Recently I travelled to York on Grand Central Railway. I really like their train service because you pay the same fare whether you buy your ticket in advance, at the station, or on the train. I really dislike the terms and conditions for using their on-board wi-fi.
“Grand Central reserves the right to include the name, address and other relevant information relating to the User in a directory for the use of Grand Central users or other third parties, unless specifically requested by the User in writing not to do so.”
As a fair processing notice designed to let the user know what Grand Central will do with your data, this fails.
- I guess by ‘directory’ they mean ‘database’. Directory is a terrible word to use, as most people’s mental model will be of something that’s open to anyone to consult – like a telephone directory.
- It doesn’t say what use will be made of the data, just the types of people (Grand Central users and other third parties) who can use it.
- It gives no indication of what could be relevant information. It could mean that they collect details of all the web sites you visit when using that connection, and add those to their ‘directory’.
- If you were to apply the Information Commissioner’s Principle One test – what would the user expect Grand Central to do with their data?
Needless to say, I didn’t use the wi-fi, but emailed their customer service department once I was back on a real connection. Their response was:
“This is a generic condition from our WiFi service provider. The only detail we collect is email address and we may use this from time to time to contact users with details of Grand Central, offers and promotions. If you wish to be removed from the directory please inform us in writing.”
Which is a much better statement of the data they are collecting, and what they plan to do with it — essentially the fair processing notice that should have been available for using the wi-fi.
There are some lessons here:
- Telling a user what data you’re collecting and what you are going to do with it is one of the fundamental principles of the DPA.
- If you use generic text from someone else, then you risk being in breach of the first and second data protection principles.
- Breaching the DPA at best gets you a letter from the ICO, and perhaps you’re added to his list of ‘potential incompetents’. After all, if you can’t write a basic statement of what you’re going to do with people’s data, you might be equally relaxed about how you look after it. Perhaps all the routers and file servers at Grand Central still have their generic passwords?