The wheels of the Ministry of Justice

do they turn so slowly that they’ll lead to the Lord Chancellor committing a criminal offence?

On 21 December last year, as we were all sweeping up the mince pie crumbs, removing our party hats and switching off the office lights for another year, the Information Commissioner’s Office (ICO) published, with no accompanying publicity whatsoever, an enforcement notice served on the Secretary of State for Justice. The notice drew attention to the fact that in July 2017 the Ministry of Justice (MoJ) had had a backlog of 919 subject access requests from individuals, some of which dated back to 2012. And by November 2017 that had barely improved – to 793 cases dating back to 2014.

I intended to blog about this at the time, but it’s taken me around nine months to retrieve my chin from the floor, such was the force with which it dropped.

Because we should remember that the exercise of the right of subject access is a fundamental aspect of the fundamental right to protection of personal data. Requesting access to one’s data enables one to be aware of, and verify the lawfulness of, the processing. Don’t take my word for it – look at recital 41 of the then-applicable European data protection directive, and recital 63 of the now-applicable General Data Protection Regulation (GDPR).

And bear in mind that the nature of the MoJ’s work means it often receives subject access requests from prisoners, or others who are going through or have been through the criminal justice system. I imagine that a good many of these horrendously delayed requests were from people with a genuinely-held concern, or grievance, and not just from irritants like me who are interested in data controllers’ compliance.

The notice required MoJ to comply with all the outstanding requests by 31 October 2018. Now, you might raise an eyebrow at the fact that this gave the MoJ an extra eight months to respond to requests which were already incredibly late and which should have been responded to within forty days, but what’s an extra 284 days when things have slipped a little? (*Pseuds’ corner alert* It reminds me of Larkin’s line in The Whitsun Weddings about being so late that he feels: “all sense of being in a hurry gone”).

Maybe one reason the ICO gave MoJ so long to sort things out is that enforcement notices are serious things – a failure to comply is, after all, a criminal offence punishable on indictment by an unlimited fine. So one notes with interest a recent response to a freedom of information request for the regular updates which the notice also required MoJ to provide.

This reveals that by July this year MoJ had whittled down those 793 delayed cases to 285, with none dating back further than 2016. But I’m not going to start hanging out the bunting just yet, because a) more recent cases might well be more complex (because the issues behind them will be likely to be more current, and therefore potentially more complex), and b) because they don’t flaming well deserve any bunting because this was, and remains, one of the most egregious and serious compliance failures it’s been my displeasure to have seen.

And what if they don’t clear them all by 31 October? The notice gives no leeway, no get-out – if any of those requests extant at November last year remains unanswered by November this year, the Right Honourable David Gauke MP (the current incumbent of the position of Secretary of State for Justice) will, it appears, have committed a criminal offence.

Will he be prosecuted?

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.


Prospective customers and PECR

Who is a “prospective customer”, and can businesses rely on the PECR soft opt-in to send such persons unsolicited direct electronic marketing?

The law says – in terms – that one cannot send unsolicited direct marketing by electronic means (for instance by email) to an email address belonging to an “individual subscriber” (in broad terms, this will be a person’s home, or private, email address) unless the recipient has consented to receive it, or if the sender has obtained the contact details of the recipient in the course of the sale or negotiations for the sale of a product or service to that recipient, the marketing is in respect of the sender’s similar products and services only and the recipient was given the option to opt out of such marketing at the time their details were collected, and in any subsequent communication. This is what regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) says, and has done for fifteen years (the General Data Protection Regulation (GDPR) has slightly altered what is meant by consent, but, other than that, is largely irrelevant here).

For the purposes of this blog post I want to focus on the following words in italics:

…if the sender has obtained the contact details of the recipient in the course of the sale or negotiations for the sale of a product or service…

This clearly means that direct electronic marketing can be sent, in appropriate circumstances, to someone who is not yet, and indeed might not ever become, an actual retail customer of the sender.

