WIREDGOV

The ICO will this week write to more than 1,000 companies involved in buying and selling people’s names and numbers, as part of its ongoing crackdown on nuisance calls.

The companies are all believed to play some role in the compiling and trading of lists of names and numbers used by cold callers.

The ICO expects the companies to set out exactly how they comply with the law, including what data they share, how they get people’s consent to share their data, as well as a list of all the companies they’ve worked with in the last six months.

Information Commissioner Christopher Graham said:

“We already know a lot about this sector. We know that it prompts 180,000 complaints a year from consumers, who take the time to report to us the calls they’re getting.

“That information has helped us to make some big breakthroughs in the nuisance calls business, alongside the intelligence we build up from elsewhere, from whistleblowers for instance, or from the network providers.

“We see clear patterns building up and can identify who would benefit from guidance, and who the truly bad actors are. This enables us to execute search warrants, to drag people before the courts, and to issue fines. We’ve got three fines lined up for this week, and that’ll bring us to a total of a million pounds worth of penalties in this area over the past four months alone. It’s clear we’re getting the job done.

“But there’s a danger that where we remove one of this Hydra’s head, two grow back in its place. By targeting the illegitimate aspects of the list broking business that fuels this industry, we have the chance to truly strike down this monster.”

The companies being written to have been identified as they are registered with the ICO (as all data controllers must be under law), and their registration indicates they trade or share personal data, some of which may be used for direct marketing purposes.

Details such as how organisations are ensuring they have the proper consent in place to share personal data will inform the regulator’s data protection compliance and enforcement work.

How lists are screened against the telephone preference service, what suppression lists are operated, and the contract terms used when the information is sold will inform compliance and enforcement work under Privacy and Electronic Communication Regulations.

The information will also help to better inform the ICO’s work in providing guidance and education, both to the list broking sector and the companies who buy from it.

Where companies do not respond to our letter, the ICO will look to take action to require the information to be provided. The ICO has the power to issue Information Notices, which legally oblige an organisation to provide us with information, with the threat of court action if they do not. One such company was prosecuted in October, and the courts fined them £2,500.

The work comes in the week after Christopher Graham reiterated his call for powers to oblige companies in the lead generator and list broker sectors to be audited by his office.

Speaking before the Science and Technology Committee on Tuesday 17 November, Christopher Graham said:

“There would be a question of resources to do this, but I think the lead generator and the list broker sector is also one that it would be very logical for there to be powers to compulsory audit.”

Notes to Editors

1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

2. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.

3. The ICO is on Twitter, Facebook and LinkedIn. Read more in the ICO blog and e-newsletter.Our Press Office page provides more information for journalists.

4. Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:

• Fairly and lawfully processed
• Processed for limited purposes
• Adequate, relevant and not excessive
• Accurate and up to date
• Not kept for longer than is necessary
• Processed in line with your rights
• Secure
• Not transferred to other countries without adequate protection

5. Civil Monetary Penalties (CMPs) are subject to a right of appeal to the (First-tier Tribunal) General Regulatory Chamber against the imposition of the monetary penalty and/or the amount of the penalty specified in the monetary penalty notice.
6. Any monetary penalty is paid into the Treasury’s Consolidated Fund and is not kept by the Information Commissioner’s Office (ICO).