31 May 2019 / Technology

Are you data-aware?

Steve Wood Deputy Commissioner for Policy – ICO

Comments 35

It’s more important than ever to know who is using your personal data, and why. Our guest from the Information Commissioner’s Office explains more.

This is a guest post by Steve Wood. All views expressed are Steve’s own and not necessarily shared by Which?.

New laws introduced a year ago changed the way businesses should be using personal data – the General Data Protection Regulation or the GDPR – strengthened consumers’ rights, putting them at the heart of data protection law.

At the ICO, we regulate this new legislation and increasing the public’s trust and confidence in how their personal data is used is one of our main priorities.

We’ve handled more than 40,000 complaints about personal data since May 2018. We look at every complaint to make sure people’s data are being used in ways they expect.

Know your data rights

We want people to understand how they can be in control of their own personal information. People have the right to ask for a copy of all the data held about them, the right to get their personal information corrected, and the right to ask an organisation to stop using their data.

It’s your right to be informed about how organisations are using your data, even if it happens behind the scenes.

Over the last year our investigations have revealed the invisible ‘behind the scenes’ processing of personal data that happens online.

Why is my app free?

People are starting to ask ‘why is my app or online service free?’ – and realising the trade-off is their personal information.

We always advise those who use social media, online services and any websites to check their privacy and advertising settings and to review them regularly, particularly after any new settings are introduced.

This includes understanding how people use your data to target you with social media adverts. Our new ‘Be Data Aware’ campaign is designed to show people how companies might be using their data to target them online and why, and how you can control who is targeting them.

In 2018, we fined Facebook £500,000 for allowing an app to harvest the personal data of 87 million people without their consent.

We have also taken action against HMRC, ordering it to delete personal data after it collected seven million voice records without consent.

Whether people are liking or sharing a social media post, or accessing a public service, they have a right to expect the law is being followed.

Did you know you have the right to ask an organisation to stop using your data? Do you understand why you receive nuisance calls? And do you know why you receive adverts online?

This was a guest post by Steve Wood. All views expressed were Steve’s own and not necessarily shared by Which?.

What action do you think could be taken by the ICO and others to awareness of data rights?

Comments

alfa says:

31 May 2019

The only thing GDPR has achieved is showing us how little control we really have over our personal data and how difficult it is to manage.

Since it came into being, websites have used every devious way possible to make it virtually impossible to find out what they are doing and what we can do about it. Many started off with a simple privacy statement and easy opt-outs, but that soon escalated to wading through many pages, far too much text to be bothered with and controls hidden in their murkiest depths. You are even told to visit other sites that will give you much of the same, so impossible to control.

Many sites won’t even let you continue unless you agree to their data harvesting. Many sites opt-outs don’t work at all.

Then if you regularly clear out temporary files and cookies, you have to start again.

Opting in or out to marketing is another pitfall. You might be happy to receive marketing emails from a company, but not all its partners and this is not always made clear. If I can’t opt out of ‘selective partners’, I don’t opt in at all.

When GDPR was introduced, every operating system should have released a user interface to give us real control over our personal data so we could build up our own databases of who was allowed to pry into our lives and online travels. Websites could ask and be told NO once and for all.

Kevin says:

31 May 2019

Taking a look at Which’s policies I’m quite surprised to find the following. I wasn’t even aware that Which were engaging with commercial retailers to foist more junk on me, since I’m paying a subscription I DON’T expect to be the product:

https://www.which.co.uk/help/our-policies-and-standards/1975/which-privacy-notice

Buried amongst the long list:
*** to develop and carry out marketing activities and competitions;
*** to serve you adverts on other websites about things which you’ve shown an interest in on our own website, or relating to campaigns you have interacted with;

And under cookie policy (by the way set to default ON), at the bottom of the page, expand the list:
https://www.which.co.uk/help/our-policies-and-standards/1979/our-cookies-policy-your-cookies-preferences

Under “Advertising & Targeting cookies”:
An example of the many third parties is Lead Intelligence:
“These are cookies used by Lead Intelligence – a lead management platform that streamlines the lead buying and management process for agencies and advertisers providing them with significantly more insight and reliability.”

Excuses that your data is anonymised are dubious since it’s notoriously difficult to effectively anonymise data, especially now in the world of big data when this stuff is cross referenced so easily. If a consumer rights organisation is adopting a rather cavalier attitude, what are the likes of Facebook/google etc up to?

George Martin says:

10 June 2019

Hi Kevin. Our apologies for the delay while we consulted the relevant teams to address these concerns. We now have a full response, which I’m able to share with you below. Thank you for your patience.

