Categories
Direct Marketing

Unambiguously yours

 

There’s an old joke about a tourist in Ireland asking for directions and getting the reply ‘If I was you, I wouldn’t start from here’. To anyone in the position of wondering whether to contact all of the people on their mailing list to get GDPR-standard consent to send marketing, fund-raising or promotional emails and texts, I can only say this: I wouldn’t start from here.

With apologies to regular readers who already know (there must be six of you by now), the problem comes because most of the people advising on the solution don’t seem to know what the problem is. They think that the General Data Protection Regulation makes a significant change to the nature of consent from what is required now, and so they tell their clients and employers that there is an urgent need to carry out a ‘re-consenting’ exercise. A memo has clearly gone out – a distinguished correspondent has sent me two examples of organisations sending out emails to get consent in the past week, and yesterday, the charity Stonewall used Valentine’s Day as a prompt to beg its supporters to ‘not leave us this way’. It was lovely, and it is probably an admission that Stonewall have been acting unlawfully since at least 2003, if not 1998.

Here’s the problem. The 1995 Data Protection Directive defines consent like this:

any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed

and

the data subject has unambiguously given his consent

If you’re new to this, read those sentences a few times. Think about ‘freely given’. Think about the consent being an ‘indication’, something by which the person ‘signifies’ their ‘agreement’. Think about ‘unambiguously given‘. If you think that this be interpreted as an opt-out, where are your car keys? Consent, according to you, is me taking your car keys and leaving you a legalistic note somewhere that says that unless you tell me not to borrow your car, I can borrow your car. Or because I borrowed it another time and you didn’t object, I can keep borrowing your car until you tell me not to.

This is nonsense. Consent cannot be inferred. It cannot be implied. A badly written opt-out buried in terms and conditions, consent assumed because I made a donation, the fact that you have my email address and you assume that I must have given it to you with my consent for marketing rather than (for example) you bought it from a list broker who launders dodgy data like drug money – none of these examples constitute consent. Consent is consent. You asked and I said yes. We all know what it means and to pretend otherwise is to lie so you can persuade yourself that you can spam people.

Yes, the GDPR adds a couple of things. It requires consent to be ‘demonstrable’. It states explicitly that consent can only be obtained by a ‘statement or by a clear affirmative action’. But if you claim that the absence of the above phrase in the Directive is any help to the opt-out model, you’re lying to yourself. An opt-out is inherently ambiguous, and the directive says that consent cannot be unambiguous. I might have misunderstood the wording (especially if the language was clunky or technical, which it often is), the data may have been obtained for a different purpose and the consent option is buried in terms and conditions, I might just have missed it or forgotten. The Directive is clear.

Jump ahead to the Privacy and Electronic Communications Regulations, based on Directive 2002/58/EC (often known the ePrivacy Directive). The definition of consent comes from the Data Protection Directive, and so if the ePrivacy Directive says you need consent, what you need is unambiguous, freely given, specific and informed consent. The ePrivacy Directive is enacted by the Privacy and Electronic Communications (EC Directive) Regulations 2003, or PECR (which all good people pronounce as ‘Pecker’ and revel in the opportunities that doing so affords them).

PECR makes life even harder for the opt-outers. For emails, PECR says that the recipient must have “previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender“. If you think that a person can ‘notify’ you by not doing something (i.e. not opting-out), once again, where are your car keys?

Surprisingly given all the execrable practice to which the Commissioner happily turns a blind eye, Wilmslow fired a shot across everyone’s bows with three enforcement cases last year. Morrisons and Flybe are to some extent red herrings as they deliberately targeted people who had explicitly opted out of receiving direct marketing, so when the companies emailed them asking them to opt back in, it was plainly bullshit. The Honda case is more interesting, in the sense that Honda ignored everyone who had opted in (because they’d opted in) and everyone who had opted out (naturally). They contacted people where they didn’t know either way, where they held no evidence of consent. Despite the fact that in all three cases, the contact itself wasn’t selling anything, all were sent for marketing purposes, and here, the ICO argued that the organisations didn’t have consent for sending emails for marketing purposes. It’s been argued by idiots that all Honda were trying to do was comply with GDPR, but that’s patently false. They were trying to pack out their marketing list before a perceived change in the law (GDPR) while ignoring another law that was just fine thanks (PECR).

And now we come to the payoff. If Stonewall (and all the others) have consent to send fund-raising emails, they don’t need to ask again. If they don’t have freely given, specific, informed and unambiguous consent, they shouldn’t be sending emails for marketing purposes now, even if the purpose is to ask for consent from people who are happy to give it because the email is inherently unlawful. It wouldn’t be unlawful for Stonewall to write to all of its supporters and ask them for consent, because post isn’t electronic so PECR doesn’t apply. I would say that there is plainly a legitimate interest for them to use post to ask people for permission to send fund-raising and promotional correspondence by email, so there is no GDPR problem.

The problem with a re-consenting exercise is that the organisation is basically admitting to a PECR breach. The problem is exacerbated by doing that re-consenting exercise by email, because as Honda have demonstrated, doing so is in itself a breach of PECR. People complained to the ICO about the Honda emails, which is why they enforced. If you do a re-consenting exercise by email, anyone irritated enough by the request may well complain. Then what?

So what do I think organisations should do in the light of all this? Well, I wouldn’t start from here. But ignoring the law for a moment, this might be a time to be pragmatic. If you send people content that they want and you don’t annoy them (email being less annoying and distracting than phone or text in my opinion), if you have nice big bright unsubscribe buttons, and if YOU RESPECT BLOODY UNSUBSCRIBE REQUESTS (Hello Daily Telegraph), what’s the risk? Why draw attention to yourself?

I am convinced that sending emails to people who haven’t opted-in is unlawful unless you’ve got the soft opt-in (which because it’s predicated on data gathered through a sale, most charities won’t have). But many organisations have been content to do that for years despite it being unlawful now. So what’s actually changing? I think everyone should comply with the law because privacy – the right to be left alone – is a vital foundation for a civilised society. But if you’re sitting on a mailing list and you’re not sure what to do with it, I would forgive you if you took a slower, longer path, taking every natural opportunity to get renewed consent from existing contacts, getting strong unambiguous consent from anyone new, and hoping that churn and natural wastage gets you where you need to be. And if you’re wrestling with this right now and you’ve read this far, good luck and best wishes.

Categories
Direct Marketing

Zero Gravity

 

In March, I received an unsolicited email from a company called Gravicus. It was scaremongering nonsense, touting their data management software via the threat of director liability for data breaches. So far, so what: I get a lot of spammy junk from GDPR people to my 2040 Training email address, but this was to a personal Gmail address that I don’t give out all that often. The email claimed that it had been sent to me because I was “registered on Leadiro”, who I have never heard of. Under PECR, email sent to an address for which I am an individual subscriber can only be sent with consent (or soft opt-in), and given that I had heard of neither Gravicus or Leadiro before the email arrived, they had neither.

I contacted Gravicus to make a subject access request on 20th March, asking how they had obtained my data, what Leadiro had told them and for any other personal data about me that they held. Separately, I contacted Leadiro and asked them why they were selling my data. Leadiro got back to me, and confirmed that they had not supplied my data to Gravicus.

Having had no reply from Gravicus beyond an automated acknowledgement, I emailed them again on April 2nd, asking for confirmation that my request was being dealt with, and also passing on what Leadiro said. A week went by with no acknowledgement, so I wrote to the company’s registered office address and business address, chasing them up.

Gravicus finally reacted on 16th April via a letter from their lawyers, Keystone Law. Keystone admitted on behalf of their clients that the Leadiro story was false, and that my data had been harvested from the “business oriented and professional website” LinkedIn. I apparently connected “voluntarily” with a named Gravicus consultant, who then exported her connections to obtain contact details of “relevant professionals in the sector”. Nearly a month into my request, Gravicus wanted a copy of my passport and utility bill, certified by a lawyer, accountant or similar professional, as well as the £10 fee. I paid the £10 and sent an uncertified copy of my passport. The lawyers still demanded the utility bill as proof of my address, despite the fact that Gravicus’ own version of events shows that they would have nothing to compare it to – they have only ever dealt with me via email or Twitter. In any case, Keystone had already named the individual who harvested my address, so if it was wrong to reply to my subject access request without proof of address, why was it right to give me the name of the consultant? I threatened to complain to the Information Commissioner, and they backed down. I have no doubt that Gravicus took this approach to obstruct my request, which when they had already breached PECR and Data Protection isn’t the best way to resolve a problem.

