Privacy Advisor

Global Privacy Dispatches- UK- ICO Enforcement Spree

April 1, 2008

By Eduardo Ustaran

Information Commissioner continues enforcement spree

The Information Commissioner's Office (ICO) is not showing any signs of relaxation as far as its reinvigorated enforcement policy is concerned. In recent weeks, the ICO has successfully prosecuted a Manchester debt-recovery firm and two London lawyers for various offences under data protection law. Following thousands of complaints from individuals and businesses to the ICO, ADC Organisation Ltd. plead guilty to six charges under the Privacy and Electronic Communications Regulations and must pay a total of £2,500 in fines and costs. In addition, Olubi Adejobi of Grier Olubi Solicitors and Robert Bentley of Bentley's Solicitors, both based in London, were each fined £300 and ordered to pay costs of £500 for failing to notify, as data controllers, despite repeated reminders from the ICO.

The ICO has also found Skipton Financial Services (SFS) in breach of the Data Protection Act. This follows the theft of an unencrypted laptop which contained the personal information of 14,000 SFS customers. The laptop contained names, dates of birth, national insurance numbers, and investment amounts, and was stolen from an SFS contractor. It is the ICO's view that SFS should have had appropriate encryption measures in place to keep the data secure.

Names of conference delegates are not personal data
The UK Information Tribunal has ruled that, taking into account the two factors of "biographical significance" and "focus on the individual" identified in Durant v. Financial Services Authority, the disclosure of the names of those attending an event would not involve the release of personal data. The same applied to the disclosure of the organisations they represented, provided that the two could not be correlated.

The Tribunal also had some difficulty reconciling the approach in the Information Commissioner's 2007 guidance note on determining personal data under the Data Protection Act 1998 and the Durant case, commenting that the guidance had broadened the definition again.

Eduardo Ustaran is the Head of the Privacy and Information Law Group at Field Fisher Waterhouse LLP, based in London. He is a member of the IAPP Education Advisory Board, co-chair of KnowledgeNet London, editor of Data Protection Law & Policy and co-author of E-Privacy and Online Data Protection. He may be reached at eduardo.ustaran@ffw.com