Liberal Spamocrats

The Varsity newspaper reports a scandal in academia, as Julian Huppert stands accused of spamming Cambridge’s students with crass emails about revenge porn. As well as reflecting the understandable annoyance of students at the spam and its triggering content, Varsity links Huppert’s spam to a similar incident at Bath University in April. Bath students received unwelcome missives from the outgoing LibDem MP Don Foster (who based on the photo in the Bath Chronicle is presumably stepping down to spend more time running Gringotts Bank).

The question raised by Varsity is whether Huppert, Foster and the LibDems have breached Data Protection and wider privacy law. There is an entirely separate question about election law which I am not qualified to answer, so I won’t. Two pieces of legislation could impinge on the LibDem spam – Data Protection and the Privacy and Electronic Communications Regulations. As the emails are plainly marketing, aimed at encouraging students to take the yellow pill, it’s tempting to assume that the more important law is PECR. This is not the case. PECR does require the sender of marketing emails to have consent from the recipient, but only if that recipient is an ‘individual subscriber’. As long as the spam was sent to a student’s university email address (which appears to be the case in both incidents), they are not individual subscribers. The university is a corporate subscriber, and so the requirements of Regulation 22 (which covers email and text marketing) do not apply. So, game over, but only for PECR.

I cannot see a sensible argument that the email addresses that contain a student’s name are not personal data, so even if PECR is off the table, Data Protection is still in play. It’s impossible to tell exactly how the LibDems obtained the addresses in either case, but given that they can’t deny that masses of emails were sent, and there is no suggestion that consent was obtained (which would clear up most of the DP problems at a stroke), I’d be fascinated to hear how Huppert, Foster and their party ensured that the Data Protection requirements were met.

The first Data Protection principle requires that data be obtained fairly, lawfully and according to a set of conditions. If they wanted to harvest the emails for marketing purposes, the LibDems at either university would need to do so fairly. The only hint about how the data was obtained comes in the Bath story, where the LibDems state that the email system was not accessed without university authorisation, and that email addresses were “all in the public domain”. The public domain issue would be irrelevant if the university had provided the emails to the party, so I assume that the emails were harvested by a LibDem-supporting student or staff member from the University address book (any member of the LibDems is welcome to correct me, but only if they’re willing to tell me what actually happened). The Information Commissioner recently told the Samaritans that data on Twitter was still personal data even though tweets really are in the public domain, but email addresses held in a University address book or similar source are not in the public domain. They’re available to staff and students, but I’m not a Bath or Cambridge student, so I can’t get them. The universities are the Data Controllers for the email addresses, and while I’m sure that it is true that whoever hoovered them up had legitimate access to the system, their use of the data was problematic. Section 55 of the Data Protection Act states that it is a criminal offence for a person to ‘obtain or disclose’ personal data ‘without the consent of the data controller’. I’d be keen to see evidence that the LibDems had consent from the universities to use the emails, and will happily publish it here if it is provided to me.

To use the email address for political marketing is a new purpose, so the LibDems would either need to tell students that their email addresses were being harvested (which they didn’t), they would need an exemption from fair processing (which they don’t have) or they would need to claim that telling students that their email addresses were being harvested for unsolicited marketing purposes involved disproportionate effort (I believe the technical term for that is ‘bollocks’). Moreover, the LibDems would need a condition for processing the email addresses for marketing. They don’t claim that they had consent, so they must think that the use of the email addresses was necessary for a legitimate interest, and their use of the email addresses did not cause any unwarranted prejudice to the rights and freedoms of the students, which is the only available condition. If that’s their argument, they should say so, and be willing to defend it against an equally legitimate argument that sending unsolicited political messages is a breach of students’ privacy. Of course, what I think really happened was that they snorted up the email addresses without any consideration of the DP implications, which is shameful, especially as Huppert claims to be in favour of privacy.

