Otherwise responsible

Last week, the Information Commissioner issued a civil monetary penalty on Direct Assist Limited, a TPS-busting personal injury firm. As Direct Assist has been wound up by HMRC, all this means is that the ICO has added itself to Direct Assist’s list of creditors and the CMP will never be paid. It turns out the ICO had served its final notice before HMRC delivered the coup de grace, so perhaps the CMP made sense at the time. However, the ICO’s PECR blog stated the following on 2nd April:

When deciding on fines, our office has to consider the financial position of the company involved. Although we need to hold unscrupulous companies to account, the law says we can’t make a company bankrupt causing it to close.

This isn’t true. The statutory Monetary Penalty guidance – the ‘law’ in question – makes clear several times that CMPs cannot “impose undue financial hardship on an otherwise responsible person“. It’s wrong for the ICO to say that they can’t bankrupt their CMP targets; they’re only prevented from crippling an otherwise responsible organisation. So what kind of organisation is Direct Assist?

Well, firstly, they’re the kind of organisation that gets wound up by HMRC. Secondly, they’re the kind of organisation that, according to the ICO press release, called someone 470 times despite them being on the Telephone Preference Service. If you Google them, you will find Direct Assist was also involved in one of the most notorious Data Protection cases of recent years. In 2011, Martin Campell, a Direct Assist employee, pleaded guilty to using confidential medical information to generate claims. The data was stolen by his then-girlfriend Dawn Makin, who was a nurse at an NHS walk-in centre in Bury. When the thefts were revealed, Makin murdered her daughter and tried to kill herself. I cannot say for certain that Direct Assist knew what their employee was doing, but as the data controller, they were responsible for ensuring that any data used for their purposes was fairly and lawfully obtained. This they clearly failed to do, and one might ask why the ICO didn’t pursue this angle. But in any case, aside from their torrent of illegal cold calls, are Direct Assist otherwise responsible? Don’t make me laugh.

It’s not just Direct Assist. In February, an outfit called HIS Energy was prosecuted at Manchester Minshull Street Crown Court for a single breach of the Health and Safety At Work Act 1974. HIS had installed cavity wall insulation in the home of Joyce Moore, an 82-year-old resident of Middleton, a town to the north of Manchester. In the process, they blocked the boiler flue. An HIS employee noticed insulation beads in the flue (apparently a tell-tale sign of the problem), but rather than mention it to Mrs Moore or her son Bob, who also lived in the house, he did nothing. He did mention it to his manager, but a decision was made to take no action that day. That night, Mrs Moore put the heating on, and she was killed by carbon monoxide poisoning caused by the blocked flue. Bob Moore and two paramedics were also taken to hospital, although they recovered.

The jury took 10 minutes to find HIS guilty, and they were fined £500,000, plus prosecution costs, although it is unlikely that the fine will ever be paid, as HIS has gone into liquidation. Until the liquidation, HIS Energy was part of the Save Britain Money Group, an organisation made famous by the BBC’s nauseating programme ‘The Call Centre‘. Indeed, Mrs Moore was originally cold-called by Nationwide Energy Services whose staff featured heavily in the programme, before her details were passed to HIS to carry out the work that killed her. The Save Britain Money Group is currently in administration after a court dispute. Nationwide Energy Services was put into administration after receiving a Civil Monetary Penalty of £125,000 from the Information Commissioner in 2013 for illegal cold calling. Coincidentally, We Claim U Gain, another member of the Save Britain Money family whose staff appeared in ‘The Call Centre’, went into administration after it received a CMP for cold calling. Neither CMP has been paid. Despite the BBC’s despicable decision to celebrate the odious Wilshire, are we seriously supposed to believe he and his companies qualify as ‘otherwise responsible’ people?

