ICO publishes data protection guidance for BYOD

Photo: chinnian.


The Information Commissioner’s Office (ICO) has recently published guidance for companies to help them avoid potential breaches of data protection laws when encouraging staff to use their personal laptops, tablet computers or smartphones for business purposes, a practice known as ‘bring your own device’ (BYOD).

A recent survey, commissioned by the ICO and carried out by YouGov, revealed that 47% of all UK adults now use their personal smartphone, laptop or tablet computer for work purposes. But fewer than 3 in 10 who do so are provided with guidance on how their devices should be used in this capacity, raising concerns that people may not understand how to look after the personal information accessed and stored on these devices.

The benefits of BYOD include employee satisfaction from being able to use devices of their choice, increased productivity particularly when out of the office and cost saving as a result of the decreased overheads for hardware. However, there are also risks associated with BYOD, one of the key ones being security.

The ICO’s guidance outlines some of the risks which businesses should consider when allowing personal devices to be used for work-related purposes and explains how BYOD can be adopted in a manner that complies with the Data Protection Act 1998 (DPA).

Under the DPA, there are 8 principles of ‘good information handling’. As well as protecting individuals who are the subjects of this information, it imposes obligations upon those processing the information. Of most relevance is the seventh principle of maintaining ‘appropriate technical and organisational measures…[to protect] against accidental loss or destruction of, or damage to, personal data’.

The ICO’s guidance recommends a number of security measures which employers should put in place to avoid breaching their data protection obligations. These include:

  • auditing the types of personal data being processed and the devices used to access that data;
  • denying or restricting access to sensitive data on devices which lack a high level of encryption; and
  • controlling access to data and/or devices using passwords or PIN codes.

The guidance also explains how businesses should have remote locate and wipe facilities in place to maintain the confidentiality of data in the event of loss or theft and should, where possible, avoid the use of public cloud-based sharing and public backup services if the services have not been fully assessed.

Although implementing these controls will not be free of cost, the potential fines and reputational damage which could arise as a result of non-compliance with data protection legislation and the financial benefits of BYOD could far exceed the costs of putting in place appropriate security measures.

As data controllers, employers must ensure that all personal data is processed in accordance with the requirements of the DPA. The ICO’s guidance represents a useful tool for employers currently using or considering BYOD initiatives to ensure that they remain compliant with the DPA.

A copy of the ICO’s guidance is available here.

Twitter Joke Trial: what is a “menacing” communication?


Paul Chambers’ two-and-a-half year battle to clear his name in the “Twitter joke trial” has ended with his acquittal in the Court of Appeal.

The Court of Appeal judgment is already available here. The key basis for the decision is that Paul Chambers’ tweet “lacked menacing character”, as required under s.127(1) Communications Act 2003 (the legislation under which Mr Chambers was prosecuted). Once that was established, there was little need to consider whether Mr Chambers had had a criminal motive in posting the tweet – though it’s pretty clear what the court thought on that issue anyway.

Some key points made in the judgment. First, the court insisted that the 2003 Act is not intended to interfere “with the first of President Roosevelt’s essential freedoms – freedom of speech and expression”:

Satirical, or iconoclastic, or rude comment, the expression of unpopular or unfashionable opinion about serious or trivial matters, banter or humour, even if distasteful to some or painful to those subjected to it should and no doubt will continue at their customary level, quite undiminished by this legislation. (para 28)

If a message tips over from being “distasteful” into being “menacing” then an offence may be committed. However, this raises the question of what constitutes a “menacing” message. In particular, if the message does not “create a sense of apprehension or fear in the person who receives or reads it” then “it is difficult to see how it can sensibly be described as a message of a menacing character”:

So, if the person or persons who receive or read it, or may reasonably be expected to receive, or read it, would brush it aside as a silly joke, or a joke in bad taste, or empty bombastic or ridiculous banter, then it would be a contradiction in terms to describe it as a message of a menacing character. In short, a message which does not create fear or apprehension in those to whom it is communicated, or who may reasonably be expected to see it, falls outside this provision, for the very simple reason that the message lacks menace. (para 30)

In making this assessment, it is necessary to look not only at its “precise terms” and “any inferences to be drawn from its precise terms”, but to look also at “the context in and the means by which the message was sent” (para 31). In the case of Mr Chambers’ tweet, “the language and punctuation are inconsistent with the writer intending it to be or to be taken as a serious warning”.

