I’m not the first person to point out that the current flood of Covid-19 emails are reminiscent of the Great GDPR Consent Panic of 2018. Organisations you have no memory of ever interacting with are suddenly there as well as many household names, reassuring you of their ability to keep going despite the crisis. Some of them make sense – I got one from the Post Office yesterday telling me that they’re still open, which might be useful information to some. But a lot of them use almost an identical template to say very little – everyone’s home working, they really hope I’m OK, and they look forward to seeing me again after the Apocalypse. I would like to know what difference the companies think they’re going to make, but I’m not going to name and shame the worst ones or even unsubscribe from most of them – these are panicky and uncertain times, and a bit of corporate spam isn’t the worst thing that’s happening.

One email, however, stood out. I haven’t seen anything like it, and I hope no other company is as crass as Osano, the Texas-based ‘data privacy’ outfit headed by one Arlo Gilbert, who took the trouble to email me this morning to say how amazing they are, and how untouched by the global crisis they have been.

The story of how Osano came by my email address is instructive. Last year, Gilbert was putting himself about on Twitter, trumpeting his company which had been in the Data Privacy business since the grand old year of 2018. The Osano website is the Platonic ideal of the 2018 Era Privacy Company – very well designed, cool and slick, and bristling with enthusiasm for a subject that the company’s owners had literally only just found. Some DP and Privacy practitioners are as much activist as they are practitioner (which is why they hate me), but few would have the gall to present their company as a female superhero, saving the world one file at a time. Needless to say, when you look at Osano’s team, they’re all men.

The messages on the site also provides all of the classic GDPR bullshit flavours: teeth-grindingly pious: “When Osano helps companies to comply with the law, the interest of humanity is served, and the internet becomes a better place“, evidence-free scare-mongering “In recent months, numerous groups have undertaken “DDOS Compliance Attacks” whereby they band together and submit thousands of fraudulent DSAR/SRRs in an attempt to harm businesses”, and as is traditional, BIG CLAIMS ABOUT THE BUSINESS. Osano claims to have built “the world’s first data set that objectively measures the data privacy practices for every company on the planet“, and have carried out risk assessments on the compliance capabilities of 10,000 vendors. Disappointingly, despite the alleged ongoing nature of these risk assessments, that number is the same as it was last October.

Wary of some of Osano’s claims last year, I decided to do a bit of digging. I used the contact form on their website to ask whether they had carried out a risk assessment of my company. Although it seemed unlikely, given that Osano has this dataset that can measure any company on the planet, and there were / are 10,000 vendors on their list, it was surely possible? The contact form had an opt-in box to receive information from Osano, and I made sure not to tick it.

You’ll never guess what happened then. I received no acknowledgement or reply from Osano about my enquiry. Nothing. However, I started to receive marketing emails from Osano, always in the name of Arlo, telling me of how their team were “aggressively building new capabilities” and offering “Searchable blockchain-based audit log of consents to comply with information requests and government inquiries“, as if my bullshit bingo card could not be more complete. I can’t pretend that my request would have constituted a subject access request, focussed as it was on my company, but a sensible organisation might at least have sought to check. Moreover, having explicitly gone for a consent option for their marketing, every email that Osano has sent me since is in breach of the very GDPR that they claim to uphold.

Which brings me to Arlo’s recent missive. He begins by recounting how some people were wiped out by the 1990s Dotcom bubble. Then, it was the 2009 crash that wounded many. Now the Covid-19 pandemic means that “businesses around the world are closing their doors“. But what does that mean for data privacy now, friends, what does that mean?

NOTHING!

“As recently as a few days ago, attorneys were filing class-action lawsuits against companies for violations of California Consumer Privacy Act (CCPA). Today the California Attorney General announced that they would not be delaying prosecution for breaches of CCPA. Data privacy remains a mission-critical component of any modern business, even during a global pandemic.”

I’m writing this blog just before doing a webinar on the outbreak, and I can confirm that I am not going to be telling the beautiful people who attend that they can throw DP into the garbage and do what they like (UPDATE: I broke a piece of equipment just before starting and spent the rest of the session spiralling in panic, which bodes Very Well for my online future). Privacy and data protection are central to a just and fair society, and if we throw them out of the window in a crisis, we might not get them back. However, waving the shroud of litigation while people are dying is as low a pitch for your glossy software as it’s possible to get. It’s ugly and everyone in the privacy and data protection sectors should turn their backs on this kind of marketing.

