The Post Office formally admits to unfairly processing my personal data

What started out as a reasonable response ended in disaster for the Post Office

It’s common knowledge that insurance businesses offer competitive quotes for insurance to attract new customers but then hike up the cost of renewing the policy. The use of rolling contracts ensures that apathetic policy holders are locked in to an automatic renewal at the inflated premium, while savvy consumers like myself have to undertake the frustrating process of explaining their decision not to renew to some arsehole in customer services. Frustrating, because the customer service person will often ask me what I’ve been quoted by another company to see if they can match it. It seriously winds me up that, rather than give me a competitive quote for renewal in the first place, they hike up the price and wait to see if I go elsewhere before trying to improve the quote when I phone them to cancel the policy.

You may have gathered that I don’t like rolling contracts, so I am using my rights as a data subject – my right to opt out of all direct marketing with a data controller for my information – to prevent an insurance business from automatically renewing my policy. This is on the understanding that a renewal quote will fall under the definition of direct marketing, and if they cannot send me a renewal quote then they cannot legally roll over the contract and I won’t have to contact them to cancel the policy and be subjected to their nonsense.

When I raise the issue with a company that I’m insured with, their first response is often to tell me that they’re obligated to send me a quote to renew, which is kind of true. Insurance businesses have a requirement placed on them by the Insurance Conduct of Business Sourcebook (ICOBS) to provide us with a quote for renewing the service in good time and in a comprehensible form – see ICOBS 6.1. However, when I checked with the FCA (Financial Conduct Authority), they clarified that an insurance company has a regulatory obligation, not a statutory obligation to provide me with a renewal quote. In other words, our statutory rights under the DPA/GDPR will overrule ICOBS. Thus, if I’m opted out of all direct marketing with an insurance business then they cannot target me with a renewal quote – period!

Having said that, I acknowledge that there will be situations where a data subject might want to opt out of all direct marketing from an insurance business but still want to receive the renewal quote. Indeed, I actually think that it’s a good idea that insurance companies remind us that we need to renew our car insurance. I don’t mind the renewal notice, it’s the rolling contract that I dislike.

With this in mind, I think it’s not unreasonable for an insurance business to send me the renewal quote even though I am opted out of all direct marketing. They may even be able to convince a judge that their actions were reasonable, bearing in mind that they do have a regulatory obligation. Technically, they’ll likely be in breach of Section 11 DPA so you probably wouldn’t lose the case, but it might impact on what you’re awarded as compensation. To avoid any confusion, when I opt out of all direct marketing from my insurance provider under Section 11 DPA, I specifically make it clear that I do not want to receive the renewal quote. I also invite the data controller to object to my opt-out if they hold the view that they must send me a renewal quote.

Esure complied with my Section 11 opt-out for my car insurance in 2017. Instead of sending me a quote to renew, they simply notified me of the date that my insurance was due to expire. And Dial Direct have just confirmed that they will not send me a renewal quote for my home insurance but they too will probably send me a reminder that my policy is due to expire about a month before it expires.

Now that I’ve set the scene, you’ll hopefully have a better understanding of what I had to deal with when I opted out with the Post Office.

What happened with the Post Office

I took out home insurance with the Post Office in January 2017. Shortly after, they sent me an e-mail inviting me to take part in a survey. However, the information about the survey suggested that my feedback could also be used for promotional purposes: ‘Your feedback will be used to measure satisfaction and we may also publish your comments anonymously on our website or other promotional material to inform other customers of our service’. In my view, it wasn’t a genuine customer survey because the feedback is being further processed. Genuine customer surveys do not constitute direct marketing because the feedback is only being used to improve internal systems and processes. In my view, as soon as you start further processing the feedback it’s no longer a genuine customer survey and the communication that promotes the survey will thus constitute direct marketing.

