Category Archives: privacy notice

July 14, 2024 · 11:34 am

Based

For reasons I found myself browsing the privacy notices on the websites of some data protection consultancies this morning. In a large number of cases, where they address the situation of a potential client (which is highly likely to be a corporate entity) instructing them, they say/imply that they will process the personal data of people working for that potential client under the lawful basis of “contract”.

As well as this being, er, wrong, it concerns me for a couple of reasons.

First, why it’s wrong.

Article 5(1)(a) of the UK GDPR obliges a controller to process personal data lawfully. Article 6(1) provides a list of bases of which at least one must be met for processing to be lawful. The basis at Article 6(1)(b) is “processing is necessary for the performance of a contract…”.

I fear that many people stop there (in fact, I fear more that they don’t look at the actual law, and merely refer to some template or notes that were wrong in the first place). But there’s a reason I put an ellipsis: the full lawful basis is “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”.

A service contract with a corporate entity does not constitute the sort of contract which is dealt with by Article 6(1)(b).

The reason this really concerns me is that if these consultancies can’t get this fundamental point right in their own documentation, they are presumably advising clients along similar lines.

Such advice might well be negligent. Assuming the consultancies have professional indemnity insurance, it might be affected by matters like this. And there might be notification obligations arising if they become aware of the fact that they’ve given incorrect, and possibly negligent, advice.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, privacy notice, UK GDPR

Tagged as , ,

July 8, 2023 · 9:03 am

ICO guidance on domestic CCTV – more hindrance than help

An article in the Mail on the use of connected doorbells has led me again to one of the oddest pages on the ICO’s website, on the use of domestic CCTV. Odd, because (behoven to the outdated, and frankly somewhat silly, decision of the CJEU in the 2014 Ryneš case) it approaches the issue on the basis that if a camera captures footage outside the curtilage of one’s home, then the home owner cannot avail themselves of the carve-out from the UK GDPR (at Article 2(2)) for “processing of personal data by an individual in the course of a purely personal or household activity”. But the law says nothing at all about the location or visual range of cameras – it is all about the processing purposes.

Also odd is that the ICO goes on to say that people operating CCTV that captures footage beyond their home’s curtilage will be required to comply with data subject rights (such as providing a privacy notice, and responding to access/erasure/stop requests). But, says the ICO, “we probably won’t do anything if people ignore us”:

You can complain to us when a user of domestic CCTV doesn’t follow the rules. We can send a letter asking them to resolve things, eg put up the appropriate signage or respond to data protection requests. 

There is a limited amount of action the ICO can take after this point to make the person comply. It is highly unlikely the ICO will consider it fair or balanced to take enforcement action against a domestic CCTV user.

But oddest of all, the ICO says:

“These rules only apply to fixed cameras. They do not cover roaming cameras, such as drones or dashboard cameras (dashcams) as long as the drone or dashcam is used only for your domestic or household purposes”

I simply don’t understand this distinction between fixed cameras and “roaming” cameras, despite the fact that the ICO states that “data protection law” says this. I’m unaware of any law that provides a basis for the assertion (if anyone knows, please let me know). I would, in fact, be prepared to mount an argument that “roaming” cameras are more, or have the potential to be more, intrusive on others’ rights than fixed cameras.

The Article 2(2) “purely personal or household activity” carve-out is a complex provision, and one that has got the ICO into choppy waters in the past (see the trenchant criticism of Tugendhat J in the “Solicitors from Hell” litigation, at paras 93-101, which considered the similar carve-out under the prior law). There are some very interesting questions and arguments to be considered (especially when the gloss provided by recital 18 is taken into account, with its reference to online personal or household activities also being outwith the material scope of the law). However, the ICO’s guidance here will likely serve only to confuse most householders, and – I suspect – has the potential in some cases to escalate private disputes.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under CCTV, GDPR, Information Commissioner, material scope, privacy notice, surveillance, UK GDPR

Tagged as , , , , ,

July 4, 2023 · 5:56 am

Labour’s Grubby Data Grab

Nine years ago (I’ve been doing this a long time) I wrote about the Labour Party harvesting details by hosting a page inviting people to find out “what baby number” they were in relation to the NHS. At that time, no privacy notice information was given at all. Fast forward to today, and Labour is once again hosting a similar page. This time, there is a bit more explanatory information, but it’s far from reassuring.

