Going Unnoticed

Last week, I came across an interview with Elizabeth Denham on a Canadian website called The Walrus that was published in April. There are some interesting nuggets – Denham seems to out herself as a Remainer in the third paragraph (a tad awkward given that she has only enforced on the other side) and also it turns out that the Commissioner has framed pictures of herself taking on Facebook in her office. More important is the comparison she draws between her Canadian jobs and her current role: “That’s why I like being where I am now,” she says, settling herself at a boardroom table. “To actually see people prosecuted.”

Denham probably wasn’t thinking of the run of legitimate but low-key prosecutions of nosy admin staff and practice managers which her office has carried out in recent months, which means she was up to her old tricks of inaccurately using the language of crime and prosecution to describe powers that are civil (or more properly, administrative). Since GDPR came in, she’s even less likely to prosecute than before, given that she no longer has the power to do so for an ignored enforcement or information notice. I don’t know whether she genuinely doesn’t understand how her powers work or is just using the wrong words because she thinks it makes for a better quote.

Publicity certainly plays a far greater part in the ICO’s enforcement approach than it should. A few months back, I made an FOI request to the ICO asking about a variety of enforcement issues and the information I received was fascinating. The response was late (because of course it was), but it was very thorough and detailed, and what it reveals is significant.

ICO enforcement breaks down into two main types. Enforcement notices are used where the ICO wants to stop unlawful practices or otherwise put things right. Monetary penalties are a punishment for serious breaches. Occasionally, they are used together, but often the bruised organisation is willing to go along with whatever the ICO wants, or has already put things right, so an enforcement notice is superfluous. The ICO is obliged to serve a notice of intent (NOI) in advance of a final penalty notice, giving the controller the opportunity to make representations. There is no equivalent requirement for preliminary enforcement notices, but in virtually every case, the ICO serves a preliminary notice anyway, also allowing for representations.

According to my FOI response, in 2017, the ICO issued 8 preliminary enforcement notices (PENs), but only 4 were followed up by a final enforcement notice; in 2018, 5 PENs were issued, and only 3 resulted in a final notice. The ratio of NOIs to final penalties is much closer; in 2017, there were 19 NOIs, and only one was not followed up with a penalty. In 2018, 21 NOIs were issued, 20 of which resulted in a penalty. Nevertheless, the PEN / NOI stage is clearly meaningful. In multiple cases, whatever the controller said stopped the intended enforcement in its tracks. In the light of many GDPR ‘experts’ confusion about when fines are real or proposed, the fact that not every NOI results in a fine is worth noting.

The response shows the risks of neglecting to issue a PEN. In July 2018, the ICO issued Aggregate IQ (AKA AIQ) with the first GDPR enforcement notice (indeed, it was the first GDPR enforcement action altogether). My FOI reveals that it was one of only a few cases where a preliminary notice was not issued. The AIQ EN was unenforceable, ordering them to cease processing any personal data about any UK or EU “citizens” obtained from UK political organisations “or otherwise for the purposes of data analytics, political campaigning or any other advertising purposes”. AIQ was forbidden from ever holding personal data about any EU citizen for any advertising purpose, even if that purpose was entirely lawful, and despite the fact that the GDPR applies to residents, not citizens. AIQ appealed, but before that appeal could be heard, the ICO capitulated and replaced the notice with one that required AIQ to delete a specific dataset, and only after the conclusion of an investigation in Canada. It cannot be a coincidence that this badly written notice was published as part of the launch of the ICO’s first report into Data Analytics. It seems that ICO rushed it, ignoring the normal procedure, so that the Commissioner had things to announce.

The ICO confirmed to me that it hasn’t served a penalty without an NOI, which is as it should be, but the importance of the NOI stage is underlined by another case announced with the first AIQ EN. The ICO issued a £500,000 penalty against Facebook, except that what was announced in July 2018 was the NOI, rather than the final penalty. Between July and October, the ICO would have received representations from Facebook, and as a result, the story in the final penalty was changed. The NOI claims that a million UK Facebook users’ data was passed to Cambridge Analytica and SCL among others for political purposes, but the final notice acknowledges that the ICO has no evidence that any UK users data was used for campaigning. As an aside, this means that ICO has no evidence Cambridge Analytica used Facebook data in the Brexit referendum. The final notice is based on a hypothetical yarn about the risk of a US visitor’s data being processed while passing through the UK, and an assertion that even though UK Facebook users’ data wasn’t abused for political purposes (the risk did not “eventuate“), it could have been, so there. I’ve spent years emphasising that the incident isn’t the same as a breach, but going for the maximum penalty on something that didn’t happen, having said previously that it did, is perhaps the wrong time to listen to me.

If you haven’t read the final Facebook notice, you really should. ICO’s argument is that UK users data could have been abused for political purposes even though it wasn’t, and the mere possibility would cause people substantial distress. I find this hard to swallow. I suspect ICO felt they had effectively announced the £500,000 penalty; most journalists reported the NOI as such. Despite Facebook’s representations pulling the rug out from under the NOI, I guess that the ICO couldn’t back down. There had to be a £500,000 penalty, so they worked backwards from there. The Commissioner now faces an appeal on a thin premise, as well as accusations from Facebook that Denham was biased when making her decision.

