93 posts • joined 14 Sep 2009
I'm about to expose the ICO as not being fit for purpose. My MP is helping me to get to the bottom of why nearly fourteen of my case reviews - where the ICO found in favour of a company, are likely to be seriously flawed. At the moment we're struggling to find someone within the organisation to take ownership of my complaint.
What about the moon?
On a BBC science programme the other week they were saying that the moon had a massive impact on life on earth and my have contributed to getting life started. Do these similar planets also have a moon like ours then?
Oh, look, yet another headline grabbing story for the ICO! What they don't tell you is that, for the overwhelming majority of complaints submitted to the ICO about direct marketing, most of them are a total waste of time. A combination of incompetent case officers and a policy of only taking action if they receive lots of complaints about the same company means that most companies can carry on regardless. For example, if Optical Express sent me the marketing and I complained, as long as that company stops sending me marketing the ICO will be happy. The company can carry on abusing the rights of thousands of others unless they too complain. And it's only when enough people complain that the ICO will think about doing anything.
This is a poor use of limited resources in my opinion. If I submit a complaint against a company and the ICO upholds my complaint then they should advise the company of their obligations, give them 30 days to contest the ICO's view, and warn them that any further similar complaints received after 30 days will result in criminal prosecution. Job done! And... the ICO needs to be prosecuting these companies so that we get some precedent because at the moment the Commissioner is just giving his own view. He needs to go to court and get a court ruling so that his guidance becomes law.
The fact remains that nearly every single company that I do business with will abuse my data protection rights in some way. It's an utter failure by the Commissioner.
What about advertising
The other month Amazon decided to send me an e-mail to promote Norton Antivirus despite the fact that I've been opted out of promotional e-mails with Amazon for years. When I questioned this they said it was because I'd spent over £30 with my last order. Since then, I've not purchased anything from Amazon that exceeds £29.99 and its' surprising what bargains you can find elsewhere. For example, I purchased a new TV in August from John Lewis for the same price as Amazon but with a free five year guarantee. Fair enough, I had to pay the postage but still, it's a far better deal.
My point being... I loath companies that think they have a God given right to promote their products and services to me and this is why I wouldn't consider Amazon Fire TV. If they're not already advertising on the TV then it can't be far off. You're much better off waiting until a product is released by a UK data controller so that you can opt out of all direct marketing - even marketing served to a TV.
This is their own policy
I've submitted a number of complaints to the ICO over the years about companies holding on to my personal data indefinitely because they don't have a data retention policy in place. One of those complaints is currently being investigated by the PHSO. In my experience, as long as the organisation can demonstrate that they have a data retention policy in place the ICO couldn't care less. And if they don't, the ICO will just advise them to do so.
The fact that the Authorised Records Disposal Practice puts a three year data retention on MPs expenses then that's fine. However, bearing in mind the public's interest they might want to increase this to say six years.
They don't seem to know what a Subject Access Request is
I've just submitted a complaint to the ICO because they failed to respond to my SAR within 40 days. So here we have a new company that doesn't seem to understand their basic data protection obligations. I'm going to do a data audit on this company over the next few weeks.
The ICO regularly screw up
I currently have a complaint being processed by the Parliamentary and Health Service Ombudsman (PHSO) where I have outlined the failings of the ICO. To support my complaint I have included a detailed analysis of seven case reviews from last year where the view of the ICO was either wrong or likely to be wrong. These are case reviews too... so for each case review to be wrong it means that two members of staff hold the incorrect opinion: the Case Officer who conducted the original Assessment and their line manager who conducted the Case Review.
In one case I argued that a data controller had failed to comply with my subject access request (SAR) because they held the actual date: day, month, year of when they obtained my information but only provided me with the year in response to my SAR. I argued that a year on its own does not constitute a date and as they held an actual date, that's what they should have provided. As they didn't they failed to comply with my SAR. Three different levels of staff at the ICO: the person who conducted the assessment, their line manager who conducted the case review, and their line manager - who got pissed off with me complaining all held the view that a year on its own constitutes a date.
The organisation works in silos so that two different case workers can give you two different responses depending on who you ask. I'm hoping that the BBC's Panorama team will do a show on it once the PHSO has concluded it's investigation.
Webmaster - www.mindmydata.co.uk.
I'm reluctant to do anything more than I have to with Amazon because it's ultimately going to mean more marketing. I've already opted out of marketing e-mails with them. Then the other week they promoted the soon to be defunct Norton Antivirus - See Reg article: Symantec: Antivirus is 'DEAD' – no longer 'a moneymaker'... must have done a deal to farm it on to unsuspecting Amazon customers. Anyway, Amazon sent me an e-mail to promote Norton AV and they said that this was because I had spent over £30.
