Fair Cop

The bedrock of Data Protection is fairness. You cannot gain consent without fairness. Your interests are not legitimate interests if they are secret interests. Unless you have an exemption or you claim that telling the person represents disproportionate effort (i.e. the effort of telling outweighs the actual impact), you have to tell the person whose data you are using the purposes for which their data will be used, and any other information necessary to make the processing fair.

The ICO’s Privacy Notices Code of Practice is not ambiguous, nor was its predecessor. It is impossible to read the ICO’s published guidance on fair processing without taking away the key message, consistently repeated for more than a decade: if something is surprising or objectionable, especially if it involves some kind of impact or sharing outside the organisation, it should be spelt out. New-ish Information Commissioner Elizabeth Denham seems to have chosen to reverse the ICO’s previously timid, unimaginative approach to the first principle with a pair of civil monetary penalties against charities. We have one each for the Royal Society for the Prevention of Cruelty to Animals, and the British Heart Foundation, with the promise of more to come. You might say it was unfortunate that charities are first in line rather than, say, credit reference agencies or list brokers (to be a touch tautological). It was the charity sector’s misfortune to fall under the Daily Mail’s Basilisk gaze, and they have to accept that we are where we are.

To issue a civil monetary penalty, there are three hurdles for the ICO to clear. Firstly, there must be a serious breach. Both charities used commercial companies to profile thousands (and in one case, millions) of donors, buying up data from publicly available sources* to assess their wealth and resources, they shared data with other charities whose identity they did not know via a commercial company, and in the case of the RSPCA, they bought contact details to fill in data that donors had provided. The average donor did not have any idea that this was happening. I can see there’s a problem that when everyone in the charity sector knows that wealth screening goes on, it seems normal. But I’ve been using it as an example on my training courses ever since the Mail revealed it, and bear in mind that these are often seasoned data protection professionals who know about data sharing and disclosure, attendees are invariably shocked and some cases revolted by what I tell them.

There is no doubt in my mind that this processing needed to be spelt out, and there is no doubt from the notices that it was not. Carefully selected third parties or partners has been a stupid lie in marketing for years, but not even knowing where the data goes is much worse than the usual flogging it to all comers. At least the list broker knows who he’s flogging it to, even though the only careful selection is the ability to pay.

The second hurdle is the need to show that the breach is likely to cause damage or distress to the affected data subjects. It’s been known for quite some time that the ICO was planning to take enforcement action over the Mail stories, and the gossip I heard from charities was that fines were likely. I’ll be honest, I wasn’t convinced. The Information Commissioner lost a Data Protection Tribunal appeal from Scottish Borders Council because they bungled the damage / distress element of a £250000 CMP over pension records found in recycling bins. ICO made a flawed claim that the loss of paper pension records was likely to result in identity theft, but Borders had an expert witness who could argue convincingly that this was not true. The link between the breach (the absence of a contract with the company processing the data) and the damage was broken, and the ICO lost.

But this case is different. The ICO does not need to make a link between an incident and a breach, because they are bound up together here. Both notices show that the ICO has given considerable thought to the distress angle. There is no question that the charities breached the first principle, and their only hope for an appeal is to convince the Tribunal that people would not be caused substantial distress by secret profiling and data sharing after an act of generosity. This is not science, and all I can say is that I am persuaded. But for an appeal to be successful, the charities will need to persuade a Tribunal with strong experience and knowledge of DP and PECR from the numerous (and almost exclusively doomed) marketing appeals.

The third element requires the breach to be deliberate or a situation where the charities ought reasonably to have known about the breach. As I have already said, the ICO’s position on fair processing is well known in my sector and available to anyone who can type the ICO’s web address. I think it’s possible that the charities didn’t know what they were doing was a breach, but in my opinion, this is because the Institute of Fundraising and the Fundraising Standards Board effectively acted as a firewall between charities and reality. The advice (often inaccurate and out of date) came from the IoF, and complaints about charities went to the FRSB and no further. When your code of practice is written by the people who earn their living from fundraising and most in your sector are doing the same thing as you are, it’s not hard to fool yourself into thinking it’s OK. But ‘everybody does it’ will cut no ice with the Tribunal. The RSPCA and the BHF are not tiny charities flailing in the dark – they are massive, multi-million pound operations with vastly greater resources than many of my clients.

