Cambridge Analytica profiling

Request to:
Cambridge Analytica (data request)
Law used:
Data Protection Act 1998
Status of this request:
Information not held
Summary of Request
Dear Cambridge Analytica, I wish to attract your attention to this article: https://www.dasmagazin.ch/2016/12/03/... This article leaves some questions unanswered, and in particular some uncertainty as to where else Cambridge Analytica might already be working. In light of upcoming elections in Europe, and under the purview of EU Data Protection Directive 95/46/EC and Data Protection Act 1988, I wish to: - know whether your company or any of its processors hold any of my personal data; - know how you classify this data into the different categories recognized by law; - know for what purposes you process this data; - know the legal basis of such processing (if you rely on consent, please be specific on when I might have given consent and how); - know the legal bases of potential transfers of such personal data to the United States, for each vendor; - for each data point, obtain full information as to its source; - get an explanation on the "logic of the processing" of my personal data; - obtain a copy of all my personal data. It is my understanding that you are only allowed to charge for the last of those points, up to a maximum of GBP 10. Please let me know if you will charge a fee for this. I trust that you will do your best to respond to my request as quickly as possible, or that you will, at the very least, respect the delays mandated by law. I particularly wish to attract your attention to the "General provisions relating to offences" articles in the Data Protection Act 1988, as they pertain to liabilities by body corporates, but also the personal liability of any officer in such body.

Messages in this request

From << Name Not Public >>
Subject Cambridge Analytica profiling [#64]
Date Dec. 15, 2016, 4:40 p.m.
To Cambridge Analytica (data request)
Status Awaiting response

Dear Cambridge Analytica, I wish to attract your attention to this article: https://www.dasmagazin.ch/2016/12/03/... This article leaves some questions unanswered, and in particular some uncertainty as to where else Cambridge Analytica might already be working. In light of upcoming elections in Europe, and under the purview of EU Data Protection Directive 95/46/EC and Data Protection Act 1988, I wish to: - know whether your company or any of its processors hold any of my personal data; - know how you classify this data into the different categories recognized by law; - know for what purposes you process this data; - know the legal basis of such processing (if you rely on consent, please be specific on when I might have given consent and how); - know the legal bases of potential transfers of such personal data to the United States, for each vendor; - for each data point, obtain full information as to its source; - get an explanation on the "logic of the processing" of my personal data; - obtain a copy of all my personal data. It is my understanding that you are only allowed to charge for the last of those points, up to a maximum of GBP 10. Please let me know if you will charge a fee for this. I trust that you will do your best to respond to my request as quickly as possible, or that you will, at the very least, respect the delays mandated by law. I particularly wish to attract your attention to the "General provisions relating to offences" articles in the Data Protection Act 1988, as they pertain to liabilities by body corporates, but also the personal liability of any officer in such body.
[... Show complete request text] Kind Regards, << Name Not Public >>
  1. 11 months, 1 week agoDec. 15, 2016, 4:40 p.m.: << Name Not Public >> sent a message to Cambridge Analytica (data request).
From Alex Tayler – Cambridge Analytica (data request)
Subject Re: Cambridge Analytica profiling [#64]
Date Dec. 15, 2016, 4:44 p.m.
Status Awaiting response

