Taking the piss

On page 74 of the Information Commissioner’s newly published Annual Report, you can find the welcome news that the ICO reduced the amount of water in flushing toilets and the timings of auto flushing in urinals. Sadly, the expansion of the organisation’s footprint in Wilmslow, due to swelling numbers of staff, has led to an increase in overall emissions (insert your own joke). There is an abundance of other information about other environmental issues, including paper consumption and car journeys,

Strangely, if you look for information about one of the landmark events of UK Data Protection in 2019 – 2020, there is no sign. In December 2019, the Information Commissioner issued its first ever penalty under the General Data Protection Regulation against a company called Doorstep Dispensaree. Several pages of the report are taken up illustrating “The Year in Summary”, and the only thing mentioned for December is the launch of a consultation about AI. It’s not that the ICO had so many things to report on; one of the highlights for June 2019 was “The Information Commissioner makes a speech at a G20 side event in Tokyo“. Odd that an event which is very much the ‘only invited to the evening do’ of international speaking gigs makes the cut, but the first and so far only UK GDPR fine does not.

There are several reasons for this, I believe, all of which go to the heart of what is wrong with Elizabeth Denham’s disastrous term as Commissioner. The first is Denham’s vanity, mistaking public appearances and headlines for actual achievements. Allied to her Kim Jong Un tendencies is the prioritisation of international work and pet projects over the basics of regulation. Finally, there is a fundamental dishonesty at play – it should be deeply embarrassing for Denham that she hasn’t made a serious attempt to enforce the GDPR in two years. Because it is evidence of this failure, Doorstep Dispensaree (a solid and encouragingly detailed enforcement case that should have been the ICO’s bread and butter during this period) is written out of the story. It didn’t happen.

Most of the report is a soup of meaningless buzzphrases, presumably designed to disguise the hollow nature of what is being described. There have been “deep dive sessions” with the “most significant Digital Economy Stakeholders“, an “Innovation Listening Tour” and an “Innovation Hub”, which the ICO hopes to open up to “innovative organisations” like “catapults” and “incubators“. I think all of this that they’ve had lots of meetings; the outcomes are impossible to identify beyond wonderful “engagement“, a word which appears 22 times (‘penalty‘ appears 4 times).

It is possible to identify a couple of interesting themes. One is the ICO’s determination to support capitalism and The Man. One of the main strategic goals is “enabling innovation and economic growth“, while another is increasing trust and confidence in the way personal data is used. These are not regulatory outcomes, they are economic goals. Actual enforcement of the law is demoted to the fifth out of six goals. The ICO has established a team of people to work on the economic growth agenda, led by a Head of Economic Analysis seconded from an organisation that Wilmslow has decided we don’t need to know the name of.

The other obvious strand is both depressing and familiar, especially to an ICO refugee of such ancient vintage as myself. The joke in the ICO when I was there (2001 – 2002, fact fans) was that it didn’t matter that we never took action because “thinking is doing”, a phrase attributed to Francis Aldhouse, the Deputy Commissioner at the time. Thinking is Doing paralysed the ICO for years, but the spell was broken first by the impossibility of ignoring the cycle of security breaches begun by HMRC’s lost discs, and then by Chris Graham. For all his flaws, Graham revolutionised the ICO by allowing his staff to demolish the shameful FOI backlog and embrace the penalty powers that the lost discs fiasco gifted to Wilmslow.

Thinking is Doing is back. Doorstep Dispensaree (a thing that happened) doesn’t warrant a mention, but the BA and Marriott penalties (things that did not happen) are mentioned approvingly because they “received a large amount of media attention

One of the case studies in the Annual Report covers the ICO’s investigation into Ad Tech. After a flurry of meetings, press releases and agreeable dinners at Cibo, the ICO was supposedly poised to rewrite the internet, but instead, the Executive Director of Shiny Things Simon McDougall promised that whatever they did, ICO would not to spoil the ad industry’s Christmas. Then, when Covid-19 gave him cover, he dropped the whole thing like a stone. McDougall is paid between £115,000 and £120,000 per year, and his contract has been renewed until July 2021, for reasons I cannot begin to understand.

The closer that the report gets to reality rather than Denham’s preoccupations with politics and online harms, the harder it gets to spare her blushes. The report cites 236 instances of “regulatory action“, but it’s really hard to work out what this means. Of that total, just 15 are fines, 7 are enforcement notices, and 8 are assessment notices (i.e. mandatory audits). There are 8 prosecutions and 4 cautions. 54 of the “regulatory actions” are in fact information notices, which do not represent action at all.

An Information Notice is an investigatory tool which might led to action, and might not; in itself, it’s just demanding information. What are the other 139 “regulatory actions“, and why doesn’t the Commissioner what to admit what they are? Has there been a blizzard of warnings and reprimands that are being kept secret? Or, as the inclusion of information notices denotes, is the maths necessary to create the 236 more akin to gymnastics?

