Virgin Berth

If there could be anything worse than the provenance and target of a Wallasey brick spawning an industry of conspiracy theorists, then it’s probably the Burning Question of whether Virgin Trains East Coast’s release of CCTV images of Jeremy Corbyn spurning unoccupied seats to enjoy the proletarian solidarity of the vestibule floor breached Data Protection laws. If I get through today without reading The Canary’s take on the matter, I will be a happy man.

Of course, the only sensible answer to the question is “It doesn’t matter“. But let’s ignore that obvious fact in favour of the following.

First, if Virgin Trains released unpixelated images of other passengers, this would be a breach of the first Data Protection principle on the basis that it would be unfair. There is no legitimate interest in doing so, and it is plainly unfair to publish images of ordinary passengers minding their own business. There is NO CHANCE ON EARTH than the Information Commissioner will take any action against Virgin for this as there is no harm to the passengers concerned, and harm is a vital threshold for any enforcement action. Individual passengers could sue, but again, they would have to demonstrate at least distress. I went from London to Edinburgh on Virgin East Coast once so I have some sympathy with this argument.

Of course, nobody would give a toss about this if it were not for the perceived slight to JC, so let’s get to that.

The first Data Protection principle requires that personal data should be processed fairly, lawfully and according to a set of conditions. Virgin’s disclosure must clear all three hurdles.

Fair – in the general sense of the word, I believe that the processing of Corbyn’s data was fair. Presumably without the company’s consent, Corbyn filmed a publicity stunt about the state of their trains. Even if the content was true, I believe Corbyn opened the door for Virgin to reply about the state of the train that Corbyn was on. Fairness does have a separate, specific meaning, which requires the organisation to tell the Data Subject who they are, what purposes the data is being used for, and anything else necessary to make the processing fair.

I can’t find the privacy notice for Virgin Trains East (if it’s not on the trains, that’s a breach), but Virgin Trains West Coast has a detailed policy on its website that includes improving customer service, monitoring operational incidents and verifying claims. If something similar is on the East Coast trains, I don’t think Corbyn has much room for complaint. I think that responding to an unauthorised publicity stunt on one of their trains is probably compatible with verifying claims and monitoring operational incidents. And besides, the Information Commissioner’s Office has invented and long tolerated a notion of ‘reasonable expectations’ – that you can do anything with personal data that the person would reasonably expect you to do. If Corbyn didn’t expect Virgin to look at their CCTV to verify his claim that the train was ‘ram-packed‘ (or even ‘rammed’ or ‘jam-packed’), he’s an idiot.

There is the nugget of an issue here – the public perception of CCTV is that it is used solely as a means of detecting and investigating crime. It isn’t – it’s used for a variety of civil, disciplinary and publicity purposes and there’s nothing in the Data Protection Act to prevent this. However, companies like the West and East Virgins tend to stress security and crime over all things when dealing with CCTV, and this creates an expectation of its own. Everything depends on the information available on the train that JC travelled on.

There is one exemption that might come to Virgin’s aid – Section 32 renders all of the First Principle void (and most of the others) if a disclosure is made for ‘journalistic purposes’ and the public interest in publication is incompatible with compliance with the principles. The language is important – one does not need to be a journalist, only to be processing for the purposes of journalism. This opens the door to widespread and enthusiastic flouting of DPA by all sorts of corporate interests, but I find it hard to dismiss the possibility altogether.

Lawful – I believe that the disclosure was lawful. A train is not a private place (except in the toilets and this probably not the time for me to raise the urban myth about CCTV in train toilets), and Corbyn’s personal data in this context is not confidential or private. I can see no other law that disclosing this data would breach, so I think they’re in the clear.

Condition – Schedule 6(2) of the Data Protection Act states that data can be processed (in this context, disclosed) if it is necessary for the purposes of a legitimate interest, as long as the processing does not prejudice the rights, freedoms or legitimate interests of the subject. Corbin made a claim about the conditions he found on a particular train – I believe that Virgin unquestionably have a legitimate interest in disclosing Corbyn’s personal data in order to comment on the accuracy of his claim. If Virgin released images of Corbyn unprompted, legitimate interests are out of the window. But Corbyn started the ball rolling, and I cannot see how the use of overt CCTV for this purpose prejudices his interests. Of course, if the images were used in a misleading way, again, legitimate interests is dead, but frankly, that’s a much bigger problem.

