Blast from the past

As we all endure the lockdown and the uncertainty about when and how it might end, I have been trying to avoid thinking about the past. It’s tempting to dwell on the last time I went to the cinema (Home, Manchester ironically to watch ‘The Lighthouse’), the last time I went to a pub (Tweedies in Grasmere, just hours before Johnson closed them all), the last face-to-face training course I ran (lovely people, awful drive home). But thinking back to what I had, and the uncertainty about how, when and if I will get it back, doesn’t make the interminable Groundhog Days move any faster. I’d be better off just ploughing on and working out what to do next.

So it was a strange experience to be thrown backwards in time to the heady days of 2017, when the GDPR frenzy was at its height, and the world and his dog were setting up GDPR consultancies. People still make fun of the outdated nature of my company name, but I registered 2040 Training in 2008, and I’m proud of its pre-GDPR nomenclature. The list of GDPR-themed companies that are now dissolved is a melancholy roll call – goodbye GDPR Ltd, GDPR Assist (not that one), GDPR Assistance, GDPR Certification Group (got to admire their optimism), GDPR Claims, GDPR Compliance, GDPR Compliance Consulting, GDPR Compliance Consultancy, GDPR Compliance for SMEs and GDPR Consultants International (offices in New York, Paris and Peckham). You are all with the Angels now.

I was cast into this reverie by a friend who drew my attention to GDPR Legal, a relatively new GDPR company, and a few moments on their website was like climbing into a DeLorean. It was all there. The professional design, the ability to provide all possible services related to Data Protection (you can get a DPO for as little as £100 a month), and of course “qualified DPO’s (sic)”. I was disappointed that there was no mention of them being certified and nary a hint of the IBITGQ, but you can’t have everything. They still pulled out some crowdpleasers, including flatulent business speak and the obvious fact that they are trying to sell software, sometimes in the same couple of sentences: “Our service includes a comprehensive consult to help identify gaps and opportunities, a comprehensive report that includes a project plan with timelines and milestones, a cost analysis, and a schedule. We also offer a software suite that will help you get there quickly and smoothly.” Timelines and milestones, people. This is what we want.

The lack of any detail is possibly a matter for concern. The website claims that the company’s specialists have “over 50 years of experience delivering a pragmatic consulting service with qualified DPO’s and GDPR Practitioner skills” but it is difficult to find out who any of them are. There is no ‘meet the team’ or ‘our people’ section. I might be wrong, but I don’t think there’s a single human being’s name anywhere on there. If you had all these brilliant experienced professionals, wouldn’t you want to advertise who they are – I might make fun of them, but even the folk who have blocked me on LinkedIn aren’t ashamed of saying who their consultants are. Is it 50 people with a year’s experience each? Indeed, the only name I can associate with the company (via Companies House) is the Director, a man who has no experience in Data Protection, but is also director of a shedload of software and marketing companies. Any time the site needs to get into any detail, it hyperlinks to the ICO.

So far, so what? You probably think this blog is cruel. If someone wants to set up a company selling GDPR services, why do I care? Isn’t this just sour grapes at another disruptive entrant in the vibrant GDPR market?

There are two reasons why I call these people out. The first is their privacy policy. It’s not a good sign when a privacy policy page on a GDPR company’s website begins with ‘Privacy Policy coming soon’, but as it happens, immediately below is the company’s privacy policy. Well, I say it’s theirs. It’s oddly formatted, and when you click on the links that are supposed to take you to the policy’s constituent parts, you’re in fact redirected to the log-in page for GoDaddy, with whom the site was registered. All the way through, there are lots of brackets in places that they don’t belong. It didn’t take me long to work out what was going on – I think the brackets were the elements of the template policy that GDPR Legal has used which needed to be personalised, and they’ve forgotten to remove them. 50 collective years of experience, and nobody is competent enough to write the company’s own privacy policy, they just use someone else’s template. Indeed, if you search for the first part of the policy “Important information and who we are”, it leads you to dozens of websites using the same template, from Visit Manchester to NHS Improvement. I can’t find where it originated, but it’s an indictment of the quality of work here that they took it off the shelf and didn’t even format it properly. My Privacy Policy is smart-arsery of the first order, but at least I wrote it myself.

