Caesar’s Wife

In May 2016, the Labour member for Heatons North, Alex Ganotis, became Leader of Stockport Council, having been a councillor for some years. A month or so later, I read a story mentioning him in the Manchester Evening News, and his name rang a bell. Alex Ganotis is also a Group Manager at the Information Commissioner’s Office – I know this because he has signed hundreds of FOI Decision Notices on behalf of the Commissioner.

I made an FOI request to the ICO to find out more about Mr Ganotis’ role – in particular, I wanted to know how likely it was that a professional politician might be involved in complaints to the ICO involving political parties or local government. If Mr Ganotis worked on financial services or health, for example, he would need to maintain a high degree of professionalism and neutrality, but there would be no immediate conflict of interest. So I asked the ICO what team he manages. The answer:

Mr Ganotis manages a team of staff who deal with complaints and concerns about councils and political parties

I had to read this several times before I could take it in.

The ICO’s Policy on party political activities is helpfully published on its website. It makes reassuring reading:

The ICO is an independent body and it is important for it to be free from party political bias, and to be clearly seen and acknowledged as being free from such bias… It is of paramount importance that the ICO is acknowledged as being free from party political bias and influence. The work that we do can often be of a politically sensitive nature and any substantiated allegations of bias would have serious repercussions for the future of the ICO.

The policy sets out a process through which an ICO employee can gain approval for party political activities. I asked when Ganotis went through this process, and the ICO revealed that he was approved in October 2008, which means that his dual ICO / councillor role went on for nearly eight years before he became Leader – he did not seek re-approval when he became Leader, so it seems that the ICO has not reassessed his role now he is a council leader, nor has he asked for this to happen.

I asked for recorded information about the approval process for his role. The ICO has nothing. I asked for any recorded information about measures taken to ensure, in the Policy’s words, that ‘potential for conflicts of interest’ have been minimised with regard to Mr Ganotis’ role. Nothing is held. The ICO added “Mr Ganotis’ line manager and his peers are responsible for assigning decision notices and make a judgement on a case-by-case basis as to what he is assigned, taking into account whether individual cases could pose a potential conflict of interest.” There are no formal arrangements, no written criteria or parameters, nothing to measure or audit against. The ICO enthusiastically fines organisations hundreds of thousands of pounds for failing to maintain properly documented processes, but in the case of having a professional politician managing a team that deals with hundreds of complaints about political parties and councils, the ICO itself sees no need for rigour. Trust whoever decided that this is OK, Wilmslow says, because we have nothing else to offer.

Mr Ganotis is a Group Manager, answering to a Head of Department, but the ICO’s response makes clear that the former Information Commissioner himself, Richard Thomas, approved of the arrangement: “the Commissioner at that time was made aware of his standing and subsequent election”. When I wrote this blog originally, I assumed it was Christopher Graham who was Commissioner, but he did not take over until 2009. ICO trivia fans may remember that Graham was himself once a councillor (for the Liberal Party) and a twice-unsuccessful parliamentary candidate – one wonders if he knew about Ganotis’ status, and if he did not, why nobody told him.

Anyone who has political beliefs or leanings and works in local or central government knows the awkward but vital requirement to set those beliefs aside and act neutrally in the public interest. As a Labour voter in every election since 1992, I have done it myself. It is not easy, but you don’t need to be a saint to achieve it. I cast no doubt on Mr Ganotis’ personal integrity, or ability to do the same. But anyone who thinks that’s the point just needs to Google the title of this blog.

Mr Ganotis has signed hundreds of FOI decision notices on behalf of the Information Commissioner, exercising the Commissioner’s statutory powers. Those notices include councils across the UK, and government departments run by ministers who, in his other role, Mr Ganotis publicly opposes, and he has been doing so for years. The ICO disclosed to me a spreadsheet of the cases that Ganotis’ team has dealt with since January 2014 (records before that are routinely destroyed). A quick glance at the organisations concerned gives a flavour of the issues that pass across the team’s desk in just one month. In July 2016, I can see the Labour Party (8 times), Momentum, Saving Labour, and Progress. It is hard to imagine any team would be more steeped in politics and arguments about political activity than this one, and the (former) Information Commissioner decided that a professional politician was the right person to manage it.