On Monday, the PECR rules changed. Gone is the requirement for damage or distress before a PECR CMP is issued – all the ICO needs to do is demonstrate a serious breach. The ICO has a good track record on PECR enforcement, so we can expect further action. I would welcome this. But there are two lessons that can be learned from these awful stories. Firstly, the law change is not enough. Direct Assist is gone, but other equally reprehensible organisations remain and its owners will probably surface in another part of the swamp. Until the ICO has powers to take painful action against the individuals, rather than the hydra-headed organisations they hide behind, they will be putting out fires and no more. However, it’s equally important that the ICO uses its revised powers to the fullest extent. Even if Direct Assist’s owners return to cold calling, HMRC’s actions have at least inconvenienced them. There is no reason why the ICO cannot do the same.

There may be otherwise responsible people breaching PECR through ignorance rather than wilful law-breaking, but I suspect they are the minority. Most cold callers and spammers are parasites, using dodgy data, feeding off the vulnerability of others, and causing misery as they line their pockets. The ICO should not shrink from shutting them down, and nothing prevents them from doing so.

What’s the damage?

BTO Solicitors recently marked the publication of the Information Commissioner’s annual report with a blog by two of their advocate solicitors about the Commissioner’s recent enforcement activity. BTO enjoyed a notable coup in 2013 by overturning the ICO’s £250,000 civil monetary penalty against Scottish Borders Council. I agree with the blog’s authors, Laura Irvine and Paul Motion, that the Borders case was hopeless; it is the low point in the ICO’s obsessive pursuit of “data breaches”. For several years, Wilmslow seemed to believe that [incident = breach] was a winning formula, and when tested in the Borders case, they were found wanting. The blog asserts that in several other cases, the ICO would equally have found it difficult to defend their CMPs, and again, I agree. Borders is not the only flawed CMP, and others could probably have been overturned.

Having said that, I think their review of recent action is eccentric, even myopic. They assert that the Commissioner “has not changed his approach to “likelihood” since the Scottish Borders appeal“, selecting two examples (Jala Transport and Bank of Scotland) to support their contention. I don’t know whether these two CMPs are sustainable, but they exemplify the difference between a one-off incident and an ongoing breach. I am certain that both are the latter. Jala’s *director* routinely carried the sole copy of his customer database on an unencrypted hard drive which he placed on the passenger seat of his car, while the Bank of Scotland proved incapable of preventing staff from sending faxes to the wrong destination even after the ICO started to investigate them. I think it’s instructive that neither organisation appealed.

Moreover, the argument that the ICO is on the same track is a lot easier to make if you stick rigidly to action taken in 2013, so that’s what Irvine and Motion’s blog does. There have only been 3 CMPs for Data Protection in 2014, and I believe that each would survive Tribunal scrutiny. As always, the incidents are eye-catching – an anti-abortion hacker gets access to the identity of women potentially seeking abortion, a police station is sold with evidence tapes identifying suspects, victims and witnesses, and a filing cabinet is sold despite containing personal data about compensation payments paid to victims of terror attacks. However, I think it is likely that if BPAS did not properly maintain their website, it would come under attack from anti-abortion campaigners. It is likely that if Kent Police did not properly organise and monitor the clearance of their buildings, evidence would be left behind – and the same goes for the Department of Justice. In each case, the data was sensitive personal data, and to steal a word from BTO’s own blog, to argue that the loss of such data would not be likely to cause damage is frankly bizarre. The 2014 decisions may not be perfect, but they must have been made with the outcome of the Borders case in mind, and I think these three cases show a more robust and defensible process at work.

The blog ends by considering Christopher Niebel’s successful appeal over the ICO’s £300,000 CMP for his industrial-scale spamming. It’s unlikely that anyone will mount a campaign larger than Niebel’s, which Judge Wikeley described as “a considerable public nuisance“, so the outcome of his appeal may effectively make the UK’s current PECR regime unenforceable. Wikeley suggested that had the bar been set lower (nuisance, rather than damage or distress), the outcome of the appeal might have been different. In response, the Government is currently consulting on whether to make precisely that change. BTO’s blog opposes this, fitting the Niebel case into the narrative of a wayward, overreaching Commissioner:

The likelihood of damage must be based on more than conjecture and distress has to be more than mere irritation. If evidential thresholds are getting in the way of monetary penalties the answer is to provide the requisite evidence, not to call for the lowering of the threshold and potentially criminalising conduct that is undeserving of such categorisation.

