We don’t hold your data! (well… not for long anyway).

Dear Sir or Madam:

I recently received a mailing from you.

I’d like you to send me a copy of the personal data you hold on me.

I am particularly interested in where you obtained my name and address from.

The numbers on your mailing are

8666U501J01101

XA4416175

I’d like you to explain what these mean.

Regards etc

Dear Mr xxxx

Thank you for your email. Firstly, we can confirm that we do not have any of your personal data on our records of any kind.

The recent Christmas appeal which you received, was sent out as part of our Christmas campaign. During this campaign, we purchased some contact details from a third party supplier for temporary use – these details are not stored on our database and are no longer in our possession.

In this instance, your details were selected for The Christmas Appeal – which also includes a Christmas appeal reminder which you are likely to receive in the next 2-3 weeks, and, unfortunately, as the mailings are selected far in advance, it is not currently possible to prevent this mailing from being sent. Please accept our sincere apologies for any inconvenience this may cause you. However, we confirm that we do not hold any of your data on our database.

The DM code you have listed below indicates that your details were temporarily given to us for a one-off use.

The XA code you supplied is your reference number; it is not stored on our own system in any way.

What a great reply! We don’t have any data on you; we did have a while ago to send you an unsolicited letter but it was only held temporarily and besides we bought it from someone else. We’ve checked the reference numbers you gave us even though we don’t have them on our systems.

And we won’t be processing your data while we hang onto it for 2 to 3 weeks so we can send you a reminder about the unsolicited begging letter we just sent.

Am I the only person who finds this unacceptable? Or is this the norm for the charity sector? Just for clarity, the Data Protection Act 1998 definition (reproduced in ICO guidance) says

“Processing in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data”

So that’s at least three processing operations – obtaining, mailing and holding. Maybe even destruction, if in fact they do delete it (next Christmas will tell me). The Act gives no exemption for ‘temporary’ processing.

When Christmas (the season of good cheer and peace to all data subjects) arrives, is it part of the festive spirit (or even lawful?!) to buy a wodge of names and addresses that you have no relationship with and then mail them two (count them) begging letters; and when someone makes a subject access request say, “We do not hold any data on you – we did last week but it’s disappeared. We might hold it again in a week or two but only for a short time and then it will disappear again.”

This organisation is a good organisation. I support their aims and like listening to their brass bands outside supermarkets in the run up to Christmas, but I find their marketing activities dubious. It may just affect my giving to them this year.

The Investigatory Powers Bill: Implications for Local Authorities

The government’s controversial Draft Investigatory Powers Bill was published in early November. Amongst other things, the Bill:

  • Requires web and phone companies to store records of websites visited by every citizen for 12 months for access by police, security services and some public bodies.
  • Makes explicit in law for the first time the Security Services’ powers for the bulk collection of large volumes of personal communications data.
  • Makes explicit in law for the first time the powers of the Security Services and police to hack into and bug computers and phones. It also places new legal obligations on companies to assist in these operations to bypass encryption.
  • Requires internet and phone companies to maintain “permanent capabilities” to intercept and collect the personal data passing over their networks. They will also be under a wider power to assist the security services and the police in the interests of national security.

Much has been written about the civil liberties implications of the new Bill, dubbed “the Snoopers’ Charter.” It has been criticised by the United Nations, the Opposition and civil liberties groups.

A Committee has been formed to consider the key issues raised by the Bill, including whether the powers sought are necessary, whether they are legal and whether they are workable and clearly defined. The Committee is now inviting written evidence, to be received by 21st December 2015 (call for evidence).

Some of the questions the Committee are inviting evidence on include:

  • To what extent is it necessary for the security and intelligence services and law enforcement to have access to investigatory powers such as those contained in the draft Bill?
  • Are there sufficient operational justifications for undertaking targeted and bulk interception, and are the proposed authorisation processes for such interception activities appropriate and workable?
  • Should the security and intelligence services have access to powers that allow them to undertake targeted and bulk equipment interference? Should law enforcement also have access to such powers?

The Committee is due to report back by February 2016.