As an aside, I note that, when a person inputs their date of birth, what the website does is simply calculate, by reference to broad census data, approximately how many babies would have been born since the NHS started and that birth date. So the idea that this gives a “baby number” is ridiculous from the outset.

In any event, the person is then required to give their first name, email address and postcode.

(There is also an odd option to “find out the baby number” of a relative, or friend, by giving that person’s date of birth. Here, the person completing the form is only required to give their own email address and postcode (not their own first name).)

The person completing the form then has the option to agree or not agree to be kept “updated via email on the latest campaigns, events and opportunities to get involved”. This initially seems acceptable when it comes to compliance with the emarketing rules in the Privacy and Electronic Communications (EC Directive) Regulations 2003, so perhaps an improvement on how things were nine years ago. However, in smaller print, the person is then told that “We may use the information you provide, such as name and postcode, to match the data provided to your electoral register record held on our electoral database, which could inform future communications you receive from us”. So it appears that, even if one declines to receive future emails, the party may still try to match one’s details with those on the electoral register and may still send “future communications” (although query how accurate – or even feasible – this will be: how many Johns, say, potentially live in postcode SK9 5AF?).

This suggests that some sort of profiling is going on, but it is all a bit unclear, and opaque, which are not words that really should be associated with the processing of personal data by a political party. But if one clicks the link to “know more about how we use your information” the first thing one encounters is a cookie banner with no option but to accept cookies (which will, it is said, help the party make its website better). Such a banner is, of course, not lawful, and – if the ICO is to be believed – puts the party at current risk of enforcement action. If, teeth gritted, one clicks through the banner, one is faced with a privacy notice which, dear readers, I think needs to be the subject of a further blog (maybe with a comparative analysis of other parties’ notices). Suffice to say that the Labour Party appears to be doing one heck of a lot of profiling, and “estimation” of political opinions, from a range of statutory and/or public information sources.

For now, the TL;DR of this post is that the “NHS Baby Number” schtick from the Labour Party seems to be as much of a (although maybe a different) grubby data grab as it was nine years ago when I last wrote about it. There’s a lot that the ICO could, and should, do about it, but nothing was done then, and – I fear – nothing will be done now.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under fairness, Information Commissioner, PECR, political parties, privacy notice, profiling

Tagged as , ,

March 12, 2023 · 12:49 pm

Where’s the Tories’ privacy notice? (just don’t mention the footballer)

The Conservative Party, no doubt scrabbling to gather perceived support for its contentious immigration policies and measures is running a web and social media campaign. The web page encourages those visiting it to “back our plan and send a message” to other parties:

Further down the page visitors are invited to “send Labour a message”

Clicking on either of the red buttons in those screenshots results in a pop-up form, on which one can say whether or not one supports the Tory plans (in the screenshot below, I’ve selected “no”)

One is then required to give one’s name, email address and postcode, and there is a tick box against text saying “I agree to the Conservative Party, and the wider Conservative Party, using the information I provide to keep me updated via email about the Party’s campaigns and opportunities to get involved”

There are two things to note.

First, the form appears to submit whether one ticks the “I agree” box or not.

Second, and in any case, none of the links to “how we use your data”, or the “privacy policy”, or the “terms and conditions” works.

So anyone submitting their special category data (information about one’s views on a political party’s policies on immigration is personal data revealing political opinions, and so Article 9 UK GDPR applies) has no idea whatsoever how it will subsequently be processed by the Tories.