Dear Sir We noticed your request for data access was made via a third party ( personaldata.io). Protecting the data we hold is of the utmost importance to us, and in line with the guidance issued by the Information Commissioner's Office, we are obligated to confirm the identity of any requester. In particular, we need to verify both the requester's correct postal address and email address. Please could you email me from a personal email account, and confirm your full name, postal address and date of birth? We will then confirm whether or not we hold data on you, and if we do may undertake further identity checks and issue a small fee before proceeding with the request for personal information. Thank you for your cooperation Alex Tayler On 15 December 2016 at 15:40, << Name removed >> << Name removed >> < <<email address> > wrote: > > > Dear Cambridge Analytica, > > I wish to attract your attention to this article: > https://www.dasmagazin.ch/2016/12/03/... > gezeigt-dass-es-die-bombe-gibt/ > > This article leaves some questions unanswered, and in particular some > uncertainty as to where else Cambridge Analytica might already be working. > > In light of upcoming elections in Europe, and under the purview of EU Data > Protection Directive 95/46/EC and Data Protection Act 1988, I wish to: > - know whether your company or any of its processors hold any of my > personal data; > - know how you classify this data into the different categories recognized > by law; > - know for what purposes you process this data; > - know the legal basis of such processing (if you rely on consent, please > be specific on when I might have given consent and how); > - know the legal bases of potential transfers of such personal data to the > United States, for each vendor; > - for each data point, obtain full information as to its source; > - get an explanation on the "logic of the processing" of my personal data; > - obtain a copy of all my personal data. > > It is my understanding that you are only allowed to charge for the last of > those points, up to a maximum of GBP 10. Please let me know if you will > charge a fee for this. > > I trust that you will do your best to respond to my request as quickly as > possible, or that you will, at the very least, respect the delays > mandated by > law. > > I particularly wish to attract your attention to the "General provisions > relating to offences" articles in the Data Protection Act 1988, as they > pertain > to liabilities by body corporates, but also the personal liability of any > officer in such body. > > > > << Name removed >> << Name removed >> > <<email address>> > > Post Address: > << Name removed >> << Name removed >> > << Address removed >> > << Address removed >> > << Address removed >> > << Address removed >> > << Address removed >> > > -- > Legal Note: This mail was sent through a Data Protection Portal. Replies > might be published automatically. > > > > >
-- Dr Alex Tayler Chief Data Officer Direct: +44(0)20 3757 4942 Mobile: +44(0)7511 943 900 <<email address>> *SCL Group* 55 New Oxford Street London, WC1A 1BS Phone: +44 (0)20 3828 7504 http://sclgroup.cc
  1. 11 months, 1 week agoDec. 15, 2016, 4:44 p.m.: Received an email from Cambridge Analytica (data request).
From << Name Not Public >>
Subject Re: Re: Cambridge Analytica profiling [#64]
Date Dec. 16, 2016, 8:33 a.m.
To Cambridge Analytica (data request)

Dear Alex, I have trouble making sense of your request. To communicate with you I am using an email address generated by PersonalData.IO. The situation is not that different than what would happen if I had used gmail.com (say) or another service. In fact, it is safer for me since most likely anything you send to a gmail.com address would then be mined to show me "relevant ads". I like PersonalData.IO's privacy policy better than gmail's. The guidance from the ICO requires that data controllers make sure of the identity of the requester prior to responding. They don't require that the requester authenticate through a series of attributes that are fairly irrelevant to this request (my understanding is that Cambridge Analytica does not use email addresses as primary identifiers). In addition, the guidance of the ICO fully authorizes requests made through third-party websites, and the interface between PersonalData.IO and Cambridge Analytica is, as I understand it, email. Cambridge Analytica seems to be overstepping in mandating a specific email provider behind this interface. Overall your requirements seem misguided in that they are confused in their goals. My summary of the ICO guidance is that it recognizes some need for the data controllers to impose some rules on the interface of communication (both for the request and the response), but simultaneously limits what the controller can mandate. It also imposes some very high obligation on the data controller to make sure of the identity of the requester. You seem to be hoping to certify my identity by mandating the channel of communication (i.e. beyond interface). If you think about it, that's the wrong way to approach the problem. Now for certifying my identity, I can suggest to use either a scan of my ID (as linked below), my Estonian e-ID, my Belgian electronic ID or finally some coded message (mandated by you) on my keybase.io account. Sincerely yours << Name removed >> << Name removed >> Request Number: 64 Reply To: <<email address>> Post Address: << Name removed >> << Name removed >> << Address removed >>
-- Legal Note: This mail was sent through a Data Protection Portal. Replies might be published automatically.
  1. 11 months agoDec. 16, 2016, 8:33 a.m.: << Name Not Public >> sent a message to Cambridge Analytica (data request).
From Alex Tayler – Cambridge Analytica (data request)
Subject Re: Re: Cambridge Analytica profiling [#64]
Date Dec. 17, 2016, 11:46 a.m.
Status Awaiting response

