License to share?

Last month, I renewed my car tax disc. I am certain that Francis Maude and the Cabinet Office will be thrilled beyond measure to learn that I did it online. During the process there were some tick boxes, one of which stated the following:

 The email address and/or mobile number supplied by you, may also be used by DVLA and other Government Motoring Agencies to inform you of other services which may be of interest.

Needless to say, I opted out, but I found this intriguing, as I couldn’t imagine what else the Government might want to tell me about motoring issues. So I made an FOI request to the DVLA to ask what the other services that might be of interest were and which other government agencies and departments get access to the data.

I received a prompt response. 

 DVLA does not hold details of the other services. The statement relates to the fact that DVLA may contact you via the e-mail address you have used to ask about your experience of using that service, or to gain further insight around motoring services. Whilst this insight is normally used internally (within DVLA) for us to improve our services, findings may be shared within Government beyond DVLA. However, no other government departments have access to the mobile phone numbers and email addresses when a customer renews their car tax online.

I think the two quotes above are impossible to reconcile. The text on the site is not vague or ambiguous – it describes information sharing to promote other services. If the DVLA were going to share people’s details with other parts of government, effectively for marketing purposes, as the website’s wording describes, this wouldn’t be unreasonable. I think the text should be clearer about the ‘who’ and ‘what for’ and it should be opt-in not opt-out, but that’s not the point. The DVLA’s FOI response describes a different activity altogether.

The use of email and mobile phone numbers to ask further questions about the service, and sharing the results with their colleagues is obviously acceptable. The Information Commissioner (I think rightly) considers research or ‘customer insight’ to be separate from marketing, and probably wouldn’t even expect an opt-out if it was going to be carried out. I certainly wouldn’t have bothered to opt out, if only for the opportunity to tell them how dull and clunky the registration process was.

The requirement placed on the DVLA to provide drivers’ details to the broadest conceivable spectrum of parking companies (including many that stray close to illegality) has not given them the best reputation amongst the public. The abolition of the paper tax disc in October, based apparently on DVLA’s conviction that the prevalence of Automatic Number Plate Recognition cameras makes the paper discs unnecessary, has already given rise to some hysterical reaction in the media. In particular, Guy Walters’ almost parodic attempt to tick as many paranoid boxes as possible (Big Brother! Cameras! Minority Report Style Adverts! Immigrants!) shows how far suspicion of the DVLA can go.

In this context, it’s remarkable that the DVLA seem to want to give the impression of greater data sharing than is actually the case. The only alternative is that their FOI response is untrue – I’m not leaping to that conclusion, although I am asking for an internal review to clear up the apparent confusion. Perhaps they haven’t changed the website since such data sharing happened; perhaps they wrote it anticipating data sharing which hasn’t come off, or hasn’t started yet. Whatever happens, it underlines the importance of clarity and fairness. If the website had clearly stated what they were doing (whatever that turns out to be), I would never have made the FOI request in the first place. If there wasn’t a disparity between the website and the response, I wouldn’t be asking for an internal review. If you have any spare time soon, it might be worth looking at whether your organisation’s website is a fair reflection of what you actually do.

Concerns

At the end of July, the Information Commissioner issued a Civil Monetary Penalty on Think W3, an online travel company. Think W3 had flawed security and audit processes, and when a hacker gained access to Think W3’s customer data via a subsidiary company, the ICO (I think reasonably) concluded that the flawed framework was to blame. Think W3 received a Civil Monetary Penalty of £150,000.

When the ICO published the notice on their website, on page 3 of the notice, a sentence or two was tantalisingly redacted. My friend and fellow blogger Jon Baines wrote about the case at the time, noting in particular that Think W3 were not a random small travel company, but a wholly owned subsidiary of Thomas Cook. Thomas Cook bought the company in 2010 and sold it in January this year. The ICO made no mention of Thomas Cook, but Jon made short work of identifying the connection. He suggested to me that perhaps the missing sentence in the CMP was a reference to the parent company, and so I decided to make an FOI request to the Commissioner to find out whether he was right.

The ICO responded (by remarkable coincidence, on the last of the available 20 working days) by providing me with the redacted information:

Both companies were part of the Thomas Cook Group at the time of the below mentioned incident until they were sold on 24 January 2014.

