The ICO has recently confirmed (RFA0612308) that ANY information found in the public domain does not require consent to process it. In other words, if this breach were related to UK individuals, then any UK organisation would not be unlawfully processing personal information by processing it - even if they were well aware that it had come from a breach. They'd be unfairly processing the information sure, but not unlawfully because for it to be unlawful - section 55 of the DPA, they would have to knowingly process the information without the consent of the data controller. But according to the ICO, consent is not required for information that is found in the public domain.
103 posts • joined 14 Sep 2009
Invite will likely constitute direct marketing
I'm not happy too with the way in which Amazon only tell me that the items in my wishlist have been reduced; they don't tell me when they've gone up. I asked them about this last month and they said it was due to an error in the system so I'm keeping my eye on it.
Section 11 of the DPA might help
Under section 11 of the DPA, if you ask a UK data controller to stop targeting you with adverts they would also need to remove their own advertising banners that appear in a logged-in website. I went to great lengths to clarify this with the ICO some years ago but it never found its way into their direct marketing guidance.
Direct marketing is marketing by any means and would include even generic banners appearing in a logged in page. This is because the data controller will know at all times who is logged into the account pages. I keep meaning to raise this issue with the ICO again but to be honest, they're so crap I can't be bothered.
Good job BT don't make planes.
ICO not fit for purpose
The Ombudsman is currently investigating the ICO as it's likely that many thousands of complaints made by the public over the years have been incorrectly assessed so that they support the companies that people are complaining about. The ICO's case officers have been siding with companies because they lack the skill to challenge them.
Annoying domain renewal e-mails
Nominet don't seem to get it that sending someone an e-mail to remind them that their domain is due for renewal is unsolicited electronic marketing. They can't legally send those e-mails without first obtaining consent and consent is only valid if the individual is given the opportunity not to give their consent at the point their information was collected.
Unless they have a legal obligation to remind their customers, Nominet need to obtain consent - tick box on the domain registration form for example, or send the reminder by post. I'm getting fed-up with setting a domain not to be renewed in the control panel provided by my hosting company but still receiving reminder e-mails from my hosting company and then from Nominet.
The number of UK companies that just don't get it is staggering. And don't get me started on the fee paying WHOIS opt-out that 123-Reg are heavily promoting to the detriment of the free WHOIS opt-out; they won't be doing that for long.
Small claims court
Talk Talk have a legal obligation to ensure that they store personal information securely. If they didn't refund all of my lost money then I would file a claim for actual damages and distress caused by the abuse of my data protection rights in the small claims court.
I find ad blockers essential
I too hate all adverts which is quite strange because as a kid I used to love them, especially near to Christmas. I guess for me adverts are no longer relevant because I'm not that materialistic anyway but also because I tend to do my own research about any products that I'm looking to buy and no amount of advertising will change that. Why on earth would I accept at face value what I'm being told in an advert when I can get other people's opinions? I often rely on the feedback on Amazon's website for example and in my experience, it tends to be fairly accurate.
Under UK law (section 11 of the DPA), one has the legal right to write to a data controller to ask them to stop promoting their products or services to you BY ANY MEANS. According to the ICO this would include generic adverts delivered while an identifiable individual is logged in to an account. Why do you think Amazon is an EU data controller and not a UK data controller? It's so that they can plaster their adverts all over their pages and on their Kindle Fire and you can't ask them to remove it. If Amazon were a UK data controller then you wouldn't have to pay the £10 to get the adverts removed from a Kindle Fire because it's a statutory right. This is why I want to see all .co.uk websites operated by a UK-based data controller because these sites are aimed at a UK audience.
I use an ad blocker regularly and my version of Amazon's website is very strange because I've blocked every possible advert. I read the Reg at work however and we don't have ad blockers.
To be fair, I don't mind companies making money out of advertising providing that it's their main source of income. What irks me is when companies like National Rail have advertising banners on their website; they should be providing a service but want to make money from it too! My National Rail website at home is so heavily blocked that it's just a couple of boxes in the middle of the screen so that I can check what time my train is running each day. I love the fact that I don't have to view their advertising - it actually makes me happy.
Need a UK alternative to Amazon
I shop with Amazon all the time but I wish that there was an alternative UK solution. Why can't some well known UK companies come together to create an online portal to challenge Amazon. Amazon are not a UK company and they're not even a UK data controller yet at least 50% of my annual purchases are made via Amazon.
I don't want to shop with individual companies via their websites because they all tend to abuse electronic marketing regulations and they all seem to want to send me a survey. Not interested! Don't want my e-mail address being used for this purpose and that's why I go with Amazon - not the price. If we had a UK shopping platform where I can opt-out of all the marketing and surveys then I'd be up for that.