Had the NOI not been published (like virtually every other NOI for the past ten years), the pressure of headlines would have been absent. Facebook have already made the not unreasonable point in the Tribunal that as the final penalty has a different premise than the NOI, the process is unfair. Without a public NOI, Facebook could have put this to the ICO behind closed doors, and an amended NOI could have been issued with no loss of face. If Facebook’s representations were sufficiently robust, the case could have been dropped altogether, as happened in other cases in both 2017 and 2018. For the sake of a few days’ headlines, Denham would not be facing the possibility of a career-defining humiliation at the hands of Facebook of all people, maybe even having to pay their costs. It’s not like there aren’t a dozen legitimate cases to be made against Facebook’s handling of personal data, but this is the hill the ICO has chosen to die on. Maybe I’m wrong and Facebook will lose their appeal, but imagine if they win and this farrago helps them to get there.

The other revelation in my FOI response is an area of enforcement that the ICO does not want to publicise at all. In 2016, the ICO issued a penalty on an unnamed historical society, and in 2017, another was served on an unnamed barrister. I know this because the ICO published the details, publicly confirming the nature of the breach, amount of the penalty as well as the type of organisation. One might argue that they set a precedent in doing so. What I didn’t know until this FOI request is that there have been a further 3 secret monetary penalties, 1 in 2017 and 2 in 2018. The details have not been published, and the ICO refused to give me any information about them now.

The exemptions set out the ICO’s concerns. They claim that it might be possible for me to identify individual data subjects, even though both the barrister and historical society breaches involved very limited numbers of people but were still published. They also claim that disclosure will prejudice their ability to enforce Data Protection law, using this justification:

“We are relying on this exemption to withhold information from you where the disclosure of that information is held for an ongoing regulatory process (so, we are yet to complete our regulatory process and our intentions could still be affected by the actions of a data controller) or the information is held in relation to sensitive matters and its disclosure would adversely affect relationships which we need to maintain with the organisations involved. It is essential that organisations continue to engage with us in a constructive and collaborative way without fear that the information they provide to us will be made public prematurely, or at a later date, if it is inappropriate to do so. Disclosure of the withheld information at this time would therefore be likely to prejudice our ability to effectively carry out our regulatory function”

The ICO routinely releases the names of data controllers she has served monetary penalties and enforcement notices on without any fears about the damage to their relationship. Just last week, she was expressing how “deeply concerned” she is about the use of facial recognition by the private sector, despite being at the very beginning of her enquiries into one such company. And if maintaining working relationships at the expense of transparency is such a vital principle, how can they justify the publication of the Facebook NOI for no more lofty reason than to sex up the release of the analytics report? They say “It is essential that organisations continue to engage with us in a constructive and collaborative way without fear that the information they provide to us will be made public prematurely”, and yet the Facebook NOI was published prematurely despite the fact that it was a dud. What will that have done to the ICO’s relationship with a controller as influential and significant as Facebook? What incentive do FB have to work with Wilmslow in a constructive and collaborative way now? And if identifying the subjects is an issue, what is to stop the ICO from saying ‘we fined X organisation £100,000’ but refusing to say why, or alternatively, describing the incident but anonymising the controller?

It doesn’t make sense to publicise enforcement when it’s not finished, and it doesn’t make sense to keep it secret when it’s done. Every controller that has been named and shamed by the ICO should be demanding to know why these penalties have been kept secret, while Facebook have every right to demand that the Commissioner account for the perverse and ill-judged way in which she took action against them. Meanwhile, we should all ask why the information rights regulator is in such a mess.

And one final question: did she bring the framed pictures with her or did we pay to get them done?

Home, James

A few months ago, I wrote a blog about data protection and nonsense, highlighting inaccurate claims made by training companies, marketers and pressure groups. A bad tempered spat ensued in comments on LinkedIn between myself and Russell James, the marketer behind the lobbying attempt to change the ICO’s funding model to include cost recovery. James insisted that it didn’t matter that a letter sent by four MPs to the DCMS asking for the change, apparently at his instigation, contained inaccurate claims (the description of DP breaches as ‘crimes’) and embarrassingly got the name of the Information Commissioner wrong (it’s the Independent Commissioner of Information, according to the distinguished Parliamentarians, or whoever actually wrote it).

I asked James what the Information Commissioner’s Office themselves thought of his plan to allow the ICO to recoup the costs of investigations from those “found guilty of data crimes” (which I think means those who are in the receiving end of enforcement from Wilmslow, although it’s hard to be 100% certain). The idea that someone would persuade MPs to lobby the ICO’s sponsor department to change their funding mechanism without at least the tacit approval of the Commissioner or her staff seemed ridiculous, but the normally prolix Mr James was silent on the matter. So I decided to ask the Information Commissioner.

