Organisations and companies, unwittingly or not, are buying personal data about consumers which has been illegally obtained, according to the Office of the Information Commissioner (ICO).

The Government's privacy watchdog said there has been an enormous growth in the illegal sale of people's personal details and we are all at risk from this               "flourishing" trade which is not only in breach of the Data Protection Act (DPA) but has serious implications in the battle against identity theft.

The scale of the problem with breaches of the DPA has been highlighted by the recent successful prosecution by the ICO of a husband and wife team selling on people's personal details.

However, the ICO warned, that the activities of the couple, Sharon and Stephen Anderson, who made £140,000 year selling private financial information, only represents the tip of the iceberg.

It said a previous investigation, Operation Motorman, showed that a huge undercover market in obtaining and selling on confidential information lies hidden under the surface of legitimate data sales. The ICO said it has evidence implicating many organisations, even local authorities, in this unlawful trade.

Parallel investigations launched by the police (acting on information provided by the ICO) uncovered evidence of the unauthorised supply of information from the Police National Computer by a civilian police employee.

This information is sold on to many organisations but typically can include private detective agencies, insurance companies, lawyers, debt collection agencies and newspapers.

In what Mr Thomas has described as a thriving black market the pair acted as subcontractors to three detective agencies, although these companies have denied knowledge of the couple's crimes committed on their behalf.

The Anderson's were able to obtain sensitive information through a process known as 'blagging'. This is when bogus phone calls are made to organisations such as banks and utilities to obtain information such as details of people's bank and mortgage accounts and tax returns.

For example, ‘blaggers’ pretend to be employees of these organisations and deceive real members of staff into disclosing personal information about individuals.

Examples of these bogus phone calls are given in the ICO's What Price Privacy report which was published in May this year. One example shows how a private investigator was able to obtain information for an insurance company about an 82-year-old woman.

She received a telephone call purportedly from the Inland Revenue requesting her maiden name, which the caller said was needed to process a tax rebate for her son. She gave it without question.

That same day, the caller, not the private detective, made more bogus calls to the claimant’s bank. Eventually – after using the mother’s maiden name as a security password and answering a further question about direct debits - gained access to information about the claimant’s bank accounts.

Although the couple from St Ives, Cambridgeshire, admitted breaching the DPA and were fined £14,800 in fines and costs, Richard Thomas, the Information Commissioner wants to increase the penalties to two years in jail.

He also wants to prosecute the companies that buy this information illegally. As a result of the recent prosecution, the ICO is now investigating a number of organisations that have bought personal data and it warned of possible raids and prosecutions.

The National Consumer Council, which also said this data could be leaked to criminals, was pleased by the current action.

A representative told us: "We are glad to see the Information Commissioner flexing his muscles. A recent study shows the average Briton is an £85,000 target for ID fraudsters and we feel the penalties must be appropriate for the distress and damage that is done to the individual."