Categories
Charities

Culture, Media and Spam


Most of the news and comment I heard about the Queen’s Speech suggested that it was a hole in the air, with the Government wanting to avoid doing anything of any consequence before the resolution of the EU vote in June. It was a surprise, therefore, to see provisions in the proposed Digital Economy Bill that will change the face of direct marketing.

At the moment, the rules for direct marketing are a mixture of Data Protection (for postal marketing) and PECR (for email & texts, live calls, automated calls and fax). PECR breaks down into subsets, with some forms of marketing requiring consent (email & text, automated calls, fax) and some done without consent and with opt-out (live calls, with the ability to opt-out of all calls via the Telephone Preference Service).

But consider this line from the full version of the Queen’s Speech:

Protection for consumers from spam email and nuisance calls by ensuring consent is obtained for direct marketing, and that the Information Commissioner is empowered to impose fines on those who break the rules.

My first reaction to this was that the Department for Culture, Media and Sport were incompetent: PECR already requires consent for email, and the Information Commissioner already has the power to impose fines for breaches of consent. Whatever else, this is still true, and DCMS should explain why they are announcing things that have been in place since 2003 (consent for email) and 2011 (fines) respectively. Nevertheless, it’s impossible to interpret this sentence as meaning anything other than a change in the rules for live calls. It’s not earth-shattering: it’s only lawful to cold-call people who aren’t on TPS and who haven’t directly opted out, which is probably a minority of the overall population. But nevertheless, the proposal as written abolishes the need for the Telephone Preference Service and inverts current practice.

It certainly has the merit of neatness: PECR would make more sense if all electronic direct marketing had to be opt-in. However, it will have consequences far and wide. There are plenty of lead generators and telemarketing companies who still make cold-calls, and they would be dead in the water. I would shed no tears over this (I think the lead generation and list broking industry is fundamentally unlawful, and most of the folk in the call centres would just end up in hopefully less rancid call centres). However, killing off the telemarketing industry is bold.

It will also create an even more stark contrast with the Fundraising Preference Service, which in its current form allows someone to stop all contact with all charities. It’s not even clear whether a person will technically be able to opt-in to individual charities that they do want to hear from if they’re on the FPS. It would be moronic if this situation wasn’t clarified, but people who do moronic things tend to be good at maintaining their standards. Given that the Digital Economy Bill apparently puts all* electronic marketing on an opt-in basis, charities might legitimately argue that the FPS is unnecessary, and they would have a point.

There are other issues. If all email marketing has to be done on the basis of consent, this also presumably kills off the ‘soft opt-in’. The ‘soft opt-in’ allows a company to send email marketing on an opt-out basis, as long as the email address in question has been obtained in the course of a sale, and as long as the products being marketed are their own, and are similar to the one that was originally purchased. Requiring all email marketing to be done on the basis of consent would remove this option (NB: if you think the absence of an opt-out can be interpreted as consent, you are a moron).

Finally, the proposal doesn’t mention texts, hence my * above. Texts are as much of a nuisance for people as live calls or emails, and have been the subject of routine enforcement action by the Information Commissioner since 2011. PECR treats email and text as the same, so it’s entirely possible that the Government are treating them so. It’s equally possible that this is a back of a fag packet proposal to bulk out a weak bill in a thin speech. One indicator that this might be the case is that the Information Commissioner, explicitly mentioned in the proposal, has not reacted to it in any way. There is no press release, and not a single tweet, despite a run of tweets this week about nuisance calls and other PECR related action. One could be forgiven for thinking that they didn’t know about it (I will be doing an FOI to find out).

You might think that spinning 833 words out of a single sentence is overkill, but on the face of it, the proposed change will have a considerable impact. Like me, I hope you will be watching the progress of the Digital Economy Bill with interest.

Categories
Charities

Less than ideal


Last week, Stephen Lee, an academic and former fundraiser was reported as having attacked the Information Commissioner’s Office for their interpretation of direct marketing at a fundraising conference. It was, he said “outrageous” that the Commissioner’s direct marketing guidance stated that any advertising or marketing material that promoted the aims and ideals of a not-for-profit organisation was covered by Data Protection. According to Lee, only fundraising activities should be considered to be marketing.

[NB: Third Sector articles are sometimes open to all and sometimes limited to subscribers. If the links don’t work, please accept my apologies!]

He is quoted as saying “Who says that’s right? Just the ICO. Who did it consult? No one.” and went on to say “Why and how and in what way should we be compelled to comply with that proposition?”

Who says that’s right? Who did the ICO consult? Well, let me see now.

1) The Council of Europe

In 1985, the Council of Europe issued a Recommendation on the protection of personal data used for the purposes of direct marketing. The definition of direct marketing includes both the offer of goods or services and “any other messages” to a segment of the population. The recommendation predates the guidance Mr Lee disparages by more than 30 years.

2) The 1995 Data Protection Directive

The Directive makes clear that direct marketing rules apply equally to charitable organisations and political parties as they do to commercial organisations, and emphasises the need for people to be able to opt-out of direct marketing. By redrawing the definition, Mr Lee would contradict this fundamental right.

3) The Data Protection Act 1998

Given that Mr Lee feels qualified to make bold statements about the interpretation of the Data Protection Act, it’s odd that he doesn’t seem to have taken the time to read it. Section 11 of the Act states that the definition of Direct Marketing is “the communication (by whatever means) of any advertising and marketing material which is directed at particular individuals”. The important word there is “any” – organisations do not get to pick and choose which of their promotional messages are covered and which are not.

4) The Privacy and Electronic Communications Regulations 2003

PECR sets up the rules for consent over electronic direct marketing (consent for automated calls, opt-out and TPS for live calls, consent for emails and texts). It does not define direct marketing, but instead says this “Expressions used in these Regulations that are not defined in paragraph (1) and are defined in the Data Protection Act 1998 shall have the same meaning as in that Act”. Therefore, the DPA definition applies to PECR.

5) The Information Tribunal (now the First Tier Tribunal)

In 2005, the Information Commissioner served an Enforcement Notice on the Scottish National Party after they repeatedly and unrepentantly used automated calls featuring Sean Connery to promote the party in the General Election. The SNP appealed, and in 2006, the Information Tribunal considered the issue. One of the main elements of the SNP appeal was against the ICO’s definition of direct marketing. Although the case is about a political party, the ICO’s submissions are based on the proposition that charities as well as political parties are covered by the definition of direct marketing, and that the definition cannot be restricted to fundraising alone. The Tribunal accepted the ICO’s view in full, and dismissed the appeal.

6) The charity sector and anyone else who wanted to be consulted

The ICO may have issued guidance in the 1980s or 1990s on the definition of direct marketing, but the idea that promoting aims and ideals is part of it has been their view since 1999. In guidance issued on the precursor to PECR, the ICO stated clearly that direct marketing includes “not just to the offer for sale of goods or services, but also the promotion of an organisation’s aims and ideals”. They specifically mentioned charities, as they have ever since. Virtually every iteration of the ICO’s guidance on PECR and direct marketing has been subject to public consultation – indeed, the very guidance Lee is talking about was subject to a public consultation.

Here’s the problem. Lee is an Honorary Fellow of the Institute of Fundraising, and has a long association with it. The IoF has been the most consistently pernicious influence on the charity sector’s compliance with data protection and privacy law in the past ten years. Their guidance and public utterances on data protection are often misleading, and they recently had to change their own Code of Practice because it was legally incorrect. At best, they haven’t noticed the ICO position on charities and direct marketing for more than 15 years. At worst, they deliberately ignored it in favour of an interpretation that largely suits fundraisers. Lee complained at the conference about the “appalling” communication between the ICO and charity umbrella bodies, but Richard Marbrow of the ICO summed the problem up all too well:

“One of the things the sector asked for was clarity, and I will try and bring you that. The trouble is, if you then say ‘we don’t like that clarity, could we have some different clarity please?’, we’re not going to get on very well.”