So I'm opted out of marketing e-mails, so what do they do, just find some reason to bypass it. So I've told them that I will never place an order with them again that exceeds £27.99. And I'm submitting a complaint to the EU Commissioner's Office because I had already expressed a preference not to receive marketing e-mails and they ignored it.
Eff them! The worst thing a company can do is take its customers for granted. Just as Mr Ratner.
Get into a habit of opting out under section 11 of the DPA
We don't need new laws as we have perfectly good but unused laws. Section 11 of the DPA allows an individual to opt-out of all direct marketing from a UK-based company. If parents ensure that they register on behalf of their child then all they need to do is follow that up with an e-mail to the company opting out under section 11. Once opted out, the company cannot legally target the individual with direct marketing by any means, including generic or targeted adverts that appear in a logged in website.
You then follow that up by submitting a subject access request to any company that sends your child unexpected marketing. At the end of the day, the more people complaint about these companies to the ICO the more likely it is that the ICO will take action. Buying software only hides the problem. The problem is that companies don't understand the law. www.mindmydata.co.uk.
I wouldn't trust AVG anyway as they target me with advertising even though I've purchased the full internet security product. Free version yes, full product no way. My AVG expires in September and I won't be using them again.
AVG themselves are an abuser of privacy. If I pay for a full version of their product then under UK law they cannot promote their products or services to me if I opt-out under section 11 of the DPA. But they're not a UK data controller so they don't don't recognise our rights. So despite the fact that I've paid for the full version they still target me with adverts from time to time an d try to dupe me into paying for more services.
If I were using the free version then fair enough but I'm not. My AVG licence expires in Oct and I wont' be renewing.
For example, Anyone buying Amazon's Kindle Fire will have to to pay £10 to remove the advertising. If Amazon.co.uk were bound by the DPA you could ask them to remove it by opting out of all direct marketing under section 11 of the DPA for free.
I'll never do business with this company again. I switched to Plusnet three year ago and never looked back.
Amazon shouldn't be allowed to operate a .co.uk website either as they don't have a UK-based data controller. A .co.uk website specifically targets UK individuals so the government should require those multinational companies that operate a .co.uk website to register a UK data controller:
The ICO is a waste of time
As someone who submits, on average, about three complaints to the ICO a month, I can confirm that they are totally useless. I currently have nine case reviews that I need to escalate to the PHSO because the caseworkers that worked on those case reviews don't know what they're talking about. So basically ICO staff are not really interested, and if they were they often get it wrong and ultimately it's an absolute waste of time.
All they need to do is allow individuals to take companies to the small claims court for contravening the DPA or the PECR. Make it a fixed claim amount for, say, £75 and watch how fast the marketing stops.
It's all a waste of time
It doesn't matter what new laws are introduced, the fact remains that the ICO will only take action against a commercial organisation in extreme circumstances.
For example, through a series of subject access requests I identified the order of events that led to me receiving an unidentified PPI text on my mobile phone. The company that sent the text were told by the ICO not to hid their ID in a text - that's it! The company that provided them with my mobile phone number failed to comply with my subject access request. The ICO contacted them on my behalf and told them to comply. We waited another 40 days - no reply. The ICO wrote to the company again, we waited 40 days but still no reply. They've now contacted them for the third time and they're not going to get a reply because the company is likely to be illegally farming mobile phone numbers.
The ICO have informed me that this is the last time they're going to try and It'll then be up to me to spend a couple of thousand pounds to seek a court order under section 7(9) of the DPA to make the company comply with my Subject Access Request. So much for the ICO's big crack-down on PPI companies.
I bet they don't complain when they're signing the electronic box to accept delivery of a parcel.
Cheggers Plays Doc
How about Keith Chegwin as the Doc and Maggie Philbin as his sidekick.
Google doing something good for a change
Pay Day loans should be banned in my opinion - people getting rich out of other people's misery. So nice one Google! I doubt Money Supermarket will be around for long once the Tesco, Sainsburys et al start offering their own comparison service.
We need this in the UK
I've started a petition for the UK to achieve something similar. Basically, if a company wants to specifically target UK consumers (and UK data subjects) by operating a .co.uk website, then they should be a UK-based data controller.
It'll never work
The overwhelming majority of YouTube readers visit their site for something to do. As soon as they start charging those people will just find somewhere else to go.
The EU Directive is rubbish
EC Directive 95/46/EC on which the Privacy and Electronic Communications Regulations 2003 are based is too confusing. We could do away with the PECR 2003 and just have the DPA98. And if the e-mails are bothering you you simply opt-out under section 11 of the DPA98.
