Catch the Pidgeon

Even before the fundraising sector met its Data Protection nemesis in December, with two charities cruelly hung out on the rack, forbidden ever to raise funds again (CORRECTION: given two of the smallest fines in Data Protection history and not forbidden from doing anything), various blogs and tweets showed that anguished tin-rattlers were confused about what they were accused of.

A classic of the genre was published just over a week ago by Third Sector, penned by Stephen Pidgeon, a “consultant and teacher” (one assumes modesty prevented the publication from mentioning that until recently he chaired the Institute of Fundraising’s Standards Committee, responsible for the until-recently legally incorrect Code of Fundraising Practice). Pidgeon made a series of assertions in his article, and the most important of them is wrong.

Pidgeon describes profiling as a serendipitous activity – a fundraiser innocently planning some door-drops (not a hint of pestering spam in this charming scenario, nor any resort to a data-mining outfit like Prospecting for Gold) happens to notice that a donor has sold a business, and so decides to add his details to an existing campaign. The scheme is ruined by the ICO who says: “That’s not allowed – it’s against the Data Protection Act without express permission”. As Pidgeon points out, the DPA is much vaguer than that. If the Commissioner had indeed said this, it would be nonsense. The problem is, they didn’t.

Both charity notices set out the ICO’s position on charity profiling – it cannot be secret. The same is true for data sharing and appending new data to records that the subject didn’t provide. Neither notice finds profiling without consent to be a breach. Admittedly, Data Protection only offers one other option to justify profiling in these circumstances (legitimate interests), but either Pidgeon doesn’t know what the notice says, or he is deliberately misleading his audience. The word ‘permission’ does not appear in either notice, and the word ‘consent’ isn’t mentioned either.

Pidgeon also asserts that wealth profiling is not confined to charities:

This issue is not confined to charities. Yet, in all the 100-plus ICO adjudications in 2016, I could not find a single commercial firm censured for wealth screening.

To be pedantic, they’re not unenforceable ‘adjudications’, they’re formal legal notices, and if you add up all of the DP and PECR monetary penalty and enforcement notices in 2016, you don’t get to 100. He might be including the undertakings, which could be compared to the blancmange adjudications that charities have grown used to, but they’re irrelevant in a conversation about enforcement. The more important point is that like others, including the fundraising apologist academic Ian MacQuillin and the researcher Matt Ide, Pidgeon claims that everyone does wealth screening but only the charities are getting punished for it. The Daily Mail hasn’t exposed Marks and Spencer or Greggs for wealth screening – possibly because they’re good at keeping it secret, but a more likely explanation is that they don’t do it. Until someone in the charity sector shows evidence of another organisation doing secret profiling, it’s just a distraction from the fact that – as Pidgeon claims – most of the charity sector have been doing it unlawfully for years.

Many in the sector also seem persuaded that the ICO action is a weird anti-charity vendetta. MacQuillin’s contributions to the Critical Fundraising Blog pondered the mystifying question of why the data protection regulator has taken action when household name organisations have been exposed for breaching data protection. The ICO takes action for three reasons – an organisation reports itself for something, ICO gets lots of complaints about something, or something makes a big splash in the press. There were thousands of complaints about charity fundraising, but all went to the toothless Fundraising Standards Board, who hardly ever passed them on to ICO. So it was the Daily Mail’s headlines that did the trick – the heartbreaking story of Olive Cooke but more importantly for the ICO’s purposes, the flamboyantly unlawful way in which charities treated Samuel Rae, trading his data relentlessly with anyone who wanted it.

In pursuing his false claim about consent, Pidgeon derisively summarised what charities might have to say to prospective donors: “We want to find out how rich you are; tick here to agree”! As a first draft, this has some merit, but a charity involved in wealth screening should also add ‘We want to know whether you are worth more alive or dead’. The consent claim is a red herring, but perhaps unwittingly, Pidgeon has hit on the real problem for fundraisers: daylight. The foundation of Data Protection is fairness, and the only way to achieve it, regardless of whether consent is part of the mix, is to tell the subject the purposes for which their data will be used. Stretching the law as far as they can, the ICO has invented the concept of ‘reasonable expectations’. Reasonable expectations doesn’t appear in the Data Protection Act, but the ICO’s idea is that if you are only doing something that the person would expect, you don’t have to spell it out. One might take issue with this because it’s not in the Act, but it’s a sensible idea. The ICO’s emphasis has always been on being transparent over unexpected or objectionable processing.