Arlo continues.

“I debated the need to draft a COVID-19 response for our customers in the face of my own inbox overflowing with explanations of how companies are managing during this difficult time.”

Translation: Arlo wondered if this was a bandwagon I needed to jump on.

“However, thousands of companies rely on Osano, and it has become clear that we need to address any concerns that may exist.”

Translation: Arlo decided that the answer was yes.

So what message does this titan of the tech business want to send to his customers? What reassurance, what inspiring words for the future does Arlo have for us all? After gloating that Osano is better at home-working that everyone else, Gilbert has decided that what the pandemic needs to know is how much money his company has.

“Osano is well funded with many years of runway and positive gross margins. While other companies may be giving away Ducati motorcycles at conventions and buying Superbowl ads, Osano has always made capital-efficient growth s [sic] core of how we operate.

All of this is a long-winded way of saying that Osano is in great shape. This virus and the downturn in the economy have not changed our daily work habits in any way. Rest assured that there are few companies better equipped to respond to this new work-from-home lifestyle than Osano.”

Nothing about the customers and how they’re doing. Nothing about the effect on this crisis on the person reading the email, beyond a desultory “Stay safe out there” at the very end. The only message Arlo Gilbert wants to give the disease-stricken world is how brilliantly he and his company are handling it. There’s a small part of me that wonders to what extent this is protesting too much, that Arlo wants to tell people how great everything is because he himself needs to hear it. But probably not. The one group of people who are destined to come out of this well are the people at the top. The rest of us will just have to pick up the pieces.

If you want to talk to your customers at the moment, think very carefully about what you want to say. Don’t send unsolicited spam in breach of laws you claim to cherish. I have an email for my mailing list which I wrote days ago but find extremely difficult to send because getting the tone right seems so difficult in the current climate. I’m not ashamed to say that my business has been wiped out. I have no work, and apart from online courses, no prospect of work for months. I’ve made a couple of prudent financial decisions that mean I don’t have to worry for now, but reading Gilbert’s tech-bro muscle flexing must be sickening for people who have lost their jobs, their colleagues or their loved ones. A lot of people on LinkedIn are desperate to emphasise the positives, raising the possibility of founding a new Uber or writing the 21st Century King Lear, but in reality, surviving without losing your mind seems a triumph to me. Deciding that what you need to do now is boast about your positive gross margins is the act of an Osanohole.

A few months ago, the ICO received a Freedom of Information request on What Do They Know from a ‘Dwayne Dibbley’, asking interesting questions about the recruitment of Ellis Parry to the post of ICO Data Ethics Adviser. As soon as the post was announced, I was interested in how it came about because in my opinion, the ICO has no business creating a wholly optional job like this at a time when it has admitted that the regular work of the office has already been affected by luxury items like the Cambridge Analytica ‘investigation’. The hallmark of Elizabeth Denham’s tenure has been vanity projects and headline-chasing at the expense of the day job, and this seemed to be the pinnacle of her approach. I was, therefore, interested to see what Mr Dibbley’s request revealed.

I knew there was a problem. I didn’t recognise the name, but it didn’t ring true. I could tell it was made up, and so could the ICO (Dwayne Dibbley transpires to be a character in Red Dwarf). Shortly after, they asked for proof of Mr Dibbley’s ID and the request went dead. Technically, the request was not valid, but still, I found their approach annoying. In the same rough period, the ICO accepted FOIs from WDTK applicants as diverse as ‘dan74’, ‘John Smith, ’Tilly P’, ’navartne’ and ‘Gogos’. It might just be the ICO dodging a request because they could, but equally, it might be that they had something to hide.

I decided to make Dibbley’s request myself, explicitly referring to the previous refusal, but adding a question about why they blocked the request, and who decided to do it. Conveniently, they claimed to hold no information about that. However, I received a detailed bundle of correspondence, tracking the post from the development of the job description all the way until the successful recruitment of Mr Parry, and the writing of a blog which was published in the name of the Executive Director for Technology Policy and Innovation Simon McDougall, but which was actually written by the ‘Group Manager, Speechwriting and External Comms’.

