Culture, Media and Spam

Most of the news and comment I heard about the Queen’s Speech suggested that it was a hole in the air, with the Government wanting to avoid doing anything of any consequence before the resolution of the EU vote in June. It was a surprise, therefore, to see provisions in the proposed Digital Economy Bill that will change the face of direct marketing.

At the moment, the rules for direct marketing are a mixture of Data Protection (for postal marketing) and PECR (for email & texts, live calls, automated calls and fax). PECR breaks down into subsets, with some forms of marketing requiring consent (email & text, automated calls, fax) and some done without consent and with opt-out (live calls, with the ability to opt-out of all calls via the Telephone Preference Service.

But consider this line from the full version of the Queen’s Speech:

Protection for consumers from spam email and nuisance calls by ensuring consent is obtained for direct marketing, and that the Information Commissioner is empowered to impose fines on those who break the rules.

My first reaction to this was that the Department for Culture, Media and Sport were incompetent: PECR already requires consent for email, and the Information Commissioner already has the power to impose fines for breaches of consent. Whatever else, this is still true, and DCMS should explain why they are announcing things that have been in place since 2003 (consent for email) and 2011 (fines) respectively. Nevertheless, it’s impossible to interpret this sentence as meaning anything other than a change in the rules for live calls. It’s not earth-shattering: it’s only lawful to cold-call people who aren’t on TPS and who haven’t directly opted out, which is probably a minority of the overall population. But nevertheless, the proposal as written abolishes the need for the Telephone Preference Service and inverts current practice.

It certainly has the merit of neatness: PECR would make more sense if all electronic direct marketing had to be opt-in. However, it will have consequences far and wide. There are plenty of lead generators and telemarketing companies who still make cold-calls, and they would be dead in the water. I would shed no tears over this (I think the lead generation and list broking industry is fundamentally unlawful, and most of the folk in the call centres would just end up in hopefully less rancid call centres). However, killing off the telemarketing industry is bold.

It will also create an even more stark contrast with the Fundraising Preference Service, which in its current form allows someone to stop all contact with all charities. It’s not even clear whether a person will technically be able to opt-in to individual charities that they do want to hear from if they’re on the FPS. It would be moronic if this situation wasn’t clarified, but people who do moronic things tend to be good at maintaining their standards. Given that the Digital Economy Bill apparently puts all* electronic marketing on an opt-in basis, charities might legitimately argue that the FPS is unnecessary, and they would have a point.

There are other issues. If all email marketing has to be done on the basis on consent, this also presumably kills off the ‘soft opt-in’. The ‘soft opt-in’ allows a company to send email marketing on an opt-out basis, as long as the email address in question has been obtained in the course of a sale, and as long as the products being marketed are their own, and are similar to the one that was originally purchased. Requiring all email marketing to be done on the basis of consent would remove this option (NB: if you think the absence of an opt-out can be interpreted as consent, you are a moron).

Finally, the proposal doesn’t mention texts, hence my * above. Texts are as much of a nuisance for people as live calls or emails, and have been the subject of routine enforcement action by the Information Commissioner since 2011. PECR treats email and text as the same, so it’s entirely possible that the Government are treating them so. It’s equally possible that this is a back of a fag packet proposal to bulk out a weak bill in a thin speech. One indicator that this might be the case is that the Information Commissioner, explicitly mentioned in the proposal, has not reacted to it in any way. There is no press release, and not a single tweet, despite a run of tweets this week about nuisance calls and other PECR related action. One could be forgiven for thinking that they didn’t know about it (I will be doing an FOI to find out).

You might think that spinning 833 words out of a single sentence is overkill, but on the face of it, the proposed change will have a considerable impact. Like me, I hope you will be watching the progress of the Digital Economy Bill with interest.

Red tape

Dark times on the Wirral, as confidential memos about web filtering fly around, suggesting skullduggery on the corridors of Council power. The headlines are remarkable: “Confidential memo tells shocked Wirral councillors their emails are being read by town hall bosses“, which would be quite a thing if it was true. Following the receipt of offensive emails about Hillsborough, the Chief Executive of Wirral Council suggested that the Council could filter the emails out so that councillors would not receive them. The opposition members worked themselves up into a lather, with one, Councillor Chris Blakeley, declaring: “I think it is outrageous that the council should determine which emails we should receive”. Another, Councillor Lesley Rennie opined “My colleagues and I are absolutely appalled that there could have even been a suggestion that emails from the public could be considered for filtering“.

