SARmaggedon Days Are Here Again (Again)

Reading my emails, a headline leapt out at me: “The hidden cost of GDPR data access requests“. It led me to BetaNews, a website that looks like it is trapped in 1998, and a story describing research into SARs commissioned by Guardum, a purveyor of subject access request handling software. A sample of 100 Data Protection Officers were consulted, and you’ll never guess what the research uncovered.

SARs, it turns out, are time consuming and expensive. I award 10 GDPR points to the Guardum CTO for knowing that SARs weren’t introduced in 2018, but I have to take them away immediately because he goes on to claim that “There has also been a marked change in the way that lawyers are using DSARs as part of the data discovery process.” Apparently, lawyers are using SARs now. Imagine that. The article goes to say that “Fulfilling DSARs can involve finding, compiling and redacting data in digital and paper format across multiple departments both on company networks and in the cloud.“. There’s also a bit of a spoiler about whether the Pope is a Catholic.

According to Guardum, the average cost of a SAR is £4,884.53, the average DPO receives 27 SARs a month, and each one takes an average of 66 working hours to deal with. The article didn’t explain how these figures were arrived at, so I eagerly clicked the link to visit Guardum’s website for the full results. What I found was a fountain of guff. Strip out the endless bar and pie charts, and what Guardum wants to say is that 45% of the DPOs surveyed would like to automate some of the process because of a predicted landslide of SARs, provoked by angry furloughed and sacked staff.

I’m not sure about the logic of this – I can understand that everyone who loses their job will be upset and probably angry, and I’ve certainly dealt with lots of SARs related to a suspension or dismissal. But in those cases, the action taken was personal and direct – an individual was singled out by the employer for the treatment in question. I don’t see why people losing jobs in a pandemic will be so determined to send a SAR. It’s not like the reason for their predicament is a mystery.

The survey questions are opportunistic at best, and at worst, seem designed to allow Guardum to paint this picture of anxious DPOs uncertain about how they’re going to handle the post Covid-19 SARmageddon that the company is evidently desperate for. 75% of respondents are described as having difficulties dealing with SARs during the lockdown, though this actually translates as good news. 72% are coping but expect a SAR backlog when they get back to the office, while just 3% fearing a ‘mountain’ of requests. The headline on one slide is that 30% anticipate a ‘massive’ increase in SARs, but the reality is 55% expect the same as before and 15% think they’ll get less. 73% supposedly think that furloughed or laid off staff will be a ‘big factor’ in the predicted increase, even though the breakdown shows that only 20% think it will be the single biggest factor. To emphasise, these are requests that haven’t happened yet. The people who say that they will are the ones flogging the software to deal with the problem.

So far, so what? Guardum have software to sell and a cynical pitch about Covid-19 to achieve that. Does it matter? In the grand scheme of things, no, it doesn’t. I’m probably not the only person currently experiencing a crash course in What’s Really Important. But in the micro scheme of things, bullshit deserves to be called out, especially when it’s designed to exploit a crisis that’s causing misery and death across the world. Many of the revelations in this survey are staggeringly banal – nearly 50% of people find tracking the data down across multiple departments to be a slog, while 63% have to search both paper and electronic records. Who with any experience in Data Protection would think it was worth pointing this out? Meanwhile, the assertions about how long a SAR takes or how much it costs are wholly unexplained. It’s meaningless to claim that the mean cost of a SAR is £4,884.53 if you don’t explain how that was calculated (inevitably, the CTO is touting this figure on LinkedIn).

Guardum aren’t necessarily the experts at Data Protection that they might have us believe. For one thing, despite being a UK company, both the survey results and their website exclusively refer to ‘PII’ rather than personal data. For another, part of the criteria for participating in the survey was that the DPO needed to work for a company with more than 250 employees. This was, for a time, the threshold for a mandatory DPO but despite being changed, some dodgy training companies and consultants didn’t notice and ran courses which highlighted the 250 figure even when it was gone. Most importantly, nearly half of the people who responded to the survey don’t know what they’re doing. The survey was purportedly targeted at DPOs, but 44% of respondents are identified as being in ‘C-level’ jobs – perhaps this is to give a veneer of seniority, but C-level jobs are precisely the senior roles that are likely attract a conflict of interests. Guardum talked to people in the wrong jobs, and apparently didn’t realise this.

The ‘About’ page of Guardum’s website proclaims “Guardum supports privacy by design – where data privacy is engineered into your business processes during design rather than as an afterthought“, but the execution is less confident. There is a questionnaire that shows how much an organisation can save by using the Guardum product, but when you complete it, you have to fill in your name, company and email to get the results, and there’s no privacy policy or transparency information about how this information will be used. Moreover, if you try to use the contact form, clicking on the link to the terms and conditions results in ‘page not found’.

