Backwards Momentum

To quote from their website, “Momentum is a people-powered, vibrant movement. We aim to transform the Labour Party, our communities and Britain in the interests of the many, not the few.” Founded by Jon Lansman and others in 2015, it arose out of the successful campaign to get Jeremy Corbyn elected as Labour Leader. From the beginning, as well as being evidence of a new type of politics in terms of policy and approach, Momentum exemplified the importance of personal data to modern politics.

An awful lot of bullshit has been talked about data and politics in the UK – witness the investigation into political parties’ use of personal data announced with great fanfare by the Open Rights Group, which culminated in a hilariously anti-climactic report where ORG had to admit that the worst thing they could say about political data exploitation is how ineffective it is. Ignore the Guardian headlines and Liz Denham’s interviews on Channel 4 News, Momentum is a real example of the power of data. It is a political movement built on a mailing list. After Corbyn was elected, the founders of Momentum used the lists of Corbyn supporters created during his leadership campaign as the foundation of the organisation. This isn’t my opinion – it’s what Momentum says about itself: “The company was originally incorporated at the very beginning of Jeremy Corbyn’s 2015 leadership bid to collect and manage the data collected during that election and in order to maximise the retention of data for use after the leadership campaign to benefit the movement which would arise from it.”

A few days ago, the National Coordinating Group (NCG) of Momentum held elections. Lansman, who was previously chair of the organisation, didn’t stand for reelection, so Momentum is under new management. However, the new NCG is not entirely in control and at its first meeting, it sought to rectify that. According to Labour List, “members voted in favour of putting Momentum’s data – currently owned by Lansman, who is no longer on the ruling body – in their own hands. They are confident that this handover will take place.”

Technically, the data isn’t owned by Lansman. Momentum’s website says that it is owned by ‘Jeremy for Labour Ltd’, a company that provides data services for Momentum. Strictly speaking, this isn’t true either: the company is called ‘Momentum Information’ but it’s not hard to understand why the Momentum web people are confused because the company does have a habit of changing its name. It started as ‘Jeremy Corbyn Campaign 2015 (Supporters) Ltd’, then became ‘Momentum Campaign Ltd’, then transmogrified into ‘Jeremy for Labour Ltd’ in 2016, finally blossoming into ‘Momentum Information Ltd’ on 30th December 2019. It’s like a really boring version of Doctor Who. However, when you look at the current directors of Momentum Information, there’s only one, and it’s Jon Lansman.

Momentum isn’t a company or a political party. It is an “unincorporated association of individual members” with a written constitution, run by the NCG. According to their website, the data owned by Momentum Information “cannot be shared with any organisation, including Momentum” but “the privacy policy does permit Jeremy for Labour Ltd to inform people of campaigns and activities linked to Jeremy Corbyn’s campaign aims, such as the activities of Momentum which grew out of Jeremy’s leadership bid and shares its aims and values”. Momentum is in the astonishing position of being a member organisation which – as far as I can see – does not know who all of its members are and is not allowed to contact them directly without (effectively) Lansman’s cooperation. It’s possible that by now the unincorporated association has accumulated some of its own data, but it seems clear that Lansman has kept control of the data mother lode, and while he no longer chairs Momentum, the data gives him huge power over it.

If Momentum members have access to the data held by Momentum Information and they try to use it, that would be a criminal offence unless Lansman or his representatives authorise it. This is why there needs to be a ‘handover’. Of course, Lansman may well accede to the democratic vote of the NCG and give them the data. I am an evil centrist who doesn’t really understand the internal politics of Momentum (I rejoined Labour solely to vote for whichever of Keir Starmer or Lisa Nandy looked more likely to beat Rebecca Long-Bailey), so I don’t know what Lansman’s move will be. The funny thing is, purely in Data Protection terms, it’s probably unlawful for him to disclose the data without a lot more work.

I’m basing this on the information Momentum itself has put into the public domain, so if I have this wrong, it’s because I’ve been misinformed by them. But that sentence in the company structures section of their website isn’t ambiguous: the privacy policy doesn’t allow sharing with Momentum. If that’s what the people on whatever database Momentum Information controls were told, it would be a significant breach of fairness and transparency for their data to be shared in a way that contradicts this. Never mind that many Momentum members might be fine with it, the transparency problem has to be overcome, and we’re talking about many thousands of people needing to be contacted.

