Compensation culture

We’ve had years of headlines about Cambridge Analytica and Facebook which have captured the public’s imagination like never before, and generated huge publicity for the Information Commissioner’s Office and their army of blue-jacketed enforcers. Action, on the other hand, has been slightly less forthcoming. No action has been taken against Cambridge Analytica itself – there is the prosecution of SCL Elections over a subject access request made by an American (David Carroll), but if anyone can explain why prosecuting the now defunct company when the best outcome is a fine that will never be paid because it will be buried at the bottom of the pile of creditors, comment below. The ICO issued their first GDPR enforcement notice against AIQ, and it was so clumsy it had to be withdrawn and replaced (it’s astonishing that the ICO’s mishandling of this landmark action has gone virtually unnoticed). There is the famous Facebook fine of course, but that is already under appeal. Given that the Commissioner’s case changed radically from the Notice of Intent (published against all normal ICO practice) to final penalty, I don’t think that the ICO should count any chickens on the outcome.

The other issue haunting the case is a number of legal firms mounting ambitious compensation claims on behalf of those who believe themselves to be affected. Just as I am sceptical about the ICO’s track record, some odd assertions in a story in the Independent about David Carroll’s own attempt to sue Cambridge Analytica make me wonder whether the compensation road will be any less rocky. The claim is happening under the old Data Protection Act, and so Carroll and his solicitors will have to prove some kind of damage. Carroll’s solicitor Ravi Naik from ITN Solicitors is quoted as saying payouts could spiral to as much as £43 billion if only 10% of the possible affected pool of people claimed successfully.

Even if one conservatively uses the lowest end of the range, both in number and value of each claim, and calculates on the basis of 10 per cent of the estimated 87 million affected Facebook users only, with claims of £5,000 each against Cambridge Analytica, that still implies a total potential claim value of £43.5bn

I think his claims are optimistic at best, and at worst, comically exaggerated. Facebook did claim that up to 87 million people’s data may have been affected, but they’ve wavered since – to the extent that the ICO now admit that UK data wasn’t used by Cambridge Analytica in their final penalty on Facebook, despite building their NOI around that very claim. Carroll is claiming between £5000 and £20000, but he won’t get a penny unless he can show evidence of the breach in the first place, and then evidence of the damage. Claiming compensation for non-material damage is tricky. You can’t show something concrete like lost wages or business – the money won’t be awarded just because Carroll says he’s upset or annoyed, and the courts have shown scepticism in the past about claims of damage or distress (look at the Tetrus case that ICO lost on the issue of distress a few years back).

That 87 million number is a maximum, not a certainty, and the UK courts have shown themselves to be unmoved by generic class action claims of damage. Look at Richard Lloyd’s failed claim against Google, where the court said that different people will react to the use of their data in different ways. Perhaps Carroll has made a good case about the harm he says was done to him, but even if he has, that is not to say that all claimants are in the same position. If my data was abused by Facebook, my reaction would be numb resignation at worst. I can’t get outraged about Facebook abusing my data, any more than I can get upset by rain being wet. This is why I don’t use Facebook.

The consensus on LinkedIn seems to be that a possible breach is automatically accompanied by a ringing cash register – but that’s not a safe assumption, backed by any evidence. Lloyd lost his Google claim. Everyone who wrote excited Tweets and LinkedIn posts about the outcome of the recent Morrisons case – where the supermarket was found vicariously liable for a breach committed by an employee – ignored the fact that even if Morrisons lose their planned appeal to the Supreme Court, the issue of how much each claimant gets hasn’t been considered yet. Admittedly, Morrisons is a claim for misuse of private information and breach of confidence, but even so, we haven’t got to the bit about the money yet. The claimants may each get a big payout; they may get bus fare. There hasn’t been a case in the UK where multiple people received a big payout because their personal data was abused.

Naik’s extravagant claims and ambitious maths make for an impressive headline, but it’s speculation. I’m uncomfortable about the idea of tempting people into joining litigation (which is presumably the point of Naik’s claim) using hyped-up numbers in this way. The words sound sensible, and Naik effectively describes his estimate as conservative, but it’s a fantasy. Carroll will lose unless he can persuade the court that a breach occurred, that he experienced damage, and that there is a figure that will compensate him for that harm. We have had a few interesting and successful compensation claims in the past, but the idea that we’re looking at lottery jackpots for DP claimants is, so far, Fake News.