Other conditions might be engaged but unless Virgin have actively defamed Corbyn by photoshopping them to look like the train had seats when it didn’t (which is what I presume The Canary’s take is), I believe that the use of images was adequate, relevant, and not excessive (principle 3), and accurate (principle 4). One might question how long the images have been retained for (principle 5), but there is no statutory time period – Virgin simply have to justify that the retention period matches the purposes outlined under the first principle.

At its absolute worst, the release of Corbyn’s images might be unfair if the privacy notices on the train do not reasonably envisage the possibility of something like this happening. If Mr Corbyn was damaged in some way by this, the seriousness of the breach is increased, but not by much. It would be unlawful, but I see no public interest in taking action. Politics is a dirty business. Corbyn’s party breaches Data Protection all the time, so if he wants to take this up, he should do some digging in his own backyard.

And reserve a bloody seat next time.

Caesar’s Wife

In May 2016, the Labour member for Heatons North, Alex Ganotis, became Leader of Stockport Council, having been a councillor for some years. A month or so later, I read a story mentioning him in the Manchester Evening News, and his name rang a bell. Alex Ganotis is also a Group Manager at the Information Commissioner’s Office – I know this because he has signed hundreds of FOI Decision Notices on behalf of the Commissioner.

I made an FOI request to the ICO to find out more about Mr Ganotis’ role – in particular, I wanted to know how likely it was that a professional politician might be involved in complaints to the ICO involving political parties or local government. If Mr Ganotis worked on financial services or health, for example, he would need to maintain a high degree of professionalism and neutrality, but there would be no immediate conflict of interest. So I asked the ICO what team he manages. The answer:

Mr Ganotis manages a team of staff who deal with complaints and concerns about councils and political parties

I had to read this several times before I could take it in.

The ICO’s Policy on party political activities is helpfully published on its website. It makes reassuring reading:

The ICO is an independent body and it is important for it to be free from party political bias, and to be clearly seen and acknowledged as being free from such bias……. It is of paramount importance that the ICO is acknowledged as being free from party political bias and influence. The work that we do can often be of a politically sensitive nature and any substantiated allegations of bias would have serious repercussions for the future of the ICO.

The policy sets out a process through which an ICO employee can gain approval for party political activities. I asked when Ganotis went through this process, and the ICO revealed that he was approved in October 2008, which means that his dual ICO / councillor role went on for nearly eight years before he became Leader – he did not seek re-approval when he became Leader, so it seems that the ICO has not reassessed his role now he is a council leader, nor has he asked for this to happen.

I asked for recorded information about the approval process for his role. The ICO has nothing. I asked for any recorded information about measures taken to ensure, in the Policy’s words, that ‘potential for conflicts of interest’ have been minimised with regard to Mr Ganotis’ role. Nothing is held. The ICO added “Mr Ganotis’ line manager and his peers are responsible for assigning decision notices and make a judgement on a case-by-case basis as to what he is assigned, taking into account whether individual cases could pose a potential conflict of interest.” There are no formal arrangements, no written criteria or parameters, nothing to measure or audit against. The ICO enthusiastically fines organisations hundreds of thousands of pounds for failing to maintain properly documented processes, but in the case of having a professional politician managing a team that deals with hundreds of complaints about political parties and councils, the ICO itself sees no need for rigour. Trust whoever decided that this is OK, Wilmslow says, because we have nothing else to offer.

Mr Ganotis is a Group Manager, answering to a Head of Department, but the ICO’s response makes clear that the former Information Commissioner himself, Richard Thomas, approved of the arrangement: “the Commissioner at that time was made aware of his standing and subsequent election“. When I wrote this blog originally, I assumed it was Christopher Graham who was Commissioner, but he did not take over until 2009. ICO trivia fans may remember that Graham was himself once a councillor (for the Liberal Party) and a twice-unsuccessful parliamentary candidate – one wonders if he knew about Ganotis’ status, and if he did not, why nobody told him.

