Authorities fail to protect unwary businesses from data protection scandal

IT directors have been left to fend for themselves against companies demanding excessive fees for registration under the Data Protection Act. Tony Collins reports

Company director Paul Heavens was more than a little concerned when he received a "final notice" warning him that he was committing a criminal offence by not registering his business under the Data Protection Act 1998.

In nearly every respect it had the appearance of an official letter and it would have been easy to be taken in. On either side of the heading "Data Protection Agency" were emblems of the scales of justice; underneath were the words, "Notification Under the Data Protection Act".

The letter said that his business had failed to submit a notification to the information commissioner in accordance with the Data Protection Act 1998.

"Failure to register is a criminal offence; on conviction an offender is liable to a maximum fine not exceeding level five on the criminal justice scale. At present this level is no greater than £5,000," the letter said.

Heavens was one of many directors of small and medium-sized businesses who received the same or a similar letter asking them to complete a detailed data registration form and return it with a cheque for £95.

An IT director or manager who is too busy to want to worry about another official form could be tempted to pay the £95 even if they did not need to register their business under the Act or it was already registered. Many will probably have thought that paying the money would be quicker and easier than trying to correct an official mistake.

Heavens, who helps to run a car business in Bristol, was one of the lucky ones. He was not prepared to part with £95 without checking whether his business needed to register.

When he rang a number on the form several times and could not get an answer he realised he had nearly fallen prey to the sort of clever money-making exercise that is regularly exposed by consumer watchdogs.

He believes his family garage business is exempt from notification requirements and has taken no notice of the form.

One might suppose that government authorities or the police could act to save countless businesses from being ensnared in the future. But the authorities appear to be powerless.

Warnings about the letters have been issued by trading standards officers, and on the Web site of the information commissioner, Elizabeth France, who is responsible for data protection.

The information commissioner's Web site, in naming companies that include Data Protection Agency Services, says that France is "concerned about the volume of telephone calls and correspondence received by her office in relation to the activities" of the named businesses.

France said, "I advise data controllers to ignore any approach made by these businesses, which appear to be charging up to £95 plus VAT for notification. Other than paying the annual statutory notification fee of £35, on which no VAT is payable, there is no charge made by this office to any data controller wishing to notify."

The Office of Fair Trading (OFT), a government agency, has gone further. Earlier this year it issued High Court injunctions to stop some of the letters - and it announced in press releases that it had put a stop to the misleading claims.

John Vickers, director general of the OFT, said, "It is good for business that the misleading mailings have been stopped. We will continue to crack down on advertisers who make false and misleading claims."

An OFT spokesman said the notices were misleading because they gave the impression that they were from an official body and businesses were under a legal duty to register immediately, at a cost of between £85 and £117.

The forms also "failed properly to explain which persons were exempt from notification," the spokesman said.

But Computer Weekly has learned that the OFT's injunctions impeded the activities of only named companies and individuals - and since then companies with different addresses have begun issuing new threatening letters to businesses.

Despite the High Court injunctions, John Lamb, a former editor of Computer Weekly, received a letter recently from a company calling itself Data Protection Agency Services, based in Blackpool. Lamb said that police should investigate. But a local police spokesman said no referral of the matter had been made by the OFT.

Meanwhile trading standards officers say that the companies behind the latest forms are expanding their operations. "It appears that the practices are being franchised," said one trading standards officer.

It seems that those issuing the leaflets cannot be stopped because they operate on the indistinct borders of civil and criminal law, and are also exploiting ambiguities about who should take any legal proceedings to stop them: the police or the OFT.

So far, the OFT has been in charge of enforcement. But the legal process is slow and cumbersome compared to the nimbleness of those who issue the forms. As one trading standards officer said, "Civil actions are not very effective. A criminal action means the people can be stopped once and for all."

Police said they can investigate if they receive a complaint from the OFT or it hands over documents. But OFT spokespeople appeared reluctant to part with the department's papers and gave Computer Weekly no assurances that they would refer the matter to the police.

Meanwhile all that the various authorities can do is issue more warnings.

Those who almost fell victim

  • Peter Blakey, who runs a post office, received a letter from the "Data Protection Registration Agency". It was a "final notice" demanding that he fill out a form and send it with £95 to register under the Data Protection Act 1998. Blakey said, "It was addressed to the proprietor and was asking for £95, which struck me as a bit odd so I contacted the trading standards department and they told me not to pay it. If I had been a bit less wary, I would have sent off the money."

  • David Mason, of Mason & Stokes Funeral Directors in Cheltenham, also received a demand for money. Mason said, "We had an official-looking letter saying our business had not submitted notification to the information commissioner in accordance with the Data Protection Act 1998. I rang SAIF [the National Society of Allied and Independent Funeral Directors], and they said it was a scam."

  • When London-based optometrist Monte Karbaron received the letter he contacted the information commissioner to check its validity, as he is already registered. He was told that notices had been sent out to all opticians, whether or not they had already registered. "Apparently, dentists and other professionals have already been targeted," he said.

The culprits
The Office of the Information Commissioner and the Office of Fair Trading have named companies that are giving them cause for concern. They include:

  • Data Protection Act Registration Service
  • Data Protection Agency Services Limited
  • Data Protection Agency Services
  • Data Protection Registration Agency
  • Data Collection Enforcement Agency
  • Data Registration Agency
  • Data Protection Act Registration Agency
