Press Release
For immediate release
Date: 21 June 2007
Orange and Littlewoods in breach of the Data Protection Act
The Information Commissioner’s Office (ICO) has found Orange Personal
Communications Services Ltd and Littlewoods Home Shopping in breach of the Data
Protection Act following an investigation into the way in which customers’ personal
information is processed.
The ICO received a complaint regarding the way in which Orange processed
personal information, and in particular the way in which new members of staff were
allowed to share user names and passwords when accessing the company IT
system. Following its investigation, the ICO found that Orange was not keeping its
customers’ personal information secure and therefore was in breach of the Data
Protection Act.
In a separate investigation the ICO ruled that Littlewoods had failed to process
customers’ data in line with the Data Protection Act. This follows a customer’s
attempt to stop the company using her personal data for direct marketing purposes.
Despite her requests Littlewoods continued to send her marketing materials.
The ICO has now required these organisations to sign a formal undertaking to
comply with the Principles of the Data Protection Act. Failure to meet the conditions
of the undertaking is likely to lead to further enforcement action by the ICO and could
result in prosecution by the Office.
Mick Gorrill, Head of Regulatory Action at the ICO, said: “Organisations that process
individuals’ personal information must do so in compliance with the Data Protection
Act. If they do not, they not only risk further action from the Information
Commissioner but also risk losing the trust of their customers. Individuals must feel
confident that organisations are safeguarding their personal information.”
Last month the Information Commissioner called for stronger powers to allow his
office to carry out inspections and audits to ensure organisations are complying with
the Data Protection Act. Currently, the Commissioner must gain consent before
inspecting an organisation for compliance.
Copies of the signed undertakings are available on the ICO website at:
Enforcement - Data protection
ENDS
If you need more information, please contact the Information Commissioner’s press
office on 020 7025 7580 or visit the website at: ICO – Information Commissioner's Office
Notes to Editors
1. The Information Commissioner promotes public access to official information and protects
personal information. The ICO is an independent body with specific responsibilities set out in
the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental
Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
2. For more information about the Information Commissioner’s Office subscribe to our
e-newsletter at ICO – Information Commissioner's Office
3. Anyone who processes personal information must comply with eight principles, which make
sure that personal information is:
• Fairly and lawfully processed
• Processed for limited purposes
• Adequate, relevant and not excessive
• Accurate and up to date
• Not kept for longer than is necessary
• Processed in line with your rights
• Secure
• Not transferred to other countries without adequate protection