There are a lot of aspects of the Data Protection Act, or more specifically the way it gets used, with which I disagree. It is very much like the Health & Safety laws, conceived to tackle factory accidents, and turned into a crazy industry protecting you from paper cuts in offices. The DPA was there to tackle the new usage of computer-based databases of people's details which were being collected and sold - mainly around credit reference agencies. Now the DPA gets applied to all sorts of things, and gets used as an excuse for much more.
On one of my mailing lists I came across a slightly worrying story which is where DPA usage and ICO views may make sense, perhaps. So, all of this post is based on what I have seen reported on the mailing list and not first hand. However, it does raise a few questions.
The issue is around a product called Helpscout. It appears to be a customer support system for handling incoming emails to a support desk and tracking them properly. As with many such systems there are a lot of features and a lot of bloat, as I understand it. One of the clever features is that it looks up email addresses on various social networks, e.g. Facebook, Twitter, and so on, and collects publicly available personal information and associates it with the ticket. It means people handling the ticket get a wealth of information about the originator automatically. You can see how they think it is a good idea. For some people it could be very useful, I am sure.
There are, immediately, some issues. It means users of this system are collecting and processing a load of data which they don't actually need. That goes against one of the Data Protection Principles. In this particular case the user did not want the data either. So the first question revolves around the collection and use of such data which is public information (published on the likes of Facebook). Is that valid? To be honest, I don't know, after all, at any time, you could go and look up details on Facebook yourself, so how is copying it to your own database any different? From a DPA point of view it may be valid or may not be, no idea. The suppliers of the system are adamant that it is valid to do this in the UK. They even said "In the end, neither you, nor I, nor the IC's office (probably not the person you talked to) would be considered legally qualified to make a judgement on the matter."
But the far bigger issue is that, in checking with Facebook, etc., the system sends the end user's email address for the search. So it means Facebook, etc., are told a new email address, one they may not even have seen before.
So this raises the issue of whether an email address, on its own, is personal information. I believe this is one of those grey areas even for the ICO. Of course, the very fact that it can be used to extract all of this useful data from social media kind of proves it is! I think the general view is an email address like adrian.kennard@whatever is personal information, because it has my name, but as Paul in my office points out, if he was to use adrian.kennard@hisdomain then that would not be personal information as it is not his name!
The problem, as ever, is that one bit of information is often not personal information on its own, as it is not able to identify an individual. E.g. "Eyes: blue" on its own is not personal information. But associate it with a name and address and now it is. It is all about linking things together that makes the collection of information and associations into personal information. So protecting something which, on its own, is not personal information may be important.
Of course, it is not that simple: in this case it could become sensitive personal data if the social media sites work out where the requests are coming from. It sounds like the system pipes the request through yet another third party so they don't, but all that means is that another third party can tell instead of Facebook. The particular support system is being run for a gay website. Now, associating an email address with visiting a gay website surely must count as personal information? It could easily lead to targeted adverts to friends of the person. I know many people are quite open about their sexual preferences, but they have the right not to be if they want.
Sadly the providers of Helpscout seem oblivious to this issue. They refuse to allow the feature to be turned off and are adamant that it is 100% legal in the UK. Apparently lots of other companies use it.
It seems the site will be dropping them because of this, and their intransigent attitude.