Privacy Advisor

UK—Company and Its Director Prosecuted for Failing To Register Data Processing Activities

October 22, 2013

By Brian Davidson, CIPP/E

A London-based loans company and its director have been prosecuted by the Information Commissioner’s Office (ICO) after failing to register that the organisation was processing personal data.

Subject to some specific exemptions, the UK Data Protection Act (DPA) requires organisations to register their data processing activities with the ICO. Most organisations will pay an annual notification fee of £35 and provide an overview of their data processing activities, which shall be available to the public via an online register on the ICO website. A failure to register or indeed keep an existing entry up-to-date is a criminal offence and can lead to a fine of up to £5,000 in a Magistrates Court or an unlimited fine in a Crown Court.

Hamed Shabani, the director of First Financial, was convicted under section 61 of the DPA—which concerns the liability of directors and related “company officers” of corporate bodies—at City of London Magistrate Court. He has been fined £150 and has been ordered to pay £1,010.66 towards prosecution costs and a £20 victims’ surcharge. The company was also convicted under Section 17 of the DPA—which prohibits data processing activities without registration—and has been fined £500 and has also been ordered to pay £1,010.66 towards prosecution costs and a £50 victims’ surcharge.

Before the hearing, Shabani had attempted to remove his name from the company’s registration entry at Companies House in order to avoid prosecution.

Brian Davidson, CIPP/E, is a privacy and information law advisor at Field Fisher Waterhouse, LLP.