Sign-up to a data breach claim today - use our quick and easy form to begin your claim for thousands of pounds in compensation.
In early May, the Metropolitan Police were accused of a ‘severe’ security breach when they disclosed 30,000 addresses of shotgun and firearm owners to a direct mail marketing agency, “Yes Direct Mail”.
The British Association for Shooting and Conservation (BASC) has now demanded an answer from the Commissioner of the Metropolitan Police, Cressida Dick, to clarify what legal basis they had for passing on the addresses of so many firearm and shotgun owners. Namely: under the Data Protection Act (DPA) and any wider guidelines surrounding privacy and marketing.
The Metropolitan Police confirmed that they used a company, Corporate Document Services (CDS), based in Leeds to print the leaflets. The leaflets advised certificate holders of a product called ‘SmartWater’ (not to be confused with the bottled water brand), which allows owners to mark their guns with invisible ink that can be read under UV light in the event that it’s stolen. Though the leaflets may have been created with the intention of advising owners of how to keep their firearms and shotguns safe and protected, the marketing strategy seemingly disregarded the fact that owners didn’t give their express consent for their addresses to be shared.
BASC was informed that CDS sub-contracted the distribution of these leaflets to Yes Direct Mail. BASC wrote a letter to the Commissioner, Cressida Dick, outlining the concerns it had with the home security of shotgun and firearm owners given that their addresses were compromised by the leaflet distribution. The understandable concerns were in relation to criminals looking to acquire a gun.
There are suspicions floating around that there was an ulterior motive involved. The person who founded the traceable ink company is reportedly a former police detective. It’s believed that the company has strong ties with a number of UK police forces, and their product is something that the police actively endorse. So it’s not surprising that the Metropolitan Police may have been swayed to provide addresses of thousands to assist with the promotion of the product…
When an application is made for the ownership of shotgun and/or firearm, under the data protection statement, the applicant and the police only give the police permission to share their personal details with GPs, other government departments, regulatory bodies, or enforcement agencies. It certainly doesn’t appear to cover commercial companies. CDS and Yes Direct Mail probably fall under the definition of a commercial company, and therefore it seems that the Metropolitan Police didn’t have permission to disclose this information.
This is black and white for me. Data controllers can only pass on the personal data of an individual with prior consent. The exception to this rule is if there’s a legitimate concern for public health and safety.
Under the DPA, Section 11 provides that an individual has the right to prevent processing for purposes of direct marketing. This means that, had the shotgun and firearm owners known that their addresses were being disclosed onto an external contractor, they could’ve given written notice to the data controller (Metropolitan Police) to stop this from happening. However, on this occasion, the owners weren’t made aware that their addresses were being used for direct marketing, and therefore couldn’t give their consent.
The Information Commissioner’s Office (ICO) reiterates this by stating that prior consent must be obtained for direct marketing purposes. Individuals should be allowed to opt-in or out of these methods of communication. The ICO’s guidance also states that companies should check the individual’s preference before they directly contact them for marketing purposes.
For the time being, BASC’s Director of Firearms, Bill Harriman, maintains the position that there was no legal basis for their addresses to be disclosed;
“…we can see no legal authority which allows the Met to breach the DPA by passing on sensitive, confidential information to as many as three external companies.”
Bill Harriman highlights the threat of personal information being passed on:
“…such information is currency for criminals.”
Especially when involving firearms. That’s why data security is crucial and companies who fail to adhere to the DPA and other privacy obligations will be punished.
EasyJet admits data of nine million hacked
British Airways data breach: How to claim up to £6,000 compensation
Are you owed £5,000 for the Virgin Media data breach?
Virgin Media faces £4.5 BILLION in compensation payouts
BA customers given final deadline to claim compensation for data breach
Shoppers slam Morrisons after loyalty points stolen
Half a million customers can sue BA over huge data breach
Lawyers accuse BA of 'swerving responsibility' for data breach
The biggest data breaches of 2020