Home > News
Mind my data Click to visit the homepage
The ICO is manipulating the process again
The basics
Plausible deniability
Employment agencies
Useful links
Open in a new window/tab
The Information Commissioner
Mailing Preference Service
Telephone Preference Service
Royal Mail junk mail opt-out
Register of data controllers
Analysis
My response to the ICO's tweet about policy
Are data controllers 'officially' lying to us?
Why do we need to accept a Privacy Policy?
Can I opt-out of a renewal quote under section 11 of the DPA?
Who's texting me about PPI?
Marketing corporate employees by e-mail

Wiggletree fails to comply with Subject Access Request

Touting themselves as one of the UK's leading recruitment communities, Wiggletree fails to comply with my Subject Access Request.

Wiggletree.comNew window is a UK-based portal for a number of job websites that are mainly operated by non-UK data controllers; such as www.indeed.co.uk and jobg8.co.uk. Registered members can upload their CV and make friends with other members etc.

Wiggletree sent me an e-mail on the 5 May and this is the first time that I had ever heard of the company. It was basically a promotional e-mail but there was an option there to upload my CV. I responded to the e-mail by submitting a Subject Access Request to ask them how they obtained my information and what right they had to process it to send me electronic marketing. It's common practice for me these days to submit a Subject Access Request whenever I receive unexpected marketing.

40 days passed and I received no response from Wiggletree. So I e-mailed them to let them know that I would be submitting a complaint to the ICO. They replied and informed me that this was the first e-mail that they had logged from me. Unfortunately for Wiggletree, as long as I'm able to demonstrate that I sent my Subject Access Request to an active e-mail address, the ICO will deem that the data controller would have received it. Wiggletree also informed me that they had deleted my account - I never asked them to delete my account. Wiggletree also said that they do not buy email databases as this is illegal and not ethical. Yeah right... pull the other one it's got bells on!

I submitted my complaint to the ICO and they concluded that Wiggletree had likely failed to comply with my Subject Access Request (RFA0494135) because they failed to comply within 40 days. The ICO contacted Wiggletree who basically repeated what they told me; that they don't buy mailing lists and that someone else must have registered using my e-mail address.

I think the ICO would like to call it a day there but I'm not happy and I may have to seek a case review.

I've gone back to the ICO and asked them to prosecute Wiggletree for deleting my account in response to a Subject Access Request. I never asked them to delete my account and a data controller does have an obligation under the sixth data principle to process personal in accordance with the rights of data subjects - my right to submit a Subject Access Request. Wiggletree need to comply with my request not delete my account to avoid having to comply.

I am also of the opinion that their processing of my data was unwarranted because they've demonstrated a clear intention not to comply with my Subject Access Request. I am of the opinion therefore that their processing was also unwarranted because it prejudiced my rights as their data subject to submit as Subject Access Request and expect them to comply.

I've since re-worded my Subject Access Request template to make it clear that I do not want a data controller to delete my data until I confirm that I am satisfied with their response to my Subject Access Request. At least then if I have to take them to court I can demonstrate to the judge that I clearly advised them not to delete my account.

I've raised a number of other issues with the ICO too which I'll discuss at a later date.

If you can't find their privacy policy on their website then it's hereNew window if you're interested.

Update 17/12/2013

The Wiggletree website is currently unavailable. A suspect the cause for this is that they're having to make changes to the security of their website as this was one of the other issues that I raised with the ICO. To recap, I found myself registered on a website that I'd never heard of before. When I questioned this with Wiggletree they decided to delete the account. However, when I was drafting my complaint to the ICO I wasn't able to view their privacy policy as there were no links for non-members, so I created an account under a different name and logged in.

While I was logged in to the site I changed the ID number at the top of the page to see whether I could find the previous account that had been created for me without my knowledge, and sure enough, by changing the ID in the URL I was able to view another member's details. I Changed the ID again and I was able to see another member's details and so on. I didn't find any details for me though. This was likely to constitute personal data as I could see their name, home telephone number, mobile phone number, and their location so it would be fairly easy to identify a living individual. I made the ICO aware of this and they investigated.

Once their investigation had concluded the ICO said:

Wiggletree have explained that members can control what data is available in the privacy settings tab on their account. The information visible is the same as on other websites such as LinkedIn.

However, as Wiggetree clarified in its response to your previous complaint, it is in the process of rebuilding its website and will take the site offline until the new one is ready. The new site will not have any member sections.

The ICO concluded:

On the basis of all the information available we have decided it is unlikely that Wiggletree has complied with the requirements of the DPA in this case. This is because it appears it did not take appropriate steps to prevent the disclosure of personal data to third parties. From what we understand about the Wiggletree site we cannot see there is any expectation that a subscriber’s personal data would also be accessible to other subscribers.

However, we note that Wiggletree is in the process of amending its website and that a member section will not form part of the new one. It would appear therefore that Wiggletree has taken note of the issue you have raised and has taken steps to correct the situation. The Information Commissioner has therefore decided that further regulatory action is not required at this time.

So if you had a legitimate account with Wiggletree and you're not happy that your personal data was likely exposed to other members, then you might want to seek legal advice. The ICO's case reference number for this is: RFA0512698.

Update 11/05/2014

The Wiggletree website has been down for a while now and personally, I would like to see it remain that way. The way I see it... there's always some chump that doesn't know anything about anything who thinks he's going to make money by operating some super duper online portal. When the reality is, that these types of company have to spend millions in advertising each year. And unfortunately, if you don't have the advertising budget, then the only way that you can even get to dip your toe in the water is to abuse data protection laws and regulations. Either that or put an awful lot of effort into it and hope that the word spreads via social media.

I received marketing from a dating company based in Gibraltar last year and they told me that they had obtained my information from Wiggletree - months after Wiggletree told me that they had deleted my information. Wiggletree also never responded to a second subject access request that I submitted so Ill keep these in the bank and I'll be all over them if they send me marketing again, or if they forward my information to another company.

Added: 01.09.2013.