TSUNAMI

Last month, the Information Commissioner, Christopher Graham, made an appearance on the Today programme. As always, Graham made big, broad, compelling points, claiming that his office needed more resources to deal with the ‘tsunami’ of complaints about the Google Right to Be Forgotten* case and stronger powers to do mandatory audits of both public (and because of some prompting from Justin Webb) private sector organisations. Graham implied that organisations refusing to volunteer for audits was part of the problem.

To be clear, I think that a properly resourced Information Commissioner is vital for a healthy democracy, both to deal effectively with FOI and to ensure some measure of protection for personal data. There is the side issue that no matter how much money the ICO has, they also need the resolve to deal with big targets, but that’s a blog I’ve written more than once. Moreover, I also think that the ICO should have been given the power to do mandatory audits for everyone. The current position (which means only Central Government has mandatory audits) is absurd. I’m not wholly convinced by the rigour of the ICO’s audit process (they have given an ostensibly clean bill of health to organisations that I know to be hopeless), but that’s again a question for another time. There is no reason why the ICO should not have the powers.

However, I was curious enough about Mr Graham’s claims that I decided to make an FOI request for two key facts: how many Right to be Forgotten complaints had been received as part of the ‘tsunami’, and which organisations had refused an ICO audit. They answered my request in two parts.

I don’t know how many complaints they have received now, but on the 18th July 2014, the Right to be Forgotten complaint tsunami numbered 12. There was a po-faced explanation for the apparent disparity between Mr Graham’s language and the actual facts: “We understand that the statement as written in your request might sound as though we had already received more complaints than this – we anticipate receiving more in the coming months as Google inform more people of the outcome of their considerations.”

It took the ICO slightly longer to answer the second part of my request, which was for the names of the organisations that have refused a voluntary audit. Bear in mind, Graham made the case that expanded audit powers were necessary because organisations refuse. In a remarkable coincidence, the ICO responded to this second question on the 20th working day, and the answer was two (if you’re interested, Staffordshire County Council and Network Rail). Again, perhaps conscious of the apparent contradiction between the Commissioner’s interview and the facts, the ICO pointed out that 75 organisations had failed to respond to a request for a voluntary audit.

There are two problems with this. Even though I agree with Christopher Graham that he needs more resources and better powers, his soundbites don’t ring true. The ICO’s head of enforcement Steve Eckersley made a good case this week for changing the threshold on PECR by pointing at the concrete effects of the Niebel decision at the Upper Tribunal. The ICO gets more complaints about PECR than the DPA and FOI combined, and those involved in the dodgy spam trade will be undeterred by enforcement notices. The ICO tried using enforcement notices on PECR breaches in the last decade, and all they had to show for it were puny fines from the magistrates – like the DPA, a conviction for a PECR breach doesn’t even go on your criminal record. Mr Eckersley’s case is sound and based on evidence, but I’m not sure about Mr Graham. Rather than jump on the Right to be Forgotten bandwagon, the Commissioner should point to the rampant inaccuracy, the black market in information, and demand resources to deal with that.

The other problem with the ICO’s response is the sleight of hand involved in the 75 non-responses. Many organisations that I train on FOI are paranoid about the ICO, fearful that any slip or mistake will bring down Wilmslow’s furious anger. Anyone who has been watching the Cabinet Office will know what a silly attitude this is, but all you need to do is look at the way the ICO handles its own FOI. They want to bolster the Commissioner’s case, so they tell me about the 75 non-responders, but they don’t feel under any obligation to tell me who they are. “These have not refused requests to be audited, and are therefore outside the scope of your request. This information is therefore offered to provide additional context for your request.” This is bullshit. Either they’re outside the scope of my request, and we’re back to the problem that Graham wants new powers because just two organisations have refused an audit, or they’re relevant to Graham’s case and my request, and I should have been told who they are. They can’t have it both ways, and using an FOI response for such ungainly spin is hardly best practice.

Needless to say, now that they have brought them up, I want to know who the 75 are, and my follow-up FOI is already receiving their attention.


* It isn’t a right to be forgotten, it’s a right to have search results removed. I should stop playing Google’s game and using the phrase, but I don’t yet have a better one.