ICO’s use of conjecture is flawed and it’s what lost them the Borders case. But the above statement takes a seemingly ideological position that PECR breaches must go unpunished unless substantial damage can be established, without explaining why the law should not be used to protect the public from intrusion and irritation. It’s not clear why Irvine and Motion are keen to keep a regime that lets spam go unpunished, and I’m convinced that leaving the threshold as it is will have that effect. Wikeley did not argue that ICO should have done a better job, but that the evidence wasn’t there to hit the target. By implication, with the test as it is, it won’t ever be. More importantly, neither the ICO nor the DCMS (the department responsible for PECR) has suggested ‘criminalising’ any conduct. To claim otherwise is a red herring.

The sending of text messages, emails or automated calls without clear consent is already unlawful; the only debate is what the penalty should be for doing so. In wanting to keep the current threshold, Irvine and Motion seem more keen to protect the rights of spammers than the public. There’s a difference between criticising a poor case (Borders) and defending a target that no-one can hit. Damage and distress is not a concept that comes from the Directive – as Wikeley says, setting the bar there was a UK decision. The Directive demands ‘an effective, proportionate and dissuasive penalty‘ and Niebel shows that we don’t have one. Leaving the substantial damage threshold in place is not (as Irvine and Motion put it) “a realistic approach to assessment of the human consequences of data breaches and PECR breaches“; to do so ignores those consequences and by default, protects the illegal spam business model.

Like Irvine and Motion, I think the ICO approach is flawed and inconsistent. However, I support civil monetary penalties for breaches of both Data Protection and PECR and I think they should be maintained and improved. Evidence of the ineffectiveness of the criminal regime abounds. A few weeks ago, the Information Commissioner announced that they had successfully prosecuted Stephen Siddell, manager of an Enterprise car rental outlet in Southport. Mr Siddell was selling data about their clients to a claims management company. When the private sector is sometimes less forthcoming about their security problems than the public sector, Enterprise should be praised for calling the ICO rather than sacking their errant manager and keeping a lid on the problem. Mr Siddell was fined £500 (plus £300 in costs and victim surcharges). The claims management firm remains under investigation and so for the moment is not being named. Meanwhile, the Mail on Sunday reports today that Jayesh Shah, a man who boasted to an undercover reporter that he sent 500,000 spam text messages a day, has been fined £4000 for non-notification (plus around £3000 in costs and surcharges) by magistrates in North London.

Mr Siddell’s future employment prospects are probably bleak, but with such small penalties, someone else will take his place. Police officers are treated fairly mercilessly when caught for data theft, but there is still a queue of cops willing to raid the PNC. Meanwhile, though the comments about his weight and dress sense in the Mail’s comment section will have been unwelcome, Mr Shah can treat the £7000 outcome as an acceptable business expense. The criminal portion of the DPA provides scant punishment for data thieves (small fines and no criminal record as the offences are not recordable). It is possible for the ICO to issue enforcement notices against spammers and those who breach DP, but the only punishment for breaching an enforcement notice is the same paltry fines. A company prosecuted for breaching an enforcement notice can be closed down and replaced by a clean twin in next to no time.

I enjoy kicking the ICO as much as the next person, and their mishandling of CMP enforcement in recent years is a matter of concern. However, across the UK, Data Protection and privacy are still more honoured in the breach than the observance. There is big money to be made out of exploiting data, and as with health and safety, too many are willing to cut corners, regardless of the harm and distress that might be caused. Indeed, I think CMPs should be broken out of the security stranglehold and applied to damaging inaccuracy and unfairness as well. Rather than keeping the PECR threshold at an unattainable level, I think we should drop it to a straightforward tariff, with a flat rate penalty for every unlawful contact (say £1 per email, £5 per text and £10 per phone call). Post Niebel, private sector organisations that comply with the law will be priced out of the market by those who don’t unless there is a change. Without effective penalties, public sector organisations without a functioning privacy culture will continue to make decisions that put data – and in some cases, the public – at risk.

