Categories
Christopher Graham

A bridge too far

 

June is a significant time for Data Protection in the UK. At the end the month, we have the EU vote (where a vote to leave will throw at least the timetable for implementation of the new General Data Protection Regulation into disarray) and Christopher Graham steps down as Information Commissioner, to be replaced by Elizabeth Denham. There are several reasons to be optimistic about Denham’s appointment – she is the first Information Commissioner to have previous experience of privacy and FOI work, she has already taken on big corporate interests in Canada, and she isn’t Richard Thomas.

However, Denham inherits a series of headaches as she begins her reign as Elizabeth II, and it’s difficult to know which of them will be the hardest to shake off. There is the GDPR implementation, which would be a challenge even without the uncertainty that Brexit will create. She also has to tackle the ICO’s lack of independence from Government, which results in scandalous outcomes like the admission in an FOI response that Wilmslow takes orders from its sponsor department (see answer 3 here). But perhaps biggest of all is the ICO’s approach to enforcement.

On FOI, the ICO doesn’t approach enforcement – it does pointless monitoring and audits without any evidence of success, and the major government departments use the ICO as their internal review, sometimes not bothering to answer requests unless ordered to do so by an ICO case officer. The sole enforcement notice in the past five years wasn’t even promoted by the office because the now departed Deputy Commissioner Graham Smith didn’t want to draw attention to the failure to tackle Whitehall’s FOI abuses.

On Data Protection, the approach is to enforce against self-reported security breaches. There is nothing wrong with lots of enforcement on security – it’s a significant requirement of the legislation and many people are concerned about it. The problem is that Wilmslow doesn’t enforce on anything else, despite breaches of the other principles being widespread and obvious. Unless I missed one, the ICO has issued 61 Data Protection monetary penalties since getting the power to do so. Two have been for non-security breaches: Pharmacy 2U (1st principle data sharing without consent) and Prudential Insurance (accuracy). The overwhelming majority of enforcement notices (and undertakings, if you count them, which you shouldn’t) are on security matters. This is despite the fact that the UK has a massive culture of unlawful data sharing, over-retention, flouted subject access and perhaps most obvious, rampant, damaging inaccuracy. The ICO does nothing about it.

A classic example is a story reported in the Observer about the Dartford Crossing between Kent and Essex. Automatic Number Plate Recognition is used by Highways England to issue penalty charges to drivers who use the crossings without paying by phone or web within a fixed period of time. The only problem is that drivers who have never used the crossing are getting the penalties, but it is more or less inconceivable that the ICO will take action.

Having used the crossing myself, I can confirm that there are some Data Protection issues with the signage around the bridge / tunnel – the Observer article explains well how the signs can easily be confused with those for the London congestion charge, which works entirely differently. This is, in itself, a potential data protection breach, as personal data needs to be obtained fairly, especially when the data being obtained (the license plate) will not only be used to levy a charge, but because court action may result for non-payment.

One person is quoted in the article as having being charged  because the system misread a ‘C’ as a ‘G’. The Observer also reports that hire car users sometimes find penalties aimed at the wrong person because Highways England don’t specify a date that the charge applies to. In another case, the person receiving the charge had sold the car in question, and had a letter from DVLA to prove it. As with most of these situations, terrible customer service and inflexible processes mean that even when a charge is applied to the wrong person, nobody in the food chain has the authority or the inclination to sort things out. Both of the individuals cited in detail by the Observer were headed for the baliffs until the Observer got involved, and all action was terminated. Research by Auto Express notes that only 1 in 25 people appeal their penalty, but 80% of those that do are successful.

Every time Highways England / Dart Charge issues a penalty against the wrong person, it is a breach of the fourth Data Protection principle, which states that “Personal data shall be accurate, and where necessary, up to date”. Note the lack of any qualification or context here – data is accurate, or it’s a breach. Clearly, this means that most organisations are breach DP every minute of every day simply because of typos, but even adopting a flexible approach, there can be no doubt that demanding money and threatening court action is a situation where the Data Controller must be certain that the data is accurate, and if they get the wrong person, it’s a breach. The security principle talks about “appropriate measures” to prevent incidents, but the fourth principle doesn’t: it’s absolute.

Highways England / Dart Charge have breached the DPA, but would it be possible for the ICO to take action? In order to issue a monetary penalty, the ICO has to meet a series of tests.

1. The breach is serious

Dart Charge are pursuing people for debts they don’t owe. It’s serious.

2. The breach is deliberate

This one is potentially tricky, as we would need evidence that Highways England know that they are operating on the basis of inaccurate information in order for the breach to be deliberate. I can’t prove that Highways England are deliberately pursuing people, knowing that they are the wrong targets, although one of the Observer readers quoted gives clear evidence that they might be: “I spent 20 minutes trying to get through to someone who kept telling me I had to pay, even though he could see the problem”. However, we don’t need deliberate if we have:

3. The Data Controller knew or ought to have known about the risk and failed to take steps to prevent it

This test is clearly met – Highways England know that most of their penalty charges are overturned on appeal, they know that their system misreads licence plate characters, that it fails to properly distinguish dates, and they know that people contact them multiple times with evidence that the charge is wrong, but they ignore this evidence until they are embarrassed into action by a national newspaper. The breaches are still happening.

4. The breach is likely to cause damage or distress

Innocent individuals who have not used the Dartford Crossing are being pursued and threatened with legal action if they do not pay money that they do not owe. The breach is causing damage and distress and is highly likely to do so.

The ICO does not enforce on accuracy and they won’t touch this case. If I tried to report it to them, they would ignore my complaint because I have not been affected (if an affected person complained, they would do an unenforceable assessment). They do not ask Data Controllers to report incidents of damaging inaccuracy, and they do not even advocate investigating incidents of inaccuracy in the way that they do for security. This despite that fact that inaccuracy leads to the wrong medical treatment being given, innocent people’s houses being raided by the police, and old men nearly drowning in canals. The ICO took no enforcement action in any of these cases, despite them being in the public domain. I have dozens of others. Meanwhile, the Commissioner chunters on about a series of accidents and mishaps without any direct evidence of harm (ironically, even the pace of security enforcement has slowed, with only three DP monetary penalties at all so far this year).

Whatever Ms Denham’s priorities might be, she cannot ignore this. The ICO has shirked its responsibilities on the other principles for too long. A quick glance at the articles relevant to enforcement show that the GDPR is specifically designed to give breaches of the principles the higher maximum penalty. It’s a riposte to the ICO’s enforcement priorities since the HMRC lost discs incident in 2007, and it’s a bridge that the new Commissioner must be willing to cross.

Categories
Charities

Culture, Media and Spam

 

Most of the news and comment I heard about the Queen’s Speech suggested that it was a hole in the air, with the Government wanting to avoid doing anything of any consequence before the resolution of the EU vote in June. It was a surprise, therefore, to see provisions in the proposed Digital Economy Bill that will change the face of direct marketing.

At the moment, the rules for direct marketing are a mixture of Data Protection (for postal marketing) and PECR (for email & texts, live calls, automated calls and fax). PECR breaks down into subsets, with some forms of marketing requiring consent (email & text, automated calls, fax) and some done without consent and with opt-out (live calls, with the ability to opt-out of all calls via the Telephone Preference Service.

