Zero Gravity

In March, I received an unsolicited email from a company called Gravicus. It was scaremongering nonsense, touting their data management software via the threat of director liability for data breaches. So far, so what: I get a lot of spammy junk from GDPR people to my 2040 Training email address, but this was to a personal Gmail address that I don’t give out all that often. The email claimed that it had been sent to me because I was “registered on Leadiro”, who I have never heard of. Under PECR, email sent to an address for which I am an individual subscriber can only be sent with consent (or soft opt-in), and given that I had heard of neither Gravicus or Leadiro before the email arrived, they had neither.

I contacted Gravicus to make a subject access request on 20th March, asking how they had obtained my data, what Leadiro had told them and for any other personal data about me that they held. Separately, I contacted Leadiro and asked them why they were selling my data. Leadiro got back to me, and confirmed that they had not supplied my data to Gravicus.

Having had no reply from Gravicus beyond an automated acknowledgement, I emailed them again on April 2nd, asking for confirmation that my request was being dealt with, and also passing on what Leadiro said. A week went by with no acknowledgement, so I wrote to the company’s registered office address and business address, chasing them up.

Gravicus finally reacted on 16th April via a letter from their lawyers, Keystone Law. Keystone admitted on behalf of their clients that the Leadiro story was false, and that my data had been harvested from the “business oriented and professional website” LinkedIn. I apparently connected “voluntarily” with a named Gravicus consultant, who then exported her connections to obtain contact details of “relevant professionals in the sector”. Nearly a month into my request, Gravicus wanted a copy of my passport and utility bill, certified by a lawyer, accountant or similar professional, as well as the £10 fee. I paid the £10 and sent an uncertified copy of my passport. The lawyers still demanded the utility bill as proof of my address, despite the fact that Gravicus’ own version of events shows that they would have nothing to compare it to – they have only ever dealt with me via email or Twitter. In any case, Keystone had already named the individual who harvested my address, so if it was wrong to reply to my subject access request without proof of address, why was it right to give me the name of the consultant? I threatened to complain to the Information Commissioner, and they backed down. I have no doubt that Gravicus took this approach to obstruct my request, which when they had already breached PECR and Data Protection isn’t the best way to resolve a problem.

It is a breach of LinkedIn’s terms and conditions to

  • “Disclose information that you do not have the consent to disclose”
  • “Copy, use, disclose or distribute any information obtained from the Services, whether directly or through third parties (such as search engines), without the consent of LinkedIn”
  • “Use, disclose or distribute any data obtained in violation of this policy”

Harvesting and using email addresses from LinkedIn in breach of their terms and conditions, without transparency and a legal basis is a clear breach of Data Protection. Gravicus did not have my consent, and by misrepresenting the source of my data in the email that they sent me, they blew any chance of relying on legitimate interests. Their use of my data was unlawful. Gravicus’ lawyers claimed that the confusion over where my data came from was understandable because Leadiro was one source that they were using. But that isn’t true. The CEO of Leadiro told me explicitly: “Gravicus are not a Leadiro customer, and have never been a Leadiro customer“. Added to that, sending a marketing email to an individual subscriber without consent is a breach of PECR, and Gravicus knew I was an individual subscriber because their records had my address marked as ‘Personal’.

Despite the fact that Gravicus’ original spam email touted data breaches as being the personal responsibility of directors, one of the shabbiest things about their response is the way they sought to throw their consultant under the bus. They named her straight away, and claimed that the company didn’t know that she was harvesting emails from LinkedIn, even though their lawyers continually stressed that I had voluntarily made my email available to her. In other words, you asked for it, but we didn’t know it was happening. I don’t believe this, but it doesn’t matter whose idea it was. The directors are responsible for what their company does, not some consultant who blocks people on Twitter when they ask awkward questions. Instead of dealing with me like a human being, Gravicus lawyered up and tried to obstruct my subject access request with bogus demands for unnecessary personal data, itself an additional breach of DP law.

This might seem like a lot of fuss for a spam email. But look at what Gravicus is selling as a data processor. Their product works like this: “Tell Osprey your data sources, provide your access credentials and it will connect automatically to analyse your data“. As a data processor, they will have access to a huge amount of sensitive and possibly special categories personal data held by their clients. The GDPR states that data controllers “shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject“.

