Orange and Littlewoods have been required by the Information Commissioner's Office (ICO) to sign formal undertakings that they will adhere to the Act, following an inquiry into the manner in which personal data was stored and used.
Following complaints submitted to the ICO, Orange stood accused of lacking security with regard to customers' personal data. Amongst other things, staff were allowed to share usernames and passwords when using the computer system that contained the personal data. The ICO found that Orange had breached the Act by failing to keep its customers' personal information secure. The recently signed undertaking states that Orange will ensure that personal data is processed in accordance with the Seventh Data Protection Principle of the Act (1) and in particular that "The sharing of user names and passwords by Customer Service Representatives, to access computer systems, shall not be allowed under any circumstances".
The ICO also received a complaint that Littlewoods was misusing personal data. An investigation found that requests from a customer that her personal data no longer be used for marketing purposes were ignored. The customer continued to receive various forms of advertising after the request was made. Littlewoods was found to be in breach of the Sixth Data Protection Principle of the Act (2), and has undertaken to ensure that personal data is processed in accordance with the Sixth Principle and, in particular, that the personal details of the customer in question are suppressed from all of the company's databases and that Littlewoods reviews the procedures it has in place to ensure compliance with the Act.
Concern has been growing that the proliferation of stored private data brought about through the increased use of internet shopping is not being matched sufficiently by the efforts of the ICO to ensure that the information stays secure. Despite claims that the action taken was in line with its current regulatory strategy, the ICO ruling is unlikely to allay fears that it does not have sufficient scope to bring the necessary action against breaches of the Act. Richard Thomas, the Information Commissioner, recently stood before a Home Affairs Select Committee to request greater powers, including greater independence to carry out audits and searches of companies. At present, companies must give their consent before an inspection can be carried out.
(1) The Seventh Data Protection Principle provides that "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data" (Part 1 of Schedule 1 of the Act)
(2) The Sixth Data Protection Principle provides that "Personal data shall be processed in accordance with the rights of data subjects under this Act" (Part 1 of Schedule 1 of the Act)