
The ICO confirms that the TPS is a waste of time

Is there any point in submitting a TPS complaint to the ICO when it's clear that the UK's Data Watchdog couldn't care less whether or not a company has a right to phone a TPS number to promote their products or services?

Many of us will have seen the Information Commissioner and other senior ICO staff on TV assuring us that they are working hard to ensure that companies comply fully with TPS regulations (Regulation 21 PECR). However, based on how the ICO have dealt with my complaint against Sparta Telecom it's likely that they are not.

Last year Sparta Telecom phoned my TPS number to promote their services to me. I responded by submitting a Subject Access Request (SAR) and Sparta informed me that they had obtained my information from a third party mailing list that was supplied by a company called Teleprospects Ltd; a company that now goes under the name of TPL Media.

I submitted an SAR to Teleprospects and they seemed genuine enough; they complied fully with my SAR but informed me that they did not provide my information to Sparta. However, I wasn't best pleased to discover that Teleprospects had obtained my information from a third party that I'd never heard of, in 2004, and were still processing it. I submitted a separate complaint to the ICO about this. That's ten years that Teleprospects had held on to my name, postal address and home phone number. Unbelievable!

Note: I nearly always submit a SAR when a company sends me unexpected marketing but I've never paid the £10 fee yet. Once you start digging into these companies you'll soon learn how your personal information is bought and sold behind the scenes.

Having learned that Teleprospects did not provide my information to Sparta, I went back to Sparta and asked them to confirm how they obtained my information; I submitted another SAR. Sparta informed me:

With regard to your data access request under the Freedom of Information Act 2000., we do not hold any data on you, your number was on an excel spreadsheet which was supplied to us, this file has already been destroyed automatically by the system once the end of the list is reached, as is standard procedure and policy once the numbers have been dialled, as our contract is for one use only.

Sparta's compliance person didn't seem to understand the difference between a Subject Access Request and a Freedom of Information (FOI) request and that's why he's referring to the Freedom of Information Act 2000. Commercial organisations do not have to comply with FOI enquiries. Anyway, what we learn from this response is that:

  • Sparta apparently obtained my personal information from a third party mailing list;
  • Sparta assumed that they had obtained my consent from that third party mailing list;
  • Sparta processed my personal information to phone my TPS number to promote their services to me;
  • Sparta deleted my information immediately after processing it in accordance with their policy.

I submitted a complaint to the ICO and argued two points:

  1. That by deleting personal information immediately after processing it, Sparta will not have to explain how they obtained an individual's information in response to an SAR. This is because an SAR is based on the information that the organisation actually holds about you - not on what they once held. If Sparta are deleting the information immediately then

  2. That by deleting personal information immediately after processing it, Sparta will not be able to demonstrate that they had obtained the individual's consent to phone their TPS number to promote their services.

In the Assessment (RFA0581234), the case officer said:

Sparta Telecom advised you that the information they held about you had been deleted in their normal course of business before they received your subject access request. We have no reason to dispute this. The Data Protections Act 1998 provides you with a right to request copies of personal information that is held about you however it does not give you the right to request a copy of an organisation’s retention policy.

But if Sparta is deleting my information immediately after processing then I won't be able to submit an SAR before they delete my information. Furthermore, a data controller shouldn't just delete information after processing; it should be deleted in accordance with a data retention policy. This policy should take into account what the information is being used for. For example, if the information is being processed to target an individual with direct marketing, then it's highly likely that some of the recipients of the marketing will want to submit an SAR to find out how and when the company obtained their personal information and at what point they obtained their consent. In which case, wouldn't the data controller reasonably have to retain the information for at least a month or so, to give the data subject time to exercise their statutory right of subject access?

Then there's the question of consent. Sparta need the individual's consent prior to promoting their services via a TPS registered phone number; wouldn't Sparta need to retain the information for a period of time to demonstrate that they obtained consent? Sparta told me that they obtained my information from Teleprospects but Teleprospects said that they did not. What am I supposed to do in that situation? What's the ICO going to do?

