87 posts • joined 14 Sep 2009
They don't seem to know what a Subject Access Request is
I've just submitted a complaint to the ICO because they failed to respond to my SAR within 40 days. So here we have a new company that doesn't seem to understand their basic data protection obligations. I'm going to do a data audit on this company over the next few weeks.
The ICO regularly screw up
I currently have a complaint being processed by the Parliamentary and Health Service Ombudsman (PHSO) where I have outlined the failings of the ICO. To support my complaint I have included a detailed analysis of seven case reviews from last year where the view of the ICO was either wrong or likely to be wrong. These are case reviews too... so for each case review to be wrong it means that two members of staff hold the incorrect opinion: the Case Officer who conducted the original Assessment and their line manager who conducted the Case Review.
In one case I argued that a data controller had failed to comply with my subject access request (SAR) because they held the actual date: day, month, year of when they obtained my information but only provided me with the year in response to my SAR. I argued that a year on its own does not constitute a date and as they held an actual date, that's what they should have provided. As they didn't they failed to comply with my SAR. Three different levels of staff at the ICO: the person who conducted the assessment, their line manager who conducted the case review, and their line manager - who got pissed off with me complaining all held the view that a year on its own constitutes a date.
The organisation works in silos so that two different case workers can give you two different responses depending on who you ask. I'm hoping that the BBC's Panorama team will do a show on it once the PHSO has concluded its investigation.
Webmaster - www.mindmydata.co.uk.
I'm reluctant to do anything more than I have to with Amazon because it's ultimately going to mean more marketing. I've already opted out of marketing e-mails with them. Then the other week they promoted the soon to be defunct Norton Antivirus - See Reg article: Symantec: Antivirus is 'DEAD' – no longer 'a moneymaker'... must have done a deal to farm it on to unsuspecting Amazon customers. Anyway, Amazon sent me an e-mail to promote Norton AV and they said that this was because I had spent over £30.
So I'm opted out of marketing e-mails, so what do they do, just find some reason to bypass it. So I've told them that I will never place an order with them again that exceeds £27.99. And I'm submitting a complaint to the EU Commissioner's Office because I had already expressed a preference not to receive marketing e-mails and they ignored it.
Eff them! The worst thing a company can do is take its customers for granted. Just ask Mr Ratner.
Get into a habit of opting out under section 11 of the DPA
We don't need new laws as we have perfectly good but unused laws. Section 11 of the DPA allows an individual to opt-out of all direct marketing from a UK-based company. If parents ensure that they register on behalf of their child then all they need to do is follow that up with an e-mail to the company opting out under section 11. Once opted out, the company cannot legally target the individual with direct marketing by any means, including generic or targeted adverts that appear in a logged in website.
You then follow that up by submitting a subject access request to any company that sends your child unexpected marketing. At the end of the day, the more people complain about these companies to the ICO the more likely it is that the ICO will take action. Buying software only hides the problem. The problem is that companies don't understand the law. www.mindmydata.co.uk.
I wouldn't trust AVG anyway as they target me with advertising even though I've purchased the full internet security product. Free version yes, full product no way. My AVG expires in September and I won't be using them again.
AVG themselves are an abuser of privacy. If I pay for a full version of their product then under UK law they cannot promote their products or services to me if I opt-out under section 11 of the DPA. But they're not a UK data controller so they don't recognise our rights. So despite the fact that I've paid for the full version they still target me with adverts from time to time and try to dupe me into paying for more services.
If I were using the free version then fair enough but I'm not. My AVG licence expires in Oct and I won't be renewing.
For example, anyone buying Amazon's Kindle Fire will have to pay £10 to remove the advertising. If Amazon.co.uk were bound by the DPA you could ask them to remove it by opting out of all direct marketing under section 11 of the DPA for free.
I'll never do business with this company again. I switched to Plusnet three years ago and never looked back.
