by jane fae
Trans people have good reason to fear abuse of their data by big organisations. Recent legal developments, including a beefing up of the Data Protection Act and “GDPR” appear to provide protection. But is that protection adequate? And do organisations take any real notice of the law when it comes to data processing.
Here, in the first of an occasional series written for TransActual I look at how data gets misused, and what trans people can be doing to stop it.
A (Damn and) Blast from the Past
It starts with a tale from my history. A long time ago, as I was just beginning to transition, I found myself needing to change my name. Ah, what a palaver! Though I managed almost every single name change WITHOUT any formal legal documentation. That, is yet another story, and I will tell it, too, one day.
Mostly, matters went smoothly. Some organisations were better than others. Some … were bad. One was very bad. When I called my electricity supplier to request a name change, the call handler took exception. Very quickly, the call descended into him making some very nasty comments about “you people” (I think he meant trans people). It ended with my saying I would call back and complain about his attitude.
Very quickly, the call descended into him making some very nasty comments about “you people” (I think he meant trans people).
So far, so Karen. But it did not stop there. This individual then took it upon himself to use my personal data to follow up and leave nasty commentary on my personal blog. Stuff was said that left me and my partner genuinely concerned that some physical nastiness might follow. At best it was online stalking. At worst it was worse than that.
I contacted the electricity supplier and … they could not help. No way to prove it was him and … they’d already investigated. Yes, dear reader: they applied the time-honoured technique of calling him into the office and asking if he’d done it. “No”, he said.
Too bad for him, and the supplier, that my partner was the demon online researcher from Blackpool. She tracked his ip address, tracked him to two or three other blogs where he’d left equally dodgy comments. Most telling, she discovered that the geolocation for that specific IP address was approx. a mile and a half from the offices where this hater worked.
Game, set, and match. To us. We handed the whole nasty mess to the police and then set about having stern words with the company involved.
The Importance of Being GDPR
In hindsight, I realise I took the wrong route. I should have taken the Data Protection road. Today I’d go GDPR. So, what is that? And how does it help trans people.
The General Data Protection Regulation (GDPR) is EU law, in origin. But it is now embedded in UK Law under the Data Protection Act 2018 and is now nattily called UK GDPR with the only change being the European Data Protection Board is now a UK Government Minister. It builds on existing UK law (the Data Protection Act) and sets out some very exacting rules for how organisations should use your data. Not only rules, but stiff penalties, too, for breaching them.
More simply put: your data is as much part of you as your hand, foot or any other body part you care to mention, and no-one is allowed to interfere with your hand, foot, or A N Other body part without your express consent.
There are exceptions, where data collection is “necessary”. For instance, where the police suspect you of committing a crime, they are allowed to process data about you without your consent. That makes sense: because the last thing you want is your local mass murderer or cat poisoner phoning up the police and demanding they delete all the fruits of their investigations to date “because data protection”. Not so businesses.
From The Prisoner: “We want Information”
Your local supermarket, plumber or skateboarding society cannot just go round collecting and processing data on you without your permish. Although — and this is murkier territory — it is allowable for some organisations to make such activity a condition of accepting you as a customer. “You wanna come in, mush? Then give us your name, address and inside leg measurement”.
Thus, every loyalty scheme ever, since Tesco Clubcard*.
Processing? Collecting? Data? Inside Leg Measurement? Perhaps now would be a good time to define some terms.
Personal data is any data relating to an identified or identifiable individual. If you live alone at home, your house address could constitute personal data, since anything recorded about the occupant is about YOU. Collecting relates to capturing that data and holding it on a system: once upon a time, an automated processing system. Nowadays, though, pretty much any system would count. And processing involves processing — natch! — but over and above this, processing must be legal, fair and transparent.
Once more, the clickthru to the Information Commissioner is helpful here.
Your local supermarket, plumber or skateboarding society cannot just go round collecting and processing data on you without your permish.
Here, though, is the issue. If you’ve had this experience too, please drop a line to TransActual.
Damn! More Recent Insult
First thing I got when I called was a message saying my call would be recorded. For “monitoring and training purposes”.
Do I want that to happen? No. (Though the system did not give me the option to say no).
All sorts of reasons, and there is no need for me to give any reason. Although, long story short: in the course of the conversation, I suspected I would be dishing out name, address and phone number: and any recording would include my voice. This is not the most feminine and in many cases, it is a “tell”. It outs me to the organisation as trans before anything else happens.
This, by the way, is what is known as “jigsaw puzzle” data. Not a thing I have disclosed directly. But by putting together two or more bits of data (in this case, my name and my voice) it is possible — likely, even — that the organisation will be able to divine that I am trans. (Check out page 4 of this report from the Information Commissioner).
And transness is not just personal data but “special category” data, because it is sensitive.
You would be right in thinking special category data requires MORE protection.
So, the moment I got past the computerspeak and through to a human individual, I asked them to turn off recording. Couldn’t be done.
Could they assure me they’d delete the recording after? Nope. Could they tell me a bit more about how this recording would be used? Sorry.
This is not good enough. This organisation now has sensitive personal data about me that according to their own message, could well be played out in front of a bunch of spotty faced yoof in the course of a training session. Would any reasonable person agree to that? I doubt it. Yet the official response to date has been pretty shabby.
Time to Blast the Bullies
Right now, I am at the stage of submitting an official complaint to this body’s “Data Protection Officer” — a role they are supposed to maintain and a person who should deal with this matter. We shall see what transpires.
Meanwhile, for everyone else in similar boat, coracle or other mode of marine transport, there are two out-takes.
1. You have rights over your personal data and organisations — espesh public bodies — cannot just go around recording and collecting your personal data without your permission. In this case, permission was explicitly refused — but the way the call system was set up, it was not possible to honour that request
2. If your rights are breached in this way, complain. In the first instance to the Data Protection Officer of the organisation concerned. And if that fails, to the Information Commissioner.
This has been a public service briefing on behalf of TransActual. If it can assist any trans people out there (cis people, too), then it has been a success.
* — I jest. I know that Tesco do not ask for your inside leg measurement. Waitrose**, on the other hand…
* *— Nope. Still jesting
Many thanks to former Data Protection Officer Chrissy Jarvis, who read the above piece for accuracy.