Whoops!

Yesterday, after at least a year of pondering it, the Information Commissioner asked the Universities and Colleges Admissions Service (UCAS) to sign an undertaking, agreeing to change the way in which they obtain consent to use students’ data. The data is obtained as part of the application process and subsequently used for marketing a variety of products and services, and UCAS has agreed to change its approach. It’s important to note that this is an undertaking, so UCAS has not been ordered to do anything, nor are there any direct consequences if they fail to do what is stated in the undertaking. An undertaking is a voluntary exercise – it is not served, it does not order or require, it simply documents an agreement by a Data Controller to do something.

Aspects of the story concern me. The ICO’s head of enforcement is quoted as saying: “By failing to give these applicants a clear option to avoid marketing, they were being unfairly faced with the default option of having their details used for commercial purposes” but given that the marketing was sent by text and email, the opportunity to “avoid” marketing is not what should have been in place. If UCAS wanted to sell access to university and college applicants, they needed consent – which means opt-in, not opt-out. As the undertaking itself points out, consent is defined in the EU Data Protection Directive as freely given – an opt-out cannot constitute this in my opinion. If you think that an opt-out does constitute consent, try transposing that thinking into any other situation where consent is required, and see how creepy your thinking has suddenly become. Consent should be a free choice, made actively. We should not have to stop commercial companies from texting and emailing us – the onus should be on them to make an attractive offer we want to take up, not on consumers to bat away their unwanted attentions.

It’s entirely possible that the ICO’s position on consent is better expressed in the undertaking itself, but here we have a little problem. At least when it was published yesterday, half of the undertaking was missing. Only the odd-numbered pages were published, so presumably the person who scanned the document had a double-sided original and didn’t notice that they had scanned it single-sided. The published document also included one page of UCAS’ covering letter and the final signed page of the undertaking, which the ICO never normally publishes. This mistake reveals some interesting nuggets that we wouldn’t normally know, from the trivial (the Chief Executive of UCAS signed the undertaking with a fountain pen, something of which I wholeheartedly approve) to the potentially significant (the covering letter sets out when UCAS might divert resources away from complying with the undertaking).

But that’s not the point. The point is that the ICO uploaded the wrong document to the internet, and this is not the first time it has happened. I know this because on a previous occasion, I contacted the ICO to tell them that they had done it, and many people on my training courses have also seen un-redacted enforcement and FOI notices on the ICO website. The data revealed in the UCAS case is not sensitive (although I don’t know how the UCAS Chief would feel about her signature being published on the internet), but that’s not the point either. The ICO has spent the last ten years taking noisy, self-righteous action against a variety of mainly public bodies for security slip-ups, and the past five issuing monetary penalties for the same, including several following the accidental publication of personal data on the internet.

The issue here is simple: does the ICO’s accidental publication of this undertaking constitute a breach of the 7th Data Protection Principle? They know about the risk because they’ve done it before. Have they taken appropriate technical and organisational measures to prevent this from happening? Is there a clear process to ensure that the right documents are published? Are documents checked before they are uploaded? Does someone senior check whether the process is being followed? Is everyone involved in the process properly trained in the handling of personal data, and in the technology required to publish documents onto the web? And even if all of these measures are in place, is action taken when such incidents are identified? If the ICO can give positive answers to all these questions, then it is not a breach. Stuff happens. But if they have not, it is a breach.

There is no possibility, no matter how hilarious it would be, that the ICO will issue a CMP on itself following this incident, although it is technically possible. What should happen is that the ICO should quickly and effectively take steps to prevent this from happening again. However, if the Information Commissioner’s Office does not ask the Information Commissioner Christopher Graham to sign an undertaking, publicly stating what these measures will be, they cannot possibly speak and act with authority the next time they ask someone else to do the same. Whether they redact Mr Graham’s signature is entirely a matter for them.

UPDATE: without acknowledging their mistake, the Information Commissioner’s Office has now changed the undertaking to be the version they clearly intended to publish. One wonders if anything has been done internally, or if they are simply hoping that only smartarses like me noticed in the first place.

TSUNAMI

Last month, the Information Commissioner, Christopher Graham, made an appearance on the Today programme. As always, Graham made big, broad, compelling points, claiming that his office needed more resources to deal with the ‘tsunami’ of complaints about the Google Right to Be Forgotten* case and stronger powers to do mandatory audits of both public and (because of some prompting from Justin Webb) private sector organisations. Graham implied that organisations refusing to volunteer for audits was part of the problem.