Regulating the FOIA into obscurity?

This is a guest post from the redoubtable John Slater, whose tireless efforts to hold DWP to account are a lesson in how FOI should be used. John has had real success in wrestling information out of a stubborn and secretive system, but the post describes the hurdles in the way of the applicant, and the shameful way in which the ICO makes things worse. It’s not a quick read but there’s a lot to say. I think anyone with an interest in how the benefits system operates, or how healthy the FOI system is at the moment should give it the time it deserves. I’m very grateful to John for writing it and letting me host it.

I suspect that most people reading this have experience of submitting a request for information (“RFI”) under the FOIA and all the frustrations that can come with it. Some people may have complained to the office of the Information Commissioner (“ICO”) while others may have just given up when their RFI was refused. I suspect that a smaller number of people, who had the time, appealed ICO decisions to the First-Tier and Upper Tribunals.

Via my involvement with the FOIA I have been dealing with the ICO for approximately 6 years. My interaction has ranged from normal FOIA complaints through to appeals to the First-Tier and Upper Tribunals.

Setting aside the minor issues one typically experiences with any large organisation, I have to say that my experience of dealing with the ICO has been very positive. Even when a decision notice (“DN”) went against me I could understand why and how that decision was reached. In respect of appeals to the First-Tier and Upper Tribunals I have nothing but praise for the people involved, even when I was appealing an ICO decision.

However, approximately 18 months ago things started to change for the worse. The time taken to respond to complaints seems to be inexorably increasing and the quality of the case work is deteriorating. I’ll use 3 of my current complaints to illustrate the problems that I and others are experiencing on a regular basis.

Case 1 – Universal Credit Programme Board Information Packs

In July 2017 I asked the DWP for the 3 most recent packs of information that were given to the Universal Credit (“UC”) Programme Board members at each monthly meeting. Given how controversial UC is and the history of the DWP being less than honest about it, this seemed to be a good route to try to find out what the senior people responsible for UC actually know and what they are doing about it.

For those not familiar with programme management terminology the programme board consists of senior people who are accountable and responsible for the UC programme, defining the direction of the programme and establishing frameworks to achieve its objectives. So apart from Neil Couling (senior responsible owner) and the secretary of state they are about as senior as it gets. The membership of the programme board can be found here:

https://www.whatdotheyknow.com/request/419990/response/1090823/attach/html/2/3044%20IR%20516%20IR%20604%20reply.pdf.html

Unsurprisingly the DWP refused my RFI on 16 August 2017 citing S.36. However it explained that it needed an extension to carry out the public interest test (“PIT”). On 14 September 2017 the DWP did exactly the same thing. This is a tactic that the DWP uses regularly and often issues monthly PIT extensions until the ICO becomes involved.

I complained to the ICO on 14 September 2017. On 22 November a DN was issued giving the DWP 35 calendar days to issue its response. On 3 January 2018 the DWP finally confirmed that it was engaging S.36 and that the public interest did not favour disclosure (I’ve yet to see a public interest test from the DWP that does favour disclosure). I submitted a revised complaint to the ICO on 9 January 2018 challenging S.36 and the public interest decision.

Despite the 5 month delay by the DWP the ICO bizarrely told me that I still had to exhaust the DWP internal review procedure before my complaint could be investigated. I had submitted 4 internal review requests (“IRR”) during the 5 months that the DWP treated the FOIA with such contempt. I know from previous experience that the DWP would use the same PIT ‘trick’ to delay answering my IRR. I explained this to the ICO and asserted that it has the authority to proceed without me having to submit another IRR. On 30 January the ICO accepted my complaint. I know about this from experience but I assume most people would have followed the ICO instruction and been stuck in another loop of 5 months until the DWP was told to issue its response to the IRR.

On 26 April my case was assigned to a case officer, just 3 months short of a year since I submitted my request to the DWP. Despite the DWP clearly citing S.36 the ICO allowed the DWP to get away with numerous delaying tactics and nothing happened for many months. Despite chasing the ICO on a number of occasions there appeared to be no progress. My patience ran out in October 2018 and I complained to the ICO about this and two other cases. On the face of it this appeared to have got things moving.

