
Tag: analogies

Tea, sex and data

Comparing consent for processing personal data with consent for sexual activity.

Many laws, professional obligations, contracts and standards make reference to “consent” as a basis or requirement for something to be done. As I’ve mentioned in an earlier post, “consent” is not a tick box or a signature; it is a state of relationship between two (or more) parties.

With this in mind, I’m going to write about something we’re almost all enthusiastic about (sexual activity) and something I’m [also] very enthusiastic about (data protection) in the hope that comparing the two will lead to greater understanding of how to manage consent as a legal basis for processing personal data, while keeping your attention for long enough to explain…

If you haven’t already seen this, it’s an excellent analogy between sexual activity and cups of tea – almost every point made can also be related to processing of data. The main difference here is that a cup of tea is unlikely to have a lasting and damaging effect, whereas both unwanted sexual contact and unfair/unlawful processing of personal data have the potential to cause serious harm to individuals if they occur.*

Before I get into the similarities though, there are two ways in which consent for getting sexy and processing data are totally different.

1. You don’t *have* to get consent for data processing (and shouldn’t try to, if consent is not the appropriate legal basis) but you always need to make sure that your sexual activities are with consenting adults only.

2. Consent for happy fun time can be implied or inferred (carefully). A long-married couple probably don’t need to have a detailed conversation about whether to take advantage of the kids being out that evening – a speculative look in the direction of the bedroom/kitchen/sofa and a twinkle of the eye in response is probably enough to communicate “shall we?” “Yes!” effectively.

No such parallel exists with data processing – either you have an unambiguous and specific response to “can we use your data in this way for this purpose” or you don’t have consent.

Ok, those are the significant differences. So, what are the similarities between consent for sexual activity and consent for data processing?

What it’s for: specifically

Consent is not “one size fits all”: if you consent to A (whether A is a cheeky snog behind the bike sheds, or being profiled on social media in order to be served targeted advertising), that does not mean you have also consented to B (which might be a hand up your shirt – or having your social media data sold to an insurance agency to calculate your risk of having a driving accident). It doesn’t even mean that you have consented to future As (snogs or profiling), especially if those future As might take you by surprise. It certainly doesn’t mean that, having consented to A with one party, anyone else can join in without having to ask permission separately (I’m looking at you, data brokers).

Whether you have it depends on how you get it:

Evidence of consent may be a legal requirement in some scenarios, but that evidence itself is not “consent”, just a record that something was asked for and an affirmation provided.

Obviously, if you have been misled or misinformed as to the activity, not given enough information to make an educated decision or if you don’t really have a choice, then no amount of tickboxes, signatures, “I agree” buttons or recordings will suffice. You have not consented.

Obtaining consent before/during sexual activity doesn’t usually involve either paper or electronic records, although there are apps which purport to fill that……er….niche (I’m in complete agreement with Girl On The Net’s views on these apps, by the way [warning also probably NSFW]). However, asking “would you like me to….” or “how about if we…..” rather than just diving in is the right thing to do and doesn’t have to kill the mood – in fact, that kind of conversation can be quite good fun…..

A positive response is an indication of consent. No response, or a negative response is very very unlikely to be consent. If someone is impaired in some way so they can’t a) understand the decision or b) communicate their decision then they cannot consent. Back off.

Obtaining consent for processing of personal data doesn’t necessarily need to involve tickboxes or signatures, although as evidence of consent is a legal requirement, those are some mechanisms you might want to consider using.

What’s important in both circumstances is that you get consent before you start getting jiggy/processing data.

It doesn’t last forever:

Once you have consent, you can do whatever it is you have obtained agreement to do, for as long as that consent was agreed to last. “Yes” can turn to “No” at any time. If you don’t give the other party the freedom to change their mind, then you don’t have valid consent.

Regret does not retrospectively turn a ‘yes’ into a ‘no’. While many of us may have woken up and thought “Oops” when recalling the night before; this does not invalidate any informed, freely-given consent that was provided at the time. The past cannot be undone, only learned from. Likewise, if I give an advertising agency permission to use my photo, while I can tell them to stop using it later, I can’t make them recall every copy of the image that they published while my consent was in place.

Withdrawal or refusal is not an invitation to try to continue:

No means no. End of. Once someone has withdrawn their consent you must stop doing whatever it was you obtained their agreement to do. Pleading, bullying, coercing, forcing – these are violations of consent and could be very serious, both for you and for the person whose preferences you have ignored. Emotional blackmail to get sex is a favourite tactic of hormone-crazed teenage boys and has (superficial) parallels with companies that send emails to opted-out addresses offering incentives to resubscribe. Teenage boys might not realise that what they are doing is wrong (educate them please, parents!) but companies have no excuse whatsoever.