There were a few interesting nuggets in the pile of internal correspondence – McDougall is one of those people who works in the ICO’s stupendously expensive London offices (in another FOI, I discovered that when he visits the ICO HQ, he bills the ICO for his meals at the Coach and Four Public House, very possibly the dullest pub in Wilmslow), while Parry was one of only two people to apply for the job. One aspect of the discussions that I enjoyed was the fact that the Data Ethics Adviser’s remit was to include whether the ICO needs a Data Ethics Adviser.

Mostly, it was the kind of dry procedural back-and-forth that you would expect to see a public body go through when creating a new post. Indeed, it was all so boring that the first time I read it, I missed the amazing revelation it contained. On June 14th 2019, at the very beginning of the drafting of the job description, there was an email discussion between McDougall, Ali Shah (the Head of Technology Policy) plus the Head of Innovation, a Group Manager from the Innovation team and McDougall’s Private Secretary. The ICO released all of the emails to me unredacted, naming all of these people, but I’ve decided to leave most of the names out.

As part of the discussion, Shah expressed concern about the scope of the JD.

“Will it have enough specificity to separate out Ellis? I don’t think it does, and reading the JD neutrally, I can think of a couple of people who would be equally or more qualified.”

Note that Shah refers to ‘Ellis’ – this is a person who all of these senior people are apparently on first name terms with. He explicitly did not want to be neutral about a job the ICO is about to recruit, and wanted to change the job description to exclude possibly better qualified applicants. Moreover, when the JD was circulated, the Group Manager added a comment which suggested a change to “and” from “and/or” on one of the criteria, observing:

“There will be a lot of people who have the dp background but not the ethics. Asking for both will narrow the field to just the candidates we need; thinking of Ali’s comment here.”

The meaning is clear – the job description was written deliberately to exclude other candidates so that Ellis Parry would be more likely to get the job. At £45,000, this job is better paid than most in the ICO – the effort to favour this one candidate (if that’s the right word for a job that hasn’t even been advertised) excluded many possibly qualified people from inside the ICO as well as a variety of people outside who have spent considerable careers pondering how data ethics work.

It would be bad for any public sector organisation to stitch up a job for a specific candidate before it had even been advertised – posts should be given on merit, rather than to those favoured by the senior staff. For a regulator that purports to be almost a moral guardian in many contexts to do it would be even harder to swallow. Perhaps only Denham’s calamitous stewardship of the ICO could lead to this shoddy behaviour happening over a job with ‘Ethics’ in the title. I cannot claim that you couldn’t make it up, because these are the people who let a Labour Council Leader run the team that investigates complaints about political parties. Denham is the Commissioner who awarded thousands of pounds to her mates without putting it out to tender, and endorsed a book that she hadn’t read. By now, this is what I expect. None of the senior people in the email chain raised any objection to Shah’s explicit wish to stack the deck in favour of Mr Parry. As far as I can see, they just got on with it.

I have no idea if Mr Parry’s previous career working for BP or Astra Zeneca gives him insights into Data Ethics that puts him so far above the rest of the sector that his chauffeured journey to the job could be justified. I would like to be outraged, but actually, the fact that senior people at the ICO were sufficiently unethical to do this and stupid enough to write it down is exactly what I expect the people at this organisation’s overpaid and inflated top table to do. I didn’t think the ICO needed to recruit a Data Ethics Adviser, but this tawdry episode suggests that all of their work should be directed at its own activities. I fear that the ICO is in a bad place, given the grim mixture of incompetence and poor judgement that regularly tumbles out of it. I can only hope that recruitment for Denham’s successor – which cannot come too soon – is delivered more fairly than this was.

During the hysteria in the run-up to May 2018, one of the ways in which it was easy to spot GDPR practitioners whose sole Data Protection experience was doing That Dreadful Course Run By Those Awful People was their lack of awareness of the Privacy and Electronic Communications Regulations 2003, known to its friends as PECR. As organisations fell over themselves to get ‘GDPR consent’, they demonstrated how much they didn’t know. The crucial elements of both as they related to marketing (and much else) weren’t changing, and the experts advising differently were just demonstrating their lack of understanding.