Like most organisations, Which? carries out a number of marketing activities via post, email and digital channels. This is always carried out to support our own products and services, and never to facilitate other companies targeting you. Beyond our base of members we want to continue to promote our products, services, tools and advice to a wider range of consumers. As a not-for-profit charitable organisation all the money we make from our commercial operations, including the revenue from our membership subscriptions, is used to support the activities of the Which? Group, not least the campaigning and lobbying work we do on behalf of consumers.

We use platforms such as Google, Bing, Facebook and Amazon as primary sources to locate new people likely to be interested in what we offer, and to serve them with relevant adverts on those platforms. We also use them to serve adverts on people who may have visited our site(s) to encourage them to return. Users can of course opt out of such activity by switching off cookies in our websites or the platforms’ websites as appropriate. Cookies dropped in relation to this activity allow us to effectively track our performance and ensure that our limited marketing money is spent efficiently. On occasion we do use other 3rd parties to conduct such activities on our behalf – you mentioned Lead Intelligence as an example of such a 3rd party, but we can report that this arrangement is no longer in place and we have updated the Cookies Policy to reflect this.

The only cookies defaulted to On are those classified as “Essential & Performance” cookies. Cookies relating to Insight and Advertising & Targeting are defaulted to Off at the point of entry to the site – as per our initial Cookie message, these will only be dropped if you click OK or continue to browse or use the site. Plus, you can of course turn them off at any time via the Consent tool.

We can assure you that data collected via cookies is anonymised with nothing classified as personally identifiable.

-1

malcolm r says:

10 June 2019

@gmartin, George – good morning 🙂
“The only cookies defaulted to On are those classified as “Essential & Performance” cookies. Cookies relating to Insight and Advertising & Targeting are defaulted to Off ….“.

I’ll take issue with this. I have never thought about cookies on the Which? site, nor thought to try and find them. So have not changed mine. However, when I just looked both “User experience and insight cookies” and “Advertising and targeting cookies” are set to “active”. Not of my doing.

I’ll also be quite unkind in response to this statement: “As a not-for-profit charitable organisation all the money we make from our commercial operations, including the revenue from our membership subscriptions, is used to support the activities of the Which? Group, not least the campaigning and lobbying work we do on behalf of consumers.“. A pity, then , that those activities included a failed venture in India and a failed mortgage advice operation that wasted getting on for £40 million that would (should) have been more prudently used, let alone the trivial £2.4 million paid in bonuses to support….. four staff.

Sorry, it’s a dull morning 🙁

p.s. this comment would be more appropriately made in a Convo only available to Which? Members as it is critical of the organisation’s competence and rewarding ethos, something best kept from public view – if only there were one.

NFH says:

31 May 2019

I find the ICO to be ineffective at enforcement. For example, Three (mobile network) fails to make usage history available online to prepaid customers, only to postpaid customers. If one makes a GDPR request to Three for one’s personal usage data (including charge data), then Three sends the usage history, but incorrectly populates the charge column with 0 for every item of usage, which is blatantly false data, particularly on a prepaid account with no bundles where every item of usage is individually chargeable. When I reported this to the ICO, the ICO’s response was pathetic and it made no effort to require Three to comply with the GDPR, despite this affecting a large number of customers.

NFH says:

31 May 2019

I also made another complaint to the ICO about Uber on 12th February 2019, to which I have still not even received an acknowledgement from the ICO. I am consistently disappointed with the ICO.

h says:

4 June 2019

A few questions for Steve Wood

Why are some companies allowed to ask employees to give them Power of Attorney over their own personal bank accounts as a condition of being made manager?

They can’t even withdraw money for food and water without permission from company accountants and senior managers after they agree

Why aren’t tracking pixels, which are tiny invisible pictures 1×1 pixels in size, loaded by advertising company websites, addressed properly in ICO policy? Most of you know about tracking cookies, but I never see tracking pixels mentioned, and those have been around for years

If you visit a website using a browser that has all cookies turned off, you will still be tracked because adverts also load the invisible pixel picture from the advertiser’s website

Saying no to cookies doesn’t stop the tracking picture from being sent to your computer

Castle says:

4 June 2019

Earlier this year I was sent a number of unsolicited marketing emails from the same company. Since I wasn’t a customer of the company I sent them a Subject Access Request, (SAR), to find out where they had got my details from. The company refused to reply to my SAR unless I provided them with a copy of my passport, which I naturally refused.

I asked for help from the ICO who have now replied to tell me that the company is right; if you don’t provide a copy of your passport then the company doesn’t have to reply.

