Virgin Berth

If there could be anything worse than the provenance and target of a Wallasey brick spawning an industry of conspiracy theorists, then it’s probably the Burning Question of whether Virgin Trains East Coast’s release of CCTV images of Jeremy Corbyn spurning unoccupied seats to enjoy the proletarian solidarity of the vestibule floor breached Data Protection laws. If I get through today without reading The Canary’s take on the matter, I will be a happy man.

Of course, the only sensible answer to the question is “It doesn’t matter”. But let’s ignore that obvious fact in favour of the following.

First, if Virgin Trains released unpixelated images of other passengers, this would be a breach of the first Data Protection principle on the basis that it would be unfair. There is no legitimate interest in doing so, and it is plainly unfair to publish images of ordinary passengers minding their own business. There is NO CHANCE ON EARTH that the Information Commissioner will take any action against Virgin for this as there is no harm to the passengers concerned, and harm is a vital threshold for any enforcement action. Individual passengers could sue, but again, they would have to demonstrate at least distress. I went from London to Edinburgh on Virgin East Coast once so I have some sympathy with this argument.

Of course, nobody would give a toss about this if it were not for the perceived slight to JC, so let’s get to that.

The first Data Protection principle requires that personal data should be processed fairly, lawfully and according to a set of conditions. Virgin’s disclosure must clear all three hurdles.

Fair – in the general sense of the word, I believe that the processing of Corbyn’s data was fair. Presumably without the company’s consent, Corbyn filmed a publicity stunt about the state of their trains. Even if the content was true, I believe Corbyn opened the door for Virgin to reply about the state of the train that Corbyn was on. Fairness does have a separate, specific meaning, which requires the organisation to tell the Data Subject who they are, what purposes the data is being used for, and anything else necessary to make the processing fair.

I can’t find the privacy notice for Virgin Trains East (if it’s not on the trains, that’s a breach), but Virgin Trains West Coast has a detailed policy on its website that includes improving customer service, monitoring operational incidents and verifying claims. If something similar is on the East Coast trains, I don’t think Corbyn has much room for complaint. I think that responding to an unauthorised publicity stunt on one of their trains is probably compatible with verifying claims and monitoring operational incidents. And besides, the Information Commissioner’s Office has invented and long tolerated a notion of ‘reasonable expectations’ – that you can do anything with personal data that the person would reasonably expect you to do. If Corbyn didn’t expect Virgin to look at their CCTV to verify his claim that the train was ‘ram-packed’ (or even ‘rammed’ or ‘jam-packed’), he’s an idiot.

There is the nugget of an issue here – the public perception of CCTV is that it is used solely as a means of detecting and investigating crime. It isn’t – it’s used for a variety of civil, disciplinary and publicity purposes and there’s nothing in the Data Protection Act to prevent this. However, companies like the West and East Virgins tend to stress security and crime over all things when dealing with CCTV, and this creates an expectation of its own. Everything depends on the information available on the train that JC travelled on.

There is one exemption that might come to Virgin’s aid – Section 32 renders all of the First Principle void (and most of the others) if a disclosure is made for ‘journalistic purposes’ and the public interest in publication is incompatible with compliance with the principles. The language is important – one does not need to be a journalist, only to be processing for the purposes of journalism. This opens the door to widespread and enthusiastic flouting of DPA by all sorts of corporate interests, but I find it hard to dismiss the possibility altogether.

Lawful – I believe that the disclosure was lawful. A train is not a private place (except in the toilets and this is probably not the time for me to raise the urban myth about CCTV in train toilets), and Corbyn’s personal data in this context is not confidential or private. I can see no other law that disclosing this data would breach, so I think they’re in the clear.