What we need is a review of the DPA98 to make it easier for individuals to seek compensation from companies that abuse their data protection rights. At the moment, a solicitor wants £5000 to bring a case under section 11(2) of the DPA98 - where a company has continued to market me after I have opted out under section 11. The process needs to be easier; I should be able to claim a set amount via the small claims court. So I opt out under section 11 and that company cannot send me direct marketing by phone, by post by e-mail by text etc, If they do then I can take them to court and walk away with, say £250.
This is long overdue. Let's face it, if UK companies actually understood the Regulation 22 rules then I am of the opinion that it's a pretty fair system. Unfortunately many don't. Regulation 22 states that a company can opt you in to marketing by default - so that the individual has to perform some kind of action to opt-out, only if they are collecting the information when making a sale or when someone is enquiring about a sale - obtaining a quote for example. In other words, if there's no possibility that submitting the form will result in a sale, such as a generic contract form, then you should be opted out by default. But if a company had a contact form that was specifically for contacting their sales department then that could be opted in by default.
In a recent example I switched my electric provider to M&S, and the service is provided by SSE. As part of the account I was advised to create an online account with SSE, and in doing so they had opted me in to marketing by default on the registration form. But I purchased the electric from M&S and I purchased it before Christmas. So I've already done the deal and signed-up to the service so SSE should have me opted out by default - because I'm not registering with them to enquire about or make a sale; I'm registering with them to manage my account. As such, the Regulation 22 rules are not satisfied.
So I'll be contacting SSE this week to remind them: www.mindmydata.co.uk
Block withheld numbers
If Ofcom introduced legislation to make it free to opt-out of calls where the caller has withheld their number, then perhaps more people would take up this option. Then they should introduce legislation that makes it easy for an individual to take legal action against these companies, especially if you're registered with the TPS.
I got an out of court settlement when Littlewoods kept phoning me despite the fact that I had told them that they had the wrong number:
Section 11 of the DPA
To stop receiving any and all marketing from a UK-based company you should opt-out under section 11. But you have to make sure that the data controller is a UK-based data controller, which rules out Amazon for example as their data controller is based in the EU so they don't have to comply with the DPA.
It's simple to stop spam
Mailwasher Pro and regular expressions for overseas spam, Section 11 of the DPA to stop any and all marketing from a UK-based company. I section 11 my insurance companies so that they're not able to send me an automatic renewal as I never stay with the same company twice.
You can opt out of marketing from any UK company under section 11 of the DPA
If you're being bombarded by unwanted e-mails from a particular UK company, then all you have to do is write to them and ask them to stop in accordance with your rights as a data subject. Forget all this unsubscribe malarkey, a section 11 request will stop marketing by post, text, e-mail, phone, and if you have an online account, even the advertising banners that appear in your account pages.
Barns & Noble are not a UK retailer
Although Barnes & Noble may have retail outlets in the UK the UltraViolet website is operated by a US data controller. If you want to hand your personal data to yet another overseas company and forgo the statutory rights afforded you as a UK data subject then by all means register.
I think it's important to distinguish between a UK retailer that operates under UK laws and has a legal obligation to uphold the statutory rights of it's UK data subjects, and those that don't.
While they're at it...
It might be a good idea too to bring in legislation to ensure that only UK-based data controllers can operate a .co.uk website. At the moment we have a situation where Amazon are asking their Kindle Fire customers to pay £10 to opt-out of of direct marketing being served to their new Kindle. But as UK data subjects we all have a statutory right to opt-out of direct marketing with a company under section 11 of the DPA98. How does Amazon get around this? They operate the Amazon.co.uk website with a European-based data controller rather than a UK-based one and thus deny us of our rights.
If they specifically wish to sell to UK consumers then Amazon should honour our data protection rights in my opinion and appoint a UK-based data controller.
Where's the UK equivalent to Amazon?
If a company like Argos was actually able to compete with Amazon I would much rather do business with a UK based company that pays UK tax and complies with UK data protection laws. Amazon.co.uk's data controller is based in Europe so as soon as you start using their services your rights as a UK citizen are not being upheld.
The law should be changed so that any company operating a .co.uk website should be based in the UK, pay the proper tax and comply with our laws.
Re: A recruitment agency's wet dream
If an employment agency extracts your data from LinkedIn and uses it to contact you outside of LinkedIn - which they did in my case because I had blocked them contacting me, then it's likely that the employment agency is contravening section 55 of the DPA98: Unlawful obtaining etc. of personal data.