Dear << Name removed >> personaldata.io posts our correspondence to a public forum ( http://www.personaldata.io/request/ca...), and thus we do not consider it an appropriate medium for transmitting private information. Please could you email me from a private email account, and confirm your full name, postal address and date of birth? We will then confirm whether or not we hold data on you, and if we do may undertake further identity checks and issue a small fee before proceeding with the request for personal information. Thank you for your cooperation Alex Tayler On 16 December 2016 at 07:33, << Name removed >> << Name removed >> < <<email address> > wrote: > Dear Alex, > > I have trouble making sense of your request. > > To communicate with you I am using an email address generated by > PersonalData.IO. The situation is not that different than what would > happen if I had > used gmail.com (say) or another service. In fact, it is safer for me > since > most likely anything you send to a gmail.com address would then be mined > to > show me "relevant ads". I like PersonalData.IO's privacy policy better > than > gmail's. > The guidance from the ICO requires that data controllers make sure of the > identity of the requester prior to responding. They don't require that the > requester authenticate through a series of attributes that are fairly > irrelevant to this request (my understanding is that Cambridge Analytica > does not use > email addresses as primary identifiers). > In addition, the guidance of the ICO fully authorizes requests made through > third-party websites, and the interface between PersonalData.IO and > Cambridge Analytica is, as I understand it, email. Cambridge Analytica > seems to be > overstepping in mandating a specific email provider behind this interface. > > Overall your requirements seem misguided in that they are confused in their > goals. My summary of the ICO guidance is that it recognizes some need for > the data controllers to impose some rules on the interface of > communication > (both for the request and the response), but simultaneously limits what > the > controller can mandate. It also imposes some very high obligation on the > data > controller to make sure of the identity of the requester. You seem to be > hoping to certify my identity by mandating the channel of communication > (i.e. > beyond interface). If you think about it, that's the wrong way to approach > the problem. > > Now for certifying my identity, I can suggest to use either a scan of my ID > (as linked below), my Estonian e-ID, my Belgian electronic ID or finally > some coded message (mandated by you) on my keybase.io account. > > Sincerely yours > << Name removed >> << Name removed >> > > Request Number: 64 > Reply To: <<email address>> > > P ost Address: > << Name removed >> << Name removed >> > << Address removed >> > > -- > Legal Note: This mail was sent through a Data Protection Portal. Replies > might be published automatically. > > > > > >
-- Dr Alex Tayler Chief Data Officer Direct: +44(0)20 3757 4942 Mobile: +44(0)7511 943 900 <<email address>> *SCL Group* 55 New Oxford Street London, WC1A 1BS Phone: +44 (0)20 3828 7504 http://sclgroup.cc
  1. 11 months agoDec. 17, 2016, 11:46 a.m.: Received an email from Cambridge Analytica (data request).
From << Name Not Public >>
Subject Re: Re: Re: Cambridge Analytica profiling [#64]
Date Dec. 17, 2016, 9:21 p.m.
To Cambridge Analytica (data request)

Dear Alex Tayler, Indeed, the text of our communication so far has been posted on a public forum, and that was done with my full consent. Cambridge Analytica has no say in what I decide to do once your communication has arrived to me. If you disagree, please point me to the legal basis or at worst the administrative guidance that would make this channel inappropriate against my own wishes. Be advised that I will be offered the option to review any attachment that you include in a reply prior to posting it, so you might consider using this option to include the substance of your response. If you don't, that's fine for me too. You, Alex Tayler, might personally have some say regarding your own privacy, in the matter of posting your name online. However I note that you are now a public person, having appeared several times in public and on mass media in your official capacity as a representative of Cambridge Analytica. If somehow you do not want to have your name associated with this exchange, please let me know and I would graciously "black it out". Sincerely yours << Name removed >> << Name removed >> Request Number: 64 Reply To: <<email address>> P ost Address: << Name removed >> << Name removed >> << Address removed >>
-- Legal Note: This mail was sent through a Data Protection Portal. Replies might be published automatically.
  1. 11 months agoDec. 17, 2016, 9:21 p.m.: << Name Not Public >> sent a message to Cambridge Analytica (data request).
From << Name Not Public >>
Subject Re: Re: Re: Re: Cambridge Analytica profiling [#64]
Date Dec. 18, 2016, 12:01 a.m.
To Cambridge Analytica (data request)

