Cop out

On May 3rd 2018, Elizabeth Denham appeared on Channel 4 News as part of her long running commitment to generating headlines. Denham’s track record on the programme is not great – it was on the same programme in March that she adopted the interesting tactic (uniquely, as far as I can see) of informing an organisation in public and in advance that she planned to apply for a warrant to raid them, losing what might be a useful element of surprise in order to look tough in front of Jon Snow.

In the more recent interview, the Commissioner claimed that she had the power to fine directors and had done so. I made an FOI request about this, and the ICO admitted that “we do not have the power to directly fine directors“, directly contradicting what Denham said. You can tell me that ICO has the power to go after directors in limited circumstances that can result in a court issuing a fine and that must be what she meant (ICO did) but that’s not good enough. The DP regulator went on the telly and claimed to have a power she doesn’t have – it’s surely part of Denham’s job to increase understanding of Data Protection, not to muddy the waters.

In the same interview, Denham cheerily announced that she saw herself as a Sheriff of the internet. Arguably, she should be a Mountie but let’s leave that to one side. I assumed that the statement was a throwaway, not a serious statement of how Denham sees herself and her office. I was wrong. There’s a pattern. In a fawning profile by the Observer’s Carole Cadwalladr a few weeks ago, the Commissioner delivered a soundbite that I suspect is intended to epitomise the Denham Era: “Data crimes are real crimes“. And in the recently leaked DCMS Committee report into Fake News, she was at it again:

For the public, we need to be able to understand why an individual sees a certain ad. Why does an individual see a message in their newsfeed that somebody else does not see? We are really the data cops here. We are doing a data audit to be able to understand and to pull back the curtain on the advertising model around political campaigning and election

I think the misleading impression being created here could attract the label ‘fake news’ just as much as any of the internet nonsense Denham and her fanbase are supposedly against. Data crimes are usually not real crimes, and in most cases, the ICO are not the cops. The GDPR doesn’t make anything a criminal offence, and the offences under the Data Protection Act 2018, like those in its predecessor the 1998 Act, are specific. It’s a criminal offence to take, procure or sell personal data without the permission of the data controller; it’s an offence to re-identify depersonalised data (in circumstances so tightly defined I doubt there will be a successful prosecution), and it can be an offence to oblige someone to make a subject access request. Admittedly, the DPA 2018 is stricter in this area – offences under the DPA 1998 were not recordable so you wouldn’t get a criminal record if you committed them, a position that is sensibly reversed in the new version.

However, in some circumstances, the DPA 2018 is less oriented towards offences than the  DPA 1998. A breach of an Enforcement or Information Notice is no longer subject to prosecution, being punishable by a penalty instead. That might result in stricter punishments, but that depends on Wilmslow showing a willingness to use the powers, and in any case, it’s not a criminal sanction. The much-vaunted criminal prosecution of SCL by the Commissioner over David Carroll’s subject access request is doomed in my opinion, but if it goes ahead, it will almost certainly be the last prosecution for a breach of a notice. None of the DP offences are punishable with prison, and for all Denham’s bluster about being a data cop, she never publicly applies the pressure for custodial sentences. For all his faults, her predecessor Christopher Graham never missed an opportunity to do so.

If Facebook willingly shared its customers personal data with Cambridge Analytica, it would not be a criminal offence. If they reused their customers’ data and sold it to list brokers, it would not be a criminal offence. As drafted, the ‘victim’ of most data protection offences would be the data controller, not the person whose data is misappropriated, sold or misused. Denham wants to conjure up images of cops and robbers, but she’s misleading the public. Who knows, maybe she doesn’t want people to realise that the only sanction for the majority of data transgressions are monetary penalty that she has the power to approve. Maybe she means ‘data crimes should be real crimes‘, but if that’s the case, that what she should say instead of giving the wrong impression.