Tesco’s Clubcard scheme is a useful example. Clubcard is a loyalty scheme, clearly based on profiling. The user knows that when they swipe their card, their purchases are analysed so that tailored offers and vouchers can be provided. Needless to say, Tesco also use the data for their sales and marketing strategy. If you look at the T&Cs for the Clubcard scheme, you will not find references to data sharing with third parties for wealth screening. They don’t need to – they can analyse your purchases instead. The user knows that profiling is inherent to the scheme, and they are not required to participate when shopping at Tesco. I have a Clubcard because I understand the system and I don’t believe that Tesco flogs my data. The profiling is the basis on which the whole thing operates. I have a choice about whether to shop at Tesco, and separately, whether to have a Clubcard when I do.

On the other hand, the RSPCA profiled seven million donors after they donated; presumably the lion’s share of all people who donated to the charity. The RSPCA did not tell people that this was the purpose for which their data would be used, and nobody outside the charity sector was aware of what was happening. Unlike Clubcard, donors could not participate without being screened and analysed by the charity. I have used the wealth-screening example on many of my training courses. The reaction is always surprise, and often revulsion. Nobody ever leaps to the charity’s defence because secret profiling is a dodgy way to do business.

Pidgeon’s squeamishness about describing the process – the daft example of the story in the newspaper, his emphasis on data being gathered from the public domain – suggests that fundraisers are more ambivalent about their methods than they might like to admit. The existence of five facts in five separate publicly accessible places is different to the combination of those facts in one place, gathered with the intention of tailored marketing. A profile is greater than the sum of its parts, and people should be told that it exists. Pidgeon isn’t alone in his approach – Chris Carnie, the founder of ‘prospect research’ company Factary erroneously characterised myself and others as saying that using public domain data is “an intrusion into an individual’s privacy. That searching for a named individual in Companies House fundamentally affects the rights of that person”. All I said was that such research should be transparent, but this isn’t news that Carnie and his colleagues find palatable. Ide’s company goes as far as to assess the ‘ethical credentials’ of a donor, which sounds a world away from noticing a story in a paper.

The Daily Mail is a revolting newspaper – the worst combination of small-minded, petty conservatism and curtain-twitching prurience. It is a matter of ongoing annoyance to me that the Mail is one of the very few national news outlets that covers Data Protection issues with any enthusiasm. I really wish the Guardian or the Times had exposed the ghastly exploitation of vulnerable people like Samuel Rae, or their hunger for information about possible donors. I wish Dispatches’ fine work on the shameful state of some fundraising call centres had got more attention. Nevertheless, none of this is the Mail’s fault, and fundraisers’ relentless blame-shifting needs to be called out for the cant that it is. Everyone knows whose fault this is.

The charity and fundraising sector isn’t in a mess over data protection because of the Daily Mail, and it isn’t there because of the Information Commissioner. This problem is the fault of some fundraisers and their agents not obeying the law, and trustees who didn’t ask them enough questions. MacQuillin claims that almost everything that has happened to the fundraising sector over the past two years is because of ‘fake news’; Olive Cooke’s death wasn’t, her family says, the result of the spam tsunami that charities subjected her to. For one thing, this claim disgracefully ignores Samuel Rae, whose story would have caused the same interest even if it wasn’t the sequel to Olive Cooke. Moreover, it is itself fake news. If some of Pidgeon and MacQuillin’s compadres had done their job with a greater interest in the law, they wouldn’t be here now. This is the second or third time I have written this blog. With 11 more possible fines, and fundraisers still in denial about what they have done, I’ll probably have to write it again before long.

Small change

Some senior figures in the charity sector have sought to deal with the Information Commissioner’s recent enforcement against the RSPCA and the British Heart Foundation by suggesting that the ICO’s action is disproportionate and unfair. The fundraiser, sorry, academic, Ian MacQuillin has written two blogs which touch on the theme, while a few days ago, Robert Meadowcroft, the Chief Executive of Muscular Dystrophy UK tweeted:

If the is impartial regulator it will investigate practices of and not simply pursue charities

As 2016 is now disappearing over the horizon, I thought it was worth testing the hypothesis that the ICO is taking disproportionate action against charities, and the fines and other enforcement against charities are unrepresentative. TL;DR – it’s complete nonsense.