To be clear, I think that a properly resourced Information Commissioner is vital for a healthy democracy, both to deal effectively with FOI and to ensure some measure of protection for personal data. There is the side issue that no matter how much money the ICO has, they also need the resolve to deal with big targets, but that’s a blog I’ve written more than once. Moreover, I also think that the ICO should have been given the power to do mandatory audits for everyone. The current position (which means only Central Government has mandatory audits) is absurd. I’m not wholly convinced by the rigour of the ICO’s audit process (they have given an ostensibly clean bill of health to organisations that I know to be hopeless), but that’s again a question for another time. There is no reason why the ICO should not have the powers.

However, I was curious enough about Mr Graham’s claims that I decided to make an FOI request for two key facts: how many Right to be Forgotten complaints had been received as part of the ‘tsunami’, and which organisations had refused an ICO audit. They answered my request in two parts.

I don’t know how many complaints they have received now, but on the 18th July 2014, the Right to be Forgotten complaint tsunami numbered 12. There was a po-faced explanation for the apparent disparity between Mr Graham’s language and the actual facts: “We understand that the statement as written in your request might sound as though we had already received more complaints than this – we anticipate receiving more in the coming months as Google inform more people of the outcome of their considerations.”

It took the ICO slightly longer to answer the second part of my request, which was for the names of the organisations that have refused a voluntary audit. Bear in mind, Graham made the case that expanded audit powers were necessary because organisations refuse. In a remarkable coincidence, the ICO responded to this second question on the 20th working day, and the answer was two (if you’re interested, Staffordshire County Council and Network Rail). Again, perhaps conscious of the apparent contradiction between the Commissioner’s interview and the facts, the ICO pointed out that 75 organisations had failed to respond to a request for a voluntary audit.

There are two problems with this. Even though I agree with Christopher Graham that he needs more resources and better powers, his soundbites don’t ring true. The ICO’s head of enforcement Steve Eckersley made a good case this week for changing the threshold on PECR by pointing at the concrete effects of the Niebel decision at the Upper Tribunal. The ICO gets more complaints about PECR than the DPA and FOI combined, and those involved in the dodgy spam trade will be undeterred by enforcement notices. The ICO tried using enforcement notices on PECR breaches in the last decade, and all they had to show for it were puny fines from the magistrates – like the DPA, a conviction for a PECR breach doesn’t even go on your criminal record. Mr Eckersley’s case is sound and based on evidence, but I’m not sure about Mr Graham. Rather than jump on the Right to be Forgotten bandwagon, the Commissioner should point to the rampant inaccuracy, the black market in information, and demand resources to deal with that.

The other problem with the ICO’s response is the sleight of hand involved in the 75 non-responses. Many organisations that I train on FOI are paranoid about the ICO, fearful that any slip or mistake will bring down Wilmslow’s furious anger. Anyone who has been watching the Cabinet Office will know what a silly attitude this is, but all you need to do is look at the way the ICO handles its own FOI. They want to bolster the Commissioner’s case, so they tell me about the 75 non-responders, but they don’t feel under any obligation to tell me who they are. “These have not refused requests to be audited, and are therefore outside the scope of your request. This information is therefore offered to provide additional context for your request.” This is bullshit. Either they’re outside the scope of my request, and we’re back to the problem that Graham wants new powers because just two organisations have refused an audit, or they’re relevant to Graham’s case and my request, and I should have been told who they are. They can’t have it both ways, and using an FOI response for such ungainly spin is hardly best practice.

Needless to say, now that they have brought them up, I want to know who the 75 are, and my follow-up FOI is already receiving their attention.


* It isn’t a right to be forgotten, it’s a right to have search results removed. I should stop playing Google’s game and using the phrase, but I don’t yet have a better one.

What’s the damage?

BTO Solicitors recently marked the publication of the Information Commissioner’s annual report with a blog by two of their advocate solicitors about the Commissioner’s recent enforcement activity. BTO enjoyed a notable coup in 2013 by overturning the ICO’s £250,000 civil monetary penalty against Scottish Borders Council. I agree with the blog’s authors, Laura Irvine and Paul Motion, that the Borders case was hopeless; it is the low point in the ICO’s obsessive pursuit of “data breaches”. For several years, Wilmslow seemed to believe that [incident = breach] was a winning formula, and when tested in the Borders case, they were found wanting. The blog asserts that in several other cases, the ICO would equally have found it difficult to defend their CMPs, and again, I agree. Borders is not the only flawed CMP, and others could probably have been overturned.

