The Secret Seven

Last year, I wrote about the fact that Councillor Alex Ganotis, Labour leader of Stockport Council is also a group manager at the Information Commissioner’s Office. After an FOI request, the ICO admitted that he managed the teams responsible for complaints about political parties and local councils. At the time, I argued that this was an unacceptable conflict of interest, and something had to be done about it.

In May this year, shortly after being elected as Manchester’s new Mayor, Andy Burnham appointed Cllr Ganotis as his Environmental Tsar. You can watch a video of the announcement here, and ponder such fascinating questions as why Burnham’s nose is so red, or why throughout the first two minutes, the camera keeps cutting to a wide shot that captures Ganotis’ uncomfortable facial expressions while Burnham is talking. The announcement piqued my interest. If he was organising a grand summit of environmental worthies, would Cllr Ganotis really have time to work at the ICO? And if so, what effect would the review into political activities that Elizabeth Denham announced have on his role?

I made an FOI request to the ICO for the following information:

1) In 2016, the ICO confirmed to me that Alex Ganotis was manager of the team that dealt with complaints about councils and political parties, despite being Leader of Stockport Council at the time. Can you confirm whether Mr Ganotis is still a member of ICO staff, and if so, what is his current job, and what arrangements have been made to avoid any potential conflict of interest?

2) What is the current ICO policy and process for dealing with political party affiliations and potential conflicts of interest?

3) In August 2016, the Information Commissioner announced in an interview with the BBC’s Martin Rosenbaum that she had ordered a review of the involvement of ICO staff in political activities. I would like to see any report or findings arising out of the review, or other summary of the review and its findings, and details of any actions that were taken as a result of it.

4) I would like to receive all current declarations made by any member of staff of involvement in political activities

5) What specific measures have been taken in respect of each staff member who has made a declaration to ensure that there is no conflict of interest?

The response made for fascinating reading. For one thing, Cllr Ganotis remains a Group Manager at Wilmslow and although his group no longer deals with political parties, it still covers issues related to all local authorities in the UK except for those in Greater Manchester, Cheshire or Derbyshire. How politicians and others in every council outside the North West feel about complaints about their authorities still being supervised by the Leader of a Labour Council and a close ally of Andy Burnham is hard to judge. They might be thrilled. Maybe the ICO should ask them.

The report I received under item (3) of my request did contain an option to remove Cllr Ganotis from work involving local authorities altogether, but one of the reasons that this option was not recommended was the fact that “it could be seen to question the professionalism of Alex and other members of staff and their ability to apply the law without bias or political influence“. How Cllr Ganotis’ political career could possibly be seen to reflect on other people is beyond me, but it is jarring that a significant factor in the decision to keep him involved in council work might have been the effect on him, rather than the Commissioner’s ability to operate independently. To be blunt, the ICO as a whole is more important.

UPDATE: I have attached the ICO’s report into the conflict of interest here, so readers can judge whether how objective and balanced it is: Commissioner Information Note – Political Activities.pdf

Unless every team in the ICO handles complaints about local authorities (and to lesser extent, government), Cllr Ganotis should have been moved to one that doesn’t. Having decide to pursue a high-profile political career, asking him to make a sacrifice to avoid conflicts of interest and their perception would not be too much. I am surprised that Cllr Ganotis has not requested such a transfer himself. To risk even the perception of influence over decisions about politically-run organisations, and at the same time pursue a high-profile political career suggests either an enormous amount of faith in one’s ability to compartmentalise, or just old fashioned hubris.

The review identified gaps in the ICO’s Political Activities Policy, with recommended “updates” including a stipulation that staff must avoid party political activities which might impair their ability to perform their duties impartially, a requirement to inform the ICO if their activities or areas of responsibility change, and the scope to remove permission to undertake political activities if an individual’s ICO role or political activity changes. Needless to say, this means that none of this existed before.