The court also considered it highly relevant that none of those who first encountered the message – Mr Chambers’ followers on Twitter, those responsible for security at Doncaster airport, South Yorkshire Police – had acted in a way which suggested urgent concern over what Mr Chambers had said. The prosecuting authorities and the previous courts had instead placed too much emphasis on how Mr Chambers’ message might have been understood by hypothetical readers “who might lack reasonable fortitude”.

All this led inevitably to the conclusion that:

on an objective assessment, the decision of the Crown Court that this “tweet” constituted or included a message of a menacing character was not open to it. On this basis, the appeal against conviction must be allowed. (para 34)

What this decision demonstrates is that even a 140-character tweet has to be read in its context – a principle that has also been followed in non-judicial contexts, such as the Advertising Standards Authority’s sponsored tweets decision earlier this year. What matters is not how some hypothetical reader lacking “reasonable fortitude” might read the message, but whether it actually creates “fear or apprehension” in those to whom it is in fact communicated.

In short, the Court of Appeal seems to have drawn a helpful clarifying line between “outspoken” and “menacing”, which hopefully will ensure continuing freedom of expression online while still protecting people from genuinely menacing behaviour.

ASA uses its power to ban a Twitter campaign for the first time

Speaking at the Cannes Lions Festival of Creativity on 19 June, Coca Cola’s most senior marketer Joseph Tripodi called on marketers to take a “leap of faith” and embrace social media as a brand building tool. However, as Nike discovered the very next day, advertising using social media is not free from constraints.

Since 1 March 2011 the Advertising Standards Authority (ASA) has had the power to oversee businesses’ marketing communications on their own websites, as well as on social networking sites and other “non-paid-for” space online, to ensure that they comply with the CAP (Committee of Advertising Practice) Code.

The first major case that forced the ASA to look at advertising on social media came to light earlier this year when it launched an investigation into tweets by celebrities such as Katie Price and Rio Ferdinand promoting Snickers. The campaign involved celebrities posting a string of bizarre tweets ending with “You’re not you when you’re hungry @snickersUk #hungry #spon” and a picture of them holding a Snickers. The ASA ultimately dismissed the complaints against Mars, finding that the inclusion of the #spon hashtag in the final “reveal tweets” made them clearly identifiable as marketing communications.

There has since been a noticeable increase in the number of sponsored tweets or “tweeting for money” and this looks set to continue. However, in the first case of its kind, the ASA has taken action to “ban” a campaign which features them. As part of its “Make it Count” campaign, Nike UK used the personal Twitter account of footballer Wayne Rooney to post the following tweet:

Nike posted a similar tweet on the account (subsequently deleted for unconnected reasons) of Arsenal footballer Jack Wilshere:

Jack Wilshere – “In 2012, I will come back for my club – and be ready for my country. #makeitcount gonike.me/Makeitcount”.

Responding to a complaint that the tweets were not clearly identified as advertising, Nike claimed that both footballers were well known for being sponsored by Nike and argued that Twitter users would not be misled about its relationship with the players. Nike took the view that the presence of the Nike URL and campaign strap line #makeitcount within the body of the tweets indicated that the purpose of the tweets was to direct followers to the Nike website and made it sufficiently clear that the tweets were advertising.

The ASA disagreed, finding that the reference to Nike was not prominent and could be missed, making the tweets not obviously identifiable as advertising and putting them in breach of the CAP Code. The ASA held that as not all Twitter users would know about the players’ sponsorship deals with Nike, the tweets should have featured an indication hashtag, such as #ad or #spon, to make it clear that they were marketing communications.

Just the one complaint?

It is interesting to note that the Nike campaign was banned by the ASA despite only receiving one complaint. To coincide with its 50th anniversary, the ASA has recently released a list of the most complained-about ads of all time.

