A month ago, the redoubtable information rights expert and blogger Jon Baines wrote about an odd change on the ICO’s website. Just after the EU referendum vote, the ICO published a bold statement, calling for Data Protection standards in the UK to be equivalent to those in the EU. Shortly after, the statement disappeared. Around a week later, it was replaced by something more bland. Jon wondered why the ICO had resiled from their original position. He was, however, fortunate to receive a comment from an ICO spokesman:
“We noted the debates about different options that emerged following the referendum result and we decided to move to a simpler statement to avoid being too closely associated to any one particular position”
I believe that this statement is untrue.
After a conversation with Jon, I made an FOI request to the ICO for “Any recorded information on the decision to remove the statement, including who made the decision to remove it, and why it was removed“. Remarkably, the ICO claims to hold just one email that is relevant to my request (I’m not convinced, so I am following this up), but I think it’s reasonable to conclude that the ICO did not change the statement because they “noted the debates“. They changed the statement because the Department for Culture, Media and Sport, the government department responsible for Data Protection, asked them to.
A DCMS official emailed Christopher Graham, the former Information Commissioner, directly on 28th June:
The revised version is identical to the statement that you’ll find here on the ICO website.
The DCMS position is understandable – a few days after an unexpected vote, it's not hard to imagine that they hadn't reached a final position on GDPR. I'd be surprised if they were certain now, frustrating as that might be for the likes of me. But when the DCMS talks about it being far too early for "us" to be so definitive, they are not talking about the ICO, which is legally separate from and independent of Government. If the former Commissioner and his staff believed that the DPA is out of date and not fit for purpose, they were right to say so. Bear in mind that the statement in question was made after the vote, not when the ICO view could in any way have influenced its outcome (or when such an allegation could be made). DCMS are free to disagree with them, and indeed to ignore them if they so choose. I think GDPR-lite is a terrible idea, but they can pursue it if they think it's right. I'm not even sure I want to criticise the DCMS request – it's quite clearly not an instruction.
However, for the ICO to change their statement (and by default, their official position on the GDPR) is a significant and worrying step. The ICO’s position can be identical to the DCMS one, but only if that’s because the ICO thinks DCMS is correct. It would be in no-one’s interests for the ICO to challenge and contradict DCMS merely to show that they’re nobody’s poodle. But Wilmslow’s reaction to the Brexit vote was clear, and now it’s not. Was the original position wrong? Is there any reason why the ICO cannot be allied to one particular position if they think it’s the right one?
Equally, if the ICO is going to change its public position, it should be honest with the public about why it is doing so. The statement on the ICO website says
At the annual report launch on 28 June 2016, Information Commissioner Christopher Graham updated the ICO statement
Whereas, what it should say is:
At the request of the DCMS, at the annual report launch on 28 June 2016, Information Commissioner Christopher Graham updated the ICO statement
As embarrassing as this might be, if the ICO is content to follow the debate about the future of the GDPR in the UK rather than leading it, it should be honest enough to admit that this is their position. I've already blogged about the bizarre situation that the ICO team that deals with complaints about political parties and councils is managed by a serving Labour Council leader. Here is another situation where the ICO's ability to make robust, independent decisions appears to be compromised.
This depressing episode happened in the dying days of the previous Commissioner's tenure; more than ever, I am glad that he is gone. We have a new Commissioner about whom I have seen and heard nothing but encouraging things. I can only hope that when faced with decisions like this in the future, Elizabeth Denham takes a more independent approach.
June is a significant time for Data Protection in the UK. At the end of the month, we have the EU vote (where a vote to leave will throw at least the timetable for implementation of the new General Data Protection Regulation into disarray) and Christopher Graham steps down as Information Commissioner, to be replaced by Elizabeth Denham. There are several reasons to be optimistic about Denham's appointment – she is the first Information Commissioner to have previous experience of privacy and FOI work, she has already taken on big corporate interests in Canada, and she isn't Richard Thomas.
However, Denham inherits a series of headaches as she begins her reign as Elizabeth II, and it’s difficult to know which of them will be the hardest to shake off. There is the GDPR implementation, which would be a challenge even without the uncertainty that Brexit will create. She also has to tackle the ICO’s lack of independence from Government, which results in scandalous outcomes like the admission in an FOI response that Wilmslow takes orders from its sponsor department (see answer 3 here). But perhaps biggest of all is the ICO’s approach to enforcement.