Anyone who has political beliefs or leanings and works in local or central government knows the awkward but vital requirement to set those beliefs aside and act neutrally in the public interest. As a Labour voter in every election since 1992, I have done it myself. It is not easy, but you don’t need to be a saint to achieve it. I cast no doubt on Mr Ganotis’ personal integrity, or ability to do the same. But anyone who thinks that’s the point just needs to Google the title of this blog.

Mr Ganotis has signed hundreds of FOI decision notices on behalf of the Information Commissioner, exercising the Commissioner’s statutory powers. Those notices include  councils across the UK, and government departments run by ministers who, in his other role, Mr Ganotis publicly opposes, and he has been doing so for years. The ICO disclosed to me a spreadsheet of the cases that Ganotis’ team has dealt with since January 2014 (records before that are routinely destroyed). A quick glance at the organisations concerned give a flavour of the issues that pass across the team’s desk in just one month. In July 2016, I can see the Labour Party (8 times), Momentum, Saving Labour, and Progress. It is hard to imagine any team would be more steeped in politics and arguments about political activity than this one, and the (former) Information Commissioner decided that a professional politician was the right person to manage it.

Over the past few years, the Labour Party has carried out its obnoxious and unfair purge, struggled with allegations of member data misuse on all sides (Corbyn, Momentum and Owen Smith), and demonstrated the traditional party blindness to PECR. I have myself blogged sorrowfully but repeatedly about Labour’s Data Protection and privacy woes for several years. In all of that time, only David Lammy’s doomed automated calls have faced any enforcement action (and he wasn’t even an official Labour candidate in the election concerned). To be clear, I have no evidence of any influence being brought to bear on this. But, as the ICO’s own policy states explicitly, “the organisation does seek to ensure that the potential for conflicts of interest is minimised as is the possibility of the ICO being accused of being politically biased“. In this, Mr Ganotis, his line manager and the former Commissioner have failed, and failed spectacularly. How can anyone in politics have confidence in the ICO’s decisions?

Any FOI decision notice involving a council or a government department signed by Mr Ganotis could be tainted, and there are hundreds of them. The ICO’s failure to take action against the Labour Party for a consistently terrible approach to Data Protection and privacy issues is no longer just over-caution, but potentially something far more objectionable. Every case Mr Ganotis has been involved in could be perfect, but the ICO cannot guarantee this with a straight face; their own policy recognises the problem of perception, but their practice is blind to it. They could have moved Ganotis at any point since 2008 to another job of equal standing, and the problem would have evaporated. He is still in place.

That Mr Ganotis could not see that continuing to manage a team responsible for complaints about political parties and councils was incompatible with his role first as councillor and then as Council Leader raises a question about his judgement. That the ICO’s management was either unwilling or incapable of identifying and remedying the potential conflict of interest is a matter of serious public concern.

I have spent a decade and a half criticising, satirising and annoying the ICO in the hope that for no other reason than to spite me, they will become a more effective, more enthusiastic regulator of Data Protection. But this is too much. This is a genuine failure of governance. It could pollute a host of formal decisions (and indecisions) stretching back for years. It has to be dealt with.

I don’t understand how Mr Ganotis could ever sensibly manage the team responsible for political parties and enjoy the confidence of the public. Richard Thomas and Chris Graham should have stopped it, and I hope that the new Commissioner will ask questions about how her managers and Human Resources team could allow such a shocking situation to occur. But if all this isn’t put right, if this bizarre conflict of interest continues acknowledged but unaddressed, we should all look very closely at every decision that emerges from Wilmslow with a more sceptical eye than even I thought possible.

Brand new key

Parents at schools in Suffolk recently received an interesting piece of correspondence about an exciting initiative called ‘Suffolk SAFEKey‘, offered by Suffolk Police. For as little as £1 a month, subscribers to the service receive a special key fob with a reference number on it. Once registered, if the keys are lost, the person can use the reference number to contact Suffolk Police’s commercial partner (Keycare Limited) to get keys and owner reunited, incentivised by a £10 reward.

Alerted to this by a concerned citizen, I made an FOI request to Suffolk Police to find out more about the scheme, the arrangement with Keycare Limited, and how the email came to be sent. Suffolk Police told me that they contacted all 18 secondary schools in the county (by phone, so I don’t know how the request was couched), and of those, 8 forwarded the invitation to join SAFEKey to all parents. The force were unhelpfully vague about who else had been approached. I asked who they had contacted, and their answer conflated those they approached and those they claim had approached them. This means I know that those involved are charities (Suffolk Community Foundation / Age UK), “advocacy groups” (whatever that means), Neighbourhood Watch, the University of Suffolk and “lunch clubs and other such groups”, but I don’t know who contacted who.

