DPO

A month or so back, I saw a tweet inviting me to download a worksheet from a company called Intillery, who were selling some sort of consent management tool. I didn’t want the worksheet, but when someone is selling GDPR consultancy, it’s always interesting to see what the state of their own compliance is. I visited their website, and gave them a Gmail address to receive my copy of their worksheet. There was a separate privacy policy which referred to providing me with “information, products or services that you request from us or which we feel may legitimately interest you, where you have consented to be contacted for such purposes”. There was no reference to further information being sent, or consent for any marketing.

Needless to say, I have received several marketing emails from Intillery since downloading the worksheet. You might argue that I should expect to receive marketing in return for the worksheet, but these are allegedly GDPR consultants, and their own privacy policy talks about sending further information only with consent. You might equally argue that although they’ve screwed up the fair processing element, under PECR they don’t need my consent because the marketing was business to business. But that’s irrelevant, because I used a Gmail address for which I am an individual subscriber. Even if I did so deliberately, you’d expect people offering Data Protection services to be wise to this. You might, at a pinch, argue for the soft opt-in, but I am downloading a worksheet that is supposed to help me comply, not making an enquiry about Intillery’s services, and in any case, there is no opt-out on the page. The soft opt-in cannot apply. I checked to see whether Intillery has notified the Information Commissioner for the purposes of consultancy, but needless to say they haven’t.

One interesting thing on Intillery’s privacy policy was that they have a named Data Protection Officer, the self-styled “GDPR Guy” Carl Gottlieb, who is presumably carrying out the role as a DPO contractor, given that he is also still running his information security business. He did a notification for that in October, which is coincidentally when Jon Baines kicked off about the number of GDPR people who weren’t notified. I’ll give him the benefit of the doubt over the non-notification of his scrap metal business as it might be exempt. I can’t tell you what advice Mr Gottlieb has given to Intillery in his role as their DPO, but they’re touting themselves as capable of advising others on Data Protection, and they’re not even compliant themselves. You need the right person, whoever you are.

I could have written this blog about Axon, a company who have been regularly emailing me in breach of PECR since I downloaded their GDPR document, or a dozen others. The Data Protection People cold-called me, and were surprised when I mentioned the Corporate Telephone Preference Service to them. All of these folk purport to be capable of helping others in their Data Protection efforts but either they don’t know how to comply themselves, or it isn’t sufficiently important to them to bother. On Friday, I spent a very enjoyable day training a group of school headteachers and business managers. They took in a lot of information about the GDPR and Data Protection implications for their schools with good humour and a constructive attitude, but the Data Protection Officer requirement was a stumbling block. Very few schools need a full-time DPO. A small, well-run primary school will need a relatively small amount of DPO time to keep them on an even keel, but unless the Data Protection Bill / Act delivers them a miracle, they will be legally obliged to have a named DPO. It’s daft but it’s true.

I find it hard to picture how a school will find someone half-decent to support them in the sea of endlessly swirling bullshit that has engulfed the Data Protection world over the past couple of years. I have never been as busy as I am currently, and I have never had so much fun doing my job. But when I look up from the work I am actually doing to see what state the DP sector is in, I am ashamed to be associated with Data Protection. Everywhere you look, there is scaremongering hype, ridiculous claims about fines, about a SAR tsunami, claims about businesses closing and the ICO stalking the land like Godzilla. As many GDPR folk never tire of complaining, I do spend some of my time calling it out. I correct false claims. I draw attention to crap articles. I argue with LinkedIn bullshitters, who block me because they’re cowards.

But just as when I wandered into the charity sector with an (overly) critical eye, the same legitimate criticism has been levelled at me again. Why don’t you do something constructive? What some of these people mean (and what some of them have said to me privately) is “there’s plenty of money to be made here, why don’t you just let us take our piece?”. The problem with this is that I don’t care how much money anyone makes. I could charge more than I do. I could go for more lucrative work. I could do more work. My criticism of the bullshitters is not motivated by money. If all I cared about was cash, I wouldn’t just have given up a substantial guaranteed income to work solely for myself in 2018. But some of the people who ask that question are sincerely motivated, and they mean the same thing that my charity critics meant – why don’t you *do* something.