It is a breach of LinkedIn’s terms and conditions to

  • “Disclose information that you do not have the consent to disclose”
  • “Copy, use, disclose or distribute any information obtained from the Services, whether directly or through third parties (such as search engines), without the consent of LinkedIn”
  • “Use, disclose or distribute any data obtained in violation of this policy”

Harvesting and using email addresses from LinkedIn in breach of their terms and conditions, without transparency and a legal basis is a clear breach of Data Protection. Gravicus did not have my consent, and by misrepresenting the source of my data in the email that they sent me, they blew any chance of relying on legitimate interests. Their use of my data was unlawful. Gravicus’ lawyers claimed that the confusion over where my data came from was understandable because Leadiro was one source that they were using. But that isn’t true. The CEO of Leadiro told me explicitly: “Gravicus are not a Leadiro customer, and have never been a Leadiro customer“. Added to that, sending a marketing email to an individual subscriber without consent is a breach of PECR, and Gravicus knew I was an individual subscriber because their records had my address marked as ‘Personal’.

Despite the fact that Gravicus’ original spam email touted data breaches as being the personal responsibility of directors, one of the shabbiest things about their response is the way they sought to throw their consultant under the bus. They named her straight away, and claimed that the company didn’t know that she was harvesting emails from LinkedIn, even though their lawyers continually stressed that I had voluntarily made my email available to her. In other words, you asked for it, but we didn’t know it was happening. I don’t believe this, but it doesn’t matter whose idea it was. The directors are responsible for what their company does, not some consultant who blocks people on Twitter when they ask awkward questions. Instead of dealing with me like a human being, Gravicus lawyered up and tried to obstruct my subject access request with bogus demands for unnecessary personal data, itself an additional breach of DP law.

This might seem like a lot of fuss for a spam email. But look at what Gravicus is selling as a data processor. Their product works like this: “Tell Osprey your data sources, provide your access credentials and it will connect automatically to analyse your data“. As a data processor, they will have access to a huge amount of sensitive and possibly special categories personal data held by their clients. The GDPR states that data controllers “shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject“.

Gravicus harvested my data unlawfully, they gave me false information about where personal data has been obtained from, they demanded excessive personal data when dealing with my subject access request, and they sent me unlawful unsolicited emails in breach of PECR. They claim that they’ve stopped gathering data in this way, but it never should have happened in the first place, and suggests that the directors don’t know what’s going on in their company. In any case, when caught out, they hide behind their lawyers and consultants instead of dealing direct. Any organisation thinking of using them as a data processor should think long and hard about whether Gravicus can offer the kind of guarantees that GDPR requires.

Categories
DCMS

The Red Menace

 

Just before New Year, the pro-Brexit, anti-single market pressure group Change Britain published a report about the possible savings that could accrue to the UK if we cut all ties with the EU. Keen observers of current politics will be astonished to learn that the amount is in the multiple billions. One of the top savings is from repealing the Data Protection Act 1998, which Change Britain claims costs the economy a whopping £1,058,830,000, while (if I am reading the table right), giving a benefit of precisely nothing. It’s a prime example of ‘harmful EU red tape‘ that Change Britain is very much against.

 

Curiously, the report doesn’t include any mention the General Data Protection Regulation, despite the fact that the Government announced several months before its publication that GDPR will apply in the UK, reflecting the reality that it will come into force before we leave. The report does not hint at any cost in repealing the DPA and replacing it with something else, or the wasted effort currently being expended by organisations large and small in preparing for GDPR, all of which they want to cancel out. The economic benefit of being able to share data across EU borders isn’t priced in at all, even if we accept the £1 billion cost at face value. Inevitably, Change Britain’s report has the mindset of an Oscar Wilde cynic, knowing the price of everything and the value of nothing. Although the DPA is clunky and badly enforced, the benefits of saying that personal data should be obtained fairly, used transparently, kept in good order and processed securely are enormous.
 

 

I emailed Change Britain just before New Year asking the questions outlined below. I would like to express my gratitude to the Change Britain staff member who took the time to give me two courteous replies when many people were probably on holiday or hung-over.
 

 

Can you confirm that Change Britain believes that the GDPR should not be implemented, as well as advocating the repeal of the Data Protection Act? Can I ask what analysis you have done into the effects of repealing DP, in terms of its effects on the security and quality of personal data, and the rights of UK citizens to know how their data is used, and to get access to it on request?
 
Can you also provide me with any proposals Change Britain have for replacing the Data Protection Act / GDPR, or is the idea to remove any controls or protections on the way personal data is used in the UK post-Brexit?
 
Finally, can you give me any analysis on the effect of repealing the DPA / not implementing GDPR on the ability of UK companies to exchange personal data with EU countries, and how this would affect the UK’s adequacy for Data Protection purposes? As I am sure you already know, not having adequate data protection provisions would make it virtually impossible for EU and UK companies to do business with each other, because no personal data could be shared outside the EU.
 

 

In their reply, Change Britain didn’t explain why they hadn’t mentioned GDPR in the first place, but noted that the Coalition Government said in 2013 that the GDPR could ‘impose unnecessary additional costs on current businesses‘, a comment made on a version of the GDPR which is quite different to the one we’re actually getting. The emphasis was on ensuring that “expensive red tape is cut so that the burden on business is reduced“.
 

 

They didn’t really answer the questions, but the thrust of their preferred approach seemed to come here: “We believe that it is possible to secure a new relationship that allows ongoing data sharing between the UK and the EU and gives UK policy makers an opportunity to deal with the issues they have identified with EU laws and – in so doing – reduce the burden of red tape on British businesses“. They didn’t mention the fact that the current government has announced that the GDPR will apply or what the implications of that might be for their proposal. Crucially, while they clearly wanted to “reduce the burdens”, they did not explain to me what these burdens were.

 

It seemed to me that Change Britain were describing the Mother of Worst Case Scenarios: repeal of the DPA with a UK only replacement instead of adopting the GDPR, some kind of negotiated deal over EU data sharing with all the fragility that entails in the world of Max Schrems, a situation which could well mean UK businesses with EU customers separately adopting GDPR for their customers. Of course, there are many who think that an adequacy finding for the UK post-Brexit is going to hard to achieve, and so some kind of UK Privacy Shield arrangement (AKA Daragh O Brien‘s Privacy Brolly) is the likely outcome. But I’m not aware of anyone in the DP world who thinks this is a good idea – it’s just what we might end up with.

 

I emailed them again. I asked whether they were proposing what I thought they were proposing (making it sound as complicated and horrendous as I did just now). I wondered whether they had a list of the specific burdens that they objected to. I also asked if they had an analysis of the costs of reversing the current position on GDPR, given all the time and money that is currently going into preparing for it precisely because the government has said that we should. Finally, I asked whether a Privacy Shield arrangement was should be the aim, given the fiery death of Safe Harbor and the fact that the prognosis for Privacy Shield is somewhat toasty (to paraphrase).

 

They were kind enough to reply again, but with a striking lack of detail. “Brexit is an opportunity to repeal laws that don’t work and introduce better versions” they told me. They did not dispute my interpretation of what they want, which is astonishing. They are “aware of the legitimate issues that you have raised, however we also believe that the concerns raised about the impact of the EU’s data protection regime on small businesses should also be given equal weight when the Government considers the opportunities that come from Brexit”. They didn’t explain how reversing current government policy and forcing UK businesses to operate at least two different DP systems, no matter how large or small they might be was in the interests of anyone, and especially, how this would save a billion pounds. There is no reason why a small business wouldn’t be one of the enterprises running Change Britain’s UK DP at home, and the GDPR abroad, notwithstanding the *increase* in red tape that their proposal would involve. Change Britain want two laws in place of one, after all.

