Protecting your personal information: data protection and privacy and electronic communications
The Data Protection Act and the Privacy and Electronic Communications Regulations were put in place with the aim of protecting the privacy of our personal information. This aim has solid foundations. It stems directly from the right to respect for private life enshrined in the European Convention on Human Rights. But its roots go even deeper – they are in the need we all have, to varying degrees, for a private space which we control and which is free from unwarranted intrusion.
The collection of biometrics and other personal information as a weapon in the fight against terrorism and serious crime, the increased sharing of our personal information to improve public services, and ever more inventive forms of electronic marketing, are all examples of ways in which this private space is under challenge. Legitimate aims are, for the most part, being pursued but protecting the privacy of our personal information in a measured and responsible way has never been of more importance.
The existence of a law is not, on its own, enough to achieve this. The law must be applied in practice. Effective risk-based enforcement is important but we have to go further. Delivering protection of personal information is dependent on public confidence in the law and in us. This is why we work hard to explain and apply the law in a way that is simple, sensible, easily understood and consistent with good business practice. Educating and advising individuals and businesses about their rights and responsibilities is one of our key roles. We encourage individuals to make direct use of their own legal rights and we support them in this with our complaints handling service.
Generating public confidence in the law, and a public that is confident in using its rights, is at the heart of how we approach our data protection work. We need to be influential and imaginative. This is why we also work hard to persuade those whose role impacts on data protection, whether as law makers, policy makers or business leaders, that a reduction in data protection risk is a meaningful and valid objective in its own right. It is also why we place great emphasis on our regional offices, enabling us to become increasingly influential with the devolved administrations and with our regional stakeholders.
Our Corporate Plan translates this approach into specific data protection aims. We have delivered and continue to deliver against those aims.
Resolving complaints
Through 2006/07 we provided an efficient casework and public advice service that:
- dealt with more than 23,000 written data protection enquiries and complaints from individuals and organisations throughout the UK;
- answered more than 115,000 telephone enquiries, of which more than 80% were about data protection;
- resolved complaints in high profile, high volume cases such as subject access requests to banks and web-based look-up services.
Running an efficient and helpful Notification service
During 2006/07 we increased the numbers on the register of data controllers to over 287,000 and achieved a significant increase in renewals from automatic chase-up letters.
On 18 August 2006 a Yorkshire businessman was found guilty at Bingley Magistrates Court for failing to notify as a data controller. Despite requests from the ICO, he didn’t notify and was subsequently prosecuted. He was fined £300 and was ordered to pay costs of £500.
Getting tough
We are committed to using legal and other regulatory sanctions against those organisations who refuse to accept their obligations. We have adopted an approach that we believe to be firm but fair.
Case Study
Making a difference - how we’ve helped
Mr X disputed Criminal Records Bureau (CRB) records that showed him having a conviction for driving with excess alcohol, even though he had proved in court that another man was using his driving licence, which he had lost. Mr X claimed that this had cost him jobs.
The CRB said that the police force concerned maintained that the record was accurate. Mr X then complained to the ICO.
He supplied official documents proving that he did not have such a conviction, and the CRB sent him a copy of its record with the inaccurate information removed.
Those of us concerned about the rise in data collection by the state can hardly be dismissive of the Information Commissioner’s determination to root out the illegal gathering and sale of personal information.
The Independent on Sunday, Sunday 17 December 2006
What price privacy?
It has become increasingly clear that there is a thriving and lucrative market for personal information which has been illegally obtained. The Investigations Unit of the ICO looks into complaints about the unlawful obtaining of personal data. Section 55 of the Data Protection Act 1998 makes it an offence to unlawfully obtain, disclose or procure the disclosure of personal information knowingly or recklessly without the consent of the organisation holding the data.
One of the ICO’s largest investigations was Operation Motorman, which began in November 2002. It uncovered an organised and large scale trade in personal information involving private investigators and corrupt officials who had access to personal information held by the DVLA and the police.
Businesses and government organisations were warned by the Information Commissioner yesterday that they will be pursued if they use private detective agencies to acquire financial and other personal information about individuals illegally.
Financial Times, Thursday 14 December 2006
In May 2006, the Information Commissioner, using special powers under the Act, presented the report ‘What price privacy?’ to Parliament. The report called for the government to introduce a custodial sentence for individuals convicted under the Data Protection Act for unlawful obtaining, buying and selling of personal information.