In their understandable enthusiasm to knock the ICO, I fear Irvine and Motion have lost sight of the purpose of the legislation. It is there to protect the public and to facilitate lawful, legitimate business activities. Personal data should be respected and handled with care. People have a right to a private and a home life without being pestered by spivs. The law and its implementation should penalise and deter misuse, intrusion and abuse. Some organisations will comply without sanction, but we need a strong, effective regime for those who won’t.

VOTE FOR SPAM

In what is probably a precursor to a busy period of anxious politicos making a mess of marketing law, the Conservative MP for Gloucester Richard Graham has fallen foul of both Data Protection and the Privacy and Electronic Communications Regulations. Anyone, it seems, who contacted Mr Graham was added to his marketing list, and received his campaigning emails. Given that ‘anyone’ included Labour Councillor Barry Kirby, I think it’s reasonable to assume that rather than painstakingly selecting his correspondents’ details, Mr Graham was harvesting anyone who contacted him (I’m happy to be corrected if this wasn’t the case, although it makes the appearance of Councillor Kirby on his list even more bizarre). A well-known information rights training company does a similar thing, and gets very shirty when you point out that it’s illegal.

Like many spammers caught on the hop, Mr Graham fell back on the ‘anyone can unsubscribe at any time’ defence, and graciously offered to remove their data from his list. I apologise for making the obvious point, but it should not be too much to expect that people who make the law understand it. Taking the complainants’ names off the list is only the beginning. The Information Commissioner found Mr Graham in breach of both DP (the data was obtained unfairly because Graham did not tell people how their data was going to be used) and PECR (because the only mainstream option for electronic marketing is opt-in).

I think Mr Graham’s entire marketing list is contaminated. Removing the names of people who complained is not enough; because he did not ask for consent and did not tell people how their data was going to be used, potentially every email address he holds was obtained unfairly (DP breach) and the recipients of his marketing did not notify him that they wanted to receive it (PECR breach). In short, to put things right, the only thing that Mr Graham can do now is contact all of the people on his list, and ask for permission to send them marketing. If he doesn’t, he’s still in breach. UPDATE: as a commenter observes below, he should probably just trash it and start again.

This is not a political point. The Conservative Party’s use of misleading surveys recently attracted some well-deserved scrutiny, but few political parties have clean hands on marketing. Labour, the Conservatives, the Liberal Democrats and the Scottish Nationalists all have enforcement notices against them for PECR-breaching automated phone calls – the SNP even tried to argue that stopping them from using their recorded call of Sir Sean Connery breached their human rights. There is a lot of ignorance, and a strong sense of entitlement. This won’t do. Many of us will be caught up in the political cut and thrust of the next year, but others have a right to be left alone – not pestered until they unsubscribe, but for electronic communications, left alone unless we invite contact. That’s the law. So, ever enthusiastic to help, and with a view to a brutal Scottish Independence campaign with the 2015 General Election hard on its heels, I finish with a brief guide for the political parties on marketing:

The definition of marketing includes political messages, either party-specific, or more general. Encouraging people to vote for or against Scottish Independence is a marketing message. Encouraging people to vote, or to register to vote, even if you don’t mention the party, is a marketing message. There is no distinction between selling a fridge and selling a party.

There are specific rules for each form of communication:

AUTOMATED PHONE CALLS: Specific opt-in to automated calls.

TEXTS and EMAILS: Opt-in to receiving the specific communication. An unticked opt-out box is not valid, a pre-ticked opt-in box is not valid. If I haven’t actively told you that I want your emails or texts, I don’t want them.

LIVE CALLS: Opt-out, but you have to screen all calls against the TPS list, which you have to pay for if you don’t already, and you can’t call people who have told you not to call, even if they aren’t on the TPS.

POST: Opt-out.

There is no exemption for your members, for those who have filled in surveys, or those who made a donation. Politicians made these laws. No matter how inconvenient they might seem, they protect the public from being pestered by anyone with something to sell, even if it is an idea, even if it is the best idea anyone has ever had.