I have to declare my bias here – I don’t believe that any ‘solution’ can fully deal with the SAR response process, and I think people who tout AI gizmos that automatically redact “PII” are probably selling snake oil. Some of the SAR grind comes in finding the data, but a lot of it is about judgement – what should you redact? How much should you redact? Anyone who claims that they can replace humans when dealing with an HR, mental health or social care is writing cheques that no product I have ever seen can cash. So when I land on a website like Guardum’s, my back is up and my scepticism is turned all the way up. It would be nice if once, I saw a product that wasn’t sold with bullshit. But not only is Guardum’s pitch heavy with management buzzwords, they’re using fear as a marketing tool. Just last week, they ran a webinar about weathering the ‘Post Pandemic DSAR Storm‘.

Guardum claim that they provide “the only solution that can fully meet the DSAR challenge of responding in the tight 30-day deadline, giving you back control, time and money that are lost using other solutions“. Nowhere do they mention that you can extend the deadline by up to two months is a request is complex (and many are). But even if their claims are true, why do they need to sell their product via catastrophising? If their expertise goes back to the 1984 Act, why are they calling it PII and talking up the opinions of DPOs who are in the wrong job? Why oversell the results of their survey? Why hide the basis of the hours and cost calculations on which is all of this is being flogged?  And what on earth is a ‘Certified Blockchain Expert‘?

The future post-Covid is an uncertain place. I find the utopianism of some commentators hard to swallow, partly because people are still dying and partly because the much-predicted end of the office will have career-changing consequences for people like me. But at least the LinkedIn prophets are trying to explore positives for themselves and others in an undeniably grim situation. The people running Guardum seem only to want scare people into getting a demo of their software. If one is looking for positives, the fact that the ICO has waved the white flag means that no organisation needs to be unduly concerned about DP fines at the moment, and despite some of the concerns expressed in Guardum’s survey, nobody in the UK has ever been fined for not answering a SAR on time. The old advice about deleting data you don’t need and telling your managers not to slag people off in emails and texts will save you as much SAR misery as any software package, and I can give you that for free.

Blast from the past

As we all endure the lockdown and the uncertainty about when and how it might end, I have been trying to avoid thinking about the past. It’s tempting to dwell on the last time I went to the cinema (Home, Manchester ironically to watch ‘The Lighthouse’), the last time I went to a pub (Tweedies in Grasmere, just hours before Johnson closed them all), the last face-to-face training course I ran (lovely people, awful drive home). But thinking back to what I had, and the uncertainty about how, when and if I will get it back, doesn’t make the interminable Groundhog Days move any faster. I’d be better off just ploughing on and working out what to do next.

So it was a strange experience to be thrown backwards in time to the heady days of 2017, when the GDPR frenzy was at its height, and the world and his dog were setting up GDPR consultancies. People still make fun of the outdated nature of my company name, but I registered 2040 Training in 2008, and I’m proud of its pre-GDPR nomenclature. The list of GDPR-themed companies that are now dissolved is a melancholy roll call – goodbye GDPR Ltd, GDPR Assist (not that one), GDPR Assistance, GDPR Certification Group (got to admire their optimism), GDPR Claims, GDPR Compliance, GDPR Compliance Consulting, GDPR Compliance Consultancy, GDPR Compliance for SMEs and GDPR Consultants International (offices in New York, Paris and Peckham). You are all with the Angels now.

I was cast into this reverie by a friend who drew my attention to GDPR Legal, a relatively new GDPR company, and a few moments on their website was like climbing into a DeLorean. It was all there. The professional design, the ability to provide all possible services related to Data Protection (you can get a DPO for as little as £100 a month), and of course “qualified DPO’s (sic)”. I was disappointed that there was no mention of them being certified and nary a hint of the IBITGQ, but you can’t have everything. They still pulled out some crowdpleasers, including flatulent business speak and the obvious fact that they are trying to sell software, sometimes in the same couple of sentences: “Our service includes a comprehensive consult to help identify gaps and opportunities, a comprehensive report that includes a project plan with timelines and milestones, a cost analysis, and a schedule. We also offer a software suite that will help you get there quickly and smoothly.” Timelines and milestones, people. This is what we want.

The lack of any detail is possibly a matter for concern. The website claims that the company’s specialists have “over 50 years of experience delivering a pragmatic consulting service with qualified DPO’s and GDPR Practitioner skills” but it is difficult to find out who any of them are. There is no ‘meet the team’ or ‘our people’ section. I might be wrong, but I don’t think there’s a single human being’s name anywhere on there. If you had all these brilliant experienced professionals, wouldn’t you want to advertise who they are – I might make fun of them, but even the folk who have blocked me on LinkedIn aren’t ashamed of saying who their consultants are. Is it 50 people with a year’s experience each? Indeed, the only name I can associate with the company (via Companies House) is the Director, a man who has no experience in Data Protection, but is also director of a shedload of software and marketing companies. Any time the site needs to get into any detail, it hyperlinks to the ICO.