 

Despite claiming that Data Protection doesn’t work, Change Britain have not carried out any analysis on the burdens associated with it to underpin their demand that it should be abolished. They have not calculated the cost of abolishing it and replacing it with something else – indeed, I would go as far as to say that they showed no evidence of having thought about it. They could only point me to the previous government’s (now outdated) view of GDPR, and reports produced by the British Chambers of Commerce in 2005 and 2010. It seems to be a case of UK good, EU bad, even as the GDPR is being scrutinised around the world as a model to emulate, or at least react to.

 

Change Britain’s abolition of the DPA and the abandonment of the GDPR is an economically illiterate idea on a par with Vote Leave’s NHS Bus Promise. It makes no sense except as a sound-bite in a press release designed solely for headlines and incapable of surviving serious analysis. Change Britain’s idea is the opposite of what the Government has told UK businesses to prepare for. It is a recipe for confusion and uncertainty. It is utterly irresponsible.

 

Whatever you think of Brexit, it has wiped the future clean. Anyone who confidently predicts what the UK will look like in 2020 or 2025 is a fool or a liar. I think it will be a disaster, but other opinions are equally valid. The UK Government’s confirmation that GDPR will apply is a small strand of certainty. Even though the Secretary of State left the door open for change at some stage (which she has every right to do), we know what’s coming next for Data Protection, despite Brexit. In their antipathy towards the EU and all its works, Change Britain want to murder even this tiny certainty. They have no original thoughts on why they think it’s a good idea beyond money-saving that they cannot possibly stand up. They cannot offer any hint of what they want to replace DPA / GDPR with, except that it must be homegrown. It cannot be European in origin. I very much hope that their proposal gets the shortest shrift that the DCMS has in stock.

 

Make no mistake, compliance with GDPR will be difficult for some, but I suspect that many of the organisations most keen to decry the GDPR would struggle equally to comply with the 1984 Data Protection Act, produced by the Thatcher Government, which even now has parallels with both our current DP Act and the GDPR. The GDPR is clearer, less technical and more understandable than the DPA. It is in most ways an improvement. Change Britain’s proposal is vandalism, and we should wash it away.

 

FULL DISCLOSURE: I voted Remain, I wholly accept that the UK is going to leave the EU as a result of the referendum, I am more convinced than I was before that it is a stupid idea, and in a free country, you should defend my right to say so.
Categories
David Cameron

Walk the walk

 

Chris Graham gave an impressive interview to the Guardian which is published today. It’s nice to see the Information Commissioner standing up for the principles of transparency and Freedom of Information in the face of what everyone can see is an establishment backlash. As the article says:

There are some very powerful voices saying it [the act] has all been a horrible mistake. Specifically, Tony Blair, Gus O’Donnell [the former head of the civil service] and the prime minister himself,” he said before adding the name of Simon Jenkins, the former Times editor and Guardian columnist.

To that list, we can also add Francis Maude, who imagines that he can make FOI redundant, and various slippery ministers who have allegedly been using private emails to get around legitimate scrutiny of their activities. Graham makes a compelling case, arguing that those who talk down FOI set the tone for everyone else. It cannot be a coincidence that the Cabinet Office’s record on FOI is dismal, given that it was until recently run by O’Donnell. The former Cabinet Secretary’s public antipathy towards FOI reared its head only when he decided to retire, but it’s probably a safe assumption that he wasn’t privately cheerleading for it before that.

Graham also skewered Maude’s patronising line on transparency, by arguing that “Sometimes the full story is in the background papers and minutes of meetings rather than just raw data.

Graham’s analysis is right. People don’t always pay attention to the people at the top (just look at what happened to poor Bob Diamond, an honest man undone by a tiny number of unruly minions), but if they are given any excuse to be lazy, or to misbehave by the example set higher up, they’ll do it (just look at what happened…). I know of an organisation where the head of IT complains that having to remember a password to activate their Blackberry is too onerous and makes them look daft. The person responsible for Data Security might as well quit for all the good their efforts will do. If David Cameron was the politician he claimed to be – the one who offered ‘the most open and transparent government ever‘ – then his approach to FOI would be very different. No-one would have believed Cameron if he pretended he was a big fan of the legislation, but a respectable politician would acknowledge it as an inconvenient but necessary part of an accountable democracy. Instead he whinges about FOI furring up the arteries of government while the Cabinet Office holds secret information on plans to charge for FOI requests that they at first claim does not exist.

Graham’s aplomb at dealing with the media draws a sharp and creditable contrast with his hesitant predecessor. Occasionally, there is misjudgement (as I said before, “wake up and smell the CMP” was an awful headline and whoever came up with it should be made to sit a corner for a while). Nevertheless, the Commissioner is saying the right things and anyone who supports FOI should be happy that he isn’t congratulating himself for not taking on the big targets, which is what Richard Thomas did at Leveson.

The problem for Graham is clearly not a lack of ambition or self-belief. In one sense, the problem of doing the job of championing transparency is that you have to do it in a world shrouded in bullshit and euphemism. I listened to less than an hour of of BBC Radio 4’s Today programme this morning, and as well as all the usual spin and lies, even the language was dishonest. After John Humphrys took someone to task for describing G4S as a ‘partner’ instead of a ‘contractor’, I started to hear the word everywhere, and never in a truthful context. Corporations bankrolling the Olympics were ‘partners’ rather than ‘advertisers’; TV companies screening Scottish Premiership Football were ‘partners’ rather than well, TV companies. Everyone wanted to wrap professional and commercial relationships in a blanket that implied a shared and personal endeavour, rather than each side being interested only in getting what they could out of the deal with minimum effort. The same circumlocutions infect politics and government, national and local. Doing the FOI job in these circumstances is like wading through custard.

However, one thing he can do is keep his own house in order. The Tribunal often has to criticise the ICO for their handling of FOI compliance – read paragraph 25 of this recent decision for a good example. The ICO ignores its own guidance on FOI by challenging an FOI applicant using an obvious pseudonym for no real reason, and then exemplifies the inherent flaw in that guidance by backing down the moment the fake-named applicant pushes back. More seriously, a certain blogger asked a sensible question about information notices and ended up finding out that the ICO doesn’t know how many information notices they have issued under FOI. As well as the clear implication that ICO staff are not following their own procedures (if they were, it would not exceed the FOI cost limit for the ICO to find all of the notices), there is a bigger point that whoever is corporately responsible for FOI strategy within the Office doesn’t have all of the information they need to do their job. How can they look for patterns of underlying problems (which multiple info notices would suggest) if they don’t even know how many they’ve issued?

I am, of course, assuming that someone is doing this, rather than everyone frenetically trying to keep the backlog on a leash. If they’re not, Graham’s words turn to ash in his mouth. Things are better than they were. Graham’s profile is bigger. The frenetic backlog bashing does at least mean that organisations cannot rely simply on the passage of time to escape accountability. I don’t imagine ministers slept easy in their beds when the ICO stood its ground on private email (and ministers should never sleep easy). For all of these things, Chris Graham deserves credit. But talk is cheap. Until the ICO can show that its own FOI and records management practice is exemplary, it cannot lecture anyone else. Until it shows that the most recalcitrant government departments will be brought to heel on FOI, every council and NHS trust will be justified in saying that they’re busy and under-resourced, and FOI is a burden they don’t need.

So two cheers for being a great advocate – the third is reserved for delivery.

Categories
David Cameron

Revenge of the Nincompoop

 

With his charm, TOWIE tan and beaming smile, ageing smoothie Tony Blair increasingly resembles Lewis Archer, the character Nigel Havers played in Coronation Street. Ingratiating, suave but clearly with a huge amount of dodgy business in his past, Blair sidles up to us, offering a wonderful future. Unfortunately, like his fictional cousin, Blair’s past hangs around him like a fart in a lift, and we know that he’ll let us down again. As he jets into the UK to “re-engage”, his statement to the Justice Committee on FOI, a parsimonious 570 words (HT @alistair_sloan), hardly persuades me to fall in love with him again.