It’s only words

The word ‘fine’ is easier and quicker to say than the phrase ‘civil monetary penalty’. Even if you truncate it to ‘CMP’, problems still arise when you get to verbs. ‘Fined’ is OK, but ‘CMPeed’ sounds silly. Occasionally, I am guilty of using ‘CMP’ and ‘fine’ interchangeably. The average attendee on a training course needs to know that there might be financial consequences for a faltering Data Protection framework, but what they really need to get to grips with is how to build and sustain that framework. Even so, if I catch myself using ‘fine’, I correct myself, even though it might not matter in context. To be clear, when you breach Data Protection, you *UPDATE* generally *UPDATE ENDS* run the risk of receiving a Civil Monetary Penalty, and not a fine. Both involve you handing over large sums of money, but the legal context is different.

News reporting is very different to a bald man doing jazz hands on a training course. When the marketing news website The Drum reported Roddy Mansfield’s success in suing John Lewis over unsolicited emails, their clumsy use of terminology meant that their story was wrong. The headline states that John Lewis were ‘fined‘ – they weren’t, they were ordered to pay damages. If John Lewis were being fined by a court, that would mean they had been found guilty of a criminal offence. Saying that John Lewis were ‘successfully prosecuted’ is the same mistake – John Lewis were sued (civil matter) not prosecuted (criminal matter). A bigger – and in context, more damaging – error came when the article stated ‘Existing EU legislation bans businesses from promoting their wares through marketing emails unless it can be proven that the recipient consented to them or was a customer‘. The relevant law here – the Privacy and Electronic Communications (EC Directive) Regulations 2003 – does not say that organisations can market to customers. It’s consent or nothing. There is a mechanism by which, during negotiations for a sale, the standard opt-in can be switched to an explicit opt-out for marketing about similar products or services. But that’s very different to saying ‘marketing to customers is OK’.

It’s a problem that The Drum is touting this misinterpretation because it is a common misconception / excuse for badgering people. PECR doesn’t give a right to market to your customers unless they have consented. If a website that is supposed to be a reliable news source is trotting out this nonsense, marketers will keep using it as an excuse for bothering people without consent.

There are some contexts in which precision is not just desirable, but essential. In the fevered rush to leap on the eBay bandwagon a week or so ago, the Information Commissioner once again demonstrated a fondness for the word ‘breach’ when talking about a big, eye-catching incident. Graham’s comment on his website was clear, in circumstances where clarity is absent: “on the face of it, this is a very serious breach”. It is the ICO’s job to decide whether incidents involving personal data indicate a breach of one of the Data Protection principles. When Graham uses the word ‘breach’, it can only mean one thing: a contravention of one of those principles. At the time his comment was issued, the ICO hadn’t even decided whether or not to launch an investigation into the incident. Given that eBay is based in Luxembourg, I think it’s all showboating and what anyone in Wilmslow thinks or doesn’t think is irrelevant. But the terminology is important. Until the matter is investigated, we don’t know if eBay have breached anything.

Graham’s deputy, David Smith, came unstuck at the Tribunal on the doomed Borders case because he could not separate the incident (papers in a recycling bin) from the breach (lack of proper contracts). I don’t think Borders should have received a CMP, but it’s not hard to see how such confusion hampered the ICO’s case that they should have.

You could argue that the misuse of the word ‘breach’ isn’t that important, and that everyone does it except me. However, can anyone say that it’s unimportant for the ICO to explain the consequences of its actions properly? Last week, they issued an Enforcement Notice on Wolverhampton City Council, following the council’s failure to train enough of its staff by a specific deadline. Unlike undertakings, which are a grandiose slap on the wrist, Enforcement Notices have legal force. There are consequences if the organisation doesn’t comply with them. It takes only a short trip to Section 47 of the Data Protection Act to find out what those consequences are. The text isn’t even ambiguous: “A person who fails to comply with an enforcement notice, an information notice or a special information notice is guilty of an offence“.  So when the ICO’s press release says “The council must now make sure the training is provided to all staff within 50 days, or the matter will be treated as contempt of court“, it’s incorrect. Whoever wrote the press release either doesn’t know or doesn’t care that contempt of court is what happens when you breach an FOI enforcement notice. You’d think they understand the power that they actually use, rather than the one they’ve effectively retired, but apparently not.

