PDV – Complaint about direct marketing
September 2015 - updated June 2016
This case was referred to the Commission from the Direct Marketing Association following a recent investigation undertaken by the Fundraising Standards Board (FRSB) into a complaint from a TPS registered consumer who had received an unwanted call from Insight CCI, a telemarketer fundraising on behalf of Breast Cancer Campaign.
PDV Ltd, acting as a broker, had confirmed that it had supplied the complainant’s number to two selected clients, one of which was Insight CCI, after it had been supplied to them by a company based in India called Dynaxon IT Services. Dynaxon had conducted a telephone survey designed to create ‘opt-in’ leads for a variety of charities and commercial companies.
The Commission concluded that PDV had relied on assurances and documented processes signed with their off-shore supplier to comply with the UK TPS regime. Dynaxon, in turn, used another sub-contractor to provide a database of UK numbers to call and to check this database against the TPS register. PDV knew little of the sub-contract arrangement, had not themselves visited Dynaxon and did not seem at the time to have arrangements in place to test effectively whether the processes thay had set were being followed. At the time PDV did not themselves check the leads supplied by Dynaxon against the TPS register, although once they became aware of the problem, PDV assumed responsibility for this.
PDV’s supplier was a young and offshore business, that itself relied on data from a third party that supposedly had responsibility for compliance actions. PDV accepted the arrangement had not worked properly, that the original TPS complainant had been called wrongly and that this was not likely to be an isolated incident. We were also concerned about the overall vagueness of the information given to those who were called in terms of what consent they were being asked to give in agreeing to receive future marketing calls as a result of answering survey questions.
Given PDV is a data brokerage of some size and with a number of offshore partners the Commission thought PDV would have been more aware of its responsibility to ensure data is properly sourced, cleaned and permissioned and understood it was responsible for the behaviour of these suppliers specifically in terms of how they source data, check to ensure calls are not made to TPS registrants unless they have given prior consent, and that permissible calls are clear in terms of the marketing permissions they secure.
The Commission found four breaches of the DMA Code rules relating to the buying and renting of personal data. The Code says that members must satisfy themselves that data is properly sourced, permissioned and cleaned; they must take responsibility for action taken on their behalf by their suppliers; they must follow all legislation relating to the processing of data and they must act decently, fairly and reasonably.
PDV assured the Commission that changes were now underway to improve its audit process on its suppliers and presented revised processes and checks. The Commission welcomed these changes, and informed PDV that off-shore suppliers should be subject to a robust risk assessment and a high level of scrutiny if PDV and its clients are to be assured that data suppliers are operating to the standards set. The Commission concluded that these changes and assurances were critical to continued DMA membership. It has made this clear to PDV and invited the company to make changes and present these to the DMA. The Commission suggests the DMA review the matter in three months. If the DMA do not see changes during this period that would give an assurance that PDV and suppliers are Code-compliant, the Commission’s advice to the DMA would be to suspend membership until matters are on an acceptable footing.
It is clear that there is a great deal of public concern about the collection of personal data, where it comes from and how it is traded. The Commission appreciated that the issues with managing suppliers and the more specific issues with offshore call centres were not unique to PDV. The Commission will support the DMA in any work needed to reinforce the fundamental message that data companies have responsibility for the data they trade. Data must be properly, sourced, permissioned and cleansed and members will be held responsible the actions of their suppliers and sub-contractors when these duties are passed to others.
Following a review of amendments to PDV’s procedures, the DMA was comfortable that their recommendations had been incorporated and therefore decided to allow PDV to remain in membership.