Not now, Brian, we’re busy

Imagine that you are employed by a mobile phone network. Somebody working for a claims management firm approaches you, offering a large sum of money to steal the customer database, especially the mobile numbers. They want to send PPI claim text messages to all of the people on the list. You download the customer data, sell it, and pocket the proceeds. Having got it, you decide to sell the list to a rival mobile company. You put the information on a disc, and flog it on eBay. The people who send the PPI texts could receive a Civil Monetary Penalty of up to £500,000 as they do not have consent. But even if you are caught and prosecuted, the worst that can happen is to the thief is a maximum £5000 fine. The offence is not recordable, so you will not end up with a criminal record. The chances of being caught are slim, but the deterrent is even smaller.

Imagine if the government had long ago realised that the fines were not enough, and had taken the trouble to amend the law to punish white-collar data thieves with up to two years in jail. But around the time the law was being changed, the Prime Minister of the day met with representatives of a special interest group. Despite the fact that the new punishment was not intended to affect this group and detailed measures had been taken to protect them, the lobbyists were not satisfied, and they demanded that the prison sentence be held back. Even though the chances of their industry being affected by the change were very small, they could not accept even the slightest possibility that any one of their number could even face the possibility of a night in a cell.

If anyone else had held the country to ransom and prevented changes to a law that were entirely in the public interest, the press would be up in arms, pointing the finger with relish. If unions, lawyers, doctors or social workers – indeed, any regulated profession or group – expected crimes to have puny, worthless punishments just in case one of their own was imperilled, the Daily Mail would shout their condemnation from the highest rooftop.

And yet, we have to swallow special pleading from journalists in the name of press freedom, and live with a rampant black market in personal data as a consequence. The Information Commissioner is obviously desperate to tackle it, but the results in court are often ludicrous. The man who received stolen medical data from his girlfriend to use for personal injury claims was fined £1050. He memorably boasted after the verdict We’re going to Bella Italia after this and I’m having a fillet steak. A bank worker stole information from her employer about the victim of a sex attack committed by her husband. Her punishment was an £800 fine. Whatever you think about the publication of the BNP member address list, a fine of £200 for endangering life (and probably risking mass misidentification) is almost satire.

This is what any journalist who attacks the data theft prison sentence expects us all to tolerate for their safety. Gone is ‘publish and be damned’, to be replaced with ‘publish and be insulated from the consequences’. A number of Parliamentary committees have called for the sentence to be enabled, and the Information Commissioner himself is excoriating about a system where the punishments for data theft are so derisory. In the recent past, the constant refrain from Government has been wait for Leveson. We cannot pre-empt Leveson.

And now, Leveson has spoken, and regardless of what you think about the doomed suggestion of statutory underpinning and regulation, the data theft issue is very simple. Leveson argues for the prison sentence to be made live. When passed, the Data Protection Act contained a public interest defence for those accused of stealing data or procuring stolen data. When the last Labour Government recognised the failure of the current system and sought to introduce the prison sentence, they also amended the DPA further, making clear that all a journalist needs is a ‘reasonable belief’ that they are acting in the public interest to escape prosecution. Even though the prison sentence was not brought into force, this additional defence was.

At this point, before saying something contentious, the sensible writer includes a few sentences about how important they think press freedom and journalistic endeavour are. The secret hope of every blogger is probably that their sublime writing will catch the eye of a sympathetic editor and they will be catapulted from the amateur sphere and be given a weekly column, or at least a spot of freelance at the Guardian. Biting that hand that hasn’t even picked up the food is surely blogger suicide. But I can’t be arsed. I honestly don’t want to live in a country where journalists get locked up for doing good work, but I think I live in a country where newspapers can get mixed up in axe murders with impunity, so I doubt that Fleet Street will crumble if I fail to invoke the spirit of Voltaire before suggesting something that hacks might see as a check on their activities. They have David Cameron, Michael Gove and Boris Johnson and that’s all they need.

Besides, I come to exempt journalists, not to bury them. I think that the only solution to the data theft problem is to remove journalists from the equation. Lord Justice Leveson proposes significant amendments to the S32 exemption from DPA, which currently allows those processing personal data for journalistic, artistic and literary purposes to escape virtually all of the Data Protection principles as long as this is ‘necessary’. I think Sir Brian’s ideas don’t address the bigger picture, and should be binned. The press will never support any infringement of their liberties, whatever the justification, and some papers will monster anyone who supports such a plan. Meanwhile, the possibility of a prison sentence is likely to have a much better deterrent effect on office workers, nurses and cops tempted to steal or suborn others to steal personal data than a paltry fine and no record. If newspapers feel that they face this threat too, scaremongering about investigative journalists (rather than phone hackers and dumpster divers) ending up behind bars for speaking truth to power (rather than figuratively or actually smelling celebrity knickers) will continue its harmful knock-on effect.

