The ICO is complicit in the systemic abuse of our direct marketing rights
The notion that an organisation can obtain our information from “somewhere” and process it to target us with unwanted direct marketing is utter nonsense! If any organisation is acting as a data controller for our information without our knowledge, then they should make us aware who they are and what they intend to do with our information BEFORE they process it to target us with direct marketing. The ICO is likely to be well aware of this but they’ve opted to manipulate the process to support these third party spammers and scammers, so that they can continue to target us, our children and our elderly parents with unwanted direct marketing.
The fact that the ICO has repeatedly failed to clarify the correct interpretation of Section 11, only serves to demonstrate that they’ve been caught in a lie that likely affects us all but don’t want to admit it. You can see how the ICO continues to avoid answering my question at the bottom of this article. Note how they only give me half an answer instead of addressing the question being asked. The ICO is refusing to answer the question because to do so, they’re going to have to admit that they’ve deliberately manipulated the process.
What’s this all about?
As individuals, one of the key rights afforded to us under the Data Protection Act (DPA) is the right to ask a specific data controller for our information not to target us with direct marketing. In this article I shall analyse the relevant law and guidance and by doing so, I aim to demonstrate how the Information Commissioner has opted to manipulate our key rights to favour the UK’s mailing list industry. In other words, the ICO is pissing all over our key rights as individuals by giving preferential treatment to the arseholes that obtain our contact information from “somewhere” so that they can target us with direct marketing. Yet rather than being open, by admitting that they’re doing this, the ICO has attempted to cover it up. I’m going to expose the cover-up and you can decide for yourselves.
Fortunately, we can now claim compensation in the small claims court and it’s a fairly easy win but I’m keen to see how far the ICO will go to stick to their lie. And let’s be clear, if the ICO has deliberately manipulated this process then there needs to be an investigation. My thoughts are this… if the ICO doesn’t want to enforce our key rights, then tell us and tell us how we can go about claiming compensation in the small claims court instead. Don’t manipulate the process to hide the truth from us because that’s a serious breach of trust by a government agency. I’ll add any response that I receive from the ICO to the bottom of this article.
The marketing chain of misery
Big business needs our information so that they can promote their products and services to us. To fulfil this demand, the UK has an industry of mailing list operators and marketing companies that trade in our information without us ever being made aware. Feeding into this chain of misery we’ve got the genuine companies that we do business with on a daily basis, as well as the bottom-dwellers: the creepy bastards that spend their days crawling through social media websites gathering our information and creating likely e-mail addresses for us at our place of work. I’ve settled out of court with a few of the companies that scraped my information from LinkedIn and I’m currently taking one of them to court. It’s unfair data processing to process personal information obtained from the public domain and it’s an easy win in court.
This marketing chain of misery affects all of us, including children and elderly parents. We’re all at the whim of organisations that are unknown to us trading in our personal information in the shadows until finally it is used to target us with direct marketing. It should not be happening, the law states that it should not be happening but the ICO is allowing it to happen. So I’m going to reference the published view of the Information Commissioner, I’m going to reference the DPA and EU law and demonstrate how the ICO has opted to manipulate the process in their direct marketing guidance.
For the purpose of this article, I shall focus mainly on third parties. Those organisations that obtain our information from a source other than directly from ourselves, and either trade our information for profit without our knowledge, or process it to target us with direct marketing. Let me start by giving you an example to demonstrate what goes on behind the scenes. When I use the word “organisations” I’m referring to those organisations that are data controllers for our information.
An example of what goes on behind the scenes
A few years ago, I received direct marketing from the Cooperative Bank. I submitted a string of Subject Access Requests to discover that I had originally given my information directly to a comparison website years earlier when I obtained a quote for car insurance. They had sold my information to a marketing company called LeadX and they held on to it for about eighteen months. They then sold my information to another marketing company called Marketing Source. Marketing Source were commissioned by the Co-op to design and send out the mailshot and they in turn commissioned Communisis Data Intelligence to process the data and send out the mailshot.