In 2016, the ICO issued 34 civil monetary penalties – 11 under the Data Protection Act, and 23 under the Privacy and Electronic Communications Regulations (PECR). There are a number of different ways of looking at the figures, and none of them show any evidence of disproportionality.

1) Charity CMPs as a proportion of the total in 2016

Of the 34 penalties, 2 were against charities, so 6% of the ICO’s CMPs in 2016 were against charities.

2) Amount charities were fined, as a proportion of the total in 2016

The CMP total was £3,225,500. The total of CMPs issued against charities was £43,000. This is 1.3% of the total.

3) Proportion of Data Protection CMPs issued to charities in 2016

If you look only at the CMPs issued under Data Protection, the charity proportion is not insignificant – there were 11 DP CMPs, so the 2 charity CMPs are 18% of the total – the same as the police, 1 more than councils, but less than the private sector or the NHS (3 each). However, this is the only comparison where charities feature significantly, and they are not the dominant sector. The next two comparisons are also instructive.

4) Proportion of PECR CMPs issued to charities in 2016

None. This is despite widespread breaches of PECR by charities, including phoning donors who are on TPS and sending texts and emails without consent (for example, the vast majority of mobile numbers gathered via charity posters in 2016 were obtained in breach of PECR).

5) Proportion of CMPs issued for marketing related activities in 2016

There were 21 PECR CMPs related to marketing, and 2 DP CMPs related to marketing, making 23 marketing CMPs in all. 2 were against charities, which is 9.5% of the total. Given the big charities’ disastrous approach to marketing, this relatively small number is astonishing.

6) Level of CMPs in 2016

The average DP CMP was £108,500; the average charity DP CMP was £21,500.

The average PECR CMP was £84,666.75; there were no charity PECR CMPs.

The highest DP CMP was £400,000; the highest charity DP CMP was £25,000.

7) Other enforcement in 2016

There were 22 enforcement notices issued by the ICO in 2016, 8 under DP and 14 under PECR. 1 of the 8 DP enforcement notices was against a charity, which is 4.5% of the total, or 12.5% of the total DP enforcement notices. Either way, it is a small percentage of the total. Again, if you count the number of marketing related enforcement notices, there were 15, of which 1 was against a charity. This is 6.6% of the total.

8) CMPs since 2010

There have been 69 DP CMPs since 2010 that I can find (they drop off the ICO’s website after a few years); 4 were issued against registered charities, which is 5.8% of the total. The average DP CMP was £114,163, whereas the average charity CMP was £78,250. It is worth noting that these figures are slightly skewed by the £200,000 penalty against the British Pregnancy Advisory Service, which is a registered charity but receives most of its funding from the NHS.

The CMP against the British Heart Foundation was the 8th lowest CMP overall, while the CMP against the RSPCA was the 9th lowest. The only organisations to receive lower penalties than the charities were small businesses, unincorporated associations, and a bankrupt lawyer.

There have been 47 PECR CMPs that I can find since 2012; none have been issued on charities, which is 0% of the total.

Conclusion

These figures will likely be different in 2017. The ICO has signalled that more DP enforcement against charities is coming, and so the proportion of DP penalties may rise when the totals are in, but that depends on a variety of different factors including the number of other penalties and the ICO’s general approach. However, when you look at the facts for 2016, MacQuillin and Meadowcroft are wrong. Despite years of ignoring the Data Protection and PECR requirements in favour of a flawed, fundraiser-driven approach, the ICO has not taken disproportionate action against the charities. The action taken is a small percentage of the overall total. Special pleading and blame-shifting will not help the sector. Compliance with the law will.

Culture, Media and Spam

Most of the news and comment I heard about the Queen’s Speech suggested that it was a hole in the air, with the Government wanting to avoid doing anything of any consequence before the resolution of the EU vote in June. It was a surprise, therefore, to see provisions in the proposed Digital Economy Bill that will change the face of direct marketing.

At the moment, the rules for direct marketing are a mixture of Data Protection (for postal marketing) and PECR (for email & texts, live calls, automated calls and fax). PECR breaks down into subsets, with some forms of marketing requiring consent (email & text, automated calls, fax) and some done without consent and with opt-out (live calls, with the ability to opt out of all calls via the Telephone Preference Service).