The rest of the FOI request suggests a continuing unwillingness to face the issue of political involvement. Including Cllr Ganotis, eight staff members have made declarations of involvement in political activities, but the ICO refused to tell me who the other seven are, or what they do, claiming that the data is sensitive personal data. This is true, but it is not automatically a barrier to disclosure. For one thing, the Secret Seven could be asked for consent, and this is not the only route to disclosure.

There is surely a legitimate interest in knowing whether people working for an independent regulator such as the Commissioner have political affiliations, especially when you consider the ICO’s involvement in political matters. Over the past few years, the ICO has fined Leave.EU, David Lammy MP over his London Mayoral Campaign, the Daily Telegraph for its pro-Tory emails during the 2015 election, and in recent months, they took no action against Virgin Trains following Jeremy Corbyn’s antics in a train vestibule. More importantly, the Commissioner herself announced a formal investigation into the use of data analytics for political purposes with no small amount of fanfare, involving 20 staff. The ICO is knee-deep in politics and transparency over the declared political activities of the staff is in the public interest.

As the data is sensitive personal data, legitimate interests would not be enough; a condition must also be met from Schedule 3 of the Data Protection Act as well. One of the conditions is that the Data Subject has put their sensitive data into the public domain. If, for example, a senior ICO staff member was to mention on their LinkedIn page that they were a Councillor for 9 years, the Campaigns and Communications Officer for an MEP for five years, listed the Liberal Democrats as one of their main interests and was recommended for ‘politics’ and ‘political campaigning’ by dozens of people, I think I can argue that at least this one has manifestly made their political views public. The ICO refusal says “our staff do not have a reasonable expectation that their declarations would be disclosed into the public domain“, but the staff member in question was a candidate for the LibDems in the 2015 General Election, so I humbly suggest that the cat is out of the bag. Either this person is one of the seven, and the ICO’s arguments are false, or they haven’t made a declaration, and the ICO’s claim to me that “the review and policies are sufficient to demonstrate that we avoid conflicts in our work” is nonsense. Again, did they consider this before refusing me?

Every national, local, or internal party election or referendum runs on personal data, and personal data is exploited, analysed, shared, lost, stolen and misused in every single one of them. If you can name a major vote in this decade that hasn’t resulted in a DP snarl-up, you’ve a better memory than me. If there is one word that shines through everything the Commissioner sent me on this topic, last time and this time, it’s  complacency. The policies and procedures that existed before and the ones that have replaced them are built on an obvious assumption that a box needs to be ticked. Of course nobody is actually going to do anything untoward, the managers are on top of it, staff will proactively declare any conflicts of interest and besides, we have a procedure. But they thought it was all fine before. If I had not written my blog last summer, Cllr Ganotis would still be responsible for managing complaints involving his council, his party and his opposition.

I don’t think the Commissioner’s Office takes this seriously. I am amazed that Alex Ganotis is still allowed any influence over the ICO’s decisions about local government, regardless of how objective or benign that influence might be. I am appalled that anyone in the ICO’s senior management could think that this is acceptable. Every time the Commissioner acts or doesn’t act on a political issue, do we always need to ask: who was involved? What bias, conscious or unconscious, did they bring to bear? What other interests do they serve? In a world dominated by fake news and internet froth, the ICO’s independence and objectivity should be their highest priority. It isn’t.

Analyse This

With no small amount of fanfare, the Information Commissioner Elizabeth Denham recently announced a “formal” investigation into the use of data analytics for political purposes. The use of targeted ads in political campaigns – especially those where the Right triumphed – has been much in the headlines, and the ICO clearly feels the need to react. Denham blogged on her website: “this investigation is a high priority for my office in our work to uphold the rights of individuals and ensure that political campaigners and companies providing services to political parties operate within UK law.”. The investigation was greeted with enthusiasm – the journalist Carole Cadwalladr who has made a lot of the running over analytics in the Observer was supportive and the Data Protection activist Paul-Olivier Dehaye hailed it as ‘very important’.

