Keep your PECR up (I know, I’m sorry)

The BBC reports that Bournemouth and Poole NHS PCT have got themselves into hot water by calling a member of the public using an external company in order to offer him some health screening as he was in an at-risk group. The PCT were, it seems, attempting to deal with a target imposed on them by the Department of Health. The Trust felt that it was not “practical” for them to get consent in this case.

Given that my only source is the BBC news website, I cannot make any definitive judgement about what went on, although it’s clear that the person concerned managed to convince the Information Commissioner’s Office that the use of his data was unfair. The ICO is quoted as follows: “Individuals should have been informed by the trust that they would be receiving a call inviting them to attend a risk assessment, and that this letter should ideally give them some method for asking not to be contacted”

It’s at this point, however, that I feel entitled to mount my hobby horse and ride it up and down the public highway.

The Information Commissioner’s own definition of direct marketing, found in his guidance on the subject, is ‘the offer for sale of goods or services, or the promotion of an organisation’s aims and ideals’. The rules covering any form of electronic direct marketing (i.e. phone, email, and text) come from the Privacy and Electronic Communications Regulations (usually pronounced ‘Pecker’), not from the Data Protection Act. PECR does not contain any discussion of harm, benefit of legitimate interest – its rules are simple and relatively easy to explain.

Direct marketing cold-calling by phone is legal – unless the person is on the Telephone Preference Service or has told the organisation not to call. Therefore, to make a marketing call, the organisation (in PECR terms, the ‘person’) must screen the numbers they are using against the TPS lists (which they must rent or buy from the TPS itself or a marketing company who has done so). Direct marketing emails and texts are opt-in – you cannot text or email someone without their permission, and the same is true of automated marketing phone calls.  There are some wrinkles – business and personal emails are treated differently – but for direct marketing, that’s about it.

As described in the BBC story, the PCT’s call was a marketing call. They were not calling the person to tell him results, to arrange an appointment for treatment that had already been consented to, to discuss something that was already happening. The PCT’s aims include the hitting of a target for screening of a specific group, and without previous consent, the only possible interpretation of the call is that recruiting people to join the screening is a form of direct marketing. Having worked – briefly and without particular distinction – in the NHS and having had this argument several times, I know that few health staff would agree with me. Indeed, when looking at this issue many in the public sector have the same problem – if a message is clearly of benefit to the recipient, how can we not be allowed to do it?

Although some in the private sector find ways around PECR or ignore it altogether, I have never spoken to a private sector person who didn’t see how the regulations applied to what they do. Public sector, voluntary and charity organisations are obsessed with the value or justification of their message. Labour, the Lib-Dems, the Conservatives and the Scottish Nationalists have all received enforcement notices under PECR for their use of automated marketing calls – the Scottish Nationalists perhaps personified the wider misunderstanding of how PECR works but claiming that being prevented from using automated calls of Sir Sean Connery was a breach of their human rights. It’s not. I have a right not be bothered by what you think I should be interested in, whoever you are. And PECR gives me that.

PECR is a single-minded law in this respect, caring only about the content of the message. If your call, your email, your text is designed to sell, promote, persuade or influence – it’s direct marketing. If you want to change behaviour, get people to make better choices, or even tell them something that will change or save their lives, PECR doesn’t care. Even if you don’t know who the recipient is, that’s irrelevant – this isn’t Data Protection.

Of course, the BBC coverage doesn’t mention PECR and screening against the TPS, which implies that some people in the ICO don’t know what their own position on PECR and direct marketing is, but that’s not a surprise. The point is, the next time someone has a smart idea for a communication campaign, whether it’s health promotion, news of how you’re dealing with anti-social behaviour, or the benefits of recycling, just remember to think about PECR.

Which is a bit funnier if you say it out loud.

