Cop out

On May 3rd 2018, Elizabeth Denham appeared on Channel 4 News as part of her long running commitment to generating headlines. Denham’s track record on the programme is not great – it was on the same programme in March that she adopted the interesting tactic (uniquely, as far as I can see) of informing an organisation in public and in advance that she planned to apply for a warrant to raid them, losing what might be a useful element of surprise in order to look tough in front of Jon Snow.

In the more recent interview, the Commissioner claimed that she had the power to fine directors and had done so. I made an FOI request about this, and the ICO admitted that “we do not have the power to directly fine directors“, directly contradicting what Denham said. You can tell me that ICO has the power to go after directors in limited circumstances that can result in a court issuing a fine and that must be what she meant (ICO did) but that’s not good enough. The DP regulator went on the telly and claimed to have a power she doesn’t have – it’s surely part of Denham’s job to increase understanding of Data Protection, not to muddy the waters.

In the same interview, Denham cheerily announced that she saw herself as a Sheriff of the internet. Arguably, she should be a Mountie but let’s leave that to one side. I assumed that the statement was a throwaway, not a serious statement of how Denham sees herself and her office. I was wrong. There’s a pattern. In a fawning profile by the Observer’s Carole Cadwalladr a few weeks ago, the Commissioner delivered a soundbite that I suspect is intended to epitomise the Denham Era: “Data crimes are real crimes“. And in the recently leaked DCMS Committee report into Fake News, she was at it again:

For the public, we need to be able to understand why an individual sees a certain ad. Why does an individual see a message in their newsfeed that somebody else does not see? We are really the data cops here. We are doing a data audit to be able to understand and to pull back the curtain on the advertising model around political campaigning and election

I think the misleading impression being created here could attract the label ‘fake news’ just as much as any of the internet nonsense Denham and her fanbase are supposedly against. Data crimes are usually not real crimes, and in most cases, the ICO are not the cops. The GDPR doesn’t make anything a criminal offence, and the offences under the Data Protection Act 2018, like those in its predecessor the 1998 Act, are specific. It’s a criminal offence to take, procure or sell personal data without the permission of the data controller; it’s an offence to re-identify depersonalised data (in circumstances so tightly defined I doubt there will be a successful prosecution), and it can be an offence to oblige someone to make a subject access request. Admittedly, the DPA 2018 is stricter in this area – offences under the DPA 1998 were not recordable so you wouldn’t get a criminal record if you committed them, a position that is sensibly reversed in the new version.

However, in some circumstances, the DPA 2018 is less oriented towards offences than the  DPA 1998. A breach of an Enforcement or Information Notice is no longer subject to prosecution, being punishable by a penalty instead. That might result in stricter punishments, but that depends on Wilmslow showing a willingness to use the powers, and in any case, it’s not a criminal sanction. The much-vaunted criminal prosecution of SCL by the Commissioner over David Carroll’s subject access request is doomed in my opinion, but if it goes ahead, it will almost certainly be the last prosecution for a breach of a notice. None of the DP offences are punishable with prison, and for all Denham’s bluster about being a data cop, she never publicly applies the pressure for custodial sentences. For all his faults, her predecessor Christopher Graham never missed an opportunity to do so.

If Facebook willingly shared its customers personal data with Cambridge Analytica, it would not be a criminal offence. If they reused their customers’ data and sold it to list brokers, it would not be a criminal offence. As drafted, the ‘victim’ of most data protection offences would be the data controller, not the person whose data is misappropriated, sold or misused. Denham wants to conjure up images of cops and robbers, but she’s misleading the public. Who knows, maybe she doesn’t want people to realise that the only sanction for the majority of data transgressions are monetary penalty that she has the power to approve. Maybe she means ‘data crimes should be real crimes‘, but if that’s the case, that what she should say instead of giving the wrong impression.

