Small change

Some senior figures in the charity sector have sought to deal with the Information Commissioner’s recent enforcement against the RSPCA and the British Heart Foundation by suggesting that the ICO’s action is disproportionate and unfair. The fundraiser sorry, academic, Ian MacQuillin has written two blogs which touch on the theme, while a few days ago, Robert Meadowcroft, the Chief Executive of Muscular Dystrophy UK tweeted:

If the is impartial regulator it will investigate practices of and not simply pursue charities

As 2016 is now disappearing over the horizon, I thought it was worth testing the hypothesis that the ICO is taking disproportionate action against charities, and the fines and other enforcement against charities are unrepresentative. TL;DR – it’s complete nonsense.

In 2016, the ICO issued 34 civil monetary penalties – 11 under the Data Protection Act, and 23 under the Privacy and Electronic Communications Regulations (PECR). There are a number of different ways of looking at the figures, and none of them show any evidence of disproportionality.

1) Charity CMPs as a proportion of the total in 2016

Of the 34 penalties, 2 were against charities, so 6% of the ICO’s CMPs in 2016 were against charities.

2) Amount charities were fined, as a proportion of the total in 2016

The CMP total was £3,225,500. The total of CMPs issued against charities was £43,000. This is 1.3% of the total.

3) Proportion of Data Protection CMPs issued to charities in 2016

If you look only at the CMPs issued under Data Protection, the charity proportion is not insignificant – there were 11 DP CMPs, so the 2 charity CMPs are 18% of the total – the same as the police, 1 more than councils, but less than the private sector or the NHS (3 each). However, this is the only comparison where charities feature significantly, and they are not the dominant sector. The next two comparisons are also instructive.

4) Proportion of PECR CMPs issued to charities in 2016

None. This is despite widespread breaches of PECR by charities, including phoning donors who are on TPS and sending texts and emails without consent (for example, the vast majority of mobile numbers gathered via charity posters in 2016 were obtained in breach of PECR).

5) Proportion of CMPs issued for marketing related activities in 2016

There were 21 PECR CMPs related to marketing, and 2 DP CMPs related to marketing, making 23 marketing CMPs in all. 2 were against charities, which is 9.5% of the total. Given the big charities’ disastrous approach to marketing, this relatively small number is astonishing.

6) Level of CMPs in 2016

The average DP CMP was £108,500; the average charity DP CMP was £21,500.

The average PECR CMP was £84,666.75; there were no charity PECR CMPs.

The highest DP CMP was £400,000; the highest charity DP CMP was £25,000.

7) Other enforcement in 2016

There were 22 enforcement notices issued by the ICO in 2016, 8 under DP and 14 under PECR. 1 of the 8 DP enforcement notices was against a charity, which is 4.5% of the total, or 12.5% of the total DP enforcement notices. Either way, it is a small percentage of the total. Again, if you count the number of marketing related enforcement notices, there were 15, of which 1 was against a charity. This is 6.6% of the total.

8) CMPs since 2010

There have been 69 DP CMPs since 2010 that I can find (they drop off the ICO’s website after a few years); 4 were issued against registered charities, which is 5.8% of the total. The average DP CMP was £114,163, whereas the average charity was £78,250. It is worth noting that these figures are slightly skewed by the £200,000 penalty against the British Pregnancy Advisory Service, which is a registered charity but receives most of its funding from the NHS.

The CMP against the British Heart Foundation was the 8th lowest CMP overall, while the CMP against the RSPCA was the 9th lowest. The only organisations to receive lower penalties than the charities were small businesses, unincorporated associations, and a bankrupt lawyer.

There have been 47 PECR CMPs that I can find since 2012; none have been issued on charities, which is 0% of the total.

Conclusion

These figures will likely be different in 2017. The ICO has signalled that more DP enforcement against charities is coming, and so the proportion of DP penalties may rise when the totals are in, but that depends on a variety of different factors including the number of other penalties and the ICO’s general approach. However, when you look at the facts for 2016, MacQuillin and Meadowcroft are wrong. Despite years of ignoring the Data Protection and PECR requirements in favour of a flawed, fundraiser-driven approach, the ICO has not taken disproportionate action against the charities. The action taken is a small percentage of the overall total. Special pleading and blame-shifting will not help the sector. Compliance with the law will.