Being a member of Momentum plainly reflects your political opinion, so Momentum Information needs a special categories exemption to disclose the data. The most obvious one would be “processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects”. If you read all the way to the end, you can see the problem – it explicitly rules out disclosure. There are only two other possibilities – substantial public interest or explicit consent. I don’t think that there’s a *public* interest here, just a significant private one, but if you disagree, a controller can only use substantial public interest if they can meet a condition from Schedule 1 of the Data Protection Act 2018. Feel free to read them if you want to, but I can tell you that none of them apply. The NCG vote is irrelevant – unless the relevant people consent to the disclosure, it’s unlawful even if Lansman wants it to happen.

I said I don’t know Lansman’s motives here, but surely none of this is an accident. Whether or not he chairs the unincorporated association, it strikes me that Lansman still holds the reins. Momentum is probably nothing unless it can talk to its members, and right now, only a mass consent gathering exercise will allow that. Of course, Momentum’s account of the company structures may be incorrect and there’s a loophole somewhere. But forget the guff about micro targeting and brainwashing by Facebook, if there is a standoff between the NCG and Lansman, it’s about who controls a major political movement, and it’s based solely on access to personal data. The Information Commissioner will run a mile from intervening, as they always do when faced with issues in Labour and Left politics, but it’s an awesome demonstration of the power of data.

Two pints of FUD and a packet of pork scratchings please

As the pubs open, a huge amount of fuss has been made about the requirement placed on pubs to collect personal data for the purposes of the track and trace system. Local papers and websites buzz with articles that are plainly just law firm press releases, and the LinkedIn Snake Oil Salesmen awoke from their slumber to offer advice to unwary publicans. Some even wondered aloud how pubs would cope with being data controllers for the first time, despite all of them having employees, and most taking bookings and doing marketing.

Guidance from the government sets out what is expected:

“You should assist this service by keeping a temporary record of your customers and visitors for 21 days, in a way that is manageable for your business, and assist NHS Test and Trace with requests for that data if needed. This could help contain clusters or outbreaks.”

The data pubs and restaurants should collect is as follows:

“customers and visitors:

  • the name of the customer or visitor. If there is more than one person, then you can record the name of the ‘lead member’ of the group and the number of people in the group
  • a contact phone number for each customer or visitor, or for the lead member of a group of people
  • date of visit, arrival time and, where possible, departure time
  • if a customer will interact with only one member of staff (e.g. a hairdresser), the name of the assigned staff member should be recorded alongside the name of the customer”

A few interesting questions do arise. The first, which doesn’t seem to have provoked much debate, is whether GDPR applies at all in this situation. If a pub or restaurant stores the data in a spreadsheet or other electronic system, GDPR applies because, in the words of Article 2, it is processed by automated means. But what if the pub uses a notebook or index cards to store the data? There’s a strong argument for doing that, because it would make it much easier to keep the data separate from other customer data that the pub might have. Moreover, it’s possible that a notebook structured solely in date order doesn’t meet the definition of a filing system, which is a “structured set of personal data which are accessible according to specific criteria”. Certainly, if the Data Protection Act 1998 was still in force, the answer would be no. A date-ordered notebook would fail the ICO’s famous ‘temp test’ (can a temporary member of staff find personal data without searching every page?), and there is out-of-date guidance on the ICO’s website that confirms that chronological storage isn’t a relevant filing system. However, that guidance is about the DPA 1998, although the definition of a filing system is very similar in the 1995 Directive and the GDPR. Would date order meet the requirement for “accessible according to specific criteria”? I can’t find the data about Tim Turner without searching every page, but I can see all the named individuals who were in the pub on July 4th, so is that enough?

Given that the ICO isn’t going to touch this with a bargepole, the only way that this might be tested is in the courts. The European Court of Justice has looked at filing systems before in the Finnish Jehovah’s Witnesses case. This was under the old Directive, but they found that the ‘specific criteria’ by which the data are accessed should relate to people. I can’t find the phrase anywhere, but the ICO shorthand used to be ‘structured by reference to individuals’. The Jehovah’s Witnesses’ manual records were structured to keep track of specific people and organise subsequent visits, and so were found to be a filing system. I’m probably unduly influenced by having worked with the DPA 1998 for so long, but my instinct is that if a handwritten record is kept in date order, and not structured to provide easy access to identifiable people, it falls outside the material scope of the GDPR in the first place (Article 2 only catches manual data that forms, or is intended to form, part of a filing system), and so no GDPR obligations arise for the publican armed only with a pad and pen (my advice is a nice Lamy or Pilot pen; only barbarians use freebie biros).