Gravicus harvested my data unlawfully, they gave me false information about where personal data has been obtained from, they demanded excessive personal data when dealing with my subject access request, and they sent me unlawful unsolicited emails in breach of PECR. They claim that they’ve stopped gathering data in this way, but it never should have happened in the first place, and suggests that the directors don’t know what’s going on in their company. In any case, when caught out, they hide behind their lawyers and consultants instead of dealing direct. Any organisation thinking of using them as a data processor should think long and hard about whether Gravicus can offer the kind of guarantees that GDPR requires.

Unambiguously yours

There’s an old joke about a tourist in Ireland asking for directions and getting the reply ‘If I was you, I wouldn’t start from here’. To anyone in the position of wondering whether to contact all of the people on their mailing list to get GDPR-standard consent to send marketing, fund-raising or promotional emails and texts, I can only say this: I wouldn’t start from here.

With apologies to regular readers who already know (there must be six of you by now), the problem comes because most of the people advising on the solution don’t seem to know what the problem is. They think that the General Data Protection Regulation makes a significant change to the nature of consent from what is required now, and so they tell their clients and employers that there is an urgent need to carry out a ‘re-consenting’ exercise. A memo has clearly gone out – a distinguished correspondent has sent me two examples of organisations sending out emails to get consent in the past week, and yesterday, the charity Stonewall used Valentine’s Day as a prompt to beg its supporters to ‘not leave us this way’. It was lovely, and it is probably an admission that Stonewall have been acting unlawfully since at least 2003, if not 1998.

Here’s the problem. The 1995 Data Protection Directive defines consent like this:

any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed

and

the data subject has unambiguously given his consent

If you’re new to this, read those sentences a few times. Think about ‘freely given’. Think about the consent being an ‘indication’, something by which the person ‘signifies’ their ‘agreement’. Think about ‘unambiguously given‘. If you think that this be interpreted as an opt-out, where are your car keys? Consent, according to you, is me taking your car keys and leaving you a legalistic note somewhere that says that unless you tell me not to borrow your car, I can borrow your car. Or because I borrowed it another time and you didn’t object, I can keep borrowing your car until you tell me not to.

This is nonsense. Consent cannot be inferred. It cannot be implied. A badly written opt-out buried in terms and conditions, consent assumed because I made a donation, the fact that you have my email address and you assume that I must have given it to you with my consent for marketing rather than (for example) you bought it from a list broker who launders dodgy data like drug money – none of these examples constitute consent. Consent is consent. You asked and I said yes. We all know what it means and to pretend otherwise is to lie so you can persuade yourself that you can spam people.

Yes, the GDPR adds a couple of things. It requires consent to be ‘demonstrable’. It states explicitly that consent can only be obtained by a ‘statement or by a clear affirmative action’. But if you claim that the absence of the above phrase in the Directive is any help to the opt-out model, you’re lying to yourself. An opt-out is inherently ambiguous, and the directive says that consent cannot be unambiguous. I might have misunderstood the wording (especially if the language was clunky or technical, which it often is), the data may have been obtained for a different purpose and the consent option is buried in terms and conditions, I might just have missed it or forgotten. The Directive is clear.

Jump ahead to the Privacy and Electronic Communications Regulations, based on Directive 2002/58/EC (often known the ePrivacy Directive). The definition of consent comes from the Data Protection Directive, and so if the ePrivacy Directive says you need consent, what you need is unambiguous, freely given, specific and informed consent. The ePrivacy Directive is enacted by the Privacy and Electronic Communications (EC Directive) Regulations 2003, or PECR (which all good people pronounce as ‘Pecker’ and revel in the opportunities that doing so affords them).

PECR makes life even harder for the opt-outers. For emails, PECR says that the recipient must have “previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender“. If you think that a person can ‘notify’ you by not doing something (i.e. not opting-out), once again, where are your car keys?

Surprisingly given all the execrable practice to which the Commissioner happily turns a blind eye, Wilmslow fired a shot across everyone’s bows with three enforcement cases last year. Morrisons and Flybe are to some extent red herrings as they deliberately targeted people who had explicitly opted out of receiving direct marketing, so when the companies emailed them asking them to opt back in, it was plainly bullshit. The Honda case is more interesting, in the sense that Honda ignored everyone who had opted in (because they’d opted in) and everyone who had opted out (naturally). They contacted people where they didn’t know either way, where they held no evidence of consent. Despite the fact that in all three cases, the contact itself wasn’t selling anything, all were sent for marketing purposes, and here, the ICO argued that the organisations didn’t have consent for sending emails for marketing purposes. It’s been argued by idiots that all Honda were trying to do was comply with GDPR, but that’s patently false. They were trying to pack out their marketing list before a perceived change in the law (GDPR) while ignoring another law that was just fine thanks (PECR).