Fair Cop

The bedrock of Data Protection is fairness. You cannot gain consent without fairness. Your interests are not legitimate interests if they are secret interests. Unless you have an exemption or you claim that telling the person represents disproportionate effort (i.e. the effort of telling outweighs the actual impact), you have to tell the person whose data you are using the purposes for which their data will be used, and any other information necessary to make the processing fair.

The ICO’s Privacy Notices Code of Practice is not ambiguous, nor was its predecessor. It is impossible to read the ICO’s published guidance on fair processing without taking away the key message, consistently repeated for more than a decade: if something is surprising or objectionable, especially if it involves some kind of impact or sharing outside the organisation, it should be spelt out. New-ish Information Commissioner Elizabeth Denham seems to have chosen to reverse the ICO’s previously timid, unimaginative approach to the first principle with a pair of civil monetary penalties against charities. We have one each for the Royal Society for the Prevention of Cruelty to Animals, and the British Heart Foundation, with the promise of more to come. You might say it was unfortunate that charities are first in line rather than, say, credit reference agencies or list brokers (to be a touch tautological). It was the charity sector’s misfortune to fall under the Daily Mail’s Basilisk gaze, and they have to accept that we are where we are.

To issue a civil monetary penalty, there are three hurdles for the ICO to clear. Firstly, there must be a serious breach. Both charities used commercial companies to profile thousands (and in one case, millions) of donors, buying up data from publicly available sources* to assess their wealth and resources; they shared data with other charities whose identity they did not know via a commercial company; and in the case of the RSPCA, they bought contact details to fill in data that donors had provided. The average donor did not have any idea that this was happening. I can see there’s a problem that when everyone in the charity sector knows that wealth screening goes on, it seems normal. But I’ve been using it as an example on my training courses ever since the Mail revealed it, and, bearing in mind that these are often seasoned data protection professionals who know about data sharing and disclosure, attendees are invariably shocked and in some cases revolted by what I tell them.

There is no doubt in my mind that this processing needed to be spelt out, and there is no doubt from the notices that it was not. ‘Carefully selected third parties or partners’ has been a stupid lie in marketing for years, but not even knowing where the data goes is much worse than the usual flogging it to all comers. At least the list broker knows who he’s flogging it to, even though the only careful selection is the ability to pay.

The second hurdle is the need to show that the breach is likely to cause damage or distress to the affected data subjects. It’s been known for quite some time that the ICO was planning to take enforcement action over the Mail stories, and the gossip I heard from charities was that fines were likely. I’ll be honest, I wasn’t convinced. The Information Commissioner lost a Data Protection Tribunal appeal from Scottish Borders Council because they bungled the damage / distress element of a £250,000 CMP over pension records found in recycling bins. ICO made a flawed claim that the loss of paper pension records was likely to result in identity theft, but Borders had an expert witness who could argue convincingly that this was not true. The link between the breach (the absence of a contract with the company processing the data) and the damage was broken, and the ICO lost.

But this case is different. The ICO does not need to make a link between an incident and a breach, because they are bound up together here. Both notices show that the ICO has given considerable thought to the distress angle. There is no question that the charities breached the first principle, and their only hope for an appeal is to convince the Tribunal that people would not be caused substantial distress by secret profiling and data sharing after an act of generosity. This is not science, and all I can say is that I am persuaded. But for an appeal to be successful, the charities will need to persuade a Tribunal with strong experience and knowledge of DP and PECR from the numerous (and almost exclusively doomed) marketing appeals.

The third element requires the breach to be deliberate or a situation where the charities ought reasonably to have known about the breach. As I have already said, the ICO’s position on fair processing is well known in my sector and available to anyone who can type the ICO’s web address. I think it’s possible that the charities didn’t know what they were doing was a breach, but in my opinion, this is because the Institute of Fundraising and the Fundraising Standards Board effectively acted as a firewall between charities and reality. The advice (often inaccurate and out of date) came from the IoF, and complaints about charities went to the FRSB and no further. When your code of practice is written by the people who earn their living from fundraising and most in your sector are doing the same thing as you are, it’s not hard to fool yourself into thinking it’s OK. But ‘everybody does it’ will cut no ice with the Tribunal. The RSPCA and the BHF are not tiny charities flailing in the dark – they are massive, multi-million pound operations with vastly greater resources than many of my clients.

