An impossible thing before breakfast

The Information Commissioner, Christopher Graham, made one of his occasional appearances on BBC Radio 4’s Today programme this morning. He was there to talk about the Daily Mail’s blistering investigation into the call centres used by charities to raise money over the phone, often with high-pressure sales tactics and abundant breaches of PECR. As regular blog readers will know, I have always been a fan of Mr Graham personally on the basis that he is not his predecessor, but it was painful listening.

There was the obligatory yet pointless literary reference (Alice in Wonderland), some generalities about investigating and getting to the bottom of things and, as is often the case with Mr Graham, an attempt to steer the story to something else. The trade in personal data is a massive concern but it is not what he was on the programme to talk about. It wasn’t hard to detect an element of squeamishness about the issue because it involves charities. Even though I would normally defend the ICO’s record on PECR breaches, I am certain that nothing will happen as a result of the Mail’s revelations because the ICO doesn’t have the guts to enforce the law on charities, no matter how badly behaved they might be.

As an FOI request revealed a few years ago, Mr Graham appears to be a stickler for the proper use of language: he went as far as to make his ‘Most Hated’ list available to his staff, although a subsequent FOI response rather confusingly claimed that the information was not held. Whatever his literary standards might be, Graham’s comments about PECR and consent showed that he doesn’t care much for getting the law right.

The worst mistake was when Graham claimed that where an organisation has an “established relationship” with a person, they have a “right” to call them. There is a very widespread misconception across a number of sectors, charities among them, that a customer or donor relationship trumps the TPS requirements. It doesn’t. There is nothing about this in PECR; the text says:

Where a subscriber who has caused a number allocated to a line of his to be listed in the register kept under regulation 26 has notified a caller that he does not, for the time being, object to such calls being made on that line by that caller, such calls may be made by that caller on that line, notwithstanding that the number allocated to that line is listed in the said register

The subscriber (the person being called) has to “notify” the caller that they do not object. You can’t do this by implication, or because you have given a donation. As the Information Commissioner’s Direct Marketing guidance states, “This needs to be a positive step to express their wishes”. There is an argument that it doesn’t matter what the Commissioner says on the radio; what matters is what the law says. However, Graham’s words are a gift to every charity and double-glazing company – we have an “established relationship”, so we can call them. To describe the companies as having a ‘right’ to call people on the TPS because of an “established relationship” is an unforgivably sloppy use of language, and vulnerable people may pay the price for Mr Graham’s inattention to detail.

The other mistake Graham made was almost as serious, although to be fair to him, he made up some ground with subsequent comments. Senior people in the ICO have a habit of talking about consent being obtained through endless terms and conditions. His statement today was “we don’t realise we’re giving consent”. This is a completely false understanding of how consent works. Think of what the Data Protection Directive says: consent should be a freely given, informed and specific indication of the subject’s wishes. Look at what the ICO’s own guidance says (I wonder if Mr Graham has):

“the person must understand what they are consenting to… Including information in a dense privacy policy or hidden in ‘small print’ which is hard to find or difficult to understand, or rarely read will not be enough to establish informed consent”.

Mr Graham did go on to question whether such consent was ‘valid’, clearly indicating the possibility that it might not be. But some of the damage was done. Misunderstandings about consent are everywhere, and the uncertainty is ruthlessly exploited. I’ve even seen a Twitter conversation where a high-profile and respected privacy lawyer said “consent can technically be “obtained” even when people are unaware”. This is nonsense, but it is popular nonsense among organisations that want to breach PECR and the DPA.

Data Protection law can be subtle and flexible. Especially if you’re being quizzed by the permanently bewildered self-parody of John Humphrys that presides over the Today programme, it might be tricky to get the detail right. However, PECR is not subtle: it is made up of rules. The ICO has explained clearly in its guidance how those rules work. If there is a point to having a figurehead like the Commissioner, it should be that they can confidently and accurately explain the law, especially when the office’s position is actually clear. Unlike his predecessor, Christopher Graham will rightly be remembered for taking action at least some of the time. The problem with his comments today is that he may do more harm than good.

Comments

  1. Disapproving charity DPO says:

    I’ve had the “relationship does not trump TPS” argument many times but it always comes down to a business cost/benefit decision – unless all charities implement true PECR compliance at once, any single one that is more diligent will suffer by losing out on the limited pot of voluntary income out there. Only big CMPs can break this deadlock.

    • I agree, but I don’t see the ICO ever issuing a significant penalty against a charity, no matter how flagrant the breach.

      • They issued one of their highest ever DPA penalties to the charity BPAS.

      • Technically yes, BPAS is a charity, although the majority of what it does is paid for not out of donations from the public, but from work paid for by the NHS. I doubt many people are aware that it is a charity.

        But to take into account your entirely correct observation that in no way misses the point of what I was trying to say, allow me to rephrase my comment. The ICO lacks the confidence to issue monetary penalties against large, popular charities working on cancer or other serious diseases, the elderly and dementia, overseas aid and development. They do this because avoiding criticism and controversial decisions is – always has been, and always will be – more important to them corporately than enforcing the laws that they exist to enforce. They would rather not do their job than get a bad headline.

