Just come across this.

http://www.118800.co.uk/index.html

Which I believe will be up and running soon. I was wondering what others particually SilentCallsVictim, NGMsGhost and Dave thinks about this service.

To me I am a bit suspicious.

Reading the faqs, you do a search, they text you a pin to enter on their website, then text you a £1 message, then text the person you want to call with your number asking them to call you back.

Seems ripe for problems.  What if you get the wrong person, or an old or invalid mobile number, or somebody who doesn;t want to be disturbed right then.. or, like me, somebody who doesn't phone back mobiles due to the costs involved!  (I'm on an old tariff where off-network non-landline calls cost me a fortune!)  Then you've been charged a quid for the lookup, and you haven't even got the number so you can try them again later on!


Certainly not a service I'd be using...

I have just seen the set up on the news.   If I want your mobile number, I ring 118800 and give your name and address (I wonder why I do not write to you for it).   The directory contact you and say that a business or person wants your number and you have to give the ok for them to pass it on (I doubt if many are going to do that).   If that works ( and I see that it will not and the number will be given out irrespectively) it should be ok rather like Facebook.


If you give a name and a town (ie do not know the address) I am not sure what happens

There's just been a report on Channel 4 News about this. Apparently they have bought lists of mobile numbers collected from consumers who have put their mobile numbers on forms when applying for goods and services. Those who have not ticked the box opting out of their details being passed on will be included.

So this is in no way a comprehensive database of all mobile numbers and those on it are ones which were provided for marketing purposes. This is some 15 million numbers listed.

The company has spoken to the Information Commissioner's office and they say it's OK. This use of such numbers is not for marketing purposes. What other personal information gets passed around like this for purposes which it was not intended.

I avoid giving my mobile number to any organisation so as to avoid getting junk texts and nuisance calls from organisations. This strengthens my resolve to continue keeping my mobile number private.

I do not _ever_ give my permission to any company that has my details to share this information with any other organisation.

As this company has my personal information there has been a breach of Data Protection.

I contacted the company to have them remove my data which they hold ilegally and they refuse to cease using this data immediately. They will not confirm that they have complied with my request to remove all my mobile numbers.

I have no relationship with this company and they do not have my express or implied consent to hold my information. (I assume this is probably true of millions of other citizens and this needs to be investigated.)


It took over 40 phone calls and 2 hours to get through to talk to someone and then they tell me that they are just sub-contracted to run the service, and they had been briefed that they would be receiving a lot of flak over this.

If they are that confident that the service is useful and commercially viable, why do they use an opt-in policy, instead of buying dodgy lists.

Cheers, Des.

From what I saw on BBC news, the company offering this "service" claimed there was a way to opt out of it - does anyone know what this is?   This just goes to prove my refusal to put my mobile no on forms (seems by my children as probable pananoia I suspect!) is perfectly justified.  Another thought occurred to me, if I am abroad & am sent a text by this lot asking me to call someone (probably someone to whom I do not wish to speak otherwise I would have given them my mobile no) presumably I will be charged for receiving this text.   Also, the number of junk texts will be huge - currently if I receive a text I know it is from someone close & is probably urgent, with this system, it could be anyone.  Does anyone know from whom they have got the mobile nos?  I know that even so-called reputable organisations (eg County Councils) pass on/sell contact details of, for example, school governors, without permission as this happened to a fellow governor of mine, one may have given such organisations a mobile number in good faith, never dreaming that could be abused in such a way.  To me, this is a potential nightmare & how the Information Commissioner can say it isn't a breach of privacy defeats me.

From their FAQs


Can I be ex-directory with 118 800?

You can become ex-directory by texting the letter ‘E’ to 118800 from the mobile phone you want to be made ex-directory or you can call us on 0800 138 6263. Standard network charges apply. The first time 118 800 contacts you you will be sent an SMS reminding you about how to become ex-directory. Please allow up to 4 weeks for your ex-directory request to take effect.

Hmm.... thanks Sherbert but it seems I would have to give them my mobile number which they may not already have & would I trust them to make it ex-directory or would they just add it to their database?   Think I'll wait & see what happens, if I get a text from them, I'll know they've got the no & then can go ex-directory.

Barbara wrote on Jun 11^th, 2009 at 2:31pm:

Hmm.... thanks Sherbert but it seems I would have to give them my mobile number which they may not already have & would I trust them to make it ex-directory or would they just add it to their database?   Think I'll wait & see what happens, if I get a text from them, I'll know they've got the no & then can go ex-directory.

I think it stands to reason that if you text them to go ex-directory and they don't already know the number you're texting from, then even if they add your number to their database they still don't know who you are, so it'd be impossible for them to give it out on an enquiry.

As a matter of principle I have concerns about this service. The information this company holds was provided for the purposes of marketing products and services to those on the list.

This company is using it to provide a service and profit from others.

Having been invited to comment, I will offer some thoughts, although I have not studied this issue in any depth.

This seems to be an attempt to address the problem caused by the fact that there has never been any proper arrangements for the assembly of a proper directory database of mobile numbers, with proper procedures to cover opting in or out.

Firstly, I address the "privacy" issues raised by this service.

I personally have my name, address and (main landline) telephone number listed in the normal telephone directory. I see no reason why this information should not be publicly available, despite the fact that some banks are content to steal my identity by granting it to anyone who accesses this information.

