Categories
Cabinet Office

The DNs don’t work


I’m going to say it again. I really like Christopher Graham. Anyone would have looked dynamic after Richard “BACKLOG” Thomas, but I believe he’s trying to make a difference in his role. I’m not sure we’d get on personally, but that’s definitely more about me than him. I have absolutely no doubt that he means business. And what’s more, blogger’s hyperbole aside, I don’t really think that everyone who works at the ICO is an idiot. In fact, when I think of all the people at the ICO who I definitely think are idiots, I could count them on the fingers of one hand, if we count thumbs as fingers and I was Anne Boleyn.

But in writing to the Financial Times to refute the claim that the ICO is a toothless regulator, Mr Graham said this: “The record shows that the Information Commissioner’s Office regularly makes difficult decisions that challenge Whitehall”. He pointed out that he has issued a number of Decision Notices against the Cabinet Office and most importantly, he is a regulator with powers of prosecution.  This isn’t fooling anyone. Even FOI Man Paul Gibbons is having his doubts about the Commissioner’s rigour, and he’s so nice he didn’t lose his temper when I suggested he change his name to Paul Chimpanzees.  What’s really strange about Graham’s response – apart from what Paul accurately identified as his eccentrically clear aim at the messenger – is what’s missing. Although I think the quality of ICO FOI casework has generally gone down, I don’t deny that on a good day, Wilmslow is capable of stepping up and making the right calls on individual decisions. What Mr Graham has to answer is whether his office is capable of taking enforcement action; not to deal with individual complaints, but with the wider approach of a Government department that sees FOI as an inconvenience.

However, in case we need evidence that action might be necessary, let’s consider the decision notices issued to the Cabinet Office in 2013 by the ICO, to bask in the heat of their effectiveness:

Decision FS504279906

The Cabinet Office are revealed to have failed to respond to a previous ICO Decision Notice (that thing that is supposed to be Contempt of Court). They fail to do an internal review in the ICO’s recommended timescale. They claim to the ICO to have disclosed a contract to the applicant, but repeatedly fail to confirm that this has actually happened. They then use the applicant’s complaint to the ICO as an excuse not to disclose anything else. They claim that a disclosure will harm Capita’s commercial interests, even though they haven’t actually asked Capita what they think about the disclosure. The ICO tells the Cabinet Office that “it is essential that the Cabinet Office ensures that there is no repetition of these issues in relation to future requests”. This is the last time in 2013 that the ICO use the word ‘essential’ in this context. It’s January.

Decision FS50435121

The Cabinet Office carefully interpret a request about contacts with Common Purpose so that information they have already disclosed to another applicant is not disclosed. They refuse the request as vexatious (the ICO overturns this).

Decision FS504364434

The Cabinet Office fails to do an internal review in the ICO’s recommended timescale. It claims that the Statistics and Registration Service Act 2007 provides a prohibition on disclosure. It doesn’t. They try to use s22 (information published in the future) but are “unclear and inconsistent” with the ICO about when and by whom the requested information will be published. The Decision Notice states that the ICO normally offers one opportunity to explain the application of an exemption, but in this case, the Cabinet Office has failed to give a satisfactory answer at the third time of asking. One can only wonder why they get special treatment.

Decision FS50445422

The Cabinet Office applies an exemption without specifying which information is covered by the exemption in question. The applicant requests an internal review on 19th January 2012, and the Cabinet Office responds three months later. The ICO no longer uses the word ‘essential’ when discussing how important it is that the Cabinet Office not do this again.

Decision FS50457668

The request in question is made on 1st March 2012. The Cabinet Office respond on 10th May 2012.

Decision FS50461244

An applicant asking about training provided to David Cameron before his appearance at Leveson receives no information because he uses the phrase ‘coaching’ instead of ‘legal assistance’. At first, the Cabinet Office states it holds no information. At internal review, it claims that it holds information, but will publish the information in the future, citing a statement made by Jeremy Hunt about the publication of what turns out to be something else. When the ICO investigates, the Cabinet Office changes its mind again and decides it holds no information. It states that an objective reading of the request shows that the use of the phrase ‘coaching’ can only refer to a specific type of information. However, when the ICO points out that the applicant has asked for information about coaching “or” ‘preparation’, the Cabinet Office reverts to a subjective reading of the request, claiming that the applicant uses ‘coaching’ and ‘preparation’ interchangeably, even though this makes no sense in terms of what the applicant actually asked for.

Remember: I am receiving legal assistance, you are being prepared, he is being coached.

Decision FS50465008

The Cabinet Office refuse to answer a request because an email is not a document [Discuss]. They imply that you cannot request information unless you already know what it is, but at the risk of a Top Shop / Rihanna situation as regards the FT and Chris Cook, I’ll stop there.

Decision FS50465636

The Cabinet Office claim that no information is held based on a restrictive interpretation of the request. You’ll never guess what happens then. The internal review is completed outside the ICO’s recommended timescale.

Decision FS50466327

The internal review is completed outside the ICO’s recommended timescale. I know, me too.

Decision FS50472269

The Cabinet Office maintain a position of holding no information in relation to the applicant’s request until the ICO investigates. Guess what they find then?

Decision FS50474524

The Cabinet Office claim that telling the public how many times a committee on better regulation has met would affect ministerial collective responsibility. The ICO states that their arguments about the harm caused by disclosure are made as if the applicant has asked for other information.

Decision FS50475014

The Cabinet Office claim that they cannot find the requested information within the FOI timescales, but on internal review decide that the request is not valid.

Decision FS50478062

The Cabinet Office claim that ongoing investigations into the conduct of Jimmy Savile will be harmed because those involved will be less candid if information about why Savile received honours is released, an argument that the ICO regards as ‘highly speculative’. I agree that the use of the word ‘horseshit’ would probably have been unbecoming.

Decision FS50478062

The applicant makes their request on 9th July 2012. The Cabinet Office responds on 27th September 2012. The applicant requests an internal review on the same day. The Cabinet Office respond on 26th November 2012.

Decision FS50481901

The request is made on 28th November 2012. No response has been received by 21st January 2013. The ICO intervenes on March 6th 2013, and the Cabinet Office then ask the applicant for clarification, which he provides the same day. The Cabinet Office fail to answer and the Decision Notice is necessary simply to oblige them to do so.

Decision FS50490256

The Cabinet Office fail to give a valid response to an FOI request, and the Decision Notice is necessary to oblige them to provide an internal review.

Decision FS50498628 (22nd July 2013)

A Decision Notice is necessary to oblige the Cabinet Office to respond to this FOI request.

Decision FS5050001 (24th July, just over a week before Christopher Graham writes to the FT)

The applicant makes their request in September 2012, and only after being prompted on 8th March 2013 does the Cabinet Office promise on 10th April 2013 to reply by 8th May 2013. On 10th of June 2013, the ICO tells the Cabinet Office to respond by July 8th (nearly a year after the request was originally made). The Cabinet Office tell the ICO on the 17th July – less than three weeks before Christopher Graham’s stout defence of the ICO’s approach on the FT’s letters page – that they cannot possibly respond without the appropriate clearance. Which, I hope you’ll agree, is like slapping your buttocks heartily as you moon the policeman who is trying to arrest you.

I have no doubt that the ICO will continue to make variable FOI Decisions, many good, some appalling. But the FOI Act will remain unenforced, because someone in the Commissioner’s Office is apparently afraid of the Cabinet Office and is apparently obliging the boss to pretend that the Decision Notices as described above are going to do the trick. They haven’t and they won’t. The Cabinet Office would fight tooth and nail to protect disclosures about the Schleswig-Holstein Question. They have learned nothing from FOI’s introduction. Moreover, every public authority, every quango, every council, every NHS Trust, every police force, every college, every last one of them from Walberswick Council up is entitled to point to the Cabinet Office and say, if you didn’t do them, you’re not going to do us. So why should anyone take the ICO seriously on FOI?

Chris Graham’s letter to the FT characterised the ICO as an FOI watchdog unafraid to bark when it needed to. The finest manager I have ever had (much love and respect to you, Kevin) once characterised the ICO as being the kind of hound who could at worst give you a nasty suck. These days, I’m not even sure Wilmslow could run to a love bite.

FOI is dead; long live the Cabinet Office.

Categories
Brexit

The Red Menace

Just before New Year, the pro-Brexit, anti-single market pressure group Change Britain published a report about the possible savings that could accrue to the UK if we cut all ties with the EU. Keen observers of current politics will be astonished to learn that the amount is in the multiple billions. One of the top savings is from repealing the Data Protection Act 1998, which Change Britain claims costs the economy a whopping £1,058,830,000, while (if I am reading the table right), giving a benefit of precisely nothing. It’s a prime example of ‘harmful EU red tape’ that Change Britain is very much against.


Curiously, the report doesn’t include any mention of the General Data Protection Regulation, despite the fact that the Government announced several months before its publication that GDPR will apply in the UK, reflecting the reality that it will come into force before we leave. The report does not hint at any cost in repealing the DPA and replacing it with something else, or the wasted effort currently being expended by organisations large and small in preparing for GDPR, all of which they want to cancel out. The economic benefit of being able to share data across EU borders isn’t priced in at all, even if we accept the £1 billion cost at face value. Inevitably, Change Britain’s report has the mindset of an Oscar Wilde cynic, knowing the price of everything and the value of nothing. Although the DPA is clunky and badly enforced, the benefits of saying that personal data should be obtained fairly, used transparently, kept in good order and processed securely are enormous.

I emailed Change Britain just before New Year asking the questions outlined below. I would like to express my gratitude to the Change Britain staff member who took the time to give me two courteous replies when many people were probably on holiday or hung-over.

Can you confirm that Change Britain believes that the GDPR should not be implemented, as well as advocating the repeal of the Data Protection Act? Can I ask what analysis you have done into the effects of repealing DP, in terms of its effects on the security and quality of personal data, and the rights of UK citizens to know how their data is used, and to get access to it on request?

Can you also provide me with any proposals Change Britain have for replacing the Data Protection Act / GDPR, or is the idea to remove any controls or protections on the way personal data is used in the UK post-Brexit?

Finally, can you give me any analysis on the effect of repealing the DPA / not implementing GDPR on the ability of UK companies to exchange personal data with EU countries, and how this would affect the UK’s adequacy for Data Protection purposes? As I am sure you already know, not having adequate data protection provisions would make it virtually impossible for EU and UK companies to do business with each other, because no personal data could be shared outside the EU.

In their reply, Change Britain didn’t explain why they hadn’t mentioned GDPR in the first place, but noted that the Coalition Government said in 2013 that the GDPR could ‘impose unnecessary additional costs on current businesses’, a comment made on a version of the GDPR which is quite different to the one we’re actually getting. The emphasis was on ensuring that “expensive red tape is cut so that the burden on business is reduced”.

They didn’t really answer the questions, but the thrust of their preferred approach seemed to come here: “We believe that it is possible to secure a new relationship that allows ongoing data sharing between the UK and the EU and gives UK policy makers an opportunity to deal with the issues they have identified with EU laws and – in so doing – reduce the burden of red tape on British businesses”. They didn’t mention the fact that the current government has announced that the GDPR will apply or what the implications of that might be for their proposal. Crucially, while they clearly wanted to “reduce the burdens”, they did not explain to me what these burdens were.

It seemed to me that Change Britain were describing the Mother of Worst Case Scenarios: repeal of the DPA with a UK only replacement instead of adopting the GDPR, some kind of negotiated deal over EU data sharing with all the fragility that entails in the world of Max Schrems, a situation which could well mean UK businesses with EU customers separately adopting GDPR for their customers. Of course, there are many who think that an adequacy finding for the UK post-Brexit is going to be hard to achieve, and so some kind of UK Privacy Shield arrangement (AKA Daragh O Brien’s Privacy Brolly) is the likely outcome. But I’m not aware of anyone in the DP world who thinks this is a good idea – it’s just what we might end up with.

I emailed them again. I asked whether they were proposing what I thought they were proposing (making it sound as complicated and horrendous as I did just now). I wondered whether they had a list of the specific burdens that they objected to. I also asked if they had an analysis of the costs of reversing the current position on GDPR, given all the time and money that is currently going into preparing for it precisely because the government has said that we should. Finally, I asked whether a Privacy Shield arrangement should be the aim, given the fiery death of Safe Harbor and the fact that the prognosis for Privacy Shield is somewhat toasty (to paraphrase).

They were kind enough to reply again, but with a striking lack of detail. “Brexit is an opportunity to repeal laws that don’t work and introduce better versions” they told me. They did not dispute my interpretation of what they want, which is astonishing. They are “aware of the legitimate issues that you have raised, however we also believe that the concerns raised about the impact of the EU’s data protection regime on small businesses should also be given equal weight when the Government considers the opportunities that come from Brexit”. They didn’t explain how reversing current government policy and forcing UK businesses to operate at least two different DP systems, no matter how large or small they might be, was in the interests of anyone, and especially, how this would save a billion pounds. There is no reason why a small business wouldn’t be one of the enterprises running Change Britain’s UK DP at home, and the GDPR abroad, notwithstanding the *increase* in red tape that their proposal would involve. Change Britain want two laws in place of one, after all.

Despite claiming that Data Protection doesn’t work, Change Britain have not carried out any analysis on the burdens associated with it to underpin their demand that it should be abolished. They have not calculated the cost of abolishing it and replacing it with something else – indeed, I would go as far as to say that they showed no evidence of having thought about it. They could only point me to the previous government’s (now outdated) view of GDPR, and reports produced by the British Chambers of Commerce in 2005 and 2010. It seems to be a case of UK good, EU bad, even as the GDPR is being scrutinised around the world as a model to emulate, or at least react to.

Change Britain’s abolition of the DPA and the abandonment of the GDPR is an economically illiterate idea on a par with Vote Leave’s NHS Bus Promise. It makes no sense except as a sound-bite in a press release designed solely for headlines and incapable of surviving serious analysis. Change Britain’s idea is the opposite of what the Government has told UK businesses to prepare for. It is a recipe for confusion and uncertainty. It is utterly irresponsible.

Whatever you think of Brexit, it has wiped the future clean. Anyone who confidently predicts what the UK will look like in 2020 or 2025 is a fool or a liar. I think it will be a disaster, but other opinions are equally valid. The UK Government’s confirmation that GDPR will apply is a small strand of certainty. Even though the Secretary of State left the door open for change at some stage (which she has every right to do), we know what’s coming next for Data Protection, despite Brexit. In their antipathy towards the EU and all its works, Change Britain want to murder even this tiny certainty. They have no original thoughts on why they think it’s a good idea beyond money-saving that they cannot possibly stand up. They cannot offer any hint of what they want to replace DPA / GDPR with, except that it must be homegrown. It cannot be European in origin. I very much hope that their proposal gets the shortest shrift that the DCMS has in stock.

Make no mistake, compliance with GDPR will be difficult for some, but I suspect that many of the organisations most keen to decry the GDPR would struggle equally to comply with the 1984 Data Protection Act, produced by the Thatcher Government, which even now has parallels with both our current DP Act and the GDPR. The GDPR is clearer, less technical and more understandable than the DPA. It is in most ways an improvement. Change Britain’s proposal is vandalism, and we should wash it away.

FULL DISCLOSURE: I voted Remain, I wholly accept that the UK is going to leave the EU as a result of the referendum, I am more convinced than I was before that it is a stupid idea, and in a free country, you should defend my right to say so.
Categories
Boris Johnson

The Joy Of Text

Einstein said he couldn’t predict what weapons the third world war would be fought with, but the fourth war would play out with sticks and stones. The direction of the FOI arms race is equally hard to predict. Tony Blair’s era in power gave us ‘sofa government’, a term coined to describe the informal, un-minuted approach to decision-making that he supposedly preferred. More recently, Lord McNally has scared us with the ‘post-it-note culture’, with vital information recorded in the most temporary of media, to be screwed up and dumped as soon as the decision is made. Given Government Ministers’ propensity for putting stuff in the wrong bin, perhaps 3M will produce Post-It pads made of rice paper, so the offending article can be swallowed and FOI thwarted for ever more. But after sofas and post-its, have we now got ‘Txt Gvmnt’?

In the wake of the DfE private email kerfuffle (I’ve downgraded it from a hoo-ha), I read a story about Boris Johnson using both private emails and text messages to get around FOI. It had never occurred to me that a text message would be covered by FOI. Had I ever thought about it, I would have said they were, but the scrappy and informal medium I always use as an example of how far FOI goes is the Post-It. I was therefore intrigued to find out whether Boris had been sending interesting secret texts, and whether anyone would try some sleight of hand to say that they weren’t covered. I nearly didn’t ask on the basis that Boris and the GLA are local government, and I generally operate a ‘don’t shit where you eat’ approach to my FOI requests. But if Boris was trying to keep things out of sight, the possibilities were endless and if nothing else, here was the opportunity to see how the Mayor renders ‘cripes’ and ‘spiffing’ in text speak. So I asked for the following:

the content of any text message sent or received on official business between 1 September 2011 and the present day (24 September) and still retained as at the time of this request by any of the following individuals:
  • the Mayor of London, Boris Johnson
  • Any of the deputy mayors
  • Guto Harri, Director of External Affairs
I should confess that I didn’t realise Harri had left the BBC until I saw his name on the Mayor’s website and I threw him in on a whim. I hope the aftermath book he will inevitably write is as good as fellow ex-BBC turned spinner Lance Price’s was. If Boris is anything like the Boris of the popular imagination, it may be a bit more Hogarthian.

They turned me down on cost grounds. It’s difficult for me to say that I am disappointed with the reply because firstly, it contains one of the features of an FOI response that I always used to enjoy when deploying it, i.e. the Show-Stopping Estimated Cost of Response. In this case, the SSECoR was a whopping £2,550. My rule of thumb when trying to make this technique convincing was always to aim for a grand and while I am slightly sceptical about the idea that it would require the claimed 3-4 minutes per text to cut and paste all the messages, I accept that it would be a horrendous task, well over the cost limit.

Which leads me on to the second thing about the response that didn’t disappoint. The admirable estimate was based on the fact that “there are approximately 1,530 messages relating to GLA business sent and received by the people specified in this period (based on an average of 81 text messages per working day and 20 text messages on each Saturday and Sunday)”. My request covered six people, so the number is nowhere near as daft as it sounded to me when I first read it. I know someone who can send 81 text messages in an hour (many of them admittedly the electronic equivalent of finger painting). But nevertheless, that’s a lot of correspondence between important people doing important jobs – remember, my request explicitly asked only for texts sent for official business, so anything about lunch arrangements or ping pong would have been excluded from the calculations. Texts sent and deleted before my request was made would also be out of the game. I’m clearly very naive, because I didn’t anticipate there being enough messages for my request to fail on cost grounds.


UPDATE: The estimable tweeter @FOIMonkey, who understands the black arts of mobile technology, advises me that the estimate may not be entirely realistic (AKA “nonsense”), so I have put in an internal review on principle.


And there’s the payoff.  If you live in London, a fair amount of official correspondence about how your city is governed lives only on a phone, and may be being generated only with a thumb (OK, I can’t imagine Boris doing that insane teenage texting thing, but you never know). Have I finally reached the age where the way things work inevitably seems trivial? Will I start to use the phrase ‘new-fangled’? Or should we have concerns about the people who govern the so-called engine of our economy using their phones to run the place? What important information might reside in that most transitory of places? And are they using Twitter to run London as well? (NB, of course they bloody are)

Full credit to the FOI people at the Mayor’s Office, they didn’t flinch. I didn’t get my shocking Boris text revelations because I asked for too many of them and was legitimately refused, not because of any ‘texts aren’t covered by FOI’ nonsense. But think on this: up and down the land, there are enough people with iPhones, BlackBerrys and intermittent common sense to make the prospect of what FOI might do with text messages more than interesting. All it will take is for someone to work out a better question than the one I asked.

And for my next experiment, Twitter or BBM?

Categories
Blacklists

Are You Now, or Have You Ever Been


The Labour Party’s recent – if belated – interest in the Consulting Association is a good thing. The late Ian Kerr ran a secret blacklist for a range of big-name construction companies, and there is simply no defence for what he and they did. The fundamental principle of Data Protection is fairness, and fairness is not just about the general notion of being equal and proportionate – the DPA specifically requires organisations to inform individuals about how their data is used. Even if the construction industry needed a quick central system for checking the reliability of casual employees, it would be vital for workers to know about and have access to it to ensure that the facts were correct and the decisions justifiable. The secret nature of the system, of course, was to cover the real aim of rooting out people who might ask awkward questions about health and safety or working conditions.

It is hard to imagine anything more squalid than a hugely successful industry – bloated with public sector contracts and many establishment connections – targeting ordinary working people who want to prevent deaths, accidents and unfair working practices. This activity is a stain on their reputations and they must not be allowed to forget it. The anger directed by unions, Liberty and individual workers is justified. The fact that the construction companies escaped largely unpunished is a scandal. The chief responsibility for this disgraceful business lies at their door.

However, much of the ire is bizarrely directed at the Information Commissioner. Despite his cack-handed defence on the Today programme, the current Commissioner Christopher Graham is not to blame for the construction companies’ apparent impunity, nor is his predecessor. I think Richard Thomas’ tenure as Information Commissioner was fairly disastrous (especially for FOI), but the Consulting Association prosecution was possibly the biggest success of his time in the job. Few of the criticisms hold any water. Unions have demanded that the entire CA database should be handed over to them – using publicity and FOI to achieve this. This would be a breach of the Data Protection Act. The ICO obtained the database as part of an investigation, and whatever the motives of the unions, it would be unfair to every person on that list for their information to be given out to every angry union that demands it.

The ICO has also been criticised for not proactively contacting all of the people on the list. As someone who already thinks that the ICO does not put enough resources into enforcement, the idea that they would spend the doubtless huge sums of money contacting thousands of people (after sorting through the information to identify them properly) is ludicrous. The ICO is not there to help people pursue claims – they are there to enforce the law, not to take sides and support individual actions. It was their job to take on the problem – they did that.

The biggest criticism levelled against the ICO is the lack of prosecutions for the construction companies. The Unions and various Labour figures have been loud and self-righteous in their outrage over the perceived lack of action. The £5000 fine for Kerr was paltry, and the enforcement notices issued to the construction companies lacked the required sting. But all of this is Labour’s fault. Exposing Kerr and seizing his database was the most the ICO could do – as his operation depended on secrecy, the raid killed it. The only criminal offence that the ICO could charge Kerr with was non-notification and the maximum penalty for non-notification was £5000. It was not a criminal breach of the Data Protection Act to run or use a blacklist when the construction companies encouraged Kerr to do so and paid his bills and fine for him. In 2009, the ICO did not have the power to issue Civil Monetary Penalties. No regulator can prosecute without a specific offence, and there were no offences on the statute book. His current CMP powers are not retrospective, and if they should have been, it was Labour’s decision not to make that happen.

It’s easy to attack the ‘disgraceful belligerence’ of Chris Graham’s performance on Today, as Val Shawcross, a Labour London Assembly Member, did on Twitter. Jessica Asato, prospective Labour candidate in Norwich, does the same on Labour List: “Scandalously, when prosecution was sought for Ian Kerr the CEO of the Consulting Association (and apparently a previous employee of the Economic League) he was only fined £5000 for data protection issues and none of the firms who paid for the information were fined at all.” If this is a scandal, it is a scandal that Asato’s party devised. A fine for the companies was more or less impossible, unless the ICO also prosecuted them for not notifying their use of the CA database. The maximum fine would have been £5000, even if the prosecution had been successful.

The Data Protection Act 1998 and its associated regulations were created and passed by a Labour Government. If the ICO’s response – the strongest possible legal response – was inadequate, it was because the Blair and Brown governments made it that way. Breaches of data protection had no adequate punishment until the shambolic data handling within Government embarrassed Brown into a U-turn. Labour still backed away from making data theft an imprisonable offence under pressure from the Daily Mail, and even now, Section 63 makes it impossible for the ICO to prosecute the Government or the Royal Household for a criminal DPA breach. Any union, any worker, any ambitious politician who wants to raise the issue of why the construction companies got out of jail free cannot go after the ICO, and they are being dishonest if they do.

Chuka Umunna, the Shadow Business Secretary, is making a lot of what is an unfashionable issue and he deserves credit for doing so. He wasn’t an MP when Labour set Data Protection up without any teeth, and so his hands are fairly clean. Nevertheless, I can’t help thinking that the party’s enthusiasm for the issue now might have something to do with the fact that they are no longer in government making decisions, and awarding humongous PFI contracts to the businesses that were guilty of the ‘affront to justice’ that Asato finds so offensive.

One strong element of Asato’s article still rings true, and brings us round (inevitably) to the part of this post which allows me to revert to type and have a dig at the Commissioner. She points out that blacklisting and stigmatising of union and other activists in construction is an ancient business, going back to the founding of the McCarthy-like Economic League in the 1920s. I think it’s safe to assume that there is a version of the Consulting Association running right now. Kerr is dead, but the idea that a practice that is at least 90 years old will suddenly stop because it was exposed is idiotic. Panorama exposed the League in 1994 and blacklisting didn’t die then. Deputy Commissioner David Smith sets out the ICO’s approach to the Consulting Association fairly on the office’s website, but he loses credibility with this unnecessary final flourish:

The construction blacklist remains a black spot on the history of employment in this country. While the work to close it down is long completed, our work to help those whose lives were affected by the blacklist continues.

Everyone involved in the Consulting Association case should be proud of the good work they did. If I was a very suspicious person, I would wonder whether Labour and the Unions see the ICO as a convenient whipping boy to cover up their own failings on this matter. But I support Asato when she says that the work on closing down blacklists is almost certainly not over. Rather than attacking the ICO for doing the right thing, workers, unions, politicians and advocates for better Data Protection should chide the ICO for resting on its laurels. It should be knocking on doors across the construction industry and demanding evidence that the 2009 enforcement notices – which have presumably not been withdrawn – are still being complied with. The stick they wield now is a lot bigger, and they should not persuade themselves that they don’t need to use it.

Categories
Baroness Deech

Every time you attack the Data Protection Act, a fairy dies


According to comments reported in the Daily Mail (http://tinyurl.com/bqa5dpm), Baroness Deech says that a school should be able to tell a university that a prospective applicant’s mother is an alcoholic, and their father abandoned them, without fear of the parent or child being able to find out. The inability to share information so vital to the matriculation process, coupled with the drastic effect on job references that Deech is so exercised about she cannot actually cite any examples, is so damaging that were she to be made Prime Minister for the morning, abolishing the whole Data Protection Act would be her first task.

In the years I have been working on Data Protection, I have encountered some ludicrous views on the Act’s idiosyncrasies, so I cannot say for certain that the noble Baroness’ musings are the worst. I still have a soft spot for Tom Utley’s haunting account of his niece’s flute exam results not being accessible allegedly because of the machinations of the Data Protection Act. He was clearly so thunderstruck by the story he used it twice, first in the Daily Telegraph (http://tinyurl.com/dxte7kt) and later in the Daily Mail (http://tinyurl.com/cdw4tuo). I like the tale because its account of a daft teacher mistakenly using the DPA as an excuse not to give out the results, and then said results actually being obtained because a request was made under the DPA, is an advert for the legislation, not a condemnation. At worst, all Mr Utley’s story does is underline the vital need for good quality, pragmatic Data Protection training, if you know what I mean.

Anyway, Deech’s opinions are more troubling because she is not trying to fill a newspaper column, but is (ostensibly) a sensible and serious establishment figure with a seat in the House of Lords. In her fantasy PM moment, she would prevent social services clients from finding out what happened to them as children, stop individuals from correcting inaccuracies in their credit records, and ban patients from seeing their medical records. There would be no right to stop marketing, no ability to sue for damages for unfair or inaccurate uses of data. Your records would not need to be adequate or accurate. Security would be optional. And of course, the foundation of the DPA, the obligation on organisations to tell you what they’re doing with your data and why, that would be gone as well. All so that important people who know best can exchange their opinions without having to justify them. We’ve already had GPs bleating about having to hand over medical records without being able to charge insurance companies £97 for them (http://tinyurl.com/cu99nsy), and now the establishment wants to kill vital legislation so we can get back to the good old days when you could exchange information in secret. Because that never did anyone any harm, right?

It’s possible that Deech doesn’t know what else the DPA does, and in wishing to allow institutions to provide life-changing references without those affected (and other third parties) being able to assess fairness and accuracy, she doesn’t know what else she is wishing away. I doubt it – I’m sure her genuinely illustrious career in the law, academia and public service would have introduced her to its wider implications. And besides, Wikipedia claims (http://tinyurl.com/cyrhu6j) that her first cousin is the UK’s Blackbelt Openness Champ Maurice Frankel, so perhaps he might have given her a few pointers. But even on its own terms, her antipathy to transparency would shift power from individuals back to organisations, allowing them to say what they like about people with impunity. It’s an elitist and undemocratic approach – but I did mention that she is a member of the House of Lords.

When writing a reference, you have to be objective, fair, and accurate. If you have a valid opinion that the person might not like, you should include it and stand by it. If organisations really want to send or receive references written by people too spineless to justify their comments, they’ll end up with references written by people who might make them up to settle scores. Indeed, Deech’s proposal would facilitate that.

The Data Protection Act is often abused. Organisations routinely hide behind ‘Data Protection’ as a cover for poor or unhelpful customer service (for example, there are several ways to quickly and easily allow family members legitimate access to a relative’s account which DP does nothing to prevent). People who are confused, uncertain or indecisive about the use and sharing of personal information sometimes use Data Protection as a shield for their hesitancy. As we enter the festive season, head teachers up and down the land may tell parents that ‘Data Protection’ prevents them from filming their kids at Nativity Plays (parents are, in that context, absolutely exempt from the Data Protection Act under Section 36). But the Act is solid and sensible, and gives us rights and protections we need to protect us from the powerful, the arrogant and the lazy. We need a better explained, better regulated DPA, not an abolished one.

So I would like to add the first item to my Christmas list for Santa’s perusal. I would like Baroness Deech to get her wish, but only for herself. Like George Bailey’s journey to a Bedford Falls where he didn’t exist in ‘It’s A Wonderful Life’, I request that Santa lets the Baroness experience a world where the admittedly imperfect but nevertheless essential Data Protection Act simply doesn’t apply to her, and anyone can share any information about her, regardless of purpose, quality or relevance. People who don’t need to can read her personnel file or her medical records, and write references that she isn’t allowed to see, or even know about. She can’t correct inaccuracies, and her data is strewn around the streets on lost pen-drives and files left on the roofs of cars.

OK, we’re all apparently experiencing that last bit, but you get the idea.

Categories
Apocalypse

Libya, Syria… is Norfolk next?


I had intended this blog to cover all aspects of information governance including marketing, but unfortunately, my anorak’s habit of reading terms and conditions has already got the better of me in a possibly irrelevant way.


In Waitrose’s weekly magazine, they had a competition sponsored by Jordans Cereals to win a weekend in Norfolk. As always, the terms and conditions seek to ensure that if Anything Happens, the promoters will not be in the frame for any legal action. However, I have to assume that Jordans are using some kind of parent company devised for a prize trip to a Disaster Movie, because the alternative foresees a nightmarish future for Norfolk. Forget the torment in the Middle East and the tropical storm in New York, it’s all apparently coming to East Anglia.


The first bit covers the corporate back in general terms:


“The Jordan’s & Ryvita Company Limited accepts no responsibility for any damage, loss, liabilities, injury or disappointment incurred or suffered by You as a result of entering the Competition to accepting any prize”.


Now, I’m with Jordans here. If the winner doesn’t enjoy their trip to Pensthorpe, or the runners-up find their Emma Bridgewater bowls to be less than delightful, I don’t think they should be able to sue anyone for ‘Disappointment’. I’ve been disappointed by something pretty much every day since I was nine, and I’ve always accepted it as a character flaw rather than an opportunity for litigation.


However, the next bit sounds like legal brainstorming gone a little too far. I say again, the winner goes to Norfolk.


“The Jordans & Ryvita Company Limited shall not be liable for any failure to comply with its obligations where the failure is caused by something outside of its reasonable control. Such circumstances shall include, but not be limited to weather conditions, fire, flood, hurricane, strike, industrial dispute, war, hostilities, political unrest, riots, civil commotion, accidents, supervening legislation, or any other circumstances amounting to force majeure.”


I’m assuming that plague, alien invasion and Giant Lovesick Ape from Skull Island are wrapped up in ‘any other circumstances’. There’s a town not a million miles away from me that does look like it has suffered a hurricane, but generally speaking, unless the winner has cheated death in a Final Destination movie, I don’t believe Norfolk is likely to play host to any of the anticipated calamities. Or is this simply an awful portent of what is to come?

Categories
Another bunch of people who will now hate my guts

What do they know?


A few months ago, a dispute arose between the popular / reviled* FOI request website What Do They Know and a landlord in Bournemouth, after his address was inadvertently included in an FOI response. The landlord asked for his address to be removed, and What Do They Know refused. WDTK volunteer Richard Taylor described all this on the site, drawing attention to the fact that the address was still there. I can see no evidence that WDTK informed the landlord that they would publicise the fact that he had complained; my guess is that they did not.

The landlord complained to the ICO. Replying to the ICO on behalf of the charity, Taylor claimed that there was a legitimate interest in continued publication, but hedged his bets by stating that WDTK was exempt under DP’s S32 journalistic purposes exemption. The ICO rejected both arguments and asked WDTK to remove the original spreadsheet. Again, Taylor wrote in detail about this on the site, revealing in the process that the landlord had complained to the ICO. It’s worth noting that the ICO never reveals the identity of those who make complaints to it, and I can find no evidence that the complaint was made public anywhere else. None of my correspondence with the charity has revealed any.

A similar issue arose last year. Another council published the name of a Unison official (apparently in error) and What Do They Know refused to take it down. Again, Taylor revealed the fact that the individual had complained to the ICO, although on this occasion the ICO chose to take no action. Taylor also researched the complainant and published information about his wife on the WDTK page. Though the information Taylor gathered was clearly in the public domain, at best, it suggests an unsympathetic attitude to those who raise concerns when their data gets published on the site.

The first Data Protection principle requires Data Controllers to process data fairly, lawfully and according to a set of conditions. In this case, the data controller is UK Citizens Online Democracy, the charity which runs My Society. Data Protection requires that people must be told how their data will be used, while the only condition available to What Do They Know is legitimate interest, which must be balanced against any prejudice to the rights and freedoms of data subjects. If you complain to What Do They Know, or to the ICO about What Do They Know, they’ll make this public and a volunteer may research your family relationships and publish that too. As Taylor’s comments are always couched in terms of ‘we’ and ‘us’, I believe that this approach is endorsed by the charity as a whole. This blows the legitimate interest argument out of the water: if a person cannot complain to either What Do They Know or the ICO without the matter being published by What Do They Know, there is clearly prejudice to their rights and freedoms.

The doomed use of S32 piqued my interest, so last month I asked What Do They Know for copies of: “any procedures or guidance available to control how personal data is obtained and published by My Society in the context of the What Do They Know website”. Of course, the charity isn’t covered by the Freedom of Information Act, but for an organisation whose public commitment to FOI and transparency verges on the obsessive, it’s not unreasonable to ask them to apply FOI standards to themselves. A month later, I received a reply:

“Personal data generally comes from users and public bodies and the site, and emails sent by it, contain lots of warnings when material is to be published online. We do our best to ensure our users, including those responding to requests at public bodies, are fully aware of what we do with the information we obtain.

NB: if you’re writing a blog post, please note how we write mySociety.”

That’s right – they didn’t give me the guidance, but Heaven Forbid I get the branding wrong. I persisted, pointing out they’d dodged the request for procedures in favour of a vague narrative answer. This time, I received a reply from Mark Cridge, the Chief Executive, setting out the decision-making process for What Do They Know (there was an opportunity for him to distance the charity from Taylor’s actions here, and he didn’t take it). On the specific request for procedures, despite the fact I’d pointed out that my request had been sidestepped, this was his reply:

We also have policies on our private internal wiki, which volunteers can refer to which provide more detailed guidance on our established policies, specific data protection guidance and key learnings from our experience of running the service for the past eight years

But he didn’t provide them, though this was what I had asked for twice. Yes, the charity is not covered by FOI and can do what it likes when annoying people like me ask them questions. No, this approach is not consistent with the values of an FOI campaigning organisation. In any case, it doesn’t matter, because I already know what the Private Wiki says about Personal Data:

Personal data in general

  1. We only consider takedown requests when we get them. We don’t pre- or post-moderate the site.
  2. The source of personal data is irrelevant, whether it is inadvertent, leaked with intent, or from someone who later develops “Google remorse”. The source of complaint/takedown request is also irrelevant, whether it comes from the data subject or a third party.
  3. Our responsibilities are therefore about deciding whether to continue publishing or not, in line with our obligations as Data Processors, when a complaint about personal data is drawn to our attention, i.e. on a case-by-case basis
  4. We have DPA Section 32 on our side, so we look at the PCC code and weigh up the public interest

The guidance proves that Taylor’s use of S32 isn’t just a randomly clutched straw. S32 is an immense exemption – it removes more or less every Data Protection requirement except security. The fact that it doesn’t apply to What Do They Know (and we know that this is the ICO’s position) isn’t the only problem. The reference to What Do They Know being ‘Data Processors’ is even more stupid. Data Processors have no data protection responsibilities – they are merely agents of someone else. There are two problems here. First, it’s impossible for the charity to be simultaneously a data controller using S32 and a data processor – they’re either one or the other. Second, the subtext of both positions is that the operation of What Do They Know exists in a vacuum – whether it’s because they’re journalists or data processors, they’re not answerable for DP issues.

The absurdity of the charity thinking it’s a data processor is plain as soon as you try to work out on whose behalf they would be operating. They’re definitely not data processors for the public authorities, who have no option but to send data to the website. It’s equally ridiculous for the charity to think that they’re Data Processors for the applicants. If this was true, UKCOD wouldn’t be allowed to remove material from requests without the applicants’ permission, applicants would be the ones dealing with the ICO over complaints, and every What Do They Know user would need a binding legal contract with the charity, or find themselves in breach of the Data Protection Act’s seventh principle.

Guidance like this could easily create a sense of immunity and entitlement – whatever happens, we’re not covered. Worse than that, the volunteer who seems to take the lead on Data Protection issues is Taylor, an anti-privacy zealot who films people without their permission and without properly identifying himself, and publishes the results despite their explicit requests for him not to. When I contacted him about this intrusive behaviour earlier this year, he justified his antics with similarly vague S32 arguments. He also compared himself to Channel 4 News and Roger Cook, although I don’t think they ever stood in the rain filming a meeting through a window despite being invited inside. He also told me that he didn’t need to provide a Data Protection notification for his website because he claims the ICO says that ‘personal websites’ are exempt. They’re not, and the ICO doesn’t say so. I can’t prove that Taylor wrote the WDTK guidance, but I think it’s a safe assumption.

Whenever I write a blog like this about people who perceive themselves to be doing the right thing for the right reasons, one of the criticisms that is thrown back at me is that I am being deliberately negative. Why can’t I offer something constructive? Indeed, the last time I criticised What Do They Know, this is exactly what the former Director of My Society Tom Steinberg said. I did write a blog with some helpful suggestions of how What Do They Know could be improved, but none of my suggestions were taken up. This time around, I put my money where my mouth is. Last year, long before I corresponded with UKCOD or Taylor about these matters, I offered free Data Protection training to the volunteers at a time and venue of their convenience. I didn’t want any PR; indeed, I would have asked them to keep it a secret. Of course, I am not a cheerleader for What Do They Know – I think it can be an unhelpfully ideological enterprise, sometimes showcasing the worst aspects of FOI – but the offer was genuine and it fell by the wayside for reasons that were never explained.

So here we are. Cridge told me that the policies and procedures he didn’t want to show me will be reviewed, but how long has the above-quoted nonsense held sway? What Do They Know volunteers can shame complainants and dig into their backgrounds, while the organisation fails to be transparent over its flawed guidance. Of course, I didn’t tell anyone at What Do They Know that I knew what the guidance said, but if transparency is such an unalloyed positive, why couldn’t I prise it out of them?

It’s impossible to blame UKCOD for the fact that public authorities sometimes inadvertently disclose information in response to FOI requests. It would be unacceptable if data was accidentally sent to a single applicant. Nevertheless, What Do They Know magnifies the problem by publishing all responses and failing to moderate what goes onto the site. I’m not convinced Richard Taylor is qualified to be involved in complex decisions about the publication or removal of personal data on behalf of a charity. I certainly don’t have confidence in a system based on wildly illogical guidance, and which allows volunteers to publish information about complainants and research their backgrounds. Complainants must be treated with respect, even if their complaints fail.

UKCOD’s management and trustees cannot hide behind the volunteer nature of What Do They Know – the website is not a naturally occurring phenomenon, and it needs to be managed and controlled. They created it, they run it, knowing that they lack the resources to proactively moderate it. In the light of this, if it is in the public interest for FOI requests to be broadcast, exactly the same approach should be taken for how What Do They Know is run.


(*delete as appropriate)

Categories
Another bunch of people who will now hate my guts

Fair Cop


The bedrock of Data Protection is fairness. You cannot gain consent without fairness. Your interests are not legitimate interests if they are secret interests. Unless you have an exemption or you claim that telling the person represents disproportionate effort (i.e. the effort of telling outweighs the actual impact), you have to tell the person whose data you are using the purposes for which their data will be used, and any other information necessary to make the processing fair.

The ICO’s Privacy Notices Code of Practice is not ambiguous, nor was its predecessor. It is impossible to read the ICO’s published guidance on fair processing without taking away the key message, consistently repeated for more than a decade: if something is surprising or objectionable, especially if it involves some kind of impact or sharing outside the organization, it should be spelled out. New-ish Information Commissioner Elizabeth Denham seems to have chosen to reverse the ICO’s previously timid, unimaginative approach to the first principle with a pair of civil monetary penalties against charities. We have one each for the Royal Society for the Prevention of Cruelty to Animals, and the British Heart Foundation, with the promise of more to come. You might say it was unfortunate that charities are first in line rather than, say, credit reference agencies or list brokers (to be a touch tautological). It was the charity sector’s misfortune to fall under the Daily Mail’s Basilisk gaze, and they have to accept that we are where we are.

To issue a civil monetary penalty, there are three hurdles for the ICO to clear. Firstly, there must be a serious breach. Both charities used commercial companies to profile thousands (and in one case, millions) of donors, buying up data from publicly available sources* to assess their wealth and resources; they shared data with other charities whose identity they did not know via a commercial company; and in the case of the RSPCA, they bought contact details to fill in gaps in the data that donors had provided. The average donor did not have any idea that this was happening. I can see there’s a problem that when everyone in the charity sector knows that wealth screening goes on, it seems normal. But I’ve been using it as an example on my training courses ever since the Mail revealed it, and, bearing in mind that attendees are often seasoned data protection professionals who know about data sharing and disclosure, they are invariably shocked and in some cases revolted by what I tell them.

There is no doubt in my mind that this processing needed to be spelt out, and there is no doubt from the notices that it was not. ‘Carefully selected third parties or partners’ has been a stupid lie in marketing for years, but not even knowing where the data goes is much worse than the usual flogging it to all comers. At least the list broker knows who he’s flogging it to, even though the only careful selection is the ability to pay.

The second hurdle is the need to show that the breach is likely to cause damage or distress to the affected data subjects. It’s been known for quite some time that the ICO was planning to take enforcement action over the Mail stories, and the gossip I heard from charities was that fines were likely. I’ll be honest, I wasn’t convinced. The Information Commissioner lost a Data Protection Tribunal appeal from Scottish Borders Council because they bungled the damage / distress element of a £250,000 CMP over pension records found in recycling bins. The ICO made a flawed claim that the loss of paper pension records was likely to result in identity theft, but Borders had an expert witness who could argue convincingly that this was not true. The link between the breach (the absence of a contract with the company processing the data) and the damage was broken, and the ICO lost.

But this case is different. The ICO does not need to make a link between an incident and a breach, because they are bound up together here. Both notices show that the ICO has given considerable thought to the distress angle. There is no question that the charities breached the first principle, and their only hope for an appeal is to convince the Tribunal that people would not be caused substantial distress by secret profiling and data sharing after an act of generosity. This is not science, and all I can say is that I am persuaded. But for an appeal to be successful, the charities will need to persuade a Tribunal with strong experience and knowledge of DP and PECR from the numerous (and almost exclusively doomed) marketing appeals.

The third element requires the breach to be deliberate or a situation where the charities ought reasonably to have known about the breach. As I have already said, the ICO’s position on fair processing is well known in my sector and available to anyone who can type the ICO’s web address. I think it’s possible that the charities didn’t know what they were doing was a breach, but in my opinion, this is because the Institute of Fundraising and the Fundraising Standards Board effectively acted as a firewall between charities and reality. The advice (often inaccurate and out of date) came from the IoF, and complaints about charities went to the FRSB and no further. When your code of practice is written by the people who earn their living from fundraising and most in your sector are doing the same thing as you are, it’s not hard to fool yourself into thinking it’s OK. But ‘everybody does it’ will cut no ice with the Tribunal. The RSPCA and the BHF are not tiny charities flailing in the dark – they are massive, multi-million-pound operations with vastly greater resources than many of my clients.

Daniel Fluskey, Head of Policy for the Institute of Fundraising, whose apparent lack of experience or qualifications in Data Protection does not prevent him from writing inaccurate articles for the charity sector on GDPR, has already weighed in, saying that the ICO should be providing the specific wording that charities require: “Charities need more detail on the ICO’s view of what lawful practice looks like: what form of words would have passed the test?” The Information Commissioner is the regulator for every organisation, of every size and shape, that processes personal data. If they start writing tailored wording for charities, they will have to do it for everyone else as well. It is a ridiculous demand. I think the ICO should move on to the data pools, wealth screeners and list brokers, but if she could find the time to issue an enforcement notice on the Institute of Fundraising, forbidding them ever to speak or write on Data Protection matters again, the third sector would have a fighting chance of complying.

Besides, how hard is it to find compliant wording? Nobody – especially not the trade association for fundraisers – should be allowed to present this as a byzantine and complex task. The individual doesn’t need to know what software you’re using, or whether cookies are involved. They need to understand the purpose – what are you collecting, what are you going to do with it, who are you going to give it to? This should be presented without euphemism or waffle, but when you strip out the legalistic nonsense, you see the problem. It isn’t that the poor charities were labouring under the burden of complex data protection rules. They could not comply with the Data Protection Act because what they were doing (and in RSPCA’s case, are apparently still doing) is so unattractive:

  • We will share your details with unspecified charities via a commercial company. We don’t know who they are.
  • We will buy your phone number, postal or email address from a commercial company if you have not given it to us.
  • We will use commercial companies to compile a profile of your wealth and property to work out whether to ask you for further donations. If you are likely to be worth a lot when you die, we will use this information to ask you for a bequest.

When Reactiv Media appealed their PECR penalty, the Tribunal rejected their appeal and increased the penalty. Like a lot of the spammers, they put themselves into administration to avoid paying up, but this option is not available to household name charities. If either the RSPCA or BHF appeal, they are dragging themselves deeper into the mud, and very possibly spending thousands more of donors’ money to do so. If they say that what they did wasn’t a breach, or that they couldn’t have been expected to know that it was, their officers, advice and business model will be scrutinised to a doubtlessly painful extent. The claims management company Quigley and Carter found themselves described as “feckless” and “most unimpressive” in the course of being filleted during a recent failed appeal. Do charities really want that? Even if they decide to roll the dice solely on distress, does either charity really want to acknowledge a serious breach that they knew or ought to have known about in the hope of getting the fine overturned on a technicality? Do they want the ICO to call donors as witnesses?

The business model of pressure selling, TPS-busting, heavy texting, data sharing and donor-swapping adopted by some of the UK’s most celebrated charities resembles nothing so much as the activities of the claims management and PPI spammers (i.e. the scum of the earth). For all the noise and bluster on Twitter and in the charity press this week, there is an uncomfortable truth that has to be faced. The hated Daily Mail unearthed it, and the ICO has rightly acted on it. Some big charities have run an end-justifies-the-means approach to marketing and they have got away with it for a decade. Fundraisers ruled the roost, and compliance has been sidelined or ignored. Given how much money the RSPCA and the BHF have raised from fundamentally unlawful practices, they should pull back and rethink how they get donations in the future. They should ignore the Institute of Fundraising’s every word on Data Protection and PECR, and like every other charity, concentrate on reading and applying the ICO’s Code on Privacy Notices and guidance on Direct Marketing.

And right now, if there is a fundraiser sitting with the two CMP notices working out how to devise a method that raises loads of cash for their cause while complying with Data Protection and PECR, I hope they wipe the floor with everyone else.

*citation needed

The bedrock of Data Protection is fairness. You cannot gain consent without fairness. Your interests are not legitimate interests if they are secret interests. Unless you have an exemption or you claim that telling the person represents disproportionate effort (i.e. the effort of telling outweighs the actual impact), you have to tell the person whose data you are using the purposes for which their data will be used, and any other information necessary to make the processing fair.

The ICO’s Privacy Notices Code of Practice is not ambiguous, nor was its predecessor. It is impossible to read the ICO’s published guidance on fair processing without taking away the key message, consistently repeated for more than a decade: if something is surprising or objectionable, especially if it involves some kind of impact or sharing outside the organization, it should be spelled out. New-ish Information Commissioner Elizabeth Denham seems to have chosen to reverse the ICO’s previously timid, unimaginative approach to the first principle with a pair of civil monetary penalties against charities. We have one each for the Royal Society for the Prevention of Cruelty to Animals, and the British Heart Foundation, with the promise of more to come. You might say it was unfortunate that charities are first in line rather than, say, credit reference agencies or list brokers (to be a touch tautological). It was the charity sector’s misfortune to fall under the Daily Mail’s Basilisk gaze, and they have to accept that we are where we are.

To issue a civil monetary penalty, there are three hurdles for the ICO to clear. Firstly, there must be a serious breach. Both charities used commercial companies to profile thousands (and in one case, millions) of donors, buying up data from publicly available sources* to assess their wealth and resources; they shared data via a commercial company with other charities whose identity they did not know; and in the case of the RSPCA, they bought contact details to fill in gaps in the data that donors had provided. The average donor did not have any idea that this was happening. I can see there’s a problem that when everyone in the charity sector knows that wealth screening goes on, it seems normal. But I’ve been using it as an example on my training courses ever since the Mail revealed it, and bear in mind that attendees are often seasoned data protection professionals who know about data sharing and disclosure: they are invariably shocked and in some cases revolted by what I tell them.

There is no doubt in my mind that this processing needed to be spelt out, and there is no doubt from the notices that it was not. “Carefully selected third parties or partners” has been a stupid lie in marketing for years, but not even knowing where the data goes is much worse than the usual flogging it to all comers. At least the list broker knows who he’s flogging it to, even though the only careful selection is the ability to pay.

The second hurdle is the need to show that the breach is likely to cause damage or distress to the affected data subjects. It’s been known for quite some time that the ICO was planning to take enforcement action over the Mail stories, and the gossip I heard from charities was that fines were likely. I’ll be honest, I wasn’t convinced. The Information Commissioner lost a Tribunal appeal brought by Scottish Borders Council because the ICO bungled the damage / distress element of a £250,000 CMP over pension records found in recycling bins. The ICO made a flawed claim that the loss of paper pension records was likely to result in identity theft, but Borders had an expert witness who could argue convincingly that this was not true. The link between the breach (the absence of a contract with the company processing the data) and the damage was broken, and the ICO lost.

But this case is different. The ICO does not need to make a link between an incident and a breach, because they are bound up together here. Both notices show that the ICO has given considerable thought to the distress angle. There is no question that the charities breached the first principle, and their only hope for an appeal is to convince the Tribunal that people would not be caused substantial distress by secret profiling and data sharing after an act of generosity. This is not science, and all I can say is that I am persuaded. But for an appeal to be successful, the charities will need to persuade a Tribunal with strong experience and knowledge of DP and PECR from the numerous (and almost exclusively doomed) marketing appeals.

The third element requires the breach to be deliberate or a situation where the charities ought reasonably to have known about the breach. As I have already said, the ICO’s position on fair processing is well known in my sector and available to anyone who can type the ICO’s web address. I think it’s possible that the charities didn’t know what they were doing was a breach, but in my opinion, this is because the Institute of Fundraising and the Fundraising Standards Board effectively acted as a firewall between charities and reality. The advice (often inaccurate and out of date) came from the IoF, and complaints about charities went to the FRSB and no further. When your code of practice is written by the people who earn their living from fundraising and most in your sector are doing the same thing as you are, it’s not hard to fool yourself into thinking it’s OK. But ‘everybody does it’ will cut no ice with the Tribunal. The RSPCA and the BHF are not tiny charities flailing in the dark – they are massive, multi-million pound operations with vastly greater resources than many of my clients.

Daniel Fluskey, head of Policy for the Institute of Fundraising, whose apparent lack of experience or qualifications in Data Protection does not prevent him from writing inaccurate articles for the charity sector on GDPR, has already weighed in, saying that the ICO should be providing the specific wording that charities require: “Charities need more detail on the ICO’s view of what lawful practice looks like: what form of words would have passed the test?” The Information Commissioner is the regulator for every organisation, of every size and shape, that processes personal data. If they start writing tailored wording for charities, they will have to do it for everyone else as well. It is a ridiculous demand. I think the ICO should move on to the data pools, wealth screeners and list brokers, but if she could find the time to issue an enforcement notice on the Institute of Fundraising, forbidding them ever to speak or write on Data Protection matters again, the third sector would have a fighting chance of complying.

Besides, how hard is it to find compliant wording? Nobody – especially not the trade association for fundraisers – should be allowed to present this as a byzantine and complex task. The individual doesn’t need to know what software you’re using, or whether cookies are involved. They need to understand the purpose – what are you collecting, what are you going to do with it, who are you going to give it to? This should be presented without euphemism or waffle, but when you strip out the legalistic nonsense, you see the problem. It isn’t that the poor charities were labouring under the burden of complex data protection rules. They could not comply with the Data Protection Act because what they were doing (and in RSPCA’s case, are apparently still doing) is so unattractive:

  • We will share your details with unspecified charities via a commercial company. We don’t know who they are.
  • We will buy your phone number, postal or email address from a commercial company if you have not given it to us.
  • We will use commercial companies to compile a profile of your wealth and property to work out whether to ask you for further donations. If you are likely to be worth a lot when you die, we will use this information to ask you for a bequest.

When Reactiv Media appealed their PECR penalty, the Tribunal rejected their appeal and increased the penalty. Like a lot of the spammers, they put themselves into administration to avoid paying up, but this option is not available to household name charities. If either the RSPCA or BHF appeal, they are dragging themselves deeper into the mud, and very possibly spending thousands more of donors’ money to do so. If they say that what they did wasn’t a breach, or that they couldn’t have been expected to know that it was, their officers, advice and business model will be scrutinised to a doubtlessly painful extent. The claims management company Quigley and Carter found themselves described as “feckless” and “most unimpressive” in the course of being filleted during a recent failed appeal. Do charities really want that? Even if they decide to roll the dice solely on distress, does either charity really want to acknowledge a serious breach that they knew or ought to have known about in the hope of getting the fine overturned on a technicality? Do they want ICO to call donors as witnesses?

The business model of pressure selling, TPS-busting, heavy texting, data sharing and donor-swapping adopted by some of the UK’s most celebrated charities resembles nothing so much as the activities of the claims management, PPI spammers (i.e. the scum of the earth). For all the noise and bluster on Twitter and in the charity press this week, there is an uncomfortable truth that has to be faced. The hated Daily Mail unearthed it, and the ICO has rightly acted on it. Some big charities have run an end-justifies-the-means approach to marketing and they have got away with it for a decade. Fundraisers ruled the roost, and compliance has been sidelined or ignored. Given how much money the RSPCA and the BHF have raised from fundamentally unlawful practices, they should pull back and rethink how they get donations in the future. They should ignore the Institute of Fundraising’s every word on Data Protection and PECR, and like every other charity, concentrate on reading and applying the ICO’s Code on Privacy Notices and guidance on Direct Marketing.

And right now, if there is a fundraiser sitting with the two CMP notices working out how to at the same time devise a method to raise loads of cash for their cause while complying with Data Protection and PECR, I hope they wipe the floor with everyone else.

*citation needed

Categories
Accuracy

A bridge too far

June is a significant time for Data Protection in the UK. At the end of the month, we have the EU vote (where a vote to leave will throw at least the timetable for implementation of the new General Data Protection Regulation into disarray) and Christopher Graham steps down as Information Commissioner, to be replaced by Elizabeth Denham. There are several reasons to be optimistic about Denham’s appointment – she is the first Information Commissioner to have previous experience of privacy and FOI work, she has already taken on big corporate interests in Canada, and she isn’t Richard Thomas.

However, Denham inherits a series of headaches as she begins her reign as Elizabeth II, and it’s difficult to know which of them will be the hardest to shake off. There is the GDPR implementation, which would be a challenge even without the uncertainty that Brexit will create. She also has to tackle the ICO’s lack of independence from Government, which results in scandalous outcomes like the admission in an FOI response that Wilmslow takes orders from its sponsor department (see answer 3 here). But perhaps biggest of all is the ICO’s approach to enforcement.

On FOI, the ICO doesn’t approach enforcement – it does pointless monitoring and audits without any evidence of success, and the major government departments use the ICO as their internal review, sometimes not bothering to answer requests unless ordered to do so by an ICO case officer. The sole enforcement notice in the past five years wasn’t even promoted by the office because the now-departed Deputy Commissioner Graham Smith didn’t want to draw attention to the failure to tackle Whitehall’s FOI abuses.

On Data Protection, the approach is to enforce against self-reported security breaches. There is nothing wrong with lots of enforcement on security – it’s a significant requirement of the legislation and many people are concerned about it. The problem is that Wilmslow doesn’t enforce on anything else, despite breaches of the other principles being widespread and obvious. Unless I missed one, the ICO has issued 61 Data Protection monetary penalties since getting the power to do so. Two have been for non-security breaches: Pharmacy 2U (1st principle data sharing without consent) and Prudential Insurance (accuracy). The overwhelming majority of enforcement notices (and undertakings, if you count them, which you shouldn’t) are on security matters. This is despite the fact that the UK has a massive culture of unlawful data sharing, over-retention, flouted subject access, and perhaps most obvious, rampant, damaging inaccuracy. The ICO does nothing about it.

A classic example is a story reported in the Observer about the Dartford Crossing between Kent and Essex. Automatic Number Plate Recognition is used by Highways England to issue penalty charges to drivers who use the crossings without paying by phone or web within a fixed period of time. The only problem is that drivers who have never used the crossing are getting the penalties, but it is more or less inconceivable that the ICO will take action.

Having used the crossing myself, I can confirm that there are some Data Protection issues with the signage around the bridge / tunnel – the Observer article explains well how the signs can easily be confused with those for the London congestion charge, which works entirely differently. This is, in itself, a potential data protection breach, as personal data needs to be obtained fairly, especially when the data being obtained (the licence plate) will not only be used to levy a charge, but may also lead to court action for non-payment.

One person is quoted in the article as having been charged because the system misread a ‘C’ as a ‘G’. The Observer also reports that hire car users sometimes find penalties aimed at the wrong person because Highways England don’t specify a date that the charge applies to. In another case, the person receiving the charge had sold the car in question, and had a letter from DVLA to prove it. As with most of these situations, terrible customer service and inflexible processes mean that even when a charge is applied to the wrong person, nobody in the food chain has the authority or the inclination to sort things out. Both of the individuals cited in detail by the Observer were headed for the bailiffs until the Observer got involved, and all action was terminated. Research by Auto Express notes that only 1 in 25 people appeal their penalty, but 80% of those that do are successful.

Every time Highways England / Dart Charge issues a penalty against the wrong person, it is a breach of the fourth Data Protection principle, which states that “Personal data shall be accurate and, where necessary, kept up to date”. Note the lack of any qualification or context here – data is accurate, or it’s a breach. Clearly, this means that most organisations are in breach of the DPA every minute of every day simply because of typos, but even adopting a flexible approach, there can be no doubt that demanding money and threatening court action is a situation where the Data Controller must be certain that the data is accurate, and if they get the wrong person, it’s a breach. The security principle talks about “appropriate measures” to prevent incidents, but the fourth principle doesn’t: it’s absolute.
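As an added illustration of what “certain that the data is accurate” could mean inside a charging pipeline, here is a small gate that refuses to issue a penalty unless the plate read is unambiguous, was not paid under a confusable plate, and has a registered keeper on the specific crossing date. This is example code written for this post, not anything from Highways England, Dart Charge or the Observer article; the plate format, the OCR confusion table, the confidence threshold and every keeper and payment record are constructed for the example.

```python
"""Added example: only issue a penalty when the data behind it is accurate.

Illustrative code written for this post; it is not Highways England's or Dart
Charge's system. The plate format, the OCR confusion table, the confidence
threshold and all keeper/payment records are constructed for the example.
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Only the current UK format (two letters, two digits, three letters) is
# handled; anything else goes to a human rather than being charged automatically.
PLATE_RE = re.compile(r"^[A-Z]{2}[0-9]{2}[A-Z]{3}$")

# Character pairs an ANPR OCR is assumed to confuse (constructed table).
CONFUSABLE = {"C": "G", "G": "C", "O": "0", "0": "O", "B": "8", "8": "B",
              "S": "5", "5": "S", "I": "1", "1": "I"}


@dataclass(frozen=True)
class Keeper:
    plate: str
    name: str
    from_date: date
    to_date: Optional[date]  # None: still the registered keeper


@dataclass(frozen=True)
class Decision:
    issue: bool
    reason: str
    charge_date: Optional[date] = None  # always stated when a charge issues


def normalise(plate: str) -> str:
    return plate.replace(" ", "").upper()


def confusable_variants(plate: str) -> set:
    """Every plate one OCR confusion away from the value that was read."""
    variants = set()
    for i, ch in enumerate(plate):
        alt = CONFUSABLE.get(ch)
        if alt:
            variants.add(plate[:i] + alt + plate[i + 1:])
    return variants


def keeper_on(plate: str, when: date, keepers) -> Optional[Keeper]:
    """The registered keeper of `plate` on a specific date, if any."""
    for k in keepers:
        if k.plate == plate and k.from_date <= when and (k.to_date is None or when < k.to_date):
            return k
    return None


def decide_penalty(read_plate, confidence, crossing_date, keepers, paid, min_confidence=0.95):
    """Decide whether an unpaid crossing may be charged to the plate that was read.

    issue=False means manual review or drop; the case is never silently charged
    to whoever the OCR happened to name.
    """
    plate = normalise(read_plate)
    if not PLATE_RE.match(plate):
        return Decision(False, "unhandled plate format; manual review")
    if plate in paid:
        return Decision(False, "crossing was paid")
    variants = confusable_variants(plate)
    if variants & paid:
        # The 'C' read as 'G' case: a near-identical plate paid for this crossing.
        return Decision(False, f"a confusable plate paid for this crossing: {sorted(variants & paid)}; manual review")
    rivals = sorted(v for v in variants if keeper_on(v, crossing_date, keepers))
    if confidence < min_confidence or rivals:
        return Decision(False, f"ambiguous read (confidence {confidence:.2f}, rival plates {rivals}); manual review")
    keeper = keeper_on(plate, crossing_date, keepers)
    if keeper is None:
        return Decision(False, "no registered keeper on the crossing date; do not pursue")
    return Decision(True, f"issue to {keeper.name}", charge_date=crossing_date)


# Constructed records: Carol sold XY34ZZZ to Dan on 1 March 2016; Alice paid
# for her crossing on 10 May 2016.
KEEPERS = [
    Keeper("AB12CDE", "Alice", date(2014, 1, 1), None),
    Keeper("AB12GDE", "Bob", date(2015, 6, 1), None),
    Keeper("XY34ZZZ", "Carol", date(2010, 1, 1), date(2016, 3, 1)),
    Keeper("XY34ZZZ", "Dan", date(2016, 3, 1), None),
]
PAID_10_MAY = {"AB12CDE"}


def demo():
    """Run the failure modes from the Observer story against the gate."""
    return {
        # OCR read Alice's paid plate as Bob's: must not charge Bob.
        "misread": decide_penalty("AB12 GDE", 0.99, date(2016, 5, 10), KEEPERS, PAID_10_MAY),
        # Same plate, two keepers: the stated charge date decides who is pursued.
        "before_sale": decide_penalty("XY34ZZZ", 0.99, date(2016, 2, 15), KEEPERS, set()),
        "after_sale": decide_penalty("XY34ZZZ", 0.99, date(2016, 4, 1), KEEPERS, set()),
        # A low-confidence read is never charged automatically.
        "low_confidence": decide_penalty("XY34ZZZ", 0.80, date(2016, 4, 1), KEEPERS, set()),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case}: issue={decision.issue} ({decision.reason})")
```

The point of the design is that the penalty only ever issues with a named keeper and a dated crossing attached, and every path that could name the wrong person (a confusable plate that paid, a rival plate with its own keeper, a read below the threshold, a sold vehicle with no keeper record for that date) ends in review rather than a demand for money.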

Highways England / Dart Charge have breached the DPA, but would it be possible for the ICO to take action? In order to issue a monetary penalty, the ICO has to meet a series of tests.

1. The breach is serious

Dart Charge are pursuing people for debts they don’t owe. It’s serious.

2. The breach is deliberate

This one is potentially tricky, as we would need evidence that Highways England know that they are operating on the basis of inaccurate information in order for the breach to be deliberate. I can’t prove that Highways England are deliberately pursuing people, knowing that they are the wrong targets, although one of the Observer readers quoted gives clear evidence that they might be: “I spent 20 minutes trying to get through to someone who kept telling me I had to pay, even though he could see the problem”. However, we don’t need deliberate if we have:

3. The Data Controller knew or ought to have known about the risk and failed to take steps to prevent it

This test is clearly met – Highways England know that most of their penalty charges are overturned on appeal, they know that their system misreads licence plate characters, that it fails to properly distinguish dates, and they know that people contact them multiple times with evidence that the charge is wrong, but they ignore this evidence until they are embarrassed into action by a national newspaper. The breaches are still happening.

4. The breach is likely to cause damage or distress

Innocent individuals who have not used the Dartford Crossing are being pursued and threatened with legal action if they do not pay money that they do not owe. The breach is causing damage and distress and is highly likely to do so.

The ICO does not enforce on accuracy and they won’t touch this case. If I tried to report it to them, they would ignore my complaint because I have not been affected (if an affected person complained, they would do an unenforceable assessment). They do not ask Data Controllers to report incidents of damaging inaccuracy, and they do not even advocate investigating incidents of inaccuracy in the way that they do for security. This despite the fact that inaccuracy leads to the wrong medical treatment being given, innocent people’s houses being raided by the police, and old men nearly drowning in canals. The ICO took no enforcement action in any of these cases, despite them being in the public domain. I have dozens of others. Meanwhile, the Commissioner chunters on about a series of accidents and mishaps without any direct evidence of harm (ironically, even the pace of security enforcement has slowed, with only three DP monetary penalties at all so far this year).

Whatever Ms Denham’s priorities might be, she cannot ignore this. The ICO has shirked its responsibilities on the other principles for too long. A quick glance at the articles relevant to enforcement shows that the GDPR is specifically designed to give breaches of the principles the higher maximum penalty. It’s a riposte to the ICO’s enforcement priorities since the HMRC lost discs incident in 2007, and it’s a bridge that the new Commissioner must be willing to cross.

Categories
Accuracy Uncategorized

Actually asked questions

One of the annoying things about working on documents or advice for the public is the inevitable moment where someone asks “shouldn’t we have some FAQs?”. And then someone proceeds to write a series of questions that the organisation wants the public to know the answers to, rather than the answers to questions the public have actually asked. Frequently asked by who, is what I frequently want to know.

I am currently working on a product aimed at giving data protection advice to charities. It will be free to access, and should hopefully be ready by the end of the year. It will take into account the current DP and PECR law, the Fundraising Preference Service and associated Regulator, as well as anticipating the GDPR in several key aspects. As part of this, I would like to include an ‘actually asked questions’ section, in which people working on DP or IG for charities ask questions, and I provide the answers.

This is where you (hopefully) come in.

I want to get real questions from practitioners and volunteers working in the charity sector. There are a whole bunch of things I want to say about the topic, but questions from the intended audience are vital to make the guidance meaningful. If you have any questions about Data Protection, PECR, marketing, volunteers, security or other related matters, please send them to the following email address:

[email protected]

You can be specific or general. You can ask about the detail, the background, individual scenarios relevant to your work or issues that cover the whole sector. I would be happy with 5 questions, or 500. You can also tell me things you think DP guidance for charities should include. I have the content more or less planned out, but I might have missed something.

There are a few things you need to know before sending a question in.

1. You will not receive an individual answer to your question. Your question, if at all possible, will be answered in the FAQ section of the product. It may be that your question is answered in the main body of the text, in which case, your question will not feature specifically but the answer will still be there. If it is impossible to answer your question – time permitting – I will reply direct to you to explain why and give some advice if I possibly can.

2. You will not be added to any mailing list, or receive any marketing as a result of participating. If you indicate in your email that you want to know when the product is available (it will be free, and getting access to it will not involve any obligations or commitments), then I will send you a single email to let you know. You will receive nothing else and your details will not be retained for any other purpose.

3. All questions will be treated anonymously. You, and the charity you are associated with, will not be identified or alluded to in the product, no matter what the nature of the question is. Even if the question is “can we sell our donors’ data to a claims management company?” or “can we buy data even if we think it might have been stolen?”, you will not be identified. The sole purpose of this is to make the product more useful and lively by getting direct input from the intended audience. By the way, the answer to both of the above questions is no.

4. Questions sent in after 30 November won’t make the cut.

The final shape of the product may go one of several ways, so I am being vague about what it actually is – one option is easy but less interesting, the other is better but more time consuming. Nevertheless, to emphasise the point again, it will be free, and you will receive no marketing or further contact if you choose to participate.

I very much hope that if you have any questions or queries, or other issues you would like to raise, you will send them in. Thanks for reading – if you have the opportunity to tweet or circulate this to people in the charity sector who might have questions they want to ask, I would be very grateful if you would. I cannot promise that anyone will necessarily like what I have to say, but I’m very keen to find out what you’d like to know.