I suppose there is an argument that anyone who happens upon this page, and chooses to submit the form, has a good idea what is going on (although that is by no means certain, and people could quite plausibly think that it provides an opportunity to provide views contrary to the Tories’). In any event, it would seem potentially to meet to definition of “plugging” (political lobbying under the guide of research) which ICO deals with in its direct marketing guidance.

Also in any event, the absence of any workable links to privacy notice information means, unavoidably, that the lawfulness of any subsequent processing is vitiated.

It’s the sort of thing I would hope the ICO is alive to (I’ve seen people on social media saying they have complained to ICO). But I won’t hold my breath on that – many years ago I wrote about how such data abuse was rife across the political spectrum – but little if anything has changed.

And finally, the most remarkable thing of all is that I’ve written a whole post on what is a pressing and high-profile issue without once mentioning Gary Lineker.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Information Commissioner, marketing, PECR, privacy notice, social media, spam, UK GDPR

Tagged as , , , ,

February 22, 2023 · 8:24 am

Monitoring of lawyers by the state

In the Commons on Monday Robert Jenrick, minister for immigration, said, in the context of a debate on the implications of the violent disorder outside a hotel providing refuge for asylum seekers, in Knowsley on 10 February, and in answer to a question about why no “small boats bill” has been introduced into Parliament

this is one of the most litigious areas of public life. It is an area where, I am afraid, human rights lawyers abuse and exploit our laws at times, and where the courts have taken an expansive approach in the past. That is why we must get this right, but we will be bringing forward that legislation very soon

When pressed on his reference to abuse of the law by lawyers, and asked “how many solicitors, advocates and barristers have been reported by the Home Office in the last 12 months to the regulatory authorities”, Mr Jenrick replied

We are monitoring the activities, as it so happens, of a small number of legal practitioners, but it is not appropriate for me to discuss that here.

This is a remarkable statement, both in its lack of detail and in its potential effect. The prospect of the monitoring of lawyers by the state carries chilling implications. It may well be that Mr Jenrick had no intention of making what could be interpreted as an oppressive statement, but words are important, and words said in Parliament carry particular weight.

It may also be that the “monitoring” in question consists of legitimate investigation into potential criminality by that “small number” of lawyers, but if that was the case, why not say so?

But “monitoring”, in itself, must be done in accordance with the law. If it is in the context of a criminal investigation, or surveillance, there are specific laws which may apply.

And to the extent that it involves the processing of personal data of the lawyers in question (which, inevitably, it surely must, when one considers that “processing” means, among other things “collection, recording, organisation, structuring or storage” performed on personal data) the monitoring must comply with applicable data protection laws).

As a fundamental general principle, processing of personal data must be transparent (see Articles 5(1)(a), 13 and 14 UK GDPR, or, for law enforcement processing, section 44 of the Data Protection Act 2018 (DPA), or, for Intelligence Services Processing, section 93 of the DPA.

There are qualifications to and exemptions from this general principle, but, in the absence of circumstances providing such an exemption, a data subject (here, the lawyers who are apparently being monitored) should be made aware of the processing. The information they should receive includes, among other things: the identity and the contact details of the person directing the processing; the legal basis and the purposes of the processing, and; the recipients or categories of recipients of the personal data.

We tend to call the notices we receive under these provisions “privacy notices”. Those of us who have practised data protection law for a long time will remember the term “fair processing notice” which is arguably a better term. Whatever one calls them, though, such notices are a bedrock of the law – without being aware of the processing, and the risks, rules, safeguards and rights in relation to it, data subjects cannot properly exercise their rights.

With all that in mind, has the Home Office – or whoever it is who is directing the monitoring of the “small number of lawyers” – informed them that they are being monitored? If not, why not?

Returning to my earlier comments about the oppressiveness of comments to the effect that, or the giving of a perception that, the coercive powers of the state are being deployed against lawyers by monitoring them, one wonders if the Information Commissioner should take steps to investigate the background to Mr Jenrick’s comments.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Data Protection Act 2018, Home Office, human rights, Information Commissioner, law enforcement, monitoring, privacy notice, surveillance, transparency

Tagged as , , , ,

June 1, 2021 · 9:33 am

ICO not compliant with post-Schrems II data protection law?

