Mind my data

Confusion reigns at ICO

That's not what the Commissioner means! Oh, actually, that is what he means. Actually, don't listen to him, that legislation is no longer valid. Durr!!!

Nigel Frank

What should have been a fairly straightforward question has exposed the utter incompetence of the ICO and in particular, how case officers are incessantly failing to give the view of the Commissioner in an assessment/case review.

Satisfying a condition for processing personal data is a fundamental aspect of the DPA. The conditions are given at schedule 2 of the DPA and the first is that the data subject has given his consent to the processing. Although consent is the first condition in the list, all the conditions are weighted equally and a data controller only has to satisfy one condition for processing. According to the DPA therefore, if a data controller has obtained the consent of a data subject then they can process their personal data how they see fit.

Consent is not defined by the DPA itself; instead, it is defined by the European Directive 95/46/EC as:

Any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.

However, freely given specific and informed consent does present a few problems for data controllers. For example, does a data controller obtain consent to process an individual's personal data - for any reason, just because that individual ticked a box to accept their terms and conditions? Wouldn't that person have to read through the data controller's terms and conditions first so that they made an informed decision to give their consent? Also, if we look at section 53 of the Commissioner's Direct Marketing guidance, he outlines what "freely given" means:

Freely given – the individual must have a genuine choice over whether or not to consent to marketing. Organisations should not coerce or unduly incentivise people to consent, or penalise anyone who refuses. Consent cannot be a condition of subscribing to a service or completing a transaction.

Fair enough, the Commissioner's Direct Marketing guidance focuses on the Privacy and Electronic Communications Regulations 2003 (PECR) rather than the DPA but the PECR also gets its definition of consent from the EC Directive. Thus, if the Commissioner is of the view that consent for the PECR cannot be a condition of subscribing to a service or completing a transaction, then why would consent to justify one's data processing be any different? The point I'm trying to make is that it's not clear at all that a data controller will obtain consent to satisfy a condition for processing just because someone ticked a box to accept the data controller's terms and conditions or privacy policy.

You shouldn't have to accept or agree to a privacy policy, by the way. I tend to contact the company and ask them whether they're contractually binding me to their data processing, and they often cannot or will not answer. A privacy policy is for information only and satisfies the data controller's obligation - it's got nothing to do with us as data subjects, so we don't have to read it, never mind accept it.

Anyway, it would appear that the Commissioner is also concerned about data controllers relying solely on consent to justify their data processing. The Commissioner's view is outlined at section 3.1.5 of his Data Protection Act 1998 Legal Guidance document which states:

One of the conditions for processing is that the data subject has given his consent to the processing. The Commissioner's view is that consent is not particularly easy to achieve and that data controllers should consider other conditions in Schedule 2 (and Schedule 3 if processing sensitive personal data) before looking at consent.

Unless someone wants to challenge the Commissioner's view in court then it would appear that data controllers need to consider another condition instead of relying on consent to justify their data processing.

By the way, seeking consent to justify one's data processing is not the same as seeking consent for unsolicited electronic marketing. Consent for unsolicited electronic marketing is a requirement of the Privacy and Electronic Communications Regulations 2003 (PECR), not the DPA. A data controller is still obliged to seek consent for electronic marketing regardless of what condition(s) for processing they rely on to justify their data processing. For example, if a company wanted to send me unsolicited electronic marketing they would need to satisfy a condition for processing (DPA) and obtain my consent to send me the electronic marketing (PECR). According to the Commissioner, consent for unsolicited electronic marketing is only valid if the individual has been given the opportunity not to give their consent prior to receiving the marketing. A data controller risks prosecution if they fail to obtain consent for unsolicited electronic marketing.

So here's my issue.

One of the things that I've been trying to clarify with the ICO over the past couple of years is how the Commissioner's view about consent for processing impacts on job alerts. Think Monster.co.uk and the fact that third party employers and employment agencies - let's call them Monster's "Partners", pay to access the Monster CV database. I've registered with Monster and my CV is public so I've invited job alerts from Monster's Partners. What this means is that I've given my consent (PECR) for Monster's Partners to send me unsolicited electronic marketing in the form of e-mail job alerts.

