The Information Commissioner’s Office (ICO) has launched a large-scale, proactive investigation into potential unlawful data trading and sharing.

Businesses and organisations should be aware that the ICO is proactively investigating potential Data Protection Act 1998 (DPA) breaches in respect of data trading and sharing:

  • The ICO has checked notifications made to it and has identified over 1,000 organisations whose entries on the register include trading or sharing personal data and is following up with them. The checks are because the ICO “has become increasingly concerned about the trade of personal data. The ICO is especially concerned that data subjects may be unaware that their data is being sought for commercial purposes, may be unaware of who their data may be passed on to and for what purpose, and for how long their data will be processed”
  • Affected organisations are being asked to complete a questionnaire for the ICO before Christmas. The questionnaire seeks to identify affected data but also requires:
    •  full descriptions of consents relied upon
    • details of due diligence conducted
    • details of Telephone Preference System checking procedures
    • details of suppression processes
  • The queries indicate that the ICO is looking at compliance when selling or renting out data and also when buying in or renting data. The investigation is likely to broaden over time, as the questionnaire requires a list of all companies from whom data has been purchased in the last six months.
  • Potentially of even more concern is the fact that checks include provision of details about data sharing with multiple other organisations via a common database, including the names of the other companies involved. This potentially captures many intra-group shared service arrangements and IT platforms, such as for HRIS purposes.

The ICO has already shown that it is willing to use its current fining powers for DPA and PECR breaches, so great care will be needed when submitting requested details. Even those not yet directly affected should review their data trading and sharing arrangements, so that any necessary adjustments can be made to them.