Summit to hide?

On at least three occasions in the past year, a member of staff from the Information Commissioner’s Office has spoken at conferences organised under the banner of GDPR Conference or GDPR Summit. Garreth Cameron has appeared twice, and Lisa Atkinson was at the latest event on October 9th. Nothing odd about this, you would think – the ICO clearly wants to spread its message (such as it is) to a wide audience, and conferences are a way to do it. They should be wary about showing favouritism and they’re not very good at avoiding it – a certain Assistant Commissioner often appears at a certain training company’s courses, and appearing three times at one company’s commercial events comes close to being an endorsement.

But even if such regular support for a conference would otherwise be justified, in this case, I don’t think it is. It’s not easy to find out from the GDPR Summit website who actually organises the conferences. A little bit of digging suggests that it is a company called Amplified Business Content. Amplified Business Content is also responsible for ‘GDPR Report’, which used to publish articles for free but has now gone to a subscriber model. Having an opaque company structure isn’t compliant with Data Protection because it’s not clear who the Data Controller is. Moreover, some of the material on their website is garbage – they have published quizzes with wrong answers, and harvested information without a privacy policy (though I noticed that after people on Twitter made a fuss of it, they stopped demanding email addresses to get scores on the quiz). Via GDPR Report, the organisation has pumped out reams of vague, badly-written stories including one titled ‘The Data Protection Apocalypse’ that claimed that organisations need consent for all processing – it was so bad that after a morning of criticism via Twitter and other sites, they had to delete it. Worst of all, Amplified Business Content has not notified the ICO under Data Protection – unless they are exempt (which for a conference organisation is hard to believe), this is a criminal offence.

Given that the ICO have given Amplified Business Content so much support, I wondered whether they had done any due diligence on the organisation before agreeing to speak at their events. Under FOI, I asked for the following:

Any information about due diligence carried out by the ICO before accepting invitations to speak at these events, including whether ICO staff checked if the company had a notification, and whether their materials and publications were accurate and reflected the ICO’s approach to the GDPR

Any procedure that requires ICO staff to carry out due diligence before accepting speaking engagements

The answer was that no information was held. The best they could offer was “We apply our speaking engagement policy here when making a decision whether or not to accept a request for a speaker”. Needless to say, the speaking engagement policy does not include any requirement to carry out due diligence. In other words, the fact that Amplified Business Content has not notified and has spread misleading and unhelpful information about a Data Protection apocalypse is irrelevant to Wilmslow. They’re not even expected to check whether the organisation has taken the most basic steps to comply with Data Protection law. This is remarkable, especially at a time when so many dodgy people have flooded into the Data Protection market.

Their answer to the first part of my request was more interesting, and more worrying. I asked for:

All correspondence between the ICO and Amplified Business Content or those purporting to represent GDPR Conference or GDPR Summit or GDPR Summit Europe (or other variations on the theme of GDPR Summit).

I’ve done this before, both with the Privacy Laws and Business Conference (which led to this blog) and True Swift, another organisation for whom the ICO has done several online courses. Both times, the ICO gave me detailed correspondence between themselves and the organisation, which allowed me to see, among other things, Stewart Dresner of PLB complaining that he doesn’t have special access to news about ICO activities. This time, however, the ICO has refused to give me any of the correspondence. The exemption they used is a prohibition on disclosure that applies when organisations supply data to the Commissioner when information “has been obtained by or furnished to the Commissioner under or for the purposes of the Information Acts”. In other words, ICO claims that when arranging their spots at the GDPR events, they were exercising their functions under the Data Protection Act. Needless to say, the refusal doesn’t say which function they were exercising – presumably I am expected to guess. I think the only function that could apply is the duty to promote the following of good practice under Section 51, but the idea that Parliament intended conference arrangements to be secret is a fairly bizarre idea.

Only two possibilities present themselves. The first is that the ICO’s policy is only to release material such as this with the consent of the organisation (which the prohibition allows), so PLB and TrueSwift consented to the disclosure and Amplified Business Content refused, which begs the question of what ABC have to hide. Their internal business arrangements are nobody’s business but theirs, but when dealing with the regulator, they should expect to be more open. I’ve made fun of Dresner following the disclosures, but the emails I received didn’t show him or his company doing anything inappropriate – the only criticism I’ve got is that the ICO should hold all organisations at arm’s length.