So it is with a garbled dog’s dinner of a story in the Mail on Sunday, combining anti-EU fear-mongering, moronic MPs, and proud ignorance of how the law works. According to Glen Owen’s feverish tale “Doctors will be banned from warning patients about the risks of coronavirus under EU rules that are set to become law in Britain despite Brexit“. None of this statement is true, and more importantly, the crucial elements on which the story is based are not new. The story claims that the Information Commissioner Elizabeth Denham “is working to put EU data protection laws into a statutory code that the Government would have no power to amend“. As a consequence, doctors would be prevented from sending messages about the corona virus, and “Council tax bills would also rise because local authorities would be forced to print leaflets to publicise services such as bin collections“. This garbage is supported by some frothing at the mouth from dim rentaquote MP Ben Bradley about “bully-boy diktats” and EU red tape.

Bradley is a proven liar whose previous misdeeds including publishing false claims about Indian call-centres, libelling Jeremy Corbyn and standing up for police brutality, so his knee-jerk nonsense should be ignored. There is an interesting quote from an unnamed Downing Street source which is presumably Dominic Cummings, describing Denham as an “unelected anti-Brexit pen-pusher“. Denham has plainly been angling for some kind of involvement in online harms, but given Dom’s disdain for QE2, I suspect she’s not going to be on anyone’s shortlist.

The origin of the story is the Information Commissioner’s draft Code of Practice on Direct Marketing, a document that the Commissioner is obliged by law to create in accordance with the Data Protection Act 2018, legislation passed by the previous Tory Government. Obviously, the current regime may take issue with their predecessors, but if Boris Johnson and his cadre of far-right headbangers don’t want Denham to do what the law requires her to do, they should amend the DPA. Obviously, the content of the code is up to the ICO and so I guess the alleged anti-Brexit conspiracy to smuggle EU red tape into UK law could happen there. The problem with this conspiracy theory is that the EU laws that the Tories and the Mail are so furious about are already on the UK statute book, and will continue to be so. Unless, of course, the Government use their majority to change things, as they have the power to do.

PECR is UK law, so the rules that require marketing emails to be sent to individual subscribers only with their consent are already there. EU GDPR is currently the law in the UK until the end of the transitional period, and after that, specific regulations will automatically convert the EU GDPR into the UK GDPR. The idea that Denham is sneaking anything into UK law in her Direct Marketing code is nonsense. Anyone who claims otherwise is either a liar or a moron. In Ben Bradley’s case, it’s plainly the latter (this is a person who argued for benefit claimants to have enforced vasectomies), but as far as Downing Street is concerned, it’s likely that Cummings is using Data Protection as part of his ongoing game of 3D chess with reality. The Government doesn’t care that the story isn’t true, they just want to keep Brexiters in a heightened state of annoyance and frustration.

The one thing that the ICO does have control over – and this has nothing to do with the EU – is the definition of direct marketing. Unless the government passes legislation that specifically defines what constitutes marketing (something neither Labour or the Tories have ever done), and until a court gives some definitive judgment on a definition, the meaning of ‘direct marketing’ and therefore the type of message you need consent for, has to be determined by someone. The current someone is the Information Commissioner. The ICO definition includes “the promotion of aims and ideals as well as advertising goods or services“. On this, the ICO has been consistent for more than a decade. Richard Thomas took action against all major political parties in the mid-2000s and won a Tribunal case against the Scottish National Party on the basis of this definition, so the idea that somehow Denham’s interpretation is some of kind of plot to undermine Brexit is just evidence of Cummings’ addiction to fake news and lack of attention to detail.

If you drill right down, the seed of the Mail story is on pages 22 and 23 of the draft code, where an example contrasts two different kinds of message from a GP practice. A neutrally-worded message about screening is not marketing, but a text advertising a flu jab clinic would be. To be honest, if I received texts from my GP practice telling me I was due for a cardio-vascular risk check, I would think of it as marketing and expect only to receive such texts with consent, but that’s an argument for a different blog. What the draft Direct Marketing Code is saying is what the ICO has been saying consistently for many years, but unlike the old Direct Marketing guidance, this time they have included public sector examples, of which the GP case is one.

