ICO puts 1,000 data brokers on warning

The Information Commissioner's Office (ICO) has written to around 1,000 list brokers in the UK, reminding them of their legal obligations and asking them to explain how they propose to keep their business operating within the law

They suspect the companies chosen of playing a role in the compiling and trading of lists of names and numbers used by rogue callers and others.

The ICO will ask:

• Exactly how they comply with the law, including what data they share,
• How they get people’s consent to share their data,
• A list of all the companies they’ve worked with in the last six months

Information Commissioner Christopher Graham said: "We already know a lot about this sector. We know that it prompts 180,000 complaints a year from consumers, who take the time to report to us the calls they’re getting.

"That information has helped us to make some big breakthroughs in the nuisance calls business, alongside the intelligence we build up from elsewhere, from whistleblowers for instance, or from the network providers.

"We see clear patterns building up and can identify who would benefit from guidance, and who the truly bad actors are. This enables us to execute search warrants, to drag people before the courts, and to issue fines. We’ve got three fines lined up for this week, and that’ll bring us to a total of a million pounds worth of penalties in this area over the past four months alone. It’s clear we’re getting the job done.

"But there’s a danger that where we remove one of this Hydra’s head, two grow back in its place. By targeting the illegitimate aspects of the list broking business that fuels this industry, we have the chance to truly strike down this monster.”

All the companies that will receive letters this week are registered with the ICO, as all data controllers must be under law, and their registration indicates they trade or share personal data, some of which may be used for direct marketing purposes.

How these companies respond to the IOC questions will inform the its data protection compliance and enforcement work. The ICO will be looking at how lists are screened against the Telephone Preference Service (TPS), what suppression lists are operated, and the contract terms used when the information is sold.

Where companies do not respond to the ICO letter, the ICO aims to issue Information Notices, which legally oblige an organisation to provide the information. Companies that fail to respond can face court action - one such company was prosecuted in October, fined £2,500.