ICO Assessment (RFA0857688): What it means to obtain consent

Another flawed view by an ICO case officer.

In this flawed Assessment, a Lead Case Officer demonstrated that not only does she not understand what it means to obtain consent, but that she doesn’t seem to understand what it means to satisfy a condition for processing either. Furthermore, the case officer took every opportunity to side with the controller, in what should have been an evidence-based assessment.

A concern too, is that the assessment reviewed how a political party obtains consent, yet it would appear that the case officer doesn’t understand what’s going on in her own organisation; that the Commissioner has concerns about how political parties obtain consent. For example, in 2018, the Information Commissioner’s Office (ICO) produced a report: Investigation into the use of data analytics in political campaigns, where they highlighted their concerns about how political parties obtain consent. The report reached the following conclusion:

We have concluded that there are risks in relation to the processing of personal data by many political parties. Particular concerns include the purchasing of marketing lists and lifestyle information from data brokers without sufficient due diligence, a lack of fair processing and the use of third party data analytics companies, with insufficient checks around consent.

https://ico.org.uk/media/action-weve-taken/2260271/investigation-into-the-use-of-data-analytics-in-political-campaigns-final-20181105.pdf.

This report was created on the back of the Facebook/Cambridge Analytica scandal, where the need to give clear consent to data processing became a global hot topic. So, is it reasonable to conclude that the ICO’s case officers have a clear understanding about what it means to obtain consent? And that the ICO has a process in place to specifically investigate any abnormal data processing behaviour by political parties? Apparently not.

As is often the case with the ICO, it’s all about public perception. The ICO likes to give the impression to the public that they’ve got everything under control but in reality, the ICO is a flawed organisation, and its case officers take every advantage of the public’s lack of understanding of data protection law to spout their nonsense. Why aren’t case officers aware about what’s going on in their organisation? The same thing happened with another case, where the ICO had entered into an undertaking with the FCA but the case officer was oblivious to it. What’s the point?

In my experience, if the ICO were a department of the NHS – where expertise is critical, they would have been exposed as not fit for purpose many years ago, because they would have killed patients with their utter incompetence. As it is, they continue to get away with it because the UK public trusts that the advice being given is competent, and because the public lack the understanding of the law to challenge the ICO’s advice. This is where I come in.

This is the first of seven recent examples of incompetence by the ICO’s case officers that I am going to publish and then I’ll start working back over the ten years that I’ve been submitting complaints to the ICO. You’re in for a shock. If you’re being prosecuted by the ICO, you may be able to use some of these cases to question the ICO’s right to prosecute anyone.

Facts of the case

In autumn 2018, out of the blue, a political party sent an email to me at my place of work, asking me to make a donation. I contacted the Data Protection Officer (DPO) for the political party [The Party] and asked them how they had obtained my work’s email address, as besides being my work’s email address, it also constitutes my personal data.

Having received no reply after two weeks, I tried again by forwarding my enquiry, and on this occasion I received a response. I was informed by their DPO, that they had obtained my information when I signed-up to receive marketing emails, via a form on their website. I did not submit any forms on their website so I was concerned about how they had obtained my information. For all I know, Party members are scraping profiles from social media and submitting the personal data into the form themselves – to sign these individuals up to the donation emails. Such an action is potentially a criminal offence.

I had a look at their website and they’re operating one of these forms; you know, where you submit a small amount of personal data to sign-up to marketing emails. This is a fairly common and sometimes annoying feature of many websites, particularly when the form pops-up on a website that you’ve stumbled across and you can’t do anything until you’ve closed down the form.

In a follow-up response, The Party stipulated that they had obtained my consent to target me with the direct marketing emails. I informed them that they had not obtained my consent and that I intended to file a claim for compensation. Their DPO replied as follows:

I do not accept that [The Party] has unlawfully processed your data, and therefore your claim for compensation is totally without merit. Given you assert that you did not submit your email address, I have instructed colleagues to delete your record from our database. This should in no way be interpreted as an admission of liability in respect of any claim.
You should be aware that [The Party] will robustly defend its interests in the event of litigation. Particulars of claim should be sent to [the email address of their legal team].

My claim does indeed have merit if they cannot prove that they obtained my consent. Receiving direct marketing as a direct result of unlawful data processing, constitutes a valid claim for compensation. And as they’ve just gone and deleted my personal data from their database, it’s quite possible that they’ve deleted all records associated with my master record, depending on how their database works. So, it’s possible that they have no evidence at all.

Furthermore, deleting personal data during an ongoing complaint, and after having been threatened with legal action, was suspicious behaviour in my view. Controllers should not be deleting personal data on-the-fly unless specifically requested to do so. For one thing, by deleting my data they’ve denied me the key right of subject access.

Based on the Commissioner’s report, where she makes it clear that she has concerns about how political parties obtain consent, isn’t this something that the ICO should be investigating? Wouldn’t we reasonably expect the case officer to be aware of the report and to follow an escalation process? If nothing else, The Party should be prosecuted if they autonomously delete personal data when dealing with an ongoing complaint.

I contacted The Party’s legal team to outline my case on a number of occasions, using the email address provided, but I never heard back from them. When I win the case in court, I shall identify The Party.

While preparing my case for court, I submitted a complaint to the ICO to see what they had to say.

The ICO’s Assessment (RFA0857688)

The ICO carried out an Assessment, and a Lead Case Officer at the ICO concluded as follows.

We have considered the information you have provided to us and it is our view that [The Party] have complied with their data protection obligations in this instance. This is because we consider the obtaining and processing of your personal data to have been lawful in this instance. [The Party] have kept a record of how your email address and consent was obtained and been able to demonstrate their lawful basis for processing this data. The organisation also gave you the option to opt out of receiving further marketing emails, as required by data protection law.

The ICO acknowledges that you did not receive a response to the initial concern you raised with [The Party]. However, your concerns were addressed within one calendar month of the first concern you raised with the organisation. We also note that [The Party] subsequently deleted your personal data without you requesting they do so. However, we consider [The Party]’s explanation that this information was deleted as you made it clear you had not submitted your email address in the first place reasonable.

As there is insufficient evidence that your data was unlawfully obtained we do not consider it necessary to take any further action at this time. We note your concerns regarding the lack of validating data at the point it is received, however it is not a legal obligation for organisations to take this step. Further to this, due to the small amount of personal data that is obtained we consider the option to opt out as sufficient to prevent any unlawful processing in the unlikely event that a third party inputs an individual’s email address without their consent on an online form or survey.

Let’s carry out a Mindmydata (MMD) analysis of the ICO’s Assessment.

1. The controller has deleted my record

The Lead Case Officer was of the view that The Party had complied with its data protection obligations. She said:

[The Party] have kept a record of how your email address and consent was obtained and been able to demonstrate their lawful basis for processing this data.

However, the case officer was well aware that the controller had deleted my account information, so how does she know what records they now hold about me? At the very minimum, she needed to contact the controller to ask them what information they held about the form being submitted. Do they have an IP address for example? And of course, to ask them why they opted to delete my information during an ongoing complaint to deny me my right of subject access.

Yet, the case officer didn’t do anything. Despite being aware that the Controller had deleted my account information, the case officer still found a way to side with the controller in, what should be, an evidence-based Assessment. This kind of nonsense is standard practice at the ICO – as you’ll see when I publish the other cases.

2. Deleting personal data under these circumstances should be a cause for concern

The Lead Case Officer supported The Party’s decision to delete my information, she said:

However, we consider [The Party]’s explanation that this information was deleted as you made it clear you had not submitted your email address in the first place reasonable.

Deleting personal data when threatened with legal action is a reasonable course of action is it? How about denying me my right of subject access, is that reasonable too? How about the fact that they may have failed to retain evidence of how they obtained my consent? Reasonable?

In light of the Commissioner’s report, this issue should have been escalated and investigated. If Party members are scraping profiles from LinkedIn and submitting the data via their web-form, deleting the personal data of anyone that complains is an obvious course of action to cover up the abuse.

3. The controller had no intention of dealing with my complaint

The Lead Case Officer supported The Party’s failure to respond to my complaint. She said:

The ICO acknowledges that you did not receive a response to the initial concern you raised with [The Party]. However, your concerns were addressed within one calendar month of the first concern you raised with the organisation.

It’s quite possible that my concerns were only addressed by The Party because I submitted a follow-up email, yet note how the case officer again sided with the controller. There was no auto-responder, they didn’t tell me that they’d get back to me within 14 days or anything like that. And their lawyers have not got back to me at all. They’ve clammed up and again, this should be a cause for concern.

In my experience, the default position for any case officer is to side with the controller – regardless of the facts. This is another example.

4. The controller DID NOT obtain MY consent

The Lead Case Officer said that The Party was able to demonstrate that consent was their lawful basis for processing my data. Yet, this remains unclear because they deleted my account so we don’t know what they’re able to demonstrate. Let’s assume though, that The Party hadn’t deleted my information. What can they actually prove? Can they prove that they obtained MY consent? Or can they only prove that someone submitted my information into their web-form?

Of course, we’re talking about a controller obtaining consent when a small amount of personal information is submitted via a form on their website. For consent to be valid, it must be freely given, specific, informed and unambiguous. In other words, for consent to be valid, a controller will have to demonstrate that I visited their form, read their consent statement, and freely submitted my personal data into their form – having been informed about what it is I am consenting to.

Unless a controller can prove that the data subject visited their form, they cannot rely on consent to obtain that data subject’s personal data via that form. This is because the consent statement that appears on the form is a critical element of consent.

It might be easier to demonstrate if I use the example that I intend to use at the court hearing. At the court hearing, I shall ask the judge to consider the following… that if I had the judge’s name and email address, were I to visit The Party’s website and submit the judge’s information into the form to sign them up to marketing emails – without the judge knowing that I’ve done this, has the judge given their consent?

What do we think the judge will say? In this scenario, the judge never even visited the website, never mind read the consent statement and submitted the form. Instead, I submitted the judge’s information without their knowledge, so how can any controller claim that the judge gave their consent?

The Defendant’s lawyers might argue that by following the process for obtaining consent and keeping a record of the form being submitted, they obtain consent to process any personal data submitted via the form, regardless. I’d then refer the judge to Article 7(1) GDPR, which states:

Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.

Article 7(1) GDPR gives the judge clear instruction. That it’s not enough for a controller to demonstrate that personal data was submitted via a form that contains a valid consent statement; the controller needs to demonstrate that the data subject gave their consent. And the only way to do that, is to demonstrate, beyond reasonable doubt, that the individual visited the form, read the consent statement and freely submitted their own personal data; having been clearly advised about what they were consenting to.

At the end of the day, it all comes down to the form. If it’s clear that it’s easy for anyone to submit anyone’s information via the form, then the controller is screwed. How do they prove to the judge that my personal data was submitted by me and not by someone else? If controllers don’t want to bother with form validation, then they risk being unable to defend a claim for compensation. They’re basically adopting a fingers-crossed approach to data processing – they obtain consent as long as no one objects. And there are lots of public-facing forms on lots of websites and an ever-growing number of no-win, no-fee data protection solicitors.

Clearly, the case officer has demonstrated that she does not understand what it means to obtain consent. This should be a serious cause for concern for the public and controllers alike. Particularly in this case, where the controller is a political party.

5. The controller assumes the risk if they do not validate their forms

The Lead Case Officer continued…

We note your concerns regarding the lack of validating data at the point it is received, however it is not a legal obligation for organisations to take this step.

While I accept that it’s not a specific legal requirement to validate personal data that is submitted via a public-facing form, as I have demonstrated, the data controller assumes the risk if they don’t.

The level of risk is likely to be linked to the type of form being used. For example, if you’re placing an order for something to be delivered to your property, and you pay with a credit card, then that form has reasonably been validated and the risk of someone else submitting your personal data into that form is likely to be very low. Thus, there’s probably no need for a double opt-in validation.

In this case however, where the form only collects a small amount of information, it’s very easy for someone to submit someone else’s information into the form and sign them up to marketing emails, either for a laugh or out of spite. In this situation, the controller has no defence if they do not validate the form with a double opt-in or a similar mechanism. They have to be able to prove, if challenged, that the data subject submitted the form.

The ICO clearly couldn’t care less but the data subject has a right to claim compensation unless the data controller is able to prove that they submitted the form. Like I say, this case officer isn’t doing anyone any favours.

6. The Lead Case Officer doesn’t understand what it means to satisfy a condition for processing.

The Lead Case Officer added…

Further to this, due to the small amount of personal data that is obtained we consider the option to opt out as sufficient to prevent any unlawful processing in the unlikely event that a third party inputs an individual’s email address without their consent on an online form or survey.

What can I say about this? They’re relying on consent to obtain my personal data so anyone that understands the basics of data protection law will likely gasp with despair at this comment. That a Lead Case Officer employed by the ICO, holds the view that a controller is able to satisfy a condition for processing… because they satisfied Regulation 23 PECR. For crying out loud!

Moreover, she doesn’t seem to understand the difference between direct marketing and a survey. This highlights the ICO’s failure to understand what constitutes a survey, which was the view given in another recent case review. I’ll probably publish that one next. The level of incompetence is staggering but it’s par for the course at the ICO.

Relying on consent to obtain form information – further analysis

Finally, one thing for controllers to consider, is that they should avoid relying on consent to obtain such a small amount of personal data. They’d be better off relying on the legitimate interests condition as this gives them the flexibility to target the individual with a double opt-in validation email to balance their legitimate interests.

For example, by relying on the LI condition, the legitimate interest will be something like… ‘to send marketing emails to data subjects that sign-up to receive marketing emails from us’. To balance the LI condition with the rights of the data subject, the controller should use a double opt-in to ensure that the person who submitted the form submitted their own information. If the individual does not action the validation email that is sent to them – because they didn’t submit the form, then the validation process has worked; the legitimate interest has been balanced against the rights of the data subject, and the data will not be further processed.

However, if a controller attempts to carry out the same validation process using consent, then if the individual does not action the validation email – because they didn’t submit the form, the data controller will have unlawfully processed their personal data. This is because the controller relied on consent to obtain personal data that was subsequently rejected at the validation stage. To obtain is to process, so the controller cannot rely on consent to obtain the data if it is discovered that the data subject did not give their consent. Even if they’re obtaining the data for the purpose of validating it.

What I’m saying is… if you cannot trust the source, then don’t rely on consent. If it’s possible for someone to submit someone else’s data, then don’t rely on consent. If you rely on consent you will have unlawfully obtained the data if the double opt-in email is rejected. Whereas the LI condition allows you to obtain the data for the purpose of validating it.
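
The double opt-in validation discussed in sections 5 and above, sketched as an added example (it is not code from this post or from any party's website): a form submission is held as pending together with the evidence asked about earlier (time, IP address, consent wording), and the address only becomes mailable once the emailed link is actioned. The function names, the 48-hour link lifetime and the sample consent wording are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import secrets

SECRET = secrets.token_bytes(32)   # server-side signing key (constructed for the example)
TOKEN_TTL = 48 * 3600              # seconds a confirmation link stays valid (assumed)
CONSENT_TEXT = "I agree to receive marketing emails from Example Party."  # constructed

pending, confirmed = {}, {}        # email -> evidence record


def _sign(payload: bytes) -> str:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()


def submit_form(email, ip, now):
    """Hold a form submission as *pending* and return the token to email out."""
    email = email.strip().lower()
    nonce = secrets.token_hex(16)
    pending[email] = {
        "submitted_at": int(now), "submit_ip": ip, "nonce": nonce,
        # Hash of the exact wording shown on the form at submission time.
        "consent_text_sha256": hashlib.sha256(CONSENT_TEXT.encode()).hexdigest(),
    }
    payload = f"{email}|{nonce}|{int(now) + TOKEN_TTL}".encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def confirm(token, ip, now):
    """Verify the emailed token; only then does the address become mailable."""
    try:
        b64, sig = token.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(b64.encode())
        email, nonce, expiry = payload.decode().split("|")
        expiry = int(expiry)
    except (ValueError, UnicodeDecodeError):
        return False                                   # malformed token
    if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        return False                                   # forged or altered token
    rec = pending.get(email)
    if rec is None or rec["nonce"] != nonce or now > expiry:
        return False                                   # unknown, reused or expired
    # Keep the submission evidence and add who confirmed, and when.
    confirmed[email] = dict(pending.pop(email), confirmed_at=int(now), confirm_ip=ip)
    return True


def may_send_marketing(email):
    """Marketing is allowed only for addresses whose owner actioned the link."""
    return email.strip().lower() in confirmed


def purge_unconfirmed(now):
    """Drop submissions whose link was never actioned; returns how many."""
    stale = [e for e, r in pending.items() if now > r["submitted_at"] + TOKEN_TTL]
    for e in stale:
        del pending[e]
    return len(stale)
```

If a third party types in someone else's address, the link is never actioned, `may_send_marketing` stays false and `purge_unconfirmed` removes the entry once the link lifetime has passed.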

Conclusion

Rather than uphold my complaint and possibly escalate it to the ICO’s Intelligence Hub for further investigation, the Lead Case Officer has found a way to support the controller in every single aspect of my complaint. She couldn’t even be bothered to contact the controller to get an update about what information they hold about me since deleting my account.

Unfortunately, this is standard practice among the ICO’s case officers.

I’m currently waiting for the ICO to carry out a case review and I’m about to file a claim for compensation against the political party. I’ll start publishing the other Assessments as time allows.