We need to talk about Ardi

This week, Private Eye reported that the publishers Kogan Page had withdraw a book about the GDPR by Ardi Kolah, after they received allegations of plagiarism from several sources. Most references to the GDPR Handbook have been scrubbed from Kolah’s online history and Kogan Page’s website is terse, to say the least. The fate of Kolah’s book is interesting not only because the high profile author is involved in both Henley Business School’s GDPR course and the British Computer Society’s Data Protection Certificate, but because Kolah has repeatedly sought to build his reputation through an association with the Information Commissioner, Elizabeth Denham.

The ‘About the Author’ section of his book describes Kolah as having “worked closely” with Denham, and there is some substance to the claim. Not only did Denham write the foreword for the book (and also for Kolah’s luxury leather-bound edition of the GDPR), she invited him to be one of the judges of her inaugural Data Protection Officer award.

Denham’s foreword describes him admiringly as a veteran of the Data Protection sector. She describes the UK’s data protection community before her arrival from Canada as a “small group of people ready to help each other out to raise standards“. She claims Kolah was someone who “flew the flag for data protection many years before it broke into the mainstream with the GDPR“. After some flannel, she returns to the theme: “Ardi and others of his generation often walked a rather lonely path in their efforts to have data protection taken seriously by the mainstream” and praises the book as “authoritative“.

I made an FOI request to the ICO asking if she wrote the foreword because I had a sneaking suspicion that Kolah himself might have been the author. The response was emphatic: “The Commissioner wrote the foreword and was the author of the Word document that was sent to Mr Kolah with the foreword in it. Mr Kolah had no input in the content of the foreword, did not ask for any input and did not ask for any copy approval of the foreword. The version sent to him on 6th April represented the Commissioner’s final wording to appear in the book unedited and unabridged.” This means that Denham is entirely responsible for the claims about Ardi Kolah’s career in Data Protection that appear in the foreword, and I think that’s a problem.

For most of his career, Kolah has been a PR guy. He worked as head of communications or PR for a variety of different organisations between 1995 and (at least) 2012. He worked for the BBC up until 1995, but after that, he did PR for Arthur Andersen, Cancer Research and Logica among others. His own CV on LinkedIn shows him as ‘Global Head of Public Relations’ for Brit Insurance until 2012. The notion that Kolah was flying the flag for Data Protection for “many years” and he was part of a generation of people who worked thanklessly in the DP mines is plainly unsustainable. Even now, his Twitter account describes him as a “Commentator on all things sales and marketing and social media“. Kolah’s own timeline doesn’t mention Data Protection until 2012, when he says founded a company called Go DPO, and even so, it’s hard to square his version with other available information.

An experienced training consultant called Darren Verrian is also on LinkedIn, and he  says that he started work on Go DPO in May 2015, three years after Kolah. This is interesting because Verrian describes himself as ‘co-founder’ of the business. Furthermore, Companies House shows that on 2nd June 2015, Kolah and Verrian registered two companies, one called Go DPO EU Recruitment (which was dissolved in February 2018), and another called Go DPO EU Compliance (which is still trading). Subsequently, they registered Go DPO EU Advisory Services in February 2016 (dissolved in March 2018), and finally Go DPO EU Consultancy Services in August 2017 (also still trading). Weirdly, despite his claim that he was running Go DPO in 2012, a company called Genworth Financial announced on 28th May 2012 that they had hired Kolah as their Director of Communications. Kolah doesn’t mention Genworth Financial anywhere on his LinkedIn CV.

I think it’s impossible to reconcile Denham’s claims about Kolah’s longstanding involvement in Data Protection with his own CV, but the contradiction between Kolah and Verrian’s respective claims and the facts on Companies House make it worse. As far as I can see, Ardi Kolah is not a Data Protection veteran: he’s just good at PR. Since I started to make mischief at his expense, several people have approached me with stories of Kolah’s error-strewn, self-promoting performances at conferences, and his now-disgraced book is an bloated mix of turgid management-speak and basic errors.