Kevin says:

9 June 2019

Taking a look at Which’s policies I’m quite surprised to find the following link. I wasn’t even aware that Which were engaging with commercial retailers to foist more junk on me, since I’m paying a subscription I DON’T expect to be the product:

…/help/our-policies-and-standards/1975/which-privacy-notice

And under cookie policy (by the way set to default ON), at the bottom of the page, expand the list:
…/help/our-policies-and-standards/1979/our-cookies-policy-your-cookies-preferences

Under “Advertising & Targeting cookies”:
An example of the many third parties is ‘Lead Intelligence’:
“These are cookies used by Lead Intelligence – a lead management platform that streamlines the lead buying and management process for agencies and advertisers providing them with significantly more insight and reliability.”

pa says:

9 June 2019

Isn’t it surprising?

Which kept quiet about the whole thing.

Not very honest, are they?

Kevin says:

9 June 2019

I originally submitted this on 31st May, 10 days ago, with the full Which URL’s, but it’s been on “Your comment is awaiting moderation – we’ll get to it as soon as we can” status. Despite contacting them a few days ago, the original is still, shall we say, ’embargoed’.

Ironic given the topic and author.

DerekP says:

9 June 2019

Kevin, as you seem to have discovered, any full web links sentence posts to “moderation” but posts with incomplete stub links usually appear immediately.

alfa says:

9 June 2019

I see another of my posts has been removed with no explanation.

Removed and held posts are becoming a bit of a problem. By the time they are released their dates put them way down the pecking order so nobody knows they are there.

alfa says:

9 June 2019

Hi Kevin,

We had a discussion about this last year you might be interested to read.
https://conversation.which.co.uk/home-energy/the-lobby/#comment-1532445

The page has been migrated but does work eventually if you keep refreshing it.

Kevin says:

9 June 2019

Hi Alfa, thanks for the link, as you say, a couple of refreshes necessary.
The quoted policies I referred to do not seem to be in strict alignment with the policies as stated by Which’s Adam Gillet?
I don’t have a problem with functional cookies, but the Which policy doesn’t restrict the use of them, and explicitly allows marketing and targeted advertising.
The answer here has got to be to NOT collect the data in the first place unless there’s a specific, risk assessed requirement for it.

malcolm r says:

10 June 2019

The post just dropped on my doormat, urging me to join Nextdoor for my parish – a “free online network sharing recommendations for traders, discuss safety and local issues, plan neighbourhood events, post things for sale, and much more”“.

It all sounds very good. I looked at the websire and find “With offices in San Francisco, London and Amsterdam, Nextdoor was founded in 2010 and is funded by Benchmark Capital, Greylock Partners, Kleiner Perkins Caufield & Byers, Tiger Global Management, and Shasta Ventures as well as other investors and Silicon Valley angels.“. “As of December 2017 Nextdoor had raised $285 million in financing.[16] About $75 million in new funding announced that month put its valuation at $1.5 billion” (Wiki). My suspicious mind tells me that they will have a way of making money from this operation, presumably from knowledge of those who register. so despite the attraction I’m wary of joining in.

Does anyone – Which? – know anything about this operation?

alfa says:

10 June 2019

Do you remember Streetlife? It was a really useful forum that could be based in your area for discussing local issues.

Streetlife was bought by Nextdoor and the way it worked totally changed. I don’t know if it still the same, but it was too invasive of your privacy, you could no longer be anonymous and your address was shown to everybody else on the site.

malcolm r says:

10 June 2019

alfa, thanks. My impression as well.

malcolm r says:

10 June 2019

Here’s a bit about it:
https://www.komando.com/tips/392828/how-to-protect-your-privacy-on-neighborhood-sites-like-nextdoor/all

alfa says:

10 June 2019

Best steered clear of methinks.

John Ward says:

10 June 2019

Almost like medieval religion, pioneered by the likes of Facebook et al, the population has been conditioned to accept the virtues of sharing as a Good Thing. Reluctance to share risks being a social outcast [like me]. It has infected the younger generations and is gradually embracing the entire community and at its heart is the use and manipulation of personal data.

I still think a notice on a tree or on the gate or in some other public place is as good a way as any of advertising or seeking support for something. It happens where we live with events, activities, appeals, sales, and warnings posted in almost every road. Dog walkers spread the message as well.

A ‘community’ that lives hidden within the dark bubble of a social media platform and does not transact in a personal way is not really a community, is it?

Ian says:

11 June 2019

John Ward said: 10 June 2019

Almost like medieval religion, pioneered by the likes of Facebook et al, the population has been conditioned to accept the virtues of sharing as a Good Thing.

Excellent analogy, John, but I fear it goes a lot further. The parallel between medieval religion and social media rings uncomfortably true, in far more ways than one.

Perhaps the most worrying is in the ability of social media to exert a unique peer influence and use that same influence to warp truth, create ‘truth’ and intimidate those who know the actual truth. We associate medieval religion with the Inquisition and the witch hunts, so perhaps even closer to what we’re witnessing today.

Darn! Very early for this sort of thinking.