Having said that, I think their review of recent action is eccentric, even myopic. They assert that the Commissioner “has not changed his approach to ‘likelihood’ since the Scottish Borders appeal”, selecting two examples (Jala Transport and Bank of Scotland) to support their contention. I don’t know whether these two CMPs are sustainable, but they exemplify the difference between a one-off incident and an ongoing breach. I am certain that both are the latter. Jala’s *director* routinely carried the sole copy of his customer database on an unencrypted hard drive which he placed on the passenger seat of his car, while the Bank of Scotland proved incapable of preventing staff from sending faxes to the wrong destination even after the ICO started to investigate them. I think it’s instructive that neither organisation appealed.

Moreover, the argument that the ICO is on the same track is a lot easier to make if you stick rigidly to action taken in 2013, so that’s what Irvine and Motion’s blog does. There have only been 3 CMPs for Data Protection in 2014, and I believe that each would survive Tribunal scrutiny. As always, the incidents are eye-catching – an anti-abortion hacker gets access to the identity of women potentially seeking abortion, a police station is sold with evidence tapes identifying suspects, victims and witnesses, and a filing cabinet is sold despite containing personal data about compensation payments paid to victims of terror attacks. However, I think it is likely that if BPAS did not properly maintain their website, it would come under attack from anti-abortion campaigners. It is likely that if Kent Police did not properly organise and monitor the clearance of their buildings, evidence would be left behind – and the same goes for the Department of Justice. In each case, the data was sensitive personal data, and to steal a word from BTO’s own blog, to argue that the loss of such data would not be likely to cause damage is frankly bizarre. The 2014 decisions may not be perfect, but they must have been made with the outcome of the Borders case in mind, and I think these three cases show a more robust and defensible process at work.

The blog ends by considering Christopher Niebel’s successful appeal over the ICO’s £300,000 CMP for his industrial-scale spamming. It’s unlikely that anyone will mount a campaign larger than Niebel’s, which Judge Wikeley described as “a considerable public nuisance”, so the outcome of his appeal may effectively make the UK’s current PECR regime unenforceable. Wikeley suggested that had the bar been set lower (nuisance, rather than damage or distress), the outcome of the appeal might have been different. In response, the Government is currently consulting on whether to make precisely that change. BTO’s blog opposes this, fitting the Niebel case into the narrative of a wayward, overreaching Commissioner:

The likelihood of damage must be based on more than conjecture and distress has to be more than mere irritation. If evidential thresholds are getting in the way of monetary penalties the answer is to provide the requisite evidence, not to call for the lowering of the threshold and potentially criminalising conduct that is undeserving of such categorisation.

ICO’s use of conjecture is flawed and it’s what lost them the Borders case. But the above statement takes a seemingly ideological position that PECR breaches must go unpunished unless substantial damage can be established, without explaining why the law should not be used to protect the public from intrusion and irritation. It’s not clear why Irvine and Motion are keen to keep a regime that lets spam go unpunished, and I’m convinced that leaving the threshold as it is will have that effect. Wikeley did not argue that ICO should have done a better job, but that the evidence wasn’t there to hit the target. By implication, with the test as it is, it won’t ever be. More importantly, neither the ICO nor the DCMS (the department responsible for PECR) have suggested ‘criminalising’ any conduct. To claim otherwise is a red herring.

The sending of text messages, emails or automated calls without clear consent is already unlawful; the only debate is what the penalty should be for doing so. In wanting to keep the current threshold, Irvine and Motion seem more keen to protect the rights of spammers than the public. There’s a difference between criticising a poor case (Borders) and defending a target that no-one can hit. Damage and distress is not a concept that comes from the Directive – as Wikeley says, setting the bar there was a UK decision. The Directive demands ‘an effective, proportionate and dissuasive penalty’ and Niebel shows that we don’t have one. Leaving the substantial damage threshold in place is not (as Irvine and Motion put it) “a realistic approach to assessment of the human consequences of data breaches and PECR breaches”; to do so ignores those consequences and by default, protects the illegal spam business model.

Like Irvine and Motion, I think the ICO approach is flawed and inconsistent. However, I support civil monetary penalties for breaches of both Data Protection and PECR and I think they should be maintained and improved. Evidence of the ineffectiveness of the criminal regime abounds. A few weeks ago, the Information Commissioner announced that they had successfully prosecuted Stephen Siddell, manager of an Enterprise car rental outlet in Southport. Mr Siddell was selling data about Enterprise’s clients to a claims management company. Given that the private sector is sometimes less forthcoming about its security problems than the public sector, Enterprise should be praised for calling the ICO rather than sacking their errant manager and keeping a lid on the problem. Mr Siddell was fined £500 (plus £300 in costs and victim surcharges). The claims management firm remains under investigation and so for the moment is not being named. Meanwhile, the Mail on Sunday reports today that Jayesh Shah, a man who boasted to an undercover reporter that he sent 500,000 spam text messages a day, has been fined £4000 for non-notification (plus around £3000 in costs and surcharges) by magistrates in North London.