Amazon shouldn't be allowed to operate a .co.uk website either as they don't have a UK-based data controller. A .co.uk website specifically targets UK individuals so the government should require those multinational companies that operate a .co.uk website to register a UK data controller:
The ICO is a waste of time
As someone who submits, on average, about three complaints to the ICO a month, I can confirm that they are totally useless. I currently have nine case reviews that I need to escalate to the PHSO because the caseworkers that worked on those case reviews don't know what they're talking about. So basically ICO staff are not really interested, and if they were they often get it wrong and ultimately it's an absolute waste of time.
All they need to do is allow individuals to take companies to the small claims court for contravening the DPA or the PECR. Make it a fixed claim amount for, say, £75 and watch how fast the marketing stops.
It's all a waste of time
It doesn't matter what new laws are introduced, the fact remains that the ICO will only take action against a commercial organisation in extreme circumstances.
For example, through a series of subject access requests I identified the order of events that led to me receiving an unidentified PPI text on my mobile phone. The company that sent the text were told by the ICO not to hide their ID in a text - that's it! The company that provided them with my mobile phone number failed to comply with my subject access request. The ICO contacted them on my behalf and told them to comply. We waited another 40 days - no reply. The ICO wrote to the company again, we waited 40 days but still no reply. They've now contacted them for the third time and they're not going to get a reply because the company is likely to be illegally farming mobile phone numbers.
The ICO have informed me that this is the last time they're going to try and it'll then be up to me to spend a couple of thousand pounds to seek a court order under section 7(9) of the DPA to make the company comply with my Subject Access Request. So much for the ICO's big crack-down on PPI companies.
I bet they don't complain when they're signing the electronic box to accept delivery of a parcel.
Cheggers Plays Doc
How about Keith Chegwin as the Doc and Maggie Philbin as his sidekick.
Google doing something good for a change
Pay Day loans should be banned in my opinion - people getting rich out of other people's misery. So nice one Google! I doubt Money Supermarket will be around for long once the Tesco, Sainsburys et al start offering their own comparison service.
We need this in the UK
I've started a petition for the UK to achieve something similar. Basically, if a company wants to specifically target UK consumers (and UK data subjects) by operating a .co.uk website, then they should be a UK-based data controller.
It'll never work
The overwhelming majority of YouTube readers visit their site for something to do. As soon as they start charging those people will just find somewhere else to go.
The EU Directive is rubbish
EC Directive 95/46/EC on which the Privacy and Electronic Communications Regulations 2003 are based is too confusing. We could do away with the PECR 2003 and just have the DPA98. And if the e-mails are bothering you you simply opt-out under section 11 of the DPA98.
What we need is a review of the DPA98 to make it easier for individuals to seek compensation from companies that abuse their data protection rights. At the moment, a solicitor wants £5000 to bring a case under section 11(2) of the DPA98 - where a company has continued to market me after I have opted out under section 11. The process needs to be easier; I should be able to claim a set amount via the small claims court. So I opt out under section 11 and that company cannot send me direct marketing by phone, by post, by e-mail, by text etc. If they do then I can take them to court and walk away with, say, £250.
This is long overdue. Let's face it, if UK companies actually understood the Regulation 22 rules then I am of the opinion that it's a pretty fair system. Unfortunately many don't. Regulation 22 states that a company can opt you in to marketing by default - so that the individual has to perform some kind of action to opt-out - only if they are collecting the information when making a sale or when someone is enquiring about a sale - obtaining a quote for example. In other words, if there's no possibility that submitting the form will result in a sale, such as a generic contact form, then you should be opted out by default. But if a company had a contact form that was specifically for contacting their sales department then that could be opted in by default.
In a recent example I switched my electric provider to M&S, and the service is provided by SSE. As part of the account I was advised to create an online account with SSE, and in doing so they had opted me in to marketing by default on the registration form. But I purchased the electric from M&S and I purchased it before Christmas. So I've already done the deal and signed-up to the service so SSE should have me opted out by default - because I'm not registering with them to enquire about or make a sale; I'm registering with them to manage my account. As such, the Regulation 22 rules are not satisfied.