Over the past few years, the Labour Party has carried out its obnoxious and unfair purge, struggled with allegations of member data misuse on all sides (Corbyn, Momentum and Owen Smith), and demonstrated the traditional party blindness to PECR. I have myself blogged sorrowfully but repeatedly about Labour’s Data Protection and privacy woes for several years. In all of that time, only David Lammy’s doomed automated calls have faced any enforcement action (and he wasn’t even an official Labour candidate in the election concerned). To be clear, I have no evidence of any influence being brought to bear on this. But, as the ICO’s own policy states explicitly, “the organisation does seek to ensure that the potential for conflicts of interest is minimised as is the possibility of the ICO being accused of being politically biased”. In this, Mr Ganotis, his line manager and the former Commissioner have failed, and failed spectacularly. How can anyone in politics have confidence in the ICO’s decisions?

Any FOI decision notice involving a council or a government department signed by Mr Ganotis could be tainted, and there are hundreds of them. The ICO’s failure to take action against the Labour Party for a consistently terrible approach to Data Protection and privacy issues is no longer just over-caution, but potentially something far more objectionable. Every case Mr Ganotis has been involved in could be perfect, but the ICO cannot guarantee this with a straight face; their own policy recognises the problem of perception, but their practice is blind to it. They could have moved Ganotis at any point since 2008 to another job of equal standing, and the problem would have evaporated. He is still in place.

That Mr Ganotis could not see that continuing to manage a team responsible for complaints about political parties and councils was incompatible with his role first as councillor and then as Council Leader raises a question about his judgement. That the ICO’s management was either unwilling or incapable of identifying and remedying the potential conflict of interest is a matter of serious public concern.

I have spent a decade and a half criticising, satirising and annoying the ICO in the hope that for no other reason than to spite me, they will become a more effective, more enthusiastic regulator of Data Protection. But this is too much. This is a genuine failure of governance. It could pollute a host of formal decisions (and indecisions) stretching back for years. It has to be dealt with.

I don’t understand how Mr Ganotis could ever sensibly manage the team responsible for political parties and enjoy the confidence of the public. Richard Thomas and Chris Graham should have stopped it, and I hope that the new Commissioner will ask questions about how her managers and Human Resources team could allow such a shocking situation to occur. But if all this isn’t put right, if this bizarre conflict of interest continues acknowledged but unaddressed, we should all look very closely at every decision that emerges from Wilmslow with a more sceptical eye than even I thought possible.

Labour pains

Last month, I registered as a supporter of the Labour Party in order to vote for the leader and deputy leader. I am a lifelong Labour voter, and no, I don’t care what you think about that, and if you tell me what you think about that in the comments, I will let your comment through solely so that I can edit it to replace your drivel with the word “Bellend”. WordPress lets me do this, friends, so choose wisely.

The choice of candidates for Leader is as tempting as being asked whether you want a smack in the face or a kick up the arse, while the inevitability of Deputy Tom Watson is just horrible. There are few experiences as emetic as opening an envelope to find Watson’s huge smug face staring out at you. If only I had a dartboard. Nevertheless, if the party is going to let me participate in the process of choosing which leader will lose the 2020 election, it seems churlish to pass up the opportunity. I actively want to vote for Stella Creasy, so there is some crumb of meaning in there somewhere, apart from the fact that she’s not going to win.

When I signed up, the Labour Party required me to agree to receive communications from the party. There was no more to it than that, and no terms and conditions for me to consult before signing up. It was a fait accompli – sign up and get the messages or go away and don’t vote. This is a straightforward breach of the Privacy and Electronic Communications Regulations 2003 (PECR). Communications from a political party are marketing. Regulation 22 states that marketing emails can only be sent if the recipient has notified the sender that they have consented to receive them. Consent is the same ‘freely given, specific and informed’ consent that you need for Data Protection. If there is any doubt about what that means for marketing emails, the Information Commissioner’s excellent guidance on Direct Marketing is – by ICO standards – uncharacteristically clear: “Consent cannot be a condition of subscribing to a service or completing a transaction”.