I submitted a complaint to the Post Office’s data protection person and we agreed to disagree about the survey, but I took the opportunity to opt out of receiving the renewal quote. I said:

‘I’ll take this opportunity to opt-out of all direct marketing from your organisation under Section 11 of the DPA. I’ve clarified previously with the FCA that ICOBS places a regulatory, not a statutory obligation on insurance companies, whereas the DPA places a statutory obligation on data controllers. As such, your organisation cannot send me a renewal quote by any means, because a renewal quote will constitute direct marketing. If you disagree with this, then please let me know and I’ll submit a further complaint to the ICO. Thanks!’

Do you see how I made it clear that I specifically want my opt-out to apply to the renewal quote? The Post Office’s data protection person wrote a letter to me as a PDF and attached it to an e-mail response where she confirmed that I would not receive a renewal quote. She said:

‘When your policy ends you will receive a letter confirming this in order to reduce the risk of you becoming unintentionally uninsured. This letter will replace the renewal invite we normally send out which would also normally serve as your proof of no claims discount. If at that time you do require proof of your discount you will need to contact us’.

Her reference to the “unintentionally uninsured” only applies to vehicle insurance, surely? We’re not legally obligated to have home insurance. Perhaps I’m nit-picking. The point is, she confirmed that I would not receive a renewal quote. If they want to notify me when my insurance is due to expire as Esure did, then I don’t have a problem with that.

Eleven months later, or thereabouts…

You’ve no doubt guessed… the Post Office sent me the renewal quote in December 2017. I went through my old e-mails to check that I had opted out and found the e-mail that I had sent to the Post Office to opt-out under Section 11 DPA. At this point I didn’t realise that their data protection person had written to me to confirm the opt-out, as I’d only looked through my sent items. I submitted a complaint to the Post Office to see how they would respond. The Post Office carried out an investigation into my complaint and the view of that investigation was that:

‘Your rights under data protection law to prevent your data being used for the purpose of direct marketing do not however, prevent companies from sending you any service communications’.

Interesting that she didn’t mention ICOBS. Fair enough, she does have a point – the Post Office is entitled to target me with service messages. However, if a service message – sent under the terms of a contract – contains a significant amount of promotional material then that service message will also constitute direct marketing. Just so we’re all clear – there’s no such thing as a promotional service message that bypasses the definition of direct marketing. If anyone tells you this, then they’re either trying to mislead you or they don’t know what they’re talking about. It makes no difference either, that the marketing is related to a service that you’re subscribed to. It’s unfortunate that legal professionals, even the ICO’s own case officers, have made these nonsense arguments to me over the years. Let’s be clear, if anyone sends me anything more than a logo and a strapline when I’m opted out of direct marketing then I’ll follow up on that. Here’s the ICO’s view on direct marketing – taken from their website:

Genuine market research does not count as direct marketing. However, if a survey includes any promotional material or collects details to use in future marketing campaigns, the survey is for direct marketing purposes and the rules apply.

Routine customer service messages do not count as direct marketing – in other words, correspondence with customers to provide information they need about a current contract or past purchase (eg information about service interruptions, delivery arrangements, product safety, changes to terms and conditions, or tariffs). General branding, logos or straplines in these messages do not count as marketing. However, if the message includes any significant promotional material aimed at getting customers to buy extra products or services or to renew contracts that are coming to an end, that message includes marketing material and the rules apply.

The first paragraph explains why I had an issue with the customer survey that I received. The second paragraph clearly explains that a renewal quote will fall under the definition of direct marketing so it’s not clear why a formal investigation by the Post Office into my complaint failed to pick up on this. I take it that the person who carried out the investigation never bothered to review the ICO’s guidance. Had she come back with the ICOBS argument I would have respected that because ICOBS likely places an obligation on the Post Office, but as it stands, it’s my view that the formal investigation into my data protection complaint was shambolic.

By this time, because I didn’t cancel the insurance policy, the Post Office renewed it. Following their “investigation” they agreed to issue me with a refund of the insurance premium as a gesture of goodwill.

Experience has taught me that there’s no point trying to argue the merits of the DPA with a customer service person so I started working on my Statement of Case. I was confident of winning a court case because I had stipulated in the Section 11 opt-out that I specifically did not want to receive the renewal quote, had referenced ICOBS, had referenced the view of the FCA and had asked the Post Office to let me know if they disagreed with my opt-out. If they objected to the opt-out then they should have informed me at the time. While I was drafting my case however, I reviewed all the e-mail correspondence and of course, I found the letter attachment that I had overlooked earlier. It was game over for the Post Office.