Daniel Fluskey, head of Policy for the Institute of Fundraising, whose apparent lack of experience or qualifications in Data Protection does not prevent him from writing inaccurate articles for the charity sector on GDPR, has already weighed in, saying that the ICO should be providing the specific wording that charities require: “Charities need more detail on the ICO’s view of what lawful practice looks like: what form of words would have passed the test?” The Information Commissioner is the regulator for every organisation, of every size and shape, that processes personal data. If they start writing tailored wording for charities, they will have to do it for everyone else as well. It is a ridiculous demand. I think the ICO should move on to the data pools, wealth screeners and list brokers, but if she could find the time to issue an enforcement notice on the Institute of Fundraising, forbidding them ever to speak or write on Data Protection matters again, the third sector would have a fighting chance of complying.

Besides, how hard is it to find compliant wording? Nobody – especially not the trade association for fundraisers – should be allowed to present this as a byzantine and complex task. The individual doesn’t need to know what software you’re using, or whether cookies are involved. They need to understand the purpose – what are you collecting, what are you going to do with it, who are you going to give it to? This should be presented without euphemism or waffle, but it’s when you strip out the legalistic nonsense, you see the problem. It isn’t that the poor charities were labouring under the burden of complex data protection rules. They could not comply with the Data Protection Act because what they were doing (and in RSPCA’s case, are apparently still doing) is so unattractive:

  • We will share your details with unspecified charities via a commercial company. We don’t know who they are.
  • We will buy your phone number, postal or email address from a commercial company if you have not given it to us.
  • We will use commercial companies to compile a profile of your wealth and property to work out whether to ask you for further donations. If you are likely to be worth a lot when you die, we will use this information to ask you for a bequest.

When Reactiv Media appealed their PECR penalty, the Tribunal rejected their appeal and increased the penalty. Like a lot of the spammers, they put themselves into administration to avoid paying up, but this option is not available to household name charities. If either the RSPCA or BHF appeal, they are dragging themselves deeper into the mud, and very possibly spending thousands more of donors’ money to do so. If they say that what they did wasn’t a breach, or that they couldn’t have been expected to know that it was, their officers, advice and business model will be scrutinised to a doubtlessly painful extent. The claims management company Quigley and Carter found themselves described as “feckless” and “most unimpressive” in the course of being filleted during a recent failed appeal. Do charities really want that? Even if they decide to roll the dice solely on distress, does either charity really want to acknowledge a serious breach that they knew or ought to have know about in the hope of getting the fine overturned on a technicality? Do they want ICO to call donors as witnesses?

The business model of pressure selling, TPS-busting, heavy texting, data sharing and donor-swapping adopted by some of the UK’s most celebrated charities resembles nothing so much as the activities of the claims management, PPI spammers (i.e. the scum of the earth). For all the noise and bluster on Twitter and in the charity press this week, there is an uncomfortable truth that has to be faced. The hated Daily Mail unearthed it, and the ICO has rightly acted on it. Some big charities have run an end-justifies-the-means approach to marketing and they have got away with it for a decade. Fundraisers ruled the roost, and compliance has been sidelined or ignored. Given how much money the RSPCA and the BHF have raised from fundamentally unlawful practices, they should pull back and rethink how they get donations in the future. They should ignore the Institute of Fundraising’s every word on Data Protection and PECR, and like every other charity, concentrate on reading and applying the ICO’s Code on Privacy Notices and guidance on Direct Marketing.

And right now, if there is a fundraiser sitting with the two CMP notices working out how to at the same time devise a method to raise loads of cash for their cause while complying with Data Protection and PECR, I hope they wipe the floor with everyone else.

*citation needed

Actually asked questions

One of the annoying things about working on documents or advice for the public is the inevitable moment where someone asks “shouldn’t we have some FAQs?”. And then someone proceeds to write a series of questions that the organisation wants the public to know the answers to, rather than the answers to questions the public have actually asked. Frequently asked by who, is what I frequently want to know.