The case officer replied as follows:

Regarding subject access requests, information should not be deleted by an organisation to avoid releasing it under an individual’s request. However the fifth principle of the DPA says, ‘personal data kept for any purpose(s) shall not be kept longer than is necessary for that purpose(s)’.

It would be impractical for the DPA to be able to give specific retention periods for every type of organisation that must comply with the DPA. Therefore the fifth principle means in practice that once it is no longer necessary for a data controller to retain data collected for a particular purpose, they should take the appropriate steps to dispose of it.

In this case we have no evidence that Sparta Telecom had reason to consider that they had a requirement to retain this information.

The case officer said: 'Therefore the fifth principle means in practice that once it is no longer necessary for a data controller to retain data collected for a particular purpose, they should take the appropriate steps to dispose of it'.

This is not what the fifth data principle means!

The actual definition of the fifth data principle given on the ICO's website states:

 

The Act does not set out any specific minimum or maximum periods for retaining personal data. Instead, it says that:

Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

This is the fifth data protection principle. In practice, it means that you will need to:

        • review the length of time you keep personal data;

        • consider the purpose or purposes you hold the information for in deciding whether (and for how long) to retain it;

        • securely delete information that is no longer needed for this purpose or these purposes;

        • and update, archive or securely delete information if it goes out of date.


Reviewing the information is an essential element of the fifth data principle so why has the case officer failed to mention this in his response? Is it because omitting the need for the data controller to review the information prior to deleting it better supports the case officer's own subjective view that a data controller is well within their rights to delete personal information immediately after processing?

I submitted a case review (RCC0585624) and argued that the case officer deliberately omitted the need to review from the definition of the fifth data principle in order to satisfy his own agenda. The case review concluded that:

[The case officer who conducted the assessment] has quoted the definition directly from the legislation, with a slight truncation for ease of reading. His advice on the requirements of this principle was correct.

Slight truncation? Bollocks! By omitting the need to review personal data prior to deleting it the case officer has completely changed the definition of the fifth data principle. The case review concluded that the advice given was correct but it's not, is it? The Information Commissioner either requires data controllers to review personal information prior to deleting it or they can just delete it. And if the data controller is required to review prior to deleting then the case review should have reasonably concluded that the view given in the assessment was incorrect. Furthermore, when you put it into context, that omitting the need to review greatly supports the view that Sparta can delete personal information immediately after processing, it's reasonable to conclude that it was omitted deliberately.

The case review went on to say:

The Act does not prescribe how long information should be retained for.

The fifth principle says that: “Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.”

On the basis that Sparta had made the call and had no further reason to hold the data, we would not be able to reach an adverse assessment in these circumstances.

This does not affect the right of subject access: the response to your request is that the company does not hold your data.

You state that, “This case is a cracking example of how case officers actively and knowingly manipulate the assessment process to suit their own agenda.”

I am satisfied that [the case officer who conducted the assessment] was correct not to accept your individual concerns on this occasion, and that this decision was in line with our casework procedures.

So there you have it. The ICO clearly does not have a problem with commercial organisations deleting personal information immediately after processing it to target an individual with direct marketing. This means that the ICO:

  • Does not require a data controller to reasonably retain personal information for a period of time - having processed it to target an individual with direct marketing; so that the individual can submit an SAR and be told how and when the company obtained their information;

  • Does not require a data controller to reasonably retain personal information for a period of time - having processed it to phone a TPS registered phone number to promote their products or services, so that they are able to demonstrate that they obtained consent to phone a TPS number.

But there's more... you're going to love this!

I recently contacted Paul Arnold - the ICO's Head of Customer and Business Services, about one of my previous cases. The case review in this case (RCC0586606) concluded that the marketing that I received - a renewal quote for car insurance, was solicited electronic marketing, not unsolicited electronic marketing. Solicited electronic marketing is marketing that is actively requested and as such, does not require consent.

For example, if I fill out a form to actively request a quote for insurance by e-mail then that e-mail quote will likely constitute solicited electronic marketing. My active request will have been fulfilled when I received the e-mail quote. If the company sent me a further e-mail quote, a renewal quote, or phoned me to see if I wanted to proceed with the quote, then this would likely be unsolicited electronic marketing because I didn't actively request a follow-up e-mail or the phone call; I actively requested a quote by e-mail.

