Just the candidates we need

A few months ago, the ICO received a Freedom of Information request on What Do They Know from a ‘Dwayne Dibbley’, asking interesting questions about the recruitment of Ellis Parry to the post of ICO Data Ethics Adviser. As soon as the post was announced, I was interested in how it came about because in my opinion, the ICO has no business creating a wholly optional job like this at a time when it has admitted that the regular work of the office has already been affected by luxury items like the Cambridge Analytica ‘investigation’. The hallmark of Elizabeth Denham’s tenure has been vanity projects and headline-chasing at the expense of the day job, and this seemed to be the pinnacle of her approach. I was, therefore, interested to see what Mr Dibbley’s request revealed.

I knew there was a problem. I didn’t recognise the name, but it didn’t ring true. I could tell it was made up, and so could the ICO (Dwayne Dibbley transpires to be a character in Red Dwarf). Shortly after, they asked for proof of Mr Dibbley’s ID and the request went dead. Technically, the request was not valid, but still, I found their approach annoying. In the same rough period, the ICO accepted FOIs from WDTK applicants as diverse as ‘dan74’, ‘John Smith’, ‘Tilly P’, ‘navartne’ and ‘Gogos’. It might just be the ICO dodging a request because they could, but equally, it might be that they had something to hide.

I decided to make Dibbley’s request myself, explicitly referring to the previous refusal, but adding a question about why they blocked the request, and who decided to do it. Conveniently, they claimed to hold no information about that. However, I received a detailed bundle of correspondence, tracking the post from the development of the job description all the way until the successful recruitment of Mr Parry, and the writing of a blog which was published in the name of the Executive Director for Technology Policy and Innovation Simon McDougall, but which was actually written by the ‘Group Manager, Speechwriting and External Comms’.

There were a few interesting nuggets in the pile of internal correspondence – McDougall is one of those people who works in the ICO’s stupendously expensive London offices (in another FOI, I discovered that when he visits the ICO HQ, he bills the ICO for his meals at the Coach and Four Public House, very possibly the dullest pub in Wilmslow), while Parry was one of only two people to apply for the job. One aspect of the discussions that I enjoyed was the fact that the Data Ethics Adviser’s remit was to include whether the ICO needs a Data Ethics Adviser.

Mostly, it was the kind of dry procedural back-and-forth that you would expect to see a public body go through when creating a new post. Indeed, it was all so boring that the first time I read it, I missed the amazing revelation it contained. On June 14th 2019, at the very beginning of the drafting of the job description, there was an email discussion between McDougall, Ali Shah (the Head of Technology Policy) plus the Head of Innovation, a Group Manager from the Innovation team and McDougall’s Private Secretary. The ICO released all of the emails to me unredacted, naming all of these people, but I’ve decided to leave most of the names out.

As part of the discussion, Shah expressed concern about the scope of the JD.

“Will it have enough specificity to separate out Ellis? I don’t think it does, and reading the JD neutrally, I can think of a couple of people who would be equally or more qualified.”

Note that Shah refers to ‘Ellis’ – this is a person who all of these senior people are apparently on first name terms with. He explicitly did not want to be neutral about a job the ICO is about to recruit, and wanted to change the job description to exclude possibly better qualified applicants. Moreover, when the JD was circulated, the Group Manager added a comment which suggested a change to “and” from “and/or” on one of the criteria, observing:

“There will be a lot of people who have the dp background but not the ethics. Asking for both will narrow the field to just the candidates we need; thinking of Ali’s comment here.”

The meaning is clear – the job description was written deliberately to exclude other candidates so that Ellis Parry would be more likely to get the job. At £45,000, this job is better paid than most in the ICO – the effort to favour this one candidate (if that’s the right word for a job that hasn’t even been advertised) excluded many possibly qualified people from inside the ICO as well as a variety of people outside who have spent considerable careers pondering how data ethics work.

