A couple of weeks ago, the journalist Heather Brooke tweeted the following in respect of myself and another person:
She doesn’t quite call me a snide, lurking troll but we’re close. If “innocent face” is enough to get Lord MacAlpine going, then associating me with trolls (example: Frank Zimmerman, the man who threatened Louise Mensch and her kids ) is surely murky territory. Could I argue that Brooke’s comments tend to lower me in the estimation of right-thinking members of society generally or would be likely to affect a person adversely in the estimation of reasonable people generally? Brooke is the hero of the MPs expenses case, the respected journalist and authority on FOI, the esteemed tutor of the next generation of journalists. I am just a tawdry freelancing consultant. Isn’t it possible that people might well give her comments credence because of her status as a respectable public figure?
So can I sue her for libel?
Of course not, it wasn’t libel. Brooke has a low opinion of me and these weekly mentions on my blog will probably only make it worse, but she is entitled to say I’m a troll. She can say worse things and has every right to. She said it’s a shame I’m not a journalist, so maybe she already has. Brooke expressed a negative opinion about the fact that I fired critical responses to some of her tweets in quick succession. The question of whether I was simply disagreeing with her (my version) or deliberately misunderstanding her point (her version) depends on your perspective – you’re obviously free to see it her way, and given our respective respectability, you probably will. I don’t agree with her accusation, but my objection doesn’t make it libel. She didn’t accuse me of training the BNP, teaching people in how to breach the DPA and get away with it, or bribing officials to get training contracts. I haven’t done these things, and I would sue anyone who said that I did. Free speech protects our legitimate opinions even if they offend other people. However, it shouldn’t allow us to say anything, especially if anything is an unfounded accusation of a crime.
All this is by way of introduction to a doubtless unwelcome and unpopular contribution to the depressing resolution of the libel battle between the redoubtable blogger Jacqui Thompson and Mark James, Chief Executive of Carmarthenshire Council . Doubtless I will be accused of backing Team Goliath for not simply foaming at the mouth in outrage, but I cannot say my reaction is the same as most of the comments I have seen.
Much of the background to the case is like a riposte to my own defences of public sector workers. The idea that councils might fund or back libel actions for their staff in any circumstances is a disgrace. Public money is for public services, and if an officer is libelled and cannot afford to defend their reputation, they must blame our legal system or cruel fate. If Carmarthenshire’s Chief Executive accepted public funds to defend his personal reputation – even though this might have been entirely legal – he should pay the money back, as he can afford his own defence.
Moreover, all senior council officers must have a thick skin. I once dealt with a senior officer who did not want his salary disclosed because of fears his children would be bullied in the playground. He earned more than £100,000 per annum, and he was talking bollocks. Every front-line officer gets abuse from time to time and they just plough on, letting it wash over them. If you are not prepared to be called crap, incompetent, idiotic, stupid, moronic, selfish, or cowardly, whether it’s fair or unfair, you are not fit for management in local (or central) government, the Police, NHS, Fire or the rest of the public sector. Suck it up; it’s part of the job.
The most eye-catching element of the case is still troubling. Public meetings should be public places. Any restriction on filming, recording, tweeting or reporting of proceedings held in public by any person for any reason is an affront to democracy. I would include the courts in this (with necessary protections for witnesses and victims). No part of the UK, and no UK institution no matter how large or small should seek to restrict access to public proceedings, no matter what the circumstances. Any organisation that attempts to restrict coverage of public meetings – whether by professional journalists or by amateur bloggers – must be prevented from doing so. Any amount of blather from Eric Pickles disguises the fact that he has done nothing formal to protect those wanting to film or report council and other similar proceedings.
And finally, calling the police because a person is filming a public meeting and refusing to stop is ridiculous. From a purely tactical perspective in the Carmarthenshire case, it was disastrous. The people who called the police have forever ensured that this case will always be the innocent ‘armchair auditor’ against the overweening, something-to-hide establishment. Mark James won his case, but in the court of public opinion, he and his council will forever be associated with the image of an ordinary taxpayer being led away simply for wanting to report the truth, and they deserve nothing else for their poor judgement in making that image happen.
But free speech is not dead. The arrest of Jacqui Thompson for filming a public meeting is a free speech issue, and I entirely agree with her stand on that. However, this libel case was launched by Thompson and not the council. Ultimately it is about accusations of corruption versus claims of intimidation. If you haven’t read the full judgement and are going off the headlines, you should read it objectively now before you pontificate (I didn’t and I deleted tweets as a result). If you really can’t bear it, this detailed story in the Western Mail (HT: @NewsatTwm on Twitter) is very strong.
The daft arrest isn’t the decisive issue. Thompson sued Mark James, the Chief Executive, because he published a letter accusing her and her family of conducting a campaign of harassment and intimidation against council officers. James counter-sued for comments that Thompson made on her blog about perjury, dishonesty and corruption. If Thompson could justify her allegations of corruption, the comments on her blog and her actions in the Council chamber would be vindicated, and James’ comments about the campaign would probably be libellous. However, without anything concrete to back up the corruption claims, the position is reversed. If Thompson made serious and repeated accusations without evidence, she has libelled James and potentially others. No matter how outrageous the arrest was, it does not prove that anyone is guilty of corruption, or justify statements that cannot be verified. Thompson’s libel action against James is not made one tiny bit stronger by the unfairness of her arrest, and it was not an opportunity for her to be recompensed for the unfairness of that arrest. No amount of capsule sermonising from Nick Cohen changes this.
Even the sympathetic Broken Barnet coverage of the case acknowledged that Thompson “has perhaps made errors of judgement in some of the comments made in some of her posts” . But isn’t it more than that? In 2006, Thompson accused James and a planning officer of corruption and was sued by the latter for libel. She lost, and had to retract her comments and apologise in court – paragraphs 6 and 7 of the judgment – as well as agreeing to pay £7500 in costs (costs she later argued should be borne by the Council, a suggestion that I think is outrageous). Thompson made no attempt to prove that any of her allegations of corruption were true and defended herself solely on “honest comment”. Every decision and comment I have found on this defence include a variation on this quote: the comment “must explicitly or implicitly indicate, at least in general terms, the facts on which it is based”. You cannot accuse someone of corruption without something concrete to back it up.
So consider paragraph 299 from the current judgement:
“Mrs Thompson did not, when sued by Mr Bowen, attempt to prove that the allegation of corruption she made against him was true. She has never attempted to prove in court that Mr Bowen was corrupt. A defamatory publication for which there is no defence is unlawful. She accepts that she cannot prove that. She accepted during the trial that the HMCS letter bearing the Council’s stamps does not prove that the Council made any payment in respect of Mr Bowen’s libel action, and does not prove that he or Mr James, or anyone else lied or committed perjury.”