I made an FOI request including all of the following information:
1) Any recorded information about approaches made by Russell James or others to the ICO about the idea of the ICO adopting a cost-recovery model, including any correspondence with Mr James or his associates.
2) Any responses provided to James or others about the ICO adopting a cost-recovery model.
3) Any correspondence with Tom Tugendhat, Yvette Cooper, Dominic Grieve or Damian Collins, or their staff about the idea of a cost-recovery model, or the letter sent to the DCMS
4) Any internal discussion of the cost-recovery model.
5) Any correspondence, notes of meetings or other records of meetings between Mr James and any ICO member of staff, including the names of the staff. (this was subsequently clarified to cover only the cost recovery model, and not any other correspondence Mr James might have had with the ICO.)

Whatever the ICO made of Mr James’ ambitious plan, I was certain that this request would capture their thoughts. At worst, the ICO might refuse to disclose their internal discussions of the idea, but at least I might get some sense of the extent of them.

The ICO provided me with three paragraphs from a letter sent to them by Mr James around the time the MPs wrote to the DCMS. James told me that ICI letter was written by the office of Tom Tugendhat, but this one was remarkably similar in tone, and had the same lack of understanding of how the Data Protection enforcement regime works. James told the ICO that they were about to “leverage significant revenue“. Greatly increased income for the DCMS via the huge sums GDPR fines paid to them would, James asserted, result in much more cash for Wilmslow. This sounds great, if it wasn’t for the the fact that the ICO hasn’t issued a single penalty under the GDPR yet. More importantly, he is confused about what happens to the penalties, and how the ICO is funded. DP penalties have always been paid into the Treasury’s consolidated fund, bypassing the DCMS altogether. Moreover, the ICO doesn’t receive any funding from the DCMS for its Data Protection work. As this document (freely available on the ICO’s website) states, all the ICO’s DP work is paid for by DP fees collected from Data Controllers, as has been the case for many years. The ICO could do a CNIL-style €50 million penalty every week, and neither they nor the DCMS would see a cent of it.

James also claims in his letter that his campaign has “ministerial support from government officials“; I don’t know if that he’s claiming the support of ministers, or the support of government officials, but the phrase itself sounds like it was written by someone who doesn’t know the difference between the two. I’d ask him which it was, but I sent him a single direct message asking for comments before publishing the last blog I wrote this issue. He ignored me, but later pretended that I had deluged him with many such messages. If Tugendhat hadn’t tweeted the ICI letter, I’d think it was fake.

Whatever the shortcomings of Mr James’ insights into Data Protection (when I told him I was making an FOI about his plan, he thought it was the same as a SAR), his confidence in the success of the James Tax is hard to fault. According to him, it is now “a short time before your department (ICO) will have a more resilient financial footing“. Given this thrilling news, one can only speculate at how excited the fine folk of the ICO would be at the impending cash bonanza.

Alas, apart from a copy of the ICI letter, which the ICO sensibly chose not to provide to me as it was plainly in the public domain, they held no data about the James Tax. None. Nothing. Nada. Indeed, they made a point of telling me: “For clarity, I can confirm that we do not hold any information which falls within the scope of the other parts of your request“.  This means that they did not have any recorded discussions about it, share the letter internally, or even reply to that part of Mr James’ letter. If anyone had anything to say about the James Tax, they didn’t want to write it down.

Mr James has set himself up as the doughty defender of “Liz and the crew” as he once described his surprisingly reticent friends in Wilmslow to me. He has launched a campaign to change the law and roped four two highly respectable MPs in to support it. I think it is reasonable to ask whether someone with such a misbegotten understanding of how Data Protection works is the right person to change it. Given that the ICO has seemingly offered no support, not even a comment on his plan, I assume that they do not welcome the idea. It’s not hard to imagine why – calculating the costs of an investigation is extra work and bureaucracy. Moreover, if the ICO is entitled to claim the costs of victory, surely it should be forced to foot the bill for defeat – every time the ICO’s enforcement team’s investigation results in no action, the ICO should contribute to the time the controller spent in answering the many letters and information notices for which the office is celebrated.

If a case goes to appeal, while the James Tax would presumably allow the costs of going to the Tribunal to be recouped if successful, for fairness’ sake, the same logic must apply the other way around. If the Tribunal vindicates the ICO’s target (and losses at the Tribunal are not unknown, especially in recent times), presumably the ICO would have to pay the legal bills too. There are already financial incentives and advantages for the Commissioner. If the ICO issues a financial penalty, the controller gets a 20% discount if they choose not to appeal. If a controller’s actions are truly misbegotten and they choose to appeal, the Tribunal and the courts above can award costs against the recalcitrant data controller. To change the relationship further in the ICO’s interests should not just be one-way.

If the James Tax includes recouping costs of dealing with appeals (and my arguments with him on LinkedIn suggests that it does), this will also have a negative effect on one of the most important parts of the DP enforcement system. Any controller who has been fined will, according to the James Tax, already face the added cost of the ICO’s investigation. Appealing – already a roll of dice in many cases – will be that much more of a risk. As well as their own costs, controllers will have to factor in the additional ICO tally.

