The UK Information Commissioner’s Office (ICO) has issued enforcement notices to mobile phone retailer Carphone Warehouse and its retail telecom business TalkTalk for some quite spectacular breaches of the Data Protection Act 1998.
There are 8 data protection principles:
1. Personal data shall be processed fairly and lawfully.
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Now the ICO investigation in this case found that Carphone Warehouse and TalkTalk seemed to have some difficulty with applying HALF of these principles properly when processing customer data. The ICO broke it down thus:
Subject access request – The failure to comply with subject access requests, having clearly received them as cheques were cashed and in certain instances further information was requested when it was not reasonably required.
Accuracy and Fairness – The setting up of accounts using incorrect details such as the name, address and bank details, which in some instances had been obtained from old contract or purchase data, together with the refusal to amend inaccurate records without the permission of the account holder.
Security – The ability of customers to view confidential personal data of other customers when logging on to their online account and in some instances the emailing of such data to other customers.
Accuracy – The holding of inaccurate data and its disclosure to credit reference agencies or debt collection agencies and the failure to amend the data unless instructed to do so by the Commissioner.
According to the ICO “Carphone Warehouse and TalkTalk’s use of inaccurate and incorrect personal data has caused real damage and distress to customers.”
And what has happened to them? The ICO sent out an enforcement notice to them both and told them to sort things out within 35 days, and let the ICO know what they are doing to sort things out, or face prosecution. What can the ICO do? “A data controller who persistently breaches the Act and has been served with an enforcement notice can be prosecuted for failing to comply with a notice. This offense carries a maximum penalty of a £5,000 fine in the magistrates’ court and an unlimited fine in the Crown Court.”
In reality the potential fine the companies would currently face would be quite small, whereas it should be more akin to the £980,000 the Financial Services Authority dished out to the Nationwide Building Society in February last year for failing to have effective systems and controls to manage its information security risks, following the theft of a laptop containing personal information and financial details from a Nationwide employee’s home in 2006. But, then again, I would be prosecuting on the information currently revealed and wouldn’t be giving the companies a month to come up with some undertakings to promise to do better in the future.
- Hazel Says:
January 19th, 2008
OK the fine is derisory but how about a different kind of punishment? I suggest a viral anti-marketing campaign particularly against TalkTalk — don’t sign up with these people they don’t know the meaning of Data Protection. If this had been in place BEFORE I signed up I would not have done it even though my information is not, as far as I’m aware, at risk.
- Andrew Stewart Says:
February 12th, 2009
Have MAJOR problems with Carphone Warehouse. Supplied my bank details on over 50 occasions, they failed to apply them, allowed a debt to occur! Harassing customers is their forte! Breaching a contract is illegal, they think they can operate above the law!!!