Being engaged in society I have no problem with the basic fact that I receive unsolicited communications. These are sometimes welcome, even though they are mostly worthless. I am able to apply filtering mechanisms for my convenience and do so. I nonetheless fully respect the right of anyone (individual or corporate) who wishes to opt out from their contact information being available in certain forms.

The ICO (which is not a government body, contrary to the false statement on the 118800 website) enforces regulations designed to protect the right to privacy. Although its enforcement policies are hopelessly weak, as they are based on a consumerist approach, I find its principles of what is acceptable to be generally sound.

As ever, the devil is doubtless in the detail of how the information is collected and used. If I became aware of a problem I would look into this very carefully and take up the issues with the ICO.

Secondly, from the perspective of the service user.

PhonePayPlus is a self-regulatory body. To my mind any such body has an inherent conflict of interest which must make its role as a regulator an alternative to, not a means of implementing, statutory regulation.

Excessive advertising has happily communicated the fact that 118 numbers belong to commercial services, rather than being inclusive with one's telephone service (like printed directories). I would doubt that anyone would contact 118 800 without being aware of the fact that they were entering into a commercial arrangement and so the principle of caveat emptor must apply. Any misrepresentation that is found would be a matter for Ofcom (via PhonePayPlus) or Trading Standards.

A quick response to the concern about a request to be ex-directory causing details to be added. As with the TPS, there is no confirmation of the authority to add the number to the list. An ex-directory request could only be used to add to the directory if the name and address were already held as they do not need to be supplied. Furthermore, one could make such a request for any number. It is however likely that measures are in place to detect mass requests for every number in a range. (When BT started passing on TPS registrations with the launch of its BT Privacy service, there were allegations that it was registering numbers without request, simply to protect its existing customers from being recruited by telephone by its competitors - that was its commercial justification for BT Privacy.)

I hope these comments are of interest to members.

See this link for an alternative analysis http://forums.moneysavingexpert.com/showthread.html?p=22629373#post22629373

Yes, the current regulatory framework is a mess and needs to reflect changes in technology and business models .. but at the heart of all this are individuals and it is their choice what happens to their data ..  this service should be based on  opt-in .. why isn't it - because very few people would opt-in to it.

There is already a national directory database ... as described in the above post.

As for the company behind this .. here are some of their thoughts about UK Mobile operators ..
"Mobile Network Operators are manipulating their privacy obligations in such a way that consumers are not being given the opportunity to choose whether or not have their numbers included in a directory service.”  REALLY - what choice has Connectivity given those it has automatically included in its directory service?

“Ofcom must act now and mandate that MNOs operate privacy friendly policies which are consistent and which provide consumers with a clear and unambiguous choice regarding inclusion in a directory service.”  REALLY? Mobile operators do currently offer choice and it is OPt-IN.

It is clearly time for some regulatory clarity and action

Is it possible for individuals to find out if they are listed without having to incur any charges?

Also, if you request your number be removed, then what happens if it is 'sold' to them in another database? In order not to list your number ever again, they will have to keep your number (on another list).

So, if you don't want to be listed, your data (mobile phone number) must be stored with them. What if you don't want them to have that? They might add your number to the 'directory'.

It's difficult to see how anyone can confirm if they are listed without incurring a charge .. their online service doesn't appear to work that well.

Good point about removing a number and the company buying it again from another source.  Well, everyone has the right under the e_privacy regs or the Data protection act to ask Connectivity to remove their data .. Connectivity has 20 days to say whether it will or not .... interesting issues here. They might argue for example, that it is in their 'legitimate' interests NOT to delete the data and retain it so that they can ensure an individual is not contacted via the service and is made XD.  This is why there needs to be a proper regulatory review of this service!

What is needed is for some people to exercise their 'subject access rights' under Section 7.1 of the Data protection Act and not ask for what is held by Connectivity but also where the company obtained the data from .. this will help get to the root of the problem and assess the legitimacy of how data have been obtained and used

tadg wrote on Jun 20^th, 2009 at 12:53pm:

Good point about removing a number and the company buying it again from another source.

The same issue crops up with companies holding our data in general. You request your address to be removed from a particular company's marketing list.

Does that company retain your address on another list to screen it against future lists of contact details it obtains?


tadg wrote on Jun 20^th, 2009 at 12:53pm:

They might argue for example, that it is in their 'legitimate' interests NOT to delete the data and retain it so that they can ensure an individual is not contacted via the service and is made XD.

Is this allowed for due to the reasons I've highlighted? In this case, would they be limited to storing the mobile telephone number only, with no information as to whose it is?

Just a few small points about going ex-directory by DE-REGISTERING your mobile number with these people.

• If they don't already have your information, they obviously will have even more when you've given it to them.

• They are a commercial enterprise so whatever they do will be financially driven.

• What Guarantees do you have that they won't use pass your information on to others.

• Whatever promises they make now will not be valid should the company later be sold on.

This seems like a very clever SCAM designed to collect people's data with no cost or effort involved. Just start a panic and wait for the flood of idiots volunteering their personal information.

This is the link to their website concerned with removing your details, passed to me by my other half (& numerous concerned followers of the Russell Watson website).

My recommendation is to keep tight hold of your data and if contacted by them to pass your details to anyone, just SayNo and deny everything !!