It would be bad for any public sector organisation to stitch up a job for a specific candidate before it had even been advertised – posts should be given on merit, rather than to those favoured by the senior staff. For a regulator that purports to be almost a moral guardian in many contexts to do it would be even harder to swallow. Perhaps only Denham’s calamitous stewardship of the ICO could lead to this shoddy behaviour happening over a job with ‘Ethics’ in the title. I cannot claim that you couldn’t make it up, because these are the people who let a Labour Council Leader run the team that investigates complaints about political parties. Denham is the Commissioner who awarded thousands of pounds to her mates without putting it out to tender, and endorsed a book that she hadn’t read. By now, this is what I expect. None of the senior people in the email chain raised any objection to Shah’s explicit wish to stack the deck in favour of Mr Parry. As far as I can see, they just got on with it.

I have no idea if Mr Parry’s previous career working for BP or Astra Zeneca gives him insights into Data Ethics that put him so far above the rest of the sector that his chauffeured journey to the job could be justified. I would like to be outraged, but actually, the fact that senior people at the ICO were sufficiently unethical to do this and stupid enough to write it down is exactly what I expect the people at this organisation’s overpaid and inflated top table to do. I didn’t think the ICO needed to recruit a Data Ethics Adviser, but this tawdry episode suggests that all of their work should be directed at its own activities. I fear that the ICO is in a bad place, given the grim mixture of incompetence and poor judgement that regularly tumbles out of it. I can only hope that recruitment for Denham’s successor – which cannot come too soon – is delivered more fairly than this was.

National Spam Service

During the hysteria in the run-up to May 2018, one of the ways in which it was easy to spot GDPR practitioners whose sole Data Protection experience was doing That Dreadful Course Run By Those Awful People was their lack of awareness of the Privacy and Electronic Communications Regulations 2003, known to its friends as PECR. As organisations fell over themselves to get ‘GDPR consent’, they demonstrated how much they didn’t know. The crucial elements of both as they related to marketing (and much else) weren’t changing, and the experts advising differently were just demonstrating their lack of understanding.

So it is with a garbled dog’s dinner of a story in the Mail on Sunday, combining anti-EU fear-mongering, moronic MPs, and proud ignorance of how the law works. According to Glen Owen’s feverish tale “Doctors will be banned from warning patients about the risks of coronavirus under EU rules that are set to become law in Britain despite Brexit”. None of this statement is true, and more importantly, the crucial elements on which the story is based are not new. The story claims that the Information Commissioner Elizabeth Denham “is working to put EU data protection laws into a statutory code that the Government would have no power to amend”. As a consequence, doctors would be prevented from sending messages about the corona virus, and “Council tax bills would also rise because local authorities would be forced to print leaflets to publicise services such as bin collections”. This garbage is supported by some frothing at the mouth from dim rentaquote MP Ben Bradley about “bully-boy diktats” and EU red tape.

Bradley is a proven liar whose previous misdeeds include publishing false claims about Indian call-centres, libelling Jeremy Corbyn and standing up for police brutality, so his knee-jerk nonsense should be ignored. There is an interesting quote from an unnamed Downing Street source which is presumably Dominic Cummings, describing Denham as an “unelected anti-Brexit pen-pusher”. Denham has plainly been angling for some kind of involvement in online harms, but given Dom’s disdain for QE2, I suspect she’s not going to be on anyone’s shortlist.

The origin of the story is the Information Commissioner’s draft Code of Practice on Direct Marketing, a document that the Commissioner is obliged by law to create in accordance with the Data Protection Act 2018, legislation passed by the previous Tory Government. Obviously, the current regime may take issue with their predecessors, but if Boris Johnson and his cadre of far-right headbangers don’t want Denham to do what the law requires her to do, they should amend the DPA. Obviously, the content of the code is up to the ICO and so I guess the alleged anti-Brexit conspiracy to smuggle EU red tape into UK law could happen there. The problem with this conspiracy theory is that the EU laws that the Tories and the Mail are so furious about are already on the UK statute book, and will continue to be so. Unless, of course, the Government use their majority to change things, as they have the power to do.

