ICO - Who are they?

Onthebrightside

Someone in our company received an email last year from the Information Commissioners Office (ICO) to be on a Data Protection Register. It seems you don't have to do anything to achieve this but pays ye money (forty quid this year) and get on their register. They have an online questionnaire which seems somewhat loaded in their favour. I did a bit of digging and they seem vaguely connected to a government department (but are not part of the government).

Online people seem to suggest that you only need to sign up to the ICO if you are dealing with credit cards/personal information of members of the public (which we are not) or holding pay details (i.e. bank accounts) for members of staff (which we are not). It seems to suggest that if we are only keeping our accounts and business information online we don't need to sign up to it. On the flip side I don't want to incur a fine if we should be signed up to it. They never answer their phone and 3 emails in 4 months hasn't produced a response.

Can anyone assist by shedding some light on what the ICO is and if we (as really a one man band as everyone else is self employed) need to sign up to it?

Thanks in advance for any assistance anyone can give.
 

fisicx


Onthebrightside

That is the process that I followed when they contacted a business I am a director of. We did not need to register.
That was the process someone followed last year and signed us up - needlessly I feel because they misunderstood what they were being asked. This year they have simply sent us an email asking us to pay up or be fined with a link to a payment process. So I don't think that link is going to help me.
 

Scalloway

I had dealings with them for another business I had but is now closed down. As I need to hold confidential information for a few years before I can destroy it I got in touch with them to change the contact details etc and they were very helpful.

Did you include all your details when you contacted them in the past, such as their references?
 

Onthebrightside

I had dealings with them for another business I had but is now closed down. As I need to hold confidential information for a few years before I can destroy it I got in touch with them to change the contact details etc and they were very helpful.

Did you include all your details when you contacted them in the past, such as their references?
Absolutely, their reference, our address my company email, the company phone, my mobile phone, the lot, but they haven't replied to any of the emails and don't answer their phone. Perhaps it's a covid thing and they are short staffed and I'll just have to wait.

Are they actually anything to do with the government - I am assuming if they contact all new businesses they are alerted by the company registration site?
 

Scalloway

From Wikipedia

The Information Commissioner's Office (ICO) is a non-departmental public body which reports directly to the Parliament of the United Kingdom and is sponsored by the Department for Digital, Culture, Media and Sport (DCMS). It is the independent regulatory office (national data protection authority) dealing with the Data Protection Act 2018 and the General Data Protection Regulation, the Privacy and Electronic Communications (EC Directive) Regulations 2003 across the UK; and the Freedom of Information Act 2000 and the Environmental Information Regulations 2004 in England, Wales and Northern Ireland and, to a limited extent, in Scotland.
 

Newchodge

    Absolutely, their reference, our address my company email, the company phone, my mobile phone, the lot, but they haven't replied to any of the emails and don't answer their phone. Perhaps it's a covid thing and they are short staffed and I'll just have to wait.

    Are they actually anything to do with the government - I am assuming if they contact all new businesses they are alerted by the company registration site?
    Information Commissioners Office. Google it.
     

    BustersDogs

    When I started my business I phoned them up to ask if I needed to register, as I hold personal details. I didn't need to, as I only hold their data to provide services. And dogs don't have personal data. :D If you can't get through you will have to keep trying, or write a letter!

    They're really useful for reporting businesses who won't take no for an answer though. Have done it for a couple of pet type directories, and I reported TV licencing to them when they kept bombarding me with emails after I told them I no longer needed a licence.
     

    fisicx

    @Onthebrightside - it’s a little worrying that nobody in the organisation knows about the ICO and your responsibilities for data protection. Who is your Data Controller? Have the data processors been trained? How are you keeping personal data safe? The ICO exists to help you with all this. If you don’t have the necessary policies in place paying your annual fee is the least of your worries.
     

    Frank the Insurance guy

    Can anyone assist by shedding some light on what the ICO is and if we (as really a one man band as everyone else is self employed) need to sign up to it?