But consider this line from the full version of the Queen’s Speech:

Protection for consumers from spam email and nuisance calls by ensuring consent is obtained for direct marketing, and that the Information Commissioner is empowered to impose fines on those who break the rules.

My first reaction to this was that the Department for Culture, Media and Sport were incompetent: PECR already requires consent for email, and the Information Commissioner already has the power to impose fines for breaches of consent. Whatever else, this is still true, and DCMS should explain why they are announcing things that have been in place since 2003 (consent for email) and 2011 (fines) respectively. Nevertheless, it’s impossible to interpret this sentence as meaning anything other than a change in the rules for live calls. It’s not earth-shattering: it’s only lawful to cold-call people who aren’t on TPS and who haven’t directly opted out, which is probably a minority of the overall population. But nevertheless, the proposal as written abolishes the need for the Telephone Preference Service and inverts current practice.

It certainly has the merit of neatness: PECR would make more sense if all electronic direct marketing had to be opt-in. However, it will have consequences far and wide. There are plenty of lead generators and telemarketing companies who still make cold-calls, and they would be dead in the water. I would shed no tears over this (I think the lead generation and list broking industry is fundamentally unlawful, and most of the folk in the call centres would just end up in hopefully less rancid call centres). However, killing off the telemarketing industry is bold.

It will also create an even more stark contrast with the Fundraising Preference Service, which in its current form allows someone to stop all contact with all charities. It’s not even clear whether a person will technically be able to opt-in to individual charities that they do want to hear from if they’re on the FPS. It would be moronic if this situation wasn’t clarified, but people who do moronic things tend to be good at maintaining their standards. Given that the Digital Economy Bill apparently puts all* electronic marketing on an opt-in basis, charities might legitimately argue that the FPS is unnecessary, and they would have a point.

There are other issues. If all email marketing has to be done on the basis of consent, this also presumably kills off the ‘soft opt-in’. The ‘soft opt-in’ allows a company to send email marketing on an opt-out basis, as long as the email address in question has been obtained in the course of a sale, and as long as the products being marketed are their own, and are similar to the one that was originally purchased. Requiring all email marketing to be done on the basis of consent would remove this option (NB: if you think the absence of an opt-out can be interpreted as consent, you are a moron).

Finally, the proposal doesn’t mention texts, hence my * above. Texts are as much of a nuisance for people as live calls or emails, and have been the subject of routine enforcement action by the Information Commissioner since 2011. PECR treats email and text as the same, so it’s entirely possible that the Government are treating them so. It’s equally possible that this is a back of a fag packet proposal to bulk out a weak bill in a thin speech. One indicator that this might be the case is that the Information Commissioner, explicitly mentioned in the proposal, has not reacted to it in any way. There is no press release, and not a single tweet, despite a run of tweets this week about nuisance calls and other PECR related action. One could be forgiven for thinking that they didn’t know about it (I will be doing an FOI to find out).

You might think that spinning 833 words out of a single sentence is overkill, but on the face of it, the proposed change will have a considerable impact. I hope that, like me, you will be watching the progress of the Digital Economy Bill with interest.

Consenting adults

Around two months ago, the Etherington Review into charity fundraising and governance published a series of recommendations about the way the sector should be run. The most eye-catching and ridiculous is the Fundraising Preference Service, which I wrote about at the time. The reaction to the FPS from charities has been almost universally negative, with a series of articles appearing in charity publications and on charity websites, all condemning the idea that the public should be able to stop communications from charities.

There is nothing in Data Protection, the Privacy and Electronic Communications Regulations (PECR) in general or the Telephone Preference Service (TPS) provisions in particular that stops a charity from contacting a person who wants to be contacted. The FPS is non-statutory, and so cannot change it. Since 1995, Data Protection law has been built on a requirement that any contact based on consent requires a freely given, specific and informed indication of the subject’s wishes. That’s what the Directive says, so any claim that somehow the upcoming DP Regulation represents a significant shift in how consent works is exaggerated. The problem for some charities is they have ignored this. When I make a donation, that is a freely given, specific and informed indication of my wish to make that donation. If the charity wants to call me, or text me and rely on consent, they need a freely given, specific and informed indication that I want to be called.