However, on 18 October 2018 I was told by the ICO that an information notice had been served on the DWP to obtain copies of the information I had requested. The DWP has 30 days to respond to these notices.

Whilst I’m not surprised by this (in fact I even suggested this was the case in my complaint) I struggle to understand how any organisation can investigate a complaint for almost 6 months without having a copy of the requested information. I can only hope that the DN I have been seeking for so long will appear at some point in 2018!

The delay has been so long that I have actually submitted another request for more current programme board packs. At the time of writing the DWP hasn’t provided a response within 20 days so that’s another complaint that I need to send to the ICO!

Case 2 – Aggregation of various RFIs

Between 4 February and 23 April 2018 the DWP aggregated 9 of my requests for information claiming that they were for the “same or similar” information. Well, what it actually said was:

We consider each of the seven requests to be of a similar nature as they all relate to either decision making or performance delivery of disability assessments on behalf of the Department for Work and Pensions. In particular, all of the requests would be allocated to the same team for response as it falls within their specialised area.

Under Section 12 of the FOI Act the Department is not therefore obliged to comply with your request and we will not be processing it further.

This seems to suggest that the DWP believes the requested information is the same or similar because they relate to activities it carries out and the teams that do them. This is a crude attempt to rely on the discredited concept of ‘overarching themes’ that was attempted in Benson v IC and the Governing Body of Buckinghamshire New University (EA20110016). At [29] the Tribunal stated:

Whilst the Tribunal understood the Commissioner’s analysis the Tribunal felt that it was not compelling and relied on concepts that were not actually within the legislation – e.g. ‘overarching theme’. The Tribunal felt that any consequent uncertainty should, on balance, be resolved in the Appellant’s favour.

On 30 March I submitted a complaint to the ICO. My complaint involves 9 requests and deals with an important area of the FOIA, where there is very little precedent. A reasonable person might conclude that the ICO would be keen to act swiftly. On 27 April 2018 my complaint was assigned to a case officer so things were looking good. It is now coming towards the end of October and I have not had a single piece of correspondence from the ICO.

The requests that have been aggregated cover management information about how the DWP runs large controversial contracts that assess the eligibility for employment support allowance and personal independence payment (“PIP”). A previous RFI uncovered numerous problems with the quality of medical reports being produced for PIP assessments. This might explain why the DWP is so keen not to let me have the current information but not why there has been no progress by the ICO.

Case 3 – Datasets & Type of Data Held for Various Benefits About Claimants

On 26 February 2018 I asked the DWP to disclose the datasets and type of data it holds about various social security benefits. I am not asking for the actual data, just the type of data and the “groups” or “sets” of data that it holds.

On 17 April 2018 the DWP refused my request citing S.31 (it eventually confirmed it meant section 31(1)(a)) and S.24. After a further IRR the DWP reconfirmed its position and I complained to the ICO on 15 July. Some 3 months later on 11 October I was finally told that my case had been assigned to a case officer. Does this now mean I wait for a further 6 months before anything actually happens?

Conclusion

I know the ICO is very busy, partially due to the new Data Protection legislation, but the problems that I and others are experiencing can’t just be explained by “being busy”. Based on my previous experience of dealing with them I also don’t believe it is the fault of the case officers. These problems are due to serious organisational failings within the ICO. There doesn’t seem to be the type of business processes / workflow that one would expect to see in an organisation of this size. The line management oversight of case officers appears to be absent. Based on my own experience it seems to be that the line managers focus solely on protecting case officers while actually making matters worse for them as their workloads probably grow faster than they can cope with.

The ICO should have a small set of metrics about how it is dealing with cases. Surely line managers should be looking at cases where nothing has actually happened for 6 months and do something about it? The idea of management by exception has been around for a long time and yet I’m left with the impression that there are no exceptions set within the ICO and senior management have no impartial way of knowing what is actually going on at the case level.

People might wonder why this matters and that in these times of constrained budgets we should expect cases to take longer. I can’t accept this as one of the key drivers for the FOIA is that we get a chance to hold public authorities to account for their actions. For that to happen we need access to information while it is still relatively current.

