A poor lookout

I doubt I will ever wholly approve of anyone in the role of Information Commissioner until the Ministry of Justice comes to its senses and gives the job to me. However, I have always much preferred the verve and acerbity of Christopher Graham to the overcautious lawyerly approach of his predecessor, Richard Thomas. I don’t believe that Thomas would have been willing to enforce in the way Graham has managed (albeit that Mr Graham’s approach is fixated on one part of the public sector, and one part of one data protection principle), and he was nowhere near as good on the media stage – important for anyone in the role.

However, Graham’s interview with the Independent – timed presumably to coincide with the extension of his tenure to the legal maximum of 7 years –   was dispiriting.

Some of the flaws in the article are not attributed directly to Graham – the text describes action taken under PECR as an attempt to ‘prosecute’, which is incorrect because it was a civil action. It’s entirely possible that this was the Indie’s mistake but it doesn’t help anyone to understand what the ICO does (presumably one aim of doing the interview) and it should have been corrected. But when the text later describes the Commissioner as having a ‘right to compulsory audit’ local government, this is also wrong. The ICO can do mandatory audits of Government and there was a consultation to give it powers to do the same for the NHS. Compulsory audits for local government aren’t on the table. This is a mistake that Christopher Graham has made before, so I suspect it came from him, but it’s also a sign of the limit on the current Commissioner’s ambitions. Where is the evidence that he wants such powers?

Something that can definitely be attributed to Mr Graham is his crass, discourteous description of local government as ‘hopeless’. Every council delegate at next week’s ICO Data Protection Officer’s Conference should make it their business to challenge him on it, and frankly, councils should stop cowering in front of the ICO, stop reporting incidents to his office and stop cooperating with its entirely voluntary audits unless they actively want one. The weekend’s big data protection story was the theft of data from Aviva and subsequent sale to claims management companies. Graham has done an admirable job of agitating for bigger fines for data theft, but part of the ICO’s beloved seventh principle requires organisations to take steps to prevent ‘unlawful processing’. It’s not just about catching the thieves afterwards, but attempting to thwart them in advance. I am certain that the ICO doesn’t have a clue whether the financial services industry is exemplary or hopeless in this regard. Mr Graham hasn’t even asked for the mandatory audit powers to find out. Councils are an easy target because they constantly move data around and FOI means that, unlike the private sector, they can’t keep their dirty laundry hidden. The ‘hopeless’ remark may have been off-the-cuff, but it suggests knowledge that his office hasn’t put the hours in to possess. Besides, Mr Graham is a journalist and would know that such a remark would make the final edit, so it’s an insulting message he wanted to send. I’d love to know what word he uses to describe the ICO’s non-existent enforcement of the FOI Act, to the extent that some government departments openly thumb their noses at his office, and thus at him.

More of a concern is Graham’s remark that ““People have been challenging me on the bus about care.data. That’s the talking point but Snowden hasn’t been, which is kind of a surprise.” There are two things that bother me about this. Firstly, it suggests that Graham is out of touch with the public. It is not the ICO’s job to represent the public, it is their job to ensure that data controllers comply with the law (technically, the courts have more of a role in upholding individual rights than the ICO does). But nevertheless, Graham’s expectation that people would be button-holing him about the security services rather than the NHS is a tad elitist. The NSA’s spying on us all is obnoxious, but care.data is much more likely to have a direct effect on the man on the 130 bus to Wilmslow. More crucially, however, Snowden is not really on Graham’s territory. There is a very broad exemption in the DPA that you may not agree with, but which puts any activity ‘necessary’ for national security completely outside the DPA, and off the ICO’s radar. If the Commissioner was more concerned with matters that are more directly covered by his legislation, he might have avoided giving such inaccurate advice on care.data and pseudonymisation when on the BBC Breakfast sofa. It’s interesting that the Commissioner admits that his office failed to persuade NHS England to write to all citizens about care.data, which suggests that the stakeholder engagement approach doesn’t bear fruit.

