Catch the Pidgeon

Even before the fundraising sector met its Data Protection nemesis in December, with two charities cruelly hung out on the rack, forbidden ever to raise funds again (CORRECTION: given two of the smallest fines in Data Protection history and not forbidden from doing anything), various blogs, and tweets showed that anguished tin-rattlers were confused about what they were accused of.

A classic of the genre was published just over a week ago by Third Sector, penned by Stephen Pidgeon, a “consultant and teacher” (one assumes modesty prevented the publication from mentioning that until recently he chaired the Institute of Fundraising’s Standards Committee, responsible for the until-recently legally incorrect Code of Fundraising Practice). Pidgeon made a series of assertions in his article, and the most important of them is wrong.

Pidgeon describes profiling as a serendipitous activity – a fundraiser innocently planning some door-drops (not a hint of pestering spam in this charming scenario, nor any resort to a data-mining outfit like Prospecting for Gold) happens to notice that a donor has sold a business, and so decides to add his details to an existing campaign. The scheme is ruined by the ICO who says: “That’s not allowed – it’s against the Data Protection Act without express permission“. As Pidgeon points out, the DPA is much vaguer than that. If the Commissioner had indeed said this, it would be nonsense. The problem is, they didn’t.

Both charity notices set out the ICO’s position on charity profiling – it cannot be secret. The same is true for data sharing and appending new data to records that the subject didn’t provide. Neither notice finds profiling without consent to be a breach. Admittedly, of the Data Protection only offers one other option to justify profiling in these circumstances (legitimate interests), but either Pidgeon doesn’t know what the notice says, or he is deliberately misleading his audience. The word ‘permission’ does not appear in either notice, and the word ‘consent’ isn’t mentioned either.

Pidgeon also asserts that wealth profiling is not confined to charities:

This issue is not confined to charities. Yet, in all the 100-plus ICO adjudications in 2016, I could not find a single commercial firm censured for wealth screening.

To be pedantic, they’re not unenforceable ‘adjudications’, they’re formal legal notices, and if you add up all of the DP and PECR monetary penalty and enforcement notices in 2016, you don’t get to 100. He might be including the undertakings, which could be compared to the blancmange adjudications that charities have grown used to, but they’re irrelevant in a conversation about enforcement. The more important point is that like others, including the fundraising apologist academic Ian McQuillin and the researcher Matt Ide, Pidgeon claims that everyone does wealth screening but only the charities are getting punished for it. The Daily Mail hasn’t exposed Marks and Spencers or Greggs for wealth screening – possibly because they’re good at keeping it secret, but a more likely explanation is that they don’t do it. Until someone in the charity sector shows evidence of another organisation doing secret profiling, it’s just a distraction from the fact that – as Pidgeon claims – most of the charity sector have been doing it unlawfully for years.

Many in the sector also seem persuaded that the ICO action is a weird anti-charity vendetta. MacQuillin’s contributions to the Critical Fundraising Blog pondered the mystifying question of why the data protection regulator has taken action when household name organisations have been exposed for breaching data protection. The ICO takes action for three reasons – an organisation reports itself for something, ICO gets lots of complaints about something, or something makes a big splash in the press. There were thousands of complaints about charity fundraising, but all went to the toothless Fundraising Standards Board, who hardly ever passed them on to ICO. So it was the Daily Mail’s headlines that did the trick – the heartbreaking story of Olive Cooke but more importantly for the ICO’s purposes, the flamboyantly unlawful way in which charities treated Samuel Rae, trading his data relentlessly with anyone who wanted it.

In pursuing his false claim about consent, Pidgeon derisively summarised what charities might have to say to prospective donors: “We want to find out how rich you are; tick here to agree”! As a first draft, this has some merit, but a charity involved in wealth screening should also add ‘We want to know whether you are worth more alive or dead‘. The consent claim is a red herring, but perhaps unwittingly, Pidgeon has hit on the real problem for fundraisers: daylight. The foundation of Data Protection is fairness, and the only way to achieve it, regardless of whether consent is part of the mix, is to tell the subject the purposes for which their data will be used. Stretching the law as far as they can, the ICO has invented the concept of ‘reasonable expectations’. Reasonable expectations doesn’t appear in the Data Protection Act, but the ICO’s idea is that if you are only doing something that the person would expect, you don’t have to spell it out. One might take issue with this because it’s not in the Act, but it’s a sensible idea. The ICO’s emphasis has always been on being transparent over unexpected or objectionable processing.