There’s another problem. By setting herself up as the Internet Sheriff, Denham is creating expectations I don’t believe she’s prepared to meet. In all her public appearances, the Commissioner is clearly trying to mark out the internet and new technology as her manor. Supporters like Cadwalladr are only too happy to play along. The Observer piece contains a brief but devastating verdict on thirty or so years of ICO work and four previous Commissioners: “a somewhat dusty regulator dealing in a niche topic“. I’m the last person to defend the ICO, but this writes off Wilmslow’s endeavours on phone hacking, union blacklisting, the lost HMRC data disks and many DP and PECR fines which even I can’t deny have changed behaviour for the better in many sectors. I can’t say that Denham endorses this trashing of her predecessors’ efforts, but she hasn’t repudiated it either. What must her staff think of it?

Strip away the recent headlines for prosecutions and £500,000 fines that haven’t actually happened yet, and Denham’s record is hardly the Data Protection equivalent of Wyatt Earp taking on the Clantons. When dealing with the misuse of 1.6 million people’s data by the Royal Free Hospital and the AI company owned by Google (exactly the kind of tech territory we’re supposed to believe she wants to police), Denham’s ICO asked the Royal Free to sign an undertaking. There is no automatic sanction if they go back on it. Faced with multiple instances of charities profiling potential donors in secret (not a million miles away from the kind of surreptitious data gathering that attracts her current ire), Denham’s response was reportedly to cut the originally proposed fines, such that Oxfam was fined just £6000. Late in 2017, Sheriff Denham issued an enforcement notice against the Ministry of Justice over shameful and long-running subject access backlogs that doubtlessly affected many people in desperate legal circumstances. She gave them eight months to comply and sneaked the notice out on the last working day before Christmas without a press release.

You can tell me that the ICO has consistently issued monetary penalties on Denham’s watch but so did Graham, though the double whammy of £400,000 CMPs on both TalkTalk and Carphone Warehouse weigh against my argument to some extent. But beyond those, Denham has done nothing revolutionary or interesting in enforcement. There has been no action on accuracy or retention, and little on the vital first principle beyond the charity cases that were obviously started under Graham.

Outwardly, Denham seems poised and plausible. Fate has dealt her the biggest data protection story in a decade and some overly sympathetic press coverage, so maybe she’s right to milk it and build up her part. There’s no question that she has a higher public profile than any of the Commissioners who have gone before her, and I know a lot of people in the DP world who think that this is automatically a good thing. I’m not convinced. I think ‘data crimes are real crimes’ could become as unhelpful a distraction as the pervasive ‘GDPR = consent’ myth, and nothing about the past two years convinces me that Denham really has what it takes to round up the internet’s outlaws. As always, I will delighted to be proved wrong; some eyecatching monster scalps is what I have spent years of blogging asking for, and it will make my job easier for the next few years. But unless she really pulls out the big guns, the Commissioner’s legacy may be less Gunfight at the IT Corral, and more Denham’s Last Stand.


Not now, Brian, we’re busy

Imagine that you are employed by a mobile phone network. Somebody working for a claims management firm approaches you, offering a large sum of money to steal the customer database, especially the mobile numbers. They want to send PPI claim text messages to all of the people on the list. You download the customer data, sell it, and pocket the proceeds. Having got it, you decide to sell the list to a rival mobile company. You put the information on a disc, and flog it on eBay. The people who send the PPI texts could receive a Civil Monetary Penalty of up to £500,000 as they do not have consent. But even if you are caught and prosecuted, the worst that can happen is to the thief is a maximum £5000 fine. The offence is not recordable, so you will not end up with a criminal record. The chances of being caught are slim, but the deterrent is even smaller.

Imagine if the government had long ago realised that the fines were not enough, and had taken the trouble to amend the law to punish white-collar data thieves with up to two years in jail. But around the time the law was being changed, the Prime Minister of the day met with representatives of a special interest group. Despite the fact that the new punishment was not intended to affect this group and detailed measures had been taken to protect them, the lobbyists were not satisfied, and they demanded that the prison sentence be held back. Even though the chances of their industry being affected by the change were very small, they could not accept even the slightest possibility that any one of their number could even face the possibility of a night in a cell.

If anyone else had held the country to ransom and prevented changes to a law that were entirely in the public interest, the press would be up in arms, pointing the finger with relish. If unions, lawyers, doctors or social workers – indeed, any regulated profession or group – expected crimes to have puny, worthless punishments just in case one of their own was imperilled, the Daily Mail would shout their condemnation from the highest rooftop.