What will the effect be of the Investigatory Powers Bill on local authorities? Is it true that councils will be given powers to view citizens’ internet history (according to the Telegraph)? The answer is no.

Sam Lincoln has written an in-depth analysis of the bill, detailing and dissecting its various points. Please take a look here.

Sam has designed our RIPA E-Learning Package which is an interactive online learning tool, ideal for those who need a RIPA refresher before an OSC inspection. Our 2016 RIPA workshops will include an update on the Bill.

SMILE! You’re on our Mailing List!

Charity envelope time again.  And yet again another organisation I had no relationship with at all. This time it was a big one with offices in…are you ready…

UK, USA, India, China, Philippines, Latin America, Mexico, Brazil, Africa, Indonesia, Vietnam, Middle East & North Africa and Bangladesh.

Surprisingly in all these locations they couldn’t find a data protection expert to run his eye over their Privacy Policy. This is puzzling as you can find good information about their accounts and activities quite easily on the web. (£7m donations in 2014 and over 125,000 children helped all over the world). They look like they’re doing a good job except for the unsolicited mailing that dropped through my door today.

They sent 2 full colour glossy A4 double sided leaflets. 10 sticky gift tags to attach to Xmas presents, an A5 double sided full colour leaflet, an eight page A6 booklet about their work, a donation form to return and an envelope. If they’d not spent their money on these pieces of coloured paper, 2 of which were customised to say my name and address they might have had more in the kitty to help the children they featured in their leaflets. Nowhere on any of these pieces of paper is there a mention of the Data Protection Act. Nor is there a phone number so I could tell them quickly I didn’t want their unsolicited mailing. Presumably their marketing expert advised them not to offer this simple mechanism of objecting as it might result in people using it. So I found their website and had a look.

After a while I found their Privacy Policy. It was extensive and told me a lot about the cookies it used. No mention of the Data Protection Act again. Some of the interesting sections were

  1. Your acceptance of this policy

By using our site, you consent to the collection and use of information by XXXXXXX in accordance with our Privacy Policy. If you do not agree to this Policy, please do not use our site. In order to fully understand your rights we encourage you to read this Privacy Policy.

(Mmm a good one to start with. You have to use the site to find the policy before you can read it, but by using the site you have already agreed with their policy even though you haven’t read it, which they want you to do).

  2. Changes to this privacy policy

XXXXXXXX reserves the right at any time and without notice to change this Privacy Policy simply by posting such changes on our site. Any such change will be effective immediately upon posting. Your subsequent use of this website after we have made changes to this policy (including the submission of information on our donation form) will be deemed to signify your acceptance of any variations that we make.

(So when they change something and before you find out about the changes by reading their policy you have already agreed to the changes you haven’t yet read about).

3. Sharing your information with third parties

From time to time, XXXXXX allows other worthy organisations to send communications to our donors via direct mail.  We carefully screen these organisations to ensure their services may be of interest to our supporters. If you do not wish to hear from these organisations, please let us know by contacting us. 

(Wow, what a good one. Firstly that great phrase “from time to time”. I thought this had died out but here it is again, and what it really means is “whenever we feel like it”. The following few words show the staggering arrogance of the organisation. We ALLOW other worthy organisations to send communications to OUR donors. Despite the fact that there is a law that prohibits this, they ALLOW it, and the donors aren’t free-thinking individuals – they belong to the organisation, and the organisation can do what it wants with their personal data. Did the Slavery Abolition Act of 1833 have a clause in it exempting charities? Er… no. And there’s more – what is a worthy organisation? One that helps children? One that only uses recycled paper? One that pays its directors in bitcoins? We have no idea what this cute little phrase means. It implies that Data Controllers don’t have to bother with Principle 2 if you’re passing data to ‘worthy’ organisations.

It gets worse. The last element is giving you the right to write to them and object to receiving communications from what they think are worthy organisations that have been through a screening process although you don’t know much about their screening methods if they do in fact exist, and ended up on a list of organisations they sell your data to but which they may not keep).