The report boasts of ICO intervention in a number of court cases, and happily sets out their successful involvement in the Elgizouli case. It’s a sign of how thin-skinned Denham’s ICO has become that they can’t bring themselves to admit that in the other two cases they cite (the challenges to South Wales Police’s use of facial recognition and the DPA’s immigration exemption), they backed the losing side.

In the end, the figures don’t lie. The toilet flush numbers are encouraging, but other information is less reassuring. The ICO set itself a target of resolving (i.e. closing) 80% of complaints within 12 weeks. Despite receiving less complaints than in the previous year, gaining 100 staff and receiving a massive boost in funding, they managed only 74%. 84 cases are more than a year old. Despite 46% of complaints received being about subject access, the ICO took no enforcement action against subject access infringements in the period.

Perhaps most damning of all, the total number of fines issued in the period (£2,409,000) was less than half what it was in 2018 – 2019 (£5,436,000). There are people who praise the ICO for their guidance and conference appearances, but this is like measuring the police for their road safety demonstrations in schools. The ICO isn’t a “proportionate and practical regulator” – it’s far from where it should be, achieving nothing but emissions of hot air.

Denham’s foreword has an almost valedictory tone. There’s a strong effort to defend the ICO’s determination to spend time on anything as long as it isn’t related to the UK, but the final thought is about how Denham thinks she has achieved her objective of transforming the ICO into “an information rights regulator that is helpful, authoritative, tech-savvy, practical and firm“. While what she’s actually done is hollowed out a passable regulator and turned it into an ineffective, politically biased think-tank, the only positive thing I can take away from this annual report is the hope that if Denham thinks it’s mission accomplished, she will move on to pastures new. Hopefully her successor will have some experience at putting out fires.

Role playing

A few weeks ago, the Data Protection world was shaken by a decision from the Belgian DP Authority to fine an organisation €50,000 after they appointed their Head of the Compliance, Risk Management and Audit department as their Data Protection Officer. I’ve commented before about my frustration that too many organisations are unable to comprehend the independence and relative freedom of the DPO role as anything other than a senior-level job – in such places, the role is a DPOINO, a Data Protection Officer In Name Only, with a younger, more junior but much more expert person actually carrying out the role. The DPOINO in these organisations is usually a middle-aged white man, and the real DPO is a younger woman. I imagine you are shocked to read this.

The Belgian decision is not ridiculous – it is difficult for someone in a senior position to escape decisions about hiring and firing (for example) or system design, activities that risk dragging the incumbent into determining the purposes. If the DPO was less senior, even in the same department, the risk of conflicts of interests would be lower. There are better, more imaginative models, but I think seniority is always fatal. Needless to say, some commentators have drawn more other conclusions.

Writing for Scottish Housing News, Daradjeet Jagpal questioned whether it was time for his audience (Registered Social Landlords in Scotland) to review their DPO appointments. Despite this being a single case in a foreign jurisdiction with tenuous direct application to a non-EU country like the UK, Jagpal fell back on the consistency mechanism, and warned his readers that the ICO might adopt the same approach, skipping over the fact that Wilmslow’s approach to the GDPR has been to go to sleep. A quick survey of the possible candidates – mainly heads of various RSL departments – do not make the grade for Jagpal, and rather patronisingly, he dismisses the idea that a Corporate Services Officer would be “comfortable or sufficiently confident to challenge the CEO on non-compliance“. Take that, many DPOs who I know and love.

Jagpal comes to the conclusion that “The obvious solution is for RSLs to appoint an external DPO” which is remarkable, given that Jagpal is described in the article as “a leading provider of outsourced DPO services to RSLs across Scotland“. I’m not suggesting that he’s is over-egging the Belgian decision for nakedly commercial purposes, but he does place weirdly heavy emphasis on EU standards and pressures which are clearly either dead or dying for Brexit Britain, and he barely entertains the idea that Scottish RSLs might just appoint a DPO in-house.

To be fair, the Belgian decision is a real thing that happened, and while I disagree with Jagpal’s assessment of its implications, he’s accurately described the situation. The same cannot be said of everyone in the outsourced DPO sector. In a webinar hosted by everyone’s favourite LinkedIn spammers, Data Protection World Forum, the CEO of The DPO Centre, Rob Masson decided to get creative. Masson spoke of the “quite strict guidelines” (AKA legal requirements) about who can be a DPO and the importance of avoiding conflicts of interest. He went on to say “we’ve got to remember that the role of the Data Protection Officer is to represent the needs of the Data Subjects. It’s not necessarily to represent the needs of the organisation.”