Daniel Fluskey, head of Policy for the Institute of Fundraising, whose apparent lack of experience or qualifications in Data Protection does not prevent him from writing inaccurate articles for the charity sector on GDPR, has already weighed in, saying that the ICO should be providing the specific wording that charities require: “Charities need more detail on the ICO’s view of what lawful practice looks like: what form of words would have passed the test?” The Information Commissioner is the regulator for every organisation, of every size and shape, that processes personal data. If they start writing tailored wording for charities, they will have to do it for everyone else as well. It is a ridiculous demand. I think the ICO should move on to the data pools, wealth screeners and list brokers, but if she could find the time to issue an enforcement notice on the Institute of Fundraising, forbidding them ever to speak or write on Data Protection matters again, the third sector would have a fighting chance of complying.

Besides, how hard is it to find compliant wording? Nobody – especially not the trade association for fundraisers – should be allowed to present this as a byzantine and complex task. The individual doesn’t need to know what software you’re using, or whether cookies are involved. They need to understand the purpose – what are you collecting, what are you going to do with it, who are you going to give it to? This should be presented without euphemism or waffle, but it’s when you strip out the legalistic nonsense, you see the problem. It isn’t that the poor charities were labouring under the burden of complex data protection rules. They could not comply with the Data Protection Act because what they were doing (and in RSPCA’s case, are apparently still doing) is so unattractive:

  • We will share your details with unspecified charities via a commercial company. We don’t know who they are.
  • We will buy your phone number, postal or email address from a commercial company if you have not given it to us.
  • We will use commercial companies to compile a profile of your wealth and property to work out whether to ask you for further donations. If you are likely to be worth a lot when you die, we will use this information to ask you for a bequest.

When Reactiv Media appealed their PECR penalty, the Tribunal rejected their appeal and increased the penalty. Like a lot of the spammers, they put themselves into administration to avoid paying up, but this option is not available to household name charities. If either the RSPCA or BHF appeal, they are dragging themselves deeper into the mud, and very possibly spending thousands more of donors’ money to do so. If they say that what they did wasn’t a breach, or that they couldn’t have been expected to know that it was, their officers, advice and business model will be scrutinised to a doubtlessly painful extent. The claims management company Quigley and Carter found themselves described as “feckless” and “most unimpressive” in the course of being filleted during a recent failed appeal. Do charities really want that? Even if they decide to roll the dice solely on distress, does either charity really want to acknowledge a serious breach that they knew or ought to have known about in the hope of getting the fine overturned on a technicality? Do they want ICO to call donors as witnesses?

The business model of pressure selling, TPS-busting, heavy texting, data sharing and donor-swapping adopted by some of the UK’s most celebrated charities resembles nothing so much as the activities of the claims management, PPI spammers (i.e. the scum of the earth). For all the noise and bluster on Twitter and in the charity press this week, there is an uncomfortable truth that has to be faced. The hated Daily Mail unearthed it, and the ICO has rightly acted on it. Some big charities have run an end-justifies-the-means approach to marketing and they have got away with it for a decade. Fundraisers ruled the roost, and compliance has been sidelined or ignored. Given how much money the RSPCA and the BHF have raised from fundamentally unlawful practices, they should pull back and rethink how they get donations in the future. They should ignore the Institute of Fundraising’s every word on Data Protection and PECR, and like every other charity, concentrate on reading and applying the ICO’s Code on Privacy Notices and guidance on Direct Marketing.

And right now, if there is a fundraiser sitting with the two CMP notices working out how to at the same time devise a method to raise loads of cash for their cause while complying with Data Protection and PECR, I hope they wipe the floor with everyone else.

*citation needed

Less than ideal

Last week, Stephen Lee, an academic and former fundraiser was reported as having attacked the Information Commissioner’s Office for their interpretation of direct marketing at a fundraising conference. It was, he said “outrageous” that the Commissioner’s direct marketing guidance stated that any advertising or marketing material that promoted the aims and ideals of a not-for-profit organisation was covered by Data Protection. According to Lee, only fundraising activities should be considered to be marketing.