The most important thing about Lee’s outburst is the subtext – if any form of communication is not covered by the definition of direct marketing, then your consent is not required in the first place and you have no right to stop receiving it. His interpretation is nonsense, but it is also ethically unsound. At its most basic level, privacy means the right to be left alone, the right to have an area of your life which is yours, which others can’t intrude into. Lee seems to want to erode that right. If his view was correct (it’s not), charities could bombard people with phone calls, texts or emails to tell them how marvellous they are, how important their work is, how vital they are for society. As long as they don’t ask for money, the logic of his argument is that people wouldn’t be able to stop them.

Lee’s other question (“Why and how and in what way should we be compelled to comply with that proposition?”) has an easy answer. Ignore it. Carry on breaching the law, ignoring the rules. I went to the cinema last night and saw adverts for two different charities that plainly breached PECR, so that seems to be the plan. Given that the furore over charities began with an innocent person bombarded with unwanted correspondence, it’s remarkable that senior figures in the charity sector are ready for another go, but if Mr Lee wants to drag charities’ reputations deeper into a swamp that they share with PPI scammers and payday loan merchants, he’s welcome.

But the ICO should not listen to their concerns, or open friendly channels of communication with the sector. They should apply the law firmly and regularly until the charities get the message. If this results in more enforcement against charities than other sectors, that will be only because the big charities are among the worst offenders and they haven’t put their houses in order. If charity giving suffers as a result, even amongst the many charities that have not transgressed, they should stop blaming others and look to their fundraisers, their colleagues and themselves.

Categories
Charities

Fair Cop


The bedrock of Data Protection is fairness. You cannot gain consent without fairness. Your interests are not legitimate interests if they are secret interests. Unless you have an exemption or you claim that telling the person represents disproportionate effort (i.e. the effort of telling outweighs the actual impact), you have to tell the person whose data you are using the purposes for which their data will be used, and any other information necessary to make the processing fair.

The ICO’s Privacy Notices Code of Practice is not ambiguous, nor was its predecessor. It is impossible to read the ICO’s published guidance on fair processing without taking away the key message, consistently repeated for more than a decade: if something is surprising or objectionable, especially if it involves some kind of impact or sharing outside the organisation, it should be spelt out. New-ish Information Commissioner Elizabeth Denham seems to have chosen to reverse the ICO’s previously timid, unimaginative approach to the first principle with a pair of civil monetary penalties against charities. We have one each for the Royal Society for the Prevention of Cruelty to Animals, and the British Heart Foundation, with the promise of more to come. You might say it was unfortunate that charities are first in line rather than, say, credit reference agencies or list brokers (to be a touch tautological). It was the charity sector’s misfortune to fall under the Daily Mail’s Basilisk gaze, and they have to accept that we are where we are.

To issue a civil monetary penalty, there are three hurdles for the ICO to clear. Firstly, there must be a serious breach. Both charities used commercial companies to profile thousands (and in one case, millions) of donors, buying up data from publicly available sources* to assess their wealth and resources; they shared data with other charities whose identity they did not know via a commercial company; and in the case of the RSPCA, they bought contact details to fill in data that donors had not provided. The average donor did not have any idea that this was happening. I can see there’s a problem that when everyone in the charity sector knows that wealth screening goes on, it seems normal. But I’ve been using it as an example on my training courses ever since the Mail revealed it, and bear in mind that attendees are often seasoned data protection professionals who know about data sharing and disclosure: they are invariably shocked and in some cases revolted by what I tell them.

There is no doubt in my mind that this processing needed to be spelt out, and there is no doubt from the notices that it was not. Carefully selected third parties or partners has been a stupid lie in marketing for years, but not even knowing where the data goes is much worse than the usual flogging it to all comers. At least the list broker knows who he’s flogging it to, even though the only careful selection is the ability to pay.

The second hurdle is the need to show that the breach is likely to cause damage or distress to the affected data subjects. It’s been known for quite some time that the ICO was planning to take enforcement action over the Mail stories, and the gossip I heard from charities was that fines were likely. I’ll be honest, I wasn’t convinced. The Information Commissioner lost a Data Protection Tribunal appeal from Scottish Borders Council because they bungled the damage / distress element of a £250000 CMP over pension records found in recycling bins. ICO made a flawed claim that the loss of paper pension records was likely to result in identity theft, but Borders had an expert witness who could argue convincingly that this was not true. The link between the breach (the absence of a contract with the company processing the data) and the damage was broken, and the ICO lost.

But this case is different. The ICO does not need to make a link between an incident and a breach, because they are bound up together here. Both notices show that the ICO has given considerable thought to the distress angle. There is no question that the charities breached the first principle, and their only hope for an appeal is to convince the Tribunal that people would not be caused substantial distress by secret profiling and data sharing after an act of generosity. This is not science, and all I can say is that I am persuaded. But for an appeal to be successful, the charities will need to persuade a Tribunal with strong experience and knowledge of DP and PECR from the numerous (and almost exclusively doomed) marketing appeals.

The third element requires the breach to be deliberate or a situation where the charities ought reasonably to have known about the breach. As I have already said, the ICO’s position on fair processing is well known in my sector and available to anyone who can type the ICO’s web address. I think it’s possible that the charities didn’t know what they were doing was a breach, but in my opinion, this is because the Institute of Fundraising and the Fundraising Standards Board effectively acted as a firewall between charities and reality. The advice (often inaccurate and out of date) came from the IoF, and complaints about charities went to the FRSB and no further. When your code of practice is written by the people who earn their living from fundraising and most in your sector are doing the same thing as you are, it’s not hard to fool yourself into thinking it’s OK. But ‘everybody does it’ will cut no ice with the Tribunal. The RSPCA and the BHF are not tiny charities flailing in the dark – they are massive, multi-million pound operations with vastly greater resources than many of my clients.

Daniel Fluskey, head of Policy for the Institute of Fundraising, whose apparent lack of experience or qualifications in Data Protection does not prevent him from writing inaccurate articles for the charity sector on GDPR, has already weighed in, saying that the ICO should be providing the specific wording that charities require: “Charities need more detail on the ICO’s view of what lawful practice looks like: what form of words would have passed the test?” The Information Commissioner is the regulator for every organisation, of every size and shape, that processes personal data. If they start writing tailored wording for charities, they will have to do it for everyone else as well. It is a ridiculous demand. I think the ICO should move on to the data pools, wealth screeners and list brokers, but if she could find the time to issue an enforcement notice on the Institute of Fundraising, forbidding them ever to speak or write on Data Protection matters again, the third sector would have a fighting chance of complying.

Besides, how hard is it to find compliant wording? Nobody – especially not the trade association for fundraisers – should be allowed to present this as a byzantine and complex task. The individual doesn’t need to know what software you’re using, or whether cookies are involved. They need to understand the purpose – what are you collecting, what are you going to do with it, who are you going to give it to? This should be presented without euphemism or waffle, but it’s when you strip out the legalistic nonsense, you see the problem. It isn’t that the poor charities were labouring under the burden of complex data protection rules. They could not comply with the Data Protection Act because what they were doing (and in RSPCA’s case, are apparently still doing) is so unattractive:

  • We will share your details with unspecified charities via a commercial company. We don’t know who they are.
  • We will buy your phone number, postal or email address from a commercial company if you have not given it to us.
  • We will use commercial companies to compile a profile of your wealth and property to work out whether to ask you for further donations. If you are likely to be worth a lot when you die, we will use this information to ask you for a bequest.