S28 of the Data Protection Act gives those using personal data for the purposes of national security a total exemption from its requirements. Rather than continue to have the debate on data theft railroaded by a sideshow that is becoming increasingly sanctimonious, let’s extend that approach to journalists. Give them a ‘get out of jail free card’ and stop our personal data from being plundered everywhere else.

Carry On Motorman

My next blog post was supposed to be something a bit different, but I’m waiting for someone to respond to a complaint I’ve made before completing it. In the meantime, all I have is more Motorman ICO material. The muddle over the legal advice I wanted that they didn’t have and the legal advice they did have that they thought I didn’t want (and it turns out, could only have a bit of) is now parked in the ICO’s FOI complaints queue. I doubt there will be any appetite to expedite it, but I can wait.

But this week, a few more morsels bobbed to the surface. Thanks to the Independent, we know that in September 2011, the Information Commissioner personally reported Alec Owens, the ICO former investigator, to the police over the fact that he had copies of the Operation Motorman files. Owens had just made embarrassingly plausible allegations in the Independent that the ICO didn’t have the stomach to take on the press when they discovered the extent of blagging and hacking, and I don’t need to make a snide insinuation about the IC’s motives for shopping Owens, because Paul Farrelly MP has already put the boot in:

The knock on the door from police can only be interpreted as a counter-productive, cack-handed attempt to put the frighteners on before testimony in the public interest to the Leveson inquiry … Given [the committee’s] unsatisfactory experience with the ICO, nothing, frankly, would surprise me, but using the police in this way is a total misuse of resources and power

After the reports of the raid on Owens’ house, I made an FOI request to the Commissioner to find out more. Back then, it wasn’t clear who had dobbed Owens in, though the ICO seemed the obvious candidate.

This is some of what I asked for:

1)               The story [ about the raid on Owens’ house ] states that police were acting on “information received”. Did this information come from the Information Commissioner’s Office?

The first FOI response refused to confirm or deny any on the basis of the S40 Data Protection exemption. I don’t know whether it was Owens’ or (it turns out) Chris Graham’s data that was being protected, but I didn’t understand the response, so I asked for an internal review. Graham Smith, Deputy Commissioner, responded to my internal review last month, and he managed to make things worse. Smith’s response included this:

Technically I think the refusal on the grounds stated was correct. It may also have been strictly accurate to say that the ICO did not hold recorded information which answered your question.

Nevertheless, reviewing the situation now and in the light of information which has since come into the public domain, I can now answer your question by saying that in relation to matters referred to in the newspaper article, the police were acting on information which came from the ICO.

So on January 17th 2012, the ICO’s position was that when I originally asked about this in November 2011, they should have said that they had no recorded information about whether the ICO tipped off the police. However, Chris Graham confirmed in a letter to the Independent that he reported Owens to the Police in September 2011. For the ‘no info’ story to be true, Chris Graham would need to have acted in a personal capacity or alternatively dialled 999 and wrote nothing down. Is it entirely implausible to suggest that both the initial response and internal review were disingenuous i.e. neither respondent wanted to point the finger at the boss? Or that the first response was based on an inadequate search? Or am I just paranoid?

You can argue that Chris Graham was entitled to report Owens (his letter to the Independent certainly does), but that doesn’t explain the Alice in Wonderland FOI responses. It also doesn’t explain why he bothered to report Owens when one of the defences against a S55 offence is the public interest. As he said to the Independent, Owens believes he has such a defence, and his use of the Motorman evidence (however obtained) has been to raise issues of public concern. Even if you think Owens is motivated by a desire to stick it to his former employer (imagine that), it doesn’t take a genius to see that the case would go nowhere – and Cheshire Police have confirmed to the Indie that Alec Owens faces no further action.

