The DNs don’t work

I’m going to say it again. I really like Christopher Graham. Anyone would have looked dynamic after Richard “BACKLOG” Thomas, but I believe he’s trying to make a difference in his role. I’m not sure we’d get on personally, but that’s definitely more about me than him. I have absolutely no doubt that he means business. And what’s more, blogger’s hyperbole aside, I don’t really think that everyone who works at the ICO is an idiot. In fact, when I think of all the people at the ICO who I definitely think are idiots, I could count them on the fingers of one hand, if we count thumbs as fingers and I was Anne Boleyn.

But in writing to the Financial Times to refute the claim that the ICO is a toothless regulator, Mr Graham said this: “The record shows that the Information Commissioner’s Office regularly makes difficult decisions that challenge Whitehall”. He pointed out that he has issued a number of Decision Notices against the Cabinet Office and most importantly, he is a regulator with powers of prosecution.  This isn’t fooling anyone. Even FOI Man Paul Gibbons is having his doubts about the Commissioner’s rigour, and he’s so nice he didn’t lose his temper when I suggested he change his name to Paul Chimpanzees.  What’s really strange about Graham’s response – apart from what Paul accurately identified as his eccentrically clear aim at the messenger – is what’s missing. Although I think the quality of ICO FOI casework has generally gone down, I don’t deny that on a good day, Wilmslow is capable of stepping up and making the right calls on individual decisions. What Mr Graham has to answer is whether his office is capable of taking enforcement action; not to deal with individual complaints, but with the wider approach of a Government department that sees FOI as an inconvenience.

However, in case we need evidence that action might be necessary, let’s consider the decision notices issued to the Cabinet Office in 2013 by the ICO, to bask in the heat of their effectiveness:

Decision FS504279906

The Cabinet Office are revealed to have failed to respond to a previous ICO Decision Notice (that thing that is supposed to be Contempt of Court). They fail to do an internal review in the ICO’s recommended timescale. They claim to the ICO to have disclosed a contract to the applicant, but repeatedly fail to confirm that this has actually happened. They then use the applicant’s complaint to the ICO as an excuse not to disclose anything else. They claim that a disclosure will harm Capita’s commercial interests, even though they haven’t actually asked Capita what they think about the disclosure. The ICO tells the Cabinet Office that “it is essential that the Cabinet Office ensures that there is no repetition of these issues in relation to future requests”. This is the last time in 2013 that the ICO use the word ‘essential’ in this context. It’s January.

Decision FS50435121

The Cabinet Office carefully interpret a request about contacts with Common Purpose so that information they have already disclosed to another applicant is not disclosed. They refuse the request as vexatious (the ICO overturns this).

Decision FS504364434

The Cabinet Office fails to do an internal review in the ICO’s recommended timescale. It claims that the Statistics and Registration Service Act 2007 provides a prohibition on disclosure. It doesn’t. They try to use s22 (information published in the future) but are “unclear and inconsistent” with the ICO about when and by whom the requested information will be published. The Decision Notice states that the ICO normally offers one opportunity to explain the application of an exemption, but in this case, the Cabinet Office has failed to give a satisfactory answer at the third time of asking. One can only wonder why they get special treatment.

Decision FS50445422

The Cabinet Office applies an exemption without specifying which information is covered by the exemption in question. The applicant requests an internal review on 19th January 2012, and the Cabinet Office responds three months later. The ICO no longer uses the word ‘essential’ when discussing how important it is that the Cabinet Office not do this again.

Decision FS50457668

The request in question is made on 1st March 2012. The Cabinet Office respond on 10th May 2012.

Decision FS50461244

An applicant asking about training provided to David Cameron before his appearance at Leveson receives no information because he uses the phrase ‘coaching’ instead of ‘legal assistance’. At first, the Cabinet Office states it holds no information. At internal review, it claims that it holds information, but will publish the information in the future, citing a statement made by Jeremy Hunt about the publication of what turns out to be something else. When the ICO investigates, the Cabinet Office changes its mind again and decides it holds no information. It states that an objective reading of the request to say that the use of the phrase ‘coaching’ can only refer to a specific type of information. However, when the ICO points out that the applicant has asked for information about coaching “or” ‘preparation, the Cabinet Office reverts to a subjective reading of the request, claiming that the applicant uses ‘coaching’ and ‘preparation’ interchangeably, even thought this makes no sense in terms of what the applicant actually asked for.

