If you register under the Data Protection Act, you will likely receive one of these letters. One of my clients received one this week. From a company called ‘Data Protection Agency Services – Enforcement Section’, this letter explains how failure to comply with the Data Protection Registrar constitutes a criminal offence, and you need to send them £95.
As you may have guessed from the fact I’m posting it at all, this letter is not what it seems.
It’s not a con, it’s just brazen. This company have nothing to do with the ‘Information Commissioner’, who handles all data protection registrations.
The first bullet point says ‘You are not held on our records as having registered under the Data Protection Act 1998, to comply with the Data Protection Registrar”. This is likely to be true, they probably don’t have any records of these things or they couldn’t send out the letters. It then warns you of the dangers associated with not registering and various gumph about the reasons behind it etc. There’s a little booklet you have to fill in, which is remarkable in its lack of spelling / grammatical errors (which makes me wonder if it’s just taken from something that actually is official). Then we come to the following:
“Once your cheque has reached us we will register you with the Notification Department, and provide you with helpful documentation for developing your codes of practice, under the legislation set within the Data Protection Act 1998″ (bold type theirs)
Whoop tee do.
The official term for registering under the DPA is ‘notification’, so many people assume this is an offical government thing, but it isn’t. The “Notification Department” of this company isn’t an official body, so it won’t matter one jot whether you are registered with them. It will, however, cost you £95.
The “Data Protection Agency Services” do exactly what they say they’ll do, so there’s nothing against the law about this. It’s just that many people will read the letter, assume it is from the government, and send off a cheque. Personally, I would say that’s the whole point, but that’s just my opinion. It’s a bit like me sending you an invoice that says “I thought about your computer last week – you owe me £50”. Most people would see this for what it is, but if I made it look similar to Microsoft documentation and crammed it full of warnings about how failure to comply with the EULA can get you fined, there’d be people who would simply send the money without paying too much attention.
According to the official website, the annual statutory notification fee for official notification is £35. There are no other charges.
I’ve just found this page on the official DPR website, warning about this kind of thing, and listing the addresses of the companies involved.
UPDATE on 18/05/04
Well, this page seems to have helped a fair few people! For a while I was in the top three google results under a ‘data protection agency services’ search, but I appear to have now disappeared from that. I appreciate all the kind words, although, please, if you want to go on an anti-government rant, this isn’t the place (and mentioning cars in the same sentence is a sure fire recipe for an email on road safety 😉 )
I’m updating to add a copy of the letter you’ll receive if you really do have to pay. You can see that the scam attempts to copy as much as possible from the official documentation. The real letter comes from the ‘Notification Department’ at ‘Wycliffe House’ and does, to be honest, look more professional. The official email address of ‘firstname.lastname@example.org’ doesn’t help in this regard! It is, however, only £35 as opposed to the newly-increased total of £135.
The Information Commissioner’s Website (down at the time of writing) apparently maintains a list of the addresses of these scammers. Trading Standards will also take action if informed – you can find your local office from the central Trading Standards website.
UPDATE on 23/11/05:
Somebody has commented that the fraudsters have been prosecuted successfully. Excellent news!