Advertising standards

This week, the great and the good and some other people descend on Cambridge for the 30th Annual Privacy Laws and Business’ three day Data Protection Conference in Cambridge. It’s a big event, with Data Protection regulators, practitioners and a large collective noun of DP lawyers all milling around St John’s College listening to each other talk. I’ve only been once – no employer I’ve ever worked for wanted to pay, so I ended up pitching PLB a talk about crap Data Protection stories so I could get in for nothing. The cheapest possible ticket is a one day option for charities and the public sector at £437.50 +VAT; for 3 days, that goes up to £1242.50 + VAT, while someone working for a company with more than 500 employees will pay £1775 + VAT, plus more for accommodation or the optional Sunday night dinner. The college bars have extended opening hours in case you have more money to burn.

As PLB’s amusingly vulgar marketing makes clear, this is no dry academic event. For attendees with the requisite funds, the conference is an opportunity to ‘take your place at the privacy top table‘ and enjoy ‘Privileged Access‘ to the various Data Protection regulators in attendance. Emails from PLB promise that DP Authorities such as Helen Dixon from Ireland, Isabelle Falque-Pierrotin from France and our very own Elizabeth Denham will be available for ‘priceless informal one-to-one discussions’ and will be ‘pleased to engage you in discussion‘. Imagine that.

The UK’s Information Commissioner is being particularly accommodating this year. As well as being listed on the conference website as a ‘Supporter’ of this commercial event, the Commissioner herself is giving a talk on Tuesday and chairing another session while no fewer than five ICO staff members will be in attendance (a fact advertised by PLB in the ‘top table’ email). Perhaps most generously of all, Mrs Denham is the star of an advert for the conference, happily plugging the relaxed atmosphere and expert PLB staff while exhorting viewers to attend. And this is where I have a problem.

There’s nothing wrong with the ICO appearing at commercial events like this – big conferences are a legitimate way to make the organisation more visible and get messages out. It’s very different if the ICO is endorsing the event in question. The PLB conference is not a charity or public sector event – it is a commercial conference run for profit. The ICO’s speaking engagement policy says explicitly that ICO officers should avoid accepting invitations where ‘our attendance can be interpreted as ICO endorsement of a commercial organisation over those of competitors‘, and yet Denham has gone further than that, by actively promoting the conference and the expertise of PLB’s staff. The same policy states that the ICO logo must not be displayed when labelled as a ‘supporter’ – which is exactly what PLB are doing with the logo on their website.

I made an FOI request to the ICO about Denham’s appearance in the advert, asking for emails and other correspondence about why she agreed to do it. In the initial response, there was no evidence of an invitation, only emails arranging the filming itself. When I queried this, I was told that the original request was made and agreed to verbally last October, and while there may have been some follow-ups by email shortly thereafter, they will have been deleted because the ICO deletes all emails from everyone’s inbox after six months. So Denham, who famously burnishes her records management credentials, didn’t think it was worth keeping a record of why she had decided to endorse a commercial event, despite breaching her own speaking engagement policy and code of conduct by doing so.

The correspondence I did get was nevertheless illuminating. When I made my request, I used the word ‘advert’ because PLB were describing it as a ‘conference video’ and I wanted to underline what it really was. However, the word ‘advert’ is used routinely by ICO staff in their emails – there is no question that Denham and her staff perceived it as being something else. The content of Denham’s turn came directly from Stewart Dresner, PLB’s Chief Executive. Even specific phrases that she uses (the sickly ‘summer school‘ for example, at which she at least has the decency to laugh while saying) come direct from one of his emails to her. After it was filmed, Denham was keen to check that Dresner thought the video was OK, and he replied with a sentence that should have pulled everyone up short: “I greatly appreciate you taking this step and so effectively endorsing several important features of our conference” (my emphasis). The ICO is an independent regulator; endorsing commercial products or events should be beyond the pale. The ICO’s code of conduct is obviously based on the Civil Service Code, but they have adapted it in a key passage. The Civil Service Code says that officers should not use information they have obtained in the course of their work to favour others, but the ICO goes further:

You should not misuse your official position, or information acquired during the course of your duties, to further your private interests or those of others

If you are a member of the senior management team, or a member of staff who is either working on a contract or dealing with issues which could raise matters of substance, you should ensure that any possible conflicts of interest are identified at an early stage and that appropriate action is taken to resolve them.