But let’s assume that I’m wrong, and the data is personal data captured by the GDPR. I had a conversation with someone on Twitter yesterday who believed that the Data Controller was Public Health England, and that pubs, restaurants and other businesses are data processors on behalf of PHE. He made the point that if this was correct, then none of them would have a contract with PHE, and so there would automatically be a massive data protection infringement. I disagree. The pub owners are under no obligation to process the data – if they participate, they are choosing to do so. If you decide whether and how to gather the data, it strikes me that you have at least some involvement in determining the purposes for which the data is processed. PHE have issued no instructions about the means of the processing (hence pubs and restaurants being able to choose between automated and manual processing). If every venue was a processor, it’s true that PHE would be under an obligation to issue contracts to them all, and they would be liable for every infringement that occurred in an establishment that hadn’t signed up. I’m not saying that this is impossible (the NHS is no stranger to pretending that organisations that have zero choice or input into the purposes and means of processing are data controllers), but I’m more comfortable with the idea that hospitality venues are joint data controllers with PHE. If a pub does something daft with data they have chosen to process, it seems an odd interpretation of the law to hold PHE responsible.

Someone’s going to say vicarious liability, and I’m going to wait for the court case.

Depending on the context, the data collected might look like contact details, but it could easily lead to inferences and risks that the venue needs to take seriously. If I went to the Old Man Pub down the road from me, you wouldn’t infer much about my presence there other than a liking for darts and bright lighting. But if I went to G-A-Y in Manchester, you might reasonably draw conclusions about my sexuality. The venues ought to look after this information very carefully, assuming they didn’t already collect data about these customers. But those people determined to predict a datapocalypse as a result of these measures are leaping several steps ahead. Most venues will take sensible measures to keep this data safe because most people aren’t stupid, and venues that cater to vulnerable clients or those who have heightened concerns about privacy are almost certainly aware of these issues already. The chances that data will be lost or stolen are probably low (especially if they go for a simple spreadsheet or manual record that is stored somewhere safe).

But if something does go wrong, unless it involves significant risk to the customers, the chances of a big data protection enforcement case from the ICO are virtually nil, and despite the lip-smacking enthusiasm of some lawyers, the prospects of lucrative litigation are fairly dry. And with that, I am going to do my civic duty by walking through the rain to the Old Man Pub, getting blind drunk and catching Covid-19 like all patriotic Englishmen should*.

* SPOILER ALERT: I am going to wait for John Lewis to deliver my new Fridge Freezer.

A load of Balls

On Tuesday, the self-styled “Private Prosecutor” Marcus J Ball announced to the world that he had Done An FOI.

“I have sent an FOI request to St Thomas’s NHS Trust requesting confirmation/proof that Boris Johnson wasn’t lying about being admitted there or the severity of his condition. The PR timing is just too perfect. I fear that he may be dodging responsibility by becoming a victim.”

When challenged on the wisdom of his request, he claimed that it was his ‘duty’ to ask:

“We have a duty to ask, even if we suspect they’ll blank us. It only took me 5 minutes to do that tiny bit of civilian side scrutiny. It’ll be on the record that he was doubted.”

My first instinct was that the Trust should refuse the request as vexatious. As is often noted, S14 of the FOI Act doesn’t define ‘vexatious’ so the meaning of the word has been scrutinised in multiple ICO decisions and Tribunal cases. The notorious Dransfield case resulted in useful guidance on what might constitute a vexatious request. One possibility is that the request lacks a serious purpose or value, and I think this could fairly be applied to Ball’s request. He is plainly aware that his request is unlikely to receive an answer (“even if we suspect they’ll blank us” and “We have a duty to ask the question regardless of whether or not we think they’ll allow it to be answered”). He is also happy to impugn the integrity of the thousands of people who handle FOIs, saying in another tweet that “Also, in my experience some people working in FOI offices have a moral compass. Occasionally.”

Ball’s purpose is to put “on the record” his doubts about Johnson’s version of events. The FOI Act lacks a purpose clause that explains what it is for, but sending an FOI request is plainly not an appropriate way to make a point. Either you want the information or you don’t – making performative FOIs like this one undermines the system, especially at a time of national emergency. When politicians want examples of stupid FOIs to attack the whole system (they’ve done it before, and they’ll do it again), I guarantee that Ball’s effort will be chosen.