Remember: I am receiving legal assistance, you are being prepared, he is being coached.

Decision FS50465008

The Cabinet Office refuse to answer a request because an email is not a document [Discuss]. They imply that you cannot request information unless you already know what it is, but at the risk of a Top Shop / Rihanna situation as regards the FT and Chris Cook, I’ll stop there.

Decision FS50465636

The Cabinet Office claim that no information is held based on a restrictive interpretation of the request. You’ll never guess what happens then. The internal review is completed outside the ICO’s recommended timescale.

Decision FS50466327

The internal review is completed outside the ICO’s recommended timescale. I know, me too.

Decision FS50472269

The Cabinet Office maintain a position of holding no information in relation to the applicant’s request until the ICO investigates. Guess what they find then?

Decision FS50474524

The Cabinet Office claim that telling the public how many times a committee on better regulation has met would affect ministerial collective responsibility. The ICO states that their arguments about the harm caused by disclosure are made as if the applicant has asked for other information.

Decision FS50475014

The Cabinet Office claim that they cannot find the requested information within the FOI timescales, but on internal review decide that the request is not valid.

Decision FS50478062

The Cabinet Office claim that ongoing investigations into the conduct of Jimmy Savile will be harmed because those involved will be less candid if information about why Savile received honours is released, an argument that the ICO regards as ‘highly speculative’. I agree that the use of the word ‘horseshit’ would probably have been unbecoming.

Decision FS50478062

The applicant makes their request on 9th July 2012. The Cabinet Office responds on 27th September 2012. The applicant requests an internal review on the same day. The Cabinet Office respond on 26th November 2012.

Decision FS50481901

The request is made on 28th November 2012. No response has been received by 21st January 2013. The ICO intervenes on March 6th 2013, and the Cabinet Office then ask the applicant for clarification, which he provides the same day. The Cabinet Office fail to answer and the Decision Notice is necessary simply to oblige them to do so.

Decision FS50490256

The Cabinet Office fail to give a valid response to an FOI request, and the Decision Notice is necessary to oblige them to provide an internal review.

Decision FS50498628 (22nd July 2013)

A Decision Notice is necessary to oblige the Cabinet Office to respond to this FOI request.

Decision FS5050001 (24th July, just over a week before Christopher Graham writes to the FT)

The applicant makes their request in September 2012, and only after being prompted on 8th March 2013 does the Cabinet Office promise on 10th April 2013 to reply by 8th May 2013. On 10th of June 2013, the ICO tells the Cabinet Office to respond by July 8th (nearly a year after the request was originally made). The Cabinet Office tell the ICO on the 17th July – less than three weeks before Christopher Graham’s stout defence of the ICO’s approach on the FT’s letter’s page – that they cannot possibly respond without the appropriate clearance. Which, I hope you’ll agree, is like slapping your buttocks heartily as you moon the policeman who is trying to arrest you.

I have no doubt that the ICO will continue to make variable FOI Decisions, many good, some appalling. But the FOI Act will remain unenforced, because someone in the Commissioner’s Office is apparently afraid of the Cabinet Office and is apparently obliging the boss to pretend that the Decision Notices as described above are going to to do the trick. They haven’t and they won’t. The Cabinet Office would fight tooth and nail to protect disclosures about the Schleswig-Holstein Question. They have learned nothing from FOI’s introduction. Moreover, every public authority, every quango, every council, every NHS Trust, every police force, every college, every last one of them from Walberswick Council up is entitled to point to the Cabinet Office and say, if you didn’t do them, you’re not going to do us. So why should anyone take the ICO seriously on FOI?

