ICO launches investigation into the sale of personal data - including to fraudsters

'Frequent disregard of laws' may have taken place, warns ICO head of enforcement Steve Eckersley

The Information Commissioner's Office (ICO) has launched an investigation into claims that personal data about medical conditions and pensions is being sold to private businesses - including fraudsters.

The sensitive data has been sold for as little as five pence, according to reports, in what could represent a major breach of the Data Protection Act (DPA), as well as the Privacy and Electronic Communications Regulations.

The launch of the investigation comes after the release of an ICO report that suggested that three-quarters of people are concerned that businesses do not keep their data secure.

ICO head of enforcement Steve Eckersley described the prospect of personal details being sold to fraudsters and cold callers as "very worrying indeed" and that it "suggests a frequent disregard of laws that are in place specifically to protect consumers".

He continued: "The information we've been shown supports the work we've been doing to target the shady industry that operates behind the nuisance of cold calls and spam texts."

He added that the ICO is already "aware of the potential for a huge spike in the number of scam texts and calls linked to pensions when the law changes in April. What we've seen here confirms those fears," Eckersley continued. "The worst case scenario is that this information gets into the wrong hands and is used to target individuals at a critical point in their financial lives."

The ICO has the power to issue fines of up to £500,000 for the most serious breaches of the DPA, while it can also pursue criminal prosecutions against anyone suspected of unlawfully obtaining or accessing personal data.

Allegations surround a company called B2C Data, a "data broker" that is believed to hold a list of the personal information of up to 15,000 people. Consumers are in the dark as to why their details have been sold to the company.

However, a statement issued by B2C Data insisted that the organisation hadn't done anything wrong and welcomed the investigation by the ICO. "B2C Data Limited is registered with the Information Commissioner's Office and is a member of the Direct Marketing Association. It operates an entirely legitimate and legally compliant data business," the company said.

"Importantly, it does not receive or process information other than in respect of those customers of its members who have opted in. Equally, it does not sell highly sensitive details of salaries, investments and pensions," it added.

This week, the ICO fined the Serious Fraud Office £180,000 for sending evidence to a witness.