In March, I published a guide for fundraisers on Data Protection. I will be updating that guide in the next month to cover GDPR and the DP Bill. In the meantime, I have written another guide, this time for those organisations seeking an external, contract-based Data Protection Officer. It is designed to help the small, non-expert organisation to choose the right DPO consultant. You can find it at this link, in the downloads section of my website.

I have several other guides planned for 2018 – if you have suggestions for things I might write given what I have done so far, you’re always welcome to let me know. I probably can’t do them all, but the folk who ask me the ‘constructive’ question in good faith make a good point, and I’d like to do my small part to clear the fog, and make a positive contribution. And for all those people who think I’m a dick for doing and saying things like this, don’t read the guide. You really won’t like it.

 

The Naked Truth

The story of Damian Green’s porn-clogged computer has several facets, with a surprising number of them related to data protection. Whether it was a breach for former Deputy Commissioner Bob Quick to reveal that there was porn on the computer is hard to say for certain – I think Quick has a journalistic defence in revealing hypocrisy given that the Government is currently waging a moralistic war on adult websites, but you are welcome to disagree. The fact that Quick has form for revealing information that he shouldn’t have only adds spice to the mix.

The question of why Green’s other accuser Neil Lewis still has his police notebooks raises more serious questions. Did he keep them without authorisation from the Met? If he did, this could be a criminal offence under Data Protection’s Section 55 for which Lewis would be liable. Did the Met Police fail to recover them properly? This would be a serious breach of the seventh data protection principle, for which the Met should expect to answer. In any case, I have to agree with those who say that public servants should respect confidences even after they leave the service. Sensitive material should never be retained by former officers of any organisation. I know my reaction to the story is clouded by the entertaining spectacle of seeing a politician caught with his pants down, or at least, unzipped. The question of how the story came to light needs to be interrogated.

Green’s use of the Shaggy Defence to claim that he knows nothing about the porn begs more questions. If he didn’t download it, this means that someone else did (none of the Tories defending him seem to claim that it doesn’t exist). Part of Green’s outrage when his office was raided in 2008 was the threat to the sanctity of Parliamentary Privilege and the confidentiality due to his constituents. In the light of this, Green needs to explain how it was possible for someone else to download porn onto his computer. The best case scenario for him is that this was the result of malware, rather than someone else being able to log into his computer without his knowledge. Of course, malware infecting an MP’s computer is a story in itself. Regardless of whether this story should be in the public domain, we can’t be expected to ignore it now. As someone who processes highly sensitive data about his constituents (as well as possibly other sensitive information), at some point Green has to explain who had access to his computer and what they were doing downloading porn. Or he has to admit that it was him.

I don’t know what, if anything, Green is guilty of, but his fellow Tory Nadine Dorries’ spectacular contribution on Saturday doesn’t allow for any ambiguity. The MP for Mid Bedfordshire has a habit of deleting tweets when she (or someone else running her account) realises how stupid they make her look, so I have screengrabbed this one and I reproduce it in full here:

My staff log onto my computer on my desk with my login everyday. Including interns on exchange programmes. For the officer on @BBCNews just now to claim that the computer on Greens desk was accessed and therefore it was Green is utterly preposterous !!

UPDATE: There’s more:

All my staff have my login details. A frequent shout when I manage to sit at my desk myself is, ‘what is the password?’