Is it such a big deal?
I regularly submit Subject Access Requests and in response, I am constantly being asked for photo ID as identifying information. I have argued on numerous occasions to the ICO that I'm not going to give any company a copy of my passport or driving licence because of the security risk and because it's excessive.
A data controller can validate me by phoning me and asking me a few questions about my account. Or they could send me a letter to my home address and ask me to quote the reference number on the letter. Or they could wait for the £10 fee to clear and that validates me. Or they could ask me to pay the fee by credit card as that would validate me too!
There are lots of ways that a data controller can be satisfied about my identity without me having to give them photo ID.
The ICO however is adamant that requesting a copy of a passport is not excessive. If the UK's Data Watchdog couldn't care less who sees passport information then what's the big deal? Having said that, the ICO also told me that a year on its own constitutes a date for the purpose of a Subject Access Request. This organisation is not fit for purpose.
I'm about to expose the ICO as not being fit for purpose. My MP is helping me to get to the bottom of why nearly fourteen of my case reviews - where the ICO found in favour of a company, are likely to be seriously flawed. At the moment we're struggling to find someone within the organisation to take ownership of my complaint.
What about the moon?
On a BBC science programme the other week they were saying that the moon had a massive impact on life on earth and may have contributed to getting life started. Do these similar planets also have a moon like ours then?
Oh, look, yet another headline grabbing story for the ICO! What they don't tell you is that, for the overwhelming majority of complaints submitted to the ICO about direct marketing, most of them are a total waste of time. A combination of incompetent case officers and a policy of only taking action if they receive lots of complaints about the same company means that most companies can carry on regardless. For example, if Optical Express sent me the marketing and I complained, as long as that company stops sending me marketing the ICO will be happy. The company can carry on abusing the rights of thousands of others unless they too complain. And it's only when enough people complain that the ICO will think about doing anything.
This is a poor use of limited resources in my opinion. If I submit a complaint against a company and the ICO upholds my complaint then they should advise the company of their obligations, give them 30 days to contest the ICO's view, and warn them that any further similar complaints received after 30 days will result in criminal prosecution. Job done! And... the ICO needs to be prosecuting these companies so that we get some precedent because at the moment the Commissioner is just giving his own view. He needs to go to court and get a court ruling so that his guidance becomes law.
The fact remains that nearly every single company that I do business with will abuse my data protection rights in some way. It's an utter failure by the Commissioner.
What about advertising
The other month Amazon decided to send me an e-mail to promote Norton Antivirus despite the fact that I've been opted out of promotional e-mails with Amazon for years. When I questioned this they said it was because I'd spent over £30 with my last order. Since then, I've not purchased anything from Amazon that exceeds £29.99 and it's surprising what bargains you can find elsewhere. For example, I purchased a new TV in August from John Lewis for the same price as Amazon but with a free five year guarantee. Fair enough, I had to pay the postage but still, it's a far better deal.
My point being... I loathe companies that think they have a God given right to promote their products and services to me and this is why I wouldn't consider Amazon Fire TV. If they're not already advertising on the TV then it can't be far off. You're much better off waiting until a product is released by a UK data controller so that you can opt out of all direct marketing - even marketing served to a TV.
This is their own policy
I've submitted a number of complaints to the ICO over the years about companies holding on to my personal data indefinitely because they don't have a data retention policy in place. One of those complaints is currently being investigated by the PHSO. In my experience, as long as the organisation can demonstrate that they have a data retention policy in place the ICO couldn't care less. And if they don't, the ICO will just advise them to do so.
The fact that the Authorised Records Disposal Practice puts a three year data retention on MPs expenses then that's fine. However, bearing in mind the public's interest they might want to increase this to say six years.
They don't seem to know what a Subject Access Request is
I've just submitted a complaint to the ICO because they failed to respond to my SAR within 40 days. So here we have a new company that doesn't seem to understand their basic data protection obligations. I'm going to do a data audit on this company over the next few weeks.
The ICO regularly screw up
I currently have a complaint being processed by the Parliamentary and Health Service Ombudsman (PHSO) where I have outlined the failings of the ICO. To support my complaint I have included a detailed analysis of seven case reviews from last year where the view of the ICO was either wrong or likely to be wrong. These are case reviews too... so for each case review to be wrong it means that two members of staff hold the incorrect opinion: the Case Officer who conducted the original Assessment and their line manager who conducted the Case Review.