But on reflection, there is a cleaner answer. Section 40 of the FOI Act exempts personal data where disclosure would breach the GDPR. The data that Ball has requested is confirmation / proof of Johnson being admitted to hospital and information confirming the severity of his condition. This data is “data concerning health”, meaning that it is special categories data (SCD). Article 9 of the GDPR prohibits any processing of SCD unless an exemption applies.

In order for Johnson’s SCD to be disclosed, the disclosure of data would have to satisfy the first data protection principle, meaning that the disclosure has to be lawful, fair and transparent. The third element is easy enough – the Trust could simply tell Johnson his data was being disclosed. The middle element is a bit subjective; if you think that Johnson deserves to have his health records disclosed because he’s a lying racist, then you’ll probably think it’s fair. However, if you think that even lying racists deserve to have their health records protected, you’ll probably think that it isn’t. The clincher is the first part – lawful. The disclosure of Johnson’s data must be lawful, so an SCD exemption would have to apply. There are a number of such exemptions, but only two apply in this situation – the data subject (Johnson) gives their explicit consent, or the data has manifestly been put into the public domain by the data subject. You don’t have to take my word for this – the Information Commissioner’s Office’s personal data FOI flowchart says the same.

Ball argues that there is a public interest in the disclosure – it doesn’t matter whether you agree with him because public interest is irrelevant to these exemptions. For ordinary data, legitimate interests can make a disclosure lawful, and over the years, the ICO has developed an approach under which a disclosure of personal data that is in the public interest can count as a legitimate interest. But legitimate interests isn’t an SCD exemption. Of course, you might argue that because Johnson has commented on his illness, that means he has manifestly put his data into the public domain and Ball’s request should be answered. I disagree. All it means is that the Trust can say again what Johnson has already said – and we already know that Ball and his acolytes don’t believe what Johnson has said. The Trust can’t lawfully add any additional details to what is already in the public domain.

Of course, Johnson could give consent. The argument has been made many times: what does he have to hide? By saying this, the doubters themselves have taken consent off the table. If you’re saying that unless a person consents to the disclosure of their medical records, you’ll accuse them of lying (or at best, doubt that they’re telling the truth), you’re applying pressure to the data subject. This undermines the possibility of the consent being freely given, and consent that isn’t freely given isn’t consent. Even if Johnson was pressured into giving consent, the Trust should decide that his consent was invalid, and set it aside.

But what if the Trust have data that demonstrates that he wasn’t as sick as he claimed? Ironically, the exemption would still apply. If they have any data concerning Johnson’s health, even if it showed he wasn’t as ill as he claimed to be, the exemption would still apply because data that shows you’re anything from in the peak of physical fitness to being at death’s door is still ‘data concerning health’. The exemption applies. You might argue that the hospital would be under a moral duty to reveal the truth, but that would be to undermine one of the foundations of medical practice: doctor / patient confidentiality. Even if Johnson was exaggerating his condition for political purposes, to decide not to use the exemption and disclose his medical data would violate doctor / patient confidentiality. It would set a dangerous precedent. If you ask me which I would prefer – letting Johnson get away with spin or watering down the assumption that what your doctors know about you should remain secret, I have no hesitation in siding with patient confidentiality. There’s an old line about how you judge a society by the state of its prisons – I think you judge a person’s true commitment to human rights by how keen they are for scumbags to have them. If you don’t think Johnson has a right to confidentiality over his health, you don’t really believe in confidentiality or privacy.

Suggesting that Johnson wasn’t admitted at all (as Ball does in his FOI) is to say that Johnson wasn’t sick. I’m not sure Ball and his supporters thought through the implications of this originally and following criticism, he was forced to acknowledge the problem:

“Just to be 100% clear, I am not calling any NHS personnel dishonest. It seems that fans of Johnson want to twist my words in order to defend him. Instead, I am calling Johnson a liar. He is a known liar. And I want to know if he lied to the public or the NHS about his condition.”