As always, the ICO was unable to leave it at a bald answer (hint to FOI officers, less is often more). They explained the redaction as follows:

“The information was redacted following concerns raised by Thomas Cook, about its inclusion. The concerns focused on the fact that Thomas Cook considered it to be irrelevant and potentially prejudicial. They have said that Think W3 Ltd operated independently of other companies in the Thomas Cook Group and the system that was the subject of the security breach was in no way connected to the systems used in any other part of the Thomas Cook Group. Further, that the Essential Travel computer system that was the subject of the security breach was a legacy system that was used by Think W3 Ltd/Essential Travel before those companies became part of the Thomas Cook Group in 2010 and that system has at no time been connected to the systems used by any other part of the Thomas Cook Group.

As these concerns were only raised at a time when the civil monetary penalty notice was final and could not be altered the information could not be removed, but had to be redacted”

My request was made on the same day that the notice was published, and the response was provided to me within a calendar month. If disclosure is not prejudicial now, it was not prejudicial then. As I said above, it took Mr Baines minutes to make the connection between Think W3 and Thomas Cook, so any notion of prejudice is fanciful. Moreover, Thomas Cook’s claim that their ownership of the company at the time of the breach is “irrelevant” is twaddle. For one thing, Thomas Cook owned the errant company during the time of the incident and more importantly, during the period when their security was inadequate. They also paid the CMP, which makes their claim of irrelevance an insult to our collective intelligence.

Crucially, no matter how independently Thomas Cook allowed Think W3 to operate, what happened in Think W3 reflects on Thomas Cook. The public – providing their data to the range of companies owned by the group – are entitled to know that Thomas Cook do not check whether proper controls are in place in its members. The ICO should have rejected these wholly spurious claims out of hand, and instead, they meekly complied: the information “had to be redacted“.

There are two important reasons why these redactions run entirely counter to what the ICO should be about. Firstly, there are quite a few of us who believe that the ICO’s enforcement of the Data Protection Act is unfairly skewed against the public sector. Out of dozens of Data Protection CMPs since 2010, only a handful have been against private sector companies. Nevertheless, senior figures in the ICO cling to the idea that ‘market forces’ play a part in deterring organisations from misusing our data. Personally, I don’t believe them, but editing the notice prevents the ICO’s own pet theory from being tested. Market forces cannot be influenced as the ICO wishes if they themselves hide the information.

The other problem is that the ICO is not just the regulator of Data Protection, but also of Freedom of Information. Instead of championing openness and transparency, the ICO cravenly removed the Thomas Cook reference when there was no reason to do so other than Thomas Cook’s (pointless) sensitivities. There was no exemption under FOI (as my request demonstrated), just a regulator all too keen to accommodate big data controllers. Indeed, although they have told me what they removed, the redacted notice is, at the time of writing, still on the website.

This is far from the first time the ICO has issued a redacted CMP notice, and it probably won’t be the last. But this one demonstrates that the reasoning behind such censorship is flawed, and we should be quick to ask questions when they do it again.

What’s the damage?

BTO Solicitors recently marked the publication of the Information Commissioner’s annual report with a blog by two of their advocate solicitors about the Commissioner’s recent enforcement activity. BTO enjoyed a notable coup in 2013 by overturning the ICO’s £250,000 civil monetary penalty against Scottish Borders Council. I agree with the blog’s authors, Laura Irvine and Paul Motion, that the Borders case was hopeless; it is the low point in the ICO’s obsessive pursuit of “data breaches”. For several years, Wilmslow seemed to believe that [incident = breach] was a winning formula, and when tested in the Borders case, they were found wanting. The blog asserts that in several other cases, the ICO would equally have found it difficult to defend their CMPs, and again, I agree. Borders is not the only flawed CMP, and others could probably have been overturned.

Having said that, I think their review of recent action is eccentric, even myopic. They assert that the Commissioner “has not changed his approach to “likelihood” since the Scottish Borders appeal“, selecting two examples (Jala Transport and Bank of Scotland) to support their contention. I don’t know whether these two CMPs are sustainable, but they exemplify the difference between a one-off incident and an ongoing breach. I am certain that both are the latter. Jala’s *director* routinely carried the sole copy of his customer database on an unencrypted hard drive which he placed on the passenger seat of his car, while the Bank of Scotland proved incapable of preventing staff from sending faxes to the wrong destination even after the ICO started to investigate them. I think it’s instructive that neither organisation appealed.

