“masterclass in not answering questions”

Just about a month ago, I had a little Twitter disagreement with Paul-Olivier Dehaye, patron saint of subject access requests. He said his tool for making subject access was brilliant and revolutionary, and I said it was shit. There was a bit more to it than that, but I was hoping to make this a short blog.

The use of third parties to make subject access requests on one’s behalf is not new – solicitors have always done it, and companies have made batched SARs at least since the bank charges furore of the last decade. The problem with a third party – or automation of the process – is that it gives the Data Controller something to play with. Dehaye admitted to me that in all the time he spent developing his SAR tool, he didn’t speak to anyone with any experience of dealing with SARs from the controller’s perspective, and it shows.

Even though one of Dehaye’s tedious cheerleaders told me that SARs were going to be “frictionless” post-GDPR, there are inevitably some bumps in the road when asking for data even in this Brave New World. The Data Controller needs to identify the application properly, and the involvement of a third party might complicate that – or might be exploited to complicate that, as anyone who has ever dealt with a poorly-written solicitor SAR can probably tell you. If there is a lot of data, the controller can ask the subject to narrow the scope of their request. If they believe that the request is unfounded or excessive, they can make a charge, or even refuse. An automated third party doesn’t make any of this easier.

Ironically given his status as pro-DP activist, I think Dehaye wants SARs to seem difficult. “In my own experience, SARs are complicated to do in a way that properly defends data subject rights” he said, but given that he’s building a business based on data, he kind of would say that. When I first encountered him, Dehaye told me that he was planning to charge subjects for using his tool; while that plan might have changed, he gets evasive when you ask whether he might charge for add-on services in the future. One of the main advantages of GDPR for the subject is that SARs are now free – the best way to exercise the right is to ask for the data direct, without the involvement of a politically-motivated middleman whose company isn’t even in the EU. I voted Remain and I think Brexit is moronic, but that doesn’t mean that weaponising SARs is a good idea. After all, someone might turn round and do it to you.

I decided to make a SAR to Dehaye’s company on the 25th May. His response, though admirably swift, wasn’t exactly the zenith of transparency that one might have hoped for. One might even describe it as a masterclass in not answering questions. I provided a variety of different email addresses and phone numbers that the company might hold in relation to me – the purpose of this was to allow the data controller to identify whether any of my data was held. I did the same thing with my request to Experian – I don’t know what data Experian holds on me, so I provided all the possible identifiers that I could think of. I don’t know what, if any, data Dehaye or his company might hold, so I needed to provide a variety of different identifiers.

EDIT: in response to a request from the data controller, click here for the full text of my request (redacted only to remove personal data that is not in the public domain) and the full text of their reply.

Article 12 of GDPR states that “The controller shall facilitate the exercise of data subject rights under Articles 15 to 22” and shall answer requests unless it “demonstrates that it is not in a position to identify the data subject” – it is plainly correct for the controller to want to know who the applicant is, in order to avoid giving data to the wrong person. However, Recital 64 says that the controller’s measures to identify the subject must be “reasonable“. Dehaye demanded that I send a separate request from each of the email addresses I specified. This means that he thinks that if an organisation has harvested emails from a variety of sources, the controller only has to disclose data if they receive confirmation from that account that it is linked to the subject. So if a person applies from a Gmail account, and the controller has harvested a work email address, even if they have linked the two together, Dehaye doesn’t think that the subject is entitled to the work-related data unless they make a separate request.

Similarly, I provided my home address, my 2 mobile numbers (business and personal) and my landline. Bear in mind, a data controller may have harvested all of this data, so the SAR applicant might need to provide it in order to say this is me, this is my data, do you have it? Dehaye’s response to this part of my request was to demand copies of phone bills for each account, and a recent utility bill for the home address. Clearly, this is the approach he would advocate for any data controller faced with such a request. As it happens, my girlfriend’s name is on the landline account, so I cannot prove that the landline is my personal data, even though it is. One of my mobiles is pay-as-you-go, so I don’t get bills, and the work mobile is on my website, and so can be linked to me without the need for unnecessary proof. As with most people, I receive electronic utility bills, and do not have them immediately to hand. Dehaye’s approach seems to be that if a Data Controller has harvested your data, subject access requires the applicant to provide a lot more personal data in order to get access.

The point of the ID check is to ensure that the person is who they say they are – once that’s done, if the controller has doubts about whether an identifier does link back to the subject (i.e. an email address), they can check, or just send any relevant data to that separate identifier. If Dehaye thinks that his approach is legally correct, there is no reason why Leave.EU, Vote Leave or any other organisation shouldn’t do exactly the same thing if they receive a SAR from now on. When I asked him in April how his tool would deal with the ID element he said “Let’s set the standard” – now we know what that looks like. It looks like giving huge quantities of personal data to someone you don’t trust.

This is a no-win – either Dehaye’s approach is right, and I have to go through an administrative nightmare when SAR-ing organisations that grab data from anywhere they can get it, providing them with a fat dossier of extra information before I can get access, or Dehaye is a hypocrite who complains about hurdles to subject access but builds a wall when asked to practice what he preaches. In any case, if Dehaye’s obstructive and unhelpful approach was correct, it would still be easier to handle without the added complication of a middleman.

UPDATE 28/5/18: Mr Dehaye has admitted that he deliberately adopted an obstructive approach because he thinks I am a trouble-maker. I believe that this is a clear breach of the GDPR; if the Data Controller Personal Data.IO is capable of playing these kinds of games, and deliberately discriminates against data subjects, I think this seriously undermines their credibility to act as an agent for other people’s SARS. The company is setting a cynical, obstructive example, and it would be catastrophic for subject rights if other controllers followed their lead.