None of the specified DPO tasks refer to data subjects. They require a DPO to advise the organisation on data protection matters, monitor its compliance with the GDPR and other laws, advise on and monitor the effectiveness of data protection impact assessments, and liaise with the Information Commissioner’s Office. If you wanted to be exceptionally generous to Masson, you could interpret the whole of the GDPR as reflecting the needs of data subjects to have their personal data properly regulated, and from there spin the DPO’s role as a facilitator of that. But that’s also nonsense. It’s as much in the interests of an organisation that the personal data they use is accurate and secure as it is for data subjects. The GDPR sometimes allows controllers to retain data despite a subject’s objection, to keep processing secret from them when it might prejudice certain purposes, and to balance their own wish to use data against the impact on the subject, deciding to use it without consent when they think they’ve assessed the situation properly.

If we’re talking about the needs of the organisation, I’d argue that most of the GDPR’s requirements reflect the needs of the controller. Some organisations are too lazy or stupid to see it, or they’re getting advice from the wrong people. It might seem like disposing of personal data that you genuinely don’t need any more is an unwelcome imposition, but it’s very much the healthy option. To use Masson’s own word, GDPR is the spinach that the organisation *needs*, even if it might prefer the Big Mac and Fries of not thinking about it.

A77 gives the subject the “right” to lodge a complaint with the relevant supervisory authority. A39(1)(a) says that the DPO “shall” inform and advise the organisation of their obligations. Contrast these provisions with the words in A38(4), the only element of the DPO articles that refers to subjects: “Data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights under this Regulation.” This obviously means that the DPO ought to be accessible to data subjects (one of my objections to senior DPOs is that they won’t go for this), but it also shows Masson’s version to be fantasy. There is no right to reply, no hint that the DPO is the subject’s advocate or representative. They’re at best a conduit for concerned subjects.

Obviously, the DPO isn’t just the loyal servant of the organisation, and they have to reconcile being an employee and an independent advisor. I disagree with Jagpal’s dismissal of junior officers as being capable of standing up to CEOs because I know so many who do it regularly. But he’s reflecting a real problem that many DPOs face. If the senior people don’t want to take the DPO’s advice, they are in an invidious position. Until the ICO shows that it is willing to back DPOs in these kinds of situations, it’s going to remain a precarious and stressful job for those facing unsympathetic management. Masson’s characterisation can only make this worse, feeding a perception that the DPO is not even there to help the business, but to pursue the interests of data subjects. Subjects come in all shapes and sizes, but some of them are hostile, difficult and aggressive, and telling a CEO who already doesn’t take data protection seriously that their DPO represents these people’s interests is toxic. This snake-oil may seem slick on a bullshit webinar, but if this unhelpful message reaches workplaces with already unsympathetic management, it’s going to make the work of beleaguered DPOs even harder.

I wonder if it’s a coincidence that Masson’s misreading of the GDPR could benefit his business – if the DPO really is there to serve the needs of the data subject, doesn’t an external figure make more sense than an in-house officer who won’t be doing what you want them to do anyway? There’s nothing in the GDPR that would make you think that this version of the DPO is correct, so it has to come from somewhere. If that’s it, rather than simple ignorance, I wonder if Masson has the guts to try to hawk this stuff in a forum where people might actually challenge him.

At this point, you might be thinking, so what? People talk shite to get business. They predict SARmageddons. They shout about 4% of annual turnover fines. They claim that first-tier decisions in Belgium should make you change your DPO.  Does it matter? Doesn’t every sector have its share of hype and froth? The answer is that I have to work in this one, and I think the truth matters. I also have to clean up other people’s bullshit. I have to overcome the hype and the scaremongering spread around by the other people in my industry. I know the popular mantra is that commercial folk should all be pitching in and helping each other, but by spreading misinformation, the likes of Rob Masson are already not doing that, so why should I?

The Information Commissioner’s Office isn’t going to enforce against organisations with an imperfect DPO choice – perhaps they should, but they won’t. They’ve done one GDPR fine in two years and I doubt we’ll see another one in 2020. Sidelined by government in the coronacrisis, facing a review from the DCMS (pointedly not postponed despite the pandemic) and humiliated by the collapse of multiple high profile actions, the ICO is an irrelevance. I’ll be surprised if they survive in their current form. The reason to choose the right DPO is that an independent, challenging person in the role will help organisations to make intelligent decisions that will build a culture of more secure, more accurate, more effectively used data. The DPO isn’t the voice of the subjects, they’re a valuable asset there to guide and assist the organisation. I won’t sell a single course place by saying so, but that doesn’t make it any less true.