There’s another problem. By setting herself up as the Internet Sheriff, Denham is creating expectations I don’t believe she’s prepared to meet. In all her public appearances, the Commissioner is clearly trying to mark out the internet and new technology as her manor. Supporters like Cadwalladr are only too happy to play along. The Observer piece contains a brief but devastating verdict on thirty or so years of ICO work and four previous Commissioners: “a somewhat dusty regulator dealing in a niche topic“. I’m the last person to defend the ICO, but this writes off Wilmslow’s endeavours on phone hacking, union blacklisting, the lost HMRC data disks and many DP and PECR fines which even I can’t deny have changed behaviour for the better in many sectors. I can’t say that Denham endorses this trashing of her predecessors’ efforts, but she hasn’t repudiated it either. What must her staff think of it?

Strip away the recent headlines for prosecutions and £500,000 fines that haven’t actually happened yet, and Denham’s record is hardly the Data Protection equivalent of Wyatt Earp taking on the Clantons. When dealing with the misuse of 1.6 million people’s data by the Royal Free Hospital and the AI company owned by Google (exactly the kind of tech territory we’re supposed to believe she wants to police), Denham’s ICO asked the Royal Free to sign an undertaking. There is no automatic sanction if they go back on it. Faced with multiple instances of charities profiling potential donors in secret (not a million miles away from the kind of surreptitious data gathering that attracts her current ire), Denham’s response was reportedly to cut the originally proposed fines, such that Oxfam was fined just £6000. Late in 2017, Sheriff Denham issued an enforcement notice against the Ministry of Justice over shameful and long-running subject access backlogs that doubtlessly affected many people in desperate legal circumstances. She gave them eight months to comply and sneaked the notice out on the last working day before Christmas without a press release.

You can tell me that the ICO has consistently issued monetary penalties on Denham’s watch but so did Graham, though the double whammy of £400,000 CMPs on both TalkTalk and Carphone Warehouse weigh against my argument to some extent. But beyond those, Denham has done nothing revolutionary or interesting in enforcement. There has been no action on accuracy or retention, and little on the vital first principle beyond the charity cases that were obviously started under Graham.

Outwardly, Denham seems poised and plausible. Fate has dealt her the biggest data protection story in a decade and some overly sympathetic press coverage, so maybe she’s right to milk it and build up her part. There’s no question that she has a higher public profile than any of the Commissioners who have gone before her, and I know a lot of people in the DP world who think that this is automatically a good thing. I’m not convinced. I think ‘data crimes are real crimes’ could become as unhelpful a distraction as the pervasive ‘GDPR = consent’ myth, and nothing about the past two years convinces me that Denham really has what it takes to round up the internet’s outlaws. As always, I will delighted to be proved wrong; some eyecatching monster scalps is what I have spent years of blogging asking for, and it will make my job easier for the next few years. But unless she really pulls out the big guns, the Commissioner’s legacy may be less Gunfight at the IT Corral, and more Denham’s Last Stand.

 

The Naked Truth

The story of Damian Green’s porn-clogged computer has several facets, with a surprising number of them related to data protection. Whether it was a breach for former Deputy Commissioner Bob Quick to reveal that there was porn on the computer is hard to say for certain – I think Quick has a journalistic defence in revealing hypocrisy given that the Government is current waging a moralistic war on adult websites, but you are welcome to disagree. The fact that Quick has form for revealing information that he shouldn’t have only adds spice to the mix.

The question of why Green’s other accuser Neil Lewis still has his police notebooks raises more serious questions. Did he keep them without authorisation from the Met? If he did, this could be a criminal offence under Data Protection’s Section 55 for which Lewis would be liable. Did the Met Police fail to recover them properly? This would be a serious breach of the seventh data protection principle, for which the Met should expect to answer. In any case, I have to agree with those who say that public servants should respect confidences even after they leave the service. Sensitive material should never be retained by former officers of any organisation. I know my reaction to the story is clouded by the entertaining spectacle of seeing a politician caught with his pants down, or at least, unzipped. The question of how the story came to light needs to be interrogated.