Most depressing of all, however, is Graham’s complaint about the loss of the Scottish Borders appeal. Borders won their appeal because the ICO failed to establish a crucial part of the test that the law has set for them. The ICO has to show that it is “likely” that the breach – in this case, the failure to have a proper contract in place with a company scanning and disposing of records – would cause damage or distress. The ICO’s approach in Borders (and others) was to assume.  For the ICO, lost records = identity theft. The civil burden of proof is lower than the criminal one, but it should not simply be what a clever man reckons. I made an FOI request for any evidence of the ICO’s claim that a lost passport number leads to identity theft, and they admitted that they don’t have any. If they propose to fine an organisation £250,000, the ICO ought to have more than an assumption and crucially, the law requires that they have more. But Mr Graham doesn’t appear to understand that: he complains: “I couldn’t prove that someone of malicious intent had picked up all this personal information and was going to be doing people down”. This is not why the case was lost (although it’s true that he couldn’t prove that).

The Information Commissioner is a single appointee helped by hundreds of staff, but nevertheless, a single appointee who is given all of the powers and obligations. Mr Graham must understand how his powers work. Papers spilling out of a bin isn’t a breach. It’s an incident. The Commissioner cannot issue a CMP for papers spilling out of a bin, or any other incident in itself. In Borders, he had to establish that there was a breach: there was no contract, so job done. Then he had to show that incidents like the papers in the bin were foreseeable and likely to cause damage or distress. People sometimes don’t have proper contracts with long-standing and trusted suppliers. Is it likely that this will lead to the supplier dumping paper records in a recycling bin? Will this lead to damage and distress? Honestly, I don’t know, but that’s what Mr Graham couldn’t prove to the satisfaction of the Tribunal and frankly, I think the test should be rigorous if the stakes are as high as a quarter of a million pounds. The Deputy Commissioner David Smith was chided by the Tribunal at the time for focussing too much on the incident, and here the Commissioner makes the same fundamental mistake.

Most of the other matters I’ve raised here are presentational and you might say trivial; this final one isn’t. The role of the Commissioner is to be a figurehead, a public face to play up the big picture, but if Mr Graham wants to complain about losing Tribunal cases, he has to know why he lost, and I’m not sure from the evidence that he does. If he, and the office as a whole don’t learn the lessons, the important powers they were given under the tenure of his hesitant predecessor will become worthless. He’s still a more impressive figure than his predecessor, and almost certainly the most successful holder of the office so far. But this interview shows a Commissioner sniping at everyone but unsure of the details: not hopeless, but equally, not inspiring.


The Information Commissioner’s attempt to replace the previous “gold standard” FOI complaints handling with something slightly less rigorous was a good idea. I think the delays of Richard Thomas’s era were shameful, as regular readers of this blog will know (how are you both?). However, Graham flattered his predecessor. What was on offer was bronze – variable, timorous decisions made after fossilised delay – so the challenge was not simply to cut the backlog, but to make consistently good decisions as well. The fact that Graham’s regime now offers increasingly mediocre decisions delivered relatively quickly means that we’ve swapped bronze for the stuff they wrap a Kinder Surprise in.

You might think that this is merely show-off hyperbole. Hopefully you’ve been reading this blog long enough to know that I don’t care what you think, but even so, the objective observer doesn’t have to look far to find evidence of decisions rolling off the production line bearing the hallmark of baloney. Take this one, highlighted by the estimable Jon Baines on his blog. A Chief Inspector working for Sussex Police apparently sent some inadvisable messages from his work Blackberry, including a nursery rhyme about a disabled child. Oh, my aching sides.

Matthew Davis duly dispatched an FOI request to the force, which maintained that they didn’t hold the information in question, as it had been sent in a personal capacity. As long as the information was not being used by the force for any formal or official purpose, this would be true, but as Davis’ request was prompted by the fact that Sussex were reportedly investigating the issue, this claim was wrong, as the decision notes. So far so good. Regardless of the sender’s original intentions or expectations, once information is being processed for an official purpose, it’s up for grabs. Another candid copper came a-cropper* when expressing regret over her inability to make progress with her CPD because someone hadn’t died. As the force pointed out, whatever she expected, the information had to be disclosed.