The Commissioner also made proposals to organisations representing the media and the finance industry, as well as the Security Industry Authority and the Association of British Investigators. Progress with these was catalogued in a second report presented in December 2006, ‘What price privacy now?’
In January 2007 the Department for Constitutional Affairs (DCA) announced the government’s intention to introduce legislation bringing in a custodial sentence for individuals convicted of illegally buying or selling personal information.
Since the publication of ‘What price privacy?’ the Investigations Unit has concluded a number of cases where individuals have been prosecuted for unlawfully obtaining personal information:
- In July 2006 a private investigator was found guilty and fined £1,750 with £600 costs at Salisbury Magistrates Court for unlawfully obtaining personal data. The private investigator had been making telephone calls to British Telecom purporting to be a BT employee and attempted to obtain personal data of BT customers.
- In November 2006 a married couple pleaded guilty to 25 offences of unlawfully obtaining personal data following an ICO investigation. The couple asked the court to take into consideration a further 65 offences. They had obtained personal information from a number of organisations by ‘blagging’ the information. They also had purported to be employees of various organisations to enable them to unlawfully obtain the personal information. They were fined a total of £7,500 and ordered to pay £3,694 costs.
- In December 2006, a private investigator was sentenced to community service at Kingston upon Thames Magistrates Court after pleading guilty to the unlawful obtaining of personal data. He impersonated individuals to obtain information such as bank account details and ex-directory telephone numbers which he later sold to interested parties.
Case study
Making a difference - how we’ve helped
Mrs W asked a cosmetic surgery clinic for a copy of her treatment notes and any other documents held about her. Despite many requests she did not receive a response. The Act requires data controllers to respond promptly – definitely within a maximum 40 days of receiving the request.
After our intervention Mrs W got the information she had requested and the clinic agreed to review and update its procedures.
Protecting personal information on electoral registers
In July 2006, the ICO issued an enforcement notice against B4U Business Media Limited, operators of the B4usearch website. The notice ordered the company to stop using personal information from electoral registers published before 2002. This action resulted from many hundreds of complaints made to the ICO.
Before 2002, people had no choice over whether their personal details from the electoral register were sold on to other organisations. After that date individuals could opt out of the public register. The ICO received complaints from people who had subsequently opted out of the public register but whose details were freely available on the website.
B4U allowed people to search pre-2002 electoral registers to obtain the names and addresses of some individuals who had subsequently chosen not to be included on the public register. As a result of the ICO’s intervention, information from pre-2002 electoral registers was removed from B4U’s website.
The importance of responding to information requests made under the Data Protection Act was highlighted last month after Liverpool City Council became the first organisation to be prosecuted for failing to comply with an information notice from the Information Commissioner’s Office.
IT Week, Monday 8 January 2007
Protecting the right to see information held about you
A former employee of Liverpool City Council asked the council to see some personal information they held about her. Liverpool City Council provided some information but not all so the former employee complained to the ICO.
The ICO started an investigation. Liverpool City Council failed to respond to written requests for information. As a result the ICO issued an information notice requiring the council to provide us with specified information. Again no response was received so the ICO brought a prosecution against the council.
Liverpool City Council pleaded guilty at Liverpool City Magistrate’s Court on 14 December 2006. When sentencing, the District Judge said the Council had shown an “appalling breakdown of communication” and “a clear lack of compliance with the Data Protection Act 1998”. The Council was fined £300 and agreed to allow the ICO to audit its data protection processes.
Only last month, high street banks were criticised by data protection watchdog, the Information Commissioner, for dumping documents containing customers’ personal details in rubbish bags left on the street.
Mail on Sunday, Sunday 5 November 2006
Protecting bank details
Following an ICO investigation into complaints concerning the disposal of customer information, 11 banks and other financial institutions were found to be in breach of the Data Protection Act.
As a result formal undertakings were signed by Alliance & Leicester, Barclays Bank, Clydesdale Bank, Co-operative Bank, HBOS, HFC Bank, Nationwide Building Society, Natwest, Royal Bank of Scotland, Scarborough Building Society, The Post Office and United National Bank. They were found to have discarded personal information in waste bins outside their premises. The Immigration Advisory Service was also found to have disposed of personal information in similar circumstances.