    Do you hold personal information on all the self employed? If so this is personal data (whether it's in a physical file or on the computer).

    Do you make payments to the self employed? If so, you must have their account details?

    These may mean that you have to register. For the sake of £40 I would just register!
     

    WaveJumper

    I would suggest another visit to their website and take a real good look at the responsibilities regarding data control before you land yourself in hot water. It only takes one little issue and if you have not got all your ducks in a row, i.e. written procedures etc., they will make things rather unpleasant.

    And on @BustersDogs idea I think I must report the TV licensing people as well they are also bombarding me with emails, plus they must have also now spent the equivalent licence fee costs in slow mail.
     

    IanSuth

    I am tempted to query Nationwide Building society with them
    Whilst 200 miles away on hols my daughter got an email from her bike insurance co saying her auto renewal had failed (it was cheapest quote so was letting auto happen), she rang and tried to manually pay and again it failed.

    Rang Nationwide and they said her card was blocked and Nationwide had triggered it with multiple payment attempts

    Got transferred to Fraud - not Insurance Co's fault, they had received notification from Visa that a 3rd party had informed them of a data breach and as such her card details may have been compromised so her card had been flagged and next time an online transaction was attempted it blocked.
    She asked what she was meant to do with 24hrs until insurance ran out as insurance will only do payments via their app or over the phone both of which use blocked card detail and Nationwide refused to do a push transaction - why had they not informed her before about this risk
    They said "we posted a new card to you over a week ago", she said "i am on hols, why no notification by email or in the mobile app" "Oh that would be a security risk", "how ?" "in case a fraudster intercepted the message" "But you have blocked everything and won't even do a single push transaction to my insurance so how would that help the fraudster" "Oh I will pass that on"
    "Can you tell me who has had the breach" "No, Visa don't tell us, ring them"

    Rang Visa who said nope, Nationwide have to tell you, we can't

    Rang nationwide who refused to give detail saying it is market sensitive confidential information

    So some (I am guessing large) firm has had a data breach which is big enough to have told Visa who have instructed banks to block cards, but those people aren't allowed to know who they gave their details to who might be untrustworthy

    (we actually in the end rang a neighbour who has a key who popped round opened the letter to my daughter and gave her the new card number and cvc so she could ring back the insurance company and pay, a far bigger data security risk than an email telling her what was happening. When we got back the letter had been sent the day we left and said "this is not for any particular reason - we just sometimes change customers cards as an extra security measure" - ROLLOCKS)
     

    WaveJumper

    Probably a Nationwide breach, the same as my son had: 3 breaches in one month on his business account held with a major high street bank. Funds were paid immediately back into his account each time, the same line used: "market sensitive confidential information". From his second round of phone calls with the bank he felt sure it was an internal breach but they would not admit anything.
     

    Newchodge

    Probably a Nationwide breach, the same as my son had: 3 breaches in one month on his business account held with a major high street bank. Funds were paid immediately back into his account each time, the same line used: "market sensitive confidential information". From his second round of phone calls with the bank he felt sure it was an internal breach but they would not admit anything.
    I thought they had to declare a breach to every customer potentially affected?
     

    WaveJumper

    I thought they had to declare a breach to every customer potentially affected?
    First hit was when he went to pay supplier and found his funds had been frozen, not a word from the bank at that time. Long story short as I said funds immediately replaced into a new account, cards sent out, another breach on new account which he had not even had time to use, so who knew the details. And then blow me the same again on the third new account. When asked how did anyone other than the bank know the details of these two new accounts ....... a wall of silence, he's no longer with them
     

    Onthebrightside

    @Onthebrightside - it’s a little worrying that nobody in the organisation knows about the ICO and your responsibilities for data protection. Who is your Data Controller? Have the data processors been trained? How are you keeping personal data safe? The ICO exists to help you with all this. If you don’t have the necessary policies in place paying your annual fee is the least of your worries.
    He's a one man band who hires in staff via other organisations, so he doesn't keep their details, there is someone in between.
     

