While most businesses processing personal data are required by law to notify the Information Commissioner (it's no longer called registration), the fee is only £35 and many small businesses that process personal data for very limited purposes are not required to notify. Businesses usually notify the Information Commissioner direct.
But bogus agencies have targeted businesses throughout the UK, cashing in on a lack of awareness of the proper notification procedure. According to a February 2003 report, the Commissioner's Office received calls from over 60,000 businesses across the UK in an 18-month period who had received notices from the scammers.
Thomas warned last week that these "agencies" were now specifically targeting the IT sector. Typically the letters sent use threatening language and are on official-looking headed notepaper.
Thomas said:
"The golden rule is that if you receive a letter out of the blue demanding more than £35 to register under the DPA this will be a scam. Our simple message to businesses is to throw the letter in the bin and not to pay the fee demanded."
He continued:
"Although I do not have the powers to take action against these agencies myself, I continue to work with the relevant authorities to explore possible legal action. The OFT continues to take action under regulations outlawing misleading advertisements recently obtaining an injunction in the High Court against the Data Processing Corporation Limited."
That company, also known as 'Data Protection Corporation' and 'Data Processing Protection Corporation', was the subject of over 2,000 complaints to the OFT over bogus notification requests.
The OFT is currently investigating 26 other companies in connection with similar complaints.