At this point, I’m out. I can’t support Thompson if this is true. Corruption isn’t just a label you apply to those who you disagree with. Even if the corruption seems painfully obvious to you through experience of beating your head against a brick wall of bureaucratic numbskullery, impenetrable decisions, and people who just seem to have it in for you. Even with all that, corruption is not a loose or metaphorical word. Accusing someone of corruption is accusing them of a crime – taking or accepting bribes, committing acts of misconduct in public office, or perpetrating fraud. This is corruption. Unhappy FOI and Data Protection applicants, bloggers, letter writers and Local Government Ombudsman complainants throw around words like corruption and conspiracy as if all they need to justify their use is a deeply held conviction. Whatever the outcome of Jacqui Thompson’s libel case had been, flinging these words around is an abuse of free speech at best. The outcome of the case shows that the courts agree.
If accused of a crime, you are innocent until proven guilty. Evidence is weighed and sifted, and an objective decision made by a court. Journalists and bloggers can play a vital role in digging up evidence of crimes, in bringing them to public attention, and forcing the hand of the police and the CPS, but ultimately, it is the courts and not the commentators who make the decision of guilt. Without evidence, your strongest conviction is worth nothing and if you cannot keep it to yourself, you risk the wrong end of a libel suit. And now we see what that’s like.
Local newspaper journalism is dying; like most people, I believe that the internet including many enthusiastic bloggers will end up replacing it entirely. But Thompson Vs James must not be misrepresented as a threat to this. In her statement on the case, Thompson said this: “I believe this judgement has dire consequences for others who publicly scrutinise and criticise their local authority, including the press”. I completely disagree with her. Nobody should feel that this case prevents them from scrutinising, criticising, mocking, or commenting on public affairs in the strongest possible terms. Get out there. Show why the decisions are shoddy, find the links between politicians and dodgy business, seek out the fraudsters, the hucksters and the bigots where they exist and show them for what they are.
But – and it’s a big but – do not accuse someone of criminal activity without something concrete. I don’t want to live in a society where allegations of criminality are made without being substantiated – that’s not free speech, it’s a witch-hunt. Nothing about this case puts the decision-makers and politicians in Carmarthenshire County Council in anything but a dire light, but I’m not paranoid enough to believe that Thompson was stitched up by the Establishment. She made accusations she couldn’t ultimately substantiate – even if they were true, she couldn’t prove it to the satisfaction of a judge. If she appeals and proves her claims to be true, refuting the idea that her campaign was illegitimate, I’ll be in a long queue to congratulate her. But she cannot win her appeal on the basis that the daft arrest was daft, or illiberal, or wrong. It was all of those things, but two wrongs do not make a right.
And if you want to call me an arsehole (guilty), a vile corporate stooge, a council apologist, a scumbag enemy of free speech, a self-hating blogger or even a wannabe journalist (not guilty), the comments section is below.
Dark times on the Wirral, as confidential memos about web filtering fly around, suggesting skullduggery on the corridors of Council power. The headlines are remarkable: “Confidential memo tells shocked Wirral councillors their emails are being read by town hall bosses“, which would be quite a thing if it was true. Following the receipt of offensive emails about Hillsborough, the Chief Executive of Wirral Council suggested that the Council could filter the emails out so that councillors would not receive them. The opposition members worked themselves up into a lather, with one, Councillor Chris Blakeley, declaring: “I think it is outrageous that the council should determine which emails we should receive”. Another, Councillor Lesley Rennie opined “My colleagues and I are absolutely appalled that there could have even been a suggestion that emails from the public could be considered for filtering“.
At the risk of starting another barney in the comments, I don’t think the Council was suggesting anything inappropriate. Whatever you think of Wirral Council (feel free not to tell me), I think it’s likely that the Council was simply offering to block offensive emails, rather than making decisions about which emails Councillors receive. The Chief Executive stated that he had received complaints about the emails, so clearly felt that some kind of response was required. As feelings across Merseyside are still understandably raw over Hillsborough, even if the Council response was inelegant, I can see why the offer was made.
However, the Councillors’ reaction and some of the comments on the Wirral Globe’s story (the commenter ‘2040TIM’ sounds like he knows what he’s talking about), raise an interesting question that I suspect many councils and most councillors have not considered. If you are not a Data Protection nerd or a dedicated council watcher, look away now.
Councillors wear up to three hats in the normal course of their activities. As participants in Council Committees and decision-making, they are part of the Council. For Data Protection purposes, they are covered by the Council’s DP notification and any incident or breach involving them would be the Council’s problem. Hat number 2 comes with membership of a political party. They may sometimes receive personal data from their party for campaigning purposes. In this scenario, the party is responsible for Data Protection. The strangest hat is the one they wear as constituency representatives. Here, neither the council nor the party is responsible. The Councillor is a Data Controller in their own right.
Much of the controversy about Councillors and Data Protection revolves around the technical issue of notification (still often called ‘registration’, despite that term belonging to the 1984 Act), and in particular who pays for it. Some councillors notify, some don’t. One Wirral blogger was told by a councillor that notification was ‘a load of tosh‘, which is an odd way for an elected representative to describe a legal requirement. Some councils pay for all of their councillor’s notifications, some don’t. However, despite the fact that numerous councillors across the UK remain without a notification, and despite the fact that the ICO has prosecuted estate agents, bar owners, solicitors and hairdressers for non-notification, no councillor in the UK has ever been prosecuted for non-notification.
The reason for this is probably that by prosecuting an errant elected member, the ICO would be crossing Eric Pickles, the Secretary of State for Communities and Local Government and an opponent of the ‘red tape’ that member notification represents. In 2011, Pickles told Conservative Home that notification for members was a ‘tax on volunteering’. In 2013, he proposed amending the DPA to exempt parish and town councillors from notification altogether (which is a good idea) and allowing councils to make a single payment for all Councillors’ notifications, which is unnecessary given that since the middle of the last decade, the ICO has accepted notification forms for all of a council’s members in one go with a single payment. I know this, because I used to do the notifications for my council’s members.
But this is all a red herring. Notification is an administrative tick-box. Under the 1984 Act, if you processed data electronically, you were covered by the Act and you had to register. If you didn’t process data electronically, you didn’t have to register and you didn’t have to comply. Under the 1998 Act, you have to comply regardless of whether you notify. If you’re exempt from notification, you still have to comply with all other aspects of the 1998 Act. If you refuse to notify, you’re committing an offence, but you still have to comply with all other aspects of the 1998 Act.
Just before Christmas, another Northern Council – Craven Council in the Yorkshire Dales – had a councillor / Data Protection controversy. The Council proposed rolling out iPads to its elected members as part of an upgrade to its IT security. Some councillors objected, and one Independent member was reported as offering “to sign up as his own data handler“, in other words, he was offering to notify as a data controller in order to avoid having the iPad. And so we come to the punchline. The Councillor was already a Data Controller whether he liked it or not. All councillors have to ensure that they are compliant with the DPA for the areas not covered by the Council or their party. Notification – and who pays the £35 – is just about the least significant aspect of this process.
