Brand new key

Parents at schools in Suffolk recently received an interesting piece of correspondence about an exciting initiative called ‘Suffolk SAFEKey‘, offered by Suffolk Police. For as little as £1 a month, subscribers to the service receive a special key fob with a reference number on it. Once registered, if the keys are lost, the person can use the reference number to contact Suffolk Police’s commercial partner (Keycare Limited) to get keys and owner reunited, incentivised by a £10 reward.

Alerted to this by a concerned citizen, I made an FOI request to Suffolk Police to find out more about the scheme, the arrangement with Keycare Limited, and how the email came to be sent. Suffolk Police told me that they contacted all 18 secondary schools in the county (by phone, so I don’t know how the request was couched), and of those, 8 forwarded the invitation to join SAFEKey to all parents. The force were unhelpfully vague about who else had been approached. I asked who they had contacted, and their answer conflated those they approached and those they claim had approached them. This means I know that those involved are charities (Suffolk Community Foundation / Age UK), “advocacy groups” (whatever that means), Neighbourhood Watch, the University of Suffolk and “lunch clubs and other such groups”, but I don’t know who contacted who.

On one issue, Suffolk Police were admirably clear. I asked them how they had obtained consent to send the email. This was their reply:

The parentmail service is not controlled by the Constabulary and the information provided is not personal data and as such, there is no requirement for us to obtain consent from those third party recipients.

Regulation 22 of the Privacy and Electronic Communications Regulations 2003 (AKA PECR)  applies to emails and texts, and it is remarkably unambiguous, despite all the dodgy marketers and list brokers who purport not to understand it.

a person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender

Suffolk Police instigated the sending of the email to parents by making an unsolicited approach to schools, asking them to send it. The email would not have been sent unless they had asked for it to be sent. Regulation 22 does not require them to be the sender. Should there be any doubt about this, the ICO asked Better Together to sign an undertaking following their misbegotten texts during the Scottish Independence campaign. Better Together used an agency – they never held the data and they didn’t send the texts. This is exactly the same situation. There are only two ways that marketing emails could be sent in this way: either parents would have to give consent direct to Suffolk Police, or give consent to the school to receive marketing from the force. This second possibility is one the ICO is keen to play down, as their Direct Marketing Guidance makes clear:

Indirect consent may therefore be valid if that organisation was specifically named. But if the consent was more general (eg marketing ‘from selected third parties’) this will not demonstrate valid consent to marketing calls, texts or emails.

Of course, as the senders of the emails, the schools have also breached PECR. And taking it one stage further, you could argue that Suffolk Police have also breached the Data Protection Act by processing personal data unfairly and unlawfully. If they don’t have a data processor contract with the schools, they may even have breached the seventh principle.

Many public bodies and charities struggle with PECR because they perceive ‘marketing’ as a purely commercial activity. This means that they think the messages they send are somehow not marketing, and are surprised when PECR bites. Suffolk Police can be under no such illusion. SAFEKey is not a policing activity, it is a wholly commercial venture, with the income split 50/50 between the force and Keycare Ltd. Moreover, there is an argument that the force is exploiting its position as a law enforcement body to promote its commercial activities – it’s unlikely that secondary schools would forward information about double glazing or PPI. The force might want this to seem like an aspect of their crime prevention work, but it isn’t – it’s a purely commercial venture. No public body, but especially not the police, should exploit their position as partners with other, smaller public bodies to plug their commercial activities.

There are other concerns. The force didn’t carry out a Privacy Impact Assessment before launching the SAFEKey scheme, which is surprising, as the project involves the force gathering personal data it does not need to carry out its legal functions, purely for the purpose of a commercial venture, using a variety of unrelated bodies as a conduit for the data and transmitting it to a commercial partner. At the very least, you would expect them to consider the risks. Moreover, although the extract I received from the contract between Keycare and Suffolk Police does make it clear that Keycare cannot use or share the personal data they receive for their own purposes, the security demands made by the police are relentlessly generic.

I don’t think the police should exploit the significant position of trust they enjoy to flog commercial services at all. But even if you disagree, there can be no question than when they do, the police should at all times obey the law. They haven’t done so here, and the ICO should investigate. As I did not receive one of the emails, they would ignore any complaint that I made, but they should intervene to make clear to all public bodies how PECR works.

 

Wanted

Many of today’s newspapers report (once again) that police forces are refusing to name wanted suspects because of Data Protection and Human Rights. It’s tempting to assume that by now, everyone knows that the Data Protection Act does not prevent the disclosure of wanted suspects’ names and photos, so when another newspaper makes an FOI request for the most wanted, the inevitably craven and risk-averse responses don’t really need to be debunked. Surely we all know that the cops either don’t want to get into nuanced conversations about the operational reasons not to name the suspects, they are too cowardly to use Data Protection to justify disclosure, or they just plain don’t understand the process? Is it really worth pointing out why the decision is so knuckle-headed?