When Reactiv Media appealed their PECR penalty, the Tribunal rejected their appeal and increased the penalty. Like a lot of the spammers, they put themselves into administration to avoid paying up, but this option is not available to household name charities. If either the RSPCA or BHF appeal, they are dragging themselves deeper into the mud, and very possibly spending thousands more of donors’ money to do so. If they say that what they did wasn’t a breach, or that they couldn’t have been expected to know that it was, their officers, advice and business model will be scrutinised to a doubtlessly painful extent. The claims management company Quigley and Carter found themselves described as “feckless” and “most unimpressive” in the course of being filleted during a recent failed appeal. Do charities really want that? Even if they decide to roll the dice solely on distress, does either charity really want to acknowledge a serious breach that they knew or ought to have known about in the hope of getting the fine overturned on a technicality? Do they want ICO to call donors as witnesses?

The business model of pressure selling, TPS-busting, heavy texting, data sharing and donor-swapping adopted by some of the UK’s most celebrated charities resembles nothing so much as the activities of the claims management, PPI spammers (i.e. the scum of the earth). For all the noise and bluster on Twitter and in the charity press this week, there is an uncomfortable truth that has to be faced. The hated Daily Mail unearthed it, and the ICO has rightly acted on it. Some big charities have run an end-justifies-the-means approach to marketing and they have got away with it for a decade. Fundraisers ruled the roost, and compliance has been sidelined or ignored. Given how much money the RSPCA and the BHF have raised from fundamentally unlawful practices, they should pull back and rethink how they get donations in the future. They should ignore the Institute of Fundraising’s every word on Data Protection and PECR, and like every other charity, concentrate on reading and applying the ICO’s Code on Privacy Notices and guidance on Direct Marketing.

And right now, if there is a fundraiser sitting with the two CMP notices working out how to devise a method that raises loads of cash for their cause while at the same time complying with Data Protection and PECR, I hope they wipe the floor with everyone else.

*citation needed

Categories
Charities

Small change


Some senior figures in the charity sector have sought to deal with the Information Commissioner’s recent enforcement against the RSPCA and the British Heart Foundation by suggesting that the ICO’s action is disproportionate and unfair. The fundraiser (sorry, academic) Ian MacQuillin has written two blogs which touch on the theme, while a few days ago, Robert Meadowcroft, the Chief Executive of Muscular Dystrophy UK tweeted:

If the  is impartial regulator it will investigate practices of  and not simply pursue charities

As 2016 is now disappearing over the horizon, I thought it was worth testing the hypothesis that the ICO is taking disproportionate action against charities, and the fines and other enforcement against charities are unrepresentative. TL;DR – it’s complete nonsense.

In 2016, the ICO issued 34 civil monetary penalties – 11 under the Data Protection Act, and 23 under the Privacy and Electronic Communications Regulations (PECR). There are a number of different ways of looking at the figures, and none of them show any evidence of disproportionality.

1) Charity CMPs as a proportion of the total in 2016

Of the 34 penalties, 2 were against charities, so 6% of the ICO’s CMPs in 2016 were against charities.

2) Amount charities were fined, as a proportion of the total in 2016

The CMP total was £3,225,500. The total of CMPs issued against charities was £43,000. This is 1.3% of the total.

3) Proportion of Data Protection CMPs issued to charities in 2016

If you look only at the CMPs issued under Data Protection, the charity proportion is not insignificant – there were 11 DP CMPs, so the 2 charity CMPs are 18% of the total – the same as the police, 1 more than councils, but less than the private sector or the NHS (3 each). However, this is the only comparison where charities feature significantly, and they are not the dominant sector. The next two comparisons are also instructive.

4) Proportion of PECR CMPs issued to charities in 2016

None. This is despite widespread breaches of PECR by charities, including phoning donors who are on TPS and sending texts and emails without consent (for example, the vast majority of mobile numbers gathered via charity posters in 2016 were obtained in breach of PECR).

5) Proportion of CMPs issued for marketing related activities in 2016

There were 21 PECR CMPs related to marketing, and 2 DP CMPs related to marketing, making 23 marketing CMPs in all. 2 were against charities, which is 9.5% of the total. Given the big charities’ disastrous approach to marketing, this relatively small number is astonishing.

6) Level of CMPs in 2016

The average DP CMP was £108,500; the average charity DP CMP was £21,500.

The average PECR CMP was £84,666.75; there were no charity PECR CMPs.

The highest DP CMP was £400,000; the highest charity DP CMP was £25,000.

7) Other enforcement in 2016

There were 22 enforcement notices issued by the ICO in 2016, 8 under DP and 14 under PECR. 1 of the 8 DP enforcement notices was against a charity, which is 4.5% of the total, or 12.5% of the total DP enforcement notices. Either way, it is a small percentage of the total. Again, if you count the number of marketing related enforcement notices, there were 15, of which 1 was against a charity. This is 6.6% of the total.

8) CMPs since 2010

There have been 69 DP CMPs since 2010 that I can find (they drop off the ICO’s website after a few years); 4 were issued against registered charities, which is 5.8% of the total. The average DP CMP was £114,163, whereas the average charity DP CMP was £78,250. It is worth noting that these figures are slightly skewed by the £200,000 penalty against the British Pregnancy Advisory Service, which is a registered charity but receives most of its funding from the NHS.

The CMP against the British Heart Foundation was the 8th lowest CMP overall, while the CMP against the RSPCA was the 9th lowest. The only organisations to receive lower penalties than the charities were small businesses, unincorporated associations, and a bankrupt lawyer.

There have been 47 PECR CMPs that I can find since 2012; none have been issued on charities, which is 0% of the total.

Conclusion

These figures will likely be different in 2017. The ICO has signalled that more DP enforcement against charities is coming, and so the proportion of DP penalties may rise when the totals are in, but that depends on a variety of different factors including the number of other penalties and the ICO’s general approach. However, when you look at the facts for 2016, MacQuillin and Meadowcroft are wrong. Despite years of ignoring the Data Protection and PECR requirements in favour of a flawed, fundraiser-driven approach, the ICO has not taken disproportionate action against the charities. The action taken is a small percentage of the overall total. Special pleading and blame-shifting will not help the sector. Compliance with the law will.

Categories
CCTV

Eye in the sky


There’s nothing that says ‘Silly Season’ more than a Twitterstorm about a photograph of the top of a comedian’s head. After the National Police Air Service (NPAS) tweeted an image of the comedian Michael McIntyre, inviting their followers to guess who it was (it was Michael McIntyre), a variety of human rights lawyers, legal commentators, data protection experts and morons weighed in to give their view. In itself, the incident was not significant and seemingly no harm was done to Mr McIntyre. However, there are serious questions to be answered here. While I could forgive the Information Commissioner for brushing it off as a lot of fuss about nothing, they shouldn’t.

Firstly, it is a Data Protection breach to tweet a photograph of an individual in such circumstances. If you are new to this blog (Hi, how are you, that’s a lovely item of clothing you have on), then you might not understand my impatience with the argument that McIntyre was in public and therefore DP does not apply, McIntyre has no expectations of privacy, blah, blah, stupid blah. I’ve dealt with it many times before. Data Protection applies whenever personal data is gathered: filming someone in the street is less intrusive and therefore less likely to breach the DPA fairness and excessive provisions than filming someone in the shower, but the law still applies. Data Protection always requires the person gathering the data to meet a data protection condition. Nothing in the Act removes this requirement if the data is gathered from a public place, which is why the Information Commissioner has published detailed codes of practice on public space CCTV since the current DPA’s inception, and has had to revise it significantly twice because of CCTV’s complexity. If you don’t agree, tell me in the comments which section of the Act says that I am wrong.