For one thing, Councillors are Data Controllers for any equipment, any email account, any electronic system that they use to communicate with their constituents. The Council is their Data Processor in this context. Buried deep in the back of the Data Protection Act are surprisingly specific requirements for the relationship between a Data Controller and Data Processor – there must be a contract made or evidenced in writing, security guarantees given by the processor (the Council) to the Controller (the Councillor), and a reasonable check that the contract is being complied with. In other words, if the Wirral Councillors up in arms about what may or not be happening to their emails have not obtained a written contract from Wirral, ensuring that Wirral will act only on their instructions when handling their constituency correspondence, the Councillors are in breach of the Data Protection Act. The Council – as a data processor – is not.
It goes further. Councillors should clearly inform their constituents about the way in which their data is used. They should respond to subject access requests. The Wirral Councillors are upset about what they believe is happening to their Wirral.gov.uk email addresses, but many Councillors use Hotmail or Yahoo mail for constituency business, or at the very least have all of their Council emails auto-forwarded to an outside account. This carries both security risks that might breach the 7th DP principle, but also raises the spectre of the 8th Principle, which governs how to transfer information outside the European Economic Area (many web-based email providers use servers outside Europe).
Many senior Council officers and IT and DP specialists will weep at the thought, and I can think of one or two who will give me a smack for bringing it up. But Councils cannot dictate to their Councillors. It is clearly logical for Councillors to use systems and kit provided to them by the Council, but ultimately, they are responsible for a big slice of the data that they use as part of their work and it’s their decision. The Council is a processor, a service provider. Sticking with the robust corporate system is a reasonable idea, but they can work outside of it and if they do, Councillors are wholly responsible for what happens. In the meantime, any Councillor planning to kick up a fuss about emails or iPads or anything else should remember that if something goes wrong, the Council has a get-out-of-jail-free card for non-Council business. Perhaps they should be more shocked about that.
Last year, I wrote about the fact that Councillor Alex Ganotis, Labour leader of Stockport Council is also a group manager at the Information Commissioner’s Office. After an FOI request, the ICO admitted that he managed the teams responsible for complaints about political parties and local councils. At the time, I argued that this was an unacceptable conflict of interest, and something had to be done about it.
In May this year, shortly after being elected as Manchester’s new Mayor, Andy Burnham appointed Cllr Ganotis as his Environmental Tsar. You can watch a video of the announcement here, and ponder such fascinating questions as why Burnham’s nose is so red, or why throughout the first two minutes, the camera keeps cutting to a wide shot that captures Ganotis’ uncomfortable facial expressions while Burnham is talking. The announcement piqued my interest. If he was organising a grand summit of environmental worthies, would Cllr Ganotis really have time to work at the ICO? And if so, what effect would the review into political activities that Elizabeth Denham announced have on his role?
I made an FOI request to the ICO for the following information:
1) In 2016, the ICO confirmed to me that Alex Ganotis was manager of the team that dealt with complaints about councils and political parties, despite being Leader of Stockport Council at the time. Can you confirm whether Mr Ganotis is still a member of ICO staff, and if so, what is his current job, and what arrangements have been made to avoid any potential conflict of interest?
2) What is the current ICO policy and process for dealing with political party affiliations and potential conflicts of interest?
3) In August 2016, the Information Commissioner announced in an interview with the BBC’s Martin Rosenbaum that she had ordered a review of the involvement of ICO staff in political activities. I would like to see any report or findings arising out of the review, or other summary of the review and its findings, and details of any actions that were taken as a result of it.
4) I would like to receive all current declarations made by any member of staff of involvement in political activities
5) What specific measures have been taken in respect of each staff member who has made a declaration to ensure that there is no conflict of interest?
The response made for fascinating reading. For one thing, Cllr Ganotis remains a Group Manager at Wilmslow and although his group no longer deals with political parties, it still covers issues related to all local authorities in the UK except for those in Greater Manchester, Cheshire or Derbyshire. How politicians and others in every council outside the North West feel about complaints about their authorities still being supervised by the Leader of a Labour Council and a close ally of Andy Burnham is hard to judge. They might be thrilled. Maybe the ICO should ask them.
The report I received under item (3) of my request did contain an option to remove Cllr Ganotis from work involving local authorities altogether, but one of the reasons that this option was not recommended was the fact that “it could be seen to question the professionalism of Alex and other members of staff and their ability to apply the law without bias or political influence“. How Cllr Ganotis’ political career could possibly be seen to reflect on other people is beyond me, but it is jarring that a significant factor in the decision to keep him involved in council work might have been the effect on him, rather than the Commissioner’s ability to operate independently. To be blunt, the ICO as a whole is more important.
UPDATE: I have attached the ICO’s report into the conflict of interest here, so readers can judge whether how objective and balanced it is: Commissioner Information Note – Political Activities.pdf
Unless every team in the ICO handles complaints about local authorities (and to lesser extent, government), Cllr Ganotis should have been moved to one that doesn’t. Having decide to pursue a high-profile political career, asking him to make a sacrifice to avoid conflicts of interest and their perception would not be too much. I am surprised that Cllr Ganotis has not requested such a transfer himself. To risk even the perception of influence over decisions about politically-run organisations, and at the same time pursue a high-profile political career suggests either an enormous amount of faith in one’s ability to compartmentalise, or just old fashioned hubris.
The review identified gaps in the ICO’s Political Activities Policy, with recommended “updates” including a stipulation that staff must avoid party political activities which might impair their ability to perform their duties impartially, a requirement to inform the ICO if their activities or areas of responsibility change, and the scope to remove permission to undertake political activities if an individual’s ICO role or political activity changes. Needless to say, this means that none of this existed before.
The rest of the FOI request suggests a continuing unwillingness to face the issue of political involvement. Including Cllr Ganotis, eight staff members have made declarations of involvement in political activities, but the ICO refused to tell me who the other seven are, or what they do, claiming that the data is sensitive personal data. This is true, but it is not automatically a barrier to disclosure. For one thing, the Secret Seven could be asked for consent, and this is not the only route to disclosure.
There is surely a legitimate interest in knowing whether people working for an independent regulator such as the Commissioner have political affiliations, especially when you consider the ICO’s involvement in political matters. Over the past few years, the ICO has fined Leave.EU, David Lammy MP over his London Mayoral Campaign, the Daily Telegraph for its pro-Tory emails during the 2015 election, and in recent months, they took no action against Virgin Trains following Jeremy Corbyn’s antics in a train vestibule. More importantly, the Commissioner herself announced a formal investigation into the use of data analytics for political purposes with no small amount of fanfare, involving 20 staff. The ICO is knee-deep in politics and transparency over the declared political activities of the staff is in the public interest.
As the data is sensitive personal data, legitimate interests would not be enough; a condition must also be met from Schedule 3 of the Data Protection Act as well. One of the conditions is that the Data Subject has put their sensitive data into the public domain. If, for example, a senior ICO staff member was to mention on their LinkedIn page that they were a Councillor for 9 years, the Campaigns and Communications Officer for an MEP for five years, listed the Liberal Democrats as one of their main interests and was recommended for ‘politics’ and ‘political campaigning’ by dozens of people, I think I can argue that at least this one has manifestly made their political views public. The ICO refusal says “our staff do not have a reasonable expectation that their declarations would be disclosed into the public domain“, but the staff member in question was a candidate for the LibDems in the 2015 General Election, so I humbly suggest that the cat is out of the bag. Either this person is one of the seven, and the ICO’s arguments are false, or they haven’t made a declaration, and the ICO’s claim to me that “the review and policies are sufficient to demonstrate that we avoid conflicts in our work” is nonsense. Again, did they consider this before refusing me?