In light of this, I’m surprised to note the following words in the Information Commissioner’s Office’s guidance on PECR

The soft opt-in rule means you may be able to email or text your own customers, but it does not apply to prospective customers or new contacts

It seems to me that “prospective customers” is capable of a range of meanings. On one hand, a prospective customer might be (as the ICO goes on to mention as an example) someone from a bought-in contact list, and with whom the sender who proposes to send electronic marketing has no relationship whatsoever. But, on the other hand, someone who enters into “negotiations for the sale of a product or service” is surely also a “prospective customer”?

I can’t see the ICO’s guidance here as anything but confusing and potentially misleading.


GDPR – an unqualified right to rectification?

Can FCA – or any data controller – any longer argue that it’s too expensive to have to rectify inaccurate personal data?

Amidst all the hoo-ha about the General Data Protection Regulation (GDPR) in terms of increased sanctions, accountability requirements and nonsense about email marketing, it’s easy to overlook some changes that it has also (or actually) wrought.

One small, but potentially profound difference, lies in the provisions around accuracy, and data subjects’ rights to rectification.

GDPR – as did its predecessor, the 1995 Data Protection Directive – requires data controllers to take “every reasonable step” to ensure that, having regard to the purposes of the processing, personal data which are inaccurate are erased or rectified without delay. Under the Directive the concomitant data subject right was to obtain from the controller, as appropriate the rectification, erasure or blocking of data. Under Article 16 of GDPR, however, there is no qualification or restriction of the right:

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.

I take this to mean that, yes, a controller must in general only take every reasonable step to ensure that inaccurate data is rectified (the “proactive obligation”, let us call it), but, when put on notice by a data subject exercising his or her right to rectification, the controller MUST rectify – and there is no express proportionality get-out (let us call this the “reactive obligation”).

This distinction, this significant strengthening of the data subject’s right, is potentially significant, it seems to me, in the recently-reported case of Alistair Hinton and the Financial Conduct Agency (FCA).

It appears that Mr Hinton has, for a number of years, been pursuing complaints against the FCA over alleged inaccuracies in its register of regulated firms, and in particular over an allegation that

a register entry which gave the impression both him [sic] and his wife were directors of a firm which the regulator had publicly censured

This puts into rather simple terms what appears to be a lengthy and complex complaint, stretching over several years, and which has resulted in three separate determinations by the Financial Regulators Complaints Commissioner (FRCC) (two of which appear to be publicly available). I no doubt continue to over-simplify when I say that the issue largely turns on whether the information on the register is accurate or not. In his February 2017 determination the FRCC reached the following conclusions (among others)

You and your wife have been the unfortunate victims of an unintended consequence of the design of the FSA’s (and now FCA’s) register, coupled with a particular set of personal circumstances;

…Since 2009 the FSA/FCA have accepted that your register entries are misleading, and have committed to reviewing the register design at an appropriate moment;

Although these findings don’t appear to have been directly challenged by the FCA, it is fair to note that the FCA are reported, in the determinations, as having maintained that the register entries are “technically and legally correct”, whilst conceding that they are indeed potentially misleading.

The most recent FRCC determination reports, as does media coverage, that the Information Commissioner’s Office (ICO) is also currently involved. Whilst the FRCC’s role is not to decide whether the FCA has acted lawfully or not, the ICO can assess whether or not the FCA’s processing of personal data is in accordance with the law.

And it occurs to me that the difference here between the Directive’s “reactive obligation” and GDPR’s “reactive obligation” to rectify inaccurate data (with the latter not having any express proportionality test) might be significant, because, until now, FCA has apparently relied on the fact that correcting the misleading information on its register would require system changes costing an estimated £50,000 to £100,000, and the FRCC has not had the power to challenge FCA’s argument that the cost of “a proper fix” was disproportionate. But if the Article 16 right is in general terms unqualified (subject to the Article 12(5) ability for a controller to charge for, or refuse to comply with, a request that is manifestly unfounded or excessive), can FCA resist a GDPR application for rectification? And could the ICO decide any differently?

