“Text pests” and data protection criminal offences

The modern digital economy allows us to order goods (and have them delivered) with a few taps on our phones. But the infrastructure behind locating, packaging and delivering those goods necessitates that a chain of people have access to the specifics of our orders, and, in some cases, our contact details. A consequence of this appears to be an extraordinary prevalence of customers receiving unwanted contact: research commissioned by the Information Commissioner’s Office (ICO) indicates that 29% of 18-34-year-olds have received unwanted contact after giving their personal details to a business.

It is to the ICO’s credit that it is looking at this issue, and calling for evidence of what it correctly calls this “illegal behaviour”. But I found it surprising that the ICO did not explain, in its communications, that if someone obtains a customer’s contact details from a business, and uses them for personal purposes which are different from (and not approved by) the business, they are very likely to be committing the criminal offence of unlawfully obtaining personal data without the consent of the controller, under section 170(1)(a) of the Data Protection Act 2018 (DPA).

The ICO says it will be contacting “some of the major customer-facing employers in the country to emphasise their legal responsibilities as well as to learn more about what safeguards they have in place”.

Which is all fine, but maybe a quicker and more effective action would be to remind those employers in turn to make their staff aware that using customer data for such purposes may well see them ending up with a criminal record.

Under section 197 of the DPA, prosecutions for section 170 offences can only be brought, in England, Wales and Northern Ireland at least, by the ICO itself (or with the permission of the Director of Public Prosecutions or equivalent). One wonders if the sheer number of incidents where customer data is being obtained and misused in this way means that the ICO’s criminal prosecution team simply doesn’t have the capacity to deal with it. If so, maybe Parliament needs to look at giving the CPS a role, or even whether private prosecutions could be allowed.