It seems they are relying on the mythical but desirable exemption in the Act that says Charities are completely exempt from the DPA and also it seems exempt from writing simple Privacy Policies in Plain English.

Read more about how EU Data Protection Regulation will change the DP landscape. Attend our full day workshop.


Sainsbury’s and Data Protection – They have your number (and it’s not on your nectar card).

It shocked me on Sunday morning (a few months ago) when driving into our local Sainsbury’s car park. Through bleary eyes I suddenly saw my registration number flash up on a display in front of me. It also said my 2 hours of free parking would end in precisely 1 hour and 59 minutes. After parking and doing a bit of investigating I found that they’d fitted cameras at the only entrance (which was also the exit) so they could snap you on the way in and on the way out and thereby obtain evidence (or not) of your length of stay. This isn’t new. Many car parks have been doing this for years but it does raise a few issues.

Filming and collecting personal data is OK as long as a Schedule 2 condition of the Data Protection Act is fulfilled. (I suppose, going off on one for a moment, that filming at a hospital car park might require a Schedule 3 condition, but that’s an argument for another day). The simplest Schedule 2 condition is consent, as the other five require a ‘necessary’ element. Do Sainsbury’s have your consent? Did you know that filming was going to happen before you attempted to enter their car park, or did it only register when your number plate was staring back at you? If you were filmed before you knew you’d been filmed, consent is out of the window.

Once inside the car park you could see signs that told you more about the filming. Looks good to start with but the small print really is small and is also 8 feet up in the air (that old joke again!). I couldn’t actually read the small print. Basic fact remains that the Fair Processing Notice whatever the quality of it was only available after the processing took place.

So far we’ve missed out on an obvious Schedule 2 condition and missed the fair processing element of Principle One. What else could go wrong? If the sensible Sainsbury’s shoppers don’t overstay their welcome they won’t be troubled by a bit of DPA non-compliance. But if they do go over their limit will Sainsbury’s do nothing or will they take the registration number they acquired unlawfully and unfairly and further process it by finding out more personal data about the driver and sending him/her a penalty notice?

It may be that they’ve explained all this very well somewhere, but as an everyday shopper in a rush I didn’t see it. It may also be that holding information about a car, and then its keeper and their address, is proportionate if by so doing they allow you to stay a couple of minutes extra checking out the different brands of Prosecco, but it could also be argued that it is not. A recent court judgment about parking is interesting:

https://www.supremecourt.uk/cases/docs/uksc-2013-0280-judgment.pdf

It seems to come down in favour of disproportionate penalties for parking, and as it is a Supreme Court judgment there is no further domestic appeal; the current climate is not very temperate.

The fact remains that Sainsbury’s have obtained your car’s number plate without giving you fair warning and are holding it and probably further processing it.

The old joke? What lies on its back 8 feet up in the air.

Answer: A dead spider!

The Act Now Data Protection Practitioner Certificate is a qualification designed to give candidates a head start in understanding and implementing the proposed EU Data Protection Regulation.

Jumping on the charity bashing gravy train.

Returned from holiday to a mountain of mail. Usually this is good fun but recently it’s turned into a nightmare of more and more charity mailings. First off today was British Heart Foundation. A good cause and I walk voluntarily into their charity shops regularly to find bargains and do my bit. But because of recent publicity about charity mailings I took a hard line. I rang them up and asked to be taken off their mailing list. The operator was polite and efficient. She asked for the code next to my address beginning 52A so she could add me to their suppression list but when I quoted it she said I wasn’t actually on their mailing list. Strange – I am looking at a letter addressed to me at my address asking for money from BHF.

She was quick to explain however that it was a one-off mailing using data supplied by a third party, so they didn’t actually process my name and address. They just used it. I trotted out the well-worn definition of processing that all BCS certificate holders know and she did admit that it looked as if they were processing after all. I asked who the third party was and it turned out to be Senior Railcard.

