Proportionate data protection policies

Jeni Tennison

When I first started CONNECTED BY DATA, one of the first things I thought about was the website’s privacy policy. Wouldn’t it be great, I thought, if we could demonstrate the kind of approaches that we’re advocating for in our own practice. But then there was so much other stuff to do – website content, hiring, finance, strategy work, engagement, projects, fundraising, writing, and so on and on – that it was easier to use a couple of off-the-shelf data protection policies for recruitment and just to not even track website analytics.

Then we got going on our advocacy work, and started organising events. And this meant we needed to collect data – personally identifiable data – and about privacy advocates! The worst kind of data subject. We knew we had to take a proper look at our data protection approach.

It’s easy to be an idealist about what other people should do. And our vision at CONNECTED BY DATA is quite idealistic. We think that effective data governance needs to take into account our collective interests, not just individual ones; be democratic and give power to the people who are affected by it; be as participatory as possible, so that those people are actually involved in the process; be deliberative, with proper thought put into complex decisions; and be powerful, so that it actually makes a difference to how data gets collected, used and shared.

It’s easy to see how those principles might be applied to large-scale uses of sensitive data about people’s health or finances. But how should we apply them to the rather more mundane – and a lot more common – activities of customer relationship management, recruitment and hiring, event organisation, or marketing?

The first, and obvious, answer we could give is “You tell us!” But while we’re idealistic, we’re also pragmatic. Us holding a citizen’s jury to work out how to manage data about event registrations is disproportionate to the risks this small database presents. One of the gaps that we’re hoping to fill at CONNECTED BY DATA is to work out how the collective and participatory data governance ideals might apply to small businesses or resource-strapped charities. And how they might be used to answer really context-specific and practical questions, not just provide general guidelines and principles.

So this post describes what we’ve done in our data protection policy and why we’ve done it. I hope that we’ll then hear from you about what we should be doing differently.

The basics

There’s a bunch of stuff that is obvious and that I won’t go into in detail. Obviously we have to be compliant against the legal requirements we’re subject to, namely UK data protection law and rules around electronic communications. ICO has a whole array of guidance about what this looks like for SMEs. Their simple privacy policy guidance and template were particularly helpful.

We thought through all the places where we were collecting – or otherwise in control of – data, exactly what we were collecting and how, where it was, what we were doing with it and why. And then we worked out what lawful basis should apply in each case with the help of ICO’s lawful basis tool.

Challenging norms

One of the key principles of data protection is that of data minimisation – the principle that you should only collect data if you absolutely need to. We have to recognise, though, that common tools and services collect a lot more data than most of the organisations who use them actually need. For example:

  • Google analytics and most other analytics platforms track individuals as they navigate your website. We figured we only really needed to know things like which web pages were popular and how many people visited our site. So we plumped for using Plausible.io, which doesn’t use cookies but gives us enough to know that we really need to update our Projects page! Also, really nicely, our website analytics dashboard is open to everyone.
  • Mailchimp and most other mailing list or newsletter managers inject things like invisible images and redirected URLs into emails you send through them, so that they can give you analytics about who opens your mail and what links they click on when they do. We’re not going to be carrying out mass marketing campaigns for which that information might be useful. So we’re not going to use those tools but just the simple group emailing facilities that Google offers.
  • Hubspot and similar CRMs use a variety of mechanisms to link up between visits to your website, newsletters you send, emails and other interactions with customers. These can become really invasive, prompting sales people to drop you an email because they’ve detected you’ve visited a particular page for example. Again, we don’t need to do that, so we’re not going to.

I’m highlighting these because they are extremely common tools, and because in fact it’s hard to find mailing list management software or CRMs that don’t invade the privacy of your subscribers, clients and customers by default. So many organisations end up performing this data collection without really thinking about it. It’s just the industry norm.

There is also a norm around keeping data “just in case”. We debated, for example, what to do about information about who attended an event, once the event was done. Should we keep it around to support more personalised interactions with those people in the future, or to create more detailed metrics and reporting? Or should we extract the summaries we need and then delete it? We’re opting for the latter unless people explicitly opt in to being contacted again down the line.

Simplicity and transparency

We have tried to use simple language in our privacy notice, and aimed to be really transparent about what we’re doing and why, rather than obscuring it. While transparency is a legal requirement, it is easy to lapse into legalistic language, and to gloss over things that you are worried people might not be happy about. You will be the judge of whether we’ve succeeded with this goal.

One area where we’ve been more transparent than we legally have to be – but where we believe greater transparency should become the norm – is in spelling out the details of the three-part test for legitimate interests: our purpose, why processing is necessary for it, and how that weighs against the rights and interests of data subjects and other people who might be affected. We think it’s important for organisations to go into these details so that they’re clear, and so they receive pushback if people don’t agree with them.

Collective interests

The items above are all pretty standard good practice for privacy policies. But now we’ll get into the pieces that are more specific to our priorities at CONNECTED BY DATA.