The sense of entitlement here is overwhelming. Cambridge LibDems limply defended their spam with the following: “We have sent a number of emails to students over the last two years to keep them informed of Julian’s activities. All of these have included the appropriate opt-outs”, while the Bath contingent had already said that they would stop sending emails after a previous incident in February. All the political parties are guilty of the same arrogance (although the LibDems have recently been warned off by the ICO, and were the only political party who outright refused to stop sending me marketing). The rules are simple. You cannot obtain personal data and use it for your own purposes just because the data is available or easy to obtain. You have to tell people that you are obtaining and processing their data unless you have an exemption. You cannot send unsolicited marketing to people and justify it purely on the basis that they can opt out. The subject does not have to do the work: you have to do the work. The sight of political parties who seek to make the law acting as if it does not apply to them is one of the worst aspects of the election season, and whatever happens after May 7th, at least we might enjoy a period of being left alone.

Whoops!

Yesterday, after at least a year of pondering it, the Information Commissioner asked the Universities and Colleges Admissions Service (UCAS) to sign an undertaking, agreeing to change the way in which they obtain consent to use students’ data. The data is obtained as part of the application process and subsequently used for marketing a variety of products and services, and UCAS has agreed to change its approach. It’s important to note that this is an undertaking, so UCAS has not been ordered to do anything, nor are there any direct consequences if they fail to do what is stated in the undertaking. An undertaking is a voluntary exercise – it is not served, it does not order or require, it simply documents an agreement by a Data Controller to do something.

Aspects of the story concern me. The ICO’s head of enforcement is quoted as saying: “By failing to give these applicants a clear option to avoid marketing, they were being unfairly faced with the default option of having their details used for commercial purposes” but given that the marketing was sent by text and email, the opportunity to “avoid” marketing is not what should have been in place. If UCAS wanted to sell access to university and college applicants, they needed consent – which means opt-in, not opt-out. As the undertaking itself points out, consent is defined in the EU Data Protection Directive as freely given – an opt-out cannot constitute this in my opinion. If you think that an opt-out does constitute consent, try transposing that thinking into any other situation where consent is required, and see how creepy your thinking has suddenly become. Consent should be a free choice, made actively. We should not have to stop commercial companies from texting and emailing us – the onus should be on them to make an attractive offer we want to take up, not on consumers to bat away their unwanted attentions.

It’s entirely possible that the ICO’s position on consent is better expressed in the undertaking itself, but here we have a little problem. At least when it was published yesterday, half of the undertaking was missing. Only the oddly numbered pages were published, so presumably the person who scanned the document had a double-sided original and didn’t notice that they had scanned it single-sided. The published document also included one page of UCAS’ covering letter and the final signed page of the undertaking, which the ICO never normally publishes. This mistake reveals some interesting nuggets that we wouldn’t normally know, from the trivial (the Chief Executive of UCAS signed the undertaking with a fountain pen, something of which I wholeheartedly approve) to the potentially significant (the covering letter sets out when UCAS might divert resources away from complying with the undertaking).

But that’s not the point. The point is that the ICO uploaded the wrong document to the internet, and this is not the first time it has happened. I know this because on a previous occasion, I contacted the ICO to tell them that they had done it, and many people on my training courses have also seen un-redacted enforcement and FOI notices on the ICO website. The data revealed in the UCAS case is not sensitive (although I don’t know how the UCAS Chief would feel about her signature being published on the internet), but that’s not the point either. The ICO has spent the last ten years taking noisy, self-righteous action against a variety of mainly public bodies for security slip-ups, and the past five issuing monetary penalties for the same, including several following the accidental publication of personal data on the internet.

The issue here is simple: does the ICO’s accidental publication of this undertaking constitute a breach of the 7th Data Protection Principle? They know about the risk because they’ve done it before. Have they taken appropriate technical and organisational measures to prevent this from happening? Is there a clear process to ensure that the right documents are published? Are documents checked before they are uploaded? Does someone senior check whether the process is being followed? Is everyone involved in the process properly trained in the handling of personal data, and in the technology required to publish documents onto the web? And even if all of these measures are in place, is action taken when such incidents are identified? If the ICO can give positive answers to all these questions, then it is not a breach. Stuff happens. But if they have not, it is a breach.