I didn’t identify the examples of apparent plagiarism or report them to Kogan Page, but I have seen them and it’s obvious to me why the publishers withdrew the book. I think Kolah owes everyone who bought the book an apology, and Kogan Page owes them a refund (I’m aware that they did offer a refund to at least one purchaser on the proviso that he returned the book). Perhaps Kolah did Data Protection work before May 2015 but I can’t find it. Maybe he can reconcile his and Verrian’s accounts and explain why no variant of a company called Go DPO was registered in 2012. But even if 2012 really is when he started, the way Denham characterises him in her foreword is at best wildly exaggerated, and a slap in the face for those of us who really have been working on UK data protection for a long time.

Moreover, unless he can refute the plagiarism allegations (and having seen what they’re based on, it would require a lot more than spin to achieve that), I think Kolah should resign from three of his current roles. There is no way that someone guilty of plagiarism should have a role on an exam board, at a prestigious business school or as Editor-in-Chief of a widely published journal. If he does not, then the BCS, Henley Business School and the editorial board of Journal of Data Protection and Privacy (many of whom are quoted in the book endorsing it) should sack him. They cannot be seen to tolerate plagiarism. Whether his friends at Amplified Business Content (who organise many of the conferences that Kolah speaks at) or Hitachi (who employ him as a part-time DPO) still think he’s an appropriate person to work with is none of my business.

A more important question than the fate of Mr Kolah is what this mess says about Elizabeth Denham. Kolah trades on his ‘close working relationship‘ with the Commissioner. Denham should have shut down this inappropriate use of her name, but instead, she promoted both Kolah’s book and the man himself by asking him to be a judge of the DPO award. When I made an FOI request to the ICO about Denham’s relationship with Kolah, they were in denial, refusing to accept that writing a foreword was an endorsement:

it may be helpful to note that we do not consider that writing a foreword in an official capacity to be an endorsement or to be otherwise advertising a commercial product. A decision to write a foreword or review is normally taken on the basis of the ICO being aware of the author’s standing as a practitioner or expert, and the value the book adds to the information rights community

ICO comments received by Private Eye suggest that while Denham definitely wrote the foreword, she may not have even read the book. Kolah sent it to her, but the ICO said she did not study the book, relying instead on her ‘prior confidence‘ in the author. Along with several other people, I have asked the ICO to show what evidence Denham relied on to make her assertions about Kolah’s long history in UK data protection. They admit that no such information is held. Denham made assertions to support her friend and help sell his book, and I don’t think she can substantiate them.

The Information Commissioner should not endorse commercial products, and this isn’t the first time she’s been willing to lend her authority when doing so. Kolah’s book has turned out to be damaged goods, but if she’d had the sense not to endorse anything, she wouldn’t have this problem. What this says about Denham’s judgement isn’t pretty, and I think it’s untenable for her to stay silent on the matter. Rather than throwing spokespersons under the bus, Denham should explain it herself. What due diligence did she do on Kolah? Did anyone even Google him? Why does she think he’s got a long and distinguished career in Data Protection when he hasn’t? And most of all, how can she assure us that she’s independent when she can be persuaded to make a mistake as big as this?

 

Live and Let Dai

To say that anything connected with GDPR is the worst example of its kind is a foolhardy business. I’ve read so many terrible articles, LinkedIn posts and Tweets about GDPR, to single any one of them out and say ‘THIS ONE IS THE WORST’ seems pointless. Most of them are bad. However, after watching 33 minutes of waffle, padding and gleefully misinformed bullshit, I am reckless enough to say that the intellectual property lawyer Dai Davis’ talk here is the worst presentation or talk I have seen about the GDPR in any format.

Admittedly, the trainer in me hated it because of the incompetence – Davis has to keep going back to the podium to change slides because he hasn’t brought a remote, and he pads the talk out with protracted questions to the audience that don’t add anything to what he is saying. When someone intelligent-sounding in the audience takes him on by asking a proper question, he runs a mile.