Every national, local, or internal party election or referendum runs on personal data, and personal data is exploited, analysed, shared, lost, stolen and misused in every single one of them. If you can name a major vote in this decade that hasn’t resulted in a DP snarl-up, you’ve a better memory than me. If there is one word that shines through everything the Commissioner sent me on this topic, last time and this time, it’s complacency. The policies and procedures that existed before and the ones that have replaced them are built on an obvious assumption that a box needs to be ticked. Of course nobody is actually going to do anything untoward, the managers are on top of it, staff will proactively declare any conflicts of interest and besides, we have a procedure. But they thought it was all fine before. If I had not written my blog last summer, Cllr Ganotis would still be responsible for managing complaints involving his council, his party and his opposition.
I don’t think the Commissioner’s Office takes this seriously. I am amazed that Alex Ganotis is still allowed any influence over the ICO’s decisions about local government, regardless of how objective or benign that influence might be. I am appalled that anyone in the ICO’s senior management could think that this is acceptable. Every time the Commissioner acts or doesn’t act on a political issue, do we always need to ask: who was involved? What bias, conscious or unconscious, did they bring to bear? What other interests do they serve? In a world dominated by fake news and internet froth, the ICO’s independence and objectivity should be their highest priority. It isn’t.
To bowdlerise Viz Comic, chuff me, it’s all kicking off in Buxton. The fine folk of High Peak Borough Council had a little local difficulty last week after getting into a tussle with a redoubtable local concerned about how much the Council was paying to maintain closed office buildings. Having disclosed the costs under FOI, the applicant complained that High Peak were refusing to allow him to share the information with anyone else, including the press. With commendable restraint, John Phillips, the editor of the Buxton Advertiser, summarised the situation as follows:
“It’s like a gagging order, and smacks of Orwell’s 1984”
As one of the commentators on Hold the Front Page pointed out, organisations often have a standard boilerplate attached to FOI responses making grand claims about re-use of information, and it seems likely that this is at the root of this problem. A quick trip to the foaming pages of What Do They Know seems to confirm this, as High Peak’s Re-Use warning is bracing:
“Under the Re-use of Public Sector Information Regulations 2005, if you wish to re-use any information that you have been provided with by the Council for any purpose that is not your own individual use, you require the written consent of the Council. In order to make a request you should write to the Council for permission to use the information and provide your name and address and state the purpose for which the document is to be re-used.”
There is a slight problem with the first sentence. FOI applicants to High Peak, and any other authority using a similarly stern warning, do not need written consent to re-use ‘any information’. The Re-Use Regulations cannot be applied to “any” information because much information disclosed under FOI and EIR isn’t subject to copyright. Even if you refuse me consent to re-use your data, unless you own the copyright, there’s nothing formal to prevent me publishing it, selling it, or having it tattooed on my forehead. I could, for example, re-use data disclosed by High Peak in November 2011 in response to an FOI request about stray dogs by telling you that 13 strays impounded in 2010 were reclaimed by their owners. I don’t have High Peak’s permission to do this, but I doubt they’re rolling out their copyright lawyers as we speak because you can’t copyright a number of stray dogs. 13, 13, 13. The world still turns.
It’s completely unfair to pick on High Peak in this way because they’re not alone. The Re-Use Regs emerged in the shadow of FOI and EIR in 2005, and they didn’t make a lot of sense to a lot of people because they simply permit rather than require them to introduce a re-use regime. Tell most people in the public sector that something is optional and they will legitimately ignore it because there will always be something else that they do have to do. Moreover, public authorities are legitimately concerned about the way that FOI information is used to stitch them up. To quote one example, every time a newspaper reports how much a council spends on alcohol, remember that councils own leisure and cultural facilities and host weddings, so they sell the alcohol and get their money back. They’re probably not having parties at your expense. And finally, because some of the information they disclose actually will be copyright protected, they don’t want to lose whatever rights they do have. Hence the stentorian warnings – but the organisations that do this are using an unhelpful, blanket approach because they don’t know enough about the issue.
Kirklees Council advises web users that “Most council information is protected by copyright”, while Tower Hamlets claim that “Most of the information that we provide in response to Freedom of Information Act 2000 requests will be subject to copyright protection”. HS Western Cheshire declares that apart from private research, “Any other re-use, for example commercial publication, would require the permission of the copyright holder (i.e. the PCT). And so, you must ensure that you gain our permission before reproducing any information.” Does that include me quoting the copyright warning on my blog so that I can say that I think it’s nonsense? Given that much of the data that fuels a public sector organisation is factual, I don’t believe that these statements are correct.
A glance at the Intellectual Property Office’s website shows that to be covered by copyright, content has to be the result of “independent creative effort”. Any document copied from something else won’t be protected, so every person who has ever begun a project with the phrase ‘let’s not reinvent the wheel’ is on a hiding to copyright nothing. Leave aside the legitimate argument that public sector data should be freely available because it has already been created using personal and business taxpayers’ money. Any request for statistics, facts, or other raw information is more or less outside copyright to begin with, so re-use and awful warnings are irrelevant. Much of the information that could be subject to copyright – policies, documents, correspondence – lacks the inherent value that would justify taking action to defend copyright, so the organisation wouldn’t waste public money doing so.
And most important of all, although the ‘fair dealing’ provisions of copyright law are by no means simple, they do give journalists and others the right to comment and criticise, which is where we came in. Even if High Peak could have claimed copyright on the costs of running their empty properties (which I believe they could not), copyright and re-use would not prevent the applicant from passing the data to the local press. The Council may not even have intended this impression to be created, but nobody forced them – or anyone else – to use such a daft and excessive copyright warning. It helps no-one to create a false impression of how far copyright and re-use actually go – the confusion in applicants’ minds and resentment of perceived but imaginary copyright slights just muddies already murky waters.
I have two suggestions. The first is that when an FOI or EIR disclosure is made, the person sending out the response makes a balanced and informed decision about whether a claim of copyright could be made on the disclosed information. If this seems like too much work, I have an alternative re-use notice which all readers of this blog are more than welcome to use, copyright free.
There is a possibility that if the information we are disclosing to you was the subject of independent creative effort, or a huge amount of work, it wasn’t based on someone else’s work or isn’t, in fact, someone else’s work in the first place, we own the copyright on it. We don’t have the time or resources to track what you do with our information – if it is ours – and we haven’t actually looked at the information here to decide whether any of this is the case, so we’re attaching this notice to instil in you a vague sense of uncertainty about what you can do with it. We definitely don’t want you to make any money out of it but we probably won’t notice.
