The Bad Samaritan

The Samaritans have launched a new tool for the persecution of the vulnerable… Sorry, a nannyish attempt to spy on your friends… No, I mean, they’re trying to use technology to do what real friends would be doing anyway… I’ll try this again. There’s this app they have. You’ve probably heard of it; it runs in the background monitoring tweets of those you follow on Twitter, and analyses them to look for indications that a person may be in need of support. The Samaritans are convinced it’s marvellous and has no Data Protection or privacy implications.

The Data Protection Act 1998 applies to the processing of any personal data, anywhere by any person. Certain areas are carved out – the use of personal data for national security purposes is inevitably and depressingly exempt, as is the use of data for purely personal, domestic reasons, and to an extent, the use of data for journalism. Beyond that, although the Data Protection principles are flexible, they apply to all uses of personal data.

At no point in the text of the Data Protection Act does it say that personal data that is public or published is exempt from the Act’s provisions. There is no section that says that, and no section that can be interpreted as meaning that. Moreover, I can use the same quote from the Information Commissioner’s Code of Practice on Online data that I used in my last blog about monitoring of blogs:

“If you collect information from the internet and use it in a way that’s unfair or breaches the other data protection principles, you could still be subject to enforcement action under the DPA even though the information was obtained from a publicly available source.”

And “You should only use their information in a way they are likely to expect and to be comfortable with.”

As the Samaritans have claimed that their app is entirely legal and has no Data Protection implications, I am certain that they will have no problem answering the following questions:

Principle 1:

  • No consent is being obtained; which data protection conditions allow the Samaritans to monitor and – crucially – to analyse and interpret the state of mind of Twitter users without consent?
  • How are data subjects to be informed that their tweets are being monitored and – crucially – analysed with a notification to any third party who chooses to register?
  • The first principle requires the processing of data to be ‘fair’: what steps have the Samaritans taken to ensure that those registering to receive notifications via the app have no malicious intentions towards the subject and will not use the notification for malicious purposes?

Principle 2:

  • What assessment has been carried out to ensure that the processing (i.e. attempting to identify the subject’s state of mind in order to notify secretly a third party of that) is compatible with the subject’s original purpose in publication? How is that original purpose identified?

Principle 3:

  • How have the Samaritans established that their gathering of data and analysis of Twitter users’ state of mind is relevant and not excessive?

Principle 4:

  • Principle 4 states that personal data ‘shall’ be accurate for the purpose – there is no qualification to this. How have the Samaritans ensured that the analysis of a Twitter user’s state of mind is accurate when alerting a third party to it?

Principle 6:

  • What provisions have the Samaritans in place to provide the following:
      • Subject Access: data subjects are entitled to know what data is held about them, and who has received it. Will data subjects be told who has received alerts about them if they ask? If not, which exemption applies?
      • Section 10 Right to object to damaging / distressing processing: data subjects have a right to object to damaging processing – will such requests be honoured? If not, why not?
      • Section 12: Data subjects have a right to request that any automated processing will be carried out by a human being. Will Section 12 requests be honoured and if not, why not? How many members of Samaritans staff are available to carry out the analysis?

Principle 7:

  • What technological and organisational security measures are in place to protect the analysis of Twitter users’ state of mind (potentially sensitive personal health data as defined by the Act)?

Principle 8:

  • How have the Samaritans ensured that the sharing of personal data about Twitter users’ state of mind is restricted to the European Economic Area? If it has not, how is the sharing of information about Twitter users’ state of mind outside the EEA justified under Principle 8?

For the record, I think the 30 day retention period of data (principle 5) may be OK.

Angry birds

With two blogs already published on the question of Tweeted FOIs, there is every reason not to add to the noise. Alistair (@alistair_sloan) Sloan, from a legal perspective, has argued persuasively that a Tweeted FOI request has enough of the characteristics of a FOI request to often be valid. Bilal (@FOIkid) Ghafoor, from a more instinctive position, argues strongly that a Tweeted FOI is a ‘waste of everyone’s time’. Even the most pro-FOI advocates are very much against the idea of using Twitter for FOI, with no less than Paul (@FOIMan) Gibbons commenting that applicants ought to be “discouraged” from using Twitter. All in all, the consensus seems to be in. Go back to your quill pens and vellum, citizens, we will have none of your modern technology here.

