March 12, 2023 · 12:49 pm

Where’s the Tories’ privacy notice? (just don’t mention the footballer)

The Conservative Party, no doubt scrabbling to gather perceived support for its contentious immigration policies and measures is running a web and social media campaign. The web page encourages those visiting it to “back our plan and send a message” to other parties:

Further down the page visitors are invited to “send Labour a message”

Clicking on either of the red buttons in those screenshots results in a pop-up form, on which one can say whether or not one supports the Tory plans (in the screenshot below, I’ve selected “no”)

One is then required to give one’s name, email address and postcode, and there is a tick box against text saying “I agree to the Conservative Party, and the wider Conservative Party, using the information I provide to keep me updated via email about the Party’s campaigns and opportunities to get involved”

There are two things to note.

First, the form appears to submit whether one ticks the “I agree” box or not.

Second, and in any case, none of the links to “how we use your data”, or the “privacy policy”, or the “terms and conditions” works.

So anyone submitting their special category data (information about one’s views on a political party’s policies on immigration is personal data revealing political opinions, and so Article 9 UK GDPR applies) has no idea whatsoever how it will subsequently be processed by the Tories.

I suppose there is an argument that anyone who happens upon this page, and chooses to submit the form, has a good idea what is going on (although that is by no means certain, and people could quite plausibly think that it provides an opportunity to provide views contrary to the Tories’). In any event, it would seem potentially to meet to definition of “plugging” (political lobbying under the guide of research) which ICO deals with in its direct marketing guidance.

Also in any event, the absence of any workable links to privacy notice information means, unavoidably, that the lawfulness of any subsequent processing is vitiated.

It’s the sort of thing I would hope the ICO is alive to (I’ve seen people on social media saying they have complained to ICO). But I won’t hold my breath on that – many years ago I wrote about how such data abuse was rife across the political spectrum – but little if anything has changed.

And finally, the most remarkable thing of all is that I’ve written a whole post on what is a pressing and high-profile issue without once mentioning Gary Lineker.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Information Commissioner, marketing, PECR, privacy notice, social media, spam, UK GDPR

Tagged as , , , ,

March 10, 2023 · 2:47 pm

Meet the new Bill, same as the old Bill

I’ve written a piece for the Mishcon de Reya website on the return to Parliament this week of the data protection reform legislation

https://www.mishcon.com/news/the-new-data-protection-reform-bill-same-as-old-the-bill

Leave a comment

Filed under Uncategorized

February 28, 2023 · 8:29 pm

FOI embarrassment

At a recent awards event, recognising high-performing Freedom of Information officers and teams (fantastic idea by the organisers/sponsors, by the way*) I gave a brief talk where I stressed that it was important to recognise how much FOI has achieved in its 23 (or 18**) years, and to remember that every day thousands of disclosures are made by thousands of public authorities. It’s very easy to snipe at bad practice, and I often do, but if we don’t acknowledge the benefits, the real opponents of FOI might start arguing for its repeal.

So. Celebrate success. Accentuate the positive. Eliminate the negative.

However.

Then you see a decision notice from the Information Commissioner (ICO), in which a large London council had refused to disclose, under FOI, information on how many enquiries (MEQs) each of its councillors*** had submitted to the council on behalf of constituents. The reason for refusal was that this was the personal data of the councillors (well, yes) and that disclosure would infringe those councillors’ rights under the data protection law (hell, no).

This isn’t time for legal analysis. It really is as extraordinary as it sounds.

Thankfully, the ICO had no truck with it (and the notice does have legal analysis).

Frankly, though, the council should be ashamed.

______________________

*I have no personal or professional interest

**The Act commenced in 2000, but the main provisions didn’t commence until 2005

***At the end of the notice there is a big hint as to the role of the person who made the request – see if you can guess

.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, Data Protection, Freedom of Information, Information Commissioner, local government

Tagged as , ,

February 22, 2023 · 8:24 am

Monitoring of lawyers by the state

In the Commons on Monday Robert Jenrick, minister for immigration, said, in the context of a debate on the implications of the violent disorder outside a hotel providing refuge for asylum seekers, in Knowsley on 10 February, and in answer to a question about why no “small boats bill” has been introduced into Parliament

this is one of the most litigious areas of public life. It is an area where, I am afraid, human rights lawyers abuse and exploit our laws at times, and where the courts have taken an expansive approach in the past. That is why we must get this right, but we will be bringing forward that legislation very soon

When pressed on his reference to abuse of the law by lawyers, and asked “how many solicitors, advocates and barristers have been reported by the Home Office in the last 12 months to the regulatory authorities”, Mr Jenrick replied

We are monitoring the activities, as it so happens, of a small number of legal practitioners, but it is not appropriate for me to discuss that here.