[NB: Third Sector articles are sometimes open to all and sometimes limited to subscribers. If the links don’t work, please accept my apologies!]

He is quoted as saying “Who says that’s right? Just the ICO. Who did it consult? No one.” and went on to say “Why and how and in what way should we be compelled to comply with that proposition?”

Who says that’s right? Who did the ICO consult? Well, let me see now.

1) The Council of Europe

In 1985, the Council of Europe issued a Recommendation on the protection of personal data used for the purposes of direct marketing. The definition of direct marketing includes both the offer of goods or services and “any other messages” to a segment of the population. The recommendation predates the guidance Mr Lee disparages by more than 30 years.

2) The 1995 Data Protection Directive

The Directive makes clear that direct marketing rules apply equally to charitable organisations and political parties as they do to commercial organisations, and emphasises the need for people to be able to opt-out of direct marketing. By redrawing the definition, Mr Lee would contradict this fundamental right.

3) The Data Protection Act 1998

Given that Mr Lee feels qualified to make bold statements about the interpretation of the Data Protection Act, it’s odd that he doesn’t seem to have taken the time to read it. Section 11 of the Act states that the definition of Direct Marketing is “the communication (by whatever means) of any advertising and marketing material which is directed at particular individuals”. The important word there is “any” – organisations do not get to pick and choose which of their promotional messages are covered and which are not.

4) The Privacy and Electronic Communications Regulations 2003

PECR sets up the rules for consent over electronic direct marketing (consent for automated calls, opt-out and TPS for live calls, consent for emails and texts). It does not define direct marketing, but instead says this: “Expressions used in these Regulations that are not defined in paragraph (1) and are defined in the Data Protection Act 1998 shall have the same meaning as in that Act”. Therefore, the DPA definition applies to PECR.

5) The Information Tribunal (now the First Tier Tribunal)

In 2005, the Information Commissioner served an Enforcement Notice on the Scottish National Party after they repeatedly and unrepentantly used automated calls featuring Sean Connery to promote the party in the General Election. The SNP appealed, and in 2006, the Information Tribunal considered the issue. One of the main elements of the SNP appeal was against the ICO’s definition of direct marketing. Although the case is about a political party, the ICO’s submissions are based on the proposition that charities as well as political parties are covered by the definition of direct marketing, and that the definition cannot be restricted to fundraising alone. The Tribunal accepted the ICO’s view in full, and dismissed the appeal.

6) The charity sector and anyone else who wanted to be consulted

The ICO may have issued guidance in the 1980s or 1990s on the definition of direct marketing, but the idea that promoting aims and ideals is part of it has been their view since 1999. In guidance issued on the precursor to PECR, the ICO stated clearly that direct marketing includes “not just to the offer for sale of goods or services, but also the promotion of an organisations aims and ideals”. They specifically mentioned charities, as they have ever since. Virtually every iteration of the ICO’s guidance on PECR and direct marketing has been subject to public consultation – indeed, the very guidance Lee is talking about was subject to a public consultation.

Here’s the problem. Lee is an Honorary Fellow of the Institute of Fundraising, and has a long association with it. The IoF has been the most consistently pernicious influence on the charity sector’s compliance with data protection and privacy law in the past ten years. Their guidance and public utterances on data protection are often misleading, and they recently had to change their own Code of Practice because it was legally incorrect. At best, they haven’t noticed the ICO position on charities and direct marketing for more than 15 years. At worst, they deliberately ignored it in favour of an interpretation that largely suits fundraisers. Lee complained at the conference about the “appalling” communication between the ICO and charity umbrella bodies, but Richard Marbrow of the ICO summed the problem up all too well:

“One of the things the sector asked for was clarity, and I will try and bring you that. The trouble is, if you then say ‘we don’t like that clarity, could we have some different clarity please?’, we’re not going to get on very well.”

The most important thing about Lee’s outburst is the subtext – if any form of communication is not covered by the definition of direct marketing, then your consent is not required in the first place and you have no right to stop receiving it. His interpretation is nonsense, but it is also ethically unsound. At its most basic level, privacy means the right to be left alone, the right to have an area of your life which is yours, which others can’t intrude into. Lee seems to want to erode that right. If his view was correct (it’s not), charities could bombard people with phone calls, texts or emails to tell them how marvellous they are, how important their work is, how vital they are for society. As long as they don’t ask for money, the logic of his argument is that people wouldn’t be able to stop them.

