Home > News
Mind my data Click to visit the homepage
The ICO is manipulating the process again
The basics
Plausible deniability
Employment agencies
Useful links
Open in a new window/tab
The Information Commissioner
Mailing Preference Service
Telephone Preference Service
Royal Mail junk mail opt-out
Register of data controllers
Analysis
My response to the ICO's tweet about policy
Are data controllers 'officially' lying to us?
Why do we need to accept a Privacy Policy?
Can I opt-out of a renewal quote under section 11 of the DPA?
Who's texting me about PPI?
Marketing corporate employees by e-mail

McAfee farms personal data

In April 2012, I received an e-mail from McAfee.com, sent to my works e-mail address, inviting me to attend the McAfee stand at a forthcoming exhibition. My work's e-mail address contains my name and identifies me as an individual within the organisation that I work for. My work's e-mail address is likely therefore to constitute my personal data.

I contacted McAfee and asked them how they obtained my e-mail address because I work within our organisation's intranet team - which is mostly and internal facing role. I was told that they found my details on the public page of a social network website, and that 'we validated your corporate email address through your Switchboard so we were able to send you out an invitation to our event'.

Two things here that really piss me off:

  1. My information was stored on the social network website under a contractual agreement that exists between the website owner and myself. What right does McAfee have to simply extract and process personal data obtained from another company's website?

  2. When I registered with the social networking site I exercised my contractual right to opt-out of all direct marketing from other members. I suspect that McAfee tried to contact me first via the social network site, realised that I had opted out of marketing so they extracted my data instead and used it to contact me directly at work. I'm not happy at all!

Are McAfee - a company that is supposed to promote online security, of the opinion that if they can find a way to access data, that they're entitled to process it if it serves their own needs? That just because they were able to see my online profile they have the right to process my personal data? What if a company accidentally exposed it's customer database on a web page, are McAfee entitled to capture that data and process it as well? Or would they conclude that it's not their data and therefore have no right to process it?

I've not submitted a formal complaint to the ICO as yet, instead I have asked them to clarify the law in relation to an employment agency that did something similar. The ICO have initially said that it is unlikely to be a contravention of the DPA98 if it was in the data controller's legitimate interests to process my personal data in this manner. The ICO is referring to the followingNew window DPA paragraph:

'The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject'.

I'm still asking the ICO to clarify the law but when I submit my complaint against McAfee, I'm going to argue that the processing is unwarranted because the information displayed on my public profile was intended to be processed by the website owner and it's associates only, and not by a third party company that neither has the consent of, nor a contractual relationship with the site owner. Basically, I am of the opinion that McAfee had no legal right to process my data. I will also argue that McAfee failed to obtain my consent (PECR) to send me electronic marketing.

Added: 01.07.2012