So I'll be contacting SSE this week to remind them: www.mindmydata.co.uk
Block withheld numbers
If Ofcom introduced legislation to make it free to opt-out of calls where the caller has withheld their number, then perhaps more people would take up this option. Then they should introduce legislation that makes it easy for an individual to take legal action against these companies, especially if you're registered with the TPS.
I got an out of court settlement when Littlewoods kept phoning me despite the fact that I had told them that they had the wrong number:
Section 11 of the DPA
To stop receiving any and all marketing from a UK-based company you should opt-out under section 11. But you have to make sure that the data controller is a UK-based data controller, which rules out Amazon for example as their data controller is based in the EU so they don't have to comply with the DPA.
It's simple to stop spam
Mailwasher Pro and regular expressions for overseas spam, Section 11 of the DPA to stop any and all marketing from a UK-based company. I section 11 my insurance companies so that they're not able to send me an automatic renewal as I never stay with the same company twice.
You can opt out of marketing from any UK company under section 11 of the DPA
If you're being bombarded by unwanted e-mails from a particular UK company, then all you have to do is write to them and ask them to stop in accordance with your rights as a data subject. Forget all this unsubscribe malarkey, a section 11 request will stop marketing by post, text, e-mail, phone, and if you have an online account, even the advertising banners that appear in your account pages.
Barnes & Noble are not a UK retailer
Although Barnes & Noble may have retail outlets in the UK the UltraViolet website is operated by a US data controller. If you want to hand your personal data to yet another overseas company and forgo the statutory rights afforded you as a UK data subject then by all means register.
I think it's important to distinguish between a UK retailer that operates under UK laws and has a legal obligation to uphold the statutory rights of its UK data subjects, and those that don't.
While they're at it...
It might be a good idea too to bring in legislation to ensure that only UK-based data controllers can operate a .co.uk website. At the moment we have a situation where Amazon are asking their Kindle Fire customers to pay £10 to opt-out of direct marketing being served to their new Kindle. But as UK data subjects we all have a statutory right to opt-out of direct marketing with a company under section 11 of the DPA98. How does Amazon get around this? They operate the Amazon.co.uk website with a European-based data controller rather than a UK-based one and thus deny us our rights.
If they specifically wish to sell to UK consumers then Amazon should honour our data protection rights in my opinion and appoint a UK-based data controller.
Where's the UK equivalent to Amazon?
If a company like Argos was actually able to compete with Amazon I would much rather do business with a UK based company that pays UK tax and complies with UK data protection laws. Amazon.co.uk's data controller is based in Europe so as soon as you start using their services your rights as a UK citizen are not being upheld.
The law should be changed so that any company operating a .co.uk website should be based in the UK, pay the proper tax and comply with our laws.
Re: A recruitment agency's wet dream
If an employment agency extracts your data from LinkedIn and uses it to contact you outside of LinkedIn - which they did in my case because I had blocked them contacting me, then it's likely that the employment agency is contravening section 55 of the DPA98: Unlawful obtaining etc. of personal data.
When an employment agency uses LinkedIn it has agreed to do so in accordance with their terms and conditions. The agency should not be taking your data from LinkedIn, guessing your e-mail address and using it to contact you directly.
The employment agency business is full of failed salesmen who think that they can make a better living by operating an employment agency. In doing so, they're prepared to try every trick in the book to make some money out of you.
They could make more money
If LinkedIn clamped down on those employment agencies that regularly trawl their site to extract and process the data of those individuals that they're interested in - thus circumventing the fee paying channel, they could make even more money.