You don’t have to be a fan of Johnson to follow Ball’s words to their logical conclusion (I think Johnson is a lying racist). If you’re suggesting he lied to the NHS, you’re saying that they’re too incompetent to diagnose coronavirus. If you ask for confirmation of his being admitted to hospital, you’re raising the possibility that he wasn’t. If he wasn’t admitted to hospital, you’re accusing those at the hospital who dealt with him of either lying or deliberately covering this up. Ball isn’t shy about smearing people (his complaint about the judges was full of guilt by association, and he happily maligned the majority of FOI officers), so the reputations of everyone involved in Johnson’s care are apparently just collateral damage in his crusade. Much has been made of the claim that medical practitioners at the hospital were asked to sign the Official Secrets Act (I don’t actually know if this happened). If it *did* happen, is Ball seriously suggesting that the OSA is now being used to cover up a conspiracy involving the Government and numerous health professionals and NHS staff, but despite this, they’ll be obliged to admit all in reply to his FOI?

I believe Ball doesn’t just know he’s going to get refused, he probably wants to be. Whether they pick vexatious, or Data Protection, or confidentiality, he can use it for publicity (one of his companies is a PR company, so it’s clearly something he’s interested in). Then he can hype his request for an internal review. Then there’s the appeal to the ICO. And then the First-tier Tribunal. And then the Upper Tribunal. And then, if the inevitable crowdfunding allows, the Court of Appeal. Marcus can put on a smart suit for the Metro photographer and go to the Court of Appeal. Whatever the outcome, it can be spun as an achievement. For someone who wants to raise their profile, FOI is a long and protracted process with plentiful opportunities for publicity-inducing setbacks. It’s just another crusade to be spun as fighting for truth and please donate here.

I think Marcus J Ball is a chancer; he’s obviously entitled to make this request, but I’m entitled to say that it’s an attention-seeking waste of time and NHS staff could better spend their time on other things. Any other things. Ball poses as a campaigner for truth but he promotes himself using misdirection and bullshit. He says he “prosecuted Boris Johnson for lying about £5 billion of public spending” and the website for his company ‘Stop Lying in Politics’ lists a number of “achievements” including the above mentioned prosecution, a High Court Judge being “held to account” and £700,000 raised by crowdfunding. The truth is that his prosecution of Johnson failed, the “holding to account” bit was Ball petulantly complaining to a regulator after he lost, and at least some of the £700,000 went on cupcakes, self-defence lessons, and Ball’s salary. ‘Stop Lying in Politics’ is described as not for profit and a ‘social enterprise’, but according to Companies House, it’s a company with one shareholder (Ball). His use of FOI in this case is primarily to promote Marcus J Ball, and can only contaminate the legislation in the eyes of people who are always looking for excuses to water it down.

Whatever the Trust do with his request, they can’t win. Ignoring it will be proof of the conspiracy. Refusing it will be proof of the conspiracy. Answering it would be a breach of confidentiality and data protection. The best they can do is answer it as quickly as possible, give Ball the refusal he’s probably desperate for, and hope that his noise gets lost in all the other nonsense our beleaguered society is drowning in.

Labour Pains

As the pandemic takes hold, an unwelcome distraction comes with news that an internal Labour Party report into how it dealt with antisemitism has been leaked, showing up in the hands of some of the dumbest people in left-wing politics. The document was unredacted, and contains the personal data of multiple complainants to the party. Some of them have already reported that as a result, their data is being circulated in the most unpleasant corners of the internet and Comrade Leaker might have put them at direct risk. The new leadership team of Sir Keir Starmer and Angela Rayner have announced an investigation into how the report came to be commissioned, how it came to be leaked and other related matters. It is embarrassing that the Socialist Campaign Group of Labour MPs have signed a statement demanding that the report is published “in full”, meaning that the former Shadow Justice Secretary and former Shadow Home Secretary among many other Labour MPs want the confidentiality of complainants to be breached solely to facilitate internal faction fighting. As a humble Labour Party member, I call upon the Campaign Group to withdraw their knuckle-headed demand, acknowledge that what they’re asking for would be a breach of GDPR and confidentiality, and apologise to the innocent people they wanted to throw under the bus.

The MP and Campaign Group member Lloyd Russell-Moyle tweeted on Sunday that those interested in the Data Protection aspects of the leak were missing the point, preferring to concentrate on the political implications. In any case, he pointed to the public interest defence available in the GDPR for the circulation of such data. He has since deleted that tweet, and has now admitted sharing a link to the unredacted report with a private Facebook group of party members. Mr Russell-Moyle’s (albeit temporary) confidence in the public interest nature of disclosure caught my eye, especially as his depiction of how the law works in this context was a bit of a dog’s breakfast.

