Jon, you are of course correct in a general sense about the opt-out approach and it is something we were initially concerned about.
However, the Department of Justice here in NI passed specific legislation that allows us to operate with an opt out (though of course whether that would stand up to long term legal challenge is another matter).
The research is specifc government sponsored research (though that does not absolve us from DPA).
Obviously the approach from the research company comes at the end of the criminal process by which stage we will have had a significant amount of contact with witnesses and victims. At every step of the contact with witnesses and victims, we flag up that the data may be used for these purposes and offer the the option to opt out, so think we can say that subjects have a fair warning of this.
===============
Seth
I think this is highly problematic.
If we go back to basic principles it would seem that you are the initiating data controller, and the market research company are either your data processor or a joint data controller (depending on the terms of the agreement between you).
You are asking the company to conduct research and as a result you are passing personal data to them of a particularly sensitive type (whether it's actually "sensitive personal data" according to s2 DPA 1998 is another matter, although it could be in some situations). Yet you are working on a basis of "opt out" - I would argue that this is very risky. The processing, which involves transfer of data, and its subsequent use and storage by the company, has to be fair and with a legal basis from (at least) schedule 2 DPA. If as seems the case you are acting on the assumption that the legal basis is consent, it's important to remember the Directive's definition of consent as "any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed".
Could you defend a claim that your process of opt in does not involve the free giving of the data subject's wishes? Maybe you could - a lot of use of implied, or assumed, consent goes on, without much concern from the regulator, but in these circumstances I tend to ask myself "how would I* feel" (if, for instance, I'd overlooked your letter)? And the answer here I think would be, outraged - I would not want the fact that I'd been the victim of a crime passed to a market research company.
Given all this, you can probably guess where I'm going with the question about telephone-number-matching. However, it would be a step further, as presumably the data subject would have no idea it was happening. Only last month ICO served monetary penalty notices on two charities for various unlawful practices, one of which was using the services of tele-matching companies (see paras 50-60 of https://ico.org.uk/media/action-weve-taken/mpns/1625540/rspca-mpn-20161209.pdf). And just to add, as the market research company appear to have specifically asked you whether it's ok to do this you're very much in data controller territory, and you can't say "it's nothing to do with us".
Query: why can you not write to the data subjects, asking them to opt in to the research, and asking for a phone number to assist the research? If the answer is because sufficient people might not agree, then I think you have a further indication of why this is problematic.
Apologies if I've rather give to town on this, but on some subjects one feels strongly. Apologies also if I've missed, or misunderstood, anything.
Jon Baines,
Chair,
nadpo.co.uk
*I freely accept I may not be representative of the general public in these matters.
On 5 Jan 2017, at 14:55, Seth Speirs <[log in to unmask]> wrote:
How would anyone feel about the following situation:
We are engaged with a reputable market research company to carry out targetted research on the expereinces of victims and witnesses. As part of this process we provide persoanl data about them to the company to facilitate contact. This is all above board and potential subjects are contacted by letter first to give them an opportunity to withdraw from consideration.
The company in question is now asking if it can use the services of a telephone number matching service to add telephone numbers to some of the subjects - the primary purpose is to increase the pool of potential subjects and the survey quality in general.
Obviously we could say that htis is nothing to do with us, but obviously the data we have provided is the basis for the search and obviously there is a certain reputational issue here.
Other than this there will be no other changes to the way subjects are contacted.
My initial inclination is that this ought to be ok, but that we should write this into our inforation ahring agreement.
Seth
Seth Speirs
Assistant Departmetnal Security Officer
Public Prosecuion Service
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|