Condition – Schedule 6(2) of the Data Protection Act states that data can be processed (in this context, disclosed) if it is necessary for the purposes of a legitimate interest, as long as the processing does not prejudice the rights, freedoms or legitimate interests of the subject. Corbyn made a claim about the conditions he found on a particular train – I believe that Virgin unquestionably have a legitimate interest in disclosing Corbyn’s personal data in order to comment on the accuracy of his claim. If Virgin released images of Corbyn unprompted, legitimate interests are out of the window. But Corbyn started the ball rolling, and I cannot see how the use of overt CCTV for this purpose prejudices his interests. Of course, if the images were used in a misleading way, again, legitimate interests is dead, but frankly, that’s a much bigger problem.

Other conditions might be engaged but unless Virgin have actively defamed Corbyn by photoshopping them to look like the train had seats when it didn’t (which is what I presume The Canary’s take is), I believe that the use of images was adequate, relevant, and not excessive (principle 3), and accurate (principle 4). One might question how long the images have been retained for (principle 5), but there is no statutory time period – Virgin simply have to justify that the retention period matches the purposes outlined under the first principle.

At its absolute worst, the release of Corbyn’s images might be unfair if the privacy notices on the train do not reasonably envisage the possibility of something like this happening. If Mr Corbyn was damaged in some way by this, the seriousness of the breach is increased, but not by much. It would be unlawful, but I see no public interest in taking action. Politics is a dirty business. Corbyn’s party breaches Data Protection all the time, so if he wants to take this up, he should do some digging in his own backyard.

And reserve a bloody seat next time.

UPDATE (24/8/16): The Information Commissioner has stated that they are “making enquiries” into Virgin’s disclosure of the CCTV images. The two possible enforcement routes available are a monetary penalty or an enforcement notice. The penalty requires the ICO to establish that there has been a serious breach of the Data Protection Act, likely to cause substantial damage or distress, and the data controller (Virgin Trains East Coast) either deliberately set out to breach the DPA, or knew (or ought to have known) that the breach would occur, and that the damage / distress would follow as a consequence. If you think that this incident meets that threshold, would you be interested in buying a used car?

The alternative is an enforcement notice. The enforcement notice can only apply if there is an ongoing breach that the data controller cannot or will not remedy. In other words, if Virgin promised never to disclose CCTV for publicity purposes again, it would be very difficult for the ICO to issue an enforcement notice. It would be disproportionate to take such significant action if it was clear that Virgin would not do the same thing again.

All this may be disappointing to those who wish to see Virgin, and its bearded figurehead, chastised for their assault on the integrity of JC, but this is not a serious breach. The NHS ignored opt-outs from the sharing of medical data for thousands of people over a prolonged period of time, and the worst that happened is that they were asked to sign an undertaking (an unenforceable public promise to behave better) at a time which best suited them in publicity terms. If you think that embarrassing Corbyn is worse than that, you ought to be ashamed of yourself.

The one good thing is that I don’t think the Labour Leader of Stockport Council, who moonlights as a Group Manager at the ICO, will end up dealing with the case. But who knows?

Labour pains

Saving Labour is a new organisation dedicated to replacing Jeremy Corbyn as leader of the Labour Party. It may quickly need to be saved from itself. An extract from a document that appears to be from Saving Labour is being circulated on Twitter by Corbyn supporters, annoyed about what it contains. The document contains advice on how to obtain personal data of lapsed members who are likely to be anti-Corbyn because they left the party around the time he became leader. The document then advocates contacting them for support.

Two things: I do not know the provenance of the document, and the allegation that it comes from Saving Labour or Progress may be untrue. This may be the work of a rogue individual, and so Saving Labour may not be responsible. If this is the case, they should make this clear, urgently and ensure that data is not obtained or processed in their name.

Second thing: I am a member of the Labour Party, and I do not support Jeremy Corbyn. I’m not even one of those ‘Corbyn can’t win’ people; if he could win, I wouldn’t want him to. Nevertheless, there is a strong likelihood that the Data Protection Act is being breached, and I think this needs to be addressed.