I am currently working on a product aimed giving data protection advice to charities. It will be free to access, and should hopefully be ready by the end of the year (early in January is equally likely). It will take into account the current DP and PECR law, the Fundraising Preference Service and associated Regulator, as well as anticipating the GDPR in several key aspects. As part of this, I would like to include an ‘actually asked questions’ section, in which people working on DP or IG for charities ask questions, and I provide the answers.

This is where you (hopefully) come in.

I want to get real questions from practitioners and volunteers working in the charity sector. There are a whole bunch of things I want to say about the topic, but questions from the intended audience are vital to make the guidance meaningful. If you have any questions about Data Protection, PECR, marketing, volunteers, security or other related matters, please send them to the following email address:

mail@2040training.co.uk

You can be specific or general. You can ask about the detail, the background, individual scenarios relevant to your work or issues that cover the whole sector. I would be happy with 5 questions, or 500. You can also tell me things you think DP guidance for charities should include. I have the content more or less planned out, but I might have missed something.

There are a few things you need to know before sending a question in.

1. You will not receive an individual answer to your question. Your question, if at all possible, will be answered in the FAQ section of the product. It may be that your question is answered in the main body of the text, in which case, your question will not feature specifically but the answer will still be there. If it is impossible to answer your question – time permitting – I will reply direct to you to explain why and give some advice if I possibly can.

2. You will not be added to any mailing list, or receive any marketing as a result of participating. If you indicate in your email that you want to know when the product is available (it will be free, and getting access to it will not involve any obligations or commitments), then I will send you a single email to let you know. You will receive nothing else and your details will not be retained for any other purpose.

3. All questions will be treated anonymously. You, and the charity you are associated with, will not be identified or alluded to in the product, no matter what the nature of the question is. Even if the question is “can we sell our donors’ data to a claims management company?’ or “can we buy data even if we think it might have been stolen?”, you will not be identified. The sole purpose of this is to make the product more useful and lively by getting direct input from the intended audience. By the way, the answer to both of the above questions is no.

4. Questions sent in after 15 December probably won’t make the cut (although I will do my best to read anything received after that)

The final shape of the product may go one of several ways, so I am being vague about what it actually is – one option is easy but less interesting, the other is better but more time consuming. Nevertheless, to emphasise the point again, it will be free, and you will receive no marketing or further contact if you choose to participate.

I very much hope that if you have any questions or queries, or other issues you would like to raise, you will send them in. Thanks for reading – if you have the opportunity to tweet or circulate this to people in the charity sector who might have questions they want to ask, I would be very grateful if you would. I cannot promise that anyone who necessarily like what I have to say, but I’m very keen to find out what you’d like to know.

Specific Heights

One of the most annoying things about interactions with organisations is the endless refrain from customer services is that you must do something for ‘Data Protection reasons’ or ‘for Data Protection’. You see it from company accounts on Twitter, from call centres, even in person. Tweak the script slightly, and suddenly it’s fine – ‘for security reasons’ or ‘to make sure I’m speaking to the right person’ are more helpful and more specific.

It’s this clunky, inelegant approach to Data Protection (alongside habitually uncritical tabloid reporting when organisations use DP as an excuse) that gives it such a bad reputation, and leads to the problem reported by the BBC today. Nobody knows what organisations are doing because the information available is turgid, legalistic and misleading.

With this in mind, permit me to provide some advice on how to write / not write privacy policies

  1. If your privacy policy mentions the phrases ‘Data Protection Act’ or “Data Subject’, you’re doing it wrong. The person doesn’t need to be told what the eight principles are or what the IG jargon is. They don’t care, nor should they. If they are reading the text, it’s because you’ve told them to or because they want to know what you’re up to.
  2. If it says how important DP or privacy is to your organisation, you’re wasting the reader’s time – this is something you demonstrate by actions, not assertions
  3. If it contains any jargon or technical language, remove it (with apologies to George Orwell)
  4. If it is written in a legal style, especially in the style of a contract, it’s rubbish. Delete it and start again.
  5. If it is a one-size-fits-all that covers all users of your services or website, it’s unfair. Again, you are wasting the reader’s time telling them about something that may never affect them. If you are telling me about exceptional or unlikely uses of my data, you’re doing it wrong. If you are telling me about things that just won’t happen because I am not that sort of client or customer, you’re doing it wrong. If it might happen but might not, tell me when it does. Fair processing is a processing, not a hurdle you clear once and never again.
  6. If you tell yourself that something is so complicated that you cannot explain it to your customers or clients, you either don’t understand it yourself, or in fact you just don’t want to explain it because people won’t like it. Either way, you’re doing it wrong.