There is no possibility, no matter how hilarious it would be, that the ICO will issue a CMP on itself following this incident, although it is technically possible. What should happen is that the ICO should quickly and effectively take steps to prevent this from happening again. However, if the Information Commissioner’s Office does not ask the Information Commissioner Christopher Graham to sign an undertaking, publicly stating what these measures will be, they cannot possibly speak and act with authority the next time they ask someone else to do the same. Whether they redact Mr Graham’s signature is entirely a matter for them.

UPDATE: without acknowledging their mistake, the Information Commissioner’s Office has now changed the undertaking to be the version they clearly intended to publish. One wonders if anything has been done internally, or if they are simply hoping that only smartarses like me noticed in the first place.

Otherwise responsible

Last week, the Information Commissioner issued a civil monetary penalty on Direct Assist Limited, a TPS-busting personal injury firm. As Direct Assist has been wound up by HMRC, all this means is that the ICO has added itself to Direct Assist’s list of creditors and the CMP will never be paid. It turns out the ICO had served its final notice before HMRC delivered the coup de grace, so perhaps the CMP made sense at the time. However, the ICO’s PECR blog stated the following on 2nd April:

When deciding on fines, our office has to consider the financial position of the company involved. Although we need to hold unscrupulous companies to account, the law says we can’t make a company bankrupt causing it to close.

This isn’t true. The statutory Monetary Penalty guidance – the ‘law’ in question – makes clear several times that CMPs cannot “impose undue financial hardship on an otherwise responsible person”. It’s wrong for the ICO to say that they can’t bankrupt their CMP targets; they’re only prevented from crippling an otherwise responsible organisation. So what kind of organisation is Direct Assist?

Well, firstly, they’re the kind of organisation that gets wound up by HMRC. Secondly, they’re the kind of organisation that, according to the ICO press release, called someone 470 times despite them being on the Telephone Preference Service. If you Google them, you will find Direct Assist was also involved in one of the most notorious Data Protection cases of recent years. In 2011, Martin Campell, a Direct Assist employee, pleaded guilty to using confidential medical information to generate claims. The data was stolen by his then-girlfriend Dawn Makin, who was a nurse at an NHS walk-in centre in Bury. When the thefts were revealed, Makin murdered her daughter and tried to kill herself. I cannot say for certain that Direct Assist knew what their employee was doing, but as the data controller, they were responsible for ensuring that any data used for their purposes was fairly and lawfully obtained. This they clearly failed to do, and one might ask why the ICO didn’t pursue this angle. But in any case, aside from their torrent of illegal cold calls, are Direct Assist otherwise responsible? Don’t make me laugh.

It’s not just Direct Assist. In February, an outfit called HIS Energy was prosecuted at Manchester Minshull Street Crown Court for a single breach of the Health and Safety At Work Act 1974. HIS had installed cavity wall insulation in the home of Joyce Moore, an 82-year-old resident of Middleton, a town to the north of Manchester. In the process, they blocked the boiler flue. An HIS employee noticed insulation beads in the flue (apparently a tell-tale sign of the problem), but rather than mention it to Mrs Moore or her son Bob, who also lived in the house, he did nothing. He did mention it to his manager, but a decision was made to take no action that day. That night, Mrs Moore put the heating on, and she was killed by carbon monoxide poisoning caused by the blocked flue. Bob Moore and two paramedics were also taken to hospital, although they recovered.

The jury took 10 minutes to find HIS guilty, and they were fined £500,000, plus prosecution costs, although it is unlikely that the fine will ever be paid, as HIS has gone into liquidation. Until the liquidation, HIS Energy was part of the Save Britain Money Group, an organisation made famous by the BBC’s nauseating programme ‘The Call Centre’. Indeed, Mrs Moore was originally cold-called by Nationwide Energy Services, whose staff featured heavily in the programme, before her details were passed to HIS to carry out the work that killed her. The Save Britain Money Group is currently in administration after a court dispute. Nationwide Energy Services was put into administration after receiving a Civil Monetary Penalty of £125,000 from the Information Commissioner in 2013 for illegal cold calling. Coincidentally, We Claim U Gain, another member of the Save Britain Money family whose staff appeared in ‘The Call Centre’, went into administration after it received a CMP for cold calling. Neither CMP has been paid. Despite the BBC’s despicable decision to celebrate the odious Wilshire, are we seriously supposed to believe he and his companies qualify as ‘otherwise responsible’ people?