Keep your mobile number safe  - SayNoTo 118800

Good questions .. the ICO has in the past advised that a company could retain details in order that they suppressed communications/contact with an individual who may have asked the company to stop contacting the (say for marketing purposes).  However, there is a genuine case for say a battered wife/husband to insist that data are removed in order that a stalker/harasser cannot contact them ...... I believe that if the company refused, then a judge might force them to ......

However, this particular business model is fraught with data privacy compliance challenges. For example, and referring to your question about retaining number.  People change their mobile numbers regularly .. they take their business from one mobile company to another .. these companies recycle numbers .. sometimes as quickly as 6 months from an account/number being cancelled by a customer.  How will 118800 know this and keep their records up to date .. they can't and that is why we need a national and comprehensive  directory and directory enquiry service that is fit for purpose and based on transparency and opportunity of choice and control.

I would suggest that people contact the Information Commissioner and pose questions about this service and the basis on which a persons details have been entered and can be removed.

It is clear that the company has not conducted a proper privacy impact analysis

It is hugely important that people understand this is a private mobile enquiry database .... it is not the official OSIS national database and does not and is not entitled to, get information from the national database.

The service has been set up by venture capitalists who have invested £17.5 million the 118800 service ...... its all about profit ..

I agree .. don't give them your data .. instead refer matters to the  ICO, OFCOM and PhonePayPlus

of course .. people could always contact the company's marketing director ..... here's some public data on her including her email address http://www.123people.co.uk/s/shona+forster

DaveM wrote on Jun 20^th, 2009 at 1:59pm:

This seems like a very clever SCAM designed to collect people's data with no cost or effort involved.

On the contrary.  When you 'opt out' online, you merely enter your mobile number.  No name or address or any other details are required.

http://www.118800.co.uk/removeme/remove.html

Whilst I fear that too much concern over the so-called "privacy" issues may serve to confuse and devalue more serious concerns over this topic, I cannot see how the ICO can be alleged to have confirmed that this service is not fundamentally in breach of the existing Privacy regulations.

Regulation 18 of the PECR 2003 states as follows:


Quote:

(1) This regulation applies in relation to a directory of subscribers, whether in printed or electronic form, which is made available to members of the public or a section of the public, including by means of a directory enquiry service. (2) The personal data of an individual subscriber shall not be included in a directory unless that subscriber has, free of charge, been - (a) informed by the collector of the personal data of the purposes of the directory in which his personal data are to be included ...

Use of the 118 prefix is a clear indication that this is a "directory enquiry service". It is also clearly acknowledged that the information was collected for use by specific persons, without any indication of it being used to provide the basis for such a service.

It should also be noted that the text message sent to advise of the enquiry would be a breach of regulation 22.

The problem may arise in the means of enforcement available to the ICO, which are known to be weak. In general it is found that the ICO can only warn of a breach and then take action following complaints. This is an important issue that appears to have been missed in the "Digital Britain" report, which fails to even mention the role of the ICO in consumer protection, whilst it wastes energy on a misplaced concern about the level of penalties available to Ofcom.

I have not been notified of my mobile number being included in this directory, nor have I asked for it to be excluded. Perhaps someone would like to spend a pound trying to contact me on it using information that I am happy to have publicly available. If successful, I would be able to start a complaint.

SCV, you can do a search for yourself on their website, that is how I found out that they did have my data.

I have a case ongoing with the ICO.

Complaint to Phonepay plus was just dismissed as 'not their problem gov' talk to the ICO.

Cheers, Des.

DesG wrote on Jul 1^st, 2009 at 6:23pm:

SCV, you can do a search for yourself on their website, that is how I found out that they did have my data.

Thanks for the tip. I have confirmed that they claim to have my number, however that does not of itself represent a breach of the PECR.

The critical issues are for determination by the Information Commissioner:

1. Is this a "directory enquiry service" and therefore subject to the provisions of regulation 18? Although the information is collected in an unusual way and numbers are not given out, it is referred to as a directory.

2. Does the SMS message sent fall within the definition of unsolicited "direct marketing" and therefore require explicit consent under regulation 22? The definition of "direct marketing" is very broad and must surely include an invitation to participate in a service for which the sender has already earned a fee.

Whilst in both cases the person may have had the opportunity to opt-out from their information being used for contact by specific organisations, a declaration of the purpose for which the information may be used is vital and is unlikely to have covered inclusion in a public directory.

Further to my previous post, I can add some further comments following a conversation with a representative of the ICO.

The ICO has not as yet made any formal determination regarding the compliance of this service with the PECR. It has not however taken any action in respect of a breach.

Compliance with regulation 18 is suggested as being achieved by the fact that no information is given out without consent. There is however a wider issue involved as the regulation seeks to prevent information being held without consent, regardless of what procedures may be in place to prevent it from being revealed without consent. The regulation covers the holding, not the dissemination, of the information.

The vital principle of data protection that is being breached is that information which was provided for one purpose is being used for another. If enforcement of the relevant regulations is not seen to be effective then the whole process collapses, as the ICO is reliant on the public being aware of what is allowed, so that breaches will be reported, so that they can be dealt with.

I am told that the possibility of a breach of regulation 22 has not been considered as it is understood that contact is made only by telephone. Given that directory enquiry services are permitted to market their services (to callers) by calling those registered with the TPS, one may assume that they are compliant with regulation 21. 22 is however different as there is no implied consent by default. Furthermore, a text message that solicits activity involving expenditure in order for the service delivery to be completed is more likely to be regarded as "direct marketing" than a telephone call that does not.