 

SARmaggedon Days Are Here Again (Again)

Reading my emails, a headline leapt out at me: “The hidden cost of GDPR data access requests“. It led me to BetaNews, a website that looks like it is trapped in 1998, and a story describing research into SARs commissioned by Guardum, a purveyor of subject access request handling software. A sample of 100 Data Protection Officers were consulted, and you’ll never guess what the research uncovered.

SARs, it turns out, are time consuming and expensive. I award 10 GDPR points to the Guardum CTO for knowing that SARs weren’t introduced in 2018, but I have to take them away immediately because he goes on to claim that “There has also been a marked change in the way that lawyers are using DSARs as part of the data discovery process.” Apparently, lawyers are using SARs now. Imagine that. The article goes to say that “Fulfilling DSARs can involve finding, compiling and redacting data in digital and paper format across multiple departments both on company networks and in the cloud.“. There’s also a bit of a spoiler about whether the Pope is a Catholic.

According to Guardum, the average cost of a SAR is £4,884.53, the average DPO receives 27 SARs a month, and each one takes an average of 66 working hours to deal with. The article didn’t explain how these figures were arrived at, so I eagerly clicked the link to visit Guardum’s website for the full results. What I found was a fountain of guff. Strip out the endless bar and pie charts, and what Guardum wants to say is that 45% of the DPOs surveyed would like to automate some of the process because of a predicted landslide of SARs, provoked by angry furloughed and sacked staff.

I’m not sure about the logic of this – I can understand that everyone who loses their job will be upset and probably angry, and I’ve certainly dealt with lots of SARs related to a suspension or dismissal. But in those cases, the action taken was personal and direct – an individual was singled out by the employer for the treatment in question. I don’t see why people losing jobs in a pandemic will be so determined to send a SAR. It’s not like the reason for their predicament is a mystery.

The survey questions are opportunistic at best, and at worst, seem designed to allow Guardum to paint this picture of anxious DPOs uncertain about how they’re going to handle the post Covid-19 SARmageddon that the company is evidently desperate for. 75% of respondents are described as having difficulties dealing with SARs during the lockdown, though this actually translates as good news. 72% are coping but expect a SAR backlog when they get back to the office, while just 3% fearing a ‘mountain’ of requests. The headline on one slide is that 30% anticipate a ‘massive’ increase in SARs, but the reality is 55% expect the same as before and 15% think they’ll get less. 73% supposedly think that furloughed or laid off staff will be a ‘big factor’ in the predicted increase, even though the breakdown shows that only 20% think it will be the single biggest factor. To emphasise, these are requests that haven’t happened yet. The people who say that they will are the ones flogging the software to deal with the problem.

So far, so what? Guardum have software to sell and a cynical pitch about Covid-19 to achieve that. Does it matter? In the grand scheme of things, no, it doesn’t. I’m probably not the only person currently experiencing a crash course in What’s Really Important. But in the micro scheme of things, bullshit deserves to be called out, especially when it’s designed to exploit a crisis that’s causing misery and death across the world. Many of the revelations in this survey are staggeringly banal – nearly 50% of people find tracking the data down across multiple departments to be a slog, while 63% have to search both paper and electronic records. Who with any experience in Data Protection would think it was worth pointing this out? Meanwhile, the assertions about how long a SAR takes or how much it costs are wholly unexplained. It’s meaningless to claim that the mean cost of a SAR is £4,884.53 if you don’t explain how that was calculated (inevitably, the CTO is touting this figure on LinkedIn).

Guardum aren’t necessarily the experts at Data Protection that they might have us believe. For one thing, despite being a UK company, both the survey results and their website exclusively refer to ‘PII’ rather than personal data. For another, part of the criteria for participating in the survey was that the DPO needed to work for a company with more than 250 employees. This was, for a time, the threshold for a mandatory DPO but despite being changed, some dodgy training companies and consultants didn’t notice and ran courses which highlighted the 250 figure even when it was gone. Most importantly, nearly half of the people who responded to the survey don’t know what they’re doing. The survey was purportedly targeted at DPOs, but 44% of respondents are identified as being in ‘C-level’ jobs – perhaps this is to give a veneer of seniority, but C-level jobs are precisely the senior roles that are likely attract a conflict of interests. Guardum talked to people in the wrong jobs, and apparently didn’t realise this.

The ‘About’ page of Guardum’s website proclaims “Guardum supports privacy by design – where data privacy is engineered into your business processes during design rather than as an afterthought“, but the execution is less confident. There is a questionnaire that shows how much an organisation can save by using the Guardum product, but when you complete it, you have to fill in your name, company and email to get the results, and there’s no privacy policy or transparency information about how this information will be used. Moreover, if you try to use the contact form, clicking on the link to the terms and conditions results in ‘page not found’.