 

Senior officers like Robert Parker, the ICO’s head of communications, and Steve Wood, recently appointed Deputy Commissioner after Rob Luke’s mysterious cameo appearance, were involved throughout this correspondence. Even if Denham didn’t think an endorsement could be problematic, her staff should have intervened. Most of the ICO’s senior management were at least copied into the emails I’ve received, and none of them identified a problem in the Commissioner personally endorsing a commercial event in breach of her own policies. There is a telling moment in the correspondence where Dresner complains that PLB were not aware of Denham giving evidence to Parliament. Dresner’s expectation is that PLB will be tipped off about such appearances: “we do suggest that you distinguish between your mass media list, who would receive some media releases, and your specialist media list, who would receive all of them“. It’s clear that Dresner expects special treatment – and why wouldn’t he? The Commissioner herself is advertising his conference.

Nobody at the ICO would ever recommend anything that I did or was involved in because I write stuff like this, so you might think this is all just sour grapes. Given that I don’t think the ICO is an effective regulator, I couldn’t seek their approval even if they would give it but in any case, I don’t want Wilmslow’s endorsement. If I have anything going for me as a itinerant jobbing consultant, it’s that I am independent and I encourage the people I deal with to think and act independently. What’s distasteful about this episode is that the Commissioner, for whom independence isn’t a bonus but a necessity, doesn’t seem to act in the same way. Using the regulator’s name to flog conference places should be inconceivable, and yet this is what Denham has done. However prestigious or expert they may appear, the Information Commissioner should not personally or corporately recommend or endorse commercial products and organisations. This shouldn’t have happened, and it must not happen again.

Analyse This

With no small amount of fanfare, the Information Commissioner Elizabeth Denham recently announced a “formal” investigation into the use of data analytics for political purposes. The use of targeted ads in political campaigns – especially those where the Right triumphed – has been much in the headlines, and the ICO clearly feels the need to react. Denham blogged on her website: “this investigation is a high priority for my office in our work to uphold the rights of individuals and ensure that political campaigners and companies providing services to political parties operate within UK law.”. The investigation was greeted with enthusiasm – the journalist Carole Cadwalladr who has made a lot of the running over analytics in the Observer was supportive and the Data Protection activist Paul-Olivier Dehaye hailed it as ‘very important’.

Saying that Facebook is probably abusing privacy rights (and acting as a conduit for the abuse of privacy rights) is a bit like saying that rain is wet. Some of Cadwalladr’s reports have drawn fascinating (if hotly disputed) links between various right-wing vampires like Nigel Farage, Dominic Cummings and Steve Bannon, and draw interesting (and hotly disputed) links between various Brexit campaigns and the tech firm Cambridge Analytica. Other of her stories are lame; a recent article complained that people Cadwalladr doesn’t approve of are outbidding people she does approve of when buying Facebook ads, which isn’t really news.

Worse than that, another article enthusiastically repeated Stephen Kinnock MP’s calls for an investigation into Tory data use, ignoring the fact that on the same day, Labour was hoovering up emails on its website without a privacy policy (which, like the marketing emails they will inevitably send) is a breach of Data Protection. The article makes the false claim that it is illegal to use data about political opinions without consent. Several people (including the chair of the National Association of Data Protection Officers) pointed this out to Cadwalladr, but the article is uncorrected at the time of writing. If you want to write about political parties and campaigns abusing data protection and privacy and you only acknowledge the dodgy things that one side gets up to, your allegations should not be taken too seriously. Politics is a swamp, and everyone is covered in slime. Given Cadwalladr’s shaky understanding of Data Protection law, it’s not hard to believe that her interest in the topic is mainly motivated by politics, and the ICO needs to be careful not to be sucked in.

