The Information Commissioner’s Office (“ICO”) launches large scale proactive investigation into potential unlawful data trading and sharing.

Following our November briefing on recent ICO enforcement action in respect of unlawful direct marketing, including the ICO’s fine of Pharmacy2U, businesses and organisations should be aware that the ICO is proactively investigating potential Data Protection Act 1998 (“DPA”) breaches in respect of data trading and sharing:

  • The ICO has checked notifications made to it and has identified over 1000 organisations whose entries on the register include trading or sharing personal data and is following up with them. The checks are because the ICO “has become increasingly concerned about the trade of personal data. The ICO is especially concerned that data subjects may be unaware that their data is being sought for commercial purposes, may be unaware of who their data may be passed on to and for what purpose, and for how long their data will be processed”;  
  • Affected organisations are being requested to complete a questionnaire for the ICO before Christmas. The questionnaire seeks to identify affected data but also requires:  
    • full descriptions of consents relied upon;  
    • details of due diligence conducted;  
    • details of Telephone Preference System checking procedures; and  
    • details of suppression processes.  
  • The queries indicate that the ICO is looking at compliance when selling or renting out data and also when buying in or renting data. The investigation is likely to broaden over time, as the questionnaire requires a list of all companies from whom data has been purchased in the last 6 months.  
  • Potentially of even more concern is the fact that checks include provision of details about data sharing with multiple other organisations via a common database, including the names of the other companies involved. This potentially captures many intra-group shared service arrangements and IT platforms, such as for HRIS purposes.

The ICO has already shown that it is willing to use its current fining powers for DPA and PECR breaches, so great care will be needed when submitting requested details. Even those not yet directly affected should review their data trading and sharing arrangements, so that any necessary adjustments can be made to them. Please get in touch with your normal Eversheds privacy and information law team contact if you have any concerns, need more information or would like assistance.