Lee’s other question (“Why and how and in what way should we be compelled to comply with that proposition?”) has an easy answer. Ignore it. Carry on breaching the law, ignoring the rules. I went to the cinema last night and saw adverts for two different charities that plainly breached PECR, so that seems to be the plan. Given that the furore over charities began with an innocent person bombarded with unwanted correspondence, it’s remarkable that senior figures in the charity sector are ready for another go, but if Mr Lee wants to drag charities’ reputations deeper into a swamp that they share with PPI scammers and payday loan merchants, he’s welcome.

But the ICO should not listen to their concerns, or open friendly channels of communication with the sector. They should apply the law firmly and regularly until the charities get the message. If this results in more enforcement against charities than other sectors, that will be only because the big charities are among the worst offenders and they haven’t put their houses in order. If charity giving suffers as a result, even amongst the many charities that have not transgressed, they should stop blaming others and look to their fundraisers, their colleagues and themselves.

A very bad call

A few weeks ago, I heard someone on the radio talking about why American bankers are prosecuted and imprisoned (sometimes), whereas British bankers almost invariably are not. The commentator said that American banking regulation is rules-based, whereas British banking regulation has historically been principles-based. Therefore, the American system is more black and white and it’s easier to cuff someone, as compared to a system that requires interpretation and analysis.

The same is true of the difference between Data Protection and the Privacy and Electronic Communications Regulations (PECR). Although Data Protection has some concrete rules (accuracy, the need for clear retention schedules), most of them are subject to interpretation. Imagine the delight of people I train when I tell them that there is often more than one correct answer, and all they need to do is explain why they think what they think. They love it.

PECR is different. PECR is rules. There are some areas for argument (for example, what counts as a ‘similar’ product or service when using PECR’s version of the offside rule, the soft opt-in). But most of the direct marketing section of PECR can be boiled down to rules. Texts and emails are opt-in. Phone is opt-out subject to screening against the TPS. Faxes are don’t be so stupid nobody sends marketing by fax these days. There are a lot of misconceptions around PECR; I read in The Times a few weeks ago that the charity exemption from the TPS was to be removed, even though it has never existed. Trawl the forums and comments of marketing websites, and you will find a widespread belief that customers can be considered to have opted in to marketing automatically, even though this is nonsense. However, because of all this hogwash, the application of the PECR rules can cause panic in the marketing world.

This week, I was sent an email that has been circulated to a variety of charity clients by a marketing company that specialises in making fundraising calls. It was sent after the Fundraising Standards Board (FSB), a self-regulating body for fundraisers, recommended changes to the FSB’s code of practice. Bearing in mind that the FSB code is just an industry standard, it’s not a big issue. The Direct Marketing Association’s Code of Practice is actually stricter than the law, and so is an entirely good thing. The tone is generally depressing. Having mentioned the tragic death of Olive Cooke, the email talks of “the continued focus on the treatment of vulnerable people, all of which can be considered valid points to consider improving“. That’s right: the treatment of vulnerable people is a ‘valid point‘ to ‘consider improving‘, but that’s not what they’re worried about. There are areas of “extreme concern” that they really want to talk about.

The first issue of extreme concern is a proposed change to the FSB code that states that fundraisers cannot call anyone on the TPS unless they have given clear permission to receive calls. This is because “The Information Commissioner’s Office has confirmed that it is not sufficient to assume that a TPS registered supporter has given consent to receive calls simply due to the fact that they have made a donation.”

The marketing agency says in bold type: “This potential requirement to TPS, prior to calling, is extremely alarming and could have devastating consequences for the future of telephone fundraising”. Bear in mind, it has been a requirement to screen all marketing calls against the TPS since the regulations came into force in 2003. There is no charity exemption, no existing customer or donor exemption; those words or concepts simply do not appear. The email talks a lot about ‘warm calling’, which is a marketing term that refers to contacting people with whom you have a relationship. Warm calling has no relevance to the PECR rules at all. It is a red herring. If I am on the TPS, you can’t call me unless I have given you consent. Consent cannot be inferred from another action – either I have consented or I have not. You can count me as a sceptic on the issue of tick-boxes and whether people have truly consented in many cases, but to bring in the concept of warm calling strongly suggests the absence of any meaningful consent at all.