I have to declare my bias here – I don’t believe that any ‘solution’ can fully deal with the SAR response process, and I think people who tout AI gizmos that automatically redact “PII” are probably selling snake oil. Some of the SAR grind comes in finding the data, but a lot of it is about judgement – what should you redact? How much should you redact? Anyone who claims that they can replace humans when dealing with an HR, mental health or social care is writing cheques that no product I have ever seen can cash. So when I land on a website like Guardum’s, my back is up and my scepticism is turned all the way up. It would be nice if once, I saw a product that wasn’t sold with bullshit. But not only is Guardum’s pitch heavy with management buzzwords, they’re using fear as a marketing tool. Just last week, they ran a webinar about weathering the ‘Post Pandemic DSAR Storm‘.

Guardum claim that they provide “the only solution that can fully meet the DSAR challenge of responding in the tight 30-day deadline, giving you back control, time and money that are lost using other solutions“. Nowhere do they mention that you can extend the deadline by up to two months is a request is complex (and many are). But even if their claims are true, why do they need to sell their product via catastrophising? If their expertise goes back to the 1984 Act, why are they calling it PII and talking up the opinions of DPOs who are in the wrong job? Why oversell the results of their survey? Why hide the basis of the hours and cost calculations on which is all of this is being flogged?  And what on earth is a ‘Certified Blockchain Expert‘?

The future post-Covid is an uncertain place. I find the utopianism of some commentators hard to swallow, partly because people are still dying and partly because the much-predicted end of the office will have career-changing consequences for people like me. But at least the LinkedIn prophets are trying to explore positives for themselves and others in an undeniably grim situation. The people running Guardum seem only to want scare people into getting a demo of their software. If one is looking for positives, the fact that the ICO has waved the white flag means that no organisation needs to be unduly concerned about DP fines at the moment, and despite some of the concerns expressed in Guardum’s survey, nobody in the UK has ever been fined for not answering a SAR on time. The old advice about deleting data you don’t need and telling your managers not to slag people off in emails and texts will save you as much SAR misery as any software package, and I can give you that for free.

Blast from the past

As we all endure the lockdown and the uncertainty about when and how it might end, I have been trying to avoid thinking about the past. It’s tempting to dwell on the last time I went to the cinema (Home, Manchester ironically to watch ‘The Lighthouse’), the last time I went to a pub (Tweedies in Grasmere, just hours before Johnson closed them all), the last face-to-face training course I ran (lovely people, awful drive home). But thinking back to what I had, and the uncertainty about how, when and if I will get it back, doesn’t make the interminable Groundhog Days move any faster. I’d be better off just ploughing on and working out what to do next.

So it was a strange experience to be thrown backwards in time to the heady days of 2017, when the GDPR frenzy was at its height, and the world and his dog were setting up GDPR consultancies. People still make fun of the outdated nature of my company name, but I registered 2040 Training in 2008, and I’m proud of its pre-GDPR nomenclature. The list of GDPR-themed companies that are now dissolved is a melancholy roll call – goodbye GDPR Ltd, GDPR Assist (not that one), GDPR Assistance, GDPR Certification Group (got to admire their optimism), GDPR Claims, GDPR Compliance, GDPR Compliance Consulting, GDPR Compliance Consultancy, GDPR Compliance for SMEs and GDPR Consultants International (offices in New York, Paris and Peckham). You are all with the Angels now.

I was cast into this reverie by a friend who drew my attention to GDPR Legal, a relatively new GDPR company, and a few moments on their website was like climbing into a DeLorean. It was all there. The professional design, the ability to provide all possible services related to Data Protection (you can get a DPO for as little as £100 a month), and of course “qualified DPO’s (sic)”. I was disappointed that there was no mention of them being certified and nary a hint of the IBITGQ, but you can’t have everything. They still pulled out some crowdpleasers, including flatulent business speak and the obvious fact that they are trying to sell software, sometimes in the same couple of sentences: “Our service includes a comprehensive consult to help identify gaps and opportunities, a comprehensive report that includes a project plan with timelines and milestones, a cost analysis, and a schedule. We also offer a software suite that will help you get there quickly and smoothly.” Timelines and milestones, people. This is what we want.

The lack of any detail is possibly a matter for concern. The website claims that the company’s specialists have “over 50 years of experience delivering a pragmatic consulting service with qualified DPO’s and GDPR Practitioner skills” but it is difficult to find out who any of them are. There is no ‘meet the team’ or ‘our people’ section. I might be wrong, but I don’t think there’s a single human being’s name anywhere on there. If you had all these brilliant experienced professionals, wouldn’t you want to advertise who they are – I might make fun of them, but even the folk who have blocked me on LinkedIn aren’t ashamed of saying who their consultants are. Is it 50 people with a year’s experience each? Indeed, the only name I can associate with the company (via Companies House) is the Director, a man who has no experience in Data Protection, but is also director of a shedload of software and marketing companies. Any time the site needs to get into any detail, it hyperlinks to the ICO.