UPDATE: the ICO picked up on a tweet that I sent over the weekend, and the offending line has now been removed.

You probably don’t care about this. My ‘ICO is clueless’ schtick has served me well over the years but it’s probably a tired routine and I need some new material.  But it matters. News reporting of data protection is terrible – the Drum’s clumsy mishandling of Mansfield’s case is the standard. Misinformation is routinely spread around, especially by those who seek to apply lower standards. If the ICO is as guilty as everyone else of sloppy language and muddy thinking, there’s little hope that anyone will understand what they’re expected to do, or what might happen if they don’t.

Call the Cops

In June 2013, the Swansea-based company CPR Global proudly announced that their nuisance-call-busting Call Blocker had received a significant accolade – the device was now endorsed by the Association of Chief Police Officers. Having been vetted by their approved agent, the Call Blocker now carries ACPO’s ‘Secured By Design’ logo. It is police approved. Every police force in the UK effectively recommends that the public purchase this fine item to protect themselves from the hydra-headed menace of cold calls, foreign scammers and stalkers.

CPR Global offer several products. One is the Call Prevention Register. The Register’s proposal is that instead of exercising your legal rights by signing up to the free, statutory Telephone Preference Service, you pay CPR so that they can give your number to a variety of unnamed foreign companies with a request – backed by no law, no enforcement powers, no international legal agreements or sanctions – that they do not call you again. One can imagine the stupefied reaction of an international phone spammer after receiving a demand for no more calls from CPR Global’s high-tech offices on a side street behind Eddie Rockets in Swansea. One of the “advantages” offered by CPR over the TPS is that the TPS do not offer guarantees to stop all calls (how could they?), whereas CPR Global ‘aim’ to prevent 100% of all unwanted calls. This is a bit like me saying that I am better than my competitors because it is my ‘aim’ to look like the actor Christian Bale. I don’t achieve it, but hey, that’s my aim. Even on their own website, CPR Global admit that if their efforts are unsuccessful, their only recourse is a complaint on your behalf to the Information Commissioner. If you are registered with CPR Global, but not the TPS, it’s possible that an unsolicited call would be legal and the ICO would be able to do nothing.

CPR Global’s other product is the ‘Call Blocker’. It stores and blocks all dodgy numbers known to the CPR, all 200 of them. That’s right, the Call Blocker will stop “nuisance calls, harassment calls, stalkers, cold calls, silent calls, overseas call centres, spam faxes & recorded messages“, but CPR Global only seem to know 200 phone numbers (otherwise, why not programme it with more?) and the device can store a maximum of 1200, as if the entire international nuisance / spam / silent / stalker calling community is an inherently finite entity.  The Call Blocker does have useful options – the ability to immediately block the person calling, and an option to block all callers who withhold their number. However, these features are not unique. BT allows you to block withheld numbers, and the range of trueCall products do similar things with considerably less hype, plus evidence to back them up. For example, they carried out a recent study with a local trading standards body. CPR publish no evidence on their website of how effective their product is – no statistics, no research. Instead, they have assertions, endorsements and bad grammar.

If you think this little black box is the answer to international phone spammers, silent calls and stalkers, get out your credit card. That’s not the point. The point is why ACPO are giving this stuff their official seal of approval. 

As a matter of principle, I don’t think that ACPO should be recommending any products, whether it’s anti-climb paint or security fences. The organisation is exploiting a crime-fighting monopoly, as no other organisation can offer a comparable crime prevention hallmark. Anyone unwilling to pay the fee ACPO charges for approval is automatically at a disadvantage, even if their product is a good one, even if it is a better one than those who seek ACPO approval.

