Analyse This

With no small amount of fanfare, the Information Commissioner Elizabeth Denham recently announced a “formal” investigation into the use of data analytics for political purposes. The use of targeted ads in political campaigns – especially those where the Right triumphed – has been much in the headlines, and the ICO clearly feels the need to react. Denham blogged on her website: “this investigation is a high priority for my office in our work to uphold the rights of individuals and ensure that political campaigners and companies providing services to political parties operate within UK law.”. The investigation was greeted with enthusiasm – the journalist Carole Cadwalladr who has made a lot of the running over analytics in the Observer was supportive and the Data Protection activist Paul-Olivier Dehaye hailed it as ‘very important’.

Saying that Facebook is probably abusing privacy rights (and acting as a conduit for the abuse of privacy rights) is a bit like saying that rain is wet. Some of Cadwalladr’s reports have drawn fascinating (if hotly disputed) links between various right-wing vampires like Nigel Farage, Dominic Cummings and Steve Bannon, and draw interesting (and hotly disputed) links between various Brexit campaigns and the tech firm Cambridge Analytica. Other of her stories are lame; a recent article complained that people Cadwalladr doesn’t approve of are outbidding people she does approve of when buying Facebook ads, which isn’t really news.

Worse than that, another article enthusiastically repeated Stephen Kinnock MP’s calls for an investigation into Tory data use, ignoring the fact that on the same day, Labour was hoovering up emails on its website without a privacy policy (which, like the marketing emails they will inevitably send) is a breach of Data Protection. The article makes the false claim that it is illegal to use data about political opinions without consent. Several people (including the chair of the National Association of Data Protection Officers) pointed this out to Cadwalladr, but the article is uncorrected at the time of writing. If you want to write about political parties and campaigns abusing data protection and privacy and you only acknowledge the dodgy things that one side gets up to, your allegations should not be taken too seriously. Politics is a swamp, and everyone is covered in slime. Given Cadwalladr’s shaky understanding of Data Protection law, it’s not hard to believe that her interest in the topic is mainly motivated by politics, and the ICO needs to be careful not to be sucked in.

It’s odd that allegations made to the ICO about data misuse by Owen Smith and Jeremy Corbyn, or candidates for the UNITE leadership have come to nothing, and yet here we have a formal investigation announced with great flourish into an issue that is largely perceived as affecting the right. I’m left-wing myself, but if Denham is going to take action over the political use of personal data, I expect her to be scrupulously even-handed.

However, I doubt very much whether action on this issue will ever happen. Just after the announcement, I made an FOI request to the Commissioner’s office about the nature of the investigation – how many people were involved and where from, what powers the ICO was using to conduct the investigation, and who the most senior person involved was. What I was trying to find out was simple – is this an investigation likely to lead to guidance or enforcement?

Here is what my FOI revealed (questions in bold, ICO answers below)

1) Under what specific powers is the investigation being carried out?

Initial intelligence gathering would fall under the general duties of the Commissioner to promote good practice (section 51) of the DPA. This may lead to use of investigatory powers and enforcement where necessary, under the provisions set out in Part V of the DPA, as well as the CMP powers at section 55A.  The Commissioner also has powers of entry and inspection under schedule 9 of the DPA.

2) How many members of staff are involved in the investigation?

It’s difficult to give an exact number, the ‘group’ involved will need to be established and documented in terms of reference which will be done shortly. At this stage, from the information we hold, we can say that 16 member of staff have been involved and another 4 members of staff are also expected to be involved as the investigation progresses.

3, 4 and 5-
 
What are the job titles of the staff involved?
What is the name of the most senior person involved in the investigation?
Which department and team do these staff belong to?

Senior Policy Officer – Private Sector Engagement
Group Manager – Private Sector Engagement
Policy Officer – Private Sector Engagement
Lead Communications Officer – Communication Planning
Senior Policy Officer – Public Policy and Parliament
Intelligence and Research Officer – Intelligence Team
Team Manager (Intelligence) – Intelligence Team
Lead Intelligence and research Officer – Intelligence Team
Team Manager – Enforcement (PECR) – Investigations
Group Manager (Public Policy & Parliament) – Public Policy and Parliament
Senior Policy Officer (Public Policy & Parliament) – Public Policy and Parliament
Team Manager (Enforcement Team 2) – Enforcement
Team Manager – Communications – Communications Planning
Head of Corporate Affairs – Communications Planning
Group Manager – Public Sector Engagement – Public Sector Engagement

The most senior person is Steve Wood – Head of International Strategy & Intelligence – International & Intelligence Management

*************************************************************************************

What does this tell us?