The comparison website, LeadX, and Marketing Source were all data controllers for my information. Communisis Data Intelligence insisted that they were only acting as data processor for my information; acting under instruction from Marketing Source. Marketing Source’ solicitor refused to clarify this however, as she was unwilling to disclose the nature of the contract between Communisis and themselves. And to top it all, the comparison website had no right to disclose my information to third parties for direct marketing in the first place because they failed to give me the right to object. If it happened today, I’d be claiming compensation in the small claims court under Section 13 of the DPA.
I registered directly with the comparison website but neither LeadX or Marketing Source made me aware that they were a data controller for my information. That’s unfair data processing and again, if it happened today I’d claim compensation. And what makes the Cooperative Bank think that they can rely on mailing lists? What are they doing to check the validity of the mailing lists?
See what I mean. There is an entire industry of arseholes unfairly trading in our personal information without our knowledge and it often starts with the companies that we register directly with. This shouldn’t be happening though, because all the data controllers in my example were obligated to process my information fairly. This includes the following obligations:
They each needed to satisfy a condition for processing my information (a requirement of the first data principle).
They each needed to identify themselves to me, let me know that they’re a data controller for my information and tell me how they intend to process my information (a requirement of the first data principle).
They each needed to obtain my consent to disclose my information to a third party for the purpose of direct marketing (a requirement of Article 14b of EU Directive 95/46/EC). For that consent to be valid they would need to name the third parties that they wish to disclose my information to.
They each needed to give me the right to object to my personal information being processed for the purpose of direct marketing in accordance with Section 11 of the DPA (a requirement of the sixth data principle). This is a KEY right of individuals, yet I can’t exercise this right until I know who they are.
They each needed to give me the right to submit a Subject Access Request in accordance with Section 7 of the DPA (a requirement of the sixth data principle). Again, this is a KEY right of individuals, yet I can’t exercise this right until I know who they are.
A note about Point 3: When we register directly with an organisation, if they want to disclose our information to a third party for the purpose of direct marketing, they MUST give us the right to object to such a disclosure (Article 14b of EU Directive 95/46/EC). We can claim compensation from the company if they fail to give us a clear opportunity to object. It’s a strong argument for the court to consider too, because the law is clear: we must be informed and “expressly offered the right to object” to such a disclosure. The law is clear and UK courts are obligated to comply with EU law. Furthermore, if they don’t obtain clear consent, then the third party will not be able to satisfy a condition for processing and you could claim compensation against them too!
In light of this, the only possible way that a third party data controller can fairly process our personal information to target us with direct marketing, is if they obtain it directly from an organisation that obtained it directly from ourselves. And then, only if the third party were specifically named in a clear statement that gave us the right to expressly object to our information being disclosed. Indeed, the notion that one organisation can obtain a mailing list of personal information from somewhere and trade it with another organisation is utter nonsense! It’s a lie that the ICO is desperate for us to believe because an entire industry relies on this abuse.
Having briefly clarified Point 3, I’m going to focus on two of the points raised above in more detail: The need for data controllers to provide us with a fair processing notice (Point 2) and the need for data controllers to comply with our rights under Section 11 of the DPA (Point 4). For these two points, I’m going to demonstrate how the ICO’s flagship direct marketing guidance has manipulated our rights as individuals to favour the spammers and support the scammers.
Let’s start with the need for ALL data controllers for our information to provide us with a fair processing notice (Point 2).
What is a fair processing notice?
When an organisation makes decisions about the processing of our personal information: obtaining it, disclosing it, processing it for the purpose of direct marketing etc., it’s likely that they will act as a data controller for our information and we usually have a right to be informed. As a rule, a data controller for our information will need to make a fair processing notice readily available to us or they will need to provide us with one. A data processor by the way, will only process personal information as instructed by a data controller so they’re not obligated to provide us with a fair processing notice.