I’ve got three problems now. This is the second time I have made an FOI request to the ICO, got an initially bewildering response which has been rendered even more bizarre when I asked for an internal review. The evidence of What Do They Know and anecdotes from other applicants suggest that the ICO’s approach to its own FOI requests is troubling. They cannot be a credible FOI regulator if their FOI practice is not on a par with the best of the public sector. The HSE cannot have its staff falling off ladders. I have trained quite a few organisations recently who do FOI with more clarity and understanding than the Commissioner’s Office, and the folk in Wilmslow should take a look in the mirror before writing any more preachy FOI press releases. Their new FOI guidance is really nice; I know they wrote it, but have they read it?

Second problem: one of the other questions I raised in my FOI was this:

What action is the Information Commissioner’s Office taking in response to this apparent breach of the Seventh Data Protection principle? Will the ICO’s own procedures be investigated?

The answer to that one was straightforward: “We can confirm that no recorded information is held.” In plain English, no. An employee apparently takes a huge amount of information – so huge that the ICO is currently and I imagine legitimately refusing to trawl through to satisfy hacking-obsessed MPs on the grounds of the massive effort it would require. The information includes the personal details of hundreds of innocent people. And yet, both as a responsible Data Controller and as the Data Protection Regulator, the Information Commissioner told me that they are not investigating the incident. Who cares if it was a historic event, just imagine what they would do if anyone else was guilty of such complacency? An NHS body on the South Coast is complaining about a proposed ICO civil monetary penalty that they think should be treated as a theft but the ICO is treating as 7th principle breach, so we know that the ICO is willing and able to distinguish between the two. Does Chris Graham believe other Data Controllers do not need to investigate breaches of this magnitude when they come to light because they’re historic? If so, he should say so openly.

And there’s my final problem. As an outsider, I think Operation Motorman looks like a diligent and through investigation undone by a failure of nerve on behalf of Richard Thomas and his Deputy. It is a matter of public record that both men dispute this, but Thomas’ own Leveson testimony convinced me that he didn’t want to go after Fleet Street. But this isn’t Christopher Graham’s problem. He has to deal with phone hacking and its repercussions now and he should be allowed to protect current ICO staff who were around at the time from unfair criticism. The ICO has sometimes looked like a proxy for politicians and journalists to monster because they can only get hold of members of the Murdoch family occasionally. And to be fair, the current holier-than-thou attitude of some MPs is sick-making when you consider that nothing that the Motorman-era Commissioner’s Office could have done would have had the same effect as political leaders of all persuasions not acting like Rupert Murdoch’s handmaidens.

However, the current Commissioner should not let his predecessor’s decisions (or lack of them) become an albatross around his neck. To ask for Owens to be investigated without finding out how he could have taken the data looks like spiteful doublethink. The inelegant and defensive FOI responses I’ve received only make matters worse. We need a bit of truth and reconciliation here, but the truth should come first. The previous Commissioner dropped the ball after Motorman. Alec Owens is entitled to be treated as a whistle-blower, not a criminal. If it was a crime for him to have those records, he’s got a defence and it was surely a breach of the Seventh Data Protection principle for them to be accessible. The ICO should be allowed to move forward but only if they stop pretending that they haven’t put a foot wrong, and only if they show that as a public authority and data controller, they can walk the walk as well as talk the talk. Until that happens, annoying bloggers like me will be the least of their problems.

Today’s post is brought to you by the letters I, C and O

Previously on the 2040 Information Law Blog…
Last September, a former Investigator from the Information Commissioner’s office (subsequently identified as Alec Owens) gave an interview to the Independent, in which he condemned his erstwhile employer for bottling the decision to prosecute journalists who had employed the private investigator Steve Whittamore. The Deputy Information Commissioner, David Smith, refuted Owens’ claims, stating that the ICO received legal advice that the journalists could not successfully be prosecuted. I requested the advice, and the ICO’s response was that it was not held. Shortly after, the ICO supplied legal advice – which included a consideration of issues around prosecuting journalists – to the Leveson enquiry. I asked for an internal review because, to paraphrase, they appeared to be taking the piss.
And now…
Before I continue, gentle reader, let us dally for a moment with a document called ‘Not what we do, but how we do it’. You can find it here, and it describes the values by which all ICO staff should do their job. I’ve mentioned it before, but I don’t think it’s as widely known as it deserves to be. Ernest Hemingway said that every writer needs a built-in bullshit detector. I read page 8 of this document, and my detector nearly gave me a hernia. The Information Commissioner’s Office is supposed to be a ‘model of best practice’. ICO Staff are exhorted not to “ask others to do what we are not prepared to do ourselves”. The ICO expects to be judged by high standards. Please keep this in mind as we proceed.