The main contributors are Engagement (which is presumably the successor to the old Strategic Liaison department whose chief role was holding hands with stakeholders), and policy (whose main contribution to the debate on big data is this endless and almost unreadable discussion paper). The most senior person involved is Steve Wood, who has an academic background. Of the 16 involved, just two are from Enforcement, outnumbered even by the comms staff. Apologists for Wilmslow will leap on that bit that says “This may lead to use of investigatory powers and enforcement where necessary“, but my response to that is an armpit fart. The ICO is starting from the perspective of promoting good practice run by an academic, which is just about the silliest response to this issue that I can think of.

Some areas that the ICO regulates are prime candidates for guidance. The public sector, charities and regulated industries are likely to be influenced by what the ICO says. Other areas – list broking and compensation claims spring to mind – are immune to policy and guidance, but politics is the best example. Politics is about power – if a party, campaign or individual can take power while breaching DP law, they will. It isn’t that they don’t understand the law, it is that they don’t care. No political party or campaign will be influenced by ICO guidance, and to pretend otherwise is childish. All major political parties (Labour, LibDems, SNP, Tory) have received a PECR Enforcement Notice over automated calls, and yet they flout PECR all the time with emails and yet more calls, as anyone who heard from David Lammy knows only too well. Even when the ICO fined Leave.EU during the referendum, the campaign’s reaction (“Whatever”) could not have been more derisive because they could afford to pay the fine. Either the ICO comes into politics using its powers to the maximum possible extent against everyone (£500,000 penalties, or more useful, enforcement notices that are backed up by prosecution), or they should leave the field.

We already know that the outcome of this investigation will be revealed long after the election is over, when anything that the Commissioner says or does will have no effect on the real world. On the evidence of my FOI, I predict there will be no fines, no enforcement notices, no action. There will be a long, thorough and thoughtful report that nobody in politics will pay attention to, and only people like me will read. The first task of the Supervisory Authority under GDPR is to ‘monitor and enforce’. Long ago, when I worked there, the joke went around the ICO that senior officers operated under the mantra ‘thinking is doing’, as an excuse to avoid taking any action. I don’t care if no senior officer ever actually said this – on big strategic issues, the ICO has always laboured under this approach. Denham’s first big splash was to follow through on charity enforcement when the easy choice was to back down. She deserves praise for that decision. However, If there is an international right-wing conspiracy to hijack democracy across the world, I don’t think a thought symposium is going to save us.

Another fine mess

For those working in Data Protection, there are many interesting things to note about the forthcoming General Data Protection Regulation. There is the clarification of consent, which may send tawdry marketers into a spin. There is the tightening of the rules over criminal records. There is the helpful emphasis on risk. My current favourite thing is a sly anti-establishment streak – here and there, the GDPR returns to the theme of the power imbalance between the data subject and the big public institution, and seeks to even up the score.

For some, however, there is only one thing to talk about. All that matters is the fines. Fines fines fines, all day long. A conference held in London last week was Fine City as far as the tweets were concerned. COMPANIES MIGHT GO BUST, apparently. Meanwhile, the Register breathlessly reheated a press release from cyber security outfit NCC Group, featuring a magical GDPR calculator that claims ICO’s 2016 penalties would have been either £59 million or £69 million under GDPR (the figure is different in the Register’s headline and story, and I can’t be bothered to find the original because it’s all bullshit).

This is my prediction. There will never be a maximum GDPR penalty in the UK. Nobody will ever be fined €20 million (however we calculate it in diminishing Brexit Pounds), or 4% of annual turnover. There will be a mild swelling in the amount of fines, but the dizzy heights so beloved of the phalanx of new GDPR experts (TRANSLATION: people in shiny suits who were in sales and IT in 2015) will never be scaled. It’s a nonsense myth from people with kit to sell. I have something to sell, friends, and I’m not going to sell it like this.