If Saving Labour (or rogue individuals) are attempting to recruit Labour members back into Labour, then the processing of data is likely to be a breach of Data Protection’s fairness requirements. If Saving Labour are trying to recruit members to Saving Labour’s mailing list or retaining data for its purposes, it’s potentially a lot worse. The most important thing here is that Saving Labour is not a faction of Labour; it is a separate Data Controller with its own Data Protection notification. If Saving Labour are obtaining data or getting others to obtain it on their behalf and for their purposes without Labour’s knowledge, it’s at least a civil breach of Data Protection.

Section 55 of the Data Protection Act makes it a criminal offence to obtain, disclose or procure the disclosure of personal data without the authorisation of the Data Controller. It’s not a criminal offence to obtain and disclose personal data without consent. The crucial element of S55 is the procuring or disclosing personal data without the authorisation of the Data Controller. The Data Controller isn’t an individual person (a common misconception) but it is the organisation as a whole. Nevertheless, if an individual who is clearly entitled to make decisions on the organisation’s behalf approved the disclosure, it’s not a criminal offence. If this data is being obtained and processed on behalf of Saving Labour, there are specific defences that can be used, but these should be tested.

Of course, if the data has been obtained without Saving Labour’s knowledge and is being used for purposes that have not been authorised by the Labour Party, the individuals responsible for harvesting and processing the data could themselves be potentially in the frame for an S55 offence, rather than Saving Labour.

Even if a senior Labour Party official gave explicit approval for someone to harvest personal data and use it, the likelihood of a Data Protection breach is still high. Unless the Labour Party told members that their data would be shared with another organisation or processed after their membership had lapsed for marketing purposes, then the disclosure / processing would be a breach of the First Data Protection principle, which requires all processing of personal data to be fair. The chief element of fairness is that the person is told about how their data will be processed.

Though it’s possible that Labour told members that their information might be passed to affiliated organisations (which is relevant if Saving Labour receive the information or it is used on their behalf), it’s exceptionally unlikely that Labour would have told members that their data would be processed after their membership had lapsed. Regardless of whether Saving Labour receive the data, processing it after the membership has lapsed is likely to breach the First principle unless Labour can demonstrate that members were told explicitly.

Of course, if Labour approved this, then Saving Labour could be considered to be a Data Processor carrying out a recruitment drive on the party’s behalf. If this is the case, unless Saving Labour is covered by a legally binding contract, this is a breach of the Seventh Principle.

It doesn’t end there. The document encourages MPs and councillors to “call” lapsed members to encourage them to join. As I blogged only yesterday, every part of the Data Protection system has made clear that calls made for the purposes of political campaigning are marketing – so if the callers do not screen any telephone numbers against the Telephone Preference Service, it would be a breach of the Privacy and Electronic Communications Regulations. If they send emails or texts without explicit consent from the person, it would be a breach of PECR. It’s extremely hard to imagine that any consent given to the Labour Party could survive a lapsed membership, and Saving Labour would not have that consent in the first place. Let me emphasise for new readers: there is no political exemption from PECR, there is no ‘we can call our members / ex-members’ exemption.

The ICO has already shown itself willing to enforce on political campaigning by issuing Enforcement Notices in the last decade against the SNP, the Labour Party, the Conservatives and the Liberal Democrats, and by issuing a monetary penalty for unsolicited texts against Leave.EU a few months ago. Last year, I blogged wearily about Labour’s idiotic and unfair purge of registered supporters. I and others have constantly pointed out their terrible marketing practices. And here we are again; another mess, another possible misuse of data, and at some point, the ICO dragged into it all over again to sort out another family dispute.


Here’s what you could have won

The worst experience for many data protection officers (apart from conversations which include the question ‘was it encrypted?’) is when their employer has spent a large amount of time and money developing some amazing, world-changing initiative involving personal data without asking them about it. A finger hovers metaphorically or sometimes literally over the start button, and somebody finally says ‘Hey, shouldn’t we ask DP guy about this?’. And so DP guy trudges from whatever mouldy corner of the organisation they have been exiled to after the last time this happened, and they are asked something along these lines. “This is all fine, ISN’T IT?”