In my opinion, the decision nosedives by accepting the argument that the message is the Chief Inspector’s personal data. My opinion is clearly ill-informed, as I am basing it on what the Sun said. However, if we take the significant risk of accepting what they say at face value, the requested data is a rude version of the Twelve Days of Christmas without any context. I don’t know the work in question, but it’s presumably on a par with the extended [insert name of town you don’t like] Earthquake Appeal gag that people with boring jobs email to each other (Google’s top result for it at the moment is Barnsley). Even if Chief Inspector Ling was the author of the rhyme, I don’t think you could easily argue that it was his personal data. However, assuming that he wasn’t, I don’t believe that the fact that he forwarded the email to others makes its contents is his personal data.

Consider paragraph 16 from the decision: “The Commissioner notes that the withheld information is information that clearly relates to an individual, the Chief Inspector whose name is readily identifiable via the press. The information was sent from his phone and the information is clearly held by the Sussex Police in a way that clearly relates it to him. Context is important and in this context the Commissioner accepts that the public would learn something about the Chief Inspector if it was disclosed.”

Apart from the fact that he’s almost certainly a tool?

The fact that the Sun has already identified Chief Inspector Ling doesn’t automatically remove the DP considerations, but if the biggest risk is that the data subject might be identified, then frankly, the horse is well on its way to Tesco and the stable door is swinging in the wind. The notice itself identifies Ling by referring to the press coverage. If this was truly Ling’s personal data and the force was concerned about identifying him, Sussex’s only roll of the dice was a prim ‘not confirm / deny’. We’re not saying if an officer did or did not send a rude rhyme to his mates, and even if one did, we’re not saying which one it was. This approach seems illogical in the face of the Sun story, but anything else identifies Ling by confirming that the rhyme is held (or rather, not held because it was personal. If the Sun had it completely wrong and he didn’t send the emails, the lack of a not confirm / deny is outrageous.By rejecting the ‘not held’ line but accepting the personal data argument, the ICO have identified Chief Inspector Ling anyway.

However, I think this premise is flawed on its own terms. The highest UK court precedent for determining what is personal data – the Durant case – is full of contentious and controversial elements, but nevertheless, it provides at least one refinement of the DPA which I always find myself coming back to: focus. What or who is the focus of the rude rhyme about Hastings? Even if Ling wrote it, it seems safe to assume the focus of the rhyme is Hastings and the fine folk who inhabit it. Without any comment that he may have added about the rhyme (whether it’s ‘have you seen this disgraceful slur on the good citizens of Hastings?’ or ‘OMG! LOLZ!?!?!’), it’s just a rhyme. If an individual citizen of Hastings is identified in the rhyme, it could be their personal data, in the way that Katie Price’s disabled son would be the subject of one of Ling’s other alleged missives. But this rhyme is not Ling’s personal data.

Of course, knowing how dreadful the rhyme is might allow the recipient, and the wider public, to draw inferences about Chief Inspector Ling. Indeed, I’ve already decided precisely what kind of a person I think he is based on the allegation about him forwarding a Harvey Price joke. This decision notice already seems to confirm a senior police officer sent jokes that were sufficiently crass that they provoked complaints that led in turn to his suspension. What’s left in terms of personal data to be revealed? That Ling’s version of the Twelve Days Of Christmas is worse than just packed with gags about shellsuits and teenage mums?

As I have already admitted, I have made a series of assumptions, and the ICO – in receipt of all the correspondence – are in a better position to make the decision. But if their own formal decisions make no sense, I think it’s reasonable to speculate. We already know that the silver standard includes such impressive techniques as unattributed copying from Wikipedia, and now comes a definition of personal data with seemingly unlimited elasticity. What next?