Green’s use of the Shaggy Defence to claim that he knows nothing about the porn begs more questions. If he didn’t download it, this means that someone else did (none of the Tories defending him seem to claim that it doesn’t exist). Part of Green’s outrage when his office was raided in 2008 was the threat to the sanctity of Parliamentary Privilege and the confidentiality due to his constituents. In the light of this, Green needs to explain how it was possible for someone else to download porn onto his computer. The best case scenario for him is that this was the result of malware, rather than someone else being able to log into his computer without his knowledge. Of course, malware infecting an MP’s computer is a story in itself. Regardless of whether this story should be in the public domain, we can’t be expected to ignore it now. As someone who processes highly sensitive data about his constituents (as well as possibly other sensitive information), at some point Green has to explain who had access to his computer and what they were doing downloading porn. Or he has to admit that it was him.

I don’t know what, if anything, Green is guilty of, but his fellow Tory Nadine Dorries’ spectacular contribution on Saturday doesn’t allow for any ambiguity. The MP for Mid Bedfordshire has a habit of deleting tweets when she (or someone else running her account) realises how stupid they make her look, so I have screengrabbed this one and I reproduce it in full here:

My staff log onto my computer on my desk with my login everyday. Including interns on exchange programmes. For the officer on @BBCNews just now to claim that the computer on Greens desk was accessed and therefore it was Green is utterly preposterous !!

UPDATE: There’s more:

All my staff have my login details. A frequent shout when I manage to sit at my desk myself is, ‘what is the password?

ANOTHER UPDATE: Robert Syms MP is at it as well

As a constituency MP, Dorries will be handling sensitive correspondence on a wide variety of matters, and she has publicly confirmed that access to information is open to a wide variety of people, including interns on exchange programmes. To this, there is no defence. The seventh data protection principle states that a data controller must have in place appropriate technical and organisational security measures to prevent “unauthorised or unlawful processing of personal data, and against accidental loss of or destruction of or damage to personal data“. This means a mix of technical measures like passwords and encryption and organisational measures like ensuring that passwords are not shared or written down. Dorries has confirmed she has authorised password sharing in her office – which is bad enough in itself because it means passwords are spoken aloud or written down, greatly increasing the chance of the password being known to someone nefarious. But worse than that, she says specifically that a wide group of people share her login. There is no way of knowing who has accessed what, because even if the intern has done it, it looks like Nadine was the person responsible.

The only way that Dorries has not admitted a clear breach of Data Protection’s security principle is if she (or whoever wrote the tweet) is lying in order to defend Green,  which is quite the stupidest thing I can imagine.

There are several possible breaches here – Quick’s original revelations about Green, Lewis’ retention of his notebooks / the Met’s failure to recover them when he left, Green’s insecure computer equipment and Dorries’ admission of her completely lax security. While Quick and Green’s problems are somewhat murky, Lewis / Met Police and Dorries present much more straightforward issues for the Information Commissioner. Both should be investigated as a matter of urgency.

Given Dorries’ casual admission of the insecure way in which her office operates, a much wider investigation might be required. Elizabeth Denham has put huge resources into investigating the possibility of political use of analytics and big data in an unlawful way, even though it’s hard to imagine anything coming of it. On the other hand, here we have a sitting MP openly admitting that constituents’ data is unsafe – how many more of Dorries’ colleagues operate in a similarly unlawful fashion? I cannot complain to the ICO about these matters, as I am not affected by them. However, the issues are serious, and Wilmslow should step in immediately. A bland press release reminding MPs to process data safely is not good enough; the ICO needs to demonstrate that Data Protection law applies to MPs just as it does to the rest of us.

The Secret Seven

Last year, I wrote about the fact that Councillor Alex Ganotis, Labour leader of Stockport Council is also a group manager at the Information Commissioner’s Office. After an FOI request, the ICO admitted that he managed the teams responsible for complaints about political parties and local councils. At the time, I argued that this was an unacceptable conflict of interest, and something had to be done about it.

