The Data Protection Act 1998 requires individuals and organisations that process personal information to register with the Information Commissioner’s Office (ICO), unless they are exempt from doing so. Exemptions are available in limited circumstances, including for some non-profit organisations or where an organisation is not responsible for deciding how information is processed. The cost of registration is £35 for most organisations per year and failure to register can lead to a criminal conviction entailing a fine of up to £5,000 in a magistrates’ court, or an unlimited fine in a Crown Court.
Payday loan company First Financial (UK) Limited was prosecuted under section 17 of the Act, which prohibits processing without registration. Its sole director, Mr Hamed Shabani, was convicted under section 61 of the Act by London Magistrates’ Court. Section 61 extends liability to the director of a company where the act of the company is attributable to them. Mr Shabani was fined £150, in addition to being ordered to pay £1,010.66 towards prosecution costs and a £20 victims’ surcharge. First Financial (UK) Limited was fined £500 and has also been ordered to pay £1,010.66 towards prosecution costs, together with a £50 victims’ surcharge.
The prosecution and subsequent conviction show a marked change in attitude by the ICO, which has previously exercised restraint in exercising its legal powers by attempting to persuade organisations to comply with their data protection duties. Registration is a simple and inexpensive step and demonstrates a prima facie desire to safeguard personal information.