This month, the Information Commissioner’s Office (ICO) issued its first enforcement order against a website operator. What prompted the ICO into action?
Topic: Data Privacy
Who: Information Commissioner's Office ("ICO")
When: July 2006
The ICO has, this month, issued its first enforcement order against a website operator.
B4U.com (B4U) offers people and business finder services. This includes a postcode search facility, directory enquiries finder and access to electoral rolls. The ICO had, at the time of the order, received 1600 complaints against the website. A number of these complaints relate to allegations that B4U ignored individuals who requested that their details be removed from the site. Ignoring such requests is a breach of the Data Protection Act (DPA). However, the owner of B4U has insisted that such requests were never ignored.
The majority of the complaints related to the fact that B4U was using the personal data that it had collected from electoral registers that pre-date 2002.
Before 2002, the Electoral Registration Offices (ERO) were under a duty to sell copies of the electoral register to anyone who requested them. This included commercial companies, which were able to legally obtain and use such electoral data for marketing purposes. However, the ICO had always been of the view that non-electoral uses of electoral information should be kept to a minimum. This view was largely based on the fact that individuals are legally required to provide information to the ERO and yet have no control over who has access to the data and the purposes for which the data is used.
In 2002, specific legislation was introduced which led to the creation of two separate electoral registers; a full register, which cannot be bought by companies, and an edited register, which can be. Since that point, when electoral information is collected, individuals have the choice as to whether or not their name is included in the edited register. The proportion of the public who have chosen to exercise this right has increased since that time reaching approximately 30% by the time of the 2005 electoral register.
Why it matters:
The ICO's website contains the following statement "We take breaches of the Data Protection Act very seriously. As this case demonstrates, we will take action against organisations that don't process personal information in line with the requirements of the Act and cause significant concern to individuals. People have an important right under the Data Protection Act to know that their personal information is sufficiently protected."
The ICO has indicated that it will now investigate other companies using pre-2002 electoral register information in a comparable way. Now that the ICO has demonstrated its willingness to enforce the DPA in the context of the World Wide Web, it will be interesting to see the number of enforcement orders that are issued against website operators in the coming months.