(as an aside these are managed by ATOC Ltd which manages the contract for the issue and use of the Senior Railcard on behalf of the Train Companies. Reference to a ‘Train Company’ or the ‘Train Companies’ means those Train Companies which, pursuant to a franchise agreement, operate Passenger Railway Services in Great Britain. Their website has a cookie policy but no privacy policy. Nowhere on their website do they assure you that they will only use your personal data to supply you with a senior railcard. Nowhere do they inform you that they will pass it on to anyone else.)

To be honest it wasn’t Senior Railcard who gave my details to BHF, it was Media Lab Group; BHF told me this at the same time they told me about Senior Railcard.

Media Lab has a website where it says

“The media landscape may have changed, but the need for data hasn’t. That’s why at Medialab, we live and breathe data. It’s at the centre of everything we do. Our data-driven approach allows us to develop successful multi-channel media plans that are built on econometric analysis, innovation and a passion for our clients’ results. As a leading integrated direct response agency, we plan campaigns for the UK’s leading brands including National Trust, Post Office and Macmillan.”

Bizarrely for a data-driven company, they don’t have a privacy policy either. They were the company that gave my data to BHF. They got it from ATOC. I’m not sure how the transfer of data was made or whether money changed hands. We just don’t know. But I thought when I bought my Senior Railcard that my personal data would only be used for me to get cheap rail fares, not to solicit donations to heart charities or end up in the hands of list brokers.

The efficient BHF operator said she couldn’t delete me from their mailing list as I wasn’t actually on it. The list really belonged to Media Lab Group. They only used it to mail me. (Did someone at the back say Data Processor agreement and breach of Principle 7?).

However she had a solution to my predicament. She would add me to their database and immediately add me to their suppression list. Brilliant.

Next Alzheimers. Not as we first thought the Alzheimers Society (See comments) but another organisation working in this sector.

They also asked for money (or any donation will do) and they did have a privacy policy and also an undertaking issued by the ICO. They also gave me my Supporter reference number, which was why they were contacting me. A year ago I filled in an online quiz to see if I was presenting any of the symptoms of dementia. At no time before, during or after the quiz did they give me any indication they would tap me up for money, nor was I asked if I wanted to become a supporter of theirs.

I rang them up to ask them to remove me from their mailing list but not a lot happened. When I say not a lot, there was a recorded message saying “we apologise for the delay”, then there was silence for the next 10 minutes, at which point I gave up. They could have whistled a tune or even played a song but nothing. It was as if they had forgotten to answer or they were hoping (like Doc Martin) that I had no patience.

They were right so I used the system they provided to communicate with them.  This time they supplied an SAE and a form where I could inform them of my preferences so I did. They’d used a jocular style to contact me without my consent so I replied in the same vein.

Only 20 more charity letters to deal with… How I hate coming home from holidays.

Requesting Your Permission

I received an email last week. It was from someone I’d never heard of.

Translating this into PECR speak

We have a list of emails. We don’t think we have your consent to email you which would lead to us breaching PECR so we’re writing to ask for your permission which in itself is breach of PECR. By putting Request for Permission in the subject line we’re hoping you’ll think we know what we’re doing and that we’re a nice company.

I asked them by email to tell me where they obtained my email. A week later they hadn’t replied. I know a week is a long time in politics but a week is a light year in emails.

I upgraded my request to a Subject Access Request and suggested they pass my request to their DPO. Less than 3 hours later I had a reply which appeared to come from near the top.

Dear Sir

Thank you very much for your email and for reaching out to us with regard to our recent emails to you. We have carried out an investigation into your complaint as we take this type of matter very seriously.

As per your inquiry, we have recently acquired a new supplier called “Latest Mailing Database” (latestdatabase.com) who provided us with a list of customers’ email addresses interested in travel. They have contractually reassured us that those listed have expressed their consent to be contacted by selected third party partners for marketing purposes.

Upon receiving your inquiry, we have realised that the reassurances we received from this company are in question. While we investigate this further, we have ceased the use of the mailing list they provided and all the e-mails, including yours, have now been deleted from our databases.

We apologise for any inconvenience caused.