On Monday, the PECR rules changed. Gone is the requirement for damage or distress before a PECR CMP is issued – all the ICO needs to do is demonstrate a serious breach. The ICO has a good track record on PECR enforcement, so we can expect further action. I would welcome this. But there are two lessons that can be learned from these awful stories. Firstly, the law change is not enough. Direct Assist is gone, but other equally reprehensible organisations remain and its owners will probably surface in another part of the swamp. Until the ICO has powers to take painful action against the individuals, rather than the hydra-headed organisations they hide behind, they will be putting out fires and no more. However, it’s equally important that the ICO uses its revised powers to the fullest extent. Even if Direct Assist’s owners return to cold calling, HMRC’s actions have at least inconvenienced them. There is no reason why the ICO cannot do the same.

There may be otherwise responsible people breaching PECR through ignorance rather than wilful law-breaking, but I suspect they are the minority. Most cold callers and spammers are parasites, using dodgy data, feeding off the vulnerability of others, and causing misery as they line their pockets. The ICO should not shrink from shutting them down, and nothing prevents them from doing so.

Raising hell

One of the irritating things about the introduction of the EU Data Protection Regulation, the timing and final shape of which is still up in the air, is the way in which marketing companies are buzzing around, fearful of what the changes might mean. Most of them fret about the perceived emphasis on unambiguous consent, and what irritates me is that none of these idiots seem to be aware that active consent has been needed for email and text marketing since 2003 (under the Privacy and Electronic Communications Regulations, or PECR). The big change they are worried about happened more than ten years ago.

A slightly different take on the problem is doing the rounds in the charity fundraising sector. An article on the Civil Society News website encapsulates it with a suitably hysterical headline: “EU data protection proposals would kill fundraisers’ mailing lists, says report”. If the regulation contained provisions to ban marketing in general or marketing by charities in particular, this would be true and terrible. Stephen Pidgeon, a “fundraising consultant” and trustee of the Institute for Fundraising, is quoted:

“if the EU introduce compulsory ‘opt-ins’ for direct mail then the cold mailing lists that still drive minor donor fundraising will disappear and, with them, millions of pounds”

Full marks for the euphemism ‘cold mailing list’ there, when what Mr Pidgeon means is ‘junk mail’. The author of a report into this nefarious proposal, Andy Taylor, a consultant at a charity marketing agency called ‘The Desired Effect’, is equally scathing:

“There is a balance to be struck between the donor’s right to privacy and our ability to fundraise, and the current draft of the proposals doesn’t get this right.” 

The factual content of the article is awful – it asserts that charities can make marketing calls unless told not to, ignoring the existence of the Telephone Preference Service which applies to charities as it does to everyone else. It also claims that charities can use the ‘soft opt-in’ for email marketing, which allows an organisation to operate a tight opt-out system when marketing similar products to existing customers. PECR clearly refers to the soft opt-in being engaged during a ‘sale’, and the Information Commissioner’s guidance is unambiguous about what that means:

“the ‘soft opt-in’ exception can only apply to commercial marketing of products and services… [not for profit organisations] will not be able to send campaigning texts or emails without specific consent, even to existing supporters” (page 12)

The Civil Society article also complains about the possibility that the Regulation may interfere with a charity’s ability to profile potential donors. What this means is made more explicit in a recent piece published by Fundraising UK, which complained:

“charities would no longer be able to target direct marketing campaigns at specific donor profiles and would severely hamper the ability to build up prospect donor information”

I think some charities’ good works can be diluted by a sense of entitlement (I’ve blogged about the human embodiment of this in the past), and their fund-raising methods can be awful. Few commercial organisations would expect to get away with the antics of chuggers, but charities expect a free pass when hassling unwilling citizens in the street and paying a cut of donations to the companies they employ to do so. The attitude on display by Fundraising UK is even worse – would you be happy if a charity assembled information about you without your consent and then sent unsolicited marketing to you? I’d be fascinated to know if charities that profile ‘prospect donors’ comply with the first Data Protection principle by informing the ‘prospect’ that they were doing so – regardless of consent, there is no exemption from fair processing available.