In one case I argued that a data controller had failed to comply with my subject access request (SAR) because they held the actual date: day, month, year of when they obtained my information but only provided me with the year in response to my SAR. I argued that a year on its own does not constitute a date and as they held an actual date, that's what they should have provided. As they didn't they failed to comply with my SAR. Three different levels of staff at the ICO: the person who conducted the assessment, their line manager who conducted the case review, and their line manager - who got pissed off with me complaining all held the view that a year on its own constitutes a date.
The organisation works in silos so that two different case workers can give you two different responses depending on who you ask. I'm hoping that the BBC's Panorama team will do a show on it once the PHSO has concluded its investigation.
Webmaster - www.mindmydata.co.uk.
I'm reluctant to do anything more than I have to with Amazon because it's ultimately going to mean more marketing. I've already opted out of marketing e-mails with them. Then the other week they promoted the soon to be defunct Norton Antivirus - See Reg article: Symantec: Antivirus is 'DEAD' – no longer 'a moneymaker'... must have done a deal to farm it on to unsuspecting Amazon customers. Anyway, Amazon sent me an e-mail to promote Norton AV and they said that this was because I had spent over £30.
So I'm opted out of marketing e-mails, so what do they do, just find some reason to bypass it. So I've told them that I will never place an order with them again that exceeds £27.99. And I'm submitting a complaint to the EU Commissioner's Office because I had already expressed a preference not to receive marketing e-mails and they ignored it.
Eff them! The worst thing a company can do is take its customers for granted. Just as Mr Ratner.
Get into a habit of opting out under section 11 of the DPA
We don't need new laws as we have perfectly good but unused laws. Section 11 of the DPA allows an individual to opt-out of all direct marketing from a UK-based company. If parents ensure that they register on behalf of their child then all they need to do is follow that up with an e-mail to the company opting out under section 11. Once opted out, the company cannot legally target the individual with direct marketing by any means, including generic or targeted adverts that appear in a logged in website.
You then follow that up by submitting a subject access request to any company that sends your child unexpected marketing. At the end of the day, the more people complain about these companies to the ICO the more likely it is that the ICO will take action. Buying software only hides the problem. The problem is that companies don't understand the law. www.mindmydata.co.uk.
I wouldn't trust AVG anyway as they target me with advertising even though I've purchased the full internet security product. Free version yes, full product no way. My AVG expires in September and I won't be using them again.
AVG themselves are an abuser of privacy. If I pay for a full version of their product then under UK law they cannot promote their products or services to me if I opt-out under section 11 of the DPA. But they're not a UK data controller so they don't recognise our rights. So despite the fact that I've paid for the full version they still target me with adverts from time to time and try to dupe me into paying for more services.
If I were using the free version then fair enough but I'm not. My AVG licence expires in Oct and I won't be renewing.
For example, anyone buying Amazon's Kindle Fire will have to pay £10 to remove the advertising. If Amazon.co.uk were bound by the DPA you could ask them to remove it by opting out of all direct marketing under section 11 of the DPA for free.
I'll never do business with this company again. I switched to Plusnet three years ago and never looked back.
Amazon shouldn't be allowed to operate a .co.uk website either as they don't have a UK-based data controller. A .co.uk website specifically targets UK individuals so the government should require those multinational companies that operate a .co.uk website to register a UK data controller:
The ICO is a waste of time
As someone who submits, on average, about three complaints to the ICO a month, I can confirm that they are totally useless. I currently have nine case reviews that I need to escalate to the PHSO because the caseworkers that worked on those case reviews don't know what they're talking about. So basically ICO staff are not really interested, and if they were they often get it wrong and ultimately it's an absolute waste of time.
All they need to do is allow individuals to take companies to the small claims court for contravening the DPA or the PECR. Make it a fixed claim amount for, say, £75 and watch how fast the marketing stops.
It's all a waste of time
It doesn't matter what new laws are introduced, the fact remains that the ICO will only take action against a commercial organisation in extreme circumstances.
For example, through a series of subject access requests I identified the order of events that led to me receiving an unidentified PPI text on my mobile phone. The company that sent the text were told by the ICO not to hide their ID in a text - that's it! The company that provided them with my mobile phone number failed to comply with my subject access request. The ICO contacted them on my behalf and told them to comply. We waited another 40 days - no reply. The ICO wrote to the company again, we waited 40 days but still no reply. They've now contacted them for the third time and they're not going to get a reply because the company is likely to be illegally farming mobile phone numbers.
The ICO have informed me that this is the last time they're going to try and it'll then be up to me to spend a couple of thousand pounds to seek a court order under section 7(9) of the DPA to make the company comply with my Subject Access Request. So much for the ICO's big crack-down on PPI companies.