And now we come to the payoff. If Stonewall (and all the others) have consent to send fund-raising emails, they don’t need to ask again. If they don’t have freely given, specific, informed and unambiguous consent, they shouldn’t be sending emails for marketing purposes now, even if the purpose is to ask for consent from people who are happy to give it because the email is inherently unlawful. It wouldn’t be unlawful for Stonewall to write to all of its supporters and ask them for consent, because post isn’t electronic so PECR doesn’t apply. I would say that there is plainly a legitimate interest for them to use post to ask people for permission to send fund-raising and promotional correspondence by email, so there is no GDPR problem.

The problem with a re-consenting exercise is that the organisation is basically admitting to a PECR breach. The problem is exacerbated by doing that re-consenting exercise by email, because as Honda have demonstrated, doing so is in itself a breach of PECR. People complained to the ICO about the Honda emails, which is why they enforced. If you do a re-consenting exercise by email, anyone irritated enough by the request may well complain. Then what?

So what do I think organisations should do in the light of all this? Well, I wouldn’t start from here. But ignoring the law for a moment, this might be a time to be pragmatic. If you send people content that they want and you don’t annoy them (email being less annoying and distracting than phone or text in my opinion), if you have nice big bright unsubscribe buttons, and if YOU RESPECT BLOODY UNSUBSCRIBE REQUESTS (Hello Daily Telegraph), what’s the risk? Why draw attention to yourself?

I am convinced that sending emails to people who haven’t opted-in is unlawful unless you’ve got the soft opt-in (which because it’s predicated on data gathered through a sale, most charities won’t have). But many organisations have been content to do that for years despite it being unlawful now. So what’s actually changing? I think everyone should comply with the law because privacy – the right to be left alone – is a vital foundation for a civilised society. But if you’re sitting on a mailing list and you’re not sure what to do with it, I would forgive you if you took a slower, longer path, taking every natural opportunity to get renewed consent from existing contacts, getting strong unambiguous consent from anyone new, and hoping that churn and natural wastage gets you where you need to be. And if you’re wrestling with this right now and you’ve read this far, good luck and best wishes.

Analyse This

With no small amount of fanfare, the Information Commissioner Elizabeth Denham recently announced a “formal” investigation into the use of data analytics for political purposes. The use of targeted ads in political campaigns – especially those where the Right triumphed – has been much in the headlines, and the ICO clearly feels the need to react. Denham blogged on her website: “this investigation is a high priority for my office in our work to uphold the rights of individuals and ensure that political campaigners and companies providing services to political parties operate within UK law.”. The investigation was greeted with enthusiasm – the journalist Carole Cadwalladr who has made a lot of the running over analytics in the Observer was supportive and the Data Protection activist Paul-Olivier Dehaye hailed it as ‘very important’.

Saying that Facebook is probably abusing privacy rights (and acting as a conduit for the abuse of privacy rights) is a bit like saying that rain is wet. Some of Cadwalladr’s reports have drawn fascinating (if hotly disputed) links between various right-wing vampires like Nigel Farage, Dominic Cummings and Steve Bannon, and draw interesting (and hotly disputed) links between various Brexit campaigns and the tech firm Cambridge Analytica. Other of her stories are lame; a recent article complained that people Cadwalladr doesn’t approve of are outbidding people she does approve of when buying Facebook ads, which isn’t really news.

Worse than that, another article enthusiastically repeated Stephen Kinnock MP’s calls for an investigation into Tory data use, ignoring the fact that on the same day, Labour was hoovering up emails on its website without a privacy policy (which, like the marketing emails they will inevitably send) is a breach of Data Protection. The article makes the false claim that it is illegal to use data about political opinions without consent. Several people (including the chair of the National Association of Data Protection Officers) pointed this out to Cadwalladr, but the article is uncorrected at the time of writing. If you want to write about political parties and campaigns abusing data protection and privacy and you only acknowledge the dodgy things that one side gets up to, your allegations should not be taken too seriously. Politics is a swamp, and everyone is covered in slime. Given Cadwalladr’s shaky understanding of Data Protection law, it’s not hard to believe that her interest in the topic is mainly motivated by politics, and the ICO needs to be careful not to be sucked in.