Dear Alex Tayler, I wish to add, in order to assess Cambridge Analytica's compliance with existing data protection regulations, that my records indicate my original request was sent December 4th 2016. After a while Cambridge Analytica asked me to send a new request to a different address, but I do not think this should impact the original deadline. Sincerely yours << Name removed >> << Name removed >> Request Number: 64 Reply To: <<email address>> P ost Address: << Name removed >> << Name removed >> << Address removed >>
-- Legal Note: This mail was sent through a Data Protection Portal. Replies might be published automatically.
  1. 11 months agoDec. 18, 2016, 12:01 a.m.: << Name Not Public >> sent a message to Cambridge Analytica (data request).
From Alex Tayler – Cambridge Analytica (data request)
Subject Re: Re: Re: Cambridge Analytica profiling [#64]
Date Dec. 19, 2016, 5:02 p.m.
Status Request resolved

Dear << Name removed >> Thank you for confirming your identity. From the information you have provided I can confirm that Cambridge Analytica does not hold any data on you. Alex On 17 December 2016 at 20:21, << Name removed >> << Name removed >> < <<email address> > wrote: > Dear Alex Tayler, > > Indeed, the text of our communication so far has been posted on a public > forum, and that was done with my full consent. Cambridge Analytica has no > say > in what I decide to do once your communication has arrived to me. If you > disagree, please point me to the legal basis or at worst the > administrative > guidance that would make this channel inappropriate against my own wishes. > > Be advised that I will be offered the option to review any attachment that > you include in a reply prior to posting it, so you might consider using > this > option to include the substance of your response. If you don't, that's > fine > for me too. > > You, Alex Tayler, might personally have some say regarding your own > privacy, > in the matter of posting your name online. However I note that you are now > a public person, having appeared several times in public and on mass media > in your official capacity as a representative of Cambridge Analytica. If > somehow you do not want to have your name associated with this exchange, > please > let me know and I would graciously "black it out". > > Sincerely yours > << Name removed >> << Name removed >> > > Request Number: 64 > Reply To: <<email address>> > > P ost Address: > << Name removed >> << Name removed >> > << Address removed >> > > -- > Legal Note: This mail was sent through a Data Protection Portal. Replies > might be published automatically. > > > > > >
-- Dr Alex Tayler Chief Data Officer Direct: +44(0)20 3757 4942 Mobile: +44(0)7511 943 900 <<email address>> *SCL Group* 55 New Oxford Street London, WC1A 1BS Phone: +44 (0)20 3828 7504 http://sclgroup.cc
  1. 11 months agoDec. 19, 2016, 5:02 p.m.: Received an email from Cambridge Analytica (data request).
  2. 11 months agoDec. 19, 2016, 8:21 p.m.: << Name Not Public >> set status to 'Information not held'.
From << Name Not Public >>
Subject Re: Re: Re: Re: Cambridge Analytica profiling [#64]
Date Dec. 20, 2016, 3:51 p.m.
To Cambridge Analytica (data request)

Thank you for your response. Would SCL Elections or other companies in the group require separate requests? Sincerely yours << Address removed >> Request Number: 64 Reply To: <<email address>> Post Address: << Address removed >> << Address removed >>
-- Legal Note: This mail was sent through a Data Protection Portal. Replies might be published automatically.
  1. 11 months agoDec. 20, 2016, 3:51 p.m.: << Name Not Public >> sent a message to Cambridge Analytica (data request).