You can stop all advertising from a UK-based data controller
The Information Commissioner is of the opinion that all advertising - even generic advertising - appearing within a logged-in website is likely to be directed at an individual and therefore constitutes direct marketing. As such, if you're unhappy with advertising appearing within the logged-in pages of a UK-based website then you can send them a section 11 request to stop. If they fail to remove the adverts then submit a complaint to the ICO. http://www.mindmydata.co.uk/
Acronis vague about data controller question
Acronis want me to pay for their service and have my data stored on their servers but who is responsible for that data and under what laws will that data be stored? This should not be a difficult question to answer.
I'm still waiting for an answer.
Amazon show contempt for our rights as UK data subjects
As UK data subjects we are all entitled to opt-out of all direct marketing from a UK-based company. Amazon operates a .co.uk website and as such, one might think that they comply with UK data protection laws but they don't; the data controller for Amazon.co.uk is based in Europe, not the UK. As such, we as UK data subjects forgo our right under section 11 of the DPA98 to opt-out of the direct marketing that Amazon insist on displaying on their new Kindle. For that reason, I'll be sticking with my basic Kindle.
I kicked these jokers into touch a long time ago
They sent me a promotional e-mail quite a few years after I'd placed my last order with them. I wasn't happy that they were still processing my data many years later so I submitted a section 11 DPA98 request and made it clear that I would seek a court order if they continued to send me direct marketing. I won't be doing business with them again.
Just take them to the small claims court
If a retailer gives you grief over a refund that you're legally entitled to all you need to do is get everything in writing and inform them that you're going to file a claim with the county court unless they comply. I've represented myself in the small claims court twice and the judge on both occasions was very supportive.
How about restricting it to registered UK data controllers
If they restricted the sale of .uk domains to registered UK data controllers only, then the user will be confident that the rights afforded them by the DPA98 will apply when doing business with a .uk website. For example, Amazon.co.uk has a European data controller, not a UK one. As such, we as UK data subjects lose a lot of the rights granted to us by the DPA when registering with Amazon.co.uk; including the right not to receive marketing. This is why Amazon's new Kindle Fire comes with advertising by default; because the data controller is based in Europe so we don't have the same rights. If Amazon.co.uk had a UK data controller then you could easily opt out of all advertising from Amazon or take them to court if they refused.
Bigger fish to fry
What you need to understand is that the ICO don't care about the little people. They have failed to take action against TPS contraventions. They will not take any action for a company failing to comply with a section 11 request, and they will not want to take action against cookie violations.
All the ICO want to do is go after government organisations and it throws most of its limited resources into doing this. They don't really care about marketing issues.
Tesco claim that they're 'never complacent' but when I asked them recently to respect my rights as a data subject not to receive their marketing, they suggested that I should cancel my ClubCard account if I wasn't happy with their marketing. They wanted me to cancel my account so that the matter would go away rather than deal with it and ensure that they were/are fully compliant with the DPA98. A rather cavalier attitude if you ask me that demonstrates complacency towards Tesco's obligations as a data controller.
Let's not bother to comply with the rights of this data subject, let's just delete his account instead.
CAP operate in a silo
'The CAP Code contains rules that advertisers, generally, have to adhere to and prohibits firms from making misleading claims or causing harm or offence to the public subjected to their promotions, among other things'.
But the CAP Code does not reflect the law of the land. The DPA 98 contains a legal definition of direct marketing and this is interpreted by the Information Commissioner's Office. Why does the CAP operate its own antiquated definition?
All the shadows cast by the moon's hills are to the right, which means that they're being lit from the left. But the flag's shadow is on the right.
It's not just bad practice that Tesco are guilty of in my opinion. Tesco's Clubcard is likely to be incompatible with our statutory rights as data subjects because they are unable to separate the marketing from the card; if you want a Clubcard then you must have the associated marketing. But section 11 of the DPA98 entitles data subjects to opt-out of ALL direct marketing from an organisation. However, when I asked Tesco to comply with my section 11 request they informed me that they would have to cancel my account. So I can't have an account unless I have the marketing, which means that Tesco must have civil law terms - either actual or implied - that are incompatible with my statutory rights. The ICO are investigating.