        Fascinated to know whether you agree with this.

  2. No, I don’t agree they wouldn’t have ‘the guts’ to enforce against hugely popular organisations who do much admired work to combat dementia, cancer etc. Otherwise they wouldn’t have issued 3 of the 5 highest penalties to NHS Trusts, at least one of whom predictably publicly announced how many chemotherapy treatments the CMP equated to.

    The other 2 were to a charity and a large private sector organisation, both sectors you also believe they are frightened to take on.

    • I don’t think “much admired work” should be a get out of jail free card for enforcement, though I am sure it will prove to be here. Can you tell me what percentage of the ICO’s Data Protection Civil Monetary Penalties have been against private sector organisations?

      • I don’t know the exact figures – certainly a minority, probably a significant minority. Equally, the % of overall CMPs will probably be weighted towards the private sector.

        Returning to my point:

        1. Despite your comments to the contrary, the ICO have already proven they will take significant action against a charity (however ‘technical’ you personally consider BPAS to be)
        2. They have also proven they will take action against popular organisations and forces for good, such as the NHS.

        The latter point is noteworthy because this very issue was raised by fellow blogger Jon Baines, who I recall queried whether the ICO would have the appetite for such unpopular action when CMPs were first introduced.

      • If I had mentioned the NHS, I would understand why you did. If you think that charities and the NHS are a force for good in DP and PECR, you are delusional.

        The figures for Data Protection CMPs are (as far as I can see) these: Charities 4% (2), Private Sector 18% (10), and public sector 78% (42). Three of the private sector are small businesses, with each fine less than £10000, and totalling less than £20000. No public sector fine was less than £60,000. The overall (PECR + DP) figures are irrelevant because the public sector does not, in the main, do electronic marketing, so PECR is inevitably skewed towards the private. If the ICO did not do private sector PECR CMPs, it would not do PECR CMPs. But while we are on the subject, there have been no PECR CMPs on charities, large companies, financial services institutions, betting companies or other high profile organisations with questionable PECR records.

        The ICO’s DPA enforcement strategy is skewed towards self-reported security breaches which the public sector slavishly and dutifully go along with, while the private sector do not. The ICO has acknowledged on a number of occasions the problems it has with the private sector not reporting incidents, but does nothing to rectify the problem. It just carries on. The ICO prefers (overwhelmingly) to target the public sector because they plead guilty and pay up. I’m sure Wilmslow is touched by your loyalty, but the few outliers and some pedantry don’t hide the fact that for DP, the ICO is predominantly a regulator of public sector security and surveillance. Furthermore, I will happily donate £100 to a charity of your choosing if any of the charities named in the Daily Mail’s article today receive a CMP under PECR or DP. Nothing would make me happier than to be proved wrong.

  3. I’ve not said they are a force for good in DP/PECR, and nor do I think that.

    Your initial comment was around the apparent lack of enforcement against charities. I stated there was previous form against charities and you creatively retorted that it wasn’t a well known/supported charity, i.e. one with public support because of its lack of funding and popularity. It appears you went from saying the ICO wouldn’t enforce against charities to they wouldn’t enforce against popular organisations. Apologies if I didn’t make it clear but that’s why the NHS became involved.

    Fundamentally, (if I’ve understood correctly?) you believe the ICO won’t take action against popular organisations – I think otherwise. I’ve said why, which is based on evidence, although I also have personal anecdotal reasons. I await your comments on the Jon Baines blog that I’ve referenced.

    We could discuss the ICO’s wider enforcement strategy all day. I certainly agree with some of your observations, but we will have to disagree if you think they won’t enforce against charities because of lack of ‘guts’, because I think they will. And have.

    As an aside, I would certainly be interested to hear of a handful of examples of breaches of the DPA/PECR that you think the ICO should/could have taken CMP action for. I’d certainly be willing to reconsider my position if such examples were forthcoming.

    • You haven’t understood me correctly. I said the ICO will not take action against charities, and admittedly I was speaking in the context of the charities mentioned in the Daily Mail article. The ICO has only issued CMPs against two charities which are almost exclusively funded by the public sector. I’m not sure how this undermines my argument that ICO goes after the public sector, especially as 78% of their action proves my case, but feel free to disagree with me. I didn’t mention popularity in itself, I said the ICO would be gutless in the face of popular charities. I stand by that. The only thing that will prove me wrong is the ICO issuing CMPs against popular charities. It won’t happen, but please come back to gloat / nominate your charity in the meantime.

      I’m not going to reel off a list of examples of where the ICO should have taken action because 1) there are too many and 2) I’m not trying to convince you of anything. I don’t care whether you agree with me or not. I don’t want you to agree with me. If I thought you agreed with something I wrote, I might delete it.

      Finally, I don’t have to reconcile anything with a blog Jon Baines wrote about the NHS years ago because a) it’s not relevant to what I am saying and b) I am not Jon Baines.

  4. Comments are closed. Ain’t I a stinker?