It is generally known that there are certain large government departments that have a very poor history in respect of FOIA. If someone requests information that these departments suspect will be embarrassing they will deliberately play the system to delay disclosure. From personal experience it’s all far too easy to do:

  1. Ignore the request completely until the ICO tells the department to respond (3+ months).
  2. Use the public interest test with impunity to introduce a 5 to 6 month delay before the requester can complain to the ICO about the exemption cited.
  3. 3 months before a case officer is assigned.
  4. At least 3 to 6 months before a DN is issued.

Total possible delay = 14 to 18 months.

The department can then appeal the DN to the First-Tier Tribunal (“FTT”), even if there is little chance of success. I’ve had 2 cases recently that have been appealed and then withdrawn just before the FTT hearing was due to take place. This added another 6 month delay let alone the cost to the public purse. If the DWP had actually gone through with the appeals and lost then that delay would probably be closer to 9 to 12 months.

This means that “playing the system” allows disreputable government departments to delay disclosure of embarrassing information by at least 2 years. Any media interest in the information can then be met with the claim that it is now ‘historical’ and things are better now.

A good example of this is the Project Assessment Review Reports (“PARs”) for the Universal Credit programme. I asked the DWP for these in April 2016 (see URL below):

https://www.whatdotheyknow.com/request/universal_credit_programme_proje#comment-82746

Using the delaying tactics described above and making the ICO issue an information notice to compel the DWP to release the PARs to them, they weren’t disclosed until March 2018. That’s a 2 year delay.

The ICO needs to sort out the internal delays that these government departments seem to be relying on. They also need to make sure there are meaningful consequences for public authorities that “play the system”. Writing strongly worded DNs telling public authorities off for abusing the system is meaningless. The ICO was highly critical of the DWP in its DN for the PARs case. A link to the DN is given below and the criticisms start at [62].

https://ico.org.uk/media/action-weve-taken/decision-notices/2017/2014762/fs50640285.pdf

The criticism has had absolutely no impact on the DWP. It still regularly doesn’t reply in time and still produces “boilerplate” responses that have little bearing on the case in question.

As a result of the new GDPR and Facebook the Information Commissioner regularly seems to be in the media and was recently named as the most influential person in data-driven business in the updated DataIQ 100 list. I hear talk of the Commissioner being able to issue huge fines for data breaches and serving enforcement notices on organisations that are not complying with the FOIA.

The original white paper “your right to know” stated at [1.1]:

“Unnecessary secrecy in Government leads to arrogance in government and defective decision-making. The perception of excess secrecy has become a corrosive influence in the decline of public confidence. Moreover, the climate of public opinion has changed; people expect much greater openness and accountability from government than they used to.”

If public authorities continue to be allowed to easily introduce delays of 2 years before disclosure then the regulator of the FOIA is failing in her role. Before the FOIA we only had the thirty-year rule (now moving to the twenty-year rule) controlling when information was released to the public.

I suggest that we are rapidly approaching the situation where by default we have the “two-year rule” for information government departments do not want released. Unless the Commissioner does something about it that will slowly increase to the “three-year rule” and then the “four-year rule”. From my perspective it’s time the Commissioner stopped boasting about all the powers she has and started using them.

Secret Service

A little while ago, I noticed an interesting story on the website of the Fundraising Regulator. They reported a case where a woman had applied for a job with a charity and subsequently, she started to receive marketing from them. She asked for her details to be removed from their donor list, and the request was ignored. The story was still there when they reworked their website recently, but it now appears to have vanished.

This is a breach of Data Protection and (potentially) PECR – the charity would not have informed the person that their data was being used for marketing, which is a breach of the first DP principle, and they breached the second principle by re-using the data for an incompatible purpose. By ignoring her request for the marketing to stop, they breached her rights under Section 11 of the old DPA and if they sent emails, they breached PECR as well.

Given that this is quite a serious breach of DP fundamentals, you might think that the Fundraising Regulator isn’t really the right person to deal with it. Although direct marketing forms part of the Code of Fundraising Practice, the proper regulator for both DP and PECR is the Information Commissioner. For both possible breaches, the issue of fundraising is probably the least important aspect – a charity that misuses personal data in such a profound way should be investigated by the Information Commissioner, not a non-statutory body with a relatively narrow focus.