I’m sure the Justice Committee were genuinely offended that Blair did not do them the courtesy of appearing before them, and his no-show was disrespectful to Parliament (even his old colleague Jack Straw acknowledged this on the Today Programme). The Justice Committee’s work on FOI has been thoughtful, thorough and ultimately very sensible – every time I watched the proceedings, I was impressed by how positive many of the Committee members were about FOI. Blair’s refusal to participate was a disgrace, and they should have empty-chaired him. Nevertheless, giving the old fox a kicking also gave the media a handy peg on which to hang their coverage of the Committee’s report. And who am I to rise above the sideshow? I’ve picked out some of my favourite moments from Blair’s musings, but all I have to show for it is bile.

The Commissioner naturally tends towards curtailing the exemptions and especially where there is any sense of public anxiety faces a great temptation to stretch the ambit of the law.

This is bollocks. While Chris Graham is clearly presiding over a more assertive and truculent Information Commissioner’s Office, Blair’s views on FOI were set while Richard Thomas ran the shop. Blair’s experience of FOI would therefore have been in the backlog days, when information was only disclosed after years of dithering (i.e. long after the sensitivity had passed), and when the Tribunal made many of the bold decisions (the BBC Governors minutes for example) and rarely overturned the ICO’s disclosure orders. In other words, it was the judicial process that forced information out. Blair is a lawyer by profession, so shouldn’t he respect the legal process a bit more?

So the original idea was to make available the facts behind the decisions, not the confidential policy debate around those decisions.

The Act does not reflect this original idea, and what Blair fails to acknowledge is the FOI Act reflects the will of a Parliament dominated by his party and his people. Blair wants to create the impression that a fast one has been pulled, that the original intention has been perverted by the implementation. Labour’s first stab at FOI (the one sponsored by David Clark) went further than the Bill that was originally presented, and it is not the implementation of the Act that has created the problem Blair identifies. Section 35 is a blanket exemption for government policy making, but it has a public interest test. Section 36 is a wide exemption for discussions, advice and views, but it is loaded with hurdles. Nobody made Blair push this forward – he had been Prime Minister for 3 years by the time FOI was being debated and so he must have understood what effect the legislation was going t0 have. Blair was clearly unwilling to be straight with the public by either pulling the bill or forcing his MPs to vote through more restrictive provisions.

In reality, publication now goes way beyond that with the public interest tests giving a big impulsion in the direction of publication.

In other words, Blair sets himself and his version of politics against the public interest. I still can’t quite believe he said this. It’s worse than his self-flagellation in his autobiography, because he’s explicitly saying that the convenience of politicians is more important than the public interest.

Thus, the absolutely necessary committing to writing of often complex political and technical issues, is undermined. Of course, this is a subjective judgement. But I suspect it is one shared by most senior politicians

Only Tony could stress the value of ‘openness’ in a bid to defend secrecy. Blair failed to properly reform the House of Lords, bottled changing the electoral system, and looking at one of the few positive constitutional changes he achieved, he prefers secrecy and spin. Look at his choice of words: these are “complex political and technical issues” and “most senior politicians” feel the way he does, as he was no doubt saying to Kofi Annan and the Sultan of Brunei over the fish course at Davos. However he wants to be perceived, Blair’s statement comes across as elitist, conservative and imperious – FOI is a grubby and unwelcome intrusion that trespasses on the VIPs who run the world, and he resents the metaphorical presence of the hoi polloi at the top table. In reality, I suspect that what Blair really fears is that the Vaseline-lensed image of himself as International Man of Statesmanship will be undermined if we get confirmation of how he (and many other politicians) actually do their business.

But the truth is that, if people know that what they are saying is going to be published, they will be less frank and open in how they express themselves. If you believe, as I do, that such frankness and openness is essential to the proper conduct of decision-making, then again the impact of publication or even the threat of it, is counter-productive. 



Blair’s view of the civil service in particular and politics in general is damning. He describes a bunch of people who would rather keep inadequate records of major decisions, keep incomplete risk assessments, or withhold the best options for fear of what the public might make of them. Either he’s right, and the people running the country have a contemptuous view of the public, or he’s wrong. If Blair’s narrative is more about himself than the system, he clearly has a lot of things about the way he does business that he does not want us to know. Given his current role as jet-setting eminence grise for rich nations with ambivalent human rights records, one can only wonder what he got up to in office.

The purpose of the legislation was of course not to open such frank discussion to public view. It was to allow issues to be better debated; to permit people to access information about themselves held by Government; and to encourage the system to be more accountable.

It’s impressive that in such a meagre communication, Blair still has time to drop clangers that show he’s not really thinking about the substance of the issue, just whining about how it’s all so unfair. FOI provides greater access to personal data on the margins, but that is not its purpose and nobody could have thought it was, given that the Data Protection and Access to Health Records legislation had already ‘permitted’ (thanks Mr Tony Sir, so kind of you) this access in 1984, 1989 and 1998. If Blair really doesn’t know what his FOI Act did, he’s even more of a nincompoop than he claims to be. But wasn’t his statement to a Parliamentary Committee investigating what he considers to be his biggest career mistake important enough for one of his henchmen to fact-check it first?

Long term it will just result in a different way of conducting the business of Government.

Blair’s verdict on what this different way entails is less record keeping, worse decision-making. The problem is, that’s not a damning verdict on FOI or the people who use it to ask questions. It’s how he sees himself and the people he’s worked with, and how he thinks they react to increased scrutiny. Blair’s view is a relentlessly depressing critique of the political class he wants to protect. As another FOI reverse-ferret merchant said, he was the future once, and now he’s just a spokesman for political self-interest. I agree passionately with the above sentiment – FOI will result in a different way of doing business, but it doesn’t have to be the unrecorded, back-covering future that Blair cynically predicts. If politicians (some of whom I am perfectly prepared to believe are not bastards) grow up with FOI, they might actually make better, more informed decisions in the knowledge that journalists and troublemakers will catch them when they don’t. David Cameron has shown himself to be in the Blair mould, but that doesn’t constrain those who come after him.

In the meantime, one can only hope Blair stops pestering us and is eventually run out of the street, leaving only a trail of self-justification and Ambre Solaire.

Categories
David Cameron

A pair of Charlies

 

The establishment wagons are circling – after Simon Jenkins’ kneejerk salvo against FOI in the Guardian, now Charles Moore, the Godfather of traditionalist opinion, coughs up a deplorable rant in the Telegraph that makes Jenkins look positively forward-thinking.

The most obvious thing is that Moore doesn’t know what he’s talking about. He admits this himself – asserting that the current records of government will be empty for fear of FOI exposure, he says “Obviously, I have seen the files of the 1980s and not those of the present, post-FoI era, so I cannot speak with authority”. A couple of paragraphs later, Charles gets tired of this problem, so he inverts it, complaining that as a consequence of technology, “huge amounts of information are kept”. He claims that FOI “gave no thought” to email. Email is included, Charles, and there are even cost limits on requests to prevent unlimited and pointless trawls of them. A lack of evidence or a consistent chain of thought is thankfully no barrier to Moore’s unique insights, as he notes that “FOI provides an exemption for journalistic endeavour”, even though it doesn’t.

Moore’s bad manners in pontificating on a subject he hasn’t bothered to research ought to void his opinions (admittedly this might be a pot / kettle moment), but even when you take him on, all you find is a straightforward defence of the status quo, except the one he wants to defend is circa 1985. The scant record keeping he can’t prove is happening but nevertheless attributes to FOI is Moore’s explanation for the ill-thought-out nature of current government. This is like the tabloid journalists who want to use Jimmy Savile as a stick with which to beat Leveson – interfere with our work, and we won’t be able to expose these monsters, even though Savile’s monstrous behaviour went entirely unexposed. Moore’s antipathy to FOI is based on the premise that before 2005, government was entirely free of both “dishonesty and intrigue” and muddy, unrecorded thinking, and only now that FOI is infecting the process is the great machine of government beginning to malfunction.

