As Varsity reported recently, Labour – particularly CULC, its student wing in Cambridge – have kicked up a significant fuss over the unsolicited emails sent to students by Julian Huppert’s campaign, and a complaint has been made to government regulators. But does the claim have any substance or merit?

Whatever the legality of their actions, the Huppert campaign has history in this regard. We were contacted after the initial story by Matthew Grosvenor, the Secretary at the Graduate Union; in the 2013-14 period, Mr Grosvenor received 17 emails from Mr Huppert’s campaign, on subjects as diverse as fracking, the Gaza crisis and the military action against ISIS in Iraq. All of the emails carry Mr Huppert’s name and endorsement at the bottom.

“The earliest one was sent to me on 15 Jan 2013. This was sent to me as president of the Clare Hall MCR,” Mr Grosvenor told me by email. “On 28 April 2014, I received the first really ‘personal’ email addressed as ‘Dear Matthew’.”

“I did not, have not, and will not [be] willing [to] give my details to the Lib Dems,” Mr Grosvenor added. Some weeks later, he made a complaint on an unrelated issue to the Information Commissioner’s Office (ICO), the quango that oversees the enforcement of the Data Protection Act 1998, which is the main statute which governs data privacy in the United Kingdom.

The results of Mr Grosvenor’s complaint were not encouraging. His email address, which included an @cam.ac.uk suffix, was, according to the ICO, a business email address – and unlike personal email addresses, business email addresses can receive unsolicited emails, on an opt-out basis. However, a business email address is defined as a personal email address if it contains the recipient’s name as Mr Grosvenor’s did.

Raven/Hermes IDs, by comparison, contain only initials and a number, and the ICO website does not contain any guidance as to whether initials constitute a name for these purposes.

We asked the ICO about this to see if their guidance had changed since Mr Grosvenor made his complaint, and a spokesperson told us (somewhat unhelpfully) that “we would need to look into the details further” as part of a formal complaint. Specifically: “This would include considering the nature of the email address, any previous contact between the individual and the candidate where they may have given their consent and the measures the sender has in place to ensure their compliance with electronic marketing rules.”

So this brings us back to square one. If an email address consisting of initials, as most Cambridge students’ do, is indeed a personal address, then a party must have consent from recipients (see pages 12–13), and it seems that in this case the Huppert campaign didn’t acquire that consent; if it isn’t, parties are permitted to spam, as long as they provide a method of opting out. For now, the ICO isn’t telling us exactly what the position is, but Varsity will keep you updated as more information becomes available.

There is only one question left. The last time something like this happened was last month, in Bath, where another enthusiastic Liberal Democrat used their access to that university’s email lookup service to provide their local campaign with lots of new recipients. However, the University of Bath in that instance said this was not a breach of their data protection policy.

What about Cambridge? On its website, the Information Compliance Office says: “The Act gives Data Subjects the right to prevent the processing of their data for the purposes of direct marketing. Since the operation of the opt-out provisions must operate across the whole University, on the basis of a single Data Subject opt-out request, it is necessary to maintain a list of all alumni mailing and direct marketing activities. It is essential that you obtain advice from the Development Office before undertaking any fundraising, direct marketing operations or alumni activities.”

Although email addresses do not seem to fall into the definition of “sensitive personal data” that always requires consent, University-held data must be processed in accordance with the eight “Data Protection Principles”, including being “kept in a secure manner”. The processing of that data – which, essentially, means doing anything with it at all – has to be handled in a certain way. It is always possible for subjects to consent to particular processing of their data. In absence of consent, though, one of the other conditions mentioned in Schedule 2 of the Data Protection Act 1998, particularly “legitimate interests” pursued by either the third party (in this case, the Liberal Democrats) or the University itself.

In summary, it’s all rather worryingly vague. We contacted the Information Compliance Office, but so far they have not responded to our request for clarification. It seems entirely likely that either or both of the Huppert campaign and the person who leaked the email addresses has breached the provisions of the Data Protection Act, and the consequences for that can be severe. In absence of firm guidance, though, we can’t be sure. As always, Varsity will keep you informed.

@rtrnicholl

CORRECTION: An earlier version of this article implied incorrectly that Mr Grosvenor's complaint was directly related to the emails he had received from Julian Huppert's campaign. In fact, the complaint was due to a subsequent spam message from a separate organisation. The article has been amended.