Labour pains

Last month, I registered as a supporter of the Labour Party in order to vote for the leader and deputy leader. I am a lifelong Labour voter, and no, I don’t care what you think about that, and if you tell me what you think about that in the comments, I will let your comment through solely so that I can edit it to replace your drivel with the word “Bellend”. WordPress lets me do this, friends, so choose wisely.

The choice of candidates for Leader is as tempting as being asked whether you want a smack in the face or a kick up the arse, while the inevitability of Deputy Tom Watson is just horrible. There are few experiences as emetic as opening an envelope to find Watson’s huge smug face staring out at you. If only I had a dartboard. Nevertheless, if the party is going to let me participate in the process of choosing which leader will lose the 2020 election, it seems churlish to pass up the opportunity. I actively want to vote for Stella Creasy, so there is some crumb of meaning in there somewhere, apart from the fact that she’s not going to win.

When I signed up, the Labour Party required me to agree to receive communications from the party. There was no more to it than that, and no terms and conditions for me to consult before signing up. It was a fait accompli – sign up and get the messages or go away and don’t vote. This is a straightforward breach of the Privacy and Electronic Communications Regulations 2003 (PECR). Communications from a political party are marketing. Regulation 22 states that marketing emails can only be sent if the recipient has notified the sender that they have consented to receive them. Consent is the same ‘freely given, specific and informed’ consent that you need for Data Protection. If there is any doubt about what that means for marketing emails, the Information Commissioner’s excellent guidance on Direct Marketing is – by ICO standards – uncharacteristically clear: “Consent cannot be a condition of subscribing to a service or completing a transaction”.

Labour cannot lawfully make the receipt of marketing emails and texts a condition of registering as a supporter. Every email and text sent to a registered supporter who has not actively and separately consented to receiving the emails and texts is a breach of PECR. The breach is particularly serious in my case, because in 2013 I exercised my rights under Section 11 of the Data Protection Act with all of the serious English political parties (and UKIP); this means that none of them can send me marketing, and so even the junk mail that each of the campaigns is sending me by post is unlawful. This is not my view; this is the view clearly expressed in the ICO guidance. The fact that I can opt-out is irrelevant. I should not have to (and anyway, I already have). Labour is arrogantly and cynically ignoring legislation that it passed when in government in order to hassle its most active supporters.

Inevitably, privacy champion Tom Watson has sent me the most emails, and demonstrated the least compliant approach. One of the emails had an option to tell Watson if you were going to vote for him, and so I clicked on the link to say no. I was then presented with a webpage asking me who I was going to vote for, as well as two pre-ticked boxes for ‘Send me email updates’ and ‘Send me text message updates’. A pre-ticked box doesn’t constitute consent (consent has not been ‘given’), but nevertheless, I unticked the boxes, clicked the box for ‘Stella’ and submitted.

Instantly, despite having told Watson’s campaign that I don’t want to vote for him and I don’t want to receive his email updates, I received a further email from Watson telling me how brilliant he is and how I should give him my second preference. There is no chance of this: not only will I never vote for Watson, I have always been fond of Ben Bradshaw, because he is Alan Dransfield‘s MP and he looks like he has skinned Hugh Grant and is wearing his face as a trophy. The second preference email was yesterday, and today, I have already received another email from a Watson supporter who has (no doubt spontaneously) written a paean to Watson that happens to include most of the examples the Watson campaign is using elsewhere. I am absolutely thrilled that the Watson campaign has apparently shared my email address with random strangers.

Needless to say, I have emailed Watson to point out his bad practice (and I didn’t use the word ‘hypocrite’, so see how I have matured) and more importantly, I have written a detailed letter of complaint to Iain McNicol, the party’s General Secretary. This is not my first rodeo with McNicol, so I know that all I will get is a reply stating ‘we’re perfectly entitled to do this and if you don’t like it, then opt out’. This reply is useful solely because the ICO understandably expects me to complain to the offending organisation first before going to them, and complaining to them is the only thing I can apart from write this blog for people who probably already agree with me.

