An impossible thing before breakfast

The Information Commissioner, Christopher Graham, made one of his occasional appearances on BBC Radio 4’s Today programme this morning. He was there to talk about the Daily Mail’s blistering investigation into the call centres used by charities to raise money over the phone, often with high-pressure sales tactics and abundant breaches of PECR. As regular blog readers will know, I have always been a fan of Mr Graham personally on the basis that he is not his predecessor, but it was painful listening.

There was the obligatory yet pointless literary reference (Alice in Wonderland), some generalities about investigating and getting the bottom of things and, as is often the case with Mr Graham, an attempt to steer the story to something else. The trade in personal data is a massive concern but it is not what he was on the programme to talk about. It wasn’t hard to detect an element of squeamishness about the issue because it involves charities. Even though I would normally defend the ICO’s record on PECR breaches, I am certain that nothing will happen as a result of the Mail’s revelations because the ICO doesn’t have the guts to enforce the law on charities, no matter how badly behaved they might be.

As an FOI request revealed a few years ago, Mr Graham appears to be a stickler for the proper use of language: he went as far as to make his ‘Most Hated’ list available to his staff, although a subsequent FOI response rather confusingly claimed that the information was not held. Whatever his literary standards might be, Graham’s comments about PECR and consent showed that he doesn’t care much for getting the law right.

The worst mistake was when Graham claimed that where an organisation has an “established relationship” with a person, they have a “right” to call them. There is a very widespread misconception across a number of sectors, charities among them, that a customer or donor relationship trumps the TPS requirements. It doesn’t. There is nothing about this in PECR; the text says:

Where a subscriber who has caused a number allocated to a line of his to be listed in the register kept under regulation 26 has notified a caller that he does not, for the time being, object to such calls being made on that line by that caller, such calls may be made by that caller on that line, notwithstanding that the number allocated to that line is listed in the said register

The subscriber (the person being called) has to “notify” the caller that they do not object. You can’t do this by implication, or because you have given a donation. As the Information Commissioner’s Direct Marketing guidance states “This needs to be a positive step to express their wishes”. There is an argument that it doesn’t matter what the Commissioner says on the radio, what matters is what the law says. However, Graham’s words are a gift to every charity and double-glazing company  – we have an “established relationship”, so we can call them. To describe the companies as having a ‘right’ to call people on the TPS because of an “established relationship” is an unforgivably sloppy use of language, and vulnerable people may pay the price for Mr Graham’s inattention to detail.

The other mistake Graham made was almost as serious, although to be fair to him, he made up some ground with subsequent comments. Senior people in the ICO have a habit of talking about consent being obtained through endless terms and conditions. His statement today was “we don’t realise we’re giving consent”. This is a completely false understanding of how consent works. Think of what the Data Protection Directive says: consent should be a freely given, informed and specific indication of the subject’s wishes. Look at what the ICO’s own guidance says (I wonder if Mr Graham has):

the person must understand what they are consenting to… Including information in a dense privacy policy or hidden in ‘small print’ which is hard to find or difficult to understand, or rarely read will not be enough to establish informed consent”.

Mr Graham did go on to question whether such consent was ‘valid’, clearly indicating the possibility that it might not be. But some of the damage was done. Misunderstandings about consent are everywhere, and the uncertainty is ruthlessly exploited. I’ve even seen a Twitter conversation where a high-profile and respected privacy lawyer said “consent can technically be “obtained” even when people are unaware”. This is nonsense, but it is popular nonsense among organisations that want to breach PECR and the DPA.

Data Protection law can be subtle and flexible. Especially if you’re being quizzed by the permanently bewildered self-parody of John Humphrys that presides over the Today programme, it might be tricky to get the detail right. However, PECR is not subtle: it is made up of rules. The ICO has explained clearly in its guidance how those rules work. If there is a point to having a figurehead like the Commissioner, it should be that they can confidently and accurately explain the law, especially when the office’s position is actually clear. Unlike his predecessor, Christopher Graham will rightly be remembered for taking action at least some of the time. The problem with his comments to day is that he may do more harm than good.