I am the last person to claim that because the Information Commissioner’s Office have issued guidance that Tweeted FOIs are valid, public authorities should acquiesce. Some of their guidance is muddy and vague, some of it is just plain wrong (the recent rewrite of their position on Data Processors is as worthless as anything issued by Wilmslow in this decade). Any public authority that wants to blow a loud raspberry at the ICO has nothing but my encouragement – the appropriate reaction to much of what they say and do is often scepticism, if not sarcasm. Moreover, when I first heard about the ICO line on Twitter, I thought it was stupid. I tweeted them an FOI request to show them how daft it was, and they had the bad taste to answer it quickly and clearly.

But since then, I’ve changed my mind.

Years ago, the local authority planning system was a closed system. If a new development was in prospect, typewritten signs would be fixed to lampposts or telegraph poles informing locals. The planning documents were only available for inspection. Those with time on their hands would turn up to Council meetings and sit mutely while Councillors made their decisions. I’m not arguing that the planning system necessarily works any better now, but at least the documents are likely to be published on the internet. Members of the public use their smartphones to film meetings, even if the councillors don’t want them to. It’s a lot easier to know what’s going on, and to get involved. The system has been shaken up. This is what technology does. I hate to use a buzzword, but in both the new jargon and the old-fashioned dictionary senses of the word, technology has a great capacity to be disruptive.

In 2000, Parliament decided that you don’t have to cite ‘FOI’ to make a valid request. FOI isn’t specialist; it’s for everyone, not just journalists and angry middle-aged men with time on their hands. All you need is a coherent request for information, expressed in a written format. It’s true that Tweeted FOI requests don’t work like email – the request sits on a Twitter App or the internet, rather than a copy of the request being delivered to the public authority’s mail server. But who cares? The tweeted FOI request is “capable of being used for subsequent reference” because it has appeared in an electronic channel that you have opened up, and you can (almost certainly will) copy it onto your FOI system and get going.

I know quite a few people who don’t use email except at work – their personal interaction is via Twitter and Facebook. Fax is dead. I don’t know anyone who routinely sends letters except myself. I still enjoy the shock and awe that most people under 30 exhibit when I use a fountain pen in a meeting, especially when they realise that this is an artefact I bought new, rather than having scavenged it from a time capsule. If you deny people the opportunity to use the tools that they already have, and force them to use the channels you think are appropriate, proper, or serious, you’re condemning the legislation to a well-meaning, specialised ghetto.

FOI should not be open only to the cognoscenti. The applicant should not have to track down the FOI email address, find the (often buried) FOI page on the spin-strewn website. You’re there on Twitter, I can find you easily using a tool that is on my phone. Why shouldn’t I be able to use that for FOI if I can formulate a 140 character FOI request?

Would an epidemic of tweeted FOI requests be easy to deal with? No. Will it increase costs for public authorities? Perhaps. But if you want to use the inconvenient and expensive argument, then you might as well abolish the legislation altogether, because the same case could be made for FOI as a whole.

I know that many supporters of FOI believe in all that ‘sunshine is the best disinfectant’ stuff, but the jury is way, way out on that. I honestly don’t know whether I believe that FOI will ultimately improve the public sector. Much of it is fine already, and a bit of it is probably irredeemable. I believe in FOI because I think the public should have access to information, because information is power and a few votes over the electoral cycle aren’t enough. You shouldn’t be able to use FOI to browbeat and punish public servants you don’t like, but beyond that, if FOI requests are annoying and uncomfortable, they’re probably doing their job. Last year, public authorities were given the gift of Dransfield, allowing them to refuse a wide variety of FOI requests on vexatious grounds, even those that are plainly in the public interest (like Laura McInerney’s recent interrogations of the DfE). Swings, meet roundabouts.

There are many awful consequences that spin off from FOI’s existence, and I don’t doubt that tweeted FOI requests annoy FOI Officers and public sector staff more widely. And before you say it, it’s true that I write this knowing that I don’t work in the public sector, and I don’t have to deal with FOI requests at all. I just make them. Nevertheless, nobody made public bodies open their Twitter accounts. Nobody forced you to open these doors. Twitter is not just a loudhailer.

Replace ‘I’ with ‘A’ and it’s funnier

A lot of people who I know – regardless of politics – admit having a soft spot for Boris Johnson. When playing the left-leaning parlour game of “Name A Senior Tory You Wouldn’t Slap”, Boris seems to win out quite a lot (I’m virtually the only person I know who likes Eric Pickles). I’m a member of the Mercutio* party anyway, but Johnson never gets my vote. I don’t know if it’s the self-conscious hair, his exceptionally grating silly ass persona, or simply the fact that despite being a calculating and ideological politician, he has convinced so many that he is some sort of cuddly figure of fun – whatever it is, I can’t stand him.