I asked the Fundraising Regulator whether they had passed the complaint to the Information Commissioner’s Office. After a little while, I received a reply from a senior officer asking why I wanted to know. I said that I thought this was a relatively serious breach of data protection, and I wanted to know whether it had been shared with the right people. Shortly after that, I received a reply saying that they couldn’t tell me. This is an anonymised case study – the description of the case did not name the charity, or give any identifying information about the donor. The Fundraising Regulator has already decided to use the story to promote their work, and so asking whether they have shared it with the appropriate regulator (a question that has a Yes / No answer) seems entirely reasonable to me. I pushed a little, and apparently my request went up to Gerald Oppenheim, the FR’s eminently sensible Chief Executive. He also said no.

So I made an FOI request to the ICO, asking for the number of complaints the Fundraising Regulator has passed on to them, and a summary of each complaint. The ICO replied, saying that 100 complaints have been passed from the FR, and in response to my request for a summary of each complaint, they gave me whatever this is:

“Charities who have failed to on-board onto the Fundraising Preference Service (FPS) portal despite receiving a request to stop communications from a member of the public.”

Weirdly they claimed that “We do not hold information in regard to the details of each complaint” but in reply to my question about what action they have taken as a result of these complaints, the answer was: “No further action, logged for future intelligence purposes”. This means that they don’t hold any information about complaints that they have logged for future intelligence purposes.

Leaving that aside, the ICO’s response doesn’t suggest that the complaint I am interested in was shared, and so I am going out on a limb to say that I think the reason that the Fundraising Regulator didn’t want to tell me whether they had shared the complaint is because they hadn’t and didn’t want to admit it.

Why does this matter? The Fundraising Regulator’s predecessor, the Fundraising Standards Board, was an inherent part of the Data Protection problems in the charity sector that exploded spectacularly with stories in the Daily Mail. Thousands of complaints were soaked up by the FRSB and never passed on, meaning that the ICO was largely unaware of marketing problems in the sector. The last thing that the FR should be doing is sitting on serious data protection issues in the same way. The ICO and the FR have signed a memorandum of understanding agreeing to share information to assist each other in carrying out their functions, and so there is a clear gateway for the FR to inform the Commissioner of complaints like this.

The problem is, I only know about this complaint because the FR was incautious enough to try to get some PR out of it. Who knows how many more complaints they have dealt with that reveal genuine data protection problems – it may be an isolated case, or there may be loads of them. The organisation’s refusal to be open about the fate of this case means it’s unlikely they’d be forthcoming if it wasn’t a one-off. The FR’s role in operating a glorified opt-out service which is arguably not really required has already attracted some justifiable criticism from the charity sector, but this issue also deserves scrutiny.

Charities have had a torrid time over the way in which some of them handled personal data – as unpopular as this will make me (again), I think much of the flak was deserved. But it isn’t helping the sector for cases like this to be buried – bad practice should be rooted out publicly and by the right people, so all can learn by example. I can’t make Freedom of Information requests to the Fundraising Regulator because they’re not covered, and given the track record of the FRSB, being told rather haughtily that “it is for our organisation and the ICO to discuss and agree what issues we should and shouldn’t be investigating” doesn’t fill me with very much confidence that the right lessons have been learned. The Fundraising Regulator should be transparent about what cases are passing through their doors, which get passed on, and which don’t. Otherwise, perhaps the Mail should start digging again.

We need to talk about Ardi

This week, Private Eye reported that the publishers Kogan Page had withdrawn a book about the GDPR by Ardi Kolah, after they received allegations of plagiarism from several sources. Most references to the GDPR Handbook have been scrubbed from Kolah’s online history and Kogan Page’s website is terse, to say the least. The fate of Kolah’s book is interesting not only because the high profile author is involved in both Henley Business School’s GDPR course and the British Computer Society’s Data Protection Certificate, but because Kolah has repeatedly sought to build his reputation through an association with the Information Commissioner, Elizabeth Denham.

The ‘About the Author’ section of his book describes Kolah as having “worked closely” with Denham, and there is some substance to the claim. Not only did Denham write the foreword for the book (and also for Kolah’s luxury leather-bound edition of the GDPR), she invited him to be one of the judges of her inaugural Data Protection Officer award.