While I am writing this, Radio 4’s Today programme is covering the story, and John Humphrys has just asked the crucial question: “what on earth does this have to do with policing?”. That’s what makes it a breach, because the answer is ‘nothing’. Policing organisations have wider scope to process personal data than other bodies, but only for national security and crime prevention & detection. Celeb-spotting comes under neither heading. NPAS would need to demonstrate that tweeting a picture of McIntyre was fair, lawful, and was necessary for a legitimate interest causing no unwarranted harm to McIntyre’s interests (the only data protection condition for processing that would apply here). They would have to show that the use of personal data outside the original policing purpose (which is what they’re up there for) was not incompatible. They would need to demonstrate that the use of McIntyre’s image was relevant to the policing purpose and not excessive. If you’re wondering, what I’m doing here is simply running through the Data Protection principles, and I’ve got multiple breaches just from the first three.

Even this innocuous image could have caused harm. The woman standing next to McIntyre in the picture is his publicist and they were leaving Global Radio’s studios after an interview. But what if NPAS inadvertently tweeted a picture of a celebrity and the person they were having an affair with? In 1995, CCTV operators in Brentwood Council once saw a man walking down the street carrying a knife and contacted the police. After the incident was resolved, Brentwood proudly shared images of the man to show how their CCTV system had tackled a dangerous individual, and his identity was subsequently revealed in the media. Except that Mr Peck wasn’t a danger to anyone but himself, and the Council obliged Mr Peck to reveal the details of his suicide attempt to family and friends who may not otherwise have known, as well as effectively libelling him. After eight years, Mr Peck rightly won a privacy case at the European Court of Human Rights. Bodies with the power to watch and record us should not casually toss images of us around without a proper justification.

I have wider concerns. If NPAS are merrily spotting celebrities and tweeting the results to thousands of people, what else are they doing? What do they do if they spot someone that they know? Will we get down-top shots of young women? Fat-shaming tweets if they see someone who is massively obese? The ICO’s CCTV Code of Practice places a strong emphasis on the requirement for CCTV operators to receive detailed training, but this casually intrusive incident doesn’t suggest that it’s working. In fact, I suspect that this incident is the tip of an iceberg that goes very deep. We’ve already seen police CCTV operators jailed for voyeurism; if the police don’t treat their surveillance with single-minded professionalism, that’s where this will end up. The tweet has been deleted, but if someone somewhere isn’t investigating what else has gone wrong, they should be.

The question of who should be doing that is a good one. NPAS describes itself as “a truly national (England and Wales) policing service”. It is hosted by West Yorkshire Police, but provides air support to all police forces in England and Wales. When scouring the skies of London for stand-up comedians, it is clearly providing a service to the Metropolitan Police. There is therefore a range of possibilities as to who is responsible: in Data Protection parlance, who is the Data Controller? Is NPAS a data processor for each force, in which case the Met Police should answer for what happened here (and more importantly for the other more serious breaches of DP that I suspect have occurred)? Is NPAS a data controller jointly with the Met Police, so they are both responsible? This is my guess, but my esteemed colleague Jon Baines has already noted that NPAS hasn’t completed a Data Protection notification, which if they are a Data Controller would be a criminal offence. If NPAS is a processor for the forces, each one of them would need to subject NPAS to a legally binding contract meeting all of the requirements of the 7th Data Protection principle. It’s a mess, but not one that the forces and the Information Commissioner should be allowed to ignore.

I have already met a few people on Twitter whose knee-jerk understanding of Data Protection convinces them that this is nonsense. It’s not a breach, it’s not even personal data. It’s all in the public domain, and there’s nothing to see here but Michael McIntyre’s head. If those people are happy with this, they’re saying that the next time they furtively pick their nose, adjust their balls or their boobs while nobody is looking, or just walk down the street minding their own business, the police can record it and broadcast it to the world, and that’s just fine. I don’t think they should be allowed to make that decision for everyone else.

Categories
Caredata

A very long engagement


Tim Kelsey’s appearance on the Today programme was not illuminating. No compromise, no acknowledgement that the process has been badly handled, and the plan to slip leaflets about the process in with the pizza menus was on the advice of ‘competent marketing agencies’ (the sound you just heard was the launch of an FOI request about who they were and what they said). It must be nice to make such a fantastic hash of your job, and be capable of thinking you’re still a winner.

From the perspective of someone who is uncomfortable with the care.data process, I would have been happy had he promised a proper, personally addressed opt-out (which is better than what we have now). I would have been even happier had he promised consent. I wouldn’t say for certain that a fair version of care.data is impossible, but I don’t think one will ever be offered. I doubt NHS England wants to spend the money on sending personally addressed letters to everyone, and they don’t respect their fellow citizens enough to choose consent, so I’m actually happy that Kelsey is sticking to his guns. Because we’re not going to get a fair, democratic version of the system, I’d rather he keep infantilising the public. This tactic has already led to two delays – a third try at the same patronising “engagement” will surely kill the scheme off forever.

However, one thing struck me about the interview. Justin Webb asked Kelsey the straight question of whether a letter would be sent to every affected citizen. Kelsey said that all options were on the table, but was keen to plug his ‘Get hip with the 21st Century’ bluster about direct mail not being the right way to communicate. We’re using the Vulcan Mind Meld, Grandad. On the basis that Twitter has hardly been a roaring success for the care.data campaign (look at the #caredata hashtag if you don’t believe me), I wondered whether there might be more to Kelsey’s statement than panicked airtime filling. If so, what else is he planning? I think the expensive letter option is the only game in town.

It’s entirely possible that NHS England has no plans to contact citizens directly at all. I predict posters, the reappearance of the NHS smurfs in the cheapest conceivable TV ad breaks, or adverts on radio stations I don’t listen to because I am old. But let’s assume that Kelsey and NHS England are thinking about some kind of direct contact. What are the options?

POST

Writing to every citizen directly would be more or less legal in Data Protection terms. Assuming that NHS England has a reliable source for every person (not every address) in England, I believe that contacting everyone would be lawful and fair, even if they loaded the correspondence with propaganda. This is partly because Data Protection has its limitations, but also because there’s nothing in the DPA to say that you can’t contact people unless you have their permission, even if the correspondence is marketing. Unless NHS England sends everyone a bald postcard that says ‘we’re taking your data for research, here’s your opt-out’, it’s highly likely that the correspondence would be marketing. The ICO’s definition of marketing is far wider than simply the offer for sale of goods and services, but the DPA does not prevent an organisation from sending unsolicited marketing by post unless the person has used their Section 11 data protection right to opt out.

Legally, I think that’s NHS England’s only option for direct contact. It is inconceivable that if they are going to pay to contact us all, NHS England would just provide a bald statement of the facts. They would (and you might think they are entitled to) provide the reasons why care.data is a good thing. I believe this fits solidly into the ICO’s definition of ‘promotion of ideals’, which makes post their only legal option.

AUTOMATED CALLS

Automated calls are universally loathed as a form of marketing, so I’m certain that a scheme as cack-handedly managed as this one will hover over the option of making them. Automated calls are much cheaper than live calls, but to make them, you have to step wholly outside Data Protection. The Privacy and Electronic Communications (EC Directive) Regulations 2003 (usually rendered as PECR, which you pronounce ‘pecker’ in order to get cheap laughs) state in regulation 19 that an automated marketing call can only be made if the subscriber (i.e. bill-payer) has “notified the caller” that they consent to receiving the call. That means explicit, opt-in consent for automated calls from NHS England. Nothing implied or inferred – they need active specific consent for automated marketing calls, or they can’t make them.

EMAILS (and as it happens TEXT MESSAGES)

The business sector did a smart lobbying job way back when PECR was drafted, so it is legally possible to send unsolicited business-to-business marketing emails, because PECR treats corporate subscribers (effectively organisations and their email addresses) differently from individual subscribers (i.e. an email account of any kind used solely for personal, home and recreational purposes). But for those individual subscribers, i.e. you at home as a regular person, Regulation 22 has bad news for Kelsey’s 21st century engagement. The same rules apply – an active opt-in is the only option. The ‘Interpretation’ section of PECR makes clear that a text message is the same as an email, so the same rules apply – active opt-in. Even if NHS England can get hold of email addresses or mobile numbers (or exhort GPs to use the information they have), it is legally impossible to send messages about care.data unless they have active consent, or the messages are not marketing. And they will be marketing.