Saying that Facebook is probably abusing privacy rights (and acting as a conduit for the abuse of privacy rights) is a bit like saying that rain is wet. Some of Cadwalladr’s reports have drawn fascinating (if hotly disputed) links between various right-wing vampires like Nigel Farage, Dominic Cummings and Steve Bannon, and draw interesting (and hotly disputed) links between various Brexit campaigns and the tech firm Cambridge Analytica. Other of her stories are lame; a recent article complained that people Cadwalladr doesn’t approve of are outbidding people she does approve of when buying Facebook ads, which isn’t really news.

Worse than that, another article enthusiastically repeated Stephen Kinnock MP’s calls for an investigation into Tory data use, ignoring the fact that on the same day, Labour was hoovering up emails on its website without a privacy policy (which, like the marketing emails they will inevitably send) is a breach of Data Protection. The article makes the false claim that it is illegal to use data about political opinions without consent. Several people (including the chair of the National Association of Data Protection Officers) pointed this out to Cadwalladr, but the article is uncorrected at the time of writing. If you want to write about political parties and campaigns abusing data protection and privacy and you only acknowledge the dodgy things that one side gets up to, your allegations should not be taken too seriously. Politics is a swamp, and everyone is covered in slime. Given Cadwalladr’s shaky understanding of Data Protection law, it’s not hard to believe that her interest in the topic is mainly motivated by politics, and the ICO needs to be careful not to be sucked in.

It’s odd that allegations made to the ICO about data misuse by Owen Smith and Jeremy Corbyn, or candidates for the UNITE leadership have come to nothing, and yet here we have a formal investigation announced with great flourish into an issue that is largely perceived as affecting the right. I’m left-wing myself, but if Denham is going to take action over the political use of personal data, I expect her to be scrupulously even-handed.

However, I doubt very much whether action on this issue will ever happen. Just after the announcement, I made an FOI request to the Commissioner’s office about the nature of the investigation – how many people were involved and where from, what powers the ICO was using to conduct the investigation, and who the most senior person involved was. What I was trying to find out was simple – is this an investigation likely to lead to guidance or enforcement?

Here is what my FOI revealed (questions in bold, ICO answers below)

1) Under what specific powers is the investigation being carried out?

Initial intelligence gathering would fall under the general duties of the Commissioner to promote good practice (section 51) of the DPA. This may lead to use of investigatory powers and enforcement where necessary, under the provisions set out in Part V of the DPA, as well as the CMP powers at section 55A.  The Commissioner also has powers of entry and inspection under schedule 9 of the DPA.

2) How many members of staff are involved in the investigation?

It’s difficult to give an exact number, the ‘group’ involved will need to be established and documented in terms of reference which will be done shortly. At this stage, from the information we hold, we can say that 16 member of staff have been involved and another 4 members of staff are also expected to be involved as the investigation progresses.

3, 4 and 5-
 
What are the job titles of the staff involved?
What is the name of the most senior person involved in the investigation?
Which department and team do these staff belong to?

Senior Policy Officer – Private Sector Engagement
Group Manager – Private Sector Engagement
Policy Officer – Private Sector Engagement
Lead Communications Officer – Communication Planning
Senior Policy Officer – Public Policy and Parliament
Intelligence and Research Officer – Intelligence Team
Team Manager (Intelligence) – Intelligence Team
Lead Intelligence and research Officer – Intelligence Team
Team Manager – Enforcement (PECR) – Investigations
Group Manager (Public Policy & Parliament) – Public Policy and Parliament
Senior Policy Officer (Public Policy & Parliament) – Public Policy and Parliament
Team Manager (Enforcement Team 2) – Enforcement
Team Manager – Communications – Communications Planning
Head of Corporate Affairs – Communications Planning
Group Manager – Public Sector Engagement – Public Sector Engagement

The most senior person is Steve Wood – Head of International Strategy & Intelligence – International & Intelligence Management

*************************************************************************************

What does this tell us?