What’s the damage?

BTO Solicitors recently marked the publication of the Information Commissioner’s annual report with a blog by two of their advocate solicitors about the Commissioner’s recent enforcement activity. BTO enjoyed a notable coup in 2013 by overturning the ICO’s £250,000 civil monetary penalty against Scottish Borders Council. I agree with the blog’s authors, Laura Irvine and Paul Motion, that the Borders case was hopeless; it is the low point in the ICO’s obsessive pursuit of “data breaches”. For several years, Wilmslow seemed to believe that [incident = breach] was a winning formula, and when tested in the Borders case, they were found wanting. The blog asserts that in several other cases, the ICO would equally have found it difficult to defend their CMPs, and again, I agree. Borders is not the only flawed CMP, and others could probably have been overturned.

Having said that, I think their review of recent action is eccentric, even myopic. They assert that the Commissioner “has not changed his approach to ‘likelihood’ since the Scottish Borders appeal”, selecting two examples (Jala Transport and Bank of Scotland) to support their contention. I don’t know whether these two CMPs are sustainable, but they exemplify the difference between a one-off incident and an ongoing breach. I am certain that both are the latter. Jala’s *director* routinely carried the sole copy of his customer database on an unencrypted hard drive which he placed on the passenger seat of his car, while the Bank of Scotland proved incapable of preventing staff from sending faxes to the wrong destination even after the ICO started to investigate them. I think it’s instructive that neither organisation appealed.

Moreover, the argument that the ICO is on the same track is a lot easier to make if you stick rigidly to action taken in 2013, so that’s what Irvine and Motion’s blog does. There have only been 3 CMPs for Data Protection in 2014, and I believe that each would survive Tribunal scrutiny. As always, the incidents are eye-catching – an anti-abortion hacker gets access to the identity of women potentially seeking abortion, a police station is sold with evidence tapes identifying suspects, victims and witnesses, and a filing cabinet is sold despite containing personal data about compensation payments paid to victims of terror attacks. However, I think it is likely that if BPAS did not properly maintain their website, it would come under attack from anti-abortion campaigners. It is likely that if Kent Police did not properly organise and monitor the clearance of their buildings, evidence would be left behind – and the same goes for the Department of Justice. In each case, the data was sensitive personal data, and to steal a word from BTO’s own blog, to argue that the loss of such data would not be likely to cause damage is frankly bizarre. The 2014 decisions may not be perfect, but they must have been made with the outcome of the Borders case in mind, and I think these three cases show a more robust and defensible process at work.

The blog ends by considering Christopher Niebel’s successful appeal over the ICO’s £300,000 CMP for his industrial-scale spamming. It’s unlikely that anyone will mount a campaign larger than Niebel’s, which Judge Wikeley described as “a considerable public nuisance”, so the outcome of his appeal may effectively make the UK’s current PECR regime unenforceable. Wikeley suggested that had the bar been set lower (nuisance, rather than damage or distress), the outcome of the appeal might have been different. In response, the Government is currently consulting on whether to make precisely that change. BTO’s blog opposes this, fitting the Niebel case into the narrative of a wayward, overreaching Commissioner:

The likelihood of damage must be based on more than conjecture and distress has to be more than mere irritation. If evidential thresholds are getting in the way of monetary penalties the answer is to provide the requisite evidence, not to call for the lowering of the threshold and potentially criminalising conduct that is undeserving of such categorisation.

ICO’s use of conjecture is flawed and it’s what lost them the Borders case. But the above statement takes a seemingly ideological position that PECR breaches must go unpunished unless substantial damage can be established, without explaining why the law should not be used to protect the public from intrusion and irritation. It’s not clear why Irvine and Motion are keen to keep a regime that lets spam go unpunished, and I’m convinced that leaving the threshold as it is will have that effect. Wikeley did not argue that ICO should have done a better job, but that the evidence wasn’t there to hit the target. By implication, with the test as it is, it won’t ever be. More importantly, neither the ICO nor the DCMS (the department responsible for PECR) have suggested ‘criminalising’ any conduct. To claim otherwise is a red herring.