The privacy watchdog has rapped five companies for making unwanted cold calls to householders. The ICO described the practice as ‘unacceptable’.
PA Newswire, Wednesday 6 December 2006
Stopping spam and junk mail
Individuals and organisations who do not want to receive marketing calls can register with the Telephone Preference Service – the TPS. The Privacy and Electronic Communications Regulations ban unsolicited marketing calls to people who have registered with the TPS.
The TPS and the ICO receive many complaints from individuals who have received unsolicited marketing telephone calls even though they have indicated that they do not wish to receive them.
On 5 December 2006, we issued enforcement notices against five companies who had been making unsolicited marketing calls to individuals without their consent, or to individuals who were registered with the Telephone Preference Service. The notices ordered the companies to stop telephoning individuals who had objected.
Case study
Making a difference - how we’ve helped
An insurance company was sending magazines to its customers that contained direct marketing. This led to a number of complaints from customers who had previously opted out of receiving such marketing. In response the insurance company argued the magazine contained ‘service messages’ and not marketing. The matter was then referred to our remedies unit.
Case officers from the remedies unit reviewed the magazines and found the material clearly fell under the Act’s definition of direct marketing. Following discussions the company agreed to stop sending the magazine to any new customers who had opted out of marketing.
Data protection health checks
During the year we conducted eight data protection audits to assess the processing of personal data. The organisations involved, all public authorities, co-operated fully in the exercise and recognised the mutual benefits.
Public authorities were today warned that they face prosecution if they wrongly deny people access to personal information held about them… the Information Commissioner’s Office has said it would back any individual who is struggling to obtain data from either public or private sector organisations.
PA News Wire, Tuesday 9 January 2007
Our audit team, in conjunction with other EU data protection authorities, also undertook a survey of medical health insurance companies with the objective of taking a pan-European view of compliance across a single sector.
The audit programme provides us with a chance to examine, at first hand, policies and working practices and an understanding of how compliance is approached on a day to day basis. Whilst at the most simplistic level the audits raise awareness of data protection in the participating organisations, they also afford the opportunity to highlight non-compliance and make recommendations on how data protection responsibilities might better be managed.
Audit is seen as an increasingly important function of ours. In consequence we are not only looking to expand the audit unit and number of audits conducted but also to increase our powers in this area.
Appeals to the Information Tribunal
The Information Tribunal, to whom complainants and public authorities can appeal if they are unhappy with our decision, continues to make rulings which provide useful commentary and interpretation.
Tribunal Ruling May 2006 – The Information Tribunal delivered a ruling which affects the way political parties canvass support. In dismissing an appeal by the Scottish National Party the Tribunal upheld the view of the Information Commissioner that the Privacy and Electronic Communications Regulations 2003 apply to political parties making appeals for funds or support.
Influencing to protect personal information
The Identity Cards Act has now passed into law. Electronic health records are on the horizon. The development of databases of children’s personal information, biometric passports and the National Identity Register has stimulated substantial public debate. Transformational government is high on the public policy agenda. The protection of personal information remains a key concern for individuals as the implications of a surveillance society become more widely understood.
Mr Thomas is to be commended for ringing the alarm bells. While conceding that much official snooping is well-intentioned and can bring benefits, he warns that unseen, uncontrolled or excessive surveillance can foster a climate of suspicion and undermine trust.
Daily Telegraph, Thursday 2 November 2006
We have worked closely with government and others to ensure that respect for personal privacy remains a key part of policy delivery. If society is to gain the benefits of more effective use of personal information, the public’s trust, participation and understanding must be maintained. Data protection compliance ensures that this is the case. It ensures that society’s use of personal information develops in a fair and transparent way, one that respects the people the information is about.
Waking up to a surveillance society
In November we hosted the 28th International Conference of Data Protection and Privacy Commissioners in London. In a departure from previous tradition the conference focused on a single issue, the Surveillance Society. We commissioned a well-received research report on the nature of the surveillance society. This provoked much interest in the media and amongst parliamentarians. We have now developed a surveillance society action plan. This will help us to co-ordinate our efforts in relation to surveillance society issues over the forthcoming year. It will also help us to develop a consistent and concerted approach to dealing with the challenging issues that we face. The international conference provided an opportunity for Commissioners to agree on approaches and initiatives at an international level. What has become known as the ‘London Initiative’ was adopted. This signals a commitment by data protection authorities to focus on pragmatic effectiveness and improved communication.
