The Yellow Peril

A few months ago, I blogged about a session of the House of Common’s Culture Media and Sport Committee where the Chief Executive of Which? talked a bit of nonsense about unsolicited calls. Not to be outdone, the MP for Exeter Ben Bradshaw decided to indulge in a bit of (reported) hogwash of his own. Opining on the interesting  suggestion to ban unsolicited calls altogether, Bradshaw described the idea as “an affront to democracy“. After all, he said, “I am there to help my constituents, but you are saying you want to make it more difficult for me to help them.” I don’t know whether an unsolicited call from Mr Bradshaw – a man who unnervingly resembles Hugh Grant’s mummified remains – is what the fine folk of Exeter really need, but the claim is stupid. If a constituent asks an MP for assistance, any call would be solicited. If a constituent hasn’t asked the MP for help, the MP should leave them alone.

I was inspired by Mr Bradshaw’s comments to do something I have been meaning to do for a long time, and which the faint rumblings of the campaign for the 2015 General Election suggest as a sensible step for anyone. I made a request under Section 11 of the Data Protection Act asking the three main political parties to cease or not to begin processing my personal data for the purposes of direct marketing. In other words, I opted out of receiving any marketing / campaigning / promotional material from Labour, the Conservatives and the LibDems, either at a national or a local level.

So how did they get on?

I deliberately chose the bog-standard national address from the front page of each party’s website and made no effort to find out who in each organisation is responsible for Data Protection or general compliance, just to see what happened. So on the same day (using the nice paper, since you ask), I wrote to ‘the Data Protection Officer’ at each party. It took the LibDems and the Conservatives a day to respond – I think I posted the letters on a Tuesday and I had both of their responses on the Thursday, which is very good. Labour lose some customer service points for needing a follow-up letter to prompt a response, but cannot really be criticised as a) they sent a nice apology for the delay and b) an organisation has no legal obligation to acknowledge a Section 11 request, they simply have to comply with it. All equal so far.

Purely from a blogging perspective, I will admit to being disappointed with both Labour and the Conservatives’ substantive responses. Both were exemplary, doing nothing more than politely agreeing to my request. There was no quibbling, no attempt to nose out a loophole. I expected at least one of the parties to claim that political campaigning isn’t marketing, but neither of the big two took the bait. They even promised to ‘suppress’ my details, meaning that my information will be retained but kept on a suppression list so even if they acquire my data from some survey or other list, I will be flagged as ‘no contact’. It’s entirely possible that they won’t follow through and comply, but it’s a good start. Bit a pain though, as I have a blog to fill and DOING STUFF PROPERLY ISN’T GOING TO HELP ME DO THAT, IS IT? IS IT?

And so, Thank Goodness for the Liberal Democrats.

The letter from the party’s ‘Head of Compliance and Constitutional Support’ contained a fascinating attitude to Data Protection. Firstly, he spelled my street wrong (‘Honeysuckel’ not ‘Honeysuckle’) and the second half of the postcode was completely incorrect (none of the same letters or numbers). The fact that when responding to a member of the public who is raising concerns about data protection, you are so sloppy as to get the address wrong when it’s probably easier to get it right is telling. Secondly, his opening gambit ‘I am afraid there are a number of misunderstandings of the Data Protection Act in your letter‘ is probably red rag / bull territory for someone like me, but it is also not true. He identified no misconceptions about the DPA at all; instead, he went on to quote ICO guidance – ICO guidance and the DPA are very different things and I think it’s remarkable that a ‘Head of Compliance’ doesn’t appear to know that. His point is that Section 91 of the Representation of the People’s Act 1983 gives parties the right to send either one “unaddressed postal communication” or one “postal communication addressed to each elector“. The reference to ICO guidance comes from ‘Guidance for political parties and candidates‘, and as he observed, the ICO guidance does indeed say that Section 91 ‘applies even if the individual has asked you not to contact them‘.

This is interesting. Section 11 of the Data Protection Act does not contain any exemptions or qualifications. It says this:

An individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing for the purposes of direct marketing personal data in respect of which he is the data subject.