The sending of text messages, emails or automated calls without clear consent is already unlawful; the only debate is what the penalty should be for doing so. In wanting to keep the current threshold, Irvine and Motion seem more keen to protect the rights of spammers than the public. There’s a difference between criticising a poor case (Borders) and defending a target that no-one can hit. Damage and distress is not a concept that comes from the Directive – as Wikeley says, setting the bar there was a UK decision. The Directive demands ‘an effective, proportionate and dissuasive penalty’ and Niebel shows that we don’t have one. Leaving the substantial damage threshold in place is not (as Irvine and Motion put it) “a realistic approach to assessment of the human consequences of data breaches and PECR breaches”; to do so ignores those consequences and by default, protects the illegal spam business model.

Like Irvine and Motion, I think the ICO approach is flawed and inconsistent. However, I support civil monetary penalties for breaches of both Data Protection and PECR and I think they should be maintained and improved. Evidence of the ineffectiveness of the criminal regime abounds. A few weeks ago, the Information Commissioner announced that they had successfully prosecuted Stephen Siddell, manager of an Enterprise car rental outlet in Southport. Mr Siddell was selling data about their clients to a claims management company. When the private sector is sometimes less forthcoming about their security problems than the public sector, Enterprise should be praised for calling the ICO rather than sacking their errant manager and keeping a lid on the problem. Mr Siddell was fined £500 (plus £300 in costs and victim surcharges). The claims management firm remains under investigation and so for the moment is not being named. Meanwhile, the Mail on Sunday reports today that Jayesh Shah, a man who boasted to an undercover reporter that he sent 500,000 spam text messages a day, has been fined £4000 for non-notification (plus around £3000 in costs and surcharges) by magistrates in North London.

Mr Siddell’s future employment prospects are probably bleak, but with such small penalties, someone else will take his place. Police officers are treated fairly mercilessly when caught for data theft, but there is still a queue of cops willing to raid the PNC. Meanwhile, though the comments about his weight and dress sense in the Mail’s comment section will have been unwelcome, Mr Shah can treat the £7000 outcome as an acceptable business expense. The criminal portion of the DPA provides scant punishment for data thieves (small fines and no criminal record as the offences are not recordable). It is possible for the ICO to issue enforcement notices against spammers and those who breach DP, but the only punishment for breaching an enforcement notice is the same paltry fines. A company prosecuted for breaching an enforcement notice can be closed down and replaced by a clean twin in next to no time.

I enjoy kicking the ICO as much as the next person, and their mishandling of CMP enforcement in recent years is a matter of concern. However, across the UK, Data Protection and privacy are still more honoured in the breach than the observance. There is big money to be made out of exploiting data, and as with health and safety, too many are willing to cut corners, regardless of the harm and distress that might be caused. Indeed, I think CMPs should be broken out of the security stranglehold and applied to damaging inaccuracy and unfairness as well. Rather than keeping the PECR threshold at an unattainable level, I think we should drop it to a straightforward tariff, with a flat rate penalty for every unlawful contact (say £1 per email, £5 per text and £10 per phone call). Post Niebel, private sector organisations that comply with the law will be priced out of the market by those who don’t unless there is a change. Without effective penalties, public sector organisations without a functioning privacy culture will continue to make decisions that put data – and in some cases, the public – at risk.

In their understandable enthusiasm to knock the ICO, I fear Irvine and Motion have lost sight of the purpose of the legislation. It is there to protect the public and to facilitate lawful, legitimate business activities. Personal data should be respected and handled with care. People have a right to a private and a home life without being pestered by spivs. The law and its implementation should penalise and deter misuse, intrusion and abuse. Some organisations will comply without sanction, but we need a strong, effective regime for those who won’t.

TELLING THE DIFFERENCE BETWEEN AN INCIDENT AND A BREACH

A handy guide for data protection regulators.