For the purpose of the PECR then, I'm happy that the third party Partners that pay to use Monster's CV database to send me electronic marketing in the form of job alerts are entitled to do this. But this is not my issue.

If Monster's Partners obtain my consent (PECR) to send me electronic marketing in the form of job alerts, does that mean that they can send me a job alert about any job? Am I going to receive thousands of job alert e-mails each day? No! Because Monster's Partners are also data controllers so they MUST also satisfy a condition for processing (DPA). And if the Commissioner is saying that data controllers cannot rely solely on consent to justify their data processing, then these Partners need to look at satisfying another condition for processing otherwise the processing necessary to send me a particular job alert could be deemed unfair. As I'm not contractually bound to these third party Partners, it's likely that the only other condition for processing that they can reasonably rely on is their legitimate interests - that the processing is necessary for the purposes of the legitimate interests pursued by the data controller.

My issue therefore is this... at what point does one of Monster's third party Partners satisfy their legitimate interests to process my personal data? In other words, at what point did the data controller satisfy themselves that they needed to process my personal data to send me that particular job alert? If they were able to rely on consent to justify their data processing then it's likely that they could send me job alerts about any job because I've given my consent. But they can't rely on consent to justify their data processing, so they'll need to demonstrate that they had a legitimate business need to process my information to send me a particular job alert.

For example, if I were a Maths teacher and my CV was on Monster, if one of Monster's third party employment agencies paid to access the CV database and sent me an alert about a job for an English teacher, is it clear that they needed to process my information to send me the English teacher job alert?

The Commissioner has identified two tests to determine legitimate interests. The first test is that the data controller must need to process the information for the purposes of their legitimate interests or for those of a third party to whom you disclose it.

Does the example of the English teacher above satisfy the first test? Let's consider the facts. If we reasonably conclude that the employment agency's need is to find suitable candidates for their client, and bearing in mind that their client is looking for an English teacher, then the employment agency's need is to find suitably qualified English Teachers who are willing to work in a specific location for the specified salary. With this in mind, what action did the employment agency take to ensure that the recipients of their e-mail job alert were able to satisfy this need? Or, to put it another way, what did the employment agency do to ensure that their job alert wasn't going to individuals who were unsuitable for the job?

The employment agency can filter the Monster CV database by location and by keywords but this will only get them so far. What I've been trying to get the ICO to clarify is how far do they need to go? Is filtering on location, salary, keywords etc, enough to establish a need or would the employment agency be expected to spend at least some time looking at each CV to ensure that the individual is suitable and thus, that they have a legitimate business need for processing that individual's information to inform them about this particular job?

You see, I think we have a new breed of employment agency where the abuse of the DPA is an essential part of their business model. So whereas your traditional employment agencies will take the time to review a candidate's CV before contacting them, this new breed of employment agency couldn't give a toss! They'd happily spam hundreds of thousands of CV owners just because they can't be bothered to spend time filtering or reviewing the CVs. This might be okay for the PECR but for the DPA, those employment agencies would need to demonstrate that they've processed the personal data fairly - that they have a legitimate business need to process the personal data for each of the data subjects that received their job alert.

As I say, I've been trying to get the ICO to clarify what the Commissioner would expect these third party Partners to reasonably do to establish that they needed to process an individual's information to satisfy their legitimate interests. Unfortunately, I've not been able to get an answer to this question because the ICO case officers appear to be confused about relying solely on consent to justify one's data processing. They seem to prefer to make up their own rules.

Let the bumbling commence!

The first time I brought this to the attention of the ICO was when I submitted a Request For Assessment (RFA) against an employment agency that had sent me a job alert that didn't contain any information about the job other than it was a permanent role based near my location. They said that I should contact them if I were interested. For me, there was nothing in that job alert to indicate that they needed to process my information. The e-mail might also breach Monster's terms and conditions because it's not really a job alert.

