What has happened?

Building on JP’s blog post of this morning, the ICO has written to 1,000 companies who are involved in the buying and selling of personal data and asked them to explain in detail how they comply with the law.

The letters (codenamed Operation HIDA) are part of a wider effort by the ICO to crackdown on the nuisance calls industry and inappropriate data sharing practices. This particular action represents an attempt to go after the organisations which may be supplying the nuisance call operators with the data they use to run their campaigns.  The recipients of the letters are all companies who have indicated on the Data Protection Register, which is maintained by the ICO, that they are in the business of trading or sharing personal data.  Responses to the letter, which are required within 21 days, must address a 15 point questionnaire, which asks for information such as the following:

  • a description of the consents relied on to buy, sell, share or rent personal data;
  • a list of the companies from which personal data has been purchased or rented in the last 6 months; and
  • confirmation of whether the organisation screens individuals against the Telephone Preference Service (“TPS“) list.

In addition, each organisation is also required to send the ICO a sample copy of a contract which it uses to buy, sell or rent personal data.One issue which the ICO is particularly concerned about involves organisations making calls to subscribers on the TPS list, and relying on the data they have purchased from third parties having sufficient consent to allow the call to be made. However, when the ICO has investigated these consents, it has often found them to be insufficient to override the TPS registration.

What steps should targeted organisations take?

As well as preparing a detailed response to the letter, if you represent a targeted organisation you may wish to take some of the following practical steps to strengthen your compliance in the eyes of the ICO:

  1. maintain an accurate internal suppression list of those individuals who have expressed a desire not to be contacted (and not simply delete individuals’ details as they may ask you to do);
  2. ensure the notice you give to customers when data is collected, in the form of a privacy policy, the terms and conditions of sale or elsewhere, clearly covers the trading or sharing of data with third parties for marketing purposes if this is what you wish to do;
  3. where third parties want to carry out electronic direct marketing (email, text, fax and automated calling) with data purchased from you, your customers must give explicit opt-in consent to marketing by those third parties (see the recent Optical Express decision);
  4. put in place strong contracts with any companies which buy, rent or share personal data from or with you, to ensure both parties understand how the data should be used and who will be liable for what if things go wrong and how queries/complaints from individuals will be resolved;
  5. have a retention policy in place to guide the business on how long it should retain and use someone’s personal details for – details may change, and relying on a dated consent can be risky – but tracking technologies allow you to see when people open emails and whether they click through to websites for example, supporting continued retention.


Companies which have received an Operation HIDA letter might be tempted to view it as a time-consuming compliance hurdle. However, it can also be seen as a useful opportunity to review the way in which personal data is traded and passed on to third parties by the business, which should lead to positive outcomes in terms of increased understanding, tighter controls of data flows, and better use of customer consents.  Ultimately, addressing these issues will lead to increased trust from, and better relations with, members of the public, many of whom find unwanted marketing to be a major irritant.