The Secret Seven

Last year, I wrote about the fact that Councillor Alex Ganotis, Labour leader of Stockport Council is also a group manager at the Information Commissioner’s Office. After an FOI request, the ICO admitted that he managed the teams responsible for complaints about political parties and local councils. At the time, I argued that this was an unacceptable conflict of interest, and something had to be done about it.

In May this year, shortly after being elected as Manchester’s new Mayor, Andy Burnham appointed Cllr Ganotis as his Environmental Tsar. You can watch a video of the announcement here, and ponder such fascinating questions as why Burnham’s nose is so red, or why throughout the first two minutes, the camera keeps cutting to a wide shot that captures Ganotis’ uncomfortable facial expressions while Burnham is talking. The announcement piqued my interest. If he was organising a grand summit of environmental worthies, would Cllr Ganotis really have time to work at the ICO? And if so, what effect would the review into political activities that Elizabeth Denham announced have on his role?

I made an FOI request to the ICO for the following information:

1) In 2016, the ICO confirmed to me that Alex Ganotis was manager of the team that dealt with complaints about councils and political parties, despite being Leader of Stockport Council at the time. Can you confirm whether Mr Ganotis is still a member of ICO staff, and if so, what is his current job, and what arrangements have been made to avoid any potential conflict of interest?

2) What is the current ICO policy and process for dealing with political party affiliations and potential conflicts of interest?

3) In August 2016, the Information Commissioner announced in an interview with the BBC’s Martin Rosenbaum that she had ordered a review of the involvement of ICO staff in political activities. I would like to see any report or findings arising out of the review, or other summary of the review and its findings, and details of any actions that were taken as a result of it.

4) I would like to receive all current declarations made by any member of staff of involvement in political activities

5) What specific measures have been taken in respect of each staff member who has made a declaration to ensure that there is no conflict of interest?

The response made for fascinating reading. For one thing, Cllr Ganotis remains a Group Manager at Wilmslow and although his group no longer deals with political parties, it still covers issues related to all local authorities in the UK except for those in Greater Manchester, Cheshire or Derbyshire. How politicians and others in every council outside the North West feel about complaints about their authorities still being supervised by the Leader of a Labour Council and a close ally of Andy Burnham is hard to judge. They might be thrilled. Maybe the ICO should ask them.

The report I received under item (3) of my request did contain an option to remove Cllr Ganotis from work involving local authorities altogether, but one of the reasons that this option was not recommended was the fact that “it could be seen to question the professionalism of Alex and other members of staff and their ability to apply the law without bias or political influence“. How Cllr Ganotis’ political career could possibly be seen to reflect on other people is beyond me, but it is jarring that a significant factor in the decision to keep him involved in council work might have been the effect on him, rather than the Commissioner’s ability to operate independently. To be blunt, the ICO as a whole is more important.

UPDATE: I have attached the ICO’s report into the conflict of interest here, so readers can judge whether how objective and balanced it is: Commissioner Information Note – Political Activities.pdf

Unless every team in the ICO handles complaints about local authorities (and to lesser extent, government), Cllr Ganotis should have been moved to one that doesn’t. Having decide to pursue a high-profile political career, asking him to make a sacrifice to avoid conflicts of interest and their perception would not be too much. I am surprised that Cllr Ganotis has not requested such a transfer himself. To risk even the perception of influence over decisions about politically-run organisations, and at the same time pursue a high-profile political career suggests either an enormous amount of faith in one’s ability to compartmentalise, or just old fashioned hubris.

The review identified gaps in the ICO’s Political Activities Policy, with recommended “updates” including a stipulation that staff must avoid party political activities which might impair their ability to perform their duties impartially, a requirement to inform the ICO if their activities or areas of responsibility change, and the scope to remove permission to undertake political activities if an individual’s ICO role or political activity changes. Needless to say, this means that none of this existed before.

The rest of the FOI request suggests a continuing unwillingness to face the issue of political involvement. Including Cllr Ganotis, eight staff members have made declarations of involvement in political activities, but the ICO refused to tell me who the other seven are, or what they do, claiming that the data is sensitive personal data. This is true, but it is not automatically a barrier to disclosure. For one thing, the Secret Seven could be asked for consent, and this is not the only route to disclosure.

There is surely a legitimate interest in knowing whether people working for an independent regulator such as the Commissioner have political affiliations, especially when you consider the ICO’s involvement in political matters. Over the past few years, the ICO has fined Leave.EU, David Lammy MP over his London Mayoral Campaign, the Daily Telegraph for its pro-Tory emails during the 2015 election, and in recent months, they took no action against Virgin Trains following Jeremy Corbyn’s antics in a train vestibule. More importantly, the Commissioner herself announced a formal investigation into the use of data analytics for political purposes with no small amount of fanfare, involving 20 staff. The ICO is knee-deep in politics and transparency over the declared political activities of the staff is in the public interest.