And yet, we have to swallow special pleading from journalists in the name of press freedom, and live with a rampant black market in personal data as a consequence. The Information Commissioner is obviously desperate to tackle it, but the results in court are often ludicrous. The man who received stolen medical data from his girlfriend to use for personal injury claims was fined £1050. He memorably boasted after the verdict We’re going to Bella Italia after this and I’m having a fillet steak. A bank worker stole information from her employer about the victim of a sex attack committed by her husband. Her punishment was an £800 fine. Whatever you think about the publication of the BNP member address list, a fine of £200 for endangering life (and probably risking mass misidentification) is almost satire.

This is what any journalist who attacks the data theft prison sentence expects us all to tolerate for their safety. Gone is ‘publish and be damned’, to be replaced with ‘publish and be insulated from the consequences’. A number of Parliamentary committees have called for the sentence to be enabled, and the Information Commissioner himself is excoriating about a system where the punishments for data theft are so derisory. In the recent past, the constant refrain from Government has been wait for Leveson. We cannot pre-empt Leveson.

And now, Leveson has spoken, and regardless of what you think about the doomed suggestion of statutory underpinning and regulation, the data theft issue is very simple. Leveson argues for the prison sentence to be made live. When passed, the Data Protection Act contained a public interest defence for those accused of stealing data or procuring stolen data. When the last Labour Government recognised the failure of the current system and sought to introduce the prison sentence, they also amended the DPA further, making clear that all a journalist needs is a ‘reasonable belief’ that they are acting in the public interest to escape prosecution. Even though the prison sentence was not brought into force, this additional defence was.

At this point, before saying something contentious, the sensible writer includes a few sentences about how important they think press freedom and journalistic endeavour are. The secret hope of every blogger is probably that their sublime writing will catch the eye of a sympathetic editor and they will be catapulted from the amateur sphere and be given a weekly column, or at least a spot of freelance at the Guardian. Biting that hand that hasn’t even picked up the food is surely blogger suicide. But I can’t be arsed. I honestly don’t want to live in a country where journalists get locked up for doing good work, but I think I live in a country where newspapers can get mixed up in axe murders with impunity, so I doubt that Fleet Street will crumble if I fail to invoke the spirit of Voltaire before suggesting something that hacks might see as a check on their activities. They have David Cameron, Michael Gove and Boris Johnson and that’s all they need.

Besides, I come to exempt journalists, not to bury them. I think that the only solution to the data theft problem is to remove journalists from the equation. Lord Justice Leveson proposes significant amendments to the S32 exemption from DPA, which currently allows those processing personal data for journalistic, artistic and literary purposes to escape virtually all of the Data Protection principles as long as this is ‘necessary’. I think Sir Brian’s ideas don’t address the bigger picture, and should be binned. The press will never support any infringement of their liberties, whatever the justification, and some papers will monster anyone who supports such a plan. Meanwhile, the possibility of a prison sentence is likely to have a much better deterrent effect on office workers, nurses and cops tempted to steal or suborn others to steal personal data than a paltry fine and no record. If newspapers feel that they face this threat too, scaremongering about investigative journalists (rather than phone hackers and dumpster divers) ending up behind bars for speaking truth to power (rather than figuratively or actually smelling celebrity knickers) will continue its harmful knock-on effect.

S28 of the Data Protection Act gives those using personal data for the purposes of national security a total exemption from its requirements. Rather than continue to have the debate on data theft railroaded by a sideshow that is becoming increasingly sanctimonious, let’s extend that approach to journalists. Give them a ‘get out of jail free card’ and stop our personal data from being plundered everywhere else.

Carry On Motorman

My next blog post was supposed to be something a bit different, but I’m waiting for someone to respond to a complaint I’ve made before completing it. In the meantime, all I have is more Motorman ICO material. The muddle over the legal advice I wanted that they didn’t have and the legal advice they did have that they thought I didn’t want (and it turns out, could only have a bit of) is now parked in the ICO’s FOI complaints queue. I doubt there will be any appetite to expedite it, but I can wait.

