Otherwise responsible

Last week, the Information Commissioner issued a civil monetary penalty on Direct Assist Limited, a TPS-busting personal injury firm. As Direct Assist has been wound up by HMRC, all this means is that the ICO has added itself to Direct Assist’s list of creditors and the CMP will never be paid. It turns out the ICO had served its final notice before HMRC delivered the coup de grace, so perhaps the CMP made sense at the time. However, the ICO’s PECR blog stated the following on 2nd April:

When deciding on fines, our office has to consider the financial position of the company involved. Although we need to hold unscrupulous companies to account, the law says we can’t make a company bankrupt causing it to close.

This isn’t true. The statutory Monetary Penalty guidance – the ‘law’ in question – makes clear several times that CMPs cannot “impose undue financial hardship on an otherwise responsible person“. It’s wrong for the ICO to say that they can’t bankrupt their CMP targets; they’re only prevented from crippling an otherwise responsible organisation. So what kind of organisation is Direct Assist?

Well, firstly, they’re the kind of organisation that gets wound up by HMRC. Secondly, they’re the kind of organisation that, according to the ICO press release, called someone 470 times despite them being on the Telephone Preference Service. If you Google them, you will find Direct Assist was also involved in one of the most notorious Data Protection cases of recent years. In 2011, Martin Campell, a Direct Assist employee, plead guilty to using confidential medical information to generate claims. The data was stolen by his then-girlfriend Dawn Makin, who was a nurse at an NHS walk-in centre in Bury. When the thefts were revealed, Makin murdered her daughter and tried to kill herself. I cannot say for certain that Direct Assist knew what their employee was doing, but as the data controller, they were responsible for ensuring that any data used for their purposes was fairly and lawfully obtained. This they clearly failed to do, and one might ask why the ICO didn’t pursue this angle. But in any case, aside from their torrent of illegal cold calls, are Direct Assist otherwise responsible? Don’t make me laugh.

It’s not just Direct Assist. In February, an outfit called HIS Energy was prosecuted at Manchester Minshull Street Crown Court for a single breach of the Health and Safety At Work Act 1974. HIS had installed cavity wall insulation in the home of Joyce Moore, a 82 year old resident of Middleton, a town to the north of Manchester. In the process, they blocked the boiler flue. An HIS employee noticed insulation beads in the flue (apparently a tell-tale sign of the problem), but rather than mention it to Mrs Moore or her son Bob, who also lived in the house, he did nothing. He did mention it to his manager, but a decision was made to take no action that day. That night, Mrs Moore put the heating on, and she was killed by carbon monoxide poisoning caused by the blocked flue. Bob Moore and two paramedics were also taken to hospital, although they recovered.

The jury took 10 minutes to find HIS guilty, and they were fined £500,000, plus prosecution costs, although it is unlikely that the fine will ever be paid, as HIS has gone into liquidation. Until the liquidation, HIS Energy was part of the Save Britain Money Group, an organisation made famous by the BBC’s nauseating programme ‘The Call Centre‘. Indeed, Mrs Moore was originally cold-called by Nationwide Energy Services whose staff featured heavily in the programme, before her details were passed to HIS to carry out the work that killed her. The Save Britain Money Group is currently in administration after a court dispute. Nationwide Energy Services was put into administration after receiving a Civil Monetary Penalty of £125,000 from the Information Commissioner in 2013 for illegal cold calling. Coincidentally, We Claim U Gain, another member of the Save Britain Money family whose staff appeared in ‘The Call Centre’, went into administration after it received a CMP for cold calling. Neither CMP has been paid. Despite the BBC’s despicable decision to celebrate the odious Wilshire, are we seriously supposed to believe he and his companies qualify as ‘otherwise responsible’ people?

On Monday, the PECR rules changed. Gone is the requirement for damage or distress before a PECR CMP is issued – all the ICO needs to do is demonstrate a serious breach. The ICO has a good track record on PECR enforcement, so we can expect further action. I would welcome this. But there are two lessons that can be learned from these awful stories. Firstly, the law change is not enough. Direct Assist is gone, but other equally reprehensible organisations remain and its owners will probably surface in another part of the swamp. Until the ICO has powers to take painful action against the individuals, rather than the hydra-headed organisations they hide behind, they will be putting out fires and no more. However, it’s equally important that the ICO uses its revised powers to the fullest extent. Even if Direct Assist’s owners return to cold calling, HMRC’s actions have at least inconvenienced them. There is no reason why the ICO cannot do the same.