It’s odd that allegations made to the ICO about data misuse by Owen Smith and Jeremy Corbyn, or candidates for the UNITE leadership have come to nothing, and yet here we have a formal investigation announced with great flourish into an issue that is largely perceived as affecting the right. I’m left-wing myself, but if Denham is going to take action over the political use of personal data, I expect her to be scrupulously even-handed.

However, I doubt very much whether action on this issue will ever happen. Just after the announcement, I made an FOI request to the Commissioner’s office about the nature of the investigation – how many people were involved and where from, what powers the ICO was using to conduct the investigation, and who the most senior person involved was. What I was trying to find out was simple – is this an investigation likely to lead to guidance or enforcement?

Here is what my FOI revealed (questions in bold, ICO answers below)

1) Under what specific powers is the investigation being carried out?

Initial intelligence gathering would fall under the general duties of the Commissioner to promote good practice (section 51) of the DPA. This may lead to use of investigatory powers and enforcement where necessary, under the provisions set out in Part V of the DPA, as well as the CMP powers at section 55A.  The Commissioner also has powers of entry and inspection under schedule 9 of the DPA.

2) How many members of staff are involved in the investigation?

It’s difficult to give an exact number, the ‘group’ involved will need to be established and documented in terms of reference which will be done shortly. At this stage, from the information we hold, we can say that 16 member of staff have been involved and another 4 members of staff are also expected to be involved as the investigation progresses.

3, 4 and 5-
 
What are the job titles of the staff involved?
What is the name of the most senior person involved in the investigation?
Which department and team do these staff belong to?

Senior Policy Officer – Private Sector Engagement
Group Manager – Private Sector Engagement
Policy Officer – Private Sector Engagement
Lead Communications Officer – Communication Planning
Senior Policy Officer – Public Policy and Parliament
Intelligence and Research Officer – Intelligence Team
Team Manager (Intelligence) – Intelligence Team
Lead Intelligence and research Officer – Intelligence Team
Team Manager – Enforcement (PECR) – Investigations
Group Manager (Public Policy & Parliament) – Public Policy and Parliament
Senior Policy Officer (Public Policy & Parliament) – Public Policy and Parliament
Team Manager (Enforcement Team 2) – Enforcement
Team Manager – Communications – Communications Planning
Head of Corporate Affairs – Communications Planning
Group Manager – Public Sector Engagement – Public Sector Engagement

The most senior person is Steve Wood – Head of International Strategy & Intelligence – International & Intelligence Management

*************************************************************************************

What does this tell us?

The main contributors are Engagement (which is presumably the successor to the old Strategic Liaison department whose chief role was holding hands with stakeholders), and policy (whose main contribution to the debate on big data is this endless and almost unreadable discussion paper). The most senior person involved is Steve Wood, who has an academic background. Of the 16 involved, just two are from Enforcement, outnumbered even by the comms staff. Apologists for Wilmslow will leap on that bit that says “This may lead to use of investigatory powers and enforcement where necessary“, but my response to that is an armpit fart. The ICO is starting from the perspective of promoting good practice run by an academic, which is just about the silliest response to this issue that I can think of.

Some areas that the ICO regulates are prime candidates for guidance. The public sector, charities and regulated industries are likely to be influenced by what the ICO says. Other areas – list broking and compensation claims spring to mind – are immune to policy and guidance, but politics is the best example. Politics is about power – if a party, campaign or individual can take power while breaching DP law, they will. It isn’t that they don’t understand the law, it is that they don’t care. No political party or campaign will be influenced by ICO guidance, and to pretend otherwise is childish. All major political parties (Labour, LibDems, SNP, Tory) have received a PECR Enforcement Notice over automated calls, and yet they flout PECR all the time with emails and yet more calls, as anyone who heard from David Lammy knows only too well. Even when the ICO fined Leave.EU during the referendum, the campaign’s reaction (“Whatever”) could not have been more derisive because they could afford to pay the fine. Either the ICO comes into politics using its powers to the maximum possible extent against everyone (£500,000 penalties, or more useful, enforcement notices that are backed up by prosecution), or they should leave the field.