1) You are being asked about an eye-catching incident that is making the headlines, but which you have not investigated in any way. Is this:

a) AN INCIDENT
b) A BREACH

2) You have investigated an incident, and identified a specific principle that has not been properly complied with by the Data Controller. Is this:

a) A BREACH
b) IT’S A BREACH NOW, IT’S OK

If you answered

Mainly As: You’re correct
Mainly Bs: You work at the Information Commissioner’s Office

Next week: WORKING OUT WHETHER TO ISSUE ENFORCEMENT ACTION UNDER FOI

A poor lookout

I doubt I will ever wholly approve of anyone in the role of Information Commissioner until the Ministry of Justice comes to its senses and gives the job to me. However, I have always much preferred the verve and acerbity of Christopher Graham to the overcautious lawyerly approach of his predecessor, Richard Thomas. I don’t believe that Thomas would have been willing to enforce in the way Graham has managed (albeit that Mr Graham’s approach is fixated on one part of the public sector, and one part of one data protection principle), and he was nowhere near as good on the media stage – important for anyone in the role.

However, Graham’s interview with the Independent – timed presumably to coincide with the extension of his tenure to the legal maximum of 7 years – was dispiriting.

Some of the flaws in the article are not attributed directly to Graham – the text describes action taken under PECR as an attempt to ‘prosecute’, which is incorrect because it was a civil action. It’s entirely possible that this was the Indie’s mistake but it doesn’t help anyone to understand what the ICO does (presumably one aim of doing the interview) and it should have been corrected. But when the text later describes the Commissioner as having a ‘right to compulsory audit’ local government, this is also wrong. The ICO can do mandatory audits of Government and there was a consultation to give it powers to do the same for the NHS. Compulsory audits for local government aren’t on the table. This is a mistake that Christopher Graham has made before, so I suspect it came from him, but it’s also a sign of the limit on the current Commissioner’s ambitions. Where is the evidence that he wants such powers?

Something that can definitely be attributed to Mr Graham is his crass, discourteous description of local government as ‘hopeless’. Every council delegate at next week’s ICO Data Protection Officer’s Conference should make it their business to challenge him on it, and frankly, councils should stop cowering in front of the ICO, stop reporting incidents to his office and stop cooperating with its entirely voluntary audits unless they actively want one. The weekend’s big data protection story was the theft of data from Aviva and subsequent sale to claims management companies. Graham has done an admirable job of agitating for bigger fines for data theft, but part of the ICO’s beloved seventh principle requires organisations to take steps to prevent ‘unlawful processing’. It’s not just about catching the thieves afterwards, but attempting to thwart them in advance. I am certain that the ICO doesn’t have a clue whether the financial services industry is exemplary or hopeless in this regard. Mr Graham hasn’t even asked for the mandatory audit powers to find out. Councils are an easy target because they constantly move data around and FOI means that, unlike the private sector, they can’t keep their dirty laundry hidden. The ‘hopeless’ remark may have been off-the-cuff, but it suggests knowledge that his office hasn’t put the hours in to possess. Besides, Mr Graham is a journalist and would know that such a remark would make the final edit, so it’s an insulting message he wanted to send. I’d love to know what word he uses to describe the ICO’s non-existent enforcement of the FOI Act, to the extent that some government departments openly thumb their noses at his office, and thus at him.

More of a concern is Graham’s remark that “People have been challenging me on the bus about care.data. That’s the talking point but Snowden hasn’t been, which is kind of a surprise.” There are two things that bother me about this. Firstly, it suggests that Graham is out of touch with the public. It is not the ICO’s job to represent the public, it is their job to ensure that data controllers comply with the law (technically, the courts have more of a role in upholding individual rights than the ICO does). But nevertheless, Graham’s expectation that people would be button-holing him about the security services rather than the NHS is a tad elitist. The NSA’s spying on us all is obnoxious, but care.data is much more likely to have a direct effect on the man on the 130 bus to Wilmslow. More crucially, however, Snowden is not really on Graham’s territory. There is a very broad exemption in the DPA that you may not agree with, but which puts any activity ‘necessary’ for national security completely outside the DPA, and off the ICO’s radar. If the Commissioner was more concerned with matters that are more directly covered by his legislation, he might have avoided giving such inaccurate advice on care.data and pseudonymisation when on the BBC Breakfast sofa. It’s interesting that the Commissioner admits that his office failed to persuade NHS England to write to all citizens about care.data, which suggests that the stakeholder engagement approach doesn’t bear fruit.