Chris Graham’s letter to the FT characterised the ICO as an FOI watchdog unafraid to bark when it needed to. The finest manager I have ever had (much love and respect to you, Kevin) once characterised the ICO as being the kind of hound who could at worst give you a nasty suck. These days, I’m not even sure Wilmslow could run to a love bite.

FOI is dead; long live the Cabinet Office.

Signifying nothing

I was an FOI / DP officer in local government for the first five years of FOI’s operation, and like everyone else in the field, I got used to spotting trends – certain topics would come up again and again, certain requests would follow certain events. Of course, I also got used to certain names – journalists from the Mirror, the Telegraph, and the Sunday Times, and activists / staffers from the opposition political parties. Reading an old article by the Bureau of Investigative Journalism about Michael Gove’s special advisers this morning, I was struck by how many names I recognised from those requests.

There is nothing remotely sinister about this. In opposition, the research departments of both the Conservatives and the Liberal Democrats (as well as some campaigning MPs and their researchers) made enthusiastic use of FOI, and so they should have. This is one of the things that FOI is designed for – to allow access to unpublished information so that authority can be questioned and challenged. The political motive is irrelevant. When the two coalition parties eventually find themselves in opposition again, they will use FOI to the same ends. Presumably, in those places where they are in local government opposition, they still do. Anyone who complains about this is naïve to the point of stupidity – oppositions oppose, and they will hunt out useful and inconvenient stories wherever they can find them.

I point this out not to criticise Gove’s minions for their use of FOI – I commend them for it. My point is to suggest that the Education Secretary’s current attitude to FOI and the way his circle have apparently tried to circumvent it is hypocritical and counter-intuitive. The evolutionary end of Gove’s three-year war with transparency and accountability is the public letter he wrote this week to the Information Commissioner, throwing in the towel over his attempts to allow religious and other groups to apply to run free schools in secret. Gove’s petulant missive was big on claim: “We are aware of personal attacks on individuals who simply want to improve educational standards and choice locally” and “We have been told of instances where teachers have lost their jobs simply by virtue of their association with a Free School application”. But it was short on detail. A few years ago, Gove managed to get massive headlines about unfair adoption practices based on a story that turned out to be an anecdote passed on by a third party which no-one in his department had checked. The language here is interesting – ‘We are aware’ and ‘We have been told’ are careful phrases perhaps intended to give Mr. Gove plausible deniability if his claims can be proved to be scaremongering bollocks.

If Gove wanted to make a public interest argument against disclosure of free school applicants, real evidence of personal attacks and what sound like potential illegal sackings of teachers would be gold. The thrust of Gove’s letter is that a legal and legitimate policy is being undermined by unfair and possibly illegal activities that will be exacerbated by the disclosure of the applicants. I have no evidence that Gove and his advisers have invented or exaggerated the mischief, but if these cases are real, it is very hard to understand why he is ducking the opportunity to present evidence of them to the Tribunal. It is even harder to understand why there is not currently a huge public effort to get the sacked teachers reinstated, and their tormentors punished. After all, it is not illegal to be involved in a free school, so why would Gove tolerate such appalling treatment and what is he doing to stop it, other than whining about nasty Chris Graham?

In a calorific interview with Jan Moir in the Daily Mail, Gove described himself as a Marmite politician. The one time I tried Marmite, I vomited so hard and for so long that I burst blood vessels in my nose, so I think I know what he means. But it does nothing for those who are not his acolytes that he tries to suggest that an independent public servant is somehow opposing or assisting those who oppose government policy merely by doing his job. We already know that whatever Gove used private email for, he didn’t have a sufficiently solid case to test its legitimacy at the Tribunal. We know that his Department has a sufficiently poor record on responding to FOI requests that they’re being subjected to monitoring again by the ICO. There are plenty of issues where Gove and transparency seem to have an unfamiliar relationship: sales of school playing fields, headteacher’s salaries, and his own policies to name three. Even Gove’s online cheerleaders won’t use their real names (whoever actually runs the  @toryeducation Twitter account, they are oddly ashamed of being associated with it in public).