The main contributors are Engagement (which is presumably the successor to the old Strategic Liaison department whose chief role was holding hands with stakeholders), and policy (whose main contribution to the debate on big data is this endless and almost unreadable discussion paper). The most senior person involved is Steve Wood, who has an academic background. Of the 16 involved, just two are from Enforcement, outnumbered even by the comms staff. Apologists for Wilmslow will leap on that bit that says “This may lead to use of investigatory powers and enforcement where necessary“, but my response to that is an armpit fart. The ICO is starting from the perspective of promoting good practice run by an academic, which is just about the silliest response to this issue that I can think of.

Some areas that the ICO regulates are prime candidates for guidance. The public sector, charities and regulated industries are likely to be influenced by what the ICO says. Other areas – list broking and compensation claims spring to mind – are immune to policy and guidance, but politics is the best example. Politics is about power – if a party, campaign or individual can take power while breaching DP law, they will. It isn’t that they don’t understand the law, it is that they don’t care. No political party or campaign will be influenced by ICO guidance, and to pretend otherwise is childish. All major political parties (Labour, LibDems, SNP, Tory) have received a PECR Enforcement Notice over automated calls, and yet they flout PECR all the time with emails and yet more calls, as anyone who heard from David Lammy knows only too well. Even when the ICO fined Leave.EU during the referendum, the campaign’s reaction (“Whatever”) could not have been more derisive because they could afford to pay the fine. Either the ICO comes into politics using its powers to the maximum possible extent against everyone (£500,000 penalties, or more useful, enforcement notices that are backed up by prosecution), or they should leave the field.

We already know that the outcome of this investigation will be revealed long after the election is over, when anything that the Commissioner says or does will have no effect on the real world. On the evidence of my FOI, I predict there will be no fines, no enforcement notices, no action. There will be a long, thorough and thoughtful report that nobody in politics will pay attention to, and only people like me will read. The first task of the Supervisory Authority under GDPR is to ‘monitor and enforce’. Long ago, when I worked there, the joke went around the ICO that senior officers operated under the mantra ‘thinking is doing’, as an excuse to avoid taking any action. I don’t care if no senior officer ever actually said this – on big strategic issues, the ICO has always laboured under this approach. Denham’s first big splash was to follow through on charity enforcement when the easy choice was to back down. She deserves praise for that decision. However, If there is an international right-wing conspiracy to hijack democracy across the world, I don’t think a thought symposium is going to save us.

Caesar’s Wife

In May 2016, the Labour member for Heatons North, Alex Ganotis, became Leader of Stockport Council, having been a councillor for some years. A month or so later, I read a story mentioning him in the Manchester Evening News, and his name rang a bell. Alex Ganotis is also a Group Manager at the Information Commissioner’s Office – I know this because he has signed hundreds of FOI Decision Notices on behalf of the Commissioner.

I made an FOI request to the ICO to find out more about Mr Ganotis’ role – in particular, I wanted to know how likely it was that a professional politician might be involved in complaints to the ICO involving political parties or local government. If Mr Ganotis worked on financial services or health, for example, he would need to maintain a high degree of professionalism and neutrality, but there would be no immediate conflict of interest. So I asked the ICO what team he manages. The answer:

Mr Ganotis manages a team of staff who deal with complaints and concerns about councils and political parties

I had to read this several times before I could take it in.

The ICO’s Policy on party political activities is helpfully published on its website. It makes reassuring reading:

The ICO is an independent body and it is important for it to be free from party political bias, and to be clearly seen and acknowledged as being free from such bias……. It is of paramount importance that the ICO is acknowledged as being free from party political bias and influence. The work that we do can often be of a politically sensitive nature and any substantiated allegations of bias would have serious repercussions for the future of the ICO.