In May this year, shortly after being elected as Manchester’s new Mayor, Andy Burnham appointed Cllr Ganotis as his Environmental Tsar. You can watch a video of the announcement here, and ponder such fascinating questions as why Burnham’s nose is so red, or why throughout the first two minutes, the camera keeps cutting to a wide shot that captures Ganotis’ uncomfortable facial expressions while Burnham is talking. The announcement piqued my interest. If he was organising a grand summit of environmental worthies, would Cllr Ganotis really have time to work at the ICO? And if so, what effect would the review into political activities that Elizabeth Denham announced have on his role?

I made an FOI request to the ICO for the following information:

1) In 2016, the ICO confirmed to me that Alex Ganotis was manager of the team that dealt with complaints about councils and political parties, despite being Leader of Stockport Council at the time. Can you confirm whether Mr Ganotis is still a member of ICO staff, and if so, what is his current job, and what arrangements have been made to avoid any potential conflict of interest?

2) What is the current ICO policy and process for dealing with political party affiliations and potential conflicts of interest?

3) In August 2016, the Information Commissioner announced in an interview with the BBC’s Martin Rosenbaum that she had ordered a review of the involvement of ICO staff in political activities. I would like to see any report or findings arising out of the review, or other summary of the review and its findings, and details of any actions that were taken as a result of it.

4) I would like to receive all current declarations made by any member of staff of involvement in political activities

5) What specific measures have been taken in respect of each staff member who has made a declaration to ensure that there is no conflict of interest?

The response made for fascinating reading. For one thing, Cllr Ganotis remains a Group Manager at Wilmslow and although his group no longer deals with political parties, it still covers issues related to all local authorities in the UK except for those in Greater Manchester, Cheshire or Derbyshire. How politicians and others in every council outside the North West feel about complaints about their authorities still being supervised by the Leader of a Labour Council and a close ally of Andy Burnham is hard to judge. They might be thrilled. Maybe the ICO should ask them.

The report I received under item (3) of my request did contain an option to remove Cllr Ganotis from work involving local authorities altogether, but one of the reasons that this option was not recommended was the fact that “it could be seen to question the professionalism of Alex and other members of staff and their ability to apply the law without bias or political influence“. How Cllr Ganotis’ political career could possibly be seen to reflect on other people is beyond me, but it is jarring that a significant factor in the decision to keep him involved in council work might have been the effect on him, rather than the Commissioner’s ability to operate independently. To be blunt, the ICO as a whole is more important.

UPDATE: I have attached the ICO’s report into the conflict of interest here, so readers can judge whether how objective and balanced it is: Commissioner Information Note – Political Activities.pdf

Unless every team in the ICO handles complaints about local authorities (and to lesser extent, government), Cllr Ganotis should have been moved to one that doesn’t. Having decide to pursue a high-profile political career, asking him to make a sacrifice to avoid conflicts of interest and their perception would not be too much. I am surprised that Cllr Ganotis has not requested such a transfer himself. To risk even the perception of influence over decisions about politically-run organisations, and at the same time pursue a high-profile political career suggests either an enormous amount of faith in one’s ability to compartmentalise, or just old fashioned hubris.

The review identified gaps in the ICO’s Political Activities Policy, with recommended “updates” including a stipulation that staff must avoid party political activities which might impair their ability to perform their duties impartially, a requirement to inform the ICO if their activities or areas of responsibility change, and the scope to remove permission to undertake political activities if an individual’s ICO role or political activity changes. Needless to say, this means that none of this existed before.

The rest of the FOI request suggests a continuing unwillingness to face the issue of political involvement. Including Cllr Ganotis, eight staff members have made declarations of involvement in political activities, but the ICO refused to tell me who the other seven are, or what they do, claiming that the data is sensitive personal data. This is true, but it is not automatically a barrier to disclosure. For one thing, the Secret Seven could be asked for consent, and this is not the only route to disclosure.