The other possibility is that the ICO is being inconsistent. They didn’t use this exemption before, but there is something awkward or embarrassing about their relationship with ABC that they want to cover up. Either way, it isn’t a good look for the transparency regulator to be hiding information about its dealings with a private company. The prohibition allows data controllers and public authorities being investigated for DP and FOI breaches to provide secret business information to the Commissioner with the confidence that it won’t be disclosed. This is entirely justifiable – otherwise, no organisation would ever give the ICO information they had withheld from an FOI or subject access applicant in case the applicant then tried to use FOI or DP to get it from Wilmslow.

This case is very different. The ICO has scant resources, and yet has regularly provided speakers to a commercial company with a spotty approach to Data Protection and is using the prohibition on disclosure to prevent legitimate scrutiny of their relationship. The prohibition does allow disclosures that are ‘necessary in the public interest’ – given ABC’s dissemination of scaremongering articles and possibly illegitimate non-notification, I am convinced that the public interest does support transparency here. Of course, the ICO might argue that if they disclose, this will deter conference organisers and others from approaching them – but who cares? This is far from a core activity for the Commissioner. If you’re not willing to be open in these circumstances, what has anyone involved in this got to hide?

Things To Come

The imminent arrival of the #GDPR, as many have already noted, has resulted in a huge amount of speculation, prediction and scaremongering. Stories of massive fines, a torrent of crippling class action lawsuits, 75000 DPO jobs and the emergence of a new volcano in the fields outside Wilmslow* have all captured our attention. Nevertheless, just when I thought I had heard everything, Lawrence Serewicz proved me wrong.

Mr Serewicz issued, with the certainty of an Old Testament prophet, this astounding claim:

Quick #gdpr prediction. By May 2019 the ICO will have issued more, in terms of number of and amount of, “fines” than in the previous years of the MPN era *combined*.

This might be the wildest prediction anyone has made since the GDPR first dropped from the sky (sidenote: feel free to link me to dafter ones). By my quick and dirty calculation, this would mean GDPR fines in excess of £9million and more than 100 fines between May 2018 and May 2019. This isn’t going to happen. Even in a parallel universe where we had a Commissioner who liked taking action, they couldn’t fire out 100 fines in one year. It is inconceivable.

It is probably fair to say that Mr Serewicz and I do not have a relationship marked by mutual respect or affection, but for once, he has inspired me. The idea of predicting what the first year of GDPR will involve is a brilliant one, and I have decided to have a go.

Below are 12 predictions about the first 12 months of GDPR in the UK. For every one that I get wrong, I will donate £20 to the charity Mind. And here’s where you can join in. Look down the list, and see if you disagree. If you spot a prediction that you think will not come true, let me know – in the comments here, on Twitter, via LinkedIn, or via email. If you are right and I am wrong, I will publicly admit that this was the case on this blog. I will celebrate your perspicacity. But if I am right, and you are wrong, you will donate £20 to a charity of your choosing. You don’t have to do anything else and I will not make fun of you. Nobody makes any money except good causes, but imagine me having to grovel and highlight your superior knowledge in print. If three people say I’m going to get one wrong and I don’t, each one makes their donation, but however many people bet against me, if I am wrong, I just pay one £20 per prediction. I will still praise those who get it right.

I will not be a smart-arse about general comments and reactions on social networking sites – if you want to join in, contact me directly and say you want to take up the charity challenge on one of these predictions.

PREDICTION 1

The total amount of GDPR fines (not including PECR and legacy DPA fines) between May 2018 and May 2019 will be less than the total of all DP CMPs up to today’s date.

Yes, this is half of Mr Serewicz’s prediction. Guess what prediction 2 is?

PREDICTION 2

The total number of GDPR fines (not including PECR and legacy DPA fines) issued between May 2018 and May 2019 will be less than the total number of all DP CMPs up to today’s date.

