ICO issues first website enforcement order
Search site breaches data protection laws
The operator of a website designed to allow searches for people's contact details has been issued with an enforcement order by the Information Commissioner's Office (ICO). It is the first time the ICO has issued an order over a website.
The ICO says that B4U, a Birmingham company which performs searches for information on individuals at b4usearch.com, is in breach of the Data Protection Act (DPA). B4U says it has not received any notification of an order.
The ICO says B4U has breached the Act by using electoral roll data from before 2002. After 2002, people filling in an electoral roll form could choose to be excluded from the public register. The ICO also says the company ignored requests from individuals for their details to be removed, which is in contravention of the Act.
"We will take action against organisations that don't process personal information in line with the requirements of the Act and cause significant concern to individuals," said Mick Gorrill, head of regulatory action at the ICO. "People have an important right under the Data Protection Act to know that their personal information is sufficiently protected."
The ICO said that it had received 1,600 complaints about the site, many saying that B4U did not remove their personal details when requested.
B4U owner Raj Banga said no notice has been received, and the company has never refused anyone a request for data removal. "We don't refuse anyone removal from the site, that has never happened," said Banga. He said that at one point requests for removal were so numerous that they were taking up to three weeks to process, but that none was refused.
"People who complained to the ICO about b4usearch.com included a police officer whose family's names and addresses, along with a map to their house, appeared on the website and an individual who had previously been a victim of identity fraud," an ICO statement said. "Both were concerned about the availability of their personal information and the fact that their requests to b4usearch.com asking for their details to be removed had been ignored."
The B4U website says that written requests for removal will take five days to process and details a premium rate fax line which costs £1.50 per minute which can be used for more immediate removals.
"Some people were looking for much faster removals so we brought in the premium rate fax line. We had to do that because I had to employ more people to process them and the company can only sustain that loss for so long," he said.
Banga said any rulings the company does receive will be adhered to. "We have been co-operative with the ICO and we are not in a position to argue with them," he said. "We are not the type of company to do that. If something is illegal, then we can't do it."
The ICO's statement said because of B4U's breaches of the DPA, "damage or distress to individuals was likely to have been caused by information being processed in this way". A spokesman confirmed that this could open the way to a civil case against B4U for damages, but that no such case had yet been brought.
"I can't comment on whether there will be a case, but all this information has been readily available for years, this is information you can find in your local library," said Banga.
Copyright © 2006, OUT-LAW.com
OUT-LAW.COM is part of international law firm Pinsent Masons.
Sponsored: Customer Identity and Access Management