I have no quibble with DP officers and IG managers hurling a blood-curdling depiction of the penalties at senior management when they’re trying to get more / some resources to deal with the GDPR onslaught – I would have done it. There is probably a proper term for the mistake NCC made with their calculation, but I’m calling it the Forgetting The ICO Has To Do It Syndrome. NCC say Pharmacy2U’s penalty would inflate from £130,000 to £4.4 million, ignoring the fact that the decision would not be made by a robot. Pharmacy2U flogged the data of elderly and vulnerable people to dodgy health supplement merchants, and ICO *only* fined them £130,000, despite having a maximum of £500,000. Of course, some penalties have caused genuine pain for cash-strapped public authorities, but when NCC say that their adjusted-for-GDPR Pharmacy2U fine represented “a significant proportion of its revenues and potentially enough to put it out of business“, they’re not adjusting their hot air for reality.

Take the example of a monetary penalty issued by the ICO in March against a barrister. The barrister was involved in proceedings at the Family Court and the Court of Protection, so her files contained sensitive information about children and vulnerable adults. Despite guidance issued by the Law Society in 2013, they were stored unencrypted on her home computer. While upgrading the software on the machine, her husband backed up the files to online storage. Some of the files were indexed by search engines, and were subsequently found by a local authority lawyer.

The ICO fined the barrister £1000, reduced to £800 if they paid on time. I don’t think all barristers are loaded, but most could pay a penalty of £800 without going bankrupt. £800 isn’t remotely enough for a breach as basic and avoidable as this. The aggravating factors are everywhere – the Law Society guidance, the lack of encryption, the fact that the husband had access to the data. If the ICO was capable of issuing a £4.4 million penalty, they’d fine a barrister more than £800 for this mess. And what’s worse, they redacted the barrister’s name from the notice. The ICO offered no explanation for this, so I made an FOI request for the barrister’s name and for information about why the name was redacted.

They refused to give me the name, but disclosed internal correspondence about their decision to redact. There is a lot in the response to be concerned about. For one thing, in refusing to give me the name, the ICO contradicts its own penalty notice. The notice describes an ongoing contravention from 2013 (when the Law Society guidance was issued) to 2016 (when the data was discovered). Nevertheless, the FOI response states that “this data breach was considered a one off error“, and a reference to this characterisation is also made in the notes they disclosed to me.

If it was a one-off error, ICO couldn’t have issued the penalty, because they don’t have the power to fine people for incidents, only for breaches (in this case, the absence of appropriate technical and organisation security measures required by the Seventh Data Protection principle). Given that the notice states explicitly that the breach lasted for years, the ICO’s response isn’t true. It’s bad enough that the ICO is still mixing up incidents and breaches four years after this confusion lost them the Scottish Borders Tribunal appeal, it’s even worse that they seem not to understand the point of fining Data Controllers.

In the notes disclosed to me about the decision to redact the notice, ICO officials discuss the “negative impact” of the fine on the barrister, especially as she is a “professional person who is completely reliant on referrals from external clients“. Despite the Head of Enforcement putting a succinct and pragmatic case for disclosure: “it is easier to explain why we did (proportionate, deterrent effect) rather than why we didn’t“, he is unfortunately persuaded that the most important thing is to “avoid any damage to reputation”. Bizarrely, one person claimed that they could “get the deterrent message across” despite not naming the barrister.

The GDPR requires that fines be “effective, proportionate and dissuasive” – an anonymous £800 fine fails on each point. Anyone who takes their professional obligations seriously needs no horror stories to persuade them. For those who do not, an effective, proportionate and dissuasive penalty is either a stinging fine or naming and shaming. The ICO had no appetite for either option, and effectively let the barrister get away with it. They valued her professional reputation above the privacy of people whose data she put at risk, and future clients who will innocently give their confidential and private information to someone with this shoddy track record.