I understand that the ICO is open to representations on these points. I personally see this as a case which requires important issues of principle to be clarified, rather than it representing a nuisance in itself (from the recipients perspective). Whether the service is useful and represents good value for money is a quite separate issue.

Hello, Joe from 118800.co.uk here.

Just to reassure you that we’ll never actually give out anyone’s personal details. When you search on 118800.co.uk, we’ll send an SMS message to the person you’re looking for, giving them your contacts details and it is then up to you if you wish to call them back or not.

In response to the popular belief that there is a deadline to opt out, this is incorrect. The viral email that has been circulating is incorrect in that there is no deadline, users can opt out at any time. Secondly, the belief that the numbers of children will be “given out” is also false. We have no children listed in our directory. All data is checked to ensure the individuals are adults.

Our service on 118 800 and 118800.co.uk was being tested in June. There are now developments we want to make to improve the service for our customers. But due to the high levels of enquiries we are getting, we are simply not able to complete the technical work required whilst the service is live. We are sorry for inconvenience and will be up and running again as soon as possible.

If you have any questions or concerns, please contact us using the feedback form on our site.

Thanks,

Joe
118800.co.uk

Following the previous post, I have a query.   If you have my details & someone wishes to contact me, you will send me a text, if I understand correctly.  However, apart from the fact that I have already given my mobile no to anyone I wish to have it (ie if they haven't got it it means I don't want them to have it!), if I am abroad, it will cost me to receive the text you would send and THAT I REALLY RESENT!   Can you tell me how you propose to avoid people incurring costs to receive said unwanted texts while abroad?

118800 wrote on Jul 13^th, 2009 at 2:32pm:

Hello, Joe from 118800.co.uk here. Secondly, the belief that the numbers of children will be “given out” is also false. We have no children listed in our directory. All data is checked to ensure the individuals are adults. Joe 118800.co.uk

So, If a parent gives their child a mobile as a present and it will be registered in the adults name, how can you guarantee that no children are in your directory?

As I have registered my mobile number in the Telephone Preference Service, I would have thought this would be enough to stop your outfit from sending me a SMS requesting my number?

Barbara's point about being abroad is valid and look forward to your reply.

118800 wrote on Jul 13^th, 2009 at 2:32pm:

Hello, Joe from 118800.co.uk here. If you have any questions or concerns, please contact us using the feedback form on our site. Thanks, Joe 118800.co.uk

A bit difficult to do that as your site is down. ::)

118800 wrote on Jul 13^th, 2009 at 2:32pm:

Hello, Joe from 118800.co.uk here. {2} ... we’ll send an SMS message to the person you’re looking for ... {3} ... giving them your contacts details ... {1} ... listed in our directory ...

Thanks to Joe for the helpful post. This clarifies the position in respect of the PECR, as referred to in my earlier posting.

Thank you Joe ...

{1} ... for confirming that the data is held as a "directory" and therefore subject to the provisions of regulation 18. These require that every subscriber included must be informed of its purposes. The posting to this forum may have addressed this requirement in respect of a few, however Joe will need to send out his message more broadly to remain within the law.

{2} ... for confirming that contact is by SMS message and therefore subject to the provisions of regulation 22 - these require explicit consent. For direct marketing contact by telephone a failure to register the number with the Telephone Preference Service or the Corporate Telephone Preference Service is deemed to represent consent under the terms of regulation 21.

{3} ... for confirming that 118800 is not infallible. The purpose of the PECR is to prevent unauthorised information from being held, as procedures covering its release cannot be relied upon to be 100% effective. Joe meant to say "giving you their contact details". We are all liable to make mistakes and for this reason nobody can be trusted to protect unauthorised data.

Silentcallsvictim has provided good analysis of the core data privacy issues - it is important that people refer their complaints to the ICO and to OFCOM.  You may also wish to contact the All Party Parliamentary Interest Group on Privacy and raise it at a cross government level  - http://privacyappg.org.uk/ .There is a need for an urgent review of the regulatory framework and efficacy of the regulators.

Here's another overview:
Ok, the service does NOT give out mobile numbers . ..... The company has provided a facility so people can opt-out and become ex-directory.  It's OK says 118800 the service is privacy friendly ..

So what's wrong with all this?
Well, firstly, this directory enquiry (call completion) service sits outside of the regulatory framework for directories and directory enquiry services in the UK and which falls under the remit of OFCOM. Under that Framework, OFCOM has established a national directory database managed by BT and which is called OSIS. This is the OFFICIAL database and which also contains ex-directory numbers. ALL 118 providers that offer telephone numbers are entitled to access this database under the law/the regulatory framework. Mobile operators are obliged to pass subscriber information to OSIS BUT do so only where a customer has specifically requested that they want an entry in a directory or directory enquiry service - in other words where a customer has expressly opted-in. Both OFCOM and the EU (who were taking legal action against the UK government for failing to give mobile customers the right to an entry in directories) have agreed that entries in directories and directory enquiry services should be based on opt-in consent.

It is a fact that the 118800 service does not fall under any definitions of the above regulatory framework and so is NOT entitled to access OSIS data or receive data from OSIS or the mobile operators.