ANOTHER UPDATE: Robert Syms MP is at it as well

As a constituency MP, Dorries will be handling sensitive correspondence on a wide variety of matters, and she has publicly confirmed that access to information is open to a wide variety of people, including interns on exchange programmes. To this, there is no defence. The seventh data protection principle states that a data controller must have in place appropriate technical and organisational security measures to prevent “unauthorised or unlawful processing of personal data, and against accidental loss of or destruction of or damage to personal data”. This means a mix of technical measures like passwords and encryption and organisational measures like ensuring that passwords are not shared or written down. Dorries has confirmed she has authorised password sharing in her office – which is bad enough in itself because it means passwords are spoken aloud or written down, greatly increasing the chance of the password being known to someone nefarious. But worse than that, she says specifically that a wide group of people share her login. There is no way of knowing who has accessed what, because even if the intern has done it, it looks like Nadine was the person responsible.

The only way that Dorries has not admitted a clear breach of Data Protection’s security principle is if she (or whoever wrote the tweet) is lying in order to defend Green, which is quite the stupidest thing I can imagine.

There are several possible breaches here – Quick’s original revelations about Green, Lewis’ retention of his notebooks / the Met’s failure to recover them when he left, Green’s insecure computer equipment and Dorries’ admission of her completely lax security. While Quick and Green’s problems are somewhat murky, Lewis / Met Police and Dorries present much more straightforward issues for the Information Commissioner. Both should be investigated as a matter of urgency.

Given Dorries’ casual admission of the insecure way in which her office operates, a much wider investigation might be required. Elizabeth Denham has put huge resources into investigating the possibility of political use of analytics and big data in an unlawful way, even though it’s hard to imagine anything coming of it. On the other hand, here we have a sitting MP openly admitting that constituents’ data is unsafe – how many more of Dorries’ colleagues operate in a similarly unlawful fashion? I cannot complain to the ICO about these matters, as I am not affected by them. However, the issues are serious, and Wilmslow should step in immediately. A bland press release reminding MPs to process data safely is not good enough; the ICO needs to demonstrate that Data Protection law applies to MPs just as it does to the rest of us.

Summit to hide?

On at least three occasions in the past year, a member of staff from the Information Commissioner’s Office has spoken at conferences organised under the banner of GDPR Conference or GDPR Summit. Garreth Cameron has appeared twice, and Lisa Atkinson was at the latest event on October 9th. Nothing odd about this, you would think – the ICO clearly wants to spread its message (such as it is) to a wide audience, and conferences are a way to do it. They should be wary about showing favouritism and they’re not very good at avoiding it – a certain Assistant Commissioner often appears at a certain training company’s courses, and appearing three times at one company’s commercial events comes close to being an endorsement.

But even if such regular support for a conference would otherwise be justified, in this case, I don’t think it is. It’s not easy to find out from the GDPR Summit website who actually organises the conferences. A little bit of digging suggests that it is a company called Amplified Business Content. Amplified Business Content is also responsible for ‘GDPR Report’, which used to publish articles for free but has now gone to a subscriber model. Having an opaque company structure isn’t compliant with Data Protection because it’s not clear who the Data Controller is. Moreover, some of the material on their website is garbage – they have published quizzes with wrong answers, and harvested information without a privacy policy (though I noticed that after people on Twitter made a fuss of it, they stopped demanding email addresses to get scores on the quiz). Via GDPR Report, the organisation has pumped out reams of vague, badly-written stories including one titled ‘The Data Protection Apocalypse’ that claimed that organisations need consent for all processing – it was so bad that after a morning of criticism via Twitter and other sites, they had to delete it. Worst of all, Amplified Business Content has not notified the ICO under Data Protection – unless they are exempt (which for a conference organisation is hard to believe), this is a criminal offence.

Given that the ICO have given Amplified Business Content so much support, I wondered whether they had done any due diligence on the organisation before agreeing to speak at their events. Under FOI, I asked for the following:

Any information about due diligence carried out by the ICO before accepting invitations to speak at these events, including whether ICO staff checked if the company had a notification, and whether their materials and publications were accurate and reflected the ICO’s approach to the GDPR

Any procedure that requires ICO staff to carry out due diligence before accepting speaking engagements

The answer was that no information was held. The best they could offer was “We apply our speaking engagement policy here when making a decision whether or not to accept a request for a speaker”. Needless to say, the speaking engagement policy does not include any requirement to carry out due diligence. In other words, the fact that Amplified Business Content has not notified and has spread misleading and unhelpful information about a Data Protection apocalypse is irrelevant to Wilmslow. They’re not even expected to check whether the organisation has taken the most basic steps to comply with Data Protection law. This is remarkable, especially at a time when so many dodgy people have flooded into the Data Protection market.

