Mobile phone company Orange recently admitted to breaching the Data Protection Act 1998 (the DPA) by failing to keep customers’ personal details secure. An employee blew the whistle on Orange by revealing that new employees were permitted to share log-in details (usernames and passwords) to access the company’s IT system. Little detail has been disclosed; however, some reports suggest that callers’ bank details and addresses may have been accessed, although Orange has not found any evidence that customer details were disclosed.

The DPA requires data processors to take technical and organisational measures in order to keep personal data (such as customer details) secure and prevent unauthorised use of personal data. This requirement has become increasingly important as the threat of identity theft and unlawful trading of personal data has materialised - so-called ‘blaggers’ often pretend to be someone else in order to gain snippets of personal data, which can then be sold on for profit.

Orange has given an official undertaking that personal data will be processed in accordance with the security provisions outlined in the DPA and that password sharing will not be allowed under any circumstances. The undertaking from Orange is the latest in a series of undertakings received by the Information Commissioner from big businesses. Only last month phone company Phones4U gave an undertaking to process data securely after personal data (which revealed customers’ names, addresses, and bank account details) was found in rubbish bins outside several Phones4U premises.

Home shopping company Littlewoods also submitted an undertaking to the Information Commissioner after it continued to market its services to a customer even after she objected to receiving such material. Littlewoods undertook not only to comply with the relevant provision of the DPA but also to suppress the individual’s details from all of its databases. Such undertakings may not be legally binding, but the publicity they attract makes them a powerful deterrent for companies tempted to ignore data protection laws, and customers are growing increasingly concerned that their data is not going to be handled securely.

The undertakings are also a clear admission of a breach of the DPA and would provide the Commissioner with clear grounds to administer an enforcement notice to the offending company. Enforcement notices dictate what the offending company must do in order to comply with the DPA and, if the notice is not complied with, a criminal offence will have been committed. Undertakings can also be used as a guide to other organisations in regard to what they should be doing to comply with data protection laws.

Nonetheless, the current procedure for enforcement remains rather toothless and the Information Commissioner has called for more extensive powers to enforce compliance with the DPA, including the power to carry out spot checks on public and private organisations without the data controller’s consent and the introduction of privacy impact assessments to check compliance. Following a consultation in 2005, the Criminal Justice and Immigration Bill was published this week and, if it is passed in its present form, it will extend the penalties for obtaining, disclosing, or procuring the disclosure of personal data without the consent of the data controller, to include imprisonment for up to two years, a fine, or both.

Interestingly, Orange employees were issued with unique log-in details and had signed a non-disclosure agreement as part of Orange’s email and internet usage policy. The recent undertaking from Orange demonstrates the need for procedures for compliance with the DPA not only to be in place, but also to be followed in practice. With a growing amount of personal data being held on customers, compliance with the DPA is an increasingly useful tool in ensuring customer confidence.

© MacRoberts 2007