Updated: Apr 23, 2020
I received this email the other day, and my immediate thought was "Please tell me it's 1st April..." When I shared it with my colleagues, Dean pointed out their hilarious privacy statement. Yes, please don't share my email with anyone, but here, let me send you my DNA...
In my experience, privacy and security principles are put in place because someone, somewhere, said they must exist. However, the explanation of why is rarely shared. Humans do not work that way.
We cannot simply be told 'do x' and then be expected to not only implement that, but also carry over to all other situations, without first understanding the 'why.'
I'm not here to pick on SpareRoom; it could be a very interesting research project honestly, and maybe they really are doing this with all good intentions. However, I'm not about to send mine in.
Originally I started this post with solely SpareRoom's DNA advert, but then I came across the KeepSafe situation.
I'm not going to get into how inappropriate that blog post was, because I was pretty clear here I believe:
What I am including is their lack of transparency regarding how they process data. See, after seeing the ridiculous post, I decided to read a bit more about who exactly this organisation is.
The first thing I noticed was the 'How We Do It' statement. Take a closer look, notice the difference between the paragraph description, and the bullet points.
What does this mean to me? This right away is a red flag; words are important.
If you state to me that you cannot access my information, that implies it is end-to-end encrypted: you simply do not have access to said information.
If you state you will not access my information, I am aware you are able to, but I make an informed decision on whether I trust you, and I may even limit the content shared on your platform.
By hiding the real wording in a paragraph, and using the bullet points to show "can't access", it's more likely the wording of "can't access" will be read.
Following this, I read the 'Guiding Principles'. Again, it becomes clear that staff can indeed access your data.
As you can clearly see in the screenshot of KeepSafe's Guiding Principles, it does indeed have access to personal information and stored data, such as photos, videos, passwords, etc.
Principle 1: this concerns me quite a lot, because by reading the first section mentioned 'How Do We Do It', it implied this wasn't possible.
Principle 2: this isn't unusual, and from what I can tell, would be in line with GDPR, having a contract between the data subject and the company stating their approval of this collection. However, based on the other pieces, I'm still quite sceptical of what data they deem needed to improve your experience.
Principle 3: again, not unusual. As a colleague of mine always used to say, "Remember, if a product is free, that's because you're the product."
Principle 4: "We only reveal your data for legal or safety issues." I'd be interested to know what their policy is regarding how they make these decisions.
Again, why does this bother me so much? GDPR says you must process data lawfully, transparently, and fairly. KeepSafe, to me, is not following two of the above. As I am not a lawyer and do not work in compliance, I can't really say where they lie on the legal side, but this to me is a complete lack of respect for their consumers.
If the organisation strives to protect those who may not be capable of protecting themselves, I'm all for it, but this organisation must also be open and honest about how that person's data is processed.