The other reason is worse. GDPR Legal has a blog with three posts on it. Two are bland and short, but the most recent, published just this week, is much longer and more detailed. It reads very differently from other parts of the site, and there was something about the tone and structure that was familiar to me. It didn’t take long to remember where I had seen something like this before. The blog is about GDPR and children, and this is the second paragraph:

“Because kids are less aware of the risks involved in handing over their personal data, they need greater protection when you are collecting and processing their data. Here is a guide and checklist for what you need to know about GDPR and children’s data.”

This is the first sentence of the ICO’s webpage about GDPR and children:

Children need particular protection when you are collecting and processing their personal data because they may be less aware of the risks involved.

Coincidence, you think? This is the third line:

If a business processes children’s personal data then great care and thought should be given about the need to protect them from the outset, and any systems and processes should be designed with this in mind

This is the second line of the ICO’s page:

If you process children’s personal data then you should think about the need to protect them from the outset, and design your systems and processes with this in mind

Blog, fourth para:

“Compliance with the data protection principles and in particular fairness should be central to all processing of children’s personal data.”

ICO page, third line:

“Compliance with the data protection principles and in particular fairness should be central to all your processing of children’s personal data.”

They rejigged the first few elements a little, but after that, whoever was doing it evidently got bored and it’s pretty much word for word:

GDPR Legal Blog:

A business needs to have a lawful basis for processing a child’s personal data. Consent is one possible lawful basis for processing, but it is not the only option. Sometimes using an alternative basis is more appropriate and provides better protection for the child.

ICO page:

You need to have a lawful basis for processing a child’s personal data. Consent is one possible lawful basis for processing, but it is not the only option. Sometimes using an alternative basis is more appropriate and provides better protection for the child.

GDPR Legal Blog:

General Checklists

  • We comply with all the requirements of the GDPR, not just those specifically relating to children and included in this checklist. 
  • We design our processing with children in mind from the outset and use a data protection by design and by default approach. 
  • We make sure that our processing is fair and complies with the data protection principles. 
  • As a matter of good practice, we use DPIAs (data protection impact assessments) to help us assess and mitigate the risks to children. 
  • If our processing is likely to result in a high risk to the rights and freedom of children then we always do a DPIA. 
  • As a matter of good practice, we take children’s views into account when designing our processing.

ICO page:

  • We comply with all the requirements of the GDPR, not just those specifically relating to children and included in this checklist.
  • We design our processing with children in mind from the outset, and use a data protection by design and by default approach.
  • We make sure that our processing is fair and complies with the data protection principles.
  • As a matter of good practice, we use DPIAs to help us assess and mitigate the risks to children.
  • If our processing is likely to result in a high risk to the rights and freedom of children then we always do a DPIA.
  • As a matter of good practice, we take children’s views into account when designing our processing.

NB: I’ve screenshotted all of it.

Someone at GDPR Legal lifted the whole thing uncredited and passed it off as their own work. A company that claims to be able to provide “practical and bespoke advice”, guiding “major projects in some of the UK’s largest businesses” nicked content from the ICO’s website. This kind of cutting and pasting gives plagiarism a bad name. At least GDPR’s previous Grand Master Plagiarist did it in style with some top-drawer endorsements.

The GDPR frenzy is over. Some of the new entrants have gone from strength to strength, and some of them are now selling kitchens. The current crisis will test everyone, and I doubt that the DP landscape will look the same in a year’s time. Nevertheless, while I hope the data protection sector remains robust enough to accommodate both the slick, corporate operations, and a few maniac artisans like me, it surely doesn’t need chancers any more? I hope we can all agree that a company that can’t even design its own privacy policy, that won’t admit who its experts are, and who steals from the regulator deserves to be shamed? I hope this blog might persuade a few unwary punters to do some due diligence before handing over their cash and perhaps pick a company who writes their own material. Whatever the LinkedIn blockers think of me, and I of them, surely we’re all better than this?

Virgin Berth

If there could be anything worse than the provenance and target of a Wallasey brick spawning an industry of conspiracy theorists, then it’s probably the Burning Question of whether Virgin Trains East Coast’s release of CCTV images of Jeremy Corbyn spurning unoccupied seats to enjoy the proletarian solidarity of the vestibule floor breached Data Protection laws. If I get through today without reading The Canary’s take on the matter, I will be a happy man.

