On page 74 of the Information Commissioner’s newly published Annual Report, you can find the welcome news that the ICO reduced the amount of water in flushing toilets and the timings of auto flushing in urinals. Sadly, the expansion of the organisation’s footprint in Wilmslow, due to swelling numbers of staff, has led to an increase in overall emissions (insert your own joke). There is an abundance of other information about other environmental issues, including paper consumption and car journeys,
Strangely, if you look for information about one of the landmark events of UK Data Protection in 2019 – 2020, there is no sign. In December 2019, the Information Commissioner issued its first ever penalty under the General Data Protection Regulation against a company called Doorstep Dispensaree. Several pages of the report are taken up illustrating “The Year in Summary”, and the only thing mentioned for December is the launch of a consultation about AI. It’s not that the ICO had so many things to report on; one of the highlights for June 2019 was “The Information Commissioner makes a speech at a G20 side event in Tokyo“. Odd that an event which is very much the ‘only invited to the evening do’ of international speaking gigs makes the cut, but the first and so far only UK GDPR fine does not.
There are several reasons for this, I believe, all of which go to the heart of what is wrong with Elizabeth Denham’s disastrous term as Commissioner. The first is Denham’s vanity, mistaking public appearances and headlines for actual achievements. Allied to her Kim Jong Un tendencies is the prioritisation of international work and pet projects over the basics of regulation. Finally, there is a fundamental dishonesty at play – it should be deeply embarrassing for Denham that she hasn’t made a serious attempt to enforce the GDPR in two years. Because it is evidence of this failure, Doorstep Dispensaree (a solid and encouragingly detailed enforcement case that should have been the ICO’s bread and butter during this period) is written out of the story. It didn’t happen.
Most of the report is a soup of meaningless buzzphrases, presumably designed to disguise the hollow nature of what is being described. There have been “deep dive sessions” with the “most significant Digital Economy Stakeholders“, an “Innovation Listening Tour” and an “Innovation Hub”, which the ICO hopes to open up to “innovative organisations” like “catapults” and “incubators“. I think all of this that they’ve had lots of meetings; the outcomes are impossible to identify beyond wonderful “engagement“, a word which appears 22 times (‘penalty‘ appears 4 times).
It is possible to identify a couple of interesting themes. One is the ICO’s determination to support capitalism and The Man. One of the main strategic goals is “enabling innovation and economic growth“, while another is increasing trust and confidence in the way personal data is used. These are not regulatory outcomes, they are economic goals. Actual enforcement of the law is demoted to the fifth out of six goals. The ICO has established a team of people to work on the economic growth agenda, led by a Head of Economic Analysis seconded from an organisation that Wilmslow has decided we don’t need to know the name of.
The other obvious strand is both depressing and familiar, especially to an ICO refugee of such ancient vintage as myself. The joke in the ICO when I was there (2001 – 2002, fact fans) was that it didn’t matter that we never took action because “thinking is doing”, a phrase attributed to Francis Aldhouse, the Deputy Commissioner at the time. Thinking is Doing paralysed the ICO for years, but the spell was broken first by the impossibility of ignoring the cycle of security breaches begun by HMRC’s lost discs, and then by Chris Graham. For all his flaws, Graham revolutionised the ICO by allowing his staff to demolish the shameful FOI backlog and embrace the penalty powers that the lost discs fiasco gifted to Wilmslow.
Thinking is Doing is back. Doorstep Dispensaree (a thing that happened) doesn’t warrant a mention, but the BA and Marriott penalties (things that did not happen) are mentioned approvingly because they “received a large amount of media attention”
One of the case studies in the Annual Report covers the ICO’s investigation into Ad Tech. After a flurry of meetings, press releases and agreeable dinners at Cibo, the ICO was supposedly poised to rewrite the internet, but instead, the Executive Director of Shiny Things Simon McDougall promised that whatever they did, ICO would not to spoil the ad industry’s Christmas. Then, when Covid-19 gave him cover, he dropped the whole thing like a stone. McDougall is paid between £115,000 and £120,000 per year, and his contract has been renewed until July 2021, for reasons I cannot begin to understand.
The closer that the report gets to reality rather than Denham’s preoccupations with politics and online harms, the harder it gets to spare her blushes. The report cites 236 instances of “regulatory action“, but it’s really hard to work out what this means. Of that total, just 15 are fines, 7 are enforcement notices, and 8 are assessment notices (i.e. mandatory audits). There are 8 prosecutions and 4 cautions. 54 of the “regulatory actions” are in fact information notices, which do not represent action at all.
An Information Notice is an investigatory tool which might led to action, and might not; in itself, it’s just demanding information. What are the other 139 “regulatory actions“, and why doesn’t the Commissioner what to admit what they are? Has there been a blizzard of warnings and reprimands that are being kept secret? Or, as the inclusion of information notices denotes, is the maths necessary to create the 236 more akin to gymnastics?
The report boasts of ICO intervention in a number of court cases, and happily sets out their successful involvement in the Elgizouli case. It’s a sign of how thin-skinned Denham’s ICO has become that they can’t bring themselves to admit that in the other two cases they cite (the challenges to South Wales Police’s use of facial recognition and the DPA’s immigration exemption), they backed the losing side.
In the end, the figures don’t lie. The toilet flush numbers are encouraging, but other information is less reassuring. The ICO set itself a target of resolving (i.e. closing) 80% of complaints within 12 weeks. Despite receiving less complaints than in the previous year, gaining 100 staff and receiving a massive boost in funding, they managed only 74%. 84 cases are more than a year old. Despite 46% of complaints received being about subject access, the ICO took no enforcement action against subject access infringements in the period.
Perhaps most damning of all, the total number of fines issued in the period (£2,409,000) was less than half what it was in 2018 – 2019 (£5,436,000). There are people who praise the ICO for their guidance and conference appearances, but this is like measuring the police for their road safety demonstrations in schools. The ICO isn’t a “proportionate and practical regulator” – it’s far from where it should be, achieving nothing but emissions of hot air.
Denham’s foreword has an almost valedictory tone. There’s a strong effort to defend the ICO’s determination to spend time on anything as long as it isn’t related to the UK, but the final thought is about how Denham thinks she has achieved her objective of transforming the ICO into “an information rights regulator that is helpful, authoritative, tech-savvy, practical and firm“. While what she’s actually done is hollowed out a passable regulator and turned it into an ineffective, politically biased think-tank, the only positive thing I can take away from this annual report is the hope that if Denham thinks it’s mission accomplished, she will move on to pastures new. Hopefully her successor will have some experience at putting out fires.