At the risk of starting another barney in the comments, I don’t think the Council was suggesting anything inappropriate. Whatever you think of Wirral Council (feel free not to tell me), I think it’s likely that the Council was simply offering to block offensive emails, rather than making decisions about which emails Councillors receive. The Chief Executive stated that he had received complaints about the emails, so clearly felt that some kind of response was required. As feelings across Merseyside are still understandably raw over Hillsborough, even if the Council response was inelegant, I can see why the offer was made.

However, the Councillors’ reaction and some of the comments on the Wirral Globe’s story (the commenter ‘2040TIM’ sounds like he knows what he’s talking about), raise an interesting question that I suspect many councils and most councillors have not considered. If you are not a Data Protection nerd or a dedicated council watcher, look away now.

Councillors wear up to three hats in the normal course of their activities. As participants in Council Committees and decision-making, they are part of the Council. For Data Protection purposes, they are covered by the Council’s DP notification and any incident or breach involving them would be the Council’s problem. Hat number 2 comes with membership of a political party. They may sometimes receive personal data from their party for campaigning purposes. In this scenario, the party is responsible for Data Protection. The strangest hat is the one they wear as constituency representatives. Here, neither the council nor the party is responsible. The Councillor is a Data Controller in their own right.

Much of the controversy about Councillors and Data Protection revolves around the technical issue of notification (still often called ‘registration’, despite that term belonging to the 1984 Act), and in particular who pays for it. Some councillors notify, some don’t. One Wirral blogger was told by a councillor that notification was ‘a load of tosh‘, which is an odd way for an elected representative to describe a legal requirement. Some councils pay for all of their councillor’s notifications, some don’t. However, despite the fact that numerous councillors across the UK remain without a notification, and despite the fact that the ICO has prosecuted estate agents, bar owners, solicitors and hairdressers for non-notification, no councillor in the UK has ever been prosecuted for non-notification.

The reason for this is probably that by prosecuting an errant elected member, the ICO would be crossing Eric Pickles, the Secretary of State for Communities and Local Government and an opponent of the ‘red tape’ that member notification represents. In 2011, Pickles told Conservative Home that notification for members was a ‘tax on volunteering’. In 2013, he proposed amending the DPA to exempt parish and town councillors from notification altogether (which is a good idea) and allowing councils to make a single payment for all Councillors’ notifications, which is unnecessary given that since the middle of the last decade, the ICO has accepted notification forms for all of a council’s members in one go with a single payment. I know this, because I used to do the notifications for my council’s members.

But this is all a red herring. Notification is an administrative tick-box. Under the 1984 Act, if you processed data electronically, you were covered by the Act and you had to register. If you didn’t process data electronically, you didn’t have to register and you didn’t have to comply. Under the 1998 Act, you have to comply regardless of whether you notify. If you’re exempt from notification, you still have to comply with all other aspects of the 1998 Act. If you refuse to notify, you’re committing an offence, but you still have to comply with all other aspects of the 1998 Act.

Just before Christmas, another Northern Council – Craven Council in the Yorkshire Dales – had a councillor / Data Protection controversy. The Council proposed rolling out iPads to its elected members as part of an upgrade to its IT security. Some councillors objected, and one Independent member was reported as offering “to sign up as his own data handler“, in other words, he was offering to notify as a data controller in order to avoid having the iPad. And so we come to the punchline. The Councillor was already a Data Controller whether he liked it or not. All councillors have to ensure that they are compliant with the DPA for the areas not covered by the Council or their party. Notification – and who pays the £35 – is just about the least significant aspect of this process.