In which I finally receive a reply to my complaint about ICO’s Facebook page.

The issue of the transfer of personal data to the US has been the subject of much debate and much litigation. In 2015 the Court of Justice of the European Union (CJEU) struck down one of the then key legal mechanisms (“Safe Harbor”) for doing so. And in 2020 the CJEU did so with its successor, “Privacy Shield”. Both cases were initiated by complaints by lawyer and activist Max Schrems, and focused on the transfer of data from the EU to the US by Facebook.

Put simply, European data protection law, in the form of the GDPR and (as we must now talk about the UK in separate terms) UK data protection law, in the form of UKGDPR, outlaw the transfer of personal data to the US (or any other third country), unless the level of protection the data would receive in the EU, or the UK, is “not undermined” (see Chapter V of and recital 101 of GDPR/UKGDPR).

In “Schrems II” – the 2020 case – the CJEU not only struck down Privacy Shield – it effectively also laid down rules which needed to be followed if the alternative mechanisms, for instance using “standard contractual clauses” were to be used for transfers of personal data. Following the judgment, the European Data Protection Board (EDPB) issued guidance in the form of FAQs, which recommended an “assessment, taking into account the circumstances of the transfers, and supplementary measures you could put in place”. The EDPB guidance was subsequently endorsed by the UK’s own Information Commissioner’s Office (ICO)

The EDPB has recommended that you must conduct a risk assessment as to whether SCCs provide enough protection within the local legal framework, whether the transfer is to the US or elsewhere

What struck me as odd in all this is that the ICO themselves have a Facebook page. Given that Facebook’s own data governance arrangements involve the transfer of EU and UK users’ data to the US, and given that ICO don’t just operate their page as a newsletter, but actively encourage users to comment and interact on their page, it seemed to me that ICO were enabling the transfer of personal data by Facebook to the US. But even further than that, another CJEU judgment has previously made clear that operators of corporate Facebook pages may well function as a controller under the GDPR/UKGDPR, where they set parameters on the page. The Wirtschaftsakademie case held that – in the case of someone operating a “fan page”

While the mere fact of making use of a social network such as Facebook does not make a Facebook user a controller jointly responsible for the processing of personal data by that network, it must be stated, on the other hand, that the administrator of a fan page hosted on Facebook, by creating such a page, gives Facebook the opportunity to place cookies on the computer or other device of a person visiting its fan page, whether or not that person has a Facebook account.

By extension, it seemed to me, the ICO were in this position with their page.

So I put the point to them. After four months, and some chasing, I received a reply which not only confirmed my understanding that they are, and accept that they are, a controller, but that, nearly a year on from the Schrems II decision, they have not finished reviewing their position and have not updated their privacy notice to reflect their controller status in respect of their Facebook processing. (They also say that their legal basis for processing is “Article 6 (1) (e) of UK GDPR, public task” because “as a regulator we have a responsibility to promote good practice and engage with the public at large about data protection issues via commonly used platforms”, but I’d observe that they fail to give any attention to the proportionality test that reliance on this condition requires, and fail to point to the justification in domestic law, as required by Article 6.)

What the ICO response doesn’t do is actually respond to me as a data subject in respect of my complaint nor explain how they are complying with the international data transfer provisions of Chapter V of the GDPR/UKGDPR, and whether they have conducted any sort of transfer impact assessment (one presumes not).