On FOI, the ICO doesn’t approach enforcement – it does pointless monitoring and audits without any evidence of success, and the major government departments use the ICO as their internal review, sometimes not bothering to answer requests unless ordered to do so by an ICO case officer. The sole enforcement notice in the past five years wasn’t even promoted by the office because the now departed Deputy Commissioner Graham Smith didn’t want to draw attention to the failure to tackle Whitehall’s FOI abuses.
On Data Protection, the approach is to enforce against self-reported security breaches. There is nothing wrong with lots of enforcement on security – it’s a significant requirement of the legislation and many people are concerned about it. The problem is that Wilmslow doesn’t enforce on anything else, despite breaches of the other principles being widespread and obvious. Unless I missed one, the ICO has issued 61 Data Protection monetary penalties since getting the power to do so. Two have been for non-security breaches: Pharmacy 2U (1st principle data sharing without consent) and Prudential Insurance (accuracy). The overwhelming majority of enforcement notices (and undertakings, if you count them, which you shouldn’t) are on security matters. This is despite the fact that the UK has a massive culture of unlawful data sharing, over-retention, flouted subject access and perhaps most obvious, rampant, damaging inaccuracy. The ICO does nothing about it.
A classic example is a story reported in the Observer about the Dartford Crossing between Kent and Essex. Automatic Number Plate Recognition is used by Highways England to issue penalty charges to drivers who use the crossings without paying by phone or web within a fixed period of time. The only problem is that drivers who have never used the crossing are getting the penalties, but it is more or less inconceivable that the ICO will take action.
Having used the crossing myself, I can confirm that there are some Data Protection issues with the signage around the bridge / tunnel – the Observer article explains well how the signs can easily be confused with those for the London congestion charge, which works entirely differently. This is, in itself, a potential data protection breach, as personal data needs to be obtained fairly, especially when the data being obtained (the licence plate) will not only be used to levy a charge, but because court action may result for non-payment.
One person is quoted in the article as having been charged because the system misread a 'C' as a 'G'. The Observer also reports that hire car users sometimes find penalties aimed at the wrong person because Highways England don't specify a date that the charge applies to. In another case, the person receiving the charge had sold the car in question, and had a letter from DVLA to prove it. As with most of these situations, terrible customer service and inflexible processes mean that even when a charge is applied to the wrong person, nobody in the food chain has the authority or the inclination to sort things out. Both of the individuals cited in detail by the Observer were headed for the bailiffs until the Observer got involved, and all action was terminated. Research by Auto Express notes that only 1 in 25 people appeal their penalty, but 80% of those that do are successful.
Every time Highways England / Dart Charge issues a penalty against the wrong person, it is a breach of the fourth Data Protection principle, which states that "Personal data shall be accurate, and where necessary, up to date". Note the lack of any qualification or context here – data is accurate, or it's a breach. Clearly, this means that most organisations are breaching DP every minute of every day simply because of typos, but even adopting a flexible approach, there can be no doubt that demanding money and threatening court action is a situation where the Data Controller must be certain that the data is accurate, and if they get the wrong person, it's a breach. The security principle talks about "appropriate measures" to prevent incidents, but the fourth principle doesn't: it's absolute.
Highways England / Dart Charge have breached the DPA, but would it be possible for the ICO to take action? In order to issue a monetary penalty, the ICO has to meet a series of tests.
1. The breach is serious
Dart Charge are pursuing people for debts they don’t owe. It’s serious.
2. The breach is deliberate
This one is potentially tricky, as we would need evidence that Highways England know that they are operating on the basis of inaccurate information in order for the breach to be deliberate. I can’t prove that Highways England are deliberately pursuing people, knowing that they are the wrong targets, although one of the Observer readers quoted gives clear evidence that they might be: “I spent 20 minutes trying to get through to someone who kept telling me I had to pay, even though he could see the problem”. However, we don’t need deliberate if we have:
3. The Data Controller knew or ought to have known about the risk and failed to take steps to prevent it
This test is clearly met – Highways England know that most of their penalty charges are overturned on appeal, they know that their system misreads licence plate characters, that it fails to properly distinguish dates, and they know that people contact them multiple times with evidence that the charge is wrong, but they ignore this evidence until they are embarrassed into action by a national newspaper. The breaches are still happening.