Their answer to the first part of my request was more interesting, and more worrying. I asked for:

All correspondence between the ICO and Amplified Business Content or those purporting to represent GDPR Conference or GDPR Summit or GDPR Summit Europe (or other variations on the theme of GDPR Summit).

I’ve done this before, both with the Privacy Laws and Business Conference (which led to this blog) and True Swift, another organisation for whom the ICO has done several online courses. Both times, the ICO gave me detailed correspondence between themselves and the organisation, which allowed me to see, among other things, Stewart Dresner of PLB complaining that he doesn’t have special access to news about ICO activities. This time, however, the ICO has refused to give me any of the correspondence. The exemption they used is a prohibition on disclosure that applies when organisations supply data to the Commissioner when information “has been obtained by or furnished to the Commissioner under or for the purposes of the Information Acts”. In other words, ICO claims that when arranging their spots at the GDPR events, they were exercising their functions under the Data Protection Act. Needless to say, the refusal doesn’t say which function they were exercising – presumably I am expected to guess. I think the only function that could apply is the duty to promote the following of good practice under Section 51, but the idea that Parliament intended conference arrangements to be secret is a fairly bizarre idea.

Only two possibilities present themselves. The first is that the ICO’s policy is only to release material such as this with the consent of the organisation (which the prohibition allows), so PLB and TrueSwift consented to the disclosure and Amplified Business Content refused, which begs the question of what ABC have to hide. Their internal business arrangements are nobody’s business but theirs, but when dealing with the regulator, they should expect to be more open. I’ve made fun of Dresner following the disclosures, but the emails I received didn’t show him or his company doing anything inappropriate – the only criticism I’ve got is that the ICO should hold all organisations at arm’s length.

The other possibility is that the ICO is being inconsistent. They didn’t use this exemption before, but there is something awkward or embarrassing about their relationship with ABC that they want to cover up. Either way, it isn’t a good look for the transparency regulator to be hiding information about its dealings with a private company. The prohibition allows data controllers and public authorities being investigated for DP and FOI breaches to provide secret business information to the Commissioner with the confidence that it won’t be disclosed. This is entirely justifiable – otherwise, no organisation would ever give the ICO information they had withheld from an FOI or subject access applicant in case the applicant then tried to use FOI or DP to get it from Wilmslow.

This case is very different. The ICO has scant resources, and yet has regularly provided speakers to a commercial company with a spotty approach to Data Protection and is using the prohibition on disclosure to prevent legitimate scrutiny of their relationship. The prohibition does allow disclosures that are ‘necessary in the public interest’ – given ABC’s dissemination of scaremongering articles and possibly illegitimate non-notification, I am convinced that the public interest does support transparency here. Of course, the ICO might argue that if they disclose, this will deter conference organisers and others from approaching them – but who cares? This is far from a core activity for the Commissioner. If you’re not willing to be open in these circumstances, what has anyone involved in this got to hide?

Things To Come

The imminent arrival of the #GDPR, as many have already noted, has resulted in a huge amount of speculation, prediction and scaremongering. Stories of massive fines, a torrent of crippling class action lawsuits, 75000 DPO jobs and the emergence of a new volcano in the fields outside Wilmslow* have all captured our attention. Nevertheless, just when I thought I had heard everything, Lawrence Serewicz proved me wrong.

Mr Serewicz issued, with the certainty of an Old Testament prophet, this astounding claim:

Quick #gdpr prediction. By May 2019 the ICO will have issued more, in terms of number of and amount of, “fines” than in the previous years of the MPN era *combined*.