So far, so what? You probably think this blog is cruel. If someone wants to set up a company selling GDPR services, why do I care? Isn’t this just sour grapes at another disruptive entrant in the vibrant GDPR market?

There are two reasons why I call these people out. The first is their privacy policy. It’s not a good sign when a privacy policy page on a GDPR company’s website begins with ‘Privacy Policy coming soon’, but as it happens, immediately below is the company’s privacy policy. Well, I say it’s their’s. It’s oddly formatted, and when you click on the links that are supposed to take you to the policy’s constituent parts, you’re in fact redirected to the log-in page for GoDaddy, with whom the site was registered. All the way through, there are lots of brackets in places that they don’t belong. It didn’t take me long to work out what was going on – I think the brackets were the elements of the template policy that GDPR Legal has used which needed to be personalised, and they’ve forgotten to remove them. 50 collective years of experience, and nobody is competent enough to write the company’s own privacy policy, they just use someone else’s template. Indeed, if you search for the first part of the policy “Important information and who we are“, it leads you to dozens of websites using the same template, from Visit Manchester to NHS Improvement. I can’t find where it originated, but it’s an indictment of the quality of work here that they took it off the shelf and didn’t even format it properly. My Privacy Policy is smart-arsery of the first order, but at least I wrote it myself.

The other reason is worse. GDPR Legal has a blog with three posts on it. Two are bland and short, but the most recent, published just this week, is much longer and more detailed. It reads very differently from other parts of the site, and there was something about the tone and structure that was familiar to me. It didn’t take long to remember where I had seen something like this before. The blog is about GDPR and children, and this is the second paragraph:

Because kids are less aware of the risks involved in handing over their personal data, they need greater protection when you are collecting and processing their data.Here is a guide and checklist for what you need to know about GDPR and children’s data.”

This is the first sentence of the ICO’s webpage about GDPR and children:

Children need particular protection when you are collecting and processing their personal data because they may be less aware of the risks involved.

Coincidence, you think? This is the third line:

If a business processes children’s personal data then great care and thought should be given about the need to protect them from the outset, and any systems and processes should be designed with this in mind

This is the second line of the ICO’s page:

If you process children’s personal data then you should think about the need to protect them from the outset, and design your systems and processes with this in mind

Blog, fourth para:

Compliance with the data protection principles and in particular fairness should be central to all processing of children’s personal data. ”

ICO page, third line:

“Compliance with the data protection principles and in particular fairness should be central to all your processing of children’s personal data

They rejigged the first few elements a little, but after that, whoever was doing it evidently got bored and it’s pretty much word for word:

GDPR Legal Blog:

A business needs to have a lawful basis for processing a child’s personal data. Consent is one possible lawful basis for processing, but it is not the only option. Sometimes using an alternative basis is more appropriate and provides better protection for the child.

ICO page

You need to have a lawful basis for processing a child’s personal data. Consent is one possible lawful basis for processing, but it is not the only option. Sometimes using an alternative basis is more appropriate and provides better protection for the child.

GDPR Legal Blog

General Checklists

  • We comply with all the requirements of the GDPR, not just those specifically relating to children and included in this checklist. 
  • We design our processing with children in mind from the outset and use a data protection by design and by default approach. 
  • We make sure that our processing is fair and complies with the data protection principles. 
  • As a matter of good practice, we use DPIAs (data protection impact assessments) to help us assess and mitigate the risks to children. 
  • If our processing is likely to result in a high risk to the rights and freedom of children then we always do a DPIA. 
  • As a matter of good practice, we take children’s views into account when designing our processing.

ICO page: 



  • We comply with all the requirements of the GDPR, not just those specifically relating to children and included in this checklist.
  • We design our processing with children in mind from the outset, and use a data protection by design and by default approach.
  • We make sure that our processing is fair and complies with the data protection principles.
  • As a matter of good practice, we use DPIAs to help us assess and mitigate the risks to children.
  • If our processing is likely to result in a high risk to the rights and freedom of children then we always do a DPIA.
  • As a matter of good practice, we take children’s views into account when designing our processing.”

NB: I’ve screenshotted all of it.

Someone at GDPR Legal lifted the whole thing uncredited and passed it off as their own work. A company that claims to be able to provide “practical and bespoke advice”, guiding “major projects in some of the UK’s largest businesses” nicked content from the ICO’s website. This kind of cutting and pasting gives plagiarism a bad name. At least GDPR’s previous Grand Master Plagiarist did it in style with some top-drawer endorsements.