Most of the organisations that we register directly with, will satisfy their obligation to provide us with a fair processing notice by making a privacy notice available to us. A fair processing notice therefore, should identify the data controller and tell us how they intend to process our information. In some cases, the data controller isn’t obvious. For example, Blacks, Millets, and JD Sports all have the same data controller: JD Sports Fashion Group.
It’s important to understand though, that it’s not just the organisations that we register directly with that are obligated. All organisations that act as a data controller for our information are, as a rule, obligated to provide us with a fair processing notice unless it’s not practicable to do so. This includes organisations that obtain our information from a source other than directly from ourselves.
Schedule 1, Part 2, 2 of the DPA makes it clear that a data controller for our information needs to provide us with a fair processing notice whether they obtain our information directly (a) or indirectly (b):
2 (1) Subject to paragraph 3, for the purposes of the first principle personal data are not to be treated as processed fairly unless—
(a) in the case of data obtained from the data subject, the data controller ensures so far as practicable that the data subject has, is provided with, or has made readily available to him, the information specified in sub-paragraph (3), and
(b) in any other case, the data controller ensures so far as practicable that, before the relevant time or as soon as practicable after that time, the data subject has, is provided with, or has made readily available to him, the information specified in sub-paragraph (3)
Sub-paragraph 3 that is referenced above, stipulates the information to be provided in a fair processing notice: the identity of the data controller, the type of processing being carried out etc.
What do we mean by “so far as practicable”?
Whether personal information is obtained directly or indirectly, the phrase “so far as practicable” is quoted in the legislation above. What do we mean by so far as practicable?
Fortunately, the Information Commissioner has created some in-depth guidance on how to interpret various aspects of the DPA and it specifically covers situations where organisations obtain our information from a source other than directly from ourselves: Data Protection Act 1998 Legal Guidance (PDF). This guidance explains the Commissioner’s interpretation of the phrase “so far as practicable” and I’ve outlined it below.
Paragraph 18.104.22.168 of the ICO’s DPA – Legal guidance states:
22.214.171.124 Information to be provided to data subjects – data obtained other than from data subjects.
The fair processing information (see paragraph 126.96.36.199 above) should also be provided to data subjects (within the timescale set out in paragraph 188.8.131.52 below) in cases where the data have been obtained from someone other than the data subject, unless one of the exceptions in paragraph 184.108.40.206 below applies.
As a general rule, the Information Commissioner explains that data controllers that obtain our information from a source other than directly from ourselves are expected to provide us with a fair processing notice – so far as practicable.
The Commissioner explains what is “practicable” by giving a couple of exemptions at paragraph 220.127.116.11. You can check for yourself, but the only exemption that will likely apply to a commercial organisation that wants to target us with direct marketing is the “disproportionate effort” exemption. In other words, the Commissioner is saying that, if it requires a disproportionate effort on behalf of the third party data controller to provide us with a fair processing notice, then providing the fair processing notice will not be practicable.
The disproportionate effort exception is clarified at paragraph 18.104.22.168, which states:
The term “disproportionate effort” is not defined in the Act. In assessing what does or does not amount to disproportionate effort the starting point must be that data controllers are not generally exempt from providing the fair processing information because they have not obtained data directly from the data subject. What does or does not amount to disproportionate effort is a question of fact to be determined in each and every case.
In deciding this the Commissioner will take into account a number of factors, including the nature of the data, the length of time and the cost involved to the data controller in providing the information. The fact that the data controller has had to expend a substantial amount of effort and/or cost in providing the information does not necessarily mean that the Commissioner will reach the decision that the data controller can legitimately rely upon the disproportionate effort ground. In certain circumstances, the Commissioner would consider that a quite considerable effort could reasonably be expected. The above factors will always be balanced against the prejudicial or effectively prejudicial effect to the data subject and in this respect a relevant consideration would be the extent to which the data subject already knows about the processing of his personal data by the data controller.