So far, so what? You probably think this blog is cruel. If someone wants to set up a company selling GDPR services, why do I care? Isn’t this just sour grapes at another disruptive entrant in the vibrant GDPR market?

There are two reasons why I call these people out. The first is their privacy policy. It’s not a good sign when a privacy policy page on a GDPR company’s website begins with ‘Privacy Policy coming soon’, but as it happens, immediately below is the company’s privacy policy. Well, I say it’s their’s. It’s oddly formatted, and when you click on the links that are supposed to take you to the policy’s constituent parts, you’re in fact redirected to the log-in page for GoDaddy, with whom the site was registered. All the way through, there are lots of brackets in places that they don’t belong. It didn’t take me long to work out what was going on – I think the brackets were the elements of the template policy that GDPR Legal has used which needed to be personalised, and they’ve forgotten to remove them. 50 collective years of experience, and nobody is competent enough to write the company’s own privacy policy, they just use someone else’s template. Indeed, if you search for the first part of the policy “Important information and who we are“, it leads you to dozens of websites using the same template, from Visit Manchester to NHS Improvement. I can’t find where it originated, but it’s an indictment of the quality of work here that they took it off the shelf and didn’t even format it properly. My Privacy Policy is smart-arsery of the first order, but at least I wrote it myself.

The other reason is worse. GDPR Legal has a blog with three posts on it. Two are bland and short, but the most recent, published just this week, is much longer and more detailed. It reads very differently from other parts of the site, and there was something about the tone and structure that was familiar to me. It didn’t take long to remember where I had seen something like this before. The blog is about GDPR and children, and this is the second paragraph:

Because kids are less aware of the risks involved in handing over their personal data, they need greater protection when you are collecting and processing their data.Here is a guide and checklist for what you need to know about GDPR and children’s data.”

This is the first sentence of the ICO’s webpage about GDPR and children:

Children need particular protection when you are collecting and processing their personal data because they may be less aware of the risks involved.

Coincidence, you think? This is the third line:

If a business processes children’s personal data then great care and thought should be given about the need to protect them from the outset, and any systems and processes should be designed with this in mind

This is the second line of the ICO’s page:

If you process children’s personal data then you should think about the need to protect them from the outset, and design your systems and processes with this in mind

Blog, fourth para:

Compliance with the data protection principles and in particular fairness should be central to all processing of children’s personal data. ”

ICO page, third line:

“Compliance with the data protection principles and in particular fairness should be central to all your processing of children’s personal data

They rejigged the first few elements a little, but after that, whoever was doing it evidently got bored and it’s pretty much word for word:

GDPR Legal Blog:

A business needs to have a lawful basis for processing a child’s personal data. Consent is one possible lawful basis for processing, but it is not the only option. Sometimes using an alternative basis is more appropriate and provides better protection for the child.

ICO page

You need to have a lawful basis for processing a child’s personal data. Consent is one possible lawful basis for processing, but it is not the only option. Sometimes using an alternative basis is more appropriate and provides better protection for the child.

GDPR Legal Blog

General Checklists

  • We comply with all the requirements of the GDPR, not just those specifically relating to children and included in this checklist. 
  • We design our processing with children in mind from the outset and use a data protection by design and by default approach. 
  • We make sure that our processing is fair and complies with the data protection principles. 
  • As a matter of good practice, we use DPIAs (data protection impact assessments) to help us assess and mitigate the risks to children. 
  • If our processing is likely to result in a high risk to the rights and freedom of children then we always do a DPIA. 
  • As a matter of good practice, we take children’s views into account when designing our processing.

ICO page: 

Checklists

General

  • We comply with all the requirements of the GDPR, not just those specifically relating to children and included in this checklist.
  • We design our processing with children in mind from the outset, and use a data protection by design and by default approach.
  • We make sure that our processing is fair and complies with the data protection principles.
  • As a matter of good practice, we use DPIAs to help us assess and mitigate the risks to children.
  • If our processing is likely to result in a high risk to the rights and freedom of children then we always do a DPIA.
  • As a matter of good practice, we take children’s views into account when designing our processing.”

NB: I’ve screenshotted all of it.

Someone at GDPR Legal lifted the whole thing uncredited and passed it off as their own work. A company that claims to be able to provide “practical and bespoke advice”, guiding “major projects in some of the UK’s largest businesses” nicked content from the ICO’s website. This kind of cutting and pasting gives plagiarism a bad name. At least GDPR’s previous Grand Master Plagiarist did it in style with some top-drawer endorsements.