The Purge

Throughout the campaign for the Labour leadership, various people applying to be registered supporters have had their applications rejected. The list is varied, from the film director Ken Loach and the comedian Mark Steel, through to the human equivalent of genital herpes, Toby Young. Those registering to be supporters must agree that they support the aims and ideals of the Labour Party: Loach and Steel have explicitly and recently advocated voting for other parties, while Young is a high-profile Conservative. I’m not going to lose any sleep, frankly. However, in the past couple of days, a substantial number of less well-known people have received similar missives – some were recently candidates for other parties so Labour’s ban may have some merit. But others are just ordinary people on the left. Some of them are critics of austerity, some may have said that they are voting for the Greens or the Trades Union and Socialist Coalition, or just slagged off the Labour leadership online. I think Tony Blair is a war criminal and have said so often, so I still wonder if my vote yesterday counts. Is that acceptable for Labour High Command in the current climate?

The Data Protection problem for Labour is that when we signed up to be registered supporters, there was no clear fair processing information explaining that we would be vetted or how this would be done. Some form of vetting has clearly happened – I’ve even seen copies of emails and Facebook posts that suggest a full-on witch-hunt for anyone who isn’t an uncritical supporter of the party. I’m not sure whether these are real, but there are a lot of them.

As I have previously written, Labour does not need consent to look at websites and Twitter accounts. Even though the stuff on Twitter is sensitive personal data as it relates to political opinions, Data Protection allows for sensitive data to be used if it has been put into the public domain by the data subject. Furthermore, I agree that Labour has a legitimate interest in preventing full-on Tories from voting. This means that they can rely on the ‘legitimate interest’ justification to use personal data. However, they are required not to cause unwarranted prejudice to the rights and freedoms of data subjects when doing so. This is all part of the first Data Protection principle. I believe that legitimate interest requires the vetting process to be carried out objectively and accurately. Without some form of appeal, I think the rights and freedoms of the data subjects have been prejudiced.

More fundamentally, Labour must also process data fairly. The blurb for registered supporters was thin, so as someone who signed up, I have no idea what process was gone through. Even if you are one of those (wrong) people who thinks that trawling Twitter doesn’t engage Data Protection, receiving and acting on tip-offs and reports isn’t just disturbingly McCarthyite, it would be a breach of the Data Protection Act unless registered supporters were told. There are in fact a host of potential problems (accuracy, relevance, security), but the fairness one is enough because it is insurmountable. We should have been told – we weren’t.

Even if you think such a process would be legitimate, there is no exemption from the Data Protection Act, nothing that allows Labour to do these things secretly. The exemptions in Data Protection cover legal proceedings, criminal investigations, cases referred to regulators – situations where handling personal data secretly can be justified. None of the exemptions applies to the kind of process currently at work in the Labour Party. The foundation stone of Data Protection is fairness and transparency – letting people know how their data is used, so that they can ensure it is used properly. Not for the first time, the Labour Party is acting secretively, and so I have not faith in the vetting process. I suspect it breaches the first Data Protection principle.

Data Protection gives every person a right of subject access, a right to request copies of their personal data held by any organisation. In this case, the data on which the decision was made to ban a person from voting in the leadership election will undoubtedly be personal data. Admittedly, Labour could claim that no data was recorded, but this would reveal that process to be slapdash in the extreme.

Therefore, my advice to anyone rejected by the Labour Party is as follows: make a subject access request. Find out what it was that made Labour reject you, and then publicise that. Expose this process, and dig it over. Labour did not want this to be a transparent process, but they cannot stop you from finding out what happened in your case.

To make a subject access request, you need three things:

  1. A written request, setting out your name, address and the email address you registered with as a supporter
  2. Proof of your ID. Send a copy of a passport or driving license and ask them to destroy it when they have validated your request. They can refuse to deal with your request without proof of ID, so don’t give them the opportunity to delay by asking for it
  3. A cheque for £10. Having already lost the £3 supporter fee, this will be annoying, but I doubt Labour will accept a subject access request without the statutory fee, and they can refuse to process the request without it. If you want to know what happened (or find out that it was a flawed process), you will have to sacrifice the tenner. If they are feeling generous, they won’t cash the cheque. The Information Commissioner cannot order them to waive the fee, so don’t waste your time asking them.

You may well want to send this by recorded or registered post, which ratchets up your costs even more. If you are throwing your hands up in despair at spending another £12, I’m sorry. I didn’t say you would like my advice. Explain clearly and simply that you want all of the personal data held about you as a registered supporter, including any and all information that was used to ban you from voting. You are entitled to a permanent copy of the data. It is unlikely they will tell you the names of those involved in the decision, but the reasons you have been banned must be made available. It doesn’t matter of hundreds of Labour supporters make a subject access request at once – there is no provision to refuse vexatious requests, and the Information Commissioner’s Code of Practice on Subject Access makes clear to organisations that they must be prepared to respond to peaks in demand.

Subject Access is an imperfect tool: organisations sometimes don’t record the information you expect them to. But Labour took their supporters’ money and then denied many of them a vote. Either they have to account for these decisions, or admit that they have not done so fairly. Those calling for the election to be halted to avoid a Corbyn victory should be full-throated in their demands that the banned should either get a proper explanation as required by Data Protection, or the vote should instead be halted until a proper process is undergone.

The address Labour publish to contact their Data Protection Officer is

Compliance Unit, Labour Party, One Brewer’s Green, London, SW1H 0RH

If you go for it, good luck. Drop me a line and let me know how you get on.