The GDPR frenzy is over. Some of the new entrants have gone from strength to strength, and some of them are now selling kitchens. The current crisis will test everyone, and I doubt that the DP landscape will look the same in a year’s time. Nevertheless, while I hope the data protection sector remains robust enough to accommodate both the slick, corporate operations, and a few maniac artisans like me, it surely doesn’t need chancers any more? I hope we can all agree that a company that can’t even design its own privacy policy, that won’t admit who its experts are, and who steals from the regulator deserves to be shamed? I hope this blog might persuade a few unwary punters to do some due diligence before handing over their cash and perhaps pick a company who writes their own material. Whatever the LinkedIn blockers think of me, and I of them, surely we’re all better than this?

A load of Balls

On Tuesday, the self-styled “Private Prosecutor” Marcus J Ball announced to the world that he had Done An FOI.

I have sent an FOI request to St Thomas’s NHS Trust requesting confirmation/proof that Boris Johnson wasn’t lying about being admitted there or the severity of his condition. The PR timing is just too perfect. I fear that he may be dodging responsibility by becoming a victim.

When challenged on the wisdom of his request, he claimed that it was his ‘duty’ to ask:

We have a duty to ask, even if we suspect they’ll blank us. It only took me 5 minutes to do that tiny bit of civilian side scrutiny. It’ll be on the record that he was doubted“.

My first instinct was that the Trust should refuse the request as vexatious. As is often noted, S14 of the FOI Act doesn’t define ‘vexatious’ so the meaning of the word has been scrutinised in multiple ICO decisions and Tribunal cases. The notorious Dransfield case resulted in useful guidance on what might constitute a vexatious request. One possibility is that the request lacks a serious purpose or value, and I think this could fairly be applied to Ball’s request. He is plainly aware that his request is unlikely to receive an answer (“even if we suspect they’ll blank us” and “We have a duty to ask the question regardless of whether or not we think they’ll allow it to be answered.” He is also happy to impugn the integrity of the thousands of people who handle FOIs, saying in another tweet that “Also, in my experience some people working in FOI offices have a moral compass. Occasionally.

Ball’s purpose is to put “on the record” his doubts about Johnson’s version of events. The FOI Act lacks a purpose clause that explains what it is for, but sending an FOI request is plainly not an appropriate way to make a point. Either you want the information or you don’t – making performative FOIs like this one undermine the system, especially at a time of national emergency. When politicians want examples of stupid FOIs to attack the whole system (they’ve done it before, and they’ll do it again), I guarantee that Ball’s effort will be chosen.

But on reflection, there is a cleaner answer. Section 40 of FOI applies to any disclosure of personal data which would breach the GDPR. The data that Ball has requested is confirmation / proof of Johnson being admitted to hospital and information confirming the severity of his condition. This data is “data concerning health“, meaning that it is special categories data (SCD). Article 9 of the GDPR prohibits any processing of SCD unless an exemption applies.

In order for Johnson’s SCD to be disclosed, the disclosure of data would have to satisfy the first data protection principle, meaning that the disclosure has to be lawful, fair and transparent. The third element is easy enough – the Trust could simply tell Johnson his data was being disclosed. The middle element is a bit subjective; if you think that Johnson deserves to have his health records disclosed because he’s a lying racist, then you’ll probably think it’s fair. However, if you think that even lying racists deserve to have their health records protected, you’ll probably think that it isn’t. The clincher is the first part – lawful. The disclosure of Johnson’s data must be lawful, so an SCD exemption would have to apply. There are a number of such exemptions, but only two apply in this situation – the data subject (Johnson) gives their explicit consent, or the data has manifestly been put into the public domain by the data subject. You don’t have to take my word for this – the Information Commissioner’s Office’s personal data FOI flowchart says the same.

Ball argues that there is a public interest in the disclosure – it doesn’t matter whether you agree with him because public interest is irrelevant to these exemptions. For ordinary data, legitimate interests can make a disclosure lawful, and over the years, the ICO has developed an approach of a legitimate interest being disclosures of personal data when it is in the public interest. But legitimate interests isn’t an SCD exemption.  Of course, you might argue that because Johnson has commented on his illness, that means he has manifestly put his data into the public domain and Ball’s request should be answered. I disagree. All it means is that the Trust can say again what Johnson has already said – and we already know that Ball and his acolytes don’t believe what Johnson has said. The Trust can’t lawfully add any additional details to what is already in the public domain.

Of course, Johnson could give consent. The argument has been made many times: what does he have to hide? By saying this, the doubters themselves have taken consent off the table. If you’re saying that unless a person consents to the disclosure of their medical records, you’ll accuse them of lying (or at best, doubt that they’re telling the truth), you’re applying pressure to the data subject. This undermines the possibility of the consent being freely given, and consent that isn’t freely given isn’t consent. Even if Johnson was pressured into giving consent, the Trust should decide that his consent was invalid, and set it aside.

