The ICO has legal powers to ensure that organisations comply with the requirements of the Data Protection Act. It is important to note that these powers are focused on ensuring that organisations meet the obligations of the Act.
18 December 2008
The Information Commissioner's Office has found Leonard Cheshire Disability in breach of the Data Protection Act. This follows their failure to adequately respond to a subject access request made by one of their service users. The ICO has issued Leonard Cheshire Disability with an Enforcement Notice which requires them to comply with the subject access request. Leonard Cheshire Disability have now complied with this Enforcement Notice.
View PDF of the Leonard Cheshire Disability enforcement notice
26 November 2008
The Information Commissioner’s Office has required NHS Tayside and NHS Lanarkshire to sign formal undertakings after finding the organisations in breach of the Data Protection Act. The ICO was alerted to data breaches earlier this year when members of the public found confidential health records in buildings on the site of the former hospitals.
View PDF of the NHS Tayside undertaking
View PDF of the NHS Lanarkshire undertaking
30 September 2008
A formal undertaking has been signed by Virgin Media Limited, agreeing to comply with the seventh data protection principle. This follows the loss of an unencrypted compact disc containing the personal data of more than 3000 Virgin Media customers.
View PDF of the Virgin Media undertaking
25 September 2008
The Information Commissioners Office is today serving an Enforcement Notice against the Department of Communities and Local Government for contravening the Data Protection Act 1998 in relation to their response to a subject access request received by them.
View PDF of the Department of Communities and Local Government enforcement notice
15 July 2008
The The Information Commissioner’s Office (ICO) is today serving enforcement notices against HM Revenue and Customs and the Ministry of Defence following recent high profile data breaches.
View PDF of the HMRC enforcement notice
View PDF of the MoD enforcement notice
14 July 2008
The Commissioner has cancelled the Enforcement Notice dated 23 January 2008 served on Marks and Spencer PLC following receipt of a letter dated 8 July 2008 confirming that they have now completed the process of laptop hard drive encryption required by the Enforcement Notice.
View PDF of letter from Marks and Spencer PLC dated 8 July 2008 and Cancellation Notice dated 14 July 2008
10 April 2008
A formal undertaking has been signed by the Royal British Legion Club in Shirley, West Midlands, agreeing to comply with the seventh data protection principle, in accordance with their procedures.
View PDF of the Royal British Legion Club undertaking
22 February 2008
The ICO investigation into complaints against Loans.co.uk has completed. Appropriate regulatory action has been taken and an ex-employee of the company has been formally cautioned for a criminal offence of unlawful disclosure of personal data contrary to section 55 of the Data Protection Act 1998.
21 February 2008
The Information Commissioner's Office has found Skipton Financial Services in breach of the Data Protection Act. This follows the theft of an unencrypted laptop which contained the personal information of 14,000 SFS customers.
View PDF of the Skipton Financial Services undertaking
25 January 2008
The Information Commissioner's Office has found Marks & Spencer PLC in breach of the Data Protection Act. This follows the theft of an unencrypted laptop which contained the personal information of 26,000 M&S employees. The ICO has now issued Marks & Spencer with an Enforcement Notice which orders the company to ensure that all laptop hard drives are fully encrypted by April
2008.
View PDF of the Marks & Spencer enforcement notice
16 January 2008
The ICO has found Carphone Warehouse, and its sister company TalkTalk, in breach of the Data Protection Act after investigating complaints concerning the way in which both organisations processed and stored personal information.
View PDF of the Carphone Warehouse enforcement notice
View PDF of the TalkTalk Telecom enforcement notice
20 December 2007
Following the issuing of Enforcement Notices against four police forces, the Information Commissioner has now issued an Enforcement Notices against a fifth police force requiring it to delete old conviction data.
View PDF of the Greater Manchester Police enforcement notice
11 December 2007
The ICO has required the Department of Health to sign a formal undertaking to comply with the principles of the Data Protection Act.
View PDF of the Department of Health undertaking
13 November
The ICO has required the FCO to sign a formal undertaking to comply with the principles of the Data Protection Act.
View PDF of the Foreign and Commonwealth Office undertaking
1 November 2007
After investigating complaints from four individuals, the ICO has issued Enforcement Notices to Humberside, Northumbria, Staffordshire and West Midlands Police. The Information Commissioner’s Office (ICO) has ordered the police forces to delete old criminal convictions from the Police National Computer (PNC).
View PDF of the Humberside Police enforcement notice
View PDF of the Northumbria Police enforcement notice
View PDF of the Staffordshire Police enforcement notice
View PDF of the West Midlands Police enforcement notice
9 July 2007
The Northern Ireland Office has signed an undertaking in relation to their response to future Subject Access requests received by them.
View PDF of Northern Ireland Office undertaking
23 May 2007
Following an investigation into the alleged sharing of user names and passwords by Customer Service Representatives at one of the company’s call centres, the Information Commissioner's Office has required Orange Personal Communications Services Ltd to sign a formal undertaking to comply with the principles of the Data Protection Act.
View PDF of Orange undertaking
21 May 2007
A customer of Littlewoods Shop Direct Home Shopping Ltd had complained to the ICO regarding receipt of unsolicited mailings. The company had, on two previous occasions, given an assurance that the customer’s details had been removed from their customer lists yet despite this (the complainant) still received unwanted mail from them. The company have signed an undertaking agreeing to suppress the customer’s details from all company databases and to review procedures to ensure customer rights under Section 11 of the Data Protection Act 1998 are upheld.
View PDF of Littlewoods undertaking
17 May 2007
Since April 2005, the ICO have received six separate complaints regarding the inappropriate disposal of confidential personal data at different branches of Phones4U. Following an investigation into the latest incidents in Coventry and Swindon, the company agreed to sign an undertaking to ensure their future compliance with the Seventh Data Protection Principle.
View PDF of Phones4U undertaking
23 April 2007
The ICO recently received a complaint that personal data had been recovered from unsecured waste bins outside the premises of Cash Generators in Bridge Street, Nuneaton.
Items removed included paperwork showing the names and addresses and other information linked to purchases made at the premises.
Following an investigation into the matter, the Director of the company agreed to sign an undertaking to ensure the company's future compliance with the Data Protection Act.
View PDF of Dipesh Ltd (trading as Cash Generator) undertaking
13 March 2007
Following an investigation into the disposal of customer's information the Information Commissioner's Office has required the following companies to each sign a formal undertaking to comply with the principles of the Data Protection Act.
Failure to meet the conditions of the undertaking is likely to lead further enforcement action by the ICO and could result in prosecution by the Office.
Further information can be found by reading the press release.