PREDICTION 3

There will be fewer GDPR fines (not including PECR and legacy DPA fines) between May 2018 and May 2019 than between May 2017 and May 2018.

That’s right – I predict the number of fines will decrease in GDPR’s first year of operation.

PREDICTION 4

There will not be a €20 million or UK equivalent fine before the end of May 2019.

I intend no weasel get-outs – we all know what I mean here. There will not be a maximum possible fine in any circumstances.

PREDICTION 5

There will not be a 4% of annual turnover fine before the end of May 2019.

As above.

PREDICTION 6

Thinking about the lower level of penalty i.e. under Art 83(4), there will not be a €10 million or UK equivalent fine before the end of May 2019.

PREDICTION 7

Thinking about the lower level of penalty i.e. under Art 83(4), there will not be a 2% of annual turnover or UK equivalent fine before the end of May 2019.

PREDICTION 8

No UK public authority will be fined more than £1 million before the end of May 2019.

PREDICTION 9

No UK company will be fined more than £2 million before the end of May 2019.

I want to be wrong on this one as there will be deserving breaches. I don’t think I will be.

PREDICTION 10

No charity will be fined more than £50,000 before the end of May 2019, unless for a security breach.

PREDICTION 11

No GDPR class action case will have been concluded with a total damages payout of more than £1million before the end of May 2019.

PREDICTION 12

Five of the companies registered on Companies House today with ‘GDPR’ in their name, or a company name whose initials spell ‘G D P R’, will no longer be offering Data Protection services in May 2019.

BONUS ROUND

These ones are just for fun, as they cannot be measured:

  • the number of people describing themselves as ‘Certified GDPR Practitioners’ on LinkedIn will be half what it is now
  • nobody will change their profile to say ‘Certified GDPR Practitioner’ on LinkedIn during May 2019
  • the ICO will still be asking for more staff
  • we will all wonder what all the fuss was about

AND FINALLY: do you have a prediction in the style of those above? If you do, let me know what it is. If I get at least five predictions (and a maximum of 10, I’m not made of money), next month, I will write another blog made of reader suggestions. If this comes off, I will say whether I agree with them or not, and if I disagree with them, it’s another £20 to Mind from me for every one that I get wrong. But contributors must promise that if they get it wrong, they will pay the £20.

This will go wrong in one of two ways. It will capture people’s imagination, and I have given myself a shedload of admin. Or nobody will care, and nobody will join in. But we’ve all read a pile of predictions since all this GDPR nonsense started. Let’s have a bit of fun, and raise a little bit of money for charities at the same time.


* In 2017, anything is possible.

The Secret Seven

Last year, I wrote about the fact that Councillor Alex Ganotis, Labour leader of Stockport Council, is also a group manager at the Information Commissioner’s Office. After an FOI request, the ICO admitted that he managed the teams responsible for complaints about political parties and local councils. At the time, I argued that this was an unacceptable conflict of interest, and something had to be done about it.

In May this year, shortly after being elected as Manchester’s new Mayor, Andy Burnham appointed Cllr Ganotis as his Environmental Tsar. You can watch a video of the announcement here, and ponder such fascinating questions as why Burnham’s nose is so red, or why throughout the first two minutes, the camera keeps cutting to a wide shot that captures Ganotis’ uncomfortable facial expressions while Burnham is talking. The announcement piqued my interest. If he was organising a grand summit of environmental worthies, would Cllr Ganotis really have time to work at the ICO? And if so, what effect would the review into political activities that Elizabeth Denham announced have on his role?

I made an FOI request to the ICO for the following information:

1) In 2016, the ICO confirmed to me that Alex Ganotis was manager of the team that dealt with complaints about councils and political parties, despite being Leader of Stockport Council at the time. Can you confirm whether Mr Ganotis is still a member of ICO staff, and if so, what is his current job, and what arrangements have been made to avoid any potential conflict of interest?

2) What is the current ICO policy and process for dealing with political party affiliations and potential conflicts of interest?