Of course, the only sensible answer to the question is “It doesn’t matter”. But let’s ignore that obvious fact in favour of the following.

First, if Virgin Trains released unpixelated images of other passengers, this would be a breach of the first Data Protection principle on the basis that it would be unfair. There is no legitimate interest in doing so, and it is plainly unfair to publish images of ordinary passengers minding their own business. There is NO CHANCE ON EARTH that the Information Commissioner will take any action against Virgin for this as there is no harm to the passengers concerned, and harm is a vital threshold for any enforcement action. Individual passengers could sue, but again, they would have to demonstrate at least distress. I went from London to Edinburgh on Virgin East Coast once so I have some sympathy with this argument.

Of course, nobody would give a toss about this if it were not for the perceived slight to JC, so let’s get to that.

The first Data Protection principle requires that personal data should be processed fairly, lawfully and according to a set of conditions. Virgin’s disclosure must clear all three hurdles.

Fair – in the general sense of the word, I believe that the processing of Corbyn’s data was fair. Presumably without the company’s consent, Corbyn filmed a publicity stunt about the state of their trains. Even if the content was true, I believe Corbyn opened the door for Virgin to reply about the state of the train that Corbyn was on. Fairness does have a separate, specific meaning, which requires the organisation to tell the Data Subject who they are, what purposes the data is being used for, and anything else necessary to make the processing fair.

I can’t find the privacy notice for Virgin Trains East (if it’s not on the trains, that’s a breach), but Virgin Trains West Coast has a detailed policy on its website that includes improving customer service, monitoring operational incidents and verifying claims. If something similar is on the East Coast trains, I don’t think Corbyn has much room for complaint. I think that responding to an unauthorised publicity stunt on one of their trains is probably compatible with verifying claims and monitoring operational incidents. And besides, the Information Commissioner’s Office has invented and long tolerated a notion of ‘reasonable expectations’ – that you can do anything with personal data that the person would reasonably expect you to do. If Corbyn didn’t expect Virgin to look at their CCTV to verify his claim that the train was ‘ram-packed’ (or even ‘rammed’ or ‘jam-packed’), he’s an idiot.

There is the nugget of an issue here – the public perception of CCTV is that it is used solely as a means of detecting and investigating crime. It isn’t – it’s used for a variety of civil, disciplinary and publicity purposes and there’s nothing in the Data Protection Act to prevent this. However, companies like the West and East Virgins tend to stress security and crime over all things when dealing with CCTV, and this creates an expectation of its own. Everything depends on the information available on the train that JC travelled on.

There is one exemption that might come to Virgin’s aid – Section 32 renders all of the First Principle void (and most of the others) if a disclosure is made for ‘journalistic purposes’ and the public interest in publication is incompatible with compliance with the principles. The language is important – one does not need to be a journalist, only to be processing for the purposes of journalism. This opens the door to widespread and enthusiastic flouting of DPA by all sorts of corporate interests, but I find it hard to dismiss the possibility altogether.

Lawful – I believe that the disclosure was lawful. A train is not a private place (except in the toilets, and this is probably not the time for me to raise the urban myth about CCTV in train toilets), and Corbyn’s personal data in this context is not confidential or private. I can see no other law that disclosing this data would breach, so I think they’re in the clear.

Condition – Schedule 6(2) of the Data Protection Act states that data can be processed (in this context, disclosed) if it is necessary for the purposes of a legitimate interest, as long as the processing does not prejudice the rights, freedoms or legitimate interests of the subject. Corbyn made a claim about the conditions he found on a particular train – I believe that Virgin unquestionably have a legitimate interest in disclosing Corbyn’s personal data in order to comment on the accuracy of his claim. If Virgin released images of Corbyn unprompted, legitimate interests are out of the window. But Corbyn started the ball rolling, and I cannot see how the use of overt CCTV for this purpose prejudices his interests. Of course, if the images were used in a misleading way, again, legitimate interests is dead, but frankly, that’s a much bigger problem.