Mr Siddell’s future employment prospects are probably bleak, but with such small penalties, someone else will take his place. Police officers are treated fairly mercilessly when caught for data theft, but there is still a queue of cops willing to raid the PNC. Meanwhile, though the comments about his weight and dress sense in the Mail’s comment section will have been unwelcome, Mr Shah can treat the £7000 outcome as an acceptable business expense. The criminal portion of the DPA provides scant punishment for data thieves (small fines and no criminal record as the offences are not recordable). It is possible for the ICO to issue enforcement notices against spammers and those who breach DP, but the only punishment for breaching an enforcement notice is the same paltry fines. A company prosecuted for breaching an enforcement notice can be closed down and replaced by a clean twin in next to no time.

I enjoy kicking the ICO as much as the next person, and their mishandling of CMP enforcement in recent years is a matter of concern. However, across the UK, Data Protection and privacy are still more honoured in the breach than the observance. There is big money to be made out of exploiting data, and as with health and safety, too many are willing to cut corners, regardless of the harm and distress that might be caused. Indeed, I think CMPs should be broken out of the security stranglehold and applied to damaging inaccuracy and unfairness as well. Rather than keeping the PECR threshold at an unattainable level, I think we should drop it to a straightforward tariff, with a flat rate penalty for every unlawful contact (say £1 per email, £5 per text and £10 per phone call). Post Niebel, private sector organisations that comply with the law will be priced out of the market by those who don’t unless there is a change. Without effective penalties, public sector organisations without a functioning privacy culture will continue to make decisions that put data – and in some cases, the public – at risk.

In their understandable enthusiasm to knock the ICO, I fear Irvine and Motion have lost sight of the purpose of the legislation. It is there to protect the public and to facilitate lawful, legitimate business activities. Personal data should be respected and handled with care. People have a right to a private and a home life without being pestered by spivs. The law and its implementation should penalise and deter misuse, intrusion and abuse. Some organisations will comply without sanction, but we need a strong, effective regime for those who won’t.

TELLING THE DIFFERENCE BETWEEN AN INCIDENT AND A BREACH

A handy guide for data protection regulators.

1) You are being asked about an eye-catching incident that is making the headlines, but which you have not investigated in any way. Is this:

a) AN INCIDENT
b) A BREACH

2) You have investigated an incident, and identified a specific principle that has not been properly complied with by the Data Controller. Is this:

a) A BREACH
b) IT’S A BREACH NOW, IT’S OK

If you answered

Mainly As: You’re correct
Mainly Bs: You work at the Information Commissioner’s Office

Next week: WORKING OUT WHETHER TO ISSUE ENFORCEMENT ACTION UNDER FOI

A poor lookout

I doubt I will ever wholly approve of anyone in the role of Information Commissioner until the Ministry of Justice comes to its senses and gives the job to me. However, I have always much preferred the verve and acerbity of Christopher Graham to the overcautious lawyerly approach of his predecessor, Richard Thomas. I don’t believe that Thomas would have been willing to enforce in the way Graham has managed (albeit that Mr Graham’s approach is fixated on one part of the public sector, and one part of one data protection principle), and he was nowhere near as good on the media stage – important for anyone in the role.

However, Graham’s interview with the Independent – timed presumably to coincide with the extension of his tenure to the legal maximum of 7 years – was dispiriting.

Some of the flaws in the article are not attributed directly to Graham – the text describes action taken under PECR as an attempt to ‘prosecute’, which is incorrect because it was a civil action. It’s entirely possible that this was the Indie’s mistake but it doesn’t help anyone to understand what the ICO does (presumably one aim of doing the interview) and it should have been corrected. But when the text later describes the Commissioner as having a ‘right to compulsory audit’ local government, this is also wrong. The ICO can do mandatory audits of Government and there was a consultation to give it powers to do the same for the NHS. Compulsory audits for local government aren’t on the table. This is a mistake that Christopher Graham has made before, so I suspect it came from him, but it’s also a sign of the limit on the current Commissioner’s ambitions. Where is the evidence that he wants such powers?

