Due to the activities of a particularly noisy blackbird, I woke at 5.15am, and so headed to the ICO’s website to see if they had published their long-awaited report into politics and data analytics. The press release was there, and the report itself was tweeted out a little while ago. Given all the noise and hype (and an enormous amount of misinformation), I have a few observations about the interim report. Given that I predicted that the ICO would do nothing, I should be delighted that Wilmslow has finally decided to respond to all of my goading by taking action, but it’s not quite that simple.

  1. Despite the headlines and strong statements from whistleblower Chris Wylie, Facebook have not been fined £500,000. They might be, but what ICO has done is issued a notice of intent, which means that Facebook has the opportunity to make representations before the fine is issued – if it is. It’s entirely possible that Facebook will pay up and move on, but equally, it’s possible that they’ll make representations that kill off the fine altogether. Finally issuing a maximum penalty after the DPA 1998 is technically dead is a very ICO move, but it hasn’t happened yet. If they pull it off, I will be thrilled to have called this one the wrong way.
  2. The much-vaunted ‘criminal prosecution’ of SCL Elections has an element of a government announcing previous spending commitments as new money. As far as I can see, the prosecution (which hasn’t happened yet) is against SCL for their alleged failure to comply with an enforcement notice served because of their alleged failure to comply with a Subject Access request made by the US academic, David Carroll. I have already made myself deeply unpopular by suggesting that a regulator with a relatively hesitant approach to enforcement should not be prioritising the DP rights of non-EU citizens. If Americans want DP rights, they should pass laws like California is doing, rather than using UK taxpayers’ money to refight the Trump election. Nevertheless, the really interesting thing is that the notice was served after SCL went into administration, which means that either ICO intends to prosecute the directors under Section 61 of the DPA (which would be a bold move indeed, given that the directors presumably are no longer in control of the company) or they’re going after the administrators, which is bullshit.
  3. There is an enforcement notice against the Canadian company AIQ – this is quite something, as it is the first time that the ICO has used its GDPR powers to place a limitation on processing (i.e. the processing of data about UK and EU votes obtained unfairly by AIQ). I have no idea how ICO intends to prosecute AIQ if they fail to comply with the notice, what with them being in Canada. It’s entirely possible that AIQ will go along with it for a quiet life. I think the notice is unenforceable if they decide to flip Mrs Denham the bird.
  4. Despite the war between Carole Cadwalladr and Aaron Arron Banks (reminder to wash my hands after typing that name) that has provided the background noise for the ICO’s investigation, it’s interesting that the ICO is not currently taking action against Leave.EU. Indeed, there’s nothing new on Cambridge Analytica either. However, the ICO confirms that they are still looking at Leave.EU, but also at Vote Leave and the Remain campaign. As someone who thinks that leaving the EU is a slow act of national Seppuku, it’s fascinating to learn that ICO seems to think the analytics issue might be more of an ‘everyone’s at it’ than ‘democracy stolen by Leave’.
  5. The most intriguing part of the report is the one getting the least headlines. As well as possibly issuing a penalty on Facebook, they’re also going after Emma’s Diary, a data broker that preys on pregnant women. Despite all of my misgivings about whether this long-running saga is a good idea when carried out at the same time as the implementation of GDPR, if the investigation finally forces the ICO to tackle the ugly underbelly of the UK’s trade in personal data, it will be a wholly good thing. ICO has avoided tackling data brokers and credit reference agencies for decades, and if they finally get dragged into the spotlight, that can only be a good thing.


  • The Directors of SCL Elections will not be prosecuted successfully.
  • Facebook will not pay a fine of £500,000 (there may be a fine).
  • AIQ will grumble and make a show of complying, even though they know the notice is unenforceable.
  • The ICO will not take enforcement action against any major political party as a result of the investigation. There will be UNDERTAKINGS.

I will be delighted to be proved wrong on any of the above.



Email sent 25/05/18, 17.29


I would like to request all personal data associated with myself held by your company, in accordance with my rights under the GDPR.

The following information should allow you to identify me:
I live at [HOME ADDRESS]. My business name is 2040 Training, and my business address is Courthill House, 60 Water Lane, Wilmslow, Cheshire SK9 5AJ, UK, Company No: 6682698

You may hold data associated with me via the following email addresses and phone numbers: [PERSONAL EMAIL WITH MY NAME IN IT], [SECOND PERSONAL EMAIL WITH MY NAME IN IT], tim@2040training.co.uk, [EMAIL WITH MY NAME AND COMPANY NAME IN IT], [LANDLINE], 07508341090 or [PERSONAL MOBILE] or the Twitter handle @tim2040

My request includes any personal data held about me, including any assumptions, characterisations, classifications or inferred data recorded about or associated with me, as well as any factual, contact or other personal data and correspondence concerning me either internally or externally.