But what if the Trust have data that demonstrates that he wasn’t as sick as he claimed? Ironically, the exemption would still apply. If they have any data concerning Johnson’s health, even if it showed he wasn’t as ill as he claimed to be, the exemption would still apply because data that shows you’re anything from in the peak of physical fitness to being at death’s door is still ‘data concerning health’. The exemption applies. You might argue that the hospital would be under a moral duty to reveal the truth, but that would be to undermine one of the foundations of medical practice: doctor / patient confidentiality. Even if Johnson was exaggerating his condition for political purposes, to decide not to use the exemption and disclose his medical data would violate doctor / patient confidentiality. It would set a dangerous precedent. If you ask me which I would prefer – letting Johnson get away with spin or watering down the assumption that what your doctors know about you should remain secret, I have no hesitation in siding with patient confidentiality. There’s an old line about how you judge a society by the state of its prisons – I think you judge a person’s true commitment to human rights by how keen they are for scumbags to have them. If you don’t think Johnson has a right to confidentiality over his health, you don’t really believe in confidentiality or privacy.

Suggesting that Johnson wasn’t admitted at all (as Ball does in his FOI) is to say that Johnson wasn’t sick. I’m not sure Ball and his supporters thought through the implications of this originally and following criticism, he was forced to acknowledge the problem:

Just to be 100% clear, I am not calling any NHS personnel dishonest. It seems that fans of Johnson want to twist my words in order to defend him. Instead, I am calling Johnson a liar. He is a known liar. And I want to know if he lied to public or the NHS about his condition.”

You don’t have to be a fan of Johnson to follow Ball’s words to their logical conclusion (I think Johnson is a lying racist). If you’re suggesting he lied to the NHS, you’re saying that they’re too incompetent to diagnose coronavirus. If you ask for confirmation of his being admitted to hospital, you’re raising the possibility that he wasn’t. If he wasn’t admitted to hospital, you’re accusing those at the hospital who dealt with him of either lying or deliberately covering this up. Ball isn’t shy about smearing people (his complaint about the judges was full of guilt by association, and he happily maligned the majority of FOI officers), so the reputations of everyone involved in Johnson’s care are apparently just collateral damage in his crusade. Much has been made of the claim that medical practitioners at the hospital were asked to sign the Official Secrets Act (I don’t actually know if this happened). If it *did* happen, is Ball seriously suggesting that the OSA is now being used to cover up a conspiracy involving the Government and numerous health professionals and NHS staff, but despite this, they’ll be obliged to admit all in reply to his FOI?

I believe Ball doesn’t just know he’s going to get refused, he probably wants to be. Whether they pick vexatious, or Data Protection, or confidentiality, he can use it for publicity (one of his companies is a PR company, so it’s clearly something he’s interested in). Then he can hype his request for an internal review. Then there’s the appeal to the ICO. And then the Lower Tribunal. And then the Upper Tribunal. And then, if the inevitable crowd-finding allows, the Court of Appeal. Marcus can put on a smart suit for the Metro photographer and go to the Court of Appeal. Whatever the outcome, it can be spun as an achievement. For someone who wants to raise their profile, FOI is a long and protracted process with plentiful opportunities for publicity-inducing setbacks. It’s just another crusade to be spun as fighting for truth and please donate here.

I think Marcus J Ball is a chancer; he’s obviously entitled to make this request, but I’m entitled to say that it’s an attention-seeking waste of time and NHS staff could better spend their time on other things. Any other things. Ball poses as a campaigner for truth but he promotes himself using misdirection and bullshit. He says he “prosecuted Boris Johnson for lying about £5 billion of public spending” and the website for his company ‘Stop Lying in Politics’ lists a number of “achievements” including the above mentioned prosecution, a High Court Judge being “held to account” and £700,000 raised by crowdfunding. The truth is that his prosecution of Johnson failed, the “holding to account” bit was Ball petulantly complaining to a regulator after he lost, and at least some of the £700,000 went on cupcakes, self-defence lessons, and Ball’s salary. ‘Stop Lying in Politics’ is described as not for profit and a ‘social enterprise’, but according to Companies House, it’s a company with one shareholder (Ball). His use of FOI in this case is primarily to promote Marcus J Ball, and can only contaminate the legislation in the eyes of people who are always looking for excuses to water it down.

Whatever the Trust do with his request, they can’t win. Ignoring it will be proof of the conspiracy. Refusing it will be proof of the conspiracy. Answering it would be a breach of confidentiality and data protection. The best they can do is answer it as quickly as possible, give Ball the refusal he’s probably desperate for, and hope that his noise gets lost in all the other nonsense our beleaguered society is drowning in.

