The order was requested by credit card issuers and is the result of three years of negotiation between the industry and the Home Office according to a spokeswoman for issuers' organisation APACS, the UK payments association.
"We asked for this because at the moment if someone uses a card to purchase illegal pornography there is no way under data protection legislation for the Police to pass that information on to card issuers," said an APACS spokeswoman. "We already have the power to take a card from someone but if they committed one of these offences we wouldn't know about it."
The order relates specifically to offences relating to child pornography and allows the authorities to inform a credit card issuer of the identity of someone who has used one of its cards to commit a child pornography offence.
The purpose of the order, as outlined in its explanatory note, is to change the legislation so that information about a criminal conviction or caution may be processed for the purpose of administering an account relating to the payment card (or for cancelling the payment card) used in the commission of one of the listed offences relating to indecent images of children and for which the data subject has been convicted or cautioned under the relevant legislation in England and Wales, Scotland or Northern Ireland".
Data protection expert Dr Chris Pounder of Pinsent Masons, the law firm behind OUT-LAW.COM, said that the draft order was tightly enough drawn not to raise privacy concerns.
"Although the order will legitimise the processing of these sensitive personal data that does not exclude application of the other principles," said Pounder. "For example, the sensitive personal data have to be retained for no longer than is necessary and have to be relevant to the purpose. Additionally, these personal data might be subject to an enhanced security regime."
In a separate case, data protection rights were strengthened in Europe with the ruling of the European Ombudsman that a German local government violated the EU Data Protection Directive.
When the State of Hamburg handed personal information to third parties for use in direct marketing, one resident complained to the European Commission. The Commission said that while Hamburg could not use the information for its own direct marketing, it could send it to third parties.
The resident took the case to the European Ombudsman, who said that the Commission's ruling had been too narrow. In order to avoid further action, the Ombudsman recommended that the Commission review its interpretation of the directive. The Commission has agreed to do so.
Footnote: Dr Chris Pounder was a consultant with Pinsent Masons until September 2008. He now runs a new training business, Amberhawk.