Labour cannot lawfully make the receipt of marketing emails and texts a condition of registering as a supporter. Every email and text sent to a registered supporter who has not actively and separately consented to receiving the emails and texts is a breach of PECR. The breach is particularly serious in my case, because in 2013 I exercised my rights under Section 11 of the Data Protection Act with all of the serious English political parties (and UKIP); this means that none of them can send me marketing, and so even the junk mail that each of the campaigns is sending me by post is unlawful. This is not my view; this is the view clearly expressed in the ICO guidance. The fact that I can opt-out is irrelevant. I should not have to (and anyway, I already have). Labour is arrogantly and cynically ignoring legislation that it passed when in government in order to hassle its most active supporters.

Inevitably, privacy champion Tom Watson has sent me the most emails, and demonstrated the least compliant approach. One of the emails had an option to tell Watson if you were going to vote for him, and so I clicked on the link to say no. I was then presented with a webpage asking me who I was going to vote for, as well as two pre-ticked boxes for ‘Send me email updates’ and ‘Send me text message updates’. A pre-ticked box doesn’t constitute consent (consent has not been ‘given’), but nevertheless, I unticked the boxes, clicked the box for ‘Stella’ and submitted.

Instantly, despite having told Watson’s campaign that I don’t want to vote for him and I don’t want to receive his email updates, I received a further email from Watson telling me how brilliant he is and how I should give him my second preference. There is no chance of this: not only will I never vote for Watson, I have always been fond of Ben Bradshaw, because he is Alan Dransfield’s MP and he looks like he has skinned Hugh Grant and is wearing his face as a trophy. The second preference email was yesterday, and today, I have already received another email from a Watson supporter who has (no doubt spontaneously) written a paean to Watson that happens to include most of the examples the Watson campaign is using elsewhere. I am absolutely thrilled that the Watson campaign has apparently shared my email address with random strangers.

Needless to say, I have emailed Watson to point out his bad practice (and I didn’t use the word ‘hypocrite’, so see how I have matured) and more importantly, I have written a detailed letter of complaint to Iain McNicol, the party’s General Secretary. This is not my first rodeo with McNicol, so I know that all I will get is a reply stating ‘we’re perfectly entitled to do this and if you don’t like it, then opt out’. This reply is useful solely because the ICO understandably expects me to complain to the offending organisation first before going to them, and complaining to them is the only thing I can do apart from write this blog for people who probably already agree with me.

Of course, the most the ICO will probably do is tell Labour to stop emailing me, which makes them (at least in this context) the world’s most convoluted unsubscribe button. But nevertheless, rather like voting for Creasy even though she’s going to lose because I honestly think she is the best candidate, I will complain about Labour’s habitual breaches of PECR because they need to be called out on it, even though no enforcement will follow.

A bunch of Tw*ts

The Englishman who wades into Scottish politics on either side, especially if he lives in England, is probably taking a huge risk of being disagreed with vehemently, no matter what he says. Nevertheless, the explosion of interest in the so-called ‘Clypegate’ list has a Data Protection angle that I cannot resist.

To summarise, it seems that the Scottish Labour Party have assembled a list of supporters of the Scottish National Party who have said things on Twitter and Facebook that the Scottish Labour Party do not like. The list – inevitably tagged a dossier – has been passed to the tabloids to stir up some kind of frenzy about the so-called ‘Cybernats’. Some of the statements are fairly strong, but I doubt they are worse than anything said in the average pub conversation about politicians. I’m certain every term applied to Gordon Brown and Donald Dewar has been said of Alex Salmond by Labour supporters. As someone who voted Labour in the recent election, I can think of a few more constructive things that the smouldering remnants of Labour in Scotland could be doing with their time, but this is what they decided to do, so we are where we are.

Now, if you were hoping for anything more in the way of politics, you’re going to be disappointed. From here on in, it’s ANORAK TIME!

The Data Protection Act has many requirements for the processing of data, but the chief hurdle is the first DP principle, which requires three things. The processing of personal data must be fair, lawful, and conditions must be met. Regular readers will know that consent is not required, as there are alternatives to consent in the lists of conditions. Let’s consider the three elements in turn:

FAIR: fair has two meanings. The use of data has to be fair in the dictionary sense of the word and it also has to be fair in the DP sense, which means the Data Controller (Labour) has to tell the subject (the SNP tweeter) how their data will be used unless an exemption applies. Many organisations believe that because personal data is in the public domain, it is fair game. The Information Commissioner’s own guidance on personal data online stated in 2010 that this was not the case, and we have a very recent example (Samaritans Radar, which also focused on tweets) where the ICO stated that tweets were personal data (depending on their content), and so DP applied.