On the 7 Feb 2018, I e-mailed the Post Office’s data protection person and said:

I’ve just realised that you actually sent me a letter in response to my Section 11 opt-out, confirming that you would not send me a renewal quote but would send me a reminder that my insurance is about to expire instead. That’s a smoking gun! Your organisation had no right to target me with the renewal quote. I suggest you have a word with [withheld] – the person who carried out an investigation into my complaint because she wasn’t aware of this. Her investigation was a waste of time anyway and I’m about to file a claim for [withheld] in compensation under Section 13 DPA. Your organisation will not win that case.

I received a response from the same lady who carried out the investigation into my complaint on 16 Feb 2018. She said:

We have already fully addressed the issues that you have raised in our previous response dated 29 January 2018 and we would refer you to that correspondence. You have already received a full refund of your premium and no further sums are due. We are therefore closing your complaint.

Fully addressed? She continued…

For the avoidance of doubt we confirm that any claim for compensation will be fully defended and we would strongly encourage you to seek independent legal advice before commencing such a claim particularly in relation to the circumstances in which costs order may be made against you if you are unsuccessful with your claim.

Ouch! Okay, well, I gave the Post Office a clear opportunity to settle the matter without having to go to court; which I’m reasonably obligated to do, but they clearly were not interested. I filed the claim on the 14 March.

On the 5 April, lawyers acting on behalf of the Post Office contacted me to indicate that their client wanted to settle the claim. I don’t think I’m allowed to go into details because the case wasn’t assigned a track by the court. However, in a nutshell, I refused their out of court settlement because it contained too many conditions. I amended those conditions and added some of my own and in response to this, the Post Office decided to formally settle the claim and admit fault, rather than try and settle the claim out of court – based on my amended conditions.

The Post Office formally admitted that they failed to comply with my rights as a data subject.

Conclusion

Failing to comply with my Section 11 opt-out was an outright abuse of my fundamental rights as a data subject. Failing to carry out a competent investigation into my complaint was frustrating. However, failing to act upon my confirmation that I had the letter that utterly destroyed what little case they had, was unreasonable in my view. Strip away all the marketing and advertising and you get to see a company for what it is. What I don’t understand is what happened to the letter internally. Having confirmed in writing that I would not receive the renewal, did their data protection person just file it away or did she pass it to customer services for action? And why wasn’t she involved in the investigation?

Changes under the GDPR

Section 11 DPA has now been superseded by Article 21(2) GDPR. If you want to opt out of all direct marketing with a data controller for your information, then you need to contact them and inform them that you’d like to opt out under Article 21(2) GDPR. If you’re opting out to avoid receiving a renewal quote then you might want to specifically mention this in the opt-out request.

If I were to file this claim under the GDPR/DPA2018 instead of the DPA, the main difference is that the DPA2018 now stipulates that distress alone constitutes damages. So, whereas a judge required me to demonstrate that I had suffered “non-pecuniary” damages under the DPA, for example, that I’d received a marketing e-mail as the result of a failure to comply, I’m no longer required to demonstrate this.

Under the GDPR/DPA2018, any failure to comply with our rights as data subjects warrants a claim for compensation – because you’ve suffered distress. How the data controller deals with that issue will likely have an impact on what a judge might award in damages. So, in this case, I would point out the failure by the Post Office to act upon my opt-out, to carry out a competent investigation or to seek advice from their data protection person or the ICO. I would have pointed out too that when presented with the smoking gun – the letter confirming compliance, rather than reasonably look to settle the claim, they refused to discuss the matter further and tried to pressure me into dropping the case by mentioning that I might incur costs.

My view is that companies should start issuing standard compensation for any abuse of their customers’ data protection rights to avoid having to defend claims in court. But then again, one needs to have an effective process for investigating complaints for that to work.