John Ward says:

11 June 2019

I agree, Ian, but I must admit I wasn’t expecting the Spanish Inquisition.

The controlling mind, the triumph of the will – characteristics of dictatorship that have subtly woven themselves into the popular psyche and are becoming taken as gospel. Frightening really. We are sleepwalking into a miasma of indoctrination by a handful of media manipulators.

User 66219 says:

19 October 2019

This comment was removed at the request of the user

John Ward says:

19 October 2019

Knowing that is interesting, Duncan, but it seems fairly unavoidable to me and I don’t share your outrage.

What these organisations can do and what they actually do could be two widely different things. My view is that the more you surf and browse the more likely you are to get stung or to find something you don’t like. Keeping a low internet profile seems to be beyond some people and they might get what they bargain for. Not everyone heeds risks despite your good intentions in sounding the alarm.

Ian says:

19 October 2019

The thing is, Duncan, three of those you identify are effectively public/private networks and snooping using apps like Wireshark is feasible, which is why you should never do banking on a public network.

Someone might also be using sslstrip or similar, so using such networks for anything other than the most basic browsing isn’t a good idea.

The ISP is different: in the US they’re allowed to monitor all traffic. However, using a reputable VPN plus https can be the best defence.

User 66219 says:

19 October 2019

This comment was removed at the request of the user

John Ward says:

19 October 2019

What form does the alleged snooping take? Is there any evidence of the extent of misuse of personal data by official bodies?

The overriding principle of the General Data Protection Regulation is that the collection and retention of data has to be justified by an essential functional purpose. Breaches of that should be reported to the Information Commissioner’s Office which has over 800 staff investigating possible misuse of data, unjustified collection and retention of data, and inadequate security of any personal data that is operationally necessary.

User 66219 says:

19 October 2019

This comment was removed at the request of the user

John Ward says:

20 October 2019

You seem to be in constant fear of retribution from Which? for telling the truth, which I think is an unfair slight on Which? because I have no reason to believe it would ban you from the site. Which? has to be careful not to publish anything defamatory, of course, but anything you have found out must be in the public domain [even if difficult to access] so I don’t think you should worry so much.

Anyway, we don’t need the spoofing details here; if you think it is a contravention of the General Data Protection Regulations then you should report it to the Information Commissioner’s Office. I should be surprised if any of the companies or organisations that I deal with spoof their addresses on e-mails, and I cannot understand why they might want to, but it doesn’t bother me.

I should be interested to have a link to the new globalisation rules you mentioned.

User 66219 says:

20 October 2019

This comment was removed at the request of the user

John Ward says:

20 October 2019

Yes, I was in the middle of replying to you when Which? Conversation collapsed. I saved the text and a few minutes later the service was restored.

As I have previously said, only those with something to hide have anything to fear. How many whistle-blowers in this country have come to harm for embarrassing the government? If things have gone wrong for them it’s probably because they have acted wrongly, not for telling the truth. Private Eye [and other more covert media] would spend all day every day in court if the situation was as bad as you suggest.

Ian says:

20 October 2019

John: although we almost never disagree I must take exception with your contention that “only those with something to hide have anything to fear”.

It’s far from being a simple subject And it’s nowhere near being black and white, that I accept. But we know from long experience that we cannot trust most government bodies with our data, as the rate of loss of government and military laptops on trains, ‘planes and in cars continues to rise.

Edward Snowden said “Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.”

There are numerous dissertations and debates about that specific point, but this is perhaps a typical example: “Imagine upon leaving your house one day you find a person searching through your bin, painstakingly putting the shredded notes and documents back together. In response to your stunned silence he proclaims ‘you don’t have anything to worry about – there is no reason to hide anything, is there?'”

The basic tenet of the “nothing to hide” defence, if taken seriously, could be used against government agencies, politicians, and CEO’s. This is to turn the “nothing to hide” argument on its head. The MI5 agent, politician, police, and CEO have nothing to hide so they should embrace total transparency like the rest of us. But they don’t and when given the technological tools to watch, the politician, police, or CEO are almost always convinced that watching others is a good thing.

Openness is the basic safeguard on democracy; unfettered monitoring of its citizens the hallmark of a repressive regime.

And whistle-blowers have come to harm in the UK. Although we have legislation prohibiting retaliation by employers, it’s astonishing how many lost their jobs, cannot gain future employment and seem to end up in legal difficulty.

User 66219 says:

20 October 2019

This comment was removed at the request of the user

Ian says:

20 October 2019

🙂

Help

Are you data-aware?

Know your data rights

Why is my app free?

Search

Latest discussions

Vote in our poll

Know your data rights

Why is my app free?

Search

Latest discussions

Vote in our poll

Join the debate

Related discussions