Roast Lamb

Politicians rarely handle data protection with anything like aplomb. The political parties’ record on compliance with DP and PECR is awful, and they often seem to think privacy laws don’t apply to them. An impressive example of this emerged today, with a largely nonsensical tale of skullduggery in the Liberal Democrat leadership campaign.

FULL DISCLOSURE: I wouldn’t be interested in the outcome of the Liberal Democrat leadership campaign unless it was being decided using swords.

The story seems to be that the campaign teams of the gratingly folksy Tim Farron and the ponderous Norman Lamb have been given the LibDem membership lists by the party. The Farron camp complain that while conducting polls using the data, Lamb’s team have asked pointed questions that apparently reveal that Farron may not be all that liberal on issues like abortion and LGBT rights, including gay marriage. If you can find the Data Protection breach here, you’re a better nerd than me. Nevertheless, The Daily Telegraph reports:

The Information Commissioner, the information watchdog, is set to be asked to investigate whether there was a breach of data laws in a move which could land the party with heavy fines

THIS WON’T HAPPEN. NOT NOW, NOT EVER.

Meanwhile the Independent states: “There will be a formal discussion with the party’s data controller* tomorrow morning over a potential self-referral to the Information Commissioner.”

THIS IS A COMPLETE WASTE OF TIME.

I don’t doubt that the Information Commissioner’s Office will feel obliged to accept the complaint and pick at it for a while, and there is the entertaining prospect of some discomfort for the Commissioner himself, a former LibDem candidate before his switch to Commissionering. Unless there is more to the story than unfair push-polling however, there’s nothing to see here, because what is the breach?

If Lamb’s team had purloined the membership list for the purpose of polling, that would be a criminal offence, but it seems clear from every version of the story that I have read that the party gave the list to the candidates for the purposes of campaigning. No breach. If both teams had accepted the data on the basis that they would not use the data for polling, Lamb’s use of the data would be a breach of the first data protection principle on the basis that it was unfair, but again, there is no hint of that in the coverage. The only two conceivable uses of the membership list would be polling or marketing, and if you were going to restrict the use of the data, preventing marketing would make more sense. Of course, if the *polling* is a breach, then presumably Farron’s team hasn’t done any polling, because otherwise, they would have the same problem that Lamb has.

You could, if you really wanted to stretch the point as far as it could possibly go, say that using the LibDem membership list to ask skewed questions is processing personal data for an unfair purpose. But if whoever first raised DP in this context thinks that this is how it should be enforced in the UK, it would mean that every instance of direct marketing with an exaggerated claim or biased message would be illegal. The Information Commissioner would be issuing CMPs every other minute, and they certainly wouldn’t start with this case.

Every journalist who types a sentence about an alleged data protection breach needs to ask this question (ask me, I’m available through a variety of channels): WHICH PRINCIPLE DID THEY BREACH? DP isn’t anywhere near as woolly or generic as it is cracked up to be. The ill-informed, fact-free way that this story has been reported is a good example of why the legislation is so widely misunderstood. From a political perspective, the best part of it is that the fuss must originally have been kicked up by supporters of Tim Farron. I had no idea that he was not a full-throated supporter of gay marriage and abortion, but I do now, as presumably do many people within the LibDem movement who, unlike me, might be voting in the upcoming election.

FOOTNOTE: Organisations do not have a ‘data controller’; the organisation is the data controller. To misunderstand the Act’s concepts at such a basic level is a very bad sign. In my experience, the Liberal Democrat Party has the worst grip on data protection and privacy of any of the major parties in the UK, so it isn’t a surprise.

Liberal Spamocrats

The Varsity newspaper reports a scandal in academia, as Julian Huppert stands accused of spamming Cambridge’s students with crass emails about revenge porn. As well as reflecting the understandable annoyance of students at the spam and its triggering content, Varsity links Huppert’s spam to a similar incident at Bath University in April. Bath students received unwelcome missives from the outgoing LibDem MP Don Foster (who based on the photo in the Bath Chronicle is presumably stepping down to spend more time running Gringotts Bank).