Best regards,

Spiros XXXXXXX

Head of International Marketing and Business Development

At least I received a reply but the phrase “They have contractually reassured us that those listed have expressed their consent to be contacted by selected third party partners for marketing purposes” started to worry me. Also a list of people who are interested in travel. Isn’t that a list of everyone in the world? We all travel. Now if they’d asked for a list of those interested in sex and travel we’d have a snappy answer.

Globehunters have a privacy policy which looks pretty good. Just for fun I looked up their company name and their postcode on the ICO Register of Data Controllers. The ICO doesn’t have any record of their name and there are only 2 notifications from their postcode both from the next door building.

I couldn’t resist looking at their source for the emails.

http://www.latestdatabase.com A quick scan through showed their address was Majira Bypass Sajahanpur, Bogra, Bangladesh and they sold email lists. Google maps zeroes in rapidly on a company called seoexparte. A touching review of the company is available.

They had a privacy policy too. http://www.latestdatabase.com/privacy-security-policy/ which was last updated in 2009.

Their UK customer list boasted 2 million records for just $300.

Listing Include (sic):
* Frist Name (sic)
* Last Name
* Age
* address
* Email Address
* Ip address
* Phone number

They also have a blog (http://www.latestdatabase.com/appearance-adele-gaga/) and although it would be churlish to mock their poor English, if they’re operating in a global marketplace and contractually assuring their customers of the quality of their product it might be a good idea to use a spell checker.

They also seem to run http://emailmarketinglists.bloggets.net. And http://buyemaillists.yolasite.com/contact.php and https://emaillistsforsales.wordpress.com and http://mailinglsit.over-blog.com and http://issuu.com/emaillistsforsale and I gave up at this point.

So where are we now? For £190 a start-up company has bought 2 million customer emails. This means that my email is worth about 1/100th of a penny. When prodded they realise that they may have bought in a dodgy list, so they apologise and take my name off their list. A good response, but no mention of my Subject Access Request, no Notification for their business, and a lead to a major list seller who may just not check their lists that well.

All in a day’s work for a PECR vigilante. I’ll see if Spiros comes back.

Act Now Training is one of the UK’s leading providers of seminars and workshops on all aspects of Data Protection, Freedom of Information, Surveillance Law and Records Management. More details www.actnow.org.uk

And so, the end is near, and now we face, the final curtain… or do we?

In case you missed it, over the last week or so it has been confirmed that the Council of the European Union (the Council of Ministers) has agreed a text of the Draft EU Data Protection Regulation. You would think that would be the final stage, but alas no. Instead this version now goes back to the Commission and Parliament for trilogue discussion and agreement. This really is the final stage of the legislative process, in which the Council, the EU Parliament and the EU Commission negotiate on this document to agree a final text that can become law (promise… it really is the last stage).

However, in typical governmental fashion of not being able to do anything smoothly, two versions were ‘released’. One is the Council of Ministers’ final text agreed on June 15th: Council of Ministers text minus objections from Member States.

The other was a copy of the Council of Ministers’ final text agreed on June 15th including the 649 paragraphs of ‘disagreements’ from the member states (oops): Council of Ministers text plus objections from Member States.

There is still some discussion to be had however and in the comments version the Council acknowledges this. First up, with regards to police processing of personal data the regulation now includes as a purpose for processing “safeguarding against and the prevention of threats to public security”. Which, at face value, seems rather wide and “loose” in its wording. We all know that defining a “threat to public security” can be open to various interpretations therefore this may meet with some stiff opposition.

The Council has also said that there needs to be some discussion around the “lawfulness of processing” under Article 6, recital (40) and Article 19(1). The Council is looking to approve final wording on the legitimacy of processing data for a purpose that is incompatible with the original purpose for which it was collected. The current proposal looks to allow such processing but, as a condition, gives the data subject a means to legitimately object. Again, how this will work in the real world is open to interpretation, but given that this is a move away from the current Directive’s standards it will be interesting to see if the Council and Parliament accept that.