We already have Denham grumbling about appeals, even using a speech by Mark Zuckerberg about possible regulation in the US as an excuse to demand he drops his appeal against the Facebook fine in the UK. James’ ideas might further suppress the possibility of appealing against ICO decisions. For everyone involved in the sector, this would be a disaster. To borrow James’ inaccurate criminal characterisation of DP enforcement, the ICO is already the investigator, prosecutor and judge – I don’t want to strengthen that hand any more. Moreover, in the interview above, Denham signalled disdain for the concerns of ordinary people, stating that they don’t complain about the right things. As part of its analytics investigation, the ICO has enforced on cases where there have been no complaints. Denham’s ICO need to be challenged, and challenged regularly. The tribunals and the courts frequently give detailed and helpful explanations of how the law works – ICO never produced guidance on consent as useful as the Tribunal’s decision in Optical Express, and whether the ICO wins or loses, all sorts of insights are available in Tribunal decisions.

Nobody appeals lightly. Combine Denham’s hostility to challenge with the James Tax, and we might lose vital opportunities for debate and caselaw. You can dismiss this blog as just an opportunity for me to take the piss out of another GDPR certified professional, but James has set himself up as a public campaigner. He wants to change how the ICO is funded and how all controllers are potentially treated. This cannot just pass without scrutiny, especially as he appears to lack both an understanding of the system he wants to change, and the support of the regulator whose powers he wants to alter. If the people arguing for changes don’t even think it’s important what the ICO is called or whether it’s a ‘department’ or not, we should wonder what other important details they have missed.

Head in the Sandbox

The Information Commissioner’s Office recently held a workshop about their proposed Regulatory Sandbox. The idea of the sandbox is that organisations can come to the ICO with new proposals in order to test out their lawfulness in a safe environment. The hoped-for outcome is that products and services that are at the same time innovative and compliant will emerge.

There is no mention of a sandbox process in the GDPR or the DPA 2018. There is a formal mechanism for controllers to consult the ICO about new ideas that carry high risk (prior consultation) but the circumstances where that happens are prescribed. It’s more about managing risk than getting headlines. Unlike Data Protection Impact Assessments, prior consultation or certification, the design and operation of the sandbox is entirely within the ICO’s control. It is important to know who is having an influence its development, especially as the sandbox approach is not without risk.

Although Mrs Denham is not above eye-catching enforcement when it suits her, the ICO is often risk averse, and has shown little appetite for challenging business models. For example, the UK’s vibrant data broking market – which is fundamentally opaque and therefore unlawful – has rarely been challenged by Wilmslow, especially not the bigger players. They often get treated as stakeholders. The sandbox could make this worse – big organisations will come with their money-making wheezes, and it’s hard to imagine that ICO staff will want to tell them that they can’t do what they want. The sandbox could leave the ICO implicated, having approved or not prevented dodgy practices to avoid the awkwardness of saying no.

Even if you disagree with me about these risks, it’s surely a good thing that the ICO is transparent about who is having an influence on the process. So I made an FOI request to the ICO, requesting the names and companies or organisations of those who attended the meeting. As is tradition, they replied on the 20th working day to refuse to tell me. According to Wilmslow, disclosure of the attendees’ identities is exempt for four different reasons. Transparency will prejudice the ICO’s ability to carry out its regulatory functions, disclosure of the names of the attendees is a breach of data protection, revealing the names of the organisations will cause them commercial damage, and finally, the information was supplied with an expectation of confidentiality, and so disclosure will breach that duty.

These claims are outrageous. DPIAs and prior disclosure exist, underpinned both by the law and by European Data Protection Board guidance. Despite the obvious benefits of developing a formal GDPR certification process (both allowing controllers to have their processing assessed, and the creation of a new industry at a time when the UK needs all the economic activity it can get), the ICO’s position on certification is supremely arrogant: “The ICO has no plans to accredit certification bodies or carry out certification at this time“. A process set out in detail in the GDPR is shunned, with the ICO choosing instead to spend huge amounts of time and money on a pet project which has no legal basis. Certification could spread expertise across the UK; the sandbox will inevitably be limited to preferred stakeholders. If they’re hiding the identities of those who show up to the workshop, it’s hard to imagine that the actual process will be any more transparent.

The ICO’s arguments about commercial prejudice under S43 of FOI are amateurish: “To disclose that a company has sent delegates to the event may in itself indicate to the wider sector and therefore potential competitors that they are in development of, or in the planning stages of a new innovative product which involves personal data“. A vital principle of FOI is that when using a prejudice-based exemption, you need to show cause and effect. Disclosure will or will be likely to lead to the harm described. How on earth could a company lose money, or become less competitive, purely because it was revealed that they attended an ICO event (which is what using S43 means)?