This might be the wildest prediction anyone has made since the GDPR first dropped from the sky (sidenote: feel free to link me to dafter ones). By my quick and dirty calculation, this would mean GDPR fines in excess of £9million and more than 100 fines between May 2018 and May 2019. This isn’t going to happen. Even in a parallel universe where we had a Commissioner who liked taking action, they couldn’t fire out 100 fines in one year. It is inconceivable.

It is probably fair to say that Mr Serewicz and I do not have a relationship marked by mutual respect or affection, but for once, he has inspired me. The idea of predicting what the first year of GDPR will involve is a brilliant one, and I have decided to have a go.

Below are 12 predictions about the first 12 months of GDPR in the UK. For every one that I get wrong, I will donate £20 to the charity Mind. And here’s where you can join in. Look down the list, and see if you disagree. If you spot a prediction that you think will not come true, let me know – in the comments here, on Twitter, via LinkedIn, or via email. If you are right and I am wrong, I will publicly admit that this was the case on this blog. I will celebrate your perspicacity. But if I am right, and you are wrong, you will donate £20 to a charity of your choosing. You don’t have to do anything else and I will not make fun of you. Nobody makes any money except good causes, but imagine me having to grovel and highlight your superior knowledge in print. If three people say I’m going to get one wrong and I don’t, each one makes their donation, but however many people bet against me, if I am wrong, I just pay one £20 per prediction. I will still praise those who get it right.

I will not be a smart-arse about general comments and reactions on social networking sites – if you want to join in, contact me directly and say you want to take up the charity challenge on one of these predictions.

PREDICTION 1

The total amount of GDPR fines (not including PECR and legacy DPA fines) between May 2018 and May 2019 will be less than the total of all DP CMPs up to today’s date.

Yes, this is half of Mr Serewicz’s prediction. Guess what prediction 2 is?

PREDICTION 2

The total amount of GDPR fines (not including PECR and legacy DPA fines) issued between May 2018 and May 2019 will be less than the total number of all DP CMPs up to today’s date.

PREDICTION 3

There will be fewer GDPR fines (not including PECR and legacy DPA fines) between May 2018 and May 2019 than between May 2017 and May 2018.

That’s right – I predict the number of fines will decrease in GDPR’s first year of operation.

PREDICTION 4

There will not be a €20 million or UK equivalent fine before the end of May 2019.

I intend no weasel get-outs here – we all know what I mean here. There will not be a maximum possible fine in any circumstances.

PREDICTION 5

There will not be a 4% of annual turnover fine before the end of May 2019.

As above.

PREDICTION 6

Thinking about the lower level of penalty i.e. under Art 83(4), there will not be a €10 million or UK equivalent fine before the end of May 2019.

PREDICTION 7

Thinking about the lower level of penalty i.e. under Art 83(4), there will not be a 2% of annual turnover or UK equivalent fine before the end of May 2019.

PREDICTION 8

No UK public authority will be fined more than £1 million before the end of May 2019.

PREDICTION 9

No UK company will be fined more than £2 million before the end of May 2019.

I want to be wrong on this one as there will be deserving breaches. I don’t think I will be.

PREDICTION 10

No charity will be fined more than £50,000 before the end of May 2019, unless for a security breach.

PREDICTION 11

No GDPR class action case will have been concluded with a total damages payout of more than £1million before the end of May 2019.

PREDICTION 12

Five of the companies registered on Companies House today with ‘GDPR’ in their name, or a company name whose initials spell ‘G D P R’ will no longer be offering Data Protection services in May 2019.