Something that can definitely be attributed to Mr Graham is his crass, discourteous description of local government as ‘hopeless’. Every council delegate at next week’s ICO Data Protection Officer’s Conference should make it their business to challenge him on it, and frankly, councils should stop cowering in front of the ICO, stop reporting incidents to his office and stop cooperating with its entirely voluntary audits unless they actively want one. The weekend’s big data protection story was the theft of data from Aviva and subsequent sale to claims management companies. Graham has done an admirable job of agitating for bigger fines for data theft, but part of the ICO’s beloved seventh principle requires organisations to take steps to prevent ‘unlawful processing’. It’s not just about catching the thieves afterwards, but attempting to thwart them in advance. I am certain that the ICO doesn’t have a clue whether the financial services industry is exemplary or hopeless in this regard. Mr Graham hasn’t even asked for the mandatory audit powers to find out. Councils are an easy target because they constantly move data around and FOI means that, unlike the private sector, they can’t keep their dirty laundry hidden. The ‘hopeless’ remark may have been off-the-cuff, but it suggests knowledge that his office hasn’t put the hours in to possess. Besides, Mr Graham is a journalist and would know that such a remark would make the final edit, so it’s an insulting message he wanted to send. I’d love to know what word he uses to describe the ICO’s non-existent enforcement of the FOI Act, to the extent that some government departments openly thumb their noses at his office, and thus at him.

More of a concern is Graham’s remark that “People have been challenging me on the bus about care.data. That’s the talking point but Snowden hasn’t been, which is kind of a surprise.” There are two things that bother me about this. Firstly, it suggests that Graham is out of touch with the public. It is not the ICO’s job to represent the public, it is their job to ensure that data controllers comply with the law (technically, the courts have more of a role in upholding individual rights than the ICO does). But nevertheless, Graham’s expectation that people would be buttonholing him about the security services rather than the NHS is a tad elitist. The NSA’s spying on us all is obnoxious, but care.data is much more likely to have a direct effect on the man on the 130 bus to Wilmslow. More crucially, however, Snowden is not really on Graham’s territory. There is a very broad exemption in the DPA that you may not agree with, but which puts any activity ‘necessary’ for national security completely outside the DPA, and off the ICO’s radar. If the Commissioner was more concerned with matters that are more directly covered by his legislation, he might have avoided giving such inaccurate advice on care.data and pseudonymisation when on the BBC Breakfast sofa. It’s interesting that the Commissioner admits that his office failed to persuade NHS England to write to all citizens about care.data, which suggests that the stakeholder engagement approach doesn’t bear fruit.

Most depressing of all, however, is Graham’s complaint about the loss of the Scottish Borders appeal. Borders won their appeal because the ICO failed to establish a crucial part of the test that the law has set for them. The ICO has to show that it is “likely” that the breach – in this case, the failure to have a proper contract in place with a company scanning and disposing of records – would cause damage or distress. The ICO’s approach in Borders (and others) was to assume. For the ICO, lost records = identity theft. The civil burden of proof is lower than the criminal one, but it should not simply be what a clever man reckons. I made an FOI request for any evidence of the ICO’s claim that a lost passport number leads to identity theft, and they admitted that they don’t have any. If they propose to fine an organisation £250,000, the ICO ought to have more than an assumption and crucially, the law requires that they have more. But Mr Graham doesn’t appear to understand that: he complains: “I couldn’t prove that someone of malicious intent had picked up all this personal information and was going to be doing people down”. This is not why the case was lost (although it’s true that he couldn’t prove that).

The Information Commissioner is a single appointee helped by hundreds of staff, but nevertheless, a single appointee who is given all of the powers and obligations. Mr Graham must understand how his powers work. Papers spilling out of a bin isn’t a breach. It’s an incident. The Commissioner cannot issue a CMP for papers spilling out of a bin, or any other incident in itself. In Borders, he had to establish that there was a breach: there was no contract, so job done. Then he had to show that incidents like the papers in the bin were foreseeable and likely to cause damage or distress. People sometimes don’t have proper contracts with long-standing and trusted suppliers. Is it likely that this will lead to the supplier dumping paper records in a recycling bin? Will this lead to damage and distress? Honestly, I don’t know, but that’s what Mr Graham couldn’t prove to the satisfaction of the Tribunal and frankly, I think the test should be rigorous if the stakes are as high as a quarter of a million pounds. The Deputy Commissioner David Smith was chided by the Tribunal at the time for focussing too much on the incident, and here the Commissioner makes the same fundamental mistake.

Most of the other matters I’ve raised here are presentational and you might say trivial; this final one isn’t. The role of the Commissioner is to be a figurehead, a public face to play up the big picture, but if Mr Graham wants to complain about losing Tribunal cases, he has to know why he lost, and I’m not sure from the evidence that he does. If he, and the office as a whole don’t learn the lessons, the important powers they were given under the tenure of his hesitant predecessor will become worthless. He’s still a more impressive figure than his predecessor, and almost certainly the most successful holder of the office so far. But this interview shows a Commissioner sniping at everyone but unsure of the details: not hopeless, but equally, not inspiring.