4. The breach is likely to cause damage or distress
Innocent individuals who have not used the Dartford Crossing are being pursued and threatened with legal action if they do not pay money that they do not owe. The breach is causing damage and distress and is highly likely to do so.
The ICO does not enforce on accuracy and they won't touch this case. If I tried to report it to them, they would ignore my complaint because I have not been affected (if an affected person complained, they would do an unenforceable assessment). They do not ask Data Controllers to report incidents of damaging inaccuracy, and they do not even advocate investigating incidents of inaccuracy in the way that they do for security. This despite the fact that inaccuracy leads to the wrong medical treatment being given, innocent people's houses being raided by the police, and old men nearly drowning in canals. The ICO took no enforcement action in any of these cases, despite them being in the public domain. I have dozens of others. Meanwhile, the Commissioner chunters on about a series of accidents and mishaps without any direct evidence of harm (ironically, even the pace of security enforcement has slowed, with only three DP monetary penalties at all so far this year).
Whatever Ms Denham's priorities might be, she cannot ignore this. The ICO has shirked its responsibilities on the other principles for too long. A quick glance at the articles relevant to enforcement shows that the GDPR is specifically designed to give breaches of the principles the higher maximum penalty. It's a riposte to the ICO's enforcement priorities since the HMRC lost discs incident in 2007, and it's a bridge that the new Commissioner must be willing to cross.
Ever since the Daily Mail first started to report on the nefarious fundraising activities of certain large charities, confusion and contradiction have reigned supreme. We have had fundraising codes of practice confused with the law, constant claims that the ICO has changed the law (which is something they haven’t done, and couldn’t do anyway), and the bizarre spectacle of undertakings being signed publicly by organisations who, according to Wilmslow, haven’t done anything wrong.
One might hope that the General Data Protection Regulation, designed as it is to clarify the mess of DP across the European continent would come to our aid. But no, sadly and inevitably, people are just as determined to misunderstand the GDPR as they are the Data Protection Act.
John Mitchison, head of preference services, compliance and legal at the Direct Marketing Association was speaking at a fundraising event organised by Third Sector magazine, and he passed comment on the apparent confusion over opt-in and opt-out rules on marketing. I don’t know exactly what he said because I wasn’t there. However, he is reported as saying that charities would not need consent for postal and phone marketing, unless a person was on the telephone preference service. The GDPR requirement for unambiguous consent did not change this position. Mr Mitchison also apparently said that he didn’t understand where all the confusion in the charity sector was coming from.
I think I can tell him. Enter Daniel Fluskey, head of Policy and Research at the Institute of Fundraising (yes, the organisation responsible for much of the confusion with their diabolical fundraising code). He wrote an article on the UK Fundraising website following up on Mitchison’s comments, including this statement.
“Our understanding is the same as the DMA’s and what we’ve heard from solicitors – that ‘unambiguous consent’ does not mean there has to be an ‘opt in’ tick box. Consent will be able to be given ‘unambiguously’ through an ‘opt out’ mechanism. So, statements that ‘opt in’ is coming in through law seem likely to be misleading – what’s coming in is a requirement that the consent is ‘unambiguous’”
Fluskey then invents his own test for unambiguous consent:
“To me, ‘unambiguous’ consent seems like a three-stage test:
- Did someone give their information freely?
- Were they presented with straightforward information so that they had a clear understanding of what marketing/fundraising communications they could expect to receive?
- Did they have a clear and easy ability to choose to accept this, or to object if they didn’t want to receive future marketing?
If the outcome of the engagement leads to these three questions being able to be answered with a ‘yes’ then it would seem very likely that the donor has given ‘unambiguous’ consent. That seems very much like achieving the spirit and ethos of ‘opting in’ even if there isn’t necessarily a tick box.”
This is all – to use a technical term – bollocks.