The 118800 service is a purely private system. Ask yourself why someone should need to become ex-directory in this service if they are already ex-directory in the national OSIS database?  How many times should someone need to opt-out (never because it should be opt-in)

So what else is wrong. Well, firstly lets look at the 15 million names, addresses and numbers obtained from third parties (and which could be the retailer you bought your phone from or some online retailer who you supplied your details to). 2 pieces of law apply here.
(1) Data Protection Act 1998 - the DPA. Under the DPA those collecting your data would have needed to make you aware in a transparent and clear manner of the intention to place your details in a directory service and the purposes of that directory, and allowed you to make and informed decision as to whether you agreed or not .. in other words they needed your consent. (2) Regulation 18 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 applies - the PECRs. Reg 18 states: The personal data of an individual subscriber shall not be included in a directory unless that subscriber has, free of charge, been -
(a) informed by the collector of the personal data of the purposes of the directory in which his personal data are to be included, and (b) given the opportunity to determine whether such of his personal data as are considered relevant by the producer of the directory should be included in the directory. “ This seems quite clear that the party collecting your data should have told you about the 118800 service and given you the clear opportunity to agree - either by an opt-in box or by an opt-out box (depending on whether they published a clear and prominent notice at the time they collected your data). It seems to me that opt-in consent is required for the purposes of this directory.

So what else. Well, the company says you can obtain a copy of information they hold on you pursuant to your rights under Section 7(1) of the DPA. 118800 now charges £5 (but used to charge the maximum £10 fee permitted under the DPA for meeting these access requests). BUT why are they charging people when Reg 18(5) of the PECRs requires directory operators to provide subscribers with the means (free of charge) to verify, correct or withdraw their data at any time - I can find no mention of these rights on the 118800 website. Perhaps the company thinks it doesn't need to if its services sit outside the regulatory framework?

What else? Oh yes. back to the regulatory framework. ALL 118 services are regulated by PhonePayPlus which is an agency of OFCOM the government telecoms and media regulator. PhonePayPlus regulates services by a Code of Practice - the Code. the 118800 service is incompatible with the Code which (a) defines telephone directories as ones that supply phone numbers (b) requires companies providing call completion services to disclose telephone numbers to persons who demand a number and (c) requires that services must not or must not be likely to result in any unreasonable invasion of privacy. As opt-in consent has not been sought from any person in the 118800 directory, it is possible that individuals listed in the directory without their knowledge or agreement will consider contact via the call completion service to amount to an unreasonable invasion of their privacy (especially those who considered they are already ex-directory under the official national OSIS database).  PP+ can exempt 118 providers from compliance with the code but has not done so yet!

ran out of space ....

Given that the company is unable to meet requests to verify, correct or withdraw their data under Regulation 18(5) of the PECRs then you may wish to complain about this to the ICO.

Also be aware that the company captures your calling line identity (CLI) when calling 118800 even when you have specifically withheld your CLI.  It seems that something may have been done to override the requirements of the PECRs and the OFCOM Guidelines on CLI.

Regulation 10 of the PECRs states that for outgoing calls: "The provider of a public electronic communications service shall provide users originating a call by means of that service with a simple means to prevent presentation of the identity of the calling line on the connected line as respects that call." E.g. the 141 facility provided on BT phones.   This CLI restriction cna only be overridden in the case of emergency calls or where a call is subject to an interception warrant -  full stop!

A good read here and towards the bottom are some comments

http://www.theinquirer.net/inquirer/news/1433346/118800-knocked

tadg wrote on Jul 13^th, 2009 at 3:55pm:

It is a fact that the 118800 service does not fall under any definitions of the above regulatory framework and so is NOT entitled to access OSIS data or receive data from OSIS or the mobile operators. The 118800 service is a purely private system. Ask yourself why someone should need to become ex-directory in this service if they are already ex-directory in the national OSIS database?  How many times should someone need to opt-out (never because it should be opt-in)

So if it does not fit the definition of a "directory enquiries" service, then why has it been allowed to operate on a 118xxx number? Does this set a precedent for other non-DQ services to use 118xxx numbers?


tadg wrote on Jul 13^th, 2009 at 3:55pm:

… This seems quite clear that the party collecting your data should have told you about the 118800 service and given you the clear opportunity to agree - either by an opt-in box or by an opt-out box (depending on whether they published a clear and prominent notice at the time they collected your data). It seems to me that opt-in consent is required for the purposes of this directory.

How can you know who collected your data if it is in 118800's database?

Furthermore, how can the company that collected your data from you in the first place be sure that, when it sells the data on, that the company buying it will not be using it for a DQ service? And what about if that company in-turn sells it on?

tadg wrote on Jul 13^th, 2009 at 4:04pm:

...  This CLI restriction can only be overridden in the case of emergency calls or where a call is subject to an interception warrant -  full stop!

Sorry to be picky as we are essentially on the same side, however my nickname gives away some experience in dealing with this very specific matter.

It was indeed widely thought that a warrant was necessary, until I drew the attention of BT and Ofcom to the provisions of regulation 15, which qualifies regulation 10 (there is no "full stop"). This specifies that "a person with a legitimate interest" may see withheld CLI, not only someone holding a warrant. It had been assumed that the only way of establishing such an interest was by obtaining a specific warrant, or being a warranted Police Officer.

