UK Data Protection E-news - March 2010



  1. Fines in place for Data Protection Act offences from 6 April
  2. ICO makes a business case for privacy
  3. Custodial sentences postponed
  4. Orange exposes customer email addresses
  5. New rules on collecting children’s data

1. Fines in place for Data Protection Act offences from 6 April

The Data Protection (Monetary Penalties) Order was laid before Parliament on 1 March after being approved by the Secretary of State for Justice. This means that fines of up to a maximum of £500,000 for serious breaches of the Data Protection Act will apply from 6th April as expected. The size of the fine will depend on the type and amount of personal data involved. Fines are applicable for Data Protection Act offences and not for offences against PECR Regulations covering, for example, e-mail marketing.

The ICO will publish a scale of penalties.

See the draft order

2. ICO makes a business case for privacy

A new ICO study gives advice on how to prepare a business case for privacy. The study provides guidance on:

  • The steps involved in a privacy protection scheme to assess the costs and benefits.
  • How to create a business case for implementing a new system or changing an existing system.
  • How to prepare calculation sheets to assess the value of personal information and add figures to a business case.

Launching the study at the Data Protection Officers Conference in Manchester today, the Commissioner, Christopher Graham, said: “No organisation can neglect to protect people’s privacy. Not only is it the law, but there is also a hard-headed business imperative. This report provides organisations with the tools to produce a financial business case for data protection ensuring privacy protection is hardwired into organisational culture and governance.”

More about this topic in the next Privacy Laws & Business United Kingdom Newsletter, to be published mid-April.

3. Custodial sentences postponed

The government is unlikely to introduce custodial sentences for the most severe data protection breaches before the imminent general election. Responding to PL&B’s enquiry on 1 March, the Ministry of Justice said it was considering the responses to the consultation (closed 7 January) and would publish its response in due course. This is disappointing for the ICO, which has been lobbying for such a penalty.

4. Orange exposes customer email addresses

Orange compromised the privacy of 1,107 of its customers when a marketing letter from its customer relations division exposed their e-mail addresses. However, an individual blogging on Ispreview.co.uk wrote: ‘As a recipient of two of these emails from Orange, I've received some 2215 individual email addresses, excluding duplicates.’

The ICO says it received over 100 complaints, all of which have been resolved. “We have looked into the security breach, how it happened and provided the organisation with the appropriate advice and guidance. We are satisfied with the remedial action which Orange has taken,” a spokesperson said.

An Orange spokesperson said: “We recently sent a small number of customers an email requesting feedback on our Online services. We have apologised for the error which meant that a number of customers' email addresses were not hidden from view in the mail. We are reviewing our email policy to ensure that this doesn't happen again. Please be assured that an extensive internal investigation was launched once the error was discovered and we have contacted the Information Commissioner Officer (ICO) to make them aware.”

5. New rules on collecting children’s data

A new Code of Practice, published on 16th March, will prohibit collection of personal data from children under 12 without parental consent. The non-statutory rules, drawn up by the Committee of Advertising Practice (CAP) and the Broadcasting Committee of Advertising Practice (BCAP), will be enforced by the Advertising Standards Authority (ASA) when they come into force in September.

The new Code says that marketers must not knowingly collect from children under 12 their personal information for marketing without the consent of the child’s parent or guardian. It also says that marketers must not knowingly collect personal information about other people from children under 16. This amends the present Code, which does not deal with collection of data from children, although it has some other provisions to protect children under 16.

The new Code is stricter than the Direct Marketing Code of Practice of the Direct Marketing Association, which only requires parental consent for collection of personal data from children under 16. In 2007 the Information Commissioner's Office (ICO) published a Good Practice Note on Collecting Personal Information Using Websites, which referred to Trust UK, an online shopping advice service which has been discontinued, advising that parental consent was required to collect data from children under 12.

Copyright Privacy Laws & Business 2010