Simon Howarth (WSL) on 20 November 2004 at 22:35 said:-
> You have a point, however I am not sure I entirely agree.
>
> Something else that needs to be considered, and it's not directly related to
> DPA and that's the PR surrounding this sort of activity going public.
> Organisations spend a lot on CRM and PR to put them in a positive light with
> consumers. I would think that if this exercise was performed and it became
> common knowledge, that there may be significant fall out from the media and
> the public over "dubious business practices".
Marketing seems to be used to deal with some of those difficulties at times.
> This then takes us into the realms of Corporate Compliance big style and on
> toward such nightmares as Sarbanes-Oxley and Turnbull, as a publicly quoted
> company might be asked to justify its actions and I would think that senior
> management would much rather go there.
That may well depend on what fallout is considered acceptable or that can be
dealt with, perhaps even by merely trying to justify by pointing at one
single factor, the legality under the DPA.
>
> I still think there are legal implications with regard to what is suggested,
> but the biggest threat in doing this activity will be the ethical standpoint
> and the loss of valuable PR, customers et al, should the deed become known.
The ethical stances of organisations and different portions of organisations
do differ; generating e-mail addresses for company employees as a means of
identifying the correct ones could quite likely be seen as ethically acceptable
and yet perceived by the recipient company as a denial of service attack,
which itself could then be a more effective counter argument within the
originating company.
>
> I believe that an organisation considering doing this should be doing a very
> careful risk assessment within which the DPA will be only a small part....
Risk assessments are easily turned into arguments effectively negating the
DPA though, as the risks are so often perceived as minimal.
For instance, take police intelligence and pocket books: Pocket books are
required to be retained for a number of years. They are in many ways similar
to a diary.
Police intelligence is regulated by quality control, retention and weeding
rules which seem to be intended to weed out much of the rumour, innuendo and
malicious material, at a relatively early date, leaving what is considered
useful material.
Computerise the pocket book/diary and any intelligence contained within
those documents is covered by the retention rules pertinent to that document
and yet becomes searchable in the same way that the intelligence systems
are. The purpose of the collection is met, although the final purpose of
some of it is clearly not, the ethical aspects can be argued from many sides
but looking at some results, intelligence material which should be tightly
regulated could easily be available for a period of many years for use in a
relatively unregulated manner where the organisational risks are minimal.
Without other supportive changes debates about short term retention periods
will be fatally flawed and eroded over a period of time.
Consider then things like the recent communications data retention periods,
12 months does not seem long, until you consider the data was previously
transitory material and that by a simple removal of that data into another
area the purpose can be changed and the material retained beyond that
original 12 months, say for a number of years. If during the following 12
months other reasons then exist to recollect the material it would be
possible to effectively retain a group of material for virtually any
determined period. Shorter retention periods would make such actions more
obvious, but would not stop them.
> You are right Duncan, these sorts of debates are what it's all about! Hence
> my spending Saturday evening reading my e-mail!
I agree, as like generating email data, purposes of processing together with
retention periods and the other principles can all be very closely linked.
The manipulation of those items, whilst often legal and ethical from the
various viewpoints can have far reaching effects. When organisations choose
to ignore those effects in the interests of focused or short term gains it
can result in very salutary lessons being learned, often at the expense of
others rather than themselves.
Where does the correct ethical answer sit within those situations? How are
the legal aspects of providing respect for others illustrated, or
effectively argued? How do DP practitioners become familiar with all of the
issues? What training exists which educates in the various areas? Clearly
there are many questions and, like us all, DP is still on the learning
curve.
Hence many hours of personal time freely given to the benefit of
organisations, or would that be personal development? What did happen to
that working time directive? I guess the freedom to choose eroded it in a
most graphical way!
Ian W
> -----Original Message-----
> From: This list is for those interested in Data Protection
> issues [mailto:[log in to unmask]] On Behalf Of
> Simon Howarth (WSL)
> Sent: 20 November 2004 22:35
> To: [log in to unmask]
> Subject: Re: email append, lawful?
>
>
> >Simon: your principle 4 I think I might resolve with "cleansing the duff
> >addresses in a 'reasonable' time frame" i.e. once they have bounced, and
> >trying the "it's not necessary" for the data to be accurate. How much
> >damage and distress does a bounced e-mail cause the data subject? Could be
> >challenged, I know, but you know the IC!
>
> You have a point, however I am not sure I entirely agree.
>
> Something else that needs to be considered, and it's not directly related to
> DPA and that's the PR surrounding this sort of activity going public.
> Organisations spend a lot on CRM and PR to put them in a positive light with
> consumers. I would think that if this exercise was performed and it became
> common knowledge, that there may be significant fall out from the media and
> the public over "dubious business practices". This then takes us into the
> realms of Corporate Compliance big style and on toward such nightmares as
> Sarbanes-Oxley and Turnbull, as a publicly quoted company might be asked to
> justify its actions and I would think that senior management would much
> rather go there.
>
> I still think there are legal implications with regard to what is suggested,
> but the biggest threat in doing this activity will be the ethical standpoint
> and the loss of valuable PR, customers et al, should the deed become known.
>
> I believe that an organisation considering doing this should be doing a very
> careful risk assessment within which the DPA will be only a small part....
>
> You are right Duncan, these sorts of debates are what it's all about! Hence
> my spending Saturday evening reading my e-mail!
>
> Simon Howarth.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^