My favourite part of the Information Commissioner’s website is the blog, where a succession of ICO notables talk about how marvellous their particular corner of the business is. The enterprise appears to be modelled on the Opinion section of The Onion, and I look forward to each new instalment with childlike enthusiasm. I’m really hoping they let the Internal Compliance people do one about people who make subject access requests in green ink. They have my permission to publish the mugshot from my driving license.
In the meantime, the one entitled ‘Education key to cookie law success’ by Dave Evans is certainly worth a read. Evans opens his post with the startling claim that “One area where I’ve seen most progress is cookie guidance”, a statement that makes sense only if he’s talking about the document produced by the International Chamber of Commerce, but the rest of the blog is definitely about the apparently marvellous work the ICO has been doing on cookies. I’ve been running – with a growing sense of futility – online courses on the cookie law for more than a year, and in the context of the ICO, “success” and “cookies” are phrases that repel each other like the opposing poles of a magnet. Cookies affect the private sector at least as much as the public sector, and often, much more so. This perhaps explains why the ICO has found it so challenging. Consider some of the landmarks:
- The ICO published guidance called ‘Changes to the rules on using cookies and similar technologies for storing information’ on 9th May 2011 that stated: “The new legislation comes into force on 26 May 2011. You need to take steps now to prepare and ensure you are ready to comply.” The Commissioner himself ‘urged’ website owners to get to work in an associated press release:
- Two weeks later, the day before the regulations came into force, the ICO suddenly decided not to enforce this same law for a year.
- Even though the Commissioner’s slightly patronising school-themed ‘Half-Term Report’ of December 2011 included the comment that “if you are struggling with this part of the rule you are seriously lagging behind”, six months later, Dave Evans was reported by The Register to have said “We don’t expect all organisations not compliant on the 27th to have some evidence of taking action to be compliant.”.
- On 13th December 2011, the ICO stated that consent – the vital disputed issue at the centre of all the cookie confusion – “must involve some form of communication where an individual knowingly indicates their acceptance”. They deliberately highlighted this quote out on their website. Two days before the ICO ended its self-imposed cookie enforcement abstinence in May 2012, they issued guidance that stated, “while explicit consent might allow for regulatory certainty and might be the most appropriate way to comply in some circumstances this does not mean that implied consent cannot be compliant”.
In other words, anything to avoid going after the private sector. This unwillingness to take action was underlined by an interview Evans gave to a website in April in which he said that the ICO might not to enforce against someone breaching the cookie law, purely because the website might lose money: “if a company’s revenue would drop if it went for a strict opt-in, then we could look at different ways of educating users and gaining consent”. Every cookie case has already been pre-judged as not meeting the threshold for a civil monetary penalty.
Even though the ICO’s current position seems to be ‘whatever it is you’re doing about cookies is fine’, some in the web industry are so frustrated they have taken to goading the Commissioner to take action against them . In response to this criticism, the ICO’s position probably reveals what lies behind the problem. A spokesman said: “It’s worth noting that this website criticises those regulations, but the ICO is responsible only for regulating those who must comply with the law, and not for how it was drafted”
The ICO’s response raises the question of why the change happened in the first place. The argument about whether consent needs to be active or can be inferred from some specific action is a bit sterile – the intention of the change was clearly to shift the onus from users opting-out to websites getting evidence of users’ preferences. In the old version of the Regulations, users of the internet were to be given “the opportunity to refuse the storage of or access to” a cookie; in the new version, users must have “given his or her consent”. Few of the EU’s citizens spend fretful nights over the lurking menace of cookies on their computers, even those who are concerned over their privacy. Subtly dropped onto your machine by unseen electronic tentacles, the cookie is more insidious than the noisy spam text, but it’s equally easy to get rid of. Most web browsers include an option to reject them outright or purge them at the click of a mouse. So why make the change?
My answer to this question is simple, and it goes some way to explaining the ICO’s clod-hopping reluctance to engage with the cookie changes. The cookie changes are their fault. Though the story is a familiar one to many, I’m surprised that it hasn’t been revisited more often in recent months. Some years ago, a company called Phorm started to hit the headlines. The Phorm product (WebWise) worked like this: ISPs provide data to Phorm about the browsing habits of their customers using a cookie. Websites access the cookie, and knowing what sites had been browsed, allows them to display just random adverts, but ones tailored to the interests indicated by the recent browsing. Everyone makes money (except the user whose web browsing has been monetised).
Less ambitious / troubling versions of this idea are alive and well on the internet right now, but the idea of the ISP tracking your every move and selling the results to others didn’t go down very well with Joe Punter. The alleged KGB past of the company’s saturnine CEO Kent Ertugrul probably didn’t help public perception much, but what really lit a fire under Phorm was the revelation that the system had been tested by BT and none of the customers involved knew about it. I should probably put the Phorm / BT case that what they did wasn’t a breach of anything, that no personal data was gathered etc. etc. But their interpretation doesn’t convince me and more importantly, there was no reason to do the trial in secret. BT deserves opprobrium on that point alone. As the fury over the secret trial and the implications of the product itself increased, customers on all sides melted away, and Phorm pulled out of Europe altogether.
The ICO took no action against either Phorm or BT for the secret trial, and a perfect way to understand their approach is to track down a document entitled “Phorm: The ICO View”, published in April 2008, but no longer on their website (thanks, WhatDoTheyKnow for reminding me of it, and to @blepharon for this link). “Whether or not the deployment of the Phorm products raise matters of concern to the Commissioner will depend on the extent to which the assurances Phorm has provided so far are true. The Commissioner has no reason to doubt the information provided by Phorm but some technical experts have publicly expressed concerns.”. The instinct when dealing with big organisations, ‘stakeholders’ or the private sector is believe what you’re told and accommodate and ameliorate rather than act. It’s hard to believe a council or NHS trust being given the same generous benefit of the doubt.
Look at Google. When dealing with the allegation that Google had secretly slurped Wi-Fi data from thousands of UK citizens, former Assistant Commissioner Phil Jones and Dave Evans (remember him?) met with Google, resulting in a decision to delete all the inconvenient and potentially incriminating data, with no further questions. Google was a valued stakeholder needing only a friendly meeting, rather than a data controller that might have breached the law. Evans’ blog states: “In my experience of working as the ICO’s industry strategic liaison manager, the vast majority of businesses want to operate within the law”. But Evans’ experience ought to show that the Streetview data turned out to be more personal than previously advertised, resulting in the ICO having to ask Google to sign an undertaking. Their press release at the time said that Google had been ‘instructed’ to sign, but the whole point of an undertaking is that it is voluntary. Only now that this undertaking has apparently been breached has Google Streetview finally been passed to the Head of Enforcement. Altogether, it’s not quite a ringing endorsement of strategic liaising.
To misquote The Dark Knight, I believe in Chris Graham, the current commissioner. He clearly has more guts than his predecessor, he sorted out the shameful FOI backlog, he has taken more enforcement action than any of the three previous Wilmslow incumbents put together, and his public persona is polite but increasingly pugnacious, precisely the kind of attitude to persuade recalcitrant organisations to take Data Protection seriously. But the cookie debacle is evidence of the Old ICO alive and well: vague, deferential, ineffectual, and embarrassing. In other words, nobody’s definition of success.
