Over the weekend, the petition website 38 Degrees sent emails about the cuts to tax credits which will shortly hit low-paid working families across the UK. Unfortunately, some of the emails falsely identified Labour MPs as being Conservatives and implied that they were in favour of cuts that they in fact oppose (on Twitter I’ve seen complaints from Jess Phillips, Cat Smith, Wes Streeting, Barbara Keeley and Matthew Pennycook, but I don’t know how many were actually affected).
I tweeted that this could well be a breach of Data Protection’s fourth principle, and very quickly I received a reply from 38 Degrees confidently telling me that although an apology had been given to all concerned, “this didn’t breach DPA”. I asked them if they could explain this given what the fourth principle says, but they had nothing for me.
For many people, Data Protection is about subject access, the right to get copies of one’s own data. Much is also made of the importance of the 7th principle, which requires information to be protected by appropriate security (indeed, most of the ICO’s enforcement is related to security). Many of the recent headlines on Data Protection have concerned international data transfers, which is the preserve of the Eighth principle. With these noisy and annoying siblings vying for attention, the fourth principle, despite being the simplest and arguably the most important of all the principles, is often overlooked.
It says this: “Personal data shall be accurate and, where necessary, kept up to date.” That’s all. Its simplicity is matched only by its brutal implications. Every time I am booked into a hotel as Tina Turner instead of Tim Turner: breach. That time I got marketing addressed to ‘Tim Thunder’: breach. When MyOffers sold my address earlier this year to Experian, except it turned out to be the address of a house I moved out of in 2001: breach.
There is no qualification; principle 7 requires security to be “appropriate”, but principle 4 offers no appropriate level of accuracy for live information except totally accurate. You might think this is impossible, but the consequences of personal data not being accurate are often worse than what the ICO imagines might result from a data loss. Forget the theoretical risk of identity theft: try missing out on a school place, being told that you’ve got the all clear when you shouldn’t have, receiving cancer treatment you didn’t need, having your house raided dozens of times by mistake or even being falsely accused of being dead. The accuracy of personal data is not merely desirable or good practice – it underpins all other aspects of using personal data, and getting it wrong ruins lives.
The MPs inaccurately labelled as Conservatives in 38 Degrees’ “incorrect email” have not been harmed in any way that cannot be put right, although with Labour seemingly a step away from a full-scale witch-hunt, this kind of cock-up isn’t going to help them to do their jobs. And importantly, the incident is a breach of the Data Protection Act. I’m not calling on the Information Commissioner’s Office to launch an investigation – they should take on many more accuracy cases than they have, but this isn’t where they should start. Indeed, I am constantly baffled by their unwillingness to enforce on accuracy given that it is so much easier to prove the breach than in security cases. But nevertheless, for 38 Degrees and all organisations, it is vital to understand that when you use a person’s data, you are obliged to do so accurately. There are exemptions, but they relate to specific situations like law enforcement and legal proceedings. There is no justification to get something as simple as the party an MP belongs to wrong, and it is a breach of the law when you do.