Mind my data

The ICO struggles to understand civil law

The ICO's Simon Entwisle told the BBC's Panorama last week that giving your consent to receive electronic marketing overrides your TPS opt-out. But there are supposed to be rules on how a company obtains consent and if you read on, I think you'll agree that the ICO are actually part of the problem; the advice that they are giving out in response to general enquiries is simply incorrect.

Can a commercial organisation negate the statutory rights of a data subject with their civil law terms and conditions? I would say that they definitely cannot but depending on who deals with your enquiry at the ICO it's not so clear what their policy is or whether they even have a policy. I believe that this is due to the fact that many of the employees working at the ICO are not legal professionals. Indeed, I suspect that many of them have no legal training whatsoever. What they do is learn how to understand and interpret the various data protection laws to the point where they're able to offer advice. The problem with this is that they often fail to understand the wider picture, and in particular, how the various data protection laws and regulations interact with civil law.

The ICO doesn't seem to grasp the idea that a company cannot negate the statutory rights afforded to a data subject with a standard form civil contract. Or if it does, it's failing to share the knowledge among its staff.

As an example, I have been told on many occasions by the ICO that an organisation is required to obtain an "informed" indication of consent before they can process your personal data to target you with electronic marketing. What they mean by this is that the data controller cannot simply assume that the data subject has given their consent; they need to actively seek consent so that it is virtually impossible for the data subject to submit their data without being made aware that it will be used to send them electronic marketing. The obvious method is to put a clear consent statement on the form: 'by submitting this form we will use your e-mail address and phone number to keep you informed about our products or services'. If the consent statement is clear, not too wordy and, ideally, situated above the submit button, then it's virtually impossible for a data subject to submit the form without being informed.

A consent statement on the web-form is not the only method for obtaining consent but it demonstrates the need for a data controller to actively inform the individual. However, many companies fail to use consent statements or any other method, preferring instead to rely on consent statements buried within their terms and conditions/privacy policy. These companies are attempting to use civil law to obtain the individual's consent. They believe that by ticking a box to accept their terms and conditions/privacy policy, the individual is accepting the consent statements contained within their standard form civil contracts. But it's highly unlikely that this method can be used to obtain an informed indication of consent because while the company is able to prove that the individual ticked the box, they are not able to prove that they actually visited those pages and read the terms/consent statements contained within. Unless the company can show that the individual actually visited those pages and read the consent statements contained within, then it's unlikely that they've obtained consent.

This is my understanding based on numerous communications with the ICO – that the company needs to actively inform me that by submitting my personal data it will be used to target me with electronic marketing and overrule my TPS opt-out.

So, getting back to my point...

The other month I submitted a PECR complaint to the ICO – which I don't often do as it's basically a waste of time. The ICO goes through the motions but the outcome is always the same... they'll keep the complaint on file. Anyway, bearing in mind what I've said above about how an organisation needs to obtain an informed indication of consent, here's part of the ICO's response to my complaint (ELE0442206):

'After examination of the [Company's] website I note that their privacy policy states under information disclosure,
 
"We may also use the information you supply to keep you informed of current or new products and services, perform market research or to remind you when your renewal is due".
 
In the circumstances this appears to be a clear notice of their intention to send you marketing regarding their own products.  In the same section of the privacy policy is a link enabling you to opt out of future marketing communications if required'.

It's a total and utter contradiction though from what the ICO has told me on numerous occasions. According to the ICO's enquiries department it seems that a company can bury a consent statement within its terms and conditions/privacy policy and this is an acceptable method for obtaining an informed indication of consent and bypassing my TPS opt-out.

What is apparent to me is that the ICO doesn't have an overall knowledge database. It seems that the less informed enquiries team are giving out incorrect advice while a more informed case worker understands the need to obtain an informed indication of consent. A similar contradiction happened to me last year with a TalkTalk complaint. I told the guy from TalkTalk to contact the ICO's enquiry team to clarify the law and he was told something that was inconsistent with the ICO's policy.

If any MPs are reading this, why isn't there a system in place at the ICO to ensure the consistency of replies to enquiries?

See: What is consent

See: Which? fails to obtain consent

Added: 08.07.2012