Every time you attack the Data Protection Act, a fairy dies

According to comments reported in the Daily Mail (, Baroness Deech says that a school should be able to tell a university that a prospective applicant’s mother is an alcoholic, and their father abandoned them, without fear that the parent or child be able to find out. The inability to share information so vital to the matriculation process, coupled with the drastic effect on job references that Deech is so exercised about she cannot actually cite any examples, is so damaging that were she to be made Prime Minister for the morning, abolishing the whole Data Protection Act would be her first task.
In the years I have been working on Data Protection, I have encountered some ludicrous views on the Act’s idiosyncrasies, so I cannot say for certain that the noble Baroness’ musings are the worst. I still have a soft spot for Tom Utley’s haunting account of his niece’s flute exam results not being accessible allegedly because of the machinations of the Data Protection Act. He was clearly so thunderstruck by the story he used it twice, first in the Daily Telegraph ( and later in the Daily Mail ( I like the tale because its account of a daft teacher mistakenly using the DPA as an excuse not to give out the results, and then said results actually being obtained because a request was made under the DPA, is an advert for the legislation, not a condemnation. At worst, all Mr Utley’s story does is underline the vital need for good quality, pragmatic Data Protection training, if you know what I mean.
Anyway, Deech’s opinions are more troubling because she is not trying to fill a newspaper column, but is (ostensibly) a sensible and serious establishment figure with a seat in the House of Lords. In her fantasy PM moment, she would prevent social services clients from finding out what happened to them as children, stop individuals from correcting inaccuracies in their credit records, and ban patients from seeing their medical records. There would be no right to stop marketing, no ability to sue for damages for unfair or inaccurate uses of data. Your records would not need to be adequate or accurate. Security would be optional. And of course, the foundation of the DPA, the obligation on organisations to tell you what they’re doing with your data and why, that would be gone as well. All so that important people who know best can exchange their opinions without having to justify them. We’ve already had GPs bleating about having to hand over medical records without being able to charge insurance companies £97 for them (, and now the establishment wants to kill vital legislation so we can get back to the good old days when you could exchange information in secret. Because that never did anyone any harm, right?
It’s possible that Deech doesn’t know what else the DPA does, and in wishing to allow institutions to provide life-changing references without those affected (and other third parties) being able to assess fairness and accuracy, she doesn’t know what else she is wishing away. I doubt it – I’m sure her genuinely illustrious career in the law, academia and public service would have introduced her to its wider implications. And besides, Wikipedia claims ( that her first cousin is the UK’s Blackbelt Openness Champ Maurice Frankel, so perhaps he might have given her a few pointers. But even on its own terms, her antipathy to transparency would shift power from individuals back to organisations, allowing them to say what they like about people with impunity. It’s an elitist and undemocratic approach – but I did mention that she is a member of the House of Lords.
When writing a reference, you have to be objective, fair, and accurate. If you have a valid opinion that the person might not like, you should include it and stand by it. If organisations really want to send or receive references written by people too spineless to justify their comments, they’ll end up with references written by people who might make them up to settle scores. Indeed, Deech’s proposal would facilitate that.
The Data Protection Act is often abused. Organisations routinely hide behind ‘Data Protection’ as a cover for poor or unhelpful customer service (for example, there are several ways to quickly and easily allow family members legitimate access to a relative’s account which DP does nothing to prevent). People who are confused, uncertain or indecisive about the use and sharing of personal information sometimes use Data Protection as a shield for their hesitancy. As we enter the festive season, head teachers up and down the land may tell parents that ‘Data Protection’ prevents them from filming their kids at Nativity Plays (parents are, in that context, absolutely exempt from the Data Protection Act under Section 36). But the Act is solid and sensible, and gives us rights and protections we need to protect us from the powerful, the arrogant and the lazy. We need a better explained, better regulated DPA, not an abolished one.
So I would like to add the first item to my Christmas list for Santa’s perusal. I would like Baroness Deech to get her wish, but only for herself. Like George Bailey’s journey to a Bedford Falls where he didn’t exist in ‘It’s A Wonderful Life’, I request that Santa lets the Baroness experience a world where the admittedly imperfect but nevertheless essential Data Protection Act simply doesn’t apply to her, and anyone can share any information about her, regardless of purpose, quality or relevance. People who don’t need to can read her personnel file or her medical records, and write references that she isn’t allowed to see, or even know about. She can’t correct inaccuracies, and her data is strewn around the streets on lost pen-drives and files left on the rooves of cars.
OK, we’re all apparently experiencing that last bit, but you get the idea.

Cambridge in Thermal Image Sex Shocker

Important privacy news reaches us, hot from the virtual presses of . The council is sponsoring a plan for surveyors to tour the Cambridge area, using thermal imaging cameras to take pictures of houses. Those that are revealed to have poor insulation will be asked if they want a visit from experts who will assist them in improving the situation, and as part of the process, homeowners will be shown the thermal image of their property.
Some people will resent the idea of the council touring the streets, taking day-glo photos of residents’ homes. They could conceivably record images that may embarrass or annoy. However, Councillor Sarah Brown, an elected member who lacks nothing in imagination, has wider fears. Should amorous residents of the area be engaged in passionate relations, emitting copious body heat near the windows, their activities will be recorded.
Councillor Brown is concerned at the potential problems should the participants not be man and wife. The scheduled visit of the home insulation police could rapidly degenerate into the revelation of extra-marital affairs. You can just picture the scene: “Marjorie, what were you doing in the garage with those three men?” Or perhaps “Colin, can you explain why you are silhouetted in the front bedroom with a Rhinoceros?” OK, Councillor Brown didn’t come up with anything that specific, but I’m only following her lead.
The website has one of those wonderful news headlines at which the Daily Express is so adept: “Will thermal images catch love cheats?”. Erm, no. The company running the scheme are clear-cut in demolishing this idea, stating that the sensors cannot see through glass, and if a person was visible, they would appear only as a blur. Perhaps influenced by this, the rest of the website’s coverage is balanced and fair, concentrating on reporting the opposing views of the debate’s participants. Any hack worth their salt would at least have embellished the thermal image illustration on the story with a mocked-up image of saturnalian goings-on in the lounge. They don’t even make anything of the fact that the Council’s principal scientific officer is a Mr Dicks.
Nevertheless, despite the fact that there appears to be no real privacy worry at all, I think Councillor Brown deserves points for creativity. The average councillor tends to just find some fly-tipping or dodgy paving, and then gets themselves photographed in front of it looking cross. But no, here we have sex, invasions of privacy, domestic turmoil, and even the possibility that incriminating pictures will be sent to the wrong address and thus the infidelity broadcast to the neighbourhood in an array of strange colours. If you’re going to make a mountain out of a molehill, this is how to do it in style. So, 10/10 for technique.
My only other observation is that the story does contain the popular nugget, cited by the council in its defence, that lots of other local authorities have already signed up. In my experience, this might simply mean that they’re all wrong. But nevertheless, one can hope that if Councillor Brown’s concerns are shared in other places, they are offered a more firm reassurance than this somewhat equivocal quote from the Councillor with lead responsibility for housing: “I can’t offer you a 100 per cent guarantee but I’m reasonably confident and data protection is something I care about, and I’m reasonably confident we should be OK
So that’s OK then.