If the NCC Group, and all the various vendors and GDPR carpetbaggers are to be believed, within a year, the UK will operate under a regime of colossal, multi-million pound fines that will bring errant businesses to their knees. In reality, the ICO cut the fines on charities by 90% to avoid upsetting donors, and rendered their enforcement against an irresponsible data controller pointless for fear of putting her out of business.

These two pictures cannot be reconciled. It is entirely possible for the ICO to put someone out of business – indeed, many recipients of their PECR penalties are forced into liquidation (this may be a ploy to avoid the fines, but nevertheless, the businesses close). But the majority of PECR penalties are issued against businesses operating on the very fringe of legality – they are not mainstream data controllers. They are not nice, professional barristers. They are not the audience for the Great GDPR Fine Hysteria. If the ICO cannot stomach the risk of putting a single barrister out of business pour encourager les autres, it is disingenuous to pretend that they will rain down fire on mainstream data controllers after May 2018. We’ll get more of the same – cautious, reactive, distracted by the incident, and unwilling to take aim at hard targets. Plus ça change.

Catch the Pidgeon

Even before the fundraising sector met its Data Protection nemesis in December, with two charities cruelly hung out on the rack, forbidden ever to raise funds again (CORRECTION: given two of the smallest fines in Data Protection history and not forbidden from doing anything), various blogs, and tweets showed that anguished tin-rattlers were confused about what they were accused of.

A classic of the genre was published just over a week ago by Third Sector, penned by Stephen Pidgeon, a “consultant and teacher” (one assumes modesty prevented the publication from mentioning that until recently he chaired the Institute of Fundraising’s Standards Committee, responsible for the until-recently legally incorrect Code of Fundraising Practice). Pidgeon made a series of assertions in his article, and the most important of them is wrong.

Pidgeon describes profiling as a serendipitous activity – a fundraiser innocently planning some door-drops (not a hint of pestering spam in this charming scenario, nor any resort to a data-mining outfit like Prospecting for Gold) happens to notice that a donor has sold a business, and so decides to add his details to an existing campaign. The scheme is ruined by the ICO who says: “That’s not allowed – it’s against the Data Protection Act without express permission“. As Pidgeon points out, the DPA is much vaguer than that. If the Commissioner had indeed said this, it would be nonsense. The problem is, they didn’t.

Both charity notices set out the ICO’s position on charity profiling – it cannot be secret. The same is true for data sharing and appending new data to records that the subject didn’t provide. Neither notice finds profiling without consent to be a breach. Admittedly, of the Data Protection only offers one other option to justify profiling in these circumstances (legitimate interests), but either Pidgeon doesn’t know what the notice says, or he is deliberately misleading his audience. The word ‘permission’ does not appear in either notice, and the word ‘consent’ isn’t mentioned either.

Pidgeon also asserts that wealth profiling is not confined to charities:

This issue is not confined to charities. Yet, in all the 100-plus ICO adjudications in 2016, I could not find a single commercial firm censured for wealth screening.

To be pedantic, they’re not unenforceable ‘adjudications’, they’re formal legal notices, and if you add up all of the DP and PECR monetary penalty and enforcement notices in 2016, you don’t get to 100. He might be including the undertakings, which could be compared to the blancmange adjudications that charities have grown used to, but they’re irrelevant in a conversation about enforcement. The more important point is that like others, including the fundraising apologist academic Ian McQuillin and the researcher Matt Ide, Pidgeon claims that everyone does wealth screening but only the charities are getting punished for it. The Daily Mail hasn’t exposed Marks and Spencers or Greggs for wealth screening – possibly because they’re good at keeping it secret, but a more likely explanation is that they don’t do it. Until someone in the charity sector shows evidence of another organisation doing secret profiling, it’s just a distraction from the fact that – as Pidgeon claims – most of the charity sector have been doing it unlawfully for years.

Many in the sector also seem persuaded that the ICO action is a weird anti-charity vendetta. MacQuillin’s contributions to the Critical Fundraising Blog pondered the mystifying question of why the data protection regulator has taken action when household name organisations have been exposed for breaching data protection. The ICO takes action for three reasons – an organisation reports itself for something, ICO gets lots of complaints about something, or something makes a big splash in the press. There were thousands of complaints about charity fundraising, but all went to the toothless Fundraising Standards Board, who hardly ever passed them on to ICO. So it was the Daily Mail’s headlines that did the trick – the heartbreaking story of Olive Cooke but more importantly for the ICO’s purposes, the flamboyantly unlawful way in which charities treated Samuel Rae, trading his data relentlessly with anyone who wanted it.