NB: The tradition in writing about cookies is to use one of a limited number of obvious cookies puns or references in the title. I have chosen the most obscure I can think of, and if you recognise it, you should be as ashamed of yourself as I am.
I had intended this blog to cover all aspects of information governance including marketing, but unfortunately, my anorak’s habit of reading terms and conditions has already got the better of me in a possibly irrelevant way.
In Waitrose’s weekly magazine, they had a competition sponsored by Jordan’s Cereals to win a weekend in Norfolk. As always, the terms and conditions seek to ensure that if Anything Happens, the promoters will not be in the frame for any legal action. However, I have to assume that Jordan’s are using some kind of parent company devised for a prize trip to a Disaster Movie, because the alternative foresees a nightmarish future for Norfolk. Forget the torment in the Middle East and the tropical storm in New York, it’s all apparently coming to East Anglia
The first bit is covers the corporate back in general terms:
“The Jordan’s & Ryvita Company Limited accepts no responsibility for any damage, loss, liabilities, injury or disappointment incurred or suffered by You as a result of entering the
Competition to accepting any prize”.
Now, I’m with Jordan’s here. If the winner doesn’t enjoy their trip to Pensthorpe, or the runners-up find their Emma Bridgewater bowls to be less than delightful, I don’t think they should be able to sue anyone for ‘Disappointment’. I’ve been disappointed by something pretty much every day since I was nine, and I’ve always accepted it as a character flaw rather than an opportunity for litigation.
However, the next bit sounds like legal brainstorming gone a little too far. I say again, the winner goes to Norfolk.
“The Jordans & Ryvita Company Limited shall not be liable for any failure to comply with its obligations where the failure is caused by something outside of its reasonable control. Such circumstances shall include, but not be limited to weather conditions, fire, flood, hurricane, strike, industrial dispute, war, hostilities, political unrest, riots, civil commotion, accidents, supervening legislation, or any other circumstances amounting to force majeure.”
I’m assuming that plague, alien invasion and Giant Lovesick Ape from Skull Island are wrapped up in ‘any other circumstances’. There’s a town not a million miles away from me that does look like it has suffered a hurricane, but generally speaking, unless the winner has cheated death in a Final Destination movie, I don’t believe Norfolk is likely to play host to any of the anticipated calamities. Or is this simply an awful portent of what is to come?
Yesterday, after at least a year of pondering it, the Information Commissioner asked the Universities and Colleges Admissions Service (UCAS) to sign an undertaking, agreeing to change the way in which they obtain consent to use students’ data. The data is obtained as part of the application process and subsequently used for marketing a variety of products and services, and UCAS has agreed to change its approach. It’s important to note that this is an undertaking, so UCAS has not been ordered to do anything, nor are there any direct consequences if they fail to do what is stated in the undertaking. An undertaking is a voluntary exercise – it is not served, it does not order or require, it simply documents an agreement by a Data Controller to do something.
Aspects of the story concern me. The ICO’s head of enforcement is quoted as saying: “By failing to give these applicants a clear option to avoid marketing, they were being unfairly faced with the default option of having their details used for commercial purposes” but given that the marketing was sent by text and email, the opportunity to “avoid” marketing is not what should have been in place. If UCAS wanted to sell access to university and college applicants, they needed consent – which means opt-in, not opt-out. As the undertaking itself points out, consent is defined in the EU Data Protection Directive as freely given – an opt-out cannot constitute this in my opinion. If you think that an opt-out does constitute consent, try transposing that thinking into any other situation where consent is required, and see how creepy your thinking has suddenly become. Consent should be a free choice, made actively. We should not have to stop commercial companies from texting and emailing us – the onus should be on them to make an attractive offer we want to take up, not on consumers to bat away their unwanted attentions.
It’s entirely possible that the ICO’s position on consent is better expressed in the undertaking itself, but here we have a little problem. At least when it was published yesterday, half of the undertaking was missing. Only the oddly numbered pages were published, so presumably the person who scanned the document had a double-sided original and didn’t notice that they had scanned it single-sided. The published document also included one page of UCAS’ covering letter and the final signed page of the undertaking, which the ICO never normally publishes. This mistake reveals some interesting nuggets that we wouldn’t normally know, from the trivial (the Chief Executive of UCAS signed the undertaking with a fountain pen, something of which I wholeheartedly approve) to the potentially significant (the covering letter sets out when UCAS might divert resources away from complying with the undertaking).
But that’s not the point. The point is that the ICO uploaded the wrong document to the internet, and this is not the first time it has happened. I know this because on a previous occasion, I contacted the ICO to tell them that they had done it, and many people on my training courses have also seen un-redacted enforcement and FOI notices on the ICO website. The data revealed in the UCAS case is not sensitive (although I don’t know how the UCAS Chief would feel about her signature being published on the internet), but that’s not the point either. The ICO has spent the last ten years taking noisy, self-righteous action against a variety of mainly public bodies for security slip-ups, and the past five issuing monetary penalties for the same, including several following the accidental publication of personal data on the internet.
The issue here is simple: does the ICO’s accidental publication of this undertaking constitute a breach of the 7th Data Protection Principle? They know about the risk because they’ve done it before. Have they taken appropriate technical and organisational measures to prevent this from happening? Is there a clear process to ensure that the right documents are published? Are documents checked before they are uploaded? Does someone senior check whether the process is being followed? Is everyone involved in the process properly trained in the handling of personal data, and in the technology required to publish documents onto the web? And even if all of these measures are in place, is action taken when such incidents are identified? If the ICO can give positive answers to all these questions, then it is not a breach. Stuff happens. But if they have not, it is a breach.
There is no possibility, no matter how hilarious it would be, that the ICO will issue a CMP on itself following this incident, although it is technically possible. What should happen is that the ICO should quickly and effectively take steps to prevent this from happening again. However, if the Information Commissioner’s Office does not ask the Information Commissioner Christopher Graham to sign an undertaking, publicly stating what these measures will be, they cannot possibly speak and act with authority the next time they ask someone else to the same. Whether they redact Mr Graham’s signature is entirely a matter for them.
UPDATE: without acknowledging their mistake, the Information Commissioner’s Office has now changed the undertaking to be the version they clearly intended to publish. One wonders if anything has been done internally, or if they are simply hoping that only smartarses like me noticed in the first place.
Amongst the hype over the end of negotiations over the new EU Data Protection Regulation, one theme kept emerging again and again: Big Penalties. It’s understandable that people might want to focus on it. The UK goes from a maximum possible penalty of £500,000 to one of just under £15,000,000 (at today’s Euro conversion rate) or even 4% of a private enterprise’s annual worldwide turnover. Only a fool would say that it wasn’t worth talking about. It’s much more interesting than the bit about Codes of Practice, and it’s easier to explain than the section about certification bodies.