We already know that the outcome of this investigation will be revealed long after the election is over, when anything that the Commissioner says or does will have no effect on the real world. On the evidence of my FOI, I predict there will be no fines, no enforcement notices, no action. There will be a long, thorough and thoughtful report that nobody in politics will pay attention to, and only people like me will read. The first task of the Supervisory Authority under GDPR is to ‘monitor and enforce’. Long ago, when I worked there, the joke went around the ICO that senior officers operated under the mantra ‘thinking is doing’, as an excuse to avoid taking any action. I don’t care if no senior officer ever actually said this – on big strategic issues, the ICO has always laboured under this approach. Denham’s first big splash was to follow through on charity enforcement when the easy choice was to back down. She deserves praise for that decision. However, If there is an international right-wing conspiracy to hijack democracy across the world, I don’t think a thought symposium is going to save us.

Small change

Some senior figures in the charity sector have sought to deal with the Information Commissioner’s recent enforcement against the RSPCA and the British Heart Foundation by suggesting that the ICO’s action is disproportionate and unfair. The fundraiser sorry, academic, Ian MacQuillin has written two blogs which touch on the theme, while a few days ago, Robert Meadowcroft, the Chief Executive of Muscular Dystrophy UK tweeted:

If the is impartial regulator it will investigate practices of and not simply pursue charities

As 2016 is now disappearing over the horizon, I thought it was worth testing the hypothesis that the ICO is taking disproportionate action against charities, and the fines and other enforcement against charities are unrepresentative. TL:DR – it’s complete nonsense.

In 2016, the ICO issued 34 civil monetary penalties – 11 under the Data Protection Act, and 23 under the Privacy and Electronic Communications Regulations (PECR). There are a number of different ways of looking at the figures, and none of them show any evidence of disproportionality.

1) Charity CMPs as a proportion of the total in 2016

Of the 34 penalties, 2 were against charities, so 6% of the ICO’s CMPs in 2016 were against charities.

2) Amount charities were fined, as a proportion of the total in 2016

The CMP total was £3,225,500. The total of CMPs issued against charities was £43,000. This is 1.3% of the total.

3) Proportion of Data Protection CMPs issued to charities in 2016

If you look only at the CMPs issued under Data Protection, the charity proportion is not insignificant – there were 11 DP CMPs, so the 2 charity CMPs are 18% of the total – the same as the police, 1 more than councils, but less than the private sector or the NHS (3 each). However, this is the only comparison where charities feature significantly, and they are not the dominant sector. The next two comparisons are also instructive.

4) Proportion of PECR CMPs issued to charities in 2016

None. This is despite widespread breaches of PECR by charities, including phoning donors who are on TPS and sending texts and emails without consent (for example, the vast majority of mobile numbers gathered via charity posters in 2016 were obtained in breach of PECR).

5) Proportion of CMPs issued for marketing related activities in 2o16

There were 21 PECR CMPs related to marketing, and 2 DP CMPs related to marketing, making 23 marketing CMPs in all. 2 were against charities, which is 9.5% of the total. Given the big charities’ disastrous approach to marketing, this relatively small number is astonishing.

6) Level of CMPs in 2016

The average DP CMP was £108,500; the average charity DP CMP was £21,500.

The average PECR CMP was £84,666.75; there were no charity PECR CMPs.

The highest DP CMP was £400,000; the highest charity DP CMP was £25,000.