The current practice of charity posters that ask for a quick £3 or £5 text donation for a specific cause is a classic example of how this doesn’t work. Yes, there is minuscule small print on the poster that indicates that further calls or texts will be made and I can opt out, but unless one has carried a magnifying glass onto the Tube or into the toilet cubicle, the text is impossible to read, and easy to overlook. Many charities using the one-off donation technique seem to be doing so to harvest mobile numbers for fundraising calls. In Data Protection terms, this is unfair and does not represent consent (breach of the 1st principle); in PECR terms, if the number is on the TPS, the charity has not obtained consent and any calls made to a TPS registered number harvested in this way will be unlawful.

An article in Civil Society published shortly after the FPS proposals were first mooted contains this key quote:

The idea is that members of the public would be able to simply and easily add their names to a “suppression list” so they would not be contacted by fundraisers. Rather than rely on charities using the existing mail and Telephone Preference Services, the FPS would allow you to put a stop to all contact with charities.

The TPS already allows you to put a stop to all contact with charities by phone, along with everyone else. Charities are not unfairly discriminated against by the TPS, any more than any other sector might be. The TPS is a blunt instrument, but it is a fair one. The fact that charities see the FPS as being a problem suggests to me that they either don’t understand the TPS (they believe the donation = consent nonsense), or they think they can ignore it. Civil Society reported at the end of October that the Institute of Fundraising (which represents, remember, organisations that make money out of fundraising, rather than charities themselves) was changing its guidance in line with the expectations of the Information Commissioner’s Office. The IoF nevertheless claims that this change (i.e. complying with PECR) “unduly” restricts the ability of charities to “maintain relationships with their supporters”.

Donation = consent isn’t the only myth that has been propagated. Civil Society’s David Ainsworth claimed a few weeks ago that all the blame lies at the door of the ICO (and that’s often a valid argument). The problem is, the story isn’t true. Ainsworth said “In 2010 David Evans, a senior data protection manager at the ICO, explicitly told charities they were allowed to call people registered on the TPS, so long as they received no complaints. Just in case there was any doubt, this was followed up with official guidance which effectively said that the ICO did not intend to apply the law to charities.” I asked Ainsworth on Twitter if he could provide evidence that this is what the ICO said. All he could provide was a note written by the Institute of Fundraising, who are hardly objective. But even that note contradicts Ainsworth’s article, stating the TPS position clearly, with only a little bit of nuance.

TPS regulations ‐ any person registered on the telephone preference service (TPS) cannot be called unless they have advised the calling party that they are happy to receive calls. In practice, a charity might judge that, given the nature of the relationship between them and the supporter, they might be able to make a marketing call to that subscriber despite TPS registration.

In truth, what Evans said is a line I have heard many times from different ICO people – if a data controller thinks it has consent, acts on that consent, and crucially, the ICO doesn’t receive any complaints, then they probably had consent. In other words, the ICO won’t act on complaints it hasn’t received. The ICO did not give charities an exception. Should any charity have bothered to investigate, they would have found that ICO has no power to do so. The problem was, as Christopher Graham told Parliament last month, there were thousands of complaints about charity direct marketing, but they were all going to the Fundraising Standards Board, a self-regulatory body that regulates the Institute of Fundraising’s code. The FRSB did not pass any of the complaints on to the Information Commissioner.

**UPDATE: originally, this blog said that the Fundraising Standards Board was ‘run by’ the Institute of Fundraising, which was poorly worded shorthand, treating the IoF as if they are the embodiment of fundraisers and charities. The FRSB is a membership body, paid for by its members (who are charities and fundraisers), and its role is to act as a self-regulator for the Code of Fundraising Practice drawn up by the IoF. I don’t believe that the FRSB is properly independent of the Institute of Fundraising, not least because they ‘enforce’ a code written by the IoF, and which was legally inadequate. I’m not the only person who thinks this: post-Etherington, the FRSB is being abolished, and responsibility for the Fundraising Code is being transferred to a new regulator. The IoF’s Chief Executive welcomed the new regulator’s creation (tacitly welcoming the abolition of the FRSB), and recognised that moving the Code from the IoF to the new regulator was necessary to avoid the perception of a ‘conflict of interest’.**