The important thing about Gove’s letter is that shows that posturing and insults are no substitute for the rigour that FOI refusals require. The argument that the public have a right to know who wants to run schools in England is a solid and obvious one to make, and if Gove and his adjutants don’t have anything sufficiently concrete to counter it, then they have to accept defeat and move on.  The letter simply shows that Gove has nothing else – on this issue at least – but bluster. It doesn’t matter what his letter says or what bad faith it attributes to others. On the matter of FOI principle, the Secretary of State has come up empty.

The other important thing to note about Gove’s battles with FOI is the legacy he has left for those who follow him. As I said at the start, the same people that are allegedly trying to get around FOI originally found it valuable. By relentlessly exposing the Information Commissioner’s lack of appetite for taking on recalcitrant Government departments, Gove has taught the Labour Party a valuable lesson for the next time they are in power. The Information Commissioner will not take enforcement action against Gove’s department despite endless justification. I believe that the DfE are unable or unwilling to comply with a legal demand to get their FOI house in order, and issuing an Enforcement Notice would inevitably result in a confrontation the ICO does not have the stomach for. Chris Graham is the most effective Information Commissioner so far and he is a very smart communicator but  his office seems to struggle with properly enforcing FOI and Gove has proved it. One day, the coalition’s successors will lose an election (they didn’t win the last one), and once again, they will want to use FOI for wholly legitimate campaigning activities. However much Labour might now be trying to argue the case for FOI, they brought it in and then their Leader spurned it. Gove’s disdain for FOI may end up pulling up the ladder the next time his party needs it.

Not now, Brian, we’re busy

Imagine that you are employed by a mobile phone network. Somebody working for a claims management firm approaches you, offering a large sum of money to steal the customer database, especially the mobile numbers. They want to send PPI claim text messages to all of the people on the list. You download the customer data, sell it, and pocket the proceeds. Having got it, you decide to sell the list to a rival mobile company. You put the information on a disc, and flog it on eBay. The people who send the PPI texts could receive a Civil Monetary Penalty of up to £500,000 as they do not have consent. But even if you are caught and prosecuted, the worst that can happen is to the thief is a maximum £5000 fine. The offence is not recordable, so you will not end up with a criminal record. The chances of being caught are slim, but the deterrent is even smaller.

Imagine if the government had long ago realised that the fines were not enough, and had taken the trouble to amend the law to punish white-collar data thieves with up to two years in jail. But around the time the law was being changed, the Prime Minister of the day met with representatives of a special interest group. Despite the fact that the new punishment was not intended to affect this group and detailed measures had been taken to protect them, the lobbyists were not satisfied, and they demanded that the prison sentence be held back. Even though the chances of their industry being affected by the change were very small, they could not accept even the slightest possibility that any one of their number could even face the possibility of a night in a cell.

If anyone else had held the country to ransom and prevented changes to a law that were entirely in the public interest, the press would be up in arms, pointing the finger with relish. If unions, lawyers, doctors or social workers – indeed, any regulated profession or group – expected crimes to have puny, worthless punishments just in case one of their own was imperilled, the Daily Mail would shout their condemnation from the highest rooftop.

And yet, we have to swallow special pleading from journalists in the name of press freedom, and live with a rampant black market in personal data as a consequence. The Information Commissioner is obviously desperate to tackle it, but the results in court are often ludicrous. The man who received stolen medical data from his girlfriend to use for personal injury claims was fined £1050. He memorably boasted after the verdict We’re going to Bella Italia after this and I’m having a fillet steak. A bank worker stole information from her employer about the victim of a sex attack committed by her husband. Her punishment was an £800 fine. Whatever you think about the publication of the BNP member address list, a fine of £200 for endangering life (and probably risking mass misidentification) is almost satire.

This is what any journalist who attacks the data theft prison sentence expects us all to tolerate for their safety. Gone is ‘publish and be damned’, to be replaced with ‘publish and be insulated from the consequences’. A number of Parliamentary committees have called for the sentence to be enabled, and the Information Commissioner himself is excoriating about a system where the punishments for data theft are so derisory. In the recent past, the constant refrain from Government has been wait for Leveson. We cannot pre-empt Leveson.