The guidance goes on to state:
Where a data controller relies upon the disproportionate effort ground in (a) above, the data controller must keep a record of the reasons why he believes the disapplication of the fair processing requirements is necessary.
Clearly, the Information Commissioner requires data controllers that obtain our information from a source other than directly from ourselves, to provide us with fair processing information; unless it requires a disproportionate effort to do so. In which case, it will not be deemed practicable to provide us with this information and the data controller should record why they cannot provide us with a fair processing notice.
The ICO deliberately buries guidance to support the lie
This all sounds fairly reasonable but you won’t find this information in the ICO’s flagship direct marketing guidance. There’s nothing about the need for third parties to provide us with a fair processing notice and you won’t find the phrase “disproportionate effort”. Instead, the ICO has opted to bury this guidance in order to give an advantage to third parties. Indeed, I’ve been informed by various members of staff at the ICO that their Data Protection Act 1998 Legal Guidance is no longer published but it’s not clear what they mean by this.
The ICO’s legal guidance gives an in-depth interpretation of the DPA by the Information Commissioner so although I accept that this specific guidance is no longer promoted on the ICO’s website, this doesn’t necessarily mean that the view of the Commissioner is no longer valid. It simply means that the ICO has opted to copy some of the guidance on to their website while apparently opting to bury the rest of it. The ICO can’t just bury a previously published view of the Commissioner though. If it’s no longer valid then why is it no longer valid? The DPA hasn’t changed much in the past 20 years so why should the Commissioner’s interpretation of the DPA change? We need to know why it’s no longer valid.
I can only reasonably conclude that the ICO is deliberately and knowingly manipulating our rights as individuals in their direct marketing guidance because they want to support the spammers and of course, this helps the scammers. The more marketing e-mails that we receive, the easier it is for scammers to target us, our children or our elderly parents with phishing e-mails. My elderly father is lucky that he has me there to sort him out – I visit him every day. He’s also good on computers so he understands the risks. But think of the hundreds of thousands of pensioners that have no one to advise them. They need the ICO to do their job, yet these arseholes have opted to completely bury the issue. As it stands then, we don’t know what the view of the Commissioner is on this issue. And the taxpayer is paying to keep these arseholes in jobs.
Let’s take a look now, at our rights under Section 11 to see what they are, and to see whether they have any impact on the need for a third party to provide us with a fair processing notice. The ICO can’t be manipulating Section 11 too can they? Surely not!
What rights does Section 11 of the DPA give us?
Section 11 of the DPA is our fundamental right as individuals to ask a data controller for our information to cease, or not to begin processing it for the purpose of direct marketing. Here’s Section 11(1) of the DPA, as it’s quoted in the Act:
An individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing for the purposes of direct marketing personal data in respect of which he is the data subject.
My understanding of Section 11, from the way that it’s worded, is that we have an equal right to ask a data controller to cease processing our information to target us with direct marketing – if they’ve already started doing so, or, we can ask a data controller not to begin processing our information for the purpose of direct marketing if they’ve not yet started to do so.
Now, let’s see what the ICO’s direct marketing guidance has to say about Section 11. Paragraph 11 states:
Section 11 of the DPA also gives individuals the right to prevent their personal data being processed for direct marketing. An individual can, at any time, give written notice to stop (or not to begin) using their details for direct marketing. In other words, organisations must stop any marketing directed at a particular individual if that person writes and asks them to stop. The organisation does not have to reply, but it is good practice to acknowledge the request and confirm that the
marketing will stop.
How, interesting. Without any explanation as to why, it would appear that the Information Commissioner is of the view that our right under Section 11 is a right to ask the data controller to cease processing only. Notice how they’ve changed the word “cease” to “stop”, how they’ve removed the comma, and how they’ve bracketed the phrase “or not to begin” to demonstrate that it is associated with the stop request rather than being a separate request. The view of the Information Commissioner therefore, appears to be that our right under Section 11 is a right to ask a data controller to stop processing our information for the purpose of direct marketing and, once they’ve stopped, not to begin again in the future. I think this is a serious and deliberate manipulation of a key right by the arseholes at the ICO.