I don’t know how we get from this example in the code to the government propaganda in the Mail – perhaps Downing Street is constantly scanning for opportunities to wind people up over Brexit and the EU. Given that the ICO fined Vote Leave, it’s possible that Cummings nurses a personal grudge against Denham, and so this might simply be a symptom of his wounded ego. It’s equally possible that the NHS isn’t happy that the ICO is turning its attention – at least in principle – to the large amount of marketing that it does under the false guise of public health messages. This could be NHS folk briefing the Mail to defend their ability to spam people about purely optional services.

My point is that the story is wholly without foundation. This isn’t an anti-Brexit plot, and the message that the ICO is sending shouldn’t be controversial. I don’t know about you, but the only messages I receive from my council about bin collection are an annual leaflet explaining how they work – an email would be useless as I would easily delete it, whereas I can put the leaflet on the fridge. Unlike Ben Bradley, I can’t get outraged about the cost of printing a leaflet that I actually need (but which wouldn’t meet the ICO definition of marketing if it was sent electronically). If you want the NHS to have carte blanche to send whatever messages they think we need to hear, get ready for an onslaught of digitised nanny state lectures about drinking, diet and exercise, your phone pinging like a pinball machine.

There will be a lot more of this. The pro-Brexit media / government cabal have to keep the pot boiling and Data Protection is something that many journalists and politicians are too stubborn to get to grips with, so it will be a handy target. It would be nice if there was a competent Commissioner who could put the case for sensible Data Protection. Instead we have Disaster Denham, with her record of one-sided enforcement against pro-Brexit campaigns and her obsession with Facebook and Cambridge Analytica which even her own office has had to admit had nothing to do with Brexit. The Mail gleefully picked on her huge salary, and they could just as easily focus on her expensive tastes in international travel and extending the ICO top table. If the government really does have Data Protection in its sights as Bradley suggests, it’s hard to imagine a worse defender than a profligate absentee who has cocked up nearly every big enforcement case she has touched. I’m not famed for being an optimist, but we have a government stupid and ideological enough to ruin Data Protection, and a Commissioner without the moral authority to stop them. Indeed, I’ll make a prediction – the GP examples are correct, and the ICO will cut them from the final version of the code in hopes of appeasing No 10.

Nevertheless, when you read this kind of nonsense in the Mail, remember to take it with a pinch of salt that definitely exceeds NHS guidelines.

The Times published an interesting story on Saturday about businesses being approached by the Information Commissioner’s Office. According to the story, thousands of small business owners and landlords have received “heavy-handed” letters about the annual fee which many organisations are liable to pay under the Data Protection Act 2018. The GDPR abolished the requirement for controllers to register with their supervisory authority, but the bureaucracy has been maintained to provide funding for the ICO’s Data Protection activities. Ostensibly, the ICO chasing up people who by law owe them money should be uncontroversial, but like most things that Wilmslow gets involved in, it isn’t that simple. For one thing, I don’t know how the ICO is selecting their targets, but as the Times reports, a lot of recipients are actually exempt. Half of the clients of a tax advisor quoted are exempt, and I’ve been approached by a number of people being chased over dormant or dead companies. It would be interesting to know what criteria is being used.

A bigger concern is what the ICO is going to spend the money on. Small businesses have to pay the ICO at least £35 per year, but their spokesperson said in the article that “The fees are used to provide services to help organisations process and manage the personal data they are responsible for in line with their legal obligations and in ways that may inspire public confidence“. I’d question whether the ICO will itself inspire much public confidence, and whether businesses will be as keen to pay up, when they find out what the ICO has been spending their money on. A series of fascinating FOI requests on What Do They Know, as well as requests I have made, demonstrate that services to help organisations aren’t the only essentials on which the ICO budget is spent.

