My next blog post was supposed to be something a bit different, but I’m waiting for someone to respond to a complaint I’ve made before completing it. In the meantime, all I have is more Motorman ICO material. The muddle over the legal advice I wanted that they didn’t have and the legal advice they did have that they thought I didn’t want (and it turns out, could only have a bit of) is now parked in the ICO’s FOI complaints queue. I doubt there will be any appetite to expedite it, but I can wait.
But this week, a few more morsels bobbed to the surface. Thanks to the Independent, we know that in September 2011, the Information Commissioner personally reported Alec Owens, the ICO former investigator, to the police over the fact that he had copies of the Operation Motorman files. Owens had just made embarrassingly plausible allegations in the Independent that the ICO didn’t have the stomach to take on the press when they discovered the extent of blagging and hacking, and I don’t need to make a snide insinuation about the IC’s motives for shopping Owens, because Paul Farrelly MP has already put the boot in:
“The knock on the door from police can only be interpreted as a counter-productive, cack-handed attempt to put the frighteners on before testimony in the public interest to the Leveson inquiry … Given [the committee’s] unsatisfactory experience with the ICO, nothing, frankly, would surprise me, but using the police in this way is a total misuse of resources and power”
After the reports of the raid on Owens’ house, I made an FOI request to the Commissioner to find out more. Back then, it wasn’t clear who had dobbed Owens in, though the ICO seemed the obvious candidate.
This is some of what I asked for:
1) The story [ about the raid on Owens’ house ] states that police were acting on “information received”. Did this information come from the Information Commissioner’s Office?
The first FOI response refused to confirm or deny any on the basis of the S40 Data Protection exemption. I don’t know whether it was Owens’ or (it turns out) Chris Graham’s data that was being protected, but I didn’t understand the response, so I asked for an internal review. Graham Smith, Deputy Commissioner, responded to my internal review last month, and he managed to make things worse. Smith’s response included this:
“Technically I think the refusal on the grounds stated was correct. It may also have been strictly accurate to say that the ICO did not hold recorded information which answered your question.
Nevertheless, reviewing the situation now and in the light of information which has since come into the public domain, I can now answer your question by saying that in relation to matters referred to in the newspaper article, the police were acting on information which came from the ICO.”
So on January 17th 2012, the ICO’s position was that when I originally asked about this in November 2011, they should have said that they had no recorded information about whether the ICO tipped off the police. However, Chris Graham confirmed in a letter to the Independent that he reported Owens to the Police in September 2011. For the ‘no info’ story to be true, Chris Graham would need to have acted in a personal capacity or alternatively dialled 999 and wrote nothing down. Is it entirely implausible to suggest that both the initial response and internal review were disingenuous i.e. neither respondent wanted to point the finger at the boss? Or that the first response was based on an inadequate search? Or am I just paranoid?
You can argue that Chris Graham was entitled to report Owens (his letter to the Independent certainly does), but that doesn’t explain the Alice in Wonderland FOI responses. It also doesn’t explain why he bothered to report Owens when one of the defences against a S55 offence is the public interest. As he said to the Independent, Owens believes he has such a defence, and his use of the Motorman evidence (however obtained) has been to raise issues of public concern. Even if you think Owens is motivated by a desire to stick it to his former employer (imagine that), it doesn’t take a genius to see that the case would go nowhere – and Cheshire Police have confirmed to the Indie that Alec Owens faces no further action.
I’ve got three problems now. This is the second time I have made an FOI request to the ICO, got an initially bewildering response which has been rendered even more bizarre when I asked for an internal review. The evidence of What Do They Know and anecdotes from other applicants suggest that the ICO’s approach to its own FOI requests is troubling. They cannot be a credible FOI regulator if their FOI practice is not on a par with the best of the public sector. The HSE cannot have its staff falling off ladders. I have trained quite a few organisations recently who do FOI with more clarity and understanding than the Commissioner’s Office, and the folk in Wilmslow should take a look in the mirror before writing any more preachy FOI press releases. Their new FOI guidance is really nice; I know they wrote it, but have they read it?
Second problem: one of the other questions I raised in my FOI was this:
What action is the Information Commissioner’s Office taking in response to this apparent breach of the Seventh Data Protection principle? Will the ICO’s own procedures be investigated?
The answer to that one was straightforward: “We can confirm that no recorded information is held.” In plain English, no. An employee apparently takes a huge amount of information – so huge that the ICO is currently and I imagine legitimately refusing to trawl through to satisfy hacking-obsessed MPs on the grounds of the massive effort it would require. The information includes the personal details of hundreds of innocent people. And yet, both as a responsible Data Controller and as the Data Protection Regulator, the Information Commissioner told me that they are not investigating the incident. Who cares if it was a historic event, just imagine what they would do if anyone else was guilty of such complacency? An NHS body on the South Coast is complaining about a proposed ICO civil monetary penalty that they think should be treated as a theft but the ICO is treating as 7th principle breach, so we know that the ICO is willing and able to distinguish between the two. Does Chris Graham believe other Data Controllers do not need to investigate breaches of this magnitude when they come to light because they’re historic? If so, he should say so openly.
And there’s my final problem. As an outsider, I think Operation Motorman looks like a diligent and through investigation undone by a failure of nerve on behalf of Richard Thomas and his Deputy. It is a matter of public record that both men dispute this, but Thomas’ own Leveson testimony convinced me that he didn’t want to go after Fleet Street. But this isn’t Christopher Graham’s problem. He has to deal with phone hacking and its repercussions now and he should be allowed to protect current ICO staff who were around at the time from unfair criticism. The ICO has sometimes looked like a proxy for politicians and journalists to monster because they can only get hold of members of the Murdoch family occasionally. And to be fair, the current holier-than-thou attitude of some MPs is sick-making when you consider that nothing that the Motorman-era Commissioner’s Office could have done would have had the same effect as political leaders of all persuasions not acting like Rupert Murdoch’s handmaidens.
However, the current Commissioner should not let his predecessor’s decisions (or lack of them) become an albatross around his neck. To ask for Owens to be investigated without finding out how he could have taken the data looks like spiteful doublethink. The inelegant and defensive FOI responses I’ve received only make matters worse. We need a bit of truth and reconciliation here, but the truth should come first. The previous Commissioner dropped the ball after Motorman. Alec Owens is entitled to be treated as a whistle-blower, not a criminal. If it was a crime for him to have those records, he’s got a defence and it was surely a breach of the Seventh Data Protection principle for them to be accessible. The ICO should be allowed to move forward but only if they stop pretending that they haven’t put a foot wrong, and only if they show that as a public authority and data controller, they can walk the walk as well as talk the talk. Until that happens, annoying bloggers like me will be the least of their problems.