Admittedly, without seeing all of the responses, I can’t be certain how bad they really are – all we have are selected quotes. I must also acknowledge that my judgement is clouded by having recently made FOI requests to a number of police forces, an experience that makes me assume that everything these forces have done is wrong. Nevertheless, it doesn’t look good – Humberside Police apparently told the Daily Mail that it wasn’t in the public interest to disclose sensitive personal data, despite the DP exemption in FOI not having a public interest test. Meanwhile, Leicestershire Police claimed a suspected murderer and rapist, could not be named because it went against the ‘principles of fairness’, while Staffordshire said its response was “processed in line with individuals’ rights”, which means either that Staffordshire have received a valid Section 10 notice from each of the suspects in question, or they don’t know what they are talking about. 18 other forces are cited by the Mail as having claimed that Data Protection prevents disclosure.

The only force who appear to have a leg to stand on are Nottinghamshire, who used Section 30(1) of FOI. S30 applies to investigations, so presumably Nottinghamshire are arguing that if they haven’t already named the suspects, it isn’t in the public interest to release them in response to an FOI. I can’t say for certain if this decision is correct, but the use of S30 suggests that Nottinghamshire’s decision is based on operational reasons related to their ongoing investigation. On that basis alone, they deserve the benefit of the doubt in a way that any force using S40 does not.

Rather than spend another 500 words calling police FOI and DP decision makers an assortment of rude names (which was my original plan for this blog), permit me to explain exactly why the use of Data Protection is always nonsense in these situations.

HOW DOES SECTION 40 WORK?

Section 40 of FOI defers entirely to the Data Protection Act when the request is for personal data about someone else. Essentially, if a disclosure of personal data would breach any of the Data Protection principles, if it would breach a valid Section 10 notice issued by the data subject, or if it would be exempt from subject access (i.e. the subject would not receive it themselves if they asked for it). In practice, the Information Commissioner considers that if the disclosure will not breach the first Data Protection principle, S40 is not a barrier. The forces must be arguing that disclosure of the wanted suspect’s data breaches the first principle.

HOW DOES THE FIRST PRINCIPLE WORK?

The first principle says that the processing of data – here, the disclosure – must be FAIR, LAWFUL, and ACCORDING TO A SET OF CONDITIONS.

FAIR

Fair means what it says in the dictionary, and it also means that the data subject must be informed of how their data will be used. The ICO is fond of the notion of ‘reasonable expectations’ – you don’t need to tell people how their data will be used if it’s obvious. This would plainly apply in these circumstances; a suspect cannot expect that their data will be suppressed while they are being hunted. In any case, S29 of Data Protection removes the requirement to use data fairly in any situation where doing so would prejudice the apprehension or prosecution of offenders. Therefore, if disclosure of the suspects’ identities would assist in their capture, fairness is no barrier.If disclosure will prejudice attempts to recover them, the FOI S30 exemption used by Nottinghamshire is the right exemption. The problem that would motivate the police is the effect on their investigation rather than the personal data issue.

LAWFUL

Lawful means that police forces cannot breach *other* laws by the processing of personal data. This could be why Human Rights were cited by some of the forces. If disclosure of the personal data would breach a suspect’s Article 8 rights to privacy, the disclosure would be unlawful, and so DP would be a barrier. But this is nonsense. The right to privacy is not an absolute right, and can be interfered with in a variety of circumstances, including where it is necessary in the interests of national security, public safety, for the prevention of disorder or crime. You can, if you like, argue that naming the suspects interferes with their privacy (I don’t think it does) but even if it does, if publication of the names will assist in their capture, the interference would clearly be necessary to protect public safety or prevent crime. It’s lawful, unless the police argue that disclosure will impair their investigation. If they thought that, they would use Section 30 of FOI.

CONDITIONS

The data in question is sensitive personal data, as it relates to the alleged commission of crime. This means that each force has to meet two conditions in order to disclose: once from Schedule 2  and one from Schedule 3.

Schedule 2 is easy – we can pick from 5 (the processing is necessary for the administration of justice or the processing is necessary for the exercise of public functions in the public interest) or 6 (the processing is necessary for legitimate interests that do not cause unwarranted prejudice to the rights and freedoms or interests of the subject). The first two might be preferable to the balancing exercise required by the third, but if you really think that disclosing the name of a wanted man causes unwarranted prejudice to their rights, you are a moron.