3) In August 2016, the Information Commissioner announced in an interview with the BBC’s Martin Rosenbaum that she had ordered a review of the involvement of ICO staff in political activities. I would like to see any report or findings arising out of the review, or other summary of the review and its findings, and details of any actions that were taken as a result of it.

4) I would like to receive all current declarations made by any member of staff of involvement in political activities.

5) What specific measures have been taken in respect of each staff member who has made a declaration to ensure that there is no conflict of interest?

The response made for fascinating reading. For one thing, Cllr Ganotis remains a Group Manager at Wilmslow and although his group no longer deals with political parties, it still covers issues related to all local authorities in the UK except for those in Greater Manchester, Cheshire or Derbyshire. How politicians and others in every council outside the North West feel about complaints about their authorities still being supervised by the Leader of a Labour Council and a close ally of Andy Burnham is hard to judge. They might be thrilled. Maybe the ICO should ask them.

The report I received under item (3) of my request did contain an option to remove Cllr Ganotis from work involving local authorities altogether, but one of the reasons that this option was not recommended was the fact that “it could be seen to question the professionalism of Alex and other members of staff and their ability to apply the law without bias or political influence”. How Cllr Ganotis’ political career could possibly be seen to reflect on other people is beyond me, but it is jarring that a significant factor in the decision to keep him involved in council work might have been the effect on him, rather than the Commissioner’s ability to operate independently. To be blunt, the ICO as a whole is more important.

UPDATE: I have attached the ICO’s report into the conflict of interest here, so readers can judge how objective and balanced it is: Commissioner Information Note – Political Activities.pdf

Unless every team in the ICO handles complaints about local authorities (and, to a lesser extent, government), Cllr Ganotis should have been moved to one that doesn’t. Having decided to pursue a high-profile political career, asking him to make a sacrifice to avoid conflicts of interest and their perception would not be too much. I am surprised that Cllr Ganotis has not requested such a transfer himself. To risk even the perception of influence over decisions about politically-run organisations, and at the same time pursue a high-profile political career, suggests either an enormous amount of faith in one’s ability to compartmentalise, or just old fashioned hubris.

The review identified gaps in the ICO’s Political Activities Policy, with recommended “updates” including a stipulation that staff must avoid party political activities which might impair their ability to perform their duties impartially, a requirement to inform the ICO if their activities or areas of responsibility change, and the scope to remove permission to undertake political activities if an individual’s ICO role or political activity changes. Needless to say, this means that none of this existed before.

The rest of the FOI request suggests a continuing unwillingness to face the issue of political involvement. Including Cllr Ganotis, eight staff members have made declarations of involvement in political activities, but the ICO refused to tell me who the other seven are, or what they do, claiming that the data is sensitive personal data. This is true, but it is not automatically a barrier to disclosure. For one thing, the Secret Seven could be asked for consent, and this is not the only route to disclosure.

There is surely a legitimate interest in knowing whether people working for an independent regulator such as the Commissioner have political affiliations, especially when you consider the ICO’s involvement in political matters. Over the past few years, the ICO has fined Leave.EU, David Lammy MP over his London Mayoral Campaign, the Daily Telegraph for its pro-Tory emails during the 2015 election, and in recent months, they took no action against Virgin Trains following Jeremy Corbyn’s antics in a train vestibule. More importantly, the Commissioner herself announced a formal investigation into the use of data analytics for political purposes with no small amount of fanfare, involving 20 staff. The ICO is knee-deep in politics and transparency over the declared political activities of the staff is in the public interest.

As the data is sensitive personal data, legitimate interests would not be enough; a condition must also be met from Schedule 3 of the Data Protection Act as well. One of the conditions is that the Data Subject has put their sensitive data into the public domain. If, for example, a senior ICO staff member was to mention on their LinkedIn page that they were a Councillor for 9 years, the Campaigns and Communications Officer for an MEP for five years, listed the Liberal Democrats as one of their main interests and was recommended for ‘politics’ and ‘political campaigning’ by dozens of people, I think I can argue that at least this one has manifestly made their political views public. The ICO refusal says “our staff do not have a reasonable expectation that their declarations would be disclosed into the public domain”, but the staff member in question was a candidate for the LibDems in the 2015 General Election, so I humbly suggest that the cat is out of the bag. Either this person is one of the seven, and the ICO’s arguments are false, or they haven’t made a declaration, and the ICO’s claim to me that “the review and policies are sufficient to demonstrate that we avoid conflicts in our work” is nonsense. Again, did they consider this before refusing me?