It would be equally foolish to assume, however, that penalties on this scale will rain down from Wilmslow like thunderbolts from Zeus. At the same time as many were talking up the future, the Information Commissioner issued two monetary penalties under the current regime, one under Data Protection (£250 for the Bloomsbury Patient Network) and one under the Privacy and Electronic Communications Regulations (£30,000 for the Daily Telegraph). The £250 penalty is the lowest the ICO has ever issued for anything, while the PECR one is the lowest for a breach of the marketing rules, notwithstanding that the Daily Telegraph is probably the richest PECR target at which the ICO has taken aim.
You could argue that the embarrassment caused to the Telegraph carries an added sting (the ICO has never before taken enforcement action against a newspaper). It’s equally likely that the oligarchs who own the paper will consider £30,000 (£24,000 if they pay up in 35 days) to be a price worth paying if it had the desired effect on the outcome of a very close election. They’ll probably do it again.
In any case, the Bloomsbury Patient Network CMP is much worse. The Regulation calls for monetary penalties to be effective, proportionate and dissuasive, and yet everybody at the ICO thought that a £250 penalty, split between three people, was action worth taking and promoting. The Commissioner himself, Christopher Graham told the DMA in March 2015 that the ICO was not a ‘traffic warden‘, but if the Bloomsbury Three pay up on time, the £66.67 penalty they each face is no worse than a parking ticket you didn’t pay in the first fortnight.
The ICO’s press release claims that the penalty would have been much higher if the data controller had not been an ‘unincorporated association’, but this is irrelevant. The ICO issued a £440,000 PECR penalty against two individuals (Chris Niebel and Gary McNeish) in 2012, while the Claims Management Regulator recently issued a whopping £850,000 penalty against Zahier Hussain for cold calling and similar dodgy practices. The approach on PECR and marketing is positively steely. The problem clearly lies in Data Protection enforcement, and that is what the Regulation is concerned with.
The size and resources of the offending data controller are a secondary consideration; the test is whether the penalty will cause undue financial hardship. The ICO could bankrupt someone or kill their business if they deserved it. The Bloomsbury Patient Network’s handling of the most sensitive personal data was sloppy and incompetent, and had already led to breaches of confidentiality before the incident that gave rise to the penalty. Enforcement action at a serious level was clearly justified. Even if the level of the penalty was high enough to deter well-meaning amateurs from processing incredibly sensitive data, this would be a good thing. If you’re not capable of handling data about a person’s HIV status with an appropriate level of security, you have absolutely no business doing so at all, no matter good your intentions are. Donate to the Terence Higgins Trust by all means, but do not touch anyone’s data. If the ICO lacks the guts to issue a serious penalty, it would be better to do nothing at all and keep quiet, rather than display their gutlessness to the world.
Whoever made this decision cannot have considered what message it would send to organisations large and small who already think of Data Protection as pettifogging red tape, low on the agenda. Is there an organisation anywhere in the country that would consider the slim chance of being fined £66.67 to be a deterrent against anything. A fine is a punishment (it has to cause pain to those who pay it) and it is a lesson to others (it has to look painful to the wider world). The Bloomsbury Patient Network CMP is neither.
Despite the increased expectations raised by the GDPR, the ICO is actually losing its appetite for DP enforcement, with 13 Data Protection CMPs in 2013, but only 6 in 2014 and 7 in 2015. Meanwhile, there have been 24 unenforceable DP undertakings in 2015 alone, including one against Google which you’re welcome to explain the point of, and another (Flybe) which revealed endemic procedural and training problems in the airline which are more significant than the moronic cock-ups that went on at the Bloomsbury Patient Network. Wilmslow is so inert that two different organisations have told me this year that ICO staff asked them to go through the motions of self-reporting incidents that ICO already knew about, because the only way the enforcement wheels could possibly begin to turn was if an incident was self-reported. ICO staff actually knowing that something had happened wasn’t enough. It’s these same timid people who will be wielding the new powers in 2018.
Admittedly, there will be a new Commissioner, and it’s possible that the Government will pick a fearsome enforcement fiend to go after Data Protection like a dog in a sausage factory. You’ll forgive me if I don’t hold my breath. Nevertheless, something in Wilmslow has to change, because the General Data Protection Regulation represents a clear rebuke to the ICO’s DP enforcement approach.
Most obviously, in the long list of tasks in Article 52 that each Data Protection Authority must carry out, the first is very powerful: they must “monitor and enforce” (my emphasis) the application of the Regulation. Someone recently said that in certain circumstances, some organisations require a ‘regulatory nudge’, but the Regulation is much more emphatic than that. The ICO’s preference for hand-holding, nuzzling and persuading stakeholders (especially those where former ICO colleagues have gone to work) is a world away from an enforcement-led approach.
The huge increase of penalties throws down the gauntlet, especially when the ICO has rarely approached the current, comparatively low UK maximum. But the ICO should also pay close attention to the detail of Article 79 of the Regulation, where the new penalties are laid out. Of the 59 ICO monetary penalties, 57 have been for breaches of the 7th principle (security). The Regulation has two levels of penalty, the lower with a maximum of €10,000,000 (or 2% of annual turnover), and the higher with a maximum of €20,000,000 (or 4% of annual turnover). Breaches of Article 30, a very close analogue to Principle 7, is in the lower tier.
Admittedly, the higher penalty applies to all of the principles in Article 5 (which in a somewhat circular fashion includes security), but it explicitly covers “conditions for consent“, “data subject rights” and infringements involving transfers to third countries, areas untouched by the ICO’s DP penalty regime. The Regulation envisages monetary penalties at the higher level for processing without a condition, inaccuracy, poor retention, subject access as well as new rights like the right to be forgotten or the right to object. The ICO has issued a solitary penalty on fairness, and just one on accuracy – it has never fined on subject access, despite that being the largest single cause of data subject complaints.
The Regulation bites hard on the use of consent and legitimate interest, and misuse of data when relying on them would again carry the higher penalty. Most organisations that rely on consent or legitimate interest are outside the public sector, who rely more on legal obligations and powers. Indeed, the Regulation even allows for the public sector to be excluded from monetary penalties altogether if a member state wishes it. Nevertheless, since they got the power to issue them, only 24% of the ICO’s civil monetary penalties have been served on organisations outside the public sector (2 for charities and 12 for private sector).
I doubt the ICO is ready for what the Regulation demands, and what data subjects will naturally expect from such a deliberate attempt to shape the enforcement of privacy rights. The penalties are too low. The dwindling amount of DP enforcement is based almost exclusively on self-reported security breaches. While the Regulation might feed a few private sector cases onto the conveyor belt by way of mandatory reporting of security breaches, it will do nothing for the ICO’s ability to identify suitable cases for anything else. Few ICO CMPs spring from data subject complaints, and anyone who has ever tried to alert Wilmslow to an ongoing breach when they are not directly affected knows how painful a process that can be. The ICO has not enforced on most of the principles.