LIVE CALLS

I assume that live calls won’t be an option because they would be prohibitively expensive. However, just in case anyone is wondering, NHS England would have to screen all calls against the Telephone Preference Service list under PECR Regulation 21, ruling out millions of people (or making calls to them illegal).

Of course, these rules are routinely abused by Green Deal and PPI pests. The ICO’s efforts have been rather dismissively rebuffed by the First-tier Tribunal, so we await the Upper Tribunal to see whether the existing PECR rules can be properly enforced. But the difficulty of enforcing PECR does not grant NHS England permission to adopt the tactics of the snivelling spam-monger. PECR does not have public interest get-outs or exemptions. It applies to communications about care.data made by electronic means because they will inevitably be a promotion of NHS England’s ideals.

Of course, I may be way off. It’s entirely possible that the plan is for more soothing reassurance. It’s equally possible that care.data is dead, and nobody is willing to admit it yet. Given their stewardship of this so far, I doubt NHS England are above claiming that any contact would not be marketing, and going on a spam frenzy. The ICO – permanently on the back foot over care.data – would need to slap that down. But the Royal College of General Practitioners have demanded direct contact with patients, and it’s clear that their intervention (along with the BMA) has been decisive. Whatever options are on the table, NHS England does not have the legal consent necessary to contact patients by electronic means, even if they can get the data to do it. It would be illegal.

Time to warm up the franking machine.

Categories
Caredata

Dangerous Liaisons


“We found this meeting to be productive and are pleased with the level of cooperation between our respective organisations” Letter from David Evans, Strategic Liaison, Information Commissioner’s Office, to Christine Outram, Director of Strategic Intelligence, NHS England, 26 September 2013


As the care.data leaflet arrived in people’s homes in January, the ICO published a blog by Dawn Monaghan, Group Manager for Public Services in the ICO’s Strategic Liaison team. The blog described the NHS approach to the extraction of data from GP practices, the communication activities to underpin this, and the ICO’s role which – accurately – Monaghan described as limited. However, the blog did not stop short of effectively endorsing the process. Having summarised the plan to have posters and leaflets in GPs’ surgeries and a household leaflet drop, Monaghan’s blog stated: “We see this as a sensible approach” and “we would consider it likely that the fair processing requirements under the DPA would be met”.

Within days, the media was reporting on widespread concerns about the sensible approach. By the time of Tim Kelsey’s Comical Ali appearance on Radio 4’s Today Programme to say that everything was absolutely fine just before the whole thing was put on hold, Monaghan was interviewed to say that NHS England had not done enough. Christopher Graham later complained to the Independent that they’d wanted a direct letter all along.

This reaction to the mess was correct – it was the original, syrupy reassurance that was odd. The ICO is an independent regulator, there to ensure data protection compliance and, where necessary, to take enforcement action to back that up. And yet here they were, effectively saying ‘it’s all fine’. I thought it was bizarre that the ICO could give any backing to NHS England’s approach, but they seemed to find it necessary to be supportive until they saw which way the wind was blowing.

My concerns were shared. In September 2013, Dr Geraint Lewis, Chief Data Officer of NHS England was warned that the communications plan – the ‘sensible approach’ – was “essentially passive”. There were real concerns that “a number of patients would be unaware of what is happening to their personal data”. Lewis was informed that the approach – essentially the same approach that was delivered in practice – was almost certainly not an “adequate standard to ensure data protection compliance”. In October 2013, Rachel Merrett of NHS England received an email expressing concern about the household leaflet drop. There was a serious question about the leaflet’s effectiveness, arriving as it would along with stuff from “the local window cleaner and the Domino’s Pizza leaflet”, likely to be “scooped up and placed in the bin without being read”.

The author of these communications was Dawn Monaghan. I made an FOI request to the ICO for correspondence and meeting notes between the ICO and NHS England and the HSCIC. A large quantity of material was disclosed, virtually all of it recording the frequent contacts between Strategic Liaison – Monaghan, Evans and occasionally the head of the team Jonathan Bamford – and various NHS England and HSCIC civil servants. The biggest players – Information Commissioner Christopher Graham and Head of Patients and Information Tim Kelsey – make cameos early on, as the ICO fails to persuade NHS England to contact each patient directly.

It’s difficult to find a proper description of what Strategic Liaison does on the ICO’s website, but the aim seems to be to maintain good relationships with large data controllers, or ‘stakeholders’. This seems clear from a ‘Strategic Liaison Organisational Review’ document put forward by Bamford in March 2013, asking for more staff. More staff would help meet the ICO’s objectives to “maintain its influence in key areas and on key issues”. Another key benefit was to ensure that “stakeholder satisfaction levels will be maintained”. So how’s that influence working out for you?

In practice, Strategic Liaison’s activities look like the provision of lots of free advice with no real gain for compliance or the public. From the Commissioner through Bamford to Monaghan and Evans, and in particular in emails in August 2013, it is clear that the ICO wanted a direct communication with each patient, and they wanted the leaflet to set out very clearly what the ICO called an ‘opt-out’ until they acquiesced to NHS England’s terminology of an ‘objection’. In reality, the leaflet drop went ahead, and it contains only mealy-mouthed references to objecting. There is no form to register an objection, nor a website to do so – on the last page, it simply tells the reader “ask the practice to make a note of this in your medical record”. Even NHS England’s preferred word ‘objection’ does not appear.

All the while NHS England and HSCIC pressured Strategic Liaison for detailed advice about who they think the Data Controllers are in various permutations of the process, and even when they got the answers, they demanded to know the background thinking. This resulted in Monaghan sending a detailed letter in November 2013, setting out the ICO position in detail. The average data controller, seeking concrete answers to such questions, would be told to whistle for it. Ring the helpline today and see if I’m wrong.

NHS England and the HSCIC clearly wanted the ICO to sign off their proposals. Even though an independent regulator should refuse this outright, several times, Monaghan refers to sign-off as something which cannot be done yet. In September 2013, an email states “Until this has taken place, the ICO could not offer an endorsement or agree that the process or communication plans would be compliant”, while later on it is unlikely that “we will be able to reach a point of endorsement or assurance until…”. The ICO is there to regulate, not to give approval, and yet it seems they contemplated endorsing the process. Indeed, what is Monaghan’s January blog, if not a tacit thumbs up? Typical of the way things worked is Monaghan’s statement on 12 August 2013 that “we do not wish to cause unnecessary delays to the project”. Delays to the project are not the ICO’s problem. If NHS England didn’t want to wait for ICO advice (advice I don’t think the ICO should have given), they should have got their answers from their own lawyers and hoped for the best, like most other Data Controllers have to do.

No matter how quickly the ICO changed their mind after the wheels came off, no matter how strong some of the correspondence is (Monaghan’s bracing September 2013 letter to Lewis is a standout), the overall mood is cooperative, ameliorating, persuasive, which might be OK if it worked. Teddy Roosevelt once advised a friend to ‘speak softly, and carry a big stick’. Strategic Liaison don’t have so much as a twig. The worst threat they offer is refusing to sign off the communication plan, something they should never have offered to do in the first place.