More seriously, a good chunk of the talk is taken up with an attempt to create a formula for how much you should spend on data protection compliance based on the likelihood of being fined. It’s an eye-catching and controversial thing to throw out in a conference, but I don’t believe even Davis knows what point he’s making. Is he really saying that a every organisation should spend a meaningless, averaged-out €2000 to comply with GDPR, or is that just a flourish? Every organisation is different to another, and will have radically different priorities and appetites for risk, so trying to create a standardised methodology is so random and unhelpful, I don’t think it’s a serious point.  Given the number of basic mistakes and baseless assertions he makes in such a short time, however, the only thing I can add to his calculations is that however much you spend on GDPR, you should probably not spend it on advice from him.

I may not have got them all, but here is as full a collection of all the blunders as I could manage:

  • Davis cannot remember how many deputies the Commissioner has, but he knows that it’s between 11 and 13. There are 3 deputies (James Dipple-Johnstone, Paul Arnold and Steve Wood); there have never been more than 3.
  • Davis consistently gets the name of the ICO wrong – it’s almost always the ‘Information Commission Office’, although he varies it at least once with ‘Information Commission Data Protection Officer’ (he wasn’t talking about their DPO). To be charitable, it might be because he’s talking quickly, but the errors are relentless. He clearly thinks that Elizabeth Denham’s job title is ‘ICO’. because he calls her this repeatedly, and talks about what he would do if he was “the ICO“.
  • He asserts that the GDPR is not a ‘step change’ from the old legislation solely because it has lots of words, even though many of those words are very similar to words in the same order in the old version
  • He notes that there has not been a GDPR fine yet. Davis was speaking on May 30th, two days after the first 72 hours to *report* a relevant breach would have elapsed.
  • He asserts several times that in theory “every single breach” has to be reported to the ICO. This is completely false. There is a specific definition of a breach in the GDPR and incidents that do not meet a certain threshold of risk do not have to be reported.
  • He says that telecoms companies had to report breaches to the ICO since 2012. Communications providers have had this duty since 2011, not just telecoms companies.
  • Davis claims that public sector bodies self-report breaches to the ICO because they have no idea about how to take a commercial risk. There is the problem that public sector bodies are not commercial organisations by and large, so that argument makes no sense, but it’s also factually incorrect. To take one example, NHS bodies (the example shouted out by an audience member) have been obliged by the operation of the Information Governance Toolkit to report breaches to the ICO since at least 1st June 2013 (I think it was actually earlier than this, but that’s the one given in a Toolkit document that Davis could have found with a single Google search if facts were something he had any curiosity about).
  • Davis claims that the ICO is not really responsible for prosecutions for S55 offences, despite talking exclusively about prosecutions that the ICO carried out.
  • He includes the prosecutions in his calculations for the risk of being fined by the ICO, seemingly unaware that fines and prosecutions are two entirely distinct activities, with S55 prosecutions being against individuals rather than organisations. Throughout, Davis talks about the ICO enforcing on ‘people’, so I don’t know if he knows that the penalties were issued against data controllers.
  • He says that there were 18000 complaints in 2016 and the ICO has done nothing about nearly all of them. As someone who thinks the ICO is crap, even I have to acknowledge that most of these complaints were resolved informally and the absence of a fine does not mean that nothing happened. In quite a few cases, the complaint would not have been valid, and so no action would be appropriate.
  • He twice says that the maximum penalty for a breach under the DPA 1998 was £5,000,000; it was £500,000.
  • He quotes the head of the ICO’s ‘Breach Notification Division’, which does not exist.
  • He claims that the GDPR contains more loopholes that requires the ICO to hire criminal lawyers. The standard of evidence for a GDPR breach is balance of probabilities, and GDPR removes the requirement to prove damage or distress for a monetary penalty.
  • He says the ICO has 700 staff – they haven’t recruited these staff yet.
  • He tells a story of how he tells his hotel clients (who, if they exist, have my pity) that they cannot claim to be GDPR compliant because they use “mobile telephones” and allow their staff to send text messages. According to Davis, it is impossible to use mobile phones securely.

At the point where Davis says “smart lawyers like me“, my jaw did not drop, it fell off.