But this week, a few more morsels bobbed to the surface. Thanks to the Independent, we know that in September 2011, the Information Commissioner personally reported Alec Owens, the ICO former investigator, to the police over the fact that he had copies of the Operation Motorman files. Owens had just made embarrassingly plausible allegations in the Independent that the ICO didn’t have the stomach to take on the press when they discovered the extent of blagging and hacking, and I don’t need to make a snide insinuation about the IC’s motives for shopping Owens, because Paul Farrelly MP has already put the boot in:

The knock on the door from police can only be interpreted as a counter-productive, cack-handed attempt to put the frighteners on before testimony in the public interest to the Leveson inquiry … Given [the committee’s] unsatisfactory experience with the ICO, nothing, frankly, would surprise me, but using the police in this way is a total misuse of resources and power

After the reports of the raid on Owens’ house, I made an FOI request to the Commissioner to find out more. Back then, it wasn’t clear who had dobbed Owens in, though the ICO seemed the obvious candidate.

This is some of what I asked for:

1)               The story [ about the raid on Owens’ house ] states that police were acting on “information received”. Did this information come from the Information Commissioner’s Office?

The first FOI response refused to confirm or deny any on the basis of the S40 Data Protection exemption. I don’t know whether it was Owens’ or (it turns out) Chris Graham’s data that was being protected, but I didn’t understand the response, so I asked for an internal review. Graham Smith, Deputy Commissioner, responded to my internal review last month, and he managed to make things worse. Smith’s response included this:

Technically I think the refusal on the grounds stated was correct. It may also have been strictly accurate to say that the ICO did not hold recorded information which answered your question.

Nevertheless, reviewing the situation now and in the light of information which has since come into the public domain, I can now answer your question by saying that in relation to matters referred to in the newspaper article, the police were acting on information which came from the ICO.

So on January 17th 2012, the ICO’s position was that when I originally asked about this in November 2011, they should have said that they had no recorded information about whether the ICO tipped off the police. However, Chris Graham confirmed in a letter to the Independent that he reported Owens to the Police in September 2011. For the ‘no info’ story to be true, Chris Graham would need to have acted in a personal capacity or alternatively dialled 999 and wrote nothing down. Is it entirely implausible to suggest that both the initial response and internal review were disingenuous i.e. neither respondent wanted to point the finger at the boss? Or that the first response was based on an inadequate search? Or am I just paranoid?

You can argue that Chris Graham was entitled to report Owens (his letter to the Independent certainly does), but that doesn’t explain the Alice in Wonderland FOI responses. It also doesn’t explain why he bothered to report Owens when one of the defences against a S55 offence is the public interest. As he said to the Independent, Owens believes he has such a defence, and his use of the Motorman evidence (however obtained) has been to raise issues of public concern. Even if you think Owens is motivated by a desire to stick it to his former employer (imagine that), it doesn’t take a genius to see that the case would go nowhere – and Cheshire Police have confirmed to the Indie that Alec Owens faces no further action.

I’ve got three problems now. This is the second time I have made an FOI request to the ICO, got an initially bewildering response which has been rendered even more bizarre when I asked for an internal review. The evidence of What Do They Know and anecdotes from other applicants suggest that the ICO’s approach to its own FOI requests is troubling. They cannot be a credible FOI regulator if their FOI practice is not on a par with the best of the public sector. The HSE cannot have its staff falling off ladders. I have trained quite a few organisations recently who do FOI with more clarity and understanding than the Commissioner’s Office, and the folk in Wilmslow should take a look in the mirror before writing any more preachy FOI press releases. Their new FOI guidance is really nice; I know they wrote it, but have they read it?

Second problem: one of the other questions I raised in my FOI was this:

What action is the Information Commissioner’s Office taking in response to this apparent breach of the Seventh Data Protection principle? Will the ICO’s own procedures be investigated?

The answer to that one was straightforward: “We can confirm that no recorded information is held.” In plain English, no. An employee apparently takes a huge amount of information – so huge that the ICO is currently and I imagine legitimately refusing to trawl through to satisfy hacking-obsessed MPs on the grounds of the massive effort it would require. The information includes the personal details of hundreds of innocent people. And yet, both as a responsible Data Controller and as the Data Protection Regulator, the Information Commissioner told me that they are not investigating the incident. Who cares if it was a historic event, just imagine what they would do if anyone else was guilty of such complacency? An NHS body on the South Coast is complaining about a proposed ICO civil monetary penalty that they think should be treated as a theft but the ICO is treating as 7th principle breach, so we know that the ICO is willing and able to distinguish between the two. Does Chris Graham believe other Data Controllers do not need to investigate breaches of this magnitude when they come to light because they’re historic? If so, he should say so openly.