The Council also appears to be looking for further discussion on the right to compensation and liability outlined in Article 77 and recitals (112), (113a), (118) and (118b). The current proposal clarifies the roles and liabilities for processing that is not compatible with the regulation. Namely it looks to narrow the extent of liability for a processor or controller where it can be demonstrated that the controller or processor concerned is not fully liable (i.e. it can be clearly demonstrated that it wasn’t their fault). It makes sense but again, how that will go down with the Parliament and Commission will be interesting.

I’ve now had the chance to read through this updated text and in short it smells an awful lot like a beefed-up Directive. A lot of the stricter wording that was in the initial draft proposed by the Commission, and indeed in the Parliament draft, has been replaced with general expectations, the finer details of which member state law or local codes of practice are encouraged to work out. Some aspects of the regulation even invite member states to write complementary laws so that those sections can be properly enacted within that member state. (I’m sure that’s the purpose of a Directive, you know…)

Here’s a quick summary for you;

  • Member states can create their own laws on conditions for processing certain types of data (national ID numbers for example). (Article 9 (5)). This also extends to the conditions for processing HR data which can be defined by local member state work agreements.
  • Member states can decide if fines are to be used on public sector bodies.
  • Article 79a – Fines of up to 250,000 euros or 0.5% of previous year global annual turnover for deliberate or negligent breaches & not responding to SARs.
  • Article 79a – Fines of up to 500,000 euros or 1.0% of  previous year global annual turnover for any of the above or;
    • Does not provide information in a timely manner to a data subject
    • Does not provide access or rectify data belonging to the data subject
    • Does not erase personal data belonging to the data subject
    • Processes data in violation of any restriction on processing outlined in Article 17 (Notification obligation regarding rectification, erasure or restriction).
    • Does not communicate any rectification, erasure or restriction requests to 3rd parties
    • Does not provide the data subject with their personal data.
    • Continues processing after an objection to processing has been received and there is no viable reason for legitimate processing.
    • Does not provide data subject with information about the right to object to processing of information for marketing purposes.  
    • Does not sufficiently determine responsibilities of joint controllers.
    • Does not maintain sufficient documentation pursuant to Articles 28 (Records of categories of personal data processing activities) & 34 (Prior consultation).
  • Article 79a – Fines of up to 1,000,000 euros or 2.0% of  previous year global annual turnover for any of the above or;
    • Processes information without a legal basis for doing so or does not obtain appropriate consent.
    • Does not comply with conditions for automated decision making & profiling.
    • Does not implement measures to demonstrate compliance with Articles 22 (Obligations of the controller) and 30 (Security of processing).
    • Does not designate a representative in violation of Article 25 (Representatives of controllers not established in the Union).
    • Processes or instructs the processing of personal data in violation of Article 26 (Processor).
    • does not alert on or notify a personal data breach or does not [timely or] completely notify the data breach to the supervisory authority or to the data subject in violation of Articles 31 (Notification of a personal data breach to the supervisory authority) and 32 (Communication of a personal data breach to the data subject).
    • Does not carry out a data protection impact assessment in violation of Article 33 (Data protection impact assessment) or processes personal data without prior consultation of the supervisory authority in violation of Article 34(2) (Prior consultation).
    • misuses a data protection seal or mark in the meaning of Article 39 (Certification) or does not comply with the conditions and procedures laid down in Articles 38a (Monitoring of approved codes of conduct) and 39a (Certification body and procedure).
    • carries out or instructs a data transfer to a recipient in a third country or an international organisation in violation of Articles 41 to 44 (Transfer of Personal Data to third countries or international organisations).
    • does not comply with an order or a temporary or definite limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 53 (1b) or does not provide access in violation of Article 53(1) (Powers).
  • Article 38 – Member states can create their own codes of practice and standards for data protection for specific sectors. These need approval by the European Data Protection Board but can be developed per member state, per sector.
  • Article 54a – One stop shop concept for regulatory action and complaint handling amongst supervisory authorities remains.
  • Article 12 – Removal of charging for SARs remains.
  • Article 70 – Removal of need to register all processing of personal data remains but instead only high risk processing must be registered (at no charge) and will be published by the supervising authority.
  • Data portability now does not apply to the public sector or any processing for the enactment of a contract. (General  Text, paragraph 55)
  • Article 31 – Breach notification to a supervisory authority is now 72 hours or “without undue delay” if longer than that period.  