But consider this line from the full version of the Queen’s Speech:

Protection for consumers from spam email and nuisance calls by ensuring consent is obtained for direct marketing, and that the Information Commissioner is empowered to impose fines on those who break the rules.

My first reaction to this was that the Department for Culture, Media and Sport were incompetent: PECR already requires consent for email, and the Information Commissioner already has the power to impose fines for breaches of consent. Whatever else, this is still true, and DCMS should explain why they are announcing things that have been in place since 2003 (consent for email) and 2011 (fines) respectively. Nevertheless, it’s impossible to interpret this sentence as meaning anything other than a change in the rules for live calls. It’s not earth-shattering: it’s only lawful to cold-call people who aren’t on TPS and who haven’t directly opted out, which is probably a minority of the overall population. But nevertheless, the proposal as written abolishes the need for the Telephone Preference Service and inverts current practice.

It certainly has the merit of neatness: PECR would make more sense if all electronic direct marketing had to be opt-in. However, it will have consequences far and wide. There are plenty of lead generators and telemarketing companies who still make cold-calls, and they would be dead in the water. I would shed no tears over this (I think the lead generation and list broking industry is fundamentally unlawful, and most of the folk in the call centres would just end up in hopefully less rancid call centres). However, killing off the telemarketing industry is bold.

It will also create an even more stark contrast with the Fundraising Preference Service, which in its current form allows someone to stop all contact with all charities. It’s not even clear whether a person will technically be able to opt-in to individual charities that they do want to hear from if they’re on the FPS. It would be moronic if this situation wasn’t clarified, but people who do moronic things tend to be good at maintaining their standards. Given that the Digital Economy Bill apparently puts all* electronic marketing on an opt-in basis, charities might legitimately argue that the FPS is unnecessary, and they would have a point.

There are other issues. If all email marketing has to be done on the basis on consent, this also presumably kills off the ‘soft opt-in’. The ‘soft opt-in’ allows a company to send email marketing on an opt-out basis, as long as the email address in question has been obtained in the course of a sale, and as long as the products being marketed are their own, and are similar to the one that was originally purchased. Requiring all email marketing to be done on the basis of consent would remove this option (NB: if you think the absence of an opt-out can be interpreted as consent, you are a moron).

Finally, the proposal doesn’t mention texts, hence my * above. Texts are as much of a nuisance for people as live calls or emails, and have been the subject of routine enforcement action by the Information Commissioner since 2011. PECR treats email and text as the same, so it’s entirely possible that the Government are treating them so. It’s equally possible that this is a back of a fag packet proposal to bulk out a weak bill in a thin speech. One indicator that this might be the case is that the Information Commissioner, explicitly mentioned in the proposal, has not reacted to it in any way. There is no press release, and not a single tweet, despite a run of tweets this week about nuisance calls and other PECR related action. One could be forgiven for thinking that they didn’t know about it (I will be doing an FOI to find out).

You might think that spinning 833 words out of a single sentence is overkill, but on the face of it, the proposed change will have a considerable impact. Like me, I hope you will be watching the progress of the Digital Economy Bill with interest.

Categories
Charities

Less than ideal

 

Last week, Stephen Lee, an academic and former fundraiser was reported as having attacked the Information Commissioner’s Office for their interpretation of direct marketing at a fundraising conference. It was, he said “outrageous” that the Commissioner’s direct marketing guidance stated that any advertising or marketing material that promoted the aims and ideals of a not-for-profit organisation was covered by Data Protection. According to Lee, only fundraising activities should be considered to be marketing.

[NB: Third Sector articles are sometimes open to all and sometimes limited to subscribers. If the links don’t work, please accept my apologies!]

He is quoted as saying “Who says that’s right? Just the ICO. Who did it consult? No one.” and  went on to say “Why and how and in what way should we be compelled to comply with that proposition?”

Who says that’s right? Who did the ICO consult? Well, let me see now.

1) The Council of Europe

In 1985, the Council of Europe issued a Recommendation on the protection of personal data used for the purposes of direct marketing. The definition of direct marketing includes both the offer of goods or services and “any other messages” to a segment of the population. The recommendation predates the guidance Mr Lee disparages by more than 30 years.

2) The 1995 Data Protection Directive

The Directive makes clear that direct marketing rules apply equally to charitable organisations and political parties as they do to commercial organisations, and emphasises the need for people to be able to opt-out of direct marketing. By redrawing the definition, Mr Lee would contradict this fundamental right.

3) The Data Protection Act 1998

Given that Mr Lee feels qualified to make bold statements about the interpretation of the Data Protection Act, it’s odd that he doesn’t seem to have taken the time to read it. Section 11 of the Act states that the definition of Direct Marketing “the communication (by whatever means) of any advertising and marketing material which is directed at particular individuals”. The important word there is “any” – organisations do not get to pick and choose which of their promotional messages are covered and which are not.

4) The Privacy and Electronic Communications Regulations 2003

PECR sets up the rules for consent over electronic direct marketing (consent for automated calls, opt-out and TPS for live calls, consent for emails and texts). It does not define direct marketing, but instead says this “Expressions used in these Regulations that are not defined in paragraph (1) and are defined in the Data Protection Act 1998 shall have the same meaning as in that Act”. Therefore, the DPA definition applies to PECR.

5) The Information Tribunal (now the First Tier Tribunal)

In 2005, the Information Commissioner served an Enforcement Notice on the Scottish National Party after they repeatedly and unrepentantly used automated calls featuring Sean Connery to promote the party in the General Election. The SNP appealed, and in 2006, the Information Tribunal considered the issue. One of the main elements of the SNP appeal was against the ICO’s definition of direct marketing. Although the case is about a political party, the ICO’s submissions are based on the proposition that charities as well as political parties are covered by the definition of direct marketing, and that the definition cannot be restricted to fundraising alone. The Tribunal accepted the ICO’s view in full, and dismissed the appeal.

6) The charity sector and anyone else who wanted to be consulted

The ICO may have issued guidance in the 1980s or 1990s on the definition of direct marketing, but the idea that promoting aims and ideals is part of it has been their view since 1999. In guidance issued on the precursor to PECR, the ICO stated clearly that direct marketing includes “not just to the offer for sale of goods or services, but also the promotion of an organisations aims and ideals”. They specifically mentioned charities, as they have ever since. Virtually every iteration of the ICO’s guidance on PECR and direct marketing has been subject to public consultation – indeed, the very guidance Lee is talking about was subject to a public consultation.

Here’s the problem. Lee is an Honorary Fellow of the Institute of Fundraising, and has a long association with it. The IoF has been the most consistently pernicious influence on the charity sector’s compliance with data protection and privacy law in the past ten years. Their guidance and public utterances on data protection are often misleading, and they recently had to change their own Code of Practice because it was legally incorrect. At best, they haven’t noticed the ICO position on charities and direct marketing for more than 15 years. At worst, they deliberately ignored it in favour of an interpretation that largely suits fundraisers. Lee complained at the conference about the “appalling” communication between the ICO and charity umbrella bodies, but Richard Marbrow of the ICO summed the problem up all too well:

One of the things the sector asked for was clarity, and I will try and bring you that. The trouble is, if you then say ‘we don’t like that clarity, could we have some different clarity please?’, we’re not going to get on very well.”

The most important thing about Lee’s outburst is the subtext – if any form of communication is not covered by the definition of direct marketing, then your consent is not required  in the first place and you have no right to stop receiving it. His interpretation is nonsense, but it is also ethically unsound. At its most basic level, privacy means the right to be left alone, the right to have an area of your life which is yours, which others can’t intrude into. Lee seems to want to erode that right. If his view was correct (it’s not), charities could bombard people with phone calls, texts or emails to tell them how marvellous they are, how important their work is, how vital they are for society. As long as they don’t ask for money, the logic of his argument is that people wouldn’t be able to stop them.

Lee’s other question (“Why and how and in what way should we be compelled to comply with that proposition?”) has an easy answer. Ignore it. Carry on breaching the law, ignoring the rules. I went to the cinema last night and saw adverts for two different charities that plainly breached PECR, so that seems to be the plan. Given that the furore over charities began with an innocent person bombarded with unwanted correspondence, it’s remarkable that senior figures in the charity sector are ready for another go, but if Mr Lee wants to drag charities’ reputations deeper into a swamp that they share with PPI scammers and payday loan merchants, he’s welcome.

But the ICO should not listen to their concerns, or open friendly channels of communication with the sector. They should apply the law firmly and regularly until the charities get the message. If this results in more enforcement against charities than other sectors, that will be only because the big charities are among the worst offenders and they haven’t put their houses in order. If charity giving suffers as a result, even amongst the many charities that have not transgressed, they should stop blaming others and look to their fundraisers, their colleagues and themselves.

Categories
Charities

Fair Cop

 

The bedrock of Data Protection is fairness. You cannot gain consent without fairness. Your interests are not legitimate interests if they are secret interests. Unless you have an exemption or you claim that telling the person represents disproportionate effort (i.e. the effort of telling outweighs the actual impact), you have to tell the person whose data you are using the purposes for which their data will be used, and any other information necessary to make the processing fair.

The ICO’s Privacy Notices Code of Practice is not ambiguous, nor was its predecessor. It is impossible to read the ICO’s published guidance on fair processing without taking away the key message, consistently repeated for more than a decade: if something is surprising or objectionable, especially if it involves some kind of impact or sharing outside the organisation, it should be spelt out. New-ish Information Commissioner Elizabeth Denham seems to have chosen to reverse the ICO’s previously timid, unimaginative approach to the first principle with a pair of civil monetary penalties against charities. We have one each for the Royal Society for the Prevention of Cruelty to Animals, and the British Heart Foundation, with the promise of more to come. You might say it was unfortunate that charities are first in line rather than, say, credit reference agencies or list brokers (to be a touch tautological). It was the charity sector’s misfortune to fall under the Daily Mail’s Basilisk gaze, and they have to accept that we are where we are.

To issue a civil monetary penalty, there are three hurdles for the ICO to clear. Firstly, there must be a serious breach. Both charities used commercial companies to profile thousands (and in one case, millions) of donors, buying up data from publicly available sources* to assess their wealth and resources, they shared data with other charities whose identity they did not know via a commercial company, and in the case of the RSPCA, they bought contact details to fill in data that donors had provided. The average donor did not have any idea that this was happening. I can see there’s a problem that when everyone in the charity sector knows that wealth screening goes on, it seems normal. But I’ve been using it as an example on my training courses ever since the Mail revealed it, and bear in mind that these are often seasoned data protection professionals who know about data sharing and disclosure, attendees are invariably shocked and some cases revolted by what I tell them.

There is no doubt in my mind that this processing needed to be spelt out, and there is no doubt from the notices that it was not. Carefully selected third parties or partners has been a stupid lie in marketing for years, but not even knowing where the data goes is much worse than the usual flogging it to all comers. At least the list broker knows who he’s flogging it to, even though the only careful selection is the ability to pay.

The second hurdle is the need to show that the breach is likely to cause damage or distress to the affected data subjects. It’s been known for quite some time that the ICO was planning to take enforcement action over the Mail stories, and the gossip I heard from charities was that fines were likely. I’ll be honest, I wasn’t convinced. The Information Commissioner lost a Data Protection Tribunal appeal from Scottish Borders Council because they bungled the damage / distress element of a £250000 CMP over pension records found in recycling bins. ICO made a flawed claim that the loss of paper pension records was likely to result in identity theft, but Borders had an expert witness who could argue convincingly that this was not true. The link between the breach (the absence of a contract with the company processing the data) and the damage was broken, and the ICO lost.

But this case is different. The ICO does not need to make a link between an incident and a breach, because they are bound up together here. Both notices show that the ICO has given considerable thought to the distress angle. There is no question that the charities breached the first principle, and their only hope for an appeal is to convince the Tribunal that people would not be caused substantial distress by secret profiling and data sharing after an act of generosity. This is not science, and all I can say is that I am persuaded. But for an appeal to be successful, the charities will need to persuade a Tribunal with strong experience and knowledge of DP and PECR from the numerous (and almost exclusively doomed) marketing appeals.

The third element requires the breach to be deliberate or a situation where the charities ought reasonably to have known about the breach. As I have already said, the ICO’s position on fair processing is well known in my sector and available to anyone who can type the ICO’s web address. I think it’s possible that the charities didn’t know what they were doing was a breach, but in my opinion, this is because the Institute of Fundraising and the Fundraising Standards Board effectively acted as a firewall between charities and reality. The advice (often inaccurate and out of date) came from the IoF, and complaints about charities went to the FRSB and no further. When your code of practice is written by the people who earn their living from fundraising and most in your sector are doing the same thing as you are, it’s not hard to fool yourself into thinking it’s OK. But ‘everybody does it’ will cut no ice with the Tribunal. The RSPCA and the BHF are not tiny charities flailing in the dark – they are massive, multi-million pound operations with vastly greater resources than many of my clients.

Daniel Fluskey, head of Policy for the Institute of Fundraising, whose apparent lack of experience or qualifications in Data Protection does not prevent him from writing inaccurate articles for the charity sector on GDPR, has already weighed in, saying that the ICO should be providing the specific wording that charities require: “Charities need more detail on the ICO’s view of what lawful practice looks like: what form of words would have passed the test?” The Information Commissioner is the regulator for every organisation, of every size and shape, that processes personal data. If they start writing tailored wording for charities, they will have to do it for everyone else as well. It is a ridiculous demand. I think the ICO should move on to the data pools, wealth screeners and list brokers, but if she could find the time to issue an enforcement notice on the Institute of Fundraising, forbidding them ever to speak or write on Data Protection matters again, the third sector would have a fighting chance of complying.

Besides, how hard is it to find compliant wording? Nobody – especially not the trade association for fundraisers – should be allowed to present this as a byzantine and complex task. The individual doesn’t need to know what software you’re using, or whether cookies are involved. They need to understand the purpose – what are you collecting, what are you going to do with it, who are you going to give it to? This should be presented without euphemism or waffle, but it’s when you strip out the legalistic nonsense, you see the problem. It isn’t that the poor charities were labouring under the burden of complex data protection rules. They could not comply with the Data Protection Act because what they were doing (and in RSPCA’s case, are apparently still doing) is so unattractive:

  • We will share your details with unspecified charities via a commercial company. We don’t know who they are.
  • We will buy your phone number, postal or email address from a commercial company if you have not given it to us.
  • We will use commercial companies to compile a profile of your wealth and property to work out whether to ask you for further donations. If you are likely to be worth a lot when you die, we will use this information to ask you for a bequest.

When Reactiv Media appealed their PECR penalty, the Tribunal rejected their appeal and increased the penalty. Like a lot of the spammers, they put themselves into administration to avoid paying up, but this option is not available to household name charities. If either the RSPCA or BHF appeal, they are dragging themselves deeper into the mud, and very possibly spending thousands more of donors’ money to do so. If they say that what they did wasn’t a breach, or that they couldn’t have been expected to know that it was, their officers, advice and business model will be scrutinised to a doubtlessly painful extent. The claims management company Quigley and Carter found themselves described as “feckless” and “most unimpressive” in the course of being filleted during a recent failed appeal. Do charities really want that? Even if they decide to roll the dice solely on distress, does either charity really want to acknowledge a serious breach that they knew or ought to have know about in the hope of getting the fine overturned on a technicality? Do they want ICO to call donors as witnesses?

The business model of pressure selling, TPS-busting, heavy texting, data sharing and donor-swapping adopted by some of the UK’s most celebrated charities resembles nothing so much as the activities of the claims management, PPI spammers (i.e. the scum of the earth). For all the noise and bluster on Twitter and in the charity press this week, there is an uncomfortable truth that has to be faced. The hated Daily Mail unearthed it, and the ICO has rightly acted on it. Some big charities have run an end-justifies-the-means approach to marketing and they have got away with it for a decade. Fundraisers ruled the roost, and compliance has been sidelined or ignored. Given how much money the RSPCA and the BHF have raised from fundamentally unlawful practices, they should pull back and rethink how they get donations in the future. They should ignore the Institute of Fundraising’s every word on Data Protection and PECR, and like every other charity, concentrate on reading and applying the ICO’s Code on Privacy Notices and guidance on Direct Marketing.

And right now, if there is a fundraiser sitting with the two CMP notices working out how to at the same time devise a method to raise loads of cash for their cause while complying with Data Protection and PECR, I hope they wipe the floor with everyone else.

*citation needed

Categories
Charities

Small change

 

Some senior figures in the charity sector have sought to deal with the Information Commissioner’s recent enforcement against the RSPCA and the British Heart Foundation by suggesting that the ICO’s action is disproportionate and unfair. The fundraiser sorry, academic, Ian MacQuillin has written two blogs which touch on the theme, while a few days ago, Robert Meadowcroft, the Chief Executive of Muscular Dystrophy UK tweeted:

If the  is impartial regulator it will investigate practices of  and not simply pursue charities

As 2016 is now disappearing over the horizon, I thought it was worth testing the hypothesis that the ICO is taking disproportionate action against charities, and the fines and other enforcement against charities are unrepresentative. TL:DR – it’s complete nonsense.

In 2016, the ICO issued 34 civil monetary penalties – 11 under the Data Protection Act, and 23 under the Privacy and Electronic Communications Regulations (PECR). There are a number of different ways of looking at the figures, and none of them show any evidence of disproportionality.

1) Charity CMPs as a proportion of the total in 2016

Of the 34 penalties, 2 were against charities, so 6% of the ICO’s CMPs in 2016 were against charities.

2) Amount charities were fined, as a proportion of the total in 2016

The CMP total was £3,225,500. The total of CMPs issued against charities was £43,000. This is 1.3% of the total.

3) Proportion of Data Protection CMPs issued to charities in 2016

If you look only at the CMPs issued under Data Protection, the charity proportion is not insignificant – there were 11 DP CMPs, so the 2 charity CMPs are 18% of the total – the same as the police, 1 more than councils, but less than the private sector or the NHS (3 each). However, this is the only comparison where charities feature significantly, and they are not the dominant sector. The next two comparisons are also instructive.

4) Proportion of PECR CMPs issued to charities in 2016

None. This is despite widespread breaches of PECR by charities, including phoning donors who are on TPS and sending texts and emails without consent (for example, the vast majority of mobile numbers gathered via charity posters in 2016 were obtained in breach of PECR).

5) Proportion of CMPs issued for marketing related activities in 2o16

There were 21 PECR CMPs related to marketing, and 2 DP CMPs related to marketing, making 23 marketing CMPs in all. 2 were against charities, which is 9.5% of the total. Given the big charities’ disastrous approach to marketing, this relatively small number is astonishing.

6) Level of CMPs in 2016

The average DP CMP was £108,500; the average charity DP CMP was £21,500.

The average PECR CMP was £84,666.75; there were no charity PECR CMPs.

The highest DP CMP was £400,000; the highest charity DP CMP was £25,000.

7) Other enforcement in 2016

There were 22 enforcement notices issued by the ICO in 2016, 8 under DP and 14 under PECR. 1 of the 8 DP enforcement notices was against a charity, which is 4.5% of the total, or 12.5% of the total DP enforcement notices. Either way, it is a small percentage of the total. Again, if you count the number of marketing related enforcement notices, there were 15, of which 1 was against a charity. This is 6.6% of the total.

8) CMPs since 2010

There have been 69 DP CMPs since 2010 that I can find (they drop off the ICO’s website after a few years); 4 were issued against registered charities, which is 5.8% of the total. The average DP CMP was £114, 163, whereas the average charity was £78,250. It is worth noting that these figures are slightly skewed by the £200,000 penalty against the British Pregnancy Advisory Service, which is a registered charity but receives most of its funding from the NHS.

The CMP against the British Heart Foundation was the 8th lowest CMP overall, while the CMP against the RSPCA was the 9th lowest. The only organisations to receive lower penalties than the charities were small businesses, unincorporated associations, and a bankrupt lawyer.

There have been 47 PECR CMPs that I can find since 2012; none have been issued on charities, which is 0% of the total.

Conclusion

These figures will likely be different in 2017. The ICO has signalled that more DP enforcement against charities is coming, and so the proportion of DP penalties may rise when the totals are in, but that depends on a variety of different factors including the number of other penalties and the ICO’s general approach. However, when you look at the facts for 2016, MacQuillin and Meadowcroft are wrong. Despite years of ignoring the Data Protection and PECR requirements in favour of a flawed, fundraiser-driven approach, the ICO has not taken disproportionate action against the charities. The action taken is a small percentage of the overall total. Special pleading and blame-shifting will not help the sector. Compliance with the law will.

Categories
CCTV

Eye in the sky

 

There’s nothing that says ‘Silly Season’ more than a Twitterstorm about a photograph of the top of a comedian’s head. After the National Police Air Service (NPAS) tweeted an image of the comedian Michael McIntyre, inviting their followers to guess who it was (it was Michael McIntyre), a variety of human rights lawyers, legal commentators, data protection experts and morons weighed in to give their view. In itself, the incident was not significant and seemingly no harm was done to Mr McIntyre. However, there are serious questions to be answered here. While I could forgive the Information Commissioner for brushing it off as a lot of fuss about nothing, they shouldn’t.

Firstly, it is a Data Protection breach to tweet a photograph of an individual in such circumstances. If you are new to this blog (Hi, how are you, that’s a lovely item of clothing you have on), then you might not understand my impatience with the argument that McIntyre was in public and therefore DP does not apply, McIntyre has no expectations of privacy, blah, blah, stupid blah. I’ve dealt with it many times before. Data Protection applies whenever personal data is gathered: filming someone in the street is less intrusive and therefore less likely to breach the DPA fairness and excessive provisions than filming someone in the shower, but the law still applies.Data Protection always requires the person gathering the data to meet a data protection condition. Nothing in the Act removes this requirement if the data is gathered from a public place, which is why the Information Commissioner has published detailed codes of practice on public space CCTV since the current DPA’s inception, and has had to revise it significantly twice because of CCTV’s complexity. If you don’t agree, tell me in the comments which section of the Act says that I am wrong.

While I am writing this, Radio 4’s Today programme is covering the story, and John Humphrys has just asked the crucial question: “what on earth does this have to do with policing?“. That’s what makes it a breach, because the answer is ‘nothing’. Policing organisations have wider scope to process personal data than other bodies, but only for national security and crime prevention & detection. Celeb-spotting comes under neither heading. NPAS would need to demonstrate that tweeting a picture of McIntyre was fair, lawful, and was necessary for a legitimate interest causing no unwarranted harm to McIntyre’s interests (the only data protection condition for processing that would apply here. They would have to show that the use of personal data outside the original policing purpose (which is what they’re up there for) was not incompatible. They would need to demonstrate that the use of McIntyre’s image was relevant to the policing purpose and not excessive. If you’re wondering, what I’m doing here is simply running through the Data Protection principles, and I’ve got multiple breaches just from the first three.

Even this innocuous image could have caused harm. The woman standing next to McIntyre in the picture is his publicist and they were leaving Global Radio’s studios after an interview. But what if NPAS inadvertently tweeted a picture of a celebrity and the person they were having an affair with? In 1995, CCTV operators in Brentwood Council once saw a man walking down the street carrying a knife and contacted the police. After the incident was resolved, Brentwood proudly shared images of the man to show how their CCTV system had tackled a dangerous individual, and his identity was subsequently revealed in the media. Except that Mr Peck wasn’t a danger to anyone but himself, and the Council obliged Mr Peck to reveal the details of his suicide attempt to family and friends who may not otherwise have known, as well as effectively libelling him. After eight years, Mr Peck rightly won a privacy case at the European Court of Human Rights. Bodies with the power to watch and record us should not casually toss images of us around without a proper justification.

I have wider concerns. If NPAS are merrily spotting celebrities and tweeting the results to thousands of people, what else are they doing? What do they do if they spot someone that they know? Will we get down-top shots of young women? Fat-shaming tweets if they see someone who is massively obese? The ICO’s CCTV Code of Practice places a strong emphasis on the requirement for CCTV operators to receive detailed training, but this casually intrusive incident doesn’t suggest that it’s working. In fact, I suspect that this incident is the tip of an iceberg that goes very deep. We’ve already seen police CCTV operators jailed for voyeurism; if the police don’t treat their surveillance with single-minded professionalism, that’s where this will end up. The tweet has been deleted, but if someone somewhere isn’t investigating what else has gone wrong, they should be.

The question of who should be doing that is a good one. NPAS describes itself as “a truly national (England and Wales) policing service“. It is hosted by West Yorkshire Police, but provides air support to all police forces in England and Wales. When scouring the skies of London for stand-up comedians, it is clearly providing a service to the Metropolitan Police. There are therefore a range of possibilities as to who is responsible, in Data Protection parlance, who is the Data Controller? Is NPAS a data processor for each force, in which case Met Police should answer for what happened here (and more importantly for the other more serious breaches of DP that I suspect have occurred). Is NPAS a data controller jointly with the Met Police, so they are both responsible? This is my guess, but my esteemed colleague Jon Baines has already noted that NPAS hasn’t completed a Data Protection notification, which if they are a Data Controller would be a criminal offence. If NPAS is a processor for the forces, each one of them would need to subject NPAS to a legally binding contract meeting all of the requirements of the 7th Data Protection principle. It’s a mess, but not one that the forces and Information Commissioner should be allowed to ignore.

I have already met a few people on Twitter whose knee-jerk understanding of Data Protection convinces them that this is nonsense. It’s not a breach, it’s not even personal data. It’s all in the public domain, and there’s nothing to see here but Michael McIntyre’s head. If those people are happy with this, they’re saying that the next time they furtively pick their nose, adjust their balls or their boobs while nobody is looking, or just walk down the street minding their own business, the police can record it and broadcast it to the world, and that’s just fine. I don’t think they should be allowed to make that decision for everyone else.

Categories
Caredata

A very long engagement

 

Tim Kelsey’s appearance on the Today programme was not illuminating. No compromise, no acknowledgement that the process has been badly handled, and the plan to slip leaflets about the process in with the pizza menus was on the advice of ‘competent marketing agencies’ (the sound you just heard was the launch of an FOI request about who they were and what they said). It must be nice to make such a fantastic hash of your job, and be capable of thinking you’re still a winner.

From the perspective of someone who is uncomfortable with the care.data process, I would have been happy had he promised a proper, personally addressed opt-out (which is better than what we have now). I would have been even happier had he promised consent. I wouldn’t say for certain that a fair version of care.data is impossible but I don’t think one will ever be offered. I doubt NHS England wants to spend the money on sending personally addressed letters to everyone, and they don’t respect their fellow citizens enough to choose consent, so I’m actually happy that Kelsey is sticking to his guns. Because we’re not going to get a fair, democratic version of the system, I’d rather he keep infantilising the public. This tactic has already led to two delays –  a third try at the same patronising “engagement” will surely kill the scheme off forever.

However, one thing struck me about the interview. Justin Webb asked Kelsey the straight question of whether a letter would be sent to every affected citizen. Kelsey said that all options were on the table, but was keen to plug his ‘Get hip with the 21st Century’ bluster about direct mail not being the right way to communicate. We’re using the Vulcan Mind Meld, Grandad. On the basis that Twitter has hardly been a roaring success for the care.data campaign (look at the #caredata hashtag if you don’t believe me), I wondered whether there might be more to Kelsey’s statement than panicked airtime filling. If so, what else is he planning, because I think the expensive letter option is the only game in town?

It’s entirely possible that NHS England has no plans to contact citizens directly at all. I predict posters, the reappearance of the NHS smurfs in the cheapest conceivable TV ad breaks, or adverts on radio stations I don’t listen to because I am old. But let’s assume that Kelsey and NHS England are thinking about some kind of direct contact. What are the options?

POST

Writing to every citizen directly would be more or less legal in Data Protection terms.  Assuming that NHS England has a reliable source for every person (not every address) in England, I believe that contacting everyone would be lawful and fair, even if they loaded the correspondence with propaganda. This is partly because Data Protection has its limitations, but also because there’s nothing in the DPA to say that you can’t contact people unless you have their permission, even if the correspondence is marketing. Unless NHS England sends everyone a bald postcard that says ‘we’re taking your data for research, here’s your opt-out’, it’s highly likely that the correspondence would be marketing. The ICO’s definition of marketing is far wider than simply the offer for sale of goods and services, but the DPA does not prevent an organisation from sending unsolicited marketing by post unless the person has used their Section 11 data protection right to opt-out.

Legally, I think that’s NHS England’s only option for direct contact.  It is inconceivable that if they are going to pay to contact us all, NHS England would just provide a bald statement of the facts. They would (and you might think they are entitled to) provide the reasons why care.data is a good thing. I believe this fits solidly into the ICO’s definition of ‘promotion of ideals’, which makes post their only legal option.

AUTOMATED CALLS

Automated calls are universally loathed as a form of marketing, so I’m certain that a scheme as cack-handedly managed as this one will hover over the option of making them. Automated calls are much cheaper than live calls, but to make them, you have to step wholly outside Data Protection. The Privacy and Electronic Communications (EC Directive) Regulations 2003 (usually rendered as PECR, which you pronounce ‘pecker’ in order to get cheap laughs) state in regulation 19 that an automated marketing call can only be made if the subscriber (i.e. bill-payer) has “notified the caller” that they consent to receiving the call. That means explicit, opt-in consent for automated calls from NHS England. Nothing implied or inferred – they need active specific consent for automated marketing calls, or they can’t make them.

EMAILS (and as it happens TEXT MESSAGES)

The business sector did a smart lobbying job way back when PECR was drafted, so it is legally possible to send unsolicited business-to-business marketing emails, because PECR treats corporate subscribers (effectively organisations and their email addresses) differently from individual subscribers (i.e. an email account of any kind used solely for personal, home and recreational purposes). But for those individual subscribers i.e. you at home as a regular person, Regulation 22 has bad news for Kelsey’s 21st century engagement. The same rules apply – an active opt-in is the only option. The ‘Interpretation’ section of PECR makes clear that a text message is the same as an email, so the same rules apply – active opt-in. Even if NHS England can get hold of email addresses or mobile numbers (or exhort GPs to use the information they have), it is legally impossible to send messages about care.data unless they have active consent, or the messages are not marketing. And they will be marketing.

LIVE CALLS

I assume that live calls won’t be an option because they would be prohibitively expensive. However, just in case anyone is wondering, NHS England would have to screen all calls against the Telephone Preference Service list under PECR Regulation 21, ruling out millions of people (or making calls to them illegal).

Of course, these rules are routinely abused by Green Deal and PPI pests. The ICO’s efforts have been rather dismissively rebuffed by the First Tier Tribunal, so we await the Upper Tier to see whether the existing PECR rules can be properly enforced. But the difficulty of enforcing PECR does not grant NHS England permission to adopt the tactics of the snivelling spam-monger. PECR does not have public interest get-outs or exemptions. It applies to communications about care.data made by electronic means because they will inevitably be a promotion of NHS England’s ideals.

Of course, I may be way off. It’s entirely possible that the plan is for more soothing reassurance. It’s equally possible that care.data is dead, and nobody is willing to admit it yet. Given their stewardship of this so far, I doubt NHS England are above claiming that any contact would not be marketing, and going on a spam frenzy. The ICO – permanently on the back foot over care.data – would need to slap that down. But the Royal College for General Practitioners have demanded direct contact with patients, and it’s clear that their intervention (along with the BMA) has been decisive. Whatever options are on the table, NHS England does not have the legal consent necessary to contact patients by electronic means, even if they can get the data to do it. It would be illegal.

Time to warm up the franking machine.

Categories
Caredata

Dangerous Liaisons

 

We found this meeting to be productive and are pleased with the level of cooperation between our respective organisations” Letter from David Evans, Strategic Liaison, Information Commissioner’s Office, to Christine Outram, Director of Strategic Intelligence, NHS England, 26 September 2013

 

As the care.data leaflet arrived in people’s homes in January, the ICO published a blog by Dawn Monaghan, Group Manager for Public Services in the ICO’s Strategic Liaison team. The blog described the NHS approach to the extraction of data from GP practices, the communication activities to underpin this, and the ICO’s role which – accurately – Monaghan described as limited. However, the blog did not stop short of effectively endorsing the process. Having summarised the plan to have posters and leaflets in GPs surgeries and a household leaflet drop, Monaghan’s blog stated: “We see this as a sensible approach” and “we would consider it likely that the fair processing requirements under the DPA would be met“.

Within days, the media was reporting on widespread concerns about the sensible approach. By the time of Tim Kelsey’s Comical Ali appearance on Radio 4’s Today Programme to say that everything was absolutely fine just before the whole thing was put on hold, Monaghan was interviewed to say that NHS England had not done enough. Christopher Graham later complained to the Independent that they’d wanted a direct letter all along.

This reaction to the mess was correct – it was the original, syrupy reassurance that was odd. The ICO is an independent regulator, there to ensure data protection compliance and, where necessary, to take enforcement action to back that up. And yet here they were, effectively saying ‘it’s all fine’. I thought it was bizarre that the ICO could give any backing to NHS England’s approach, but they seemed to find it necessary to be supportive until they saw which way the wind was blowing.

My concerns were shared. In September 2013, Dr Geraint Lewis, Chief Data Officer of NHS England was warned that the communications plan – the ‘sensible approach’ – was “essentially passive”. There were real concerns that “a number of patients would be unaware of what is happening to their personal data”. Lewis was informed that the approach – essentially the same approach that was delivered in practice – was almost certainly not an “adequate standard to ensure data protection compliance”. In October 2013, Rachel Merrett of NHS England received an email expressing concern about the household leaflet drop. There was a serious question about the leaflet’s effectiveness, arriving as it would along with stuff from “the local window cleaner and the Domino’s Pizza leaflet”, likely to be “scooped up and placed in the bin without being read”.

The author of these communications was Dawn Monaghan. I made an FOI request to the ICO for correspondence and meeting notes between the ICO and NHS England and the HSCIC. A large quantity of material was disclosed, virtually all of it recording the frequent contacts between Strategic Liaison – Monaghan, Evans and occasionally the head of the team Jonathan Bamford – and various NHS England and HSCIC civil servants. The biggest players, Information Commissioner Christopher Graham and Head of Patients and Information Tim Kelsey – make cameos as early on, the ICO fails to persuade NHS England to contact each patient directly.

It’s difficult to find a proper description of what Strategic Liaison does on the ICO’s website, but the aim seems to be to maintain good relationships with large data controllers ‘stakeholders’. This seems clear from a ‘Strategic Liaison Organisational Review’ document put forward by Bamford in March 2013, asking for more staff. More staff would help meet the ICO’s objectives to “maintain its influence in key areas and on key issues”. Another key benefit was to ensure that “stakeholder satisfaction levels will be maintained”. So how’s that influence working out for you?

In practice, Strategic Liaison’s activities look like the provision of lots of free advice with no real gain for compliance or the public. From the Commissioner through Bamford to Monaghan and Evans, and in particular, in emails in August 2013, it is clear that the ICO wanted a direct communication with each patient, and they wanted the leaflet to set out very clearly what the ICO called an ‘opt-out’ until they acquiesced to NHS England’s terminology of an ‘objection’. In reality, the leaflet drop went ahead, and it contains only a mealy-mouthed references to objecting. There is no form to register an objection or website to do so – on the last page, it simply tells the reader “ask the practice to make a note of this in your medical record”. Even NHS England’s preferred word ‘objection’ does not appear.

All the while NHS England and HSCIC pressured Strategic Liaison for detailed advice about who they think the Data Controllers are in various permutations of the process, and even when they got the answers, they demanded to know the background thinking. This resulted in Monaghan sending a detailed letter in November 2013, setting out the ICO position in detail. The average data controller, seeking concrete answers to such questions, would be told to whistle for it. Ring the helpline today and see if I’m wrong.

NHS England and the HSCIC clearly wanted the ICO to sign off their proposals. Even though an independent regulator should refuse this outright, several times, Monaghan refers to sign-off as something which cannot be done yet. In September 2013, an email states “Until this has taken place, the ICO could not offer an endorsement or agree that the process or communication plans would be compliant”, while later on it is unlikely that “we will be able to reach a point of endorsement or assurance until…”. The ICO is there to regulate, not to give approval, and yet it seems they contemplated endorsing the process. Indeed, what is Monaghan’s January blog, if not a tacit thumbs up? Typical of the way things worked is Monaghan’s statement on 12 August 2013 that “we do not wish to cause unnecessary delays to the project”. Delays to the project are not the ICO’s problem. If NHS England didn’t want to wait for ICO advice (advice I don’t think the ICO should have given), they should have got their answers from their own lawyers and hoped for the best, like most other Data Controllers have to do.

No matter how quickly the ICO changed their mind after the wheels came off, no matter how strong some of the correspondence is (Monaghan’s bracing September 2013 letter to Lewis is a standout), the overall mood is cooperative, ameliorating, persuasive, which might be OK if it worked. Teddy Roosevelt once advised a friend to ‘speak softly, and carry a big stick’. Strategic Liaison don’t have so much as a twig. The worst threat they offer is refusing to sign off the communication plan, something they should never have offered to do in the first place.

The only mention of enforcement action anywhere in the correspondence comes in an email from Rachel Merritt of NHS England in November 2013, trying to get confirmation from the ICO that they will take action if GPs opt out their patients in bulk. If the ICO cannot issue guidance on this issue, then NHS England has a number of options on the table: “If a large number of GP practices bulked block [sic] their patients, consideration would need to be given to whether we can continue to offer the objection”. Acknowledging the NHS Constitution’s guarantee of a right to object, Merritt continues that if the objection offer was withdrawn, “we could consider and refuse on this basis that we cannot provide a health service”. There is no evidence of how Strategic Liaison even reacted to this outrageous suggestion, but the friendly cooperation certainly continued. NHS England’s meeting notes from the back-end of 2013 even imply that the ICO was considering whether action against bulk opt-outs was possible.

Meanwhile, the HSCIC expressed concern about subject access request numbers escalating, and the meeting notes state “ICO to bring up with health priority cross officers group the issue of support for subject access requests”, and on 19 September 2013 “ICO agreed to work with the HSCIC if such requests significantly increased”. This offer of support is unacceptable on its own terms, but the ICO’s own Subject Access Code of Practice states “You should be prepared to respond to peaks in the volume of SARs you receive”. Every other Data Controller has to put in additional resources, but elite stakeholders get a promise of support. As we know, Strategic Liaison has to maintain their satisfaction levels.

I have complained before that the ICO’s use of the word ‘customer’ when they mean ‘complainant’ sends out the wrong message. The ICO is an ineffective ombudsman, and their recent decision to concentrate more on regulatory issues than making every complainant happy is probably a good idea on balance. I doubt it will work, but that’s a separate question. It’s essential for the ICO to be neutral and to send out the message that they’re on the side of the public is wrong. They serve Parliament, the Data Protection Act and the public interest. But equally, it is wrong for them to assist certain favoured ‘stakeholders’, facilitating them with monthly meetings, daily emails, and detailed advice on demand, especially not when the ICO’s own requirements (if you can call them that) are unmet. Would NHS England have sent a clear letter with an opt-out form to every individual if Strategic Liaison had promised them an enforcement notice if they didn’t? We’ll never know, but you don’t have to read much of the correspondence to see that this kind of thing isn’t in their vocabulary. The ICO needs to publish guidance, it needs to deal with complaints (i.e. make assessments) and in certain cases, it needs to enforce. Why does it need to make friends?

If there is any future compliance question about care.data – particularly the issues of fair processing or data controllership – the ICO has been intimately involved in NHS England’s thought process. I don’t even think NHS England and HSCIC were cynically implicating Strategic Liaison – the approach of nuzzling up to stakeholders does that automatically. The days when the ICO didn’t even have an enforcement team are long gone, but Strategic Liaison represents an outdated strand of thinking. The senior people who ran the office when I was there – which was long, long ago – treated Data Protection as an extended debating society where everything could be settled with a civilised discussion. Strategic Liaison had a civilised discussion with NHS England, they didn’t get what they wanted, but in the end, was maintaining a good relationship an objective in itself?

The one question FOI doesn’t allow me to ask is what Strategic Liaison think they’ve achieved. Care.data was delayed again, and this time, the objection that NHS England had contemplated dropping is getting a statutory basis, but Strategic Liaison didn’t ask for these concessions. It’s probably more pleasant to maintain friendly relationships with big data controllers, but at least in this case, I can’t see what was achieved by it. The ICO has a mountain of FOI complaints, a difficult new approach to DP compliance to implement, a pile of enforcement and a new version of Data Protection on the horizon, all in a time of austerity. I wouldn’t keep Strategic Liaison going in the years of plenty, but we’re in famine now, and deploying some of the most experienced ICO staff to hold hands with an elite group of data controllers stakeholders is a waste of valuable people and resources.

Time for a new strategy.

Categories
Caredata

Careless

 

The people who run NHS England and the Health and Social Care Information Centre never wanted to give the public a choice about whether their data would be mined and sold for research purposes (and the clumsy, ill-infomed opt-out that was dragged out of them isn’t a proper choice anyway). It should therefore come as no surprise – as the front page of today’s Telegraph makes clear – that the opt-outs have not been processed. Despite this, it’s full steam ahead: “the NHS has insisted that it will continue to sell medical data to insurers and other third parties“.

I’ve already seen questions on Twitter about the likelihood of the Information Commissioner taking action. If they do, it’s worth considering what the HSCIC and NHS England have actually done wrong. I’ve said this before, and I will say it again: care.data is legal and does not require consent. Because of the powers that Parliament bestowed in the Health and Social Care Act 2012, consent is not required because a legal power exists that allows personal data to be extracted and shared. It doesn’t matter which way you slice it, had NHS England steamrollered care.data through when they had the chance, this wouldn’t even be a story.

Ironically, it is the fact that NHS England bowed to the predictable but apparently unexpected backlash and offered their weedy compromise, achieved in part by that mealy-mouthed leaflet hidden among the pizza menus, that puts them in a pickle. All personal data must be processed fairly, and by telling all citizens that they had a right to opt-out of the sharing of their health data, NHS England created a set of clear expectations. They didn’t have to, but they did. So by not properly resourcing the opt-out process, NHS England and the Health and Social Care Information Centre have breached the first principle.

Lack of funding isn’t an excuse or a mitigating factor. The fact that they could have gone ahead and done all of this without the opt-out isn’t relevant either. Because the opt-out was offered, it is now part of the fairness package, and not to deliver on it is a breach.

The Information Commissioner has three options. The most obvious what is what we have had before: some strongly worded correspondence, alternating with hand-holding for their HSCIC friends (including a relatively new HSCIC IG officer who used to be at the ICO, working on care.data). The ICO dropped the ball spectacularly on care.data, anxious to enable what they must have thought was an important undertaking by a valued stakeholder. David Smith, the Deputy Commissioner with responsibility for Data Protection, is keen to stress that the ICO can be an enabler, and care.data before the public backlash is what that looks like.