Labour Pains

As the pandemic takes hold, an unwelcome distraction comes with news that an internal Labour Party report into how it dealt with antisemitism has been leaked, showing up in the hands of some of the dumbest people in left-wing politics. The document was unredacted, and contains the personal data of multiple complainants to the party. Some of them have already reported that as result, their data is being circulated in the most unpleasant corners of the internet and Comrade Leaker might have put them at direct risk. The new leadership team of Sir Keir Starmer and Angela Rayner have announced an investigation into how the report came to commissioned, how it came to be leaked and other related matters. It is embarrassing that the Socialist Campaign Group of Labour MPs have signed a statement demanding that the report is published “in full”, meaning that the former Shadow Justice Secretary and former Shadow Home Secretary among many other Labour MPs want the confidentiality of complainants to be breached solely to facilitate internal faction fighting. As a humble Labour Party member, I call upon the Campaign Group to withdraw their knuckle-headed demand, acknowledge that what they’re asking for would be a breach of GDPR and confidentiality, and apologise to the innocent people they wanted to throw under the bus.

The MP and Campaign Group member Lloyd Russell-Moyle tweeted on Sunday that those interested in the Data Protection aspects of the leak were missing the point, preferring to concentrate on the political implications. In any case, he pointed to the public interest defence available in the GDPR for the circulation of such data. He has since deleted that tweet, and has now admitted sharing a link to the unredacted report with a private Facebook group of party members. Mr Russell-Moyle’s (albeit temporary) confidence in the public interest nature of disclosure caught my eye, especially as his depiction of how the law works in this context was a bit of a dog’s breakfast.

All things being equal, GDPR would have something to say about the unauthorised dissemination of personal data, but despite Mr Russell-Moyle’s claim, it does not contain an explicit public interest defence, and in any case is not the most relevant law. The Data Protection Act 2018 contains a series of offences covering the misuse of personal data, retaining what was criminal under the DPA 1998 but adding some new ones. The offences aren’t strictly required to comply with the GDPR and go further than what it requires. However, they allow the Information Commissioner’s Office to pursue individuals who deliberately or recklessly misuse data more neatly than GDPR does. I spend a lot of time kicking the ICO, so it is only right that I say that this prosecution work is one of those things that they generally do well and for the right reasons.

Section 170 of the DPA 2018 makes it an offence knowingly or recklessly to obtain or disclose personal data without the consent of the data controller, to procure such a disclosure to another person, or to retain data without the controller’s consent. Selling or offering to sell unlawfully obtained data is also an offence. Incidents that lead to ICO prosecutions are often connected with employment – the person gets legitimate access to data as part of their job, and then they look at records they have no reason to, or they share data with others, or they sell it. My favourite recent prosecution is the spectacular case where a senior council manager declared an interest in a recruitment exercise in which his wife was a candidate. Despite this, he then gave her data about the other candidates. After she got the job, the incident was discovered; she lost the job, her husband was sacked and he was subsequently prosecuted. It took a global pandemic to make me essentially unemployed, so I admire someone with the determination to do it to themselves with such panache. The crucial issue isn’t necessarily how you got access, it’s whether what you did with the data was authorised by the controller. People often make the mistake of thinking that the person who has to authorise the use is the data subject, but the law is clear. If I as the controller deliberately give you the data – even if I do so insecurely or without proper transparency – it’s not an offence (it might be a GDPR infringement). If you take a copy and share or sell it without the controller’s permission, the offences may be in play.

There can be tension over who gets the blame – years ago, one of my former employers discovered that an ex-member of staff had sent data about multiple staff members to their personal email account. While it was obviously disclosed without my employer’s authorisation, the ICO case officer who investigated asked us a lot of smart questions about security and access arrangements in the team where the culprit worked. It was plain to me that they were trying to work out whether it would be better to pursue the individual for copying the data, or my employer for not better preventing them from doing so. Fortunately for us, a splendid team manager was able to satisfy the ICO that we’d done everything one could reasonably expect. For Labour, this could be a problem. It’s impossible to know where the report was obtained from or how it came to be leaked, but if Wilmslow investigates this (and in my opinion, they have to), it will be just as legitimate to for them to probe Labour’s internal data management as the actions of the leaker. It must, however, be both.

Although he thought it was in the GDPR, Russell-Moyle was right that the public interest can be a defence for otherwise unlawful misuses of data. The person accused of an offence can put forward a defence of prevention or detection of crime, a legal obligation or statutory requirement to use the data or they can seek to prove in the particular circumstances that obtaining, disclosing, procuring or retaining was justified as being in the public interest. They can also try to prove that they reasonably believed that they had a right to use the data, that had they asked, the controller would have agreed, or finally, in using the data for the special purposes (which include journalism), “in the particular circumstances the obtaining, disclosing, procuring or retaining was justified as being in the public interest.