Tesco’s Clubcard scheme is a useful example. Clubcard is a loyalty scheme, clearly based on profiling. The user knows that when they swipe their card, their purchases are analysed so that tailored offers and vouchers can be provided. Needless to say, Tesco also use the data for their sales and marketing strategy. If you look at the T&Cs for the Clubcard scheme, you will not find references to data sharing with third parties for wealth screening. They don’t need to – they can analyse your purchases instead. The user knows that profiling is inherent to the scheme, and they are not required to participate when shopping at Tesco. I have a Clubcard because I understand the system and I don’t believe that Tesco flogs my data. The profiling is the basis on which the whole thing operates. I have a choice about whether to shop at Tesco, and separately, whether to have a Clubcard when I do.

On the other hand, the RSPCA profiled seven million donors after they donated; presumably the lion’s share of all people who donated to the charity. The RSPCA did not tell people that this was the purpose for which their data will be used, and nobody outside the charity sector was aware of what was happening. Unlike Clubcard, donors could not participate without being screened and analysed by the charity. I have used the wealth-screening example on many of my training courses. The reaction is always surprise, and often revulsion.  Nobody ever leaps to the charity’s defence because secret profiling is a dodgy way to do business.

Pidgeon’s squeamishness about describing the process – the daft example of the story in the newspaper, his emphasis on data being gathered from the public domain – suggests that fundraisers are more ambivalent about their methods than they might like to admit. The existence of five facts in five separate publicly accessible places is different to the combination of those facts in one place, gathered with the intention of tailored marketing. A profile is greater than the sum of its parts, and people should be told that it exists. Pidgeon isn’t alone in his approach – Chris Carnie, the founder of ‘prospect research’ company Factary erroneously characterised myself and others as saying that using public domain data is “an intrusion into an individual’s privacy. That searching for a named individual in Companies House fundamentally affects the rights of that person“. All I said was that such research should be transparent, but this isn’t news that Carnie and his colleagues find palatable. Ide’s company goes as far as to assess the ‘ethical credentials‘ of a donor, which sounds a world away from noticing a story in a paper.

The Daily Mail is a revolting newspaper – the worst combination of small-minded, petty conservatism and curtain-twitching prurience. It is a matter of ongoing annoyance to me that the Mail is one of the very few national news outlets that covers Data Protection issues with any enthusiasm. I really wish the Guardian or the Times had exposed the ghastly exploitation of vulnerable people like Samuel Rae, or their hunger for information about possible donors. I wish Dispatches’ fine work on the shameful state of some fundraising call centres had got more attention. Nevertheless, none of this is the Mail’s fault, and fundraisers’ relentless blame-shifting needs to be called out for the cant that it is. Everyone knows whose fault this is.

The charity and fundraising sector isn’t in a mess over data protection because of the Daily Mail, and it isn’t there because of the Information Commissioner. This problem is the fault of some fundraisers and their agents not obeying the law, and trustees who didn’t ask them enough questions. MacQuillin claims that almost everything that has happened to the fundraising sector over the past two years is because of ‘fake news‘; Olive Cooke’s death wasn’t, her family says, the result of the spam tsunami that charities subjected her to. For one thing, this claim disgracefully ignores Samuel Rae, whose story would have caused the same interest even if it wasn’t the sequel to Olive Cooke. Moreover, it is itself fake news. If some of Pidgeon and MacQuillin’s compadres had done their job with a greater interest in the law, they wouldn’t be here now. This is the second or third time I have written this blog. With 11 more possible fines, and fundraisers still in denial about what they have done, I’ll probably have to write it again before long.

Human Wrongs

A few years ago I went to Strasbourg, home of the famous European Court of Human Rights. After admiring the building itself, I noticed a disabled man camping on the other side of the tracks that take visitors to the tram stop named, rather piously, ‘Droits De L’Homme’. He had a huge display in several languages, setting out the appalling injustice that the Court had dealt him by not upholding his case. There were several such men, who would no doubt have treated a ECHR victory as total vindication, but the loss was evidence only of the Court’s bias and corruption. I immediately thought of the notorious FOI applicant and progenitor of vexatious caselaw Alan Dransfield, and wondered if one day, he would be one of the poor souls, earnestly telling his sorry tale to tourists. This is unlikely of course, because Dransfield would spend his time shouting at every passer-by that they were a dickhead.