The marketing agency has two solutions, one ridiculous and one concerning. The first is to lobby the Institute of Fundraising with “extensive evidence of the damage this would do”. In other words, keep unlawful wording in a non-statutory code to create the illusion that warm calling is legal. The lack of understanding of the legal framework they are working in is remarkable. The code is irrelevant – the fact that an industry code is wrong makes no difference to the law.

The second suggestion (again in bold type) is unacceptable: “contact every donor you do not have explicit consent to contact by telephone, whilst we have the opportunity, and get their expressed opt in”. If the charities already have consent to call TPS registered people, they don’t need to call them again. If they don’t already have consent, then calling them to get their consent is in itself a breach of PECR. All of these proposed calls would either be a waste of time or unlawful, and while the agency generously wants to ‘share the cost of these calls’, I doubt that they will be made at a loss.

The second recommendation to cause ‘extreme concern’ to the agency (rather than the misery and inconvenience they might be causing to the people they call) is a recommendation that the industry practice of making three donation requests during the course of a call could constitute ‘pressure’, rather than ‘reasonable persuasion’. The email goes on to set out the success rate of successive asks, with a 50% success rate on the third ask. The idea that the number of times the caller might ask for money during a call might be restricted to just two is anathema: “this would affect the whole of telephone fundraising”. In other words, we’ll lose money if we’re not allowed to pressure people.

The email ends with a touching moment of self-doubt: “We do also appreciate you may believe our email is driven by this agency’s self interests”. That thought didn’t cross my mind. Not even for a second.

There is a legitimate debate to be had about the morality of fundraising tactics, but only within the law. If chuggers are licensed to operate on public streets, then how they act is more about ethics than law. If charities and their agents have consent to call TPS-registered people, or they cold call people who aren’t on the TPS, the techniques that they use are an issue of morality. There is a strain of “end justifies the means” thinking in some charities that, in my opinion, can drag them down to the PPI, accident-that-wasn’t-your-fault level of marketing. How they square this with their charitable aims is a matter for them. I don’t think that charities should pay agencies to use high-pressure sales techniques on vulnerable people, but if it isn’t illegal, that’s just my opinion.

But the law is the law. A charity (and a marketing agency paid by them) cannot call someone registered on the Telephone Preference Service unless they have explicitly said that they (i.e. the specific charity making or instigating the call) can do so. A charity cannot call someone on TPS to obtain consent to call. There is no exemption, no loophole. An industry code of practice is irrelevant to this, whether it is right or wrong. Any charity which goes along with this is not just acting irresponsibly or selfishly: they are breaking the law. Any such calls should be tackled by the Information Commissioner as mercilessly as the spam texts and calls from claims and double-glazing companies that are their usual fodder. Indeed, there is a strong argument that Wilmslow should intervene to prevent any such calls from happening.

The Yellow Peril

A few months ago, I blogged about a session of the House of Commons’ Culture Media and Sport Committee where the Chief Executive of Which? talked a bit of nonsense about unsolicited calls. Not to be outdone, the MP for Exeter Ben Bradshaw decided to indulge in a bit of (reported) hogwash of his own. Opining on the interesting suggestion to ban unsolicited calls altogether, Bradshaw described the idea as “an affront to democracy“. After all, he said, “I am there to help my constituents, but you are saying you want to make it more difficult for me to help them.” I don’t know whether an unsolicited call from Mr Bradshaw – a man who unnervingly resembles Hugh Grant’s mummified remains – is what the fine folk of Exeter really need, but the claim is stupid. If a constituent asks an MP for assistance, any call would be solicited. If a constituent hasn’t asked the MP for help, the MP should leave them alone.

I was inspired by Mr Bradshaw’s comments to do something I have been meaning to do for a long time, and which the faint rumblings of the campaign for the 2015 General Election suggest as a sensible step for anyone. I made a request under Section 11 of the Data Protection Act asking the three main political parties to cease or not to begin processing my personal data for the purposes of direct marketing. In other words, I opted out of receiving any marketing / campaigning / promotional material from Labour, the Conservatives and the LibDems, either at a national or a local level.

