One of the features of the GDPR which is superficially similar to the old Data Protection Act but turns out to be quite different is the requirement to provide information about how personal data is being used. The word ‘transparency’ is an inherent part of the GDPR first principle, whereas it was absent from the previous version. The DPA 1998 allowed data controllers to decide what information data subjects needed to know, beyond who the controller was and what purposes their data was being processed for. The GDPR has two similar but distinct lists of information that must be provided, one for where data is obtained from the subject, the other where data is obtained from somewhere else, and they dictate what must be provided in scary detail.
When I first started looking at the GDPR, it was this element that I was most sceptical about. I simply couldn’t believe that organisations would admit where they obtained data from, or how long they were going to keep it. I have an almost completed blog on the boil (stay tuned) which is about the very subject of list brokers covering up where they get personal data from and who they sell it to. So when a friend passed me the ‘Data Protection Privacy Notice for Alumni and Supporters’ from Queen Mary (University of London), I was amazed to see a clear, transparent explanation of what data was used, for what purposes, and under what legal basis. The only problem is that some of it is bollocks, and some of it deploys an attitude to data that requires a seatbelt and a helmet.
Ironically, because it is a relatively short and easy to read document (four pages of A4 in normal font, written in human English), the nonsense leaps out at you like a chucked spear in a 1950s 3D movie. The notice asserts that for a list of purposes, the University is relying on the legal basis of ‘legitimate interests’. The purposes include:
“furthering Queen Mary’s educational and charitable mission (which includes fundraising and securing the support of volunteers”
This is, of course, direct marketing. The notice then says:
“We may pursue these legitimate interests by contacting you by telephone, email, post, text or social media.”
Which would be a PECR breach. The University cannot send emails or texts to alumni without consent, but according to the policy, they can. Of course, some clever person (I have a list of names here) will come along and tell me that since students pay for their education, surely the University can rely on the soft opt-in? Well, for one thing, these are alumni, some of whom may have attended the University decades ago (and Queen Mary freely admits to tracking down ex-students using the Royal Mail’s Change of Address Service). For anyone who didn’t substantially pay for their degree, it doesn’t fly. Moreover, I’ve trained a lot of universities who were understandably squeamish about the idea that a qualification like a degree can be reduced to a mere commodity, like a dishwasher or a new set of tyres.
And there’s more.
“If you are registered with the Telephone Preference Service (TPS) but have provided us with a telephone number, we will assume we have your consent to call you on this number until notified otherwise”
No. For Pity’s Sake, No. Have the last three years of the world and his dog banging on incessantly about consent (often insisting wrongly that you always need it but OK) been for nothing? There is no such thing as assumed consent. There is no such thing as assumed consent. MATE, ARE YOU HAVING A LAUGH?
It seems odd that because Queen Mary have done something really well, I’m criticising them. To be clear, it’s one of the clearest privacy notices I have ever seen. But it’s not just the unlawful bits that stick out like Madonna’s bra (happy 60th, Your Majesty). The rest of it, to use my favourite euphemism for this kind of thing, is bold. Students’ personal data will be retained “in perpetuity”. The data held about alumni includes “occupation, professional activities and other life achievements”, “family and spouse / partner details and your relationships with other alumni, supporters and friends” and also “financial information relating to you and your family, including data and estimations around your income, assets and potential capacity to make a gift”. If anyone from Queen Mary is reading this, my friend says not to get your hopes up.
The gleeful description of what data they hold is an amuse bouche to the relish with which Queen Mary describe their use of research. The fundraiser Stephen Pidgeon once told me with great vehemence that fundraisers couldn’t possibly be frank about the techniques that they deploy. Queen Mary, on the other hand, have more or less had shirts made: “we may gather information about you from trusted publicly available sources to help us understand more about you as an individual and your ability to support the university in ways financial or otherwise”. They explicitly say that they do wealth screening in some cases, and have a long list of possible data sources including Companies House, company websites, “rich lists”, Factiva, Lexis Nexis, “general internet and press searches”, Who’s Who, Debretts People of Today and LinkedIn.
Because I banged on about it so loudly a year or so ago, I should be the first to point out that despite all the bollocks talked about the ICO banning wealth screening, the ICO’s enforcement against charities did no such thing: it fined a number of high-profile charities for doing wealth screening without fair processing. Ostensibly, Queen Mary are simply doing what the ICO demanded by describing the process, but I have a sneaking suspicion that some of Our Friends in Wilmslow might be surprised to see wealth screening being carried out so enthusiastically.
To be frank, I do not believe that Queen Mary can justify processing the personal data of the spouses or family members of alumni in any circumstances, unless with consent. I think it is unfair, they do not have a legitimate interest in processing the data, and it is excessive. I think they and any institution who did the same deserve to be enforced against, or at the very least they should receive a shedload of Right to Be Forgotten Requests from mischievous family members. I am also sceptical about the depth of research that may be carried out into some alumni – it’s clear that it will only be a subset of the whole, but unless we’re talking about a handful of millionaires who might well expect this kind of thing to go on, I think this document is an inadequate way to meet the requirements of transparency. If a university is digging into a person’s background to this extent, it’s a form of processing that a person should directly know about and have a right to prevent. My friend only read this document because she’s in the business – Queen Mary should tell people if they’re subject to this level of profiling.
I know some fundraising consultants who will take issue with this and to be clear, I am not dogmatically saying that QM can’t do this. But seriously, can they do this? Is this what the brave new world of GDPR is all about? My instinct is HELL NO WITH AN AIRHORN FOR EMPHASIS but it would be hilarious if I was wrong, and the GDPR really doesn’t dent this kind of activity. I write this solely to see what other people think. Do you think this kind of thing is OK?
I don’t have a dynamite conclusion to this blog. I could kiss the person who wrote this privacy notice because it’s so plain and well-written, and yet the approach to consent and PECR is so misbegotten, I think whoever came up with it should be cast out into the Cursed Earth without a backwards glance. I don’t believe that Queen Mary can possibly justify the amount of data that they propose to process and the purposes for which they think legitimate interests is an adequate umbrella. But at the same time, the ICO looked at precisely this kind of activity and only really complained about the lack of transparency, which isn’t a problem here. All I can say for certain is that other people are going to get the fundamentals so enthusiastically arse-about-face, and do such interesting things, I demand that they do so with the same clarity.