The Executive Director of Which?, Mr Richard Lloyd made an appearance last week before MPs of the Culture, Media and Sport Committee as part of their inquiry into the epidemic of PPI and other nuisance calls and texts, at which he said this:
“Any organisation – public or private – ought to be looking very hard at what it’s doing to comply with the existing regulations on the use of personal data and ensuring if they are gathering your phone number for legitimate reasons, perhaps as a local authority where you are buying parking permits or whatever, are you confident that every local authority isn’t selling that data on? I haven’t got that confidence at the moment. This is the loop hole behind this trade in data.”
I can’t get access to the full transcript, and so I’m relying on this quote in the Daily Express. It’s possible that he was misquoted (when I tweeted Which?, they didn’t explain say he had). It’s also entirely possible that everything else that Mr Lloyd said wasn’t bollocks. Which? are, however, supposedly the consumer champion, putting forward a strong (and relatively robust) case for changes to PECR and Data Protection. One would expect that the senior person chosen to put their case to Parliament would know what he is talking about. One is disappointed.
Similarly, Big Brother Watch demonstrated their flawless finger on the pulse by highlighting the big privacy issue of 2002: the sale of the Edited Electoral Roll. The Daily Mail dutifully served up a monster portion of outrage: “SOLD FOR £5: YOUR PERSONAL DETAILS”, and a litany of local papers breathlessly rewrote the press release, sometimes changing the headline but thoughtfully remembering to ensure that they used the name of their local council rather than someone else’s. My favourite of these is the Bolton Evening News, whose headline began: REVEALED. I don’t know how many times this story has been REVEALED, but assuming that nothing changes, I’m pencilling in another REVELATION in about 2017.
CORRECTION: my personal details were not sold for £5 by Manchester City Council because, like a lot of people, I opted out. The few moments it takes for me to check that I am still opted out when the elections paperwork comes around continues to be NOT REALLY A BIG DEAL. Indeed, given the other things that one’s electoral roll entry is also used for credit checks, the two-minute exercise to check all is correct is absolutely vital.
The last Conservative Government demanded that the full register be sold to anyone who wanted it. An ordinary Wakefield citizen, Mr Brian Robertson, took the matter to court arguing that because he had to register, it was unfair that he couldn’t then opt-out of the sale. He won his case, and the law was changed. I agree with Big Brother Watch that the edited register should not be sold, but look at what the story actually amounts to. The names and addresses of an unknown proportion of the population is sold by some councils for the purposes of junk postal mail, but only if they haven’t opted out. Many of the councils surveyed had either not sold the edited register at all, or to only a few customers, which include such terrifying entities as Durston House Prep School, BAPS Hindu Temple, the University of Bristol and the Scottish Agricultural College.
In attempting to ramp up the hysteria, the BBW report even cites research that people are discouraged from registering to vote because the edited register is sold, making them fear the possibility of ‘identity fraud’, which cannot be achieved simply by knowing a name and address. A problem doesn’t become more serious because (unnamed and unnumbered) people don’t understand it.
Moreover, BBW’s determination deal with the ‘problem’ leads them into actively unhelpful territory. Section 11 of the Data Protection Act gives everyone the right to prevent any processing for direct marking purposes. This includes both the marketing itself and the sale of data for marketing purposes. Irked by the need to regularly opt-out, BBW say that Electoral Registration Officers should advise citizens to use Section 11 to get a permanent opt-out from the edited register. They even provide a helpful letter to send to your local town hall. If you want my advice, do not do this. Section 11 applies only to marketing, but EROs do not have the power to refuse to sell the edited register. If I go along and try to buy it, they do not have the power to ask me what I want the register for, and if I choose to lie, there is nothing they can do about it. There are only two ways that BBW’s idea can work – the ERO deliberately misinterprets the Section 11 request as a permanent opt-out (which could be subject to challenge), or the ERO polices what happens to the register once it is sold. They have neither the power nor the resources to do this. Anyone who is sufficiently concerned about the sale of their data should check their entry when it is sent to them. BBW’s solution to the problem is much worse than the existing solution i.e. the one designed exactly for the purpose.
The problem with both stories is that they place the focus squarely on the public sector: the fictional but eye-catching sale of parking permit data for PPI, and the real but unshocking sale by unwilling councils of some names and address. The real problem goes unaddressed. Mr Lloyd said unambiguously that he does not have the confidence to say that when you buy a parking permit from your local council, they’re not selling that number on to someone else, with the result that you get nuisance calls. Which? were good enough to respond to me on Twitter when I quizzed them on this, but all they had to offer was hogwash:
Mr Lloyd was not speaking hypothetically; he said that he didn’t have the confidence to say that councils weren’t flogging phone numbers to phone spammers. If you make such a heavy implication in front of MPs, you should have evidence, not just a gut instinct. I have absolute confidence that when you apply for a parking permit, home care, the removal of a large item of waste, to register a death or whatever else it is that you are asking them to do, the council does not sell your phone number to PPI scammers. There is no grey area, no ‘loop-hole’ that allows anyone to have any doubts. It would be a breach of the first Data Protection principle for them to sell the data without informing the public and (as far as I can see) getting consent.
The trade in personal data does not flow from councils. Everywhere you look, data is being obtained, stored and traded, but it’s the private sector that does it. Big Brother Watch might be more comfortable flailing at public servants because it was spawned by the Taxpayers Alliance and old habits die hard. The one area that their report scrupulously avoids is scrutinising the small number of private sector companies who are buying the roll routinely and across the country: why not look at them? Which? has no such excuse. The big problem with data in the UK is in the private sector, and all this focus on councils ignores that.
The sale of the Electoral Roll involves an opt-out that not even BBW says doesn’t work. It’s explicit, clear and fair. Look at the private sector small print and you often need binoculars. Check the terms and conditions of price comparison sites, mobile phone and other contracts, and you will find similar approaches. Look at the many list brokers whose business is to trade and sell personal data (just Google ‘list brokers’ and you’ll see what I mean). Is all of this totally DPA compliant? To use Mr Lloyd’s formulation, are you confident that every company collecting or selling data is doing so having clearly and simply told the data subject that their data is being collected? I don’t have that confidence at the moment. A tiny mention in the T&Cs or a buried tick-box does not comply with the DPA’s requirements for clear, explicit fair processing. An unticked tick box is not freely given, specific and informed consent, and without that, what other Data Protection condition do they have?
And don’t forget about the relentless data theft for commercial purposes: the claims management who received stolen data from a nurse with ultimately tragic consequences, the employee of an online gambing firm who openly touted stolen data for sale and of course, the theft of T-Mobile’s customer database. Are you confident that these are isolated examples, and that there aren’t many more cases of commercial data theft going on? I don’t have that confidence at the moment.
Big Brother Watch’s report is short on evidence, and long on speculation. It’s the TPA playbook of press-releasing to justify your existence. However, the written submission provided by Which? to the CMS Committee about the nuisance calls issue is nuanced and well-informed. I don’t agree with all of it, but it’s an intelligent contribution. However, the Daily Express and Daily Mail are unlikely to focus on the subtleties – and they didn’t. They like big dumb headlines, something that at least BBW understands. If Which? want to join in the debate about how our data is used, where it goes, how it is sold and how this process can be dragged out of the dark ages, they’re welcome. But making eye-catching but baseless remarks about the wrong targets actively helps the people causing the problem. The dodgy end of the direct marketing industry would love nothing more than for the debate to be about the electoral roll and councils, and not themselves.