On one issue, Suffolk Police were admirably clear. I asked them how they had obtained consent to send the email. This was their reply:

The parentmail service is not controlled by the Constabulary and the information provided is not personal data and as such, there is no requirement for us to obtain consent from those third party recipients.

Regulation 22 of the Privacy and Electronic Communications Regulations 2003 (AKA PECR)  applies to emails and texts, and it is remarkably unambiguous, despite all the dodgy marketers and list brokers who purport not to understand it.

a person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender

Suffolk Police instigated the sending of the email to parents by making an unsolicited approach to schools, asking them to send it. The email would not have been sent unless they had asked for it to be sent. Regulation 22 does not require them to be the sender. Should there be any doubt about this, the ICO asked Better Together to sign an undertaking following their misbegotten texts during the Scottish Independence campaign. Better Together used an agency – they never held the data and they didn’t send the texts. This is exactly the same situation. There are only two ways that marketing emails could be sent in this way: either parents would have to give consent direct to Suffolk Police, or give consent to the school to receive marketing from the force. This second possibility is one the ICO is keen to play down, as their Direct Marketing Guidance makes clear:

Indirect consent may therefore be valid if that organisation was specifically named. But if the consent was more general (eg marketing ‘from selected third parties’) this will not demonstrate valid consent to marketing calls, texts or emails.

Of course, as the senders of the emails, the schools have also breached PECR. And taking it one stage further, you could argue that Suffolk Police have also breached the Data Protection Act by processing personal data unfairly and unlawfully. If they don’t have a data processor contract with the schools, they may even have breached the seventh principle.

Many public bodies and charities struggle with PECR because they perceive ‘marketing’ as a purely commercial activity. This means that they think the messages they send are somehow not marketing, and are surprised when PECR bites. Suffolk Police can be under no such illusion. SAFEKey is not a policing activity, it is a wholly commercial venture, with the income split 50/50 between the force and Keycare Ltd. Moreover, there is an argument that the force is exploiting its position as a law enforcement body to promote its commercial activities – it’s unlikely that secondary schools would forward information about double glazing or PPI. The force might want this to seem like an aspect of their crime prevention work, but it isn’t – it’s a purely commercial venture. No public body, but especially not the police, should exploit their position as partners with other, smaller public bodies to plug their commercial activities.

There are other concerns. The force didn’t carry out a Privacy Impact Assessment before launching the SAFEKey scheme, which is surprising, as the project involves the force gathering personal data it does not need to carry out its legal functions, purely for the purpose of a commercial venture, using a variety of unrelated bodies as a conduit for the data and transmitting it to a commercial partner. At the very least, you would expect them to consider the risks. Moreover, although the extract I received from the contract between Keycare and Suffolk Police does make it clear that Keycare cannot use or share the personal data they receive for their own purposes, the security demands made by the police are relentlessly generic.

I don’t think the police should exploit the significant position of trust they enjoy to flog commercial services at all. But even if you disagree, there can be no question than when they do, the police should at all times obey the law. They haven’t done so here, and the ICO should investigate. As I did not receive one of the emails, they would ignore any complaint that I made, but they should intervene to make clear to all public bodies how PECR works.

 

What do they know?

A few months ago, a dispute arose between the popular / reviled* FOI request website What Do They Know and a landlord in Bournemouth, after his address was inadvertently included in an FOI response. The landlord asked for his address to be removed, and What Do They Know refused. WDTK volunteer Richard Taylor described all this on the site, drawing attention to the fact that the address was still there. I can see no evidence that WDTK informed the landlord that they would publicise the fact that he had complained; my guess is that they did not.