As I said in my original complaint to ICO, I am aware that I might be seen as being mischievous, and I’m also aware I might be seen as having walked ICO into a trap. Maybe I am, and maybe I have, but there’s also a very serious point to be made. The cost to UK business of the Schrems II decision has been enormous, in terms of the legal advice sought, the internal governance reviews and risk assessments undertaken, and the negotiating or novation of contracts. At the same time the business and legal uncertainty is significant, with many wondering about their exposure to legal claims but also (and especially) to regulatory enforcement. If, though, the regulator is not complying with the relevant law, ten months on from the judgment (and five months on from my raising it with them as a concern) then what are controllers meant to do? And where do they turn to for guidance on the regulatory approach?

THE ICO RESPONSE

Firstly, it may be helpful to explain that following the findings of the CJEU in Wirtschaftsakademie, we started a review of the transparency information we provide to visitors of the page. The review was delayed when Schrems11 decision was issued as we needed to consider the impact of the judgement on any transfer element to the US.

We agree that as the Facebook page administrator, we are processing personal data of the visitors of our page and therefore we are controllers for this information. We process the names of the users as they appear on their Facebook profiles and any personal data they may share through their comments on our posts or via messages to us. We process this information in reliance on Article 6 (1) (e) of UK GDPR, public task. We consider that, as a regulator we have a responsibility to promote good practice and engage with the public at large about data protection issues via commonly used platforms.

For the cookies and similar technologies, Facebook is responsible for setting the cookies, when you visit our Facebook page.

We also receive anonymous information from Facebook in the form of aggregate statistics of all those who visit our page, regardless of whether they have a Facebook account or not. In line with the findings of the CJEU in Wirtschaftsakademie we are joint controllers with Facebook for this information. We process this information under Article 6 (1) (e) as well. The Insights include information on page viewings, likes, sharing of posts, age range, the device used and how it was accessed and breakdown of demographics. All Insights are received from Facebook by the ICO in aggregate format. Our PN will updated shortly to reflect the above information.

Like other regulators, the ICO is currently reviewing its position on international transfers following the judgment in Schrems II. As part of that review, it will, amongst other things, consider the questions that you have raised about the ICO’s use of Facebook. The ICO intends to publish its guidance on how UK organisations should address the question of international transfers, in due course, and will act in accordance with its guidance. That work is still in progress, and it will be published in due course.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under adequacy, data sharing, EDPB, facebook, GDPR, Information Commissioner, international transfers, privacy notice, privacy shield, safe harbor, Schrems II, UK GDPR

Tagged as , ,

April 5, 2019 · 1:09 pm

ICO hasn’t given own staff a GDPR privacy notice

The first principle of GDPR says that personal data shall be processed in a transparent manner. Articles 13 and 14 give details of what information should be provided to data subjects to comply with that principle (and that information should be provided at the time it is collected (if it is collected directly from the data subject)).

As the Information Commissioner’s Office (ICO) says

Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR. [emphasis added]

and

Getting the right to be informed correct can help you to comply with other aspects of the GDPR and build trust with people, but getting it wrong can leave you open to fines and lead to reputational damage

If you read the ICO’s Guide to GDPR, it is largely predicated on the understanding that privacy notices will be made available to data subjects, effectively as a prerequisite to overall compliance.

So, one thing a data controller must – surely – prioritise (and have prioritised, in advance of GDPR becoming applicable in May 2018) is the preparation and giving of appropriate privacy notices, including to its own employees.

With that in mind, I was interested surprised astounded well-and-truly-gobsmacked to see an admission, on the “WhatDoTheyKnow” website, that the ICO itself has – almost a year on from GDPR’s start – not yet prepared, let alone given, its own staff a GDPR privacy notice

I can confirm we do not currently hold the information you have requested. The privacy notice for ICO employees is currently under construction.

As getting the right to be informed wrong can leave one open to fines (as well as reputational damage), one wonders if ICO is considering fining itself for this fundamental infringement of a fundamental right?

The views in this post (and indeed all posts on this blog, unless they indicate otherwise) are my personal ones, and do not represent the views of any organisation I am involved with.