Last Friday, slightly later than advertised, I received my review response from the other Deputy Commissioner, Mr Graham Smith. Graham was my boss once, but if he recalls what a [expletive deleted] I was at the time, he shows no sign of it.

The apparent contradiction is explained. The advice I asked for, the one David Smith cited, has been disposed of. Graham offers me no explanation why. The explanation of why it was highlighted in the Independent is that David Smith used ‘What Price Privacy’ as a guide for what the advice said. The ICO is not obliged to adopt permanent contextualisation, but Smith’s statement would carry less weight had he said “According to ‘What Price Privacy’, we got some advice that we didn’t keep”. None of this makes the ICO’s statement to the Independent untrue. But I wasn’t convinced by that statement in the first place, hence my FOI request. Take a wild stab in the dark about what I think now.

So what about the other advice, the one supplied to Leveson? Even though he thinks it was irrelevant to my original request, Graham gave me the section of it mentioning journalists, with the other seven pages of advice redacted into inky blackness. Needless to say, the disclosed section isn’t a smoking gun that greenlights a smackdown on hacks, but riddle me this: the advice I received says “I understand that policy considerations have led to the view that enforcement of some sort, rather than prosecution is the way forward”. He even asks for the reasoning not to prosecute. So why did the second lawyer engaged by the ICO think it was a policy matter, when statements given to the Independent cite legal issues based on the first advice?

According to the internal review, the initial search identified this second piece of legal advice. My request clearly was for the advice that David Smith quoted in his statement to the Independent. So if you want to be bloody-minded (and when I was an FOI officer, bloody-minded was my middle name), the fact that the ICO identified advice about prosecuting journalists implicated in Operation Motorman during a search for advice about prosecuting journalists implicated in Operation Motorman is irrelevant, because it wasn’t the advice about prosecuting journalists implicated in Operation Motorman I had asked for. But given what this second piece of advice says, I think I can be forgiven for being cynical about why I didn’t get it.

Moreover, the initial FOI response says this: “In response to your request, we do not hold recorded information in relation to this request. We do not hold a written legal advice in relation to the decision not to prosecute the journalists involved in Operation Motorman.” (in other words, they don’t say ‘the legal advice you asked for’). If Graham Smith’s internal review is correct, the initial response was not. This should be of concern to the ICO and everyone they regulate, even if the only problem is that the initial response was imperfectly expressed.

Nobody can ask for an FOI search to include things that the punter hasn’t asked for; my point is that this search turned up something of clear, direct relevance to my request. It seems eccentric to the point of obfuscation not to mention it to me. Friends, my advice is to be as helpful as is practical because (a) that’s clearly in the spirit of the legislation and (b) it’ll almost certainly save you work in the long run. But I wouldn’t advise you to ask for clarification after 14 working days and then start the clock from then, and the ICO did that to me as well. The ICO seems to think that you can take a totally unimaginative reading of the request and ignore anything else, no matter how relevant it might be.

And here’s another thing. The ICO, like all public authorities, is under a duty to provide applicants with advice and assistance. In Graham Smith’s view, the ICO was under no obligation to advise or assist me by telling me even though what I had asked for was no longer held, a closely related document had been found. And no advice or assistance was required to explain where the advice I asked for has gone. The internal review did not accept any requirement to provide advice and assistance about anything.

So what’s my point? Well, I have two of them. Alec Owens accused the ICO of lacking the guts to take on Fleet Street. I believe him now. In another FOI internal review, Graham Smith confirmed to me that the police raid on Owen’s home shortly before his Leveson appearance followed a tipoff from someone at the ICO. Make of that what you will, but Owens’ allegations back up the fact that the ICO has a flimsy track record with big targets: the secret Phorm trials involving BT and the Wi-Fi scraping that Google originally said hadn’t happened are two good examples (if you think an undertaking counts, you’re reading the wrong blog). Even the current wave of fines – for which the ICO deserves credit – is directed only at self-reported public sector targets that largely won’t fight back. Until the ICO fines a big bank or utility company for a DPA breach, or issues an FOI enforcement notice to a central Government department, I see a credibility gap. I don’t believe that the only DP and FOI villains in the UK are Councils, NHS Trusts and similarly local organisations, but only they have anything to fear from the Commissioner right now.