Of course, the most the ICO will probably do is tell Labour to stop emailing me, which makes them (at least in this context) the world’s most convoluted unsubscribe button. But nevertheless, rather like voting for Creasy even though she’s going to lose because I honestly think she is the best candidate, I will complain about Labour’s habitual breaches of PECR because they need to be called out on it, even though no enforcement will follow.

A bunch of Tw*ts

The Englishman who wades into Scottish politics on either side, especially if he lives in England, is probably taking a huge risk of being disagreed with vehemently, no matter what he says. Nevertheless, the explosion of interest into the so-called ‘Clypegate‘ list has a Data Protection angle that I cannot resist.

To summarise, it seems that the Scottish Labour Party have assembled a list of supporters of the Scottish National Party who have said things on Twitter and Facebook that the Scottish Labour Party do not like. The list – inevitably tagged a dossier – has been passed to the tabloids to stir up some kind of frenzy about the so-called ‘Cybernats’. Some of the statements are fairly strong, but I doubt they are worse than anything said in the average pub conversation about politicians. I’m certain every term applied to Gordon Brown and Donald Dewar has been said of Alex Salmond by Labour supporters. As someone who voted Labour in the recent election, I can think of a few more constructive things that the smouldering remnants of Labour in Scotland could be doing with their time, but this is what they decided to do, so we are where we are.

Now, if you were hoping for anything more in the way of politics, you’re going to be disappointed. From here on in, it’s ANORAK TIME!

The Data Protection Act has many requirements for the processing of data, but the chief hurdle is the first DP principle, which requires three things. The processing of personal data must be fair, lawful, and conditions must be met. Regular readers will know that consent is not required, as there are alternatives to consent in the lists of conditions. Let’s consider the three elements in turn;

FAIR: fair has two meanings. The use of data has to be fair in the dictionary sense of the word and it also has to be fair in the DP sense, which means the Data Controller (Labour) has to tell the subject (the SNP tweeter) how their data will be used unless an exemption applies. Many organisations believe that because personal data is in the public domain, it is fair game. The Information Commissioner’s own guidance on personal data online stated in 2010 that this was not the case, and we have a very recent example (Samaritans Radar, which also focused on tweets) where the ICO stated that tweets were personal data (depending on their content), and so DP applied.

Labour fail on both counts. Gathering together tweets and providing them to a newspaper to name and shame the individuals is not fair in my opinion. But more importantly, Labour did not tell the subjects that their data would be used in this way. Clearly members of the Scottish Labour Party will look at what is being tweeted; they may analyse and try to counteract it. If you don’t like the idea of people you don’t like reading your tweets, go private or stop tweeting. However, the conscious selection and specific analysis of a person’s tweets is processing personal data as is passing it to a newspaper, and none of the DP exemptions allows Labour to do this in secret.

The use of the data was not fair.

LAWFUL: this is a tricky one where I expect I will get little agreement, especially from people who might read this hoping to see Labour eviscerated. DP requires that data processing should not breach other relevant laws e.g. Human Rights privacy or confidentiality. I do not believe that Labour’s use of the data was unlawful – Carina Trimingham’s Facebook account was pruriently raided by the Daily Mail so that they could make cheap jibes about her, but she still lost her Human Rights privacy case. Twitter and Facebook are not private places unless you lock your account. Get used to that.

CONDITIONS: DP requires that one of a prescribed set of conditions is met to justify the use of personal data, and one from a second list if the data is defined as ‘sensitive’. A person’s political opinions are sensitive data, so this means that Scottish Labour needed not one condition, but two. The tricky part is usually the sensitive data condition, but as it happens, I don’t think Labour have a problem here. One of the conditions for processing sensitive personal data is that the sensitive data has “been made public as a result of steps deliberately taken by the data subject‘. I think this box is ticked – the political opinions were tweeted out into a public forum by the subject.

But that’s not the problem. The problem is that a condition is also required from the first set, and here Labour are stuffed. They don’t have consent, a contract, a legal power or obligation, and they are not protecting anyone’s vital interests. The only condition left is ‘legitimate interests‘, where they have to claim that their legitimate interest in monitoring and publicising rude tweetersis not ‘unwarranted’ because of ‘prejudice to the rights and freedoms or legitimate interests of the data subject’. I am not remotely convinced that monitoring of ordinary folk – even if they are supporters or members of a party – is a legitimate interest in this context.

