by

The Englishman who wades into Scottish politics on either side, especially if he lives in England, is probably taking a huge risk of being disagreed with vehemently, no matter what he says. Nevertheless, the explosion of interest into the so-called ‘Clypegate‘ list has a Data Protection angle that I cannot resist.

To summarise, it seems that the Scottish Labour Party have assembled a list of supporters of the Scottish National Party who have said things on Twitter and Facebook that the Scottish Labour Party do not like. The list – inevitably tagged a dossier – has been passed to the tabloids to stir up some kind of frenzy about the so-called ‘Cybernats’. Some of the statements are fairly strong, but I doubt they are worse than anything said in the average pub conversation about politicians. I’m certain every term applied to Gordon Brown and Donald Dewar has been said of Alex Salmond by Labour supporters. As someone who voted Labour in the recent election, I can think of a few more constructive things that the smouldering remnants of Labour in Scotland could be doing with their time, but this is what they decided to do, so we are where we are.

Now, if you were hoping for anything more in the way of politics, you’re going to be disappointed. From here on in, it’s ANORAK TIME!

The Data Protection Act has many requirements for the processing of data, but the chief hurdle is the first DP principle, which requires three things. The processing of personal data must be fair, lawful, and conditions must be met. Regular readers will know that consent is not required, as there are alternatives to consent in the lists of conditions. Let’s consider the three elements in turn;

FAIR: fair has two meanings. The use of data has to be fair in the dictionary sense of the word and it also has to be fair in the DP sense, which means the Data Controller (Labour) has to tell the subject (the SNP tweeter) how their data will be used unless an exemption applies. Many organisations believe that because personal data is in the public domain, it is fair game. The Information Commissioner’s own guidance on personal data online stated in 2010 that this was not the case, and we have a very recent example (Samaritans Radar, which also focused on tweets) where the ICO stated that tweets were personal data (depending on their content), and so DP applied.

Labour fail on both counts. Gathering together tweets and providing them to a newspaper to name and shame the individuals is not fair in my opinion. But more importantly, Labour did not tell the subjects that their data would be used in this way. Clearly members of the Scottish Labour Party will look at what is being tweeted; they may analyse and try to counteract it. If you don’t like the idea of people you don’t like reading your tweets, go private or stop tweeting. However, the conscious selection and specific analysis of a person’s tweets is processing personal data as is passing it to a newspaper, and none of the DP exemptions allows Labour to do this in secret.

The use of the data was not fair.

LAWFUL: this is a tricky one where I expect I will get little agreement, especially from people who might read this hoping to see Labour eviscerated. DP requires that data processing should not breach other relevant laws e.g. Human Rights privacy or confidentiality. I do not believe that Labour’s use of the data was unlawful – Carina Trimingham’s Facebook account was pruriently raided by the Daily Mail so that they could make cheap jibes about her, but she still lost her Human Rights privacy case. Twitter and Facebook are not private places unless you lock your account. Get used to that.

CONDITIONS: DP requires that one of a prescribed set of conditions is met to justify the use of personal data, and one from a second list if the data is defined as ‘sensitive’. A person’s political opinions are sensitive data, so this means that Scottish Labour needed not one condition, but two. The tricky part is usually the sensitive data condition, but as it happens, I don’t think Labour have a problem here. One of the conditions for processing sensitive personal data is that the sensitive data has “been made public as a result of steps deliberately taken by the data subject‘. I think this box is ticked – the political opinions were tweeted out into a public forum by the subject.

But that’s not the problem. The problem is that a condition is also required from the first set, and here Labour are stuffed. They don’t have consent, a contract, a legal power or obligation, and they are not protecting anyone’s vital interests. The only condition left is ‘legitimate interests‘, where they have to claim that their legitimate interest in monitoring and publicising rude tweetersis not ‘unwarranted’ because of ‘prejudice to the rights and freedoms or legitimate interests of the data subject’. I am not remotely convinced that monitoring of ordinary folk – even if they are supporters or members of a party – is a legitimate interest in this context.

I have registered to vote in the Labour leadership elections, and had to declare that I support the aims and values of the Labour Party. That was not an easy declaration to make, but I definitely don’t support any other party and I never have. If Labour wanted to find out whether I was in fact a Conservative or SNP supporter pretending to be Labour, and looked at my Twitter account to find out, I believe that would be a legitimate interest. They would still have a problem with fairness, and would have to tell me that this was going to happen (they didn’t).

I don’t believe the two situations are comparable however. But even if I did, even if Scottish Labour monitored their opponents legitimately, it’s impossible to argue that legitimate monitoring is not undermined by passing the data to journalists, especially as journalists are (under Section 32) virtually exempt from the Data Protection Act. If the monitoring was done to identify genuine abuse and report it to Twitter or Facebook, I believe that would be legitimate and would not be unwarranted. But this all seems to be for PR and political points scoring. I cannot read this as legitimate interests with no unwarranted harm.

There are other questions – does the dossier breach the DP requirement for accuracy for example? But we don’t need to get into that. Two significant breaches of the first principle are sufficient to say that Labour has breached the Act. That’s it.

The only remaining question is what should happen now. I believe Scottish Labour should stop in their tracks, grow up and apologise. If that doesn’t happen (and even if it does), this is a gift to their opponents that will undoubtedly result in complaints to the ICO. Regular readers will know that I am always sceptical that the ICO will stray outside their comfort zone of security fines, but it is open to them to issue either an enforcement notice stopping Labour from doing this, or (very unlikely) issue a penalty. It is worth noting that by the time the ICO quietly disposed of complaints about the Samaritans, the charity had stopped their Radar project and may never restart it. Political parties are rarely so intelligent, and if the ICO are faced with an intransigent Labour response, not admitting that they have done wrong, anything is possible. Much as I would like to see Labour pick themselves up and offer something more optimistic, it seems that they have instead blundered into another bruising debacle of their own design.