Moreover, the argument that the ICO is on the same track is a lot easier to make if you stick rigidly to action taken in 2013, so that’s what Irvine and Motion’s blog does. There have only been 3 CMPs for Data Protection in 2014, and I believe that each would survive Tribunal scrutiny. As always, the incidents are eye-catching – an anti-abortion hacker gets access to the identity of women potentially seeking abortion, a police station is sold with evidence tapes identifying suspects, victims and witnesses, and a filing cabinet is sold despite containing personal data about compensation payments paid to victims of terror attacks. However, I think it is likely that if BPAS did not properly maintain their website, it would come under attack from anti-abortion campaigners. It is likely that if Kent Police did not properly organise and monitor the clearance of their buildings, evidence would be left behind – and the same goes for the Department of Justice. In each case, the data was sensitive personal data, and to steal a word from BTO’s own blog, to argue that the loss of such data would not be likely to cause damage is frankly bizarre. The 2014 decisions may not be perfect, but they must have been made with the outcome of the Borders case in mind, and I think these three cases show a more robust and defensible process at work.

The blog ends by considering Christopher Niebel’s successful appeal over the ICO’s £300,000 CMP for his industrial-scale spamming. It’s unlikely that anyone will mount a campaign larger than Niebel’s, which Judge Wikeley described as “a considerable public nuisance“, so the outcome of his appeal may effectively make the UK’s current PECR regime unenforceable. Wikeley suggested that had the bar been set lower (nuisance, rather than damage or distress), the outcome of the appeal might have been different. In response, the Government is currently consulting on whether to make precisely that change. BTO’s blog opposes this, fitting the Niebel case into the narrative of a wayward, overreaching Commissioner:

The likelihood of damage must be based on more than conjecture and distress has to be more than mere irritation. If evidential thresholds are getting in the way of monetary penalties the answer is to provide the requisite evidence, not to call for the lowering of the threshold and potentially criminalising conduct that is undeserving of such categorisation.

ICO’s use of conjecture is flawed and it’s what lost them the Borders case. But the above statement takes a seemingly ideological position that PECR breaches must go unpunished unless substantial damage can be established, without explaining why the law should not be used to protect the public from intrusion and irritation. It’s not clear why Irvine and Motion are keen to keep a regime that lets spam go unpunished, and I’m convinced that leaving the threshold as it is will have that effect. Wikeley did not argue that ICO should have done a better job, but that the evidence wasn’t there to hit the target. By implication, with the test as it is, it won’t ever be. More importantly, neither the ICO nor the DCMS (the department responsible for PECR) have suggested ‘criminalising’ any conduct. To claim otherwise is a red herring.

The sending of text messages, emails or automated calls without clear consent is already unlawful; the only debate is what the penalty should be for doing so. In wanting to keep the current threshold, Irvine and Motion seem more keen to protect the rights of spammers than the public. There’s a difference between criticising a poor case (Borders) and defending a target that no-one can hit. Damage and distress is not a concept that comes from the Directive – as Wikeley says, setting the bar there was a UK decision. The Directive demands ‘an effective, proportionate and dissuasive penalty‘ and Niebel shows that we don’t have one. Leaving the substantial damage threshold in place is not (as Irvine and Motion put it) “a realistic approach to assessment of the human consequences of data breaches and PECR breaches“; to do so ignores those consequences and by default, protects the illegal spam business model.

Like Irvine and Motion, I think the ICO approach is flawed and inconsistent. However, I support civil monetary penalties for breaches of both Data Protection and PECR and I think they should be maintained and improved. Evidence of the ineffectiveness of the criminal regime abounds. A few weeks ago, the Information Commissioner announced that they had successfully prosecuted Stephen Siddell, manager of an Enterprise car rental outlet in Southport. Mr Siddell was selling data about their clients to a claims management company. Given that the private sector is sometimes less forthcoming about their security problems than the public sector, Enterprise should be praised for calling the ICO rather than sacking their errant manager and keeping a lid on the problem. Mr Siddell was fined £500 (plus £300 in costs and victim surcharges). The claims management firm remains under investigation and so for the moment is not being named. Meanwhile, the Mail on Sunday reports today that Jayesh Shah, a man who boasted to an undercover reporter that he sent 500,000 spam text messages a day, has been fined £4000 for non-notification (plus around £3000 in costs and surcharges) by magistrates in North London.