PECR is UK law, so the rules that require marketing emails to be sent to individual subscribers only with their consent are already there. EU GDPR is currently the law in the UK until the end of the transitional period, and after that, specific regulations will automatically convert the EU GDPR into the UK GDPR. The idea that Denham is sneaking anything into UK law in her Direct Marketing code is nonsense. Anyone who claims otherwise is either a liar or a moron. In Ben Bradley’s case, it’s plainly the latter (this is a person who argued for benefit claimants to have enforced vasectomies), but as far as Downing Street is concerned, it’s likely that Cummings is using Data Protection as part of his ongoing game of 3D chess with reality. The Government doesn’t care that the story isn’t true, they just want to keep Brexiters in a heightened state of annoyance and frustration.

The one thing that the ICO does have control over – and this has nothing to do with the EU – is the definition of direct marketing. Unless the government passes legislation that specifically defines what constitutes marketing (something neither Labour nor the Tories have ever done), and until a court gives some definitive judgment on a definition, the meaning of ‘direct marketing’ and therefore the type of message you need consent for, has to be determined by someone. The current someone is the Information Commissioner. The ICO definition includes “the promotion of aims and ideals as well as advertising goods or services”. On this, the ICO has been consistent for more than a decade. Richard Thomas took action against all major political parties in the mid-2000s and won a Tribunal case against the Scottish National Party on the basis of this definition, so the idea that somehow Denham’s interpretation is some kind of plot to undermine Brexit is just evidence of Cummings’ addiction to fake news and lack of attention to detail.

If you drill right down, the seed of the Mail story is on pages 22 and 23 of the draft code, where an example contrasts two different kinds of message from a GP practice. A neutrally-worded message about screening is not marketing, but a text advertising a flu jab clinic would be. To be honest, if I received texts from my GP practice telling me I was due for a cardio-vascular risk check, I would think of it as marketing and expect only to receive such texts with consent, but that’s an argument for a different blog. What the draft Direct Marketing Code is saying is what the ICO has been saying consistently for many years, but unlike the old Direct Marketing guidance, this time they have included public sector examples, of which the GP case is one.

I don’t know how we get from this example in the code to the government propaganda in the Mail – perhaps Downing Street is constantly scanning for opportunities to wind people up over Brexit and the EU. Given that the ICO fined Vote Leave, it’s possible that Cummings nurses a personal grudge against Denham, and so this might simply be a symptom of his wounded ego. It’s equally possible that the NHS isn’t happy that the ICO is turning its attention – at least in principle – to the large amount of marketing that it does under the false guise of public health messages. This could be NHS folk briefing the Mail to defend their ability to spam people about purely optional services.

My point is that the story is wholly without foundation. This isn’t an anti-Brexit plot, and the message that the ICO is sending shouldn’t be controversial. I don’t know about you, but the only messages I receive from my council about bin collection are an annual leaflet explaining how they work – an email would be useless as I would easily delete it, whereas I can put the leaflet on the fridge. Unlike Ben Bradley, I can’t get outraged about the cost of printing a leaflet that I actually need (but which wouldn’t meet the ICO definition of marketing if it was sent electronically). If you want the NHS to have carte blanche to send whatever messages they think we need to hear, get ready for an onslaught of digitised nanny state lectures about drinking, diet and exercise, your phone pinging like a pinball machine.

There will be a lot more of this. The pro-Brexit media / government cabal have to keep the pot boiling and Data Protection is something that many journalists and politicians are too stubborn to get to grips with, so it will be a handy target. It would be nice if there was a competent Commissioner who could put the case for sensible Data Protection. Instead we have Disaster Denham, with her record of one-sided enforcement against pro-Brexit campaigns and her obsession with Facebook and Cambridge Analytica which even her own office has had to admit had nothing to do with Brexit. The Mail gleefully picked on her huge salary, and they could just as easily focus on her expensive tastes in international travel and extending the ICO top table. If the government really does have Data Protection in its sights as Bradley suggests, it’s hard to imagine a worse defender than a profligate absentee who has cocked up nearly every big enforcement case she has touched. I’m not famed for being an optimist, but we have a government stupid and ideological enough to ruin Data Protection, and a Commissioner without the moral authority to stop them. Indeed, I’ll make a prediction – the GP examples are correct, and the ICO will cut them from the final version of the code in hopes of appeasing No 10.