All things being equal, GDPR would have something to say about the unauthorised dissemination of personal data, but despite Mr Russell-Moyle’s claim, it does not contain an explicit public interest defence, and in any case is not the most relevant law. The Data Protection Act 2018 contains a series of offences covering the misuse of personal data, retaining what was criminal under the DPA 1998 but adding some new ones. The offences aren’t strictly required to comply with the GDPR and go further than what it requires. However, they allow the Information Commissioner’s Office to pursue individuals who deliberately or recklessly misuse data more neatly than GDPR does. I spend a lot of time kicking the ICO, so it is only right that I say that this prosecution work is one of those things that they generally do well and for the right reasons.

Section 170 of the DPA 2018 makes it an offence knowingly or recklessly to obtain or disclose personal data without the consent of the data controller, to procure such a disclosure to another person, or to retain data without the controller’s consent. Selling or offering to sell unlawfully obtained data is also an offence. Incidents that lead to ICO prosecutions are often connected with employment – the person gets legitimate access to data as part of their job, and then they look at records they have no reason to, or they share data with others, or they sell it. My favourite recent prosecution is the spectacular case where a senior council manager declared an interest in a recruitment exercise in which his wife was a candidate. Despite this, he then gave her data about the other candidates. After she got the job, the incident was discovered; she lost the job, her husband was sacked and he was subsequently prosecuted. It took a global pandemic to make me essentially unemployed, so I admire someone with the determination to do it to themselves with such panache. The crucial issue isn’t necessarily how you got access, it’s whether what you did with the data was authorised by the controller. People often make the mistake of thinking that the person who has to authorise the use is the data subject, but the law is clear. If I as the controller deliberately give you the data – even if I do so insecurely or without proper transparency – it’s not an offence (it might be a GDPR infringement). If you take a copy and share or sell it without the controller’s permission, the offences may be in play.

There can be tension over who gets the blame – years ago, one of my former employers discovered that an ex-member of staff had sent data about multiple staff members to their personal email account. While it was obviously disclosed without my employer’s authorisation, the ICO case officer who investigated asked us a lot of smart questions about security and access arrangements in the team where the culprit worked. It was plain to me that they were trying to work out whether it would be better to pursue the individual for copying the data, or my employer for not better preventing them from doing so. Fortunately for us, a splendid team manager was able to satisfy the ICO that we’d done everything one could reasonably expect. For Labour, this could be a problem. It’s impossible to know where the report was obtained from or how it came to be leaked, but if Wilmslow investigates this (and in my opinion, they have to), it will be just as legitimate for them to probe Labour’s internal data management as the actions of the leaker. It must, however, be both.

Although he thought it was in the GDPR, Russell-Moyle was right that the public interest can be a defence for otherwise unlawful misuses of data. The person accused of an offence can put forward a defence that the use of the data was necessary for the prevention or detection of crime, that it was required or authorised by an enactment, a rule of law or a court order, or they can seek to prove that in the particular circumstances the obtaining, disclosing, procuring or retaining was justified as being in the public interest. They can also try to prove that they reasonably believed that they had a legal right to use the data, that had they asked, the controller would have agreed, or finally, that they acted for the special purposes (which include journalism) with a view to publication and in the reasonable belief that “in the particular circumstances the obtaining, disclosing, procuring or retaining was justified as being in the public interest”.

It’s worth thinking carefully about that group of defences. Under the old 1998 Act, they were drafted differently, allowing a person to argue that they had a ‘reasonable belief’ that their actions were justified in the public interest. For the general public interest defence, the ‘reasonable belief’ element is gone – it only works if the person can prove objectively that the disclosure was in the public interest, rather than that they thought it was. A reasonable belief in the public interest survives only in the separate special purposes defence, and only for someone acting with a view to the publication of journalistic, academic, artistic or literary material. There’s an excellent and detailed explanation of this change in Shepherd v ICO, a data misuse case that the ICO lost a year or so ago. More importantly, all of this applies to the personal data itself, not to a document in which it might be found. Russell-Moyle’s deleted claim was that “there’s a public interest defence which will be strong in this case”, but is that true? There might be a public interest in disclosing the document or whatever revelations can be gleaned from it, either for journalistic purposes or the wider public interest. But is there really a public interest in the disclosure of the complainants’ personal data? I doubt it and it seems that Russell-Moyle now agrees, having acknowledged that “I wanted to make it clear that the report that has been leaked contains important information but it also contains the personal details of minors and those who deserve confidentiality after they made complaints”. If a person seeks to defend themselves from an allegation of a criminal disclosure of personal data, the public interest in revealing internal party machinations is irrelevant. What matters is whether disclosure or retention of the specific personal data is in the public interest.

