An undercover investigation has claimed that legitimate list brokers are selling illegally gathered sensitive personal and financial information on an industrial scale for as little as 4p a record.
In response to the the probe – carried out by Which? Money – the Information Commissioner’s Office said the findings may provide a new line of enquiry to its ongoing investigation into the buying and selling of personal data.
Which? investigated 14 data-selling companies by posing as a dodgy firm with the intention to contact people about early pension releases – a common pension scam.
Researchers were able to order forms or invoices from 10 firms contacted, but stopped short of actually buying the data on offer. Undercover researchers uncovered numerous examples of irresponsible behaviour and were able to discuss buying personal information for more than half a million people aged 50 and over, including salary, pensions, homes and jobs, the organisation claims.
Rogue practices included one company issuing an invoice for nearly 500,000 pieces of personal information at just 4p each with a household income of £40,000+ including phone number and address
Another firm sent a sample telephone list on which 13 out of 18 people were registered with the Telephone Preference Service (TPS), while a third company issued an invoice containing bank details for 5,000 records at 24p per item with assurances that the data would be sent as soon as payment was made.
Which? insists that by doing some basic research the list brokers could have discovered that the fake business set up by was not listed at Companies House; that it wasn’t FCA regulated – despite the claim it offered investment advice; and that it was not registered with the Information Commissioner’s Office (ICO) – a legal requirement for anyone trading in personal data.
Only four firms of the 14 firms investigated demonstrated best practice by refusing to deal with the fake pensions company from the outset. The other 10 firms still failed to carry out due diligence up to the point where orders were being placed.
When Which? contacted the companies investigated, many defended their actions stating that ‘they would have carried out further checks’ before sharing the data. The company that shared sample data (with 13 of 18 registered with TPS) did admit that it ’did not carry out the necessary checks on this occasion’.
Alarmingly, one of the companies dealt with wasn’t even registered with the ICO at the time of the investigation – a criminal offence. They later admitted to an ‘administrative oversight’ that had caused a 23-day delay to their registration renewal.
Many companies appeared to be in breach of the ICO’s guidance on the consent consumers give to have their details shared, Which? claimed. Some companies were using such vague consent that it was unlikely to pass the ICO’s test.
Harry Rose, Which? Money Editor, said: “Our investigation highlights that sensitive personal and financial data is being traded on a huge scale, with some companies apparently willing to sell to anyone who comes calling.
“Millions are already pestered by nuisance callers and targeted by scammers. To avoid ending up on a list, never give permission for your data to be shared by third parties and if you are called out of the blue about a financial opportunity, hang up and report it to the regulator.”
The ICO said: “The findings are very concerning and appear to raise serious issues about the compliance of organisations with data protection law. People have the right to know what happens with their personal data and be given a choice about how their details are used.
“We will be investigating these findings as they may provide a new line of enquiry to our ongoing work looking at the buying and selling of personal data. Where we have found companies have not followed the law we will consider enforcement action.”