BONUS ROUND

These ones are just for fun, as they cannot be measured

  • the number of people describing themselves as ‘Certified GDPR Practitioners’ on LinkedIn will be half what it is now
  • nobody will change their profile to say ‘Certified GDPR Practitioner’ on LinkedIn during May 2019
  • the ICO will still be asking for more staff
  • we will all wonder what all the fuss was about

AND FINALLY: do you have a prediction in the style of those above? If you do, let me know what it is. If I get at least five predictions (and a maximum of 10, I’m not made of money), next month, I will write another blog made of reader suggestions. If this comes off, I will say whether I agree with them or not, and if I disagree with them, it’s another £20 to Mind from me for every one that I get wrong. But contributors must promise that if they get it wrong, they will pay the £20.

This will go wrong in one of two ways. It will capture people’s imagination, and I have given myself a shedload of admin. Or nobody will care, and nobody will join in. But we’ve all read a pile of predictions since all this GDPR nonsense started. Let’s have a bit of fun, and raise a little bit of money for charities at the same time.

 

* In 2017, anything is possible.

The Secret Seven

Last year, I wrote about the fact that Councillor Alex Ganotis, Labour leader of Stockport Council is also a group manager at the Information Commissioner’s Office. After an FOI request, the ICO admitted that he managed the teams responsible for complaints about political parties and local councils. At the time, I argued that this was an unacceptable conflict of interest, and something had to be done about it.

In May this year, shortly after being elected as Manchester’s new Mayor, Andy Burnham appointed Cllr Ganotis as his Environmental Tsar. You can watch a video of the announcement here, and ponder such fascinating questions as why Burnham’s nose is so red, or why throughout the first two minutes, the camera keeps cutting to a wide shot that captures Ganotis’ uncomfortable facial expressions while Burnham is talking. The announcement piqued my interest. If he was organising a grand summit of environmental worthies, would Cllr Ganotis really have time to work at the ICO? And if so, what effect would the review into political activities that Elizabeth Denham announced have on his role?

I made an FOI request to the ICO for the following information:

1) In 2016, the ICO confirmed to me that Alex Ganotis was manager of the team that dealt with complaints about councils and political parties, despite being Leader of Stockport Council at the time. Can you confirm whether Mr Ganotis is still a member of ICO staff, and if so, what is his current job, and what arrangements have been made to avoid any potential conflict of interest?

2) What is the current ICO policy and process for dealing with political party affiliations and potential conflicts of interest?

3) In August 2016, the Information Commissioner announced in an interview with the BBC’s Martin Rosenbaum that she had ordered a review of the involvement of ICO staff in political activities. I would like to see any report or findings arising out of the review, or other summary of the review and its findings, and details of any actions that were taken as a result of it.

4) I would like to receive all current declarations made by any member of staff of involvement in political activities

5) What specific measures have been taken in respect of each staff member who has made a declaration to ensure that there is no conflict of interest?

The response made for fascinating reading. For one thing, Cllr Ganotis remains a Group Manager at Wilmslow and although his group no longer deals with political parties, it still covers issues related to all local authorities in the UK except for those in Greater Manchester, Cheshire or Derbyshire. How politicians and others in every council outside the North West feel about complaints about their authorities still being supervised by the Leader of a Labour Council and a close ally of Andy Burnham is hard to judge. They might be thrilled. Maybe the ICO should ask them.

The report I received under item (3) of my request did contain an option to remove Cllr Ganotis from work involving local authorities altogether, but one of the reasons that this option was not recommended was the fact that “it could be seen to question the professionalism of Alex and other members of staff and their ability to apply the law without bias or political influence”. How Cllr Ganotis’ political career could possibly be seen to reflect on other people is beyond me, but it is jarring that a significant factor in the decision to keep him involved in council work might have been the effect on him, rather than the Commissioner’s ability to operate independently. To be blunt, the ICO as a whole is more important.

UPDATE: I have attached the ICO’s report into the conflict of interest here, so readers can judge how objective and balanced it is: Commissioner Information Note – Political Activities.pdf

Unless every team in the ICO handles complaints about local authorities (and to a lesser extent, government), Cllr Ganotis should have been moved to one that doesn’t. Having decided to pursue a high-profile political career, asking him to make a sacrifice to avoid conflicts of interest and their perception would not be too much. I am surprised that Cllr Ganotis has not requested such a transfer himself. To risk even the perception of influence over decisions about politically-run organisations, and at the same time pursue a high-profile political career suggests either an enormous amount of faith in one’s ability to compartmentalise, or just old fashioned hubris.