And they are obliged to say no. Sometimes it’s just a bloody stupid idea, but most of the time, the project is at the very least achievable in some form, but asking at the end of the process means that the easiest, cheapest and most convenient solutions are lost because they needed to be included in the design of the process. The organisation has the unattractive choice of breaching the DPA or bolting on expensive and unwieldy solutions to the problem. Different organisations react in different ways, but DP guy is usually blamed. The way to avoid the above problem is to carry out a privacy impact assessment – as early as possible, the people designing the new amazing thing look at what they’re planning to do, think deeply (and with as many views as they can find) about what might go wrong from a data protection and privacy perspective, and then build the solutions into the design of the project. Alternatively, they decide to leave the thing as it is, but knowing what risks they are running, rather than living in denial.

There are three problems with the PIA approach. First, you have to be willing to do one. Second, you have to be willing to imagine what might go wrong with your new amazing thing. Third, you must be willing to change your new amazing thing if the risks are sufficiently great. And thus, we return for my fourth blog on the Labour leadership election, if you can call it that.

I am certain that Labour has breached the Data Protection Act in a variety of different ways, and yet all of it could have been avoided had they done a PIA. Here are some of the possible breaches:

  • Labour did not inform those registering as supporters that their data would be obtained from a variety of formal and informal sources, and their social media accounts would be searched. This is particularly true for information like canvass data, which was obtained for a separate purpose. This is a breach of principle 1, which requires data subjects to be informed how their data will be used. This could easily have been prevented by developing a clear set of criteria in advance and explaining this and the vetting process when supporters signed up.
  • Labour did not obtain Twitter names and other social media information from supporters, so the data obtained was not adequate for the purpose – this in turn is likely to lead to data being inaccurate. This is a breach of principles 3 and 4. This could have been prevented by realising that a vetting process would be required, and would need to be robust and fair, requiring more than the sparse details that were actually requested.
  • Registered supporters cannot appeal their decision properly, which means that data is not being processed fairly (principle 1), or adequately (principle 3). As above, clear criteria would have allowed such appeals.
  • Data is being obtained and shared from a wide variety of sources, and shared across different locations. Harriet Harman has said that vetting is going on in constituencies as well as Labour’s offices in Newcastle. Unless the data (which is sensitive personal data about political beliefs) is shared and stored securely, Labour will have breached the 7th principle, which requires appropriate technical and organisational security measures.
  • Data Protection requires an organisation to justify its use of personal data from a list of conditions set out in the Act. The only two possible conditions for the vetting are consent and legitimate interests. Consent must be freely given, specific and informed – supporters cannot be assumed to have consented to a process that they were not told about. There is no such thing as ‘implied’ or ‘assumed’ consent. An organisation can infer consent from a person’s actions – tell me that you want to do a blood test and I willingly offer you my arm, you can reasonably infer that I am consenting to the test. But by taking my £3 and offering me a vote, you cannot pretend that I have consented to a bargain-bin witch-hunt that you didn’t mention. What remains for Labour is the legitimate interests condition, which only applies when there is no unwarranted harm to the rights of the data subject. They could have relied on that, but only with a proper process. Without a right of appeal, based on hearsay and Tweets possibly taken out of context, done in a rush, and with no clarity about the criteria or even the people doing it, this condition is not made out. I do not believe that the party has a legal basis to do what it is doing because of the way it is doing it.

An election is not just an important political process; it is a massive exercise in the processing of personal data, and Data Protection applies to it. There is no exemption, and for a party election no legal obligation to allow Labour to skate around the tricky bits. Equally, a vetting exercise is not just a necessary step to deny Matthew Parris’s Llamas a vote – it is another massive instance of processing that requires a sensitive and intelligent approach. I suspect Labour has panicked and made the process up as it went along (no doubt partially in a doomed attempt to prevent a Corbyn win), and in the process breached most of the DP principles.

Supporters should have been told exactly who would be excluded and why. Labour should have asked for enough data to be certain that they were looking at the right people. The process for vetting should have been open, transparent, consistent and with a right of appeal. PIAs are evolving, living processes, so when all of these problems started to surface, Labour should have reacted, either by dropping the vetting altogether because they couldn’t do it legally at this stage, or perhaps pausing or extending the election to allow something more watertight to go ahead.