The policy sets out a process through which an ICO employee can gain approval for party political activities. I asked when Ganotis went through this process, and the ICO revealed that he was approved in October 2008, which means that his dual ICO / councillor role went on for nearly eight years before he became Leader – he did not seek re-approval when he became Leader, so it seems that the ICO has not reassessed his role now he is a council leader, nor has he asked for this to happen.

I asked for recorded information about the approval process for his role. The ICO has nothing. I asked for any recorded information about measures taken to ensure, in the Policy’s words, that ‘potential for conflicts of interest’ have been minimised with regard to Mr Ganotis’ role. Nothing is held. The ICO added “Mr Ganotis’ line manager and his peers are responsible for assigning decision notices and make a judgement on a case-by-case basis as to what he is assigned, taking into account whether individual cases could pose a potential conflict of interest.” There are no formal arrangements, no written criteria or parameters, nothing to measure or audit against. The ICO enthusiastically fines organisations hundreds of thousands of pounds for failing to maintain properly documented processes, but in the case of having a professional politician managing a team that deals with hundreds of complaints about political parties and councils, the ICO itself sees no need for rigour. Trust whoever decided that this is OK, Wilmslow says, because we have nothing else to offer.

Mr Ganotis is a Group Manager, answering to a Head of Department, but the ICO’s response makes clear that the former Information Commissioner himself, Richard Thomas, approved of the arrangement: “the Commissioner at that time was made aware of his standing and subsequent election“. When I wrote this blog originally, I assumed it was Christopher Graham who was Commissioner, but he did not take over until 2009. ICO trivia fans may remember that Graham was himself once a councillor (for the Liberal Party) and a twice-unsuccessful parliamentary candidate – one wonders if he knew about Ganotis’ status, and if he did not, why nobody told him.

Anyone who has political beliefs or leanings and works in local or central government knows the awkward but vital requirement to set those beliefs aside and act neutrally in the public interest. As a Labour voter in every election since 1992, I have done it myself. It is not easy, but you don’t need to be a saint to achieve it. I cast no doubt on Mr Ganotis’ personal integrity, or ability to do the same. But anyone who thinks that’s the point just needs to Google the title of this blog.

Mr Ganotis has signed hundreds of FOI decision notices on behalf of the Information Commissioner, exercising the Commissioner’s statutory powers. Those notices include  councils across the UK, and government departments run by ministers who, in his other role, Mr Ganotis publicly opposes, and he has been doing so for years. The ICO disclosed to me a spreadsheet of the cases that Ganotis’ team has dealt with since January 2014 (records before that are routinely destroyed). A quick glance at the organisations concerned give a flavour of the issues that pass across the team’s desk in just one month. In July 2016, I can see the Labour Party (8 times), Momentum, Saving Labour, and Progress. It is hard to imagine any team would be more steeped in politics and arguments about political activity than this one, and the (former) Information Commissioner decided that a professional politician was the right person to manage it.

Over the past few years, the Labour Party has carried out its obnoxious and unfair purge, struggled with allegations of member data misuse on all sides (Corbyn, Momentum and Owen Smith), and demonstrated the traditional party blindness to PECR. I have myself blogged sorrowfully but repeatedly about Labour’s Data Protection and privacy woes for several years. In all of that time, only David Lammy’s doomed automated calls have faced any enforcement action (and he wasn’t even an official Labour candidate in the election concerned). To be clear, I have no evidence of any influence being brought to bear on this. But, as the ICO’s own policy states explicitly, “the organisation does seek to ensure that the potential for conflicts of interest is minimised as is the possibility of the ICO being accused of being politically biased“. In this, Mr Ganotis, his line manager and the former Commissioner have failed, and failed spectacularly. How can anyone in politics have confidence in the ICO’s decisions?

