Category Archives: Data Protection

Data protection implications of MPs crossing the floor

Douglas Carswell MP is a data controller.

It says so on the Information Commissioner’s register:

[Screenshot of the ICO register entry for Douglas Carswell]

(I hope he remembers to renew the registration when it expires next week: it’s a criminal offence to process personal data as a data controller without a registration, unless you have an exemption).

But, more directly, he is a data controller because as an MP he is a person who determines the purposes for which and the manner in which the personal data of his constituents is processed. Sensible guidance for MPs is provided by Parliament itself:

A Member is the data controller for all personal data that is handled by their office and they have overall responsibility for ensuring that this is done in accordance with the DPA.

I have already written recently raising some concerns about Carswell’s alleged handling of constituents’ personal data. But this week he decided to leave the Conservative Party, resign his seat, and seek re-election as a member of the UKIP party. James Forsyth, in the Daily Mail, talks about the constituency knowledge Carswell will bring to UKIP, and reports that “one senior Ukip figure purrs: ‘The quality of Douglas’s data is amazing'”.

As a data controller an MP must process constituents’ personal data in accordance with the eight data protection principles of the Data Protection Act 1998 (DPA). Failure to do so is a contravention of the data controller’s obligation under section 4(4). Data subjects can bring legal claims for compensation for contravention of that obligation, and for serious contraventions the ICO can take enforcement action, including the serving of monetary penalty notices to a maximum of £500,000.

The second data protection principle requires that

Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes

A person’s political opinions are “sensitive personal data”, afforded even greater protection under the DPA. It is not difficult to understand the historical basis for this, nor, indeed, the current basis for its still being so. Data protection law is in part an expression of and development of rights which were recognised by the drafters of the Universal Declaration of Human Rights and European Convention on Human Rights. Oppression of people on the basis of their politics was and remains distressingly common.

If constituents have given Carswell their details on the basis that they would be processed as part of his constituency work as a Conservative MP, they might rightly be aggrieved if that personal data were then used by him in pursuit of his campaign as a UKIP candidate. As Paul Bernal tweeted:

If I gave my data to help the Tories and found it was being used to help UKIP I’d be livid

Such use would also potentially be in breach of the first data protection principle, which requires that personal data be processed fairly and lawfully. It would not be fair to share data with a political party, or for the purposes of furthering its aims, in circumstances where the data subject was not aware of this and might very reasonably object. And it would not be lawful if the data were, for instance, disclosed to UKIP in breach of confidence.

An interesting twitter discussion took place this morning about whether this apparent use of constituents’ data might even engage the criminal law provisions of the DPA. As well as Carswell, there may be other data controllers involved: if some of the data he was in possession of was, for instance, being processed by him on behalf of, say, the Conservative Party itself, then the latter would be data controller. Section 55 of the DPA creates, in terms, an offence of unlawfully disclosing personal data without the consent of the data controller. However, as was agreed on twitter, this would be a complex knot to unpick, and it is unlikely, to say the least, that either the ICO or the CPS would want to pursue the matter.

Notwithstanding this, there are serious questions to be asked about the DPA implications of any MP crossing the floor. The use of personal data is likely to be a key battleground in the forthcoming general election, and will throw even sharper focus on European data protection reform. I would argue that this is a subject which the ICO needs to get a grip on, and quickly.

UPDATE: Paul Bernal has written a superb piece on the broader ethical issues engaged here.

Filed under Confidentiality, Data Protection, human rights, Information Commissioner

Due to data protection, an apology

Earlier today I noticed a tweet from British Airways, in response to a query from someone who had apparently tweeted their booking reference number. BA said

Hi…for data protection we must ask you remove the booking ref from your feed. We’ll look into this and get back to you.

I thought it was mildly amusing and irritating that “data protection” was being cited as the reason for the request to delete the tweet. “Data protection” sometimes seems like a catch-all term companies trot out when they’re asked for any sort of information which they’re reluctant to disclose. This time it seemed like BA were extending this to a paternalistic oversight of people’s twitter feeds.

In this instance, though, BA responded politely to my tweet, explaining why they discourage customers from posting booking numbers on social media, and others politely rallied to their cause.

So I’m just posting to say to BA – I’m sorry. I think you’re right to discourage the public posting of private information, and I understand why you sent that tweet. It was puerile of me to pick it up and tweet about it.

But, even though the issue is related to the processing of personal data, I do still think it was a bit silly to use “data protection” to justify your sensible suggestion to a customer to delete one of their tweets.

Filed under Data Protection

Some observations on the MoJ £180,000 data protection “fine”

1. It wasn’t a fine: section 55A of the Data Protection Act 1998 (DPA) gives the Information Commissioner’s Office (ICO) the power to impose a monetary penalty notice (MPN) to a maximum of £500,000 on a data controller which has made a serious contravention of its obligation to comply with the data protection principles, and the contravention was of a kind likely to cause substantial damage or substantial distress (and the data controller knew or should have known about the risk). There is often confusion over the civil and criminal sanctions in the DPA, perhaps not helped by the fact that the main criminal sanction is at section 55, and the main civil sanction at section 55A. However, although the incorrect use of the term “fine” is understandable in some circumstances, I don’t think the ICO themselves should use it.

2. The money goes straight back to the government: this is true – monetary penalties do not get paid to the ICO. Rather, they are paid into the Consolidated Fund – the government’s bank account. While this does have an element of absurdity (and similar complaints are sometimes made when the ICO serves MPNs on other public bodies, such as the NHS, or local authorities) recent research (and personal anecdotal experience) suggests that the MPNs are effective in improving data controller compliance. One wonders if alternative methods, like individual liability for data controller failings (which would require major primary legislation), would have similar effects.

3. The Ministry of Justice funds the ICO: in part, at least. The MoJ funds the ICO for its freedom of information work. Its data protection work comes from the fees data controllers pay the ICO to appear on its register. Nonetheless, penalising the MoJ could be seen as biting the hand that feeds – it is commendable that the ICO is not afraid to do so.

4. The MoJ is data controller for prisoner data within prisons: being the person or persons who determine the purposes for which and the manner in which any personal data are, or are to be, processed. That’s a heck of a lot of highly sensitive personal data to be responsible for. And such responsibility carries potentially huge liability for errors.

5. This is not the first MPN the MoJ has received: less than 12 months ago the MoJ received an MPN of £140,000 for a remarkably similar set of events to those which prompted the latest MPN. Both MPNs involved insecure processes to safeguard prisoner databases – in the first an unencrypted database file was emailed to a member of the public, and in the second a hard disk containing a prisoner database, which should have been encrypted but wasn’t, was lost. As MPNs are often served (as these were) for contraventions of the obligation to have appropriate organisational and technical measures in place to safeguard against loss of data, one might argue that a second such serious contravention might have warranted even more severe sanctions. The ICO even notes that the second contravention was because of a botched attempt to put right what happened in the first, and deems the second contravention “very serious” (as opposed to the first’s “serious”). I am not the only person I have spoken to who is surprised this latest MPN was not higher.

and finally

6. Data security is not just about technology: it’s also about people. In this instance the MoJ, after its first MPN (see above), sent hard drives to all relevant prisons which were capable of holding data in encrypted format.

But they forgot to tell the prison staff to switch encryption on.

Filed under Data Protection, Information Commissioner, monetary penalty notice

Data Protection Act non-pecuniary damages in the County Court

The Data Protection Act 1998 (DPA) is, as its regulator the Information Commissioner (IC) concedes, “complex and, in places, hard to understand”. Moreover, it has been observed that:

there is…little case law…most damages claims under the DPA go to the County Court, where unless you were in the case it is hard to know that it happened or get hold of a judgment

To which one would add that, as most damages claims go no further than the County Court, those cases we do hear about don’t set precedent anyway.

However, thanks to the website LegalBeagles we do now have another judgment which deals with the DPA, and which was handed down in June this year in the County Court at Taunton. In the judgment (.pdf, 12MB), in rather dense prose, Deputy District Judge Stockdale ruled on a money claim against Lloyds Bank for unfair bank charges (the primary claim) and a claim for damages under section 13 of the DPA. Holding that the specific bank charges between 2007 and 2009, for unauthorised overdraft facilities, were indeed unfair (for reasons I am rather ill-equipped to explore), the Judge went on to hold that the referral of a default to credit reference agencies was in breach of the first data protection principle (Schedule One, DPA) which obliged the bank to process the claimant’s personal data fairly (and lawfully). This was because, by reference to the then IC Guidance “Filing of defaults with credit reference agencies”, the relationship between the lender and the individual had not broken down. The guidance said

The term ‘default’, when recorded on a credit reference file should be used to refer to a situation when the lender in a standard business relationship with the individual decides that the relationship has broken down

In this case, as the claimant and the bank, at the time the latter registered the default, had entered into a repayment arrangement (which the claimant was keeping to), it could not be said that the relationship had broken down.

An interesting point about this judgment is that the claimant’s case was bolstered by the fact he could point to a prior assessment opinion by the IC. He had complained about the bank’s actions to the IC, who had determined (in line – although this is unsaid in the judgment – with his duties under section 42 DPA to assess processing) that it was unlikely that the bank had complied with its DPA obligation. This clearly carried weight for the judge (as did the Guidance).

Another interesting point is that, in assessing the remedy for the contravention, the judge followed the (compelling) dicta of Tugendhat J in Vidal-Hall & Ors v Google Inc [2014] EWHC 13 (QB) and awarded compensation for what was non-pecuniary damage of £1000, in recognition of the trouble to which the claimant had been put in pursuing the matter and bringing the claim. The claimant was also successful in an application under section 14(1) DPA for erasure/destruction of the default on his credit reference files.

Vidal-Hall has not yet come to trial. If, when it does, Tugendhat J’s “preliminary view” that “damage in s.13 does include non-pecuniary damage” is upheld, it could lead to a rush of similar claims being made.

Filed under damages, Data Protection, Information Commissioner

A fishy way of boosting party membership?

A tweet today referred me to a New Statesman article from October last year which contains what I think are actually quite serious allegations against Tory MP Douglas Carswell (who has today announced his intention to resign his seat and re-stand for UKIP) or, perhaps, against his local party machine. The magazine alleges that

A snout rang with the tale of an Essex man who went along to a Clacton fish-and-chip supper organised by the local MP, Douglas Carswell. The chap paid his £10, enjoyed his cod and then listened to the debate before going home unconvinced by the Tory case on Europe. So imagine his perturbation at a letter from Carswell’s office informing him that his tenner would be converted into membership of the constituency association unless he wrote back renouncing the party. The chap couldn’t be bothered to reply and – hey presto! – an unwanted Tory membership card duly popped through his letter box.

I do not know if this is true*. I’ve asked Mr Carswell via his twitter account whether it is, but, understandably, he may have more pressing priorities today. He was certainly in the habit of hosting such events, as his personal blog shows.

But if it is true, it raises concerns about the handling of constituents’ personal data. The second principle of the Data Protection Act 1998 (DPA) provides that

Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes

and by section 4(4) of the DPA a data controller (the person or persons who determine the purposes for which and the manner in which any personal data are, or are to be, processed) must comply with the eight data protection principles. Failure to do so renders the data controller liable to private legal action by aggrieved data subjects, as well as regulatory enforcement action by the Information Commissioner (which can consist of monetary penalties to a maximum of £500,000 for especially serious contraventions). Mr Carswell’s entry on the Commissioner’s register confirms he accepts his status as data controller, as does the entry for his local Conservative Constituency Association. Any personal data of a constituent attending fish-and-chip suppers had to be processed in accordance with the eight principles, and wrongly recording someone as a member of a political party would involve the processing of sensitive personal data (a category which includes information about political allegiance, and which is afforded even higher protection).

And, as well as being in contravention of the second principle, such processing would be in breach of the first, which requires that personal data be processed fairly and lawfully. I’m not going to make a party political point, but as of today, even Mr Carswell might feel that, in broader terms, it would be particularly unfair to wrongly categorise someone as a member of the Tory party.

*If Mr Carswell refutes the allegations in the story I will be very happy to amend this blog post accordingly

Filed under Data Protection, Information Commissioner

Red light for ICO spam text “fines”

A week ago I noted that the Information Commissioner’s Office (ICO) had effectively conceded that, since the Upper Tribunal’s decision in the Niebel case, it could not realistically serve monetary penalty notices (MPNs) on spam texters. I observed that

the result of the Niebel litigation has been to remove their powers to serve MPNs for spam texts, [with the ICO saying] it had “largely [rendered] our power to issue fines for breaches of PECR involving spam texts redundant”.

This perception has been reinforced by the press release today from the ICO, reporting a raid on a claims management call centre “thought to be connected to a spam text operation”. Information and hardware were seized in the raid, but the ICO says it

will now consider whether an enforcement notice compelling the organisation to comply with the rules regarding text marketing can be issued

Notably, no reference to an MPN is made. To recap, an MPN can be served under section 55A of the Data Protection Act 1998 if there has been a serious contravention of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) of a kind likely to cause substantial damage or substantial distress. The Niebel litigation, in very broad terms, cast doubt on whether receiving spam texts could ever cause substantial damage or substantial distress (as opposed to, say, irritation).

Whether this Llanelli operation was in contravention of the law, and, if so, what sanctions will flow, will no doubt be determined on the basis of the seized information and other information.

And although enforcement notices are serious sanctions, with breach of one being a criminal offence (although not a recordable one), whether people running spam texting operations see them as a real deterrent is another matter.

Filed under Data Protection, Information Commissioner, marketing, monetary penalty notice, PECR, Upper Tribunal

One for the Environmental Information Regulations + Data Protection nerds

In 2010 the Court of Justice of the European Union (CJEU) held that, insofar as they required the automatic publication of the name and other particulars of natural persons (as opposed to legal persons) of beneficiaries of funds deriving from the European Agricultural Guarantee Fund (EAGF) and the European Agricultural Fund for Rural Development (EAFRD), certain articles of European Council Regulation (EC) No 1290/2005 of 21 June 2005 on the financing of the common agricultural policy were invalid. This was because they imposed an obligation to publish personal data relating to these beneficiaries (who might be private individuals or sole traders) without permitting criteria such as the periods, frequency and amounts involved to be considered.

Rip-roaring start to a blog post eh?

In the words of the First-tier Tribunal (Information Rights) (FTT) which has recently had to consider the impact of those CJEU cases on an Environmental Information Regulations 2004 (EIR) case

[the CJEU] ruled that such a requirement for publication was incompatible with an individual’s right for privacy where the agreement holder concerned was a private individual or sole trader

The relevance of the European judgments was that Natural England, which had until 2010 published information about beneficiaries of funds granted to farmers and landowners under the European Stewardship Agreement (ESA), even when it consisted of personal data of private individual or sole trader beneficiaries, ceased such automatic publication and removed previously published information from its website. This was despite the fact applicants for an ESA had, until 2010, been given a privacy notice in a handbook which explained that the information would be published, and had signed a declaration accepting the requirements.

Notwithstanding this, when it received a request for agreements reached with farmers and landowners in the River Avon flood plains area, Natural England decided that the personal data of the beneficiary (there appears to have just been one) was exempt from disclosure under regulations 12(3) and 13 of the EIR (which broadly provide an exception to the general obligation under the EIR to disclose information if the information in question is personal data disclosure of which would be in breach of the public authority’s obligations under the Data Protection Act 1998 (DPA)).

The Information Commissioner’s Office had agreed, saying

although consent for disclosure has been obtained [by virtue of the applicant’s declaration of acceptance of the handbook’s privacy notice], circumstances have changed since that consent was obtained. As Natural England’s current practice is not to publish the names of those who have received grants with the amounts received, the Commissioner is satisfied that the expectation of the individuals concerned will be that their names and payments will not be made public.

However, the FTT was not convinced by this. Although it accepted that it was possible “that the applicant no longer expected the relevant personal data to be disclosed” it considered whether this would nevertheless be a reasonable expectation, and it also took into account that the effect of the CJEU’s decision had not been expressly to prohibit disclosure (but rather that the validity of automatic publication had been struck down):

When one combined the facts that an express consent had been given, that there had been no publicity by NE or mention on its website of the ECJ decision and finally, that the effect of that decision had not, in the event been to prohibit disclosure, [the FTT] concluded that such an expectation would not be reasonable

Furthermore, given that there was no real evidence that disclosure would cause prejudice or distress to the applicant, given that some identifying information had already been disclosed into the public domain and given that there was a legitimate interest – namely “accountability in the spending of public monies” – in the information being made public (and disclosure was necessary to meet this legitimate interest) the disclosure was both fair and supported by a permitting condition in Schedule 2 of the DPA. For these reasons, disclosure would not, said the FTT, breach Natural England’s obligation to process personal data fairly under the first data protection principle.

So maybe not the most ground-breaking of cases, but it is relatively rare that an FTT disagrees with the ICO and orders disclosure of personal data under the EIR (or FOI). The latter is, after all, the statutory regulator of the DPA, and its views on such matters will normally be afforded considerable weight by any subsequent appellate body.

Filed under Data Protection, Environmental Information Regulations, Europe, Freedom of Information, Information Commissioner, Information Tribunal

ICO indicates that (non-recreational) bloggers must register with them

I think I am liable to register with the ICO, and so are countless others. But I also think this means there needs to be a debate about what this, and future plans for levying a fee on data controllers, mean for freedom of expression.

Recently I wrote about whether I, as a blogger, had a legal obligation to register with the Information Commissioner’s Office (ICO) the fact that I was processing personal data (and the purposes for which it was processed). As I said at the time, I asked the ICO whether I had such an obligation, and they said

from the information you have provided it would be unlikely that you would be required to register in respect of your blogs and tweets

However, I asked them for clarification on this point. I noted that I couldn’t see any exemption from the obligation to register, unless it was the general exemption (at section 36) from the Data Protection Act 1998 (DPA) where the processing is only for “domestic purposes”, which include “recreational purposes”. I noted that, as someone writing a semi-professional blog, I could hardly rely on the fact I do this only for recreational purposes. The ICO’s reply is illuminating

if you were blogging only for your own recreational purposes, it would be unlikely that you would need to register as a data controller. However, you have explained that your blogging is not just for recreational purposes. If you are sharing your views in order to further some other purpose, and this is likely to impact on third parties, then you should consider registering.

I know this is couched in rather vague terms – “if”…”likely”…”consider” – but it certainly suggests that merely being a non-professional blogger does not exempt me from having to register with a statutory regulator.

Those paying careful attention might understand the implications of this: millions of people every day share their views online, in order to further some purpose, in a way that “is likely to impact on third parties”. When poor Bodil Lindqvist got convicted in the Swedish courts in 2003 that is just what she was doing, and the Court of Justice of the European Union held that, under the European Data Protection Directive, she was processing personal data as a data controller, and consequently had legal obligations under data protection law to process data fairly, i.e. by not writing about a fellow churchgoer’s broken leg etc. without informing them/giving them an opportunity to object.

And there, in my last paragraph, you have an example of me processing personal data – I have published (i.e. processed) sensitive (i.e. criminal conviction) personal data (i.e. of an identifiable individual). I am a data controller. Surely I have to register with the ICO? Section 17 of the DPA says that personal data must not be processed unless an entry in respect of the data controller is included in the register maintained by the ICO, unless an exemption applies. The “domestic purposes” exemption doesn’t wash – the ICO has confirmed that [1], and none of the exemptions apply. I have to register.

But if I have to register (and I will, because if I continue to process personal data without a registration I am potentially committing a criminal offence) then so, surely, do the millions of other people throughout the country, and throughout the jurisdiction of the data protection directive, who publish personal data on the internet not solely for recreational purposes – all the citizen bloggers, campaigning tweeters, community facebookers and many, many others…

To single people out would be unfair, so I’m not going to identify individuals who I think potentially fall into these categories, with the following exception. In 2011 Barnet Council was roundly ridiculed for complaining to the ICO about the activities of a blogger who regularly criticised the council and its staff on his blog [2]. The Council asked the ICO to determine whether the blogger in question had failed in his legal obligation to register with the ICO in order to legitimise his processing of personal data. The ICO’s response was

If the ICO were to take the approach of requiring all individuals running a blog to notify as a data controller … it would lead to a situation where the ICO is expected to rule on what is acceptable for one individual to say about another. Requiring all bloggers to register with this office and comply with the parts of the DPA exempted under Section 36 (of the Act) would, in our view, have a hugely disproportionate impact on freedom of expression.

But subsequently, the ICO was taken to task in the High Court on this general stance (but in unrelated proceedings) about being “expected to rule on what is acceptable for one individual to say about another”, with the judge saying

I do not find it possible to reconcile the views on the law expressed [by the ICO] with authoritative statements of the law. The DPA does envisage that the Information Commissioner should consider what it is acceptable for one individual to say about another, because the First Data Protection Principle requires that data should be processed lawfully

And if the ICO now accepts that at least those bloggers (like the one in the Camden case) who are not solely blogging for recreational purposes might be required to register, it possibly indicates a fundamental change.

In response to my last blog post on this subject someone asked “why ruffle feathers?”. But I think this should lead to a societal debate: is it an unacceptable infringement of the principles of freedom of expression for the law to require registration with a state regulator before one can share one’s (non-recreational) views about individuals online? Or is it necessary for this legal restraint to be in place, to seek to protect individuals’ privacy rights?

European data protection reforms propose the removal of the general obligation for a data controller to register with a data protection authority, but in the UK proposals are being made (because of the loss of ICO fee income that would come with this removal) that there be a levy on data controllers.

If such proposals come into effect it is profoundly important that there is indeed a debate about the terms on which the levy is made – or else we could all end up being liable to pay a tax to allow us to talk online.

[1] On a strict reading of the law, and the CJEU judgment in Lindqvist, the distinction between recreational and non-recreational expressions online does not exist, and any online expression about an identifiable individual would constitute processing of personal data. The “recreational” distinction does not exist in the data protection directive, and is solely a domestic provision.

[2] A confession: I joined in the ridicule, but was disabused of my error by the much better-informed Tim Turner. Not that I don’t think the Council’s actions were ill-judged.

Filed under Data Protection, Directive 95/46/EC, Information Commissioner, social media

Green light for spam texters – for now

The ICO has effectively conceded he has no current powers to issue monetary penalties on spam texters.

In June this year the Upper Tribunal dismissed the appeal by the Information Commissioner’s Office (ICO) against the quashing of a £300,000 monetary penalty notice (the MPN) served on spam texter Christopher Niebel. The MPN had been issued pursuant to the ICO’s powers under section 55A of the Data Protection Act 1998 to serve such a notice if there has been a serious contravention of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) of a kind likely to cause substantial damage or substantial distress. The Upper Tribunal held that the First-tier Tribunal had not erred in law in finding that the ICO’s relevant interpretation of “distress” was unsustainable:

the tribunal took issue with the Commissioner’s guidance as to the meaning of “distress” and, in my opinion rightly so. According to that guidance, “Distress is any injury to feelings, harm or anxiety suffered by an individual” (at paragraph [12], emphasis added). The tribunal’s conclusion was that if this “involves the proposition that it is not possible to have ‘any injury to feelings’ which falls short of ‘distress’ then, it seems to us, that the definition is at odds with common experience and with the ordinary use of English [¶60]

As the law required evidence that Niebel’s company’s sending of spam texts had been of a kind likely to cause substantial distress, and as the ICO’s evidence did not match up to this, the MPN had been rightly quashed. Implicitly, the Upper Tribunal was suggesting that further MPNs of this kind would also not be sustainable, and, explicitly, it raised the question of whether, if Parliament wanted to give the ICO powers to financially punish spam texters, a change in the law would be required:

[a] more profitable course of action, is for the statutory test to be revisited…a statutory test that was formulated in terms of e.g. annoyance, inconvenience and/or irritation, rather than “substantial damage or substantial distress”, might well have resulted in a different outcome.

To no real surprise, since the ICO lost this appeal, no further MPNs have been issued for spam texting (some have been served for spam telephone calls). Now the ICO, in a blog post by its Head of Enforcement, Steve Eckersley, has effectively conceded that the result of the Niebel litigation has been to remove its power to serve MPNs for spam texts, saying it had “largely [rendered] our power to issue fines for breaches of PECR involving spam texts redundant”. Eckersley also picks up the call for a law change, confirming that there will be a consultation later this year (whether any of this will see results this side of the general election, however, is another question). This call echoes one made by the Information Commissioner himself, who said in February

We have just got to lower that hurdle because I think if you ask most people they would say silent calls and unsolicited spam texts are one of the great curses of the age – and if the Information Commissioner can’t protect you it’s a poor lookout.

There are, of course, other strings to the ICO’s bow, and Eckersley refers to some of them

we are using our existing powers to hold companies to account and to disrupt their unlawful activities….and we are obtaining undertakings from and issuing enforcement notices, effectively cease-and-desist orders, to companies that breach PECR.

This sounds good, but leaves me rather puzzled: as the ICO has confirmed to me, no enforcement notices have been served, and only one undertaking obtained, against companies or individuals who have sent spam texts in breach of PECR. Enforcement notices are a strong power – breach of one is a criminal offence – and they only require the ICO to consider whether the PECR contravention has caused or is likely to cause any person damage or distress, not “substantial damage or substantial distress”. This lower threshold should make it much more difficult for enforcement to be resisted. Maybe some enforcement notices are on their way? One rather hopes so, because, for the moment, it looks like spam texters have received a green light.

EDITED TO ADD:

Tim Turner points out to me that a conviction for breach of an enforcement notice is not a recordable offence: it will not make its way on to the Police National Computer, and will not therefore generally result in disclosure for, e.g., employment purposes. Tim’s view, and it is a compelling one, is that for a lot of spammers the threat of a minor conviction for breach of a legal notice is not one which is likely to dissuade them from their practice.

Filed under Data Protection, enforcement, Information Commissioner, Information Tribunal, marketing, monetary penalty notice, nuisance calls, PECR, Upper Tribunal

Does your QR code hide personal data?

I remember the first time I saw a demo of a QR code, and being wowed by the potential uses of encoding much larger amounts of information than a conventional barcode. The audience was impressed when the presenter hovered his reader over a code, and was taken to the company website. The mood was rather ruined when someone pointed out that clicking a hyperlink did much the same, and more quickly and consistently (of course, that doesn’t really tell the whole story, but it was a good bubble-pricker). And that, really, is the story of QR codes – they seemed to have a lot of potential, but ultimately they don’t seem to have fulfilled it: their usage outside the advertising industry is low, and they have numerous competing rivals.

But they do potentially hold a lot of information, and they hold it in an encoded format, which means that the information is not immediately apparent to the human eye (that’s the whole idea, I suppose). This was nicely illustrated to me today, when I was alerted to a submission to a government consultation (since, to their credit, suitably edited) by a utilities company, which had included in its response some letters to customers, redacted – for obvious reasons – of the obvious identifying features (names, addresses, etc). What had not been redacted, though, was a QR code next to the name and address on the letter (one presumes that the company uses this as part of a CRM system) and, sure enough, when I scanned the code with my nifty QR code reader (which I haven’t used since I downloaded it for that first demo a few years ago) it revealed precise address coordinates, with postcode. This is personal data of the customer, and it was needlessly disclosed by the company, in contravention of its obligations under the Data Protection Act 1998.

No doubt the person tasked with redacting the letters didn’t know what the QR code contained. And thereby hangs an old and broader issue: as more and more information has been compressed and encoded, human capacity to read and understand – without technological assistance – what that information is has inevitably reduced. I suppose, in some ways, this is really the story of computing.
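The practical lesson of the redaction failure described above is that a release check has to cover every machine-readable channel on the page, not just the text a human reads. The following is an added example, not code from the original post or from the company concerned: a small pre-publication gate that infers the secrets from what the redactor removed from the visible text and then scans the decoded QR payload (and any other payload) for those tokens, for UK postcodes and for coordinate pairs. The `Letter`, `find_leaks` and `safe_to_publish` names are hypothetical, the letter and QR payload are constructed, and decoding the QR image into a string is assumed to have been done already by a barcode reader.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Patterns for identifiers that commonly ride along inside machine-readable
# fields on customer correspondence: UK postcodes and decimal lat/long pairs.
UK_POSTCODE = re.compile(r"\b[A-Z]{1,2}[0-9][A-Z0-9]?\s?[0-9][A-Z]{2}\b")
COORDINATES = re.compile(r"-?\d{1,2}\.\d{3,}\s*,\s*-?\d{1,3}\.\d{3,}")


@dataclass
class Letter:
    """One letter as two kinds of content: the text a human redactor sees, and
    every machine-readable channel on the page (decoded QR payload, barcode
    payload, document metadata), keyed by channel name. Hypothetical type."""
    visible_text: str
    payloads: Dict[str, str] = field(default_factory=dict)


def tokens(text: str) -> Set[str]:
    """Alphanumeric tokens of three or more characters, upper-cased so that
    'Patel' in the letter and 'PATEL' in a payload compare equal."""
    return {t.upper() for t in re.findall(r"[A-Za-z0-9]{3,}", text)}


def removed_tokens(original: Letter, redacted: Letter) -> Set[str]:
    """Infer the secrets from the redactor's own work: whatever tokens vanished
    from the visible text between the original and the redacted copy."""
    return tokens(original.visible_text) - tokens(redacted.visible_text)


def find_leaks(redacted: Letter, secrets: Set[str]) -> Dict[str, List[str]]:
    """Scan every channel of the redacted letter, not only the visible text.
    A channel is reported if it still carries a removed token, a postcode, or
    a coordinate pair. Returns {channel_name: [findings]}."""
    leaks: Dict[str, List[str]] = {}
    channels = {"visible_text": redacted.visible_text, **redacted.payloads}
    for name, content in channels.items():
        findings = sorted(tokens(content) & secrets)
        findings += [f"postcode:{m.group()}" for m in UK_POSTCODE.finditer(content.upper())]
        findings += [f"coordinates:{m.group()}" for m in COORDINATES.finditer(content)]
        if findings:
            leaks[name] = findings
    return leaks


def safe_to_publish(original: Letter, redacted: Letter) -> bool:
    """Release gate: True only when no channel of the redacted copy leaks."""
    return not find_leaks(redacted, removed_tokens(original, redacted))


# Constructed sample (not a real customer): the QR payload is what a barcode
# reader would return for the code printed beside the address block.
ORIGINAL = Letter(
    visible_text="Dear Mrs Patel,\nRe: 14 Example Road, Anytown, ZZ99 3AB\nYour meter reading is due.",
    payloads={"qr": "ACC=1234567;PC=ZZ99 3AB;LOC=51.4852,-0.1234"},
)

# The redactor blacked out the name and address but left the QR image as it was.
REDACTED = Letter(
    visible_text="Dear [REDACTED],\nRe: [REDACTED]\nYour meter reading is due.",
    payloads=dict(ORIGINAL.payloads),
)

if __name__ == "__main__":
    for channel, hits in find_leaks(REDACTED, removed_tokens(ORIGINAL, REDACTED)).items():
        print(f"{channel}: {', '.join(hits)}")
    print("safe to publish:", safe_to_publish(ORIGINAL, REDACTED))
```

Run against the constructed letter, the gate reports the `qr` channel for the postcode tokens the redactor removed, the postcode itself and the coordinate pair, and refuses release; once the QR image is also removed or replaced the same check passes. The design point is that the secrets are derived from the redactor's own edits rather than from a fixed list, so anything they judged sensitive enough to black out is automatically searched for in the channels they could not see.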

Filed under Data Protection