Of course, one must acknowledge that there is a general principle of proportionality at European law (enshrined in Article 5 of the Treaty of the European Union) so a regulator, or a court, cannot simply dispense with the concept. But there was clearly an intention by the European legislature not to put an express qualification on the right to rectification (and by extension the reactive obligation it places on controllers), and that will need to be the starting point for any assessment by said regulator, or court.

 


(Data)setting an example

Is the ICO failing to comply with its own obligations under FOI law?

Some UK regulators are subject to the laws or rules they themselves oversee and enforce. Thus, for example, the Advertising Standards Authority should avoid advertising its services in contravention of its own code of advertising practice, the Environment Agency should avoid using a waste carrier who is not authorised to carry waste, and the Information Commissioner (ICO) – as a public authority under Schedule 1 of the same – should not breach the Freedom of Information Act 2000 (FOIA). However, I think I can point to numerous examples (I estimate there are 57 on its own website at the time of writing this) where the last has done precisely this, possibly unknowingly, or – if knowingly – with no contrition whatsoever.

In 2012 sections 11 and 19 of FOIA were amended by the Protection of Freedoms Act 2012 (POFA). POFA inserted into FOIA what are colloquially known as the “dataset provisions”. For our purposes here, what these say is that

Under its publication scheme a public authority should publish datasets that have been requested [under FOIA], and any updated versions it holds, unless it is satisfied that it is not appropriate to do so.

In short – and I take the wording above from ICO’s own guidance – if someone asks ICO for a dataset under FOIA, ICO must disclose it, put it on its website, and regularly update it (unless it is “not appropriate” to do so).

“Dataset” has a specific, and rather complex, meaning under POFA, and FOIA. However, the ICO’s own guidance nicely summarises the definition:

A dataset is a collection of factual information in electronic form to do with the services and functions of the authority that is neither the product of analysis or interpretation, nor an official statistic and has not been materially altered.

So, raw or basic data in a spreadsheet, relating to an authority’s functions, would constitute a dataset, and, if disclosed under FOIA, would trigger the authority’s general obligation to publish it on its website and regularly update it.

Yet, if one consults the ICO’s own disclosure log (its website page listing FOI responses it has made “that might be of wider public interest”), one sees multiple examples of disclosures of datasets under FOI (in fact, one can even filter the results to separate dataset disclosures from others – which is how I got my figure of 57 mentioned above) yet it appears that none of these has ever been updated, in line with section 19(2A)(a)(ii) of FOIA.

Some of the disclosures on there are of datasets which are indeed of public interest. Examples are: information on how many FOI etc requests ICO itself receives, and how timeously it handles them; information on the numbers and types of databreach reports ICO receives, and from which sectors; information on how many monetary penalties have been paid/recovered.

It’s important to note that these 57 disclosures are only those which ICO has chosen, because they are “of wider public interest”, to publish on its website. There may well be – no doubt are – others.

But if these dataset disclosures are, as declared, of wider public interest, I cannot see that ICO could readily claim that its reason for not updating them is because it is “not appropriate” to do so.

It may be that ICO feels, as some people have suggested, that the changes to FOIA wrought by POFA might not have met any pressing public demand for amended dataset-access provisions, and, therefore, compliance with the law is all a bit pointless. But there would be two problems with this, were it the case. Firstly, ICO is uniquely placed to comment on and lobby for changes to the law – if it thinks the dataset provisions are not worth being law, then why does it not say so? Secondly, as the statutory regulator for FOIA, and a public authority itself subject to FOIA, it is simply not open to it to disregard the law, even were it to think the law was not worth regarding.


What’s in a name?

For reasons which will become obvious I have replaced the names of two people referred to in this post with “John Doe” and “Jane Doe”: I’ve no wish to perpetuate a possible wrong.

Last night I was reading a recent judgment of the High Court in the matter of an appeal by a barrister from a decision of sanction by the Bar Tribunals and Adjudication Service. The judge, Mr Justice Warby, is one of the most senior media law judges in the country. Indeed, as judge in charge of the Media and Communications List, he is arguably the most senior such judge.