The GDPR frenzy is over. Some of the new entrants have gone from strength to strength, and some of them are now selling kitchens. The current crisis will test everyone, and I doubt that the DP landscape will look the same in a year’s time. Nevertheless, while I hope the data protection sector remains robust enough to accommodate both the slick, corporate operations, and a few maniac artisans like me, it surely doesn’t need chancers any more? I hope we can all agree that a company that can’t even design its own privacy policy, that won’t admit who its experts are, and who steals from the regulator deserves to be shamed? I hope this blog might persuade a few unwary punters to do some due diligence before handing over their cash and perhaps pick a company who writes their own material. Whatever the LinkedIn blockers think of me, and I of them, surely we’re all better than this?

Going Unnoticed

Last week, I came across an interview with Elizabeth Denham on a Canadian website called The Walrus that was published in April. There are some interesting nuggets – Denham seems to out herself as a Remainer in the third paragraph (a tad awkward given that she has only enforced on the other side) and also it turns out that the Commissioner has framed pictures of herself taking on Facebook in her office. More important is the comparison she draws between her Canadian jobs and her current role: “That’s why I like being where I am now,” she says, settling herself at a boardroom table. “To actually see people prosecuted.”

Denham probably wasn’t thinking of the run of legitimate but low-key prosecutions of nosy admin staff and practice managers which her office has carried out in recent months, which means she was up to her old tricks of inaccurately using the language of crime and prosecution to describe powers that are civil (or more properly, administrative). Since GDPR came in, she’s even less likely to prosecute than before, given that she no longer has the power to do so for an ignored enforcement or information notice. I don’t know whether she genuinely doesn’t understand how her powers work or is just using the wrong words because she thinks it makes for a better quote.

Publicity certainly plays a far greater part in the ICO’s enforcement approach than it should. A few months back, I made an FOI request to the ICO asking about a variety of enforcement issues and the information I received was fascinating. The response was late (because of course it was), but it was very thorough and detailed, and what it reveals is significant.

ICO enforcement breaks down into two main types. Enforcement notices are used where the ICO wants to stop unlawful practices or otherwise put things right. Monetary penalties are a punishment for serious breaches. Occasionally, they are used together, but often the bruised organisation is willing to go along with whatever the ICO wants, or has already put things right, so an enforcement notice is superfluous. The ICO is obliged to serve a notice of intent (NOI) in advance of a final penalty notice, giving the controller the opportunity to make representations. There is no equivalent requirement for preliminary enforcement notices, but in virtually every case, the ICO serves a preliminary notice anyway, also allowing for representations.

According to my FOI response, in 2017, the ICO issued 8 preliminary enforcement notices (PENs), but only 4 were followed up by a final enforcement notice; in 2018, 5 PENs were issued, and only 3 resulted in a final notice. The ratio of NOIs to final penalties is much closer; in 2017, there were 19 NOIs, and only one was not followed up with a penalty. In 2018, 21 NOIs were issued, 20 of which resulted in a penalty. Nevertheless, the PEN / NOI stage is clearly meaningful. In multiple cases, whatever the controller said stopped the intended enforcement in its tracks. In the light of many GDPR ‘experts’ confusion about when fines are real or proposed, the fact that not every NOI results in a fine is worth noting.

The response shows the risks of neglecting to issue a PEN. In July 2018, the ICO issued Aggregate IQ (AKA AIQ) with the first GDPR enforcement notice (indeed, it was the first GDPR enforcement action altogether). My FOI reveals that it was one of only a few cases where a preliminary notice was not issued. The AIQ EN was unenforceable, ordering them to cease processing any personal data about any UK or EU “citizens” obtained from UK political organisations “or otherwise for the purposes of data analytics, political campaigning or any other advertising purposes”. AIQ was forbidden from ever holding personal data about any EU citizen for any advertising purpose, even if that purpose was entirely lawful, and despite the fact that the GDPR applies to residents, not citizens. AIQ appealed, but before that appeal could be heard, the ICO capitulated and replaced the notice with one that required AIQ to delete a specific dataset, and only after the conclusion of an investigation in Canada. It cannot be a coincidence that this badly written notice was published as part of the launch of the ICO’s first report into Data Analytics. It seems that ICO rushed it, ignoring the normal procedure, so that the Commissioner had things to announce.