And now, Leveson has spoken, and regardless of what you think about the doomed suggestion of statutory underpinning and regulation, the data theft issue is very simple. Leveson argues for the prison sentence to be made live. When passed, the Data Protection Act contained a public interest defence for those accused of stealing data or procuring stolen data. When the last Labour Government recognised the failure of the current system and sought to introduce the prison sentence, they also amended the DPA further, making clear that all a journalist needs is a ‘reasonable belief’ that they are acting in the public interest to escape prosecution. Even though the prison sentence was not brought into force, this additional defence was.

At this point, before saying something contentious, the sensible writer includes a few sentences about how important they think press freedom and journalistic endeavour are. The secret hope of every blogger is probably that their sublime writing will catch the eye of a sympathetic editor and they will be catapulted from the amateur sphere and be given a weekly column, or at least a spot of freelance at the Guardian. Biting that hand that hasn’t even picked up the food is surely blogger suicide. But I can’t be arsed. I honestly don’t want to live in a country where journalists get locked up for doing good work, but I think I live in a country where newspapers can get mixed up in axe murders with impunity, so I doubt that Fleet Street will crumble if I fail to invoke the spirit of Voltaire before suggesting something that hacks might see as a check on their activities. They have David Cameron, Michael Gove and Boris Johnson and that’s all they need.

Besides, I come to exempt journalists, not to bury them. I think that the only solution to the data theft problem is to remove journalists from the equation. Lord Justice Leveson proposes significant amendments to the S32 exemption from DPA, which currently allows those processing personal data for journalistic, artistic and literary purposes to escape virtually all of the Data Protection principles as long as this is ‘necessary’. I think Sir Brian’s ideas don’t address the bigger picture, and should be binned. The press will never support any infringement of their liberties, whatever the justification, and some papers will monster anyone who supports such a plan. Meanwhile, the possibility of a prison sentence is likely to have a much better deterrent effect on office workers, nurses and cops tempted to steal or suborn others to steal personal data than a paltry fine and no record. If newspapers feel that they face this threat too, scaremongering about investigative journalists (rather than phone hackers and dumpster divers) ending up behind bars for speaking truth to power (rather than figuratively or actually smelling celebrity knickers) will continue its harmful knock-on effect.

S28 of the Data Protection Act gives those using personal data for the purposes of national security a total exemption from its requirements. Rather than continue to have the debate on data theft railroaded by a sideshow that is becoming increasingly sanctimonious, let’s extend that approach to journalists. Give them a ‘get out of jail free card’ and stop our personal data from being plundered everywhere else.

Mother! Eat the Cookie! Eat It!

My favourite part of the Information Commissioner’s website is the blog, where a succession of ICO notables talk about how marvellous their particular corner of the business is. The enterprise appears to be modelled on the Opinion section of The Onion, and I look forward to each new instalment with childlike enthusiasm. I’m really hoping they let the Internal Compliance people do one about people who make subject access requests in green ink. They have my permission to publish the mugshot from my driving license.

In the meantime, the one entitled ‘Education key to cookie law success’ by Dave Evans is certainly worth a read. Evans opens his post with the startling claim that “One area where I’ve seen most progress is cookie guidance”, a statement that makes sense only if he’s talking about the document produced by the International Chamber of Commerce, but the rest of the blog is definitely about the apparently marvellous work the ICO has been doing on cookies. I’ve been running – with a growing sense of futility – online courses on the cookie law for more than a year, and in the context of the ICO, “success” and “cookies” are phrases that repel each other like the opposing poles of a magnet. Cookies affect the private sector at least as much as the public sector, and often, much more so. This perhaps explains why the ICO has found it so challenging. Consider some of the landmarks:

  • The ICO published guidance called ‘Changes to the rules on using cookies and similar technologies for storing information’ on 9th May 2011 that stated: “The new legislation comes into force on 26 May 2011. You need to take steps now to prepare and ensure you are ready to comply.” The Commissioner himself ‘urged’ website owners to get to work in an associated press release:
  • Two weeks later, the day before the regulations came into force, the ICO suddenly decided not to enforce this same law for a year.
  • Even though the Commissioner’s slightly patronising school-themed ‘Half-Term Report’ of December 2011 included the comment that “if you are struggling with this part of the rule you are seriously lagging behind”, six months later, Dave Evans was reported by The Register to have said “We don’t expect all organisations not compliant on the 27th to have some evidence of taking action to be compliant.”.
  • On 13th December 2011, the ICO stated that consent – the vital disputed issue at the centre of all the cookie confusion – “must involve some form of communication where an individual knowingly indicates their acceptance”. They deliberately highlighted this quote out on their website. Two days before the ICO ended its self-imposed cookie enforcement abstinence in May 2012, they issued guidance that stated, “while explicit consent might allow for regulatory certainty and might be the most appropriate way to comply in some circumstances this does not mean that implied consent cannot be compliant”.

In other words, anything to avoid going after the private sector. This unwillingness to take action was underlined by an interview Evans gave to a website  in April in which he said that the ICO might not to enforce against someone breaching the cookie law, purely because the website might lose money: “if a company’s revenue would drop if it went for a strict opt-in, then we could look at different ways of educating users and gaining consent”. Every cookie case has already been pre-judged as not meeting the threshold for a civil monetary penalty.

Even though the ICO’s current position seems to be ‘whatever it is you’re doing about cookies is fine’, some in the web industry are so frustrated they have taken to goading the Commissioner to take action against them . In response to this criticism, the ICO’s position probably reveals what lies behind the problem. A spokesman said: “It’s worth noting that this website criticises those regulations, but the ICO is responsible only for regulating those who must comply with the law, and not for how it was drafted

The ICO’s response raises the question of why the change happened in the first place. The argument about whether consent needs to be active or can be inferred from some specific action is a bit sterile – the intention of the change was clearly to shift the onus from users opting-out to websites getting evidence of users’ preferences. In the old version of the Regulations, users of the internet were to be given “the opportunity to refuse the storage of or access to” a cookie; in the new version, users must have “given his or her consent”. Few of the EU’s citizens spend fretful nights over the lurking menace of cookies on their computers, even those who are concerned over their privacy. Subtly dropped onto your machine by unseen electronic tentacles, the cookie is more insidious than the noisy spam text, but it’s equally easy to get rid of. Most web browsers include an option to reject them outright or purge them at the click of a mouse. So why make the change?

My answer to this question is simple, and it goes some way to explaining the ICO’s clod-hopping reluctance to engage with the cookie changes. The cookie changes are their fault. Though the story is a familiar one to many, I’m surprised that it hasn’t been revisited more often in recent months. Some years ago, a company called Phorm started to hit the headlines. The Phorm product (WebWise) worked like this: ISPs provide data to Phorm about the browsing habits of their customers using a cookie. Websites access the cookie, and knowing what sites had been browsed, allows them to display just random adverts, but ones tailored to the interests indicated by the recent browsing. Everyone makes money (except the user whose web browsing has been monetised).

Less ambitious / troubling versions of this idea are alive and well on the internet right now, but the idea of the ISP tracking your every move and selling the results to others didn’t go down very well with Joe Punter. The alleged KGB past of the company’s saturnine CEO Kent Ertugrul probably didn’t help public perception much, but what really lit a fire under Phorm was the revelation that the system had been tested by BT and none of the customers involved knew about it. I should probably put the Phorm / BT case that what they did wasn’t a breach of anything, that no personal data was gathered etc. etc. But their interpretation doesn’t convince me and more importantly, there was no reason to do the trial in secret. BT deserves opprobrium on that point alone. As the fury over the secret trial and the implications of the product itself increased, customers on all sides melted away, and Phorm pulled out of Europe altogether.