In late 2003, I persuaded BT to confirm to Ofcom (early in 2004) the source of traced Silent Calls to me. Clearly Ofcom has a legitimate interest relating to nuisance calls where it is seeking to use its statutory powers under section 128 of the Communications Act. The BT Nuisance Calls Bureau accepted this as a point of principle and adjusted its standing procedures so that traced call data can be passed to Ofcom and the ICO, as well as the Police and Officers of a court, on request. Other NCB could follow the same procedure.

This has no relevance to the position of 118800, however I was troubled on reading the "full stop" with reference to other situations. Nuisance callers who are not committing a criminal act (e.g. Silent Callers not yet subject to an injunction) cannot hide their identity by withholding their CLI.

I am genuinely sorry to find myself being such an anorak on these topics; I hope that this information is helpful.

---

Dave wrote on Jul 14^th, 2009 at 12:58am:

So if it does not fit the definition of a "directory enquiries" service, then why has it been allowed to operate on a 118xxx number?

It seems that different determinations on this point have been made by different bodies.

Clearly it has passed the self-defined criteria of Ofcom and PhonePay Plus to qualify as a directory enquiry service, however, as indicated in my earlier posting, the ICO has apparently not yet seen fit to make a similar determination.

Whilst Ofcom and PhonePay Plus need only consider the rules that they have determined for themselves, the Information Commissioner must have regard to the specific statutory regulations (PECR), which do not permit any exercise of discretion.


I fear, or rather I fear that the ICO fears, that this point may need to be tested in the courts.

The determinations of Ofcom and PhonePay Plus, as well as the self-definition of the service would undoubtedly have a bearing on any proceedings, however they cannot be assumed to compel the result. To make matters worse, it must be remembered that the PECR 2003 is only the UK implementation of the EU Directive 2002/58/EC. The possibility of the matter being decided by the ECJ therefore cannot be dismissed.

Fellow anoraks may wish to refer to article 12 and recitals 38-40 of the Directive on privacy and electronic communications, as they consider the relevant components as implemented in the Privacy and Electronic (EC Directive) Regulations 2003.

---

Dave wrote on Jul 14^th, 2009 at 12:58am:

How can you know who collected your data if it is in 118800's database?

This is easy - you cannot, unless that data can only have come from one source.

I understand that interested parties do keep an eye on these things by deliberately placing fictitious or inaccurate details onto particular lists. When those details are used by someone other than the person to whom it was given then the source is revealed.

Very many years ago, I learned that the BT Phone Book contains some credible but utterly spurious entries, so that illegitimate copying of the published version can be identified.

Thinking of this, I considered always adding a distinct spurious extra initial, flat number or house name to my details, choosing a different one for each occasion. This could assist in ensuring that the source of any mailings would be obvious to me. As my details are published (accurately) in the telephone directory however, this would only be of interest, rather than having any true benefit. Those who seek to protect themselves from all unsolicited communications may wish to consider this.

silentcallsvictim .. yes, we are on the same side :)

I stand corrected .. I failed to mention Reg 15 .... however,  a comms provider would generally only disclose the CLI to the police and not to a victim of malicious calls etc ..... this is done to protect victims from harm when possibly seeking to take action themselves.   I introduced the issue of CLI compliance to demonstrate that neither 118800 or the regulators have conducted a proper assessment of compliance requirements.

Regards Dave's questions. People are entitled to submit a subject access request to Connectivity to ask for details of any recipients to whom their data may have been disclosed, for details of the sources of their data (if readily available) and for a copy of any data held.  The issue here is that 'readily available' is not defined in the DPA. So if Connectivity stated that they did retain information about the source of individual data or that it was held on another system then they may try to claim exemption from disclosure.  If anyone has asked for this and been refused then they should take it up with the ICO.

A directory enquiry facility is one which discloses a telephone number - this is defined in the Communications Act 2003 and the PhonePayPlus Code of practice.   As 118800 does not disclose telephone numbers it is outside of this framework (and hence NOT entitled to receive data from mobile operators or the BT OSIS database - that's why they've bought their data).

It's a mess and the ICO and OFCOM need to act together, responsibly and consistently to deliver real protection and benefits to consumers.

It will also be interesting to see the ICO's take on Connectivity's obligation under Schedule 1 Part II paragraph 1 and 2(b) and which require data controllers such as Connectivity to process data fairly in part by giving individuals specific information about the (a) identity of the data controller (b) the purpose or purposes of the processing and (c) any other information to make the processing fair.  Where personal data are obtained from third parties, a data controller must " ensure so far as practicable that, before the relevant time or as soon as practicable after that time, the data subject has, is provided with, or has made readily available to him, the information specified in sub-paragraph (3) (of schedule 1 Part II).  It will be interesting to see whether Connectivity has claimed any disproportionate effort in meeting this obligation or how else it believes it has met it.

back to silent call victim - I agree that the manner in which the regulators have addressed this issue and the regulatory failings and weaknesses will lead to the matter being referred to the EC - perhaps to Vivien Reding .. if not the ECJ .

meant to say the CEO of Connectivity will be on BBC2 working lunch at 12.30 today!!!

have just come across this which I thought would be of interest.  It's a letter from Phil Jones (assistant Information Commissioner) to the MP John F Spellar concerning the ICO's involvement with Connectivity. It  makes interesting reading but fails to offer the necessary clarity ...  http://tweetmeme.com/bar/110974930

Watched the [url=]Working lunch interview[/url]on the web, and also the [url=]linked report[/url]. What drivel.