This is a remarkable statement, both in its lack of detail and in its potential effect. The prospect of the monitoring of lawyers by the state carries chilling implications. It may well be that Mr Jenrick had no intention of making what could be interpreted as an oppressive statement, but words are important, and words said in Parliament carry particular weight.

It may also be that the “monitoring” in question consists of legitimate investigation into potential criminality by that “small number” of lawyers, but if that was the case, why not say so?

But “monitoring”, in itself, must be done in accordance with the law. If it is in the context of a criminal investigation, or surveillance, there are specific laws which may apply.

And to the extent that it involves the processing of personal data of the lawyers in question (which, inevitably, it surely must, when one considers that “processing” means, among other things “collection, recording, organisation, structuring or storage” performed on personal data) the monitoring must comply with applicable data protection laws).

As a fundamental general principle, processing of personal data must be transparent (see Articles 5(1)(a), 13 and 14 UK GDPR, or, for law enforcement processing, section 44 of the Data Protection Act 2018 (DPA), or, for Intelligence Services Processing, section 93 of the DPA.

There are qualifications to and exemptions from this general principle, but, in the absence of circumstances providing such an exemption, a data subject (here, the lawyers who are apparently being monitored) should be made aware of the processing. The information they should receive includes, among other things: the identity and the contact details of the person directing the processing; the legal basis and the purposes of the processing, and; the recipients or categories of recipients of the personal data.

We tend to call the notices we receive under these provisions “privacy notices”. Those of us who have practised data protection law for a long time will remember the term “fair processing notice” which is arguably a better term. Whatever one calls them, though, such notices are a bedrock of the law – without being aware of the processing, and the risks, rules, safeguards and rights in relation to it, data subjects cannot properly exercise their rights.

With all that in mind, has the Home Office – or whoever it is who is directing the monitoring of the “small number of lawyers” – informed them that they are being monitored? If not, why not?

Returning to my earlier comments about the oppressiveness of comments to the effect that, or the giving of a perception that, the coercive powers of the state are being deployed against lawyers by monitoring them, one wonders if the Information Commissioner should take steps to investigate the background to Mr Jenrick’s comments.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Information Commissioner, transparency, surveillance, human rights, Home Office, privacy notice, Data Protection Act 2018, law enforcement, monitoring

Tagged as , , , ,

February 20, 2023 · 8:40 am

NADPO February webinar

NADPO’s online webinars continue on Tuesday 28th February 2023 at 1.30pm, with the following speakers and topics.

Professor Ross Anderson – ‘Will the online harms bill protect children? Is there a case for breaking encryption?’

Justin Sherman, Duke University Sanford School of Public Policy: “Your Data’s for Sale: The Data Brokerage Ecosystem and Risks to Privacy and Security”

The Zoom link will be sent to NADPO members the day before the webinar.

If you are not a member but would like to “test the water” please contact me at chair at nadpo dot co dot uk – I can normally be persuaded to offer a free place!

Leave a comment

Filed under Uncategorized

February 12, 2023 · 10:17 am

Who’s yer da? Language misunderstandings in the courts

The stereotype of the out-of-touch judge goes back centuries, and is epitomised by the (probably apocryphal) example in the 1960s of the judge asking plaintively “who are the Beatles?” Often, one suspects, a judge will in fact be asking a question to which she knows the answer, but which she feels would benefit from explanation by counsel, or a witness.

But I noticed an interesting example of what might be a real misunderstanding in a recent judgment on an application to strike out claims arising from publication of a screenshot from Facebook, with associated statements. The claims have been brought in defamation, harassment, data protection and misuse of private information.

The screenshot was of a photograph of the claimant, said to have been taken outside a school, and in one case, posted on Twitter, it was accompanied by words, having the effect of a caption, saying “I see yer Da is doing ‘community watch’ again”.