Labour fail on both counts. Gathering together tweets and providing them to a newspaper to name and shame the individuals is not fair in my opinion. But more importantly, Labour did not tell the subjects that their data would be used in this way. Clearly members of the Scottish Labour Party will look at what is being tweeted; they may analyse and try to counteract it. If you don’t like the idea of people you don’t like reading your tweets, go private or stop tweeting. However, the conscious selection and specific analysis of a person’s tweets is processing personal data as is passing it to a newspaper, and none of the DP exemptions allows Labour to do this in secret.

The use of the data was not fair.

LAWFUL: this is a tricky one where I expect I will get little agreement, especially from people who might read this hoping to see Labour eviscerated. DP requires that data processing should not breach other relevant laws e.g. Human Rights privacy or confidentiality. I do not believe that Labour’s use of the data was unlawful – Carina Trimingham’s Facebook account was pruriently raided by the Daily Mail so that they could make cheap jibes about her, but she still lost her Human Rights privacy case. Twitter and Facebook are not private places unless you lock your account. Get used to that.

CONDITIONS: DP requires that one of a prescribed set of conditions is met to justify the use of personal data, and one from a second list if the data is defined as ‘sensitive’. A person’s political opinions are sensitive data, so this means that Scottish Labour needed not one condition, but two. The tricky part is usually the sensitive data condition, but as it happens, I don’t think Labour have a problem here. One of the conditions for processing sensitive personal data is that the sensitive data has “been made public as a result of steps deliberately taken by the data subject”. I think this box is ticked – the political opinions were tweeted out into a public forum by the subject.

But that’s not the problem. The problem is that a condition is also required from the first set, and here Labour are stuffed. They don’t have consent, a contract, a legal power or obligation, and they are not protecting anyone’s vital interests. The only condition left is ‘legitimate interests’, where they have to claim that their legitimate interest in monitoring and publicising rude tweeters is not ‘unwarranted’ because of ‘prejudice to the rights and freedoms or legitimate interests of the data subject’. I am not remotely convinced that monitoring of ordinary folk – even if they are supporters or members of a party – is a legitimate interest in this context.

I have registered to vote in the Labour leadership elections, and had to declare that I support the aims and values of the Labour Party. That was not an easy declaration to make, but I definitely don’t support any other party and I never have. If Labour wanted to find out whether I was in fact a Conservative or SNP supporter pretending to be Labour, and looked at my Twitter account to find out, I believe that would be a legitimate interest. They would still have a problem with fairness, and would have to tell me that this was going to happen (they didn’t).

I don’t believe the two situations are comparable however. But even if I did, even if Scottish Labour monitored their opponents legitimately, it’s impossible to argue that legitimate monitoring is not undermined by passing the data to journalists, especially as journalists are (under Section 32) virtually exempt from the Data Protection Act. If the monitoring was done to identify genuine abuse and report it to Twitter or Facebook, I believe that would be legitimate and would not be unwarranted. But this all seems to be for PR and political points scoring. I cannot read this as legitimate interests with no unwarranted harm.

There are other questions – does the dossier breach the DP requirement for accuracy for example? But we don’t need to get into that. Two significant breaches of the first principle are sufficient to say that Labour has breached the Act. That’s it.

The only remaining question is what should happen now. I believe Scottish Labour should stop in their tracks, grow up and apologise. If that doesn’t happen (and even if it does), this is a gift to their opponents that will undoubtedly result in complaints to the ICO. Regular readers will know that I am always sceptical that the ICO will stray outside their comfort zone of security fines, but it is open to them to issue either an enforcement notice stopping Labour from doing this, or (very unlikely) issue a penalty. It is worth noting that by the time the ICO quietly disposed of complaints about the Samaritans, the charity had stopped their Radar project and may never restart it. Political parties are rarely so intelligent, and if the ICO are faced with an intransigent Labour response, not admitting that they have done wrong, anything is possible. Much as I would like to see Labour pick themselves up and offer something more optimistic, it seems that they have instead blundered into another bruising debacle of their own design.