Nevertheless, the website ‘Amazon News Media’ chose to celebrate International Human Rights Day last month (10th December, diary fans) by publishing an open letter from Dransfield to the Justice Secretary Elizabeth Truss. Fans of Dransfield’s work will be pleased to see a number of familiar themes in the letter. Dransfield claims that the Information Commissioner’s Office is guilty of fraud and theft of public funds. There is ‘tangible evidence‘ that they, along with multiple public authorities, are involved in a conspiracy to pervert the course of justice:

The evidence of complicity between the ICO and Public Authorities seeking to avoid obligations under FOI by consistent misuse and abuse of Section 14/1 vexatious exemption is overwhelming

Dransfield doesn’t specify what the overwhelming / tangible evidence is, beyond asserting that he lost his case at the Court of Appeal, so QED: the fix is in. The letter makes a series of allegations about the ICO and demands that the Commissioner is sacked and replaced by himself. The allegations are a mixture of falsehood (he says that they don’t publish their register of interests when they do) and opinion (he claims it is a breach of an unspecified EU Trade law that the ICO usually uses 11KBW for legal services, ignoring the fact that they are the leading information law chambers in the UK). The only verifiable claim is the conflict of interest in having a council leader act as a manager of a team that deals with complaints about councils and political parties. Dransfield only knows about this because I did an FOI request about it and wrote about it here (inevitably, Dransfield spells his name wrong and the mistake slipped through Amazon News Media’s presumably robust fact checking procedures).

If you’re not familiar with it, the scale of the Dransfield conspiracy is breathtaking – construction companies including Balfour Beatty, multiple councils, the Health and Safety Executive, Dransfield’s MP Ben Bradshaw, the previous and current Information Commissioners and many of their staff, West Ham United, the Olympic Delivery Authority and various other Olympic bodies, former secretary of state Chris Grayling, myself, the Upper Tribunal, the Court of Appeal, the Supreme Court and the House of Lords, all working tirelessly to cover up the construction of a network of unsafe buildings and bridges across the UK. Only Dransfield has the insight to see the conspiracy in all its Byzantine complexity, and the entire UK legal system is ranged against him to stop his crusade.

There is, of course, another perspective, but Amazon News Media have seemingly backed Dransfield with gusto. The accompanying editorial hails “Mr Dransfield’s long experience as a social watchdog” and complains of his “extensive scapegoating” but demonstrates a slender grasp on the facts. For example, it claims that vexatiousness was planted at the second, Upper Tier Tribunal, rather than being a feature of the original refusal dealt with by the ICO. Moreover, like Dransfield, Amazon News Media make big play of the fact that it was the ICO who appealed to the Upper Tribunal and Court of Appeal, describing it as an “abuse” of the system. When Dransfield went to the First Tier Tribunal, he was appealing the ICO’s decision, not Devon’s original refusal. If the ICO disagrees with the FTT, it is they (and not Devon) who must take forward the appeal. The appeal process is not open only to the applicant – public authorities and applicants can challenge the Commissioner, but the Commissioner is entitled to challenge decisions that they think are wrong. This is how the system is designed, and Dransfield chose to use that system. Complaining about the result of a process you initiated is acting like the men outside the ECHR.

I put a comment on the Amazon News Media blog, pointing out that I had made 100s* of FOI requests without ever being refused as vexatious (the issue of Alex Ganotis’ role at the ICO just being one of many), pointing out that Dransfield’s hostility and abusive character is probably part of the problem. An unnamed representative of the organisation dismissed this – apparently, when Dransfield called the Information Commissioner Elizabeth Denham a ‘useless cow’ on Twitter, this was just “colourful language [that] perhaps reflects the insult of having your name unreasonably scape-goated for half a decade“. So perhaps the insult is Denham’s fault for not giving Dransfield the face-to-face meeting he’s been demanding since July. It’s an odd perspective, because Dransfield has been calling me a prick and a dickhead for disagreeing with him ever since this mess started.