It’s odd that allegations made to the ICO about data misuse by Owen Smith and Jeremy Corbyn, or candidates for the UNITE leadership have come to nothing, and yet here we have a formal investigation announced with great flourish into an issue that is largely perceived as affecting the right. I’m left-wing myself, but if Denham is going to take action over the political use of personal data, I expect her to be scrupulously even-handed.

However, I doubt very much whether action on this issue will ever happen. Just after the announcement, I made an FOI request to the Commissioner’s office about the nature of the investigation – how many people were involved and where from, what powers the ICO was using to conduct the investigation, and who the most senior person involved was. What I was trying to find out was simple – is this an investigation likely to lead to guidance or enforcement?

Here is what my FOI revealed (questions in bold, ICO answers below)

1) Under what specific powers is the investigation being carried out?

Initial intelligence gathering would fall under the general duties of the Commissioner to promote good practice (section 51) of the DPA. This may lead to use of investigatory powers and enforcement where necessary, under the provisions set out in Part V of the DPA, as well as the CMP powers at section 55A.  The Commissioner also has powers of entry and inspection under schedule 9 of the DPA.

2) How many members of staff are involved in the investigation?

It’s difficult to give an exact number, the ‘group’ involved will need to be established and documented in terms of reference which will be done shortly. At this stage, from the information we hold, we can say that 16 member of staff have been involved and another 4 members of staff are also expected to be involved as the investigation progresses.

3, 4 and 5-
 
What are the job titles of the staff involved?
What is the name of the most senior person involved in the investigation?
Which department and team do these staff belong to?

Senior Policy Officer – Private Sector Engagement
Group Manager – Private Sector Engagement
Policy Officer – Private Sector Engagement
Lead Communications Officer – Communication Planning
Senior Policy Officer – Public Policy and Parliament
Intelligence and Research Officer – Intelligence Team
Team Manager (Intelligence) – Intelligence Team
Lead Intelligence and research Officer – Intelligence Team
Team Manager – Enforcement (PECR) – Investigations
Group Manager (Public Policy & Parliament) – Public Policy and Parliament
Senior Policy Officer (Public Policy & Parliament) – Public Policy and Parliament
Team Manager (Enforcement Team 2) – Enforcement
Team Manager – Communications – Communications Planning
Head of Corporate Affairs – Communications Planning
Group Manager – Public Sector Engagement – Public Sector Engagement

The most senior person is Steve Wood – Head of International Strategy & Intelligence – International & Intelligence Management

*************************************************************************************

What does this tell us?

The main contributors are Engagement (which is presumably the successor to the old Strategic Liaison department whose chief role was holding hands with stakeholders), and policy (whose main contribution to the debate on big data is this endless and almost unreadable discussion paper). The most senior person involved is Steve Wood, who has an academic background. Of the 16 involved, just two are from Enforcement, outnumbered even by the comms staff. Apologists for Wilmslow will leap on that bit that says “This may lead to use of investigatory powers and enforcement where necessary“, but my response to that is an armpit fart. The ICO is starting from the perspective of promoting good practice run by an academic, which is just about the silliest response to this issue that I can think of.

Some areas that the ICO regulates are prime candidates for guidance. The public sector, charities and regulated industries are likely to be influenced by what the ICO says. Other areas – list broking and compensation claims spring to mind – are immune to policy and guidance, but politics is the best example. Politics is about power – if a party, campaign or individual can take power while breaching DP law, they will. It isn’t that they don’t understand the law, it is that they don’t care. No political party or campaign will be influenced by ICO guidance, and to pretend otherwise is childish. All major political parties (Labour, LibDems, SNP, Tory) have received a PECR Enforcement Notice over automated calls, and yet they flout PECR all the time with emails and yet more calls, as anyone who heard from David Lammy knows only too well. Even when the ICO fined Leave.EU during the referendum, the campaign’s reaction (“Whatever”) could not have been more derisive because they could afford to pay the fine. Either the ICO comes into politics using its powers to the maximum possible extent against everyone (£500,000 penalties, or more useful, enforcement notices that are backed up by prosecution), or they should leave the field.