Case study
Making a difference - how we’ve helped
Mr R complained that, because of an inaccurate record on the Police National Computer, details of an historic conviction had not been deleted at the appropriate time. Mr R and his family were planning to emigrate and this error potentially impacted on his emigration application. The case was further complicated because of the introduction of new rules governing conviction details under which the convictions would be retained for policing purposes.
Following intervention by the ICO and the acknowledgement of the specific circumstances of this case the conviction details were removed.
Sharing personal information
Over the last year the transformation of government services through the use of technology has been high on the public policy agenda. A key component of this is the sharing of personal information. We have provided our views to Misc. 31, a Cabinet Committee on data sharing. Its aim is to develop the government’s strategy on data sharing across the public sector. In particular, Misc. 31 seeks to identify barriers to sensible information sharing. We continue to receive enquiries from public bodies and members of the public about the application of data protection law in the context of information sharing.
We have met representatives of several government departments to ensure that their initiatives are carried out in a way that respects personal privacy. We have responded to consultation exercises about issues such as serious and organised crime and an index for sharing information about children.
The sharing of personal information can benefit individuals and society, for example by making services simpler to access, or by protecting the public purse more rigorously. Our approach has enabled organisations to obtain the benefits of sharing personal information whilst protecting the people the information is about. Data protection law helps organisations to strike this balance correctly. Our primary concern is to safeguard the privacy and integrity of personal information. We recognise, though, that an overly restrictive application of data protection law can lead to organisations failing to make sensible use of the information they hold. Increasingly, respect for personal privacy is being seen as an essential component of effective information sharing, not as a barrier to it.
Case study
Making a difference - how we’ve helped
Ms X contacted us after she discovered that her bank statements, cheque book and debit card had been posted by her bank to her ex-husband’s address.
The bank had changed the contact details on his current account and in doing so altered details of all other accounts that he had, including a joint one with Ms X.
After hearing from us the bank developed a new change of address form, which asks customers whether the changes should apply to all their accounts.
ID Cards and the National Identity Register
We have been working to ensure that the practical arrangements for establishing the National Identity published its National Identity Scheme Strategic Action Plan. The new plan involves biographical data gleaned from the Department for Work and Pensions National Insurance database and biometric data held by the Home Office and the Identity and Passport Service. These new arrangements pose some challenges in terms of the quality of these existing information resources, and in ensuring that the safeguards set down in the Identity Cards Act remain effective.
Safeguarding children’s information
Safeguarding our children from harm and ensuring they receive proper care and support are matters of considerable public policy interest. The efforts of government and others to achieve these important objectives involve the recording of more and more information about children. This opens up the possibility of the information being shared more widely. We commissioned research into the growth of such databases, the information flows that take place and the practical use of the information. This has helped us to identify a number of areas worthy of further exploration, such as the use of information to identify children perceived as being at risk of growing up to be criminals, and arrangements for obtaining consent from children for the use of their information. This research has informed our wider work on surveillance society issues. It has helped us develop a Children Database Action Plan. This will help us to ensure that those involved in the compilation and use of information about children are fully aware of, and comply with, their data protection obligations.
Connecting for Health
Plans for the creation of a national health care record system for England have provoked debate involving health professionals and patients. They have also engaged the concerns of parliamentarians. We were pleased to provide evidence to the House of Commons Health Committee as part of its scrutiny of these new developments. Connecting for Health’s intention is to create an electronic summary care record of patients’ basic medical details. This will be available to those treating a patient wherever in England the treatment takes place. This has led to concerns about the quality of the information to be loaded onto the new records, and who will have access to them. We have worked closely with Connecting for Health to insist that such concerns are fully addressed. Connecting for Health are aware of the need to take patient privacy seriously. An example of this is the development of the ‘sealed envelope’. This allows patients to restrict access to certain parts of their health record. Another example is the provision of an opportunity for patients to opt out.
We are continuing to work with Connecting for Health on the practical arrangements for establishing a national health care record. We want to ensure that appropriate mechanisms are in place for helping patients to exercise the choices they have, for giving them online access to their records through Health Space and for ensuring that security arrangements are effective. We will be working closely with Connecting for Health on their ‘early adopter’ sites to ensure that a comprehensive system of data protection safeguards is in place before the system is rolled out nationally.