The only mention of enforcement action anywhere in the correspondence comes in an email from Rachel Merritt of NHS England in November 2013, trying to get confirmation from the ICO that they will take action if GPs opt out their patients in bulk. If the ICO cannot issue guidance on this issue, then NHS England has a number of options on the table: “If a large number of GP practices bulked block [sic] their patients, consideration would need to be given to whether we can continue to offer the objection”. Acknowledging the NHS Constitution’s guarantee of a right to object, Merritt continues that if the objection offer was withdrawn, “we could consider and refuse on this basis that we cannot provide a health service”. There is no evidence of how Strategic Liaison even reacted to this outrageous suggestion, but the friendly cooperation certainly continued. NHS England’s meeting notes from the back-end of 2013 even imply that the ICO was considering whether action against bulk opt-outs was possible.

Meanwhile, the HSCIC expressed concern about subject access request numbers escalating, and the meeting notes state “ICO to bring up with health priority cross officers group the issue of support for subject access requests”, and on 19 September 2013 “ICO agreed to work with the HSCIC if such requests significantly increased”. This offer of support is unacceptable on its own terms, but the ICO’s own Subject Access Code of Practice states “You should be prepared to respond to peaks in the volume of SARs you receive”. Every other Data Controller has to put in additional resources, but elite stakeholders get a promise of support. As we know, Strategic Liaison has to maintain their satisfaction levels.

I have complained before that the ICO’s use of the word ‘customer’ when they mean ‘complainant’ sends out the wrong message. The ICO is an ineffective ombudsman, and their recent decision to concentrate more on regulatory issues than making every complainant happy is probably a good idea on balance. I doubt it will work, but that’s a separate question. It’s essential for the ICO to be neutral, and sending out the message that they’re on the side of the public is wrong. They serve Parliament, the Data Protection Act and the public interest. But equally, it is wrong for them to assist certain favoured ‘stakeholders’, facilitating them with monthly meetings, daily emails, and detailed advice on demand, especially when the ICO’s own requirements (if you can call them that) are unmet. Would NHS England have sent a clear letter with an opt-out form to every individual if Strategic Liaison had promised them an enforcement notice if they didn’t? We’ll never know, but you don’t have to read much of the correspondence to see that this kind of thing isn’t in their vocabulary. The ICO needs to publish guidance, it needs to deal with complaints (i.e. make assessments) and in certain cases, it needs to enforce. Why does it need to make friends?

If there is any future compliance question about care.data – particularly the issues of fair processing or data controllership – the ICO has been intimately involved in NHS England’s thought process. I don’t even think NHS England and HSCIC were cynically implicating Strategic Liaison – the approach of nuzzling up to stakeholders does that automatically. The days when the ICO didn’t even have an enforcement team are long gone, but Strategic Liaison represents an outdated strand of thinking. The senior people who ran the office when I was there – which was long, long ago – treated Data Protection as an extended debating society where everything could be settled with a civilised discussion. Strategic Liaison had a civilised discussion with NHS England, they didn’t get what they wanted, but in the end, was maintaining a good relationship an objective in itself?

The one question FOI doesn’t allow me to ask is what Strategic Liaison think they’ve achieved. Care.data was delayed again, and this time, the objection that NHS England had contemplated dropping is getting a statutory basis, but Strategic Liaison didn’t ask for these concessions. It’s probably more pleasant to maintain friendly relationships with big data controllers, but at least in this case, I can’t see what was achieved by it. The ICO has a mountain of FOI complaints, a difficult new approach to DP compliance to implement, a pile of enforcement and a new version of Data Protection on the horizon, all in a time of austerity. I wouldn’t keep Strategic Liaison going in the years of plenty, but we’re in famine now, and deploying some of the most experienced ICO staff to hold hands with an elite group of data controller ‘stakeholders’ is a waste of valuable people and resources.

Time for a new strategy.

Categories
Caredata

Careless


The people who run NHS England and the Health and Social Care Information Centre never wanted to give the public a choice about whether their data would be mined and sold for research purposes (and the clumsy, ill-informed opt-out that was dragged out of them isn’t a proper choice anyway). It should therefore come as no surprise – as the front page of today’s Telegraph makes clear – that the opt-outs have not been processed. Despite this, it’s full steam ahead: “the NHS has insisted that it will continue to sell medical data to insurers and other third parties”.

I’ve already seen questions on Twitter about the likelihood of the Information Commissioner taking action. If they do, it’s worth considering what the HSCIC and NHS England have actually done wrong. I’ve said this before, and I will say it again: care.data is legal and does not require consent. Because of the powers that Parliament bestowed in the Health and Social Care Act 2012, consent is not required because a legal power exists that allows personal data to be extracted and shared. It doesn’t matter which way you slice it, had NHS England steamrollered care.data through when they had the chance, this wouldn’t even be a story.

Ironically, it is the fact that NHS England bowed to the predictable but apparently unexpected backlash and offered their weedy compromise, achieved in part by that mealy-mouthed leaflet hidden among the pizza menus, that puts them in a pickle. All personal data must be processed fairly, and by telling all citizens that they had a right to opt-out of the sharing of their health data, NHS England created a set of clear expectations. They didn’t have to, but they did. So by not properly resourcing the opt-out process, NHS England and the Health and Social Care Information Centre have breached the first principle.

Lack of funding isn’t an excuse or a mitigating factor. The fact that they could have gone ahead and done all of this without the opt-out isn’t relevant either. Because the opt-out was offered, it is now part of the fairness package, and not to deliver on it is a breach.

The Information Commissioner has three options. The most obvious is what we have had before: some strongly worded correspondence, alternating with hand-holding for their HSCIC friends (including a relatively new HSCIC IG officer who used to be at the ICO, working on care.data). The ICO dropped the ball spectacularly on care.data, anxious to enable what they must have thought was an important undertaking by a valued stakeholder. David Smith, the Deputy Commissioner with responsibility for Data Protection, is keen to stress that the ICO can be an enabler, and care.data before the public backlash is what that looks like.

Secondly, the ICO could issue a civil monetary penalty. Thousands of people’s data are being used unfairly, there is a serious breach of the first principle, and no doubt many of those affected will be upset, annoyed or even distressed by the news. But the ICO has come unstuck at the First-tier and Upper Tribunals when trying to take action on distress, so I can understand why they might not favour this as an option.

The third option is the action they should obviously take, but I wonder if anyone in Wilmslow is bold enough. There is no damage or distress threshold for an Enforcement Notice, there is a clear step that the Information Commissioner can order the HSCIC to take (action all of the opt-outs, resourcing that in preference to the work on active data sharing), and there is a serious sanction underpinning an Enforcement Notice if it is not complied with (prosecution for the organisation or its board members). If the HSCIC believe that their power to obtain this information engages the Section 35 exemption in DP, which removes the requirement to process personal data fairly, they would be welcome to explain this to the Tribunal. I used to think that this might work for them, but I’m not so sure now and I’d be thrilled to see them try.

The ICO has tried stakeholder engagement and they got very little for the public as a result. I can understand why a CMP may seem a disproportionate and unattractive move. I fear they will do nothing. But if the Commissioner’s Office wants to show that it is serious about holding organisations to account for anything other than self-reported security incidents, they could have an Enforcement Notice out in days. It would be a huge sign that the Commissioner is willing to get into difficult territory to uphold their legislation rather than maintain pleasant relations with government. I would sing their praises if they took the opportunity. The question is, do they have the guts?

Categories
Cabinet Office

Bah Humbug

If I was a proper FOI requester, I would await the delivery of each response like an excited child on Christmas Eve, willing the appearance of the day when I will receive my presents. Instead, I am very much the adult embodiment of the child I used to be; I have bursts of enthusiasm that dull to indifference, especially now that my attention has to last over the passage of 20 working days. My FOI request to the Cabinet Office about the correspondence based adventures of Oliver Letwin MP is very much in that category (as an aside, the absence of tweets from @OliverLetwinMP remains a disappointment but I fancy he is merely whetting our appetite for a stonking tweeted SNAFU at some future date).