In respect of the application to strike out the misuse of private information claim, the judge hearing the application had to consider whether the tweet constituted information in which the claimant had a reasonable expectation of privacy. One of the features he took into account was this:

The location was outside the school which the claimant’s daughter attended. The Facebook Post did not say this (because Ms K made clear that she did not know who the claimant was and there is no sign in the photograph of the claimant’s daughter). But that does not change the fact that the claimant was photographed outside his daughter’s school having just done the school run. The expression “yer Da” (part of the caption to the first tweet of the screenshot) suggested, correctly, that he was a parent. [emphasis added]

I do not think this is right. I do not think the expression did, nor was intended to, suggest the claimant was a parent. Those who spend some time on the internet become familiar with its particular idioms, and “yer Da” is one of those. It is not meant to be taken literally nor to suggest someone is a parent. The Urban Dictionary’s definition is on point:

A common meme of the mid-2010s, most popular in the UK, from the Scottish dialect of “your dad”, which involves someone making statements on a news story through the eyes of a stereotypically right-wing, conservative, reactionary middle aged British man, increasingly baffled and angry at the modern world.

It gives a number of example uses which it’s not necessary to quote here, but suffice to say that I suspect the use of “yer Da” was intended to be mockery, but not to suggest the claimant was a parent.

This is not to say that what I see as a misunderstanding by the judge has any real significance to the case (the phrase was by no means the only factor taken into account, in what is a multi-pronged claim arising from a clearly fractious background).

But it does show that language and idioms and the context in which they are used are complex things. The irony is that this is (partly) a libel case, an area of law where the subtleties of meaning can be profoundly relevant.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under defamation, misuse of private information

Tagged as

February 11, 2023 · 12:07 pm

SNP MP private email hack

UPDATE 13.02.23: it’s been drawn to my attention that Mr McDonald says that his private account is “not used for constituency or parliamentary business” END UPDATE

It was reported last week that the email account of Stewart McDonald, an SNP MP, had been compromised in what he described as a “sophisticated and targeted spear phishing hack”. The BBC appeared to agree with him, describing it as a “highly targeted and sophisticated attack”.

Maybe it was, although surely MPs are told to be wary of unexpected email attachments, and not to put enter system passwords when asked to in palpably suspicious circumstances (McDonald had attempted to open a document apparently sent by a member of his staff, with a military update on Ukraine, and clicking on it brought up a login page for the email account he was using).

But what I haven’t seen raised much in the media is the fact that the account which was compromised appears to have been McDonald’s private email account, and that the offending attachment was sent (or was spoofed to make it look like it was sent) from his staffer’s private email account. The reporting has referred to “personal” email account, from which it is reasonable to infer that these are not official accounts (such as McDonald’s one given on his parliamentary page).

Only last year the Information Commissioner presented a report to Parliament on the use of private communications channels in government. Although the report was prompted by concerns about the use of such private channels within the Department for Health and Social Care, it made clear that it had general application in relation to the “adopting [of] new ways of working without sufficient consideration of the risks and issues they may present for information management”. The report stresses throughout the importance of “maintaining the security of personal and official information” and the risks that private channels present to such security.

Did Mr McDonald and his staff read it? If not, this tweet he made only a couple of years ago is ironic, to say the least.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under data security, Information Commissioner, national security, parliament, security

Tagged as , ,

February 10, 2023 · 7:32 pm

Campaign for Records – Democracy and Rights in the Digital Age

There’s a piece up on the Mishcon de Reya website about the launch event for this campaign, run jointly by ARA and IRMS, at which I was recently invited to speak:

https://www.mishcon.com/news/jon-baines-speaks-at-parliamentary-event-on-foi-and-records-management

Leave a comment

Filed under access to information, Freedom of Information, Information Commissioner, records management

February 4, 2023 · 9:56 am

Facial recognition in the school canteen

A piece I wrote for the Mishcon de Reya website on the ICO’s recent letter to North Ayrshire Council on the use of facial recognition technology in schools:

https://www.mishcon.com/news/ico-takes-action-on-facial-recognition-in-schools

Leave a comment

Filed under Biometrics, consent, Facial recognition, Information Commissioner

Tagged as , ,

January 15, 2023 · 7:29 am

NADPO monthly webinar, 24 January

The next NADPO monthly webinar will be on 24 January, with two excellent speakers and topics

Dr Monica Horten, Open Rights Group – “Everything in moderation: social media surveillance and the Online Safety Bill”

Hassan Khan, Jason Ceci and Jonah Stegman: “No Privacy in the Electronics Repair Industry”.

As always, attendance is free for members, who should note that the start time is 13:30 rather than the usual 12:30.

We generally also have a couple of tickets available for anyone who is thinking of joining NADPO and wants to test the waters, so to speak. Contact me at chair at nadpo dot co dot uk if you’re interested.

Leave a comment

Filed under Uncategorized