When an employment agency uses LinkedIn it has agreed to do so in accordance with their terms and conditions. The agency should not be taking your data from LinkedIn, guessing your e-mail address and using it to contact you directly.
The employment agency business is full of failed salesmen who think that they can make a better living by operating an employment agency. In doing so, they're prepared to try every trick in the book to make some money out of you.
They could make more money
If LinkedIn clamped down on those employment agencies that regularly trawl their site to extract and process the data of those individuals that they're interested in - thus circumventing the fee paying channel, they could make even more money.
You can stop all advertising from a UK-based data controller
The Information Commissioner is of the opinion that all advertising - even generic advertising - appearing within a logged-in website is likely to be directed at an individual and therefore constitutes direct marketing. As such, if you're unhappy with advertising appearing within the logged-in pages of a UK-based website then you can send them a section 11 request to stop. If they fail to remove the adverts then submit a complaint to the ICO. http://www.mindmydata.co.uk/
Acronis vague about data controller question
Acronis want me to pay for their service and have my data stored on their servers but who is responsible for that data and under want laws will that data be stored? This should not be a difficult question to answer.
I'm still waiting for an answer.
Amazon show contempt for our rights as UK data subjects
As UK data subjects we are all entitled to opt-out of all direct marketing from a UK-based company. Amazon operates a .co.uk website and as such, one might think that they comply with UK data protection laws but they don't; the data controller for Amazon.co.uk is based in Europe, not the UK. As such, we as UK data subjects forgo our right under section 11 of the DPA98 to opt-out of the direct marketing that Amazon insist on displaying on their new Kindle. For that reason, I'll be sticking with my basic Kindle.
I kicked these jokers into touch a long time ago
They sent me a promotional e-mail quite a few years after I'd place my last order with them. I wasn't happy that they were still processing my data many years later so I submitted a section 11 DPA98 request and made it clear that I would seek a court order if they continued to send me direct marketing. I won't be doing business with them again.
Just take them to the small claims court
If a retailer gives you grief over a refund that you're legally entitled to all you need to do is get everything in writing and inform them that you're going to file a claim with the county court unless they comply. I've represented myself in the small claims court twice and the judge on both occasions was very supportive.
How about restricting it to registered UK data controllers
If they restricted the sale of .uk domains to registered UK data controllers only, then the user will be confident that the rights afforded them by the DPA98 will apply when doing business with a .uk website. For example, Amazon.co.uk has a European data controller, not a UK one. As such, we as UK data subjects lose a lot of the rights granted to us by the DPA when registering with Amazon.co.uk; including the right not to receive marketing. This is why Amazon's new Kindle Fire comes with advertising by default; because the data controller is based in Europe so we don't have the same rights. If Amazon.co.uk had a UK data controller then you could easily opt out of all advertising from Amazon or take them to court if they refused.
Bigger fish to fry
What you need to understand is that the ICO don't care about the little people. They have failed to take action against TPS contraventions. They will not take any action for a company failing to comply with a section 11 request, and they will not want to take action against cookie violations.
All the ICO want to do is go after government organisations and it throws most of its limited resources into doing this. They don't really care about marketing issues.
Tesco claim that they're 'never complacent' but when I asked them recently to respect my rights as a data subject not to receive their marketing, they suggested that I should cancel my ClubCard account if I wasn't happy with their marketing. They wanted me to cancel my account so that the matter would go away rather than deal with it and ensure that they were/are fully compliant with the DPA98. A rather cavalier attitude if you ask me that demonstrates complacency towards Tesco's obligations as a data controller.
Let's not bother to comply with the rights of this data subject, let's just delete his account instead.
CAP operate in a silo
'The CAP Code contains rules that advertisers, generally, have to adhere to and prohibits firms from making misleading claims or causing harm or offence to the public subjected to their promotions, among other things'.
But the CAP Code does not reflect the law of the land. The DPA 98 contains a legal definition of direct marketing and this is interpreted by the Information Commissioner's Office. Why does the CAP operate it's own antiquated definition?
All the shadows cast by the moon's hills are to the right, which means that they're being lit from the left. But the flag's shadow is on the right.
It's not just bad practice that Tesco are guilty of in my opinion. Tesco's Clubcard is likely to be incompatible with our statutory rights as data subjects because they are unable to separate the marketing from card; if you want a Clubcard then you must have the associated marketing. But section 11 of the DPA98 entitles data subjects to opt-out of ALL direct marketing from an organisation. However , when I asked Tesco to comply with my section 11 request they informed me that they would have to cancel my account. So I can't have an account unless I have the marketing which means that Tesco must have civil law terms - either actual or implied, that are incompatible with my statutory rights. The ICO are investigating.