    Onthebrightside

    Do you hold personal information on all the self employed? If so this is personal data (whether it's in a physical file or on the computer).

    Do you make payments to the self employed? If so, you must have their account details?

    These may mean that you have to register. For the sake of £40 I would just register!
    No, we don't make payments to the self employed, we pay companies and they pay the self employed.
     

    Onthebrightside

    From Wikipedia

    The Information Commissioner's Office (ICO) is a non-departmental public body which reports directly to the Parliament of the United Kingdom and is sponsored by the Department for Digital, Culture, Media and Sport (DCMS). It is the independent regulatory office (national data protection authority) dealing with the Data Protection Act 2018 and the General Data Protection Regulation, the Privacy and Electronic Communications (EC Directive) Regulations 2003 across the UK; and the Freedom of Information Act 2000 and the Environmental Information Regulations 2004 in England, Wales and Northern Ireland and, to a limited extent, in Scotland.
    Yep, saw this and realised they were vaguely connected to the government.
     

    fisicx

    He's a one man band who hires in staff via other organisations, so he doesn't keep their details, there is someone in between.
    He keeps the details of the staff he hires. Which means he holds personal details. Which means he is a data controller and has to comply with data protection regulations. Just because he is a one-man band doesn’t give him any exemptions.
     

    Onthebrightside

    I am tempted to query Nationwide Building society with them
    Whilst 200 miles away on hols my daughter got an email from her bike insurance co saying her auto renewal had failed (it was cheapest quote so was letting auto happen), she rang and tried to manually pay and again it failed.

    Rang Nationwide and they said her card was blocked and Nationwide had triggered it with multiple payment attempts

    Got transferred to Fraud - not Insurance Co's fault, they had received notification from Visa that a 3rd party had informed them of a data breach and as such her card details may have been compromised so her card had been flagged and next time an online transaction was attempted it blocked.
    She asked what she was meant to do with 24hrs until insurance ran out as insurance will only do payments via their app or over the phone both of which use blocked card detail and Nationwide refused to do a push transaction - why had they not informed her before about this risk
    They said "we posted a new card to you over a week ago", she said "i am on hols, why no notification by email or in the mobile app" "Oh that would be a security risk", "how ?" "in case a fraudster intercepted the message" "But you have blocked everything and won't even do a single push transaction to my insurance so how would that help the fraudster" "Oh I will pass that on"
    "Can you tell me who has had the breach" "No, Visa don't tell us, ring them"

    Rang Visa who said nope, Nationwide have to tell you, we can't

    Rang nationwide who refused to give detail saying it is market sensitive confidential information

    So some (I am guessing large) firm has had a data breach which is big enough to have told Visa who have instructed banks to block cards, but those people aren't allowed to know who they gave their details to who might be untrustworthy

    (we actually in the end rang a neighbour who has a key who popped round opened the letter to my daughter and gave her the new card number and cvc so she could ring back the insurance company and pay, a far bigger data security risk than an email telling her what was happening. When we got back the letter had been sent the day we left and said "this is not for any particular reason - we just sometimes change customers cards as an extra security measure" - ROLLOCKS)
    Ooo, sounds like things went very wrong there, very odd. Banks are very strange nowadays because they seem to have cut down on the number of actual staff who will help sort things out, it's like a 'not my job' scenario whenever you contact them.
     

    fisicx

    Yep, saw this and realised they were vaguely connected to the government.
    Not vaguely connected - they are the regulators. Just like the FCA is for finance.
     

    IanSuth

    Ooo, sounds like things went very wrong there, very odd. Banks are very strange nowadays because they seem to have cut down on the number of actual staff who will help sort things out, it's like a 'not my job' scenario whenever you contact them.
    Rang ICO and they are unsure of the responsibilities. All they could suggest was my daughter send a subject access request specifically stating the possible breach and wanting any data on that which was tied to her personal details.