It’s worth thinking carefully about that group of defences. Under the old 1998 Act, they were drafted differently, allowing a person to argue that they had a ‘reasonable belief’ that their actions were justified in the public interest. The ‘reasonable belief’ element is gone – the defence only works if the person can prove objectively that the disclosure was in the public interest, rather than that they thought it was. There’s an excellent and detailed explanation of this change in Shepherd vs ICO, a data misuse case that the ICO lost a year or so ago. More importantly, all of this applies to the personal data itself, not to a document in which it might be found. Russell-Moyle’s deleted claim was that “there’s a public interest defence which will be strong in this case“, but is that true? There might be a public interest in disclosing the document or whatever revelations can be gleaned from it, either for journalistic purposes or the wider public interest. But is there really a public interest in the disclosure of the complainants’ personal data? I doubt it and it seems that Russell-Moyle now agrees, having acknowledged that “I wanted to make it clear that the report that has been leaked contains important information but it also contains the personal details of minors and those who deserve confidentiality after they made complaints“. If a person seeks to defend themselves from an allegation of a criminal disclosure of personal data, the public interest in revealing internal party machinations is irrelevant. What matters is whether disclosure or retention of the specific personal data is in the public interest.

Anyone who copied and disclosed an unredacted copy of the  report without clear permission from the Labour Party may have committed an offence under S170. Anyone who similarly possesses a copy of it may also have committed an offence. This latter issue might be of particular interest to the ICO as the retention offence is new, and I’m sure there will be some in Wilmslow who want to show that it has teeth. This is especially the case after the ICO investigated the retention of notebooks by ex-Met Police officers and found that they couldn’t taken action because retention wasn’t an offence under the 1998 Act.

The public interest has been badly served here. By redacting the data of complainants, whoever obtained and leaked this data could have built the foundations of a solid public interest defence, and more importantly, shown some care for people who do not deserve to be victims of Labour’s interminable civil war. The leakers could have protected those caught up in this mess, and whatever internecine battles Labour’s factions want to fight could have played out without collateral damage. But whoever these idiots are, they didn’t care about the damage their actions might cause. Blameless individuals have been put at further risk having already suffered abuses and indignities at the party’s hands. The Campaign Group’s moronic statement and Russell-Moyle’s humiliating climbdown from confident defence to mealy-mouthed apology are hallmarks of the thoughtlessness that underpins this sorry episode, but the real blame should be directed towards the snakes who circulated the unredacted report. It is a betrayal of everything that Labour ought to stand for, and a line must be drawn. Between Labour’s internal investigation and what should be the ICO’s inevitable involvement, the people responsible for this leak should face nothing less than the same public exposure as their victims, with a punishment to match.

My Corona

I’m not the first person to point out that the current flood of Covid-19 emails are reminiscent of the Great GDPR Consent Panic of 2018. Organisations you have no memory of ever interacting with are suddenly there as well as many household names, reassuring you of their ability to keep going despite the crisis. Some of them make sense – I got one from the Post Office yesterday telling me that they’re still open, which might be useful information to some. But a lot of them use almost an identical template to say very little – everyone’s home working, they really hope I’m OK, and they look forward to seeing me again after the Apocalypse. I would like to know what difference the companies think they’re going to make, but I’m not going to name and shame the worst ones or even unsubscribe from most of them – these are panicky and uncertain times, and a bit of corporate spam isn’t the worst thing that’s happening.

One email, however, stood out. I haven’t seen anything like it, and I hope no other company is as crass as Osano, the Texas-based ‘data privacy’ outfit headed by one Arlo Gilbert, who took the trouble to email me this morning to say how amazing they are, and how untouched by the global crisis they have been.

The story of how Osano came by my email address is instructive. Last year, Gilbert was putting himself about on Twitter, trumpeting his company which had been in the Data Privacy business since the grand old year of 2018. The Osano website is the Platonic ideal of the 2018 Era Privacy Company – very well designed, cool and slick, and bristling with enthusiasm for a subject that the company’s owners had literally only just found. Some DP and Privacy practitioners are as much activist as they are practitioner (which is why they hate me), but few would have the gall to present their company as a female superhero, saving the world one file at a time. Needless to say, when you look at Osano’s team, they’re all men.

The messages on the site also provides all of the classic GDPR bullshit flavours: teeth-grindingly pious: “When Osano helps companies to comply with the law, the interest of humanity is served, and the internet becomes a better place“, evidence-free scare-mongering “In recent months, numerous groups have undertaken “DDOS Compliance Attacks” whereby they band together and submit thousands of fraudulent DSAR/SRRs in an attempt to harm businesses”, and as is traditional, BIG CLAIMS ABOUT THE BUSINESS. Osano claims to have built “the world’s first data set that objectively measures the data privacy practices for every company on the planet“, and have carried out risk assessments on the compliance capabilities of 10,000 vendors. Disappointingly, despite the alleged ongoing nature of these risk assessments, that number is the same as it was last October.