The best thing you can do with this company
If, like me, you're a former customer and want nothing else to do with Talk Talk, send them a section 11 notice and ask them to cease processing your information to send you direct marketing: www.mindmydata.co.uk
If you're an existing customer watch out for special offers as my dad subscribed to a 12 month special offer at half price but it only lasted six months; then they put the price up. I got involved as my dad is in his 80s, and after getting nowhere with their Indian customer services, I contacted their head office and got them to sort it out. Apparently the person who processed the 12 month discount only did it for 6 months and failed to keep a reminder that he needed to put the other six months through. But why didn't he do it for 12 months in the first place and why, after their customer service people kept my dad talking for nearly an hour, did they not discover the error? Why did it take an investigation from head office? I was going to report them to Ofcom but my dad didn't want to get involved.
The other thing to watch out for too... if you contact Talk Talk and ask them to make a change to your account, this will require you to automatically renew your contract with them and they don't necessarily make you aware of this. That's what head office told me.
I'll never do business with Talk Talk again. I switched to Plusnet last year and haven't looked back - good speeds, no disconnections and excellent UK-based customer service. It's more expensive but it's worth it.
Get a good mailwasher
I've been using Mailwasher Pro for many years, which allows me to preview my e-mails on the mail server before I download them. Any that I don't recognise can be deleted on the server and I never have to download them to my computer. If it's spam I have filters that automatically delete the e-mail and make me aware that the e-mail has been deleted, or that automatically delete the mail without me even knowing. Great for deleting spam based on keywords.
Of the 12,985 complaints they've accounted for 35% of them... what about the rest? I suspect that the majority of the unexplained 65% is made up of direct marketing complaints and the reason why the ICO hasn't mentioned anything about these is because they don't take action over direct marketing complaints.
It's one thing patting themselves on the back but prosecuting government organisations is easy as they have to comply so they can't fight back. How many commercial organisations have the ICO prosecuted?
What's the ICO doing about this?
In the UK, section 11 of the DPA98 entitles us to opt out of all direct marketing from a company by submitting a request for that company to cease processing our data for the purpose of advertising, marketing and public relations. In which case, you could simply submit a section 11 request to Microsoft and they would have to remove the adverts or face prosecution. But will Microsoft comply with such a request bearing in mind that they're a US-based company?
This is yet another example of our rights as UK data subjects being ignored by non-UK based companies that couldn't give a toss about the DPA98. Twitter, LinkedIn, Skype, Facebook... they all ignore our statutory rights.
The ICO and the government should be doing more to enforce our rights.
Picking on government agencies again
This is yet another example of how the ICO focuses its resources chasing after government agencies. Contrast this with commercial organisations and the ICO don't want to know. The ICO's record of dealing with commercial organisations is appalling. They can't even carry out an audit against a company without first obtaining permission from the company to do so. And they send out mixed messages all the time. For example, I know for a fact that the ICO will not prosecute for a contravention of the PECR2003. Nor will they prosecute for failing to comply with a section 11 DPA98 request. Yet apparently they're going to kick-ass over tracking cookies? How do they explain the inconsistency?
It's easy to make things awkward for Amazon
All you need to do is send Amazon a Section 11 DPA98 request to cease processing your personal data for the purpose of direct marketing and they have to stop all forms of marketing to you or face prosecution by the Information Commissioner's Office.
This includes marketing by post, phone, e-mail, fax, text, and targeted advertising. More importantly, it also includes generic marketing banners that appear within your logged in account pages.
It won't remove all advertising... for example, advertising banners that appear when you are logged in via a cookie are unlikely to be directed at you personally. But once you proceed to the check-out and verify your credentials, then every page you view until you are logged out is being directed at you personally. The Information Commissioner's Office has clarified this.
Amazon would probably just cancel your account though to avoid having to comply. And apparently the ICO wouldn't have a problem with that.