Leaving aside how garbled and smug Davis’ performance is, you might wish to charitable and take on his central thesis – that you probably won’t get a GDPR fine. He’s right. There have been relatively few penalties under Data Protection thus far and so the risk of getting one is relatively small. I cannot disagree with this banal point because I have made it myself any times. However, I can’t tell if his conclusion is simply that nobody should bother complying or whether there would have been a ‘however, you should comply because…’ moment, because there isn’t a conclusion. Presumably because he has run out of time, Davis just stops. So what, Dai? What’s your point? What should the audience do with this information? Should they just ignore GDPR?  There’s definitely a sense of this when he says that 10 years from now, the owner of a B&B will not know what GDPR is.

If Davis had the guts or the discipline to get to a conclusion that GDPR doesn’t matter, that would have been something. His contempt for detail would still be an impediment, but ‘Ignore GDPR’ is an assertion worth tackling. I could counter by arguing that the threat of a fine isn’t a good reason to comply, but respecting human dignity and avoiding harm to real people though inaccuracy, intrusion and insecurity is, but Davis never stops circling the airport, so I don’t even know if that’s what he’s saying.

If his contention that organisations don’t have the ability to measure risk effectively and need to get GDPR in perspective, that’s actually a good point, but he makes it so incompetently that again I’m not motivated to take him on. I have grudging sympathy for the idea that reputational damage is an overhyped risk (again, it’s not a point he makes clearly), but I know that many in the Data Protection world would passionately disagree, and I suspect that they could use Facebook’s current woes as evidence that public perception over data misuse isn’t something that boardrooms can ignore.

In the end, I think Davis is a clever man pontificating about a subject he neither cares for or understands, but the danger is that people will watch the talk and be contaminated by it. You could argue that I am making it worse by drawing attention to it solely so I can take the piss. All I can say is, the talk is out there. People will see it. As this is the case, if you find his argument (such as it is) attractive, it’s worth pointing out how sloppy and ill-informed his thinking is. It’s worth asking if this is the ‘Ignore GDPR’ guy, why would you listen to him?

Cop out

On May 3rd 2018, Elizabeth Denham appeared on Channel 4 News as part of her long running commitment to generating headlines. Denham’s track record on the programme is not great – it was on the same programme in March that she adopted the interesting tactic (uniquely, as far as I can see) of informing an organisation in public and in advance that she planned to apply for a warrant to raid them, losing what might be a useful element of surprise in order to look tough in front of Jon Snow.

In the more recent interview, the Commissioner claimed that she had the power to fine directors and had done so. I made an FOI request about this, and the ICO admitted that “we do not have the power to directly fine directors“, directly contradicting what Denham said. You can tell me that ICO has the power to go after directors in limited circumstances that can result in a court issuing a fine and that must be what she meant (ICO did) but that’s not good enough. The DP regulator went on the telly and claimed to have a power she doesn’t have – it’s surely part of Denham’s job to increase understanding of Data Protection, not to muddy the waters.

In the same interview, Denham cheerily announced that she saw herself as a Sheriff of the internet. Arguably, she should be a Mountie but let’s leave that to one side. I assumed that the statement was a throwaway, not a serious statement of how Denham sees herself and her office. I was wrong. There’s a pattern. In a fawning profile by the Observer’s Carole Cadwalladr a few weeks ago, the Commissioner delivered a soundbite that I suspect is intended to epitomise the Denham Era: “Data crimes are real crimes“. And in the recently leaked DCMS Committee report into Fake News, she was at it again:

For the public, we need to be able to understand why an individual sees a certain ad. Why does an individual see a message in their newsfeed that somebody else does not see? We are really the data cops here. We are doing a data audit to be able to understand and to pull back the curtain on the advertising model around political campaigning and election

I think the misleading impression being created here could attract the label ‘fake news’ just as much as any of the internet nonsense Denham and her fanbase are supposedly against. Data crimes are usually not real crimes, and in most cases, the ICO are not the cops. The GDPR doesn’t make anything a criminal offence, and the offences under the Data Protection Act 2018, like those in its predecessor the 1998 Act, are specific. It’s a criminal offence to take, procure or sell personal data without the permission of the data controller; it’s an offence to re-identify depersonalised data (in circumstances so tightly defined I doubt there will be a successful prosecution), and it can be an offence to oblige someone to make a subject access request. Admittedly, the DPA 2018 is stricter in this area – offences under the DPA 1998 were not recordable so you wouldn’t get a criminal record if you committed them, a position that is sensibly reversed in the new version.