The best thing you can do with this company
If, like me, you're a former customer and want nothing else to do with Talk Talk, send them a section 11 notice and ask them to cease processing your information to send you direct marketing: www.mindmydata.co.uk
If you're an existing customer watch out for special offers as my dad subscribed to a 12 month special offer at half price but it only lasted six months; then they put the price up. I got involved as my dad is in his 80s, and after getting nowhere with their Indian customer services, I contacted their head office and got them to sort it out. Apparently the person who processed the 12 month discount only did it for 6 months and failed to keep a reminder that he needed to put the other six months through. But why didn't he do it for 12 months in the first place and why, after their customer service people kept my dad talking for nearly an hour, did they not discover the error? Why did it take an investigation from head office? I was going to report them to Ofcom but my dad didn't want to get involved.
The other thing to watch out for too... if you contact Talk Talk and ask them to make a change to your account, this will require you to automatically renew your contract with them and they don't necessarily make you aware of this. That's what head office told me.
I'll never do business with Talk Talk again. I switched to Plusnet last year and haven't look back - good speeds no disconnections and excellent UK-based customer service. It's more expensive but it's worth it.
Get a good mailwasher
I been using Mailwasher Pro for many years which allows me to preview my e-mails on the mail-server before I download them. Any that I don't recognise can be deleted on the server and I never have to download it to my computer. If it's spam I have filters that automatically delete the e-mail and make me aware that the e-mail has been deleted, or that automatically delete the mail without me even knowing. Great for deleting spam based on keywords.
Of the 12,985 complaints they've accounted for 35% of them... what about the rest? I suspect that the majority of the unexplained 65% is made up of direct marketing complaints and the reason why the ICO hasn't mentioned anything about these is because they don't take action over direct marketing complaints.
It's one thing patting themselves on the back but prosecuting government organisations is easy as they have to comply so they can't fight back. How many commercial organisations have the ICO prosecuted?
What's the ICO doing about this?
In the UK, section 11 of the DPA98 entitles us to opt out of all direct marketing from a company by submitting a request for that company to cease processing our data for the purpose of advertising, marketing and public relations. In which case, you could simply submit a section 11 request to Microsoft and they would have to remove the adverts or fact prosecution. But will Microsoft comply with such a request bearing in mind that they're a US-based company.
This is yet another example of our rights as UK data subjects being ignored by non-UK based companies that couldn't give a toss about the DPA98. Twitter, LinkedIn, Skype, Facebook... they all ignore our statutory rights.
The ICO and the government should be doing more to enforce our rights.
Picking on government agencies again
This is yet another example of how the ICO focuses its resources chasing after government agencies. Contrast this with commercial organisations and the ICO don't want to know. The ICO's record of dealing with commercial organisations is appalling. They can't even carry out an audit against a company without first obtaining permission from the company to do so. And they send out mixed messages all the time. For example, I know for a fact that the ICO will not prosecute for a contravention of the PECR2003. Nor will they prosecute for failing to comply with a section 11 DPA98 request. Yet apparently they're going to kick-ass over tracking cookies? How do they explain the inconsistency?
It's easy to make things awkward for Amazon
All you need to do is send Amazon a Section 11 DPA98 request to cease processing your personal data for the purpose of direct marketing and they have to stop all forms of marketing to you or face prosecution by the Information Commissioner's Office.
This includes marketing by post, phone, e-mail, fax, text, and targeted advertising. More importantly, it also includes generic marketing banners that appear within your logged in account pages.
It won't remove all advertising... for example, advertising banners that appear when you are logged in via a cookie are unlikely to be directed at you personally. But once you proceed to the check-out and verify your credentials, then every page you view until you are logged out is being directed at you personally. The Information Commissioner's Office has clarified this.
Amazon would probably just cancel your account though to avoid having to comply. And apparently the ICO wouldn't have a problem with that.
Don't believe the hype
The ICO's claim that they're going to start issuing fines is a joke! They don't take any action under the Privacy and Electronic Communications Regulations 2003, they won't take action against a company for contravening section 11 of the DPA 98 but now they're going to start issues fines for non-compliance of cookie law. If so then it's a travesty!
If they're going to take action at all then they should be prosecuting companies for failing to comply with a section 11 request because this is a for more serious matter. If an individual submits a section 11 request to a particular company then it stops all marketing; including cookie-based targeted adverts
I've submitted two complaints about my bank failing to comply with my section 11 request the ICO have told me that prosecution for this kind of contravention is something they don't want to pursue. But what...they're now going to take action over friggin' cookies?
Please explain the double standards ICO.