Anyone who copied and disclosed an unredacted copy of the report without clear permission from the Labour Party may have committed an offence under section 170. Anyone who simply possesses a copy of it may also have committed an offence. This latter issue might be of particular interest to the ICO, as the retention offence is new, and I’m sure there will be some in Wilmslow who want to show that it has teeth. This is especially the case after the ICO investigated the retention of notebooks by ex-Met Police officers and found that it couldn’t take action because retention wasn’t an offence under the 1998 Act.

The public interest has been badly served here. By redacting the data of complainants, whoever obtained and leaked this data could have built the foundations of a solid public interest defence, and more importantly, shown some care for people who do not deserve to be victims of Labour’s interminable civil war. The leakers could have protected those caught up in this mess, and whatever internecine battles Labour’s factions want to fight could have played out without collateral damage. But whoever these idiots are, they didn’t care about the damage their actions might cause. Blameless individuals have been put at further risk having already suffered abuses and indignities at the party’s hands. The Campaign Group’s moronic statement and Russell-Moyle’s humiliating climbdown from confident defence to mealy-mouthed apology are hallmarks of the thoughtlessness that underpins this sorry episode, but the real blame should be directed towards the snakes who circulated the unredacted report. It is a betrayal of everything that Labour ought to stand for, and a line must be drawn. Between Labour’s internal investigation and what should be the ICO’s inevitable involvement, the people responsible for this leak should face nothing less than the same public exposure as their victims, with a punishment to match.

My Corona

I’m not the first person to point out that the current flood of Covid-19 emails is reminiscent of the Great GDPR Consent Panic of 2018. Organisations you have no memory of ever interacting with are suddenly there, as well as many household names, reassuring you of their ability to keep going despite the crisis. Some of them make sense – I got one from the Post Office yesterday telling me that they’re still open, which might be useful information to some. But a lot of them use an almost identical template to say very little – everyone’s home working, they really hope I’m OK, and they look forward to seeing me again after the Apocalypse. I would like to know what difference the companies think they’re going to make, but I’m not going to name and shame the worst ones or even unsubscribe from most of them – these are panicky and uncertain times, and a bit of corporate spam isn’t the worst thing that’s happening.

One email, however, stood out. I haven’t seen anything like it, and I hope no other company is as crass as Osano, the Texas-based ‘data privacy’ outfit headed by one Arlo Gilbert, who took the trouble to email me this morning to say how amazing they are, and how untouched by the global crisis they have been.

The story of how Osano came by my email address is instructive. Last year, Gilbert was putting himself about on Twitter, trumpeting his company which had been in the Data Privacy business since the grand old year of 2018. The Osano website is the Platonic ideal of the 2018 Era Privacy Company – very well designed, cool and slick, and bristling with enthusiasm for a subject that the company’s owners had literally only just found. Some DP and Privacy practitioners are as much activist as they are practitioner (which is why they hate me), but few would have the gall to present their company as a female superhero, saving the world one file at a time. Needless to say, when you look at Osano’s team, they’re all men.

The messages on the site also provide all of the classic GDPR bullshit flavours. Teeth-grindingly pious: “When Osano helps companies to comply with the law, the interest of humanity is served, and the internet becomes a better place”. Evidence-free scare-mongering: “In recent months, numerous groups have undertaken ‘DDOS Compliance Attacks’ whereby they band together and submit thousands of fraudulent DSAR/SRRs in an attempt to harm businesses”. And, as is traditional, BIG CLAIMS ABOUT THE BUSINESS: Osano claims to have built “the world’s first data set that objectively measures the data privacy practices for every company on the planet”, and to have carried out risk assessments on the compliance capabilities of 10,000 vendors. Disappointingly, despite the alleged ongoing nature of these risk assessments, that number is the same as it was last October.