The case officer who conducted the assessment was clueless and concluded that it was likely that the employment agency had complied with the DPA. I rejected the assessment and submitted a case review. The case officer who conducted the case review, we'll call him Case Officer P (CO-P) - who is also a section head and likely responsible for training staff, had the following view:

It is clear in this case that you volunteered your personal data to the Monster website and therefore consented to the terms of the service it provides, which includes access and use by its agents. Where an individual chooses to submit their personal data to a website for this purpose, it is clear that they are actively consenting to their data being processed in this way.

Just to recap... the Commissioner is of the view that consent is not easy to achieve. But what the case officer is saying here is that not only do I give my consent to Monster by accepting their terms and conditions, but I also give my consent for Monster's Partners to process my personal data how they deem fit. And if Monster's Partners have my consent then what's to stop them from forwarding that consent to other companies via their terms and conditions... and so on. According to CO-P then, I've potentially given my consent for any number of unknown companies to do whatever they like with my information. Indeed, they could publish all the information contained in my Monster CV on their website. Why not! I've apparently given my consent and if they have my consent then they don't have to justify their processing.

According to CO-P then, a data controller can rely solely on consent to justify their data processing and that consent, as well as third party consent, can be obtained from me accepting Monster's terms and conditions. I asked him to clarify the apparent contradiction between the view of the Commissioner and his. Just to recap, the Commissioner's view at section 3.1.5 of his Data Protection Act 1998 Legal Guidance document states:

One of the conditions for processing is that the data subject has given his consent to the processing. The Commissioner's view is that consent is not particularly easy to achieve and that data controllers should consider other conditions in Schedule 2 (and Schedule 3 if processing sensitive personal data) before looking at consent.

CO-P replied as follows:

You have pointed out that ICO guidance states that organisations should not exclusively rely upon consent to legitimise processing. However, this part of the guidance simply highlights that there will often be more than one condition for processing personal data.

Yeah, I'm not convinced that this is what the Commissioner is saying.

Earlier this year I submitted another assessment that once again focussed on consent (DPA). The case officer that conducted the assessment was clueless and as is often the case, found in favour of the data controller. I submitted a case review and it was CO-P who once again conducted the case review and found in favour of the data controller. This time though I specifically asked CO-P to clarify whether a data controller can rely solely on consent. He said:

You, like any data controller, would indeed need to have a basis for publishing personal data fairly prior to seeking consent via terms and conditions. All data controllers would need whether disclosing personal data would comply with the first data protection principle in the particular circumstances.

What he's saying here is that a data controller would need to satisfy another condition for processing before considering consent. Durr... isn't this the view of the Commissioner as given at section 3.1.5 of his Data Protection Act 1998 Legal Guidance document?

It appears that CO-P has contradicted himself and now accepts the view of the Commissioner. I asked him to clarify the contradiction but he eventually stopped responding to my enquiries. I notice though that he still holds the view that consent can be obtained from a company's terms and conditions. Is that the view of the Commissioner is it? I don't think so! So even though he now accepts that data controllers need to satisfy another condition before considering consent, he still thinks that consent can be obtained by ticking a box.

Enter Case Officer J

Last month I received another job alert and on this occasion I simply wasn't suitable for the job being advertised. It's likely that the employment agency searched the Monster CV database for a single keyword and spammed tens of thousands of people. I submitted another Request For Assessment (RFA). The person who conducted the assessment concluded that the data controller had likely complied with the DPA so I submitted a case review. Indeed, whenever I submit an RFA these days, the assessments are often so poor that I expect to submit a case review. And the case reviews are so poor that I expect to submit a complaint to the PHSO.

Case Officer J (CO-J) - who is also a section head and likely responsible for training staff, conducted the case review and said:

By uploading your CV to monster.co.uk and agreeing to their terms and privacy policy you have given your consent to be contacted by the users of the monster.co.uk CV database, with details of job opportunities. 

Ha, so we have yet another contradiction; this time between two different case officers. CO-P had confirmed about three weeks earlier that a data controller cannot rely solely on consent, yet here's CO-J telling me that they can. I referred CO-J to the Commissioner's guidance and to the fact that CO-P had recently clarified the guidance. He replied as follows:

Section 3.1.5 is contained in legal guidance no longer published by the ICO. It refers to situations where consent is not particularly easy to achieve. In this case [the data controller] had obtained consent and therefore would be able to rely upon it to process your personal information.