Denham’s foreword describes him admiringly as a veteran of the Data Protection sector. She describes the UK’s data protection community before her arrival from Canada as a “small group of people ready to help each other out to raise standards”. She claims Kolah was someone who “flew the flag for data protection many years before it broke into the mainstream with the GDPR”. After some flannel, she returns to the theme: “Ardi and others of his generation often walked a rather lonely path in their efforts to have data protection taken seriously by the mainstream” and praises the book as “authoritative”.

I made an FOI request to the ICO asking if she wrote the foreword because I had a sneaking suspicion that Kolah himself might have been the author. The response was emphatic: “The Commissioner wrote the foreword and was the author of the Word document that was sent to Mr Kolah with the foreword in it. Mr Kolah had no input in the content of the foreword, did not ask for any input and did not ask for any copy approval of the foreword. The version sent to him on 6th April represented the Commissioner’s final wording to appear in the book unedited and unabridged.” This means that Denham is entirely responsible for the claims about Ardi Kolah’s career in Data Protection that appear in the foreword, and I think that’s a problem.

For most of his career, Kolah has been a PR guy. He worked as head of communications or PR for a variety of different organisations between 1995 and (at least) 2012. He worked for the BBC up until 1995, but after that, he did PR for Arthur Andersen, Cancer Research and Logica among others. His own CV on LinkedIn shows him as ‘Global Head of Public Relations’ for Brit Insurance until 2012. The notion that Kolah was flying the flag for Data Protection for “many years” and he was part of a generation of people who worked thanklessly in the DP mines is plainly unsustainable. Even now, his Twitter account describes him as a “Commentator on all things sales and marketing and social media”. Kolah’s own timeline doesn’t mention Data Protection until 2012, when he says he founded a company called Go DPO, and even so, it’s hard to square his version with other available information.

An experienced training consultant called Darren Verrian is also on LinkedIn, and he says that he started work on Go DPO in May 2015, three years after Kolah. This is interesting because Verrian describes himself as ‘co-founder’ of the business. Furthermore, Companies House shows that on 2nd June 2015, Kolah and Verrian registered two companies, one called Go DPO EU Recruitment (which was dissolved in February 2018), and another called Go DPO EU Compliance (which is still trading). Subsequently, they registered Go DPO EU Advisory Services in February 2016 (dissolved in March 2018), and finally Go DPO EU Consultancy Services in August 2017 (also still trading). Weirdly, despite his claim that he was running Go DPO in 2012, a company called Genworth Financial announced on 28th May 2012 that they had hired Kolah as their Director of Communications. Kolah doesn’t mention Genworth Financial anywhere on his LinkedIn CV.

I think it’s impossible to reconcile Denham’s claims about Kolah’s longstanding involvement in Data Protection with his own CV, but the contradiction between Kolah and Verrian’s respective claims and the facts on Companies House make it worse. As far as I can see, Ardi Kolah is not a Data Protection veteran: he’s just good at PR. Since I started to make mischief at his expense, several people have approached me with stories of Kolah’s error-strewn, self-promoting performances at conferences, and his now-disgraced book is a bloated mix of turgid management-speak and basic errors.

I didn’t identify the examples of apparent plagiarism or report them to Kogan Page, but I have seen them and it’s obvious to me why the publishers withdrew the book. I think Kolah owes everyone who bought the book an apology, and Kogan Page owes them a refund (I’m aware that they did offer a refund to at least one purchaser on the proviso that he returned the book). Perhaps Kolah did Data Protection work before May 2015 but I can’t find it. Maybe he can reconcile his and Verrian’s accounts and explain why no variant of a company called Go DPO was registered in 2012. But even if 2012 really is when he started, the way Denham characterises him in her foreword is at best wildly exaggerated, and a slap in the face for those of us who really have been working on UK data protection for a long time.

Moreover, unless he can refute the plagiarism allegations (and having seen what they’re based on, it would require a lot more than spin to achieve that), I think Kolah should resign from three of his current roles. There is no way that someone guilty of plagiarism should have a role on an exam board, at a prestigious business school or as Editor-in-Chief of a widely published journal. If he does not, then the BCS, Henley Business School and the editorial board of Journal of Data Protection and Privacy (many of whom are quoted in the book endorsing it) should sack him. They cannot be seen to tolerate plagiarism. Whether his friends at Amplified Business Content (who organise many of the conferences that Kolah speaks at) or Hitachi (who employ him as a part-time DPO) still think he’s an appropriate person to work with is none of my business.