Top of the list was a TV advert for Kentucky Fried Chicken which aired in 2005 and featured call centre workers singing with their mouths full of food. The ad received a record 1,671 complaints with many people considering that it could encourage bad manners among children. However, despite the record number of complainers, the complaint was not upheld by the ASA, which ruled that the ad was unlikely to change children’s behaviour or undermine parental authority.

The other ads to make the top 10 were:

2. Auction World (2004): Shopping channel – 1,360 complaints – referred to Ofcom

3. Paddy Power (2010): Cat being kicked by blind football player – 1,313 complaints – not upheld

4. The Christian Party (2009): Poster saying “There definitely is a god” – 1,204 complaints – not upheld

5. British Safety Council (1995): Condom advert featuring Pope – 1,192 complaints – upheld

6. Marie Stopes International (2010): TV ad offering sexual and reproductive healthcare advice – 1,088 complaints – not upheld

7. Volkswagen (2008): Depicted an engineer fighting multiple versions of himself – 1,070 complaints – partially upheld

8. Yves St Laurent (2000): Poster of naked reclining Sophie Dahl – 948 complaints – upheld

9. Department of Energy and Climate Change (2010): Press and TV campaign about climate change – 939 complaints – upheld in part

10. Barnardo’s (2008): TV campaign about domestic child abuse – 840 complaints – not upheld.

Olympic advertising divide?

I’ve discussed before, both here and elsewhere, the rules on advertising around Olympic and Paralympic venues later this year.

However, other rules on advertising will have an even more widespread effect, in particular the ban on all forms of “association” of brands with the London Olympics – even if the “association” is done indirectly, through the use of phrases such as “Summer 2012”.

I’ve written an article for the Guardian Media Network on this issue, which is available here: 2012 Olympics: advertisers beware overstepping the line.

Breaching advertising guidelines? You’re not when you’re #spon

A marketing campaign by confectionery giant Mars has been cleared by the Advertising Standards Authority (ASA) in its first investigation involving social networking site Twitter.

The ASA launched its investigation after receiving complaints regarding a chain of bizarre economy and knitting-related tweets sent in January from the official accounts of the footballer Rio Ferdinand and model Katie Price followed by a final Snickers tweet and a photograph.

On January 24 the Manchester United defender tweeted “Really getting into the knitting!!! Helps me relax after high-pressure world of the Premiership”.  In further postings, he added “Can’t wait 2 get home from training and finish that cardigan”; “Just popping out 2 get more wool!!!”; “Cardy finished. Now 4 the matching mittens!!!”

His fifth tweet read “You’re not you when you’re hungry @snickersUk #hungry #spon”.

In Price’s tweets she wrote about subjects such as the eurozone debt crisis, China’s GDP figures and the economic concept of quantitative easing before finally tweeting a picture of herself holding a Snickers bar with the same message as Ferdinand’s: “You’re not you when you’re hungry @snickersUk #hungry #spon”.

In making its decision, the ASA considered two points: (a) whether it should have been stated in the first four ‘teaser’ tweets that they were marketing communications and (b) whether the hashtag “#spon” in the final ‘reveal’ tweet made it clear enough that that tweet was a marketing communication.

Responding to the complaints, Mars said that it had “considered in detail” the extent to which the tweets were marketing communications and believed only the last one needed to be identified. Mars argued consumers could not have been misled into making a purchase by the first four tweets as their meaning only became apparent once the campaign was revealed with the fifth message.

The ASA accepted Mars’ argument that the tweets contained the hashtag “#spon” to indicate sponsored content but it disagreed with Mars that the first four only became marketing communications after the final tweet was posted and stated that all five tweets should be considered to be part of an “orchestrated advertising campaign”.

However, the ASA said the final tweet was clearly highlighted as an advertising campaign and that having seen the final ‘reveal’ tweet consumers would understand that the series of tweets were part of a marketing communication. It held that it was acceptable that the first four tweets were not individually labelled as being part of the overall marketing communication and concluded that the ads did not breach the CAP code.

This investigation highlights the importance of disclosing paid-for promotions in all forms of advertising media including blogs, posts and microblogs like Twitter. Whether this is by using hashtags such as #spon, #paid-promotion or #advert or some other statement, in order to avoid breaching advertising legislation, promoters should ensure that consumers understand when they are reading paid-for promotional content regardless of the media through which that content is being displayed.

