Paul and list
With respect to such a contract clause you do have a link to the 'Unfair
terms in consumer contracts Act'. I'm fairly certain I read something about
this a few years ago where such consent clauses can be unlawful and the
Information Commissioner is specially mentioned as one of the bodies who can
rule on fairness. Given the ICO should be looking after the consumers' rights
under DPA you would think these powers would be exercised if a challenge was
made.
(See http://www.lawcom.gov.uk/docs/lc292bill.pdf - Schedule 1 section 10.
Although the primary regulator for the UFCA is the OFT references to the
'regulator' within the legislation can be read as the ICO)
>What gives me much greater cause for concern is the number of contracts
>which say "by signing this contract you consent to ... [whatever we want
>you to]". I don't believe that that approach truly complies with the
>Directive's requirement that consent be "freely given" unless there is an
>opportunity to negotiate. I would much prefer the contract to say: "these
>are the consequences of signing up ... these are your options ... and this
>is how we protect your interests". Supposed consent of this nature is
>often the lazy option.
David Wyatt
-----Original Message-----
From: This list is for those interested in Data Protection issues
[mailto:[log in to unmask]] On Behalf Of Paul Ticher
Sent: 29 October 2007 12:21
To: [log in to unmask]
Subject: Re: [data-protection] Signature for opting in required?
I don't strongly disagree with Simon, but there was a lot of discussion
about this in the early days of the Act, and I believe the upshot was that
failure to tick a box when returning a form probably does constitute consent.
The Information Commissioner's legal guidance is cagey. (I'm quoting from a
version I downloaded some while ago, as their web site keeps crashing when I
try to look at the current version.)
My copy says:
"The fact that the data subject must "signify" his [sic] agreement means
that there must be some active communication between the parties. ... Data
controllers cannot infer consent from non-response to a communication, for
example ... failure to return or respond to a leaflet." (Someone please
tell me if my copy is out of date.)
So, if you *do* respond, but fail to take advantage of a clear opt out,
there is 'active communication between the parties' and therefore the
argument goes that the data controller can infer consent. I know this
doesn't completely follow logically, but silence often is consent - failure
of an employer to object or intervene in unacceptable behaviour, for
example, is often interpreted as tacit endorsement.
In practice, a clear statement of what is being proposed, and a clear
opportunity to opt out, is likely to contribute strongly to compliance with
the sixth Condition (legitimate interests) and with Principle 1 in general,
so the question of whether it constitutes consent may not need to be
resolved. In my training courses I have almost stopped using the word
'consent', and concentrate on good practice around opting in and opting out,
as I think this is clearer.
What gives me much greater cause for concern is the number of contracts
which say "by signing this contract you consent to ... [whatever we want you
to]". I don't believe that that approach truly complies with the
Directive's requirement that consent be "freely given" unless there is an
opportunity to negotiate. I would much prefer the contract to say: "these
are the consequences of signing up ... these are your options ... and this
is how we protect your interests". Supposed consent of this nature is often
the lazy option.
Paul Ticher
0116 273 8191
22 Stoughton Drive North, Leicester LE5 5UB
I hereby require any recipient of this message not to use my personal data
for direct marketing purposes.
----- Original Message -----
From: "Simon Howarth" <[log in to unmask]>
To: <[log in to unmask]>
Sent: Saturday, October 27, 2007 10:20 AM
Subject: Re: Signature for opting in required?
There are a number of issues here which to some extent Paul has covered,
however I must take issue with one of his points.
If the form is sent back with nothing ticked, then regardless of what the
form is for (in the design you say) you CANNOT take this as consent. Silence
is not consent. Also someone may have refused consent but simply forgotten
to tick the box (it has happened many times) so if you publish their details
I really believe you will get in trouble. Paul stated that you "...probably
have their consent..."; unfortunately probably is not good enough. The only
safe thing to do is not publish until you find out otherwise. A redesign of
the form as Paul suggests is probably a good idea.
The opt-out design of the other association's form is quite reasonable, and
much easier to manage, but together with Paul's comments you also need to
consider if any of the information may be considered sensitive personal
data, because if you are relying on consent to publish, then the DP Act
states that it must be explicit, which means opt-in.
Regards,
Simon Howarth
-----Original Message-----
From: This list is for those interested in Data Protection issues
[mailto:[log in to unmask]] On Behalf Of Paul Ticher
Sent: 26 October 2007 11:05
To: [log in to unmask]
Subject: Re: [data-protection] Signature for opting in required?
This depends on two things:
1) What you want to achieve.
If you want a list of definitely keen people, then go for an opt in. If you
think the greater purpose would be served by having a list of people who are
either keen or don't mind, then consider an opt out.
2) What you perceive the risks to be.
If the risk of publishing the details is high, then an opt in is by far the
safest way to go. However, if the site is restricted to members - and you
basically trust your members not to misuse the data - and you are happy that
your security is adequate - then an opt-out is almost certainly adequate.
The best way to administer an opt-out is to piggy-back on something that
people are sending you anyway (such as a membership renewal).
* You must provide a full explanation of what is involved (in order to
comply with Principle 1 and - because it is on the web site - Principle 8 if
any of your members are abroad). It may be worth saying that you take no
responsibility for what other members do with the contact details, but that
they are provided on the understanding that they are only to be used for
purposes related to that of the society, and not for marketing - or
something like that.
* Do not offer both a yes and a no box, because then you don't know what to
do with people who tick neither.
* If they send the form back without ticking the no box then you probably
have their consent - because sending the form back without ticking the box
'signifies' their consent, and therefore complies with the Directive
definition of consent.
If you can't piggy-back on something else, make the opting out process as
easy as possible (e.g. a freepost address or freephone number) - and give
people several opportunities. They might miss your first announcement, or
be away at the time. However, be aware that failure to respond in such a
case does not count as consent, because the members have done nothing to
'signify' their preference. You therefore have to comply with one of the
other Schedule 2 Conditions: Condition 6 is the only likely one, and you
would have to be confident that you are not infringing the 'rights, freedoms
and legitimate interests' of your members by publishing their details
without consent.
Don't forget that people who have consented can withdraw their consent, so
you must have a way of responding promptly if people change their minds and
ask for their details to be removed.
Paul Ticher
0116 273 8191
22 Stoughton Drive North, Leicester LE5 5UB
I hereby require any recipient of this message not to use my personal data
for direct marketing purposes.
----- Original Message -----
From: "Linda Haylock" <[log in to unmask]>
To: <[log in to unmask]>
Sent: Thursday, October 25, 2007 3:22 PM
Subject: Signature for opting in required?
We are planning to make our members' database available on our website in
the spring.
It will be a members only, password-protected area that will include
contact details of members.
We are presently sending out forms to all our members with the
statement "I agree to have my details listed in a members-only, password-
protected area of the website", a 'Yes' tickbox, a 'No' tickbox and a
space for signature and date.
Quite a large number of people have not sent the form back, or have sent
the form back without ticking either Yes or No, and the whole exercise is
becoming costly and time-consuming.
Then I came across another association's form which quite simply said "The
Society is Registered under the Data Protection Act 1998. If you have any
objection to your details being included in the Members' List that is
available only to other Members, please tick here."
Is this latter 'opt out clause' sufficient, does anybody know? Or is a
signature opting in mandatory?
Linda
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at
http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list
owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your
needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^