Mitchison is correct – consent is not necessary for postal marketing and phone-calls to those not on TPS. However, this has nothing to do with the nature of unambiguous consent. The explanation is reasonably straightforward. To use any personal data, you need to meet a condition under the DPA – this is the position now and it remains so under the GDPR. Consent is one of the conditions but not the only one. If an alternative condition can be found, you can forget consent and use the other one instead. The GDPR recognises that the legitimate interests condition can be used to justify marketing, and so this can apply to postal marketing. You don’t need consent because you can use legitimate interests. The opt-out bit is a red herring in this context – the marketer offers an opt-out because it’s good practice and the subject has an automatic right to opt-out of any marketing anyway. It would be nice if such opt-outs were respected instantly and permanently, but that’s an issue for another time.
Electronic forms of marketing are not just covered by Data Protection. They are also covered by the e-Privacy Directive, implemented in the UK as PECR. PECR adds a layer of rules, and in some cases insists that only consent applies. You can’t rely on legitimate interests for automated calls, email or text marketing, because PECR says that only consent will do.
Live calls straddle both conditions. You can rely on legitimate interests for cold calls to people who are not on TPS, but you need consent for those people who are. Again, this is nothing to do with DP, this is an extra rule laid on by PECR. I hold no brief for Mr Mitchison, but the DMA are usually robust about the effect of marketing law, so my guess is that this is the point he was making.
I haven’t explained completely why I think Mr Fluskey’s comments are bollocks. Permit me to do so now. I suspect he hasn’t even read the Regulation, despite the fact that he is issuing clear (if bogus) advice about it to a sector that has wallowed in ignorance for far too long.
The definition of consent in Article 4 is plain for all to see: “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” – indication means active, given means active, clear affirmative action means active. Everything about the definition of consent means that the subject has to do something to consent. It’s obvious that Fluskey hasn’t read the regulation because he happily takes ‘freely given’ out of its context as part of the definition of consent and pretends that it relates to the provision of information. If there was any doubt (there isn’t, but we’re here now), Recital 32 helpfully addresses any possible uncertainty:
Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent.
Once again, just in case you missed it: “Silence, pre-ticked boxes or inactivity should not therefore constitute consent.” Compare that to what Mr Fluskey says: “‘unambiguous consent’ does not mean there has to be an ‘opt in’ tick box”. They saw him coming. That’s exactly what it does mean, that’s what it says. Consent has to be active, and it has to be demonstrable. Silence or inaction does not mean consent, but that’s exactly what an opt-out model represents – assuming consent from silence or inaction. Under the GDPR, opt-out consent is dead. There’s an argument that this is the case under the current DP as well, but leave that to one side. Nobody who has read the full Regulation can think that opt-out is a valid way to get consent, and only those who have read it should be giving advice to others.
The problem with the Institute of Fundraising is that their code of practice has created a fog of uncertainty about what is law and what is practice or industry standard. And here they are, doing it again: “That seems very much like achieving the spirit and ethos of ‘opting in’ even if there isn’t necessarily a tick box.” Complying with the regulation isn’t about trying to capture some phantom ethos – it’s clear, and unambiguous. No opt-outs, never again.
Don't get me wrong. Fundraising companies have a problem. For many years, they have built profitable businesses, employed lots of people, and made lots of money, some of it even for the charities who hire them. The GDPR makes clear what was not clear, emphasises what has been underplayed, and gives new rights to subjects that will directly challenge the business model of some fundraisers. Consent has to be clear and it has to be opt-in. Profiling has to be explained to subjects, and they have significant rights to challenge and object to it. Data sharing cannot be justified on tiny, badly-explained clauses buried in interminable terms and conditions. I can understand that the more they delve into the GDPR, the more fundraising companies may despair.
But denial and confusion are not the answer, and this nonsense must end. The Institute of Fundraising has to stop issuing inaccurate and confusing guidance which, let's assume coincidentally, has the effect of maximising the number of calls, texts and emails that can be made and sent. Charities have been battered for a while now, some with more justification than others. But they have no hope of emerging from the mess and getting back to where they should be if this endless stream of misinformation continues to be sprayed at them. The problem for some fundraisers is not that the GDPR is confusing. It is that it is not.