A more important question than the fate of Mr Kolah is what this mess says about Elizabeth Denham. Kolah trades on his ‘close working relationship’ with the Commissioner. Denham should have shut down this inappropriate use of her name, but instead, she promoted both Kolah’s book and the man himself by asking him to be a judge of the DPO award. When I made an FOI request to the ICO about Denham’s relationship with Kolah, they were in denial, refusing to accept that writing a foreword was an endorsement:

it may be helpful to note that we do not consider that writing a foreword in an official capacity to be an endorsement or to be otherwise advertising a commercial product. A decision to write a foreword or review is normally taken on the basis of the ICO being aware of the author’s standing as a practitioner or expert, and the value the book adds to the information rights community

ICO comments received by Private Eye suggest that while Denham definitely wrote the foreword, she may not have even read the book. Kolah sent it to her, but the ICO said she did not study the book, relying instead on her ‘prior confidence’ in the author. Along with several other people, I have asked the ICO to show what evidence Denham relied on to make her assertions about Kolah’s long history in UK data protection. They admit that no such information is held. Denham made assertions to support her friend and help sell his book, and I don’t think she can substantiate them.

The Information Commissioner should not endorse commercial products, and this isn’t the first time she’s been willing to lend her authority when doing so. Kolah’s book has turned out to be damaged goods, but if she’d had the sense not to endorse anything, she wouldn’t have this problem. What this says about Denham’s judgement isn’t pretty, and I think it’s untenable for her to stay silent on the matter. Rather than throwing spokespersons under the bus, Denham should explain it herself. What due diligence did she do on Kolah? Did anyone even Google him? Why does she think he’s got a long and distinguished career in Data Protection when he hasn’t? And most of all, how can she assure us that she’s independent when she can be persuaded to make a mistake as big as this?

 

Yas Queen!

One of the features of the GDPR which is superficially similar to the old Data Protection Act but turns out to be quite different is the requirement to provide information about how personal data is being used. The word ‘transparency’ is an inherent part of the GDPR first principle, whereas it was absent from the previous version. The DPA 1998 allowed data controllers to decide what information data subjects needed to know, beyond who the controller was and what purposes their data was being processed for. The GDPR has two similar but distinct lists of information that must be provided, one for where data is obtained from the subject, the other where data is obtained from somewhere else, and they dictate what must be provided in scary detail.

When I first started looking at the GDPR, it was this element that I was most sceptical about. I simply couldn’t believe that organisations would admit where they obtained data from, or how long they were going to keep it. I have an almost completed blog on the boil (stay tuned) which is about the very subject of list brokers covering up where they get personal data from and who they sell it to. So when a friend passed me the ‘Data Protection Privacy Notice for Alumni and Supporters’ from Queen Mary (University of London), I was amazed to see a clear, transparent explanation of what data was used, for what purposes, and under what legal basis. The only problem is that some of it is bollocks, and some of it deploys an attitude to data that requires a seatbelt and a helmet.

Ironically, because it is a relatively short and easy to read document (four pages of A4 in normal font, written in human English), the nonsense leaps out at you like a chucked spear in a 1950s 3D movie. The notice asserts that for a list of purposes, the University is relying on the legal basis of ‘legitimate interests’. The purposes include:

furthering Queen Mary’s educational and charitable mission (which includes fundraising and securing the support of volunteers)

This is, of course, direct marketing. The notice then says:

We may pursue these legitimate interests by contacting you by telephone, email, post, text or social media.

Which would be a PECR breach. The University cannot send emails or texts to alumni without consent, but according to the policy, they can. Of course, some clever person (I have a list of names here) will come along and tell me that since students pay for their education, surely the University can rely on the soft opt-in? Well, for one thing, these are alumni, some of whom may have attended the University decades ago (and Queen Mary freely admits to tracking down ex-students using the Royal Mail’s Change of Address Service). For anyone who didn’t substantially pay for their degree, it doesn’t fly. Moreover, I’ve trained a lot of universities who were understandably squeamish about the idea that a qualification like a degree can be reduced to a mere commodity, like a dishwasher or a new set of tyres.

And there’s more.