However, in some circumstances, the DPA 2018 is less oriented towards offences than the  DPA 1998. A breach of an Enforcement or Information Notice is no longer subject to prosecution, being punishable by a penalty instead. That might result in stricter punishments, but that depends on Wilmslow showing a willingness to use the powers, and in any case, it’s not a criminal sanction. The much-vaunted criminal prosecution of SCL by the Commissioner over David Carroll’s subject access request is doomed in my opinion, but if it goes ahead, it will almost certainly be the last prosecution for a breach of a notice. None of the DP offences are punishable with prison, and for all Denham’s bluster about being a data cop, she never publicly applies the pressure for custodial sentences. For all his faults, her predecessor Christopher Graham never missed an opportunity to do so.

If Facebook willingly shared its customers personal data with Cambridge Analytica, it would not be a criminal offence. If they reused their customers’ data and sold it to list brokers, it would not be a criminal offence. As drafted, the ‘victim’ of most data protection offences would be the data controller, not the person whose data is misappropriated, sold or misused. Denham wants to conjure up images of cops and robbers, but she’s misleading the public. Who knows, maybe she doesn’t want people to realise that the only sanction for the majority of data transgressions are monetary penalty that she has the power to approve. Maybe she means ‘data crimes should be real crimes‘, but if that’s the case, that what she should say instead of giving the wrong impression.

There’s another problem. By setting herself up as the Internet Sheriff, Denham is creating expectations I don’t believe she’s prepared to meet. In all her public appearances, the Commissioner is clearly trying to mark out the internet and new technology as her manor. Supporters like Cadwalladr are only too happy to play along. The Observer piece contains a brief but devastating verdict on thirty or so years of ICO work and four previous Commissioners: “a somewhat dusty regulator dealing in a niche topic“. I’m the last person to defend the ICO, but this writes off Wilmslow’s endeavours on phone hacking, union blacklisting, the lost HMRC data disks and many DP and PECR fines which even I can’t deny have changed behaviour for the better in many sectors. I can’t say that Denham endorses this trashing of her predecessors’ efforts, but she hasn’t repudiated it either. What must her staff think of it?

Strip away the recent headlines for prosecutions and £500,000 fines that haven’t actually happened yet, and Denham’s record is hardly the Data Protection equivalent of Wyatt Earp taking on the Clantons. When dealing with the misuse of 1.6 million people’s data by the Royal Free Hospital and the AI company owned by Google (exactly the kind of tech territory we’re supposed to believe she wants to police), Denham’s ICO asked the Royal Free to sign an undertaking. There is no automatic sanction if they go back on it. Faced with multiple instances of charities profiling potential donors in secret (not a million miles away from the kind of surreptitious data gathering that attracts her current ire), Denham’s response was reportedly to cut the originally proposed fines, such that Oxfam was fined just £6000. Late in 2017, Sheriff Denham issued an enforcement notice against the Ministry of Justice over shameful and long-running subject access backlogs that doubtlessly affected many people in desperate legal circumstances. She gave them eight months to comply and sneaked the notice out on the last working day before Christmas without a press release.

You can tell me that the ICO has consistently issued monetary penalties on Denham’s watch but so did Graham, though the double whammy of £400,000 CMPs on both TalkTalk and Carphone Warehouse weigh against my argument to some extent. But beyond those, Denham has done nothing revolutionary or interesting in enforcement. There has been no action on accuracy or retention, and little on the vital first principle beyond the charity cases that were obviously started under Graham.