I think it is objectively fair to say that dishonesty and incompetence are not entirely new concepts to the British ruling elite, unless Moore thinks that the Suez Crisis, Profumo, the Mau Mau cover-ups, the sinking of the Belgrano, Hillsborough, the Poll Tax, the Iraq Supergun and the Cones Hotline are all examples of honest government and strategic thinking at their most sublime. But even if I’m wrong, Moore’s evidence for the ill-considered nature of current decision-making is “this week, energy pricing”. But the energy cock-up doesn’t support his case  – the problem with Cameron’s policy announcement is that he announced it without telling other ministers or finishing it off. It’s not FOI that’s the problem here, it’s a rattled PM shooting his mouth off.

I am in a worse position than Moore to comment on what’s really happening in Central Government because I don’t have privileged access to civil servants – he can assert that “officials tell me that the striking thing about modern government files is that they do not really exist”, and I’m sure he’s not just making that up for effect. Most of my clients are outside Central Government, so I don’t know the truth of it. Axe-grinders like Gus O’Donnell and Jack Straw and establishment apologists like Moore tell us that FOI is leaving behind only scorched earth – nothing is written down, everything is deleted.

I apologise for saying this again, but as the Justice Committee found, firstly we only have their word for it – no real evidence of this process exists beyond the moaning of yesterday’s men and the bleatings of their few allies in the media. But more importantly, even if it was true, this is not an argument for abolishing FOI. This is an argument for better politicians, for braver politicians. Moore’s case for secrecy is set out clearly enough. Government and the civil service need to operate with the security of knowing that their information will be kept secret for decades.

Without such security, there can be no honesty. It is simple: if you fear your private communication will be laid before the world, you will write it quite differently, or not at all.”

The electorate has to be infantilised, patronised, kept in the dark – we’re not mature enough to know how decisions are made, not even after the deciding is done. According to Charles Moore, the people who pay for the process aren’t entitled to see how it works. Only much later (when everyone affected might be dead) should a historian be allowed access, and then present this to the smaller number of people who read the history books. Rather than being entitled to ask what the current government is doing now, Moore says that we should only be allowed to buy his book about what went on thirty years after it makes any difference. We need history, but we also need contemporaneous accountability, investigation and a bit of well-aimed mischief to keep our rulers on their toes. If David Cameron stops keeping proper records to hide what he and his associates have done, we can judge him on that. I’m optimistic enough to think that a new generation of politicians can emerge who are willing to live with the uncertainty and discomfort that FOI inevitably brings. The ICO’s unacceptable FOI backlogs delayed the dawn of this new era, and the pain is perhaps sharper for the fact that the false start between 2005 and 2009 lulled Whitehall into thinking that FOI wasn’t as difficult as it turns to be and always should have been. As Jon Baines pointed out on Twitter, Moore’s own paper shows evidence that a different perspective may already be growing.

Moore says I’m a “prig” for wanting a more equal arrangement than that, but his approach is hardly respectable. As a columnist, Moore is relying on his opinions rather than research and facts, and he attacks tools that his own colleagues use with almost excessive enthusiasm. There’s one Telegraph journalist in particular that I can always use as shorthand for “hack that makes shedloads of FOIs”. But more importantly, Moore is also a relic of an age of deference where people in authority could be trusted to make decisions in secret, their thinking only revealed decades later. The world has moved on; George Osborne can’t even escape live-tweeted scrutiny on the Pendolino, and Moore’s inflexible, establishment approach makes him seem like an appalling old waxwork.

And with that seamless link, my last thought is about the events that occasioned Moore’s whinge – the use of the veto to prevent disclosure of Prince Charles’ letters to government departments. Again, the irony of Moore’s position on FOI is underlined by the fact that he chooses to attack the legislation using a vehicle that shows how government retains the upper hand. FOI Man has nailed the FOI issues, and Joan Smith of the Guardian has skewered the Prince, so I have little to add, except to say that Moore’s parting shot is ridiculous: “proper process is dying, and the courtiers are back in charge”. What FOI has shown us here is that Moore’s idea of the proper process (deference and secrecy) takes precedence. How can the couriers be in charge, when the law is changed to keep the Prince’s interference secret no matter what the public interest might be, and the heir to the throne’s constitutional neutrality is preserved only by the fig leaf of the process?

Categories
David Cameron

Not now, Brian, we’re busy

 

Imagine that you are employed by a mobile phone network. Somebody working for a claims management firm approaches you, offering a large sum of money to steal the customer database, especially the mobile numbers. They want to send PPI claim text messages to all of the people on the list. You download the customer data, sell it, and pocket the proceeds. Having got it, you decide to sell the list to a rival mobile company. You put the information on a disc, and flog it on eBay. The people who send the PPI texts could receive a Civil Monetary Penalty of up to £500,000 as they do not have consent. But even if you are caught and prosecuted, the worst that can happen is to the thief is a maximum £5000 fine. The offence is not recordable, so you will not end up with a criminal record. The chances of being caught are slim, but the deterrent is even smaller.

Imagine if the government had long ago realised that the fines were not enough, and had taken the trouble to amend the law to punish white-collar data thieves with up to two years in jail. But around the time the law was being changed, the Prime Minister of the day met with representatives of a special interest group. Despite the fact that the new punishment was not intended to affect this group and detailed measures had been taken to protect them, the lobbyists were not satisfied, and they demanded that the prison sentence be held back. Even though the chances of their industry being affected by the change were very small, they could not accept even the slightest possibility that any one of their number could even face the possibility of a night in a cell.

If anyone else had held the country to ransom and prevented changes to a law that were entirely in the public interest, the press would be up in arms, pointing the finger with relish. If unions, lawyers, doctors or social workers – indeed, any regulated profession or group – expected crimes to have puny, worthless punishments just in case one of their own was imperilled, the Daily Mail would shout their condemnation from the highest rooftop.

And yet, we have to swallow special pleading from journalists in the name of press freedom, and live with a rampant black market in personal data as a consequence. The Information Commissioner is obviously desperate to tackle it, but the results in court are often ludicrous. The man who received stolen medical data from his girlfriend to use for personal injury claims was fined £1050. He memorably boasted after the verdict We’re going to Bella Italia after this and I’m having a fillet steak. A bank worker stole information from her employer about the victim of a sex attack committed by her husband. Her punishment was an £800 fine. Whatever you think about the publication of the BNP member address list, a fine of £200 for endangering life (and probably risking mass misidentification) is almost satire.

This is what any journalist who attacks the data theft prison sentence expects us all to tolerate for their safety. Gone is ‘publish and be damned’, to be replaced with ‘publish and be insulated from the consequences’. A number of Parliamentary committees have called for the sentence to be enabled, and the Information Commissioner himself is excoriating about a system where the punishments for data theft are so derisory. In the recent past, the constant refrain from Government has been wait for Leveson. We cannot pre-empt Leveson.

And now, Leveson has spoken, and regardless of what you think about the doomed suggestion of statutory underpinning and regulation, the data theft issue is very simple. Leveson argues for the prison sentence to be made live. When passed, the Data Protection Act contained a public interest defence for those accused of stealing data or procuring stolen data. When the last Labour Government recognised the failure of the current system and sought to introduce the prison sentence, they also amended the DPA further, making clear that all a journalist needs is a ‘reasonable belief’ that they are acting in the public interest to escape prosecution. Even though the prison sentence was not brought into force, this additional defence was.

At this point, before saying something contentious, the sensible writer includes a few sentences about how important they think press freedom and journalistic endeavour are. The secret hope of every blogger is probably that their sublime writing will catch the eye of a sympathetic editor and they will be catapulted from the amateur sphere and be given a weekly column, or at least a spot of freelance at the Guardian. Biting that hand that hasn’t even picked up the food is surely blogger suicide. But I can’t be arsed. I honestly don’t want to live in a country where journalists get locked up for doing good work, but I think I live in a country where newspapers can get mixed up in axe murders with impunity, so I doubt that Fleet Street will crumble if I fail to invoke the spirit of Voltaire before suggesting something that hacks might see as a check on their activities. They have David Cameron, Michael Gove and Boris Johnson and that’s all they need.

