121Media/Phorm Registration as
A Freedom of Information request to Information Commissioner’s Office by P. John
The request was successful.
P. John
17 March 2009
Dear Sir or Madam,
"Notification is a statutory requirement and every organisation
that processes personal information must notify the Information
Commissioner’s Office (ICO), unless they are exempt. Failure to
notify is a criminal offence."
Accordingly, ICO issued an enforcement notice, and threatened
prosecution against the "Consulting Association" for failing to
register. David Smith was quoted "This is a serious breach of the
Data Protection Act. Not only was personal information held on
individuals without their knowledge or consent but the very
existence of the database was repeatedly denied."
Please could you disclose to me
- The date on which 121Media/Phorm first registered as a data
controller
- The date on which 121Media/Phorm first registered as a data
controller handling information for the purpose of "Advertising
Marketing & Public Relations For Others" concerning "COMMERCIAL
CUSTOMERS AND CLIENTS END USERS"
- Copies of all the registration documents supplied to you by
121Media/Phorm since 1 January 2005
- The number of people who were involved in the covert trials of
Phorm Webwise without their knowledge or consent
- The date on which the conduct of covert trials was first revealed
to the ICO by BT and/or Phorm
- Any enforcement notices which have therefore been issued as a
consequence of processing personal information without
registration, and/or operating the system without the knowledge or
consent of the people profiled?
Phorm's present registration number is Z1196938.
Yours faithfully,
Peter John
Information Commissioner’s Office
18 March 2009
18th March 2009
Case Reference Number IRQ0239626
Dear Mr John
Request for Information
Thank you for your e-mail of 16 March 2009 in which you have asked us
to provide you with various items of information relating to 121
Media/Phorm.
Your request is being dealt with in accordance with the Freedom of
Information Act 2000 under the reference number shown above. We
will therefore respond to your request by 15 April 2009 which, allowing
for the Good Friday and Easter Monday bank holidays, is 20 working days
from the day after we received your request.
Yours sincerely
Antonia Swann
Assistant Internal Compliance Manager
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
Tel: 01625 545894
Email: [email address]
www.ico.gov.uk
http://www.ico.gov.uk or email: [email address]
Information Commissioner's Office, Wycliffe House, Water Lane,
Wilmslow, Cheshire, SK9 5AF
Tel: 01625 545 700 Fax: 01625 524 510
Information Commissioner’s Office
21 April 2009
9th April 2009
Case Reference Number IRQ0239626
Dear Mr John
Request for Information
Further to my acknowledgement of 18 March 2009 we are now in a position
to provide you with a response to your request for information dated 16
March 2009.
In your e-mail of 16 March you asked for the following items of
information, which are followed immediately by our response:
The date on which 121Media/Phorm first registered as a data controller:
Following a search carried out of our current and archive records by
colleagues in our Notification Department, they have confirmed that the
only register entry we have been able to find against the names of
Phorm and 121 Media is the entry you have already identified, ie
Z1196938. This registration was submitted in the name of Phorm UK Inc
on 30 January 2008.
The date on which 121Media/Phorm first registered as a data controller
handling information for the purpose of "Advertising Marketing & Public
Relations For Others" concerning "COMMERCIAL CUSTOMERS AND CLIENTS END
USERS":
The date Phorm UK Inc registered the purpose "Advertising, Marketing &
Public Relations for Others concerning commercial customers and clients
and users" was also 30 January 2008.
Copies of all the registration documents supplied to you by
121Media/Phorm since 1 January 2005:
Please find attached scanned copies of all the registration documents
we have been able to locate which relate to Phorm UK Inc's register
entry Z1196938. These documents include a copy of the original
notification (dated 28 January 2008, and stamped as received on 30
January 2008), a copy of the payment remittance advice that we received
on 20 January 2009 at the time of renewal, and two subsequent versions
of the register entry (1st valid from 30/01/08 to 30/01/09, 2nd valid
from 23/01/09 to date).
Two items of information have been redacted from these documents.
The first item is the signature of Stratis Scleparis, Chief Technology
Officer at Phorm and signatory of the Notification Application Form.
Whilst Mr Scleparis' contact details are publicly available (from
Phorm's UK website), his signature is not. This personal data has
therefore been removed in accordance with section 40(2) of the Freedom
of Information Act 2000, as we take the view to provide it to you would
be unfair to Mr Scleparis, and as a result would contravene the 1st
Data Protection Principle of the Data Protection Act 1998.
The second item is the name of the member of staff from our
Notification Department who printed out the copy of the Renewal
Invoice. The member of staff concerned is not in a senior or public
facing role, and it is our policy not to disclose names of staff who do
not meet these criteria. Again, this personal information is exempt
from disclosure to you under section 40(2) of the Freedom of
Information Act 2000 as we take the view to provide it to you would
contravene the Data Protection Act 1998.
