Who do you trust more, the man in the office or the man in cell?


I’ts been a while since I’ve written any posts so apologies if this is slightly rough around the edges. I’ve been disctracted with “fluffy” magazine article writing… all that hard hitting column type stuff was getting far too exciting so I’ve come back (from outta space) and stumbled accross this item in the news the other week.

Now to those with a similar disposition having seen the title of this entry as myself you are asking yourself  “well, what’s the difference”? Which is a fair point, but in this instance according to a recent article in The Independent “Prison inmates [are to be] paid to collect information from homeowners for insurance companies”. The Independent claims that a scheme that is currently run by Oakwood Prison would be extended that could, according to the article, see detainees contacting the public to obtain information for insurance companies on their insurable items.

At face value there is several issues there, not least that most of the British public see “cold callers” as criminals anyway so actually turn cold callers into criminals does have an air of irony and humour about it.

At this point I’d like to slightly bring in the debate about rehabilitation (but only slightly). In this specific instance the offer of rehabilitating current offenders seems to be being used to divert attention from the level of risk associated with such practice as well it’s failings to comply with the concept of Data Protection and Privacy. I have no controversial views on rehabilitation nor am I qualified to issue a view but I’d like to clear away the rehabilitation point by stating that I’m firmly in the camp of offering offenders (current or former) a second chance in society and to “pay back” what they have idealistically taken from society. Now that’s said let us focus on the privacy debate and not get the 2 mixed up.

Putting the matter of offender rehabilitation aside for one moment (and use of the term ‘criminal’), this raises some interesting questions around ‘appropriate controls’ and the people element of processing personal data.

Unfortunately, it is not unreasonable to say that currently that the concept of “privacy by design” is a stranger to UK data controllers. By this I mean the concept that privacy and the respect for that right is at the forefront of system and process design and sit alongside the need for ‘profitability’ and alignment to company priorities and branding. Now to give credit where credit is due, some controllers understand and engage with this concept and have indeed achieved a status of “privacy by design” or something that closely resembles it. To those organisations I tip my hat but also acknowledge that you are the indeed elite and special few.

Let’s start from the beginning and look at this from an “ideal world” point of view (I really must stop doing that). According to the Independent and what information I have been able to find online the operator will ‘cold call’ a number provided by the Data Controller using a computer controlled telephone system. According to the BBC this system doesn’t show to the operator the data subjects address or other contact details. The operator will then ask the data subject whether they would be interested in a quote for their valuable items (following the usual cold calling standard call template; namely “what a great offer we have” and such similar nonsense). The Data Subject’s replies are then recorded by the operator in the computer system which the Data Controller would then translate into sales leads and action with other operators (non-inmate).

According to G4S “All the prisoners are carefully security checked and interviewed before working in the centre, calls are made remotely by computer, and every conversation is closely monitored by supervisors. No information from the calls is stored and there is no way any personal information can be used for any criminal purposes”.

Now, at face value all the measures outlined above seem like sensible steps to take to control and lock down access and would usually be found in most ‘secure’ call centres. However, purely from a practical point of view, how can an operator speak to customer without seeing their contact details or address? What happens if the data subject wants a call back on a different number? Or is moving and wants to change their address? Both are events that are not beyond the realm of possibility? Also, what is an acceptable level of “security checks” to accept the inmate as an operator? Do they exclude those that have been convicted of Fraud or Burglary? In which case (as a side point) how does that then represent a “equal opportunity” for rehabilitaion for all inmates as it’s currently sold? Surely other schemes that don’t involve personal data would be better suited to such a noble cause?

Currently the DPA states that processing of ‘personal data’ can be achieved if you meet any of the ‘Schedule 2’ conditions. In this instance, as there is no law to specifically allow for the processing of this data for this purpose therefore they are relying on consent, legitimate interests of the data subject or legitimate interests of the data controller. Historically, the Information Commissioner has taken a dim view of controllers that have tried to argue that they are processing information in order to “benefit the legitimate interests of the data subject” so I doubt that ‘legitimate interests of the data subject is truly applicable. So what is left, the legitimate interests of the data controller? But does this processing really meet the legitimate interests of the data controller without prejudicing or otherwise harming the rights or interests of the data subject?

In a “normal” call centre or cold calling setup, and in an ideal world, companies should only be contacting prospective customers with information that has been made available via the electoral register or with consent. It is expected (by the data subject) that the data controller is based in a reasonably secure office environment and that they are being spoken to “Business to Customer” (even if they don’t like cold callers). In this scenario, data subjects are being called from inside prison by operators that are unpaid and where the data subject has not been informed. Rightly or wrongly, a fair amount of data subjects would instantly feel that their privacy had been invaded and remove consent for any processing in this fashion. So coming back to the original question, how does this processing not prejudice a data subject’s reasonable expectation of fair processing and privacy of their information?

I haven’t touched on the recent tribunal decision that seemed to suggest that infringing the right to privacy under the Human Rights Act could mean that you have “unlawful processing” of personal data. It speaks for itself…

To be clear, purely under the Data Protection angle, I don’t like this idea and I don’t think that it does any favours to the privacy cause and what the public understand privacy to be in the UK. This could be the most secure process going but Data Protection is about more than just the security of data and using “free labour” in this environment and context simply does harm to the idea of privacy and to some degree destroys the apparent “good intentions” behind the scheme.

Note, I haven’t commented on the immoral use of “free labour” to get sales leads for private companies… surely rehabilitation should be about giving back to the community not helping big business turn a profit?

Independent Newspaper – 22nd August 2013 – http://www.independent.co.uk/news/uk/home-news/prison-inmates-paid-to-collect-information-from-homeowners-for-insurance-companies-8777641.html
BBC Online News Article – 21st August 2013 – http://www.bbc.co.uk/news/uk-england-23777143