I can’t work out who runs the Amazon News Media site – it describes itself as “an evidence-based website practising freelance written and video journalism“, but the website, Twitter account and Facebook page are all somewhat anonymous. The site itself is registered to a David Hodgson in New Zealand, but the nameless person who runs the Twitter account told me that it is based in Swansea. Whoever they are,

UPDATE: I know who they are. I’ve read all 59 pages of the judgement.

They have made a fatal error in their analysis of Dransfield’s case. The editorial states that Dransfield enjoys “superior knowledge of lighting protection systems, and Health and Safety regulations” – the problem is that this is irrelevant to the case. S14 of FOI has no public interest test – it’s not about the information, but the process.

The Information Commissioner, the two Tribunals and the Court of Appeal are not supposed to decide whether Dransfield is right about the unsafe buildings. For the record, I think the conspiracy is a complete fantasy, and Dransfield’s requests are the result of a grudge against his former employer, Balfour Beatty. None of Dransfield’s blood-curdling predictions about fatal lightning strikes have come true, and I am not aware of anyone in the UK Health and Safety sector who backs his theories (I’m famously an arsehole and lots of people agree with me about Data Protection despite this impediment).

None of this matters. The question in play is not one about Health and Safety. The question is whether Dransfield’s torrent of requests, complaints and other correspondence were an abuse of the FOI system. Dransfield had every opportunity to put his case before four independent bodies – one of them agreed with him, and the others did not. It’s not impossible for Dransfield to be right about the buildings (as unlikely as this may seem) and yet, because of his hostility, his stubbornness and the sheer weight of his requests, they tip into vexatiousness.

Ironically, despite Dransfield’s antipathy towards the ICO (and his misogyny towards the new Commissioner), his demand that the ICO sort out the vexatious issue is completely wide of the mark. Even if Denham accepted that he was right, she is powerless to reverse the Dransfield decision. If Wilmslow executed a volte face tomorrow, the Court of Appeal decision would still stand. Public authorities could use the CoA judgement against the ICO in the Tribunals who would be bound by it. Only the courts can change the decision – it is out of the Commissioner’s hands. It’s tempting to believe that Dransfield knows this, and he directs his rage toward the ICO solely because he enjoys it, rather than knowing it will change the outcome.

In the end, Amazon News Media grew tired of my interventions and refused to publish my final comment unless I edited out all of the mansplaining, repetition and “snark”. Instead of being censored, you can – if you wish – read the comments on ANM, and then, by way of a conclusion to all this, I reproduce the comment that they found so objectionable.

You can twist what I have said in any direction that suits you. The decisions that the ICO makes are, obviously, about the public interest (where that applies, and with some exemptions, it doesn’t). Sometimes they get those decisions wrong, sometimes they get them right. When a decision has been tested at several levels, and then looked at subsequently by differently constituted tribunals, you have two choices. Either you can believe that there is an enormous conspiracy to subvert the FOI Act, or you can look at the particular case and decide that maybe the system got it right. There is no inner truth here – you believe what you want to believe based on your own prejudices.

What I said above is that Mr Dransfield’s letter, your publication of it and your conspiracy theories about the legal system will have no practical effect. Truss will not intervene because it isn’t her place to intervene in legal cases. The European Court of Human Rights will not intervene, because Mr Dransfield has been refused leave to appeal there. These are facts – you can put a political / paranoid spin on them if you like, but the spin doesn’t change the facts. If you want to stop vexatious decisions being made under Dransfield, someone needs to take a case all the way to the Court of Appeal and get Dransfield overturned. Alternatively, the FOI Act will have to be amended in Parliament. Given that you think the entire legal system is corrupt, I assume you’re not much keener on MPs. Which makes all of the above a monumental waste of time. But at least it gives you and Dransfield something to do.

* ANM refuse to believe that I have made 100s of FOI requests without proof. Given that they are willing to turn an abusive blowhard into a Human Rights champion without any justification, I am content to say that I have, and if they or you don’t believe me, I don’t care.

** It has been suggested to me that in my comment above, I said that the Court of Appeal can overturn Dransfield, whereas the suggestion is that actually, only the Supreme Court can do it i.e. the court *above* the Court of Appeal. If this is right (and I suspect that it is), the difficulty of reversing Dransfield is greater.