A privacy policy / privacy notice / fair processing statement (call it what you like) has a single, real purpose. It might seem like you’re writing it to tick a legal box, but if that’s what you think you’re doing, you’re doing it wrong. The purpose of the fair processing statement is to tell the client or customer in simple, everyday language how their data will be used. Anything that does not assist in that specific job is irrelevant, and should be cut out. I don’t care about your security or the fact that you have ISO 10069. I don’t care that you use biodegradable laptops. You can shove your corporate social responsibility aspirations up your carbon footprint: tell me what you’re doing with my data.

Lawyers get a lot of stick for privacy policies (and one or two absolutely deserve it), but the occupation of the person who writes the words is irrelevant – all that matters is their intent. I’ve read many tedious legalistic fair processing statements that were written by Data Protection professionals, while I have read T&Cs written by lawyers that are a model of economy and clarity. Many of the privacy policies I see could be cut to at least 50% of their length without losing any of their meaning. This cannot be tolerated.

Organisations wrap up what they plan to do in waffling, passive-voice, corporate double-speaking Mother-Knows-Best bullshit. This is who we are. When you give us your data, this is what we plan to do with it. The fair processing statement should be short, straightforward and surprising. It should focus on those things that the punter does not expect. We are going to sell your data. We are going to use a data pool to exchange your data with other people who can probably squeeze a few pennies out of you now we’re done with you. We are going to work out what to sell to you based on what kind of person we think you are, based on data we bought from Experian and some Bulgarians we met on Fiverrr. We are going to work out whether it’s worth having you as a customer.

The limits of what you can do with personal data – unless you have an exemption – is what you can explain. In a commercial, charitable or voluntary sector environment, you won’t have an exemption most of the time. Boil the purpose down to its bare essentials and be blunt. If you can’t explain it, you can’t do it.

Any last requests?

A month ago, the redoubtable information rights expert and blogger Jon Baines wrote about an odd change on the ICO’s website. Just after the EU referendum vote, the ICO published a bold statement, calling for Data Protection standards in the UK to be equivalent to those in the EU. Shortly after, the statement disappeared. Around a week later, it was replaced by something more bland. Jon wondered why the ICO had resiled from their original position. He was, however, fortunate to receive a comment from an ICO spokesman:

“We noted the debates about different options that emerged following the referendum result and we decided to move to a simpler statement to avoid being too closely associated to any one particular position”

I believe that this statement is untrue.

After a conversation with Jon, I made an FOI request to the ICO for “Any recorded information on the decision to remove the statement, including who made the decision to remove it, and why it was removed“. Remarkably, the ICO claims to hold just one email that is relevant to my request (I’m not convinced, so I am following this up), but I think it’s reasonable to conclude that the ICO did not change the statement because they “noted the debates“. They changed the statement because the Department for Culture, Media and Sport, the government department responsible for Data Protection, asked them to.

A DCMS official emailed Christopher Graham, the former Information Commissioner, directly on 28th June:

Screen Shot 2016-08-26 at 09.07.02

The revised version is identical to the statement that you’ll find here on the ICO website.

The DCMS position is understandable – a few days after an unexpected vote, it’s not hard to imagine that they hadn’t reached a final position on GDPR. I’d be surprised if they were certain now, frustrating as that might be for the likes of me. But when the DCMS talks about it being far to early for “us” to be so definitive, they are not talking about the ICO, which is legally separate from and independent of Government. If the former Commissioner and his staff believed that the DPA is out of date and not fit for purpose, they were right to say so. Bear in mind that the statement in question was made after the vote, not when the ICO view could in any way have influenced its outcome (or when such an allegation could be made). DCMS are free to disagree with them, and indeed to ignore them if they so choose. I think GDPR-lite is a terrible idea, but they can pursue if they think it’s right. I’m not even sure I want to criticise the DCMS request – it’s quite clearly not an instruction.