Mr Siddell’s future employment prospects are probably bleak, but with such small penalties, someone else will take his place. Police officers are treated fairly mercilessly when caught for data theft, but there is still a queue of cops willing to raid the PNC. Meanwhile, though the comments about his weight and dress sense in the Mail’s comment section will have been unwelcome, Mr Shah can treat the £7000 outcome as an acceptable business expense. The criminal portion of the DPA provides scant punishment for data thieves (small fines and no criminal record as the offences are not recordable). It is possible for the ICO to issue enforcement notices against spammers and those who breach DP, but the only punishment for breaching an enforcement notice is the same paltry fines. A company prosecuted for breaching an enforcement notice can be closed down and replaced by a clean twin in next to no time.

I enjoy kicking the ICO as much as the next person, and their mishandling of CMP enforcement in recent years is a matter of concern. However, across the UK, Data Protection and privacy are still more honoured in the breach than the observance. There is big money to be made out of exploiting data, and as with health and safety, too many are willing to cut corners, regardless of the harm and distress that might be caused. Indeed, I think CMPs should be broken out of the security stranglehold and applied to damaging inaccuracy and unfairness as well. Rather than keeping the PECR threshold at an unattainable level, I think we should drop it to a straightforward tariff, with a flat rate penalty for every unlawful contact (say £1 per email, £5 per text and £10 per phone call). Post Niebel, private sector organisations that comply with the law will be priced out of the market by those who don’t unless there is a change. Without effective penalties, public sector organisations without a functioning privacy culture will continue to make decisions that put data – and in some cases, the public – at risk.

In their understandable enthusiasm to knock the ICO, I fear Irvine and Motion have lost sight of the purpose of the legislation. It is there to protect the public and to facilitate lawful, legitimate business activities. Personal data should be respected and handled with care. People have a right to a private and a home life without being pestered by spivs. The law and its implementation should penalise and deter misuse, intrusion and abuse. Some organisations will comply without sanction, but we need a strong, effective regime for those who won’t.

Publishing personal data on the internet: a handy guide for beginners

The sun is shining*, I’ve finished work for the day** and for no specific reason***, I’ve decided to write a brief guide to the main Data Protection issues associated with publishing the names of members of the public on the internet.

FAIRNESS

You have to tell people that you are publishing their data. If they have a particularly bland and common name (e.g. John Smith), and if publication is not linked to a specific locality (like say, a local council area), the names may not be identifiable, so you’re OK. Otherwise, the first Data Protection principle states that in order to process personal data like names fairly, you are obliged to inform the subjects that their data will be published. If you are publishing under some kind of legal obligation, or if informing people would represent a disproportionate effort, you may be able to get out of this. The Information Commissioner may also accept an argument that in some contexts, there is a reasonable expectation that information will be published. This will not apply to a publication of data that nobody else in your sector participates in. It won’t be disproportionate if you have been involved in some kind of transaction with the person and the opportunity to tell them directly has presented itself (to pick an example at random, if they have made an FOI request to you, and you have responded to them).

CONDITIONS

The Data Protection Act also requires that – as well as informing the subject of the data that it will happen – you also meet a condition before publication. Consent is one option, but there are others. However, they are specific – a legal power or obligation, a contractual obligation, or the need to protect that person’s vital interests. There is a tempting condition that allows you to publish data if it would be necessary for legitimate interests, as long as it causes no unwarranted harm to the subject’s rights. That sounds good, but remember, the harm test isn’t the clincher. You have to show that publication is NECESSARY: not convenient, or helpful or just something you really want to do because right now, it seems like a really good idea or something. If it isn’t necessary, even if it’s harmless, you’re still not able to do it.

EXEMPTIONS

Data Protection does have some exemptions, and some of them (the national security and journalism ones) are impressively broad. The journalism one (S32) in particular clearly covers a lot of publication of personal data on the internet. However, it’s important that you can justify the publication in terms of the public interest in freedom of expression, and not just publishing a bunch of people’s names for the sake of it.