Any last requests?

A month ago, the redoubtable information rights expert and blogger Jon Baines wrote about an odd change on the ICO’s website. Just after the EU referendum vote, the ICO published a bold statement, calling for Data Protection standards in the UK to be equivalent to those in the EU. Shortly after, the statement disappeared. Around a week later, it was replaced by something more bland. Jon wondered why the ICO had resiled from their original position. He was, however, fortunate to receive a comment from an ICO spokesman:

“We noted the debates about different options that emerged following the referendum result and we decided to move to a simpler statement to avoid being too closely associated to any one particular position”

I believe that this statement is untrue.

After a conversation with Jon, I made an FOI request to the ICO for “Any recorded information on the decision to remove the statement, including who made the decision to remove it, and why it was removed“. Remarkably, the ICO claims to hold just one email that is relevant to my request (I’m not convinced, so I am following this up), but I think it’s reasonable to conclude that the ICO did not change the statement because they “noted the debates“. They changed the statement because the Department for Culture, Media and Sport, the government department responsible for Data Protection, asked them to.

A DCMS official emailed Christopher Graham, the former Information Commissioner, directly on 28th June:

Screen Shot 2016-08-26 at 09.07.02

The revised version is identical to the statement that you’ll find here on the ICO website.

The DCMS position is understandable – a few days after an unexpected vote, it’s not hard to imagine that they hadn’t reached a final position on GDPR. I’d be surprised if they were certain now, frustrating as that might be for the likes of me. But when the DCMS talks about it being far to early for “us” to be so definitive, they are not talking about the ICO, which is legally separate from and independent of Government. If the former Commissioner and his staff believed that the DPA is out of date and not fit for purpose, they were right to say so. Bear in mind that the statement in question was made after the vote, not when the ICO view could in any way have influenced its outcome (or when such an allegation could be made). DCMS are free to disagree with them, and indeed to ignore them if they so choose. I think GDPR-lite is a terrible idea, but they can pursue if they think it’s right. I’m not even sure I want to criticise the DCMS request – it’s quite clearly not an instruction.

However, for the ICO to change their statement (and by default, their official position on the GDPR) is a significant and worrying step. The ICO’s position can be identical to the DCMS one, but only if that’s because the ICO thinks DCMS is correct. It would be in no-one’s interests for the ICO to challenge and contradict DCMS merely to show that they’re nobody’s poodle. But Wilmslow’s reaction to the Brexit vote was clear, and now it’s not. Was the original position wrong? Is there any reason why the ICO cannot be allied to one particular position if they think it’s the right one?

Equally, if the ICO is going to change its public position, it should be honest with the public about why it is doing so. The statement on the ICO website says

At the annual report launch on 28 June 2016, Information Commissioner Christopher Graham updated the ICO statement

Whereas, what it should say is:

At the request of the DCMS, at the annual report launch on 28 June 2016, Information Commissioner Christopher Graham updated the ICO statement

As embarrassing as this might be, if the ICO is content to follow the debate about the future of the GDPR in the UK rather than leading it, it should be honest enough to admit that this is their position. I’ve already blogged about the bizarre situation that the ICO team that deals with complaints about political parties and councils are managed by a serving Labour Council leader. Here is another situation where the ICO’s ability to make robust, independent decisions appears to be compromised.

This depressing episode happened in the dying days of the previous Commissioner’s tenure; more than ever, I am glad that he is gone. We have a new Commissioner about whom I have seen and heard nothing but encouraging things. I can only hope that when faced with decisions like this in the future, Elizabeth Denham takes an more independent approach.

Virgin Berth

If there could be anything worse than the provenance and target of a Wallasey brick spawning an industry of conspiracy theorists, then it’s probably the Burning Question of whether Virgin Trains East Coast’s release of CCTV images of Jeremy Corbyn spurning unoccupied seats to enjoy the proletarian solidarity of the vestibule floor breached Data Protection laws. If I get through today without reading The Canary’s take on the matter, I will be a happy man.

Of course, the only sensible answer to the question is “It doesn’t matter“. But let’s ignore that obvious fact in favour of the following.