But here we have the second and third problems with PIAs. Politicians and political people are peculiarly incapable of thinking that things might go wrong. Everything has to be presented as wonderful, inspirational, positive. Even if the risks had occurred to them, I suspect Labour’s leaders would have been unwilling to present the kind of strict rules that a compliant process would have required. They wanted to welcome people, to have a summer of vibrant inclusive debate. We all know what the British summer is like: stormy and disappointing. They should have anticipated these storms and brought an umbrella. They went out in shorts.

My experience of all political parties is that they are incapable of complying with Data Protection and Privacy law: I’ve already written about the rampant direct marketing breaches, and I’ve heard about worse. It’s pointless to expect them to do it any differently. Instead, let this rolling disaster be a lesson to others, for any organisation trying something new. Think about what you’re doing, and how you want to achieve it. Think about what might go wrong. Put measures in place to manage the risks. Whoever wins this election will inherit a smouldering mess; how much better would it have been not to set it on fire in the first place?

The Purge

Throughout the campaign for the Labour leadership, various people applying to be registered supporters have had their applications rejected. The list is varied, from the film director Ken Loach and the comedian Mark Steel, through to the human equivalent of genital herpes, Toby Young. Those registering to be supporters must agree that they support the aims and ideals of the Labour Party: Loach and Steel have explicitly and recently advocated voting for other parties, while Young is a high-profile Conservative. I’m not going to lose any sleep, frankly. However, in the past couple of days, a substantial number of less well-known people have received similar missives – some were recently candidates for other parties so Labour’s ban may have some merit. But others are just ordinary people on the left. Some of them are critics of austerity, some may have said that they are voting for the Greens or the Trades Union and Socialist Coalition, or just slagged off the Labour leadership online. I think Tony Blair is a war criminal and have said so often, so I still wonder if my vote yesterday counts. Is that acceptable for Labour High Command in the current climate?

The Data Protection problem for Labour is that when we signed up to be registered supporters, there was no clear fair processing information explaining that we would be vetted or how this would be done. Some form of vetting has clearly happened – I’ve even seen copies of emails and Facebook posts that suggest a full-on witch-hunt for anyone who isn’t an uncritical supporter of the party. I’m not sure whether these are real, but there are a lot of them.

As I have previously written, Labour does not need consent to look at websites and Twitter accounts. Even though the stuff on Twitter is sensitive personal data as it relates to political opinions, Data Protection allows for sensitive data to be used if it has been put into the public domain by the data subject. Furthermore, I agree that Labour has a legitimate interest in preventing full-on Tories from voting. This means that they can rely on the ‘legitimate interest’ justification to use personal data. However, they are required not to cause unwarranted prejudice to the rights and freedoms of data subjects when doing so. This is all part of the first Data Protection principle. I believe that legitimate interest requires the vetting process to be carried out objectively and accurately. Without some form of appeal, I think the rights and freedoms of the data subjects have been prejudiced.

More fundamentally, Labour must also process data fairly. The blurb for registered supporters was thin, so as someone who signed up, I have no idea what process was gone through. Even if you are one of those (wrong) people who thinks that trawling Twitter doesn’t engage Data Protection, receiving and acting on tip-offs and reports isn’t just disturbingly McCarthyite, it would be a breach of the Data Protection Act unless registered supporters were told. There are in fact a host of potential problems (accuracy, relevance, security), but the fairness one is enough because it is insurmountable. We should have been told – we weren’t.

Even if you think such a process would be legitimate, there is no exemption from the Data Protection Act, nothing that allows Labour to do these things secretly. The exemptions in Data Protection cover legal proceedings, criminal investigations, cases referred to regulators – situations where handling personal data secretly can be justified. None of the exemptions applies to the kind of process currently at work in the Labour Party. The foundation stone of Data Protection is fairness and transparency – letting people know how their data is used, so that they can ensure it is used properly. Not for the first time, the Labour Party is acting secretively, and so I have no faith in the vetting process. I suspect it breaches the first Data Protection principle.

