Return to Sender

Jun 16, 2013 | Data Protection, DPA

A few blog posts ago, I asked the question of whether the Royal Mail was a Data Controller or a Data Processor. I think they are the latter; many disagreed, and in the main, argued that the Royal Mail are – in DP terms – Switzerland. They are not contractors, not controllers, they merely move the mail about the place without any definable role or responsibility. I’ve heard a similar argument made from time to time by staff from the Information Commissioner’s Office, so I decided to see if they had written it down anywhere. My FOI to the ICO was answered with commendable speed, and so now I have their view in black and white, set out in January 2012 in a ‘Line to Take’.

My interest in the Royal Mail is partly free-range geekery – it’s just interesting to work out what they are given the Emperor’s New Clothes conspiracy around their status. But the ICO is willing to enforce at the top end of the scale against Data Controllers for mistakes made by contractors providing a simple service (£250,000 for Scottish Borders and their unshredded files, and £325,000 for Brighton NHS Trust’s misappropriated hard drives), so it’s important for Data Controllers to understand their position on contractors.

It is regrettable – if unsurprising – to find that the Information Commissioner’s position is nonsense. Whoever wrote ‘Data Protection and mail delivery services’ has started from the proposition that the Royal Mail and other delivery services are not data processors, and worked out from there. According to the document, the Royal Mail (and other delivery companies) ‘take possession’ of someone’s personal data when contained in mail. However, they do not ‘process’ it, because they ‘do not have access to the data entrusted to it and will usually be prevented by law from doing so’. The lack of rigour with which the document is written is clear from the fact that the ‘law’ in question is not mentioned. They don’t process the data (the word is italicised in their version), they just have it in their possession.

Some awkward parallels are raised so that they can be unconvincingly disposed of. “Arguably, the destruction of personal data, which does constitute processing, could take place without accessing it”. This gives the ICO a problem, as in January 2012 they were contemplating taking action against both Borders and Brighton, so the document relies on the fact that destruction is mentioned in Section 1 of the DPA as a form of processing.

Unfortunately, the writer then remembers that ‘holding’ data is also included in that section, and has to explain why the Royal Mail don’t hold the data. They also don’t want to create the impression that a firm that stores data is in the same legal parallel universe, as a storage firm isn’t supposed to access the data either. This they do in an elegant argument that goes like this:

“Such organisations are ‘holding’ personal data and are therefore processing it, in a way that mail delivery companies do not, albeit they are in physical possession of the data whilst it is in their hands.”

There is no explanation of why storage companies and delivery companies are different, even though neither is supposed to have access to their client’s data – they just are different. According to Wilmslow, it is possible to be in physical possession of something without holding it. The Queen in ‘Alice In Wonderland’ would feel quite at home there. On something of a roll, the author might be expected to consider the other activities that the Act defines as processing – for example, ‘transmitting’, which Dictionary.com helpfully defines as ‘to send or forward, as to a recipient or destination; dispatch; convey’. A piece of guidance about whether the activities of mail delivery companies might be processing data should at least consider this part, even if only to dispatch it in the same half-arsed way as ‘holding’, but no. It is not mentioned at all.

The second page of the guidance seeks only to tie up some of the inconvenient implications of the first. A data controller must still choose a “sufficiently reliable” delivery company (even though they aren’t actually processing the data) and can expect enforcement action if they do not. Besides, the document says, breathing a sigh of relief as the agony is nearly over, there will be a contract in place for most private delivery companies that will do all of the things that would need to be done if they were a data processor. So as long as nobody mentions the Royal Mail, we can all get out of here: “Individuals who are concerned about the integrity of the Royal Mail or other mail delivery services should be advised that this is not a data protection issue.”

The Information Commissioner cannot change the law. They cannot rewrite the law to prevent awkward outcomes, and the fact is, the Royal Mail and their competitors lose an awful lot of personal data amongst many other things. Even if you believe this guidance, the implications are surprising. For one thing, you do not need a contract with any mail delivery company that puts them under any requirements to secure your data when they deliver it for you, and you do not need to monitor how well they protect your mail. The Information Commissioner says that the section in Schedule 1, Part II of the DPA that covers contractors does not apply to mail delivery companies because they do not process data.

I think the implications go further. If a contractor can be shown not to be accessing data as they process (or to use the ICO terminology, possess) it, potentially they are not a data processor, especially if there is a legal barrier to that access. Because the Royal Mail can be said to be not ‘holding’ data because they do not have access to it, surely Controllers using contractors to store or destroy their data may in some cases be free from the requirements to comply with Schedule 1, Part II as well. The ICO says that a Data Controller is not liable for enforcement action if let down by “accidental loss of a mail item or by the activities of a rogue delivery worker”. Therefore, if they can prove that a storage or destruction company should not have had access to its personal data (i.e. the contractor merely ‘possessed’ it), surely a Data Controller equally has a case that they are insulated from enforcement.

Let me be clear – I think the above argument is hogwash. I think the provisions of the Seventh Principle should be properly implemented regardless of what type of processing is going on. I actually think that the ICO LTT gets as close as it can to saying that this is true for private sector delivery companies, but because of the lumbering Royal Mail elephant in the room with whom contracts that comply with the DPA are largely impossible, they can’t say so definitively. The question I am asking is whether delivery companies are processors. It doesn’t matter how inconvenient it might be, it is the ICO’s job to work out what the correct answer is. If they come up with the wrong answer to avoid difficult consequences here, they can do so elsewhere and in more important areas, like who is covered by the EIRs, whether the ICO should take enforcement action against the Cabinet Office, or what shape the EU Data Protection Regulation should be in. Whatever you think about the post, if you care about information rights, you should care about whether the ICO can deliver.