There are some very big underlying issues here about the type of society we are becoming. Properly applied, the provisions of the DPA and PECR could help to protect some lasting values, however we are too keen to rush forward into some Brave New World, losing our sense of values.

Perhaps the hiatus in the Connectivity web service (although apparently the telephone service carries on), will give the ICO an opportunity to finish its deliberations and determine that compliance with regulation 15 is required (notwithstanding proper decisions by Ofcom). Writing to everybody in the database to invite them to opt-in will give Connectivity a valuable opportunity to verify the accuracy of its data and ensure that the contacts it is able to make are likely to be welcome, for the sake of its customers.

The simple point for Connectivity in the light of the present publicity is to ask who would wish to pay a pound to use a service that is likely to create annoyance and resentment on the part of those who they are trying to contact.

If Connectivity were smart, it would invite people to register their number for its service and at the same time register the number with the TPS.

Notwithstanding the degree of non-compliance with the TPS, which is significant, but not as great as some may think, I cannot see why most people should not be happy to register with 118800, on the off-chance that someone may have a need to contact them. At the cost of a pound few calls are likely to be frivolous!

(N.B. please let nobody see my recognition of the value of the 118800 service as any endorsement of its present failure to properly comply with the priniples of the PECR.)

I don't think the argument has ever been about the value of the service .. but about ensuring transparency and opportunity of choice and control .... about compliance with law .. about ensuring the law is properly and consistently interpreted and applied by the regulators ...

Data privacy compliance should not prevent the development of new technologies or business models ......

Connectivity grossly underestimated the depth of feeling that mobile users have towards their privacy .. and tried to push the regulatory boundaries too far.

I concur.

It is however only since the banks starting practicising identity theft, by ascribing one's identity to anyone who knew a name address and telephone number and other non-confidential information, that a listing in a telephone directory has become a matter of privacy for the vast majority of the population. What is especially galling about the bamks is their offering a chargeable service for one to to be able to perhaps find out when they have done it.

I understand that the ICO has made three determinations regarding the status of the 118800 service (when it resumes) in respect of the PECR.

• It is a "directory service" within the terms of regulation 18 and the requirement for notification is met by the first contact (by telephone or SMS) in response to an enquiry.
  
  
• A telephone call from "Connectivity" offering immediate connection to an enquirer does not breach regulation 21, even if the number is registered with the TPS or CTPS.
  
  
• A SMS text message from "Connectivity" inviting consent to connection with an enquirer does not breach regulation 22.
  

The ICO is understood to have been persuaded by the fact that this is a "call connection" service which does not reveal telephone numbers, not even to its own agents handling enquiries. The consent to release of information to third parties by the original sources is understood to have been verified rigorously, albeit that the actual purpose for which it would be used could not have been foreseen.

Although it never does this formally, the ICO has effectively authorised the service as it is known to operate. This position was verified by telephone, but it is understood that it would be confirmed in writing and by a statement in response to media enquiries. The ICO does not presently initiate publication of anything about particular cases, other than judgements following formal procedures.

I am very unhappy with some aspects of these determinations and am ready to assist and support those who are perhaps more vigorously concerned in taking the battle forward.

The fact that the mobile number service is currently suspended should provide an opportunity for progress to be made in advance of its resumption.

I would agree with your concerns, it would seem that none of the issues raised has been addressed.   I am particularly concerned about the prospect of receiving unwanted, costly texts while abroad and the fact that it seems the only way to find out if one's number is in their database requires one to reveal the number so if they didn't have it before, they'd have it once you'd checked!   I really do wonder what is the point of rules if those supposed to enforce them just take th e line of least resistance!   (Am having a bad morning with public sector not doing its job & letting people get away with murder!!)

Barbara wrote on Jul 23^rd, 2009 at 10:16am:

.... it seems the only way to find out if one's number is in their database requires one to reveal the number so if they didn't have it before, they'd have it once you'd checked!

I think you can do a search on your own name, when the service resumes, to see if they have it on their database.   As far as I can recall, because it is a while since I did it, you don't need to reveal your number.  

However, if you want to go ex directory, I think it is different

* * *  "I think you can do a search on your own name" * * *


How would they verify that "you", really is "you"?


In that case, anyone could search for anyone, no?

catj wrote on Jul 24^th, 2009 at 8:39pm:

* * *  "I think you can do a search on your own name" * * * How would they verify that "you", really is "you"? In that case, anyone could search for anyone, no?

That's right.   Anyone can search for anyone including themselves, which is what I did.

As I recall, the system responds with a list of people with the name or similar name to the one entered.   Each name had a Town or location associated with it.   You can then choose which one you may wish to contact.   My own name and location were not available.

When you search your name, you put in your name & address and if it they have your number, you follow the instructions.

I tried this with my name and thankfully they did not have my number. I tried a few friends, some had their number on the database and some did not. So I guess it is pretty accurate. You can not get the number without asking the outfit to get in touch with the other person first (texting) and they will have to agree to let them give your number.

Anyway the service is still down and hopefully the 'illness' is terminal!!!

More on this subject here.


http://www.tiscali.co.uk/members/safety-and-security/blog/?p=123

What about a situation where someone is being harrassed by another, maybe an ex? They (the harrasser) phones 118800 and give a name that they know the recipient will accept calls from and hence get to speak to them.

I wonder if the site is now dead. It has been down a long time now. I think it went down on 13th July, seems a long time 'to improve the experience for our customers' after it was running for only a short time.