Talking Olympic advertising

In a recent post, I discussed the laws prohibiting advertising activity round Olympic venues in the summer.

One of the affected venues is the Ricoh Arena in Coventry, which will be renamed the City of Coventry Stadium for use in Olympic football matches. Shane O’Connor from BBC Radio Coventry & Warwickshire interviewed me at 7.40 this morning to talk about the law behind these advertising restrictions. Here’s a recording of our conversation:


Olympic advertising ban: a pre-emptive ambush?

One of the key measures proposed to protect the interests of sponsors for the 2012 London Olympics and Paralympics is a prohibition on unauthorised advertising, including “ambush advertising”, around Olympic event sites.

The regulations imposing this advertising ban have now been implemented, as The London Olympic Games and Paralympic Games (Advertising and Trading) (England) Regulations 2011, and the LOCOG website has guidance on the regulations and how to comply with them. Crucially, this includes the maps of the “event zones” where advertising will be banned around the time of the Games.

The ban will apply for different periods for each event zone, as listed in Schedule 2 to the regulations, with the longest ban being around the Olympic Park itself: from 23 July to 13 August (for the Olympic Games), and then from 28 August to 9 September (for the Paralympic Games).

Anyone wishing to display advertisements within event zones during the relevant period (including existing traders) will need prior authorisation from LOCOG.

The types of “advertising activity” banned under the regulations are very broad, ranging from conventional billboards and signs to leaflet distributions and even the wearing of “advertising attire”. The thoroughness of the regulations is perhaps best shown by their express application of the ban to:

(i) an advertisement to be displayed on an animal, or

(ii) an apparatus by which an advertisement is displayed to be carried or held by an animal.

The mind boggles.

There is an exemption for people (though not for animals!) wearing clothes which carry advertisements, provided this isn’t part of an ambush marketing campaign, and also for “not-for-profit bodies”.

The regulations have been attacked by both advertisers and campaigners as “draconian” and an assault on freedom of expression. LOCOG, however, argues that the rules will “not only help protect the investment of sponsors”, but are also intended to ensure “a welcoming environment for spectators”.

“Independently safeguarding” children’s websites

The new Independent Safeguarding Authority is attracting a lot of media coverage today, with news stories focusing in particular on compulsory registration for those regularly giving children lifts to social/sports clubs.

However, those operating websites (and other “interactive communication services”) for children should be aware that their activities may also fall within the ISA’s remit when the new regime becomes fully operational in just over a year’s time. The Safeguarding Vulnerable Children Act 2006 (PDF) defines the “regulated activities relating to children” for which ISA-registration is required. These include:

moderating a public electronic interactive communication service which is likely to be used wholly or mainly by children

(see paragraph 2(1) of Part 1 of Schedule 4, on p.67 of the linked PDF).

So if you are operating a website for children, anyone involved in “moderating” that site will need to be registered with the ISA. “Moderating” involves any function relating to:

  • monitoring content;
  • removing or blocking content; or
  • controlling access to, or use of, the service,

for the purposes of protecting children, where the individual concerned either has access to the content involved or contact with users of the service (see paras 2(4) and 2(5), Sch.4 Part 1).

Equivalent provisions apply to those operating websites and other interactive services for vulnerable adults.

Employers who engage people who are not ISA-registered, or who are recorded by the ISA as being barred from working with children or vulnerable adults, could face a £5,000 fine or even imprisonment. The ISA website summarises employers’ obligations in more detail.

Paid employees will need to pay a £64 fee to register with the ISA (registration is free for volunteers). For existing employees, in all likelihood it will be the employers who end up paying these fees. Any barred individual is committing a criminal offence by being engaged in any regulated activity, even as a volunteer.

This new regime is still some way off from coming fully into force. The ISA will start the registration process in July 2010, and the legal requirement on employers to check employees’ status will only come into force in November 2010. However, businesses involved in regulated activities – including children’s websites and interactive services – should be making plans to ensure their staff are registered in a timely fashion next summer.