The number of people who were involved in the covert trials of Phorm
Webwise without their knowledge or consent:
We do not have a definitive figure recorded, but we believe that around
15,000 users were involved in the 2006 trial, but we have no recorded
information in relation to the 2007 trial. We are also aware that
information has been published by bloggers on other websites where they
assert that the figure is likely to be much higher based on their
analysis of an allegedly leaked internal BT report (we don't have a
copy of this report, but understand that it can be accessed online).
The date on which the conduct of covert trials was first revealed to
the ICO by BT and/or Phorm:
The ICO first became aware of the trials from news reports towards the
end of March 2008. Our first contact with BT about the trials was on 2
April 2008, and our first discussion with Phorm about the trials was on
6 May 2008.
Any enforcement notices which have therefore been issued as a
consequence of processing personal information without registration,
and/or operating the system without the knowledge or consent of the
people profiled?:
No enforcement notices have been served on Phorm by the ICO, therefore
there is no information to provide in response to this part of your
request.
By way of background information on this issue, under section 17 of the
Data Protection Act 1998 data controllers established in the
UK are under a duty to register their processing of personal data with
the Information Commissioner's Office unless an exemption applies.
Companies processing personal data solely on the instruction of data
controllers are defined as data processors and the responsibility for
complying with the Act continues to rest with the data controller who
is instructing them. Whilst Phorm UK Inc are a data controller in their
own right regarding some of the personal data they process it is our
understanding that in respect of the 2006 and 2007 trials they were at
all times operating as a data processor under the instruction of
BT. Therefore, to the extent that any personal data may have been
processed by Phorm UK Inc as part of the trials in 2006 and 2007,
BT was the data controller and Phorm UK Inc would not have been
required to notify that particular processing.
I hope that this provides you with the information you require.
However, if you are dissatisfied with this response and wish to request
a review of our decision or make a complaint about how your request has
been handled you should write to the Internal Compliance Team at the
address below or e-mail [email address]
Your request for internal review should be submitted to us within 40
working days of receipt by you of this response. Any such request
received after this time will only be considered at the discretion of
the Commissioner.
If having exhausted the review process you are not content that your
request or review has been dealt with correctly, you have a further
right of appeal to this office in our capacity as the statutory
complaint handler under the legislation. To make such an application,
please write to the Case Reception Team, at the address below or visit
the "Complaints" section of our website to make a Freedom of
Information Act or Environmental Information Regulations complaint
online.
A copy of our review procedure is attached.
Yours sincerely
Antonia Swann
Assistant Internal Compliance Manager
P. John
9 April 2009
Dear Sir or Madam,
Thank you for your prompt response.
Given BT are considered to be the Data Controller I hope you won't
mind if I make a separate request for BT's corresponding
registration documents covering the same period.
Thanks again,
Yours sincerely,
P. John
P. John left an annotation (11 April 2009)
This FoI is important for two reasons.
Firstly, in 2006 and 2007 121Media conducted covert trials of their profiling system on tens of thousands of BT customers. 121Media were receiving communication data secretly intercepted by BT, and using that information to construct personal profiles of those customers. 121Media were not registered under the data protection act.
Secondly, prior to 2006, 121Media were using desktop spyware/rootkits to monitor internet users and present advertisements. During this period, by their own admission, they gathered information about millions of internet users. For that purpose, and other uses of personal data, they should also have been registered under the data protection act.
During this period they had a registered business address in London.
Unless exempt, failing to register is a serious criminal offence.
Should they have registered? That question is answered in the response to this FoI.
"Are you exempt from notification but have decided to register voluntarily?"
Phorm answered; "No".
More info see here:
https://nodpi.org/forum/index.php/topic,...
Francis Irving left an annotation (21 April 2009)
Following instructions from the ICO, I've replaced the attachment in their response.
It is almost entirely the same, but has had a small amount of personal information redacted that shouldn't have been in the original reply (the digital copy of someone's signature, and someone's name).
The filename of the .doc attachment has also changed.
Steve Hankin left an annotation (21 April 2009)
QUOTE: "We are also aware that
information has been published by bloggers on other websites where they
assert that the figure is likely to be much higher based on their analysis
of an allegedly leaked internal BT report (we don't have a copy of this
report, but understand that it can be accessed online)." UNQUOTE
They don't have a copy of that report? Have they asked for one? When did they ask for it? What is the policy around retention of such reports that they ask for and get? If they did not ask for it, on what basis was the decision not to request sight of a copy made? Who made that decision, when did they do it, who discussed it and what are the minutes of all meetings in connection with this event?
As background: This refers to the internal report which BT did not make public (it was "leaked"). The report covers the subject of the trial of a "deep packet inspection system" to intercept the communication of their customers whom they did not even ask permission of. BT did not tell their customers what they had been doing until it was clear that the activity was in the public domain and was to be covered in the national news on TV.
M Veale left an annotation (9 April 2009)
I wonder if Phorm/121media did the processing outside the UK. I also wonder if they were covered by any 'safe harbour' agreement.