IT Governance Blog on IT governance, risk management, compliance and information security.

Under the Data Protection Act 1998, anyone who processes personal data has a legal obligation to “notify” the Information Commissioner’s Office (ICO) they are doing so.  In fact it is a criminal offence not to notify, or to fail to keep the ICO up to date with any changes to the way an organisation processes personal data.

This notification can be done online or by phone directly with the ICO, and costs 35 GBP per year (500 for larger businesses).  However it was in 2000 I first became aware when working for the Police of “bogus agencies” who threaten businesses to extort money from them using this law.  It seems the scam is still in operation today.

These businesses often charge up to 200GBP to notify on an organisations behalf.  There is nothing illegal in charging an admin fee for taking this burden from other organisations.  What is wrong about this, is the way they undertake to get their clients, often posing as the information commissioner and writing threatening letters stating that organisations will be fined or people jailed if they do not pay up immediately to that bogus agency concerned.  Often their name or logo is designed to make an organisation think that bogus agency is an official body, and of course they do not state the organisation can do it themselves far cheaper.

The problem with dealing with such organisations, is that as soon as one business closes down, another springs up performing the same scam, only with a new name and targeting a different industry sector (typically by picking a section in the yellow pages and sending out a mail shot to all of the businesses in a given section).  When working for the Police data protection we would find a run of garages one month, restaurants the next etc etc.

The ICO is aware of this scam and works with local trading standards and the office of fair trading to shut them down.  IT Governance conducts data protection consultancy and training courses, please get in touch for more information.

See www.ico.gov.uk for more information, their full statement is below.

http://www.ico.gov.uk/what_we_cover/data_protection/notification/bogus_agencies.aspx