National insecurity

In all the furore over the announcement of the Government’s draft Investigatory Powers Bill, one detail caught my eye. The Daily Telegraph published an article by Peter Wanless, Chief Executive of the NSPCC. Mr Wanless was keen that whatever else, we did not forget about the children:

We have heard plenty from groups extolling privacy principles and spies unveiling foiled terrorist threats, but let’s also hear the voices of thousands of children placed in jeopardy while the trade in abusive images continues to flourish

I don’t doubt Mr Wanless’ sincerity in combating the menace of child abuse and exploitation, but I found this a bit odd. How exactly does an article like this come into being? Did Wanless contact the Telegraph, keen to offer his support for the proposed legislation? Was it the other way around, with the Telegraph searching for an appropriately unimpeachable source to back up Theresa May’s plans? Or was it box number three: is it the Home Office who brought the article about, contacting Wanless and asking him to contribute?

You may disagree, but I find the idea of the Home Office persuading charity bosses to back Government policy in the press – especially without acknowledging it in the article – a deeply unattractive proposition. To find out whether this was the explanation, I made an FOI request four weeks ago to the Home Office, asking for correspondence between the Home Office and Wanless on the subject of the new bill.

A day before the deadline, I received an interesting email from the Home Office’s FOI team:

Although the Act carries a presumption in favour of disclosure, it provides exemptions which may be used to withhold information in specified circumstances. Some of these exemptions, referred to as ‘qualified exemptions’, are subject to a public interest test. This test is used to balance the public interest in disclosure against the public interest in favour of withholding the information. The Act allows us to exceed the 20 working day response target where we need to consider the public interest test fully.”

So far, so not much of a problem: this is an entirely legal move. The deadline can be extended for this reason. The one mistake that organisations often make at this point is not quoting an exemption, as if the public interest test floats free. But this is not what they did:

The information which you have requested is being considered under the exemption in section 23 (1) of the Act, which relate to information supplied by, or relating to, the bodies dealing with security matters.

The first thing to say is that this response appears to confirm that the Home Office has been in correspondence with Mr Wanless about the bill, which is interesting enough in itself (no correspondence, no need for an exemption). However, there are two more interesting elements. On the one hand, the response suggests that the correspondence contains information provided by the security services. Given that Wanless’ article is effectively a PR exercise, this is remarkable, if not scandalous and appalling. On the other hand, Section 23 is not a qualified exemption; it is an absolute exemption and has no public interest test. Either the Home Office don’t understand FOI properly, or they are just spouting legally inaccurate bollocks to avoid responding to my request on time.

Ever keen to help, I emailed the Home Office to point out that Section 23 is an absolute exemption and to enquire whether they in fact meant Section 24 (which applies to national security issues more widely, and does have a public interest test). With remarkable speed, the Home Office replied. I was invited to disregard the original email, and provided with the following explanation:

We apologise for the delay in sending you a substantive response. We always aim to respond to requests within the statutory period under the Freedom of Information Act (FOIA). Unfortunately, due to pressing business and other Ministerial priorities, it is not always possible to do so, and in this instance, we regret that we have not been able to respond within the statutory period.

What to make of it? Is it still reasonable to assume that the Home Office did put Mr Wanless up to it? Am I the first person to receive the phoney Section 23 letter? If they are going to delay replying, doesn’t the Home Office care enough to at least pick an exemption with a PI test, or just go for the old Dransfield Vexatious routine? At the very least, I think it is reasonable to assume that the Home Office is not really considering the use of an exemption, and is merely stalling on what might be an embarrassing answer. If there was a genuine exemption at play, they would have corrected their mistake in the follow-up. If they really did think Section 23 applied, I would have got a refusal.

Whatever happens next, reader, I have a feeling it will be worth looking out for.

Return to Sender

The Home Office is in the news again, coming under fire for the latest in a series of questionable wheezes to bully unwelcome foreigners. After the Racist Van, now we have the Racist text messages, brusquely telling the recipient:

Message from the UK Border Agency. You are required to leave the UK as you no longer have right to remain.

You have to wonder where they get their ideas from; one imagines civil servants sitting around a table just spitballing ideas until someone suddenly says ‘Make them all wear flares until they go home’. One can only hope that none of the team has seen the Blaxploitation film ‘Three The Hard Way’, in which a racist millionaire called Monroe Feather develops a toxin that kills only black people. The problem with the text idea, apart from the fact that it is horrible and uncivilised, is that they keep texting the wrong people.

The Home Office is quoted as saying:

Where it is identified that Capita have contacted an individual in error, Capita and Home Office records are immediately updated and contact is ceased. Furthermore, if an error has been made at the triage stage of handling the case, this is fed back, any learning incorporated into training and, where applicable, processes are amended.”

You’ll notice that they don’t say ‘and we inform the Information Commissioner about a breach of the fourth Data Protection principle on the basis that the personal data we are using is inaccurate’. I think the media coverage has led the ICO to investigate, but the interesting thing about the fourth principle is that it is fairly blunt.

Personal data shall be accurate and, where necessary, kept up to date.

The only qualification comes later, when the Act says the principle 4 has not been breached if “having regard to the purpose or purposes for which the data were obtained and further processed, the data controller has taken reasonable steps to ensure the accuracy of the data”. Given that the Home Office (or their henchmen) is texting people telling them to piss off out of the country, they will surely have to demonstrate a significant effort to verify the numbers. Merely saying ‘these are the numbers they have us’ will surely not be enough.

The ICO will presumably get to the bottom of it, and it’s foolish to pre-empt any decision they might make. It is nevertheless worth asking whether sending a person an erroneous text telling them to go home is ‘likely to cause substantial damage and distress’. And accuracy is only the beginning of the explaining the Home Office should be asked to do. Where did these numbers come from? What were the people told when their numbers were obtained? What Data Protection condition has the Home Office satisfied before processing the mobile numbers for the purpose of mild intimidation?

And now we come to the payoff: is Data Protection the only legislation to which the Home Office is subject here, and to which the Information Commissioner should pay heed?

The ICO’s sturdy new guidance on Direct Marketing retains a definition from previous documents about electronic marketing:

Direct marketing is not limited to advertising goods or services for sale. It also includes promoting an organisation’s aims and ideals.

These text messages do not form direct part of any legal process, and I doubt that the Home Office will have given itself the power to send them in any legislation. In other words, as far as I can see, there is only one definition that explains the purpose of the texts. The Home Office is trying to encourage who are in the country illegally to go home. The texts do nothing but promote the Home Office’s aims and ideals. No matter what you think of those aims, what else are the messages designed to do? I believe that the Home Office’s text messages meet the definition of direct marketing Under Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), specific consent is required to send direct marketing electronic mail to an individual, and the definition of electronic mail includes text messages. The recipients should have been asked to opt in, and if they were not, the messages should not have been sent.

Unlike the possible breach of the 4th Data Protection principle – which has only occurred if the Home Office cannot show that they took reasonable steps to ensure that their data was accurate – PECR is much more prescriptive. Without consent, the sending of direct marketing texts is a straightforward contravention. So despite the extremely regrettable decision of the Tribunal to overturn their  attempts to beat back the plague of PPI texts this week, highly distressing marketing texts are still on the agenda.

Unless the Home Office obtained consent, I think this idea should be sent back to the drawing board.