In the 12 months leading up to the end of November 2019, the ICO spent £49,043.16 on first and business class flights, luxury enjoyed by eight senior ICO officials on just 20 occasions. Elizabeth Denham CBE turned left most often, with 7 of the flights at a cost of £15,793.88, closely followed by her deputy James Dipple-Johnstone, who was lucky enough to escape the indignity of economy class on five occasions, for the bargain price of £10,612.70. Fans of Mr Dipple-Johnstone’s idiosyncratic stewardship of the ICO budget will remember his expenses claim while caught out while on a jolly to conferences in Asia and New Zealand. When his flight from Doha was diverted to chilly Vienna, he was prevailed upon to buy a jumper and some warm trousers, but thankfully the ICO was able to pick up the tab. Other Wilmslow luminaries taking advantage of the ICO’s seemingly generous travel policies included the Director of Freedom of Information Gill Bull, the Director of Investigations Stephen Eckersley, one of Denham’s other deputies Steve Wood and Simon McDougall, friend of the advertising industry (he does have a job of some kind, but I have no idea what it is). The most expensive single booking was for the Director of Strategic Policy Amanda Williams, whose airmiles came at a cost of £4419.32. Williams took only one luxury trip, so it’s nice to know that it counts.

To put this already profligate spending into perspective, Denham’s flights accounted for the fees of 450 small businesses, while Dipple-Johnstone’s swallowed 303. Williams’ chart-topping trip gobbled up 126 small business fees by itself. In total, the cost of first and business class flights for the pampered elite at the ICO’s top table ate up 1400 small business fees. So much for services to help them, all of these companies paid for Mrs Denham and her courtiers to get extra legroom and hopefully some bubbles as they wait to take off. I’m sure that whichever three small businesses stepped in to fund Dipple-Johnstone’s cold weather ensemble are glad he didn’t get a chill.

But that is not all. The only place I ever seen Denham in the real world is the First Class Lounge at Euston Station, but this is unlikely to have been a one-off visit for the Commissioner. Of the 43 first class rail journeys made in the same period by ICO staff, 32 were claimed by Denham, with the other eleven split between the usual suspects (JDJ managed only three, with Steve Wood nabbing 5). The costs of the first class trips were obviously lower than the flights (£5777.75, with £3806.65 accounted for by Denham) but nevertheless, I’m sure the 108 small businesses who kept the Commissioner and her colleagues away from the indignity of standard class will feel that their contribution to the work of the ICO was not wasted. We cannot expect the leaders of the UK’s Data Protection hub to go without free tea and coffee and those lumpy chocolate biscuits that people pretend they are taking for their children.

Of course, you might accuse me of hypocrisy as I unashamedly go first class on a regular basis. I write this on a Sunday afternoon, knowing that I will be in First Class tomorrow morning. The point is whose money I am spending. When I charge expenses to clients, I only ever invoice for standard class prices, and 2040 Training Ltd is a private company of which I am the sole shareholder. I’m not spending your money, or that of millions of businesses that I am cajoling to pay up. Moreover, doing less than half of my work journeys in First Class is about the only corporate expense that has any direct benefit to me personally. The same cannot be said for the ICO and Elizabeth Denham. As I wrote about last year, the ICO spent just shy of £18,000 on executive coaching for Denham. As revealed in another WDTK FOI request that the ICO answered 4 months late, the former Canadian Minister for Trees Philip Halkett was hired without any external advert or tender process. I followed up this request with one of my own for recorded information about some of the contracts. I asked what qualified Halkett for such special treatment, and ICO explained that as her former executive coach, he was “uniquely placed to deliver the service“. The only recorded information they could give me about what he provided was a single line in the contract (the rest of which was withheld). 514 small businesses paid their fees so that Halkett, a retired Canadian with no experience in Data Protection, could provide “coaching and strategic advice as required by the Commissioner from time to time“.