The correct interpretation of Section 11 is extremely important to us as individuals as it’s one of the KEY rights given to us under the DPA. Section 11 should carry a lot of weight therefore, and the ICO should come down hard on organisations that abuse this key right.
To determine whether the ICO has deliberately manipulated a key right to support the spammers and the scammers, let’s see if the EU Directive on which Section 11 is based, can help us with the interpretation.
Seeking clarification on the interpretation of Section 11
EU Directive 95/45/EC is the Directive on which the DPA is based. Article 14b of the Directive defines two key rights: the right to object to direct marketing (Section 11), and the right to object to the disclosure of our information to a third party for direct marketing – Point 3 above. Here’s what Article 14b states:
The data subject’s right to object
Member States shall grant the data subject the right:
(b) to object, on request and free of charge, to the processing of personal data relating to him which the controller anticipates being processed for the purposes of direct marketing, or to be informed before personal data are disclosed for the first time to third parties or used on their behalf for the purposes of direct marketing, and to be expressly offered the right to object free of charge to such disclosures or uses.
Member States shall take the necessary measures to ensure that data subjects are aware of the existence of the right referred to in the first subparagraph of (b).
We’re interested in the first part of Article 14b as this is the element of the EU Directive that Section 11 DPA brings into UK law:
(b) to OBJECT, on request and free of charge, to the processing of personal data relating to him which the controller ANTICIPATES being processed for the purposes of direct marketing,
Note the use of the word “anticipates” because this single word tells us all we need to know about Section 11.
Note that Article 14b grants us the opportunity to object to the processing of our information for the purpose of direct marketing – not before, during or after such processing has taken place, but as soon as the data controller ANTICPATES processing our information for the purpose of direct marketing. In other words, as soon as the data controller makes the decision to process our contact information for the purpose of direct marketing, we have a fundamental right under Section 11 of the DPA to object to that processing. It’s a fairly straightforward argument in court even if the ICO wants to continue with the lie, because a judge will take into account Article 14b.
In light of this, my interpretation of Section 11 of the DPA MUST be the correct interpretation. That we have a right under Section 11 of the DPA to ask a data controller to cease – if they have already started, or not to begin if they anticipate processing our information for the purpose of direct marketing. And… as it’s impossible for us to exercise our KEY right under Section 11 until we know who the data controller is, then clearly, ANY third party that obtains our contact information with the intention of processing it to target us with direct marketing, MUST provide us with a fair processing notice first, and give us the time to object. In other words, it cannot possibly require a disproportionate effort to provide us with a fair processing notice if the data controller has our contact information and anticipates targeting us with direct marketing – because Section 11 is a key right of data subjects.
Furthermore, the clever use of the word anticipates demonstrates why the ICO’s interpretation is mute. It’s simply not necessary to tell the data controller to cease… and not to begin again at some point in the future, because the cease instruction alone will suffice. This is because the use of the word “anticipates” future-proofs the objection. It’s not just a objection to the direct marketing; it’s an objection to the anticipation of direct marketing. That’s clever, as our request to “cease” applies to any current or future use of our personal information for direct marketing by that data controller. As does our request “not to begin”.
Ooops! I’ve just destroyed the UK’s mailing list industry. But let’s face it, this should have happened years ago. The notion that some chucklehead can obtain our information without our knowledge and start processing it to target us with direct marketing is utterly ridiculous! The ICO is clearly at fault. The ICO has clearly opted to manipulate the process to support the spammers and the scammers.
So where does this leave third parties?