Outwardly, Denham seems poised and plausible. Fate has dealt her the biggest data protection story in a decade and some overly sympathetic press coverage, so maybe she’s right to milk it and build up her part. There’s no question that she has a higher public profile than any of the Commissioners who have gone before her, and I know a lot of people in the DP world who think that this is automatically a good thing. I’m not convinced. I think ‘data crimes are real crimes’ could become as unhelpful a distraction as the pervasive ‘GDPR = consent’ myth, and nothing about the past two years convinces me that Denham really has what it takes to round up the internet’s outlaws. As always, I will delighted to be proved wrong; some eyecatching monster scalps is what I have spent years of blogging asking for, and it will make my job easier for the next few years. But unless she really pulls out the big guns, the Commissioner’s legacy may be less Gunfight at the IT Corral, and more Denham’s Last Stand.

 

The Naked Truth

The story of Damian Green’s porn-clogged computer has several facets, with a surprising number of them related to data protection. Whether it was a breach for former Deputy Commissioner Bob Quick to reveal that there was porn on the computer is hard to say for certain – I think Quick has a journalistic defence in revealing hypocrisy given that the Government is current waging a moralistic war on adult websites, but you are welcome to disagree. The fact that Quick has form for revealing information that he shouldn’t have only adds spice to the mix.

The question of why Green’s other accuser Neil Lewis still has his police notebooks raises more serious questions. Did he keep them without authorisation from the Met? If he did, this could be a criminal offence under Data Protection’s Section 55 for which Lewis would be liable. Did the Met Police fail to recover them properly? This would be a serious breach of the seventh data protection principle, for which the Met should expect to answer. In any case, I have to agree with those who say that public servants should respect confidences even after they leave the service. Sensitive material should never be retained by former officers of any organisation. I know my reaction to the story is clouded by the entertaining spectacle of seeing a politician caught with his pants down, or at least, unzipped. The question of how the story came to light needs to be interrogated.

Green’s use of the Shaggy Defence to claim that he knows nothing about the porn begs more questions. If he didn’t download it, this means that someone else did (none of the Tories defending him seem to claim that it doesn’t exist). Part of Green’s outrage when his office was raided in 2008 was the threat to the sanctity of Parliamentary Privilege and the confidentiality due to his constituents. In the light of this, Green needs to explain how it was possible for someone else to download porn onto his computer. The best case scenario for him is that this was the result of malware, rather than someone else being able to log into his computer without his knowledge. Of course, malware infecting an MP’s computer is a story in itself. Regardless of whether this story should be in the public domain, we can’t be expected to ignore it now. As someone who processes highly sensitive data about his constituents (as well as possibly other sensitive information), at some point Green has to explain who had access to his computer and what they were doing downloading porn. Or he has to admit that it was him.

I don’t know what, if anything, Green is guilty of, but his fellow Tory Nadine Dorries’ spectacular contribution on Saturday doesn’t allow for any ambiguity. The MP for Mid Bedfordshire has a habit of deleting tweets when she (or someone else running her account) realises how stupid they make her look, so I have screengrabbed this one and I reproduce it in full here:

My staff log onto my computer on my desk with my login everyday. Including interns on exchange programmes. For the officer on @BBCNews just now to claim that the computer on Greens desk was accessed and therefore it was Green is utterly preposterous !!

UPDATE: There’s more:

All my staff have my login details. A frequent shout when I manage to sit at my desk myself is, ‘what is the password?

ANOTHER UPDATE: Robert Syms MP is at it as well

As a constituency MP, Dorries will be handling sensitive correspondence on a wide variety of matters, and she has publicly confirmed that access to information is open to a wide variety of people, including interns on exchange programmes. To this, there is no defence. The seventh data protection principle states that a data controller must have in place appropriate technical and organisational security measures to prevent “unauthorised or unlawful processing of personal data, and against accidental loss of or destruction of or damage to personal data“. This means a mix of technical measures like passwords and encryption and organisational measures like ensuring that passwords are not shared or written down. Dorries has confirmed she has authorised password sharing in her office – which is bad enough in itself because it means passwords are spoken aloud or written down, greatly increasing the chance of the password being known to someone nefarious. But worse than that, she says specifically that a wide group of people share her login. There is no way of knowing who has accessed what, because even if the intern has done it, it looks like Nadine was the person responsible.

The only way that Dorries has not admitted a clear breach of Data Protection’s security principle is if she (or whoever wrote the tweet) is lying in order to defend Green,  which is quite the stupidest thing I can imagine.

