ICO letters about the trade of personal data

DMA Member organisations may have received letters from the Information Commissioner (ICO) asking about their processes and activities in processing data. If you have had such a letter, read this blog for some guidance

Many DMA member organisations will have received a letter from the ICO headed “The Data Protection Act 1998” as they have listed on their entry in the data protection register, which is maintained by the ICO, that they trade or share in personal data, some of which may be used for direct marketing purposes.

The ICO has contacted more than 1,000 similar organisations - some will be DMA members - in order to obtain an understanding of how these organisations process personal data, and whether or not such processing is compliant with the Data Protection Act 1998.

The letter is accompanied by a request for information contained in a questionnaire which organisations are asked to return to the ICO within 21 days of the date of the letter.

A number of member organisations have contacted the DMA Legal Advice helpline for assistance in responding to the questionnaire and the DMA has also discussed the letter and questionnaire directly with the ICO. This blog explains what members should do and the ICO’s plans.

1. Members should respond to the ICO letter and complete the questionnaire. The ICO is aware that the letters were sent out by second class post and some may have taken a week to reach recipients. Given the Christmas and New Year holiday period the ICO is prepared to grant a general extension until at least Friday 8 January. The ICO will be prepared to grant longer extensions in specific cases.
2. The ICO is aware that some organisations may have simply ticked the box on the notification form that they are involved in data sharing or trading in personal data when in fact they do not do these activities. If this applies to member organisations who have received the letter from the ICO then they should respond to the ICO, telling them that this is the case and amend their notification entry on the data protection register.
3. The ICO has engaged on a fact finding mission to find out what is going on in the industry. The ICO is aware that some lead generators and list brokers are selling personal data and claiming that it is fully opted-in for third party use and may be TPS screened when in fact it isn’t. Buyers of such data may be paying a premium for it and are then receiving a large number of complaints when they use it.
4. Members should consult the following documents on their responsibilities when buying and selling personal data: DMA Buying and Selling Toolkit; DMA Supplementary guidance to the ICO Direct Marketing Guidance; ICO Direct Marketing Guidance
5. Responses to the questionnaire will enable the ICO to identify those lead generators and list brokers who are creating the biggest problem in the one-to-one marketing industry. Any enforcement action which the ICO takes will follow its normal principles and the ICO will not go after those member organisations who respond to the questionnaire and who are not creating major problems for the industry.
6. Here is some clarification on specific points in the questionnaire

Question 6 refers to list brokers

Question 7 refers to data controllers

Question 10 refers to data pools.

Question 12 is simply asking for confirmation of consent for telemarketing which is unsubscribe/opt-out for live voice calls but subscribe opt-in for automated recorded calls.

DMA members who have any further queries or require specific guidance about responding to the questionnaire should contact the DMA Legal Advice helpline via legaladvice@dma.org.uk