* I would like formally to apologise for this horrible doggerel. I am deeply ashamed.

Revenge of the Nincompoop

With his charm, TOWIE tan and beaming smile, ageing smoothie Tony Blair increasingly resembles Lewis Archer, the character Nigel Havers played in Coronation Street. Ingratiating, suave but clearly with a huge amount of dodgy business in his past, Blair sidles up to us, offering a wonderful future. Unfortunately, like his fictional cousin, Blair’s past hangs around him like a fart in a lift, and we know that he’ll let us down again. As he jets into the UK to “re-engage”, his statement to the Justice Committee on FOI, a parsimonious 570 words (HT @alistair_sloan), hardly persuades me to fall in love with him again.

I’m sure the Justice Committee were genuinely offended that Blair did not do them the courtesy of appearing before them, and his no-show was disrespectful to Parliament (even his old colleague Jack Straw acknowledged this on the Today Programme). The Justice Committee’s work on FOI has been thoughtful, thorough and ultimately very sensible – every time I watched the proceedings, I was impressed by how positive many of the Committee members were about FOI. Blair’s refusal to participate was a disgrace, and they should have empty-chaired him. Nevertheless, giving the old fox a kicking also gave the media a handy peg on which to hang their coverage of the Committee’s report. And who am I to rise above the sideshow? I’ve picked out some of my favourite moments from Blair’s musings, but all I have to show for it is bile.

The Commissioner naturally tends towards curtailing the exemptions and especially where there is any sense of public anxiety faces a great temptation to stretch the ambit of the law.

This is bollocks. While Chris Graham is clearly presiding over a more assertive and truculent Information Commissioner’s Office, Blair’s views on FOI were set while Richard Thomas ran the shop. Blair’s experience of FOI would therefore have been in the backlog days, when information was only disclosed after years of dithering (i.e. long after the sensitivity had passed), and when the Tribunal made many of the bold decisions (the BBC Governors minutes for example) and rarely overturned the ICO’s disclosure orders. In other words, it was the judicial process that forced information out. Blair is a lawyer by profession, so shouldn’t he respect the legal process a bit more?

So the original idea was to make available the facts behind the decisions, not the confidential policy debate around those decisions.

The Act does not reflect this original idea, and what Blair fails to acknowledge is the FOI Act reflects the will of a Parliament dominated by his party and his people. Blair wants to create the impression that a fast one has been pulled, that the original intention has been perverted by the implementation. Labour’s first stab at FOI (the one sponsored by David Clark) went further than the Bill that was originally presented, and it is not the implementation of the Act that has created the problem Blair identifies. Section 35 is a blanket exemption for government policy making, but it has a public interest test. Section 36 is a wide exemption for discussions, advice and views, but it is loaded with hurdles. Nobody made Blair push this forward – he had been Prime Minister for 3 years by the time FOI was being debated and so he must have understood what effect the legislation was going t0 have. Blair was clearly unwilling to be straight with the public by either pulling the bill or forcing his MPs to vote through more restrictive provisions.

In reality, publication now goes way beyond that with the public interest tests giving a big impulsion in the direction of publication.

In other words, Blair sets himself and his version of politics against the public interest. I still can’t quite believe he said this. It’s worse than his self-flagellation in his autobiography, because he’s explicitly saying that the convenience of politicians is more important than the public interest.

Thus, the absolutely necessary committing to writing of often complex political and technical issues, is undermined. Of course, this is a subjective judgement. But I suspect it is one shared by most senior politicians

Only Tony could stress the value of ‘openness’ in a bid to defend secrecy. Blair failed to properly reform the House of Lords, bottled changing the electoral system, and looking at one of the few positive constitutional changes he achieved, he prefers secrecy and spin. Look at his choice of words: these are “complex political and technical issues” and “most senior politicians” feel the way he does, as he was no doubt saying to Kofi Annan and the Sultan of Brunei over the fish course at Davos. However he wants to be perceived, Blair’s statement comes across as elitist, conservative and imperious – FOI is a grubby and unwelcome intrusion that trespasses on the VIPs who run the world, and he resents the metaphorical presence of the hoi polloi at the top table. In reality, I suspect that what Blair really fears is that the Vaseline-lensed image of himself as International Man of Statesmanship will be undermined if we get confirmation of how he (and many other politicians) actually do their business.