The ICO’s personal data and confidentiality arguments are equally weak – everyone who attended the meeting would know the identities of everyone else, and all were acting in an official or commercial capacity. This was not a secret or private meeting about a specific project; anyone with an interest was able to apply to attend. Revealing their attendance is not unfair, and there is plainly a legitimate interest in knowing who the ICO is talking to about a project into which the office is putting significant resources, and which will have an impact on products or services that may affect millions of people. The determination to hide this basic information and avoid scrutiny of the sandbox process undermines the credibility of the project itself, and makes the ICO’s claim to be an effective defender of public sector transparency ever more hypocritical.

Worst of all, if disclosure of the attendees’ identity was the calamity for commercial sensitivity and personal data that the ICO claims it to be, there should be an immediate and thorough investigation of how the information I requested came to be revealed on the ICO’s website and twitter account. The entire event was recorded and a promotional video was released. Several attendees (whose names and companies I cannot be given because of confidentiality, data protection and commercial prejudice) are identified and interviewed on camera, while there are numerous shots of other attendees who are clearly identifiable. Either the ICO has betrayed the confidentiality and personal data rights of these people, putting their companies at direct commercial risk, or their FOI response is a cack-handed attempt to avoid legitimate scrutiny. Either way, I strongly recommend that the left hand and the right hand in Wilmslow make some rudimentary attempts to get to know one another.

Long ago, I was one of a number of online commentators described by the ICO’s comms people as a ‘driver of negative sentiment’. More recently, one of Denham’s more dedicated apologists accused me of being one of the regulator’s “adversaries”. I’m not a fan of the ICO, and I never have been. But this stinks. The determination to throw every conceivable exemption at a simple request to know who the ICO is talking to suggests that the office is afraid of scrutiny, afraid of having to justify what they’re doing and how they’re doing it. The incompetence of refusing to give me information that is on display on their website and Twitter account shows contempt for their obligations as an FOI regulator. The ICO has its head in the sand; as we drift out of the European mainstream into a lonely future on the fringes, their secrecy and incompetence should be matters of concern for anyone who cares about Data Protection.

A case in point(lessness)

The Information Commissioner did a bit of business in Hendon Magistrates’ Court recently, as SCL Elections was fined £15000 for breaching an enforcement notice. Long ago, Professor David Carroll made a subject access request to Cambridge Analytica. As Cambridge Analytica was based in the US where SARs do not apply, they passed it to SCL Elections, a related company established in the UK, to process his request. Having received a response, Carroll claimed it was inadequate and complained to the ICO. After some correspondence, SCL and Cambridge Analytica went into administration. The ICO then served SCL with an enforcement notice over Carroll’s SAR, and SCL failed to comply with or appeal it.

On the face of it, it’s a win – fines in the Mags for breaches of ICO notices are usually in the low thousands, and after more than a year of a multi-million-pound investigation into data analytics, this seems a rare example of something actually happening. Following the humiliation of the first GDPR enforcement notice against AIQ, which had to be withdrawn and replaced, and the Facebook £500,000 penalty which was immediately appealed, you could argue that it’s a solid result for Team Wilmslow.

But the ICO reaction is weird – their website misleadingly claims that SCL was ‘also known as Cambridge Analytica’. SCL was a shareholder in Cambridge Analytica but the two companies are separate and based in different countries. Moreover, the ICO press release states “In pleading guilty, the company has accepted it should have responded fully to Professor Carroll’s subject access request and the ICO’s notice in the first place” but this is not what reality suggests. SCL’s guilty plea was helpfully tweeted out by Denham’s hagiographer Carole Cadwalladr, and it clearly says that they were pleading guilty to failing to answer the notice, not to any ‘misuse of data’.

Denham seems stuck in the past. This prosecution is, she says, ‘the first against Cambridge Analytica’ and her comment implies it won’t be the last, despite the fact that both SCL and Cambridge Analytica are being wound up. Since May 2018, the ICO’s needle on GDPR has barely twitched beyond that abortive AIQ notice, but the noise on analytics has been deafening. Whatever Cambridge Analytica did back in 2016, a massive change like GDPR requires a Commissioner completely focussed on implementing it. Stories about delays and poor decisions at the ICO are rife in the Data Protection community at the moment; the ICO can’t even keep its website up and running, and yet Denham seems dedicated to fighting old battles like a Japanese soldier lost in the Pacific who doesn’t know WW2 is over.

I can’t see what the SCL case has achieved. Carroll has trumpeted the criminal nature of the prosecution, claiming it proves that CA was a ‘criminal enterprise’, but the case is a relic. Under GDPR / DPA 2018, ignoring an enforcement notice is no longer a criminal offence and so there will never be another case like this. SCL might have pleaded guilty, but the substantive question of whether they gave Carroll all the data he was entitled to remains unresolved. They didn’t admit that they hadn’t, and the court cannot order them to deliver any outstanding data even if the judge thought that they should. The punishment for ignoring an enforcement notice can only ever be a financial one – a fine on conviction under the old rules, a penalty from the ICO under the new. The ICO must have known this going in.