The ICO confirmed to me that it hasn’t served a penalty without an NOI, which is as it should be, but the importance of the NOI stage is underlined by another case announced with the first AIQ EN. The ICO issued a £500,000 penalty against Facebook, except that what was announced in July 2018 was the NOI, rather than the final penalty. Between July and October, the ICO would have received representations from Facebook, and as a result, the story in the final penalty was changed. The NOI claims that a million UK Facebook users’ data was passed to Cambridge Analytica and SCL among others for political purposes, but the final notice acknowledges that the ICO has no evidence that any UK users data was used for campaigning. As an aside, this means that ICO has no evidence Cambridge Analytica used Facebook data in the Brexit referendum. The final notice is based on a hypothetical yarn about the risk of a US visitor’s data being processed while passing through the UK, and an assertion that even though UK Facebook users’ data wasn’t abused for political purposes (the risk did not “eventuate“), it could have been, so there. I’ve spent years emphasising that the incident isn’t the same as a breach, but going for the maximum penalty on something that didn’t happen, having said previously that it did, is perhaps the wrong time to listen to me.

If you haven’t read the final Facebook notice, you really should. ICO’s argument is that UK users data could have been abused for political purposes even though it wasn’t, and the mere possibility would cause people substantial distress. I find this hard to swallow. I suspect ICO felt they had effectively announced the £500,000 penalty; most journalists reported the NOI as such. Despite Facebook’s representations pulling the rug out from under the NOI, I guess that the ICO couldn’t back down. There had to be a £500,000 penalty, so they worked backwards from there. The Commissioner now faces an appeal on a thin premise, as well as accusations from Facebook that Denham was biased when making her decision.

Had the NOI not been published (like virtually every other NOI for the past ten years), the pressure of headlines would have been absent. Facebook have already made the not unreasonable point in the Tribunal that as the final penalty has a different premise than the NOI, the process is unfair. Without a public NOI, Facebook could have put this to the ICO behind closed doors, and an amended NOI could have been issued with no loss of face. If Facebook’s representations were sufficiently robust, the case could have been dropped altogether, as happened in other cases in both 2017 and 2018. For the sake of a few days’ headlines, Denham would not be facing the possibility of a career-defining humiliation at the hands of Facebook of all people, maybe even having to pay their costs. It’s not like there aren’t a dozen legitimate cases to be made against Facebook’s handling of personal data, but this is the hill the ICO has chosen to die on. Maybe I’m wrong and Facebook will lose their appeal, but imagine if they win and this farrago helps them to get there.

The other revelation in my FOI response is an area of enforcement that the ICO does not want to publicise at all. In 2016, the ICO issued a penalty on an unnamed historical society, and in 2017, another was served on an unnamed barrister. I know this because the ICO published the details, publicly confirming the nature of the breach, amount of the penalty as well as the type of organisation. One might argue that they set a precedent in doing so. What I didn’t know until this FOI request is that there have been a further 3 secret monetary penalties, 1 in 2017 and 2 in 2018. The details have not been published, and the ICO refused to give me any information about them now.

The exemptions set out the ICO’s concerns. They claim that it might be possible for me to identify individual data subjects, even though both the barrister and historical society breaches involved very limited numbers of people but were still published. They also claim that disclosure will prejudice their ability to enforce Data Protection law, using this justification:

“We are relying on this exemption to withhold information from you where the disclosure of that information is held for an ongoing regulatory process (so, we are yet to complete our regulatory process and our intentions could still be affected by the actions of a data controller) or the information is held in relation to sensitive matters and its disclosure would adversely affect relationships which we need to maintain with the organisations involved. It is essential that organisations continue to engage with us in a constructive and collaborative way without fear that the information they provide to us will be made public prematurely, or at a later date, if it is inappropriate to do so. Disclosure of the withheld information at this time would therefore be likely to prejudice our ability to effectively carry out our regulatory function”

The ICO routinely releases the names of data controllers she has served monetary penalties and enforcement notices on without any fears about the damage to their relationship. Just last week, she was expressing how “deeply concerned” she is about the use of facial recognition by the private sector, despite being at the very beginning of her enquiries into one such company. And if maintaining working relationships at the expense of transparency is such a vital principle, how can they justify the publication of the Facebook NOI for no more lofty reason than to sex up the release of the analytics report? They say “It is essential that organisations continue to engage with us in a constructive and collaborative way without fear that the information they provide to us will be made public prematurely”, and yet the Facebook NOI was published prematurely despite the fact that it was a dud. What will that have done to the ICO’s relationship with a controller as influential and significant as Facebook? What incentive do FB have to work with Wilmslow in a constructive and collaborative way now? And if identifying the subjects is an issue, what is to stop the ICO from saying ‘we fined X organisation £100,000’ but refusing to say why, or alternatively, describing the incident but anonymising the controller?

It doesn’t make sense to publicise enforcement when it’s not finished, and it doesn’t make sense to keep it secret when it’s done. Every controller that has been named and shamed by the ICO should be demanding to know why these penalties have been kept secret, while Facebook have every right to demand that the Commissioner account for the perverse and ill-judged way in which she took action against them. Meanwhile, we should all ask why the information rights regulator is in such a mess.

And one final question: did she bring the framed pictures with her or did we pay to get them done?