10 Comments

Filed under Data Protection, fairness, GDPR, Information Commissioner, privacy notice, transparency

Tagged as , , ,

August 14, 2015 · 7:05 am

Zero rating for fairness

It’s a long time since I took a flight, but when I used to do so, I too would have the experience, when purchasing items in airport shops, of being asked to produce my boarding pass and having it scanned by the retailer. I now know that the reason for this is, contrary to my assumptions, nothing to do with security, and everything to do with the retailer’s VAT pricing structure

I don’t particularly object to the practice itself, but what does concern me, from a privacy and data protection perspective, is the lack of information traditionally given to passengers about the reason for it, and what happens with the information gathered.

The third data protection principle, in Schedule 1 of the Data Protection Act 1998 (DPA) states, in relevant part, that personal data should be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed. Is the processing by retailers compliant with their obligations under this principle?When retailers scan boarding passes they will be at least potentially collecting (“processing”) passengers’ names, flight numbers and travel destination. The last is the purpose of the exercise: if the passenger is travelling outside the European Union the purchase is zero-rates for the purposes of VAT. But is it necessary therefore to collect all the boarding pass data? Well, HMRC guidance suggests that it is:

Information from the boarding cards or travel documents presented by entitled passengers should be retained by retailers as part of their export evidence.

This suggests that, in order to satisfy any HMRC inspector that zero-rated purchases have been made legitimately, proof of the details of the purchase will need to be retained and provided. 

If that is the case then there’s a good argument that retailers could satisfy the requirements of the third DPA principle. But there is a more fundamental requirement, in the first Schedule One principle, to process personal data fairly, and fairness will not be achieved unless

in the case of data obtained from the data subject, the data controller ensures so far as practicable that the data subject has, is provided with, or has made readily available to him… [inter alia]…the purpose or purposes for which the data are intended to be processed

And there we are back to the start of this post: I didn’t know what the purpose was of scanning my boarding pass, and it’s very clear from the recent media coverage of the issue that many, probably most, passengers didn’t or don’t realise. In my view this, coupled with the retention of the data for HMRC purposes, renders the processing unfair and unlawful. Whether the relevant data controller is the retailer, who does the act, or HMRC, who appear to require it, is another question (it’s probable that they are acting as joint data controllers) but I think the Information Commissioner’s Office should take a look.

(Thanks to Rich Greenhill for pointing out the HMRC guidance).

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Information Commissioner, privacy notice

May 1, 2015 · 6:52 am

Shameless

Only very recently I wrote about how the Liberal Democrats had been found by the Information Commissioner’s Officer (ICO) to have been in breach of their obligations under anti-spam laws (or, correctly, the ICO had determined it was “unlikely” the Lib Dems had complied with the law). This was because they had sent me unsolicited emails promoting their party without my consent, in contravention of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). The ICO told me that “we have written to the organisation to remind them of their obligations under the PECR and ensure that valid consent is obtained from individuals”.

Well, the reminder hasn’t worked: today I went on the Lib Dem site and noticed the invitation to agree that “The NHS needs an extra £8bn”. Who could disagree? There was a box to enter my email address and “back our campaign”. Which campaign did they mean? Who knows? I assumed the campaign to promote NHS funding, but there was no privacy notice at all (at least on the mobile site). I entered an email address, because I certainly agree with a campaign that the NHS needs an extra £8bn pounds, but what I certainly didn’t do was consent to receive email marketing.

Untitled

But of course I did…within eight hours I received an email from someone called Olly Grender asking me to donate to the Lib Dems. Why on earth would I want to do that? And a few hours later I got an email from Nick Clegg himself, reiterating Olly’s message. Both emails were manifestly, shamelessly, sent in contravention of PECR, only a couple of weeks after the ICO assured me they were going to “remind” the Lib Dems of the law.

Surely the lesson is the same one the cynics have told us over the years – don’t believe what politicians tell you.