As the data is sensitive personal data, legitimate interests would not be enough; a condition must also be met from Schedule 3 of the Data Protection Act as well. One of the conditions is that the Data Subject has put their sensitive data into the public domain. If, for example, a senior ICO staff member was to mention on their LinkedIn page that they were a Councillor for 9 years, the Campaigns and Communications Officer for an MEP for five years, listed the Liberal Democrats as one of their main interests and was recommended for ‘politics’ and ‘political campaigning’ by dozens of people, I think I can argue that at least this one has manifestly made their political views public. The ICO refusal says “our staff do not have a reasonable expectation that their declarations would be disclosed into the public domain“, but the staff member in question was a candidate for the LibDems in the 2015 General Election, so I humbly suggest that the cat is out of the bag. Either this person is one of the seven, and the ICO’s arguments are false, or they haven’t made a declaration, and the ICO’s claim to me that “the review and policies are sufficient to demonstrate that we avoid conflicts in our work” is nonsense. Again, did they consider this before refusing me?

Every national, local, or internal party election or referendum runs on personal data, and personal data is exploited, analysed, shared, lost, stolen and misused in every single one of them. If you can name a major vote in this decade that hasn’t resulted in a DP snarl-up, you’ve a better memory than me. If there is one word that shines through everything the Commissioner sent me on this topic, last time and this time, it’s  complacency. The policies and procedures that existed before and the ones that have replaced them are built on an obvious assumption that a box needs to be ticked. Of course nobody is actually going to do anything untoward, the managers are on top of it, staff will proactively declare any conflicts of interest and besides, we have a procedure. But they thought it was all fine before. If I had not written my blog last summer, Cllr Ganotis would still be responsible for managing complaints involving his council, his party and his opposition.

I don’t think the Commissioner’s Office takes this seriously. I am amazed that Alex Ganotis is still allowed any influence over the ICO’s decisions about local government, regardless of how objective or benign that influence might be. I am appalled that anyone in the ICO’s senior management could think that this is acceptable. Every time the Commissioner acts or doesn’t act on a political issue, do we always need to ask: who was involved? What bias, conscious or unconscious, did they bring to bear? What other interests do they serve? In a world dominated by fake news and internet froth, the ICO’s independence and objectivity should be their highest priority. It isn’t.

Number crunching

At least according to Wikipedia, St Basil of Caeseria is the patron saint of hospital administrators, while lighthouse keepers enjoy the patronage of both St Dunstan and St Venerius the Hermit. In the light of such specificity, it seems unjust that Freedom of Information Officers have no more appropriate option that St Thomas More, who covers the broad spectrum of politicians, statesmen, lawyers, civil servants, and court clerks. My vote would go to St Jude, who sponsors lost or hopeless causes, although a case could possibly be made for St Alban, who as well as converts and refugees, is the patron saint of torture victims.

St Albans Council hit the local headlines in September, when the St Albans and Harpenden Review reported the huge burden on the council represented by FOI requests. Councils bleating about the cost of FOI is not a new story, and I have complained about it repeatedly. But fans of the genre will have enjoyed some novel twists among the usual invented cost totals and reassurances that the Council takes FOI seriously. For one thing, the Council Leader Julian Daly aimed his fire at commercial companies rather than the public: “what makes me particularly annoyed are requests from businesses using FOI to get detailed information for commercial gain, instead of investing in market research“. Paul Bradshaw has already beaten me to the observation that businesses, like the public, are taxpayers anyway, but more importantly, it’s hard to imagine how a company would get market research data in any other way than FOI, unless the information was already published.

A second element was even more intriguing. In breaking down the percentages for April to June, St Albans claimed that as well as the whopping 57% of requests from commercial applicants, 13% of requests were from the Metropolitan Police. The technical term for this is bollocks, but I didn’t want to say so without checking. I made an FOI request to St Albans Council after the story resurfaced in the Herts Advertiser in October, and the results were interesting.

One question I asked was: “Did any of these police requests mention ‘Freedom of Information’ or ‘FOI’?“. Although they devoted several paragraphs to explaining their FOI process, St Albans did not actually answer, so I am going to assume that none of them did. It is true that an FOI applicant does not need to specify that they are making an FOI request, and St Albans drew my attention to a section on the Information Commissioner’s website which says that any request for information that is plainly not an EIR or a subject access request should be treated as an FOI: “Any other non-routine request for information you hold should be dealt with under the Freedom of Information Act“. It is always unwise to rely on the ICO’s website, which is generally written as if the reader is a nine-year-old; complexity and subtlety are studiously avoided. Nevertheless, even on the face of it, the ICO’s text does not support St Albans’ interpretation. A request from the police as part of an investigation is plainly ‘routine’ – St Albans received more of such requests than they did FOI requests from the public, a total of 35 in one three month period.

