ICO Enforcement Action against Carphone Warehouse and TalkTalk

January 22, 2008

Carphone Warehouse and sister company TalkTalk have been found in breach of the Data Protection Act 1998. The Information Commissioner made the ruling after investigating complaints concerning the way in which both organisations processed and stored personal information.

The ICO has now issued Carphone Warehouse and TalkTalk with an enforcement notice. The two companies must improve their data protection practices or face prosecution, as breach of an enforcement notice is a criminal offence under the Act. Both companies were found by the ICO to be in breach of the basic principles of the Act. In particular, the companies had opened customer accounts in the wrong name and passed inaccurate information to credit reference and debt collection agencies. Furthermore, security failings led to customers being able to view other customers’ account details online. In addition, the companies had not responded to subject access requests in the appropriate manner.

The points raised in the enforcement notice were that both companies:

• had failed to comply with subject access requests
• had unfairly and unlawfully processed data
• had failed to take appropriate technical and organisational measures to ensure that there was no unauthorised or unlawful processing
• had processed inaccurate and/or out-of-date data.

The companies must now put in place measures to ensure that each of these points is addressed and must be able to demonstrate to the ICO that such measures are in place within 35 days of the date of the notice.

These cases show that the ICO can take action, but that its action is slow and cumbersome and does not act as a real deterrent that would make companies and organisations look after data properly. The ICO is pressing for powers to launch prosecutions immediately in cases that involve reckless breaches of the Act. In addition, the ICO has no power to levy on-the-spot fines in the way that the FSA has been able to do in the case of Norwich Union’s breach of the Act or Nationwide Building Society’s loss of a laptop containing customer data.

The ICO said that the breaches of the Act had caused real damage and distress to customers. As more and more companies move to paperless billing and online services, it is crucial that they ensure that the security of their customers’ data is maintained. In view of the recent high-profile security breaches, which seem to be reported virtually daily, all companies, but particularly companies trading online, need to review their security arrangements as well as the way they train their staff in data protection matters. Many companies (and government departments) seem to have a fairly cavalier approach to data security. They need to get their act together or they may lose custom. Customers may make purchasing decisions at least partly based on their confidence in a service provider’s ability to keep their personal details safe and secure, especially where sensitive data such as banking details are concerned.

It is crucial that organisations acknowledge not only that they have a legal duty to maintain the integrity of personal information, but also that data protection is good practice for their organisation and in their own interests, not just another piece of expensive red tape.

Helen Hart is a senior associate at Stevens & Bolton LLP and previously worked in-house at Centrica plc and Palm Europe, having trained at Allen & Overy in London and Frankfurt. She can be contacted on helenmhart@gmail.com