Other conditions might be engaged but unless Virgin have actively defamed Corbyn by photoshopping them to look like the train had seats when it didn’t (which is what I presume The Canary’s take is), I believe that the use of images was adequate, relevant, and not excessive (principle 3), and accurate (principle 4). One might question how long the images have been retained for (principle 5), but there is no statutory time period – Virgin simply have to justify that the retention period matches the purposes outlined under the first principle.

At its absolute worst, the release of Corbyn’s images might be unfair if the privacy notices on the train do not reasonably envisage the possibility of something like this happening. If Mr Corbyn was damaged in some way by this, the seriousness of the breach is increased, but not by much. It would be unlawful, but I see no public interest in taking action. Politics is a dirty business. Corbyn’s party breaches Data Protection all the time, so if he wants to take this up, he should do some digging in his own backyard.

And reserve a bloody seat next time.

UPDATE (24/8/16): The Information Commissioner has stated that they are “making enquiries” into Virgin’s disclosure of the CCTV images. The two possible enforcement routes available are a monetary penalty or an enforcement notice. The penalty requires the ICO to establish that there has been a serious breach of the Data Protection Act, likely to cause substantial damage or distress, and the data controller (Virgin Trains East Coast) either deliberately set out to breach the DPA, or knew (or ought to have known) that the breach would occur, and that the damage / distress would follow as a consequence. If you think that this incident meets that threshold, would you be interested in buying a used car?

The alternative is an enforcement notice. The enforcement notice can only apply if there is an ongoing breach that the data controller cannot or will not remedy. In other words, if Virgin promised never to disclose CCTV for publicity purposes again, it would be very difficult for the ICO to issue an enforcement notice. It would be disproportionate to take such significant action if it was clear that Virgin would not do the same thing again.

All this may be disappointing to those who wish to see Virgin, and its bearded figurehead, chastised for their assault on the integrity of JC, but this is not a serious breach. The NHS ignored opt-outs from the sharing of medical data for thousands of people over a prolonged period of time, and the worst that happened is that they were asked to sign an undertaking (an unenforceable public promise to behave better) at a time which best suited them in publicity terms. If you think that embarrassing Corbyn is worse than that, you ought to be ashamed of yourself.

The one good thing is that I don’t think the Labour Leader of Stockport Council, who moonlights as a Group Manager at the ICO, will end up dealing with the case. But who knows?

How to succeed in backlogs without really trying

First, two disclaimers.

1) The ICO’s previous FOI backlog was disgraceful, and it developed on Richard Thomas’s watch. Chris Graham and his staff deserve great credit for trying to kill it off. The fact that an organisation can no longer make a decision knowing that they won’t answer for it for two years is a success, and a shorter distance between request and decision is A Good Thing.

2) I am not the first person to complain about the Information Commissioner’s approach to late requests – @FOIMonkey, an applicant called Gordon Spitze and What Do They Know’s Ganesh Sittampalam got there before me.

And now to business. In September 2011, I made an FOI request to a government department. I have not received a response. In November, I requested an internal review on the basis that my original request had not been dealt with. I have not received a response. The department has gone through phases of sending me polite reassurance, promising that they’ll deal with my request soon, but mainly, when I contact them, they ignore me.

If anyone in the department happens to be reading this, can I just pass this on: section 77 of the Freedom of Information Act states that where a record has been requested: “Any person to whom this subsection applies is guilty of an offence if he alters, defaces, blocks, erases, destroys or conceals any record held by the public authority, with the intention of preventing the disclosure by that authority of all, or any part, of the information to the communication of which the applicant would have been entitled.”

Moving swiftly on, it’s pretty obvious that they are not going to respond to my request. Even a refusal would oblige them to move up to the formal internal review, getting my request closer to the Information Commissioner’s Office on a matter of substance. So eventually, I tired of waiting, and made a complaint to the Information Commissioner’s Office at the end of February about the absence of a response.

And here’s where we get to the problem (well, the other problem). After a short interlude, I received a response telling me that my complaint was not going to be investigated. They promised to write to the Department asking them to respond to my request. They ended by saying “This case has now been closed with the delayed response element showing as ‘withdrawn’ on our records.” Which the more eagle-eyed of my readers will recognise as, to use the technical term, bullshit.