However, I enter the ‘Twittersnatch’ debate not merely to have a pop at the current Mayor of London. After all, one of the problems with the current mayoral battle is that, for my money, it resurrects the gag from the 1960 US Presidential election (‘be thankful only one of them can win’). In my view, the appropriation of the Mayor’s following and the ‘so what’ reaction of Johnson’s people demonstrate that politicians still don’t understand social media or data protection.

The story goes like this: Boris Johnson’s Twitter account was @MayorOfLondon. In order to campaign for re-election, he changed his Twitter name to @BorisJohnson, taking all of his followers with him: http://www.bbc.co.uk/news/uk-politics-17450985. Following a flurry of criticism, a new account was born (@BackBoris2012), and only those who followed that new account will receive the campaigning tweets. If at this point, you’ve lost interest, I don’t blame you. This is not a titanic struggle of ideals, but a playground squabble.

However, what is the Data Protection angle in this spat? Guido Fawkes pointed out (somewhere that I can’t bloody find and will correct when I do!) that Johnson apparently brought many of his followers with him when the @MayorofLondon account was created, so surely, they should have expected whatever promotional guff spews from the excited fingers of whichever Damian or Jemima is operating the account on any given day?

I’m starting from the presumption that a twitter name is personal data. It’s unique, it applies (mostly) to a living individual and in most cases, the living individual can readily be identified from the profile page. Many of the @MayorOfLondon followers will be clearly identified as real people merely by knowing their twitter name. I’m told that the @MayorOfLondon account was used as a GLA tool to promote the ceremonial or London-plugging elements of Johnson’s role, so anyone who followed it would have a reasonable expectation that their data (the twitter name) would be processed solely for that purpose. Even if this was a promotional purpose, it is obviously different from the aim of getting Johnson re-elected. The Data Controller of that twitter account – if used to promote the Mayoralty and not Johnson the Conservative politician – was the Greater London Authority. The Data Controller of the Boris Johnson account – if used to get him re-elected – would either be Johnson, the Tory Party or some campaigning hybrid of the two.

Twitter, like most social networks, is a strange world that doesn’t easily fit into the neat definitions of Data Controller or Data Processor – Twitter can’t be the latter because it just sold two years of tweets to Datasift, a company with a name so explicitly Orwellian I have to assume it’s an elaborate corporate joke. Nevertheless, within the overall portal / umbrella, a corporate outfit / campaigning politician asking for personal data in order to send out messages is a data controller to the extent that they decide what happens to their following. They should not act in a high-handed manner, and cannot ignore UK law. Followers cannot fairly be shunted over into a channel devoted to a political purpose without some explicit opt-out (at best). The first Data Protection principle demands that the use of personal data is fair, and it isn’t fair to completely change the purposes for which you process a Twitter follower’s name.

For that reason, I think it’s at least arguable that the data of any identifiable Twitter user was used unfairly, assuming they were individuals as opposed to corporate users like @angrybirds or imaginary ones like @pobgovebot, and especially if they signed up during the @MayorOfLondon phase, rather than being moved over from a previous Johnson account. I can’t imagine that the Information Commissioner’s Office will weigh in heavily now, nor is there much point in them suddenly finding their ass-kicking gear. But if this is the last idiotic wheeze that comes out of either side of the Livingstone / Johnson smackdown, I will be very surprised.

The problem is, in my experience, people involved in politics tend not to know much about data protection, and even less about direct marketing. It’s worth noting that Labour, the Liberal Democrats, the Conservatives and the Scottish Nationalists all have enforcement notices against them from the Information Commissioner’s Office under the Privacy and Electronic Communications Regulations, forcing them not to make automated telephone calls unless they have explicit consent: see here. A breach of any of these notices would result in prosecution. This despite the fact that everyone I have ever met hates automated calls, even if they feature the voice of Liz Dawn or Sir Sean Connery. Rather than (in Helen Lewis’ apposite tweeted phrase) clutching their pearls in shock, the people responsible for the Twittersnatch should have admitted that it was a clumsy and unreasonable thing to do. And it’s only because they backed down that they didn’t get deeper into the DPA mire.

* Read ‘Romeo and Juliet’ if you didn’t get that reference, or better yet, find a production of the play and see it. This will be the most constructive thing you’ll ever do as a result of reading this blog.