But the truth is that, if people know that what they are saying is going to be published, they will be less frank and open in how they express themselves. If you believe, as I do, that such frankness and openness is essential to the proper conduct of decision-making, then again the impact of publication or even the threat of it, is counter-productive. 

Blair’s view of the civil service in particular and politics in general is damning. He describes a bunch of people who would rather keep inadequate records of major decisions, keep incomplete risk assessments, or withhold the best options for fear of what the public might make of them. Either he’s right, and the people running the country have a contemptuous view of the public, or he’s wrong. If Blair’s narrative is more about himself than the system, he clearly has a lot of things about the way he does business that he does not want us to know. Given his current role as jet-setting eminence grise for rich nations with ambivalent human rights records, one can only wonder what he got up to in office.

The purpose of the legislation was of course not to open such frank discussion to public view. It was to allow issues to be better debated; to permit people to access information about themselves held by Government; and to encourage the system to be more accountable.

It’s impressive that in such a meagre communication, Blair still has time to drop clangers that show he’s not really thinking about the substance of the issue, just whining about how it’s all so unfair. FOI provides greater access to personal data on the margins, but that is not its purpose and nobody could have thought it was, given that the Data Protection and Access to Health Records legislation had already ‘permitted’ (thanks Mr Tony Sir, so kind of you) this access in 1984, 1989 and 1998. If Blair really doesn’t know what his FOI Act did, he’s even more of a nincompoop than he claims to be. But wasn’t his statement to a Parliamentary Committee investigating what he considers to be his biggest career mistake important enough for one of his henchmen to fact-check it first?

Long term it will just result in a different way of conducting the business of Government.

Blair’s verdict on what this different way entails is less record keeping, worse decision-making. The problem is, that’s not a damning verdict on FOI or the people who use it to ask questions. It’s how he sees himself and the people he’s worked with, and how he thinks they react to increased scrutiny. Blair’s view is a relentlessly depressing critique of the political class he wants to protect. As another FOI reverse-ferret merchant said, he was the future once, and now he’s just a spokesman for political self-interest. I agree passionately with the above sentiment – FOI will result in a different way of doing business, but it doesn’t have to be the unrecorded, back-covering future that Blair cynically predicts. If politicians (some of whom I am perfectly prepared to believe are not bastards) grow up with FOI, they might actually make better, more informed decisions in the knowledge that journalists and troublemakers will catch them when they don’t. David Cameron has shown himself to be in the Blair mould, but that doesn’t constrain those who come after him.

In the meantime, one can only hope Blair stops pestering us and is eventually run out of the street, leaving only a trail of self-justification and Ambre Solaire.

Walk the walk

Chris Graham gave an impressive interview to the Guardian which is published today. It’s nice to see the Information Commissioner standing up for the principles of transparency and Freedom of Information in the face of what everyone can see is an establishment backlash. As the article says:

There are some very powerful voices saying it [the act] has all been a horrible mistake. Specifically, Tony Blair, Gus O’Donnell [the former head of the civil service] and the prime minister himself,” he said before adding the name of Simon Jenkins, the former Times editor and Guardian columnist.

To that list, we can also add Francis Maude, who imagines that he can make FOI redundant, and various slippery ministers who have allegedly been using private emails to get around legitimate scrutiny of their activities. Graham makes a compelling case, arguing that those who talk down FOI set the tone for everyone else. It cannot be a coincidence that the Cabinet Office’s record on FOI is dismal, given that it was until recently run by O’Donnell. The former Cabinet Secretary’s public antipathy towards FOI reared its head only when he decided to retire, but it’s probably a safe assumption that he wasn’t privately cheerleading for it before that.