On the day that the Daily Mirror revealed Letwin’s insouciant approach to office filing and data protection, I fired off an FOI to the Cabinet Office demanding all manner of smoking guns, the outcome of which would allow me to write a stinging blog post of such revelatory and rhetorical brilliance that I would be carried aloft on the metaphorical shoulders of my readership, and given a column in the Guardian or the Financial Times. The days dragged by. I trained many fine folk around the nation, and received yet another rejection for my novel. By the time the Cabinet Office responded, I was on holiday in Morocco, and I didn’t really give a toss: Alan and Lionel be damned, I was trying to find ‘Casablanca Beer’.

Now safely ensconced in the UK with water pouring through the ceiling into my bedroom (to any readers in South Manchester, I can recommend a fine plumber), invoices to send, courses to write, and another publisher to find, I went fickle on my Letwin exposé. Part of this is the fact that the 20 working days was distended by a generous 7 extras, by which time I had almost forgotten I had made the request. Part of it was the fact that Letwin had readily signed an ICO undertaking, showing at least some measure of contrition. And of course, in the interim, Vince Cable had decided to outgun Letwin with some DP flouting of his own. But most of all, I lost interest because the high seriousness of my original request was undercut by the ‘meh’ nature of the response.

I asked:

  • has Mr Letwin disposed of correspondence containing personal data about other people?
  • Did the correspondence relate to his constituency role, his Cabinet Office role, or both?
  • what kind of details were included (e.g. names and addresses, email addresses, information about personal circumstances or complaints)? I do not believe that providing a generic description of the data would constitute a breach of the Data Protection Act.
  • Has either Mr Letwin (in his capacity as an MP) or the Cabinet Office (as a data controller) informed the Information Commissioner of these incidents, on the basis that there is a possibility that the Seventh Data Protection principle has been breached, as it relates to security?
  • Has Mr Letwin received any data protection training in his capacity as a Cabinet Office minister?
  • Is any such training now planned?
  • When the statement provided by the Cabinet Office was released, claiming that the information disposed of was ‘not sensitive’, had the person making the statement considered the Data Protection implications of disposing of correspondence in bins in public parks?
  • Does the Cabinet Office have a policy or procedure about the appropriate disposal of paper records?

What I got was this:

The Information Commissioner has considered the matter and his report can be found at http://www.ico.gov.uk.

Enquiries made by the Information Commissioner’s Office (ICO) found that ‘among the documents were letters and emails from…constituents, including personal data such as their names, addresses, telephone numbers and email addresses, although in one instance there was some limited information about an individual’s health problems’. Mr Letwin has signed an undertaking with the ICO whereby he has agreed to dispose of personal data in a secure manner.

Ministers do not receive data protection training. Mr Letwin has been made aware of his responsibilities by the Information Commissioner. Data handling procedures in Government are set out at www.cabinetoffice.gov.uk/resource-library/data-handling-procedures-government. When handling data which contains personal information about identifiable living individuals, the Cabinet Office must ensure that it complies with the provisions of the Data Protection Act 1998. In particular, personal data must not be collected or retained unnecessarily, and appropriate security measures must be taken to protect the information.

I should point out that it is far from clear what information the Cabinet Office holds in relation to what I asked for – it’s possible that they hold a shedload of emails and other information, but I didn’t get them. They did not provide any meaningful response to the penultimate bullet point in my request. The fact that Ministers do not receive data protection training is disgraceful, and the fact that no training is planned, especially given that they knew about Vince when they responded, is shameful. They don’t tell me how to get an internal review, or provide me with any advice or assistance.

But what do I do? This desultory response at least provides me with some useful material for my next training course as the ‘before’ part of a ‘what FOI requests should look like’ exercise. If I complain, the Cabinet Office will either tell me that the original response was just dandy, or they’ll send me an apology in the name of a senior officer, written by a junior one (I was that junior officer once). I could complain to the ICO, adding to a backlog of requests, and in six months to a year, they’ll do something either way that by then, I will not care about at all. And is that a good use of anyone’s time?

In a world where the Cabinet Secretary badmouths FOI as his parting shot to government (www.guardian.co.uk/politics/2011/nov/23/freedom-of-information-act-government), and a former PM’s chief lieutenant feels entitled to go on Radio 4 and aggressively not understand how FOI works (www.bbc.co.uk/programmes/b006qjfq), to quote Slim Pickens in ‘Blazing Saddles’, I am depressed. Will an internal review make any difference? No. With Sir Gus O’Donnell sending a message to civil servants that FOI is a problem, rather than a natural part of the checks and balances, I don’t see the point of putting them to the trouble. And if I now don’t care so much about Letwin’s adventures in St James’ Park, am I entitled to ask for one? Well, no, so I won’t.

However, the one advantage FOI has over Christmas is that you don’t have to wait all year (unless you’ve made an FOI to a certain organisation if WDTK is any way to judge it), and you don’t have to be good to get presents. I’ve already moved on to the bizarre goings-on involving a former ICO employee getting raided by the cops after badmouthing our alma mater, and the fact that when the ICO meets big international corporations, they keep remarkably scant records. These are both blog posts for another time, so if you’re excited, you’ll simply have to wait to unwrap them.

And yes, as we heathens invented Christmas, we are entitled to enjoy it, and my blogs will be aggressively inflected with a yuletide theme until January. So if you don’t like it, Bah Humbug to you!

The Cabinet Office & FOI, A Retrospective, 2010-2011

As you know, FOI is under threat from a disparate coalition of interest groups, all of whom profess strong support for the idea of FOI and transparency in principle, but who object strongly when it applies to them. As I have already blogged, it’s the FOI equivalent of saying ‘I’m not racist but…’ With friends like ACPO – who ask in their Justice Committee evidence for an absolute exemption for all investigations data, a charge for every FOI and vast restrictions on the time taken per request – FOI doesn’t need enemies.

However, the real cuckoo in the nest might be closer to the centre, with a more seductive and plausible message that could still plunge a stiletto into FOI’s back. Led by the Coalition’s answer to George Sanders, Francis Maude, the Cabinet Office wears what looks like a bulletproof vest when it comes to openness. Why, they’re the champions of Transparency, the sponsors of Open Data. One could mistake the Cabinet Office for a shining beacon of openness in the murky fog of secretive government. George Francis Maude promises a quantum leap in transparency and goes around the world promoting openness. He must be OK: in some of these photos, he’s rocking that smart jacket / jeans combo that says, I’m here for business, but a party’s definitely not out of the question.

But here’s the problem. Maude’s top-down Transparency (always capital T) is geared towards an open-source, re-use model which is intrinsically positive, but totally separate from the accountability / scrutiny aim of FOI. The Transparency agenda is skewed heavily towards a technocentric, app-designing, economic model. It will probably create jobs. This is great and puts the previous government to shame. Public bodies who bleat about the commercial reuse of their data forget that the private sector pays its taxes and funds their activities. But this Transparency has little to do with the kind of transparency that FOI offers. Real (small t) transparency is about letting everyone come in and scrutinise what is going on. FOI should not be mediated, except by sensible harm thresholds like the public interest test and an even-handed regulator. If you see one of those, let me know. Maude is keen to order disclosure, but this is still the exercise of power by the elite. If you want to know something that the Coalition doesn’t want you to know or simply hasn’t thought of, Maude’s Transparency will not help.

Transparency could be used as a Trojan Horse to justify curbs on FOI. You don’t need FOI, we’ll be told, because look at these shiny Transparency jewels we’ve decided to give you. This will be a fiction. The point of FOI is that you get to ask about what you want to know, not what The Nice Man Wants To Tell You.

