Scam Warning - CTO DTO (Updates)

Brace yourself - there's going to be some pirate jokes

Updated March 2017  Accountancy practises seem to vary and I'm in the middle of moving my own corporate accounts to a new firm. There's so many accountants that it can be difficult to choose so you really have to define your objectives and ask some searching questions of each practise you review.

After spending a few weeks getting a list of practises I've just about whittled down the list of possible candidates to under five and am also planning a system migration in parallel.

One thing that is immediately obvious is that if a firm is too busy (over allocated with too many books to manage), works on more generic approaches or has very thin borders with tax avoidance schemes you should steer clear. Any firm that actively cold calls in this sector should also set off alarm bells.

I received unsolicited marketing from one such firm in Q4 2015 - at the time called Contractor Tax Optimisation - who claimed to be able to give me an 82% take-home income specifically aimed at "all IT freelancers and contractors".

As you may be able to gather from other posts across my blogs I'm pretty good at ensuring I opt-out of all unsolicited marketing and read terms & conditions very carefully. I'd never heard of them so sent them a subject access request and set about doing some detective work. If there's one thing that annoys me more than anything else it's a company whom I've never heard of trying to sell me something I didn't ask for or want.

In the last 18 months or so I've done quite a lot of investigation work, legal reading, arguing with spammers and trading blows with lawyers; but I've never seen the breadth of complexity in just the organisational make-up alone that I found with CTO.
Click to enlarge - this is just a small slice of the findings
 A subject access request is a formal request which is a right of the individual under section 7 of the Data Protection Act. It is the statutory duty of a company to respond properly to this request and cannot be ignored. At the moment a company can force a charge of £10 but only for a copy of any personal data they hold. They must confirm to you first whether or not they hold your data before they can charge money for it and ICO is looking to abolish this charge completely in the future.

However CTO - or CTO DTO as they are now known, after several company name changes in a month - failed to respond at all. They definitely received the email as their mail server accepted it without error.

Let's wind this back a little: it was a very specifically targeted spam email addressing me by name and containing information for contractors (I'm a director of two firms so will assume this classification matches somehow). I only distribute the email address they've used as part of my dealings with recruitment agencies for contract roles. Ergo there was personal (PII) data at stake - even if it was in the public domain you cannot reuse for unsolicited marketing without prior explicit consent to do so (PECR).

CTO DTO didn't respond to my SARs or follow ups - but they did respond to my Notice Before Action email after the SAR expired; suddenly claiming my SARs had been put into their spam folder. How ironic. Would all their new business requests replying to their unsolicited marketing also be caught in their spam folder? Either way they would be checking it daily so the excuse just doesn't hold water (ahar! nautical!).

I sent a question out on Twitter about them and got a response back within hours - I don't have many followers which amplifies the potential hit rate of CTO spam though. Had anyone else been spammed by them?

Can duly opened

So this is a firm generating leads for the Ascendis companies using data bought / traded from recruiters - in some of whom they have a financial interest - I suspect as soon as my case in the small claims court against them is marked as settled they'll scuttle the LTD and re-badge something else for the purpose. Perhaps Ascendis Contractor Solutions Ltd? Or Ascendis Tax? or All Matters Financial Ltd? All their websites look to have been boiler-plated from pretty much the same template.

As well as settling the claim with admission of liability, Richard Fleming - the director in the middle of most of this - also has to respond to a complaint I've raised with ACCA (concerns about conduct of it's members). ICO are aware of the situation and I would be surprised if this is the first time they've heard of all or parts of this structure - so far they've only questioned how I can prove the SAR was received so I've invested in additional tracking capability.

CTOs director recently replied to my direct complaint (a required pre-cursor to the formal ACCA complaint) with a total lack of remorse and a other worldly interpretation of data protection law.

I'm not sure how that inspires trust in an industry that's supposed to be based on it.

P.S. I lied about the pirate jokes

Updates October 2016 & January 2017

Fleming shuttered CTO DTO not long after settling a handful of claims - it looks like his other companies are intact and I'm still waiting for ICO to respond about his recruitment firm (who clearly passed personal data from their candidate database to Richard's accountancy firms). Richard was ambivalent that he had done nothing wrong so expect him to resurface in the future. People like him have no concept of data protection and privacy law whatsoever.

The recruitment firms within the Ascendis umbrella have read my SARs but are yet to respond over six months later.

ICO took four months to respond about the concern I'd registered then told me that as it had been more than three months since the SAR they were unable to look at it. Despite them taking six months to respond to me (to ask me for documents I'd already provided them). I've asked them to escalate it to a senior case office and re-label it as a complaint.

Round we went again - only to receive the blunt response a month or so later that ICO "...saw no reason to investigate the issue further". In the past I've had case officers try to tell me that ICO don't deal with PECR issues (despite the regulator having an email spam investigation team), and another case officer incorrectly read the DPA itself. Despite Venturi reading and ignoring my SAR, ICO decided they don't want to deal with it. It's no wonder then that individuals are left no option but direct legal action isn't it?

I hope GDPR allows ICO to actually ensure all its case officers are doing their jobs properly in future. I've spoken to a total of three case officers and investigators over the last three years who actually know what they're doing.

Comments

Popular posts from this blog

Scam Warning - SpellJobs.com

[Belated] Naughty List 2016

Scam Alert - Ian Burrows a.k.a. Alex (P) Haynes (Updated)