Most depressing of all, however, is Graham’s complaint about the loss of the Scottish Borders appeal. Borders won their appeal because the ICO failed to establish a crucial part of the test that the law has set for them. The ICO has to show that it is “likely” that the breach – in this case, the failure to have a proper contract in place with a company scanning and disposing of records – would cause damage or distress. The ICO’s approach in Borders (and others) was to assume. For the ICO, lost records = identity theft. The civil burden of proof is lower than the criminal one, but it should not simply be what a clever man reckons. I made an FOI request for any evidence of the ICO’s claim that a lost passport number leads to identity theft, and they admitted that they don’t have any. If they propose to fine an organisation £250,000, the ICO ought to have more than an assumption and crucially, the law requires that they have more. But Mr Graham doesn’t appear to understand that: he complains: “I couldn’t prove that someone of malicious intent had picked up all this personal information and was going to be doing people down”. This is not why the case was lost (although it’s true that he couldn’t prove that).

The Information Commissioner is a single appointee helped by hundreds of staff, but nevertheless, a single appointee who is given all of the powers and obligations. Mr Graham must understand how his powers work. Papers spilling out of a bin isn’t a breach. It’s an incident. The Commissioner cannot issue a CMP for papers spilling out of a bin, or any other incident in itself. In Borders, he had to establish that there was a breach: there was no contract, so job done. Then he had to show that incidents like the papers in the bin were foreseeable and likely to cause damage or distress. People sometimes don’t have proper contracts with long-standing and trusted suppliers. Is it likely that this will lead to the supplier dumping paper records in a recycling bin? Will this lead to damage and distress? Honestly, I don’t know, but that’s what Mr Graham couldn’t prove to the satisfaction of the Tribunal and frankly, I think the test should be rigorous if the stakes are as high as a quarter of a million pounds. The Deputy Commissioner David Smith was chided by the Tribunal at the time for focussing too much on the incident, and here the Commissioner makes the same fundamental mistake.

Most of the other matters I’ve raised here are presentational and you might say trivial; this final one isn’t. The role of the Commissioner is to be a figurehead, a public face to play up the big picture, but if Mr Graham wants to complain about losing Tribunal cases, he has to know why he lost, and I’m not sure from the evidence that he does. If he, and the office as a whole don’t learn the lessons, the important powers they were given under the tenure of his hesitant predecessor will become worthless. He’s still a more impressive figure than his predecessor, and almost certainly the most successful holder of the office so far. But this interview shows a Commissioner sniping at everyone but unsure of the details: not hopeless, but equally, not inspiring.

Goodbye Silver Service, Say Hello to Lead

The Information Commissioner has two powers to make FOI and the EIRs work, and a backup power to facilitate the other two. They’re found in FOI but apply to both. Under Section 50, the Commissioner can resolve a complaint about an individual FOI / EIR complaint by issuing a Decision Notice, which determines whether the public authority’s response was partially or wholly right or wrong. Under Section 52, the Information Commissioner can issue an Enforcement Notice, which allows the ICO to order a public authority to put right any failing, and unlike S50 is not linked to an individual complaint. Logically, the Enforcement Notice makes sense as a tool to deal with consistent or corporate FOI failings, as anything identified during an individual complaint can be resolved in a Decision Notice. As regular readers will know, the Enforcement Notice exists in name only as the Commissioner has not issued one since 2010 and seems effectively to have retired it.

In the middle is the S51 Information Notice, which is more specific. Most FOI / EIR complaints are resolved through protracted but willing correspondence, but occasionally an organisation won’t play along and so S51 allows the Commissioner to demand information. It’s a powerful tool, but it’s not an end in itself. “If the Commissioner reasonably requires information”, the Information Notice does the job. This usually happens when a recalcitrant organisation has already been asked for information and either fails to or refuses to supply it. One of the tantalising things about the Information Notice is that it refers to recorded and unrecorded information – the ICO can demand an explanation of what has gone on even if such an explanation has not been written down. But that’s for another time.