Any FOI decision notice involving a council or a government department signed by Mr Ganotis could be tainted, and there are hundreds of them. The ICO’s failure to take action against the Labour Party for a consistently terrible approach to Data Protection and privacy issues is no longer just over-caution, but potentially something far more objectionable. Every case Mr Ganotis has been involved in could be perfect, but the ICO cannot guarantee this with a straight face; their own policy recognises the problem of perception, but their practice is blind to it. They could have moved Ganotis at any point since 2008 to another job of equal standing, and the problem would have evaporated. He is still in place.

That Mr Ganotis could not see that continuing to manage a team responsible for complaints about political parties and councils was incompatible with his role first as councillor and then as Council Leader raises a question about his judgement. That the ICO’s management was either unwilling or incapable of identifying and remedying the potential conflict of interest is a matter of serious public concern.

I have spent a decade and a half criticising, satirising and annoying the ICO in the hope that for no other reason than to spite me, they will become a more effective, more enthusiastic regulator of Data Protection. But this is too much. This is a genuine failure of governance. It could pollute a host of formal decisions (and indecisions) stretching back for years. It has to be dealt with.

I don’t understand how Mr Ganotis could ever sensibly manage the team responsible for political parties and enjoy the confidence of the public. Richard Thomas and Chris Graham should have stopped it, and I hope that the new Commissioner will ask questions about how her managers and Human Resources team could allow such a shocking situation to occur. But if all this isn’t put right, if this bizarre conflict of interest continues acknowledged but unaddressed, we should all look very closely at every decision that emerges from Wilmslow with a more sceptical eye than even I thought possible.

Labour pains

Last month, I registered as a supporter of the Labour Party in order to vote for the leader and deputy leader. I am a lifelong Labour voter, and no, I don’t care what you think about that, and if you tell me what you think about that in the comments, I will let your comment through solely so that I can edit it to replace your drivel with the word “Bellend”. WordPress lets me do this, friends, so choose wisely.

The choice of candidates for Leader is as tempting as being asked whether you want a smack in the face or a kick up the arse, while the inevitability of Deputy Tom Watson is just horrible. There are few experiences as emetic as opening an envelope to find Watson’s huge smug face staring out at you. If only I had a dartboard. Nevertheless, if the party is going to let me participate in the process of choosing which leader will lose the 2020 election, it seems churlish to pass up the opportunity. I actively want to vote for Stella Creasy, so there is some crumb of meaning in there somewhere, apart from the fact that she’s not going to win.

When I signed up, the Labour Party required me to agree to receive communications from the party. There was no more to it than that, and no terms and conditions for me to consult before signing up. It was a fait accompli – sign up and get the messages or go away and don’t vote. This is a straightforward breach of the Privacy and Electronic Communications Regulations 2003 (PECR). Communications from a political party are marketing. Regulation 22 states that marketing emails can only be sent if the recipient has notified the sender that they have consented to receive them. Consent is the same ‘freely given, specific and informed’ consent that you need for Data Protection. If there is any doubt about what that means for marketing emails, the Information Commissioner’s excellent guidance on Direct Marketing is – by ICO standards – uncharacteristically clear: “Consent cannot be a condition of subscribing to a service or completing a transaction”.

Labour cannot lawfully make the receipt of marketing emails and texts a condition of registering as a supporter. Every email and text sent to a registered supporter who has not actively and separately consented to receiving the emails and texts is a breach of PECR. The breach is particularly serious in my case, because in 2013 I exercised my rights under Section 11 of the Data Protection Act with all of the serious English political parties (and UKIP); this means that none of them can send me marketing, and so even the junk mail that each of the campaigns is sending me by post is unlawful. This is not my view; this is the view clearly expressed in the ICO guidance. The fact that I can opt-out is irrelevant. I should not have to (and anyway, I already have). Labour is arrogantly and cynically ignoring legislation that it passed when in government in order to hassle its most active supporters.