Graham also skewered Maude’s patronising line on transparency, by arguing that “Sometimes the full story is in the background papers and minutes of meetings rather than just raw data.

Graham’s analysis is right. People don’t always pay attention to the people at the top (just look at what happened to poor Bob Diamond, an honest man undone by a tiny number of unruly minions), but if they are given any excuse to be lazy, or to misbehave by the example set higher up, they’ll do it (just look at what happened…). I know of an organisation where the head of IT complains that having to remember a password to activate their Blackberry is too onerous and makes them look daft. The person responsible for Data Security might as well quit for all the good their efforts will do. If David Cameron was the politician he claimed to be – the one who offered ‘the most open and transparent government ever‘ – then his approach to FOI would be very different. No-one would have believed Cameron if he pretended he was a big fan of the legislation, but a respectable politician would acknowledge it as an inconvenient but necessary part of an accountable democracy. Instead he whinges about FOI furring up the arteries of government while the Cabinet Office holds secret information on plans to charge for FOI requests that they at first claim does not exist.

Graham’s aplomb at dealing with the media draws a sharp and creditable contrast with his hesitant predecessor. Occasionally, there is misjudgement (as I said before, “wake up and smell the CMP” was an awful headline and whoever came up with it should be made to sit a corner for a while). Nevertheless, the Commissioner is saying the right things and anyone who supports FOI should be happy that he isn’t congratulating himself for not taking on the big targets, which is what Richard Thomas did at Leveson.

The problem for Graham is clearly not a lack of ambition or self-belief. In one sense, the problem of doing the job of championing transparency is that you have to do it in a world shrouded in bullshit and euphemism. I listened to less than an hour of of BBC Radio 4’s Today programme this morning, and as well as all the usual spin and lies, even the language was dishonest. After John Humphrys took someone to task for describing G4S as a ‘partner’ instead of a ‘contractor’, I started to hear the word everywhere, and never in a truthful context. Corporations bankrolling the Olympics were ‘partners’ rather than ‘advertisers’; TV companies screening Scottish Premiership Football were ‘partners’ rather than well, TV companies. Everyone wanted to wrap professional and commercial relationships in a blanket that implied a shared and personal endeavour, rather than each side being interested only in getting what they could out of the deal with minimum effort. The same circumlocutions infect politics and government, national and local. Doing the FOI job in these circumstances is like wading through custard.

However, one thing he can do is keep his own house in order. The Tribunal often has to criticise the ICO for their handling of FOI compliance – read paragraph 25 of this recent decision for a good example. The ICO ignores its own guidance on FOI by challenging an FOI applicant using an obvious pseudonym for no real reason, and then exemplifies the inherent flaw in that guidance by backing down the moment the fake-named applicant pushes back. More seriously, a certain blogger asked a sensible question about information notices and ended up finding out that the ICO doesn’t know how many information notices they have issued under FOI. As well as the clear implication that ICO staff are not following their own procedures (if they were, it would not exceed the FOI cost limit for the ICO to find all of the notices), there is a bigger point that whoever is corporately responsible for FOI strategy within the Office doesn’t have all of the information they need to do their job. How can they look for patterns of underlying problems (which multiple info notices would suggest) if they don’t even know how many they’ve issued?

I am, of course, assuming that someone is doing this, rather than everyone frenetically trying to keep the backlog on a leash. If they’re not, Graham’s words turn to ash in his mouth. Things are better than they were. Graham’s profile is bigger. The frenetic backlog bashing does at least mean that organisations cannot rely simply on the passage of time to escape accountability. I don’t imagine ministers slept easy in their beds when the ICO stood its ground on private email (and ministers should never sleep easy). For all of these things, Chris Graham deserves credit. But talk is cheap. Until the ICO can show that its own FOI and records management practice is exemplary, it cannot lecture anyone else. Until it shows that the most recalcitrant government departments will be brought to heel on FOI, every council and NHS trust will be justified in saying that they’re busy and under-resourced, and FOI is a burden they don’t need.