In pursuing his false claim about consent, Pidgeon derisively summarised what charities might have to say to prospective donors: “We want to find out how rich you are; tick here to agree”! As a first draft, this has some merit, but a charity involved in wealth screening should also add ‘We want to know whether you are worth more alive or dead‘. The consent claim is a red herring, but perhaps unwittingly, Pidgeon has hit on the real problem for fundraisers: daylight. The foundation of Data Protection is fairness, and the only way to achieve it, regardless of whether consent is part of the mix, is to tell the subject the purposes for which their data will be used. Stretching the law as far as they can, the ICO has invented the concept of ‘reasonable expectations’. Reasonable expectations doesn’t appear in the Data Protection Act, but the ICO’s idea is that if you are only doing something that the person would expect, you don’t have to spell it out. One might take issue with this because it’s not in the Act, but it’s a sensible idea. The ICO’s emphasis has always been on being transparent over unexpected or objectionable processing.

Tesco’s Clubcard scheme is a useful example. Clubcard is a loyalty scheme, clearly based on profiling. The user knows that when they swipe their card, their purchases are analysed so that tailored offers and vouchers can be provided. Needless to say, Tesco also use the data for their sales and marketing strategy. If you look at the T&Cs for the Clubcard scheme, you will not find references to data sharing with third parties for wealth screening. They don’t need to – they can analyse your purchases instead. The user knows that profiling is inherent to the scheme, and they are not required to participate when shopping at Tesco. I have a Clubcard because I understand the system and I don’t believe that Tesco flogs my data. The profiling is the basis on which the whole thing operates. I have a choice about whether to shop at Tesco, and separately, whether to have a Clubcard when I do.

On the other hand, the RSPCA profiled seven million donors after they donated; presumably the lion’s share of all people who donated to the charity. The RSPCA did not tell people that this was the purpose for which their data will be used, and nobody outside the charity sector was aware of what was happening. Unlike Clubcard, donors could not participate without being screened and analysed by the charity. I have used the wealth-screening example on many of my training courses. The reaction is always surprise, and often revulsion.  Nobody ever leaps to the charity’s defence because secret profiling is a dodgy way to do business.

Pidgeon’s squeamishness about describing the process – the daft example of the story in the newspaper, his emphasis on data being gathered from the public domain – suggests that fundraisers are more ambivalent about their methods than they might like to admit. The existence of five facts in five separate publicly accessible places is different to the combination of those facts in one place, gathered with the intention of tailored marketing. A profile is greater than the sum of its parts, and people should be told that it exists. Pidgeon isn’t alone in his approach – Chris Carnie, the founder of ‘prospect research’ company Factary erroneously characterised myself and others as saying that using public domain data is “an intrusion into an individual’s privacy. That searching for a named individual in Companies House fundamentally affects the rights of that person“. All I said was that such research should be transparent, but this isn’t news that Carnie and his colleagues find palatable. Ide’s company goes as far as to assess the ‘ethical credentials‘ of a donor, which sounds a world away from noticing a story in a paper.

The Daily Mail is a revolting newspaper – the worst combination of small-minded, petty conservatism and curtain-twitching prurience. It is a matter of ongoing annoyance to me that the Mail is one of the very few national news outlets that covers Data Protection issues with any enthusiasm. I really wish the Guardian or the Times had exposed the ghastly exploitation of vulnerable people like Samuel Rae, or their hunger for information about possible donors. I wish Dispatches’ fine work on the shameful state of some fundraising call centres had got more attention. Nevertheless, none of this is the Mail’s fault, and fundraisers’ relentless blame-shifting needs to be called out for the cant that it is. Everyone knows whose fault this is.