As you will see the guidance goes on to say that ‘merely because consent is the first condition to appear in both Schedule 2 and 3 does not mean that data controllers should consider consent first’. This means each condition carries equal weight and organisations should not consider that consent, as the first condition on the list, is the only condition that they could use to process personal information.

As I have previously advised you [CO-P]'s comments do not relate to this case and should be taken in the context of the case or issue you raised with him.

If you as a data controller have obtained personal data fairly and lawfully and in particular can meet a condition in Schedule 2 and Schedule 3 in the case of sensitive personal data it is likely that you would have complied with your obligations under the DPA and could process the personal data for the purposes that you collected it for.

Hang on! If the guidance is no longer published does that mean that it's no longer valid? And if it's no longer valid then why is CO-J referencing it in his reply? And his reply is wrong anyway. His view is:

As you will see the guidance goes on to say that ‘merely because consent is the first condition to appear in both Schedule 2 and 3 does not mean that data controllers should consider consent first’. This means each condition carries equal weight and organisations should not consider that consent, as the first condition on the list, is the only condition that they could use to process personal information.

The Commissioner's guidance doesn't say this at all. It's not saying don't just consider consent because it's the first condition in the list. The Commissioner is saying... consider another condition because consent is not particularly easy to achieve. Does he or does he not say this in the guidance? Why hasn't CO-J referenced this part of the guidance in his response? It's because case officers tend to manipulate the DPA and the Commissioner's guidance to support their own unfounded view. You can see how they do it. They'll take the Commissioner's guidance and leave out anything that doesn't support their own subjective view. And why is it that CO-P's comments do not relate to this case? The Commissioner's guidance should apply to any case because it gives the view of the Commissioner, and case officers must give the view of the Commissioner.

Anyway, I wasn't convinced that the Commissioner's guidance was no longer valid so I had a look on the ICO's website and found a fairly up-to-date page that states: For these reasons an organisation should not rely exclusively on consent to legitimise its processing. So what's he on about? What does it take to get a straight answer from the UK's Data Watchdog? In an organisation like this the Commissioner's view should be the case officer's brand. They should all be on board and singing from the same hymn sheet.

CO-J has contradicted the view of the Commissioner so I've asked him to clarify.

Welcome to my world... where I can't get an answer to my question because I can't even get to the point where these chumps will even consider my question - because they don't have a clue what they're talking about. The view of a case officer is supposed to reflect the view of the Commissioner. I have to deal with this all the time. My MP is aware and so is the PHSO.

Update: 19.03.2015

CO-J has informed me that he will not discuss the matter further.

As it stands then, I've got one case officer who initially told me in a case review that a data controller can rely solely on consent to justify their data processing and that consent can be obtained by accepting a data controller's terms and conditions.

The same case officer in a completely different case review told me that a data controller cannot rely solely on consent to justify their data processing but still holds the view that a data controller can obtain consent for their data processing from their terms and conditions.

And now I have another case officer telling me that a data controller can rely solely on consent to justify their data processing. Furthermore, he has told me that the Commissioner's legal guidance is no longer published but not whether it is no longer valid. I'm not convinced that it's no longer valid because the guidance that can be found at section 3.5.1 of the Commissioner's legal guidance can still be found on a current page on the ICO's website.

Let's be clear, we're talking about the most fundamental aspect of the DPA - a condition for data processing - yet I can't seem to get a straight answer from the UK's Data Watchdog. And the view of both case officers that consent for data processing can be obtained by accepting a company's terms and conditions is not supported - you won't find this in the DPA or in the Commissioner's published guidance. It's just their own unfounded view. And that's how they do that!

I'm a case officer... durr, I work for the ICO... durr, I'm supposed to be giving the consistent view of the Information Commissioner... durr, but I don't really know what I'm doing here so I'll just give my own view... durr! And if in doubt, I'll just tell him that the company's terms and conditions can negate all data protection laws and regulations... durr!!!

And the taxpayer has to pay to employ these chumps!

Added: 15.03.2015 | Updated: 19.03.2015