The Digital Catapult Really Screwing up Trust about Personal Data

Executive Summary

In publishing a report about how organisations need to build trust with the public about the storage and use of their Personal Data, the Digital Catapult has done almost all the classic things to undermine that trust.
And they even missed a great opportunity – the research suggests that if an organisation does screw up, and then comes clean and corrects things, it ends up with a higher level of trust than if they hadn’t screwed up in the first place.
But they didn’t.

Now read on if you wish…

Wendy tweeted about a new report:

Wendy Hall ‏@DameWendyDBE 1d1 day ago
#PDTReview has been launched today by @DigiCatapult! Get the report here: http://bit.ly/SignUpPDTReview

I though it might be interesting, so I followed to find that it was called “TRUST IN PERSONAL DATA: A UK REVIEW”. When I finally got the report, it turned out it says things like “We must build consumer trust or risk future failure” and “Building trust in the use of personal data is the responsibility of every digital stakeholder in the UK”.
However, I get ahead of myself: in order to get it, I was required to fill in a short form, giving my names, email, organisation and the organisation type (as mandatory fields).
Like many people (apparently, when I read the report), I choose to be careful about where my personal information goes. And it seemed to me that there was no reason why the Digital Catapult should need more than my email address, even if it did decide that it was not going to make the PDF available for download, but only by personal request over email.
So I tweeted:

Hugh Glaser ‏@hughglaser Jul 29
@DigiCatapult Can I get a copy of #PDTReview without giving you my Personal Data please?

So far, disappointing, but OK.
Now the screw up starts:

Digital Catapult ‏@DigiCatapult Jul 29
@hughglaser Thanks for tweet. We ask anyone wishing to download the report to fill in a few fields so we can get the report to them swiftly.

Yup, “swiftly”!
Good practice to have a prompt response, but I can recognise a classic case of making up an answer, just to get rid of me. πŸ™‚ This is known as flimflam or flannel by support staff. Like “Your database is running slowly because it is the wrong colour, we are repainting for the next release, so it will be better.” (cf http://dilbert.com/strip/1995-11-17)
But actually, this is displaying a lack of respect – the public aren’t fools.
So now I’m hooked!

Hugh Glaser ‏@hughglaser Jul 29
@DigiCatapult Huh? Swiftly?!!! My Organisation? Why not a PDF download link? It smells like you are actually touting to get a DB of people.

Digital Catapult ‏@DigiCatapult Jul 29
@hughglaser For clarity, we are not keeping a DB unless people opt-in. Equally happy to share report with you via non sign in. Please DM.

(Opt-in: There is a tick box on the page that invites people to sign up for a Network.)
But come on! This is more flimflammed flannel. No answer to why the “swiftly”. And why am I typing if it doesn’t get kept. Again, the public aren’t fools. And don’t take me for one. I know you are keeping the data – just own up to it!

Hugh Glaser ‏@hughglaser Jul 29
@DigiCatapult Thanks, may do. But hang on: if I don’t tick the box, you don’t keep anything I type? So why ask? And it says “SIGN UP…”.

Digital Catapult ‏@DigiCatapult Jul 29
@hughglaser Thanks for your feedback Hugh. We’ve amended the page so people can fill in details if they so wish, rather than ‘sign up’.

Classic! I’m not going to fix the bug – I’ll change the documentation – any Software Engineer worth their salt recognises that one. They did change it, so the page says “FILL IN…” instead of “SIGN UP…”.
And what is this “if they so wish” – more noise words of flimflam and flannel – there is no other option I can see.

Hugh Glaser ‏@hughglaser Jul 29
@DigiCatapult Sorry to be a bear with a sore head, but I’m still not making sense of this. What does “if they so wish” mean.

Now, there does seem to be some deeper investigating in order, so I went to the page and gave it my details and got the email with the report – and very interesting reading it is too.
At the same time, I emailed:

To: info@cde.catapult.org.uk
Subject: Personal Data Request
Please can you tell me what personal details you hold about me, as specified in section 1.7 of http://www.digitalcatapultcentre.org.uk/terms/
Thank you.