If you are registered with the Telephone Preference Service (TPS) but have provided us with a telephone number, we will assume we have your consent to call you on this number until notified otherwise

No. For Pity’s Sake, No. Have the last three years of the world and his dog banging on incessantly about consent (often insisting wrongly that you always need it but OK) been for nothing? There is no such thing as assumed consent. There is no such thing as assumed consent. MATE, ARE YOU HAVING A LAUGH?

It seems odd that because Queen Mary have done something really well, I’m criticising them. To be clear, it’s one of the clearest privacy notices I have ever seen. But it’s not just the unlawful bits that stick out like Madonna’s bra (happy 60th, Your Majesty). The rest of it is, to use my favourite euphemism for this kind of thing, bold. Students’ personal data will be retained “in perpetuity”. The data held about alumni includes “occupation, professional activities and other life achievements”, “family and spouse / partner details and your relationships with other alumni, supporters and friends” and also “financial information relating to you and your family, including data and estimations around your income, assets and potential capacity to make a gift”. If anyone from Queen Mary is reading this, my friend says not to get your hopes up.

The gleeful description of what data they hold is an amuse bouche to the relish with which Queen Mary describe their use of research. The fundraiser Stephen Pidgeon once told me with great vehemence that fundraisers couldn’t possibly be frank about the techniques that they deploy. Queen Mary, on the other hand, have more or less had shirts made: “we may gather information about you from trusted publicly available sources to help us understand more about you as an individual and your ability to support the university in ways financial or otherwise”. They explicitly say that they do wealth screening in some cases, and have a long list of possible data sources including Companies House, company websites, “rich lists”, Factiva, Lexis Nexis, “general internet and press searches”, Who’s Who, Debrett’s People of Today and LinkedIn.

Because I banged on about it so loudly a year or so ago, I should be the first to point out that despite all the bollocks talked about the ICO banning wealth screening, the ICO’s enforcement against charities did no such thing: it fined a number of high-profile charities for doing wealth screening without fair processing. Ostensibly, Queen Mary are simply doing what the ICO demanded by describing the process, but I have a sneaking suspicion that some of Our Friends in Wilmslow might be surprised to see wealth screening being carried out so enthusiastically.

To be frank, I do not believe that Queen Mary can justify processing the personal data of the spouses or family members of alumni in any circumstances, unless with consent. I think it is unfair, they do not have a legitimate interest in processing the data, and it is excessive. I think they and any institution who did the same deserve to be enforced against, or at the very least they should receive a shedload of Right to Be Forgotten Requests from mischievous family members. I am also sceptical about the depth of research that may be carried out into some alumni – it’s clear that it will only be a subset of the whole, but unless we’re talking about a handful of millionaires who might well expect this kind of thing to go on, I think this document is an inadequate way to meet the requirements of transparency. If a university is digging into a person’s background to this extent, it’s a form of processing that a person should directly know about and have a right to prevent. My friend only read this document because she’s in the business – Queen Mary should tell people if they’re subject to this level of profiling.

I know some fundraising consultants who will take issue with this and to be clear, I am not dogmatically saying that QM can’t do this. But seriously, can they do this? Is this what the brave new world of GDPR is all about? My instinct is HELL NO WITH AN AIRHORN FOR EMPHASIS but it would be hilarious if I was wrong, and the GDPR really doesn’t dent this kind of activity. I write this solely to see what other people think. Do you think this kind of thing is OK?

I don’t have a dynamite conclusion to this blog. I could kiss the person who wrote this privacy notice because it’s so plain and well-written, and yet the approach to consent and PECR is so misbegotten, I think whoever came up with it should be cast out into the Cursed Earth without a backwards glance. I don’t believe that Queen Mary can possibly justify the amount of data that they propose to process and the purposes for which they think legitimate interests is an adequate umbrella. But at the same time, the ICO looked at precisely this kind of activity and only really complained about the lack of transparency, which isn’t a problem here. All I can say for certain is that if other people are going to get the fundamentals so enthusiastically arse-about-face, and do such interesting things, I demand that they do so with the same clarity.

 

A SMALL ADVERT – if you’d like to know more about this kind of thing, I’m running courses in September and November on GDPR, marketing, how to be a DPO and other big DP issues. Some of the September courses are already full, so book now: https://2040training.co.uk/gdprcourses/