Our KEY right under Section 11 would surely negate the disproportionate effort rule so why can’t they provide us with a fair processing notice before sending us marketing? They can, but only if they send the fair processing notice to us by post. This is because, according to Paragraph 74 of the ICO’s direct marketing guidance, were a third party to provide us with a fair processing notice by electronic mail (text or e-mail), to inform us that they want to target us with direct marketing, then that fair processing notice will, in itself, constitute unsolicited electronic marketing:
74. Note that organisations cannot email or text an individual to ask for consent to future marketing messages. That email or text is in itself sent for the purposes of direct marketing, and so is subject to the same rules as other marketing texts and emails. And calls asking for consent are subject to the same rules as other marketing calls.
Having said that, I’m not convinced it’s good practice to send us a letter to inform us that they have our information and wish to process it for direct marketing unless we say otherwise. That process is open to abuse. Which is why it’s ridiculous that the ICO has not included fair processing information in their direct marketing guidance. And it’s ridiculous that the ICO does not require data controllers that we register directly with to name the third parties. If a data controller wants to disclose our information to a third party so that they can target us with direct marketing then what is the problem with naming that third party? It’s by far the safest way to ensure full compliance – the third parties are named, we make a choice as to whether or not we want to receive marketing from them, we know who they are and we can view their privacy notice. What’s the problem? The problem is that the ICO favours the spammers and the scammers and this is why they’ve opted to manipulate the process.
How the ICO goes about selling a lie to the public
I think I’ve reasonably demonstrated that the ICO is deliberately manipulating the process to support the UK’s mailing list industry. People make mistakes but the fact that they’ve failed to incorporate aspects of their legal guidance into their direct marketing guidance and the fact that they’ve unfairly manipulated Section 11, serves to demonstrate that this was deliberate. It’s a combination of the need to provide a fair processing notice and the interpretation of Section 11 that is the compelling argument. If you need further evidence however, take a look at Paragraph 145 of the ICO’s direct marketing guidance. Here they have opted to completely ignore our right to ask a data controller “not to begin” processing our personal information for the purpose of direct marketing:
145. In addition, many employees have personal corporate email addresses (eg email@example.com), and individual employees will have a right under section 11 of the DPA to stop any marketing being sent to that type of email address.
Where’s the “not to begin” aspect of Section 11 gone to? Oh, it’s miraculously gone missing because the ICO doesn’t want us to know that a corporate e-mail address that identifies a unique individual working for an organisation, will constitute personal information. As such, we have just as much right to ask a data controller not to begin targeting our corporate e-mail address with direct marketing as we have with our personal e-mail address. Further proof that the ICO is manipulating the process… they’ve completely removed the not to begin element of Section 11 at Paragraph 145.
And if you want further proof, in a recent case (RCC0671147), a Lead Case Officer at the ICO told me:
Section 11 of the Data Protection Act 1998 (‘the DPA’) provides individuals with a right to request a data controller to cease, or not to begin, processing information for the purpose of direct marketing. An individual could therefore proactively contact any organisation requesting they do not use their information for marketing purposes.
Note that he has not quoted the ICO’s bracketed version of Section 11 so there’s another inconsistency. Why has the ICO displayed it as stop (or not to begin) in their direct marketing guidance and why is this lead case officer quoting the DPA and not the ICO’s guidance? I pushed for clarification and he said:
As stated in our previous correspondence, we would consider an organisation providing fair processing information in the first email to an individual to be compliant with the requirements of the Data Protection Act (‘the DPA’).
But as I’ve explained, the anticipates element of Article 14b simply doesn’t support this view. He went on to say:
With regard to your queries about our guidance, as you will appreciate we continually update guidance and publish this on our website. The legal guidance you refer to is no longer published and not considered when we make assessments. Current guidance can be found on our website.
But does this mean that the Commissioner’s interpretation of “so far as practicable” as given in her legal guidance no longer valid? If it is no longer valid, then what is the current interpretation of “so far as practicable” and why has this not been added to the direct marketing guidance? When an organisation obtains our contact information from a source other than directly from ourselves, are they or are they not obligated to provide us with a fair processing notice? If so, when and how should they provide that fair processing notice – bearing in mind our rights under Section 11?
