PL&B UK E-news, Issue 43

1. Bogus agency fined £1,000 for offences under the DPA 1998

An agency trading as “The Data Protection Act Registration Service” was fined £1,000 by Macclesfield Magistrates in late March for offences under the Data Protection Act 1998. Highpoint Accounting and Consultancy Services Ltd. was fined £400 for failing to notify as a data controller with the Information Commissioner’s Office (ICO). The company secretary and the company director were also prosecuted for the same offence and fined £300 each as well as costs of almost £600.

Philip Taylor, solicitor at the ICO, said: “For some time the Information Commissioner has been aware of third parties or ‘bogus agencies’ posing as a legitimate service to make money out the Data Protection Act. In fact it costs just £35 to notify directly with the ICO, and some agencies charge more than four times this amount.”

2. Information Commissioner publishes guidance on buying and selling databases

The Information Commissioner’s Office published, on April 6th new guidance to help businesses comply with the Data Protection Act 1998 when buying and selling customer databases. The advice is part of a series of good practice notes aimed at making data protection simpler.

Dave Evans, Senior Guidance and Promotion Manager, said: “This good practice note will help businesses understand what they need to do to ensure that personal information on databases is sufficiently protected.”

The Data Protection Act does not prevent a database with details of customers being sold, when a company is insolvent, being sold, or closing down - provided certain requirements are met. The good practice note clarifies these requirements

3. Information Commissioner publishes guidance on outsourcing

Following requests for clarification on outsourcing by companies and individuals concerned about their privacy, the Information Commissioner’s Office has issued guidance on how to comply with data protection rules when outsourcing the processing of personal information. The guidance stresses that when an organisation outsources the processing of personal information, it retains liability for the security and accuracy of personal data. Deputy Commissioner David Smith said: “Companies considering outsourcing must ensure that they choose companies that can be relied upon to take proper care of the personal information they are entrusted with. Further, they should put in place mechanisms so that when the personal information has been outsourced, they can check that it is being properly looked after.

4. Information Commissioner publishes guidance on privacy enhancing technologies

The Information Commissioner’s Office has recently published guidance which aims to bring to a wider audience the use of privacy enhancing technologies (PETs). The ICO considers that the term PET includes any technology which is designed to protect or enhance the privacy of an individual. Deputy Commissioner David Smith sums up the importance of such technologies as follows: “Privacy enhancing technologies can help protect individuals’ privacy as well as give individuals greater powers and control over information held about them. But the technologies can be a winning strategy for the businesses which install them. They help reduced the risks of privacy breaches and the significant costs associated with them at the same time as building trust among customers and clients."

5. Scottish Executive issues identity numbers to pupils

The Scottish Executive has issued a unique pupil identifier to all publicly funded secondary schools in Scotland. The Scottish Candidate Number (SCN) is designed to allow pupil records to be shared between schools and local authorities. The unique identity number is hoped to improve data sharing and help to monitor a child’s progress. Deputy Education Minister, Robert Brown, said: “Child protection is of the utmost importance, so it’s extremely important that key pupil information can be shared quickly and effectively between authorities."


6. Gibraltar’s Government announces dates for implementation of new data protection law

On April 6 the Gibraltar Press Office announced a staged implementation of the 2004 Data Protection Ordinance. Seminars for businesses, government departments and the public, promoting awareness of the new data protection law, were held earlier this year. From April 13 2006, personal data contained in criminal intelligence and for customs co-operation may be transferred to other European countries under the terms of the Schengen Convention. Other aspects of the Ordinance 2004 will come into operation on June 1, although personal data contained in manual records will not be affected until September 1 2006 when the Ordinance comes into full effect.

By Kevin Broadfoot. A longer report will be published in the May edition of the UK PL&B newsletter.

For further details on the Privacy Laws & Business UK Newsletter, please click here.

Copyright Privacy Laws & Business 2006