Besides, I come to exempt journalists, not to bury them. I think that the only solution to the data theft problem is to remove journalists from the equation. Lord Justice Leveson proposes significant amendments to the S32 exemption from DPA, which currently allows those processing personal data for journalistic, artistic and literary purposes to escape virtually all of the Data Protection principles as long as this is ‘necessary’. I think Sir Brian’s ideas don’t address the bigger picture, and should be binned. The press will never support any infringement of their liberties, whatever the justification, and some papers will monster anyone who supports such a plan. Meanwhile, the possibility of a prison sentence is likely to have a much better deterrent effect on office workers, nurses and cops tempted to steal or suborn others to steal personal data than a paltry fine and no record. If newspapers feel that they face this threat too, scaremongering about investigative journalists (rather than phone hackers and dumpster divers) ending up behind bars for speaking truth to power (rather than figuratively or actually smelling celebrity knickers) will continue its harmful knock-on effect.

S28 of the Data Protection Act gives those using personal data for the purposes of national security a total exemption from its requirements. Rather than continue to have the debate on data theft railroaded by a sideshow that is becoming increasingly sanctimonious, let’s extend that approach to journalists. Give them a ‘get out of jail free card’ and stop our personal data from being plundered everywhere else.

Categories
Data Protection

Going Unnoticed

 

Last week, I came across an interview with Elizabeth Denham on a Canadian website called The Walrus that was published in April. There are some interesting nuggets – Denham seems to out herself as a Remainer in the third paragraph (a tad awkward given that she has only enforced on the other side) and also it turns out that the Commissioner has framed pictures of herself taking on Facebook in her office. More important is the comparison she draws between her Canadian jobs and her current role: “That’s why I like being where I am now,” she says, settling herself at a boardroom table. “To actually see people prosecuted.”

Denham probably wasn’t thinking of the run of legitimate but low-key prosecutions of nosy admin staff and practice managers which her office has carried out in recent months, which means she was up to her old tricks of inaccurately using the language of crime and prosecution to describe powers that are civil (or more properly, administrative). Since GDPR came in, she’s even less likely to prosecute than before, given that she no longer has the power to do so for an ignored enforcement or information notice. I don’t know whether she genuinely doesn’t understand how her powers work or is just using the wrong words because she thinks it makes for a better quote.

Publicity certainly plays a far greater part in the ICO’s enforcement approach than it should. A few months back, I made an FOI request to the ICO asking about a variety of enforcement issues and the information I received was fascinating. The response was late (because of course it was), but it was very thorough and detailed, and what it reveals is significant.

ICO enforcement breaks down into two main types. Enforcement notices are used where the ICO wants to stop unlawful practices or otherwise put things right. Monetary penalties are a punishment for serious breaches. Occasionally, they are used together, but often the bruised organisation is willing to go along with whatever the ICO wants, or has already put things right, so an enforcement notice is superfluous. The ICO is obliged to serve a notice of intent (NOI) in advance of a final penalty notice, giving the controller the opportunity to make representations. There is no equivalent requirement for preliminary enforcement notices, but in virtually every case, the ICO serves a preliminary notice anyway, also allowing for representations.

According to my FOI response, in 2017, the ICO issued 8 preliminary enforcement notices (PENs), but only 4 were followed up by a final enforcement notice; in 2018, 5 PENs were issued, and only 3 resulted in a final notice. The ratio of NOIs to final penalties is much closer; in 2017, there were 19 NOIs, and only one was not followed up with a penalty. In 2018, 21 NOIs were issued, 20 of which resulted in a penalty. Nevertheless, the PEN / NOI stage is clearly meaningful. In multiple cases, whatever the controller said stopped the intended enforcement in its tracks. In the light of many GDPR ‘experts’ confusion about when fines are real or proposed, the fact that not every NOI results in a fine is worth noting.

The response shows the risks of neglecting to issue a PEN. In July 2018, the ICO issued Aggregate IQ (AKA AIQ) with the first GDPR enforcement notice (indeed, it was the first GDPR enforcement action altogether). My FOI reveals that it was one of only a few cases where a preliminary notice was not issued. The AIQ EN was unenforceable, ordering them to cease processing any personal data about any UK or EU “citizens” obtained from UK political organisations “or otherwise for the purposes of data analytics, political campaigning or any other advertising purposes”. AIQ was forbidden from ever holding personal data about any EU citizen for any advertising purpose, even if that purpose was entirely lawful, and despite the fact that the GDPR applies to residents, not citizens. AIQ appealed, but before that appeal could be heard, the ICO capitulated and replaced the notice with one that required AIQ to delete a specific dataset, and only after the conclusion of an investigation in Canada. It cannot be a coincidence that this badly written notice was published as part of the launch of the ICO’s first report into Data Analytics. It seems that ICO rushed it, ignoring the normal procedure, so that the Commissioner had things to announce.

The ICO confirmed to me that it hasn’t served a penalty without an NOI, which is as it should be, but the importance of the NOI stage is underlined by another case announced with the first AIQ EN. The ICO issued a £500,000 penalty against Facebook, except that what was announced in July 2018 was the NOI, rather than the final penalty. Between July and October, the ICO would have received representations from Facebook, and as a result, the story in the final penalty was changed. The NOI claims that a million UK Facebook users’ data was passed to Cambridge Analytica and SCL among others for political purposes, but the final notice acknowledges that the ICO has no evidence that any UK users data was used for campaigning. As an aside, this means that ICO has no evidence Cambridge Analytica used Facebook data in the Brexit referendum. The final notice is based on a hypothetical yarn about the risk of a US visitor’s data being processed while passing through the UK, and an assertion that even though UK Facebook users’ data wasn’t abused for political purposes (the risk did not “eventuate“), it could have been, so there. I’ve spent years emphasising that the incident isn’t the same as a breach, but going for the maximum penalty on something that didn’t happen, having said previously that it did, is perhaps the wrong time to listen to me.

If you haven’t read the final Facebook notice, you really should. ICO’s argument is that UK users data could have been abused for political purposes even though it wasn’t, and the mere possibility would cause people substantial distress. I find this hard to swallow. I suspect ICO felt they had effectively announced the £500,000 penalty; most journalists reported the NOI as such. Despite Facebook’s representations pulling the rug out from under the NOI, I guess that the ICO couldn’t back down. There had to be a £500,000 penalty, so they worked backwards from there. The Commissioner now faces an appeal on a thin premise, as well as accusations from Facebook that Denham was biased when making her decision.

Had the NOI not been published (like virtually every other NOI for the past ten years), the pressure of headlines would have been absent. Facebook have already made the not unreasonable point in the Tribunal that as the final penalty has a different premise than the NOI, the process is unfair. Without a public NOI, Facebook could have put this to the ICO behind closed doors, and an amended NOI could have been issued with no loss of face. If Facebook’s representations were sufficiently robust, the case could have been dropped altogether, as happened in other cases in both 2017 and 2018. For the sake of a few days’ headlines, Denham would not be facing the possibility of a career-defining humiliation at the hands of Facebook of all people, maybe even having to pay their costs. It’s not like there aren’t a dozen legitimate cases to be made against Facebook’s handling of personal data, but this is the hill the ICO has chosen to die on. Maybe I’m wrong and Facebook will lose their appeal, but imagine if they win and this farrago helps them to get there.

The other revelation in my FOI response is an area of enforcement that the ICO does not want to publicise at all. In 2016, the ICO issued a penalty on an unnamed historical society, and in 2017, another was served on an unnamed barrister. I know this because the ICO published the details, publicly confirming the nature of the breach, amount of the penalty as well as the type of organisation. One might argue that they set a precedent in doing so. What I didn’t know until this FOI request is that there have been a further 3 secret monetary penalties, 1 in 2017 and 2 in 2018. The details have not been published, and the ICO refused to give me any information about them now.

