The Information Commissioner’s Office (ICO) has warned businesses and charities that they face fines as high as £500,000 if they misuse personal data, after evidence emerged of charities passing on people’s details over 200 times.
A report in the Daily Mail said that one man who suffers from dementia had his details sold by numerous established charities many times over. Eventually these contact details ended up on lists used by scammers to target vulnerable people, resulting in his being scammed for over £35,000.
The report noted that the charities claimed that they were able to sell the data because the individual in question had not ticked a box when providing his contact details saying he did not want his information passed on.
However, information commissioner Christopher Graham has now written a blog post reminding firms that this is not permissible and that consent to pass on data must be proactively given, not inferred.
“If people say: ‘I never gave you permission to do that’ and you respond: ‘Well, yes you did, actually, because in 1994 you forgot to tick a box,’ that isn’t consent. That doesn’t give you the right to trade in people’s personal information years after the event,” he wrote.
“The Data Protection Act is very clear: the very first principle is that your data should only be processed fairly and lawfully.”
Graham acknowledged that charities as a whole usually act within the spirit of the law, but warned that all organisations, whatever their remit, must abide by the rules regarding electronic data gathering, storage and sharing.
“The rules on data protection and the rules about privacy and electronic communications apply to all who are processing data, whether businesses or charities. Everyone’s got to stick to the law, and if the law’s been broken we will act.”
Graham added that the ICO is investigating the claims made in the Daily Mail report and promised that anyone found guilty of breaking the law will face action.
“We’ve got the power to issue civil monetary penalties where there have been serious breaches of the Data Protection Act – of up to £500,000. If there’s been criminal activity we’ll prosecute in the magistrates' court,” he added.
The risk of fines to businesses could increase dramatically in the coming months and years, as new EU data protection legislation could see fines based on a proportion of turnover, which could be far more damaging to businesses and charities alike.
Infected apps have been downloaded more than 50 million times
Customers of regular price-raising ISP and cable operator claim nationwide outages started on Monday
Pixel 2 smartphones and a Pixel-branded laptop also planned by Google
The moment you've all been waiting for...