Facebook posts can mean prison

When I lived in Wigan, the most common response to seeing a copy of the local weekly, the Wigan Observer, was to turn to the page that showed who had been up in front of the magistrates. Like most people, what I wanted to know was whether anyone I had been to school with had broken into a shed or got drunk and hit a policeman with a fire extinguisher. In recent days, the Manchester Evening News, normally a paper with a rich and varied coverage, has been transformed by marathon court sittings into a multi-page version of the same thing. It’s an endless succession of self-destructive anecdotes – the guy identified by his Batman jumper, the chef who stole a camera ‘because he did not have one’, and the squaddie who tried to sell a £2000 Les Paul guitar that he claimed he had bought during the riots.
Today, I assume the MEN will go for the comparatively huge sentences for two chaps in Cheshire who tried (and thankfully, failed) to use Facebook to incite riots in Northwich and Warrington: However, the story is an object lesson in how so many people do not understand social media or electronic communications.
I’m paranoid. As far as possible, I never write anything in an email that I wouldn’t want to have broadcast. I had an email exchange recently where a friend sent increasingly rude and abusive jokes about a third party we both know, and all of my responses were basically “                    “ . I didn’t want my opinions on record, especially as the tone of an email is incredibly hard to judge.
On the other hand, Facebook, instant messaging and email allow some parts of society to extinguish the concept of an unexpressed thought. The Daily Mail is a rich seam of stories about people saying ridiculous and damaging things on Facebook and similar sites – the teacher who criticised her pupils or the girl sacked after describing her new job as ‘boring’ The Mail still hasn’t thought of different way of illustrating these stories than asking the subject to pose in front of a computer, as if it’s impossible to understand the situation otherwise. In both of these cases, people’s careers are damaged; in others, (a quick Google search will show you many), people also get sacked, or damage their reputations or ruin their family lives.
Fast forward to today, and we see these two young men going to prison (and the Mail has another one here: Meanwhile, the DisabledGo News blog reports Facebook comments allegedly made by employees of Atos, the firm delivering the work programme, describing disabled clients as ‘parasitic wankers’ and ‘down and outs’: This could have consequences both for their careers, and for the company’s contracts.
I’m far from the first to say this, but much as social media has connected the world in new and interesting ways, it has also opened the door for a lot of people to cause themselves huge damage. No matter who you are, the lesson has to be learned: THINK BEFORE YOU TYPE. Who might read what I have said? How might it be misinterpreted? Can I trust the recipients not to forward it on to everyone they know? Facebook encourages lots of friends, while an email is the ultimate form of portable, airborne information.

Naming and shaming

Last week, David Cameron asserted that “we will not let any phoney concerns about human rights” prevent the publication of images that might help identify rioters. I didn’t hear anyone raising such concerns, but Cameron clearly felt that the privacy and human rights mob were waiting in the wings to take over where the looters had left off. This weekend, Theresa May compounded this by stating that she thought that reporting restrictions should be lifted more often, replacing the standard line of ‘a 17 year old who cannot be named for legal reasons’ with the real name of the disagreeable young hoodlum.

I’ll leave the debate on stigma and shame for Peter Hitchens. The important point for information law is simply that there is nothing in the Human Rights Act or Data Protection that stops law enforcement agencies from publishing pictures of perps in order to identify them, nothing to stop them sharing images with the media to achieve this, and nothing to stop members of the public sending their own images to the media or the police. Even if the publication interfered with the privacy of rioters (which I doubt), identification of offenders would surely be necessary in a democratic society for the purposes of preventing or detecting crime (Article 8’s condition for interfering with privacy). Meanwhile, Data Protection neatly uses the same wording to allow the sharing of data in an exemption, while the sharing of images to identify rioters would surely be a “legitimate interest” that wouldn’t cause unwarranted harm.
Cutting through the schedules and sections, the summary is that you don’t have to ignore Human Rights and Data Protection – they fall entirely into line behind the sensible use of images to identify and apprehend offenders. What I’d like to know is why Cameron felt the need to make this remark as part of his landmark speech in Downing Street. I’m sure the Prime Minister’s Human Rights Act is as well-thumbed as mine, so surely he knows that privacy law supports criminal investigations. Was this a little smash-and-grab against Human Rights, just because the opportunity was there, and he couldn’t resist it?
Sounds familiar.