And of course, only this week there was a further example, with the notorious Telegraph “business leaders” letter. The open letter published by the paper, purporting to come from 5000 small business owners, had in fact been written by Conservative Campaign Headquarters, and signatories  were merely people who had filled in a form on the Conservative party website agreeing to sign the letter but who were informed in a privacy notice that “We will not share your details with anyone outside the Conservative Party”. But share they did, and so it was that multiple duplicate signatories, and signatories who were by no means small business owners, found their way into the public domain. Whether any of them will complain to the ICO will probably determine the extent to which this might have been a contravention, not of PECR (this wasn’t unsolicited marketing), but of the Data Protection Act 1998, and the Conservatives’ obligation to process personal data fairly and lawfully. But whatever the outcome, it’s another example of the abuse of web forms, and the harvesting of email addresses, for the promotion of party political aims.

I will be referring the Lib Dems matter back to the ICO, and inviting them again (they declined last time) to take enforcement action for repeat and apparently deliberate, or reckless, contraventions of their legal obligations under PECR.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

1 Comment

Filed under consent, Data Protection, Information Commissioner, marketing, PECR, privacy notice, spam

Tagged as , ,

February 6, 2015 · 3:35 pm

Labour’s “HowManyOfMe” – legitimate use of the electoral register?

Is Labour’s shiny new web widget “HowManyOfMe” compliant with the party’s obligations under electoral and ePrivacy law?

Regulations 102 and 106 of the Representation of the People (England and Wales) Regulations 2001 (as amended)mean that registered political parties can apply for a copy of the full electoral register, but they can only supply, disclose or make use of the information therein for “electoral purposes”. As far as I can see “electoral purposes” is nowhere defined, and, accordingly, I suspect it permits relatively broad interpretation, but, nevertheless, it clearly limits the use to which a political party can make use of electoral registration information.

With this in mind, it is worth considering whether the apparent use of such information by the Labour Party, in a new website widget, is a use which can be described as “for electoral purposes”. The widget in question invites people to submit their name (or indeed anyone else’s), email address and postcode and it will tell you how many voters in the country have that name. Thus, I find that there are 393 voters who have the name “Christopher Graham”. The widget then encourages users to register to vote. In small print underneath it says

in case you’re interested, this tool uses an aggregate figure from the electoral register and we’ve taken steps to protect the privacy of individuals

Well, I am interested. I’m interested to know whether this use of the electoral register is purely for electoral purposes. If it is, if its purpose is to encourage people to register to vote, then why does it need an email address? The widget goes on to say

The Labour Party and its elected representatives may contact you about issues we think you may be interested in or with campaign updates. You may unsubscribe at any point. You can see our privacy policy here.

But if they are using the electoral register to encourage people to give up email addresses which may then receive political marketing, surely this is stretching the use of “for electoral purposes” too far? Moreover, and despite the small print privacy notice, and the almost-hidden link to a generic privacy policy, any emails received by individuals will be likely to be sent in contravention of Labour’s obligations under The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), which give effect to the UK’s obligations under Directive 2002/58/EC. This is because regulation 22 of PECR prohibits, in terms, the sending of electronic direct marketing (and promotion of a political party constitutes such marketing) without the prior consent of the recipient. Consent, the Directive tells us, must be “a freely given specific and informed indication of the user’s wishes”.  A vague description, as the widget here gives us, of what may happen if one submits an email address, and a statement about unsubscribing, do not legitimise any subsequent sending of direct marketing.

The email address I used is one I reserve for catching spammers; I’ve not received anything yet, but I expect to do so. I would be prepared to argue that any email I receive cannot be said to relate to the electoral purpose which permit use of the electoral register, and will be sent in contravention of PECR.  As I said recently, one of the key battlegrounds in the 2015 general election will be online, and unless action is taken to restrain abuse of people’s personal information, things will get nasty.

1The legislation.gov.uk doesn’t provide updated (“consolidated”) versions of secondary legislation, so there’s no point in linking to their version of the regulations.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

4 Comments

Filed under consent, Data Protection, marketing, PECR, privacy notice

Tagged as , ,