And there’s my final problem. As an outsider, I think Operation Motorman looks like a diligent and through investigation undone by a failure of nerve on behalf of Richard Thomas and his Deputy. It is a matter of public record that both men dispute this, but Thomas’ own Leveson testimony convinced me that he didn’t want to go after Fleet Street. But this isn’t Christopher Graham’s problem. He has to deal with phone hacking and its repercussions now and he should be allowed to protect current ICO staff who were around at the time from unfair criticism. The ICO has sometimes looked like a proxy for politicians and journalists to monster because they can only get hold of members of the Murdoch family occasionally. And to be fair, the current holier-than-thou attitude of some MPs is sick-making when you consider that nothing that the Motorman-era Commissioner’s Office could have done would have had the same effect as political leaders of all persuasions not acting like Rupert Murdoch’s handmaidens.

However, the current Commissioner should not let his predecessor’s decisions (or lack of them) become an albatross around his neck. To ask for Owens to be investigated without finding out how he could have taken the data looks like spiteful doublethink. The inelegant and defensive FOI responses I’ve received only make matters worse. We need a bit of truth and reconciliation here, but the truth should come first. The previous Commissioner dropped the ball after Motorman. Alec Owens is entitled to be treated as a whistle-blower, not a criminal. If it was a crime for him to have those records, he’s got a defence and it was surely a breach of the Seventh Data Protection principle for them to be accessible. The ICO should be allowed to move forward but only if they stop pretending that they haven’t put a foot wrong, and only if they show that as a public authority and data controller, they can walk the walk as well as talk the talk. Until that happens, annoying bloggers like me will be the least of their problems.

Today’s post is brought to you by the letters I, C and O

Previously on the 2040 Information Law Blog…
Last September, a former Investigator from the Information Commissioner’s office (subsequently identified as Alec Owens) gave an interview to the Independent, in which he condemned his erstwhile employer for bottling the decision to prosecute journalists who had employed the private investigator Steve Whittamore. The Deputy Information Commissioner, David Smith, refuted Owens’ claims, stating that the ICO received legal advice that the journalists could not successfully be prosecuted. I requested the advice, and the ICO’s response was that it was not held. Shortly after, the ICO supplied legal advice – which included a consideration of issues around prosecuting journalists – to the Leveson enquiry. I asked for an internal review because, to paraphrase, they appeared to be taking the piss.
And now…
Before I continue, gentle reader, let us dally for a moment with a document called ‘Not what we do, but how we do it’. You can find it here, and it describes the values by which all ICO staff should do their job. I’ve mentioned it before, but I don’t think it’s as widely known as it deserves to be. Ernest Hemingway said that every writer needs a built-in bullshit detector. I read page 8 of this document, and my detector nearly gave me a hernia. The Information Commissioner’s Office is supposed to be a ‘model of best practice’. ICO Staff are exhorted not to “ask others to do what we are not prepared to do ourselves”. The ICO expects to be judged by high standards. Please keep this in mind as we proceed.

Last Friday, slightly later than advertised, I received my review response from the other Deputy Commissioner, Mr Graham Smith. Graham was my boss once, but if he recalls what a [expletive deleted] I was at the time, he shows no sign of it.

The apparent contradiction is explained. The advice I asked for, the one David Smith cited, has been disposed of. Graham offers me no explanation why. The explanation of why it was highlighted in the Independent is that David Smith used ‘What Price Privacy’ as a guide for what the advice said. The ICO is not obliged to adopt permanent contextualisation, but Smith’s statement would carry less weight had he said “According to ‘What Price Privacy’, we got some advice that we didn’t keep”. None of this makes the ICO’s statement to the Independent untrue. But I wasn’t convinced by that statement in the first place, hence my FOI request. Take a wild stab in the dark about what I think now.