More importantly, when I asked how many of the Met Police requests were made under Section 29 of the Data Protection Act (i.e. made explicitly under completely separate legislation), they admitted that all of them were, and any data was disclosed under that section. It’s not clear (and I probably should have asked) whether St Albans formally refused these requests under FOI before disclosing under the DPA, but I bet that they didn’t. The police were using the Data Protection Act for what the ICO’s Data Sharing Code of Practice calls a ‘disclosure’, and what is more commonly (though less accurately) known as a data sharing request. They were asking not that the data be disclosed under FOI, but that it be disclosed one data controller to another, for the purposes of conducting a criminal investigation. The idea that anyone could think that this was an FOI request is nonsense.

It’s entirely logical for the same people who process FOI and EIR request to also handle subject access and DPA disclosures. Indeed, given that there is currently no formal obligation in England, Wales and Northern Ireland to collate and report FOI statistics to anyone, there is no reason why St Albans’ information requests team shouldn’t lump all of their workload into one system to keep track of it all. It would be nobody else’s business if they did. It’s possible that when the issue came up, the police requests were included by mistake.

The problem comes in the way that St Albans have tried to use the volume and cost of their requests as part of the FOI burden narrative that local government is still enthusiastically engaged in. A statistically significant portion of the requests they complained about were nothing to do with FOI at all. If St Albans Council can afford to stage free PR events for Eastenders Actors, then local taxpayers of any type making FOIs should pass without comment. However, if we are to have a debate about the FOI burden, it has to be conducted honestly. The Herts Advertiser version of the story remarked that St Albans received markedly more than surrounding authorities, and I can only conclude that this is because Dacorum and Watford don’t count electricity bills and stuff written on toilet walls in their FOI totals.

I don’t blame the FOI officers for this; I assume that most of the anti-FOI propaganda is generated by PR teams, senior officers and politicians. But given that it is certain that the St Albans figures have been exaggerated by the inclusion of police requests, any assertion they make about the total cost, the average cost to households, even the total number of requests that they have received, is meaningless. If public authorities want to talk about FOI, they have to start by getting their facts straight.

Tales from the Crypt

If you don’t work in local government, you may never have encountered the Local Government Ombudsman, an organisation devoted to giving nutcases somewhere to grind their axes investigating possible maladministration in councils. The scope of the LGO’s work includes everything that councils do, but inevitably many complaints are about the most sensitive areas: child protection, looked after children, adoption, and adult social care. In dealing with complaints from the public, the LGO gets access to genuinely and (in Data Protection terms) legally sensitive information. Inevitably, given that councils have been the target of more ICO civil monetary penalties than any other sector, largely because councils are dumb enough to keep dobbing themselves in to Wilmslow, many are keen to use the most secure way of sending this confidential data to the Ombudsman.

It may seem odd, therefore, that the LGO sent an email to councils last month, containing the following message:

Encrypt or not to encrypt – that is the question …..

We’ve had a number of issues accessing encrypted emails which have been sent to us by councils. Whilst we appreciate that your information security policy may dictate how you send information to us, if there is any discretion please only send encrypted emails when it’s absolutely necessary.

Someone mentioned the gist of it to me, but I made an FOI request to the LGO to be certain that they really were sending out such a daft message. The LGO’s Information and Records Manager rather sweetly explained in their response to me that “our intention in sending this request was discourage councils encrypting emails that contain no sensitive personal or confidential data. Of course, if councils are sending sensitive personal data we would expect them to encrypt it – as we would do ourselves“. This is a useful piece of context for someone asking for the information under the auspices of FOI. However, this isn’t what they said to the numerous council link officers who received the email, and who were expected to act upon its contents. It’s almost the opposite.

Encrypting devices within an organisation is an easier proposition, as all the devices and connecting software are already part of the same system. The problem with encrypting email is undoubtedly that it involves different systems and protocols butting heads in the attempt to make a connection. The LGO pointed out to me that their case management system contains its own email system which can make receipt of an encrypted email difficult. But this is the LGO’s problem and nobody else’s. Councils have no choice about whether to supply data – one of the ‘key facts’ about the LGO on their website is that “We have the same powers as the High Court to obtain information and documents“. Given the ICO’s historic fondness for fining the sector for data security lapses, if councils opt for encryption by default, they should be applauded, especially by the organisation set up to investigate their conduct.

This will inevitably pose problems for the LGO internally, but the solution to this is not to encourage councils to reverse sensible changes in behaviour that another regulator has been pushing them into. They are a regulator whose job it is to deal with a diverse and multilayered sector with widely disparate cultures and practices, and they have to be capable of swallowing the inconvenient implications of it this. However difficult it might be to cope with, especially without the clarification provided to me in my FOI response (and as far as I know, to no-one else), the LGO’s current advice is damaging and unsafe. Councils should ignore it, and the LGO should withdraw it.