However, for the ICO to change their statement (and by default, their official position on the GDPR) is a significant and worrying step. The ICO’s position can be identical to the DCMS one, but only if that’s because the ICO thinks DCMS is correct. It would be in no-one’s interests for the ICO to challenge and contradict DCMS merely to show that they’re nobody’s poodle. But Wilmslow’s reaction to the Brexit vote was clear, and now it’s not. Was the original position wrong? Is there any reason why the ICO cannot be allied to one particular position if they think it’s the right one?

Equally, if the ICO is going to change its public position, it should be honest with the public about why it is doing so. The statement on the ICO website says

At the annual report launch on 28 June 2016, Information Commissioner Christopher Graham updated the ICO statement

Whereas, what it should say is:

At the request of the DCMS, at the annual report launch on 28 June 2016, Information Commissioner Christopher Graham updated the ICO statement

As embarrassing as this might be, if the ICO is content to follow the debate about the future of the GDPR in the UK rather than leading it, it should be honest enough to admit that this is their position. I’ve already blogged about the bizarre situation that the ICO team that deals with complaints about political parties and councils are managed by a serving Labour Council leader. Here is another situation where the ICO’s ability to make robust, independent decisions appears to be compromised.

This depressing episode happened in the dying days of the previous Commissioner’s tenure; more than ever, I am glad that he is gone. We have a new Commissioner about whom I have seen and heard nothing but encouraging things. I can only hope that when faced with decisions like this in the future, Elizabeth Denham takes an more independent approach.

Virgin Berth

If there could be anything worse than the provenance and target of a Wallasey brick spawning an industry of conspiracy theorists, then it’s probably the Burning Question of whether Virgin Trains East Coast’s release of CCTV images of Jeremy Corbyn spurning unoccupied seats to enjoy the proletarian solidarity of the vestibule floor breached Data Protection laws. If I get through today without reading The Canary’s take on the matter, I will be a happy man.

Of course, the only sensible answer to the question is “It doesn’t matter“. But let’s ignore that obvious fact in favour of the following.

First, if Virgin Trains released unpixelated images of other passengers, this would be a breach of the first Data Protection principle on the basis that it would be unfair. There is no legitimate interest in doing so, and it is plainly unfair to publish images of ordinary passengers minding their own business. There is NO CHANCE ON EARTH than the Information Commissioner will take any action against Virgin for this as there is no harm to the passengers concerned, and harm is a vital threshold for any enforcement action. Individual passengers could sue, but again, they would have to demonstrate at least distress. I went from London to Edinburgh on Virgin East Coast once so I have some sympathy with this argument.

Of course, nobody would give a toss about this if it were not for the perceived slight to JC, so let’s get to that.

The first Data Protection principle requires that personal data should be processed fairly, lawfully and according to a set of conditions. Virgin’s disclosure must clear all three hurdles.

Fair – in the general sense of the word, I believe that the processing of Corbyn’s data was fair. Presumably without the company’s consent, Corbyn filmed a publicity stunt about the state of their trains. Even if the content was true, I believe Corbyn opened the door for Virgin to reply about the state of the train that Corbyn was on. Fairness does have a separate, specific meaning, which requires the organisation to tell the Data Subject who they are, what purposes the data is being used for, and anything else necessary to make the processing fair.

I can’t find the privacy notice for Virgin Trains East (if it’s not on the trains, that’s a breach), but Virgin Trains West Coast has a detailed policy on its website that includes improving customer service, monitoring operational incidents and verifying claims. If something similar is on the East Coast trains, I don’t think Corbyn has much room for complaint. I think that responding to an unauthorised publicity stunt on one of their trains is probably compatible with verifying claims and monitoring operational incidents. And besides, the Information Commissioner’s Office has invented and long tolerated a notion of ‘reasonable expectations’ – that you can do anything with personal data that the person would reasonably expect you to do. If Corbyn didn’t expect Virgin to look at their CCTV to verify his claim that the train was ‘ram-packed‘ (or even ‘rammed’ or ‘jam-packed’), he’s an idiot.