Don't believe the hype
The ICO's claim that they're going to start issuing fines is a joke! They don't take any action under the Privacy and Electronic Communications Regulations 2003, they won't take action against a company for contravening section 11 of the DPA 98, but now they're going to start issuing fines for non-compliance with cookie law. If so then it's a travesty!
If they're going to take action at all then they should be prosecuting companies for failing to comply with a section 11 request because this is a far more serious matter. If an individual submits a section 11 request to a particular company then it stops all marketing, including cookie-based targeted adverts.
I've submitted two complaints about my bank failing to comply with my section 11 request and the ICO have told me that prosecution for this kind of contravention is something they don't want to pursue. But what... they're now going to take action over friggin' cookies?
Please explain the double standards ICO.
Re: What about the Information Commissioner's obligations?
All data protection legislation falls under the umbrella of the DPA as a data controller has a legal obligation to process personal data in accordance with the eight data principles. Thus, the failure by a data controller to comply with UK or EU regulations will ultimately have an impact on the DPA.
For example, the failure by a data controller to obtain consent prior to sending out electronic marketing - which is required by the PECR2003, which are in turn based on an EU Directive, is also one of the requirements of schedule 2 of the DPA.
What about the Information Commissioner's obligations?
The Information Commissioner is legally obligated to 'promote' good practice among data controllers: 'It shall be the duty of the Commissioner to promote the following of good practice by data controllers and, in particular, so to perform his functions under this Act as to promote the observance of the requirements of this Act by data controllers'.
How does sitting back and waiting for complaints achieve this obligation?
Fasthosts have been going downhill
I've been a Fasthosts customer on and off for over 12 years... I remember the days when there was no support at the weekend so my site would go down on a Saturday morning and I'd have to wait until Monday for them to fix the problem.
They're okay I guess. My main issue with them is that they are one of the more expensive hosting companies but I don't mind paying if the support is there. Recently though, I've noticed that they tend to inform me that they're "monitoring the situation", which basically means that if they leave it for a bit the problem will probably resolve itself. As a typical example, they had an issue with the SQL server recently and it was causing my site to be unavailable for long periods. They said that they were monitoring the situation but when I tried to get logged in during my lunch hour at work, my site was down. It was still down 45 minutes later so clearly they were not monitoring the situation, otherwise they would have done something to get it back up.
When you think about how much their costs will have reduced over the years... to continue to charge what they do they either need to be offering a lot more or providing first class support. They do neither very well in my opinion but it could be worse.
It's a pointless law
So I can record a TV programme on a video recorder or a hard drive recorder, I can keep it for years or even decades, and no one has a problem with that. Yet if I download the same programme from a torrent I'm breaking the law. Where's the logic in that?
And the argument that downloading is costing millions in lost revenue is rubbish. In the early days of eBay I actually used to make money by buying a series cheap from somewhere like Play.com, watching it at my leisure, and then selling it on eBay. I then bought another series, and another and so on. I watched lots of series this way and not only did it not cost me anything, I actually made money from it. The only thing it cost me was the hassle of packaging and posting the items.
My point is, it's not the downloading that's costing millions, it's the fact that people can buy and sell second hand goods that is costing millions. For many, downloading the files is just an easier way of doing it. If this has to stop then they'll find another way.
It's easy to make it stop
According to the Information Commissioner's Office, all advertising - whether the data controller meant to target the data subject for this purpose or not - appearing within the logged in account pages of a data subject constitutes direct marketing. This is because the data subject's personal data must be processed as a security check before each and every account page is served to their browser. And of course, if personal data is processed to deliver generic marketing then that generic marketing constitutes direct marketing - because it is being delivered to a data subject.
Submit a section 11 request to make the online advertising banners stop.
What about UK data protection rights
In the UK we have a right to opt-out of direct marketing - including online marketing that is targeted at an individual (Part II, section 11 DPA98). Are generations of UK data subjects going to forfeit this right just because Facebook is a US company? Why aren't Europe and the UK Government protecting our rights?