Wary of some of Osano’s claims last year, I decided to do a bit of digging. I used the contact form on their website to ask whether they had carried out a risk assessment of my company. Although it seemed unlikely, given that Osano has this dataset that can measure any company on the planet, and there were / are 10,000 vendors on their list, it was surely possible? The contact form had an opt-in box to receive information from Osano, and I made sure not to tick it.

You’ll never guess what happened then. I received no acknowledgement or reply from Osano about my enquiry. Nothing. However, I started to receive marketing emails from Osano, always in the name of Arlo, telling me of how their team were “aggressively building new capabilities” and offering “Searchable blockchain-based audit log of consents to comply with information requests and government inquiries“, as if my bullshit bingo card could not be more complete. I can’t pretend that my request would have constituted a subject access request, focussed as it was on my company, but a sensible organisation might at least have sought to check. Moreover, having explicitly gone for a consent option for their marketing, every email that Osano has sent me since is in breach of the very GDPR that they claim to uphold.

Which brings me to Arlo’s recent missive. He begins by recounting how some people were wiped out by the 1990s Dotcom bubble. Then, it was the 2009 crash that wounded many. Now the Covid-19 pandemic means that “businesses around the world are closing their doors“. But what does that mean for data privacy now, friends, what does that mean?


As recently as a few days ago, attorneys were filing class-action lawsuits against companies for violations of California Consumer Privacy Act (CCPA). Today the California Attorney General announced that they would not be delaying prosecution for breaches of CCPA. Data privacy remains a mission-critical component of any modern business, even during a global pandemic.

I’m writing this blog just before doing a webinar on the outbreak, and I can confirm that I am not going to be telling the beautiful people who attend that they can throw DP into the garbage and do what they like (UPDATE: I broke a piece of equipment just before starting and spent the rest of the session spiralling in panic, which bodes Very Well for my online future). Privacy and data protection are central to a just and fair society, and if we throw them out of the window in a crisis, we might not get them back. However, waving the shroud of litigation while people are dying is as low a pitch for your glossy software as it’s possible to get. It’s ugly and everyone in the privacy and data protection sectors should turn their backs on this kind of marketing.

Arlo continues.

“I debated the need to draft a COVID-19 response for our customers in the face of my own inbox overflowing with explanations of how companies are managing during this difficult time.”

Translation: Arlo wondered if this was a bandwagon I needed to jump on.

“However, thousands of companies rely on Osano, and it has become clear that we need to address any concerns that may exist.”

Translation: Arlo decided that the answer was yes.

So what message does this titan of the tech business want to send to his customers? What reassurance, what inspiring words for the future does Arlo have for us all? After gloating that Osano is better at home-working that everyone else, Gilbert has decided that what the pandemic needs to know is how much money his company has.

Osano is well funded with many years of runway and positive gross margins. While other companies may be giving away Ducati motorcycles at conventions and buying Superbowl ads, Osano has always made capital-efficient growth s [sic] core of how we operate.

All of this is a long-winded way of saying that Osano is in great shape. This virus and the downturn in the economy have not changed our daily work habits in any way. Rest assured that there are few companies better equipped to respond to this new work-from-home lifestyle than Osano.”

Nothing about the customers and how they’re doing. Nothing about the effect on this crisis on the person reading the email, beyond a desultory “Stay safe out there” at the very end. The only message Arlo Gilbert wants to give the disease-stricken world is how brilliantly he and his company are handling it. There’s a small part of me that wonders to what extent this is protesting too much, that Arlo wants to tell people how great everything is because he himself needs to hear it. But probably not. The one group of people who are destined to come out of this well are the people at the top. The rest of us will just have to pick up the pieces.

If you want to talk to your customers at the moment, think very carefully about what you want to say. Don’t send unsolicited spam in breach of laws you claim to cherish. I have an email for my mailing list which I wrote days ago but find extremely difficult to send because getting the tone right seems so difficult in the current climate. I’m not ashamed to say that my business has been wiped out. I have no work, and apart from online courses, no prospect of work for months. I’ve made a couple of prudent financial decisions that mean I don’t have to worry for now, but reading Gilbert’s tech-bro muscle flexing must be sickening for people who have lost their jobs, their colleagues or their loved ones. A lot of people on LinkedIn are desperate to emphasise the positives, raising the possibility of founding a new Uber or writing the 21st Century King Lear, but in reality, surviving without losing your mind seems a triumph to me. Deciding that what you need to do now is boast about your positive gross margins is the act of an Osanohole.