The charity and fundraising sector isn’t in a mess over data protection because of the Daily Mail, and it isn’t there because of the Information Commissioner. This problem is the fault of some fundraisers and their agents not obeying the law, and trustees who didn’t ask them enough questions. MacQuillin claims that almost everything that has happened to the fundraising sector over the past two years is because of ‘fake news‘; Olive Cooke’s death wasn’t, her family says, the result of the spam tsunami that charities subjected her to. For one thing, this claim disgracefully ignores Samuel Rae, whose story would have caused the same interest even if it wasn’t the sequel to Olive Cooke. Moreover, it is itself fake news. If some of Pidgeon and MacQuillin’s compadres had done their job with a greater interest in the law, they wouldn’t be here now. This is the second or third time I have written this blog. With 11 more possible fines, and fundraisers still in denial about what they have done, I’ll probably have to write it again before long.

The Red Menace

Just before New Year, the pro-Brexit, anti-single market pressure group Change Britain published a report about the possible savings that could accrue to the UK if we cut all ties with the EU. Keen observers of current politics will be astonished to learn that the amount is in the multiple billions. One of the top savings is from repealing the Data Protection Act 1998, which Change Britain claims costs the economy a whopping £1,058,830,000, while (if I am reading the table right), giving a benefit of precisely nothing. It’s a prime example of ‘harmful EU red tape‘ that Change Britain is very much against.

Curiously, the report doesn’t include any mention the General Data Protection Regulation, despite the fact that the Government announced several months before its publication that GDPR will apply in the UK, reflecting the reality that it will come into force before we leave. The report does not hint at any cost in repealing the DPA and replacing it with something else, or the wasted effort currently being expended by organisations large and small in preparing for GDPR, all of which they want to cancel out. The economic benefit of being able to share data across EU borders isn’t priced in at all, even if we accept the £1 billion cost at face value. Inevitably, Change Britain’s report has the mindset of an Oscar Wilde cynic, knowing the price of everything and the value of nothing. Although the DPA is clunky and badly enforced, the benefits of saying that personal data should be obtained fairly, used transparently, kept in good order and processed securely are enormous.

I emailed Change Britain just before New Year asking the questions outlined below. I would like to express my gratitude to the Change Britain staff member who took the time to give me two courteous replies when many people were probably on holiday or hung-over.

Can you confirm that Change Britain believes that the GDPR should not be implemented, as well as advocating the repeal of the Data Protection Act? Can I ask what analysis you have done into the effects of repealing DP, in terms of its effects on the security and quality of personal data, and the rights of UK citizens to know how their data is used, and to get access to it on request?
Can you also provide me with any proposals Change Britain have for replacing the Data Protection Act / GDPR, or is the idea to remove any controls or protections on the way personal data is used in the UK post-Brexit?
Finally, can you give me any analysis on the effect of repealing the DPA / not implementing GDPR on the ability of UK companies to exchange personal data with EU countries, and how this would affect the UK’s adequacy for Data Protection purposes? As I am sure you already know, not having adequate data protection provisions would make it virtually impossible for EU and UK companies to do business with each other, because no personal data could be shared outside the EU.

In their reply, Change Britain didn’t explain why they hadn’t mentioned GDPR in the first place, but noted that the Coalition Government said in 2013 that the GDPR could ‘impose unnecessary additional costs on current businesses‘, a comment made on a version of the GDPR which is quite different to the one we’re actually getting. The emphasis was on ensuring that “expensive red tape is cut so that the burden on business is reduced“.

They didn’t really answer the questions, but the thrust of their preferred approach seemed to come here: “We believe that it is possible to secure a new relationship that allows ongoing data sharing between the UK and the EU and gives UK policy makers an opportunity to deal with the issues they have identified with EU laws and – in so doing – reduce the burden of red tape on British businesses“. They didn’t mention the fact that the current government has announced that the GDPR will apply or what the implications of that might be for their proposal. Crucially, while they clearly wanted to “reduce the burdens”, they did not explain to me what these burdens were.