There is surely a legitimate interest in knowing whether people working for an independent regulator such as the Commissioner have political affiliations, especially when you consider the ICO’s involvement in political matters. Over the past few years, the ICO has fined Leave.EU, David Lammy MP over his London Mayoral Campaign, the Daily Telegraph for its pro-Tory emails during the 2015 election, and in recent months, they took no action against Virgin Trains following Jeremy Corbyn’s antics in a train vestibule. More importantly, the Commissioner herself announced a formal investigation into the use of data analytics for political purposes with no small amount of fanfare, involving 20 staff. The ICO is knee-deep in politics and transparency over the declared political activities of the staff is in the public interest.

As the data is sensitive personal data, legitimate interests would not be enough; a condition must also be met from Schedule 3 of the Data Protection Act as well. One of the conditions is that the Data Subject has put their sensitive data into the public domain. If, for example, a senior ICO staff member was to mention on their LinkedIn page that they were a Councillor for 9 years, the Campaigns and Communications Officer for an MEP for five years, listed the Liberal Democrats as one of their main interests and was recommended for ‘politics’ and ‘political campaigning’ by dozens of people, I think I can argue that at least this one has manifestly made their political views public. The ICO refusal says “our staff do not have a reasonable expectation that their declarations would be disclosed into the public domain“, but the staff member in question was a candidate for the LibDems in the 2015 General Election, so I humbly suggest that the cat is out of the bag. Either this person is one of the seven, and the ICO’s arguments are false, or they haven’t made a declaration, and the ICO’s claim to me that “the review and policies are sufficient to demonstrate that we avoid conflicts in our work” is nonsense. Again, did they consider this before refusing me?

Every national, local, or internal party election or referendum runs on personal data, and personal data is exploited, analysed, shared, lost, stolen and misused in every single one of them. If you can name a major vote in this decade that hasn’t resulted in a DP snarl-up, you’ve a better memory than me. If there is one word that shines through everything the Commissioner sent me on this topic, last time and this time, it’s  complacency. The policies and procedures that existed before and the ones that have replaced them are built on an obvious assumption that a box needs to be ticked. Of course nobody is actually going to do anything untoward, the managers are on top of it, staff will proactively declare any conflicts of interest and besides, we have a procedure. But they thought it was all fine before. If I had not written my blog last summer, Cllr Ganotis would still be responsible for managing complaints involving his council, his party and his opposition.

I don’t think the Commissioner’s Office takes this seriously. I am amazed that Alex Ganotis is still allowed any influence over the ICO’s decisions about local government, regardless of how objective or benign that influence might be. I am appalled that anyone in the ICO’s senior management could think that this is acceptable. Every time the Commissioner acts or doesn’t act on a political issue, do we always need to ask: who was involved? What bias, conscious or unconscious, did they bring to bear? What other interests do they serve? In a world dominated by fake news and internet froth, the ICO’s independence and objectivity should be their highest priority. It isn’t.

Advertising standards

This week, the great and the good and some other people descend on Cambridge for the 30th Annual Privacy Laws and Business’ three day Data Protection Conference in Cambridge. It’s a big event, with Data Protection regulators, practitioners and a large collective noun of DP lawyers all milling around St John’s College listening to each other talk. I’ve only been once – no employer I’ve ever worked for wanted to pay, so I ended up pitching PLB a talk about crap Data Protection stories so I could get in for nothing. The cheapest possible ticket is a one day option for charities and the public sector at £437.50 +VAT; for 3 days, that goes up to £1242.50 + VAT, while someone working for a company with more than 500 employees will pay £1775 + VAT, plus more for accommodation or the optional Sunday night dinner. The college bars have extended opening hours in case you have more money to burn.

As PLB’s amusingly vulgar marketing makes clear, this is no dry academic event. For attendees with the requisite funds, the conference is an opportunity to ‘take your place at the privacy top table‘ and enjoy ‘Privileged Access‘ to the various Data Protection regulators in attendance. Emails from PLB promise that DP Authorities such as Helen Dixon from Ireland, Isabelle Falque-Pierrotin from France and our very own Elizabeth Denham will be available for ‘priceless informal one-to-one discussions’ and will be ‘pleased to engage you in discussion‘. Imagine that.