PUBLICATION BY MISTAKE

A common misconception is that the accidental publication of personal data is automatically a breach of the Data Protection Act’s Seventh Principle (the one about appropriate security measures). It’s entirely possible for someone to make a mistake – I don’t know, let’s say publishing database extracts on your website and accidentally including people’s names – without the Act being breached. The data hasn’t been processed fairly, but that wasn’t the organisation’s intention, so the ICO will probably look kindly on a single human error. Repeating the publication – perhaps on a monthly basis – is evidence that appropriate measures are not in place. Publishing data by mistake because procedures aren’t robust, staff haven’t been trained or managers don’t carry out proper checks is evidence that the seventh principle has been breached. If the breach is compounded by serious damage to the individuals concerned, a fine is even possible. The best thing to do is to remove the offending information as soon as possible.

NEXT WEEK: A handy guide to the Streisand Effect, and other ways to draw attention to things you’d probably prefer people not to notice

* I live in Manchester, so it looks like it’s about to throw it down
** I am putting off doing something else
*** I am thinking of something very specific

VOTE FOR SPAM

In what is probably a precursor to a busy period of anxious politicos making a mess of marketing law, the Conservative MP for Gloucester Richard Graham has fallen foul of both Data Protection and the Privacy and Electronic Communications Regulations. Anyone, it seems, who contacted Mr Graham was added to his marketing list, and received his campaigning emails. Given that ‘anyone’ included Labour Councillor Barry Kirby, I think it’s reasonable to assume that rather than painstakingly selecting his correspondents’ details, Mr Graham was harvesting anyone who contacted him (I’m happy to be corrected if this wasn’t the case, although it makes the appearance of Councillor Kirby on his list even more bizarre). A well-known information rights training company does a similar thing, and gets very shirty when you point out that it’s illegal.

Like many spammers caught on the hop, Mr Graham fell back on the ‘anyone can unsubscribe at any time‘ defence, and graciously offered to remove their data from his list. I apologise for making the obvious point, but it should not be too much to expect that people who make the law understand it. Taking the complainant’s names off the list is only the beginning. The Information Commissioner found Mr Graham in breach of both DP (the data was obtained unfairly because Graham did not tell people how their data was going to be used) and PECR (because the only mainstream option for electronic marketing is opt-in).

I think Mr Graham’s entire marketing list is contaminated. Removing the names of people who complained is not enough; because he did not ask for consent and did not tell people how their data was going to be used, potentially every email address he holds was obtained unfairly (DP breach) and the recipients of his marketing did not notify him that they wanted to receive it (PECR breach). In short, to put things right, the only thing that Mr Graham can do now is contact all of the people on his list, and ask for permission to send them marketing. If he doesn’t, he’s still in breach. UPDATE: as a commenter observes below, he should probably just trash it and start again.

This is not a political point. The Conservative Party’s use of misleading surveys recently attracted some well-deserved scrutiny, but few political parties have clean hands on marketing. Labour, the Conservatives, the Liberal Democrats and the Scottish Nationalists all have enforcement notices against them for PECR-breaching automated phone calls – the SNP even tried to argue that stopping them from using their recorded call of Sir Sean Connery breached their human rights. There is a lot of ignorance, and a strong sense of entitlement. This won’t do. Many of us will be caught up in the political cut and thrust of the next year, but others have a right to be left alone – not pestered until they unsubscribe, but for electronic communications, left alone unless we invite contact. That’s the law. So, ever enthusiastic to help, and with a view to a brutal Scottish Independence campaign with the 2015 General Election hard on its heels, I finish with a brief guide for the political parties on marketing:

The definition of marketing includes political messages, either party-specific, or more general. Encouraging people to vote for or against Scottish Independence is a marketing message. Encouraging people to vote, or to register to vote, even if you don’t mention the party, is a marketing message. There is no distinction between selling a fridge and selling a party.

There are specific rules for each form of communication:

AUTOMATED PHONE CALLS: Specific opt-in to automated calls.

TEXTS and EMAILS: Opt-in to receiving the specific communication. An unticked opt-out box is not valid, a pre-ticked opt-in box is not valid. If I haven’t actively told you that I want your emails or texts, I don’t want them.

LIVE CALLS: Opt-out, but you have to screen all calls against the TPS list, which you have to pay for if you don’t already, and you can’t call people who have told you not to call, even if they aren’t on the TPS.

POST: Opt-out.

There is no exemption for your members, for those who have filled in surveys, or those who have made a donation. Politicians made these laws. No matter how inconvenient they might seem, they protect the public from being pestered by anyone with something to sell, even if it is an idea, even if it is the best idea anyone has ever had.