The exemptions set out the ICO’s concerns. They claim that it might be possible for me to identify individual data subjects, even though both the barrister and historical society breaches involved very limited numbers of people but were still published. They also claim that disclosure will prejudice their ability to enforce Data Protection law, using this justification:

“We are relying on this exemption to withhold information from you where the disclosure of that information is held for an ongoing regulatory process (so, we are yet to complete our regulatory process and our intentions could still be affected by the actions of a data controller) or the information is held in relation to sensitive matters and its disclosure would adversely affect relationships which we need to maintain with the organisations involved. It is essential that organisations continue to engage with us in a constructive and collaborative way without fear that the information they provide to us will be made public prematurely, or at a later date, if it is inappropriate to do so. Disclosure of the withheld information at this time would therefore be likely to prejudice our ability to effectively carry out our regulatory function”

The ICO routinely releases the names of data controllers she has served monetary penalties and enforcement notices on without any fears about the damage to their relationship. Just last week, she was expressing how “deeply concerned” she is about the use of facial recognition by the private sector, despite being at the very beginning of her enquiries into one such company. And if maintaining working relationships at the expense of transparency is such a vital principle, how can they justify the publication of the Facebook NOI for no more lofty reason than to sex up the release of the analytics report? They say “It is essential that organisations continue to engage with us in a constructive and collaborative way without fear that the information they provide to us will be made public prematurely”, and yet the Facebook NOI was published prematurely despite the fact that it was a dud. What will that have done to the ICO’s relationship with a controller as influential and significant as Facebook? What incentive do FB have to work with Wilmslow in a constructive and collaborative way now? And if identifying the subjects is an issue, what is to stop the ICO from saying ‘we fined X organisation £100,000’ but refusing to say why, or alternatively, describing the incident but anonymising the controller?

It doesn’t make sense to publicise enforcement when it’s not finished, and it doesn’t make sense to keep it secret when it’s done. Every controller that has been named and shamed by the ICO should be demanding to know why these penalties have been kept secret, while Facebook have every right to demand that the Commissioner account for the perverse and ill-judged way in which she took action against them. Meanwhile, we should all ask why the information rights regulator is in such a mess.

And one final question: did she bring the framed pictures with her or did we pay to get them done?

Categories
Data Protection

SARmaggedon Days Are Here Again (Again)

 

Reading my emails, a headline leapt out at me: “The hidden cost of GDPR data access requests“. It led me to BetaNews, a website that looks like it is trapped in 1998, and a story describing research into SARs commissioned by Guardum, a purveyor of subject access request handling software. A sample of 100 Data Protection Officers were consulted, and you’ll never guess what the research uncovered.

SARs, it turns out, are time consuming and expensive. I award 10 GDPR points to the Guardum CTO for knowing that SARs weren’t introduced in 2018, but I have to take them away immediately because he goes on to claim that “There has also been a marked change in the way that lawyers are using DSARs as part of the data discovery process.” Apparently, lawyers are using SARs now. Imagine that. The article goes to say that “Fulfilling DSARs can involve finding, compiling and redacting data in digital and paper format across multiple departments both on company networks and in the cloud.“. There’s also a bit of a spoiler about whether the Pope is a Catholic.

According to Guardum, the average cost of a SAR is £4,884.53, the average DPO receives 27 SARs a month, and each one takes an average of 66 working hours to deal with. The article didn’t explain how these figures were arrived at, so I eagerly clicked the link to visit Guardum’s website for the full results. What I found was a fountain of guff. Strip out the endless bar and pie charts, and what Guardum wants to say is that 45% of the DPOs surveyed would like to automate some of the process because of a predicted landslide of SARs, provoked by angry furloughed and sacked staff.

I’m not sure about the logic of this – I can understand that everyone who loses their job will be upset and probably angry, and I’ve certainly dealt with lots of SARs related to a suspension or dismissal. But in those cases, the action taken was personal and direct – an individual was singled out by the employer for the treatment in question. I don’t see why people losing jobs in a pandemic will be so determined to send a SAR. It’s not like the reason for their predicament is a mystery.

The survey questions are opportunistic at best, and at worst, seem designed to allow Guardum to paint this picture of anxious DPOs uncertain about how they’re going to handle the post Covid-19 SARmageddon that the company is evidently desperate for. 75% of respondents are described as having difficulties dealing with SARs during the lockdown, though this actually translates as good news. 72% are coping but expect a SAR backlog when they get back to the office, while just 3% fearing a ‘mountain’ of requests. The headline on one slide is that 30% anticipate a ‘massive’ increase in SARs, but the reality is 55% expect the same as before and 15% think they’ll get less. 73% supposedly think that furloughed or laid off staff will be a ‘big factor’ in the predicted increase, even though the breakdown shows that only 20% think it will be the single biggest factor. To emphasise, these are requests that haven’t happened yet. The people who say that they will are the ones flogging the software to deal with the problem.

So far, so what? Guardum have software to sell and a cynical pitch about Covid-19 to achieve that. Does it matter? In the grand scheme of things, no, it doesn’t. I’m probably not the only person currently experiencing a crash course in What’s Really Important. But in the micro scheme of things, bullshit deserves to be called out, especially when it’s designed to exploit a crisis that’s causing misery and death across the world. Many of the revelations in this survey are staggeringly banal – nearly 50% of people find tracking the data down across multiple departments to be a slog, while 63% have to search both paper and electronic records. Who with any experience in Data Protection would think it was worth pointing this out? Meanwhile, the assertions about how long a SAR takes or how much it costs are wholly unexplained. It’s meaningless to claim that the mean cost of a SAR is £4,884.53 if you don’t explain how that was calculated (inevitably, the CTO is touting this figure on LinkedIn).

Guardum aren’t necessarily the experts at Data Protection that they might have us believe. For one thing, despite being a UK company, both the survey results and their website exclusively refer to ‘PII’ rather than personal data. For another, part of the criteria for participating in the survey was that the DPO needed to work for a company with more than 250 employees. This was, for a time, the threshold for a mandatory DPO but despite being changed, some dodgy training companies and consultants didn’t notice and ran courses which highlighted the 250 figure even when it was gone. Most importantly, nearly half of the people who responded to the survey don’t know what they’re doing. The survey was purportedly targeted at DPOs, but 44% of respondents are identified as being in ‘C-level’ jobs – perhaps this is to give a veneer of seniority, but C-level jobs are precisely the senior roles that are likely attract a conflict of interests. Guardum talked to people in the wrong jobs, and apparently didn’t realise this.

The ‘About’ page of Guardum’s website proclaims “Guardum supports privacy by design – where data privacy is engineered into your business processes during design rather than as an afterthought“, but the execution is less confident. There is a questionnaire that shows how much an organisation can save by using the Guardum product, but when you complete it, you have to fill in your name, company and email to get the results, and there’s no privacy policy or transparency information about how this information will be used. Moreover, if you try to use the contact form, clicking on the link to the terms and conditions results in ‘page not found’.

I have to declare my bias here – I don’t believe that any ‘solution’ can fully deal with the SAR response process, and I think people who tout AI gizmos that automatically redact “PII” are probably selling snake oil. Some of the SAR grind comes in finding the data, but a lot of it is about judgement – what should you redact? How much should you redact? Anyone who claims that they can replace humans when dealing with an HR, mental health or social care is writing cheques that no product I have ever seen can cash. So when I land on a website like Guardum’s, my back is up and my scepticism is turned all the way up. It would be nice if once, I saw a product that wasn’t sold with bullshit. But not only is Guardum’s pitch heavy with management buzzwords, they’re using fear as a marketing tool. Just last week, they ran a webinar about weathering the ‘Post Pandemic DSAR Storm‘.

Guardum claim that they provide “the only solution that can fully meet the DSAR challenge of responding in the tight 30-day deadline, giving you back control, time and money that are lost using other solutions“. Nowhere do they mention that you can extend the deadline by up to two months is a request is complex (and many are). But even if their claims are true, why do they need to sell their product via catastrophising? If their expertise goes back to the 1984 Act, why are they calling it PII and talking up the opinions of DPOs who are in the wrong job? Why oversell the results of their survey? Why hide the basis of the hours and cost calculations on which is all of this is being flogged?  And what on earth is a ‘Certified Blockchain Expert‘?