Why does this impact on the TPS? Well, if a company can obtain an individual's active request to receive solicited marketing via their terms and conditions, then this makes a mockery of the TPS. All a company has to do is add a term stating that their customers actively request marketing phone calls and they won't need to obtain the individual's consent prior to phoning a TPS number to promote their products or services. Thus, any company that you have an ongoing relationship with could phone your TPS phone number to promote their products or services without having to bother about screening for the TPS.

I've asked Mr Arnold on numerous occasions to clarify whether or not a data controller can obtain an active request for solicited marketing via their terms and conditions but he has continually refused to clarify. He doesn't want to clarify because he doesn't want to admit that the case review was flawed so he simply refuses to answer the question. So that's Mr Paul Arnold, the ICO's Head of Customer and Business Services, refusing to clarify. Instead he said:

We remain clear that our case handling and case review processes have been followed in the examples you have raised. We do not accept that you have supplied evidence of these processes being flawed. We also do not accept your allegations of fraud, based on the fact our staff have not agreed with you

Instead of telling me this, why doesn't he just tell me whether or not a company can obtain an individual's active request to receive solicited marketing via their terms and conditions?

Is the ICO making a mockery of the TPS?

In this case the ICO had the following facts:

  1. That Sparta phoned my TPS registered phone number to promote their services to me;
  2. That Sparta informed me that they received my information from Teleprospects;
  3. That Teleprospects denied giving my information to Sparta;
  4. That Sparta refused to provide me with a receipt of purchase from Teleprospects;
  5. That Sparta deleted my information automatically shortly after processing it.

Did the ICO have reasonable grounds for asking Sparta to provide some evidence that they purchased my information from Sparta? Absolutely, for two reasons:

  1. To determine whether Sparta lied in response to my SAR;
  2. To determine whether Sparta were randomly phoning TPS phone numbers.

Yet the ICO never bothered to contact Sparta to clarify anything.

It seems to me that the ICO's front line administrators couldn't care less about TPS abuse. In this case they had a perfectly valid reason for contacting Sparta and seeking clarification. Not only did they fail to do this, the case officer who conducted the assessment manipulated the process to support his own unfounded view that Sparta can delete personal information immediately after processing it for the purpose of direct marketing. Furthermore, it seems that the ICO also holds the view, supported by Mr Arnold, that a company can obtain an active request for solicited electronic marketing from their terms and conditions which means that any company that you have an ongoing relationship with will not have to screen for TPS prior to phoning your number.

You can draw your own conclusions but the next time you see a senior member of staff at the ICO on the TV harping on about how they're clamping down on TPS abuse you can take that with a pinch of salt. They focus on prosecuting a couple of companies to give the impression that they're clamping down and to grab the headlines. In reality, it seems that ICO staff - including the Head of Customer and Business Services, are more than happy to manipulate the process.

This is a typical response from the ICO by the way. The ICO's case officers are merely administrators with no formal legal training yet they regularly adjudicate on complex legal issues. They adjudicate because rather than support their view with a reference to policy, guidance, knowledge base information, or policy advice, the case officers just give their own subjective views or manipulate the facts to support their views.

Conclusion

The problem here is that senior managers are making promises to the public that they cannot keep. They're telling the public that they're clamping down on TPS abuse but clearly this view is not being disseminated to the front line administrators that deal with the complaints. The effectiveness of the front line staff is further diminished by a lack of top down policy within the ICO. Where's the ICO's policy on organisations deleting personal information immediately after processing it for the purpose of direct marketing? Have the case officers now created policy? Can we expect to see this on the ICO's website soon?

Of course what should happen is... if the company is unable to demonstrate that they had a right to phone a TPS registered phone number to promote their products or services, then the ICO should reasonably conclude that the company randomly phoned the number. It should then be up to the company to prove that they did not and if they cannot then they should prosecute.

I've said it before and I'll say it again... when it comes to dealing with complaints from individuals about commercial organisations, the ICO is not fit for purpose.

Added: 26.09.2015