It doesn’t last forever:

“Yes” now does not mean “yes” to every future occurrence. “But you liked sucking my toes last week” does not mean that person wants to suck your toes right now, or at any time in the future. Put your socks back on. Similarly, asking an organisation to send you info about a specific event you’re interested in doesn’t mean they can send you messages about any other event they run.

It’s important to be clear:

Keep checking that ‘no objection’ has not turned into “no”. Consent must be informed to be valid, so if the other party has forgotten what they agreed to then you may not still have their consent – whether that’s the prospect of getting the silk scarves out, or tracking every location they take their phone to.

Proportionality is advised:

Signed agreements are not necessarily appropriate for either sexual activity or data processing (although they are relatively common in relationships that incorporate the exotic end of sexual activities [warning possibly NSFW] where the potential for miscommunication could have serious ramifications). Likewise, a signed declaration of consent to data processing is probably overkill for the majority of scenarios and is likely to increase both your administrative overhead and the annoyance you’re going to cause to the people whose data you’re wanting to process. However, as with exotic sexual activities, if there is potential for a high impact, especially any kind of harm to the individual from your processing, then it’s likely that you will need to make your consent evidence more stringent and robust. (Note: if the processing is *required* in order to carry out a contract, then you should not be asking for consent in the first place, as it cannot be freely given separately to the contract agreement itself.)

Lastly; don’t be a git:

If you’re looking for ways to evade obtaining proper consent in order to exploit someone then you are a Bad Person. This applies in any context. Even if you don’t see what you’re doing as exploitation, fiddling with either someone’s physical or intangible self has real consequences – it should only happen with care, respect and communication.

So if you are considering processing someone’s personal data, first check the appropriate legal basis. If that’s consent, then ask them for it – being clear about what you want to do and why. Keep a record of their response. Check in with them after a while to make sure it’s still OK. Don’t be sneaky/deceptive/coercive/vague/ask for more than you actually need.

And practice safe sex, mm’kay?

*NB: I am *not* equating data misuse with sexual assault in terms of seriousness! Lives can be ruined by unfair/unlawful/careless data processing (the construction industry blacklist, exposing vulnerable people to their stalkers, medication errors, inaccurate criminal records, credit rating errors….) – these are all Really Bad Things, but nowhere near the horror of being assaulted.

How To Not Be An Arse

(a.k.a the futility of compliance-for-the-sake-of-it programmes)

Imagine there was a law* that says “don’t be an arse to other people” which contains a list of 8 general requirements for avoiding arse-ness, including (among others) “be fair”, “be honest”, “don’t be reckless or negligent” and “don’t deny people their rights”.

Then hundreds of thousands of hours, billions of beer tokens and litres of sweat from the brows of assorted lawyers and auditors later; there were produced a number of standards and frameworks, guidance documents and checklists for helping everyone to ensure that whatever they’re doing, they’re avoiding being an arse.

At which point, everyone’s efforts get directed towards finding some technical way to acquire a clean, shiny glowing halo; ticking all of the boxes on the checklists, generating reams of ‘compliance’ paperwork, churning out Arse Avoidance Policies…….but actually ending up as almost *twice* as much of an arse because despite all of the shouting and scribbling and hymn-singing, what they are actually doing on a day to day basis looks remarkably arse-like (despite being called a “Posterior-Located Seating and Excretion Solution”; not the same thing at all) – since as it turns out, arsing around is lucrative and being well-behaved is not so much.

And then the question is no longer “how do we avoid being arses” or even “what do we need to do to make sure we are not accidentally not arses?” but becomes “what is the bare** minimum we have to do in order not to appear to be arses?”

And that becomes the standard that (nearly) everyone decides to work to, writing long, jargon-filled statements explaining “why we are definitely not arses at all”, insisting that you must all complete a mandatory, dry-as-dust, uninformative half-hour “Anti Arse” e-learning module once a year (and calling it a “training programme” – hah!), hiring armies of lawyers to define the boundaries of “arse” and generally forgetting what it was that the law was trying to achieve in the first place. All of that costs quite a lot of money and – surprise surprise – doesn’t actually fulfill the intent of the law in the first place.

If you have to hide, obfuscate or misdirect from what you are really doing, then it’s quite likely that you are not achieving compliance with the law, no matter how much paperwork you generate or how shiny your halo looks.

It’s quite simple……just don’t be an arse.

 

(*in case you didn’t get it; that would be the Data Protection Act…..)

(**yes I had to get a ‘bare’ reference in there somewhere)