There may be otherwise responsible people breaching PECR through ignorance rather than wilful law-breaking, but I suspect they are the minority. Most cold callers and spammers are parasites, using dodgy data, feeding off the vulnerability of others, and causing misery as they line their pockets. The ICO should not shrink from shutting them down, and nothing prevents them from doing so.

Keep your PECR up (I know, I’m sorry)

The BBC reports that Bournemouth and Poole NHS PCT have got themselves into hot water by calling a member of the public using an external company in order to offer him some health screening as he was in an at-risk group. The PCT were, it seems, attempting to deal with a target imposed on them by the Department of Health. The Trust felt that it was not “practical” for them to get consent in this case.

Given that my only source is the BBC news website, I cannot make any definitive judgement about what went on, although it’s clear that the person concerned managed to convince the Information Commissioner’s Office that the use of his data was unfair. The ICO is quoted as follows: “Individuals should have been informed by the trust that they would be receiving a call inviting them to attend a risk assessment, and that this letter should ideally give them some method for asking not to be contacted”

It’s at this point, however, that I feel entitled to mount my hobby horse and ride it up and down the public highway.

The Information Commissioner’s own definition of direct marketing, found in his guidance on the subject, is ‘the offer for sale of goods or services, or the promotion of an organisation’s aims and ideals’. The rules covering any form of electronic direct marketing (i.e. phone, email, and text) come from the Privacy and Electronic Communications Regulations (usually pronounced ‘Pecker’), not from the Data Protection Act. PECR does not contain any discussion of harm, benefit of legitimate interest – its rules are simple and relatively easy to explain.

Direct marketing cold-calling by phone is legal – unless the person is on the Telephone Preference Service or has told the organisation not to call. Therefore, to make a marketing call, the organisation (in PECR terms, the ‘person’) must screen the numbers they are using against the TPS lists (which they must rent or buy from the TPS itself or a marketing company who has done so). Direct marketing emails and texts are opt-in – you cannot text or email someone without their permission, and the same is true of automated marketing phone calls.  There are some wrinkles – business and personal emails are treated differently – but for direct marketing, that’s about it.

As described in the BBC story, the PCT’s call was a marketing call. They were not calling the person to tell him results, to arrange an appointment for treatment that had already been consented to, to discuss something that was already happening. The PCT’s aims include the hitting of a target for screening of a specific group, and without previous consent, the only possible interpretation of the call is that recruiting people to join the screening is a form of direct marketing. Having worked – briefly and without particular distinction – in the NHS and having had this argument several times, I know that few health staff would agree with me. Indeed, when looking at this issue many in the public sector have the same problem – if a message is clearly of benefit to the recipient, how can we not be allowed to do it?

Although some in the private sector find ways around PECR or ignore it altogether, I have never spoken to a private sector person who didn’t see how the regulations applied to what they do. Public sector, voluntary and charity organisations are obsessed with the value or justification of their message. Labour, the Lib-Dems, the Conservatives and the Scottish Nationalists have all received enforcement notices under PECR for their use of automated marketing calls – the Scottish Nationalists perhaps personified the wider misunderstanding of how PECR works but claiming that being prevented from using automated calls of Sir Sean Connery was a breach of their human rights. It’s not. I have a right not be bothered by what you think I should be interested in, whoever you are. And PECR gives me that.

PECR is a single-minded law in this respect, caring only about the content of the message. If your call, your email, your text is designed to sell, promote, persuade or influence – it’s direct marketing. If you want to change behaviour, get people to make better choices, or even tell them something that will change or save their lives, PECR doesn’t care. Even if you don’t know who the recipient is, that’s irrelevant – this isn’t Data Protection.

Of course, the BBC coverage doesn’t mention PECR and screening against the TPS, which implies that some people in the ICO don’t know what their own position on PECR and direct marketing is, but that’s not a surprise. The point is, the next time someone has a smart idea for a communication campaign, whether it’s health promotion, news of how you’re dealing with anti-social behaviour, or the benefits of recycling, just remember to think about PECR.

Which is a bit funnier if you say it out loud.