And that’s all. The unaddressed communication is fine – it will be delivered with the pizza leaflets, but an unaddressed leaflet clearly does not offend Data Protection and I have no argument with it. However, if Section 91 of the Representation of the People’s Act 1983 gives parties an automatic right to send an addressed communication, that appears to be in conflict with my Data Protection rights. DPA says one thing, RPA another. I’m not remotely an expert in the UK constitution versus EU law, but even I know (and a more reliable person reminded me) that generally speaking, where EU and domestic law are in conflict, EU law wins. It’s curious that the ICO line appears to be wrong and their guidance to parties – clearly written with awareness of the conflict – sides against the ICO’s own legislation. For what it’s worth, I think the LibDems and the ICO guidance is wrong. I believe Section 11 takes precedence.

However, even if I’m wrong, the LibDem’s high-handed approach is striking. Their attitude can be paraphrased like this: ‘we know you don’t want to hear from us, but we think our rights trump yours, so tough’. The communication in question – if it comes – will be designed to persuade me to vote Liberal Democrat, and I find it very difficult to reconcile the two ideas. Do I really want to vote for people whose attitude to my rights is so dismissive? Even if the RPA does give the parties an unchallenged right to send marketing to unwilling recipients, what kind of organisation is dumb enough to use that right?

Insert knob gag here

Last night, I received a charming email message from Theresa May, revelling in all the foreigners she has kept out of the country before asking me for money. I’m paraphrasing slightly. I regret that politicians don’t have the time to keep me in the loop as much as I’m sure they’d like – I’d really like to know more about Michael Gove’s crusade to keep rudeness out of politics (presumably, he just wants it directed at his civil servants). So perhaps I should not be churlish when one of them gets in touch.

But as Theresa is supposed to be responsible for law and order, I find myself pedantically drawn to point out that her email was almost certainly illegal.

The Privacy and Electronic Communications (EC Directive) Regulations – universally and hilariously known by the acronym PECR (say it out loud) – require organisations wanting to send direct marketing emails to obtain prior consent before doing so. Much as politicians would like to think different, exhorting a member of the public to vote, to donate or support a campaign is direct marketing – both the Information Commissioner and the Tribunal have said this, and the four major political parties in the UK (Conservatives, Labour, LibDems and the Scottish Nationalists) have all received enforcement notices under PECR as a result. So unless the Conservatives have obtained my direct consent to send me these marketing emails, they’ve breached PECR and possibly Data Protection as well.

I have three email addresses – one I use for business purposes which is published on the internet. In PECR terms, I am a corporate subscriber for this address, and cannot complain about spam if I receive it. My other two email addresses are personal ones – in PECR terms, I am an individual subscriber for both. One I use for a lot of general correspondence, the other I use for competitions, surveys and other situations where I think that the person I am giving it to might send me spam emails. If I was to fill in a survey or a petition – the only place I can imagine the Tories might have obtained my email address from – I would always use the third spammy one. What’s interesting about Theresa’s email is that it was sent to the middle one – the personal address that I am more likely to read, but which is not published on the internet like my business one, but is not on all the dodgy databases that list brokers hawk, often illegitimately, as ‘opted-in data’.

In short, the Conservative Party must be able to explain how they fairly obtained an email address that I am 99% certain I would not have ever given to them, or anyone affiliated to them. This is not because I am particularly anti-Tory – I am left-wing, but I have equal contempt for all parties and politicians and avoid them all with the same diligence. Unless they can show me clearly where they got my email from and that they did so fairly (as opposed to scraping it from somewhere or buying a shonky database), they may well have breached the First Data Protection principle.

And that’s the sideshow. PECR is engagingly blunt – even if I have answered a petition or survey and unintentionally used this email address, the Conservative Party would still need my consent before sending me emails. The so-called ‘soft opt-in’ – which allows an opt-out in prescribed circumstances – applies only to sales or negotiation for a sale, conditions which would not apply to a political party.

I’ve written to the Conservatives to ask for the following information:

  • Where they obtained my email address from
  • How they obtained my consent, and a copy of the web page or document on which I indicated my consent to receive emails from them

Under Section 7 of the Data Protection Act, the Conservatives are obliged to provide me with any personal data they hold about me, and also to confirm the source from which they obtained my personal data (in this case, my personal email address). They could, of course, charge me £10 for this information, but given that the person responsible for maintaining law and order in this country has put their name on  correspondence that I am pretty certain breaks the law, I think it would be polite of them to waive the fee.