We already know that the outcome of this investigation will be revealed long after the election is over, when anything that the Commissioner says or does will have no effect on the real world. On the evidence of my FOI, I predict there will be no fines, no enforcement notices, no action. There will be a long, thorough and thoughtful report that nobody in politics will pay attention to, and only people like me will read. The first task of the Supervisory Authority under GDPR is to ‘monitor and enforce’. Long ago, when I worked there, the joke went around the ICO that senior officers operated under the mantra ‘thinking is doing’, as an excuse to avoid taking any action. I don’t care if no senior officer ever actually said this – on big strategic issues, the ICO has always laboured under this approach. Denham’s first big splash was to follow through on charity enforcement when the easy choice was to back down. She deserves praise for that decision. However, If there is an international right-wing conspiracy to hijack democracy across the world, I don’t think a thought symposium is going to save us.

Fair Cop

The bedrock of Data Protection is fairness. You cannot gain consent without fairness. Your interests are not legitimate interests if they are secret interests. Unless you have an exemption or you claim that telling the person represents disproportionate effort (i.e. the effort of telling outweighs the actual impact), you have to tell the person whose data you are using the purposes for which their data will be used, and any other information necessary to make the processing fair.

The ICO’s Privacy Notices Code of Practice is not ambiguous, nor was its predecessor. It is impossible to read the ICO’s published guidance on fair processing without taking away the key message, consistently repeated for more than a decade: if something is surprising or objectionable, especially if it involves some kind of impact or sharing outside the organisation, it should be spelt out. New-ish Information Commissioner Elizabeth Denham seems to have chosen to reverse the ICO’s previously timid, unimaginative approach to the first principle with a pair of civil monetary penalties against charities. We have one each for the Royal Society for the Prevention of Cruelty to Animals, and the British Heart Foundation, with the promise of more to come. You might say it was unfortunate that charities are first in line rather than, say, credit reference agencies or list brokers (to be a touch tautological). It was the charity sector’s misfortune to fall under the Daily Mail’s Basilisk gaze, and they have to accept that we are where we are.

To issue a civil monetary penalty, there are three hurdles for the ICO to clear. Firstly, there must be a serious breach. Both charities used commercial companies to profile thousands (and in one case, millions) of donors, buying up data from publicly available sources* to assess their wealth and resources, they shared data with other charities whose identity they did not know via a commercial company, and in the case of the RSPCA, they bought contact details to fill in data that donors had provided. The average donor did not have any idea that this was happening. I can see there’s a problem that when everyone in the charity sector knows that wealth screening goes on, it seems normal. But I’ve been using it as an example on my training courses ever since the Mail revealed it, and bear in mind that these are often seasoned data protection professionals who know about data sharing and disclosure, attendees are invariably shocked and some cases revolted by what I tell them.

There is no doubt in my mind that this processing needed to be spelt out, and there is no doubt from the notices that it was not. Carefully selected third parties or partners has been a stupid lie in marketing for years, but not even knowing where the data goes is much worse than the usual flogging it to all comers. At least the list broker knows who he’s flogging it to, even though the only careful selection is the ability to pay.

The second hurdle is the need to show that the breach is likely to cause damage or distress to the affected data subjects. It’s been known for quite some time that the ICO was planning to take enforcement action over the Mail stories, and the gossip I heard from charities was that fines were likely. I’ll be honest, I wasn’t convinced. The Information Commissioner lost a Data Protection Tribunal appeal from Scottish Borders Council because they bungled the damage / distress element of a £250000 CMP over pension records found in recycling bins. ICO made a flawed claim that the loss of paper pension records was likely to result in identity theft, but Borders had an expert witness who could argue convincingly that this was not true. The link between the breach (the absence of a contract with the company processing the data) and the damage was broken, and the ICO lost.

But this case is different. The ICO does not need to make a link between an incident and a breach, because they are bound up together here. Both notices show that the ICO has given considerable thought to the distress angle. There is no question that the charities breached the first principle, and their only hope for an appeal is to convince the Tribunal that people would not be caused substantial distress by secret profiling and data sharing after an act of generosity. This is not science, and all I can say is that I am persuaded. But for an appeal to be successful, the charities will need to persuade a Tribunal with strong experience and knowledge of DP and PECR from the numerous (and almost exclusively doomed) marketing appeals.