7) Other enforcement in 2016

There were 22 enforcement notices issued by the ICO in 2016, 8 under DP and 14 under PECR. 1 of the 8 DP enforcement notices was against a charity, which is 4.5% of the total, or 12.5% of the total DP enforcement notices. Either way, it is a small percentage of the total. Again, if you count the number of marketing related enforcement notices, there were 15, of which 1 was against a charity. This is 6.6% of the total.

8) CMPs since 2010

There have been 69 DP CMPs since 2010 that I can find (they drop off the ICO’s website after a few years); 4 were issued against registered charities, which is 5.8% of the total. The average DP CMP was £114, 163, whereas the average charity was £78,250. It is worth noting that these figures are slightly skewed by the £200,000 penalty against the British Pregnancy Advisory Service, which is a registered charity but receives most of its funding from the NHS.

The CMP against the British Heart Foundation was the 8th lowest CMP overall, while the CMP against the RSPCA was the 9th lowest. The only organisations to receive lower penalties than the charities were small businesses, unincorporated associations, and a bankrupt lawyer.

There have been 47 PECR CMPs that I can find since 2012; none have been issued on charities, which is 0% of the total.

Conclusion

These figures will likely be different in 2017. The ICO has signalled that more DP enforcement against charities is coming, and so the proportion of DP penalties may rise when the totals are in, but that depends on a variety of different factors including the number of other penalties and the ICO’s general approach. However, when you look at the facts for 2016, MacQuillin and Meadowcroft are wrong. Despite years of ignoring the Data Protection and PECR requirements in favour of a flawed, fundraiser-driven approach, the ICO has not taken disproportionate action against the charities. The action taken is a small percentage of the overall total. Special pleading and blame-shifting will not help the sector. Compliance with the law will.

Any last requests?

A month ago, the redoubtable information rights expert and blogger Jon Baines wrote about an odd change on the ICO’s website. Just after the EU referendum vote, the ICO published a bold statement, calling for Data Protection standards in the UK to be equivalent to those in the EU. Shortly after, the statement disappeared. Around a week later, it was replaced by something more bland. Jon wondered why the ICO had resiled from their original position. He was, however, fortunate to receive a comment from an ICO spokesman:

“We noted the debates about different options that emerged following the referendum result and we decided to move to a simpler statement to avoid being too closely associated to any one particular position”

I believe that this statement is untrue.

After a conversation with Jon, I made an FOI request to the ICO for “Any recorded information on the decision to remove the statement, including who made the decision to remove it, and why it was removed“. Remarkably, the ICO claims to hold just one email that is relevant to my request (I’m not convinced, so I am following this up), but I think it’s reasonable to conclude that the ICO did not change the statement because they “noted the debates“. They changed the statement because the Department for Culture, Media and Sport, the government department responsible for Data Protection, asked them to.

A DCMS official emailed Christopher Graham, the former Information Commissioner, directly on 28th June:

Screen Shot 2016-08-26 at 09.07.02

The revised version is identical to the statement that you’ll find here on the ICO website.

The DCMS position is understandable – a few days after an unexpected vote, it’s not hard to imagine that they hadn’t reached a final position on GDPR. I’d be surprised if they were certain now, frustrating as that might be for the likes of me. But when the DCMS talks about it being far to early for “us” to be so definitive, they are not talking about the ICO, which is legally separate from and independent of Government. If the former Commissioner and his staff believed that the DPA is out of date and not fit for purpose, they were right to say so. Bear in mind that the statement in question was made after the vote, not when the ICO view could in any way have influenced its outcome (or when such an allegation could be made). DCMS are free to disagree with them, and indeed to ignore them if they so choose. I think GDPR-lite is a terrible idea, but they can pursue if they think it’s right. I’m not even sure I want to criticise the DCMS request – it’s quite clearly not an instruction.

However, for the ICO to change their statement (and by default, their official position on the GDPR) is a significant and worrying step. The ICO’s position can be identical to the DCMS one, but only if that’s because the ICO thinks DCMS is correct. It would be in no-one’s interests for the ICO to challenge and contradict DCMS merely to show that they’re nobody’s poodle. But Wilmslow’s reaction to the Brexit vote was clear, and now it’s not. Was the original position wrong? Is there any reason why the ICO cannot be allied to one particular position if they think it’s the right one?

