A pay day loans company based in London and its director have been prosecuted by the Information Commissioner’s Office (ICO) today after failing to register that the business was processing personal information.
Under the Data Protection Act (DPA), organisations processing personal information are required to register with the ICO. Most organisations will be required to pay an annual notification fee of £35 and provide details about the types of information they process. Failure to notify is a criminal offence and could lead to a fine of up to £5,000 in a Magistrates Court, or unlimited fines in a Crown Court.
Hamed Shabani, the sole director of First Financial, was convicted under section 61 of the Data Protection Act at City of London Magistrates Court today. He has been fined £150 and has also been ordered to pay £1,010.66 towards prosecution costs, as well as a £20 victims’ surcharge. The company was convicted under section 17 of the Act. It has been fined £500 and has also been ordered to pay £1,010.66 towards prosecution costs, as well as a £50 victims’ surcharge.
Before the hearing Mr Shabani had attempted to remove his name from the company’s registration at Companies House in order to avoid prosecution.
Stephen Eckersley, ICO Head of Enforcement, said:
“Failure to register is not only a criminal offence, but also shows that a company holds a clear disregard for looking after and protecting the personal information of their customers.
“Pay day loans companies hold important information about some of the most financially vulnerable people in the UK. This makes this company and its director’s decision not to face up to their legal responsibilities all the more concerning.
“Businesses must commit to looking after the information of their customers and this begins with making sure that they are registered. We will continue to use our enforcement powers to safeguard people’s information.”
The ICO has produced advice and guidance on how organisations can register, including an online self-assessment tool which companies can use to find out if they need to register.
1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
2. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
3. The ICO is on Twitter, Facebook and LinkedIn, and produces a monthly e-newsletter.
4. Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:
Fairly and lawfully processed
Processed for limited purposes
Adequate, relevant and not excessive
Accurate and up to date
Not kept for longer than is necessary
Processed in line with your rights
Not transferred to other countries without adequate protection
5. If you need more information, please contact the ICO press office on 0303 123 9070.