In June 2011, the Cabinet Office signed an undertaking for the Information Commissioner, promising to make improvements to its approach to FOI. So let’s ignore the siren lure of Transparency and look behind it to see how the openness champions deal with FOI. I have read all of the Information Commissioner’s Decision Notices issued to the Cabinet Office in the past twelve months. It’s a roll call of shame that spits in the face of the fine folk who work on Open Data and Transparency. You can read the highlights at the end of this post, and I encourage you to use the reference numbers to find and read some of the decision notices in full here.

Most of these decision notices cover requests received before that undertaking was signed, but all cover the period of the Coalition, when Maude and others were trumpeting Transparency and Openness like it was going out of fashion. They might claim it’s all change since the undertaking, but these requests are an insight into what the Cabinet Office were doing while the Ministers were hyping their Transparency agenda. How could this all happen on their watch if their commitment to openness is real?

In 2010-11 (as before), the Cabinet Office routinely extended the time taken to consider the public interest test, and frequently missed its own distended deadlines. Applicants who made entirely legitimate requests were refused because their requests were said to have no serious purpose or value (and the ICO overturned these refusals). On several occasions, the Information Commissioner’s Office was forced to order the Cabinet Office to make a decision, in cases that had been running for many months.

Two issues are particularly damning. There are several cases where the Cabinet Office issued a formal refusal for data that they had not searched for, and which ultimately turned out not to be held. In other words, they’re saying no rather than actually looking for the information. Worse still, in numerous cases, the ICO remarks that the Cabinet Office has advanced inadequate arguments for refusals that they then have to overturn. In some cases, the Cabinet Office fails to respond to the ICO altogether.

The Cabinet Office has a lamentable track record on FOI – this could be explained in part by the fact that the outgoing Cabinet Secretary was outspoken in his criticism of the legislation and his belief that it should be restricted. However, the Cabinet Office appear not to have taken the Information Commissioner seriously either, which should be unthinkable. Nevertheless, by not taking formal enforcement action against the Cabinet Office, Chris Graham has gambled that asking them to sign an undertaking to comply with legal obligations will have the effect that dozens of formal decision notices issued since 2005 have not. He may have fettered his discretion on all future FOI enforcement – if he doesn’t enforce against this level of compliance, when will he ever do so? Who could possibly be worse? If he goes after a Parish Council with an enforcement notice, the circle will be complete – like DPA, the big fish swim away while the minnows get netted. But more importantly, if the Coalition try to argue that FOI is safe in their hands, that any changes are just to reflect the austere times we are all in together, that their Transparency is a worthwhile alternative, take a look at this list and decide what you think of that idea. We desperately need a more agile, more entrepreneurial approach to public sector data. But we also need the opportunity to ask awkward questions, and up to now, the Cabinet Office hasn’t even paid lip service to that principle.

  • FS50371317 (02/02/2012): the applicant asks for copies of unpublished photographs taken by a named Cabinet Office photographer. Cabinet Office refuse on the basis of Section 36 (prejudice to the effective conduct of public affairs). The refusal is automatically invalid because the qualified person (who has to be a minister) was not involved. When the ICO investigated, they discovered that no such photographs were held, and S36 had been cited instead of actually searching for the pictures.
  • FS50379301 (16/11/11): Applicant asking about minister’s meetings about the setting up of a statutory register of lobbyists asks for internal review on 8/11/10. The Cabinet Office do not respond until 20/4/11. ICO complains that Cabinet Office ignores repeated requests to supply data to them so that it can consider the complaint, and later remarks that no exceptional circumstances explain the delay in providing an internal review.
  • FS50348732 (03/11/11): In response to FOI requests about the refurbishment of Downing Street, Cabinet Office claims that information will be published in future. They then change the claim to no information held. The Information Commissioner finds that information is indeed held. “The Commissioner is particularly concerned that the response to the Information Notice appeared to contradict the previous response from the public authority that no searches had been necessary, suggesting that no searches had been carried out.”
  • FS50362049 (03/10/2011): Cabinet Office refuses to confirm or deny whether Government discussed the Nestle takeover of Rowntree in 1988 (which the ICO orders them to do).
  • FS50341963 (08/09/2011): The applicant asks for meeting records of a committee which hasn’t met, and the Cabinet Office fail to explain this. They use an exemption to refuse information that does not exist. The ICO comments: “The initial refusal notice provided to the complainant by the Cabinet Office was insufficient and unduly brief… the Commissioner would also note his disappointment that the Cabinet Office failed to avail itself of the opportunity, during the Commissioner’s investigation, to voluntarily disclose to the complainant the specified non-exempt information.”
  • FS50392356 (4/8/2011): The applicant asks about Andy Coulson’s legal fees on 20 December 2010. Request acknowledged, but no response received at the time of the decision notice (i.e. three months after the undertaking). ICO warns the Cabinet Office that the absence of a response would be referred to Enforcement. The Cabinet Office do not respond. The ICO issues a Decision Notice solely to order them to answer the request.
  • FS50366824 (19/07/2011): Applicant makes meta-request for correspondence about a previous request (re: compensation paid by Libya to IRA victims). Cabinet Office claims request lacks serious purpose or value. Internal review requested on 2/1/2011, but no response is received. The Cabinet Office fail to respond to the ICO, and do not provide evidence for why the request represents a serious burden. “The Commissioner is concerned that in this case the internal review has yet to be completed despite the public authority having taken over 160 working days thus far in which to complete the review, despite the publication of his guidance on the matter.”
  • FS50362370 (19/07/2011): Response to internal review was only received after intervention of the ICO. The applicant wants to know the make and model of printers used for comparison purposes in Sir Philip Green’s study of government efficiency. Cabinet Office does not want to prejudice negotiations with or to identify the supplier. This is the same Cabinet Office that wants all organisations to publish all spending over £500. Did someone say bullshit?
  • FS50347053 (20/06/2011): On the 28 February, 13 May and 23 May 2011 the Commissioner wrote to the public authority asking it to provide a detailed explanation of its refusal of the complainant’s request for information as amended and a copy of the withheld information. ICO ends up ordering Cabinet Office to disclose salaries of those who earn £150,000.
  • FS50368481 (23 May 2011): Requests are submitted on 24/07/10 and (in expanded form) 6 January 2011. There is no response, though the requests were acknowledged. ICO contacted Cabinet Office on 10 Feb 2011 asking for response in 10 days. This does not happen. ICO forced to issue decision notice solely to force Cabinet Office to answer the requests.
  • FS50354351 (21/03/2011): Request about weapons of mass destruction. The Cabinet Office extends public interest deadline twice, and twice fails to respond to an IC request to resolve the case.
  • FS50310716 (8/3/11): Request for job descriptions for the employees who support the Government Chief Whip, his deputies and assistants, and for funding allocations. ICO had to intervene to get an internal review completed.
  • FS50318536 (17/3/2011): Cabinet Office says they hold data but disclosure would prejudice international relations, claims an extra 20 days, then goes vexatious despite him having made, then says it should have refused to confirm or deny under Section 40. They held no information. “On 13 December 2010 the Commissioner wrote to the Cabinet Office asking it to provide its arguments in support of its application of section 14. Following several telephone calls from the Commissioner seeking the Cabinet Office’s response to his investigation, the public authority provided its response on 2 March 2011.”
  • FS50300732 (15/2/11): Applicant requests “unredacted minutes” and is sent a link to a webpage featuring redacted minutes. Applicant asks for internal review in Nov 2009 and ICO has to intervene in May 2010 to force internal review, threatening to issue an information notice if the Cabinet Office does not respond. They take 150 days to respond, and ICO is forced to take them to task. “During the course of his investigation, the Commissioner has encountered considerable delay on account of the Cabinet Office’s reluctance to meet the timescales for response set out in his letters. Furthermore, the Commissioner has been met with resistance in his attempts to understand the Cabinet Office’s reasons for handling the request as it did and for invoking particular exemptions. The delays and resistance were such that the Commissioner was forced to issue an Information Notice in order to obtain details relevant to his investigation