For one thing, Councillors are Data Controllers for any equipment, any email account, any electronic system that they use to communicate with their constituents. The Council is their Data Processor in this context. Buried deep in the back of the Data Protection Act are surprisingly specific requirements for the relationship between a Data Controller and Data Processor – there must be a contract made or evidenced in writing, security guarantees given by the processor (the Council) to the Controller (the Councillor), and a reasonable check that the contract is being complied with. In other words, if the Wirral Councillors up in arms about what may or not be happening to their emails have not obtained a written contract from Wirral, ensuring that Wirral will act only on their instructions when handling their constituency correspondence, the Councillors are in breach of the Data Protection Act. The Council – as a data processor – is not.

It goes further. Councillors should clearly inform their constituents about the way in which their data is used. They should respond to subject access requests. The Wirral Councillors are upset about what they believe is happening to their Wirral.gov.uk email addresses, but many Councillors use Hotmail or Yahoo mail for constituency business, or at the very least have all of their Council emails auto-forwarded to an outside account. This carries both security risks that might breach the 7th DP principle, but also raises the spectre of the 8th Principle, which governs how to transfer information outside the European Economic Area (many web-based email providers use servers outside Europe).

Many senior Council officers and IT and DP specialists will weep at the thought, and I can think of one or two who will give me a smack for bringing it up. But Councils cannot dictate to their Councillors. It is clearly logical for Councillors to use systems and kit provided to them by the Council, but ultimately, they are responsible for a big slice of the data that they use as part of their work and it’s their decision. The Council is a processor, a service provider. Sticking with the robust corporate system is a reasonable idea, but they can work outside of it and if they do, Councillors are wholly responsible for what happens. In the meantime, any Councillor planning to kick up a fuss about emails or iPads or anything else should remember that if something goes wrong, the Council has a get-out-of-jail-free card for non-Council business. Perhaps they should be more shocked about that.

Keep your PECR up (I know, I’m sorry)

The BBC reports that Bournemouth and Poole NHS PCT have got themselves into hot water by calling a member of the public using an external company in order to offer him some health screening as he was in an at-risk group. The PCT were, it seems, attempting to deal with a target imposed on them by the Department of Health. The Trust felt that it was not “practical” for them to get consent in this case.

Given that my only source is the BBC news website, I cannot make any definitive judgement about what went on, although it’s clear that the person concerned managed to convince the Information Commissioner’s Office that the use of his data was unfair. The ICO is quoted as follows: “Individuals should have been informed by the trust that they would be receiving a call inviting them to attend a risk assessment, and that this letter should ideally give them some method for asking not to be contacted”

It’s at this point, however, that I feel entitled to mount my hobby horse and ride it up and down the public highway.

The Information Commissioner’s own definition of direct marketing, found in his guidance on the subject, is ‘the offer for sale of goods or services, or the promotion of an organisation’s aims and ideals’. The rules covering any form of electronic direct marketing (i.e. phone, email, and text) come from the Privacy and Electronic Communications Regulations (usually pronounced ‘Pecker’), not from the Data Protection Act. PECR does not contain any discussion of harm, benefit of legitimate interest – its rules are simple and relatively easy to explain.

Direct marketing cold-calling by phone is legal – unless the person is on the Telephone Preference Service or has told the organisation not to call. Therefore, to make a marketing call, the organisation (in PECR terms, the ‘person’) must screen the numbers they are using against the TPS lists (which they must rent or buy from the TPS itself or a marketing company who has done so). Direct marketing emails and texts are opt-in – you cannot text or email someone without their permission, and the same is true of automated marketing phone calls.  There are some wrinkles – business and personal emails are treated differently – but for direct marketing, that’s about it.

As described in the BBC story, the PCT’s call was a marketing call. They were not calling the person to tell him results, to arrange an appointment for treatment that had already been consented to, to discuss something that was already happening. The PCT’s aims include the hitting of a target for screening of a specific group, and without previous consent, the only possible interpretation of the call is that recruiting people to join the screening is a form of direct marketing. Having worked – briefly and without particular distinction – in the NHS and having had this argument several times, I know that few health staff would agree with me. Indeed, when looking at this issue many in the public sector have the same problem – if a message is clearly of benefit to the recipient, how can we not be allowed to do it?