The ICO took no action against either Phorm or BT for the secret trial, and a perfect way to understand their approach is to track down a document entitled “Phorm: The ICO View”, published in April 2008, but no longer on their website (thanks, WhatDoTheyKnow for reminding me of it, and to @blepharon for this link). “Whether or not the deployment of the Phorm products raise matters of concern to the Commissioner will depend on the extent to which the assurances Phorm has provided so far are true. The Commissioner has no reason to doubt the information provided by Phorm but some technical experts have publicly expressed concerns.”. The instinct when dealing with big organisations, ‘stakeholders’ or the private sector is believe what you’re told and accommodate and ameliorate rather than act. It’s hard to believe a council or NHS trust being given the same generous benefit of the doubt.

Look at Google. When dealing with the allegation that Google had secretly slurped Wi-Fi data from thousands of UK citizens, former Assistant Commissioner Phil Jones and Dave Evans (remember him?) met with Google, resulting in a decision to delete all the inconvenient and potentially incriminating data, with no further questions. Google was a valued stakeholder needing only a friendly meeting, rather than a data controller that might have breached the law. Evans’ blog states: “In my experience of working as the ICO’s industry strategic liaison manager, the vast majority of businesses want to operate within the law”. But Evans’ experience ought to show that the Streetview data turned out to be more personal than previously advertised, resulting in the ICO having to ask Google to sign an undertaking. Their press release at the time said that Google had been ‘instructed’ to sign, but the whole point of an undertaking is that it is voluntary. Only now that this undertaking has apparently been breached has Google Streetview finally been passed to the Head of Enforcement. Altogether, it’s not quite a ringing endorsement of strategic liaising.

The softly-softly approach is the hallmark of Phorm: believe what you’re told, take no action against the big player. To take action on the secret trial would have been to take on BT, a challenge for which the ICO showed no appetite. As a consequence, as well as infraction proceedings against the UK, I suspect the ICO decision that Phorm use of cookies did not breach privacy, data protection or surveillance law in the UK made a change EU cookie law seem much more necessary. Monitoring and exploitation of web-browsing data is precisely the kind of thing that makes a shift in the balance necessary – had the ICO attempted to argue that the legal status quo did have something to say about Phorm, I doubt we’d be where we are now.

To misquote The Dark Knight, I believe in Chris Graham, the current commissioner. He clearly has more guts than his predecessor, he sorted out the shameful FOI backlog, he has taken more enforcement action than any of the three previous Wilmslow incumbents put together, and his public persona is polite but increasingly pugnacious, precisely the kind of attitude to persuade recalcitrant organisations to take Data Protection seriously. But the cookie debacle is evidence of the Old ICO alive and well: vague, deferential, ineffectual, and embarrassing. In other words, nobody’s definition of success.

NB: The tradition in writing about cookies is to use one of a limited number of obvious cookies puns or references in the title. I have chosen the most obscure I can think of, and if you recognise it, you should be as ashamed of yourself as I am.

Walk the walk

Chris Graham gave an impressive interview to the Guardian which is published today. It’s nice to see the Information Commissioner standing up for the principles of transparency and Freedom of Information in the face of what everyone can see is an establishment backlash. As the article says:

There are some very powerful voices saying it [the act] has all been a horrible mistake. Specifically, Tony Blair, Gus O’Donnell [the former head of the civil service] and the prime minister himself,” he said before adding the name of Simon Jenkins, the former Times editor and Guardian columnist.

To that list, we can also add Francis Maude, who imagines that he can make FOI redundant, and various slippery ministers who have allegedly been using private emails to get around legitimate scrutiny of their activities. Graham makes a compelling case, arguing that those who talk down FOI set the tone for everyone else. It cannot be a coincidence that the Cabinet Office’s record on FOI is dismal, given that it was until recently run by O’Donnell. The former Cabinet Secretary’s public antipathy towards FOI reared its head only when he decided to retire, but it’s probably a safe assumption that he wasn’t privately cheerleading for it before that.