Inevitably, privacy champion Tom Watson has sent me the most emails, and demonstrated the least compliant approach. One of the emails had an option to tell Watson if you were going to vote for him, and so I clicked on the link to say no. I was then presented with a webpage asking me who I was going to vote for, as well as two pre-ticked boxes for ‘Send me email updates’ and ‘Send me text message updates’. A pre-ticked box doesn’t constitute consent (consent has not been ‘given’), but nevertheless, I unticked the boxes, clicked the box for ‘Stella’ and submitted.

Instantly, despite having told Watson’s campaign that I don’t want to vote for him and I don’t want to receive his email updates, I received a further email from Watson telling me how brilliant he is and how I should give him my second preference. There is no chance of this: not only will I never vote for Watson, I have always been fond of Ben Bradshaw, because he is Alan Dransfield‘s MP and he looks like he has skinned Hugh Grant and is wearing his face as a trophy. The second preference email was yesterday, and today, I have already received another email from a Watson supporter who has (no doubt spontaneously) written a paean to Watson that happens to include most of the examples the Watson campaign is using elsewhere. I am absolutely thrilled that the Watson campaign has apparently shared my email address with random strangers.

Needless to say, I have emailed Watson to point out his bad practice (and I didn’t use the word ‘hypocrite’, so see how I have matured) and more importantly, I have written a detailed letter of complaint to Iain McNicol, the party’s General Secretary. This is not my first rodeo with McNicol, so I know that all I will get is a reply stating ‘we’re perfectly entitled to do this and if you don’t like it, then opt out’. This reply is useful solely because the ICO understandably expects me to complain to the offending organisation first before going to them, and complaining to them is the only thing I can apart from write this blog for people who probably already agree with me.

Of course, the most the ICO will probably do is tell Labour to stop emailing me, which makes them (at least in this context) the world’s most convoluted unsubscribe button. But nevertheless, rather like voting for Creasy even though she’s going to lose because I honestly think she is the best candidate, I will complain about Labour’s habitual breaches of PECR because they need to be called out on it, even though no enforcement will follow.

A bunch of Tw*ts

The Englishman who wades into Scottish politics on either side, especially if he lives in England, is probably taking a huge risk of being disagreed with vehemently, no matter what he says. Nevertheless, the explosion of interest into the so-called ‘Clypegate‘ list has a Data Protection angle that I cannot resist.

To summarise, it seems that the Scottish Labour Party have assembled a list of supporters of the Scottish National Party who have said things on Twitter and Facebook that the Scottish Labour Party do not like. The list – inevitably tagged a dossier – has been passed to the tabloids to stir up some kind of frenzy about the so-called ‘Cybernats’. Some of the statements are fairly strong, but I doubt they are worse than anything said in the average pub conversation about politicians. I’m certain every term applied to Gordon Brown and Donald Dewar has been said of Alex Salmond by Labour supporters. As someone who voted Labour in the recent election, I can think of a few more constructive things that the smouldering remnants of Labour in Scotland could be doing with their time, but this is what they decided to do, so we are where we are.

Now, if you were hoping for anything more in the way of politics, you’re going to be disappointed. From here on in, it’s ANORAK TIME!

The Data Protection Act has many requirements for the processing of data, but the chief hurdle is the first DP principle, which requires three things. The processing of personal data must be fair, lawful, and conditions must be met. Regular readers will know that consent is not required, as there are alternatives to consent in the lists of conditions. Let’s consider the three elements in turn;

FAIR: fair has two meanings. The use of data has to be fair in the dictionary sense of the word and it also has to be fair in the DP sense, which means the Data Controller (Labour) has to tell the subject (the SNP tweeter) how their data will be used unless an exemption applies. Many organisations believe that because personal data is in the public domain, it is fair game. The Information Commissioner’s own guidance on personal data online stated in 2010 that this was not the case, and we have a very recent example (Samaritans Radar, which also focused on tweets) where the ICO stated that tweets were personal data (depending on their content), and so DP applied.