Although some in the private sector find ways around PECR or ignore it altogether, I have never spoken to a private sector person who didn’t see how the regulations applied to what they do. Public sector, voluntary and charity organisations are obsessed with the value or justification of their message. Labour, the Lib-Dems, the Conservatives and the Scottish Nationalists have all received enforcement notices under PECR for their use of automated marketing calls – the Scottish Nationalists perhaps personified the wider misunderstanding of how PECR works but claiming that being prevented from using automated calls of Sir Sean Connery was a breach of their human rights. It’s not. I have a right not be bothered by what you think I should be interested in, whoever you are. And PECR gives me that.

PECR is a single-minded law in this respect, caring only about the content of the message. If your call, your email, your text is designed to sell, promote, persuade or influence – it’s direct marketing. If you want to change behaviour, get people to make better choices, or even tell them something that will change or save their lives, PECR doesn’t care. Even if you don’t know who the recipient is, that’s irrelevant – this isn’t Data Protection.

Of course, the BBC coverage doesn’t mention PECR and screening against the TPS, which implies that some people in the ICO don’t know what their own position on PECR and direct marketing is, but that’s not a surprise. The point is, the next time someone has a smart idea for a communication campaign, whether it’s health promotion, news of how you’re dealing with anti-social behaviour, or the benefits of recycling, just remember to think about PECR.

Which is a bit funnier if you say it out loud.

Facebook posts can mean prison

When I lived in Wigan, the most common response to seeing a copy of the local weekly, the Wigan Observer, was to turn to the page that showed who had been up in front of the magistrates. Like most people, what I wanted to know was whether anyone I had been to school with had broken into a shed or got drunk and hit a policeman with a fire extinguisher. In recent days, the Manchester Evening News, normally a paper with a rich and varied coverage, has been transformed by marathon court sittings into a multi-page version of the same thing. It’s an endless succession of self-destructive anecdotes – the guy identified by his Batman jumper, the chef who stole a camera ‘because he did not have one’, and the squaddie who tried to sell a £2000 Les Paul guitar that he claimed he had bought during the riots.
Today, I assume the MEN will go for the comparatively huge sentences for two chaps in Cheshire who tried (and thankfully, failed) to use Facebook to incite riots in Northwich and Warrington: http://tinyurl.com/3utotsu. However, the story is an object lesson in how so many people do not understand social media or electronic communications.
I’m paranoid. As far as possible, I never write anything in an email that I wouldn’t want to have broadcast. I had an email exchange recently where a friend sent increasingly rude and abusive jokes about a third party we both know, and all of my responses were basically “                    “ . I didn’t want my opinions on record, especially as the tone of an email is incredibly hard to judge.
On the other hand, Facebook, instant messaging and email allow some parts of society to extinguish the concept of an unexpressed thought. The Daily Mail is a rich seam of stories about people saying ridiculous and damaging things on Facebook and similar sites – the teacher who criticised her pupils http://tinyurl.com/3c65fkx or the girl sacked after describing her new job as ‘boring’ http://tinyurl.com/d4h9c5. The Mail still hasn’t thought of different way of illustrating these stories than asking the subject to pose in front of a computer, as if it’s impossible to understand the situation otherwise. In both of these cases, people’s careers are damaged; in others, (a quick Google search will show you many), people also get sacked, or damage their reputations or ruin their family lives.
Fast forward to today, and we see these two young men going to prison (and the Mail has another one here: http://tinyurl.com/4xpowny. Meanwhile, the DisabledGo News blog reports Facebook comments allegedly made by employees of Atos, the firm delivering the work programme, describing disabled clients as ‘parasitic wankers’ and ‘down and outs’: http://tinyurl.com/3bpvb66. This could have consequences both for their careers, and for the company’s contracts.
I’m far from the first to say this, but much as social media has connected the world in new and interesting ways, it has also opened the door for a lot of people to cause themselves huge damage. No matter who you are, the lesson has to be learned: THINK BEFORE YOU TYPE. Who might read what I have said? How might it be misinterpreted? Can I trust the recipients not to forward it on to everyone they know? Facebook encourages lots of friends, while an email is the ultimate form of portable, airborne information.