Schedule 3(7)(1)(a) gives us administration of justice again while 3(7)(1)(b) gives us exercise of functions conferred on any person. The DPA was amended in 2000, which also allows any disclosure of sensitive data necessary to prevent or detect an unlawful act.

The only problem here would be if the force believed that disclosure would prejudice their ability to catch the wanted suspects. For the third time, if this is the case, Data Protection is not what they are worried about. They may have good operational reasons not to want to disclose, but they are choosing instead to hide behind Data Protection, which has the dual problem of making them look like politically correct idiots, and damaging the reputation of Data Protection which, as I have demonstrated, can easily be used to justify the disclosure. It took me 30 minutes to write this, and I would happily use it as a justification to disclose personal data; the only reason not to would be an operational reason, and FOI provides much better exemptions to protect the integrity and effectiveness of police investigations.

The only possible explanation I can think of for why the police cling to this idea that DP is a barrier to disclosure is that someone is feeding them terrible advice and guidance about how DP really works, and nobody is willing to stick their necks out and question it. This paints a terrible picture of the information rights culture in policing, and someone needs lay down the law as a matter of urgency.

 

Eye in the sky

There’s nothing that says ‘Silly Season’ more than a Twitterstorm about a photograph of the top of a comedian’s head. After the National Police Air Service (NPAS) tweeted an image of the comedian Michael McIntyre, inviting their followers to guess who it was (it was Michael McIntyre), a variety of human rights lawyers, legal commentators, data protection experts and morons weighed in to give their view. In itself, the incident was not significant and seemingly no harm was done to Mr McIntyre. However, there are serious questions to be answered here. While I could forgive the Information Commissioner for brushing it off as a lot of fuss about nothing, they shouldn’t.

Firstly, it is a Data Protection breach to tweet a photograph of an individual in such circumstances. If you are new to this blog (Hi, how are you, that’s a lovely item of clothing you have on), then you might not understand my impatience with the argument that McIntyre was in public and therefore DP does not apply, McIntyre has no expectations of privacy, blah, blah, stupid blah. I’ve dealt with it many times before. Data Protection applies whenever personal data is gathered: filming someone in the street is less intrusive and therefore less likely to breach the DPA fairness and excessive provisions than filming someone in the shower, but the law still applies.Data Protection always requires the person gathering the data to meet a data protection condition. Nothing in the Act removes this requirement if the data is gathered from a public place, which is why the Information Commissioner has published detailed codes of practice on public space CCTV since the current DPA’s inception, and has had to revise it significantly twice because of CCTV’s complexity. If you don’t agree, tell me in the comments which section of the Act says that I am wrong.

While I am writing this, Radio 4’s Today programme is covering the story, and John Humphrys has just asked the crucial question: “what on earth does this have to do with policing?“. That’s what makes it a breach, because the answer is ‘nothing’. Policing organisations have wider scope to process personal data than other bodies, but only for national security and crime prevention & detection. Celeb-spotting comes under neither heading. NPAS would need to demonstrate that tweeting a picture of McIntyre was fair, lawful, and was necessary for a legitimate interest causing no unwarranted harm to McIntyre’s interests (the only data protection condition for processing that would apply here. They would have to show that the use of personal data outside the original policing purpose (which is what they’re up there for) was not incompatible. They would need to demonstrate that the use of McIntyre’s image was relevant to the policing purpose and not excessive. If you’re wondering, what I’m doing here is simply running through the Data Protection principles, and I’ve got multiple breaches just from the first three.

Even this innocuous image could have caused harm. The woman standing next to McIntyre in the picture is his publicist and they were leaving Global Radio’s studios after an interview. But what if NPAS inadvertently tweeted a picture of a celebrity and the person they were having an affair with? In 1995, CCTV operators in Brentwood Council once saw a man walking down the street carrying a knife and contacted the police. After the incident was resolved, Brentwood proudly shared images of the man to show how their CCTV system had tackled a dangerous individual, and his identity was subsequently revealed in the media. Except that Mr Peck wasn’t a danger to anyone but himself, and the Council obliged Mr Peck to reveal the details of his suicide attempt to family and friends who may not otherwise have known, as well as effectively libelling him. After eight years, Mr Peck rightly won a privacy case at the European Court of Human Rights. Bodies with the power to watch and record us should not casually toss images of us around without a proper justification.