The landlord complained to the ICO. Replying to the ICO on behalf of the charity, Taylor claimed that there was a legitimate interest in continued publication, but hedged his bets by stating that WDTK was exempt under DP’s S32 journalistic purposes exemption. The ICO rejected both arguments and asked WDTK to remove the original spreadsheet. Again, Taylor wrote in detail about this on the site, revealing in the process that the landlord had complained to the ICO. It’s worth noting that the ICO never reveals the identity of those who make complaints to it, and I can find no evidence that the complaint was made public anywhere else. None of my correspondence with the charity has revealed any.

A similar issue arose last year. Another council published the name of a Unison official (apparently in error) and What Do They Know refused to take it down. Again, Taylor revealed the fact that the individual had complained to the ICO, although on this occasion the ICO chose to take no action. Taylor also researched the complainant and published information about his wife on the WDTK page. Though the information Taylor gathered was clearly in the public domain, at best, it suggests an unsympathetic attitude to those who raise concerns when their data gets published on the site.

The first Data Protection principle requires Data Controllers to process data fairly, lawfully and according to a set of conditions. In this case, the data controller is UK Citizens Online Democracy, the charity which runs My Society. Data Protection requires that people must be told how their data will be used, while the only condition available to What Do They Know is legitimate interest, which must be balanced against any prejudice to the rights and freedoms of data subjects. If you complain to What Do They Know, or to the ICO about What Do They Know, they’ll make this public and a volunteer may research your family relationships and publish that too. As Taylor’s comments are always couched in terms of ‘we’ and ‘us’, I believe that that this approach is endorsed by the charity as a whole. This blows the legitimate interest argument out of the water: if a person cannot complain to either What Do They Know or the ICO without the matter being published by What Do They Know, there is clearly prejudice to their rights and freedoms.

The doomed use of S32 piqued my interest, so last month I asked What Do They Know for copies of: “any procedures or guidance available to control how personal data is obtained and published by My Society in the context of the What Do They Know website”. Of course, the charity isn’t covered by the Freedom of Information Act, but for an organisation whose public commitment to FOI and transparency verges on the obsessive, it’s not unreasonable to ask them to apply FOI standards to themselves. A month later, I received a reply:

“Personal data generally comes from users and public bodies and the site, and emails sent by it, contain lots of warnings when material is to be published online. We do our best to ensure our users, including those responding to requests at public bodies, are fully aware of what we do with the information we obtain.

NB: if you’re writing a blog post, please note how we write mySociety.”

That’s right – they didn’t give me the guidance, but Heaven Forbid I get the branding wrong. I persisted, pointing out they’d dodged the request for procedures in favour of a vague narrative answer. This time, I received a reply from Mark Cridge, the Chief Executive, setting out the decision-making process for What Do They Know (there was an opportunity for him to distance the charity from Taylor’s actions here, and he didn’t take it). On the specific request for procedures, despite the fact I’d pointed out that my request had been sidestepped, this was his reply:

We also have policies on our private internal wiki, which volunteers can refer to which provide more detailed guidance on our established policies, specific data protection guidance and key learnings from our experience of running the service for the past eight years

But he didn’t provide them, though this was what I had asked for twice. Yes, the charity is not covered by FOI and can do what it likes when annoying people like me ask them questions. No, this approach is not consistent with the values of an FOI campaigning organisation. In any case, it doesn’t matter, because I already know what the Private Wiki says about Personal Data:

Personal data in general

  1. We only consider takedown requests when we get them. We don’t pre- or post-moderate the site.
  2. The source of personal data is irrelevant, whether it is inadvertent, leaked with intent, or from someone who later develops “Google remorse”. The source of complaint/takedown request is also irrelevant, whether it comes from the data subject or a third party.
  3. Our responsibilities are therefore about deciding whether to continue to publishing or not, in line with our obligations as Data Processors, when a complaint about personal data drawn to our attention, i.e. on a case-by-case basis
  4. We have DPA Section 32 on our side, so we look at the PCC code and weigh up the public interest

The guidance proves that Taylor’s use of S32 isn’t just a randomly clutched straw. S32 is an immense exemption – it removes more or less every Data Protection requirement except security. The fact that it doesn’t apply to What Do They Know (and we know that this is the ICO’s position) isn’t the only problem. The reference to What Do They Know being ‘Data Processors’ is even more stupid. Data Processors have no data protection responsibilities – they are merely agents of someone else. There are two problems here. First, it’s impossible for the charity to be simultaneously a data controller using S32 and a data processor – they’re either one or the other. Second, the subtext of both positions is that the operation of What Do They Know exists in a vacuum – whether it’s because they’re journalists or data processors, they’re not answerable for DP issues.