I believe that I have reasonably demonstrated that when a third party data controller obtains our contact information, they reasonably need to provide us with a fair processing notice at the point they obtain our information – so far as practicable. We do have detailed guidance that clearly explains the “so far as practicable” aspect but the ICO has opted to bury this information in order to sell a lie.
However, when a third party data controller obtains our contact information – without our knowledge, with the intention of using it to target us with direct marketing, they MUST provide us with a fair processing notice and give us the time to opt-out under Section 11 DPA way before they target us with direct marketing. This is because we have a fundamental right under Section 11 of the DPA to object to such data processing as soon as the third party anticipates processing our information for this purpose. We have a very strong case in court against both the data controller that passed our information to the third party and the third party that sent us marketing because the EU Directive provides a clear interpretation.
This is why the organisations that we register directly with should name the companies that they want to disclose our information to for the purpose of direct marketing, and give us the option to opt-out. If they specifically name the third parties and provide a link to their fair processing information then we can make a more informed decision about whether or not we want to receive marketing from them. That’s a win-win situation.
The ICO is clearly complicit in the abuse to the extent that they may be in breach of EU laws. They’re definitely misleading the public and have been for many years so they should be investigated. I’m going to have a word with my MP.
The ICO’s direct marketing guidance should make it clear that:
Organisations that we register directly with MUST identify any third party data controller that they wish to disclose our contact information to for the purpose of direct marketing – good practice. If they don’t identify the third party then any third party that obtains our information from that data controller will have to provide us with a fair processing notice well before they target us with direct marketing – not good practice.
Organisations that we register directly with MUST allow us to object to our information being disclosed to third parties for the purpose of direct marketing. The law behind this rule is the second part of Article 14b. This aspect of 14b wasn’t included in the DPA but the ICO’s recognises it and so will the courts. It’s an easy win in court… have a word with one of the no-win, no-fee solicitors to see if they’re willing to represent you.
Any organisation that obtains our information from a source other than directly from ourselves, will not be able to process that information for the purpose of direct marketing unless they obtained it from a data controller that obtained it directly from ourselves and we were given the opportunity to object. This includes companies that target our work’s e-mail address if it constitutes our personal information.
The ICO’s flagship direct marketing guidance is seriously flawed because the ICO is seriously flawed. On a plus note, we don’t have to wait for the GDPR to come into force to claim compensation in the small claims court. Organisations that fail to identify third parties that they disclose our information to, for the purpose of direct marketing, can be sued in court. You just wait for the third party to target you with direct marketing and then submit a Subject Access Request to find out how they obtained your information. You’ve got two separate claims there.
Let me tell you where I’m at. I question every bit of unexpected marketing that I receive – be it to me as an individual or to me as an employee. I’ve settled out of court on a number of occasions, I’m currently in the process of taking two companies to court but one of those is about to settle. And I have about another ten companies that I’m going to take to court. Some of them are very well-known companies. I’d like to see the no win, no fee solicitors picking up on this.
A word of warning though, if you challenge an organisation that sends direct marketing to your work’s e-mail address, they might contact your employer to submit a complaint. Some arseholes think that a corporate e-mail address belongs to your employer and the ICO doesn’t really make this clear in their direct marketing guidance.
I’ll expect a response from the ICO about their interpretation of Section 11 of the DPA and why they’ve opted to bury the guidance on fair processing notices. Indeed, I challenge the arseholes at the ICO to prove me wrong.
Update: 11 August 2017
The ICO’s Mary Jervis (PEC0675919) has informed me:
As advised previously by our office, we would consider an organisation providing fair processing information in the first email to an individual to be compliant with the requirements of the Data Protection Act 1998 (DPA). All organisations must comply with a request under section 11 of the DPA. Should you send a request under section 11 to an organisation and continue to receive marketing you may forward the correspondence exchanged to us for further consideration.
