I don’t think the question of whether information is "in the public domain" is entirely relevant: that isn't a Schedule 2 condition in DPA, so the fact that information is public doesn't actually mean it can lawfully be processed in any way you like. And specifically, it is still possible to breach my Article 8 rights by using data about my private or family life, even if I have published that data - if only because going and looking for it can amount to directed surveillance.
I think the better analogy is with walking down the street. This is clearly a public act, and if I just happen to notice someone walking down the street that is hardly "directed surveillance" or unfair processing. But if I go and watch for her to do so, with a view to catching her out in a lie about her state of health (and without telling her I'm doing so), then that clearly is directed surveillance: it is covert, and it elicits private information - and I need either to have a DPA Schedule 2 condition or a RIPA authorisation or both to avoid trouble.
I would say that *going to look* on Facebook is pretty much the same scenario, and if it can't be RIPA-authorised, I wouldn't advise doing it. *Happening to notice* something on Facebook may be different: if my colleague and I regularly exchange bon mots in Zuckerberg's World, and I then notice that his selfies prove that he isn't as sick as he's telling our employer he is and get him hit with a disciplinary as a result... then he's a fool and I'm a clype, but our employer is probably in the clear.
Interesting and very germane discussion - lots of good stuff in there!
-----Original Message-----
From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Michelle Peel
Sent: 04 December 2014 15:55
To: [log in to unmask]
Subject: Re: [data-protection] information sourced from facebook or other social media for investigations
Hi Phil,
I agree with you regarding the covert issue on CCTV - that is what I intended to put across, but unfortunately I may have over simplified (as I tend to do!).
Can I ask for clarification about what (in your example below) is included in the definition of 'covert' investigation by an employer or other organisation? Would covert checking of what is in the public domain be included in 'covert' monitoring in this instance? I might (actually I do!) expect employers to check out what information is out there about me - it's in the public domain, so why not? I do not need to know they are doing it, because I've put the information out there. At which point maybe the argument becomes one about whether facebook (in particular) constitutes a private or public social media platform, with all the associated debates about their privacy policies and their communication to users about these policies. My own view, as I said in my original post, is that ignorance is not a form of defence, but I accept others may feel otherwise, namely that facebook has a duty to inform it's users better how to protect their information online.
I think there is a difference between monitoring an account over a period of time and checking it once (and perhaps striking gold). Would that be fair? And would this be lawful?
Best wishes,
Michelle
Michelle Peel
Information Manager
Transport for Greater Manchester
2 Piccadilly Place, Manchester M1 3BG
Direct line 0161 244 1123, Extension 701123
www.tfgm.com
Please don't print this email unless you really need to.
NOTE: This email message and any attachments are for the sole use of the intended recipient(s) and may contain confidential and/or privileged information. Any unauthorised review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by replying to this email, and destroy all copies of the original message.
-----Original Message-----
From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Phil Bradshaw
Sent: 04 December 2014 14:35
To: [log in to unmask]
Subject: Re: [data-protection] information sourced from facebook or other social media for investigations
There is a difficulty with the distinction which Michelle seeks to make in that s26 refers to " ... likely to result in the obtaining of private information about a person (WHETHER OR NOT one specifically identified for the purposes of the investigation ... ) . So looking at CCTV to see if Fred (known) is a malingerer and looking at CCTV to discover who (unknown) carried out graffiti are equally directed surveillance.
The real issue I suggest is whether it is covert. In both cases I believe it is proper to regard the use of CCTV as not being covert, because if set up properly public CCTV is not covert - in DP terms fair processing notice has presumably been given in the form of suitable notices. This is not the same as monitoring social media where no FPN may have been given, and reasonable expectation of privacy is not the only issue and can be a red herring.
For example checking or monitoring social media as part of recruitment is clearly not going to get a RIPA authorisation - it is either irrelevant or not covert..
In DP terms, to a large extent people have a very limited reasonable expectation of privacy in respect of their public social media. Nevertheless an employer doing this 'covertly' is, I suggest, in clear breach of DPA if the activity is not clearly communicated. Simple application of SCHEDULE ! Part II : "for the purposes of the first principle personal data are NOT to be treated as processed fairly unless— ... the data controller ensures so far as practicable that ... the data subject has, is provided with, or has made readily available to him, ... the purpose or purposes for which the data are intended to be processed". Remember that processing includes obtaining. So to monitor social media for any routine staff management purpose you need to be open and transparent.
Of course in the OP situation you may well need RIPA authorisation to monitor social network, just as you would for a bespoke CCTV surveillance and if you can get this properly than you will also be DP compliant, usually using s29 to avoid the FPN issue.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask] All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This email was scanned by the Government Secure Intranet anti-virus service supplied by Vodafone in partnership with Symantec. (CCTM Certificate Number 2009/09/0052.) In case of problems, please call your organisations IT Helpdesk.
Communications via the GSi may be automatically logged, monitored and/or recorded for legal purposes.
*********************************** ********************************
This email has been received from an external party and
has been swept for the presence of computer viruses.
********************************************************************
**********************************************************************
This e-mail (and any files or other attachments transmitted with it) is intended solely for the attention of the addressee(s). Unauthorised use, disclosure, storage, copying or distribution of any part of this e-mail is not permitted. If you are not the intended recipient please destroy the email, remove any copies from your system and inform the sender immediately by return.
Communications with the Scottish Government may be monitored or recorded in order to secure the effective operation of the system and for other lawful purposes. The views or opinions contained within this e-mail may not necessarily reflect those of the Scottish Government.
Tha am post-d seo (agus faidhle neo ceanglan còmhla ris) dhan neach neo luchd-ainmichte a-mhàin. Chan eil e ceadaichte a chleachdadh ann an dòigh sam bith, a’ toirt a-steach còraichean, foillseachadh neo sgaoileadh, gun chead. Ma ’s e is gun d’fhuair sibh seo le gun fhiosd’, bu choir cur às dhan phost-d agus lethbhreac sam bith air an t-siostam agaibh, leig fios chun neach a sgaoil am post-d gun dàil.
Dh’fhaodadh gum bi teachdaireachd sam bith bho Riaghaltas na h-Alba air a chlàradh neo air a sgrùdadh airson dearbhadh gu bheil an siostam ag obair gu h-èifeachdach neo airson adhbhar laghail eile. Dh’fhaodadh nach eil beachdan anns a’ phost-d seo co-ionann ri beachdan Riaghaltas na h-Alba.
**********************************************************************
The original of this email was scanned for viruses by the Government Secure Intranet virus scanning service supplied by Vodafone in partnership with Symantec. (CCTM Certificate Number 2009/09/0052.) This email has been certified virus free.
Communications via the GSi may be automatically logged, monitored and/or recorded for legal purposes.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|