There is the nugget of an issue here – the public perception of CCTV is that it is used solely as a means of detecting and investigating crime. It isn’t – it’s used for a variety of civil, disciplinary and publicity purposes and there’s nothing in the Data Protection Act to prevent this. However, companies like the West and East Virgins tend to stress security and crime over all things when dealing with CCTV, and this creates an expectation of its own. Everything depends on the information available on the train that JC travelled on.

There is one exemption that might come to Virgin’s aid – Section 32 renders all of the First Principle void (and most of the others) if a disclosure is made for ‘journalistic purposes’ and the public interest in publication is incompatible with compliance with the principles. The language is important – one does not need to be a journalist, only to be processing for the purposes of journalism. This opens the door to widespread and enthusiastic flouting of DPA by all sorts of corporate interests, but I find it hard to dismiss the possibility altogether.

Lawful – I believe that the disclosure was lawful. A train is not a private place (except in the toilets and this probably not the time for me to raise the urban myth about CCTV in train toilets), and Corbyn’s personal data in this context is not confidential or private. I can see no other law that disclosing this data would breach, so I think they’re in the clear.

Condition – Schedule 6(2) of the Data Protection Act states that data can be processed (in this context, disclosed) if it is necessary for the purposes of a legitimate interest, as long as the processing does not prejudice the rights, freedoms or legitimate interests of the subject. Corbin made a claim about the conditions he found on a particular train – I believe that Virgin unquestionably have a legitimate interest in disclosing Corbyn’s personal data in order to comment on the accuracy of his claim. If Virgin released images of Corbyn unprompted, legitimate interests are out of the window. But Corbyn started the ball rolling, and I cannot see how the use of overt CCTV for this purpose prejudices his interests. Of course, if the images were used in a misleading way, again, legitimate interests is dead, but frankly, that’s a much bigger problem.

Other conditions might be engaged but unless Virgin have actively defamed Corbyn by photoshopping them to look like the train had seats when it didn’t (which is what I presume The Canary’s take is), I believe that the use of images was adequate, relevant, and not excessive (principle 3), and accurate (principle 4). One might question how long the images have been retained for (principle 5), but there is no statutory time period – Virgin simply have to justify that the retention period matches the purposes outlined under the first principle.

At its absolute worst, the release of Corbyn’s images might be unfair if the privacy notices on the train do not reasonably envisage the possibility of something like this happening. If Mr Corbyn was damaged in some way by this, the seriousness of the breach is increased, but not by much. It would be unlawful, but I see no public interest in taking action. Politics is a dirty business. Corbyn’s party breaches Data Protection all the time, so if he wants to take this up, he should do some digging in his own backyard.

And reserve a bloody seat next time.

UPDATE (24/8/16): The Information Commissioner has stated that they are “making enquiries” into Virgin’s disclosure of the CCTV images. The two possible enforcement routes available are a monetary penalty or an enforcement notice. The penalty requires the ICO to establish that there has been a serious breach of the Data Protection Act, likely to cause substantial damage or distress, and the data controller (Virgin Trains East Coast) either deliberately set out to breach the DPA, or knew (or ought to have known) that the breach would occur, and that the damage / distress would follow as a consequence. If you think that this incident meets that threshold, would you be interested in buying a used car?

The alternative is an enforcement notice. The enforcement notice can only apply if there is an ongoing breach that the data controller cannot or will not remedy. In other words, if Virgin promised never to disclose CCTV for publicity purposes again, it would be very difficult for the ICO to issue an enforcement notice. It would be disproportionate to take such significant action if it was clear that Virgin would not do the same thing again.

All this may be disappointing to those who wish to see Virgin, and its bearded figurehead, chastised for their assault on the integrity of JC, but this is not a serious breach. The NHS ignored opt-outs from the sharing of medical data for thousands of people over a prolonged period of time, and the worst that happened is that they were asked to sign an undertaking (an unenforceable public promise to behave better) at a time which best suited them in publicity terms. If you think that embarrassing Corbyn is worse than that, you ought to be ashamed of yourself.

The one good thing is that I don’t think the Labour Leader of Stockport Council, who moonlights as a Group Manager at the ICO, will end up dealing with the case. But who knows?