The UK’s Information Commissioner is being particularly accommodating this year. As well as being listed on the conference website as a ‘Supporter’ of this commercial event, the Commissioner herself is giving a talk on Tuesday and chairing another session while no fewer than five ICO staff members will be in attendance (a fact advertised by PLB in the ‘top table’ email). Perhaps most generously of all, Mrs Denham is the star of an advert for the conference, happily plugging the relaxed atmosphere and expert PLB staff while exhorting viewers to attend. And this is where I have a problem.

There’s nothing wrong with the ICO appearing at commercial events like this – big conferences are a legitimate way to make the organisation more visible and get messages out. It’s very different if the ICO is endorsing the event in question. The PLB conference is not a charity or public sector event – it is a commercial conference run for profit. The ICO’s speaking engagement policy says explicitly that ICO officers should avoid accepting invitations where ‘our attendance can be interpreted as ICO endorsement of a commercial organisation over those of competitors‘, and yet Denham has gone further than that, by actively promoting the conference and the expertise of PLB’s staff. The same policy states that the ICO logo must not be displayed when labelled as a ‘supporter’ – which is exactly what PLB are doing with the logo on their website.

I made an FOI request to the ICO about Denham’s appearance in the advert, asking for emails and other correspondence about why she agreed to do it. In the initial response, there was no evidence of an invitation, only emails arranging the filming itself. When I queried this, I was told that the original request was made and agreed to verbally last October, and while there may have been some follow-ups by email shortly thereafter, they will have been deleted because the ICO deletes all emails from everyone’s inbox after six months. So Denham, who famously burnishes her records management credentials, didn’t think it was worth keeping a record of why she had decided to endorse a commercial event, despite breaching her own speaking engagement policy and code of conduct by doing so.

The correspondence I did get was nevertheless illuminating. When I made my request, I used the word ‘advert’ because PLB were describing it as a ‘conference video’ and I wanted to underline what it really was. However, the word ‘advert’ is used routinely by ICO staff in their emails – there is no question that Denham and her staff perceived it as being something else. The content of Denham’s turn came directly from Stewart Dresner, PLB’s Chief Executive. Even specific phrases that she uses (the sickly ‘summer school‘ for example, at which she at least has the decency to laugh while saying) come direct from one of his emails to her. After it was filmed, Denham was keen to check that Dresner thought the video was OK, and he replied with a sentence that should have pulled everyone up short: “I greatly appreciate you taking this step and so effectively endorsing several important features of our conference” (my emphasis). The ICO is an independent regulator; endorsing commercial products or events should be beyond the pale. The ICO’s code of conduct is obviously based on the Civil Service Code, but they have adapted it in a key passage. The Civil Service Code says that officers should not use information they have obtained in the course of their work to favour others, but the ICO goes further:

You should not misuse your official position, or information acquired during the course of your duties, to further your private interests or those of others

If you are a member of the senior management team, or a member of staff who is either working on a contract or dealing with issues which could raise matters of substance, you should ensure that any possible conflicts of interest are identified at an early stage and that appropriate action is taken to resolve them.

 

Senior officers like Robert Parker, the ICO’s head of communications, and Steve Wood, recently appointed Deputy Commissioner after Rob Luke’s mysterious cameo appearance, were involved throughout this correspondence. Even if Denham didn’t think an endorsement could be problematic, her staff should have intervened. Most of the ICO’s senior management were at least copied into the emails I’ve received, and none of them identified a problem in the Commissioner personally endorsing a commercial event in breach of her own policies. There is a telling moment in the correspondence where Dresner complains that PLB were not aware of Denham giving evidence to Parliament. Dresner’s expectation is that PLB will be tipped off about such appearances: “we do suggest that you distinguish between your mass media list, who would receive some media releases, and your specialist media list, who would receive all of them“. It’s clear that Dresner expects special treatment – and why wouldn’t he? The Commissioner herself is advertising his conference.