Mr Justice Warby knows a lot, then, about privacy, and data protection, and harm to reputation. As the judge who decided the landmark NT1 and NT2 cases, he also knows a lot about the concept of the “right to be forgotten” and how historic, outdated or inaccurate information on the internet has the potential to cause unwarranted harm in the future.

Yet in the case I will discuss here, I think he adopts a course of action in writing his judgment (one which he implies he may well repeat in future) which has the potential to cause great harm to wholly innocent individuals.

The facts of the case are not particularly relevant. Suffice to say that the barrister in question (named Khan) was suspended because it was found that he had engaged in serious misconduct in inter alia discussing in a robing room serious allegations of sexual offences made by a former client of his against another practising barrister.

In reading the description of the agreed facts I was perturbed, to say the least, to note that the names of the former client and the alleged offender were apparently given in full:

What Mr Khan did, in summary, was this. On two occasions, in the robing rooms of two Courts in the Midlands, he spoke words that suggested to those who were present and heard him that a fellow barrister, [John Doe], had (a) stalked and then (b) raped another, female, lawyer who had been Mr Khan’s client and, (c) when she complained of this, caused serious threats to her life to be made, in an attempt to cover up what had taken place. All the information that Mr Khan had about these matters came from his former client, [Jane Doe], who was the complainant.

The explanation for using apparent full names was given by Warby J in the following paragraph:

I have…changed the name of the complainant because, as someone who has alleged rape, she is entitled to lifetime anonymity (Sexual Offences (Amendment) Act 1992, s 1). To make anonymity effective in her case, I have also changed the name of the barrister she accused. [John Doe] is not his real name. I have used this method of anonymisation, in preference to the use of initials, as it is at least as effective, less artificial, and reduces the potential for confusion

This strikes me as, with respect to the learned judge, profoundly misguided. The use of initials (obviously not the person’s actual initials) does not just anonymise the person to whom they relate, but also avoids the risk of someone else inadvertently being associated.

Because – here’s the rub – there does appear (unsurprisingly) to be a former barrister (now solicitor) called “[John Doe]”. He is clearly not the [John Doe] Warby J refers to (not least because [John Doe] in the judgment is of course a pseudonym). But, as is all too obvious in the modern world, snippets of information can sometimes become separated from their context, and used, inadvertently, or even maliciously, to harmful effect.

It is by no means unlikely that the first paragraph I quote above could be later quoted, or extracted, and read in isolation, and that the practising barrister who is really called [John Doe], but who has no connection whatsoever to the events in the judgment, could be defamed or otherwise harmed as a result.

Put it this way – if I were the practising barrister who is really called [John Doe] I would be horrified, and greatly aggrieved, by paragraph 5 of Warby J’s judgment.

A while ago, my enjoyment of a silly internet game, whereby one Googles the phrase “X was convicted of” (where X is one’s own name), was swiftly replaced by abject dismay, when I found that someone sharing my name had been convicted of a horrific offence. This was pure, if unfortunate, coincidence. What Mr Justice Warby appears to have done in this judgment, and is – I fear – proposing to do in future judgments, is deliberately try to develop (for the best of reasons) a judicial naming convention which risks great harm to wholly innocent and unwitting individuals. I hope he rethinks.


GDPR doesn’t always mean “opt in”

TL;DR – the law says that when you’re buying something from them, companies only have to offer you an opt out from marketing. GDPR hasn’t changed this.

I see a lot of criticism of companies on social media by people who accuse the former of not complying with the General Data Protection Regulation (GDPR). Here’s an example:

But the criticism is generally misguided. GDPR does not itself deal directly with direct marketing (other than to provide for an unqualified right to opt out of it (at Article 21(3)) and a statement in one of the recitals to the effect that the processing of personal data for the purposes of direct marketing may be regarded as carried out for a legitimate interest).

The operative law in the UK regarding electronic direct marketing is, and remains, The Privacy and Electronic Communications (EC Directive) Regulations 2003 (which implement a 2002 European Directive).