Every national, local, or internal party election or referendum runs on personal data, and personal data is exploited, analysed, shared, lost, stolen and misused in every single one of them. If you can name a major vote in this decade that hasn’t resulted in a DP snarl-up, you’ve a better memory than me. If there is one word that shines through everything the Commissioner sent me on this topic, last time and this time, it’s complacency. The policies and procedures that existed before and the ones that have replaced them are built on an obvious assumption that a box needs to be ticked. Of course nobody is actually going to do anything untoward, the managers are on top of it, staff will proactively declare any conflicts of interest and besides, we have a procedure. But they thought it was all fine before. If I had not written my blog last summer, Cllr Ganotis would still be responsible for managing complaints involving his council, his party and his opposition.

I don’t think the Commissioner’s Office takes this seriously. I am amazed that Alex Ganotis is still allowed any influence over the ICO’s decisions about local government, regardless of how objective or benign that influence might be. I am appalled that anyone in the ICO’s senior management could think that this is acceptable. Every time the Commissioner acts or doesn’t act on a political issue, do we always need to ask: who was involved? What bias, conscious or unconscious, did they bring to bear? What other interests do they serve? In a world dominated by fake news and internet froth, the ICO’s independence and objectivity should be their highest priority. It isn’t.

Just say no

On Friday December 16th 2016, I had a routine eye test. The optician noticed swelling on the optic discs at the back of my eye, and I was dispatched to the Manchester Eye Hospital to attend their Emergency Eye Clinic. This is basically A&E for eyes, a mix of swollen eyelids, sudden blindness and people who should have just gone to an optician. I arrived at 2.45pm, and fairly quickly, I was put in the ‘people who need to be seen’ pile. However, this meant waiting for the next available doctor, and like any A&E, the wait was long.

At 5.30, having waited in a dull holding area (with the files of other patients unattended and clearly visible), I was seen by a doctor. At this point, I was bored and worried, desperate to go home but desperate to find out what was going on in my head. Swollen discs can mean all sorts of things, you see, but one of the things Google told me that they can mean is Brain Tumour.

The doctor was terrible. He examined my eyes, pulled faces, and asked lots of questions about the medical history of my family without explaining the significance of any of them. In the middle of that barrage of questions was this one: ‘Any history of tumours in your family?’. Of course, having sat there for nearly three hours with only Google Searches That Spell Imminent Death for company, this question fired out of nowhere was just perfect. After the obligatory disappearance act to consult with a more senior doctor, I was told that they wanted to scan my brain in case “God Forbid” there was a tumour in there.

I was shunted back into another holding area, then at around 7pm a very sympathetic nurse inserted a cannula into my arm so that they could put a dye into my bloodstream when scanning me (a process that never actually happened) and explained ‘We’d like to do a CT scan’. She told me where to go, and because I was evidently in a bad place mentally, made clear that if I wanted to go for a walk before the scan, that would be fine. At length (and after it became clear that the people doing the CT scan weren’t actually expecting me), I had the scan. Several hours later, they decided I had high blood pressure and I went home at 10.45pm.

Looking at the whole thing as a Data Protection professional rather than a patient, the thing that leapt out at me at the time was the boxes of paper records left unattended. During the day, the holding area I was sitting in is very busy, with at least one member of staff behind the desk able to prevent access. When I was there on the Friday evening, there were long stretches when I could have got behind the desk and read the files, and nobody would have known. It’s an open question as to whether a patient left alone with unattended medical records is a ‘personal data breach’ that would have to be reported to the Information Commissioner.

In retrospect, there is a more interesting question. Carrying out a CT scan is processing personal data – it involves the creation of a scan of the patient’s brain which is plainly sensitive personal data (under GDPR, special categories data). So, what condition did Manchester Eye Hospital have for processing my personal data, and did they provide me with adequate fair processing?

