Today's announcement indicates that the Commissioner is
increasing his leverage against data controllers, according to one
data protection expert.
The case against Orange Personal Communications Services
followed a complaint about the way in which Orange processed
personal information, in particular the way in which new members of
staff were allowed to share usernames and passwords when accessing
the company's IT system.
Following its investigation, the ICO found that Orange was not
keeping its customers’ personal information secure and therefore
was in breach of the Data Protection Act.
In a separate investigation the ICO ruled that Littlewoods Home
Shopping had failed to process customers’ data in line with
the Data Protection Act. This follows a customer’s attempt to stop
the company using her personal data for direct marketing purposes.
Despite her requests Littlewoods continued to send her marketing
materials.
The ICO has now required each company to sign a formal
undertaking to comply with the Principles of the Data Protection
Act.
In addition to a general promise to comply, Orange's undertaking
states: "The sharing of user names and passwords by Customer
Service Representatives, to access computer systems, shall not be
allowed under any circumstances."
Again, in addition to a general promise, Littlewoods'
undertaking states that the company will ensure that the personal
details of the individual "are suppressed from all company
databases thereby ensuring that she will not receive any future
marketing material from the data controller."
Failure to meet the conditions of the undertaking is likely to
lead to further enforcement action by the ICO and could result in
prosecution by the Office.
Mick Gorrill, Head of Regulatory Action at the ICO, said:
"Organisations that process individuals’ personal information must
do so in compliance with the Data Protection Act. If they do
not, they not only risk further action from the Information
Commissioner but also risk losing the trust of their
customers. Individuals must feel confident that organisations
are safeguarding their personal information."
Last month the Information Commissioner called for stronger
powers to allow his office to carry out inspections and audits to
ensure organisations are complying with the Data Protection
Act. Currently, the Commissioner must gain consent before
inspecting an organisation for compliance.
Dr Chris Pounder of Pinsent Masons, and Editor of Data
Protection and Privacy Practice, said: "This action is evidence
that the Information Commissioner is using undertakings as a way of
increasing his leverage against data controllers. Where an
assessment by him concludes that a data controller has failed in a
key obligation under the Act, then the Commissioner is asking for
an undertaking that 'it won't happen again'. This ensures that if
something were to happen again, the Commissioner can proceed
immediately to enforcement. It is only when there is a further
failure that criminal prosecution will occur."
"In other words, the Information Commissioner is trying to
establish the data protection equivalent of the 'three strikes and
you're out' rule," he said.