The absurdity of the charity thinking it’s a data processor is plain as soon as you try to work out on whose behalf they would be operating. They’re definitely not data processors for the public authorities, who have no option but to send data to the website. It’s equally ridiculous for the charity to think that they’re Data Processors for the applicants. If this was true, UKCOD wouldn’t be allowed to remove material from requests without the applicants’ permission, applicants would be the ones dealing with the ICO over complaints, and every What Do They Know user would need a binding legal contract with the charity, or find themselves in breach of the Data Protection Act’s seventh principle.

Guidance like this could easily create a sense of immunity and entitlement – whatever happens, we’re not covered. Worse that that, the volunteer who seems to take the lead on Data Protection issues is Taylor, an anti-privacy zealot who films people without their permission, without properly identifying himself and publishing the results despite their explicit requests for him not to. When I contacted him about this intrusive behaviour earlier this year, he justified his antics with similarly vague S32 arguments. He also compared himself to Channel 4 News and Roger Cook, although I don’t think they ever stood in the rain filming a meeting through a window despite being invited inside. He also told me that he didn’t need to provide a Data Protection notification for his website because he claims the ICO says that ‘personal websites’ are exempt. They’re not, and the ICO doesn’t say so. I can’t prove that Taylor wrote the WDTK guidance, but I think it’s a safe assumption.

Whenever I write a blog like this about people who perceive themselves to be doing the right thing for the right reasons, one of the criticisms that is thrown back at me is that I am being deliberately negative. Why can’t I offer something constructive? Indeed, the last time I criticised What Do They Know, this is exactly what the former Director of My Society Tom Steinberg said. I did write a blog with some helpful suggestions of how What Do They Know could be improved, but none of my suggestions were taken up. This time around, I put my money where my mouth is. Last year, long before I corresponded with UKCOD or Taylor about these matters, I offered free Data Protection training to the volunteers at a time and venue of their convenience. I didn’t want any PR; indeed, I would have asked them to keep it a secret. Of course, I am not a cheerleader for What Do They Know – I think it can be an unhelpfully ideological enterprise, sometimes showcasing the worst aspects of FOI – but the offer was genuine and it fell by the wayside for reasons that were never explained.

So here we are. Cridge told me that the policies and procedures he didn’t want to show me will be reviewed, but how long has the above-quoted nonsense held sway? A What Do They Know volunteers can shame complainants and dig into their backgrounds, while the organisation fails to be transparent over its flawed guidance. Of course, I didn’t tell anyone at What Do They Know that I knew what the guidance said, but if transparency is such an unalloyed positive, why couldn’t I prise it out of them?

It’s impossible to blame UKCOD for the fact that public authorities sometimes inadvertently disclose information in response to FOI requests. It would be unacceptable if data was accidentally sent to a single applicant. Nevertheless, What Do They Know magnifies the problem by publishing all responses and failing to moderate what goes onto the site. I’m not convinced Richard Taylor is qualified to be involved in complex decisions about the publication or removal of personal data on behalf of a charity. I certainly don’t have confidence in a system based on wildly illogical guidance, and which allows volunteers to publish information about complainants and research their backgrounds. Complainants must be treated with respect, even if their complaints fail.

UKCOD’s management and trustees cannot hide behind the volunteer nature of What Do They Know – the website is not a naturally occurring phenomenon, and it needs to be managed and controlled. They created it, they run it, knowing that they lack the resources to proactively moderate it. In the light of this, if it is in the public interest for FOI requests to be broadcast, exactly the same approach should be taken for how What Do They Know is run.

 

(*delete as appropriate)


 

Labour pains

Saving Labour is a new organisation dedicated to replacing Jeremy Corbyn as leader of the Labour Party. It may quickly need to be saved from itself. An extract from a document that appears to be from Saving Labour is being circulated on Twitter by Corbyn supporters, annoyed about what it contains. The documents contains advice on how to obtain personal data of lapsed members who are likely to be anti-Corbyn because they left the party when around the time he became leader. The document then advocates contacting them for support.