This should also include a clear indication of the source for all information held about me, and the names of any data controllers to whom my personal data has been passed. If you require any further information, please do not hesitate to contact me. Please note that all personal data including in this request has been supplied solely for the purpose of identifying data already held by your organisation, and none of it should be retained or added to records you hold for any other purpose.


Tim Turner


Email sent 25/05/2018, 21.27


Thanks for reaching out to us. I am glad to see that some are not wasting any time in exercising their rights!

Here are the definite answers I can provide at this stage:
* I have not found the email address tim@2040training.co.uk in our systems.
* I am not sure under what basis you are making your request for business information we might hold concerning the “2040 Training” business. The GDPR would not be applicable to that situation. If there is something I am missing, please let me know.

Otherwise, a constant concern with Subject Access Request is to confirm the identity of the person making the request. For this reason, before responding to any request concerning the other identifiers, I first need to confirm that the owner of those accounts actually did wish to formulate such a request. Therefore…
* for each of the other email addresses, please resend a direct request from that email address, so we can confirm they are yours.
* for each of the phone numbers, please send a copy of a recent phone bill in your name to confirm that you hold this phone number.
* for the Twitter account @tim2040, please contact us directly at @PersonalDataIO, and we can take it from there.

Finally, for the request concerning your home address, I will need some type of proof to confirm you live at that address. A utility bill in your name would do.


Paul-Olivier Dehaye



Thanks very much for this.
You’ve given me everything I need here.
Best wishes


Great. Happy to help. Thanks for making our service better.





There’s a very long way to go on that.




Baby steps!




Under Article 17 of the General Data Protection Regulation, I would like to request that you erase any personal data held by your company or any of its employees or volunteers in relation to myself. Specifically, I request that you erase any reference to any of the emails or phone numbers provided in my email to you from this address on 25th May 2018, including the email itself.
If you held any of the information before 25th of May, I expect you to erase it.
If you refuse to erase any personal data connected to any of the identifiers specified in my request of 25th May 2018 without proofs of ID, please let me know.
Best wishes
Tim Turner

A brief word from our sponsors

I haven’t blogged in a while because of a heavy workload, inspired by the oncoming train / Sword of Damocles / impending apocalypse that May 25th represents. In the meantime, permit me to do a bit of advertising.

Believe it or not, GDPR is for life, not just the 25th May 2018.

So if you intend to run a business, charity, public authority or other organisation, and what to know about GDPR Rights like the Right to be Forgotten, Subject Access or Portability, if you want to know what PECR means for marketing or fundraising, or if you just want to know how GDPR works, I am running courses in May that can help you. I’ve been a DP Officer, I have 17 years of data protection experience, and I use my DP rights to track down and control my data, so I can show you what’s good and bad across the DP world.

The courses are GDPR Rights in London and Manchester, GDPR and Marketing in London, and GDPR SOS for the second time in London – all at the end of May, all £250 + VAT. I’m not doing any courses on the 25th May itself as I will be using my Data Protection rights for wholly mischievous purposes against people who deserve it. Expect to read blogs about that in the future.

Find out more about the courses here: http://2040training.co.uk/gdprcourses/

Book here: http://2040training.co.uk/booking-form/

SARpocalypse Now

As expected, the Information Commissioner has announced that her office will be running a campaign promoting GDPR rights to members of the public. As anyone could have predicted, some of the excitable GDPR community on LinkedIn are now working themselves up into a lather about the ensuing SARmageddon that will ensue from this development. Previously, the same people were complaining that the ICO hadn’t launched a massive campaign, as if it was the regulator’s duty to whip up the public mood to help them sell their software.

The idea of GDPR prompting an avalanche of Subject Access requests isn’t new – Certified GDPR Practitioners and other salesmen have been confidently predicting it for a while, building the fantasy on rather shaky foundations. One false notion is that GDPR abolishes the fee for SARs and other data protection rights. It does, but many organisations do not charge the fee now so it’s unlikely it will make a difference to the number of requests they receive. Someone I trained this week gets 4000 a year, so the idea that receiving lots of requests will be new to many organisations is either ill-informed nonsense or a sales pitch. It’s only people who have no experience of Data Protection who think that a high volume of requests is novel.