Wary of some of Osano’s claims last year, I decided to do a bit of digging. I used the contact form on their website to ask whether they had carried out a risk assessment of my company. Although it seemed unlikely, given that Osano has this dataset that can measure any company on the planet, and there were / are 10,000 vendors on their list, it was surely possible? The contact form had an opt-in box to receive information from Osano, and I made sure not to tick it.

You’ll never guess what happened then. I received no acknowledgement or reply from Osano about my enquiry. Nothing. However, I started to receive marketing emails from Osano, always in the name of Arlo, telling me how their team were “aggressively building new capabilities” and offering a “Searchable blockchain-based audit log of consents to comply with information requests and government inquiries”, as if my bullshit bingo card could not be more complete. I can’t pretend that my request would have constituted a subject access request, focussed as it was on my company, but a sensible organisation might at least have sought to check. Moreover, since Osano explicitly chose consent as the basis for its marketing, every email it has sent me since is in breach of the very GDPR that it claims to uphold.

Which brings me to Arlo’s recent missive. He begins by recounting how some people were wiped out by the 1990s Dotcom bubble. Then, it was the 2009 crash that wounded many. Now the Covid-19 pandemic means that “businesses around the world are closing their doors“. But what does that mean for data privacy now, friends, what does that mean?

NOTHING!

“As recently as a few days ago, attorneys were filing class-action lawsuits against companies for violations of California Consumer Privacy Act (CCPA). Today the California Attorney General announced that they would not be delaying prosecution for breaches of CCPA. Data privacy remains a mission-critical component of any modern business, even during a global pandemic.”

I’m writing this blog just before doing a webinar on the outbreak, and I can confirm that I am not going to be telling the beautiful people who attend that they can throw DP into the garbage and do what they like (UPDATE: I broke a piece of equipment just before starting and spent the rest of the session spiralling in panic, which bodes Very Well for my online future). Privacy and data protection are central to a just and fair society, and if we throw them out of the window in a crisis, we might not get them back. However, waving the shroud of litigation while people are dying is as low a pitch for your glossy software as it’s possible to get. It’s ugly and everyone in the privacy and data protection sectors should turn their backs on this kind of marketing.

Arlo continues.

“I debated the need to draft a COVID-19 response for our customers in the face of my own inbox overflowing with explanations of how companies are managing during this difficult time.”

Translation: Arlo wondered if this was a bandwagon I needed to jump on.

“However, thousands of companies rely on Osano, and it has become clear that we need to address any concerns that may exist.”

Translation: Arlo decided that the answer was yes.

So what message does this titan of the tech business want to send to his customers? What reassurance, what inspiring words for the future does Arlo have for us all? After gloating that Osano is better at home-working than everyone else, Gilbert has decided that what the pandemic needs to know is how much money his company has.

“Osano is well funded with many years of runway and positive gross margins. While other companies may be giving away Ducati motorcycles at conventions and buying Superbowl ads, Osano has always made capital-efficient growth s [sic] core of how we operate.

All of this is a long-winded way of saying that Osano is in great shape. This virus and the downturn in the economy have not changed our daily work habits in any way. Rest assured that there are few companies better equipped to respond to this new work-from-home lifestyle than Osano.”

Nothing about the customers and how they’re doing. Nothing about the effect of this crisis on the person reading the email, beyond a desultory “Stay safe out there” at the very end. The only message Arlo Gilbert wants to give the disease-stricken world is how brilliantly he and his company are handling it. There’s a small part of me that wonders to what extent this is protesting too much, that Arlo wants to tell people how great everything is because he himself needs to hear it. But probably not. The one group of people who are destined to come out of this well are the people at the top. The rest of us will just have to pick up the pieces.

If you want to talk to your customers at the moment, think very carefully about what you want to say. Don’t send unsolicited spam in breach of laws you claim to cherish. I have an email for my mailing list which I wrote days ago but find extremely difficult to send because getting the tone right seems so difficult in the current climate. I’m not ashamed to say that my business has been wiped out. I have no work, and apart from online courses, no prospect of work for months. I’ve made a couple of prudent financial decisions that mean I don’t have to worry for now, but reading Gilbert’s tech-bro muscle flexing must be sickening for people who have lost their jobs, their colleagues or their loved ones. A lot of people on LinkedIn are desperate to emphasise the positives, raising the possibility of founding a new Uber or writing the 21st Century King Lear, but in reality, surviving without losing your mind seems a triumph to me. Deciding that what you need to do now is boast about your positive gross margins is the act of an Osanohole.