It seemed to me that Change Britain were describing the Mother of Worst Case Scenarios: repeal of the DPA with a UK only replacement instead of adopting the GDPR, some kind of negotiated deal over EU data sharing with all the fragility that entails in the world of Max Schrems, a situation which could well mean UK businesses with EU customers separately adopting GDPR for their customers. Of course, there are many who think that an adequacy finding for the UK post-Brexit is going to hard to achieve, and so some kind of UK Privacy Shield arrangement (AKA Daragh O Brien‘s Privacy Brolly) is the likely outcome. But I’m not aware of anyone in the DP world who thinks this is a good idea – it’s just what we might end up with.

I emailed them again. I asked whether they were proposing what I thought they were proposing (making it sound as complicated and horrendous as I did just now). I wondered whether they had a list of the specific burdens that they objected to. I also asked if they had an analysis of the costs of reversing the current position on GDPR, given all the time and money that is currently going into preparing for it precisely because the government has said that we should. Finally, I asked whether a Privacy Shield arrangement was should be the aim, given the fiery death of Safe Harbor and the fact that the prognosis for Privacy Shield is somewhat toasty (to paraphrase).

They were kind enough to reply again, but with a striking lack of detail. “Brexit is an opportunity to repeal laws that don’t work and introduce better versions” they told me. They did not dispute my interpretation of what they want, which is astonishing. They are “aware of the legitimate issues that you have raised, however we also believe that the concerns raised about the impact of the EU’s data protection regime on small businesses should also be given equal weight when the Government considers the opportunities that come from Brexit”. They didn’t explain how reversing current government policy and forcing UK businesses to operate at least two different DP systems, no matter how large or small they might be was in the interests of anyone, and especially, how this would save a billion pounds. There is no reason why a small business wouldn’t be one of the enterprises running Change Britain’s UK DP at home, and the GDPR abroad, notwithstanding the *increase* in red tape that their proposal would involve. Change Britain want two laws in place of one, after all.

Despite claiming that Data Protection doesn’t work, Change Britain have not carried out any analysis on the burdens associated with it to underpin their demand that it should be abolished. They have not calculated the cost of abolishing it and replacing it with something else – indeed, I would go as far as to say that they showed no evidence of having thought about it. They could only point me to the previous government’s (now outdated) view of GDPR, and reports produced by the British Chambers of Commerce in 2005 and 2010. It seems to be a case of UK good, EU bad, even as the GDPR is being scrutinised around the world as a model to emulate, or at least react to.

Change Britain’s abolition of the DPA and the abandonment of the GDPR is an economically illiterate idea on a par with Vote Leave’s NHS Bus Promise. It makes no sense except as a sound-bite in a press release designed solely for headlines and incapable of surviving serious analysis. Change Britain’s idea is the opposite of what the Government has told UK businesses to prepare for. It is a recipe for confusion and uncertainty. It is utterly irresponsible.

Whatever you think of Brexit, it has wiped the future clean. Anyone who confidently predicts what the UK will look like in 2020 or 2025 is a fool or a liar. I think it will be a disaster, but other opinions are equally valid. The UK Government’s confirmation that GDPR will apply is a small strand of certainty. Even though the Secretary of State left the door open for change at some stage (which she has every right to do), we know what’s coming next for Data Protection, despite Brexit. In their antipathy towards the EU and all its works, Change Britain want to murder even this tiny certainty. They have no original thoughts on why they think it’s a good idea beyond money-saving that they cannot possibly stand up. They cannot offer any hint of what they want to replace DPA / GDPR with, except that it must be homegrown. It cannot be European in origin. I very much hope that their proposal gets the shortest shrift that the DCMS has in stock.

Make no mistake, compliance with GDPR will be difficult for some, but I suspect that many of the organisations most keen to decry the GDPR would struggle equally to comply with the 1984 Data Protection Act, produced by the Thatcher Government, which even now has parallels with both our current DP Act and the GDPR. The GDPR is clearer, less technical and more understandable than the DPA. It is in most ways an improvement. Change Britain’s proposal is vandalism, and we should wash it away.

FULL DISCLOSURE: I voted Remain, I wholly accept that the UK is going to leave the EU as a result of the referendum, I am more convinced than I was before that it is a stupid idea, and in a free country, you should defend my right to say so.

