The Information Commissioner has written to TalkTalk with concern and disappointment over its phorm-like network scanning system designed to protect customers from malware on websites which it announced back in July. The system collects every website address that its customers visit and compares these with a known list of blacklisted (bad) and whitelisted (good) sites which it builds by following its customers around the Internet. If a site has not been verified in the last 24hours the system will visit the website after the user has done so.
Although TalkTalk claim that the system will not receive or store any personal information and that it is completely legal, it has raised concern amongst worried customers and critics as to whether their interception of data is within the law.
You will be aware of recent media interest in Talk Talk's trial of a service aimed at blocking malware. This matter has also been brought to my attention by individuals concerned that the service involves the interception of communications and that the trial itself was undertaken without the knowledge of Talk Talk customers whose browsing habits have been tracked.
I should be grateful first of all if you could clarify how the monitoring takes place. While I recognise that the aim of the service is to protect users from websites containing malicious software, it is still important that it does so within the law. In a statement made to The Daily Telegraph, Talk Talk have assured customers that the monitoring process is completely legal. Please provide details of how your analysis demonstrates that the service can operate in compliance with the Data Protection Act 1998 and the Privacy Electronic Communications Regulations.
I am concerned that the trial was undertaken without first informing those affected that it was taking place. You will be aware that compliance with one of the underlying principles of data protection legislation relies on providing individuals with information about how and why their information will be used. You will also be aware that these principles are not suspended simply because the information is being used for the purposes of a trial. I should be grateful if you could inform me as to the reasons why the trial was conducted without first informing customers and in particular how such a trial was in compliance with the relevant legislation.
Finally, and in light of the public reaction to BT's trial of the proposed Webwise [Phorm] service I am disappointed to note that this particular trial was not mentioned to my officials during the latest of our liaison meetings. I appreciate that your analysis may have led to the conclusion that it was not necessary to provide us with this information but we would be in a much better position to respond to the enquiries we have received on this matter if we had the chance to review and discuss the trial with you."Letter from Information Commissioner, Christopher Graham, to TalkTalk
The question therefore lies as to whether the system does store or process personal information. Documentation provided by TalkTalk in response to the above letter from the ICO and following meetings provides a detailed overview of how their system works and in particular how rules such as the Data Protection Act (DPA) and the Privacy and Electronic Communications Regulations (PECR) apply.
Data Protection Act 1998 ("DPA")
The anti-malware system records website URLs alone (and not together with any other information). The website URLs constitute "data" under the DPA. While the data relates to a living individual (as it is an individual who initiates the request to access the website URL), the individual cannot be identified from the data itself nor from the data together with any other information in our possession.
The website URL may by its nature contain information about racial or ethnic origin, political beliefs, religious beliefs or other areas referred to in section 2 DPA. However, as the website URL data does not constitute "personal data" under the DPA, it will not by definition constitute "sensitive personal data".
Pursuant to section 17 of the DPA, both Opal Telecom Limited (the network provider) and TalkTalk Telecom Limited (the primary entity contracting with customers) are registered under the DPA.
Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”)
Under PECR, "traffic data" is defined to include "data relating to the routing, duration or time of a communication". The website URL is traffic data.
Our use of the traffic data is compliant with regulation 7 of PECR. The traffic data, when no longer required for the purpose of the transmission of the communication (i.e. requesting the website URL), is modified such that it ceases to be personal data (under regulation 7(1)(b) or (c)). In fact, the website URL does not require modification as it never becomes personal data. The network records the destination website URL with no reference to the customer who made the request.
The anti-malware service does not store information, or gain access to information stored, in the terminal equipment of a customer. PECR regulation 6 does not accordingly apply.TalkTalk documentation on anti-malware system
The ICO are expected to decide upon whether the system breaches the DPA but will not make rulings on whether it could be deemed that it breaches the RIPA (Regulation of Investigatory Powers Act) due to interception of data. This would likely need to be raised with the Police in a similar way to Phorm which was investigated by the City of London Policy for breaches of RIPA.