The question raised by Varsity is whether Huppert, Foster and the LibDems have breached Data Protection and wider privacy law. There is an entirely separate question about election law which I am not qualified to answer, so I won’t. Two pieces of legislation could impinge on the LibDem spam – Data Protection and the Privacy and Electronic Communications Regulations. As the emails are plainly marketing, aimed at encouraging students to take the yellow pill, it’s tempting to assume that the more important law is PECR. This is not the case. PECR does require the sender of marketing emails to have consent from the recipient, but only if that recipient is an ‘individual subscriber’. As long as the spam was sent to a student’s university email address (which appears to be the case in both incidents), they are not individual subscribers. The university is a corporate subscriber, and so the requirements of Regulation 22 (which covers email and text marketing) do not apply. So, game over, but only for PECR.

I cannot see a sensible argument that the email addresses that contain a student’s name are not personal data, so even if PECR is off the table, Data Protection is still in play. It’s impossible to tell exactly how the LibDems obtained the addresses in either case, but given that they can’t deny that masses of emails were sent, and there is no suggestion that consent was obtained (which would clear up most of the DP problems at a stroke), I’d be fascinated to hear how Huppert, Foster and their party ensured that the Data Protection requirements were met.

The first Data Protection principle requires that data be obtained fairly, lawfully and according to a set of conditions. If they wanted to harvest the emails for marketing purposes, the LibDems at either university would need to do so fairly. The only hint about how the data was obtained comes in the Bath story, where the LibDems state that the email system was not accessed without university authorisation, and that email addresses were “all in the public domain”. The public domain issue would be irrelevant if the university had provided the emails to the party, so I assume that the emails were harvested by a LibDem supporting student or staff member from the University address book (any member of the LibDems is welcome to correct me, but only if they’re willing to tell me what happened if this didn’t). The Information Commissioner recently told the Samaritans that data on Twitter was still personal data even though tweets really are in the public domain, but email addresses held in a University address book or similar source are not in the public domain. They’re available to staff and students, but I’m not a Bath or Cambridge student, so I can’t get them. The universities are the Data Controllers for the email addresses, and while I’m sure that it is true that whoever hoovered them up had legitimate access to the system, their use of the data was problematic. Section 55 of the Data Protection Act states that it is a criminal offence for a person to ‘obtain or disclose’ personal data ‘without the consent of the data controller’. I’d be keen to see evidence that the LibDems had consent from the universities to use the emails, and will happily publish it here if it is provided to me.

To use the email address for political marketing is a new purpose, so the LibDems would either need to tell students that their email addresses were being harvested (which they didn’t), they would need an exemption from fair processing (which they don’t have) or they would need to claim that telling students that their email addresses were being harvested for unsolicited marketing purposes involved disproportionate effort (I believe the technical term for that is ‘bollocks’). Moreover, the LibDems would need a condition for processing the email addresses for marketing. They don’t claim that they had consent, so they must think that the use of the email addresses was necessary for a legitimate interest, and their use of the email addresses did not cause any unwarranted prejudice to the rights and freedoms of the students, which is the only available condition. If that’s their argument, they should say so, and be willing to defend it against an equally legitimate argument that sending unsolicited political messages is a breach of students’ privacy. Of course, what I think really happened was that they snorted up the email addresses without any consideration of the DP implications, which is shameful, especially as Huppert claims to be in favour of privacy.

The sense of entitlement here is overwhelming. Cambridge LibDems limply defended their spam with the following: “We have sent a number of emails to students over the last two years to keep them informed of Julian’s activities. All of these have included the appropriate opt-outs”, while the Bath contingent had already said that they would stop sending emails after a previous incident in February. All the political parties are guilty of the same arrogance (although the LibDems have recently been warned off by the ICO, and were the only political party who outright refused to stop sending me marketing). The rules are simple. You cannot obtain personal data and use it for your own purposes just because the data is available or easy to obtain. You have to tell people that you are obtaining and processing their data unless you have an exemption. You cannot send unsolicited marketing to people and justify it purely on the basis that they can opt-out. The subject does not have to do the work: you have to do the work. The sight of political parties who seek to make the law acting as if it does not apply to them is one of the worst aspects of the election season, and whatever happens after May 7th, at least we might enjoy a period of being left alone.