Another claim is the PPI-style onslaught of compensation claims that the SARnami will supposedly serve. The problem with this is the flawed comparison between PPI and Data Protection. I’ve said this dozens of times, and I’ll say it again: PPI was widely and aggressively mis-sold. Most PPI claims were valid, and if the banks / financial institutions fought the claims, they would usually have lost. The process for a DP claim is first, establish that there has been a breach of GDPR / DP; second, establish evidence of some adverse effect; third, sue and hope to persuade a judge that the adverse effect is worth compensation. That’s a tall order.

Of course, many businesses may choose not to contest these claims, and that may fuel SARs and other rights requests. In my opinion, if a business gets bogus DP claims and settles them because it’s easier or cheaper, they’re contributing to an unhealthy culture and making it harder to implement DP sensibly for everyone. It’s instructive to see what happens when claimants actually get into court and what a balls-up they make of it: this should happen more often. If data controllers take a robust approach with cack requests and dare the Commissioner to do something about it, it’s not hard to imagine what would happen (and if you think it’s FINEmageddon, you’re reading the wrong blog, friend).

The worst example of this scaremongering is the SAR as DDoS attack. I remember this bollocks from the days when I worked at the Information Commissioner’s Office and the rumour spread that FOI would be used as a tool to disable public authorities. Admittedly, Walberswick Parish Council was temporarily knocked over by a persistent FOI campaign, but what happens in Parish Councils is not a reliable guide to anywhere except Parish Councils. Now, a variety of IT and risk management companies have returned to the theme. Only this weekend, Matt Hodges-Long was predicting SAR DDoS attacks as soon as May comes. In a coincidence that no screenwriter would accept as plausible, Mr Hodges-Long happens to be CEO of a company that sells risk management software that might help businesses cope with such attacks.

I know, right?

Think for a moment about how a SAR DDoS would work. In Mr Hodges-Long’s scenario, imagine thousands of data subjects deciding to submit a ‘single’ request to a company on the same day. How would this work? Firstly, someone would need to organise it. They would have to find thousands of people with the same grievance against the same organisation. Making a SAR isn’t the same as signing a 38 Degrees petition – you have to contact the data controller directly and ask for your information, so it’s a lot more than just filling in a form. The organiser would either have to coordinate the activity themselves, which would require obtaining proof of consent and proof of ID from every applicant (otherwise they would likely be breaching GDPR themselves), and then send the 1000s of requests, or they would have to issue clear instructions to all of the 1000s of people to ensure that they all did it at the same time.

GDPR requires the data controller to check ID when dealing with a request, so if suddenly 1000s of requests arrive en masse, if the data controller just BCCs them all asking for proof of ID, every single request is automatically invalid. GDPR also allows the data controller either to charge or refuse a request if it is manifestly unfounded or excessive. Imagine the amount of time and organisation it would require to either make all requests on behalf of 1000s of people, or coordinate the making of these requests at the same time on the same day. Imagine doing so in secret, leaving no trace for the data controller to find online. If a request has only been made for the purpose of attacking the organisation, and the controller can show evidence for this, what possible foundation could the request have?

I believe that if a campaigning organisation decided to use SARs as a method of DDoS, the data controller could refuse them all as excessive or unfounded (or both) and dare the Information Commissioner to do anything about it. Bear in mind that this is the same Commissioner who found systematic failure to answer subject access requests in the Ministry of Justice, and gave them almost a year to clear them up. They also sneaked the notice out just before Christmas without a press release, in one of the more shameful episodes of this generally unedifying period for Data Protection. If you think this same regulator is going to take the side of anyone using GDPR rights as way to attack data controllers for the sake of it, you are either an idiot or you’re selling something.

GDPR will change things. There will be more requests of the type we already get, and requests that we don’t currently get. For the mischievous, there is ample scope to use GDPR to take pot-shots at organisations. I’m going to do it myself. But the idea that we’re teetering on the brink of a World War SAR is hype to sell software. Anyone who tries it deserves to get called out and right-thinking people should shun their products in favour of a sensible, measured approach of deleting irrelevant data, improving retention policies, and developing / embedding / sustaining slick and robust rights procedures. Knowing where your data is, who will look for it when asked to and how they will look will pay off much more than a tool that you probably don’t need.


Checks and balances

A while ago, I was asked by a prospective client to provide a criminal records check before getting a big piece of work. Given that I wouldn’t be handling any personal data or getting access to children or other vulnerable people, it seemed like overkill. The awkward part of me wanted to suggest that the requirement was close to being an enforced subject access request, which would be a criminal breach of Data Protection law. Enforced subject access requests occur where a person is obliged to provide a data controller with the result of a subject access request for criminal records in return for employment or a service.