Here’s the thing: they didn’t have my consent and I suspect they think they did. They probably didn’t have Data Protection Act consent, but they definitely didn’t have GDPR standard consent. I’m sure many readers will disagree. Surely my lying down to have the scan is a “clear affirmative action”, signifying my agreement to the processing?

Well, it’s not that simple. First, there is the lack of fair and transparent processing. I was told why they wanted to do the scan, but I wasn’t told who would get access to it (which in today’s NHS could be Google), how long it would be kept for, what legal basis they were relying on and so on. Even if the DPA doesn’t demand this now, it’s hard to argue that the processing would be fair unless I was told these things. Moreover, without any fair processing, any consent I gave would not be informed and specific.

The second problem is that my consent was not freely given. I was tired after hours of sitting around, I had been given limited information by a doctor with poor communication skills and frankly I was scared that I had a brain tumour. I hadn’t eaten or drunk very much, and my phone was dead so I couldn’t discuss it with anyone else. I do not believe I had the capacity to freely give my consent to have my brain scanned. At no point did anyone say ‘Do you consent to having your brain scanned?’; it was couched in passive language: we would like to do this, and if I didn’t object, my consent was assumed.

Then there is the power imbalance – people like to talk about ‘Our NHS’ as if we all collectively own it, but that’s bullshit. Surrounded – outnumbered – by doctors and nurses who want to do something, it’s hard to say no. Indeed, I am aware of cases where a person who refuses to do what the doctors want has been sectioned. Admittedly, as a white, middle-aged, middle-class man, I’m probably less likely to be subjected to this, but who knows. What would they have done if I had said no?

In this context, recital 43 of the GDPR is worth reading:

consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation

I think the power imbalance between the assembled medical staff and me made it impossible for me to say ‘no’, especially when considering the specifics of the situation. I had gone from a routine eye appointment to a request for a brain scan to find out if I had a brain tumour. My ability to make decisions was fried. A few months later, I got up at 7am on a Sunday to drive to Trafford Hospital where some improbably chirpy technicians did an MRI on my head. That interaction was certainly closer to consent than the CT scan, but strictly speaking, nobody asked my consent. It was a lot better, but by no means the only way in which the NHS processes data.

Since my diagnosis of high blood pressure, I have spent an afternoon in a specialist diagnostic ward in one hospital, had the above MRI in another, had separate MRIs and ultrasound scans on my kidneys, a shedload of blood tests and monthly appointments at my GP. My GP aside (who is excellent at explaining everything), the standard of fair processing in all my interactions with the NHS since last December has been lamentable. I don’t know who gets access to my data, I don’t know what for, and nobody has told me how to find out. There may be a privacy notice somewhere on a website but I don’t know where it is and nobody told me how to find it.

I respect and trust my GP. Every nurse I have met, even those briefly sticking a needle in my arm, has been exemplary. The team at the ARMU at Wythenshawe Hospital are superb, both at medicine and communication (in fact, every experience I have had there has been good). But for all the fact that I can be a troll sometimes, I have never caused as much hostility and frustration as when I give my honest opinion about my experiences in the NHS. People are angry with me if I speak my mind. Criticising the NHS is modern-day blasphemy. I’m only writing this blog now because it looks like my eyes are getting better and I probably haven’t got a brain tumour (although the fact that the hospital lost the brain MRI for several months because of the virus infection in May dents my confidence in this). I worry about pointing out the Eye Hospital’s failings because I do have to go back there. Do I want to be treated by people who know that I have criticised them online? This is the power imbalance in a nutshell.

So what’s my point?

The GDPR is built on an improved model of Data Protection – organisations should be transparent, and wherever possible, subjects should be empowered. One of the most important elements in this relationship is the proper treatment of consent. Ironically, given the number of ill-informed articles claiming that GDPR requires consent for data processing, a significant effect of GDPR should be to reduce reliance on consent. Organisations, especially those like the NHS who purport to rely on it, should be much more honest with people. Sometimes you don’t have a choice at all and a thing is going to happen whether you like it or not (HELLO, ROYAL FREE HOSPITAL). Sometimes, there isn’t a real choice – ask me whether I want you to find out whether I have a brain tumour, and honestly, the answer’s no. Rationally, the answer’s probably, ‘OK then’, but it’s not much of a choice and in my case, the question wasn’t even posed.