These provide that one cannot send direct marketing to an individual subscriber* by unsolicited “electronic mail” (which these days largely boils down to email and SMS) unless the recipient has consented or unless the sender

has obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient…the direct marketing is in respect of that person’s similar products and services only…and the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected, and, where he did not initially refuse the use of the details, at the time of each subsequent communication.

In plain language, this means that when you buy, or enter into negotiations to buy, a product or service from someone, the seller only has to offer an “opt out” option for subsequent electronic marketing. Nothing in GDPR changes this.

*“individual subscriber” means the person who is a party to a contract with a provider of public electronic communications services for the supply of such services – in effect, this is likely to be someone using their personal email address, and not a work one.


FOI needs a strong regulator

Slightly more than twenty working days ago I made a request to a government department under the Freedom of Information Act 2000. Following the structure of section 1(1) of the same, I asked

Please confirm whether you hold [X information] regarding [Y]

If you hold this information, please disclose it.

There are relatively mundane reasons why I am keen to know the first point, and, following on from that, to have the information if it exists.

On the twentieth working day (give or take a bank holiday or two) I received a reply to the first point, but total silence on the second:

I can confirm that [government department] does hold [X information] regarding the [Y].

Although this is rather a bizarre approach to an FOI request (FOIA is after all, primarily about access to information, not just knowledge that it exists) I have no reason to think that the failure to note the second point of my very short request was anything other than an innocent mistake.

Accordingly, I pointed the mistake out to the government department, asking them to send the information by return. (I had to do this by email, because no phone number is given on the correspondence or on the relevant (sparse) website (query whether the service is accessible, therefore, to people who may have difficulties in communicating in writing.)) However, not only did I not get the information by return, I got a template reply, and a new reference number, indicating that my follow-up email is being treated as a wholly new request. I would not be surprised for it to take another twenty working days to get a substantive reply (if I’m wrong, I will update this post accordingly).

So what to do? Well, I could complain to the government department, or ask for an internal review, but that would likely take at least another twenty working days to get a response. I could complain to the Information Commissioner’s Office, but, anecdotally, I understand they are taking some months to allocate and deal with complaints, and the only likely outcome would be a declaration that the government department had failed to comply with its section 10 and section 17 FOIA obligations, and giving them another period of days to comply. I can’t make an application for judicial review because a) the idea is completely ridiculous (have you seen my bank balance?) and b) in March the High Court rather peremptorily dismissed an argument that JR should be available for FOIA cases of urgency (on the grounds that the right of appeal under the statutory scheme was sufficient).

And FOIA delays are not isolated incidents; the BBC’s Martin Rosenbaum has written recently, following up his and others’ research, about the apparent contempt with which some public authorities treat FOIA and the Information Commissioner. Yet the latter appears unwilling, despite having the powers to do so, to act. As the Campaign for Freedom of Information recently noted, her recent draft regulatory action policy effectively ignored the fact that she is responsible for FOIA regulation, as well as for data protection and eprivacy.

Data protection and privacy are certainly hot topics (try counting the number of arriviste consultants who’ve sprung up over the last year to get an idea of how hot) but freedom of information laws are a legislative expression of another fundamental human right. I don’t think it’s the case that as a society we just don’t care about FOI (look back to the MPs’ expenses scandal to see how important and high-profile it can be) so why is it that there appears to be no effective mechanism to enforce our rights in a timely way against a recalcitrant public authority?


It’s not fine

I’m seeing regular discussions on social media about notification of personal data breaches under Article 33 and liability for administrative fines under Article 83 of the General Data Protection Regulation (GDPR). For instance

because Carphone Warehouse had their breach start before GDPR the ICO fines will be tiny…

…Is it breach start or reported date that makes a difference?…

…So all we need to do if you have a breach is say it started in the 24th may…

These sorts of discussions overlook two points.

Firstly, the Information Commissioner’s Office has repeatedly given indications that big penalty notices (to adopt the wording of the Data Protection Act 2018, which notably avoids using the word “fine”*) will not be regularly imposed under the new regime, and nor will there be a “scaling up” of penalties.