I bet they don't complain when they're signing the electronic box to accept delivery of a parcel.
Cheggers Plays Doc
How about Keith Chegwin as the Doc and Maggie Philbin as his sidekick.
Google doing something good for a change
Pay Day loans should be banned in my opinion - people getting rich out of other people's misery. So nice one Google! I doubt Money Supermarket will be around for long once the Tesco, Sainsburys et al start offering their own comparison service.
We need this in the UK
I've started a petition for the UK to achieve something similar. Basically, if a company wants to specifically target UK consumers (and UK data subjects) by operating a .co.uk website, then they should be a UK-based data controller.
It'll never work
The overwhelming majority of YouTube readers visit their site for something to do. As soon as they start charging those people will just find somewhere else to go.
The EU Directive is rubbish
EC Directive 95/46/EC on which the Privacy and Electronic Communications Regulations 2003 are based is too confusing. We could do away with the PECR 2003 and just have the DPA98. And if the e-mails are bothering you, you simply opt-out under section 11 of the DPA98.
What we need is a review of the DPA98 to make it easier for individuals to seek compensation from companies that abuse their data protection rights. At the moment, a solicitor wants £5000 to bring a case under section 11(2) of the DPA98 - where a company has continued to market me after I have opted out under section 11. The process needs to be easier; I should be able to claim a set amount via the small claims court. So I opt out under section 11 and that company cannot send me direct marketing by phone, by post, by e-mail, by text etc. If they do then I can take them to court and walk away with, say £250.
This is long overdue. Let's face it, if UK companies actually understood the Regulation 22 rules then I am of the opinion that it's a pretty fair system. Unfortunately many don't. Regulation 22 states that a company can opt you in to marketing by default - so that the individual has to perform some kind of action to opt-out, only if they are collecting the information when making a sale or when someone is enquiring about a sale - obtaining a quote for example. In other words, if there's no possibility that submitting the form will result in a sale, such as a generic contact form, then you should be opted out by default. But if a company had a contact form that was specifically for contacting their sales department then that could be opted in by default.
In a recent example I switched my electric provider to M&S, and the service is provided by SSE. As part of the account I was advised to create an online account with SSE, and in doing so they had opted me in to marketing by default on the registration form. But I purchased the electric from M&S and I purchased it before Christmas. So I've already done the deal and signed-up to the service so SSE should have me opted out by default - because I'm not registering with them to enquire about or make a sale; I'm registering with them to manage my account. As such, the Regulation 22 rules are not satisfied.
So I'll be contacting SSE this week to remind them: www.mindmydata.co.uk
Block withheld numbers
If Ofcom introduced legislation to make it free to opt-out of calls where the caller has withheld their number, then perhaps more people would take up this option. Then they should introduce legislation that makes it easy for an individual to take legal action against these companies, especially if you're registered with the TPS.
I got an out of court settlement when Littlewoods kept phoning me despite the fact that I had told them that they had the wrong number:
Section 11 of the DPA
To stop receiving any and all marketing from a UK-based company you should opt-out under section 11. But you have to make sure that the data controller is a UK-based data controller, which rules out Amazon for example as their data controller is based in the EU so they don't have to comply with the DPA.
It's simple to stop spam
Mailwasher Pro and regular expressions for overseas spam, Section 11 of the DPA to stop any and all marketing from a UK-based company. I section 11 my insurance companies so that they're not able to send me an automatic renewal as I never stay with the same company twice.
You can opt out of marketing from any UK company under section 11 of the DPA
If you're being bombarded by unwanted e-mails from a particular UK company, then all you have to do is write to them and ask them to stop in accordance with your rights as a data subject. Forget all this unsubscribe malarkey, a section 11 request will stop marketing by post, text, e-mail, phone, and if you have an online account, even the advertising banners that appear in your account pages.
Barnes & Noble are not a UK retailer
Although Barnes & Noble may have retail outlets in the UK the UltraViolet website is operated by a US data controller. If you want to hand your personal data to yet another overseas company and forgo the statutory rights afforded you as a UK data subject then by all means register.
I think it's important to distinguish between a UK retailer that operates under UK laws and has a legal obligation to uphold the statutory rights of its UK data subjects, and those that don't.
While they're at it...
It might be a good idea too to bring in legislation to ensure that only UK-based data controllers can operate a .co.uk website. At the moment we have a situation where Amazon are asking their Kindle Fire customers to pay £10 to opt-out of direct marketing being served to their new Kindle. But as UK data subjects we all have a statutory right to opt-out of direct marketing with a company under section 11 of the DPA98. How does Amazon get around this? They operate the Amazon.co.uk website with a European-based data controller rather than a UK-based one and thus deny us of our rights.