Dave wrote on Jul 30^th, 2009 at 3:53pm:

What about a situation where someone is being harrassed by another, maybe an ex? They (the harrasser) phones 118800 and give a name that they know the recipient will accept calls from and hence get to speak to them.

The defence will be that this can only happen once for each victim. The victim will obviously go ex-directory immediately afterwards and the perpetrator has not actually got their number.

The need for a proper notification to the person listed in the directory is to prevent that from happening the first time. That is why the regulation exists and that is why it should be applied.

The one catch in the scenario is that the victim must also believe that the alleged caller would be likely to use the service. If offered a call allegedly from a close friend who would have no need of the service, one would probably be suspicious. The essential point stands regardless.

SilentCallsVictim wrote on Jul 30^th, 2009 at 4:43pm:

The one catch in the scenario is that the victim must also believe that the alleged caller would be likely to use the service. If offered a call allegedly from a close friend who would have no need of the service, one would probably be suspicious. The essential point stands regardless.

I see what you mean, but in the call recipient may act, what we would perceive as irrationally.

Supposing a lady gets a call from this service saying that John Smith is trying to contact her and does she wish to accept the call? Aside from the fact that she may know many John Smiths and so may not know which one it is, what if her brother was called John Smith? Of course, her brother has her number and would therefore never need to use 118800 to find it, but she may not think of that and, convinced that it is her brother, accept the call when it is infact from her harrassing ex.

Dave wrote on Jul 30^th, 2009 at 4:56pm:

I see what you mean, but in the call recipient may act, what we would perceive as irrationally.

My only point is that there is no killer argument, to which there is no answer (no matter how weak if can be).

Are we sure that, e.g. in the case that you suggest, the recipient could not ask for more information before deciding whether or not to accept the call, or must they make a decision based simply on a forename and surname?

As I said "the essential point stands regardless"; there could be cases where the orgiinal scenario would lead to unacceptable problems. Do not think however that there will not be answers thrown back, which would reduce an exchange to alternate "what ifs" competiing for which is the most likely.

Proper prior notification, with the option to be removed, must be provided to those listed in a directory such as this. That is what the regulations require; this case has not shown itself to be sufficiently unusal as to make them inappropriate.

I have read the coments with interest because I to feel that a mobile number is personal data and should not be used in this way.

What we must remember is that people such as me and others that make coment on this site are canny and the fact that they use this site says that they are aware of dodgy services.

My point is that in many cases people would accept the call if only out of curiosity, the company would then have the recipients data to do with as they pleased.

There was a representative on Working Lunch in this regard and the marketing company in question stated that it was not in their interest to provide a service to or pass on customers information if the customer did not wish to receive the information. He stated that companies had to pay for this service and they wouldn't have any customers if they sold data of people that requested not to be contacted "WHAT A LOAD OF RUBBISH" marketing companies contact all categories it is in their nature to do so.

If that was the case we wouldn't receive Junk Mail or calls from companies requesting information or trying to sell us something and there wouldn't be any need to regulate the industry in the first place. The trouble is that the regulatory bodies in this country either do not have the teeth or the will to carry out the service they were set up for to regulate the industry.

Baz

Aplogies if I've come late to this subject

After discussion of this on another thread, I've read a bit more, and changed my mind about according to 118800 the benefit on any doubt, which my reply there  implied.

My current view is all doubt is removed, and the company is dirt.

I found Dave Gorman's blog, which starts with an anecdotal story about some students coming upon his phone number by accident, and the excessive number of semi-prank calls he then received, which culminated in him changing his phone number

http://gormano.blogspot.com/2009/07/118-800.html

He then goes on to compare this saga with the prospects of similar sorts of problems arising with numbers obtained  from 118800

But he's not joking, and he found some other important things.

An article in The Register suggests that Connectivity threatened O2 with legal action when O2 refused to give it lists of its customers, O2 saying that only an opt-in approach was appropriate, and the article says that Orange similarly refused

http://www.theregister.co.uk/2009/06/12/connectivity_legal_threats/

Where it gets insidious is this


Quote:

But according to privacy campaigner Simon Davies, who worked as a consultant to Connectivity, the company had calculated that for the business to be viable it would have to use an opt-out consent model.

- and a reply comment on Dave Gorman's blog points to Connectivity's double-dealing comments on an Ofcom questionnaire, in which they try to legalistically argue that they can assume a change of default condition and consent without people having given it


Quote:

Connectivity's response to questions about 118800 in the following document indicates its attitude to, and understanding of, consent. You will be interested in their response to Q4.9 http://www.ofcom.org.uk/consult/condocs/dirinfo/responses/connectivity.pdf Connectivity: In our view, given that the Information Commissioner, who has responsibility for data protection compliance, has indicated that the Privacy Regulations allow individual subscribers to be included in a directory as a default position as long as the choice available to the individual is well explained and there is a clear opportunity to decide otherwise, the “opt out” approach should be preserved for both types of communications services

Oh, that's kind of them, but what efforts did the duplicitous 118800 make to do that explaining to people who were unaware of being imported to their lists? Absolutely bugger all.


To summarise my standing now: the news that 118800 threatened legal action to obtain information from the mobile networks, after those networks had been unable to reassure themselves about 118800's use of their customer data, shows me they have  naked contempt for concepts of privacy and consent as most reasonable people would interpret them.