Last year, I made an FOI request to ACPO to ask them about their approval of the Call Blocker – I asked what evidence had been obtained from CPR Global, whether any kind of technical assessment of the Call Blocker had been carried out, whether ACPO consulted OFCOM or the ICO (the bodies with statutory responsibility for nuisance / unsolicited marketing calls in the UK), and how much CPR Global had paid for ACPO’s approval. They delayed their response in order to consider Section 43 (the exemption that prevents disclosures causing commercial prejudice). In a bid to demonstrate their transparency, ACPO told me this in a password-protected PDF which prevented me from copying and pasting from it. When they finally responded (over a month late), they claimed that much of my request was “wide-ranging and does not appear to identify the precise recorded information that you are seeking“. However, they did seek to address several of the issues I had raised informally, indulging in that most successful of FOI techniques – answering a different question than the one the punter asked. The only thing I asked ACPO that they were willing to tell me straight is that CPR paid them £650 + VAT for the approval.

I asked for an internal review, which ACPO took more than 2 months to complete, and they only responded when I chased them. The internal review admitted that I had requested recorded information. They claimed that their confusion about me asking straight questions should have been resolved by asking for clarification (which would have been “do you really just want to know this?”). The sudden disappearance of commercially sensitive considerations was accounted for by the fact that information that they had considered to be in the scope of my request turned out not to be. Five months after my initial request, ACPO finally admitted that they hadn’t consulted any of the relevant bodies who work on nuisance, silent or marketing calls.

OFCOM have statutory responsibility for much of the law on phone calls; they have contracted out operation of the TPS to a specially created offshoot of the Direct Marketing Association. The Information Commissioner is responsible for enforcing PECR, the law which governs other mischief that the Call Blocker is designed to prevent. Consulting people who know what they’re doing in this area would be good practice; consulting people who enforce the law in this area would be – to say the least – good manners. ACPO did not talk to any of them before approving the Call Blocker.

Beyond confirming the lack of contact, ACPO did not refer to OFCOM or the TPS in either response, but both responses mentioned the ICO. Despite not answering most of my questions, ACPO’s first response nevertheless commented that they were not obliged to contact the ICO, though I had asked them whether they had, not whether they had to. In the internal review, they stated that consultation had “not been considered necessary“, implying (I suspect erroneously) that they had considered consulting the ICO and then changed their minds. It is impossible to imagine any organisation with law enforcement powers straying onto police territory without consulting ACPO, the local force or both. I expect that ACPO would protest loudly if anyone did. For them to be so disrespectful to their fellow enforcers is very regrettable, but to approve a commercial product without understanding the regulatory context it works in is irresponsible.

I can’t predict what the ICO or OFCOM would have said if consulted. They may have chosen not to get involved. We’ll never know. But to find out what TPS think of the company, all you have to do is look at their website, where CPR Global is listed as making ‘exaggerated claims’. In my request, I pointed the TPS’ opinion out but in their first, dismissive response, ACPO demonstrated their detective skills by telling me that the reference isn’t there, despite the fact that it is one click from the TPS front page.

ACPO’s tests to see if the company is a suitable one to receive police endorsement extended only to seeing if it actually exists (by checking with Companies House) and is solvent (by doing a credit reference check). 2040 training has a company registration and can be found by Experian, but that does not mean anything. The integrity of CPR and its owners isn’t in question. This goes for anyone seeking ACPO’s approval. To receive a police endorsement, a company should be beyond reproach and ACPO won’t find that out by simply checking the company registration. A firm of burglars could set up a security company and this wouldn’t show up at Companies House.

Beyond that, ACPO received a ‘demonstration’ of the product and some CPR commercial bumpf. Based on what they told me, ACPO did not examine how the product worked, or receive any factual information about how it works. They did receive some Chinese electrical compliance certificates, so ACPO can at least assure citizens that the item will not explode.

This will not do. ACPO is not just a private company, or a standards body minding its own business. It is a publicly funded lobby group representing an elite who are already amongst the most powerful people in the country. If they are going to give commercial products a seal of approval that derives its value from ACPO’s role as public servants, as police, they should do an aggressively rigorous, transparent job, with proper information from organisations who actually know what they are talking about. I don’t think they should do this sort of thing at all, but the approach they’re taking at the moment is a scandal.