So two cheers for being a great advocate – the third is reserved for delivery.

We can’t take them on, they’re too big for us

I watched Richard Thomas’ appearance at the Leveson Inquiry this time list week in sub-optimal conditions. Having arranged a £1000 car repair on the same morning as a dentist appointment, I was wiling away the time using the free WiFi at a Wetherspoons, surrounded by grim-faced men who see 9am as Guinness O’Clock. Normally, I like a drink as much as the next man, but when the next man sinks three pints before Lorraine Kelly has left the building, even I feel like an amateur. Not even the absurd £4.00 breakfast and cheaper-than-Starbucks tea cheered me up. Even so, Thomas’s performance (if that’s the right word) was the most depressing spectacle I have seen since the last time James Murdoch stared through his Joke Shop specs and denied he knew that the News of the World existed.

To paraphrase, Thomas’ case is that the legal advice he received contained a clear message that pursuing rogue journalists would be too costly and / or difficult. But his view on whether the ICO should have done so – despite insisting that he did not develop a policy of leaving them be – is as follows:
I have to say, and maybe this is with hindsight, but perhaps thank goodness we did not prosecute the journalists. The impact for the office would have been very, very demanding indeed. I don’t know when this was or at what point this was, but probably around about 2007, I can recall a conversation along the lines of somebody saying, “Thank God we didn’t take the journalists to court. They’d have gone all the way to Strasbourg.” In other words, they would have challenged any action we would have taken, we would have gone right to Strasbourg, the Court of Human Rights, Article issues coming in.
Mr Thomas was keen to refute former investigator Alec Owens’ claim that his deputy, Francis Aldhouse, said “We can’t take them [the press] on, they’re too big for us.” Neither Thomas or Aldhouse remembered this statement being uttered (equally neither stated for certain that it had not been said). However, how else might one fairly paraphrase that big quote above? Isn’t “We can’t take them on, they’re too big for us” a pretty fair summary of Thomas’s position? Thomas went to the Press Complaints Commission and asked them to deal with it. The ICO reported diligently to Parliament and asked them to deal with it. Under Richard Thomas’ Information Commissioner’s Office did not take the rogue journalists on directly.
Regardless of whether Owens’ account of what Francis Aldhouse said is accurate or not, it encapsulates a truth about Thomas’ approach to taking action on press misbehaviour. Incidentally, Thomas’ ungallant efforts to bring personal data about Owens’ disciplinary record and unhappy departure into both his witness statements and his evidence doesn’t in itself make the ex-cop’s forthright testimony untrue. One can only assume he had a Data Protection justification for using the data in this way. Fundamentally, those of us who weren’t in the room have to listen to the testimony of the three men, and decide whom we find more convincing.
Enforcement action should not only be taken against data controllers who lack the inclination or resources to push back – the mighty are not looking on with despair at the current run of fines against local councils. Even the admirable and valuable Consulting Association case had at its centre one man running a wholly indefensible and surreptitious blacklist; the construction companies who used it were collateral damage. Richard Thomas went to Leveson last week and said “thank goodness” that he didn’t go after a sector that would have fought him. Instead, he set out his belief that the ICO should primarily exist to promote good practice.
That’s just not enough for a small number of data controllers. The phone hacking scandal shows that commercial imperatives can sometimes trump not only the law, but also basic morality. If you want evidence for this, look no further than Kelvin McKenzie (http://tinyurl.com/84hy8uc), who wants an apology for Rupert Murdoch because although the NOTW hacked into a murdered girl’s phone messages, they may not have deleted them. Most organisations, in every sector, will follow good practice. Some will need a hand, and others will need a nudge. A few will need a kick. I’ve previously blogged that we probably don’t want a Commissioner who tilts at every windmill; watching Thomas’ rather hesitant, diffident evidence, we equally don’t want someone so relieved he didn’t do something so important.