Graham also skewered Maude’s patronising line on transparency, by arguing that “Sometimes the full story is in the background papers and minutes of meetings rather than just raw data.

Graham’s analysis is right. People don’t always pay attention to the people at the top (just look at what happened to poor Bob Diamond, an honest man undone by a tiny number of unruly minions), but if they are given any excuse to be lazy, or to misbehave by the example set higher up, they’ll do it (just look at what happened…). I know of an organisation where the head of IT complains that having to remember a password to activate their Blackberry is too onerous and makes them look daft. The person responsible for Data Security might as well quit for all the good their efforts will do. If David Cameron was the politician he claimed to be – the one who offered ‘the most open and transparent government ever‘ – then his approach to FOI would be very different. No-one would have believed Cameron if he pretended he was a big fan of the legislation, but a respectable politician would acknowledge it as an inconvenient but necessary part of an accountable democracy. Instead he whinges about FOI furring up the arteries of government while the Cabinet Office holds secret information on plans to charge for FOI requests that they at first claim does not exist.

Graham’s aplomb at dealing with the media draws a sharp and creditable contrast with his hesitant predecessor. Occasionally, there is misjudgement (as I said before, “wake up and smell the CMP” was an awful headline and whoever came up with it should be made to sit a corner for a while). Nevertheless, the Commissioner is saying the right things and anyone who supports FOI should be happy that he isn’t congratulating himself for not taking on the big targets, which is what Richard Thomas did at Leveson.

The problem for Graham is clearly not a lack of ambition or self-belief. In one sense, the problem of doing the job of championing transparency is that you have to do it in a world shrouded in bullshit and euphemism. I listened to less than an hour of of BBC Radio 4’s Today programme this morning, and as well as all the usual spin and lies, even the language was dishonest. After John Humphrys took someone to task for describing G4S as a ‘partner’ instead of a ‘contractor’, I started to hear the word everywhere, and never in a truthful context. Corporations bankrolling the Olympics were ‘partners’ rather than ‘advertisers’; TV companies screening Scottish Premiership Football were ‘partners’ rather than well, TV companies. Everyone wanted to wrap professional and commercial relationships in a blanket that implied a shared and personal endeavour, rather than each side being interested only in getting what they could out of the deal with minimum effort. The same circumlocutions infect politics and government, national and local. Doing the FOI job in these circumstances is like wading through custard.

However, one thing he can do is keep his own house in order. The Tribunal often has to criticise the ICO for their handling of FOI compliance – read paragraph 25 of this recent decision for a good example. The ICO ignores its own guidance on FOI by challenging an FOI applicant using an obvious pseudonym for no real reason, and then exemplifies the inherent flaw in that guidance by backing down the moment the fake-named applicant pushes back. More seriously, a certain blogger asked a sensible question about information notices and ended up finding out that the ICO doesn’t know how many information notices they have issued under FOI. As well as the clear implication that ICO staff are not following their own procedures (if they were, it would not exceed the FOI cost limit for the ICO to find all of the notices), there is a bigger point that whoever is corporately responsible for FOI strategy within the Office doesn’t have all of the information they need to do their job. How can they look for patterns of underlying problems (which multiple info notices would suggest) if they don’t even know how many they’ve issued?

I am, of course, assuming that someone is doing this, rather than everyone frenetically trying to keep the backlog on a leash. If they’re not, Graham’s words turn to ash in his mouth. Things are better than they were. Graham’s profile is bigger. The frenetic backlog bashing does at least mean that organisations cannot rely simply on the passage of time to escape accountability. I don’t imagine ministers slept easy in their beds when the ICO stood its ground on private email (and ministers should never sleep easy). For all of these things, Chris Graham deserves credit. But talk is cheap. Until the ICO can show that its own FOI and records management practice is exemplary, it cannot lecture anyone else. Until it shows that the most recalcitrant government departments will be brought to heel on FOI, every council and NHS trust will be justified in saying that they’re busy and under-resourced, and FOI is a burden they don’t need.

So two cheers for being a great advocate – the third is reserved for delivery.