I’m a customer of the mobile phone service provider O2. They’re OK. Probably much the same as the rest, but I’ve been with them for a few years now, and I’ve had no real problems with them. And every so often they give me an “upgrade” to a nice shiny new smartphone which half fools me into thinking I’m getting a nice deal.
This morning a corner (my favourite corner) of twitter was buzzing with news of a potential security flaw (or was it deliberate coding?) discovered by a twitter user by the name of @lewispeckover which meant that customers using O2’s mobile network to access the internet were inadvertently revealing their mobile phone number in the headers delivered when they visited a website. As Lewis succinctly put it
So, @O2 send my phone no in an HTTP header to every site I browse. WTF? Is this normal?
No, it’s not normal. Some people have very good reasons for not wanting their mobile numbers handed to third parties, especially when they aren’t aware that it’s being done, and I’m one of them (actually, I haven’t got a “very good reason”, other than I just don’t like it). I had intended blogging about why this incident might involve breaches of the first, second, seventh and eighth data protection principles in the Data Protection Act 1998 (DPA), regulations 6 and 7 of the Privacy and Electronic Communications Regulations 2003 (PECR) and chapter II of the Regulation of Investigatory Powers Act 2000 (RIPA). However, as the news got picked up, first by specialist media then mainstream, and as I realised that people were complaining in numbers to the Information Commissioner (IC), who regulates compliance with both the DPA and the PECR (although not RIPA), I decided that the issue was in the appropriate hands.
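The leak Lewis describes is simple in mechanism: a proxy on the operator's network adds an extra header to each outgoing HTTP request, so every web server the customer visits receives the number. The check below is an added example, not code from the original post, from O2 or from Lewis; it shows what a site operator (or anyone running a header-echo test page) can do to detect that such a header has arrived and to log it without storing the number itself. The header name X-Example-Subscriber-Id and the sample values are constructed for the example; the post does not name the real header.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the headers a web server might see on a request that has
# passed through a mobile operator's proxy. X-Example-Subscriber-Id is a
# placeholder header name and 447700900123 is a reserved (non-allocated) UK
# number range, both chosen for this example.
CONSTRUCTED_REQUEST_HEADERS: Dict[str, str] = {
    "Host": "example.invalid",
    "User-Agent": "Mozilla/5.0 (Linux; Android 2.3) ...",
    "Accept": "text/html",
    "X-Example-Subscriber-Id": "447700900123",
    "Via": "1.1 proxy.example.invalid",
}

# UK mobile numbers are written 07xxx xxxxxx nationally or 447xxx xxxxxx
# internationally; the lookarounds stop a longer digit run (e.g. a session id)
# from matching by accident.
UK_MOBILE_RE = re.compile(r"(?<!\d)(?:\+?44|0)7\d{9}(?!\d)")


def find_msisdn_like_headers(headers: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (header name, matched number) pairs for every header whose value
    contains something shaped like a UK mobile number."""
    hits: List[Tuple[str, str]] = []
    for name, value in headers.items():
        # Operators may insert spaces; strip them before matching.
        for match in UK_MOBILE_RE.finditer(value.replace(" ", "")):
            hits.append((name, match.group(0)))
    return hits


def parse_header_block(raw: str) -> Dict[str, str]:
    """Parse a block of 'Name: value' lines (as captured from a request or an
    echo page) into a dict. Malformed lines without a colon are ignored."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers


def redact(number: str) -> str:
    """Mask all but the last three digits so a finding can be logged without
    the log itself becoming a second copy of the leaked number."""
    keep = 3
    return "*" * max(len(number) - keep, 0) + number[-keep:]


def report(headers: Dict[str, str]) -> List[str]:
    """Produce one redacted log line per suspicious header."""
    return [f"header {name!r} carries a mobile-number-like value {redact(num)}"
            for name, num in find_msisdn_like_headers(headers)]


if __name__ == "__main__":
    for line in report(CONSTRUCTED_REQUEST_HEADERS):
        print(line)
```

Running the module on the constructed headers prints a single redacted finding for X-Example-Subscriber-Id; the same `report` call dropped into a request hook or a log-processing job gives a site operator a way to notice, and raise with the operator or the regulator, that customers' numbers are arriving unasked.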
But I still intended, when I got home from work tonight, to make a complaint to that statutory regulator. This is a) an issue that concerns me, b) one I know something about, c) one that has made me a bit angry, and d) one I’m prepared to rant about. However, I noted, on my bus journey home, browsing the internet on my shiny smartphone via O2’s network, that the IC had updated his home page, and was saying
Today we’ve received a large number of complaints about an alleged data breach on the O2 mobile phone network.
We now have enough information to take this matter further, so there is no need for customers to complain to us.
Great. They’re taking the matter further. But hang on – they don’t want us to complain now, because they have enough information? Well, that’s a bit presumptuous, and risky (how do they know they’ve got enough information?). But also, it’s quite concerning. The IC has many powers available to him if he finds that a data controller has breached the DPA or the PECR. In assessing how bad a breach might be, he has to take into account various factors. For instance, from his own guidance on imposing Monetary Penalty Notices,
The number of individuals actually or potentially affected by the contravention
Hang on a minute.
The number of individuals actually or potentially affected by the contravention
Er.
I just question how you can properly assess how many people have been affected by an alleged contravention if you discourage people from complaining about that alleged contravention.
And not satisfied with this attempt at dissuasion, the IC took to tweeting the same message earlier this evening. He clearly doesn’t want any more people to send him complaints, but this could lead to a misleading assessment of the number of people actually affected. I’m sure that O2, in assisting the IC in his subsequent investigation, will tell him how many people were potentially affected, but, if I were them, I would say “well, only a small number actually complained, so it wasn’t that bad a breach, after all”.
And this is not the first time the IC has done this. Currently, the first question and answer on his “Data Protection for the Public” FAQs page are
Q: I have received a letter from Welcome Financial Services Limited. What should I do?
We have recently been informed of a data breach involving Welcome Financial Services Limited including its business Shopacheck. We believe they are taking steps to inform those affected. We will be making enquiries into the circumstances of the apparent breach of the Data Protection Act before deciding what action, if any, needs to be taken.
As we are already aware of this issue and in contact with Welcome Financial Services Limited, there is no need to submit further complaints to this office. [emphasis added, as if you needed to know]
I do try to defend the IC and his office, and I know they are always sorely lacking funds, but when a regulator, who is supposed to be receptive to complaints about alleged failures to comply with laws he regulates, actively discourages people from complaining, my enthusiasm for defending falters.
To the IC I ask, do you want me to complain, and say how I have been affected by O2’s handling of my personal data? And if not, why not?
Excellent post – and of course, there’s nothing to stop those with a legitimate complaint from making that complaint to the ICO. And not just to spite them.
The Welcome Finance CMP explains the loss involved more than 500,000 people’s data so I think it’s a fairly understandable position to say that it’s not necessary for each of those people to individually inform the ICO as to what happened.
Re your own desire to complain about O2 – the ICO’s website explains that in such circumstances you should first write to the organisation itself “to give it an opportunity to put things right”. At the stage you wanted to complain it doesn’t sound like you had done this – likewise any of the other large number of people who had already complained to the ICO, presumably based on what they had read on Twitter.
In both cases perhaps the ICO could have asked for individuals with specific accounts of having suffered damage to contact them – but to characterise an attempt at efficiency from an organisation with limited resources as “Stop bothering us” seems a harsh account.
Or, to put it more succinctly, as Tim Turner said today – “Complaints are separate to the large security and accuracy breaches that result in ICO CMPs”.