‘Off my chest’ 1
Over the last 10 years or more of privacy consulting I've come across a number of inconsistencies and data protection blind alleys that I'd like to explore. I'm going to start posting them up on my blog in the hope that we can stimulate some comment and debate and get a few things cleared up. So please do add your comments. I do want to get these off my chest.
Number 1: The Privacy Notice, 'check back for changes' statement
We gain consent to use a data subject's personal data by a process of transparency and action. The Data Controller tells us what they want to do with our data, in a way that we can comprehend (that's the transparency bit), and we consent by some signifying action, e.g. clicking submit on a web form.
We know from reading the various definitions in Directives and Acts that there can be no consent on the basis of non-response (British Gas and Elizabeth France sorted that one out many years ago). You have to DO SOMETHING to SIGNIFY your consent to processing.
So why is it possible for me to simply state in a privacy notice that you, the data subject, must check back regularly to see if changes have been made to the way in which your data is used, to which you may or may not agree?
I fail to see how this meets the requirements of Principle 1 of the Data Protection Act 1998. The data subject should be actively informed of any changes, and if they EITHER fail to respond, OR respond negatively, their data should not be processed for the new/amended purposes.
I know this is a royal pain in the rear, and passive is so much easier, but are we simply ignoring the law because it falls in the too-hard basket?
Next: The definition of marketing given in the DPA 98 and why this is entirely unhelpful when it comes to the right to opt-out of so-called marketing.