    But they thought it might be a legal cause for withholding as could end up part of a legal case
     

    WaveJumper

    Don't just pay the £40.00, make sure you put some "systems" in place, guidance is given on their website. In another life dealing with commercial property (a bit different I know) I can tell you now it's not nice being in court defending your in-house compliance when some defendant's lawyer is trying to rip you apart.
     

    Onthebrightside

    Don't just pay the £40.00, make sure you put some "systems" in place, guidance is given on their website. In another life dealing with commercial property (a bit different I know) I can tell you now it's not nice being in court defending your in-house compliance when some defendant's lawyer is trying to rip you apart.
    Thank you WaveJumper, you are right.
     

    SillyBill

    Another quango of government. I used to pay them £40.00 a year every year, another protest of mine not to bother now. Similar with the OBR, everything gets binned on receipt. I am paying hundreds of £k a year in taxes, and not enough it seems, just leave us alone! Small wins against pettifogging bureaucracy, which is absolutely endemic.
     

    WaveJumper

    I remember a while back a thread on this topic and those with dash cams in their work vans suddenly found they needed to sign up to the ICO

    Unfortunately, unlike the television licence, it's not going to go away, but at the end of the day we have to be able to report breaches of data loss to someone, and someone has to hold these people / companies to account.
     
    Thank you everyone for your help and advice. I think, given the responses, we'll pay the £40.00
    Before you do that, ask yourself if you should have registered in the first place - we, for example, do not sell B2C and are B2B only and we hold no personal information on private individuals whatsoever. Therefore we are not obliged to register.

    On the other hand, if you do hold private information on private individuals, then you do have to register.
     
    What about sole traders? Are they not considered private individuals in the eyes of ICO?
    Great question and the ICO is rather wooly on that subject - "Individuals acting as sole traders, employees, partners and company directors where they are individually identifiable and the information relates to them as an individual may constitute personal data."

    May - what is a bloody may? They sent us a letter and even did a follow-up call and I told them that we are a B2B business only and do not collect any personal information. They seemed happy with that and told me that we were exempt.

    You as a private person are specifically exempt from GDPR and privately, you can collect all the information you wish. The moment you put a business hat on, GDPR applies. The only problem is that the legislation is (like so much recent legislation) a dog's breakfast of contradictions and vague non-definitions.

    When is a customer a friend or acquaintance?
    When am I a business and when am I acting as a private individual?
    What is the data status of a friend or acquaintance who then comes to me as a business?
    What about all the personal information I have stored in my head?
     

    ctrlbrk

    "Individuals acting as sole traders, employees, partners and company directors where they are individually identifiable and the information relates to them as an individual may constitute personal data."

    What I read from this:

    John Smith is a director of Acme LTD.
    • If he creates a UKBF account as AcmeLTD with an address of [email protected] then, in the eyes of ICO, that is not personal data.
    • If he creates a UKBF account as John Smith with an address of [email protected] then, in the eyes of ICO, that is personal data.

    Any views, for or against this interpretation, welcome.
     

    TBLZ

    Before you do that, ask yourself if you should have registered in the first place - we, for example, do not sell B2C and are B2B only and we hold no personal information on private individuals whatsoever. Therefore we are not obliged to register.

    On the other hand, if you do hold private information on private individuals, then you do have to register.
    We are B2B too and that was my way of thinking (backed by the ICO's own website) until a client of mine had one of their trustees force us to register. The trustee in question is a lawyer and works in the field of data protection I believe, so we just had to do it in order to keep the client happy, even though I still believe that we don't have to by the letter of the law. There is a lot of conflicting information around. For instance, what staff-employing company does not hold their staff's addresses, or next of kin information? If that constitutes information on private individuals, then all employers should register, but there is nothing as crystal clear as that anywhere on the ICO's website. That makes me think that they are deliberately obfuscating the definitions in order to rake in more of those £40 fees.
     

    fisicx

    You may not need to register but you do need to comply with the regulations. One of which is to appoint a data controller who is responsible for compliance.

    People are getting two different things mixed up.
     