There are several possible breaches here – Quick’s original revelations about Green, Lewis’ retention of his notebooks / the Met’s failure to recover them when he left, Green’s insecure computer equipment and Dorries’ admission of her completely lax security. While Quick and Green’s problems are somewhat murky, Lewis / Met Police and Dorries present much more straightforward issues for the Information Commissioner. Both should be investigated as a matter of urgency.

Given Dorries’ casual admission of the insecure way in which her office operates, a much wider investigation might be required. Elizabeth Denham has put huge resources into investigating the possibility of political use of analytics and big data in an unlawful way, even though it’s hard to imagine anything coming of it. On the other hand, here we have a sitting MP openly admitting that constituents’ data is unsafe – how many more of Dorries’ colleagues operate in a similarly unlawful fashion? I cannot complain to the ICO about these matters, as I am not affected by them. However, the issues are serious, and Wilmslow should step in immediately. A bland press release reminding MPs to process data safely is not good enough; the ICO needs to demonstrate that Data Protection law applies to MPs just as it does to the rest of us.

The Secret Seven

Last year, I wrote about the fact that Councillor Alex Ganotis, Labour leader of Stockport Council is also a group manager at the Information Commissioner’s Office. After an FOI request, the ICO admitted that he managed the teams responsible for complaints about political parties and local councils. At the time, I argued that this was an unacceptable conflict of interest, and something had to be done about it.

In May this year, shortly after being elected as Manchester’s new Mayor, Andy Burnham appointed Cllr Ganotis as his Environmental Tsar. You can watch a video of the announcement here, and ponder such fascinating questions as why Burnham’s nose is so red, or why throughout the first two minutes, the camera keeps cutting to a wide shot that captures Ganotis’ uncomfortable facial expressions while Burnham is talking. The announcement piqued my interest. If he was organising a grand summit of environmental worthies, would Cllr Ganotis really have time to work at the ICO? And if so, what effect would the review into political activities that Elizabeth Denham announced have on his role?

I made an FOI request to the ICO for the following information:

1) In 2016, the ICO confirmed to me that Alex Ganotis was manager of the team that dealt with complaints about councils and political parties, despite being Leader of Stockport Council at the time. Can you confirm whether Mr Ganotis is still a member of ICO staff, and if so, what is his current job, and what arrangements have been made to avoid any potential conflict of interest?

2) What is the current ICO policy and process for dealing with political party affiliations and potential conflicts of interest?

3) In August 2016, the Information Commissioner announced in an interview with the BBC’s Martin Rosenbaum that she had ordered a review of the involvement of ICO staff in political activities. I would like to see any report or findings arising out of the review, or other summary of the review and its findings, and details of any actions that were taken as a result of it.

4) I would like to receive all current declarations made by any member of staff of involvement in political activities

5) What specific measures have been taken in respect of each staff member who has made a declaration to ensure that there is no conflict of interest?

The response made for fascinating reading. For one thing, Cllr Ganotis remains a Group Manager at Wilmslow and although his group no longer deals with political parties, it still covers issues related to all local authorities in the UK except for those in Greater Manchester, Cheshire or Derbyshire. How politicians and others in every council outside the North West feel about complaints about their authorities still being supervised by the Leader of a Labour Council and a close ally of Andy Burnham is hard to judge. They might be thrilled. Maybe the ICO should ask them.

The report I received under item (3) of my request did contain an option to remove Cllr Ganotis from work involving local authorities altogether, but one of the reasons that this option was not recommended was the fact that “it could be seen to question the professionalism of Alex and other members of staff and their ability to apply the law without bias or political influence“. How Cllr Ganotis’ political career could possibly be seen to reflect on other people is beyond me, but it is jarring that a significant factor in the decision to keep him involved in council work might have been the effect on him, rather than the Commissioner’s ability to operate independently. To be blunt, the ICO as a whole is more important.