Small change

Some senior figures in the charity sector have sought to deal with the Information Commissioner’s recent enforcement against the RSPCA and the British Heart Foundation by suggesting that the ICO’s action is disproportionate and unfair. The fundraiser sorry, academic, Ian MacQuillin has written two blogs which touch on the theme, while a few days ago, Robert Meadowcroft, the Chief Executive of Muscular Dystrophy UK tweeted:

If the is impartial regulator it will investigate practices of and not simply pursue charities

As 2016 is now disappearing over the horizon, I thought it was worth testing the hypothesis that the ICO is taking disproportionate action against charities, and the fines and other enforcement against charities are unrepresentative. TL:DR – it’s complete nonsense.

In 2016, the ICO issued 34 civil monetary penalties – 11 under the Data Protection Act, and 23 under the Privacy and Electronic Communications Regulations (PECR). There are a number of different ways of looking at the figures, and none of them show any evidence of disproportionality.

1) Charity CMPs as a proportion of the total in 2016

Of the 34 penalties, 2 were against charities, so 6% of the ICO’s CMPs in 2016 were against charities.

2) Amount charities were fined, as a proportion of the total in 2016

The CMP total was £3,225,500. The total of CMPs issued against charities was £43,000. This is 1.3% of the total.

3) Proportion of Data Protection CMPs issued to charities in 2016

If you look only at the CMPs issued under Data Protection, the charity proportion is not insignificant – there were 11 DP CMPs, so the 2 charity CMPs are 18% of the total – the same as the police, 1 more than councils, but less than the private sector or the NHS (3 each). However, this is the only comparison where charities feature significantly, and they are not the dominant sector. The next two comparisons are also instructive.

4) Proportion of PECR CMPs issued to charities in 2016

None. This is despite widespread breaches of PECR by charities, including phoning donors who are on TPS and sending texts and emails without consent (for example, the vast majority of mobile numbers gathered via charity posters in 2016 were obtained in breach of PECR).

5) Proportion of CMPs issued for marketing related activities in 2o16

There were 21 PECR CMPs related to marketing, and 2 DP CMPs related to marketing, making 23 marketing CMPs in all. 2 were against charities, which is 9.5% of the total. Given the big charities’ disastrous approach to marketing, this relatively small number is astonishing.

6) Level of CMPs in 2016

The average DP CMP was £108,500; the average charity DP CMP was £21,500.

The average PECR CMP was £84,666.75; there were no charity PECR CMPs.

The highest DP CMP was £400,000; the highest charity DP CMP was £25,000.

7) Other enforcement in 2016

There were 22 enforcement notices issued by the ICO in 2016, 8 under DP and 14 under PECR. 1 of the 8 DP enforcement notices was against a charity, which is 4.5% of the total, or 12.5% of the total DP enforcement notices. Either way, it is a small percentage of the total. Again, if you count the number of marketing related enforcement notices, there were 15, of which 1 was against a charity. This is 6.6% of the total.

8) CMPs since 2010

There have been 69 DP CMPs since 2010 that I can find (they drop off the ICO’s website after a few years); 4 were issued against registered charities, which is 5.8% of the total. The average DP CMP was £114, 163, whereas the average charity was £78,250. It is worth noting that these figures are slightly skewed by the £200,000 penalty against the British Pregnancy Advisory Service, which is a registered charity but receives most of its funding from the NHS.

The CMP against the British Heart Foundation was the 8th lowest CMP overall, while the CMP against the RSPCA was the 9th lowest. The only organisations to receive lower penalties than the charities were small businesses, unincorporated associations, and a bankrupt lawyer.

There have been 47 PECR CMPs that I can find since 2012; none have been issued on charities, which is 0% of the total.

Conclusion

These figures will likely be different in 2017. The ICO has signalled that more DP enforcement against charities is coming, and so the proportion of DP penalties may rise when the totals are in, but that depends on a variety of different factors including the number of other penalties and the ICO’s general approach. However, when you look at the facts for 2016, MacQuillin and Meadowcroft are wrong. Despite years of ignoring the Data Protection and PECR requirements in favour of a flawed, fundraiser-driven approach, the ICO has not taken disproportionate action against the charities. The action taken is a small percentage of the overall total. Special pleading and blame-shifting will not help the sector. Compliance with the law will.