Emily Keaney is the ICO’s Deputy Commissioner for Regulatory Policy, and is responsible for overseeing the ICO’s policy work programme.
Earlier this year, you may have seen media reports about people receiving unwanted contact from ‘text pests’ after using services such as booking a taxi or ordering a pizza. This isn’t an issue the ICO has received many complaints about, so we wanted to gain a greater understanding of how widespread the problem is.
Specifically, we wanted to understand what companies are doing to stop their staff from using customers’ personal information given to them in a business context, such as a phone number or email address, for sexual propositions – for example, asking a customer out on a date after they ordered a takeaway. We also wanted to hear from customers about their experiences of receiving such inappropriate contact.
We know from what we heard that this can be very distressing, and we want to thank everyone who came forward and shared their stories.
Through our investigation we found numerous examples of good practice in protecting data or dealing with perpetrators that we want others to learn from so they can continue to work with the public appropriately.
The effect of unwanted texts and calls on the public
We received around 90 responses to our call for evidence survey. Most of the responses came from women, who told us they had received an inappropriate text message or call after giving their personal information to a business. Such contact involved comments on their physical appearance, date propositions, and even sexually explicit images in some cases.
What we found was that this behaviour is not necessarily a new invention of the modern era. One individual told us of an incident dating back several decades, while others told us of unwanted text messages received in the 2010s. This suggests that this type of contact can have a lasting impact on those affected, with people saying they felt that their privacy had been violated, as well as feeling anxious and uncomfortable in their own homes. It shows how crucial it is for organisations to look after people’s information appropriately.
What we didn’t find through our survey was any ongoing negligent behaviour from specific companies. And when we spoke to companies where incidents had occurred they had taken proactive action to address them. That was reassuring, but we know that even one-off incidents can have a big impact on people, and that they are often under-reported. That’s why it’s important for people currently affected by this issue to get in touch with the ICO, so we can look into the details and build a wider picture to inform our work in protecting the public from data misuse.
Good practice in data protection and wider learnings
As part of our scoping exercise, we contacted some of the major customer-facing employers in the country. Although we found that some of the companies received complaints from customers about unwanted contact, it was a very small number when compared to the millions of people employed and the number of deliveries and services provided every year. Such incidents and the employees responsible were dealt with through the companies’ own disciplinary procedures, many resulting in dismissal of the perpetrator.
We also saw a good level of understanding from the companies on their data protection obligations, including having the appropriate measures in place to avoid the misuse of customer data by their employees. Some of the good practice we saw includes:
- UberEats applies the principle of data minimisation by allowing couriers to only view limited delivery and customer data, specifically first name and initial of the last name, and the delivery address. For real-time communication during delivery, for example if a courier can’t find the delivery address, couriers can call or message the customer. If opting for a call, temporary phone numbers appear at both ends to avoid disclosing their actual phone numbers, while messages are sent within the app. After the trip ends or in case of cancellation, the courier loses retrospective access to that data.
- Royal Mail approaches data minimisation by restricting customer personal data passed through its systems, so that no email or telephone numbers of customers are accessible by postmen and postwomen when they are out delivering parcels for their customers. Access to customer data is restricted to only relevant roles to support resolving customer queries.
- Just Eat applies phone masking to hide the customer phone number, ensuring that only a minimum amount of data is shared with the courier. Should the courier need to communicate with the customer about their order, they are connected through a centralised phone number which does not reveal the customer’s actual phone number. Couriers are to only communicate with customers regarding the delivery.
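The three controls described above (a minimised courier view, a temporary call number, and loss of access once the trip ends) can be sketched as a single service layer. This is an added illustration, not code from the ICO or from any of the companies named; `CourierGateway`, its method names, the field names and the sample values are all assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Order:  # full record, kept server-side; never sent to the courier app
    order_id: str
    courier_id: str
    first_name: str
    last_name: str
    phone: str
    email: str
    address: str
    status: str = "in_progress"  # or "delivered" / "cancelled"

class AccessDenied(Exception):
    """Raised when a courier asks for data they are not entitled to."""

class CourierGateway:  # hypothetical layer between courier app and order store
    def __init__(self, proxy_numbers):
        self._free = list(proxy_numbers)  # pool of temporary numbers
        self._active = {}                 # order_id -> proxy number in use

    def _check(self, order, courier_id):
        if order.courier_id != courier_id:
            raise AccessDenied("courier is not assigned to this order")
        if order.status != "in_progress":
            raise AccessDenied("trip ended, no retrospective access")

    def courier_view(self, order, courier_id):
        # Allow-list projection: first name, last initial and address only.
        self._check(order, courier_id)
        return {"name": f"{order.first_name} {order.last_name[:1]}.",
                "address": order.address}

    def call_number(self, order, courier_id):
        # The courier dials a temporary number; the real one stays server-side.
        self._check(order, courier_id)
        if order.order_id not in self._active:
            self._active[order.order_id] = self._free.pop()
        return self._active[order.order_id]

    def end_trip(self, order, status):
        # Delivery or cancellation revokes access and recycles the proxy.
        order.status = status
        if (proxy := self._active.pop(order.order_id, None)) is not None:
            self._free.append(proxy)

def sample_order():  # constructed data, not real customer details
    return Order("o-1", "c-7", "Sam", "Taylor", "07700 900123",
                 "sam@example.com", "1 Example Street")
```

The courier-facing calls return only allow-listed fields, so a field added to `Order` later is not exposed unless someone deliberately adds it to the view.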
Other examples of good practice included:
- staff training that clearly outlines the implications of misuse of personal information;
- application of the principles of least privilege, meaning staff can only access data that is relevant to their roles;
- ability for customers to easily raise a concern about unsolicited contact;
- existence of robust disciplinary measures in the event of an incident; and
- ensuring that there is a mechanism to report serious incidents to the ICO.
While we recognise that customer information, including phone numbers and home addresses, is often essential in support of legitimate business transactions, unsolicited contact beyond this purpose is likely to be unfair and unlawful. That’s why we’re urging organisations to learn from the good practice outlined so they can continue to handle people’s information appropriately.
Reporting text pests
We found that reports to companies and us are low, so please do report it. This will mean companies can take a firm line, and then we can step in if this doesn’t happen.
Should you fall victim to unwanted contact using data you provided for business reasons, here’s what you can do:
First, report to the company who employs the perpetrator. We found that companies do understand their obligations in this area, and have previously dealt with incidents such as these robustly.
Should they not take action, or if you are dissatisfied with their response, then you can complain to the ICO and we will investigate further.
Notes to editors
About the Information Commissioner’s Office (ICO)
- The ICO is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
- The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the United Kingdom General Data Protection Regulation (UK GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five acts and regulations.
- The ICO can take action to address and change the behaviour of organisations and individuals that collect, use, and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit.
- To report a concern to the ICO, call our helpline on 0303 123 1113, or go to ico.org.uk/concerns.