If they specifically wish to sell to UK consumers then Amazon should honour our data protection rights in my opinion and appoint a UK-based data controller.
Where's the UK equivalent to Amazon?
If a company like Argos was actually able to compete with Amazon I would much rather do business with a UK based company that pays UK tax and complies with UK data protection laws. Amazon.co.uk's data controller is based in Europe so as soon as you start using their services your rights as a UK citizen are not being upheld.
The law should be changed so that any company operating a .co.uk website should be based in the UK, pay the proper tax and comply with our laws.
Re: A recruitment agency's wet dream
If an employment agency extracts your data from LinkedIn and uses it to contact you outside of LinkedIn - which they did in my case because I had blocked them contacting me, then it's likely that the employment agency is contravening section 55 of the DPA98: Unlawful obtaining etc. of personal data.
When an employment agency uses LinkedIn it has agreed to do so in accordance with their terms and conditions. The agency should not be taking your data from LinkedIn, guessing your e-mail address and using it to contact you directly.
The employment agency business is full of failed salesmen who think that they can make a better living by operating an employment agency. In doing so, they're prepared to try every trick in the book to make some money out of you.
They could make more money
If LinkedIn clamped down on those employment agencies that regularly trawl their site to extract and process the data of those individuals that they're interested in - thus circumventing the fee paying channel, they could make even more money.
You can stop all advertising from a UK-based data controller
The Information Commissioner is of the opinion that all advertising - even generic advertising - appearing within a logged-in website is likely to be directed at an individual and therefore constitutes direct marketing. As such, if you're unhappy with advertising appearing within the logged-in pages of a UK-based website then you can send them a section 11 request to stop. If they fail to remove the adverts then submit a complaint to the ICO. http://www.mindmydata.co.uk/
Acronis vague about data controller question
Acronis want me to pay for their service and have my data stored on their servers but who is responsible for that data and under what laws will that data be stored? This should not be a difficult question to answer.
I'm still waiting for an answer.
Amazon show contempt for our rights as UK data subjects
As UK data subjects we are all entitled to opt-out of all direct marketing from a UK-based company. Amazon operates a .co.uk website and as such, one might think that they comply with UK data protection laws but they don't; the data controller for Amazon.co.uk is based in Europe, not the UK. As such, we as UK data subjects forgo our right under section 11 of the DPA98 to opt-out of the direct marketing that Amazon insist on displaying on their new Kindle. For that reason, I'll be sticking with my basic Kindle.
I kicked these jokers into touch a long time ago
They sent me a promotional e-mail quite a few years after I'd placed my last order with them. I wasn't happy that they were still processing my data many years later so I submitted a section 11 DPA98 request and made it clear that I would seek a court order if they continued to send me direct marketing. I won't be doing business with them again.
Just take them to the small claims court
If a retailer gives you grief over a refund that you're legally entitled to all you need to do is get everything in writing and inform them that you're going to file a claim with the county court unless they comply. I've represented myself in the small claims court twice and the judge on both occasions was very supportive.
How about restricting it to registered UK data controllers
If they restricted the sale of .uk domains to registered UK data controllers only, then the user will be confident that the rights afforded them by the DPA98 will apply when doing business with a .uk website. For example, Amazon.co.uk has a European data controller, not a UK one. As such, we as UK data subjects lose a lot of the rights granted to us by the DPA when registering with Amazon.co.uk; including the right not to receive marketing. This is why Amazon's new Kindle Fire comes with advertising by default; because the data controller is based in Europe so we don't have the same rights. If Amazon.co.uk had a UK data controller then you could easily opt out of all advertising from Amazon or take them to court if they refused.
Bigger fish to fry
What you need to understand is that the ICO don't care about the little people. They have failed to take action against TPS contraventions. They will not take any action for a company failing to comply with a section 11 request, and they will not want to take action against cookie violations.
All the ICO want to do is go after government organisations and it throws most of its limited resources into doing this. They don't really care about marketing issues.
Tesco claim that they're 'never complacent' but when I asked them recently to respect my rights as a data subject not to receive their marketing, they suggested that I should cancel my ClubCard account if I wasn't happy with their marketing. They wanted me to cancel my account so that the matter would go away rather than deal with it and ensure that they were/are fully compliant with the DPA98. A rather cavalier attitude if you ask me that demonstrates complacency towards Tesco's obligations as a data controller.
Let's not bother to comply with the rights of this data subject, let's just delete his account instead.