Protecting information across international borders
We continue to play our role as the national supervisory authority, and as part of the joint supervisory authorities, for Europol, Customs Information System and Eurojust. We were pleased that David Smith, Deputy Commissioner, was elected for a two year term as Chair of the Europol Joint Supervisory Body. We also co-operate with our European colleagues on the supervision of Eurodac, a database of asylum seekers’ fingerprints. We attend the Schengen Information System Joint Supervisory Authority as observers.
Participation in these supervisory bodies helps us to ensure that there are proper safeguards in place. However, the experience gained here, and in our other European Union co-operative activities, also helps us to provide evidence as part of parliamentary scrutiny of the proposed Data Protection Framework Decision, the United States/Europe Passenger Name Records agreement and the Treaty of Prum. The Treaty provides for greater criminal justice co-operation, including the sharing of DNA profiles.
We continue to work closely with our international colleagues, particularly at European level through our membership of the Article 29 Working Party. The Working Party has continued its efforts to bring about a harmonised approach to implementation of the European Union Data Protection Directive at national level.
Society for Worldwide Interbank Telecommunication
In June 2006 we, along with several data protection authorities in the EU and worldwide, received a complaint about alleged covert disclosure of information relating to European Union nationals by the Society for Worldwide Interbank Telecommunication (SWIFT). SWIFT is an international financial messaging service which connects institutions engaged in international financial transfers. The messages include information such as names and account numbers. The messaging process involves a transfer of information to the United States. According to the complainant, the United States Treasury had issued a number of administrative subpoenas to access this information as part of investigations into terrorist activity. The possibility that United States authorities had been given access to information about UK citizens generated a great deal of media coverage.
It is reassuring to learn that Richard Thomas, the Information Commissioner, is fighting on the side of the angels against the ‘surveillance society’.
Sunday Times, Sunday 29 October 2006
To investigate the complaint, we have maintained close contact with other data protection authorities. In November 2006, the Article 29 Working Party issued an opinion saying that the transfer of information to the US authorities had been undertaken in a manner contrary to fundamental data protection principles. It called for steps to be taken to ensure that even when investigating matters as serious as terrorism, the fundamental rights of citizens were respected. We continue to work with our European colleagues, as well as with SWIFT, to achieve this aim. We have asked United Kingdom financial institutions to consider what steps are needed to make sure they comply with data protection legislation.
Information, advice and guidance
We have been particularly active this year in producing advice and guidance for individuals and organisations. A pragmatic regulatory approach has focused on individuals’ real concerns and has given organisations the clear, simple guidance they need to comply with data protection law.
It’s your information
This year we introduced a new type of guidance for the public, called ‘It’s your information’. This guidance gives individuals straightforward, practical advice, particularly about exercising their legal rights.
The topics we have covered so far are:
- Stopping unwanted marketing
- Gaining access to police information
- Claiming compensation
- The use of radio frequency identification tags

Good practice notes
We have continued to publish practical and easy to understand good practice notes. They explain to organisations what they need to do to comply with the law. We have issued guidance on the following:
- Handling requests for access to personal information.
- Outsourcing data processing activities for small and medium sized businesses. This includes advice on using a company that is based abroad.
- Releasing information to prevent or detect crime.
- Automatic renewals of policies or membership using a credit or debit card.
- Advice for tied agents and independent financial advisers.
- Using the Corporate Telephone Preference Service.
- The use of violent warning markers.
- Monitoring under section 75 of the Northern Ireland Act.
- Disclosures of personal information under the Taxes Management Act.
Technical and legal guidance
Sometimes organisations want a more detailed explanation of the requirements of the law. Our technical guidance meets this need. Although technical in nature, it uses clear, plain English. This year technical guidance has been produced on:
- Privacy enhancing technologies.
- Access to pupils’ information held by schools in England, Wales and Northern Ireland.
- Disclosures to members of Parliament carrying out constituency casework.
- Subject access and third party information.
- Radio frequency identification tags.
- Guidance for marketers on the Privacy and Electronic Communications (EC Directive) Regulations 2003.
- Guidance for subscribers on the Privacy and Electronic Communications (EC Directive) Regulations 2003.
- Guidance on Part 2 of the Privacy and Electronic Communications (EC Directive) Regulations 2003.
- The use of personal information held for collecting and administering council tax.
- Legal guidance on international transfers of personal information.