The idea, of course, is a data controller will comply with an enforcement notice rather than face the possible punishment, but when the ICO served the notice on SCL, they were already in administration, so they were unlikely to respond in the normal way. Indeed, as the administrators confirmed, the prosecution was only possible because they gave ICO permission to take it forward. In a bizarre twist, the administrators’ guilty plea also revealed that data relating to Carroll isn’t in their possession – it is stored on the servers seized by the ICO on the celebrated Night of the Blue Jackets. So we’re in the bewildering position of the ICO starting enforcement on a defunct company, aware that the enforcement in question cannot result in any personal data being disclosed, and in the full knowledge that any relevant information is actually in their possession. It’s DP enforcement designed by MC Escher. You have to wonder why ICO didn’t just give Carroll his data themselves.

Underneath the surface froth, there are some interesting issues. SCL’s approach to the ICO (as set out in the enforcement notice) is an exemplar in how not to deal with a regulator. In my former life as a Data Protection Officer, I was guilty of a ‘make them blink first’ approach to ICO case officers, but I never did anything as stupid as to make comparisons to the Taliban in my correspondence, or to demand that the ICO stop harassing my employer. More importantly, SCL committed a glaring tactical mistake by switching their approach mid-race. Initially, they answered Carroll’s request, but then u-turned into a claim that his request was invalid because he was a US citizen (hence the remark that he was no more entitled to make a request than a member of the Taliban). In my opinion, had they stuck to their guns and argued that there was no more data, the case would have been less appealing as an enforcement issue. In deciding to change tack, the onus is on them to convince the ICO of the change, rather than getting all holier-than-thou.

Equally interesting is Carroll’s claim that he should be treated as a creditor of the business, which he outlined to the FTProf Carroll argues that the data originally held by Cambridge Analytica actually belongs to the users and should be returned to them, despite the insolvency. “I am a data creditor — just like the financial creditors,” he says. “There are outstanding obligations to me.”

I think this argument is nonsense, but the idea that data subjects own their data is a popular myth (revived with enthusiasm by the introduction of the GDPR). The problem / advantage with personal data is that it can be easily and quickly replicated; I can take a copy of your data without your permission, but unlike a conventional theft, you still have it. You can get access to the data I hold about you under a SAR or portability, but once again, I give you a copy and keep my version. Only in limited circumstances can you request that I delete it, and there are many exceptions.

Admittedly, GDPR gives the subject more control over their data than before, but it doesn’t give them ownership. It’s misleading to suggest that a data controller doesn’t really own personal data when there are so many circumstances where they can obtain, disclose, retain or destroy it without the permission of the subject, and when the opportunities for the subject to object are so limited. I don’t think Carroll understands this, but it would be interesting to see his ‘creditor’ notion tested.

Teasing this out might have been a justification for the ICO to enforce on SCL, except for the obvious fact that these issues would never be raised by doing so. If SCL hadn’t pleaded guilty, the question for the court would be whether SCL breached the notice and nothing else. Because SCL made no attempt to comply with or appeal the notice, they never had much to argue about. The enforcement notice was remarkably misguided considering ICO actually holds the data, but it is a tribute to SCL’s ineptitude that they didn’t choose to highlight this by appealing.

According to Carroll, the fight goes on with other cases, so his beef with SCL / Cambridge Analytica might one day result in something interesting, but there’s nothing here. I don’t believe that the ICO has any business enforcing Data Protection on behalf of Americans when they’re so lackadaisical about doing so on behalf of people in the UK, and so this case is an almost offensive waste of resources. But even if you disagree, all they’ve achieved here is given the corpse of SCL a good kicking, with a result that doesn’t tell us anything about the future or very much about the past.

 

Regulating the FOIA into obscurity?

This is a guest post from the redoubtable John Slater, whose tireless efforts to hold DWP to account are a lesson in how FOI should be used. John has had real success in wrestling information out of a stubborn and secretive system, but the post describes the hurdles in the way of the applicant, and the shameful way in which the ICO makes things worse. It’s not a quick read but there’s a lot to say. I think anyone with an interest in how the benefits system operates, or how healthy the FOI system is at the moment should give it the time it deserves. I’m very grateful to John for writing it and letting me host it.

I suspect that most people reading this have experience of submitting a request for information (“RFI”) under the FOIA and all the frustrations that can come with it. Some people may have complained to the office of the Information Commissioner (“ICO”) while others may have just given up when their RFI was refused. I suspect that a smaller number of people, who had the time, appealed ICO decisions to the First-Tier and Upper Tribunals.

Via my involvement with the FOIA I have been dealing with the ICO for approximately 6 years. My interaction has ranged from normal FOIA complaints through to appeals to the First-Tier and Upper Tribunals.

Setting aside the minor issues one typically experiences with any large organization I have to say that my experience of dealing with the ICO has been very positive. Even when a decision notice (“DN”) went against me I could understand why and how that decision was reached. In respect of appeals to the First-Tier and Upper Tribunals I have nothing but praise for the people involved, even when I was appealing an ICO decision.