First, if Virgin Trains released unpixelated images of other passengers, this would be a breach of the first Data Protection principle on the basis that it would be unfair. There is no legitimate interest in doing so, and it is plainly unfair to publish images of ordinary passengers minding their own business. There is NO CHANCE ON EARTH than the Information Commissioner will take any action against Virgin for this as there is no harm to the passengers concerned, and harm is a vital threshold for any enforcement action. Individual passengers could sue, but again, they would have to demonstrate at least distress. I went from London to Edinburgh on Virgin East Coast once so I have some sympathy with this argument.

Of course, nobody would give a toss about this if it were not for the perceived slight to JC, so let’s get to that.

The first Data Protection principle requires that personal data should be processed fairly, lawfully and according to a set of conditions. Virgin’s disclosure must clear all three hurdles.

Fair – in the general sense of the word, I believe that the processing of Corbyn’s data was fair. Presumably without the company’s consent, Corbyn filmed a publicity stunt about the state of their trains. Even if the content was true, I believe Corbyn opened the door for Virgin to reply about the state of the train that Corbyn was on. Fairness does have a separate, specific meaning, which requires the organisation to tell the Data Subject who they are, what purposes the data is being used for, and anything else necessary to make the processing fair.

I can’t find the privacy notice for Virgin Trains East (if it’s not on the trains, that’s a breach), but Virgin Trains West Coast has a detailed policy on its website that includes improving customer service, monitoring operational incidents and verifying claims. If something similar is on the East Coast trains, I don’t think Corbyn has much room for complaint. I think that responding to an unauthorised publicity stunt on one of their trains is probably compatible with verifying claims and monitoring operational incidents. And besides, the Information Commissioner’s Office has invented and long tolerated a notion of ‘reasonable expectations’ – that you can do anything with personal data that the person would reasonably expect you to do. If Corbyn didn’t expect Virgin to look at their CCTV to verify his claim that the train was ‘ram-packed‘ (or even ‘rammed’ or ‘jam-packed’), he’s an idiot.

There is the nugget of an issue here – the public perception of CCTV is that it is used solely as a means of detecting and investigating crime. It isn’t – it’s used for a variety of civil, disciplinary and publicity purposes and there’s nothing in the Data Protection Act to prevent this. However, companies like the West and East Virgins tend to stress security and crime over all things when dealing with CCTV, and this creates an expectation of its own. Everything depends on the information available on the train that JC travelled on.

There is one exemption that might come to Virgin’s aid – Section 32 renders all of the First Principle void (and most of the others) if a disclosure is made for ‘journalistic purposes’ and the public interest in publication is incompatible with compliance with the principles. The language is important – one does not need to be a journalist, only to be processing for the purposes of journalism. This opens the door to widespread and enthusiastic flouting of DPA by all sorts of corporate interests, but I find it hard to dismiss the possibility altogether.

Lawful – I believe that the disclosure was lawful. A train is not a private place (except in the toilets and this probably not the time for me to raise the urban myth about CCTV in train toilets), and Corbyn’s personal data in this context is not confidential or private. I can see no other law that disclosing this data would breach, so I think they’re in the clear.

Condition – Schedule 6(2) of the Data Protection Act states that data can be processed (in this context, disclosed) if it is necessary for the purposes of a legitimate interest, as long as the processing does not prejudice the rights, freedoms or legitimate interests of the subject. Corbin made a claim about the conditions he found on a particular train – I believe that Virgin unquestionably have a legitimate interest in disclosing Corbyn’s personal data in order to comment on the accuracy of his claim. If Virgin released images of Corbyn unprompted, legitimate interests are out of the window. But Corbyn started the ball rolling, and I cannot see how the use of overt CCTV for this purpose prejudices his interests. Of course, if the images were used in a misleading way, again, legitimate interests is dead, but frankly, that’s a much bigger problem.

Other conditions might be engaged but unless Virgin have actively defamed Corbyn by photoshopping them to look like the train had seats when it didn’t (which is what I presume The Canary’s take is), I believe that the use of images was adequate, relevant, and not excessive (principle 3), and accurate (principle 4). One might question how long the images have been retained for (principle 5), but there is no statutory time period – Virgin simply have to justify that the retention period matches the purposes outlined under the first principle.