Within an hour (well done!) I got a lovely response, which I won’t quote because it was in email. But in there it said that they had my name, email, business name and organisation type – exactly the same details that I was being told aren’t being kept!
This needed a private response, I think – although these are really important issues, I had no wish to cause any serious embarrassment on twitter. It was something that the Digital Catapult should get the chance to put right, so it was an email back:

Subject: Re: personal data request
Dear xxxxx,
Many thanks for your swift and detailed response.
I appreciate an organisation that can do this - on the rare occasions I have done asked others, some of them simply fail!
Unfortunately, your response tells me that the person who does your twitter feed has basically lied to me:
Digital Catapult ‏@DigiCatapult 5h5 hours ago @hughglaser For clarity, we are not keeping a DB unless people opt-in. Equally happy to share report with you via non sign in. Please DM.
OK, it may be that the data you have is not in a real β€œDB", but in principle you have a problem here.
I clearly have a problem with your report being used to get personal data about people.
The deep, deep irony is that it is undermining trust in exactly the way the report says should be built up.
How should we resolve this?
Is your twitter feed going to give some honest and clear answers?
Best
Hugh

In the meantime, the next day I had no response to my question on Twitter, so I asked again:

Hugh Glaser ‏@hughglaser 8h8 hours ago
@DigiCatapult What does “if they so wish” mean? Is there another option if they don’t want to?

To which there was a swift response:

Digital Catapult ‏@DigiCatapult Jul 30
@hughglaser Hi Hugh, you can now directly access the review here: http://bit.ly/1DRpjpy

That’s good!
But it isn’t really what we need by now.
Any trust I might have had in the Digital Catapult has been completely undermined.
What went wrong?
Will it go wrong again?
Should I not expect an apology?
Later, I got a response to my email. It was very nice, inviting me to join the network and asking if I wanted my details removed. But it was also rather disappointing, in that it suggested that what were effectively the lies I had been told about the Digital Catapult keeping my Personal Data were because of the limitations of 140 characters in Twitter, and that the DB issue was because it was a different, “marketing” DB.
Oh dear – more flimflam and flannel.
So…

Thanks xxxxx,
Just a quick question before I respond at more length, please:
...
I think blaming the 140 is a bit disingenuous: "For clarity, we are not keeping a DB unless people opt-in.” is pretty unequivocal.
So what is the scope and purpose of the DB that you found my data in?
Best
Hugh

I also sent a message asking what is the scope and purpose of the DB that I am in.

So, coming to an end…
I exchanged a few more email,and then had a chat on the phone.
As best I see it:
The Digital Catapult wants/needs to report to the funding body what interactions they have with companies. So they gather the sort of information above. It is disturbing, because they don’t seem to think that this is “using” the information (it’s not for marketing, in particular). In fact, I am now really rather disturbed that the Digital Catapult, which has just issued a report relating to Personal Data, have significant people who actually don’t understand Data Protection, and the related regulations. We discussed how the Terms and Conditions could be improved to reflect this situation.

I asked for an apology on Twitter for taking me for a fool (at which point it felt like the call had become distinctly frosty πŸ™‚ Or maybe it was because I mentioned I would blog about it.)

Now it is time to leave it – maybe they have learned something!

One lesson – make sure that the person on your twitter feed is technically savvy, or at least understands when they need to get advice.

Some more lessons?
Don’t take the public fools and just fudge things with brush off messages and flimflam, and when you make a mistake, come clean as soon as possible; oh, and apologise for it.
This is serious stuff – it was worth the Digital Catapult spending money to write a report about it!
And perhaps even paying Experian money to gather data, although that isn’t clear.
And, of course, “Oh the Irony!” That this should happen about a report on Trust and Personal Data!

Flattr this!