However, approximately 18 months ago things started to change for the worse. The time taken to respond to complaints seems to be inexorably increasing and the quality of the case work is deteriorating. I’ll use 3 of my current complaints to illustrate the problems that I and others are experiencing on a regular basis.

Case 1 – Universal Credit Programme Board Information Packs

In July 2017 I asked the DWP for the 3 most recent packs of information that were given to the Universal Credit (“UC”) Programme Board members at each monthly meeting. Given how controversial UC is and the history of the DWP being less than honest about it, this seemed to be a good route to try to find out what the senior people responsible for UC actually know and what they are doing about it.

For those not familiar with programme management terminology the programme board consists of senior people who are accountable and responsible for the UC programme, defining the direction of the programme and establishing frameworks to achieve its objectives. So apart from Neil Couling (senior responsible owner) and the secretary of state they are about as senior as it gets. The membership of the programme board can be found here:

https://www.whatdotheyknow.com/request/419990/response/1090823/attach/html/2/3044%20IR%20516%20IR%20604%20reply.pdf.html

Unsurprisingly the DWP refused my RFI on 16 August 2017 citing S.36. However it explained that it needed an extension to carry out the public interest test (“PIT”). On 14 September 2017 the DWP did exactly the same thing. This is a tactic that the DWP uses regularly and often issues monthly PIT extensions until the ICO becomes involved.

I complained to the ICO on 14 September 2017. On 22 November a DN was issued giving the DWP 35 calendar days to issue its response. On 3 January 2018 the DWP finally confirmed that it was engaging S.36 and that the public interest did not favour disclosure (I’ve yet to see a public interest test from the DWP that does favour disclosure). I submitted a revised complaint to the ICO on 9 January 2018 challenging S.36 and the public interest decision.

Despite the 5 month delay by the DWP the ICO bizarrely told me that I still had to exhaust the DWP internal review procedure before my complaint could be investigated. I had submitted 4 internal review requests (“IRR”) during the 5 months that the DWP treated the FOIA with such contempt. I know from previous experience that the DWP would use the same PIT ‘trick’ to delay answering my IRR. I explained this to the ICO and asserted that it has the authority to proceed without me having to submit another IRR. On 30 January the ICO accepted my complaint. I know about this from experience but I assume most people would have followed the ICO instruction and been stuck in another loop of 5 months until the DWP was told to issue its response to the IRR.

On 26 April my case was assigned to a case officer, just 3 months short of a year since I submitted my request to the DWP. Despite the DWP clearly citing S.36 the ICO allowed the DWP to get away with numerous delaying tactics and nothing happened for many months. Despite chasing the ICO on a number of occasions there appeared to be no progress. My patience ran out in October 2018 and I complained to the ICO about this and two other cases. On the face of it this appeared to have got things moving.

However, on 18 October 2018 I was told by the ICO that an information notice had been served on the DWP to obtain copies of the information I had requested. The DWP has 30 days to respond to these notices.

Whilst I’m not surprised by this (in fact I even suggested this was the case in my complaint) I struggle to understand how any organisation can investigate a complaint for almost 6 months without having a copy of the requested information. I can only hope that the DN I have been seeking for so long will appear at some point in 2018!

The delay has been so long that I have actually submitted another request for more current programme board packs. At the time of writing the DWP hasn’t provided a response within 20 days so that’s another complaint that I need to send to the ICO!

Case 2 – Aggregation of various RFIs

Between 4 February and 23 April 2018 the DWP aggregated 9 of my requests for information claiming that they were for the “same or similar” information. Well, what it actually said was:

We consider each of the seven requests to be of a similar nature as they all relate to either decision making or performance delivery of disability assessments on behalf of the Department for Work and Pensions.  In particular, all of the requests would be allocated to the same team for response as it falls within their specialised area. 

Under Section 12 of the FOI Act the Department is not therefore obliged to comply with your request and we will not be processing it further.

This seems to suggest that the DWP believes the requested information is the same or similar because they relate to activities it carries out and the teams that do them. This is a crude attempt to rely on the discredited concept of ‘overarching themes’ that was attempted in Benson v IC and the Governing Body of Buckinghamshire New University (EA20110016).  At [29] the Tribunal stated:

Whilst the Tribunal understood the Commissioner’s analysis the Tribunal felt that it was not compelling and relied on concepts that were not actually within the legislation – e.g. ‘overarching theme’. The Tribunal felt that any consequent uncertainty should, on balance, be resolved in the Appellant’s favour.

On 30 March I submitted a complaint to the ICO. My complaint involves 9 requests and deals with an important area of the FOIA, where there is very little precedent. A reasonable person might conclude that the ICO would be keen to act swiftly. On 27 April 2018 my complaint was assigned to a case officer so things were looking good. It is now coming towards the end of October and I have not had a single piece of correspondence from the ICO.

The requests that have been aggregated cover management information about how the DWP runs large controversial contracts that assess the eligibility for employment support allowance and personal independence payment (“PIP”). A previous RFI uncovered numerous problems with the quality of medical reports being produced for PIP assessments. This might explain why the DWP is so keen not to let me have the current information but not why there has been no progress by the ICO.