The biggest barrier to charities accepting legal reality – either by complying with the TPS, or with some workable version of the FPS if such a thing is possible – may be the fact that some in the sector don’t really believe in consent at all. Matthew Sherrington, a consultant writing in Third Sector this week, wasn’t exactly subtle: “The awkward truth, which is difficult for charities to argue publicly, is that the generous public (the UK is the most generous in Europe, as it happens) do not give off their own bat, but need to be asked” (my emphasis). The same argument was made by Ian MacQuillin, blogging on behalf of Rogare, a fundraising think tank: “Everyone knows that most people give because they are asked to do so” and later on “I suspect that the FPS would be used not just by people who really are on the receiving end of such a deluge of fundraising material that it was making their lives a misery; but more by people who want to spare themselves the difficult choice of deciding how to respond to a donation request, and the guilt and cognitive dissonance that results when they say no”. The thinking that runs through both articles, and others, is that fundraisers must be able to ask, that the potential donor / prospect / target (which is what we all are to the fundraiser) should not be allowed to opt-out of being asked. We should have to listen to the pitch, and should be forced into the awkward, embarrassing (or in MacQuillin’s word) guilt-ridden option of saying no. There is, in this world, something inappropriate, even immoral in having a choice about whether to be approached in the first place.

**UPDATE: I have had a long Twitter conversation with Matthew Sherrington. He hasn’t put a comment on the blog (which he and anyone is welcome to do) but he thinks I have misrepresented what he said about consent and marketing, and I think that I should mention this. I stand by my comments above, but I’m linking to his article again here so you can read it and make up your own mind about what he says.**

It’s possible that fundraisers and consultants genuinely don’t understand the TPS, don’t understand that it’s already supposed to be possible to opt-out of every marketing phone call, or that texts and emails are opt-in in the first place. Fundraisers see widespread abuse of PECR and Data Protection, so assume that it’s all fine and that daft proposals like the FPS represent unfair singling out of the charity sector. At this point, it is fair to criticise the Information Commissioner for their generally insipid enforcement. I think there is also a sense of entitlement among charities (which is one thing, as most charities have a clear public interest objective), but also among fundraisers (who are, in the main, just private businesses making a profit). There are no exemptions. There is no charity carve-out or defence. The European Data Protection Directive, from which everything in UK DP and PECR law is derived, makes clear that charities are included along with everyone else. It’s in article 30, if you’d like to check.

In amongst all of the anger and self-justification available in the charity press, one article in Civil Society also caught my eye: “Trust in charities is at its lowest point since 2007, with charities now less trusted than supermarkets”, according to a survey carried out by nfpSynergy. Some might blame the Daily Mail and Camila Batmanghelidjh, but purely anecdotally, on every training course about direct marketing that I have run in the past five years, the main examples people come up with for poor quality, persistent, sometimes rude marketing calls are either PPI or charities. Fundraisers and charities alike need to ask themselves if they want to be in company with spivs and spammers. Rather than try to rewrite history, or the law, or continue to adopt an approach based on pestering and guilt, perhaps the big charities should look at a business model that is bringing them into disrepute. There is a real question about how they raise funds without marketing calls and other contacts to people who don’t want to receive them, but the only solution to this is to get PECR and the DPA amended to remove charities from the marketing requirements. As this would deprive the public of their existing rights and mean that the UK is in direct breach of EU law, I doubt they’ll get very far. I still think the Fundraising Preference Service is unnecessary in the light of existing provisions, but if it is implemented in some meaningful form, and finally gets the message across to the most unrepentant of charity spammers, maybe I’m wrong.

King Canute famously stood in the waves and ordered back the sea, but only to show that his powers were limited. Some charities and fundraisers are up to their necks in water, but think that they have the ability and the right to turn the tide of history. If they don’t wise up, they will drown.

Liberal Spamocrats

The Varsity newspaper reports a scandal in academia, as Julian Huppert stands accused of spamming Cambridge’s students with crass emails about revenge porn. As well as reflecting the understandable annoyance of students at the spam and its triggering content, Varsity links Huppert’s spam to a similar incident at Bath University in April. Bath students received unwelcome missives from the outgoing LibDem MP Don Foster (who based on the photo in the Bath Chronicle is presumably stepping down to spend more time running Gringotts Bank).