UPDATE: I have attached the ICO’s report into the conflict of interest here, so readers can judge whether how objective and balanced it is: Commissioner Information Note – Political Activities.pdf

Unless every team in the ICO handles complaints about local authorities (and to lesser extent, government), Cllr Ganotis should have been moved to one that doesn’t. Having decide to pursue a high-profile political career, asking him to make a sacrifice to avoid conflicts of interest and their perception would not be too much. I am surprised that Cllr Ganotis has not requested such a transfer himself. To risk even the perception of influence over decisions about politically-run organisations, and at the same time pursue a high-profile political career suggests either an enormous amount of faith in one’s ability to compartmentalise, or just old fashioned hubris.

The review identified gaps in the ICO’s Political Activities Policy, with recommended “updates” including a stipulation that staff must avoid party political activities which might impair their ability to perform their duties impartially, a requirement to inform the ICO if their activities or areas of responsibility change, and the scope to remove permission to undertake political activities if an individual’s ICO role or political activity changes. Needless to say, this means that none of this existed before.

The rest of the FOI request suggests a continuing unwillingness to face the issue of political involvement. Including Cllr Ganotis, eight staff members have made declarations of involvement in political activities, but the ICO refused to tell me who the other seven are, or what they do, claiming that the data is sensitive personal data. This is true, but it is not automatically a barrier to disclosure. For one thing, the Secret Seven could be asked for consent, and this is not the only route to disclosure.

There is surely a legitimate interest in knowing whether people working for an independent regulator such as the Commissioner have political affiliations, especially when you consider the ICO’s involvement in political matters. Over the past few years, the ICO has fined Leave.EU, David Lammy MP over his London Mayoral Campaign, the Daily Telegraph for its pro-Tory emails during the 2015 election, and in recent months, they took no action against Virgin Trains following Jeremy Corbyn’s antics in a train vestibule. More importantly, the Commissioner herself announced a formal investigation into the use of data analytics for political purposes with no small amount of fanfare, involving 20 staff. The ICO is knee-deep in politics and transparency over the declared political activities of the staff is in the public interest.

As the data is sensitive personal data, legitimate interests would not be enough; a condition must also be met from Schedule 3 of the Data Protection Act as well. One of the conditions is that the Data Subject has put their sensitive data into the public domain. If, for example, a senior ICO staff member was to mention on their LinkedIn page that they were a Councillor for 9 years, the Campaigns and Communications Officer for an MEP for five years, listed the Liberal Democrats as one of their main interests and was recommended for ‘politics’ and ‘political campaigning’ by dozens of people, I think I can argue that at least this one has manifestly made their political views public. The ICO refusal says “our staff do not have a reasonable expectation that their declarations would be disclosed into the public domain“, but the staff member in question was a candidate for the LibDems in the 2015 General Election, so I humbly suggest that the cat is out of the bag. Either this person is one of the seven, and the ICO’s arguments are false, or they haven’t made a declaration, and the ICO’s claim to me that “the review and policies are sufficient to demonstrate that we avoid conflicts in our work” is nonsense. Again, did they consider this before refusing me?

Every national, local, or internal party election or referendum runs on personal data, and personal data is exploited, analysed, shared, lost, stolen and misused in every single one of them. If you can name a major vote in this decade that hasn’t resulted in a DP snarl-up, you’ve a better memory than me. If there is one word that shines through everything the Commissioner sent me on this topic, last time and this time, it’s  complacency. The policies and procedures that existed before and the ones that have replaced them are built on an obvious assumption that a box needs to be ticked. Of course nobody is actually going to do anything untoward, the managers are on top of it, staff will proactively declare any conflicts of interest and besides, we have a procedure. But they thought it was all fine before. If I had not written my blog last summer, Cllr Ganotis would still be responsible for managing complaints involving his council, his party and his opposition.

I don’t think the Commissioner’s Office takes this seriously. I am amazed that Alex Ganotis is still allowed any influence over the ICO’s decisions about local government, regardless of how objective or benign that influence might be. I am appalled that anyone in the ICO’s senior management could think that this is acceptable. Every time the Commissioner acts or doesn’t act on a political issue, do we always need to ask: who was involved? What bias, conscious or unconscious, did they bring to bear? What other interests do they serve? In a world dominated by fake news and internet froth, the ICO’s independence and objectivity should be their highest priority. It isn’t.