The Information Commissioner's Office
(ICO) will investigate the practices of the mobile phone companies
whose call centres were allegedly the source of the information.
The investigation starts immediately.
"It appears that some mobile phone companies' call
centres in India are being targeted by criminals intent on
unlawfully obtaining UK citizens' financial records and this will
be the focus of our investigation," said David Smith, deputy
information commissioner.
"We are concerned by any breaches of security particularly if
they involve confidential banking details," said Smith. "We provide
clear guidance to organisations that outsource overseas to help
them ensure people’s personal information is secure and is
processed in line with data protection principles."
The ICO could prevent some companies sending their data outside
of the UK for processing, forcing them to carry out back office
functions in the UK. "Depending on the outcome of our investigation
we will consider whether we need to use our formal enforcement
powers to prevent incidents like this happening again in the
future," said Smith. "Ultimately this could include ordering a
company to stop processing personal information outside the
UK."
The Dispatches programme showed one man who claimed to be
prepared to sell the credit card details of 200,000 people to the
programme's reporter. Another claimed to be able to sell the mobile
phone details of 8,000 people to the programme. Some of the
information was available for as little as £8 per person.
UK organisations are responsible for the security of their
customer information. If they use an outsourced call centre whether
in the UK or India, the Data Protection Act requires them to ensure
that adequate security is in place in the call centre.
Smith said that companies which outsource their data processing
or any back office functions are entirely responsible for that data
and its security. It is not permissible, he said, for a company to
simply pass blame on to a contractor.
"UK organisations are responsible for the security of their
customer information. If they use an outsourced call centre whether
in the UK or India, the Data Protection Act requires them to ensure
that adequate security is in place in the call centre," he
said.
Employee fraud is increasingly a problem for all companies.
Fraud consultancy BDO Stoy Hayward reported earlier this year that
employee fraud levels had almost tripled between 2003 and 2005 to
almost £1 billion in the UK. Financial services companies were the
hardest hit, said the report.
Smith said that the problem was by no means solely an Indian
one. "This issue – where people sell on personal information
for a price – is not confined to India," he said. "As our
report, What Price Privacy?, shows it happens in the UK and it is a
criminal offence. Where we find evidence of breaches of the Data
Protection Act we do have powers to take formal action and we do
bring prosecutions."
Disclaimer: We hope you find OUT-LAW’s content useful. It’s prepared by the lawyers at Pinsent Masons. Please remember, though, that it’s intended as general information only. It’s not legal advice. If that’s what you’re seeking, please
contact us. See also: our
full disclaimer