Two things: I do not know the provenance of the document, and the allegation that it comes from Saving Labour or Progress may be untrue. This may be the work of a rogue individual, and so Saving Labour may not be responsible. If this is the case, they should make this clear, urgently and ensure that data is not obtained or processed in their name.

Second thing: I am a member of the Labour Party, and I do not support Jeremy Corbyn. I’m not even one of those ‘Corbyn can’t win’ people; if he could win, I wouldn’t want him to. Nevertheless, there is a strong likelihood that the Data Protection Act is being breached, and I think this needs to be addressed.

If Saving Labour (or rogue individuals) are attempting to recruit Labour members back into Labour, then the processing of data is likely to be a breach of Data Protection’s fairness requirements. If Saving Labour are trying to recruit members to Saving Labour’s mailing list or retaining data for its purposes, it’s potentially a lot worse. The most important thing here is that Saving Labour is not a faction of Labour; it is a separate Data Controller with its own Data Protection notification. If Saving Labour are obtaining data or getting others to obtain it on their behalf and for their purposes without Labour’s knowledge, it’s at least a civil breach of Data Protection.

Section 55 of the Data Protection Act makes it a criminal offence to obtain, disclose or procure the disclosure of personal data without the authorisation of the Data Controller. It’s not a criminal offence to obtain and disclose personal data without consent. The crucial element of S55 is the procuring or disclosing personal data without the authorisation of the Data Controller. The Data Controller isn’t an individual person (a common misconception) but it is the organisation as a whole. Nevertheless, if an individual who is clearly entitled to make decisions on the organisation’s behalf approved the disclosure, it’s not a criminal offence. If this data is being obtained and processing on behalf of  Saving Labour, there are specific defences that can be used, but these should be tested.

Of course, if the data has been obtained without Saving Labour’s knowledge and is being used for purposes that have not be authorised by the Labour Party, the individuals responsible for harvesting and processing the data could themselves be potentially in the frame for S55 offence, rather than Saving Labour.

Even if a senior Labour Party official gave explicit approval for someone to harvest personal data and use it, the likelihood of a Data Protection breach is still high. Unless the Labour Party told members that that their data would be shared with another organisation or processed after their membership had lapsed for marketing purposes, then the disclosure / processing would be a breach of the First Data Protection principle, which requires all processing of personal data to be fair. The chief element of fairness is that the person is told about how their data will be processed.

Though it’s possible that Labour told members that their information might be passed to affiliated organisations (which is relevant if Saving Labour receive the information or it is used on their behalf), it’s exceptionally unlikely that Labour would told members that their data would be processed after their membership had lapsed. Regardless of whether Saving Labour receive the data, processing it after the membership has lapsed is likely to breach the First principle unless Labour can demonstrate that members were told explicitly.

Of course, if Labour approved this, then Saving Labour could be considered to be a Data Processor carrying out a recruitment drive on the party’s behalf. If this is the case, unless Saving Labour is covered by a legally binding contract, this is a breach of the Seventh Principle.

It doesn’t end there. The document encourages MPs and councillors to “call” lapsed members to encourage them to join. As I blogged only yesterday, every part of the Data Protection system has made clear that calls made for the purposes of political campaigning are marketing – so if the callers do not screen any telephone numbers against the Telephone Preference Service, it would be a breach of the Privacy and Electronic Communications Regulations. If they send emails or texts without explicit consent from the person, it would be a breach of PECR. It’s extremely hard to imagine that any consent given to the Labour Party could survive a lapsed membership, and Saving Labour would not have that consent in the first place. Let me emphasise for new readers: there is no political exemption from PECR, there is no ‘we can call our members / ex-members’ exemption.

The ICO has already shown itself willing to enforce on political campaigning by issuing Enforcement Notices in the last decade against the SNP, the Labour Party, the Conservatives and the Liberal Democrats, and by issuing a monetary penalty for unsolicited texts against Leave.EU a few months ago, Last year, I blogged wearily about Labour’s idiotic and unfair purge of registered supporters. I and others have constantly pointed out their terrible marketing practices. And here we are again; another mess, another possible misuse of data, and at some point, the ICO dragged into it all over again to sort out another family dispute.

 

Follow

Get every new post delivered to your Inbox.

Join 1,892 other followers