Data Protection gives every person a right of subject access, a right to request copies of their personal data held by any organisation. In this case, the data on which the decision was made to ban a person from voting in the leadership election will undoubtedly be personal data. Admittedly, Labour could claim that no data was recorded, but this would reveal that process to be slapdash in the extreme.

Therefore, my advice to anyone rejected by the Labour Party is as follows: make a subject access request. Find out what it was that made Labour reject you, and then publicise that. Expose this process, and dig it over. Labour did not want this to be a transparent process, but they cannot stop you from finding out what happened in your case.

To make a subject access request, you need three things:

  1. A written request, setting out your name, address and the email address you registered with as a supporter
  2. Proof of your ID. Send a copy of a passport or driving licence and ask them to destroy it when they have validated your request. They can refuse to deal with your request without proof of ID, so don’t give them the opportunity to delay by asking for it
  3. A cheque for £10. Having already lost the £3 supporter fee, this will be annoying, but I doubt Labour will accept a subject access request without the statutory fee, and they can refuse to process the request without it. If you want to know what happened (or find out that it was a flawed process), you will have to sacrifice the tenner. If they are feeling generous, they won’t cash the cheque. The Information Commissioner cannot order them to waive the fee, so don’t waste your time asking them.

You may well want to send this by recorded or registered post, which ratchets up your costs even more. If you are throwing your hands up in despair at spending another £12, I’m sorry. I didn’t say you would like my advice. Explain clearly and simply that you want all of the personal data held about you as a registered supporter, including any and all information that was used to ban you from voting. You are entitled to a permanent copy of the data. It is unlikely they will tell you the names of those involved in the decision, but the reasons you have been banned must be made available. It doesn’t matter if hundreds of Labour supporters make a subject access request at once – there is no provision to refuse vexatious requests, and the Information Commissioner’s Code of Practice on Subject Access makes clear to organisations that they must be prepared to respond to peaks in demand.

Subject Access is an imperfect tool: organisations sometimes don’t record the information you expect them to. But Labour took their supporters’ money and then denied many of them a vote. Either they have to account for these decisions, or admit that they have not done so fairly. Those calling for the election to be halted to avoid a Corbyn victory should be full-throated in their demands that the banned should either get a proper explanation as required by Data Protection, or the vote should instead be halted until a proper process is undergone.

The address Labour publish to contact their Data Protection Officer is

Compliance Unit, Labour Party, One Brewer’s Green, London, SW1H 0RH

If you go for it, good luck. Drop me a line and let me know how you get on.

The Yellow Peril

A few months ago, I blogged about a session of the House of Commons’ Culture Media and Sport Committee where the Chief Executive of Which? talked a bit of nonsense about unsolicited calls. Not to be outdone, the MP for Exeter Ben Bradshaw decided to indulge in a bit of (reported) hogwash of his own. Opining on the interesting suggestion to ban unsolicited calls altogether, Bradshaw described the idea as “an affront to democracy”. After all, he said, “I am there to help my constituents, but you are saying you want to make it more difficult for me to help them.” I don’t know whether an unsolicited call from Mr Bradshaw – a man who unnervingly resembles Hugh Grant’s mummified remains – is what the fine folk of Exeter really need, but the claim is stupid. If a constituent asks an MP for assistance, any call would be solicited. If a constituent hasn’t asked the MP for help, the MP should leave them alone.

I was inspired by Mr Bradshaw’s comments to do something I have been meaning to do for a long time, and which the faint rumblings of the campaign for the 2015 General Election suggest as a sensible step for anyone. I made a request under Section 11 of the Data Protection Act asking the three main political parties to cease or not to begin processing my personal data for the purposes of direct marketing. In other words, I opted out of receiving any marketing / campaigning / promotional material from Labour, the Conservatives and the LibDems, either at a national or a local level.

So how did they get on?