Nothing is certain – I’m not going to complain to the Information Commissioner until the Conservatives show me what they did / did not do around consent. However, the current Parliament is past the halfway point, and we’re heading down a long, relentless slope towards a general election which will no doubt inspire a marketing frenzy, especially on social media, email, text and phone. It is very important that all politicians remember that PECR gives us all something very valuable for the latter three channels – easy and straightforward rights to be LEFT ALONE. The law applies to them, just as much as it does to anyone else. If you are bothered by unwelcome marketing from politicians, why not ask them the same questions I have above?

Keep your PECR up (I know, I’m sorry)

The BBC reports that Bournemouth and Poole NHS PCT have got themselves into hot water by calling a member of the public using an external company in order to offer him some health screening as he was in an at-risk group. The PCT were, it seems, attempting to deal with a target imposed on them by the Department of Health. The Trust felt that it was not “practical” for them to get consent in this case.

Given that my only source is the BBC news website, I cannot make any definitive judgement about what went on, although it’s clear that the person concerned managed to convince the Information Commissioner’s Office that the use of his data was unfair. The ICO is quoted as follows: “Individuals should have been informed by the trust that they would be receiving a call inviting them to attend a risk assessment, and that this letter should ideally give them some method for asking not to be contacted”

It’s at this point, however, that I feel entitled to mount my hobby horse and ride it up and down the public highway.

The Information Commissioner’s own definition of direct marketing, found in his guidance on the subject, is ‘the offer for sale of goods or services, or the promotion of an organisation’s aims and ideals’. The rules covering any form of electronic direct marketing (i.e. phone, email, and text) come from the Privacy and Electronic Communications Regulations (usually pronounced ‘Pecker’), not from the Data Protection Act. PECR does not contain any discussion of harm, benefit of legitimate interest – its rules are simple and relatively easy to explain.

Direct marketing cold-calling by phone is legal – unless the person is on the Telephone Preference Service or has told the organisation not to call. Therefore, to make a marketing call, the organisation (in PECR terms, the ‘person’) must screen the numbers they are using against the TPS lists (which they must rent or buy from the TPS itself or a marketing company who has done so). Direct marketing emails and texts are opt-in – you cannot text or email someone without their permission, and the same is true of automated marketing phone calls.  There are some wrinkles – business and personal emails are treated differently – but for direct marketing, that’s about it.

As described in the BBC story, the PCT’s call was a marketing call. They were not calling the person to tell him results, to arrange an appointment for treatment that had already been consented to, to discuss something that was already happening. The PCT’s aims include the hitting of a target for screening of a specific group, and without previous consent, the only possible interpretation of the call is that recruiting people to join the screening is a form of direct marketing. Having worked – briefly and without particular distinction – in the NHS and having had this argument several times, I know that few health staff would agree with me. Indeed, when looking at this issue many in the public sector have the same problem – if a message is clearly of benefit to the recipient, how can we not be allowed to do it?

Although some in the private sector find ways around PECR or ignore it altogether, I have never spoken to a private sector person who didn’t see how the regulations applied to what they do. Public sector, voluntary and charity organisations are obsessed with the value or justification of their message. Labour, the Lib-Dems, the Conservatives and the Scottish Nationalists have all received enforcement notices under PECR for their use of automated marketing calls – the Scottish Nationalists perhaps personified the wider misunderstanding of how PECR works but claiming that being prevented from using automated calls of Sir Sean Connery was a breach of their human rights. It’s not. I have a right not be bothered by what you think I should be interested in, whoever you are. And PECR gives me that.

PECR is a single-minded law in this respect, caring only about the content of the message. If your call, your email, your text is designed to sell, promote, persuade or influence – it’s direct marketing. If you want to change behaviour, get people to make better choices, or even tell them something that will change or save their lives, PECR doesn’t care. Even if you don’t know who the recipient is, that’s irrelevant – this isn’t Data Protection.

Of course, the BBC coverage doesn’t mention PECR and screening against the TPS, which implies that some people in the ICO don’t know what their own position on PECR and direct marketing is, but that’s not a surprise. The point is, the next time someone has a smart idea for a communication campaign, whether it’s health promotion, news of how you’re dealing with anti-social behaviour, or the benefits of recycling, just remember to think about PECR.

Which is a bit funnier if you say it out loud.