At its absolute worst, the release of Corbyn’s images might be unfair if the privacy notices on the train do not reasonably envisage the possibility of something like this happening. If Mr Corbyn was damaged in some way by this, the seriousness of the breach is increased, but not by much. It would be unlawful, but I see no public interest in taking action. Politics is a dirty business. Corbyn’s party breaches Data Protection all the time, so if he wants to take this up, he should do some digging in his own backyard.

And reserve a bloody seat next time.

UPDATE (24/8/16): The Information Commissioner has stated that they are “making enquiries” into Virgin’s disclosure of the CCTV images. The two possible enforcement routes available are a monetary penalty or an enforcement notice. The penalty requires the ICO to establish that there has been a serious breach of the Data Protection Act, likely to cause substantial damage or distress, and the data controller (Virgin Trains East Coast) either deliberately set out to breach the DPA, or knew (or ought to have known) that the breach would occur, and that the damage / distress would follow as a consequence. If you think that this incident meets that threshold, would you be interested in buying a used car?

The alternative is an enforcement notice. The enforcement notice can only apply if there is an ongoing breach that the data controller cannot or will not remedy. In other words, if Virgin promised never to disclose CCTV for publicity purposes again, it would be very difficult for the ICO to issue an enforcement notice. It would be disproportionate to take such significant action if it was clear that Virgin would not do the same thing again.

All this may be disappointing to those who wish to see Virgin, and its bearded figurehead, chastised for their assault on the integrity of JC, but this is not a serious breach. The NHS ignored opt-outs from the sharing of medical data for thousands of people over a prolonged period of time, and the worst that happened is that they were asked to sign an undertaking (an unenforceable public promise to behave better) at a time which best suited them in publicity terms. If you think that embarrassing Corbyn is worse than that, you ought to be ashamed of yourself.

The one good thing is that I don’t think the Labour Leader of Stockport Council, who moonlights as a Group Manager at the ICO, will end up dealing with the case. But who knows?

Caesar’s Wife

In May 2016, the Labour member for Heatons North, Alex Ganotis, became Leader of Stockport Council, having been a councillor for some years. A month or so later, I read a story mentioning him in the Manchester Evening News, and his name rang a bell. Alex Ganotis is also a Group Manager at the Information Commissioner’s Office – I know this because he has signed hundreds of FOI Decision Notices on behalf of the Commissioner.

I made an FOI request to the ICO to find out more about Mr Ganotis’ role – in particular, I wanted to know how likely it was that a professional politician might be involved in complaints to the ICO involving political parties or local government. If Mr Ganotis worked on financial services or health, for example, he would need to maintain a high degree of professionalism and neutrality, but there would be no immediate conflict of interest. So I asked the ICO what team he manages. The answer:

Mr Ganotis manages a team of staff who deal with complaints and concerns about councils and political parties

I had to read this several times before I could take it in.

The ICO’s Policy on party political activities is helpfully published on its website. It makes reassuring reading:

The ICO is an independent body and it is important for it to be free from party political bias, and to be clearly seen and acknowledged as being free from such bias……. It is of paramount importance that the ICO is acknowledged as being free from party political bias and influence. The work that we do can often be of a politically sensitive nature and any substantiated allegations of bias would have serious repercussions for the future of the ICO.

The policy sets out a process through which an ICO employee can gain approval for party political activities. I asked when Ganotis went through this process, and the ICO revealed that he was approved in October 2008, which means that his dual ICO / councillor role went on for nearly eight years before he became Leader – he did not seek re-approval when he became Leader, so it seems that the ICO has not reassessed his role now he is a council leader, nor has he asked for this to happen.

I asked for recorded information about the approval process for his role. The ICO has nothing. I asked for any recorded information about measures taken to ensure, in the Policy’s words, that ‘potential for conflicts of interest’ have been minimised with regard to Mr Ganotis’ role. Nothing is held. The ICO added “Mr Ganotis’ line manager and his peers are responsible for assigning decision notices and make a judgement on a case-by-case basis as to what he is assigned, taking into account whether individual cases could pose a potential conflict of interest.” There are no formal arrangements, no written criteria or parameters, nothing to measure or audit against. The ICO enthusiastically fines organisations hundreds of thousands of pounds for failing to maintain properly documented processes, but in the case of having a professional politician managing a team that deals with hundreds of complaints about political parties and councils, the ICO itself sees no need for rigour. Trust whoever decided that this is OK, Wilmslow says, because we have nothing else to offer.

