Environment Agency takes phishing rather too literally?

A friend’s application for an angling license reveals may reveal that the Environment Agency is either sloppy with its personal data or is deliberately obfuscating its privacy policies. If government is to build trust in its management of personal information, then these ‘small incidents’ must come to an end.

[Editor’s update: 30 April – Please see comments below for the Environment Agency’s response and note that this entry has now been amended as indicated with strikethrough / italics.]

This particular friend has long taken an interest in privacy. One of the steps he takes to protect his email from abuse is to use one-off email addresses with each organisation he deals with. His domain catches all incoming emails to his main account, but shows the address that was used. That way, if he receives a spam email then he can track down the offending party. Good idea.

It’s an approach that has turned up some interesting results in the past, most notably a phishing email to [email protected] very soon after applying for a road fund license online, which suggests that there are some problems in Newport. But the latest is appears to be a blatant sale or theft of personal information, arising from his application for a rod license, as this email to [email protected] demonstrates:

Glasgow Angling Centre Offers!

Introducing the Hardy Marquis Limited Edition Nite SX10

For years, the Hardy brand has been associated with the finest fishing tackle in the world – a name synonymous with quality and excellence. To celebrate this enviable angling heritage, Hardy & Greys have collaborated with Nite International to produce a unique and Limited Edition timepiece in honour of one of it’s most famous names – the Marquis.

Strictly limited to 500 individually numbered pieces this is an opportunity to purchase a piece of history. The Hardy Marquis SX10 features a Swiss-made movement, solid stainless steel case and elegant, waterproof leather strap. The SX10 follows the Hardy ethos of quality and performance whilst mirroring the classic design of the Marquis reel on the dial.

In line with Hardy’s record of innovation, each watch is fitted with fourteen GTLS (Gaseous Tritium Light Source) self-powered lamps to ensure easy reading in any light condition. At a depth of just 7mm, the Marquis is the world’s thinnest watch to feature this technology.

To pre-order your chosen serial number, please call us on

0141 331 6330 or email:

[email protected]

And so the email continues. It seems very convenient that an angling centre has laid its hands on the Environment Agency’s list of anglers. My friend assures me that he always checks the privacy policies before he uses online services – particularly government ones – so let’s see what the Environment Agency website has to say on the subject of privacy:

Use and disclosure of personal information

We use personal information to deal with licence applications, to monitor compliance with the licence/permit/registration conditions, to process renewals, preventing and investigating breaches of environmental law, for maintaining the relevant public register(s), dealing with complaints, consultations and for providing environmental services and literature.

We may disclose personal data to our consultants, agents and representatives to do these things on our behalf. In addition we may disclose information to other public bodies and other organisations (e.g. Health and Safety Executive Local Authorities, Emergency Services, Defra) for consultation on environmental issues.

Personal information that we are required to put on our public registers may be licensed for re-use to third parties. Personal information that is not on a public register may be also be licensed to third parties, but this will only be where the Data Protection Act 1998 allows. If personal information not on the public register is licensed for marketing purposes this will only be for strictly limited types of marketing and where you have indicated you want this to happen. Personal information may also be shared with parties other than those mentioned above where we are required by law to disclose the information.

I’ve highlighted the relevant lines. Read them again. They’ll only sell their data where the DPA 1998 allows. But the point of the DPA is that is facilitates that interchange of data. You can do pretty much anything you wish so long as you declare your intent at the point of collection, and register accordingly with the Information Commissioner’s Office. So that means they have to obtain consent. What are the consent terms?

Would you like to receive information about fishing? If so tick the appropriate box(es) below.

Coarse / Game

Seems innocent enough, and definitely nothing there about selling your contact details. Then check the additional privacy statement accessed from the online application form:

The information provided by you will be processed by the Environment Agency to deal with your licence application, to monitor compliance with the licence conditions, to provide you with further information about our fishing licence services and activities (including licence renewals), and to provide you with a copy of our national and/or regional fisheries magazines.

We may also process and/or disclose it in connection with the following:

  • carrying out statistical analysis, research and development on environmental issues;

  • investigating possible breaches of environmental law and taking any resulting action;

  • preventing breaches of environmental law;

  • assessing customer service satisfaction and improving our service;

  • responding to requests for information under the Freedom of Information Act 2000 and the Environmental Information Regulations 2004, where the Data Protection Act 1998 allows.

We may pass it on to our agents/representatives to do these things on our behalf.

Hang on – two different privacy statements? Surely that’s a somewhat opaque approach to privacy? What’s the Freedom of Information Act got to do with permitting them to release personal information? And at no point here has the user given consent to their data being sold to angling shops. That means that, if my friend’s data trail is as clear as it seems, either there’s a hidden clause buried elsewhere in the website; or the Environment Agency has ignored its own policies and sold its data anyway; or an insider there has stolen it to order.

This is precisely the sort of small privacy error that compounds the loss of trust in Government’s handling of personal information. Data losses happen, it’s a fact of life. When they’re major, such as the infamous HMRC incident, then something happens about them. But these little incidents often don’t get spotted, and when they do, very little happens to investigate or deal with them. If Government is to rebuild trust and consumer confidence in its information systems, then it has to look after the bits as well as the bytes (apologies for the corny analogy).

So, Environment Agency: care to provide a response?