“This is the whole point about privacy law, the whole point of privacy is to make sure this kind of thing never happens!” *

Published on Friday, March 13, 2020 - 14:38 by Martin Fletcher

Martin Fletcher is data protection and privacy consultant with 7 years of experience in helping organisations use their data with confidence. He works with organisations across the UK to provide expert advice and guidance on how to use data effectively and securely.

In his article Martin investigates the data protection policies employed by protest group “Education Watch”, and has used these to examine the privacy laws around ‘special category’ data, such as political views, vs the IPSO Editors Code of Practice. All views expressed are his own, and are not a reflection of those held by DQM GRC.

When we privacy professionals work with personal data in a business day in and day out, it can be hard to sell the notion of why a company needs data protection laws – especially to employees that don’t live and breathe the regulations every day.

Afterall, what does it actually matter if a Subject Access Request (SAR) gets back to a data subject 10 days later than it should, or if good old Fred from accounts still has access to the HR records he worked with whilst on secondment?

Then, you see something like this.

And it suddenly strikes home why we have these laws in place, and the significance these rules have in protecting some very fundamental human rights for all of us.

News recently broke about a delightful little website called “Education Watch”, hosted by Turning Point UK. This organisation is an offshoot of what is seen as the youth wing of Donald Trump supporters in the U.S. Education Watch invites its users to submit examples of university lecturers who they think have a left-wing bias.

In the U.S. Turning Point has used submissions to name and shame academics who, in some cases, have then found themselves subjected to online harassment and death threats. In the UK the organisation has said that it will not be doing this. However it has said that “if some incidents are serious enough, we may decide it is necessary to publicly name the individuals involved.”

This raises several questions over Turning Point UK’s data processing practices, and I’ve taken the liberty of examining the content of TPUK’s privacy notice and an FAQ page regarding Education Watch itself.

Prior to undertaking a processing activity which has a high risk to the rights and freedoms of individuals, the General Data Protection Regulation (GDPR) mandates that an organisation needs to undertake a Data Protection Impact Assessment (DPIA).

The European Data Protection Board sets out criteria for when such an assessment might be required. Based on the information provided on TPUK’s website, it’s likely that one will be required - as Education Watch involves the following:

  • Processing special category data i.e. data that can be used to infer political views
  • Processing will prevent data subjects from exercising certain rights i.e. if they are publishing data in a public forum it becomes very difficult for the data subject to exercise their right to object to processing after the fact.

On the basis that a DPIA is required, Education Watch seems to immediately raise several red flags (which is surprising, as TPUK doesn’t seem to be a fan of red flags).

So, if I were to wear my privacy consultant hat, I would raise the following as my top priorities.

  • The data being gathered by TPUK is coming from a wide range of sources. Some of the information will be data that the academics have released into the public realm. However, some of the material published on the website is recordings of lectures taken on mobile phones. I’d want to be confident that the keyboard warriors supplying these recordings have obtained the required permissions to be sharing the data with TPUK.
  • While TPUK has said that it won’t publish identifiable information, their pretty ominous statement of publishing names in serious cases does suggest that they are continuing to hold identifiable information on their systems. If so, then the organisation needs to justify why they are continuing to hold this very sensitive data - if in most cases they don’t intend to publish it. As a follow up, it would be handy to see what criteria TPUK is using to determine if an “incident is serious enough.”
  • TPUK appears to be being careful to not publish materials which identify names and faces of individual academics. However, if they are publishing data that could be used by viewers to identify individuals based on other information available, then this still counts as personally identifiable. Given that the typical TPUK user is likely to be a student with right of centre political views, I think it’s likely that a user will at some point be able to infer the identity of an academic based on the information TPUK provides i.e. voice recordings, lecture slides, place of employment. In order to avoid this, I would recommend scaling back what is published so that this identification is not possible – even if this makes headlines less emotive.
  • Finally, given the reasonably high likelihood that individual academics could be identified, TPUK should consider what harm could potentially come to them. Similar initiatives in the U.S. gives us a pretty good idea. Harms include anti-Semitic abuse, threats of sexual violence and death threats which have led on occasion to temporary closures of universities.

TPUK publicly advocates their right to speak freely on this subject, and indeed data protection law has exemptions to allow for this. The Journalistic Exemption in the law attempts to tread the fine line between allowing the media to scrutinise and hold to account people and institutions, and stopping groups using the concept of a free press as a fig leaf to abuse and harass people.

The journalistic exemption allows data controllers to not comply with aspects of data protection law in circumstances where they can show they are doing it as part of publishing content that is of substantial public interest.

The definition we use in the UK for this comes from the IPSO Editors Code of Practice. There are some aspects of the code that could potentially be used to justify TPUK’s data processing, for example:

“Raising or contributing to a matter of public debate, including serious cases of impropriety, unethical conduct or incompetence concerning the public.”

However, given the proven level of debate this activity has prompted in the U.S, TPUK is going to have a very difficult time defending the activity on this point.

Data protection law has evolved from the development of human rights law over the last 70 years. Looking at continents with histories of dictatorships, widespread surveillance and punishments for rebellion, it is very easy to see why political opinions are given priority as ‘special category’ data.

Whilst it’s easy to lose track in our (comparatively) comfortable and stable times, running right through the GDPR - like writing on a stick of rock - is the commitment to give people the freedom to think and do what they want, without the risk of harm from both the state and private actors. It’s a law that must, by necessity, apply to all data controllers - regardless of what we’re doing with personal data.

For that reason, I’m happy to keep reminding you to get that SAR turned around in time. And Fred, for the last time - clear out your inbox.

*A day where you can’t paraphrase Peep Show is a day wasted in my opinion.

Find out more?

Leave your contact details below and one of our expert team will be in touch

We will only use the contact details you supply on the basis of our legitimate interest to respond to your query and contact you about DQM GRC. You will always be given the opportunity to opt-out from future communications. Please read our privacy policy for more details.

 

Find out more..

If you are interested in any of our services then please either use the contact form or contact us via of the methods below:

  •   Telephone
  •   E-mail

  •   +44 (0)1494 442900
  •   sales@dqmgrc.com