Equally, if the ICO is going to change its public position, it should be honest with the public about why it is doing so. The statement on the ICO website says

At the annual report launch on 28 June 2016, Information Commissioner Christopher Graham updated the ICO statement

Whereas, what it should say is:

At the request of the DCMS, at the annual report launch on 28 June 2016, Information Commissioner Christopher Graham updated the ICO statement

As embarrassing as this might be, if the ICO is content to follow the debate about the future of the GDPR in the UK rather than leading it, it should be honest enough to admit that this is their position. I’ve already blogged about the bizarre situation that the ICO team that deals with complaints about political parties and councils are managed by a serving Labour Council leader. Here is another situation where the ICO’s ability to make robust, independent decisions appears to be compromised.

This depressing episode happened in the dying days of the previous Commissioner’s tenure; more than ever, I am glad that he is gone. We have a new Commissioner about whom I have seen and heard nothing but encouraging things. I can only hope that when faced with decisions like this in the future, Elizabeth Denham takes an more independent approach.

Caesar’s Wife

In May 2016, the Labour member for Heatons North, Alex Ganotis, became Leader of Stockport Council, having been a councillor for some years. A month or so later, I read a story mentioning him in the Manchester Evening News, and his name rang a bell. Alex Ganotis is also a Group Manager at the Information Commissioner’s Office – I know this because he has signed hundreds of FOI Decision Notices on behalf of the Commissioner.

I made an FOI request to the ICO to find out more about Mr Ganotis’ role – in particular, I wanted to know how likely it was that a professional politician might be involved in complaints to the ICO involving political parties or local government. If Mr Ganotis worked on financial services or health, for example, he would need to maintain a high degree of professionalism and neutrality, but there would be no immediate conflict of interest. So I asked the ICO what team he manages. The answer:

Mr Ganotis manages a team of staff who deal with complaints and concerns about councils and political parties

I had to read this several times before I could take it in.

The ICO’s Policy on party political activities is helpfully published on its website. It makes reassuring reading:

The ICO is an independent body and it is important for it to be free from party political bias, and to be clearly seen and acknowledged as being free from such bias……. It is of paramount importance that the ICO is acknowledged as being free from party political bias and influence. The work that we do can often be of a politically sensitive nature and any substantiated allegations of bias would have serious repercussions for the future of the ICO.

The policy sets out a process through which an ICO employee can gain approval for party political activities. I asked when Ganotis went through this process, and the ICO revealed that he was approved in October 2008, which means that his dual ICO / councillor role went on for nearly eight years before he became Leader – he did not seek re-approval when he became Leader, so it seems that the ICO has not reassessed his role now he is a council leader, nor has he asked for this to happen.

I asked for recorded information about the approval process for his role. The ICO has nothing. I asked for any recorded information about measures taken to ensure, in the Policy’s words, that ‘potential for conflicts of interest’ have been minimised with regard to Mr Ganotis’ role. Nothing is held. The ICO added “Mr Ganotis’ line manager and his peers are responsible for assigning decision notices and make a judgement on a case-by-case basis as to what he is assigned, taking into account whether individual cases could pose a potential conflict of interest.” There are no formal arrangements, no written criteria or parameters, nothing to measure or audit against. The ICO enthusiastically fines organisations hundreds of thousands of pounds for failing to maintain properly documented processes, but in the case of having a professional politician managing a team that deals with hundreds of complaints about political parties and councils, the ICO itself sees no need for rigour. Trust whoever decided that this is OK, Wilmslow says, because we have nothing else to offer.