Secondly, the ICO could issue a civil monetary penalty. Thousands of peoples’ data are being used unfairly, there is a serious breach of the first principle, and no doubt, many of those affected will be upset, annoyed or even distressed by the news. But the ICO has come unstuck at the First and Upper Tier Tribunal when trying to take action on distress, so I can understand why they might not favour this as an option.

The third option is the action they should obviously take, but I wonder if anyone in Wilmslow is bold enough. There is no damage or distress threshold for an Enforcement Notice, there is a clear step that the Information Commissioner can order the HSCIC to take (action all of the opt-outs, resourcing that in preference to the work on active data sharing), and there is a serious sanction underpinning an Enforcement Notice if it is not complied with (prosecution for the organisation or its board members). If the HSCIC believe that their power to obtain this information engages the Section 35 exemption in DP, which removes the requirement to process personal data fairly, they would be welcome to explain this to the Tribunal. I used to think that this might work for them, but I’m not so sure now and I’d be thrilled to see them try.

The ICO has tried stakeholder engagement and they got very little for the public as a result. I can understand why a CMP may seem a disproportionate and unattractive move. I fear they will do nothing. But if the Commissioner’ Office wants to show that it is serious about holding organisations to account for anything other than self-reported security incidents, they could have an Enforcement Notice out in days. It would be a huge sign that the Commissioner is willing to get into difficult territory to uphold their legislation rather than maintain pleasant relations with government. I would sing their praises if they took the opportunity. The question is, do they have the guts?

Categories
Cabinet Office

Bah Humbug

If I was a proper FOI requester, I would await the delivery of each response like an excited child on Christmas Eve, willing the appearance of the day when I will receive my presents. Instead, I am very much the adult embodiment of the child I used to be; I have bursts of enthusiasm that dull to indifference, especially now that my attention has to last over the passage of 20 working days. My FOI request to the Cabinet Office about the correspondence based adventures of Oliver Letwin MP is very much in that category (as an aside, the absence of tweets from @OliverLetwinMP remains a disappointment but I fancy he is merely whetting our appetite for a stonking tweeted SNAFU at some future date).

On the day that the Daily Mirror revealed Letwin’s insouciant approach to office filing and data protection, I fired off an FOI to the Cabinet Office demanding all manner of smoking guns, the outcome of which would allow me to write a stinging blog post of such revelatory and rhetorical brilliance that I would be carried aloft on the metaphorical shoulders of my readership, and given a column in the Guardian or the Financial Times. The days dragged by. I trained many fine folk around the nation, and received yet another rejection for my novel. By the time the Cabinet Office responded, I was on holiday in Morocco, and I didn’t really give a toss: Alan and Lionel be damned, I was trying to find ‘Casablanca Beer’.

Now safely ensconced in the UK with water pouring through the ceiling into my bedroom (to any readers in South Manchester, I can recommend a fine plumber), invoices to send, courses to write, and another publisher to find, I went fickle on my Letwin expose. Part of this is the fact that the 20 working days was distended by a generous 7 extras, by which time I had almost forgotten I had made the request. Part of it was the fact that Letwin had readily signed an ICO undertaking, showing at least some measure of contrition. And of course, in the interim, Vince Cable had decided to outgun Letwin with some DP flouting of his own. But most of all, I lost interest because the high seriousness of my original request was undercut by the ‘meh’ nature of the response.

I asked:

  • has Mr Letwin disposed of correspondence containing personal data about other people?
  • Did the correspondence relate to his constituency role, his Cabinet Office role, or both?
  • what kind of details were included (e.g. names and addresses, email addresses, information about personal circumstances or complaints)? I do not believe that providing a generic description of the data would constitute a breach of the Data Protection Act.
  • Has either Mr Letwin (in his capacity as an MP) or the Cabinet Office (as a data controller) informed the Information Commissioner of these incidents, on the basis that there is a possibility that the Seventh Data Protection principle has been breached, as it relates to security?
  • Has Mr Letwin received any data protection training in his capacity as a Cabinet Office minister?
  • Is any such training now planned?
  • When the statement provided by the Cabinet Office was released, claiming that the information disposed of was ‘not sensitive’, had the person making the statement considered the Data Protection implications of disposing of correspondence in bins in public parks?
  • Does the Cabinet Office have a policy or procedure about the appropriate disposal of paper records?

What I got was this:

The Information Commissioner has considered the matter and his report can be found at http://www.ico.gov.uk.

Enquiries made by the Information Commissioner’s Office (ICO) found that ‘among the documents were letters and emails from…constituents, including personal data such as their names, addresses, telephone numbers and email addresses, although in one instance there was some limited information about an individual’s health problems’. Mr Letwin has signed an undertaking with the ICO whereby he has agreed to dispose of personal data in a secure manner.

Ministers do not receive data protection training. Mr Letwin has been made aware of his responsibilities by the Information Commissioner. Data handling procedures in Government are set out at www.cabinetoffice.gov.uk/resource-library/data-handling-procedures-government. When handling data which contains personal information about identifiable living individuals, the Cabinet Office must ensure that it complies with the provisions of the Data Protection Act 1998. In particular, personal data must not be collected or retained unnecessarily, and appropriate security measures must be taken to protect the information.

I should point out that it is far from clear what information the Cabinet Office holds in relation to what I asked for – it’s possibly that they hold a shedload of emails and other information, but I didn’t get them. They did not provide any meaningful response to the penultimate bullet point in my request. The fact Ministers do not receive data protection training is disgraceful, and the fact that no training is planned, especially given that they knew about Vince when they responded, is shameful. They don’t tell me how to get an internal review, or provide me with any advice or assistance.

But what do I do? This desultory response at least provides me with some useful material for my next training course as the ‘before’ part of a ‘what FOI requests should look like’ exercise. If I complain, the Cabinet Office will either tell me that the original response was just dandy, or they’ll send me an apology in the name of a senior officer, written by a junior one (I was that junior officer once). I could complain to the ICO, adding to a backlog of requests, and in six months to a year, they’ll do something either way that by then, I will not care about at all. And is that a good use of anyone’s time?

In a world where the Cabinet Secretary badmouths FOI as his parting shot to government (www.guardian.co.uk/politics/2011/nov/23/freedom-of-information-act-government), and a former PM’s chief lieutenant feels entitled to go on Radio 4 and aggressively not understand how FOI works (www.bbc.co.uk/programmes/b006qjfq), to quote Slim Pickens in ‘Blazing Saddles’, I am depressed. Will an internal review make any difference? No. With Sir Gus O’Donnell sending a message to civil servants that FOI is a problem, rather than a natural part of the checks and balances, I don’t see the point of putting them to the trouble. And if I now don’t care so much about Letwin’s adventures in St James’ Park, am I entitled to ask for one? Well, no, so I won’t.

However, the one advantage FOI has over Christmas is that you don’t have to wait all year (unless you’ve made an FOI to a certain organisation if WDTK is any way to judge it), and you don’t have to be good to get presents. I’ve already moved on to the bizarre goings-on involving a former ICO employee getting raided by the cops after badmouthing our alma mater, and the fact that when the ICO meets big international corporations, they keep remarkably scant records. These are both blog posts for another time, so if you’re excited, you’ll simply have to wait to unwrap them.

And yes, as we heathens invented Christmas, we are entitled to enjoy it, and my blogs will be aggressively inflected with a yuletide theme until January. So if you don’t like it, Bah Humbug to you!