The order was requested by credit card issuers and is the result
of three years of negotiation between the industry and the Home
Office according to a spokeswoman for issuers' organisation APACS,
the UK payments association.
"We asked for this because at the moment if someone uses a card
to purchase illegal pornography there is no way under data
protection legislation for the Police to pass that information on
to card issuers," said an APACS spokeswoman. "We already have the
power to take a card from someone but if they committed one of
these offences we wouldn't know about it."
The order relates specifically to offences relating to child
pornography and allows the authorities to inform a credit card
issuer of the identity of someone who has used one of its cards to
commit a child pornography offence.
The purpose of the order, as outlined in its explanatory note,
is to change the legislation so that information about a criminal
conviction or caution may be processed for the purpose of
administering an account relating to the payment card (or for
cancelling the payment card) used in the commission of one of the
listed offences relating to indecent images of children and for
which the data subject has been convicted or cautioned under the
relevant legislation in England and Wales, Scotland or Northern
Ireland".
Data protection expert Dr Chris Pounder of Pinsent Masons, the
law firm behind OUT-LAW.COM, said that the draft order was tightly
enough drawn not to raise privacy concerns.
"Although the order will legitimise the processing of these
sensitive personal data that does not exclude application of the
other principles," said Pounder. "For example, the sensitive
personal data have to be retained for no longer than is necessary
and have to be relevant to the purpose. Additionally, these
personal data might be subject to an enhanced security regime."
In a separate case, data protection rights were strengthened in
Europe with the ruling of the European Ombudsman that a German
local government violated the EU Data Protection Directive.
When the State of Hamburg handed personal information to third
parties for use in direct marketing, one resident complained to the
European Commission. The Commission said that while Hamburg could
not use the information for its own direct marketing, it could send
it to third parties.
The resident took the case to the European Ombudsman, who said
that the Commission's ruling had been too narrow. In order to avoid
further action, the Ombudsman recommended that the Commission
review its interpretation of the directive. The Commission has
agreed to do so.