Mr Ganotis is a Group Manager, answering to a Head of Department, but the ICO’s response makes clear that the former Information Commissioner himself, Richard Thomas, approved of the arrangement: “the Commissioner at that time was made aware of his standing and subsequent election“. When I wrote this blog originally, I assumed it was Christopher Graham who was Commissioner, but he did not take over until 2009. ICO trivia fans may remember that Graham was himself once a councillor (for the Liberal Party) and a twice-unsuccessful parliamentary candidate – one wonders if he knew about Ganotis’ status, and if he did not, why nobody told him.

Anyone who has political beliefs or leanings and works in local or central government knows the awkward but vital requirement to set those beliefs aside and act neutrally in the public interest. As a Labour voter in every election since 1992, I have done it myself. It is not easy, but you don’t need to be a saint to achieve it. I cast no doubt on Mr Ganotis’ personal integrity, or ability to do the same. But anyone who thinks that’s the point just needs to Google the title of this blog.

Mr Ganotis has signed hundreds of FOI decision notices on behalf of the Information Commissioner, exercising the Commissioner’s statutory powers. Those notices include  councils across the UK, and government departments run by ministers who, in his other role, Mr Ganotis publicly opposes, and he has been doing so for years. The ICO disclosed to me a spreadsheet of the cases that Ganotis’ team has dealt with since January 2014 (records before that are routinely destroyed). A quick glance at the organisations concerned give a flavour of the issues that pass across the team’s desk in just one month. In July 2016, I can see the Labour Party (8 times), Momentum, Saving Labour, and Progress. It is hard to imagine any team would be more steeped in politics and arguments about political activity than this one, and the (former) Information Commissioner decided that a professional politician was the right person to manage it.

Over the past few years, the Labour Party has carried out its obnoxious and unfair purge, struggled with allegations of member data misuse on all sides (Corbyn, Momentum and Owen Smith), and demonstrated the traditional party blindness to PECR. I have myself blogged sorrowfully but repeatedly about Labour’s Data Protection and privacy woes for several years. In all of that time, only David Lammy’s doomed automated calls have faced any enforcement action (and he wasn’t even an official Labour candidate in the election concerned). To be clear, I have no evidence of any influence being brought to bear on this. But, as the ICO’s own policy states explicitly, “the organisation does seek to ensure that the potential for conflicts of interest is minimised as is the possibility of the ICO being accused of being politically biased“. In this, Mr Ganotis, his line manager and the former Commissioner have failed, and failed spectacularly. How can anyone in politics have confidence in the ICO’s decisions?

Any FOI decision notice involving a council or a government department signed by Mr Ganotis could be tainted, and there are hundreds of them. The ICO’s failure to take action against the Labour Party for a consistently terrible approach to Data Protection and privacy issues is no longer just over-caution, but potentially something far more objectionable. Every case Mr Ganotis has been involved in could be perfect, but the ICO cannot guarantee this with a straight face; their own policy recognises the problem of perception, but their practice is blind to it. They could have moved Ganotis at any point since 2008 to another job of equal standing, and the problem would have evaporated. He is still in place.

That Mr Ganotis could not see that continuing to manage a team responsible for complaints about political parties and councils was incompatible with his role first as councillor and then as Council Leader raises a question about his judgement. That the ICO’s management was either unwilling or incapable of identifying and remedying the potential conflict of interest is a matter of serious public concern.

I have spent a decade and a half criticising, satirising and annoying the ICO in the hope that for no other reason than to spite me, they will become a more effective, more enthusiastic regulator of Data Protection. But this is too much. This is a genuine failure of governance. It could pollute a host of formal decisions (and indecisions) stretching back for years. It has to be dealt with.

I don’t understand how Mr Ganotis could ever sensibly manage the team responsible for political parties and enjoy the confidence of the public. Richard Thomas and Chris Graham should have stopped it, and I hope that the new Commissioner will ask questions about how her managers and Human Resources team could allow such a shocking situation to occur. But if all this isn’t put right, if this bizarre conflict of interest continues acknowledged but unaddressed, we should all look very closely at every decision that emerges from Wilmslow with a more sceptical eye than even I thought possible.