Our policy isn’t a privacy policy, it’s a data protection policy. We don’t think that the people whom we collect data about are the only people whose interests we should consider. We have to ask ourselves how our use of data affects those who aren’t included, for example those we can’t contact directly when new opportunities present themselves, because they’re not in our database, or have asked not to be contacted. We know that people have a lot of reasons not to consent to data collection, and that this may bias the data we have towards or against particular groups. Our data protection policy documents where we see these potential wider harms and inequalities, and how we’re mitigating them.

We also don’t think that personally identifiable data is the only data that’s important. I wrote about Plausible.io above, which we use for our website analytics. It doesn’t collect anything that’s identifiable (not even IP addresses), but it’s still data that’s derived from people’s activity on our website. We think you should know that we’re doing it, and be able to say that you don’t think we should, if that’s what you think. So our data protection policy talks about it, even though it’s not personal data.

Participation

Data protection law gives a whole bunch of rights to data subjects about the use of their own data. But we don’t think they go far enough. There are three additions that we’ve made to our data protection policy:

  • If you’re a data subject, you’re not limited to having a say about the processing of just your data: we invite you to have a say about what we’re doing more generally.
  • In fact, we invite you to have a say even if you’re not a data subject – i.e. we don’t collect data about you – but are affected by the way we use data.
  • And, we invite you to have a say if you’re an organisation that’s acting on behalf of a wider group of people (something that’s also described in Article 80(2) of GDPR, but that the UK chose not to implement in its Data Protection Act).

There’s a range of different ways people and organisations might participate in decisions about data, and frankly the mode that we’ve chosen – writing down what we’re doing and then asking for feedback, comments or complaints – is not as participatory as the ideal of co-creation. By writing the policy ourselves, we have set the frame for any discussion and placed people affected by our use of data in a subordinate role. Any comments and feedback that we do get are likely to come from a self-selecting group of people – usually those with privilege who are used to having their voices heard.

But we have to be pragmatic. As a single organisation, needing to produce something relatively quickly, we don’t have the resources to enter into a big co-design exercise. And it would seem overblown for us to do so. We have settled on a mode of engagement that still provides for some participation (and people power, see below) but is nearer the middle than the top of Arnstein’s ladder.

Is this always going to be the way that small organisations need to operate? I don’t think so. Larger associations, membership organisations, professional bodies or ecosystem enablers – such as CAST or the NCVO for the small non-profit space – provide guidance about data protection (see NCVO’s guidance for example), but it’s written by experts and doesn’t provide insight into what the clients or advocacy targets of these organisations reasonably expect. Organisations like these could choose to run participatory and deliberative exercises that would help many organisations to understand public attitudes and expectations around their uses of data in their sectors.

There are also cases where there could be simple participatory (but not particularly deliberative) mechanisms for people to exercise collective control over what organisations do with data. When I was first thinking about giving website visitors power over the collection of website analytics, I imagined a system where there was a voting form directly hooked up to turning the analytics on or off. If more than half of the website visitors voted against the use of Plausible.io, it would be turned off; when more than half voted for it, it would turn on. We haven’t implemented that, but you can see how it would be a feature that we, or Plausible.io themselves, could provide.

Power

The final piece of the approach we’ve taken in our data protection policy is about ensuring those who are affected by our collection and use of data have power over it. The crucial thing here is what happens when someone makes a comment or suggestion that we disagree with. If we can just ignore it, then our invitation to critique is just a gesture – participation-washing. On the other hand, it’s problematic, not only for us but for others, if we’re bound to adopt whatever any random person says we should do.

In the case where someone suggests a change that we don’t agree with, we need to have some kind of independent arbiter. For complaints about personal data that fall under current data protection law, that would be the ICO. But as described above, there are several aspects of our data protection policy that aren’t about legal compliance, and therefore fall outside ICO’s scope, but where we still think people should have some power.

The approach we’ve taken is to say that in the case where there’s a disagreement, we’ll jointly convene an independent panel. I’m imagining that in this case we would each nominate two panellists, and jointly agree on the chair. And then we would abide by that panel’s decision. I’m hoping this wouldn’t be too much of a call on anyone’s time, and therefore that this would be a voluntary activity. A slightly more costly alternative would be to appoint an arbitrator to make the decision but currently arbitrators are more used to employment and contractual disputes than disputes around the use of data. Perhaps this is an area of future professional specialisation for arbitrators!

In conclusion

We should be asking for better data protection from organisations large and small. Our legal frameworks – and therefore a lot of the guidance that’s currently provided to organisations – focus on harms to individual data subjects, and not to groups or others who might be affected by uses of data. But that doesn’t stop organisations who want to from going further: they can consider wider and collective impacts arising from data, or their use of non-personal data. And even without the legal frameworks that would make it binding, it’s still possible to provide mechanisms for accountability that give real power to people and groups that data affects, without being overly burdensome.

We shouldn’t assume that democratic power over data is only relevant for larger organisations or riskier uses of data. Nor should we let the perfect be the enemy of the good or assume a one-size-fits-all approach to participation. There are pragmatic, proportionate approaches to participatory data protection that any organisation can adopt.