Nobody at the ICO would ever recommend anything that I did or was involved in because I write stuff like this, so you might think this is all just sour grapes. Given that I don’t think the ICO is an effective regulator, I couldn’t seek their approval even if they would give it but in any case, I don’t want Wilmslow’s endorsement. If I have anything going for me as a itinerant jobbing consultant, it’s that I am independent and I encourage the people I deal with to think and act independently. What’s distasteful about this episode is that the Commissioner, for whom independence isn’t a bonus but a necessity, doesn’t seem to act in the same way. Using the regulator’s name to flog conference places should be inconceivable, and yet this is what Denham has done. However prestigious or expert they may appear, the Information Commissioner should not personally or corporately recommend or endorse commercial products and organisations. This shouldn’t have happened, and it must not happen again.

Analyse This

With no small amount of fanfare, the Information Commissioner Elizabeth Denham recently announced a “formal” investigation into the use of data analytics for political purposes. The use of targeted ads in political campaigns – especially those where the Right triumphed – has been much in the headlines, and the ICO clearly feels the need to react. Denham blogged on her website: “this investigation is a high priority for my office in our work to uphold the rights of individuals and ensure that political campaigners and companies providing services to political parties operate within UK law.”. The investigation was greeted with enthusiasm – the journalist Carole Cadwalladr who has made a lot of the running over analytics in the Observer was supportive and the Data Protection activist Paul-Olivier Dehaye hailed it as ‘very important’.

Saying that Facebook is probably abusing privacy rights (and acting as a conduit for the abuse of privacy rights) is a bit like saying that rain is wet. Some of Cadwalladr’s reports have drawn fascinating (if hotly disputed) links between various right-wing vampires like Nigel Farage, Dominic Cummings and Steve Bannon, and draw interesting (and hotly disputed) links between various Brexit campaigns and the tech firm Cambridge Analytica. Other of her stories are lame; a recent article complained that people Cadwalladr doesn’t approve of are outbidding people she does approve of when buying Facebook ads, which isn’t really news.

Worse than that, another article enthusiastically repeated Stephen Kinnock MP’s calls for an investigation into Tory data use, ignoring the fact that on the same day, Labour was hoovering up emails on its website without a privacy policy (which, like the marketing emails they will inevitably send) is a breach of Data Protection. The article makes the false claim that it is illegal to use data about political opinions without consent. Several people (including the chair of the National Association of Data Protection Officers) pointed this out to Cadwalladr, but the article is uncorrected at the time of writing. If you want to write about political parties and campaigns abusing data protection and privacy and you only acknowledge the dodgy things that one side gets up to, your allegations should not be taken too seriously. Politics is a swamp, and everyone is covered in slime. Given Cadwalladr’s shaky understanding of Data Protection law, it’s not hard to believe that her interest in the topic is mainly motivated by politics, and the ICO needs to be careful not to be sucked in.

It’s odd that allegations made to the ICO about data misuse by Owen Smith and Jeremy Corbyn, or candidates for the UNITE leadership have come to nothing, and yet here we have a formal investigation announced with great flourish into an issue that is largely perceived as affecting the right. I’m left-wing myself, but if Denham is going to take action over the political use of personal data, I expect her to be scrupulously even-handed.

However, I doubt very much whether action on this issue will ever happen. Just after the announcement, I made an FOI request to the Commissioner’s office about the nature of the investigation – how many people were involved and where from, what powers the ICO was using to conduct the investigation, and who the most senior person involved was. What I was trying to find out was simple – is this an investigation likely to lead to guidance or enforcement?

Here is what my FOI revealed (questions in bold, ICO answers below)

1) Under what specific powers is the investigation being carried out?

Initial intelligence gathering would fall under the general duties of the Commissioner to promote good practice (section 51) of the DPA. This may lead to use of investigatory powers and enforcement where necessary, under the provisions set out in Part V of the DPA, as well as the CMP powers at section 55A.  The Commissioner also has powers of entry and inspection under schedule 9 of the DPA.