Needless to say, none of the UK fee paying businesses were permitted to put themselves forward for the coaching work, or for the £20,000 ‘service excellence’ consultancy (571 small business fees) awarded without a tender process to an academic in Canada. The ICO’s own lawyers questioned whether that contract had been awarded lawfully, only to be told by Director of Resources Andrew Hubert that “The ICO appointed Mark Colgate as he is the author of the methodology we wanted to use so uniquely placed to present that methodology to our staff. Basically he is sole author and sole supplier. We are happy to accept the procurement risk on that basis.” The emails show that neither Procurement or the ICO’s Commercial Legal team were involved in the process of hiring Colgate. Whether ICO staff actually needed his TOFU-based customer service guff is debatable, but the idea that none of the hundreds, if not thousands of UK-based customer service experts who have to fund the ICO were even worth considering, but this bloke from Denham’s home town was the only possible candidate is fanciful. That no proper processes were followed and the ICO hired Colgate on the basis of a one-page emailed proposal that boils down to ‘I’ll do some training and give your team managers my book’ ought to concern everyone.

Taken together, these FOI requests paint an odd picture. Senior officers travel the world in first class to attend conferences that build their profiles, but offer scant benefits to UK-based businesses. Friends of the Commissioner are paid thousands of pounds without any due process. The most charitable way I can describe this is self-indulgent and lacking in oversight, but the problem is that Denham’s tenure is characterised by poor judgment. The Information Commissioner’s Office has spent millions of pounds investigating the Cambridge Analytica / Facebook ‘scandal’ only to find that it didn’t involve UK Facebook users. That investigation culminated in a bizarre humiliation, with Facebook invited to repudiate the whole thing on the ICO’s own website, and commended by the Commissioner for their sterling privacy work. The massive BA and Marriott fines, wildly out of proportion when compared to the rest of Europe, appear to be in disarray, delayed for three months without any explanation. Confirmation that this had happened had to be dragged out of Wilmslow by lawyers and journalists who realised that the time limit to complete them was running out. There is still no formal statement on the ICO’s website about this massive development. Journalists attending appeals against enforcement action against Leave.EU and Eldon Insurance tell of the ICO’s own barrister admitting that the ICO’s decision-making process fell short of what should be expected, with no internal records of the decision to act available. The outcome of that case is coming in February.

A regular reader of this blog complains that every other entry is just me moaning about Liz Denham, and it’s true that I am a long-standing driver of negative sentiment (as I was once delightfully labelled by the ICO’s PR people). But this isn’t just the random potshots of a disaffected show-off. The ICO’s staff (i.e. the people who actually do the work rather than chase the headlines) are famously paid well below the market rate, and yet the ‘Leadership Team’ are circling the world in First Class, hiring their mates and botching high profile investigations that probably never should have started. 2040 Training has paid its fee for 2019/20, but I wonder what I’m getting for my money. According to the ICO Annual Report, Elizabeth Denham is paid £160,000 per annum, plus a “non-consolidated, non-pensionable annual allowance of £20,000“. If she wants coaching, she can afford to pay for it herself. If she needs coaching (and the meltdown I describe above suggests that she might), she is in the wrong job. At the very least, she should pay back the £18000 paid to Halkett and stop expecting the fee-paying organisations of the UK to fund her taste for luxury travel. The rumours circulating government suggest that the ICO’s sponsor department, the DCMS, is for the chop. If that is true, before their time runs out, they must dig into Denham’s chaotic, self-indulgent regime and ensure that the thousands of businesses who keep the ICO afloat are not being taken for a ride.

 

 

There’s never a good time to accidentally publish a huge batch of personal data online, but the interregnum between Christmas and New Year, when nothing happens and most people are bored is a particularly unfortunate moment to choose. The Cabinet Office’s foul-up in publishing the home addresses of the thousand or so people in receipt of a gong as part of the New Year’s Honours was particularly ill-timed, but given the diverse nature of those affected, it’s hard to imagine that there would ever be a time where it wouldn’t hit the headlines. The location of Elton John’s mansion is probably not a secret, but many honours recipients are not celebrities, and some might be put at risk by their addresses being known.

In many ways, the story is familiar. The Cabinet Office say it’s an accident, the BBC dig up a Data Protection ‘expert’ I’ve never heard of to say nothing in particular about it, and everyone on LinkedIn has made their mind up. But there is one interesting aspect that recent changes to legislation has significantly altered. One of the other people enjoying a moment in the spotlight was the CEO of a software company. He downloaded the spreadsheet on Friday night, and regaled Radio 4’s PM programme with the details of the diligent research he had done into the homes of some of the people on the list.