Again, she’s only recognising the cease aspect of Section 11. Bearing in mind the wording of Article 14b, I’ve asked Ms Jarvis to clarify whether the Information Commissioner accepts that we have two key rights under Section 11 of the DPA: the right to ask a data controller to cease processing, as well as a right to ask a data controller not to begin processing our information for the purpose of direct marketing.
Update: 18 August 2017
No response from the ICO as yet. Are they going to continue with their bogus interpretation of Section 11 or are they willing to admit that they’ve been deliberately and knowingly misleading us for many years to support the spammers and the scammers?
I’ll give them until the end of the month and then I’ll have to ask my MP to ask the question on my behalf – again. Actually, I might ask my MP to ask the question in Parliament so that we get a formal answer. This is a clear example as to why this organisation needs to be investigated.
Update: 29 August 2017
Ms Jervis has provided the following response:
Section 11 of the Data Protection Act 1998 (‘the DPA’) provides individuals with a right to request a data controller to cease, or not to begin, processing information for the purpose of direct marketing. An individual could therefore proactively contact any organisation requesting that they do not use their information for marketing purpose. The matter has been responded to in the past and we do not intend to continue to correspond about the matters you have raised.
Ms Jervis hasn’t answered my question though has she? How does an individual proactively request a third party data controller for their information – NOT TO BEGIN processing it for the purpose of direct marketing WHEN THEY DON’T KNOW WHO THE DATA CONTROLLER IS? That’s my whole point!
We should all know who intends to process our information for the purpose of direct marketing WELL BEFORE they target us with direct marketing so that we can PROACTIVELY object to that data processing under Section 11 of the DPA – at the point they ANTICIPATE (Article 14b) processing our information for this purpose.
If this were a mistake by the ICO – if they’ve been getting it wrong for years due to their incompetence, then they’d want to apologise to the public and aim to put things right as soon as possible by updating the guidance – right? The fact that they’re refusing to accept that they’ve got it seriously wrong only serves to support my view that the ICO has deliberately and knowingly buried the fair processing guidance, and manipulated Section 11 to support the spammers and the scammers. If I’m wrong then the ICO needs to tell me why I’m wrong; they need to tell me how their interpretation of Section 11 satisfies Article 14b and why they opted to bury the fair processing guidance.
This is fundamental to fair data processing so I’ve sought further clarification from the ICO. Is the ICO going to continue with the lie or are they going to come clean and admit that they’ve been getting it seriously wrong for years and apologise?
Update: 4 September 2017
No response from the ICO’s Mary Jervis so I’ve asked her again to provide me with an answer that addresses that question that I’ve asked. Is the ICO willing to admit that they’ve deliberately manipulated the process to support the spammers and the scammers or are they able to demonstrate that I’m wrong? One of us is wrong, so if it’s me, then why can’t they explain why I’ve got it wrong?
Update: 7 September 2017
Still no response yet from the ICO’s Mary Jervis as to how her interpretation of Section 11 complies with Article 14b of the EU Directive and our right to object at the point the data controller anticipates processing our information for the purpose of direct marketing. Has she been told by senior staff at the ICO not to answer the question so that this government agency can continue with their lies?
Update: 19 September 2017
I returned from holiday but I still don’t have an answer to my question so I’ve now asked Rob Cole at the ICO to answer the question for me. If he can’t do that then I’ll ask my MP to write to the Information Commissioner for an answer. Just so we’re clear, Mary Jervis did not answer the question and did not escalate it to someone that could answer it. This is a typical for the ICO – it’s all smoke and mirrors. Make no mistake, the ICO is full of people who don’t really know what they’re talking about, manipulating the process to cover up the fact that they don’t really know what they’re talking about. And we’re paying these arseholes to do this. This organisation needs to be investigated.