This Regulation is as close to a final version as we are going to get for the moment. As we’ve seen in recent weeks and months the majority of Data Protection regulators and even the EU Commission are saying that elements of the Regulation should start to be implemented from this point onwards (e.g. Netherlands are implementing a general DP breach notification law from next year). Some are even using the principle of the Regulation in the interpretation of current law (the ‘right to be forgotten’ for example).

I intend to do a few more articles over the coming weeks to look in more detail at some of the wording and what this could mean if the Parliament and Commission accept the current draft (which is a realistic possibility).

Author:

Scott Sammons CIPP/E, AMIRMS

@privacyminion

Scott is on the Exam Board for the Act Now Data Protection Practitioner Certificate which is a qualification designed to give candidates a head start in understanding and implementing the proposed EU Data Protection Regulation.

Sell your friend’s email for £25!

It’s quite simple. You’ve just bought a product and the company that just sold it to you asks for a friend’s email so they can market to them. If they buy then you (and they) get a cheque for £25. What a great idea!

Unfortunately they seem to have chosen to breach some regulations. To market electronically by email requires prior consent or consideration of the soft opt in option as defined in Section 22 (3) of the Privacy and Electronic Communications (EC Directive) Regulations 2003.

To market by email three conditions should apply.

a) You must have obtained the email address in the course of a sale or negotiations for a sale

b) You should only market similar products

c) You should offer an opt out with every message.

They clearly miss the first one as they have made no sale nor negotiated with your friend. The second one falls by the wayside for the same reason as your friend won’t have bought anything from them, so there is no “similar” test. Finally, we’ll credit them with offering an opt out (although based on their understanding of email marketing so far that’s being generous).

There is a safety valve. If your friend, after being sold down the river does not buy from the company, then their email will never be used by the company. In fact it will be destroyed securely within 30 days. And of course it will never be passed to any other organisation or sold to a list broker.

Unfortunately the company doesn’t offer any of the guarantees in the previous paragraph. They may well do so but they don’t bother with any concept of a fair processing notice. How do you feel about sending your friend’s email to this organisation? If they’re happy to pay £25 to buy an email address that makes a sale what price do they put on a prospect?

I’m not a hacker. I’ve started an online course to learn how to be one. There is no course literature or reading list. The exam, which can be taken at any time, has one task: “Your grade is held in a secure area at Hacker’s University. Change it to Pass and email yourself a PDF of your certificate”.

But if I was a hacker I’m sure I could find a way to flood this business that’s trying to buy email addresses with a few long lists of emails. All those on JISCmail data protection list; All people with NHS.net; I have many lists that people have sent me by accident.

Paul Simpkins is a Director and trainer at Act Now Training Ltd.

No time to attend our PECR courses? Try our on demand PECR webinars. One hour of learning for only £39 plus VAT.

Information, Documents or Both – What is available under FOI?

It is an oft-repeated phrase that the Freedom of Information Act (FOI) provides a right of access to information but not documents. A recent Court of Appeal decision shows that it is not that straightforward an issue.

Section 1 contains the general right of access and uses the term “request for information.” But what exactly is “information”? Section 84 defines it as “information recorded in any form.” This includes information held on paper, computer, video, audiotapes as well as that contained in manuscript notes. No mention is made of access to the actual documents containing the information. However this does not mean that documents cannot be requested.

A request for a document will generally be a valid request for all of the information contained within that document (including visual format, design, layout etc). In considering whether the public authority has complied with the request, the question is whether all of the information recorded in the document has been provided. It will not be sufficient to rephrase the document or provide an outline or summary of its contents unless the applicant has specifically expressed a preference for a digest or summary under section 11(1)(c).

