
Are data controllers 'officially' lying to us?

When a data controller notifies the ICO about their company's data processing purposes, they do so by completing a Notification form. When filling out the form, the data controller will be aware of two things:

1. That they have a legal obligation to process personal data in accordance with the DPA98 and its eight data principles;

2. that it is an offence under section 5 of the Perjury Act 1911 to give false information on a notification form.

This being the case, what I don't understand is why so many companies have strict marketing clauses within their terms and conditions even though they've notified the ICO. I don't get it: is someone telling lies?

If a data controller wants to process personal data to send direct marketing to the company's customers then they need to identify the data processing purpose of Advertising, Marketing & Public Relations on the notification form. When the data controller adds this purpose to the notification form, if he or she has any doubts about the company's willingness to carry out this processing in accordance with the DPA, then they shouldn't sign the form. Only a fool would put their name to a statement of truth knowing it to be false. Yet someone clearly has signed the notification form, and it has to be renewed each year, so why hasn't the data controller contacted the ICO?

The way I see it, the data controller of these companies should either

1. Remove the misleading clauses relating to marketing from their terms and conditions and have them instead as statements of processing in their privacy policy;

2. update their notification by informing the ICO that they wish to process personal data for the purpose of Advertising, Marketing & Public Relations - not in accordance with the DPA, but in accordance with their version of the DPA - one that has been bastardised by civil law;

3. update their notification by withdrawing the data processing purpose for Advertising, Marketing & Public Relations from their notification and cease processing personal data for this purpose;

4. continue to mislead data subjects. In which case, I would recommend that members of the public should submit complaints to the ICO about these companies giving false information on their notification forms, and escalate it to a Parliamentary Ombudsman if the ICO refuse to take action.

A company cannot negate the rights of a data subject with their standard form civil contracts. As such, any civil law term that appears within a company's terms and conditions is misleading because it cannot be enforced in a court of law. What's the company's legal argument... "You accepted our terms"? Yeah, I accepted your terms dick head, but only those terms that are compatible with my statutory rights as a consumer and a data subject. You know where you can shove the rest! Ideally you should shove them into your privacy policy. Alternatively, sue me for breach of contract and see how far you get.

A company cannot do anything that negates my statutory rights so there's no point trying. When I asked the ICO to clarify this they said:

'You have asked me to clarify whether or not our office accepts that an organisation cannot negate its legal obligations to comply with the eight principles with civil law'. 'Organisations cannot opt out of complying with the DPA'.

A far better, and legal, approach is for data controllers to be less confrontational by putting their marketing related terms into their privacy policy. It makes a huge difference: instead of having an unfair term informing the data subject that they will receive marketing and then trying to enforce it - which they can't - the data controller is informing the data subject that they intend to process personal data for the purpose of direct marketing but understands and accepts the data subject's statutory right to opt-out with a section 11 DPA request.

I think I need to start contacting some of these companies to find out what they're playing at. I've already made a start with Moneysupermarket.com. I'm waiting for their reply as I write this.

Also see notification