The future post-Covid is an uncertain place. I find the utopianism of some commentators hard to swallow, partly because people are still dying and partly because the much-predicted end of the office will have career-changing consequences for people like me. But at least the LinkedIn prophets are trying to explore positives for themselves and others in an undeniably grim situation. The people running Guardum seem only to want scare people into getting a demo of their software. If one is looking for positives, the fact that the ICO has waved the white flag means that no organisation needs to be unduly concerned about DP fines at the moment, and despite some of the concerns expressed in Guardum’s survey, nobody in the UK has ever been fined for not answering a SAR on time. The old advice about deleting data you don’t need and telling your managers not to slag people off in emails and texts will save you as much SAR misery as any software package, and I can give you that for free.

Categories
Data Protection

Role playing

 

A few weeks ago, the Data Protection world was shaken by a decision from the Belgian DP Authority to fine an organisation €50,000 after they appointed their Head of the Compliance, Risk Management and Audit department as their Data Protection Officer. I’ve commented before about my frustration that too many organisations are unable to comprehend the independence and relative freedom of the DPO role as anything other than a senior-level job – in such places, the role is a DPOINO, a Data Protection Officer In Name Only, with a younger, more junior but much more expert person actually carrying out the role. The DPOINO in these organisations is usually a middle-aged white man, and the real DPO is a younger woman. I imagine you are shocked to read this.

The Belgian decision is not ridiculous – it is difficult for someone in a senior position to escape decisions about hiring and firing (for example) or system design, activities that risk dragging the incumbent into determining the purposes. If the DPO was less senior, even in the same department, the risk of conflicts of interests would be lower. There are better, more imaginative models, but I think seniority is always fatal. Needless to say, some commentators have drawn more other conclusions.

Writing for Scottish Housing News, Daradjeet Jagpal questioned whether it was time for his audience (Registered Social Landlords in Scotland) to review their DPO appointments. Despite this being a single case in a foreign jurisdiction with tenuous direct application to a non-EU country like the UK, Jagpal fell back on the consistency mechanism, and warned his readers that the ICO might adopt the same approach, skipping over the fact that Wilmslow’s approach to the GDPR has been to go to sleep. A quick survey of the possible candidates – mainly heads of various RSL departments – do not make the grade for Jagpal, and rather patronisingly, he dismisses the idea that a Corporate Services Officer would be “comfortable or sufficiently confident to challenge the CEO on non-compliance“. Take that, many DPOs who I know and love.

Jagpal comes to the conclusion that “The obvious solution is for RSLs to appoint an external DPO” which is remarkable, given that Jagpal is described in the article as “a leading provider of outsourced DPO services to RSLs across Scotland“. I’m not suggesting that he’s is over-egging the Belgian decision for nakedly commercial purposes, but he does place weirdly heavy emphasis on EU standards and pressures which are clearly either dead or dying for Brexit Britain, and he barely entertains the idea that Scottish RSLs might just appoint a DPO in-house.

To be fair, the Belgian decision is a real thing that happened, and while I disagree with Jagpal’s assessment of its implications, he’s accurately described the situation. The same cannot be said of everyone in the outsourced DPO sector. In a webinar hosted by everyone’s favourite LinkedIn spammers, Data Protection World Forum, the CEO of The DPO Centre, Rob Masson decided to get creative. Masson spoke of the “quite strict guidelines” (AKA legal requirements) about who can be a DPO and the importance of avoiding conflicts of interest. He went on to say “we’ve got to remember that the role of the Data Protection Officer is to represent the needs of the Data Subjects. It’s not necessarily to represent the needs of the organisation.”

None of the specified DPO tasks refer to data subjects. They require a DPO to advise the organisation on data protection matters, monitor its compliance with the GDPR and other laws, advise on and monitor the effectiveness of data protection impact assessments, and liaise with the Information Commissioner’s Office. If you wanted to be exceptionally generous to Masson, you could interpret the whole of the GDPR as reflecting the needs of data subjects to have their personal data properly regulated, and from there spin the DPO’s role as a facilitator of that. But that’s also nonsense. It’s as much in the interests of an organisation that the personal data they use is accurate and secure as it is for data subjects. The GDPR sometimes allows controllers to retain data despite a subject’s objection, to keep processing secret from them when it might prejudice certain purposes, and to balance their own wish to use data against the impact on the subject, deciding to use it without consent when they think they’ve assessed the situation properly.

If we’re talking about the needs of the organisation, I’d argue that most of the GDPR’s requirements reflect the needs of the controller. Some organisations are too lazy or stupid to see it, or they’re getting advice from the wrong people. It might seem like disposing of personal data that you genuinely don’t need any more is an unwelcome imposition, but it’s very much the healthy option. To use Masson’s own word, GDPR is the spinach that the organisation *needs*, even if it might prefer the Big Mac and Fries of not thinking about it.

A77 gives the subject the “right” to lodge a complaint with the relevant supervisory authority. A39(1)(a) says that the DPO “shall” inform and advise the organisation of their obligations. Contrast these provisions with the words in A38(4), the only element of the DPO articles that refers to subjects: “Data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights under this Regulation.” This obviously means that the DPO ought to be accessible to data subjects (one of my objections to senior DPOs is that they won’t go for this), but it also shows Masson’s version to be fantasy. There is no right to reply, no hint that the DPO is the subject’s advocate or representative. They’re at best a conduit for concerned subjects.

Obviously, the DPO isn’t just the loyal servant of the organisation, and they have to reconcile being an employee and an independent advisor. I disagree with Jagpal’s dismissal of junior officers as being capable of standing up to CEOs because I know so many who do it regularly. But he’s reflecting a real problem that many DPOs face. If the senior people don’t want to take the DPO’s advice, they are in an invidious position. Until the ICO shows that it is willing to back DPOs in these kinds of situations, it’s going to remain a precarious and stressful job for those facing unsympathetic management. Masson’s characterisation can only make this worse, feeding a perception that the DPO is not even there to help the business, but to pursue the interests of data subjects. Subjects come in all shapes and sizes, but some of them are hostile, difficult and aggressive, and telling a CEO who already doesn’t take data protection seriously that their DPO represents these people’s interests is toxic. This snake-oil may seem slick on a bullshit webinar, but if this unhelpful message reaches workplaces with already unsympathetic management, it’s going to make the work of beleaguered DPOs even harder.

I wonder if it’s a coincidence that Masson’s misreading of the GDPR could benefit his business – if the DPO really is there to serve the needs of the data subject, doesn’t an external figure make more sense than an in-house officer who won’t be doing what you want them to do anyway? There’s nothing in the GDPR that would make you think that this version of the DPO is correct, so it has to come from somewhere. If that’s it, rather than simple ignorance, I wonder if Masson has the guts to try to hawk this stuff in a forum where people might actually challenge him.

At this point, you might be thinking, so what? People talk shite to get business. They predict SARmageddons. They shout about 4% of annual turnover fines. They claim that first-tier decisions in Belgium should make you change your DPO.  Does it matter? Doesn’t every sector have its share of hype and froth? The answer is that I have to work in this one, and I think the truth matters. I also have to clean up other people’s bullshit. I have to overcome the hype and the scaremongering spread around by the other people in my industry. I know the popular mantra is that commercial folk should all be pitching in and helping each other, but by spreading misinformation, the likes of Rob Masson are already not doing that, so why should I?

The Information Commissioner’s Office isn’t going to enforce against organisations with an imperfect DPO choice – perhaps they should, but they won’t. They’ve done one GDPR fine in two years and I doubt we’ll see another one in 2020. Sidelined by government in the coronacrisis, facing a review from the DCMS (pointedly not postponed despite the pandemic) and humiliated by the collapse of multiple high profile actions, the ICO is an irrelevance. I’ll be surprised if they survive in their current form. The reason to choose the right DPO is that an independent, challenging person in the role will help organisations to make intelligent decisions that will build a culture of more secure, more accurate, more effectively used data. The DPO isn’t the voice of the subjects, they’re a valuable asset there to guide and assist the organisation. I won’t sell a single course place by saying so, but that doesn’t make it any less true.