The GDPR does not apply to the data processing activities of “a natural person in the course of a purely personal or household activity“, but the Data Protection Act 2018 (like its predecessor the DPA 1998) works differently, and significantly differently for situations like this. Section 170 makes it an offence for a person knowingly or recklessly to “obtain or disclose personal data without the consent of the controller“, to procure such an unauthorised disclosure and finally “after obtaining personal data, to retain it without the consent of the person who was the controller in relation to the personal data when it was obtained“. The obtaining, procuring and disclosing elements were there before, but the offence of retaining data is new. A legal entity could clearly be charged with any of these offences, but the majority of prosecutions (mounted unusually by the ICO rather than the CPS) for the old S55 and the new S170 offences are individuals.

And here’s the punchline. It’s quite possible that the Cabinet Office’s procedures and controls are flawed, or their training is deficient (or both). In such circumstances, the organisation would have infringed the GDPR and potentially face a fine as a result. Given the Information Commissioner’s obsession with headlines and over-reaction to high profile events, I suspect a fine in this case is quite possible. It’s also possible that everything inside the Cabinet Office is absolutely mint and this is just a monumental cock-up. I don’t know, and I’m prepared to wait and see what the ICO finds out when they investigate. I might relentlessly take the piss out of the Commissioner’s Office, but one of the things I’m happy to acknowledge that they’re good at is getting to the bottom of security incidents and why they happened.

However, none of that makes any difference to anyone who accesses the honours spreadsheet. An organisation may significantly infringe GDPR and breach confidentiality by sending personal data to the wrong place or making it available online, but that does not give a free hand to the recipient. Anyone who innocently accessed the spreadsheet cannot be held responsible for the fact that they are now aware of personal data to which they were not entitled, but the moment you download the data, there’s an argument that you have obtained it without the consent of the data controller. Sometimes this might not be obvious, but in this case, there can be no doubt that the Cabinet Office did not intend for the data to be disclosed, and so anyone accessing it is doing so without the controller’s consent.

Of course, you might not have realised what you were downloading, so you’re almost certainly not acting knowingly or recklessly at that point. However, it’s probably a safe assumption that in the hour or so that the spreadsheet was available, it was downloaded multiple times. So what of the people who still have a copy? Nobody can be in any doubt about the fact that it was published by mistake, so its continued retention is without the Cabinet Office’s consent.

It would be a bold claim to accuse everyone who still has a copy of committing a criminal offence, but under the 1998 Act, it would be impossible to do so. I’ve been directly involved in multiple incidents where a controller mistakenly sent data to the wrong person and had huge difficulties in recovering the data or securing its destruction. The person hadn’t deliberately stolen a copy of the data or sought to access it, so what do you do if they refuse to hand it back or delete it? Those with long memories might remember the huge bill racked up by Belfast City Council in their ultimately successful attempt to prevent the misuse of data about elected members that they inadvertently sent to a woman in England. The new offence changes the rules. Merely possessing the data is potentially an offence, and I think this should give pause for thought to anyone who still has a copy.

There are some defences that a person can mount – you can argue that retention is necessary to prevent or detect crime, is legally authorised or because of the particular circumstances, is in the public interest. For example, if you retained data because you wanted to blow the whistle or report it to the Information Commissioner, especially if the controller wasn’t going to and you thought they should, I would guess that this would be a solid defence against prosecution. But in this case, it’s clear that the Cabinet Office has already notified the Commissioner, the nature of the compromised data is not in doubt, and it’s difficult to see what public interest there would be in keeping the personal data of innocent people, however badly the Cabinet Office may turn out to have handled it.

There have been, as far as I know, no prosecutions for the retaining offence so far – the only action has been a rather insipid press release from the ICO about a case that they might have been able to prosecute under the new legislation. It’s entirely possible, even likely, that the ICO won’t seek to criminalise people solely for having data in their possession unless they do something nefarious with it or refuse to get rid of it when asked to. Nevertheless, if you have a copy of the honours data on your laptop right now, my very strong advice as your friend and unappointed DPO is to delete it forthwith, and await the outcome of the ICO’s investigation sometime in 2021.