I have registered to vote in the Labour leadership elections, and had to declare that I support the aims and values of the Labour Party. That was not an easy declaration to make, but I definitely don’t support any other party and I never have. If Labour wanted to find out whether I was in fact a Conservative or SNP supporter pretending to be Labour, and looked at my Twitter account to find out, I believe that would be a legitimate interest. They would still have a problem with fairness, and would have to tell me that this was going to happen (they didn’t).

I don’t believe the two situations are comparable however. But even if I did, even if Scottish Labour monitored their opponents legitimately, it’s impossible to argue that legitimate monitoring is not undermined by passing the data to journalists, especially as journalists are (under Section 32) virtually exempt from the Data Protection Act. If the monitoring was done to identify genuine abuse and report it to Twitter or Facebook, I believe that would be legitimate and would not be unwarranted. But this all seems to be for PR and political points scoring. I cannot read this as legitimate interests with no unwarranted harm.

There are other questions – does the dossier breach the DP requirement for accuracy for example? But we don’t need to get into that. Two significant breaches of the first principle are sufficient to say that Labour has breached the Act. That’s it.

The only remaining question is what should happen now. I believe Scottish Labour should stop in their tracks, grow up and apologise. If that doesn’t happen (and even if it does), this is a gift to their opponents that will undoubtedly result in complaints to the ICO. Regular readers will know that I am always sceptical that the ICO will stray outside their comfort zone of security fines, but it is open to them to issue either an enforcement notice stopping Labour from doing this, or (very unlikely) issue a penalty. It is worth noting that by the time the ICO quietly disposed of complaints about the Samaritans, the charity had stopped their Radar project and may never restart it. Political parties are rarely so intelligent, and if the ICO are faced with an intransigent Labour response, not admitting that they have done wrong, anything is possible. Much as I would like to see Labour pick themselves up and offer something more optimistic, it seems that they have instead blundered into another bruising debacle of their own design.

Are You Now, or Have You Ever Been

The Labour Party’s recent – if belated – interest in the Consulting Association is a good thing. The late Ian Kerr ran a secret blacklist for a range of big-name construction companies, and there is simply no defence for what he and they did. The fundamental principle of Data Protection is fairness, and fairness is not just about the general notion of being equal and proportionate – the DPA specifically requires organisations to inform individuals about how their data is used. Even if the construction industry needed a quick central system for checking the reliability of casual employees, it would be vital for workers to know about and have access to it to ensure that the facts were correct and the decisions justifiable. The secret nature of the system, of course, was to cover the real aim of rooting out people who might ask awkward questions about health and safety or working conditions.

It is hard to imagine anything more squalid than a hugely successful industry – bloated with public sector contracts and many establishment connections – targeting ordinary working people who want to prevent deaths, accidents and unfair working practices. This activity is a stain on their reputations and they must not be allowed to forget it. The anger directed by unions, Liberty and individual workers is justified. The fact that the construction companies escaped largely unpunished is a scandal. The chief responsibility for this disgraceful business lies at their door.

However, much of the ire is bizarrely directed at the Information Commissioner. Despite his cack-handed defence on the Today programme, the current Commissioner Christopher Graham is not to blame for the construction companies’ apparent impunity, nor is his predecessor. I think Richard Thomas’ tenure as Information Commissioner was fairly disastrous (especially for FOI), but the Consulting Association prosecution was possibly the biggest success of his time in the job. Few of the criticisms hold any water. Unions have demanded that the entire CA database should be handed over to them – using publicity and FOI to achieve this. This would be a breach of the Data Protection Act. The ICO obtained the database as part of an investigation, and whatever the motives of the unions, it would be unfair to every person on that list for their information to be given out to every angry union that demands it.

The ICO has also been criticised for not proactively contacting all of the people on the list. As someone who already thinks that the ICO does not put enough resources into enforcement, the idea that they would spend the doubtless huge sums of money contacting thousands of people (after sorting through the information to identify them properly) is ludicrous. The ICO is not there to help people pursue claims – they are there to enforce the law, not to take sides and support individual actions. It was their job to take on the problem – they did that.