The NHS is going to breach the GDPR as much in spirit as in practice if it continues in its dubious mantras of implied consent and ‘no decision about me without me’. The fact that a person doesn’t have to be physically forced into the scanner does not mean that they have consented, especially if they haven’t been told clearly and directly how that data will be used. In many situations throughout the NHS, medical professionals think they have consent, tell each other they have consent and they don’t. There are other options in the GDPR, of course, including a rock-solid legal condition for special categories data for the purposes of medical treatment and diagnosis. But many people in the NHS still think consent is their byword and it really isn’t.

For one thing, secondary uses for analysis and research either have to stop, or a much more open and transparent process has to be developed to contact people directly, either to be transparent or, if that’s the basis that is being relied on, to seek consent. For all my many scans and blood tests since last December, I have to assume that none of them will ever be used for any purpose other than the direct diagnosis and treatment of my condition because I have never been given a hint that anything else will happen. But is that true?

For another, if the NHS is going to get to grips with GDPR philosophically, it has to be much more honest about the flawed nature of the consent it thinks it’s getting. For years, NHS staff have told me on training courses that a patient rolling up their sleeve is evidence of ‘implied consent’ to take blood (and by further implication, process the data that flows from the test). In fact, what they have at best is inferred consent; and with the power imbalance, possibly not even that.

We know for certain that the Information Commissioner will not tackle this issue because they are terrified of challenging such fundamental issues. Elizabeth Denham’s trumpeting of a slapped-wrist undertaking for the Royal Free Hospital’s misuse of 1.6 million people’s personal data was, at least for me, the final nail in the coffin of her credibility. As a friend of mine said, the chief role of each new Commissioner is to make the last one seem better. I am not predicting fines or enforcement of any kind; it won’t happen. But the best thing about the GDPR is its recognition that we are human beings who deserve respect and autonomy. My experience of the NHS in Manchester is far from achieving that.

Actually Asked Questions II

Last year, I wrote a blog asking for questions from fundraising and charity professionals about Data Protection for a guide that I was writing. Despite something of a lull between asking and delivering the guide, those ‘Actually Asked Questions’ were one of the things I thought worked best. It was great to include real questions from real, lovely people.

I am doing it again. This time, the guide I am writing is shorter and more focussed than the charity one, although it is not for charities, but for any data controller. The subject is choosing a company to provide your Data Protection Officer (AKA DPO as a Service). Most organisations that need a DPO will recruit a staff member, and to be honest, that’s what I consider to be the wisest choice. Nevertheless, the GDPR plainly allows data controllers to hire DPOs under contract, and many so-called GDPR experts and companies are offering themselves as DPOs on Demand. I am writing a short practical guide, containing questions and tips for anyone who is thinking of hiring a company to provide DPO as a Service. What should you look for? What should you avoid? How do you spot the cowboys? What questions should you ask?

FULL DISCLOSURE: I am not going to be a DPO for hire, either by myself or via any organisation. I have turned down several organisations already (two in particular who know who they are and that I adore). This is not a way to get you to hire me, although an organisation did have me on the interview panel for their DP officer role recently, and I WOULD SNATCH YOUR HAND OFF TO DO THAT AGAIN.

What I would like to know is this: are there any questions you have about DPOs as a service, or hiring a DPO generally? If possible, I will extend the text to be a general guide to getting a DPO internal or external, but at the moment, I have more material on the external side than the internal side.

Send me a question, send me an issue you’d like to see someone talk about, send me anything you’d like a smart-arse to think about when writing a guide like this. You will not be mentioned in the guide unless you want to be, and the guide will be free to anyone who wants it.

SEND ME YOUR QUESTIONS HERE: tim@2040training.co.uk

DEADLINE: September 30th 2017

If you approve of this endeavour and would like to promote it, please do.