So what about the other advice, the one supplied to Leveson? Even though he thinks it was irrelevant to my original request, Graham gave me the section of it mentioning journalists, with the other seven pages of advice redacted into inky blackness. Needless to say, the disclosed section isn’t a smoking gun that greenlights a smackdown on hacks, but riddle me this: the advice I received says “I understand that policy considerations have led to the view that enforcement of some sort, rather than prosecution is the way forward”. He even asks for the reasoning not to prosecute. So why did the second lawyer engaged by the ICO think it was a policy matter, when statements given to the Independent cite legal issues based on the first advice?

According to the internal review, the initial search identified this second piece of legal advice. My request clearly was for the advice that David Smith quoted in his statement to the Independent. So if you want to be bloody-minded (and when I was an FOI officer, bloody-minded was my middle name), the fact that the ICO identified advice about prosecuting journalists implicated in Operation Motorman during a search for advice about prosecuting journalists implicated in Operation Motorman is irrelevant, because it wasn’t the advice about prosecuting journalists implicated in Operation Motorman I had asked for. But given what this second piece of advice says, I think I can be forgiven for being cynical about why I didn’t get it.

Moreover, the initial FOI response says this: “In response to your request, we do not hold recorded information in relation to this request. We do not hold a written legal advice in relation to the decision not to prosecute the journalists involved in Operation Motorman.” (in other words, they don’t say ‘the legal advice you asked for’). If Graham Smith’s internal review is correct, the initial response was not. This should be of concern to the ICO and everyone they regulate, even if the only problem is that the initial response was imperfectly expressed.

Nobody can ask for an FOI search to include things that the punter hasn’t asked for; my point is that this search turned up something of clear, direct relevance to my request. It seems eccentric to the point of obfuscation not to mention it to me. Friends, my advice is to be as helpful as is practical because (a) that’s clearly in the spirit of the legislation and (b) it’ll almost certainly save you work in the long run. But I wouldn’t advise you to ask for clarification after 14 working days and then start the clock from then, and the ICO did that to me as well. The ICO seems to think that you can take a totally unimaginative reading of the request and ignore anything else, no matter how relevant it might be.

And here’s another thing. The ICO, like all public authorities, is under a duty to provide applicants with advice and assistance. In Graham Smith’s view, the ICO was under no obligation to advise or assist me by telling me even though what I had asked for was no longer held, a closely related document had been found. And no advice or assistance was required to explain where the advice I asked for has gone. The internal review did not accept any requirement to provide advice and assistance about anything.

So what’s my point? Well, I have two of them. Alec Owens accused the ICO of lacking the guts to take on Fleet Street. I believe him now. In another FOI internal review, Graham Smith confirmed to me that the police raid on Owen’s home shortly before his Leveson appearance followed a tipoff from someone at the ICO. Make of that what you will, but Owens’ allegations back up the fact that the ICO has a flimsy track record with big targets: the secret Phorm trials involving BT and the Wi-Fi scraping that Google originally said hadn’t happened are two good examples (if you think an undertaking counts, you’re reading the wrong blog). Even the current wave of fines – for which the ICO deserves credit – is directed only at self-reported public sector targets that largely won’t fight back. Until the ICO fines a big bank or utility company for a DPA breach, or issues an FOI enforcement notice to a central Government department, I see a credibility gap. I don’t believe that the only DP and FOI villains in the UK are Councils, NHS Trusts and similarly local organisations, but only they have anything to fear from the Commissioner right now.

And the other point? I think the ICO’s handling of its own FOI requests needs attention. The first response to my advice request was inadequate and possibly inaccurate – the lack of advice and assistance was abysmal. A glance at the last couple of months of What do they know shows that the ICO has refused to admit which of its senior officers have had training and coaching and which hold its own chosen DP qualification (both overturned on appeal). An applicant asked directly whether the ICO had accidentally disclosed information, and the answer managed to evade the key question almost completely. And just this week, they released a heavily edited version of their security incident log with two entries completely obscured. You can imagine the scorn if this litany of clodhopping decisions were in the ICO’s sights, rather than being made in their building.

