Published on Friday, March 13, 2020 - 14:38 by Martin Fletcher
Martin Fletcher is data protection and privacy consultant with 7 years of experience in helping organisations use their data with confidence. He works with organisations across the UK to provide expert advice and guidance on how to use data effectively and securely.
In his article Martin investigates the data protection policies employed by protest group “Education Watch”, and has used these to examine the privacy laws around ‘special category’ data, such as political views, vs the IPSO Editors Code of Practice. All views expressed are his own, and are not a reflection of those held by DQM GRC.
When we privacy professionals work with personal data in a business day in and day out, it can be hard to sell the notion of why a company needs data protection laws – especially to employees that don’t live and breathe the regulations every day.
Afterall, what does it actually matter if a Subject Access Request (SAR) gets back to a data subject 10 days later than it should, or if good old Fred from accounts still has access to the HR records he worked with whilst on secondment?
And it suddenly strikes home why we have these laws in place, and the significance these rules have in protecting some very fundamental human rights for all of us.
News recently broke about a delightful little website called “Education Watch”, hosted by Turning Point UK. This organisation is an offshoot of what is seen as the youth wing of Donald Trump supporters in the U.S. Education Watch invites its users to submit examples of university lecturers who they think have a left-wing bias.
In the U.S. Turning Point has used submissions to name and shame academics who, in some cases, have then found themselves subjected to online harassment and death threats. In the UK the organisation has said that it will not be doing this. However it has said that “if some incidents are serious enough, we may decide it is necessary to publicly name the individuals involved.”
This raises several questions over Turning Point UK’s data processing practices, and I’ve taken the liberty of examining the content of TPUK’s privacy notice and an FAQ page regarding Education Watch itself.
Prior to undertaking a processing activity which has a high risk to the rights and freedoms of individuals, the General Data Protection Regulation (GDPR) mandates that an organisation needs to undertake a Data Protection Impact Assessment (DPIA).
The European Data Protection Board sets out criteria for when such an assessment might be required. Based on the information provided on TPUK’s website, it’s likely that one will be required - as Education Watch involves the following:
On the basis that a DPIA is required, Education Watch seems to immediately raise several red flags (which is surprising, as TPUK doesn’t seem to be a fan of red flags).
So, if I were to wear my privacy consultant hat, I would raise the following as my top priorities.
TPUK publicly advocates their right to speak freely on this subject, and indeed data protection law has exemptions to allow for this. The Journalistic Exemption in the law attempts to tread the fine line between allowing the media to scrutinise and hold to account people and institutions, and stopping groups using the concept of a free press as a fig leaf to abuse and harass people.
The journalistic exemption allows data controllers to not comply with aspects of data protection law in circumstances where they can show they are doing it as part of publishing content that is of substantial public interest.
The definition we use in the UK for this comes from the IPSO Editors Code of Practice. There are some aspects of the code that could potentially be used to justify TPUK’s data processing, for example:
“Raising or contributing to a matter of public debate, including serious cases of impropriety, unethical conduct or incompetence concerning the public.”
However, given the proven level of debate this activity has prompted in the U.S, TPUK is going to have a very difficult time defending the activity on this point.
Data protection law has evolved from the development of human rights law over the last 70 years. Looking at continents with histories of dictatorships, widespread surveillance and punishments for rebellion, it is very easy to see why political opinions are given priority as ‘special category’ data.
Whilst it’s easy to lose track in our (comparatively) comfortable and stable times, running right through the GDPR - like writing on a stick of rock - is the commitment to give people the freedom to think and do what they want, without the risk of harm from both the state and private actors. It’s a law that must, by necessity, apply to all data controllers - regardless of what we’re doing with personal data.
For that reason, I’m happy to keep reminding you to get that SAR turned around in time. And Fred, for the last time - clear out your inbox.
*A day where you can’t paraphrase Peep Show is a day wasted in my opinion.
If you are interested in any of our services then please either use the contact form or contact us via of the methods below: