A load of Balls

On Tuesday, the self-styled “Private Prosecutor” Marcus J Ball announced to the world that he had Done An FOI.

I have sent an FOI request to St Thomas’s NHS Trust requesting confirmation/proof that Boris Johnson wasn’t lying about being admitted there or the severity of his condition. The PR timing is just too perfect. I fear that he may be dodging responsibility by becoming a victim.

When challenged on the wisdom of his request, he claimed that it was his ‘duty’ to ask:

“We have a duty to ask, even if we suspect they’ll blank us. It only took me 5 minutes to do that tiny bit of civilian side scrutiny. It’ll be on the record that he was doubted”.

My first instinct was that the Trust should refuse the request as vexatious. As is often noted, S14 of the FOI Act doesn’t define ‘vexatious’ so the meaning of the word has been scrutinised in multiple ICO decisions and Tribunal cases. The notorious Dransfield case resulted in useful guidance on what might constitute a vexatious request. One possibility is that the request lacks a serious purpose or value, and I think this could fairly be applied to Ball’s request. He is plainly aware that his request is unlikely to receive an answer (“even if we suspect they’ll blank us” and “We have a duty to ask the question regardless of whether or not we think they’ll allow it to be answered.”). He is also happy to impugn the integrity of the thousands of people who handle FOIs, saying in another tweet that “Also, in my experience some people working in FOI offices have a moral compass. Occasionally.”

Ball’s purpose is to put “on the record” his doubts about Johnson’s version of events. The FOI Act lacks a purpose clause that explains what it is for, but sending an FOI request is plainly not an appropriate way to make a point. Either you want the information or you don’t – making performative FOIs like this one undermines the system, especially at a time of national emergency. When politicians want examples of stupid FOIs to attack the whole system (they’ve done it before, and they’ll do it again), I guarantee that Ball’s effort will be chosen.

But on reflection, there is a cleaner answer. Section 40 of FOI applies to any disclosure of personal data which would breach the GDPR. The data that Ball has requested is confirmation / proof of Johnson being admitted to hospital and information confirming the severity of his condition. This data is “data concerning health”, meaning that it is special categories data (SCD). Article 9 of the GDPR prohibits any processing of SCD unless an exemption applies.

In order for Johnson’s SCD to be disclosed, the disclosure of data would have to satisfy the first data protection principle, meaning that the disclosure has to be lawful, fair and transparent. The third element is easy enough – the Trust could simply tell Johnson his data was being disclosed. The middle element is a bit subjective; if you think that Johnson deserves to have his health records disclosed because he’s a lying racist, then you’ll probably think it’s fair. However, if you think that even lying racists deserve to have their health records protected, you’ll probably think that it isn’t. The clincher is the first part – lawful. The disclosure of Johnson’s data must be lawful, so an SCD exemption would have to apply. There are a number of such exemptions, but only two apply in this situation – the data subject (Johnson) gives their explicit consent, or the data has manifestly been put into the public domain by the data subject. You don’t have to take my word for this – the Information Commissioner’s Office’s personal data FOI flowchart says the same.

Ball argues that there is a public interest in the disclosure – it doesn’t matter whether you agree with him because public interest is irrelevant to these exemptions. For ordinary data, legitimate interests can make a disclosure lawful, and over the years, the ICO has developed an approach under which a disclosure of personal data can be a legitimate interest when it is in the public interest. But legitimate interests isn’t an SCD exemption. Of course, you might argue that because Johnson has commented on his illness, that means he has manifestly put his data into the public domain and Ball’s request should be answered. I disagree. All it means is that the Trust can say again what Johnson has already said – and we already know that Ball and his acolytes don’t believe what Johnson has said. The Trust can’t lawfully add any additional details to what is already in the public domain.

Of course, Johnson could give consent. The argument has been made many times: what does he have to hide? By saying this, the doubters themselves have taken consent off the table. If you’re saying that unless a person consents to the disclosure of their medical records, you’ll accuse them of lying (or at best, doubt that they’re telling the truth), you’re applying pressure to the data subject. This undermines the possibility of the consent being freely given, and consent that isn’t freely given isn’t consent. Even if Johnson was pressured into giving consent, the Trust should decide that his consent was invalid, and set it aside.

But what if the Trust have data that demonstrates that he wasn’t as sick as he claimed? Ironically, the exemption would still apply. If they have any data concerning Johnson’s health, even if it showed he wasn’t as ill as he claimed to be, the exemption would still apply because data that shows you’re anything from in the peak of physical fitness to being at death’s door is still ‘data concerning health’. The exemption applies. You might argue that the hospital would be under a moral duty to reveal the truth, but that would be to undermine one of the foundations of medical practice: doctor / patient confidentiality. Even if Johnson was exaggerating his condition for political purposes, to decide not to use the exemption and disclose his medical data would violate doctor / patient confidentiality. It would set a dangerous precedent. If you ask me which I would prefer – letting Johnson get away with spin or watering down the assumption that what your doctors know about you should remain secret, I have no hesitation in siding with patient confidentiality. There’s an old line about how you judge a society by the state of its prisons – I think you judge a person’s true commitment to human rights by how keen they are for scumbags to have them. If you don’t think Johnson has a right to confidentiality over his health, you don’t really believe in confidentiality or privacy.

Suggesting that Johnson wasn’t admitted at all (as Ball does in his FOI) is to say that Johnson wasn’t sick. I’m not sure Ball and his supporters thought through the implications of this originally and following criticism, he was forced to acknowledge the problem:

“Just to be 100% clear, I am not calling any NHS personnel dishonest. It seems that fans of Johnson want to twist my words in order to defend him. Instead, I am calling Johnson a liar. He is a known liar. And I want to know if he lied to public or the NHS about his condition.”

You don’t have to be a fan of Johnson to follow Ball’s words to their logical conclusion (I think Johnson is a lying racist). If you’re suggesting he lied to the NHS, you’re saying that they’re too incompetent to diagnose coronavirus. If you ask for confirmation of his being admitted to hospital, you’re raising the possibility that he wasn’t. If he wasn’t admitted to hospital, you’re accusing those at the hospital who dealt with him of either lying or deliberately covering this up. Ball isn’t shy about smearing people (his complaint about the judges was full of guilt by association, and he happily maligned the majority of FOI officers), so the reputations of everyone involved in Johnson’s care are apparently just collateral damage in his crusade. Much has been made of the claim that medical practitioners at the hospital were asked to sign the Official Secrets Act (I don’t actually know if this happened). If it *did* happen, is Ball seriously suggesting that the OSA is now being used to cover up a conspiracy involving the Government and numerous health professionals and NHS staff, but despite this, they’ll be obliged to admit all in reply to his FOI?

I believe Ball doesn’t just know he’s going to get refused, he probably wants to be. Whether they pick vexatious, or Data Protection, or confidentiality, he can use it for publicity (one of his companies is a PR company, so it’s clearly something he’s interested in). Then he can hype his request for an internal review. Then there’s the appeal to the ICO. And then the Lower Tribunal. And then the Upper Tribunal. And then, if the inevitable crowd-funding allows, the Court of Appeal. Marcus can put on a smart suit for the Metro photographer and go to the Court of Appeal. Whatever the outcome, it can be spun as an achievement. For someone who wants to raise their profile, FOI is a long and protracted process with plentiful opportunities for publicity-inducing setbacks. It’s just another crusade to be spun as fighting for truth and please donate here.

I think Marcus J Ball is a chancer; he’s obviously entitled to make this request, but I’m entitled to say that it’s an attention-seeking waste of time and NHS staff could better spend their time on other things. Any other things. Ball poses as a campaigner for truth but he promotes himself using misdirection and bullshit. He says he “prosecuted Boris Johnson for lying about £5 billion of public spending” and the website for his company ‘Stop Lying in Politics’ lists a number of “achievements” including the above mentioned prosecution, a High Court Judge being “held to account” and £700,000 raised by crowdfunding. The truth is that his prosecution of Johnson failed, the “holding to account” bit was Ball petulantly complaining to a regulator after he lost, and at least some of the £700,000 went on cupcakes, self-defence lessons, and Ball’s salary. ‘Stop Lying in Politics’ is described as not for profit and a ‘social enterprise’, but according to Companies House, it’s a company with one shareholder (Ball). His use of FOI in this case is primarily to promote Marcus J Ball, and can only contaminate the legislation in the eyes of people who are always looking for excuses to water it down.

Whatever the Trust do with his request, they can’t win. Ignoring it will be proof of the conspiracy. Refusing it will be proof of the conspiracy. Answering it would be a breach of confidentiality and data protection. The best they can do is answer it as quickly as possible, give Ball the refusal he’s probably desperate for, and hope that his noise gets lost in all the other nonsense our beleaguered society is drowning in.

Labour Pains

As the pandemic takes hold, an unwelcome distraction comes with news that an internal Labour Party report into how it dealt with antisemitism has been leaked, showing up in the hands of some of the dumbest people in left-wing politics. The document was unredacted, and contains the personal data of multiple complainants to the party. Some of them have already reported that as a result, their data is being circulated in the most unpleasant corners of the internet and Comrade Leaker might have put them at direct risk. The new leadership team of Sir Keir Starmer and Angela Rayner have announced an investigation into how the report came to be commissioned, how it came to be leaked and other related matters. It is embarrassing that the Socialist Campaign Group of Labour MPs have signed a statement demanding that the report is published “in full”, meaning that the former Shadow Justice Secretary and former Shadow Home Secretary among many other Labour MPs want the confidentiality of complainants to be breached solely to facilitate internal faction fighting. As a humble Labour Party member, I call upon the Campaign Group to withdraw their knuckle-headed demand, acknowledge that what they’re asking for would be a breach of GDPR and confidentiality, and apologise to the innocent people they wanted to throw under the bus.

The MP and Campaign Group member Lloyd Russell-Moyle tweeted on Sunday that those interested in the Data Protection aspects of the leak were missing the point, preferring to concentrate on the political implications. In any case, he pointed to the public interest defence available in the GDPR for the circulation of such data. He has since deleted that tweet, and has now admitted sharing a link to the unredacted report with a private Facebook group of party members. Mr Russell-Moyle’s (albeit temporary) confidence in the public interest nature of disclosure caught my eye, especially as his depiction of how the law works in this context was a bit of a dog’s breakfast.

All things being equal, GDPR would have something to say about the unauthorised dissemination of personal data, but despite Mr Russell-Moyle’s claim, it does not contain an explicit public interest defence, and in any case is not the most relevant law. The Data Protection Act 2018 contains a series of offences covering the misuse of personal data, retaining what was criminal under the DPA 1998 but adding some new ones. The offences aren’t strictly required to comply with the GDPR and go further than what it requires. However, they allow the Information Commissioner’s Office to pursue individuals who deliberately or recklessly misuse data more neatly than GDPR does. I spend a lot of time kicking the ICO, so it is only right that I say that this prosecution work is one of those things that they generally do well and for the right reasons.

Section 170 of the DPA 2018 makes it an offence knowingly or recklessly to obtain or disclose personal data without the consent of the data controller, to procure such a disclosure to another person, or to retain data without the controller’s consent. Selling or offering to sell unlawfully obtained data is also an offence. Incidents that lead to ICO prosecutions are often connected with employment – the person gets legitimate access to data as part of their job, and then they look at records they have no reason to, or they share data with others, or they sell it. My favourite recent prosecution is the spectacular case where a senior council manager declared an interest in a recruitment exercise in which his wife was a candidate. Despite this, he then gave her data about the other candidates. After she got the job, the incident was discovered; she lost the job, her husband was sacked and he was subsequently prosecuted. It took a global pandemic to make me essentially unemployed, so I admire someone with the determination to do it to themselves with such panache. The crucial issue isn’t necessarily how you got access, it’s whether what you did with the data was authorised by the controller. People often make the mistake of thinking that the person who has to authorise the use is the data subject, but the law is clear. If I as the controller deliberately give you the data – even if I do so insecurely or without proper transparency – it’s not an offence (it might be a GDPR infringement). If you take a copy and share or sell it without the controller’s permission, the offences may be in play.

There can be tension over who gets the blame – years ago, one of my former employers discovered that an ex-member of staff had sent data about multiple staff members to their personal email account. While it was obviously disclosed without my employer’s authorisation, the ICO case officer who investigated asked us a lot of smart questions about security and access arrangements in the team where the culprit worked. It was plain to me that they were trying to work out whether it would be better to pursue the individual for copying the data, or my employer for not better preventing them from doing so. Fortunately for us, a splendid team manager was able to satisfy the ICO that we’d done everything one could reasonably expect. For Labour, this could be a problem. It’s impossible to know where the report was obtained from or how it came to be leaked, but if Wilmslow investigates this (and in my opinion, they have to), it will be just as legitimate for them to probe Labour’s internal data management as the actions of the leaker. It must, however, be both.

Although he thought it was in the GDPR, Russell-Moyle was right that the public interest can be a defence for otherwise unlawful misuses of data. The person accused of an offence can put forward a defence of prevention or detection of crime, a legal obligation or statutory requirement to use the data or they can seek to prove in the particular circumstances that obtaining, disclosing, procuring or retaining was justified as being in the public interest. They can also try to prove that they reasonably believed that they had a right to use the data, that had they asked, the controller would have agreed, or finally, in using the data for the special purposes (which include journalism), “in the particular circumstances the obtaining, disclosing, procuring or retaining was justified as being in the public interest.”

It’s worth thinking carefully about that group of defences. Under the old 1998 Act, they were drafted differently, allowing a person to argue that they had a ‘reasonable belief’ that their actions were justified in the public interest. The ‘reasonable belief’ element is gone – the defence only works if the person can prove objectively that the disclosure was in the public interest, rather than that they thought it was. There’s an excellent and detailed explanation of this change in Shepherd vs ICO, a data misuse case that the ICO lost a year or so ago. More importantly, all of this applies to the personal data itself, not to a document in which it might be found. Russell-Moyle’s deleted claim was that “there’s a public interest defence which will be strong in this case”, but is that true? There might be a public interest in disclosing the document or whatever revelations can be gleaned from it, either for journalistic purposes or the wider public interest. But is there really a public interest in the disclosure of the complainants’ personal data? I doubt it and it seems that Russell-Moyle now agrees, having acknowledged that “I wanted to make it clear that the report that has been leaked contains important information but it also contains the personal details of minors and those who deserve confidentiality after they made complaints”. If a person seeks to defend themselves from an allegation of a criminal disclosure of personal data, the public interest in revealing internal party machinations is irrelevant. What matters is whether disclosure or retention of the specific personal data is in the public interest.

Anyone who copied and disclosed an unredacted copy of the report without clear permission from the Labour Party may have committed an offence under S170. Anyone who similarly possesses a copy of it may also have committed an offence. This latter issue might be of particular interest to the ICO as the retention offence is new, and I’m sure there will be some in Wilmslow who want to show that it has teeth. This is especially the case after the ICO investigated the retention of notebooks by ex-Met Police officers and found that they couldn’t take action because retention wasn’t an offence under the 1998 Act.

The public interest has been badly served here. By redacting the data of complainants, whoever obtained and leaked this data could have built the foundations of a solid public interest defence, and more importantly, shown some care for people who do not deserve to be victims of Labour’s interminable civil war. The leakers could have protected those caught up in this mess, and whatever internecine battles Labour’s factions want to fight could have played out without collateral damage. But whoever these idiots are, they didn’t care about the damage their actions might cause. Blameless individuals have been put at further risk having already suffered abuses and indignities at the party’s hands. The Campaign Group’s moronic statement and Russell-Moyle’s humiliating climbdown from confident defence to mealy-mouthed apology are hallmarks of the thoughtlessness that underpins this sorry episode, but the real blame should be directed towards the snakes who circulated the unredacted report. It is a betrayal of everything that Labour ought to stand for, and a line must be drawn. Between Labour’s internal investigation and what should be the ICO’s inevitable involvement, the people responsible for this leak should face nothing less than the same public exposure as their victims, with a punishment to match.

My Corona

I’m not the first person to point out that the current flood of Covid-19 emails is reminiscent of the Great GDPR Consent Panic of 2018. Organisations you have no memory of ever interacting with are suddenly there as well as many household names, reassuring you of their ability to keep going despite the crisis. Some of them make sense – I got one from the Post Office yesterday telling me that they’re still open, which might be useful information to some. But a lot of them use an almost identical template to say very little – everyone’s home working, they really hope I’m OK, and they look forward to seeing me again after the Apocalypse. I would like to know what difference the companies think they’re going to make, but I’m not going to name and shame the worst ones or even unsubscribe from most of them – these are panicky and uncertain times, and a bit of corporate spam isn’t the worst thing that’s happening.

One email, however, stood out. I haven’t seen anything like it, and I hope no other company is as crass as Osano, the Texas-based ‘data privacy’ outfit headed by one Arlo Gilbert, who took the trouble to email me this morning to say how amazing they are, and how untouched by the global crisis they have been.

The story of how Osano came by my email address is instructive. Last year, Gilbert was putting himself about on Twitter, trumpeting his company which had been in the Data Privacy business since the grand old year of 2018. The Osano website is the Platonic ideal of the 2018 Era Privacy Company – very well designed, cool and slick, and bristling with enthusiasm for a subject that the company’s owners had literally only just found. Some DP and Privacy practitioners are as much activist as they are practitioner (which is why they hate me), but few would have the gall to present their company as a female superhero, saving the world one file at a time. Needless to say, when you look at Osano’s team, they’re all men.

The messages on the site also provide all of the classic GDPR bullshit flavours: teeth-grindingly pious: “When Osano helps companies to comply with the law, the interest of humanity is served, and the internet becomes a better place”, evidence-free scare-mongering “In recent months, numerous groups have undertaken “DDOS Compliance Attacks” whereby they band together and submit thousands of fraudulent DSAR/SRRs in an attempt to harm businesses”, and as is traditional, BIG CLAIMS ABOUT THE BUSINESS. Osano claims to have built “the world’s first data set that objectively measures the data privacy practices for every company on the planet”, and have carried out risk assessments on the compliance capabilities of 10,000 vendors. Disappointingly, despite the alleged ongoing nature of these risk assessments, that number is the same as it was last October.

Wary of some of Osano’s claims last year, I decided to do a bit of digging. I used the contact form on their website to ask whether they had carried out a risk assessment of my company. Although it seemed unlikely, given that Osano has this dataset that can measure any company on the planet, and there were / are 10,000 vendors on their list, it was surely possible? The contact form had an opt-in box to receive information from Osano, and I made sure not to tick it.

You’ll never guess what happened then. I received no acknowledgement or reply from Osano about my enquiry. Nothing. However, I started to receive marketing emails from Osano, always in the name of Arlo, telling me of how their team were “aggressively building new capabilities” and offering “Searchable blockchain-based audit log of consents to comply with information requests and government inquiries”, as if my bullshit bingo card could not be more complete. I can’t pretend that my request would have constituted a subject access request, focussed as it was on my company, but a sensible organisation might at least have sought to check. Moreover, having explicitly gone for a consent option for their marketing, every email that Osano has sent me since is in breach of the very GDPR that they claim to uphold.

Which brings me to Arlo’s recent missive. He begins by recounting how some people were wiped out by the 1990s Dotcom bubble. Then, it was the 2009 crash that wounded many. Now the Covid-19 pandemic means that “businesses around the world are closing their doors”. But what does that mean for data privacy now, friends, what does that mean?

NOTHING!

As recently as a few days ago, attorneys were filing class-action lawsuits against companies for violations of California Consumer Privacy Act (CCPA). Today the California Attorney General announced that they would not be delaying prosecution for breaches of CCPA. Data privacy remains a mission-critical component of any modern business, even during a global pandemic.

I’m writing this blog just before doing a webinar on the outbreak, and I can confirm that I am not going to be telling the beautiful people who attend that they can throw DP into the garbage and do what they like (UPDATE: I broke a piece of equipment just before starting and spent the rest of the session spiralling in panic, which bodes Very Well for my online future). Privacy and data protection are central to a just and fair society, and if we throw them out of the window in a crisis, we might not get them back. However, waving the shroud of litigation while people are dying is as low a pitch for your glossy software as it’s possible to get. It’s ugly and everyone in the privacy and data protection sectors should turn their backs on this kind of marketing.

Arlo continues.

“I debated the need to draft a COVID-19 response for our customers in the face of my own inbox overflowing with explanations of how companies are managing during this difficult time.”

Translation: Arlo wondered if this was a bandwagon I needed to jump on.

“However, thousands of companies rely on Osano, and it has become clear that we need to address any concerns that may exist.”

Translation: Arlo decided that the answer was yes.

So what message does this titan of the tech business want to send to his customers? What reassurance, what inspiring words for the future does Arlo have for us all? After gloating that Osano is better at home-working than everyone else, Gilbert has decided that what the pandemic needs to know is how much money his company has.

“Osano is well funded with many years of runway and positive gross margins. While other companies may be giving away Ducati motorcycles at conventions and buying Superbowl ads, Osano has always made capital-efficient growth s [sic] core of how we operate.

All of this is a long-winded way of saying that Osano is in great shape. This virus and the downturn in the economy have not changed our daily work habits in any way. Rest assured that there are few companies better equipped to respond to this new work-from-home lifestyle than Osano.”

Nothing about the customers and how they’re doing. Nothing about the effect of this crisis on the person reading the email, beyond a desultory “Stay safe out there” at the very end. The only message Arlo Gilbert wants to give the disease-stricken world is how brilliantly he and his company are handling it. There’s a small part of me that wonders to what extent this is protesting too much, that Arlo wants to tell people how great everything is because he himself needs to hear it. But probably not. The one group of people who are destined to come out of this well are the people at the top. The rest of us will just have to pick up the pieces.

If you want to talk to your customers at the moment, think very carefully about what you want to say. Don’t send unsolicited spam in breach of laws you claim to cherish. I have an email for my mailing list which I wrote days ago but find extremely difficult to send because getting the tone right seems so difficult in the current climate. I’m not ashamed to say that my business has been wiped out. I have no work, and apart from online courses, no prospect of work for months. I’ve made a couple of prudent financial decisions that mean I don’t have to worry for now, but reading Gilbert’s tech-bro muscle flexing must be sickening for people who have lost their jobs, their colleagues or their loved ones. A lot of people on LinkedIn are desperate to emphasise the positives, raising the possibility of founding a new Uber or writing the 21st Century King Lear, but in reality, surviving without losing your mind seems a triumph to me. Deciding that what you need to do now is boast about your positive gross margins is the act of an Osanohole.

Just the candidates we need

A few months ago, the ICO received a Freedom of Information request on What Do They Know from a ‘Dwayne Dibbley’, asking interesting questions about the recruitment of Ellis Parry to the post of ICO Data Ethics Adviser. As soon as the post was announced, I was interested in how it came about because in my opinion, the ICO has no business creating a wholly optional job like this at a time when it has admitted that the regular work of the office has already been affected by luxury items like the Cambridge Analytica ‘investigation’. The hallmark of Elizabeth Denham’s tenure has been vanity projects and headline-chasing at the expense of the day job, and this seemed to be the pinnacle of her approach. I was, therefore, interested to see what Mr Dibbley’s request revealed.

I knew there was a problem. I didn’t recognise the name, but it didn’t ring true. I could tell it was made up, and so could the ICO (Dwayne Dibbley transpires to be a character in Red Dwarf). Shortly after, they asked for proof of Mr Dibbley’s ID and the request went dead. Technically, the request was not valid, but still, I found their approach annoying. In the same rough period, the ICO accepted FOIs from WDTK applicants as diverse as ‘dan74’, ‘John Smith’, ‘Tilly P’, ‘navartne’ and ‘Gogos’. It might just be the ICO dodging a request because they could, but equally, it might be that they had something to hide.

I decided to make Dibbley’s request myself, explicitly referring to the previous refusal, but adding a question about why they blocked the request, and who decided to do it. Conveniently, they claimed to hold no information about that. However, I received a detailed bundle of correspondence, tracking the post from the development of the job description all the way until the successful recruitment of Mr Parry, and the writing of a blog which was published in the name of the Executive Director for Technology Policy and Innovation Simon McDougall, but which was actually written by the ‘Group Manager, Speechwriting and External Comms’.

There were a few interesting nuggets in the pile of internal correspondence – McDougall is one of those people who works in the ICO’s stupendously expensive London offices (in another FOI, I discovered that when he visits the ICO HQ, he bills the ICO for his meals at the Coach and Four Public House, very possibly the dullest pub in Wilmslow), while Parry was one of only two people to apply for the job. One aspect of the discussions that I enjoyed was the fact that the Data Ethics Adviser’s remit was to include whether the ICO needs a Data Ethics Adviser.

Mostly, it was the kind of dry procedural back-and-forth that you would expect to see a public body go through when creating a new post. Indeed, it was all so boring that the first time I read it, I missed the amazing revelation it contained. On June 14th 2019, at the very beginning of the drafting of the job description, there was an email discussion between McDougall, Ali Shah (the Head of Technology Policy) plus the Head of Innovation, a Group Manager from the Innovation team and McDougall’s Private Secretary. The ICO released all of the emails to me unredacted, naming all of these people, but I’ve decided to leave most of the names out.

As part of the discussion, Shah expressed concern about the scope of the JD.

“Will it have enough specificity to separate out Ellis? I don’t think it does, and reading the JD neutrally, I can think of a couple of people who would be equally or more qualified.”

Note that Shah refers to ‘Ellis’ – this is a person who all of these senior people are apparently on first name terms with. He explicitly did not want to be neutral about a job the ICO is about to recruit, and wanted to change the job description to exclude possibly better qualified applicants. Moreover, when the JD was circulated, the Group Manager added a comment which suggested a change to “and” from “and/or” on one of the criteria, observing:

“There will be a lot of people who have the dp background but not the ethics. Asking for both will narrow the field to just the candidates we need; thinking of Ali’s comment here.”

The meaning is clear – the job description was written deliberately to exclude other candidates so that Ellis Parry would be more likely to get the job. At £45,000, this job is better paid than most in the ICO – the effort to favour this one candidate (if that’s the right word for a job that hasn’t even been advertised) excluded many possibly qualified people from inside the ICO as well as a variety of people outside who have spent considerable careers pondering how data ethics work.

It would be bad for any public sector organisation to stitch up a job for a specific candidate before it had even been advertised – posts should be given on merit, rather than to those favoured by the senior staff. For a regulator that purports to be almost a moral guardian in many contexts to do it would be even harder to swallow. Perhaps only Denham’s calamitous stewardship of the ICO could lead to this shoddy behaviour happening over a job with ‘Ethics’ in the title. I cannot claim that you couldn’t make it up, because these are the people who let a Labour Council Leader run the team that investigates complaints about political parties. Denham is the Commissioner who awarded thousands of pounds to her mates without putting it out to tender, and endorsed a book that she hadn’t read. By now, this is what I expect. None of the senior people in the email chain raised any objection to Shah’s explicit wish to stack the deck in favour of Mr Parry. As far as I can see, they just got on with it.

I have no idea if Mr Parry’s previous career working for BP or Astra Zeneca gives him insights into Data Ethics that put him so far above the rest of the sector that his chauffeured journey to the job could be justified. I would like to be outraged, but actually, the fact that senior people at the ICO were sufficiently unethical to do this and stupid enough to write it down is exactly what I expect the people at this organisation’s overpaid and inflated top table to do. I didn’t think the ICO needed to recruit a Data Ethics Adviser, but this tawdry episode suggests that all of their work should be directed at its own activities. I fear that the ICO is in a bad place, given the grim mixture of incompetence and poor judgement that regularly tumbles out of it. I can only hope that recruitment for Denham’s successor – which cannot come too soon – is delivered more fairly than this was.

National Spam Service

During the hysteria in the run-up to May 2018, one of the ways in which it was easy to spot GDPR practitioners whose sole Data Protection experience was doing That Dreadful Course Run By Those Awful People was their lack of awareness of the Privacy and Electronic Communications Regulations 2003, known to its friends as PECR. As organisations fell over themselves to get ‘GDPR consent’, they demonstrated how much they didn’t know. The crucial elements of both as they related to marketing (and much else) weren’t changing, and the experts advising differently were just demonstrating their lack of understanding.

So it is with a garbled dog’s dinner of a story in the Mail on Sunday, combining anti-EU fear-mongering, moronic MPs, and proud ignorance of how the law works. According to Glen Owen’s feverish tale “Doctors will be banned from warning patients about the risks of coronavirus under EU rules that are set to become law in Britain despite Brexit”. None of this statement is true, and more importantly, the crucial elements on which the story is based are not new. The story claims that the Information Commissioner Elizabeth Denham “is working to put EU data protection laws into a statutory code that the Government would have no power to amend”. As a consequence, doctors would be prevented from sending messages about the corona virus, and “Council tax bills would also rise because local authorities would be forced to print leaflets to publicise services such as bin collections”. This garbage is supported by some frothing at the mouth from dim rentaquote MP Ben Bradley about “bully-boy diktats” and EU red tape.

Bradley is a proven liar whose previous misdeeds include publishing false claims about Indian call-centres, libelling Jeremy Corbyn and standing up for police brutality, so his knee-jerk nonsense should be ignored. There is an interesting quote from an unnamed Downing Street source which is presumably Dominic Cummings, describing Denham as an “unelected anti-Brexit pen-pusher”. Denham has plainly been angling for some kind of involvement in online harms, but given Dom’s disdain for QE2, I suspect she’s not going to be on anyone’s shortlist.

The origin of the story is the Information Commissioner’s draft Code of Practice on Direct Marketing, a document that the Commissioner is obliged by law to create in accordance with the Data Protection Act 2018, legislation passed by the previous Tory Government. Obviously, the current regime may take issue with their predecessors, but if Boris Johnson and his cadre of far-right headbangers don’t want Denham to do what the law requires her to do, they should amend the DPA. Obviously, the content of the code is up to the ICO and so I guess the alleged anti-Brexit conspiracy to smuggle EU red tape into UK law could happen there. The problem with this conspiracy theory is that the EU laws that the Tories and the Mail are so furious about are already on the UK statute book, and will continue to be so. Unless, of course, the Government use their majority to change things, as they have the power to do.

PECR is UK law, so the rules that require marketing emails to be sent to individual subscribers only with their consent are already there. EU GDPR is currently the law in the UK until the end of the transitional period, and after that, specific regulations will automatically convert the EU GDPR into the UK GDPR. The idea that Denham is sneaking anything into UK law in her Direct Marketing code is nonsense. Anyone who claims otherwise is either a liar or a moron. In Ben Bradley’s case, it’s plainly the latter (this is a person who argued for benefit claimants to have enforced vasectomies), but as far as Downing Street is concerned, it’s likely that Cummings is using Data Protection as part of his ongoing game of 3D chess with reality. The Government doesn’t care that the story isn’t true, they just want to keep Brexiters in a heightened state of annoyance and frustration.

The one thing that the ICO does have control over – and this has nothing to do with the EU – is the definition of direct marketing. Unless the government passes legislation that specifically defines what constitutes marketing (something neither Labour nor the Tories have ever done), and until a court gives some definitive judgment on a definition, the meaning of ‘direct marketing’ and therefore the type of message you need consent for, has to be determined by someone. The current someone is the Information Commissioner. The ICO definition includes “the promotion of aims and ideals as well as advertising goods or services”. On this, the ICO has been consistent for more than a decade. Richard Thomas took action against all major political parties in the mid-2000s and won a Tribunal case against the Scottish National Party on the basis of this definition, so the idea that somehow Denham’s interpretation is some kind of plot to undermine Brexit is just evidence of Cummings’ addiction to fake news and lack of attention to detail.

If you drill right down, the seed of the Mail story is on pages 22 and 23 of the draft code, where an example contrasts two different kinds of message from a GP practice. A neutrally-worded message about screening is not marketing, but a text advertising a flu jab clinic would be. To be honest, if I received texts from my GP practice telling me I was due for a cardio-vascular risk check, I would think of it as marketing and expect only to receive such texts with consent, but that’s an argument for a different blog. What the draft Direct Marketing Code is saying is what the ICO has been saying consistently for many years, but unlike the old Direct Marketing guidance, this time they have included public sector examples, of which the GP case is one.

I don’t know how we get from this example in the code to the government propaganda in the Mail – perhaps Downing Street is constantly scanning for opportunities to wind people up over Brexit and the EU. Given that the ICO fined Vote Leave, it’s possible that Cummings nurses a personal grudge against Denham, and so this might simply be a symptom of his wounded ego. It’s equally possible that the NHS isn’t happy that the ICO is turning its attention – at least in principle – to the large amount of marketing that it does under the false guise of public health messages. This could be NHS folk briefing the Mail to defend their ability to spam people about purely optional services.

My point is that the story is wholly without foundation. This isn’t an anti-Brexit plot, and the message that the ICO is sending shouldn’t be controversial. I don’t know about you, but the only messages I receive from my council about bin collection are an annual leaflet explaining how they work – an email would be useless as I would easily delete it, whereas I can put the leaflet on the fridge. Unlike Ben Bradley, I can’t get outraged about the cost of printing a leaflet that I actually need (but which wouldn’t meet the ICO definition of marketing if it was sent electronically). If you want the NHS to have carte blanche to send whatever messages they think we need to hear, get ready for an onslaught of digitised nanny state lectures about drinking, diet and exercise, your phone pinging like a pinball machine.

There will be a lot more of this. The pro-Brexit media / government cabal have to keep the pot boiling and Data Protection is something that many journalists and politicians are too stubborn to get to grips with, so it will be a handy target. It would be nice if there was a competent Commissioner who could put the case for sensible Data Protection. Instead we have Disaster Denham, with her record of one-sided enforcement against pro-Brexit campaigns and her obsession with Facebook and Cambridge Analytica which even her own office has had to admit had nothing to do with Brexit. The Mail gleefully picked on her huge salary, and they could just as easily focus on her expensive tastes in international travel and extending the ICO top table. If the government really does have Data Protection in its sights as Bradley suggests, it’s hard to imagine a worse defender than a profligate absentee who has cocked up nearly every big enforcement case she has touched. I’m not famed for being an optimist, but we have a government stupid and ideological enough to ruin Data Protection, and a Commissioner without the moral authority to stop them. Indeed, I’ll make a prediction – the GP examples are correct, and the ICO will cut them from the final version of the code in hopes of appeasing No 10.

Nevertheless, when you read this kind of nonsense in the Mail, remember to take it with a pinch of salt that definitely exceeds NHS guidelines.