Secondly, and crucially, penalties cannot be imposed on controllers merely because they have had, and become aware of, a personal data breach. Under Article 83, penalties can be imposed by a supervisory authority for infringements of the GDPR. The fact that a personal data breach has occurred is not proof that an infringement has also occurred. Article 4 explains that a personal data breach is

a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed

Such personal data breaches might occur even where the controller has complied with its obligations under Article 5(1)(f) to ensure that personal data are

processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures

“Protection” does not impose a counsel of perfection. A personal data breach might occur but a supervisory authority might determine that the controller had done all it reasonably could, and not impose a penalty. In fact, I predict that in the vast majority of cases where controllers notify the ICO of personal data breaches, this is exactly what will happen.

So, returning to those social media discussions – what will actually determine whether GDPR applies, when it comes to the imposition of a penalty, is when the infringement took place, not when the personal data breach did.

This is not new. Some of us have been (largely vainly) arguing for years that a data security incident is not equivalent to a statutory breach, but the elision still happens.

* the word “fine” in domestic law is nearly always reserved for penalties as a sentence under criminal law.


STOP THE NONSENSE PLEASE


ICO newsletter: direct marketing, but no need to “reconsent”

I suspect everyone is now fed up to the back teeth of emails from long-forgotten and sometimes never-known businesses and organisations claiming they need us to renew our consent to receive electronic marketing from them. In many cases we never wanted the marketing in the first place and therefore almost certainly never consented to receive it, according to how “consent” has been construed in the operative law (the Data Protection Act 1998 (DPA), and, specifically, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR)). Everyone is probably equally fed up with similar emails from businesses and organisations we do have a relationship with, and from whom we do want to hear. I’m not going to rehash the law on this – I’ve written and commented multiple times elsewhere (search “Jon Baines +banging head against a brick wall”), as have other, more sage people (try Tim Turner, Adam Rose or Matt Burgess).

But I did notice that the Information Commissioner’s Office (ICO) recently issued a broadly helpful corrective to some of the misinformation out there. I say “broadly helpful” because it is necessarily, and probably correctly, cautious about giving advice which could be potentially interpreted as “do nothing”. Nonetheless, it makes clear that in some cases, doing nothing may be precisely the right thing to do: although the definition of “consent” from the General Data Protection Regulation (GDPR) will drop into PECR, replacing the definition which currently applies (the one at section 11 (3) of the DPA), this does not represent a significant reconfiguring. In general, if you had proper consent before GDPR, you’ll have proper consent under GDPR, and if you didn’t, well, you probably don’t have consent to send an email asking for consent.

Even though the ICO corrective was welcome, I’d actually already begun some slightly mischievous digging.

For a number of years, through various email addresses, I have subscribed to the ICO’s email newsletter (I invite thoughts, through the “comments” function on this blog, about the adequacy of the privacy notice given when one signs up to it, but this post is not directly about that). All the nonsense emails flying round got me to thinking – the ICO newsletter is probably “direct marketing” according to the law and the ICO’s own guidance, and when it is sent to an “individual subscriber” the PECR consent requirements kick in. So, I wondered, had the ICO reviewed whether it needed to get “GDPR-standard consent”, at least from those individual subscribers?

The answer, in response to my request for information under the Freedom of Information Act 2000, is yes – the ICO have reviewed, and no, they don’t think they need to “reconsent”.

They’ve told me that

We have reviewed our e-newsletter and consent as part of our preparations for the requirements of GDPR…we do think our newsletter constitutes direct marketing [but we] don’t think we need to seek re-consent from individuals who have already consented to receive the newsletter.  The newsletter is only sent to people who asked to receive it, this was done on an opt in basis on the back of a clear question asked separately from other information. We have a record of the date they asked to receive the newsletter. There is an unsubscribe option at the end of each newsletter and we log when people tell us they don’t want to receive it anymore – we’ve reviewed that process to make sure it is robust.

Pretty clear, I think.

I post their response here in the hope it might assist those who are in a similar position and are struggling to understand whether they need to send another of those stupid “reconsent” emails flying around.
