The Information Commissioner’s Office is going to play an ever-increasing role in retailers’ lives.


From early April this year, serious breaches of the Data Protection Act (DPA) will begin to warrant a fine of up to £500,000.

At the same time, the Information Commissioner’s Office (ICO) is still pushing for individuals who recklessly misuse personal data to be jailed, and the result of a consultation by the Ministry for Justice into if this will happen awaits.

With limited resources, until now the ICO’s focus has mainly been on public bodies and companies within regulated industries, such as the telecoms sector. But 2010 will be the year that this broadens, and with retailers holding increasing amounts of data on customers they should prepare for the ICO to take more notice of what they are using this personal data for.

The ICO has been campaigning for its new fining powers for many years. And while the organisation says that the fines have been put in place as a deterrent and to promote compliance with the DPA, it is clear that it will use fines as the stick as well as the carrot.

Information Commissioner Christopher Graham has been clear about how his organisation intends to behave. “I remain committed to working with private bodies to help them stick to the rules and comply with the act, but I will not hesitate to use these tough new sanctions for the most serious cases where organisations disregard the law,” he says.

One retailer who already has experience of engaging with the ICO to understand whether his plans for sharing information on alleged shoplifters stayed within the DPA rules is Richard Lawrance, of the Retail Loss Prevention Fashion Forum.

Lawrance, who is also head of audit at Monsoon, explains the ICO was invited to come and speak to the forum’s members six months ago to help them understand what kind of information they can legally share to help prevent the organised crime they all suffer from.

He says: “We wanted to demystify the situation about what was and wasn’t possible.”

He continues: “We were talking about it in terms of travelling bands of criminals,” explaining that the retailers in the forum wanted to be able to share data to identify if it is the same people targeting all their stores. The group found the ICO was open to the idea of them sharing information for this discrete purpose as long as all those involved adhered to the same rules.

Lawrance says that for any retailers wanting to put together a data-sharing programme, it is worth running it by the ICO, as you need to be clear on the information you are sharing and be able to defend why you are sharing it.

He explains: “The ICO was very willing to come and speak - so we would say pick up the phone, as it is a very can-do organisation in terms of working to understand the types of information you can share and how you can do it legally. It was quite an enlightening experience.

“The ICO’s message was don’t be afraid to seek advice… but be prepared to be challenged on how you will use the data.”

The ICO publicises a helpline through its website that retailers can ring if they want help or clarification on the way they are using the personal data they hold on their customers.

Retailer input

As well as seeking advice on specific matters, the ICO also invites the private sector to give feedback in consultations when it launches new codes of practice.

These codes of practice are published in order to give companies a better understanding of how to implement the DPA. One such consultation that is most relevant to retailers - concerning new guidance on protecting privacy online - is taking place at the moment and ends on March 5.

Deloitte privacy expert Simon McDougall says it is worth retailers taking part in this consultation and giving comment on the proposals for the code of practice. The ICO is very open to comments, and he doesn’t believe decisions have already been made on the new code of practice before the consultation is complete.

If retailers don’t speak out now, they will have to live with the code for the next few years at a time when their use of information collected online is likely to develop substantially. McDougall says: “The ICO is short on resource, and hasn’t got the staff to carry on pushing this. Once it comes out it is what we will be working with for the next few years.”

He adds: “The document is a perfectly good document in what it is trying to do. It is focused more on SMEs than it has to be, and it is clear that the ICO is trying to have an impact in that area, but there is scope for larger organisations to have more impact on this.”

Retailers could have a lot of input on the new code, as the ICO hasn’t really focused on the retail industry so far, and doesn’t have the experience internally of handling data in the way large-scale online retail businesses do.

McDougall says: “The underlying principles of data protection are quite straightforward: transparency, security, etc. Those are principles that all organisations should be able to sign up to, and are what their customers would expect.” However, the code of practice could benefit from some industry examples to help illustrate how retailers can ensure they stay the right side of the law.

With the ICO having increased the annual fees that all large organisations that process data have to pay as a notification fee at the end of 2009, it intends to expand its audit and investigation activity this year.

Retailers can choose whether they proactively engage with the ICO or keep their heads down and wait for it to inevitably turn its attention to them.

The eight principles of data protection

Ensure customer data is:

  • Fairly and lawfully processed
  • Processed for limited purposes
  • Adequate, relevant and not excessive
  • Accurate and up to date
  • Not kept for longer than necessary
  • Processed in line with an individual’s rights
  • Not transferred to other countries without adequate protection

Working with the ICO

What retailers have to do:

  • All retailers that process personal information with a turnover of more than £25.9m and 250 or more staff must notify the ICO and pay an annual notification fee of £500. Groups of companies must make a submission for each single legal entity
  • Failure to notify is a criminal offence
  • An entry about each such retailer, including details of the information it processes, is then made public in the Register of Data Controllers

What retailers can do:

  • Speak to the ICO about your plans for processing customers’ personal data. The organisation is open to working in this collaborative way
  • Get involved with the consultations on new codes of practice while they are at the draft stage, and make sure that they represent the realities of how retailers do business

What the ICO can do to retailers:

  • The ICO can issue an Enforcement Notice to a retailer, and require a chief executive to sign a formal undertaking to pledge future security improvements, all of which can be made public
  • From April, the ICO will be able to issue fines of up to £500,000 for serious breaches of the Data Protection Act
  • The ICO is pushing for reckless personal data misuse to be made a criminal offence