2) How many members of staff are involved in the investigation?

It’s difficult to give an exact number, the ‘group’ involved will need to be established and documented in terms of reference which will be done shortly. At this stage, from the information we hold, we can say that 16 member of staff have been involved and another 4 members of staff are also expected to be involved as the investigation progresses.

3, 4 and 5-
 
What are the job titles of the staff involved?
What is the name of the most senior person involved in the investigation?
Which department and team do these staff belong to?

Senior Policy Officer – Private Sector Engagement
Group Manager – Private Sector Engagement
Policy Officer – Private Sector Engagement
Lead Communications Officer – Communication Planning
Senior Policy Officer – Public Policy and Parliament
Intelligence and Research Officer – Intelligence Team
Team Manager (Intelligence) – Intelligence Team
Lead Intelligence and research Officer – Intelligence Team
Team Manager – Enforcement (PECR) – Investigations
Group Manager (Public Policy & Parliament) – Public Policy and Parliament
Senior Policy Officer (Public Policy & Parliament) – Public Policy and Parliament
Team Manager (Enforcement Team 2) – Enforcement
Team Manager – Communications – Communications Planning
Head of Corporate Affairs – Communications Planning
Group Manager – Public Sector Engagement – Public Sector Engagement

The most senior person is Steve Wood – Head of International Strategy & Intelligence – International & Intelligence Management

*************************************************************************************

What does this tell us?

The main contributors are Engagement (which is presumably the successor to the old Strategic Liaison department whose chief role was holding hands with stakeholders), and policy (whose main contribution to the debate on big data is this endless and almost unreadable discussion paper). The most senior person involved is Steve Wood, who has an academic background. Of the 16 involved, just two are from Enforcement, outnumbered even by the comms staff. Apologists for Wilmslow will leap on that bit that says “This may lead to use of investigatory powers and enforcement where necessary“, but my response to that is an armpit fart. The ICO is starting from the perspective of promoting good practice run by an academic, which is just about the silliest response to this issue that I can think of.

Some areas that the ICO regulates are prime candidates for guidance. The public sector, charities and regulated industries are likely to be influenced by what the ICO says. Other areas – list broking and compensation claims spring to mind – are immune to policy and guidance, but politics is the best example. Politics is about power – if a party, campaign or individual can take power while breaching DP law, they will. It isn’t that they don’t understand the law, it is that they don’t care. No political party or campaign will be influenced by ICO guidance, and to pretend otherwise is childish. All major political parties (Labour, LibDems, SNP, Tory) have received a PECR Enforcement Notice over automated calls, and yet they flout PECR all the time with emails and yet more calls, as anyone who heard from David Lammy knows only too well. Even when the ICO fined Leave.EU during the referendum, the campaign’s reaction (“Whatever”) could not have been more derisive because they could afford to pay the fine. Either the ICO comes into politics using its powers to the maximum possible extent against everyone (£500,000 penalties, or more useful, enforcement notices that are backed up by prosecution), or they should leave the field.

We already know that the outcome of this investigation will be revealed long after the election is over, when anything that the Commissioner says or does will have no effect on the real world. On the evidence of my FOI, I predict there will be no fines, no enforcement notices, no action. There will be a long, thorough and thoughtful report that nobody in politics will pay attention to, and only people like me will read. The first task of the Supervisory Authority under GDPR is to ‘monitor and enforce’. Long ago, when I worked there, the joke went around the ICO that senior officers operated under the mantra ‘thinking is doing’, as an excuse to avoid taking any action. I don’t care if no senior officer ever actually said this – on big strategic issues, the ICO has always laboured under this approach. Denham’s first big splash was to follow through on charity enforcement when the easy choice was to back down. She deserves praise for that decision. However, If there is an international right-wing conspiracy to hijack democracy across the world, I don’t think a thought symposium is going to save us.