So how did they get on?

I deliberately chose the bog-standard national address from the front page of each party’s website and made no effort to find out who in each organisation is responsible for Data Protection or general compliance, just to see what happened. So on the same day (using the nice paper, since you ask), I wrote to ‘the Data Protection Officer’ at each party. It took the LibDems and the Conservatives a day to respond – I think I posted the letters on a Tuesday and I had both of their responses on the Thursday, which is very good. Labour lose some customer service points for needing a follow-up letter to prompt a response, but cannot really be criticised as a) they sent a nice apology for the delay and b) an organisation has no legal obligation to acknowledge a Section 11 request, they simply have to comply with it. All equal so far.

Purely from a blogging perspective, I will admit to being disappointed with both Labour and the Conservatives’ substantive responses. Both were exemplary, doing nothing more than politely agreeing to my request. There was no quibbling, no attempt to nose out a loophole. I expected at least one of the parties to claim that political campaigning isn’t marketing, but neither of the big two took the bait. They even promised to ‘suppress’ my details, meaning that my information will be retained but kept on a suppression list so even if they acquire my data from some survey or other list, I will be flagged as ‘no contact’. It’s entirely possible that they won’t follow through and comply, but it’s a good start. Bit of a pain though, as I have a blog to fill and DOING STUFF PROPERLY ISN’T GOING TO HELP ME DO THAT, IS IT? IS IT?

And so, Thank Goodness for the Liberal Democrats.

The letter from the party’s ‘Head of Compliance and Constitutional Support’ contained a fascinating attitude to Data Protection. Firstly, he spelled my street wrong (‘Honeysuckel’ not ‘Honeysuckle’) and the second half of the postcode was completely incorrect (none of the same letters or numbers). The fact that when responding to a member of the public who is raising concerns about data protection, you are so sloppy as to get the address wrong when it’s probably easier to get it right is telling. Secondly, his opening gambit ‘I am afraid there are a number of misunderstandings of the Data Protection Act in your letter’ is probably red rag / bull territory for someone like me, but it is also not true. He identified no misconceptions about the DPA at all; instead, he went on to quote ICO guidance – ICO guidance and the DPA are very different things and I think it’s remarkable that a ‘Head of Compliance’ doesn’t appear to know that. His point is that Section 91 of the Representation of the People Act 1983 gives parties the right to send either one “unaddressed postal communication” or one “postal communication addressed to each elector”. The reference to ICO guidance comes from ‘Guidance for political parties and candidates’, and as he observed, the ICO guidance does indeed say that Section 91 ‘applies even if the individual has asked you not to contact them’.

This is interesting. Section 11 of the Data Protection Act does not contain any exemptions or qualifications. It says this:

An individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing for the purposes of direct marketing personal data in respect of which he is the data subject.

And that’s all. The unaddressed communication is fine – it will be delivered with the pizza leaflets, but an unaddressed leaflet clearly does not offend Data Protection and I have no argument with it. However, if Section 91 of the Representation of the People Act 1983 gives parties an automatic right to send an addressed communication, that appears to be in conflict with my Data Protection rights. DPA says one thing, RPA another. I’m not remotely an expert in the UK constitution versus EU law, but even I know (and a more reliable person reminded me) that generally speaking, where EU and domestic law are in conflict, EU law wins. It’s curious that the ICO line appears to be wrong and their guidance to parties – clearly written with awareness of the conflict – sides against the ICO’s own legislation. For what it’s worth, I think the LibDems and the ICO guidance are wrong. I believe Section 11 takes precedence.

However, even if I’m wrong, the LibDems’ high-handed approach is striking. Their attitude can be paraphrased like this: ‘we know you don’t want to hear from us, but we think our rights trump yours, so tough’. The communication in question – if it comes – will be designed to persuade me to vote Liberal Democrat, and I find it very difficult to reconcile the two ideas. Do I really want to vote for people whose attitude to my rights is so dismissive? Even if the RPA does give the parties an unchallenged right to send marketing to unwilling recipients, what kind of organisation is dumb enough to use that right?