I hope that those fundraisers agitating against explicit consent for marketing fail. Expecting an organisation to have permission before sending marketing isn’t just a legitimate way of setting up privacy law, it’s basic courtesy. There are already a lot of circumstances where our data is used without consent – many justified, some not. But where there is not some legal or security requirement that makes consent inappropriate, it should be the default for everyone, regardless of the effect on profit, innovation or donation. One vital aspect of privacy is having a right to be left alone, to be able to close your door and not be bothered by anyone else. The position of these fundraisers and consultants is that charities should be able to override that to get their cash. The headline of the Civil Society article is nonsense because explicit consent doesn’t kill charity mailing lists, it just makes them fair. It ensures that those people who are on the lists want to be on the lists. If fundraisers are concerned about the effect of Data Protection on their income, perhaps they should approach their targets with more respect.

Mum’s the Word

A few days ago, the organisers of the Parklife Festival in Heaton Park in Manchester sent out badly spelt text messages to those who had booked to attend. The Manchester Evening News reports that the texts purported to be from the recipient’s mum, but in fact were a plug for the festival’s after parties.

A running theme of this blog is the way in which organisations sometimes overlook or ignore the rules in order to win business, and the casual intrusion and impoliteness that this represents. Assuming that the story is accurate, I think the Parklife organisers may have breached both the law and the advertising standards code (the CAP Code).

Of course, for starters, the festival organisers need consent from recipients to send them text marketing. This has to be active, clear consent, and not some bollocks buried in the T&Cs. Even if they can satisfy the so-called ‘soft opt-in’ (where messages for similar products and services can be sent subject to an opt-out), this would need to have been done explicitly. The fact that a person has booked tickets or expressed an interest would not be enough to infer consent. Parklife’s organisers may well have done this, but given the other problems, it’s a reasonable question to ask.

Regulation 23 of the Privacy and Electronic Communications Regulations states that a marketer cannot ‘disguise or conceal’ their identity. By sending what is in fact a marketing text in the guise of a message from Mum, Parklife’s organisers have apparently breached this section. As the MEN points out and the BBC have confirmed, some of the recipients will have lost their mums, and so a text message from ‘Mum’ isn’t just crass marketing, it’s distressing. Whether or not the ICO will take action is a matter for them and presumably, may be based in part on whether they get any complaints. However, if they do take action, the NME reports that Parklife’s organisers have already apologised for ‘unnecessary personal distress’, which would presumably be a factor in any proposed PECR civil monetary penalty. A CMP can only be issued if the communication would or would be likely to cause substantial damage or distress, which seems like a high threshold. However, getting a text message from what seems to be your dead mother is probably the kind of thing that CMPs were designed to address, especially if the text arrives the day before the deceased’s birthday.

As well as PECR, many marketing communications are covered by the CAP Code, which is enforced (to the extent of forcing advertisers to withdraw offending items) by the Advertising Standards Authority. The CAP Code has a number of interesting sections:

3.1 Marketing communications must not materially mislead or be likely to do so.


3.3 Marketing communications must not mislead the consumer by omitting material information. They must not mislead by hiding material information or presenting it in an unclear, unintelligible, ambiguous or untimely manner.


3.5 Marketing communications must not materially mislead by omitting the identity of the marketer.


4.2 Marketing communications must not cause fear or distress without justifiable reason.

And finally, just for good measure,

4.3 References to anyone who is dead must be handled with particular care to avoid causing offence or distress.

I’m not as familiar with the CAP Code as I am with DP and PECR, but this sounds like a fairly open and shut case.

The MEN reports that Sacha Lord, who runs the company behind the festival, tweeted ‘So this is what it feels like to be a jar of Marmite! #LoveItOrHateIt’. I’m certain it’s more what it feels like to be a bellend, but it may be more than that. Any of the folk who received this moronic marketing may wish to consult the ICO’s website, or that of the ASA. It’s also a good example of where marketing law isn’t complex or confusing, as some marketers and their apologists like to claim. You don’t send text messages that look like they’re from people’s mum, especially because she might be dead.