Wednesday 24 June 2015

How good is your mailing company?

Just had an interesting phone call with a company about their spam emails. This company has emailed me about one of their "special offers"; needless to say, I never signed up to receive said offers. When I rang to ask to be removed from the mailing list, the person answering the phone said they had received lots of complaints about the emails. Apparently I have been lucky because I have only received two emails; some of the people they have been emailing have been receiving two an hour for days! According to the company, they outsourced their email marketing to a company in China, which hasn't been following the instructions it was given. A number of people who have been getting the emails have been complaining to the ICO.

So where has this company gone wrong? (This is my speculation based on the phone call.)

1. Breach 1 - I never gave them permission to email market to me. I had never heard of them before the email came through, so I definitely didn't sign up. You need to have a person's permission to be able to electronically market to them. You should also record where the sign-up information was gathered: lots of people don't remember signing up, and the ICO, if they investigate, will look for confirmation that you have permission.

2. Breach 2 - The emails did not have an unsubscribe option at the bottom, so I had no choice but to call to cancel. Given that the person didn't take my email address, I expect more emails from them in the future. There are certain criteria that have to be met when email marketing, one of which is that there is the ability to unsubscribe from future contact. It is an offence to fail to remove someone from your mailing list when they ask.

3. Potential Breach 3 - IF I had given them permission for email marketing, did they also ask my permission to send my details outside of the EEA (to their marketing company in China)? Probably not. If you are sharing personal information outside the EEA, you have to tell the provider of the information at the time of collection.

4. Potential Breach 4 - As China is not an approved country for data transfers, the company needed a specific clause and contract in place to protect individuals' information before sending it there. It seems unlikely in this case that they complied. https://ico.org.uk/for-organisations/guide-to-data-protection/principle-8-international/

Needless to say this company is already getting attention from the ICO regarding the level of complaints. If you need help to avoid a similar situation, contact me to discuss how we can help. ask@audit-and-risk.co.uk




Sunday 14 June 2015

Paper Forms - Do you have the basics in place?

It's been a busy week and whilst I have been out and about I have needed to complete some forms. I completed three different forms and not one of them met the requirements of the Data Protection Act with regard to collection notices.
Most of the forms were collecting basic details - the usual - name, address, DOB. The forms were being used by a health professional, a charity and a college.

So what did I learn this week? Ultimately, most of the organisations who collected information about me did not even meet the basic requirements of a collection notice on the form. A collection notice tells the person providing the information what their information will be used for, how it will be stored and for how long, and whether it is going to be shared with anyone. I have asked each of the organisations for whom I have completed a form what they intend to use my information for. It is worrying: if an organisation cannot even collect the information properly, how are they storing it, and who has access to it? Given the significant rise in identity theft, I have provided enough information for this to happen.

Remember that, regardless of whether you are registered with the ICO, you have to comply with the Data Protection Act, so any forms that you use for the collection of information MUST have a data collection notice on them. Without a valid collection notice you are breaking the law!

If you need help to produce a collection notice or require a review of your forms, please contact me.


Tuesday 9 June 2015

You've got to love her

My daughter came home from school the other day and as she was telling me about her day she made me laugh. Apparently at some point during the day they were to act as evacuees and so each child was given a cardboard tag and asked to write their name, age and address on the tag. Now my husband and I have both completed the Data Protection Act training and been auditing for more years than I would care to say, so she has been brought up in an environment where you always check the information you are being provided with. So my darling daughter told the teacher that she would not be completing the cardboard tag until she was told what they were going to do with the information as required by the Data Protection Act!

I have no idea how this went down with the teacher but I know that my daughter is trying to protect her information and privacy. Good for her.

Thursday 4 June 2015

Charities and Data Protection

I was listening to a Radio 4 programme yesterday where they were discussing charities, their information collection processes and their compliance with the Data Protection Act. This is currently a hot topic because of the death of Olive Cooke.

So far all the reports indicate that none of the charities named in the Olive Cooke case have breached the Data Protection Act. During the radio interview, the presenter suggested that charities should be more considerate of their supporters and do more than was required by the DPA. I can understand this point of view having worked with lots of charities; they are a caring sector and try to do the best for their supporters. My concern is that there are lots of companies that are not complying with the basics of the DPA and yet we expect charities to go beyond what the law requires just because of the sector they work in.

The difficulty charities have (as well as other companies) is that as their long-term supporters age, they may become more vulnerable. A friend's mother has dementia, and my friend regularly goes through the post to see what letters have been received. There are requests from charities that her mother has supported for a long time, ones that her mother has made regular donations to. My friend contacted the charities, explained that her mother was no longer able to deal with the correspondence coming through, and asked them not to send further requests, but said she would continue to make the regular donations in line with her mother's wishes. All the charities contacted complied with the request promptly.

We need to take some responsibility for the information that we receive and for telling organisations to stop sending it when we no longer require it. Organisations then need to take appropriate action to ensure that their records are updated.