Last month, the Information Commissioner published a decision notice about an EIR request to Hackney Council. The applicant wanted to see what turned out to be a lot of information about the planning application for a Free School. Hackney’s handling of the request was – to say the least – inelegant, and I apologise in advance for the way in which I will linger on the case in every EIR training course I run for Act Now Training over the next few years. It’s one of those ‘What Not To Do’ situations. After some delay (Hackney) and hand-wringing (the ICO), Hackney settled on the decision that the request was manifestly unreasonable, and the ICO gave Hackney a deadline to communicate this decision to the applicant. The Decision Notice explains what happened next:

“The Council failed to respond within this deadline and so the Commissioner issued an information notice under section 51 of the FOIA. This obliged the Council to write to the complainant specifying that, if this was now its position, regulation 12(4)(b) was believed to apply, and to write to the ICO with a full explanation of its reasoning for the citing of that exception. In line with the information notice the Council wrote to the complainant on 16 August 2013 and advised him that the Council now relied on regulation 12(4)(b) on account of the time and cost of complying with these requests”. Remarkably, or as the ICO would have it “Regrettably”, the ICO had to chase Hackney for the required explanation.

This is not the usual ICO dithering. This is far worse than that. The Information Commissioner cannot use an Information Notice to require a public authority to do anything except provide it with information. The Commissioner could order Hackney to answer the request, but only by using a Decision Notice under Section 50. Moreover, if the ICO describes the situation accurately, Hackney apparently breached the bit of the Information Notice that might have been valid (the requirement to explain why they thought 12(4)(b) applied), but the ICO did nothing about it other than ‘chasing’. If taken before a judge, a breach of an Information Notice is treated as a contempt of court.

You may be sitting there thinking that this is a molehill. Big deal, you might say. They cited the wrong bit of the legislation. They didn’t follow up on the exercise of their powers. At length, they made a decision and have now ordered Hackney to disclose the information to the applicant. Job done. If that’s what you’re thinking, you’re wrong.

The Information Commissioner’s Decision Notice seems to say that it exercised its powers in an unlawful way. They have announced that even when they use their interim enforcement powers (however incompetently), they will not follow through on it and will limply ‘chase’ rather than prosecute. No aspect of the ICO’s enforcement is entirely successful. The Commissioner has suffered reverses on both Data Protection and PECR enforcement recently. Data Protection enforcement is unfairly skewed towards public sector security and is based too much on unproven assumptions about identity theft and a fixation with the incident, not the underlying breach. But the Commissioner’s reverses on DP and PECR are matters of interpretation, not basic competence – neither recent Tribunal loss was tossed out. The ICO’s antics on the Hackney case suggest that people working on FOI either don’t know how their powers work, or they don’t care.

The best case scenario for the ICO is that somehow, the author of the notice has explained what they did so badly that some kind of strong message to Hackney to answer the request has been conflated with the Information Notice. They could have done it properly but made it sound like they didn’t. But it’s hard to imagine how this is possible when language as concrete as this is used: the Information Notice “obliged the Council to write to the complainant” and Hackney’s response to the applicant was “in line with the Notice”.

The final decision – where the Council was ordered to disclose using S50 – was signed off by a senior manager who, if they didn’t actually write the notice, presumably read it and saw no problem with the misuse of the Information Notice it described. Even if the author was deluded, the Group Manager must surely know what an Information Notice is for, and could have cleared up the misunderstanding. Indeed, the notice even comes with the dreaded sanctimonious ‘Other matters’ section where the cock-up is warmed over again. They couldn’t have missed it.

While many ICO decisions sail through clumsily but probably get the right result, the inability to make enforcement decisions against big targets like the Cabinet Office and the Department for Education, and the inability to enforce lawfully against anyone make me think that FOI within the Information Commissioner’s office is broken. They’re so unwilling to enforce, they now don’t actually know how to. Chris Graham has clearly shown a willingness to take enforcement action on DP and PECR, but FOI continues to be a rolling embarrassment, threatening to bring his office into disrepute. Either he sorts this mess out, or he should give FOI up and let someone else do it properly instead.