Then I looked at the number of days’ work they were offering and the pragmatic part of me kicked in. I don’t have a criminal record, so I applied for and sent them a disclosure certificate saying so. It occurred to me that if I tried to make an issue of principle out of it, it might look like I had something to hide. I imagine it’s a terrible situation to be in if you have got a record and are trying to move on, but to be selfish, I don’t and it seemed odd to create the impression that I might have. And I wanted the work.

Last week, a prosecution by the Information Commissioner against the insurance company Hiscox for the enforced subject access offence collapsed. A customer, Irfan Hussain, was attempting to claim on a £30,000 watch he had lost, and Hiscox wanted to see his criminal record before paying out. He refused, and complained to the ICO. The case collapsed when the unlucky horologist was too unwell to give evidence.

I can’t help thinking that this was an odd choice for a prosecution. Even if Hiscox tried to force their customer to provide his information, was this unreasonable? He had already stated that he had no criminal record (according to the FT), so all Hiscox were apparently asking him to do was prove that what he had said was true in the light of his claim. The means by which they proposed to do it might technically have been an enforced subject access request, but there’s surely a difference between something technically being an offence and it being worth mounting a prosecution on it. The provisions contain a public interest defence, and Hiscox’s public comments after the trial suggest that this was their strategy. I suspect it might have worked. Especially as this seems to be the ICO’s first attempt at an enforced subject access case, was this really the best place to start?

The business of criminal records checks overall works in mysterious ways. Hiscox are reported to have asked Mr Hussain to make a subject access request to the Criminal Records Office, which is run by the National Police Chief’s Council. This is not the same as applying to the Disclosure and Barring Service or Disclosure Scotland for a certificate or a disclosure, but having been through the process, I have to admit that I am somewhat confused at the difference.

To get my disclosure, I made a written application, proved my identity and then paid a fee to receive a copy of personal data that related to me, or confirmation that no such information was held. The basic check comes through faster than a subject access request (about 2 weeks, although mine came in matter of a few days) but it’s also more expensive (£25). In my case, nothing was held but that’s neither here or there. There is statutory provision for access to this information via the Criminal Records Bureau set out in the Police Act 1997, replaced by the Disclosure and Barring Service in 2006 via the Safeguarding Vulnerable Groups Act 2006. Someone is going to tell me that applying for a certificate is different to applying for subject access, but that raises some questions. If Hiscox had told Mr Hussain to apply for a certificate like I did, it’s exactly the same outcome – a person is obliged by a data controller to obtain information about their criminal history and then cough it up – but if it’s not subject access, no prosecution could be possible.

An individual can obtain a basic check that shows their unspent convictions and cautions, both of which are listed as a relevant record in the DPA section that creates enforced subject access. The ICO’s guidance doesn’t explain the position if a person was forced to ask for a basic check. That check might not give everything that a data controller might want, but it’s full information about a person’s recent criminal history. If obliging someone to ask for a basic check isn’t enforced subject access, it’s a loophole. But if a basic check is essentially a subject access request by another name, it shouldn’t be £25 now, and it should be free after May 25th.

It’s clear that the DBS doesn’t think that forcing an individual to ask for a basic check would be enforced subject access or illegal in some other way because their website says this:

You can’t carry out a basic check as an organisation – you must ask the person to request their own basic DBS check. A basic check shows unspent convictions and cautions.

This implies that asking a person to carry out a basic check when you can’t make an application yourself is acceptable, even though these are very likely to be circumstances where a person can’t meaningfully refuse. There are no warnings about compulsion during the application process via the DBS website. So why is a subject access request to ACRO magic, acceptable only when uncontaminated by duress, but a basic check isn’t? The amount of data disclosed isn’t exactly the same, but the outcome – being forced to disclose your criminal history when it might be unnecessary or excessive to do so – might be identical.

It took a long time (from 1998 to 2015) for enforced subject access to be fully enacted. Now it’s in force, the Hiscox case doesn’t give cause for optimism that anything will change. I have doubts about whether it was a good idea to prosecute Hiscox, but I have heard first hand terrible stories over the years about data being demanded when it should not have been. Having used the system, the way in which criminal records are made available gives me little confidence that such unnecessary and unfair demands for personal data are properly prevented. After the failure of the Hiscox case, even if only because of an ill-timed illness, the ICO needs to go in again and draw a line somewhere.