
Unregistered data controllers -- best strategy?

Wizard of ID


I know the Data Protection Act is legislation with teeth. But what is the maximum penalty for processing people's personal information if you're not registered as a data controller with the Information Commissioner?


I'm asking because I'm surprised how many DCAs are unregistered, and I believe handling personal information when unregistered is a criminal offence.


If you do receive demands from a DCA that turns out to be unregistered (search the register here: Information Commissioners - Data Protection Public Register ), would you:

a) write the DCA a curt note demanding they explain what they're doing handling your personal information?

b) write them a longer note explaining that you know they're committing a criminal offence, and you won't tell anybody if they go away and stop annoying you?

c) follow strategy b) but then report them anyway, just for the pleasure of it (yes, it's bad faith, but do you give a damn?)

d) ignore the DCA and just report them to the Information Commissioner without further ado?

e) wait till the DCA takes you to court and tell the magistrate that he's endorsing criminal activity?

f) call the police, report the crime, get an incident number, call the DCA, tell them you've reported their crime to the police and you've got an incident number to prove it.


The application for registration as a data controller requires details of other trading names, so a DCA using a trading name should still show up. The internet facility isn't infallible, however, and a call to Information Commissioners Office is worthwhile if you intend to report a company.


Separate companies require individual registration with Information Commissioners Office, so for example Triton (which is a dormant company, but which appears to operate as part of RBS), has its own registration.


Even where a company is registered, it's worth checking firstly that their registration is in date (one DCA only has until Tuesday to renew...), and that they are correctly registered.


In terms of enforcement, though, don't hold your breath. I've asked Information Commissioners Office what action they'd take in two circumstances - in the first, a company were processing sensitive medical data, yet were not registered for the purpose; Information Commissioners Office's response - we'll just write and ask them to amend their entry. In the second case, a company who were processing data without consent - Information Commissioners Office's response was that court action should be taken by the complainant, as they wouldn't do anything more than write and ask them to comply. It's not clear what constitutes a breach sufficient to bring Information Commissioners Office's Hammer of Doom down upon a miscreant.


In the second case, a company who were processing data without consent - Information Commissioners Office's response was that court action should be taken by the complainant

Ok. So how does one take court action?

Since it's a crime, can one report the DCA to the police and ask them to investigate? I doubt the DCA would enjoy coppers showing up at their office asking questions.

Or would it mean issuing a summons for a lawsuit? If you did sue, I can't believe the DCA would go to court about it.


You would need to bring an action in the County Court asking the Court to make an order for the DCA to stop whatever they are doing that you think they should not be. I'm not sure the police would take any interest.


As to whether a DCA would go to court, I would never underestimate their stupidity...


  • 2 months later...
In terms of enforcement, though, don't hold your breath.
In a recent class at uni on the DPA, I questioned the lecturer closely about unregistered debt collectors. He told me not only that he was unaware of the Information Commissioner EVER taking action against an unregistered data handler, he'd actually written to the Information Commissioner asking whether they were going to take action over the government's loss of 5 million people's personal details recorded on two CDs that they just put in an envelope and dropped into a letter box.


The Information Commissioner replied that they had no plans to prosecute anybody. My lecturer commented that if they won't take action over a negligence that blatant and public, he didn't think I could expect much from them.


It makes one wonder what exactly the Information Commissioner is for. It's OUR taxes that fund it, but they seem to exist primarily to cover the arses of the dogs that persecute us! :mad:
