I think there is confusion here over "opt in" and "opt out" consent. The original question was about a form that
had "yes" and "no" tick boxes. In this instance failure to tick either MUST be treated as refusal to consent as
there is ambiguity in the non-answer.
Failure to tick a box to "opt out" is consent - the ICO have guidelines on wording for this option which is clear
enough.
Failure to tick a box to "opt in" is a refusal.
Simon Howarth.
Quoting Paul Ticher <[log in to unmask]>:
> I don't strongly disagree with Simon, but there was a lot of discussion
> about this in the early days of the Act, and I believe the upshot was that
> failure tick a box when returning a form probably does constitute consent.
> The Information Commissioner's legal guidance is cagey. (I'm quoting from a
>
> version I downloaded some while ago, as their web site keeps crashing when I
>
> try to look at the current version.)
>
> My copy says:
>
> "The fact that the data subject must "signify" his [sic] agreement means
> that there must be some active communication between the parties. ... Data
> controllers cannot infer consent from non-response to a communication, for
> example ... failure to return or respond to a leaflet." (Someone please
> tell me if my copy is out of date.)
>
> So, if you *do* respond, but fail to take advantage of a clear opt out,
> there is 'active communication between the parties' and therefore the
> argument goes that the data controller can infer consent. I know this
> doesn't completely follow logically, but silence often is consent - failure
> of an employer to object or intervene in unacceptable behaviour, for
> example, is often interpreted as tacit endorsement.
>
> In practice, a clear statement of what is being proposed, and a clear
> opportunity to opt out, is likely to contribute strongly to compliance with
> the sixth Condition (legitimate interests) and with Principle 1 in general,
> so the question of whether it constitutes consent may not need to be
> resolved. In my training courses I have almost stopped using the word
> 'consent', and concentrate on good practice around opting in and opting out,
>
> as I think this is clearer.
>
> What gives me much greater cause for concern is the number of contracts
> which say "by signing this contract you consent to ... [whatever we want you
>
> to]". I don't believe that that approach truly complies with the
> Directive's requirement that consent be "freely given" unless there is an
> opportunity to negotiate. I would much prefer the contract to say: "these
> are the consequences of signing up ... these are your options ... and this
> is how we protect your interests". Supposed consent of this nature is often
>
> the lazy option.
>
> Paul Ticher
> 0116 273 8191
> 22 Stoughton Drive North, Leicester LE5 5UB
>
> I hereby require any recipient of this message not to use my personal data
> for direct marketing purposes.
>
>
> ----- Original Message -----
> From: "Simon Howarth" <[log in to unmask]>
> To: <[log in to unmask]>
> Sent: Saturday, October 27, 2007 10:20 AM
> Subject: Re: Signature for opting in required?
>
>
> There are a number of issues here which to some extent Paul has covered,
> however I must take issue one of his points.
>
> If the form is sent back with nothing ticked, then regardless of what the
> form is for (in the design you say) you CANNOT take this as consent. Silence
> is not consent. Also someone may have refused consent but simply forgotten
> to tick the box (it has happened many times) so if you publish their details
> I really believe you will get in trouble. Paul stated that you "...probably
> have their consent..."; unfortunately probably is not good enough. The only
> safe thing to do is not publish until you find out otherwise. A redesign of
> the form as Paul suggests is probably a good idea.
>
> The opt-out design of the other association's form is quite reasonable, and
> much easier to manage, but together with Paul's comments you also need to
> consider if any of the information may be considered sensitive personal
> data, because if you are relying on consent to publish, then the DP Act
> states that it must be explicit, which means opt-in.
>
> Regards,
>
> Simon Howarth
>
>
>
> -----Original Message-----
> From: This list is for those interested in Data Protection issues
> [mailto:[log in to unmask]] On Behalf Of Paul Ticher
> Sent: 26 October 2007 11:05
> To: [log in to unmask]
> Subject: Re: [data-protection] Signature for opting in required?
>
> This depends on two things:
>
> 1) What you want to achieve.
>
> If you want a list of definitely keen people, then go for an opt in. If you
>
> think the greater purpose would be served by having a list of people who are
>
> either keen or don't mind, then consider an opt out.
>
> 2) What you perceive the risks to be.
>
> If the risk of publishing the details is high, then an opt in is by far
> safest way to go. However, if the site is restricted to members - and you
> basically trust your members not to misuse the data - and you are happy that
>
> your security is adequate - then an opt-out is almost certainly adequate.
>
> The best way to administer an opt-out is to piggy-back on something that
> people are sending you anyway (such as a membership renewal).
>
> * You must provide a full explanation of what is involved (in order to
> comply with Principle 1 and - because it is on the web site - Principle 8 if
>
> any of your members are abroad). It may be worth saying that you take no
> responsibility for what other members do with the contact details, but that
> they are provided on the understanding that they are only to be used for
> purposes related to that of the society, and not for marketing - or
> something like that.
>
> * Do not offer both a yes and a no box, because then you don't know what to
> do with people who tick neither.
>
> * If they send the form back without ticking the no box then you probably
> have their consent - because sending the form back without ticking the box
> 'signifies' their consent, and therefore complies with the Directive
> definition of consent.
>
> If you can't piggy-back on something else, make the opting out process as
> easy as possible (e.g. a freepost address or freephone number) - and give
> people several opportunities. They might miss your first announcement, or
> be away at the time. However, be aware that failure to respond in such a
> case does not count as consent, because the members have done nothing to
> 'signify' their preference. You therefore have to comply with one of the
> other Schedule 2 Conditions: Condition 6 is the only likely one, and you
> would have to be confident that you are not infringing the 'rights, freedoms
>
> and legitimate interests' of your members by publishing their details
> without consent.
>
> Don't forget that people who have consented can withdraw their consent, so
> you must have a way of responding promptly if people change their minds and
> ask for their details to be removed.
>
> Paul Ticher
> 0116 273 8191
> 22 Stoughton Drive North, Leicester LE5 5UB
>
> I hereby require any recipient of this message not to use my personal data
> for direct marketing purposes.
>
>
> ----- Original Message -----
> From: "Linda Haylock" <[log in to unmask]>
> To: <[log in to unmask]>
> Sent: Thursday, October 25, 2007 3:22 PM
> Subject: Signature for opting in required?
>
>
> We are planning to make our members' database available on our website in
> the spring.
>
> It will be a members only, password-protected area that will include
> contact details of members.
>
> We are presently sending out forms to all our members with the
> statement "I agree to have my details listed in a members-only, password-
> protected area of the website", a 'Yes' tickbox, a 'No' tickbox and a
> space for signature and date.
>
> Quite a large number of people have not sent the form back, or have sent
> the form back without ticking either Yes or No, and the whole exercise is
> becoming costly and time-consuming.
>
> Then I came across another association's form which quite simply said "The
> Society is Registered under the Data Protection Act 1998. If you have any
> objection to your details being included in the Members’ List that is
> available only to other Members, please tick here."
>
> Is this latter 'opt out clause' sufficient, does anybody know? Or is a
> signature opting in mandatory?
>
> Linda
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> All archives of messages are stored permanently and are
> available to the world wide web community at large at
> http://www.jiscmail.ac.uk/lists/data-protection.html
> If you wish to leave this list please send the command
> leave data-protection to [log in to unmask]
> All user commands can be found at
> http://www.jiscmail.ac.uk/help/commandref.htm
> Any queries about sending or receiving messages please send to the list
> owner
> [log in to unmask]
> Full help Desk - please email [log in to unmask] describing your
> needs
> To receive these emails in HTML format send the command:
> SET data-protection HTML to [log in to unmask]
> (all commands go to [log in to unmask] not the list please)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> All archives of messages are stored permanently and are
> available to the world wide web community at large at
> http://www.jiscmail.ac.uk/lists/data-protection.html
> If you wish to leave this list please send the command
> leave data-protection to [log in to unmask]
> All user commands can be found at
> http://www.jiscmail.ac.uk/help/commandref.htm
> Any queries about sending or receiving messages please send to the list
> owner
> [log in to unmask]
> Full help Desk - please email [log in to unmask] describing your
> needs
> To receive these emails in HTML format send the command:
> SET data-protection HTML to [log in to unmask]
> (all commands go to [log in to unmask] not the list please)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> No virus found in this incoming message.
> Checked by AVG Free Edition.
> Version: 7.5.503 / Virus Database: 269.15.12/1095 - Release Date: 26/10/2007
> 19:54
>
>
> No virus found in this outgoing message.
> Checked by AVG Free Edition.
> Version: 7.5.503 / Virus Database: 269.15.12/1095 - Release Date: 26/10/2007
> 19:54
>
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> All archives of messages are stored permanently and are
> available to the world wide web community at large at
> http://www.jiscmail.ac.uk/lists/data-protection.html
> If you wish to leave this list please send the command
> leave data-protection to [log in to unmask]
> All user commands can be found at
> http://www.jiscmail.ac.uk/help/commandref.htm
> Any queries about sending or receiving messages please send to the list
> owner
> [log in to unmask]
> Full help Desk - please email [log in to unmask] describing your
> needs
> To receive these emails in HTML format send the command:
> SET data-protection HTML to [log in to unmask]
> (all commands go to [log in to unmask] not the list please)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> All archives of messages are stored permanently and are
> available to the world wide web community at large at
> http://www.jiscmail.ac.uk/lists/data-protection.html
> If you wish to leave this list please send the command
> leave data-protection to [log in to unmask]
> All user commands can be found at
> http://www.jiscmail.ac.uk/help/commandref.htm
> Any queries about sending or receiving messages please send to the list
> owner
> [log in to unmask]
> Full help Desk - please email [log in to unmask] describing your
> needs
> To receive these emails in HTML format send the command:
> SET data-protection HTML to [log in to unmask]
> (all commands go to [log in to unmask] not the list please)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
--
Simon Howarth
The Information Edge
37 The Grange
Cottam
Preston
PR4 0LR
Office: 0870 991 3696
Mobile: 07836 365588
Webtech Systems trading as The Information Edge, registered in England No.
3428632. More information available at www.informationedge.co.uk
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|