And the other point? I think the ICO’s handling of its own FOI requests needs attention. The first response to my advice request was inadequate and possibly inaccurate – the lack of advice and assistance was abysmal. A glance at the last couple of months of What do they know shows that the ICO has refused to admit which of its senior officers have had training and coaching and which hold its own chosen DP qualification (both overturned on appeal). An applicant asked directly whether the ICO had accidentally disclosed information, and the answer managed to evade the key question almost completely. And just this week, they released a heavily edited version of their security incident log with two entries completely obscured. You can imagine the scorn if this litany of clodhopping decisions were in the ICO’s sights, rather than being made in their building.

The Information Commissioner’s Office can’t have it both ways – either they are a model of best practice (in which case, act like it), or they’re just another FOI public authority (in which case, cut the propaganda). Right now, if “it’s not what we do but how we do it”, then ‘we’ ought to be thoroughly ashamed of ourselves.  

We can’t take them on, they’re too big for us

I watched Richard Thomas’ appearance at the Leveson Inquiry this time list week in sub-optimal conditions. Having arranged a £1000 car repair on the same morning as a dentist appointment, I was wiling away the time using the free WiFi at a Wetherspoons, surrounded by grim-faced men who see 9am as Guinness O’Clock. Normally, I like a drink as much as the next man, but when the next man sinks three pints before Lorraine Kelly has left the building, even I feel like an amateur. Not even the absurd £4.00 breakfast and cheaper-than-Starbucks tea cheered me up. Even so, Thomas’s performance (if that’s the right word) was the most depressing spectacle I have seen since the last time James Murdoch stared through his Joke Shop specs and denied he knew that the News of the World existed.

To paraphrase, Thomas’ case is that the legal advice he received contained a clear message that pursuing rogue journalists would be too costly and / or difficult. But his view on whether the ICO should have done so – despite insisting that he did not develop a policy of leaving them be – is as follows:
I have to say, and maybe this is with hindsight, but perhaps thank goodness we did not prosecute the journalists. The impact for the office would have been very, very demanding indeed. I don’t know when this was or at what point this was, but probably around about 2007, I can recall a conversation along the lines of somebody saying, “Thank God we didn’t take the journalists to court. They’d have gone all the way to Strasbourg.” In other words, they would have challenged any action we would have taken, we would have gone right to Strasbourg, the Court of Human Rights, Article issues coming in.
Mr Thomas was keen to refute former investigator Alec Owens’ claim that his deputy, Francis Aldhouse, said “We can’t take them [the press] on, they’re too big for us.” Neither Thomas or Aldhouse remembered this statement being uttered (equally neither stated for certain that it had not been said). However, how else might one fairly paraphrase that big quote above? Isn’t “We can’t take them on, they’re too big for us” a pretty fair summary of Thomas’s position? Thomas went to the Press Complaints Commission and asked them to deal with it. The ICO reported diligently to Parliament and asked them to deal with it. Under Richard Thomas’ Information Commissioner’s Office did not take the rogue journalists on directly.
Regardless of whether Owens’ account of what Francis Aldhouse said is accurate or not, it encapsulates a truth about Thomas’ approach to taking action on press misbehaviour. Incidentally, Thomas’ ungallant efforts to bring personal data about Owens’ disciplinary record and unhappy departure into both his witness statements and his evidence doesn’t in itself make the ex-cop’s forthright testimony untrue. One can only assume he had a Data Protection justification for using the data in this way. Fundamentally, those of us who weren’t in the room have to listen to the testimony of the three men, and decide whom we find more convincing.
Enforcement action should not only be taken against data controllers who lack the inclination or resources to push back – the mighty are not looking on with despair at the current run of fines against local councils. Even the admirable and valuable Consulting Association case had at its centre one man running a wholly indefensible and surreptitious blacklist; the construction companies who used it were collateral damage. Richard Thomas went to Leveson last week and said “thank goodness” that he didn’t go after a sector that would have fought him. Instead, he set out his belief that the ICO should primarily exist to promote good practice.
That’s just not enough for a small number of data controllers. The phone hacking scandal shows that commercial imperatives can sometimes trump not only the law, but also basic morality. If you want evidence for this, look no further than Kelvin McKenzie (, who wants an apology for Rupert Murdoch because although the NOTW hacked into a murdered girl’s phone messages, they may not have deleted them. Most organisations, in every sector, will follow good practice. Some will need a hand, and others will need a nudge. A few will need a kick. I’ve previously blogged that we probably don’t want a Commissioner who tilts at every windmill; watching Thomas’ rather hesitant, diffident evidence, we equally don’t want someone so relieved he didn’t do something so important.