I contacted them to point out that I had not withdrawn my request. The next email came from a manager (always an interesting sign, especially when you haven’t asked for it). In the email, the manager stated that the initial response was incorrect: “we stopped using the phrase ‘withdrawn’ in our correspondence some time ago as we felt it was a term which potentially lacked clarity”. It didn’t lack clarity at all. It was completely clear and totally untrue, and I might add, a potential breach of the Data Protection Act’s fourth data protection principle, which states that personal data should be accurate. It’s inaccurate to say that I have withdrawn my complaint when the ICO has closed it. Those still wanting I-Spy points will notice a subtle distinction in that sentence as well. They stopped using the phrase ‘withdrawn’ in their correspondence, but they didn’t stop marking them as withdrawn. Only when I pressed them did the manager finally confirm that my request was now marked as ‘closed’.

A What Do They Know applicant asked for the withdrawn FOI requests at the end of 2011. Between 2009 and 2011, 2136 requests were ‘Closed – withdrawn informally resolved’ and 2273 were ‘Closed – withdrawn robust’. These internal figures imply that thousands of requests were withdrawn, when my case strongly suggests that they weren’t, possibly across both categories. Was someone trying to create the impression that far more requests are withdrawn than is actually the case? And if so, why? And if I was being paranoid, does the fact that all requests seem to be marked ‘Closed’ affect what I’ve been told?

To complicate matters further, despite the internal figures released under FOI suggesting that 554 were ‘withdrawn robust’, and 652 were ‘withdrawn informally resolved’ in 2011, the Information Commissioner’s Annual Report for 2011 states that of the 4000+ FOI complaints received in 2011, only 2% were ‘withdrawn’. The Annual Report has to be correct as it is submitted to Parliament, and yet it’s hard to square with the figures released under FOI. So what’s going on?

The recipient of my request is not going to answer my request unless someone makes them – it’s obvious that they’re sitting on my request until other matters are resolved. In 2006, when the ICO’s backlog was as long as your arm and contacting them was pointless, I had to write to the Permanent Secretary of the Home Office in similar circumstances to get an endlessly delayed FOI response on ID Cards (full credit to him – he wrote back to me to apologise and I got my response in days, albeit in the negative). Those days are supposed to be gone.

One purpose of killing the backlog is surely to give the Commissioner the ability to intervene quickly and effectively when things are going wrong. But polite letters are useless when dealing with a recalcitrant body and the ICO should stop acting like a shy maiden aunt in such situations. Given that the facts are not in dispute – my antagonists don’t say that my request is invalid, or that they have responded – a decision notice is the only step. To any readers in Wilmslow (some have already outed themselves) – with DP and FOI being the law, you don’t have to ask people to comply with it, you can tell them to. With your powers. Which is what they’re for. Which makes it easier for all the people who are complying already to justify keeping up the good work. Which benefits everyone.

A certain amount of triage is necessary – for example, a complainant might go to the ICO when they haven’t made a valid request, or when they’ve been refused and don’t want to bother with an internal review. The ICO has the power to refuse to deal with FOI complaints if they are frivolous or vexatious. Rather than refusing to deal with entirely legitimate and fundamental complaints about non-response – which flouts the very basis of the Act – maybe they can strike down some of the daft complaints (I’ll write them a list, pro bono, based on the last year’s decisions).

The ICO’s annual report proudly states that 31% of the FOI casework was closed in 30 days or less – but it’s legitimate to wonder how they achieve this. The polite, effectively unofficial letter they sent to my public authority didn’t work and I effectively had to make a second complaint. This is actually a good sign – they didn’t mess me about and my case was reopened. I know a lot of other applicants who have struggled to get a case reopened so quickly, if at all.

The majority of public authorities don’t need attention from the Commissioner in the first place and it is massively unfair to them for the ICO to molly-coddle the minority. I refer you to the ICO’s feeble strategy towards the Cabinet Office in a huge number of decisions outlined here if you want evidence. Chris Graham talks a good game – he sounds much more convincing than his predecessor when he talks about taking strong action. But recent decision notices show that the hand wringing hasn’t stopped, even with the Cabinet Office (see last paragraph).