The review identified gaps in the ICO’s Political Activities Policy, with recommended “updates” including a stipulation that staff must avoid party political activities which might impair their ability to perform their duties impartially, a requirement to inform the ICO if their activities or areas of responsibility change, and the scope to remove permission to undertake political activities if an individual’s ICO role or political activity changes. Needless to say, this means that none of this existed before.

The rest of the FOI request suggests a continuing unwillingness to face the issue of political involvement. Including Cllr Ganotis, eight staff members have made declarations of involvement in political activities, but the ICO refused to tell me who the other seven are, or what they do, claiming that the data is sensitive personal data. This is true, but it is not automatically a barrier to disclosure. For one thing, the Secret Seven could be asked for consent, and this is not the only route to disclosure.

There is surely a legitimate interest in knowing whether people working for an independent regulator such as the Commissioner have political affiliations, especially when you consider the ICO’s involvement in political matters. Over the past few years, the ICO has fined Leave.EU, David Lammy MP over his London Mayoral Campaign, the Daily Telegraph for its pro-Tory emails during the 2015 election, and in recent months, they took no action against Virgin Trains following Jeremy Corbyn’s antics in a train vestibule. More importantly, the Commissioner herself announced a formal investigation into the use of data analytics for political purposes with no small amount of fanfare, involving 20 staff. The ICO is knee-deep in politics and transparency over the declared political activities of the staff is in the public interest.

As the data is sensitive personal data, legitimate interests would not be enough; a condition must also be met from Schedule 3 of the Data Protection Act as well. One of the conditions is that the Data Subject has put their sensitive data into the public domain. If, for example, a senior ICO staff member was to mention on their LinkedIn page that they were a Councillor for 9 years, the Campaigns and Communications Officer for an MEP for five years, listed the Liberal Democrats as one of their main interests and was recommended for ‘politics’ and ‘political campaigning’ by dozens of people, I think I can argue that at least this one has manifestly made their political views public. The ICO refusal says “our staff do not have a reasonable expectation that their declarations would be disclosed into the public domain”, but the staff member in question was a candidate for the LibDems in the 2015 General Election, so I humbly suggest that the cat is out of the bag. Either this person is one of the seven, and the ICO’s arguments are false, or they haven’t made a declaration, and the ICO’s claim to me that “the review and policies are sufficient to demonstrate that we avoid conflicts in our work” is nonsense. Again, did they consider this before refusing me?

Every national, local, or internal party election or referendum runs on personal data, and personal data is exploited, analysed, shared, lost, stolen and misused in every single one of them. If you can name a major vote in this decade that hasn’t resulted in a DP snarl-up, you’ve a better memory than me. If there is one word that shines through everything the Commissioner sent me on this topic, last time and this time, it’s complacency. The policies and procedures that existed before and the ones that have replaced them are built on an obvious assumption that a box needs to be ticked. Of course nobody is actually going to do anything untoward, the managers are on top of it, staff will proactively declare any conflicts of interest and besides, we have a procedure. But they thought it was all fine before. If I had not written my blog last summer, Cllr Ganotis would still be responsible for managing complaints involving his council, his party and his opposition.

I don’t think the Commissioner’s Office takes this seriously. I am amazed that Alex Ganotis is still allowed any influence over the ICO’s decisions about local government, regardless of how objective or benign that influence might be. I am appalled that anyone in the ICO’s senior management could think that this is acceptable. Every time the Commissioner acts or doesn’t act on a political issue, do we always need to ask: who was involved? What bias, conscious or unconscious, did they bring to bear? What other interests do they serve? In a world dominated by fake news and internet froth, the ICO’s independence and objectivity should be their highest priority. It isn’t.