A cure for blindness

The first time I read the GDPR properly, something leapt out at me. For years, the received wisdom about the subject access and other rights provided by the legislation was that they were ‘applicant blind’. You could ask the person for assistance in locating their data, but you could not ask them why they were asking. Even if you knew that the person wanted to wind you up, you had to ignore that. When I got to the GDPR articles about subject rights, it struck me that this was no longer the case.

The relevant text in the final version (Article 12.5) is as follows:

Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:

(a)  charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or

(b)  refuse to act on the request

Looking at the foundation, the basis on which the request has been made, opens the door to the applicant’s motive. An unfounded request is one for which there is no legitimate basis, a request which is unwarranted. You cannot come to a conclusion that a request is either ‘unfounded’ and ‘excessive’ in many cases without looking at the person, why they have asked and what they intend to do with the data. The word ‘manifestly’ places a high threshold – it must very obviously be the case that the request is unfounded, but nevertheless, the words are there, and they must be there to allow the controller to refuse in some circumstances. If I’m wrong, tell me what those words are there for.

Believing that GDPR allows controllers to refuse requests because of the motives of the applicant often gets me into disagreements with other DP professionals. Perhaps because the ‘applicant blind’ idea is so basic to some people’s understand of how Data Protection works, or because they disapprove of the idea, a lot of people disagree. Last year, a controversy started when anti-abortion campaigners in Dublin filmed pro-choice demonstrators, and someone on Twitter provided a template SAR request for pro-choice people to use. The idea was to (in one Tweeter’s words) ‘swamp’ the anti-abortion campaign with SAR requests, even to show up and get yourself filmed solely so that you could make a SAR. More recently, pro-Remain campaigners, angry that they are receiving entirely legal election literature from the Brexit Party, suggested making SARs to the party to find out where their data had been sourced from. Virtually every time I pointed out that the data would have come from the electoral register, rendering the SAR pointless, they said they would do it anyway to annoy the Brexit Party and waste their time.

I support the idea of abortion without any hesitation, and I commend those who campaign in favour of the right to abortion. I am also what you might call a Hard Remainer – I wish we weren’t leaving the EU, and when we do, I would support a campaign to go back in on a Full Schengen, Join the Euro platform, partly because I think these things are good on balance, and partly because it would annoy people who voted Leave. Nevertheless, I think the anti-abortion campaign were perfectly within their rights to refuse SARs where they could identify a person’s Twitter comments saying that they intended to do a SAR to waste their time, and if the Brexit Party do the same now, I believe that this would be justified. I think GDPR allows for refusals of requests that are made for reasons other than concerns about personal data.

And if you don’t agree with me, you don’t agree with the Information Commissioner either.

For years, the failed FOI campaigner Alan Dransfield has been sending angry emails and complaints to various people at the Information Commissioner’s Office, usually late at night. I know this because as well as copying in various journalists, news organisations, and politicians, he also includes me. It’s hard to know what Dransfield hopes to achieve with these screeds, which blend an aggressive misreading of how the law works, defamatory accusations against ICO staff and RANDOM words in CAPITALS. Usually these emails come out of nowhere, but his most recent missive was in response to an email from the Information Commissioner, refusing to answer a subject access request he had made to them.

If you ever wanted an extreme case to test the limits of what is acceptable, it’s Dransfield. The ICO’s refusal says that since April 2016, Dransfield has sent them over 120 requests for information under the Data Protection Act 2018 (DPA 2018), the Freedom of Information Act 2000 (FOIA) and Environmental Information Regulations 2004 (EIR). In addition, the email contains this remarkable statement:

since May 2018 we have received in excess of 290 items of correspondence from you. Many of these communications have included unsubstantiated accusations of the ICO’s complicity in various crimes and have targeted members of ICO staff with the intention of causing distress

The ICO refusal points out that having previously refused his FOI and EIR requests as vexatious, they are now no longer even acknowledging them because they are about matters which have been dealt with (something which FOI plainly allows). They then go on to say this:

Your requests for information under Article 15 of the GDPR appear to be similarly motivated. We consider that these requests are not made to legitimately establish what information we hold and how we are handling your personal data, but part of a campaign to challenge the decisions that have already been concluded within due process

As well as copying me into his legally illiterate complaints, Dransfield sometimes emails me direct to call me a dickhead or spew out misogynistic and homophobic abuse, but it’s clear that ICO staff have it much worse than me. He’s a toxic character who thrives on causing discomfort and outrage. You might say that if ‘unfounded’ works on him, it’s only because he’s such an extreme case. But Dransfield is not alone. There are other vexatious, unpleasant people whose SARs will be made in the same vein of perpetuating a complaint or a campaign. Most importantly, look at the basis of the ICO’s refusal: we’re saying no because we don’t think you’re making this request for the right reasons. The ICO believes that an unfounded request is one made for the ‘wrong’ reasons.

Assuming this is correct (and obviously this is a rare case where I think the ICO has got it right), the next question is how far this goes. For years, the UK courts argued that using SARs to pursue litigation was an abuse of process – is that use of a SAR unfounded? I think that weaponised political SARs are unfounded, and even if you disagree, I don’t think you can tell me that it’s impossible. The net result of Dransfield’s adventures in FOI was establishing a principle that has been used to refuse many requests as vexatious – exactly the opposite of what he wanted. His campaign against the Commissioner may, ironically, have the same effect in GDPR.

The ICO rejects SARs they believe have been made for the wrong reasons. If they do this for themselves, there have to be circumstances where they will agree when other controllers do this. Pandora’s Box has been opened. Controllers who are dealing with vexatious applicants or orchestrated campaigns should think very seriously about whether denying a person their subject access right is an acceptable thing to do, but they should do so in the knowledge that the UK’s Data Protection regulator has already done it.

 

Home, James

A few months ago, I wrote a blog about data protection and nonsense, highlighting inaccurate claims made by training companies, marketers and pressure groups. A bad tempered spat ensued in comments on LinkedIn between myself and Russell James, the marketer behind the lobbying attempt to change the ICO’s funding model to include cost recovery. James insisted that it didn’t matter that a letter sent by four MPs to the DCMS asking for the change, apparently at his instigation, contained inaccurate claims (the description of DP breaches as ‘crimes’) and embarrassingly got the name of the Information Commissioner wrong (it’s the Independent Commissioner of Information, according to the distinguished Parliamentarians, or whoever actually wrote it).

I asked James what the Information Commissioner’s Office themselves thought of his plan to allow the ICO to recoup the costs of investigations from those “found guilty of data crimes” (which I think means those who are in the receiving end of enforcement from Wilmslow, although it’s hard to be 100% certain). The idea that someone would persuade MPs to lobby the ICO’s sponsor department to change their funding mechanism without at least the tacit approval of the Commissioner or her staff seemed ridiculous, but the normally prolix Mr James was silent on the matter. So I decided to ask the Information Commissioner.

I made an FOI request including all of the following information:
1) Any recorded information about approaches made by Russell James or others to the ICO about the idea of the ICO adopting a cost-recovery model, including any correspondence with Mr James or his associates.
2) Any responses provided to James or others about the ICO adopting a cost-recovery model.
3) Any correspondence with Tom Tugendhat, Yvette Cooper, Dominic Grieve or Damian Collins, or their staff about the idea of a cost-recovery model, or the letter sent to the DCMS
4) Any internal discussion of the cost-recovery model.
5) Any correspondence, notes of meetings or other records of meetings between Mr James and any ICO member of staff, including the names of the staff. (this was subsequently clarified to cover only the cost recovery model, and not any other correspondence Mr James might have had with the ICO.)

Whatever the ICO made of Mr James’ ambitious plan, I was certain that this request would capture their thoughts. At worst, the ICO might refuse to disclose their internal discussions of the idea, but at least I might get some sense of the extent of them.

The ICO provided me with three paragraphs from a letter sent to them by Mr James around the time the MPs wrote to the DCMS. James told me that ICI letter was written by the office of Tom Tugendhat, but this one was remarkably similar in tone, and had the same lack of understanding of how the Data Protection enforcement regime works. James told the ICO that they were about to “leverage significant revenue“. Greatly increased income for the DCMS via the huge sums GDPR fines paid to them would, James asserted, result in much more cash for Wilmslow. This sounds great, if it wasn’t for the the fact that the ICO hasn’t issued a single penalty under the GDPR yet. More importantly, he is confused about what happens to the penalties, and how the ICO is funded. DP penalties have always been paid into the Treasury’s consolidated fund, bypassing the DCMS altogether. Moreover, the ICO doesn’t receive any funding from the DCMS for its Data Protection work. As this document (freely available on the ICO’s website) states, all the ICO’s DP work is paid for by DP fees collected from Data Controllers, as has been the case for many years. The ICO could do a CNIL-style €50 million penalty every week, and neither they nor the DCMS would see a cent of it.

James also claims in his letter that his campaign has “ministerial support from government officials“; I don’t know if that he’s claiming the support of ministers, or the support of government officials, but the phrase itself sounds like it was written by someone who doesn’t know the difference between the two. I’d ask him which it was, but I sent him a single direct message asking for comments before publishing the last blog I wrote this issue. He ignored me, but later pretended that I had deluged him with many such messages. If Tugendhat hadn’t tweeted the ICI letter, I’d think it was fake.

Whatever the shortcomings of Mr James’ insights into Data Protection (when I told him I was making an FOI about his plan, he thought it was the same as a SAR), his confidence in the success of the James Tax is hard to fault. According to him, it is now “a short time before your department (ICO) will have a more resilient financial footing“. Given this thrilling news, one can only speculate at how excited the fine folk of the ICO would be at the impending cash bonanza.

Alas, apart from a copy of the ICI letter, which the ICO sensibly chose not to provide to me as it was plainly in the public domain, they held no data about the James Tax. None. Nothing. Nada. Indeed, they made a point of telling me: “For clarity, I can confirm that we do not hold any information which falls within the scope of the other parts of your request“.  This means that they did not have any recorded discussions about it, share the letter internally, or even reply to that part of Mr James’ letter. If anyone had anything to say about the James Tax, they didn’t want to write it down.

Mr James has set himself up as the doughty defender of “Liz and the crew” as he once described his surprisingly reticent friends in Wilmslow to me. He has launched a campaign to change the law and roped four two highly respectable MPs in to support it. I think it is reasonable to ask whether someone with such a misbegotten understanding of how Data Protection works is the right person to change it. Given that the ICO has seemingly offered no support, not even a comment on his plan, I assume that they do not welcome the idea. It’s not hard to imagine why – calculating the costs of an investigation is extra work and bureaucracy. Moreover, if the ICO is entitled to claim the costs of victory, surely it should be forced to foot the bill for defeat – every time the ICO’s enforcement team’s investigation results in no action, the ICO should contribute to the time the controller spent in answering the many letters and information notices for which the office is celebrated.

If a case goes to appeal, while the James Tax would presumably allow the costs of going to the Tribunal to be recouped if successful, for fairness’ sake, the same logic must apply the other way around. If the Tribunal vindicates the ICO’s target (and losses at the Tribunal are not unknown, especially in recent times), presumably the ICO would have to pay the legal bills too. There are already financial incentives and advantages for the Commissioner. If the ICO issues a financial penalty, the controller gets a 20% discount if they choose not to appeal. If a controller’s actions are truly misbegotten and they choose to appeal, the Tribunal and the courts above can award costs against the recalcitrant data controller. To change the relationship further in the ICO’s interests should not just be one-way.

If the James Tax includes recouping costs of dealing with appeals (and my arguments with him on LinkedIn suggests that it does), this will also have a negative effect on one of the most important parts of the DP enforcement system. Any controller who has been fined will, according to the James Tax, already face the added cost of the ICO’s investigation. Appealing – already a roll of dice in many cases – will be that much more of a risk. As well as their own costs, controllers will have to factor in the additional ICO tally.

We already have Denham grumbling about appeals, even using a speech by Mark Zuckerberg about possible regulation in the US as an excuse to demand he drops his appeal against the Facebook fine in the UK. James’ ideas might further suppress the possibility of appealing against ICO decisions. For everyone involved in the sector, this would be a disaster. To borrow James’ inaccurate criminal characterisation of DP enforcement, the ICO is already the investigator, prosecutor and judge – I don’t want to strengthen that hand any more. Moreover, in the interview above, Denham signalled disdain for the concerns of ordinary people, stating that they don’t complain about the right things. As part of its analytics investigation, the ICO has enforced on cases where there have been no complaints. Denham’s ICO need to be challenged, and challenged regularly. The tribunals and the courts frequently give detailed and helpful explanations of how the law works – ICO never produced guidance on consent as useful as the Tribunal’s decision in Optical Express, and whether the ICO wins or loses, all sorts of insights are available in Tribunal decisions.

Nobody appeals lightly. Combine Denham’s hostility to challenge with the James Tax, and we might lose vital opportunities for debate and caselaw. You can dismiss this blog as just an opportunity for me to take the piss out of another GDPR certified professional, but James has set himself up as a public campaigner. He wants to change how the ICO is funded and how all controllers are potentially treated. This cannot just pass without scrutiny, especially as he appears to lack both an understanding of the system he wants to change, and the support of the regulator whose powers he wants to alter. If the people arguing for changes don’t even think it’s important what the ICO is called or whether it’s a ‘department’ or not, we should wonder what other important details they have missed.

Head in the Sandbox

The Information Commissioner’s Office recently held a workshop about their proposed Regulatory Sandbox. The idea of the sandbox is that organisations can come to the ICO with new proposals in order to test out their lawfulness in a safe environment. The hoped-for outcome is that products and services that are at the same time innovative and compliant will emerge.

There is no mention of a sandbox process in the GDPR or the DPA 2018. There is a formal mechanism for controllers to consult the ICO about new ideas that carry high risk (prior consultation) but the circumstances where that happens are prescribed. It’s more about managing risk than getting headlines. Unlike Data Protection Impact Assessments, prior consultation or certification, the design and operation of the sandbox is entirely within the ICO’s control. It is important to know who is having an influence its development, especially as the sandbox approach is not without risk.

Although Mrs Denham is not above eye-catching enforcement when it suits her, the ICO is often risk averse, and has shown little appetite for challenging business models. For example, the UK’s vibrant data broking market – which is fundamentally opaque and therefore unlawful – has rarely been challenged by Wilmslow, especially not the bigger players. They often get treated as stakeholders. The sandbox could make this worse – big organisations will come with their money-making wheezes, and it’s hard to imagine that ICO staff will want to tell them that they can’t do what they want. The sandbox could leave the ICO implicated, having approved or not prevented dodgy practices to avoid the awkwardness of saying no.

Even if you disagree with me about these risks, it’s surely a good thing that the ICO is transparent about who is having an influence on the process. So I made an FOI request to the ICO, requesting the names and companies or organisations of those who attended the meeting. As is tradition, they replied on the 20th working day to refuse to tell me. According to Wilmslow, disclosure of the attendees’ identities is exempt for four different reasons. Transparency will prejudice the ICO’s ability to carry out its regulatory functions, disclosure of the names of the attendees is a breach of data protection, revealing the names of the organisations will cause them commercial damage, and finally, the information was supplied with an expectation of confidentiality, and so disclosure will breach that duty.

These claims are outrageous. DPIAs and prior disclosure exist, underpinned both by the law and by European Data Protection Board guidance. Despite the obvious benefits of developing a formal GDPR certification process (both allowing controllers to have their processing assessed, and the creation of a new industry at a time when the UK needs all the economic activity it can get), the ICO’s position on certification is supremely arrogant: “The ICO has no plans to accredit certification bodies or carry out certification at this time“. A process set out in detail in the GDPR is shunned, with the ICO choosing instead to spend huge amounts of time and money on a pet project which has no legal basis. Certification could spread expertise across the UK; the sandbox will inevitably be limited to preferred stakeholders. If they’re hiding the identities of those who show up to the workshop, it’s hard to imagine that the actual process will be any more transparent.

The ICO’s arguments about commercial prejudice under S43 of FOI are amateurish: “To disclose that a company has sent delegates to the event may in itself indicate to the wider sector and therefore potential competitors that they are in development of, or in the planning stages of a new innovative product which involves personal data“. A vital principle of FOI is that when using a prejudice-based exemption, you need to show cause and effect. Disclosure will or will be likely to lead to the harm described. How on earth could a company lose money, or become less competitive, purely because it was revealed that they attended an ICO event (which is what using S43 means)?

The ICO’s personal data and confidentiality arguments are equally weak – everyone who attended the meeting would know the identities of everyone else, and all were acting in an official or commercial capacity. This was not a secret or private meeting about a specific project; anyone with an interest was able to apply to attend. Revealing their attendance is not unfair, and there is plainly a legitimate interest in knowing who the ICO is talking to about a project into which the office is putting significant resources, and which will have an impact on products or services that may affect millions of people. The determination to hide this basic information and avoid scrutiny of the sandbox process undermines the credibility of the project itself, and makes the ICO’s claim to be an effective defender of public sector transparency ever more hypocritical.

Worst of all, if disclosure of the attendees’ identity was the calamity for commercial sensitivity and personal data that the ICO claims it to be, there should be an immediate and thorough investigation of how the information I requested came to be revealed on the ICO’s website and twitter account. The entire event was recorded and a promotional video was released. Several attendees (whose names and companies I cannot be given because of confidentiality, data protection and commercial prejudice) are identified and interviewed on camera, while there are numerous shots of other attendees who are clearly identifiable. Either the ICO has betrayed the confidentiality and personal data rights of these people, putting their companies at direct commercial risk, or their FOI response is a cack-handed attempt to avoid legitimate scrutiny. Either way, I strongly recommend that the left hand and the right hand in Wilmslow make some rudimentary attempts to get to know one another.

Long ago, I was one of a number of online commentators described by the ICO’s comms people as a ‘driver of negative sentiment’. More recently, one of Denham’s more dedicated apologists accused me of being one of the regulator’s “adversaries”. I’m not a fan of the ICO, and I never have been. But this stinks. The determination to throw every conceivable exemption at a simple request to know who the ICO is talking to suggests that the office is afraid of scrutiny, afraid of having to justify what they’re doing and how they’re doing it. The incompetence of refusing to give me information that is on display on their website and Twitter account shows contempt for their obligations as an FOI regulator. The ICO has its head in the sand; as we drift out of the European mainstream into a lonely future on the fringes, their secrecy and incompetence should be matters of concern for anyone who cares about Data Protection.

Out of control

The General Secretary of the Labour Party, Jennie Formby, sent a letter to its Deputy Leader, Tom Watson, this week, expressing concern about Watson’s request that complaints about anti-semitism be copied or forwarded to him so that he could ensure that they were being dealt with properly. Formby outlined concerns about the effect on the complaints process that I am not qualified to answer, but she also raised the spectre of GDPR and Data Protection, and here, I am somewhat sceptical of her arguments.

Formby is right to say that political opinions are classed by the GDPR as special categories data and so require extra protection as compared to ordinary data like a name and address. I’m surprised that she didn’t also mention that many of the complaints would also include the religious or philosophical beliefs of complainants or the complained- about, as well as possibly their racial or ethnic origin. Why Formby didn’t want to highlight the religious and racial dimensions of complaints about anti-semitism is a bit of a poser.

To claim that Watson isn’t taking a risk by soliciting this data when he wasn’t already is clearly false. The best way to avoid Data Protection problems is not to process data in the first place, and as the third GDPR principle requires data minimisation, the safest choice for Watson is to trust the process and not receive any data. The problem arises if he doesn’t, or if he feels responsible for ensuring that it is working. If you think he’s operating purely politically, that’s your choice but I’m going to give him the benefit of the doubt. I’ve already had several heated disagreements on Twitter about this, mainly with people who are certain that he’s going to breach GDPR but uncertain about which particular element is in play.

So here’s my opinion. Tom Watson, in his capacity as Deputy Leader of the Labour Party, can process special categories data concerning complaints about anti-semitism, and Jennie Formby is wrong to argue that he cannot. It’s entirely possible that Mr Watson will follow the GDPR principles to the letter, and it’s entirely possible he will make an almighty cock-up of it. If he does, he should face the consequences. The Labour Party is no stranger to dodgy data dealings – it bought data that had been unlawfully obtained on its behalf by Emma’s Diary for the 2017 General Election, and while Emma’s Diary got fined, Labour didn’t. Sometimes, DP gets breached and nothing happens.

Formby said the following:

The suggestion that you as an individual data controller should receive and store data relating to complaints unrelated to your personal role as an MP, on a private email address, or indeed any other system, is completely unacceptable and exposes you, and the Party, to significant compliance risks.

Like all MPs, Watson is an individual data controller, but only when acting as MP for West Bromwich East and the constituency issues associated with that role. If Watson was acting as an MP and party members chose to forward their own complaints to him, or provide complaints made to them by others, it would be odd, but the Labour Party would not be responsible as Formby claims. Watson would be the controller. However, Watson is the party’s Deputy Leader and it is plain that he was acting in that capacity when he sought to receive the complaints – this is plainly a Labour Party matter, not an issue concerning the fine folk of West Brom.

If something in Labour’s constitution explicitly forbids the Leader or Deputy Leader from having direct involvement in, or oversight of, complaints, Watson has a problem. Formby’s letter clearly sets out her opposition to political involvement in the complaints process, and if she can back that up with a clear reference to the party’s formal rules, any argument that I might make in Watson’s favour is severely weakened. Labour’s formal internal rules have great significance for whether his processing is lawful. But if there isn’t, as Deputy Leader, I can’t see how Watson’s claim to determine the purposes for which the party uses data isn’t valid. In all big organisations, senior people can decide how and why data is used. The controller isn’t one person, it’s the organisation itself, and so logically, more than one person is involved in determining the purposes. If the Deputy Leader isn’t an appropriate person to make these decision, who is? Is it just Mr Corbyn?

There are at least two people’s personal data involved in any complaint Watson wants to see – the complainant and the subject of the complaint. Watson has to justify the processing of the data generally, and if the data is special categories, he has to find an exemption that allows him to process the special data.

If any person chooses to forward or copy their own complaint to Watson or his staff, they plainly consent to him processing their data. He can process any data about their political, religious or philosophical beliefs or ethnicity on the basis of their explicit consent. Watson might struggle to demonstrate he has explicit consent unless the email says ‘I explicitly consent for you to process data about my religion, politics or ethnicity’, but in the real world, it’s impossible to believe that the Information Commissioner or the courts would uphold a complaint from the very same person who forwarded their own complaint. It’s nonsense.

If the complaint is submitted to Watson by a third party, this is more tricky, unless of course the person forwarding or copying the complaint (presumably an MP or other party member) gets consent from the complainant. If that consent exists, Watson is in the clear. If not, he must establish a lawful basis to process the data. In my opinion, he has a legitimate interest in receiving and monitoring complaints about anti-semitism in a party of which he is Deputy Leader, especially when a Jewish Labour MP has just left that party because of anti-semitism. Watson would need to evidence the legitimate interests assessment, but I believe he could make it out. It is surely the role of a Deputy Leader to want to make sure that complaints are being dealt with properly, especially when the issue is as important or potentially damaging as this?

If he doesn’t have consent from a complainant and the complaint contains special categories data, Watson has another hurdle to clear in terms of a special categories exemption. However, the GDPR allows the processing of special categories data in the following circumstances:

processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects

As long as a complaint was made by a current or former member, Watson can argue that his monitoring of the process is carried out in the course of the party’s legitimate activities. Alternatively, he could argue that it is necessary in the substantial public interest. I believe that ensuring that Labour is taking anti-semitism seriously meets that definition, although Watson also needs legal authorisation from the Data Protection Act 2018 to rely on that exemption. The authorisations include ensuring that equality of treatment is maintained (including the treatment of people with specific religious beliefs). I don’t think Watson needs this, but it’s there.

As far as the data of the complained-about goes, Watson plainly doesn’t have their consent and has no hope of obtaining it. However, I believe again that he has a legitimate interest in gathering the data, and if the data includes special categories like political opinions or religious beliefs, he can rely on the legitimate activities exemption quoted above. Once again, if you disagree, it’s worth noting that another exemption from the prohibition on processing special categories is the fact that the person clearly made the data public themselves. Many of the complaints about anti-Semitism come from comments made online or in public meetings and speeches – the meat of the complaint is very likely to concern public statements or utterances from the complained-about. You cannot object to Tom Watson reading a complaint about your tweets because you tweeted them into the public domain.

If Watson goes ahead with this, he has plenty of work to do. I do not believe that any of the above removes the obligations to comply with GDPR’s transparency requirements – everyone whose data he receives needs to be informed about the fact that their data will form part of the complaints process and Watson’s review. The data must be secure, not used for anything other than the complaints process, and of course, anyone whose data is being processed has rights over their data. Given the less than congenial state of intra-Labour relations, it’s not hard to imagine that the Deputy Leader might be left to his own devices should a nasty subject access request come knocking.

Of course, all of this is bollocks. The Labour General Secretary doesn’t really care about Data Protection (neither did her predecessor). This is politics. Anyone who describes their processing arrangements as ‘elaborate’ is making it up as they go along. No political party has a good record on Data Protection, which is why it’s a shame that the Information Commissioner is so shy about taking them on. Even though I believe that Watson wants to root out anti-semitism in Labour’s ranks, I wouldn’t be surprised if part of his aim is to send a message to Formby about the process.

There is, however, a solution to the whole mess, should anyone wish to take it up. If Watson withdraws his request to see all the complaints, Formby could offer to supply him with pseudonymised versions of them. That way, Watson could carry out an appropriate supervisory role, ensuring that this most vital of tasks is carried out efficaciously, but at the same time, no directly identifiable personal data would be made available to him, and he could assure Formby that he would not attempt to identify the parties. The risk would be low, the data would be protected, and surely nobody could object to an elected Deputy Leader keeping a watchful eye on an issue that is so very important?

SPECIAL RULES FOR COMMENTING ON THIS POST

  1. Any comment containing the word ‘Israel’ goes in the bin.
  2. Any comment that is about who funds who goes in the bin.

Thank you, and good night.

The Whole Truth

A couple of days ago, the training company IT Governance reported that the Information Commissioner’s Office had banned Keith Hancock, director of a Manchester lead generation company, from being a company director for four years. The ICO had previously fined the company (Lad Media), and this was the follow-up. All good stuff, you might say, perhaps even a riposte to those awful people who say that the ICO never does anything. Except it isn’t true. The ICO didn’t ban anyone because they don’t have the power to do so. The action was taken by the Insolvency Service with the ICO’s assistance. Weirdly, the IT Governance’s scribe used quotes from the Insolvency Service’s press release without either reading or understanding what it said.

UPDATE: demonstrating the lack of class that is ITG’s hallmark, the story has now been updated without any reference to the fact that it had been wrong, or that they needed me to correct them. This is what it used to look like:

Screenshot 2019-02-15 at 20.04.11

I don’t expect IT Governance to get things right (their sales director once claimed that there had been GDPR fines of 6.2 billion against Facebook and Google), but you’d hope for higher standards from, say, the chairs of four Parliamentary Committees, right? Right? A week or so ago, a distinguished group of Parliamentarians (and Damian Collins) wrote to Jeremy Wright, Secretary of State for Culture, Media and Sport as part of a campaign to change the way the ICO is funded. The idea is that the ICO would get to recover the costs of its investigations from those found to be in breach of Data Protection law, and has been promoted by the Durham-based marketer Russell James. I think it’s a bad idea – it would require the ICO to record and cost the time they spend on every investigation, it could dissuade organisations from appealing ICO decisions (which is bad for everyone as ICO decisions need to be tested), and even where it was applied, it would see the ICO bogged down in arguments about how much they actually spent.

Leaving that aside, the letter itself is amateurish and inept. Several times, it refers to organisations being “found guilty“, something which only happens in criminal cases, thus ignoring the fact that much of the ICO’s work carried out under civil not criminal law. In similar vein, it refers to “data crimes“, a phrase presumably culled from Liz Denham’s misleading soundbite “data crimes are real crimes” (they’re not). This means that the scope of the letter isn’t clear – are they referring to civil breaches (which aren’t crimes), or are they referring to criminal offences, which in the ICO’s world are usually committed by individuals rather than organisations? I find it hard to believe that Dominic Grieve and Yvette Cooper would sign a letter than hadn’t been properly thought out, but as it turns out, they signed a letter that hadn’t even been proof-read. The penultimate paragraph includes a sentence that plainly has words missing “To strengthen the enforcement mechanism, and thus provide maximum credibility to the ICO should be able to recoup the costs of investigations…“, and most damning of all, it opens by describing the ICO as the ‘Independent Commissioner of Information’, which as Neil Bhatia pointed out would be make them the ICI, not the ICO.

UPDATE: a commenter below argues that I should not describe them as ‘civil’ breaches; rather, they should be described as breaches of administrative law. Technically, I think this is correct, although the point I was making is that they are definitely not crimes. I have made the entirely avoidable mistake of listening to the Information Commissioner, who describes them as ‘civil monetary penalties’, e.g. here. I will endeavour not to make the mistake of listening to the ICO again.

Here we have senior Parliamentarians putting their name to a letter that is badly written and incoherent, asking for changes to the funding of a regulator they can’t even accurately name. Russell James told me that the letter was drafted by Tom Tugendhat’s office, but it’s plain that nobody involved in its creation knows anything about Data Protection.

Bullshit is everywhere. In the same week as the ICI letter, Privacy International published a piece responding to Will.I.Am’s well-intentioned but counter-productive ideas about monetising personal data to benefit individuals. The piece included several completely false statements, including that fact that Cambridge Analytica had been fined by the ICO, and that Professor David Carroll had successfully sued the company to recover his data. I took this up with them and they attempted to correct the piece, but in doing so, they made it worse. The correction says “A previous version of the piece implied that Cambridge Analytica has been fined for their involvement in this scandal. The piece was updated on 7.02.2019 to make the text less ambiguous.” The problem with this is that the previous version didn’t imply anything: it said explicitly that Cambridge Analytica had been fined, and they haven’t. The correction goes on to say “The company has been fined for failing to respond to an access request by the Information Commissioner’s Office (ICO)”. It hasn’t. The ICO has prosecuted SCL Elections (not Cambridge Analytica) for failure to comply with an enforcement notice. Despite that famous raid, ICO hasn’t fined Cambridge Analytica or SCL, and the chances that they ever will be are roughly equivalent to me being invited to tea with the Commissioner.

You could be forgiven for asking ‘does it matter’? Does it matter that people get things wrong as long as their heart is the right place? Russell James told me repeatedly that it didn’t matter that the MPs’ letter was full of errors; what matters is that the letter was sent and the wheels are turning. It’s true that pedantry and point-scoring are an unhelpful feature of Data Protection discourse. However, there’s a difference between a conversation and a formal letter or article. More importantly, there’s a difference between pedantry and precision. If you’re talking about privacy impact assessments in the context of the GDPR and I correct you to say it’s a Data Protection Impact Assessment, I’m being a dick. We both know what you mean, and my correction adds nothing. If everyone thinks that the ICO fined Cambridge Analytica when they didn’t, it stops people asking questions about why Wilmslow has spent £2.5 million on an investigation that has resulted in a dodgy fine against Facebook and some mediocre PECR penalties on Arron Banks’ ramshackle empire. If MPs don’t understand the laws that they’re signing letters about, how do we know that they’ve scrutinised the campaign that they’re backing?

The problem is, the Commissioner’s Office are as bad as everyone else and sometimes they’re the source of the infection. Last week, the ICO tweeted that they’d fined Magnacrest Housing, when in fact, it was a court that issued the fine. When SCL Elections pleaded guilty to failing to respond to the ICO’s Enforcement Notice, the Commissioner proudly announced that they had taken action against Cambridge Analytica – although admittedly part of the same group, they’re two different companies, and nobody at the ICO wants to be precise about that because Headlines. The Commissioner herself has repeated the ‘data crimes are real crimes’ claim on many occasions, despite the fact that it’s both misleading and an unhelpful over-simplification. Denham endorsed a book she hadn’t read as “authoritative“, describing its author as someone who “flew the flag for data protection many years before it broke into the mainstream with the GDPR” when he was in fact a PR guy who jumped on the bandwagon.

Denham doesn’t even seem to be overly precise about what her job is – she was quoted by her corporate Twitter account yesterday as saying “What’s technically and legally possible is not necessarily morally sustainable in our society. That’s what the debate is about.” Denham is a regulator – it is her job to enforce the law. As several people have told me since I complained about the statement, Data Protection is principles-based and therefore not as fixed and binary as other areas of the law. I cannot deny this, but even taking it into account, the slippery and complex aspects of DP are still ultimately in the “legally possible” part of the Venn diagram. It’s none of the ICO’s business whether companies do things that are legally possible but morally questionable. If a company breaches DP or PECR, the ICO should take action. Either Cambridge Analytica broke DP law in the UK and the ICO can prove it, or they didn’t. It doesn’t matter that Alexander Nix is a smug gobshite because being a smug gobshite is not a breach of DP law.

We live in an era of fake news where the President of the United States routinely gaslights the world and AI can write prose like a human. The truth matters. Facts matter. Accuracy matters (it’s one of the GDPR principles after all). We all make mistakes. I do it all the time, and the best I can do is hold my hands up and do better next time. But when you’re a big organisation with a much bigger audience than some show-off trainer like me, when you’re an MP asking for a change in how a regulator is run, and especially when you’re charged with regulating something as important as the protection of personal data of 60 odd million people, it matters a lot more. You have to care about the facts because so many people are listening, and you have to take the time to get it right.

And now, in the time-honoured tradition of this blog, I will hit ‘Publish’ and spend the next hour spotting all the typos I’ve made and editing them out before anyone notices.