The biggest criticism levelled against the ICO is the lack of prosecutions for the construction companies. The Unions and various Labour figures have been loud and self-righteous in their outrage over the perceived lack of action. The £5000 fine for Kerr was paltry, and the enforcement notices issued to the construction companies lacked the required sting. But all of this is Labour’s fault. Exposing Kerr and seizing his database was the most the ICO could do – as his operation depended on secrecy, the raid killed it. The only criminal offence that the ICO could charge Kerr with was non-notification and the maximum penalty for non-notification was £5000. It was not a criminal breach of the Data Protection Act to run or use a blacklist when the construction companies encouraged Kerr to do so and paid his bills and fine for him. In 2009, the ICO did not have the power to issue Civil Monetary Penalties. No regulator can prosecute without a specific offence, and there were no offences on the statute book. His current CMP powers are not retrospective, and if they should have been, it was Labour’s decision not to make that happen.

It’s easy to attack the ‘disgraceful belligerence’ of Chris Graham’s performance on Today, as Val Shawcross, a Labour London Assembly Member, did on Twitter. Jessica Asato, prospective Labour candidate in Norwich, does the same on Labour List: “Scandalously, when prosecution was sought for Ian Kerr the CEO of the Consulting Association (and apparently a previous employee of the Economic League) he was only fined £5000 for data protection issues and none of the firms who paid for the information were fined at all.” If this is a scandal, it is a scandal that Asato’s party devised. A fine for the companies was more or less impossible, unless the ICO also prosecuted them for not notifying their use of the CA database. The maximum fine would have been £5000, even if the prosecution had been successful.

The Data Protection Act 1998 and its associated regulations were created and passed by a Labour Government. If the ICO’s response –  the strongest possible legal response – was inadequate, it was because the Blair and Brown governments made it that way. Breaches of data protection had no adequate punishment until the shambolic data handling within Government embarrassed Brown into a U-turn. Labour still backed away from making data theft an imprisonable offence under pressure for the Daily Mail, and even now, Section 63 even makes it impossible for the ICO to prosecute the Government or the Royal Household for a criminal DPA breach. Any union, any worker, any ambitious politician who wants to raise the issue of why the construction companies got out of jail free cannot go after the ICO, and they are being dishonest if they do.

Chuka Ummuna, the Shadow Business Secretary, is making a lot of what is an unfashionable issue and he deserves credit for doing so. He wasn’t an MP when Labour set Data Protection up without any teeth, and so his hands are fairly clean. Nevertheless, I can’t help thinking that the party’s enthusiasm for the issue now might have something to do with the fact that they are no longer in government making decisions, and awarding humongous PFI contracts to the businesses that were guilty of the ‘affront to justice’ that Asato finds so offensive.

One strong element of Asato’s article still rings true, and brings us round (inevitably) to the part of this post which allows me to revert to type and have a dig at the Commissioner. She points out that blacklisting and stigmatising of union and other activists in construction is an ancient business, going back to the founding of the McCarthy-like Economic League in the 1920s. I think it’s safe to assume that there is a version of the Consulting Association running right now. Kerr is dead, but the idea that a practice that is at least 90 years old will suddenly stop because it was exposed is idiotic. Panorama exposed the League in 1994 and blacklisting didn’t die then. Deputy Commissioner David Smith sets out the ICO’s approach to the Consulting Association fairly on the office’s website, but he loses credibility with this unnecessary final flourish:

The construction blacklist remains a black spot on the history of employment in this country. While the work to close it down is long completed, our work to help those whose lives were affected by the blacklist continues.

Everyone involved in the Consulting Association case should be proud of the good work they did. If I was a very suspicious person, I would wonder whether Labour and the Unions see the ICO as a convenient whipping boy to cover up their own failings on this matter. But I support Asato when she says that the work on closing down blacklists is almost certainly not over. Rather than attacking the ICO for doing the right thing, workers, unions, politicians and advocates for better Data Protection should chide the ICO for resting on its laurels. It should be knocking on doors across the construction industry and demanding evidence that the 2009 enforcement notices – which have presumably not been withdrawn – are still being complied with. The stick they wield now is a lot bigger, and they should not persuade themselves that they don’t need to use it.