Case 3 – Datasets & Type of Data Held for Various Benefits About Claimants

On 26 February 2018 I asked the DWP to disclose the datasets and type of data it holds about various social security benefits. I am not asking for the actual data just the type of data and the “groups” or “sets” of data that it holds.

On 17 April 2018 the DWP refused my request citing S.31 (it eventually confirmed it meant section 31(1)(a))  and  S.24. After a further IRR the DWP reconfirmed its position and I complained to the ICO on 15 July. Some 3 months later on 11 October I was finally told that my case had been assigned to a case officer. Does this now mean I wait for a further 6 months before anything actually happens?

Conclusion

I know the ICO is very busy, partially due to the new Data Protection legislation, but the problems that I and others are experiencing can’t just be explained by “being busy”. Based on my previous experience of dealing with them I also don’t believe it is the fault of the case officers. These problems are due to serious organisational failings within the ICO. There doesn’t seem to be the type of business processes / workflow that one would expect to see in an organisation of this size. The line management oversight of case officers appears to be absent. Based on my own experience it seems to be that the line managers focus solely on protecting case officers while actually making matters worse for them as their workloads probably grow faster than they can cope with.

The ICO should have a small set of metrics about how it is dealing with cases. Surely line managers should be looking at cases where nothing has actually happened for 6 months and do something about it? The idea of management by exception has been around for a long time and yet I’m left with the impression that there are no exceptions set within the ICO and senior management have no impartial way of knowing what is actually going on at the case level.

People might wonder why this matters and that in these times of constrained budgets we should expect cases to take longer. I can’t accept this as one of the key drivers for the FOIA is that we get a chance to hold public authorities to account for their actions. For that to happen we need access to information while it is still relatively current.

It is generally known that there are certain large government departments that have very poor history in respect of FOIA. If someone requests information that these departments suspect will be embarrassing they will deliberately play the system to delay disclosure. From personal experience it’s all far too easy to do:

  1. Ignore the request completely until the ICO tells the department to respond (3+ months).
  2. Use the public interest test with impunity to introduce a 5 to 6 month delay before the requester can complain to the ICO about the exemption cited.
  3. 3 months before a case officer is assigned.
  4. At least 3 to 6 months before a DN is issued.

Total possible delay = 14 to 18 months.

The department can then appeal the DN to the First-Tier Tribunal (“FTT”), even if there is little chance of success. I’ve had 2 cases recently that have been appealed and then withdrawn just before the FTT hearing was due to take place. This added another 6 month delay let alone the cost to the public purse. If the DWP had actually gone through with the appeals and lost then that delay would probably be closer to 9 to 12 months.

This means that “playing the system” allows disreputable government departments to delay disclosure of embarrassing information by at least 2 years. Any media interest in the information can then be met with the claim that it is now ‘historical’ and things are better now.

A good example of this is the Project Assessment Review Reports (“PARs”) for the Universal Credit programme. I asked the DWP for these in April 2016 (see URL below):

https://www.whatdotheyknow.com/request/universal_credit_programme_proje#comment-82746

Using the delaying tactics described above and making the ICO issue an information notice to compel the DWP to release the PARs to them, they weren’t disclosed until March 2018. That’s a 2 year delay.

The ICO needs to sort out the internal delays that these government departments seem to be relying on. They also need to make sure there are meaningful consequences for public authorities that “play the system”. Writing strongly worded DNs telling public authorities off for abusing the system is meaningless. The ICO was highly critical of the DWP in its DN for the PARs case. A link to the DN is given below and the criticisms start at [62].

https://ico.org.uk/media/action-weve-taken/decision-notices/2017/2014762/fs50640285.pdf

The criticism has had absolutely no impact on the DWP.  It still regularly doesn’t reply in time and still produces “boilerplate” responses that have little bearing on the case in question.

As a result of the new GDPR and Facebook the Information Commissioner regularly seems to be in the media and was recently named as the most influential person in data-driven business in the updated DataIQ 100 list. I hear talk of the Commissioner being able to issue huge fines for data breaches and serving enforcement notices on organisations that are not complying with the FOIA.

The original white paper “your right to know” stated at [1.1]:

Unnecessary secrecy in Government leads to arrogance in government and defective decision-making. The perception of excess secrecy has become a corrosive influence in the decline of public confidence. Moreover, the climate of public opinion has changed; people expect much greater openness and accountability from government than they used to.”

If public authorities continue to be allowed to easily introduce delays of 2 years before disclosure then the regulator of the FOIA is failing in her role.  Before the FOIA we only had the thirty-year rule (now moving to the twenty-year rule) controlling when information was released to the public.

I suggest that we are rapidly approaching the situation where by default we have the “two-year rule” for information government departments do not want released. Unless the Commissioner does something about it that will slowly increase to the “three-year rule” and then the “four-year rule”. From my perspective its time the Commissioner stopped boasting about all the powers she has and started using them.