It’s obvious that decisions get made much faster than before, and I don’t detect any issue of the quality of decisions getting worse. If anything, it’s the opposite. But nevertheless, the ICO cannot ultimately say that it has slain the backlog if it doesn’t tackle the most fundamental FOI issue properly, or if there is any suspicion of books being cooked. Preventing big and small public authorities from simply ignoring requests is important. Many of the organisations I train have superb FOI response rates that would shame most Government departments – a more courageous and effective response to the heavy FOI complaints workload would be to dish out some Enforcement Notices to the worst offenders. No Minister or Permanent Secretary wants their department to labour under the discipline of knowing that FOI failures might end in prosecution. As the Commissioner’s own introduction to the ICO Plan says “when we need to enforce, enforce we shall” (his emphasis). Rather than outsourcing bits of their complaints-handling process to complainants, some action to match the rhetoric would be reassuring. An enforcement power is not a toy.

In the absence of a blog post, here’s my spam

I get a lot of 419 spam-hawking people emailing my various accounts, and in the absence of three blog posts I can’t seem to get right (one about Network Rail, a second about the ICO which I really want to make worthy of the title ‘How to Succeed in Backlogs Without Really Trying’, and a third about David Cameron & FOI), I thought I would share this one. In terms of sheer detail and immediacy, I think it’s unsurpassable. If you get better ones, tweet me.

Las Vegas, Nevada
Airport Shuttle Keeper

Good Day,

Sorry for the delay in this message, On Friday we were checking over some files and packages in the office and we discover an ATM CARD which was addressed to your name, Home address and email (I think it is a winning funds) I believe you can remember a dealing that has to do with some cooperate body or individual about this said funds to be delivered to you through an (ATM CARD) but I do not have idea why it was on hold at our Airport up-to-date.

So we contacted the Authorities and they asked us to get in contact with Senator David Mark, to get an approval to figure out what was in the package, After checking over the ATM CARD, we discovered a total sum of $10,000,000.00 ($10 Million USD) through the router figurative machine who check on balance through the number on the ATM CARD, so we reported back to the Senator David Mark and we were asked to deliver the package to you from this office. (Senator David Mark, Senate President of Federal Republic of Nigeria)

We need you to reconfirm your full name and  Home address if shown as it is on the package we have here.

If you want it to be delivered to you immediately, it will cost you just $225 which is the charges for the insurance certificate and delivery of the ATM CARD meanwhile your funds is safe with our securities service so please have that in mind.

Below is the payment information, payment should be made via money gram or western union and also send us your address as well for the delivery so that it won’t be delivered to the wrong address and someone else will receive a miracle he or she never worked so hard for to get.

Amount:  $225

The information above is where the ATM CARD was stopped at McCARRAN INTERNATIONAL AIRPORT in Las Vegas, Nevada.

Supervisor Manager
MY SSN NUMBER: 016-38-1497
For:  Airport Shuttle Keeper

Goodbye Blogger

I have three inflammatory blog posts on the go at the moment and for various reasons I either cannot finish them or cannot post them (if you know me, you will be able to guess why not). So in the meantime, I have decided to jump on the bandwagon leaving Blogger in droves because of Google’s privacy policy.

I’m still not entirely sure how I feel about the Google policy itself, but I don’t want to alienate those who read my blog, and who do feel strongly about it.

I should also apologise for the fact that I am using the same blog theme as Paul Bernal, another fine blogger who made the same journey before I did. I didn’t know that when I switched to WordPress there would be so few themes I like, and it was either this one, the Chunk one being used by Save FOI, or the fantastic Saul Bass-inflected ‘Vertigo’ one, which really would go with a movie blog, but is irrelevant to this one. I can’t get the Chunk one to do what I want it to, and this one seems easier. I doubt anyone will think I am passing off, but if you think you’re in the wrong place and wanted to read about privacy, human rights and internet issues written with a sense of humour, you’re in the wrong place. Click on the link for Paul’s blog above. Round here, we take the piss out of the Information Commissioner even when it isn’t called for (it usually is), mouth off without much evidence when privacy and transparency are threatened, and occasionally launch quixotic broadsides against innocent parties like which turn out to be a lot less fun than was expected. Generally it’s an outlet for those days when I am working from home and putting something off.

So while I resolve my fact-checking / defamation issues, why not enjoy some old gold from the 2040 info law blog annals…