Labour fail on both counts. Gathering together tweets and providing them to a newspaper to name and shame the individuals is not fair in my opinion. But more importantly, Labour did not tell the subjects that their data would be used in this way. Clearly members of the Scottish Labour Party will look at what is being tweeted; they may analyse and try to counteract it. If you don’t like the idea of people you don’t like reading your tweets, go private or stop tweeting. However, the conscious selection and specific analysis of a person’s tweets is processing personal data as is passing it to a newspaper, and none of the DP exemptions allows Labour to do this in secret.

The use of the data was not fair.

LAWFUL: this is a tricky one where I expect I will get little agreement, especially from people who might read this hoping to see Labour eviscerated. DP requires that data processing should not breach other relevant laws e.g. Human Rights privacy or confidentiality. I do not believe that Labour’s use of the data was unlawful – Carina Trimingham’s Facebook account was pruriently raided by the Daily Mail so that they could make cheap jibes about her, but she still lost her Human Rights privacy case. Twitter and Facebook are not private places unless you lock your account. Get used to that.

CONDITIONS: DP requires that one of a prescribed set of conditions is met to justify the use of personal data, and one from a second list if the data is defined as ‘sensitive’. A person’s political opinions are sensitive data, so this means that Scottish Labour needed not one condition, but two. The tricky part is usually the sensitive data condition, but as it happens, I don’t think Labour have a problem here. One of the conditions for processing sensitive personal data is that the sensitive data has “been made public as a result of steps deliberately taken by the data subject‘. I think this box is ticked – the political opinions were tweeted out into a public forum by the subject.

But that’s not the problem. The problem is that a condition is also required from the first set, and here Labour are stuffed. They don’t have consent, a contract, a legal power or obligation, and they are not protecting anyone’s vital interests. The only condition left is ‘legitimate interests‘, where they have to claim that their legitimate interest in monitoring and publicising rude tweetersis not ‘unwarranted’ because of ‘prejudice to the rights and freedoms or legitimate interests of the data subject’. I am not remotely convinced that monitoring of ordinary folk – even if they are supporters or members of a party – is a legitimate interest in this context.

I have registered to vote in the Labour leadership elections, and had to declare that I support the aims and values of the Labour Party. That was not an easy declaration to make, but I definitely don’t support any other party and I never have. If Labour wanted to find out whether I was in fact a Conservative or SNP supporter pretending to be Labour, and looked at my Twitter account to find out, I believe that would be a legitimate interest. They would still have a problem with fairness, and would have to tell me that this was going to happen (they didn’t).

I don’t believe the two situations are comparable however. But even if I did, even if Scottish Labour monitored their opponents legitimately, it’s impossible to argue that legitimate monitoring is not undermined by passing the data to journalists, especially as journalists are (under Section 32) virtually exempt from the Data Protection Act. If the monitoring was done to identify genuine abuse and report it to Twitter or Facebook, I believe that would be legitimate and would not be unwarranted. But this all seems to be for PR and political points scoring. I cannot read this as legitimate interests with no unwarranted harm.

There are other questions – does the dossier breach the DP requirement for accuracy for example? But we don’t need to get into that. Two significant breaches of the first principle are sufficient to say that Labour has breached the Act. That’s it.

The only remaining question is what should happen now. I believe Scottish Labour should stop in their tracks, grow up and apologise. If that doesn’t happen (and even if it does), this is a gift to their opponents that will undoubtedly result in complaints to the ICO. Regular readers will know that I am always sceptical that the ICO will stray outside their comfort zone of security fines, but it is open to them to issue either an enforcement notice stopping Labour from doing this, or (very unlikely) issue a penalty. It is worth noting that by the time the ICO quietly disposed of complaints about the Samaritans, the charity had stopped their Radar project and may never restart it. Political parties are rarely so intelligent, and if the ICO are faced with an intransigent Labour response, not admitting that they have done wrong, anything is possible. Much as I would like to see Labour pick themselves up and offer something more optimistic, it seems that they have instead blundered into another bruising debacle of their own design.