstanding matters.

"In your case, we expect the organisation to fully address your complaint by telling you what they are going to do to put things right, or if they believe they have met their data protection obligations by explaining fully how they have done so. We have allowed the organisation 28 days to consider the issues that you have raised with us and to consider next steps in your case.  As such we have closed your case and don’t intend to take any further action.  However, if you don’t hear back from the organisation after 28 days then please let us know."

Because the ICO had not confirmed that ANC had breached privacy rules I asked for a review and was eventually told on May 12th: "You have requested a definitive outcome from the ICO. I can confirm that as your personal email address was passed to shareholders in a letter to them it is likely that the organisation has failed to comply with their data protection obligations relating to security. It is hoped that the response you receive from Avocet Natural Capital PLC should clarify whether they believe they had a lawful basis to share this data or if they did not, what they intend to do to rectify the situation."

The 28-day period for a response from ANC expired on May 28th, and in the event of the company's failure to obey the ICO's instruction I have asked the Commission what further action it plans to take.

In the meantime I have been advised: "You do have the right to seek your own compensation for material or non-material damages arising from a breach of GDPR [General Data Protection Regulation]. This is not something the ICO can assist you with. We would recommend that you seek independent legal advice if you decide to take this action."