I deliberately chose the bog-standard national address from the front page of each party’s website and made no effort to find out who in each organisation is responsible for Data Protection or general compliance, just to see what happened. So on the same day (using the nice paper, since you ask), I wrote to ‘the Data Protection Officer’ at each party. It took the LibDems and the Conservatives a day to respond – I think I posted the letters on a Tuesday and I had both of their responses on the Thursday, which is very good. Labour lose some customer service points for needing a follow-up letter to prompt a response, but cannot really be criticised as a) they sent a nice apology for the delay and b) an organisation has no legal obligation to acknowledge a Section 11 request, they simply have to comply with it. All equal so far.

Purely from a blogging perspective, I will admit to being disappointed with both Labour and the Conservatives’ substantive responses. Both were exemplary, doing nothing more than politely agreeing to my request. There was no quibbling, no attempt to nose out a loophole. I expected at least one of the parties to claim that political campaigning isn’t marketing, but neither of the big two took the bait. They even promised to ‘suppress’ my details, meaning that my information will be retained but kept on a suppression list so even if they acquire my data from some survey or other list, I will be flagged as ‘no contact’. It’s entirely possible that they won’t follow through and comply, but it’s a good start. Bit of a pain though, as I have a blog to fill and DOING STUFF PROPERLY ISN’T GOING TO HELP ME DO THAT, IS IT? IS IT?

And so, Thank Goodness for the Liberal Democrats.

The letter from the party’s ‘Head of Compliance and Constitutional Support’ contained a fascinating attitude to Data Protection. Firstly, he spelled my street wrong (‘Honeysuckel’ not ‘Honeysuckle’) and the second half of the postcode was completely incorrect (none of the same letters or numbers). The fact that when responding to a member of the public who is raising concerns about data protection, you are so sloppy as to get the address wrong when it’s probably easier to get it right is telling. Secondly, his opening gambit ‘I am afraid there are a number of misunderstandings of the Data Protection Act in your letter’ is probably red rag / bull territory for someone like me, but it is also not true. He identified no misconceptions about the DPA at all; instead, he went on to quote ICO guidance – ICO guidance and the DPA are very different things and I think it’s remarkable that a ‘Head of Compliance’ doesn’t appear to know that. His point is that Section 91 of the Representation of the People Act 1983 gives parties the right to send either one “unaddressed postal communication” or one “postal communication addressed to each elector”. The reference to ICO guidance comes from ‘Guidance for political parties and candidates’, and as he observed, the ICO guidance does indeed say that Section 91 ‘applies even if the individual has asked you not to contact them’.

This is interesting. Section 11 of the Data Protection Act does not contain any exemptions or qualifications. It says this:

An individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing for the purposes of direct marketing personal data in respect of which he is the data subject.

And that’s all. The unaddressed communication is fine – it will be delivered with the pizza leaflets, but an unaddressed leaflet clearly does not offend Data Protection and I have no argument with it. However, if Section 91 of the Representation of the People Act 1983 gives parties an automatic right to send an addressed communication, that appears to be in conflict with my Data Protection rights. DPA says one thing, RPA another. I’m not remotely an expert in the UK constitution versus EU law, but even I know (and a more reliable person reminded me) that generally speaking, where EU and domestic law are in conflict, EU law wins. It’s curious that the ICO line appears to be wrong and their guidance to parties – clearly written with awareness of the conflict – sides against the ICO’s own legislation. For what it’s worth, I think the LibDems and the ICO guidance are wrong. I believe Section 11 takes precedence.

However, even if I’m wrong, the LibDems’ high-handed approach is striking. Their attitude can be paraphrased like this: ‘we know you don’t want to hear from us, but we think our rights trump yours, so tough’. The communication in question – if it comes – will be designed to persuade me to vote Liberal Democrat, and I find it very difficult to reconcile the two ideas. Do I really want to vote for people whose attitude to my rights is so dismissive? Even if the RPA does give the parties an unchallenged right to send marketing to unwilling recipients, what kind of organisation is dumb enough to use that right?