Virgin Media, BT and TalkTalk, three of the UK's largest ISPs, are planning to implement a thing called Phorm. Phorm is a very bad thing. It allows the ISPs to track everything you do online - even 'read' (or to be correct 'parse') the contents of most online webmail systems - and then sell your browsing history to third parties so that they can ensure you see personally targeted adverts.
This breaks several laws including the Regulation of Investigatory Powers Act 2000 (commonly called 'RIPA'), the Data Protection Act 1998 and the Human Rights Act 1998. There's a bunch called BadPhorm who have written extensively on the subject. They say it better than me.
What I wanted to write about, since it's what I do for a living, is some ways in which you can use the law to protect yourself against this crap.
Here's two things everyone should know about how to stop it.
Section 10 Notice
Everyone with an ISP that is going to implement Phorm needs to lodge a Section 10 notice with the ISP. Section 10 of the Data Protection Act 1998 says that an individual has the "Right to prevent processing likely to cause damage or distress".
To write a S10 notice, you need to write to the ISP stating that the processing of your data by Phorm constitutes a breach of Article 8 of The Human Rights Act 1998, "Everyone has the right to respect for his private and family life, his home and his correspondence", and that such processing will cause you unwarranted damage and distress by violating your right to privacy.
Within 21 days the Data Controller - the ISP - must respond to say how they intend to respond. The S10 notification DOES NOT oblige the data controller to comply, but if they do not comply, they must state why they are not complying.
Please see suggested wording below:
Dear [ISP or contact name],
I am [insert name]. My customer number is [insert customer number or other relevant identification here].
Under Section 10 of the Data Protection Act 1998, I hereby serve notice upon you as Data Controller to cease immediately processing of my personal data by means of Phorm.
My browsing habits will reveal information about me falling into some or all of the following categories deemed to be 'sensitive personal data' under Section 2 of the Data Protection Act 1998:
(a) the racial or ethnic origin of the data subject,
(b) his political opinions,
(c) his religious beliefs or other beliefs of a similar nature,
(d) whether he is a member of a trade union (within the meaning of the [1992 c. 52.] Trade Union and Labour Relations (Consolidation) Act 1992),
(e) his physical or mental health or condition,
(f) his sexual life,
(g) the commission or alleged commission by him of any offence, or
(h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.
The processing of my personal data by Phorm constitutes a breach of Article 8 of The Human Rights Act 1998, "Everyone has the right to respect for his private and family life, his home and his correspondence", and such processing will cause me unwarranted damage and distress by violating my right to privacy.
Phorm further constitutes a use of my personal data and a violation of the second and third Data Protection Principles, from Section 8 of the Data Protection Act 1998:
2 Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3 Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
Under the law, you have 21 days to inform me of your response, stating your reasons for regarding the data subject notice as to any extent unjustified and the extent (if any) to which you have complied or intend to comply with it.
Please be aware that if I am unsatisfied with your response, I am entitled to complain to the Information Commissioner who can investigate and, should it find you to have failed to comply with a reasonable request, force you to comply.
Yours sincerely,
[Insert Name]
Section 11 Notice
Section 11 of the Data Protection Act 1998 states:
11 Right to prevent processing for purposes of direct marketing
"(1) An individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing for the purposes of direct marketing personal data in respect of which he is the data subject.
(2) If the court is satisfied, on the application of any person who has given a notice under subsection (1), that the data controller has failed to comply with the notice, the court may order him to take such steps for complying with the notice as the court thinks fit.
(3) In this section “direct marketing” means the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals."
Please see below for suggested wording:
Dear [ISP or contact name],
I am [insert name]. My customer number is [insert customer number or other relevant identification here].
Under Section 11 of the Data Protection Act 1998, I hereby serve notice upon you as Data Controller to cease immediately processing of my personal data for the purposes of direct marketing by means of Phorm.
I am legally entitled to have a data controller cease, or not to begin, processing of my personal data within "a reasonable period". I suggest a period of five working days should be sufficient to stop processing of my data.
Please be aware that if I am unsatisfied with your response, I am entitled to complain to the Information Commissioner who can investigate and, should it find you to have failed to comply with a reasonable request, force you to cease processing my data.
Yours sincerely,
[Insert Name]
This is distinct from S10 and you should do both.
Please post a link to this article to as many places as you can - if you do post the text elsewhere, a link back here would be appreciated.
