Rogue firms exploit confusion over data

Unscrupulous companies are taking advantage of confusion over data
protection legislation to make businesses unnecessarily pay out hundreds of
pounds.

Personnel Today first uncovered the practice 12 months ago, but readers are
still receiving documents that warn they could face fines up to £5,000 if they
do not register data processing information with the Information Commissioner
through ‘data enforcement companies’.

These agencies often charge more than £100 for the service. However,
notification can be done directly through the online facility of the
Information Commissioner’s Office (ICO) for £35.

The Data Protection Act 1998 requires every organisation which is processing
personal data to notify the ICO, unless the organisation is exempt (see below).
This is so that individuals can consult the register to find out what
processing of personal data is being carried out by a particular data
controller.

Last week’s online poll by Personnel Today showed the extent of confusion
among business over data protection, with 81 per cent of respondents saying the
ICO’s guidance on data protection laws was inadequate.

Judy Hamblen, managing director of Age Positive Recruitment Ltd, was sent an
‘urgent notice’ from a company, which she said played heavily on legal jargon
and ominous warnings about criminal offences.

The agency asked for a £135 fee and advised ‘to avoid further action please
return your forms immediately’.

"They laid it on thick and the forms were probing and convincing,"
she said. "It would be very easy to fall into this trap if you are not
aware of this scam."

Paul Hillier, HR officer at construction firm Smiths Bletchington, received
a notice from a similar firm, telling him that he was in breach of the Data
Protection Act and asking for a fee of £95 to register the company.

He said the [people that ran the] company were "leeches" trading
off the concerns of people confused by their duties under the act.

Graeme Mills from the Office of Fair Trading said the agencies tried to give
the impression of being official government bodies to create a ‘fear factor’,
but any concerns about notification should be addressed directly to the ICO.

Information commissioner, Richard Thomas, said companies should beware of
individuals posing as "collectors on behalf of data protection".

We were unable to contact any of the agencies in question.

By Michael illar

For an exclusive interview with the Information Commissioner visit: www.personneltoday.com/goto/22006

For legal advice see:

www.personneltoday.com/goto/22102
www.personneltoday.com/goto/22122

OFT injunction

The Office of Fair Trading (OFT) has won an injunction against
Data Protection Agency Registrations (Manchester), which restrains the owner
from running ‘misleading advertising for data protection notification
services’. The OFT considers that such adverts are misleading because they give
the impression they are from an official body, that the businesses receiving
them are under a legal obligation to register with the sender and that
notification costs more than usual. They also fail to properly explain which
persons are exempt from notification under the Data Protection Act 1998.

For a list of agencies which the
Information Commissioner has received complaints about go to www.informationcommissioner.gov.uk

Exemptions at a glance

Who/what is exempt from data processing notification under the
Data Protection Act 1998?

– Some not-for-profit organisations

– Processing of data for personal, family or household affairs

– Data controllers who only process personal data for the
maintenance of a public register

– Data controllers who only process personal data for any one
or all of the following purposes for their own business
– staff administration
– advertising, marketing and public relations
– accounts and records

Feedback from the profession
‘Register of workplace relationships’ a cause for concern

At Lancaster City Council it may soon
be alright to sleep with the boss – as long as you tell everyone about it.

A leaked document allegedly reveals that the local authority
has plans to create a ‘register of workplace relationships’ in which staff
would have to declare any relationship with their peers that goes beyond the
strictly professional.

The scheme aims to provide complete transparency in the
council’s business and ensure personal relationships do not get in the way of
work.

Unison union official, Richard Loader, said the move harked
back to the master and servant relationships of old and was unnecessary and
intrusive when the council already had a perfectly good code of conduct.

"I just can’t find a motive or smoking gun for this,"
he said. "It asks for mind-numbing and excruciating details. If a man asks
a woman to the cinema it seems absurd they have to fill out a form."

The council told Personnel Today that it would not comment on a
leaked document.

Jo Fellows – HR adviser, Employers
Organisation for Local Government

"It will be contravening elements of the Human Rights Act,
there could also be data protection issues. Then there is the practical
question of how you keep it up to date. They need to look at what it will
achieve and then look at the alternatives."

Gill Hibberd – assistant director
of personnel, Hertfordshire County Council

"In any workplace there are sensitive issues, but you have
to be sensible and mature and treat people like adults. We would expect staff
to let us know if there are professional conflicts. If you respect their trust
and their privacy, employees will respect the need to tell employers if there
is a problem."

Michael Ball – Employment partner,
Halliwell Landau

"It is OK to have a statement of principle about workplace
relationships to avoid accusations of favouritism and gossip. But a public body
would probably fall foul of human rights legislation if it compelled staff [to
sign a register]. Also, what do you do if there is a breach? It’s good to have
something available, but an employer would not have the right to enforce it."

Comments are closed.