This matter has now been put beyond doubt by a Court of Appeal decision this week. Judges dismissed an appeal by the Independent Parliamentary Standards Authority (IPSA), the body that oversees MPs’ expenses claims, from a decision of the Upper Tribunal requiring it to release copies of MPs’ invoices and receipts. This is the latest in a series of appeals by IPSA in an attempt to overturn the original decision of the Information Commissioner.

In April 2013 the First Tier Tribunal (Information Rights) ruled that images of MPs’ expense claim receipts were information to which the FOI applied (IPSA v Information Commissioner (EA/2012/0242)). The background to the request was that, following the MPs’ expenses scandal, the then newly-formed IPSA decided that it would not routinely publish images of the receipts submitted to IPSA by MPs in support of their expenses claims. Only text transcribed from the submitted receipts would be published.

A journalist made an FOI request for the actual receipts submitted by a number of MPs. The question arose as to whether images of those receipts held by IPSA contained “information” within the meaning of section 1 of FOI, which was not captured by the transcription process favoured by IPSA. The Tribunal concluded that the definition of information (in this case) included logos, letterheads, handwriting, manuscript comments, and even the layout and style of the requested documents. These were not disclosed to the requestor as a result of providing a transcription, rather than a copy, of the relevant receipts.

Last year the Upper Tribunal’s Judge Williams (in Independent Parliamentary Standards Authority v IC & Leapman [2014] UKUT 33 (AAC)) dismissed the appeal by IPSA. At Paragraph 22 of the judgement he said:

“It is to me also trite to note that the wording on a typical receipt or invoice is only part of what a recipient sees when looking at it. Typically there will be verbal and numerical content to be read and understood, but there will also be visual content to be seen, rather than read, but which may also require to be understood for the recipient to have appreciated the whole of the experience, if I may term it that, communicated by the receipt or invoice.”

In the judge’s view information is more than just the words and figures on a piece of paper. Sometimes the nature of the request will mean that the only way to convey all the information on a document is to disclose the original or at least a copy. He gave the example of Land Registry plans, drawings and photographic evidence of a particular building.

In coming to his decision the judge took note of the Scottish Court of Session decision in Glasgow CC v SIC [2009] CSIH 73 under the Freedom of Information (Scotland) Act 2002 (FOISA). As a general point of principle, the Commissioner and the Tribunal are not bound by Court of Session decisions on FOISA, although they may be considered persuasive where the terms of FOISA mirror the terms of FOI. In the Scottish case the applicant specifically wanted the public authority to provide copies of the documents, although he acknowledged that the same information was available elsewhere. The Court confirmed that FOISA entitles requesters to the information within a document, rather than a copy of the document itself. To the extent that this request was specifically for copies of the documents over and above the information they contained, it was invalid. The Court rejected an argument that the copy documents were “information” distinct from the information contained within them.

Paragraph 45 of the Court of Session judgment states:

“Where the request does not describe the information requested… but refers to a document which may contain the relevant information, it may nonetheless be reasonably clear in the circumstances that it is the information recorded in the document that is relevant.”

However paragraph 48 should be noted:

“The difference between the original and a copy… does not consist in any difference between the information recorded in each document: that information, if the copy is true and accurate, will be identical.” (my emphasis)

To quote one of our FOI trainers (Philip Bradshaw), much will also in practice depend on the wording of the request. Contrast “How much did you spend on pencils?” with “Can I have a copy of your pencil invoices”. You can clearly provide in permanent form all the recorded information within scope of the first request without copies, but not perhaps for the second.

In the IPSA case, the judge ruled that transcriptions of the requested receipts would not be “true and accurate”, as they would not contain all the same information as the originals (e.g. logos, style, layout etc.).

This is an interesting decision especially for those public authorities who often insist, when refusing to supply actual documents (such as minutes of meetings) that FOI is about access to information not documents. Sometimes the requestor is interested in the document, which contains the requested information, as it will give a further insight into its background and the thoughts/observations of the producers/subjects of the document.

IPSA has been given time to consider taking the case to the Supreme Court.

Ibrahim Hasan will be discussing this and other recent FOI decisions in the FOI Update workshops which are delivered in one hour online sessions as well as full day face to face sessions.