The third element requires the breach to be deliberate or a situation where the charities ought reasonably to have known about the breach. As I have already said, the ICO’s position on fair processing is well known in my sector and available to anyone who can type the ICO’s web address. I think it’s possible that the charities didn’t know what they were doing was a breach, but in my opinion, this is because the Institute of Fundraising and the Fundraising Standards Board effectively acted as a firewall between charities and reality. The advice (often inaccurate and out of date) came from the IoF, and complaints about charities went to the FRSB and no further. When your code of practice is written by the people who earn their living from fundraising and most in your sector are doing the same thing as you are, it’s not hard to fool yourself into thinking it’s OK. But ‘everybody does it’ will cut no ice with the Tribunal. The RSPCA and the BHF are not tiny charities flailing in the dark – they are massive, multi-million pound operations with vastly greater resources than many of my clients.

Daniel Fluskey, head of Policy for the Institute of Fundraising, whose apparent lack of experience or qualifications in Data Protection does not prevent him from writing inaccurate articles for the charity sector on GDPR, has already weighed in, saying that the ICO should be providing the specific wording that charities require: “Charities need more detail on the ICO’s view of what lawful practice looks like: what form of words would have passed the test?” The Information Commissioner is the regulator for every organisation, of every size and shape, that processes personal data. If they start writing tailored wording for charities, they will have to do it for everyone else as well. It is a ridiculous demand. I think the ICO should move on to the data pools, wealth screeners and list brokers, but if she could find the time to issue an enforcement notice on the Institute of Fundraising, forbidding them ever to speak or write on Data Protection matters again, the third sector would have a fighting chance of complying.

Besides, how hard is it to find compliant wording? Nobody – especially not the trade association for fundraisers – should be allowed to present this as a byzantine and complex task. The individual doesn’t need to know what software you’re using, or whether cookies are involved. They need to understand the purpose – what are you collecting, what are you going to do with it, who are you going to give it to? This should be presented without euphemism or waffle, but it’s when you strip out the legalistic nonsense, you see the problem. It isn’t that the poor charities were labouring under the burden of complex data protection rules. They could not comply with the Data Protection Act because what they were doing (and in RSPCA’s case, are apparently still doing) is so unattractive:

  • We will share your details with unspecified charities via a commercial company. We don’t know who they are.
  • We will buy your phone number, postal or email address from a commercial company if you have not given it to us.
  • We will use commercial companies to compile a profile of your wealth and property to work out whether to ask you for further donations. If you are likely to be worth a lot when you die, we will use this information to ask you for a bequest.

When Reactiv Media appealed their PECR penalty, the Tribunal rejected their appeal and increased the penalty. Like a lot of the spammers, they put themselves into administration to avoid paying up, but this option is not available to household name charities. If either the RSPCA or BHF appeal, they are dragging themselves deeper into the mud, and very possibly spending thousands more of donors’ money to do so. If they say that what they did wasn’t a breach, or that they couldn’t have been expected to know that it was, their officers, advice and business model will be scrutinised to a doubtlessly painful extent. The claims management company Quigley and Carter found themselves described as “feckless” and “most unimpressive” in the course of being filleted during a recent failed appeal. Do charities really want that? Even if they decide to roll the dice solely on distress, does either charity really want to acknowledge a serious breach that they knew or ought to have know about in the hope of getting the fine overturned on a technicality? Do they want ICO to call donors as witnesses?

The business model of pressure selling, TPS-busting, heavy texting, data sharing and donor-swapping adopted by some of the UK’s most celebrated charities resembles nothing so much as the activities of the claims management, PPI spammers (i.e. the scum of the earth). For all the noise and bluster on Twitter and in the charity press this week, there is an uncomfortable truth that has to be faced. The hated Daily Mail unearthed it, and the ICO has rightly acted on it. Some big charities have run an end-justifies-the-means approach to marketing and they have got away with it for a decade. Fundraisers ruled the roost, and compliance has been sidelined or ignored. Given how much money the RSPCA and the BHF have raised from fundamentally unlawful practices, they should pull back and rethink how they get donations in the future. They should ignore the Institute of Fundraising’s every word on Data Protection and PECR, and like every other charity, concentrate on reading and applying the ICO’s Code on Privacy Notices and guidance on Direct Marketing.

And right now, if there is a fundraiser sitting with the two CMP notices working out how to at the same time devise a method to raise loads of cash for their cause while complying with Data Protection and PECR, I hope they wipe the floor with everyone else.