The Information Commissioner’s Office can’t have it both ways – either they are a model of best practice (in which case, act like it), or they’re just another FOI public authority (in which case, cut the propaganda). Right now, if “it’s not what we do but how we do it”, then ‘we’ ought to be thoroughly ashamed of ourselves.  

Yes! We have no Bananas!

A few weeks ago, the Independent had a good splash over comments made by an insider in Operation Motorman, the ICO’s investigation into private investigators that started a ball rolling very slowly toward this summer’s phone hacking furore, and the remarkable humbling of Rupert Murdoch. In particular, the Independent’s source claimed that the ICO had bottled it, backing away from prosecuting those implicated in wrongdoing because they were afraid of the consequences of prosecuting journalists.
Despite the fact that seasoned ICO watchers might give this story some credence (see previous blog posts for my views on their rather lame approach to enforcing the DPA) the Information Commissioner’s Office issued a stern retort, stating firmly that the decision not to prosecute was based on “expert legal advice”:
This is a sound reason not to take action. One might wish for a Commissioner with a Quixotic urge to tilt at every windmill, but it would be expensive and a little self-indulgent. However, I was curious to read the advice to find out if it was as definitive as the ICO implied, especially given the fact that reliance on legal advice had been such a feature of the phone hacking case (i.e. the disagreement between the Murdoch clan and their erstwhile lawyers Harbottle Lewis over what HB’s advice on phone hacking meant). So I made an FOI request for the expert legal advice.
It was entirely likely that the ICO would refuse, using a possible double whammy of Section 30 (investigations) and Section 42 (legal privilege), but I thought I had a serious case of public interest on my side. Moreover, if they said no, this opened up the tantalising possibility of finally being the applicant in a worthwhile and challenging FOI case, with the added bonus that the public authority is one who will never pay me for training or consultancy (it’s bad policy to add to the workloads of potential customers, in my opinion).
So imagine my anticipation when the response finally arrived. They say yes, and I have a really interesting piece of information; they say no, and I can challenge them on the public interest. Given the gritty certainty of the ICO statement, there was only one outcome I had not foreseen despite the fact that I tell everyone I train that it’s the easiest answer in FOI, as long as it’s true: the advice is not held.
Readers of this blog (all four of you) may by now be inured to my ICO bashing, but frankly, I’m staggered. Are we to believe that the advice was received verbally, and never written down? I’m making an assumption that the advice was held, and has either been lost or destroyed. Either possibility is shocking.

The importance of the information is underlined by the way in which the Deputy Commissioner David Smith used it last month to defend the Commissioner’s Office from serious accusations. I’m not questioning anyone’s memory of what it said, but that’s a slender thread on which to hang a very weighty matter. I’ve put in a follow-up request, asking them to confirm whether or not it has been destroyed, but frankly, that’s a sideshow. I can just imagine the withering ‘Other Matters’ section of the decision notice that the ICO would take pleasure in writing if some other body was asked for such a pivotal piece of legal advice, with barbed remarks about records management. I still want to defend the ICO from people who want to abolish it, but frankly, they don’t exactly make it easy. The next time they criticise someone else for the quality of the record keeping, we should all take it with a pinch of salt.

Below is the response, including my request and their response. I’ve cut the review procedures and other elements, but left in all of their substantive response:

“Dear Mr Turner
Further to our acknowledgement dated 15 September 2011 we are now in a position to respond to your request for information under the Freedom of Information Act.

In your email dated 15 September 2011 you requested the following information:

In the Independent this morning, David Smith made the following statement.
“Our decision was based on expert legal advice that pursuing prosecutions would not be in the public interest, because of the difficulty in proving beyond all reasonable doubt that the journalists who received information from Mr Whittamore knew it could only be obtained illegally.”
I would like to request a copy of the legal advice Mr Smith refers to here. I assume you will consider the application of Section 42. Please take into account the following factors – Mr Smith has revealed the content of the legal advice, and disclosure of it is vital in terms of the public interest. The nature of the advice would assist in revealing whether allegations made in the Independent by a former ICO employee about the reasons for non-prosecution of journalists have any foundation.
In response to your request, we do not hold recorded information in relation to this request. We do not hold a written legal advice in relation to the decision not to prosecute the journalists involved in Operation Motorman.”