I have wider concerns. If NPAS are merrily spotting celebrities and tweeting the results to thousands of people, what else are they doing? What do they do if they spot someone that they know? Will we get down-top shots of young women? Fat-shaming tweets if they see someone who is massively obese? The ICO’s CCTV Code of Practice places a strong emphasis on the requirement for CCTV operators to receive detailed training, but this casually intrusive incident doesn’t suggest that it’s working. In fact, I suspect that this incident is the tip of an iceberg that goes very deep. We’ve already seen police CCTV operators jailed for voyeurism; if the police don’t treat their surveillance with single-minded professionalism, that’s where this will end up. The tweet has been deleted, but if someone somewhere isn’t investigating what else has gone wrong, they should be.

The question of who should be doing that is a good one. NPAS describes itself as “a truly national (England and Wales) policing service“. It is hosted by West Yorkshire Police, but provides air support to all police forces in England and Wales. When scouring the skies of London for stand-up comedians, it is clearly providing a service to the Metropolitan Police. There are therefore a range of possibilities as to who is responsible, in Data Protection parlance, who is the Data Controller? Is NPAS a data processor for each force, in which case Met Police should answer for what happened here (and more importantly for the other more serious breaches of DP that I suspect have occurred). Is NPAS a data controller jointly with the Met Police, so they are both responsible? This is my guess, but my esteemed colleague Jon Baines has already noted that NPAS hasn’t completed a Data Protection notification, which if they are a Data Controller would be a criminal offence. If NPAS is a processor for the forces, each one of them would need to subject NPAS to a legally binding contract meeting all of the requirements of the 7th Data Protection principle. It’s a mess, but not one that the forces and Information Commissioner should be allowed to ignore.

I have already met a few people on Twitter whose knee-jerk understanding of Data Protection convinces them that this is nonsense. It’s not a breach, it’s not even personal data. It’s all in the public domain, and there’s nothing to see here but Michael McIntyre’s head. If those people are happy with this, they’re saying that the next time they furtively pick their nose, adjust their balls or their boobs while nobody is looking, or just walk down the street minding their own business, the police can record it and broadcast it to the world, and that’s just fine. I don’t think they should be allowed to make that decision for everyone else.

Call the Cops

In June 2013, the Swansea-based company CPR Global proudly announced that their nuisance-call-busting Call Blocker had received a significant accolade – the device was now endorsed by the Association of Chief Police Officers. Having been vetted by their approved agent, the Call Blocker now carries ACPO’s ‘Secured By Design’ logo. It is police approved. Every police force in the UK effectively recommends that the public purchase this fine item to protect themselves from the hydra-headed menace of cold calls, foreign scammers and stalkers.

CPR Global offer several products. One is the Call Prevention Register. The Register’s proposal is that instead of exercising your legal rights by signing up to the free, statutory Telephone Preference Service, you pay CPR so that they can give your number to a variety of unnamed foreign companies with a request – backed by no law, enforcement powers, no international legal agreements or sanctions – that they do not call you again. One can imagine the stupefied reaction of a international phone spammer after receiving a demand for no more calls from CPR Global’s high-tech offices on a side street behind Eddie Rockets in Swansea. One of the “advantages” offered by CPR over the TPS is that the TPS do not offer guarantees to stop all calls (how could they?), whereas CPR Global ‘aim’ to prevent 100% of all unwanted calls. This is a bit like me saying that I am better than my competitors because it is my ‘aim’ to look like the actor Christian Bale. I don’t achieve it, but hey, that my aim. Even on their own website, CPR Global admit that if their efforts are unsuccessful, their only recourse is a complaint on your behalf to the Information Commissioner. If you are registered with CPR Global, but not the TPS, it’s possible that an unsolicited call would be legal and the ICO would be able to do nothing.

CPR Global’s other product is the ‘Call Blocker’. It stores and blocks all dodgy numbers known to the CPR, all 200 of them. That’s right, the Call Blocker will stop “nuisance calls, harassment calls, stalkers, cold calls, silent calls, overseas call centres, spam faxes & recorded messages“, but CPR Global only seem to know 200 phone numbers (otherwise, why not programme it with more?) and the device can store a maximum of 1200, as if the entire international nuisance / spam / silent / stalker calling community is an inherently finite entity.  The Call Blocker does have useful options – the ability to immediately block the person calling, and an option to block all callers who withhold their number. However, these features are not unique. BT allows you to block withheld numbers, and the range of trueCall products do similar things with considerably less hype, plus evidence to back them up. For example, they carried out a recent study with a local trading standards body. CPR publish no evidence on their website of how effective their product is – no statistics, no research. Instead, they have assertions, endorsements and bad grammar.

If you think this little black box is the answer to international phone spammers, silent calls and stalkers, get out your credit card. That’s not the point. The point is why ACPO are giving this stuff their official seal of approval. 