*citation needed

Brand new key

Parents at schools in Suffolk recently received an interesting piece of correspondence about an exciting initiative called ‘Suffolk SAFEKey‘, offered by Suffolk Police. For as little as £1 a month, subscribers to the service receive a special key fob with a reference number on it. Once registered, if the keys are lost, the person can use the reference number to contact Suffolk Police’s commercial partner (Keycare Limited) to get keys and owner reunited, incentivised by a £10 reward.

Alerted to this by a concerned citizen, I made an FOI request to Suffolk Police to find out more about the scheme, the arrangement with Keycare Limited, and how the email came to be sent. Suffolk Police told me that they contacted all 18 secondary schools in the county (by phone, so I don’t know how the request was couched), and of those, 8 forwarded the invitation to join SAFEKey to all parents. The force were unhelpfully vague about who else had been approached. I asked who they had contacted, and their answer conflated those they approached and those they claim had approached them. This means I know that those involved are charities (Suffolk Community Foundation / Age UK), “advocacy groups” (whatever that means), Neighbourhood Watch, the University of Suffolk and “lunch clubs and other such groups”, but I don’t know who contacted who.

On one issue, Suffolk Police were admirably clear. I asked them how they had obtained consent to send the email. This was their reply:

The parentmail service is not controlled by the Constabulary and the information provided is not personal data and as such, there is no requirement for us to obtain consent from those third party recipients.

Regulation 22 of the Privacy and Electronic Communications Regulations 2003 (AKA PECR)  applies to emails and texts, and it is remarkably unambiguous, despite all the dodgy marketers and list brokers who purport not to understand it.

a person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender

Suffolk Police instigated the sending of the email to parents by making an unsolicited approach to schools, asking them to send it. The email would not have been sent unless they had asked for it to be sent. Regulation 22 does not require them to be the sender. Should there be any doubt about this, the ICO asked Better Together to sign an undertaking following their misbegotten texts during the Scottish Independence campaign. Better Together used an agency – they never held the data and they didn’t send the texts. This is exactly the same situation. There are only two ways that marketing emails could be sent in this way: either parents would have to give consent direct to Suffolk Police, or give consent to the school to receive marketing from the force. This second possibility is one the ICO is keen to play down, as their Direct Marketing Guidance makes clear:

Indirect consent may therefore be valid if that organisation was specifically named. But if the consent was more general (eg marketing ‘from selected third parties’) this will not demonstrate valid consent to marketing calls, texts or emails.

Of course, as the senders of the emails, the schools have also breached PECR. And taking it one stage further, you could argue that Suffolk Police have also breached the Data Protection Act by processing personal data unfairly and unlawfully. If they don’t have a data processor contract with the schools, they may even have breached the seventh principle.

Many public bodies and charities struggle with PECR because they perceive ‘marketing’ as a purely commercial activity. This means that they think the messages they send are somehow not marketing, and are surprised when PECR bites. Suffolk Police can be under no such illusion. SAFEKey is not a policing activity, it is a wholly commercial venture, with the income split 50/50 between the force and Keycare Ltd. Moreover, there is an argument that the force is exploiting its position as a law enforcement body to promote its commercial activities – it’s unlikely that secondary schools would forward information about double glazing or PPI. The force might want this to seem like an aspect of their crime prevention work, but it isn’t – it’s a purely commercial venture. No public body, but especially not the police, should exploit their position as partners with other, smaller public bodies to plug their commercial activities.

There are other concerns. The force didn’t carry out a Privacy Impact Assessment before launching the SAFEKey scheme, which is surprising, as the project involves the force gathering personal data it does not need to carry out its legal functions, purely for the purpose of a commercial venture, using a variety of unrelated bodies as a conduit for the data and transmitting it to a commercial partner. At the very least, you would expect them to consider the risks. Moreover, although the extract I received from the contract between Keycare and Suffolk Police does make it clear that Keycare cannot use or share the personal data they receive for their own purposes, the security demands made by the police are relentlessly generic.

I don’t think the police should exploit the significant position of trust they enjoy to flog commercial services at all. But even if you disagree, there can be no question than when they do, the police should at all times obey the law. They haven’t done so here, and the ICO should investigate. As I did not receive one of the emails, they would ignore any complaint that I made, but they should intervene to make clear to all public bodies how PECR works.