Data Protection and the RSPCA: the limits of consent

Peter LewintonBusinesses must handle and protect their customers’ data correctly. Peter Lewinton, MA (Oxf), MBCS explores and explains what we can learn from the recent RSPCA case.

The areas of data protection, cyber security and IP protection in the Digital Age generally are very much in the news. They are a slightly splintered area of law falling variously under the Data Protection Act 1998, the Computer Misuse Act 1990, Investigatory Powers Act 2016, Freedom of Information Act 2000, Human Rights Act 1998 and the Copyrights, Designs and Patents Act 1988 as amended and updated by various WIPO treaties.

A key tension is the balance between an individual’s right to privacy and protection of their personal data balanced against the often quoted desire of the state to keep us safe. The rapid growth of the internet, computing power and increased storage capacity allow for unprecedented data collection and processing.

Generally hackers make the news and highlight security shortcomings leading to the Information Commissioners Office becoming involved. However serious breaches of Data Protection law occur without a hacker anywhere to be seen through the illegal use of data provided voluntarily.

In the case of the RSPCA, it was collecting personal data from donors who were presented with the following notice:

‘The RSPCA may allow other organisations whose aims are in sympathy with our own or whose offers will benefit animal welfare to contact our supporters, if you do not wish to hear from them please tick the box’

The RSPCA then participated in a data sharing scheme called ‘reciprocate’ without knowing who the other parties in the scheme were. They also provided data to wealth screening companies and participated in data matching and telematching schemes. On a few occasions they also released data on individuals who had opted out.

This was brought to the attention of the new Information Commissioner Elizabeth Denham via the press and unsurprisingly after a 9 month investigation serious breaches of the Data Protection Act were identified. A monetary penalty was issued of £25,000 but criminal charges could have been brought.

The Data Protection Act has at its heart 8 key principles of Data Protection with the first 2 being that personal data must be processed fairly and lawfully and that, crucially in this case, shall be obtained for a specified purpose and used consistently with that purpose. Generally to be lawful consent must have been obtained which is appropriate to the purpose.

The Commissioners view was they the initial notice was too vague and ambiguous and did not provide data subjects with sufficient information. Consent must be freely given, specific and informed. Just ticking any old box does not do it. Therefore the data subjects had not properly consented and therefore the data processing was illegal.

The Data Protection Act covers all personal data (with certain limited exemptions) which includes names, addresses and even IP addresses. Generally consent must be sought to process that data so everybody is going to need to take great care when collecting data to ensure proper consent has been obtained and also that if the person collecting the data (the data controller) decides to use the data for another purpose to seek fresh consent.

The world of big data is going to struggle a bit with this but perhaps has consoled itself that currently the maximum fine from the ICO is capped at £500,000. Fatal for an SME probably but merely a deduction for a large corporate. However new legislation proposes a fine of 4% of turnover.

Of the 8 principles of Data Protection only 1 is directly concerned with security of data (principle 7). Organisations and individuals need to devote resources to ensure the legal collection and management of personal data as well as making sure appropriate security is in place to avoid substantial fines and potential criminal prosecution.

Personal data collected which requires consent can only be lawfully used in ways which derive directly from the consent given unless a specific exemption applies. It has been said that personal data is like money and if so when you provide your personal data to a third party it is analogous to a loan on specific terms for a specific purpose.

Comments (1)

Leave Comment
  • 1
    Richard Hind wrote on 27th Feb 2017

    Being an RSPCA supporter I received a letter explaining this case, sadly they took a rather arrogant stance claiming that they had done nothing wrong (and that other charities do the same thing). Having reviewed the various news stories I am in agreement with the ICO's action. I am now waiting to see if the big cheeses at the RSPCA to do the honorable thing and step down.

    Report Comment

Post a comment

About this blog

This blog is brought to you by the members of the BCS Internet Specialist Group and allows you to harness their skills, expertise and knowledge. The internet is ubiquitous and has a major impact on our daily lives, at work, at home on the move. The associated risks and security concerns are real, but the magic and advantages of the internet are significant.

See all posts by Internet Specialist Group

Search this blog

October 2017
M
T
W
T
F
S
S
1
2
3
4
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31