As a matter of principle, I don’t think that ACPO should be recommending any products, whether it’s anti-climb paint or security fences. The organisation is exploiting a crime-fighting monopoly, as no other organisation can offer a comparable crime prevention hallmark. Anyone unwilling to pay the fee ACPO charges for approval is automatically at a disadvantage, even if their product is a good one, even if it is a better one than those who seek ACPO approval.

Last year, I made an FOI request to ACPO to ask them about their approval of the Call Blocker – I asked what evidence had been obtained from CPR Global, whether any kind of technical assessment of the Call Blocker had been carried out, whether ACPO consulted OFCOM or the ICO (the bodies with statutory responsibility for nuisance / unsolicited marketing calls in the UK), and how much CPR Global had paid for ACPO’s approval. They delayed their response in order to consider Section 43 (the exemption that prevents disclosures causing commercial prejudice). In a bid to demonstrate their transparency, ACPO told me this in a password-protected PDF which prevented me from copying and pasting from it. When they finally responded (over a month late), they claimed that much of my request was “wide-ranging and does not appear to identify the precise recorded information that you are seeking“. However, they did seek to address several of the issues I had raised informally, indulging in that most successful of FOI techniques – answering a different question than the one the punter asked. The only thing I asked ACPO that they were willing to tell me straight is that CPR paid them £650 + VAT for the approval.

I asked for an internal review, which ACPO took more than 2 months to complete, and they only responded when I chased them. The internal review admitted that I had requested recorded information. They claimed that their confusion about me asking straight questions should have been resolved by asking for clarification (which would have been “do you really just want to know this?”). The sudden disappearance of commercially sensitive considerations was accounted for by the fact that information that they had considered to be in the scope of my request turned out not to be. Five months after my initial request, ACPO finally admitted that they hadn’t consulted any of the relevant bodies who work on nuisance, silent or marketing calls.

OFCOM have statutory responsibility for much of the law on phone calls; they have contracted out operation of the TPS to a specially created offshoot of the Direct Marketing Association. The Information Commissioner is responsible for enforcing PECR, the law which governs other mischief that the Call Blocker is designed to prevent. Consulting people who know what they’re doing in this area would be good practice; consulting people who enforce the law in this area would be – to say the least – good manners. ACPO did not talk to any of them before approving the Call Blocker.

Beyond confirming the lack of contact, ACPO did not refer to OFCOM or the TPS in either response, but both responses mentioned the ICO. Despite not answering most of my questions, ACPO’s first response nevertheless commented that they were not obliged to contact the ICO, though I had asked them whether they had, not whether they had to. In the internal review, they stated that consultation had “not been considered necessary“, implying (I suspect erroneously) that they had considered consulting the ICO and then changed their minds. It is impossible to imagine any organisation with law enforcement powers straying onto police territory without consulting ACPO, the local force or both. I expect that ACPO would protest loudly if anyone did. For them to be so disrespectful to their fellow enforcers is very regrettable, but to approve a commercial product without understanding the regulatory context it works in is irresponsible.

I can’t predict what the ICO or OFCOM would have said if consulted. They may have chosen not to get involved. We’ll never know. But to find out what TPS think of the company, all you have do is look at their website, where CPR Global is listed as making ‘exaggerated claims’. In my request, I pointed the TPS’ opinion out but in their first, dismissive response, ACPO demonstrated their detective skills by telling me that the reference isn’t there, despite the fact that it is one click from the TPS front page.

ACPO’s tests to see if the company is a suitable one to receive police endorsement extended only to seeing if it actually exists (by checking with Companies House) and solvent (by doing a credit reference check). 2040 training has a company registration and can be found by Experian, but that does not mean anything. The integrity of CPR and its owners isn’t in question. This goes for anyone seeking ACPO’s approval. To receive a police endorsement, a company should be beyond reproach and ACPO won’t find that out by simply checking the company registration. A firm of burglars could set up a security company and this wouldn’t show up at Companies House.

Beyond that, ACPO received a ‘demonstration’ of the product and some CPR commercial bumpf. Based on what they told me, ACPO did not examine how the product worked, or receive any factual information about how it works. They did receive some Chinese electrical compliance certificates, so ACPO can at least assure citizens that the item will not explode.

This will not do. ACPO is not just a private company, or a standards body minding its own business. It is a publicly funded lobby group representing an elite who are already amongst the most powerful people in the country. If they are going to give commercial products a seal of approval that derives its value from ACPO’s role as public servants, as police, they should do an aggressively rigourous, transparent job, with proper information from organisations who actually know what they are talking about. I don’t think they should do this sort of thing at all, but the approach they’re taking at the moment is a scandal.