Mr Ganotis is a Group Manager, answering to a Head of Department, but the ICO’s response makes clear that the former Information Commissioner himself, Richard Thomas, approved of the arrangement: “the Commissioner at that time was made aware of his standing and subsequent election“. When I wrote this blog originally, I assumed it was Christopher Graham who was Commissioner, but he did not take over until 2009. ICO trivia fans may remember that Graham was himself once a councillor (for the Liberal Party) and a twice-unsuccessful parliamentary candidate – one wonders if he knew about Ganotis’ status, and if he did not, why nobody told him.

Anyone who has political beliefs or leanings and works in local or central government knows the awkward but vital requirement to set those beliefs aside and act neutrally in the public interest. As a Labour voter in every election since 1992, I have done it myself. It is not easy, but you don’t need to be a saint to achieve it. I cast no doubt on Mr Ganotis’ personal integrity, or ability to do the same. But anyone who thinks that’s the point just needs to Google the title of this blog.

Mr Ganotis has signed hundreds of FOI decision notices on behalf of the Information Commissioner, exercising the Commissioner’s statutory powers. Those notices include  councils across the UK, and government departments run by ministers who, in his other role, Mr Ganotis publicly opposes, and he has been doing so for years. The ICO disclosed to me a spreadsheet of the cases that Ganotis’ team has dealt with since January 2014 (records before that are routinely destroyed). A quick glance at the organisations concerned give a flavour of the issues that pass across the team’s desk in just one month. In July 2016, I can see the Labour Party (8 times), Momentum, Saving Labour, and Progress. It is hard to imagine any team would be more steeped in politics and arguments about political activity than this one, and the (former) Information Commissioner decided that a professional politician was the right person to manage it.

Over the past few years, the Labour Party has carried out its obnoxious and unfair purge, struggled with allegations of member data misuse on all sides (Corbyn, Momentum and Owen Smith), and demonstrated the traditional party blindness to PECR. I have myself blogged sorrowfully but repeatedly about Labour’s Data Protection and privacy woes for several years. In all of that time, only David Lammy’s doomed automated calls have faced any enforcement action (and he wasn’t even an official Labour candidate in the election concerned). To be clear, I have no evidence of any influence being brought to bear on this. But, as the ICO’s own policy states explicitly, “the organisation does seek to ensure that the potential for conflicts of interest is minimised as is the possibility of the ICO being accused of being politically biased“. In this, Mr Ganotis, his line manager and the former Commissioner have failed, and failed spectacularly. How can anyone in politics have confidence in the ICO’s decisions?

Any FOI decision notice involving a council or a government department signed by Mr Ganotis could be tainted, and there are hundreds of them. The ICO’s failure to take action against the Labour Party for a consistently terrible approach to Data Protection and privacy issues is no longer just over-caution, but potentially something far more objectionable. Every case Mr Ganotis has been involved in could be perfect, but the ICO cannot guarantee this with a straight face; their own policy recognises the problem of perception, but their practice is blind to it. They could have moved Ganotis at any point since 2008 to another job of equal standing, and the problem would have evaporated. He is still in place.

That Mr Ganotis could not see that continuing to manage a team responsible for complaints about political parties and councils was incompatible with his role first as councillor and then as Council Leader raises a question about his judgement. That the ICO’s management was either unwilling or incapable of identifying and remedying the potential conflict of interest is a matter of serious public concern.

I have spent a decade and a half criticising, satirising and annoying the ICO in the hope that for no other reason than to spite me, they will become a more effective, more enthusiastic regulator of Data Protection. But this is too much. This is a genuine failure of governance. It could pollute a host of formal decisions (and indecisions) stretching back for years. It has to be dealt with.

I don’t understand how Mr Ganotis could ever sensibly manage the team responsible for political parties and enjoy the confidence of the public. Richard Thomas and Chris Graham should have stopped it, and I hope that the new Commissioner will ask questions about how her managers and Human Resources team could allow such a shocking situation to occur. But if all this isn’t put right, if this bizarre conflict of interest continues acknowledged but unaddressed, we should all look very closely at every decision that emerges from Wilmslow with a more sceptical eye than even I thought possible.