The U.K. Parliament’s home secretary has issued an order for the amendment of the Data Protection Act which will be read in both houses of Parliament. According to the order, police will be able to pass details of child pornography offenders on to banks so that offenders’ credit cards can be revoked.
The order was requested by a coalition of U.K. credit card companies and is the result of negotiations between the industry and the Home Office that have spanned the past three years.
“We asked for this because, at the moment, if someone uses a card to purchase illegal pornography there is no way under data protection legislation for the police to pass that information on to card issuers,” says an APACS spokeswoman. “We already have the power to take a card from someone, but if they committed one of these offenses we wouldn’t know about it.”
APACS is the U.K. trade association for payments and for those institutions that deliver payment services to customers.
Authorities will be allowed to inform a credit card company of the identity of someone who has used one of its cards to commit a child pornography offence. The order is specifically applied only to offenses involving child pornography.
The purpose of the order is to change the legislation so that information about a criminal conviction may be processed for the purpose of administering an account relating to the payment card (or for canceling the payment card) used in the commission of one of the listed offenses relating to indecent images of children and for which the data subject has been convicted or cautioned under the relevant legislation in England and Wales, Scotland, or Northern Ireland, according to an explanatory note that outlines the order.
“Although the order will legitimize the processing of these sensitive personal data that does not exclude application of the other principles,” says Chris Pounder of Pinsent Masons, the law firm behind OUT-LAW.COM. “For example, the sensitive personal data have to be retained for no longer than is necessary and have to be relevant to the purpose. Additionally, these personal data might be subject to an enhanced security regime.”
Pounder, a data-protection expert in the U.K., believes the draft order is stringently drawn not to raise privacy concerns.
The U.K.’s independent supervisory authority, the Information Commissioner (ICO) advised the Home Office against the recent order; although ICO mostly backs the change, it believes that it goes too far in one fundamental aspect.
“We were not persuaded that the part about administering the account was necessary. We think it would have been enough to confiscate the card,” says an ICO spokeswoman, who confirmed that this would leave a person with an account but without the physical card that went with it. “There is nothing to stop that person going to another bank for another card.”
The ICO regulates and enforces the Data Protection Act 1998, the Freedom of Information Act 2000, the Privacy and Electronic Communications (EC Directive) Regulations 2003, and Environmental Information Regulations 2004, and it reports directly to the U.K. Parliament.
The term “payment card” in the legislation refers to credit cards and to debit cards, so the “account” mentioned could be a full bank account, rather than just a credit card account.
In a separate case, data-protection rights were strengthened in Europe with the ruling of the European ombudsman that a German local government violated the EU Data Protection Directive.
When the state of Hamburg handed personal information to third parties for use in direct marketing, one resident complained to the European Commission. The commission said that while Hamburg could not use the information for its own direct marketing, it could send it to third parties.
The case was taken to the European ombudsman, who said the commission’s ruling had been too narrow. In order to avoid further action, the ombudsman recommended that the commission review its interpretation of the directive. The commission has agreed to do so.