It’s been my habit whenever talking about the Regulation to people I’m working for to emphasise the period we’re about to enter. There are two years before the Regulation comes into force; two years to get ready, to look at practice and procedure, two years to tighten up. The need to adapt to the future goes double for the Information Commissioner’s Office. Instead of canoodling with stakeholders and issuing wishy-washy guidance, wringing its hands and promising to be an ‘enabler’, the ICO should take a long hard look in the mirror. Its job is to enforce the law; everything else is an optional extra. It’s wise to assume that the wish for total DP harmonisation will probably be a pipe dream; it’s equally obvious that the Regulation will allow for much easier comparisons between EU member states, and the ICO’s lightest of light touches will be found wanting.
June is a significant time for Data Protection in the UK. At the end the month, we have the EU vote (where a vote to leave will throw at least the timetable for implementation of the new General Data Protection Regulation into disarray) and Christopher Graham steps down as Information Commissioner, to be replaced by Elizabeth Denham. There are several reasons to be optimistic about Denham’s appointment – she is the first Information Commissioner to have previous experience of privacy and FOI work, she has already taken on big corporate interests in Canada, and she isn’t Richard Thomas.
However, Denham inherits a series of headaches as she begins her reign as Elizabeth II, and it’s difficult to know which of them will be the hardest to shake off. There is the GDPR implementation, which would be a challenge even without the uncertainty that Brexit will create. She also has to tackle the ICO’s lack of independence from Government, which results in scandalous outcomes like the admission in an FOI response that Wilmslow takes orders from its sponsor department (see answer 3 here). But perhaps biggest of all is the ICO’s approach to enforcement.
On FOI, the ICO doesn’t approach enforcement – it does pointless monitoring and audits without any evidence of success, and the major government departments use the ICO as their internal review, sometimes not bothering to answer requests unless ordered to do so by an ICO case officer. The sole enforcement notice in the past five years wasn’t even promoted by the office because the now departed Deputy Commissioner Graham Smith didn’t want to draw attention to the failure to tackle Whitehall’s FOI abuses.
On Data Protection, the approach is to enforce against self-reported security breaches. There is nothing wrong with lots of enforcement on security – it’s a significant requirement of the legislation and many people are concerned about it. The problem is that Wilmslow doesn’t enforce on anything else, despite breaches of the other principles being widespread and obvious. Unless I missed one, the ICO has issued 61 Data Protection monetary penalties since getting the power to do so. Two have been for non-security breaches: Pharmacy 2U (1st principle data sharing without consent) and Prudential Insurance (accuracy). The overwhelming majority of enforcement notices (and undertakings, if you count them, which you shouldn’t) are on security matters. This is despite the fact that the UK has a massive culture of unlawful data sharing, over-retention, flouted subject access and perhaps most obvious, rampant, damaging inaccuracy. The ICO does nothing about it.
A classic example is a story reported in the Observer about the Dartford Crossing between Kent and Essex. Automatic Number Plate Recognition is used by Highways England to issue penalty charges to drivers who use the crossings without paying by phone or web within a fixed period of time. The only problem is that drivers who have never used the crossing are getting the penalties, but it is more or less inconceivable that the ICO will take action.
Having used the crossing myself, I can confirm that there are some Data Protection issues with the signage around the bridge / tunnel – the Observer article explains well how the signs can easily be confused with those for the London congestion charge, which works entirely differently. This is, in itself, a potential data protection breach, as personal data needs to be obtained fairly, especially when the data being obtained (the license plate) will not only be used to levy a charge, but because court action may result for non-payment.
One person is quoted in the article as having being charged because the system misread a ‘C’ as a ‘G’. The Observer also reports that hire car users sometimes find penalties aimed at the wrong person because Highways England don’t specify a date that the charge applies to. In another case, the person receiving the charge had sold the car in question, and had a letter from DVLA to prove it. As with most of these situations, terrible customer service and inflexible processes mean that even when a charge is applied to the wrong person, nobody in the food chain has the authority or the inclination to sort things out. Both of the individuals cited in detail by the Observer were headed for the baliffs until the Observer got involved, and all action was terminated. Research by Auto Express notes that only 1 in 25 people appeal their penalty, but 80% of those that do are successful.
Every time Highways England / Dart Charge issues a penalty against the wrong person, it is a breach of the fourth Data Protection principle, which states that “Personal data shall be accurate, and where necessary, up to date”. Note the lack of any qualification or context here – data is accurate, or it’s a breach. Clearly, this means that most organisations are breach DP every minute of every day simply because of typos, but even adopting a flexible approach, there can be no doubt that demanding money and threatening court action is a situation where the Data Controller must be certain that the data is accurate, and if they get the wrong person, it’s a breach. The security principle talks about “appropriate measures” to prevent incidents, but the fourth principle doesn’t: it’s absolute.
Highways England / Dart Charge have breached the DPA, but would it be possible for the ICO to take action? In order to issue a monetary penalty, the ICO has to meet a series of tests.
1. The breach is serious
Dart Charge are pursuing people for debts they don’t owe. It’s serious.
2. The breach is deliberate
This one is potentially tricky, as we would need evidence that Highways England know that they are operating on the basis of inaccurate information in order for the breach to be deliberate. I can’t prove that Highways England are deliberately pursuing people, knowing that they are the wrong targets, although one of the Observer readers quoted gives clear evidence that they might be: “I spent 20 minutes trying to get through to someone who kept telling me I had to pay, even though he could see the problem”. However, we don’t need deliberate if we have:
3. The Data Controller knew or ought to have known about the risk and failed to take steps to prevent it
This test is clearly met – Highways England know that most of their penalty charges are overturned on appeal, they know that their system misreads licence plate characters, that it fails to properly distinguish dates, and they know that people contact them multiple times with evidence that the charge is wrong, but they ignore this evidence until they are embarrassed into action by a national newspaper. The breaches are still happening.
4. The breach is likely to cause damage or distress
Innocent individuals who have not used the Dartford Crossing are being pursued and threatened with legal action if they do not pay money that they do not owe. The breach is causing damage and distress and is highly likely to do so.
The ICO does not enforce on accuracy and they won’t touch this case. If I tried to report it to them, they would ignore my complaint because I have not been affected (if an affected person complained, they would do an unenforceable assessment). They do not ask Data Controllers to report incidents of damaging inaccuracy, and they do not even advocate investigating incidents of inaccuracy in the way that they do for security. This despite that fact that inaccuracy leads to the wrong medical treatment being given, innocent people’s houses being raided by the police, and old men nearly drowning in canals. The ICO took no enforcement action in any of these cases, despite them being in the public domain. I have dozens of others. Meanwhile, the Commissioner chunters on about a series of accidents and mishaps without any direct evidence of harm (ironically, even the pace of security enforcement has slowed, with only three DP monetary penalties at all so far this year).
Whatever Ms Denham’s priorities might be, she cannot ignore this. The ICO has shirked its responsibilities on the other principles for too long. A quick glance at the articles relevant to enforcement show that the GDPR is specifically designed to give breaches of the principles the higher maximum penalty. It’s a riposte to the ICO’s enforcement priorities since the HMRC lost discs incident in 2007, and it’s a bridge that the new Commissioner must be willing to cross.