On Boxing Day at 12.47pm, millions of people received a badly-written text message.
“GET BOOSTED NOW
Every adult needs a COVID-19 booster vaccine to protect against Omicron.
Get your COVID-19 vaccine or booster. See NHS website for details”
The Government confirmed via a press release – complete with quotes from The Saj himself – that this was an official communication. Debate has raged, with #GDPR trending on social media but I don’t think this debate is about the GDPR. For many, their position on the text message is a proxy for their position on vaccines. I have already been accused of being an anti-vaxxer simply for questioning whether the text was lawful, even though I got my booster on December 21st and I encourage any reader who hasn’t had the Covid jab to do so if they can. Call me old-fashioned, but I think the question about whether this is a GDPR breach should be answered by whether it’s a GDPR breach.
The first question is whether the data processed (mobile phone number) is personal data. There are all sorts of edge cases, but not here. The companies who sent the message will generally know who the account holder is, so the mobile number is personal data in their hands as long as the number doesn’t relate to an unregistered SIM card. GDPR is *engaged*, even if you think sending the text was fine. After that, let’s start with transparency.
GDPR requires the provision of transparency information. Perhaps the most important element is the identity of the controller, and the message doesn’t tell me. The number is hidden but in a manipulative masterstroke, the sender presents as ‘NHSBooster’. I’m plainly supposed to think the controller is the NHS. However, the press release doesn’t mention the NHS at all. It’s a joint operation between the Department of Health and Social Care and the Cabinet Office. It’s also clear that the text was sent by the mobile companies using their customer data at the behest of the Government: “HMG would like to thank the Mobile Network Operators for their assistance in helping deliver the vitally important Get Boosted Now message.”
I can just about see an argument that the mobile companies are processors for this particular purpose and the two government departments are joint controllers (you can be a controller even if you never get access to the data as long as you determine the purposes for which it is processed), but I think it’s much more likely that all are joint controllers together.
As joint controllers, HMG and the mobile companies should have a joint agreement to cover issues like transparency and data subject rights. Although a well-known Data Protection Lawyer claims that the campaign was “widely publicised and explained”, this ignores the misleading NHS ID. There is no mention of the NHS on the government press release, no quote from the NHS England Chief Executive, Amanda Pritchard or her counterparts elsewhere and at the time of writing, nothing about the texts on NHS England’s website. Expecting people to track down a statement on the Gov.UK website when you have falsely associated your message with another organisation is neither fair or transparent. If the message had been accurately labelled as being from the DHSC or Javid himself, I suspect a lot less people would have argued with me on Twitter.
As there’s no obvious transparency information for this purpose, I also don’t know the lawful basis for the processing. It isn’t the one that my mobile provider normally uses (necessary for a contract), and it’s definitely not consent. The same well-known Data Protection Lawyer has stated definitively that the lawful basis is vital interests, a justification described by the ICO as “very limited in its scope, and generally only applies to matters of life and death”. Claiming that vital interests applies in any circumstance where someone might die, even if the overwhelming majority of the subjects whose data will be processed won’t is the silliest interpretation of data protection law I have seen since those people who claimed that pre-GDPR, you could get consent without people really knowing.
It’s conceivable that DHSC has a specific power to order the mobile companies to deliver public health messages, but if they have, they don’t want to tell the public what it is. It’s been suggested that an amendment to PECR is the source of such a power, but I’m not so sure. Regulation 16A allows the use of traffic (e.g. who you called and when) and location data for the purposes of emergency alerts. This is necessary because traffic and location data is otherwise very tightly controlled, and PECR would therefore prevent the use of data for targeted alerts like ones related to a flood or terrorist attack. To me, it reads like an exemption, removing restrictions that would otherwise be in place, rather than an active power to do something. You can disagree with me, but bear in mind that the ICO describes it in the same way in their PECR guidance (page 44). Make no mistake, they’re going to rubber stamp this if anyone complains, but they don’t describe it as an active power. In any case, you don’t need traffic or location data to do what the government did here, you just need phone numbers.
As a data subject, I shouldn’t have to figure the lawful basis out on my own or rely on angry guesswork from people who think I’m an anti-vaxxer (by the way, if you want to play that game, you’re a shill for Boris Johnson’s government). If DHSC or the Cabinet Office can compel the mobile companies to send these messages, in that sense they’re lawful, but the misleading nature of the campaign means that they’re not transparent. My reading of the press release is that this is a handshake deal between HMG and the big companies. Some smaller companies haven’t seem sent the message yet – if government had a solid lawful basis for the processing (even if we’re in the upside-down world where it’s vital interests), there’s no reason why a sizeable provider like GiffGaff wouldn’t have received a government directive.
There are other problems – if you’re boosted like me, is this use of personal data relevant? Is it accurate? Is there any evidence of a DP by Design and by Default approach where after getting daily texts from my GP and an email from the NHS (all after my jab was booked), I and millions of other boosted people get a completely useless and irrelevant message that is plainly designed to get through to someone else. There is, of course, an argument that a more targeted approach would be more intrusive and require the processing of more specific personal data, and it would. Compliance with the relevance and minimisation requirements does indeed require a more specific approach. That doesn’t make this lawful; it just makes it easier to swallow. In order to comply with UK GDPR, a controller must process data lawfully, fairly, transparently, with a clearly defined purpose, in a way that is adequate, relevant and not excessive, minimised wherever possible, with rights built in by default, and accurate for the purpose. If you’re telling me that all this applies to the sending of this message, I have a bridge to sell you.
Or rather, I have a future that you’re apparently keen to legitimise. A future where this government – a Home Office run by Priti Patel, a Levelling Up department (i.e. local government) run by Michael Gove, a Department of Health run by Sajid “my favourite author is Ayn Rand” Javid – has a get out of jail free card to send whatever messages it likes. ICO has already said that public bodies can send their own messages free of PECR considerations (despite the ICO’s definition of marketing including promotion of public sector aims and ideals for decades), but you want it to go further. You want the government to co-opt the mobile phone companies (and what other channels?) to send messages about whatever they consider to be an emergency (take a look at the elastic definition of emergency gifted to us by Tony Blair’s government in the Civil Contingencies Act). People die in the channel, so they’ll send messages about illegal immigration. Terrorists threaten our way of life, so let’s us tell you about Prevent and dobbing your neighbour into the border force. Obesity kills and you lazy bastards have been stuffing your faces all Christmas, so how about a daily text about getting some exercise?
My concern here is not about vaccines. It is not about the pandemic. It is about what laws apply when the government wants to send messages to the public, and how much scrutiny they get when they do. This is the thin end of the wedge; imagine what will come after after this one gets nodded through. I’m sorry to be in the small minority of people who think that there’s something to be concerned about here, and questions to be asked. I know that few people will read this and those that do will decide that I’m wrong, or a crank. But I have one real objective in writing this. When they get away with this, and they will, I want to be able to show that I wrote these last two paragraphs today, to be able to point to them when they send a message that you object to. Because it’s coming.