The question raised by Varsity is whether Huppert, Foster and the LibDems have breached Data Protection and wider privacy law. There is an entirely separate question about election law which I am not qualified to answer, so I won’t. Two pieces of legislation could impinge on the LibDem spam – Data Protection and the Privacy and Electronic Communications Regulations. As the emails are plainly marketing, aimed at encouraging students to take the yellow pill, it’s tempting to assume that the more important law is PECR. This is not the case. PECR does require the sender of marketing emails to have consent from the recipient, but only if that recipient is an ‘individual subscriber’. As long as the spam was sent to a student’s university email address (which appears to be the case in both incidents), they are not individual subscribers. The university is a corporate subscriber, and so the requirements of Regulation 22 (which covers email and text marketing) do not apply. So, game over, but only for PECR.

I cannot see a sensible argument that the email addresses that contain a student’s name are not personal data, so even if PECR is off the table, Data Protection is still in play. It’s impossible to tell exactly how the LibDems obtained the addresses in either case, but given that they can’t deny that masses of emails were sent, and there is no suggestion that consent was obtained (which would clear up most of the DP problems at a stroke), I’d be fascinated to hear how Huppert, Foster and their party ensured that the Data Protection requirements were met.

The first Data Protection principle requires that data be obtained fairly, lawfully and according to a set of conditions. If they wanted to harvest the emails for marketing purposes, the LibDems at either university would need to do so fairly. The only hint about how the data was obtained comes in the Bath story, where the LibDems state that the email system was not accessed without university authorisation, and that email addresses were “all in the public domain”. The public domain issue would be irrelevant if the university had provided the emails to the party, so I assume that the emails were harvested by a LibDem-supporting student or staff member from the University address book (any member of the LibDems is welcome to correct me, but only if they’re willing to tell me what happened if this didn’t). The Information Commissioner recently told the Samaritans that data on Twitter was still personal data even though tweets really are in the public domain, but email addresses held in a University address book or similar source are not in the public domain. They’re available to staff and students, but I’m not a Bath or Cambridge student, so I can’t get them. The universities are the Data Controllers for the email addresses, and while I’m sure that it is true that whoever hoovered them up had legitimate access to the system, their use of the data was problematic. Section 55 of the Data Protection Act states that it is a criminal offence for a person to ‘obtain or disclose’ personal data ‘without the consent of the data controller’. I’d be keen to see evidence that the LibDems had consent from the universities to use the emails, and will happily publish it here if it is provided to me.

To use the email address for political marketing is a new purpose, so the LibDems would need either to tell students that their email addresses were being harvested (which they didn’t), to have an exemption from fair processing (which they don’t have) or to claim that telling students that their email addresses were being harvested for unsolicited marketing purposes involved disproportionate effort (I believe the technical term for that is ‘bollocks’). Moreover, the LibDems would need a condition for processing the email addresses for marketing. They don’t claim that they had consent, so they must think that the use of the email addresses was necessary for a legitimate interest, and their use of the email addresses did not cause any unwarranted prejudice to the rights and freedoms of the students, which is the only available condition. If that’s their argument, they should say so, and be willing to defend it against an equally legitimate argument that sending unsolicited political messages is a breach of students’ privacy. Of course, what I think really happened was that they snorted up the email addresses without any consideration of the DP implications, which is shameful, especially as Huppert claims to be in favour of privacy.

The sense of entitlement here is overwhelming. Cambridge LibDems limply defended their spam with the following: “We have sent a number of emails to students over the last two years to keep them informed of Julian’s activities. All of these have included the appropriate opt-outs”, while the Bath contingent had already said that they would stop sending emails after a previous incident in February. All the political parties are guilty of the same arrogance (although the LibDems have recently been warned off by the ICO, and were the only political party who outright refused to stop sending me marketing). The rules are simple. You cannot obtain personal data and use it for your own purposes just because the data is available or easy to obtain. You have to tell people that you are obtaining and processing their data unless you have an exemption. You cannot send unsolicited marketing to people and justify it purely on the basis that they can opt out. The subject does not have to do the work: you have to do the work. The sight of political parties who seek to make the law acting as if it does not apply to them is one of the worst aspects of the election season, and whatever happens after May 7th, at least we might enjoy a period of being left alone.