Nevertheless, when you read this kind of nonsense in the Mail, remember to take it with a pinch of salt that definitely exceeds NHS guidelines.

Second Class

The Times published an interesting story on Saturday about businesses being approached by the Information Commissioner’s Office. According to the story, thousands of small business owners and landlords have received “heavy-handed” letters about the annual fee which many organisations are liable to pay under the Data Protection Act 2018. The GDPR abolished the requirement for controllers to register with their supervisory authority, but the bureaucracy has been maintained to provide funding for the ICO’s Data Protection activities. Ostensibly, the ICO chasing up people who by law owe them money should be uncontroversial, but like most things that Wilmslow gets involved in, it isn’t that simple. For one thing, I don’t know how the ICO is selecting their targets, but as the Times reports, a lot of recipients are actually exempt. Half of the clients of a tax advisor quoted are exempt, and I’ve been approached by a number of people being chased over dormant or dead companies. It would be interesting to know what criteria are being used.

A bigger concern is what the ICO is going to spend the money on. Small businesses have to pay the ICO at least £35 per year, but their spokesperson said in the article that “The fees are used to provide services to help organisations process and manage the personal data they are responsible for in line with their legal obligations and in ways that may inspire public confidence”. I’d question whether the ICO will itself inspire much public confidence, and whether businesses will be as keen to pay up, when they find out what the ICO has been spending their money on. A series of fascinating FOI requests on What Do They Know, as well as requests I have made, demonstrate that services to help organisations aren’t the only essentials on which the ICO budget is spent.

In the 12 months leading up to the end of November 2019, the ICO spent £49,043.16 on first and business class flights, luxury enjoyed by eight senior ICO officials on just 20 occasions. Elizabeth Denham CBE turned left most often, with 7 of the flights at a cost of £15,793.88, closely followed by her deputy James Dipple-Johnstone, who was lucky enough to escape the indignity of economy class on five occasions, for the bargain price of £10,612.70. Fans of Mr Dipple-Johnstone’s idiosyncratic stewardship of the ICO budget will remember his expenses claim when caught out while on a jolly to conferences in Asia and New Zealand. When his flight from Doha was diverted to chilly Vienna, he was prevailed upon to buy a jumper and some warm trousers, but thankfully the ICO was able to pick up the tab. Other Wilmslow luminaries taking advantage of the ICO’s seemingly generous travel policies included the Director of Freedom of Information Gill Bull, the Director of Investigations Stephen Eckersley, one of Denham’s other deputies Steve Wood and Simon McDougall, friend of the advertising industry (he does have a job of some kind, but I have no idea what it is). The most expensive single booking was for the Director of Strategic Policy Amanda Williams, whose airmiles came at a cost of £4419.32. Williams took only one luxury trip, so it’s nice to know that it counts.

To put this already profligate spending into perspective, Denham’s flights accounted for the fees of 450 small businesses, while Dipple-Johnstone’s swallowed 303. Williams’ chart-topping trip gobbled up 126 small business fees by itself. In total, the cost of first and business class flights for the pampered elite at the ICO’s top table ate up 1400 small business fees. So much for services to help them, all of these companies paid for Mrs Denham and her courtiers to get extra legroom and hopefully some bubbles as they wait to take off. I’m sure that whichever three small businesses stepped in to fund Dipple-Johnstone’s cold weather ensemble are glad he didn’t get a chill.

But that is not all. The only place I have ever seen Denham in the real world is the First Class Lounge at Euston Station, but this is unlikely to have been a one-off visit for the Commissioner. Of the 43 first class rail journeys made in the same period by ICO staff, 32 were claimed by Denham, with the other eleven split between the usual suspects (JDJ managed only three, with Steve Wood nabbing 5). The costs of the first class trips were obviously lower than the flights (£5777.75, with £3806.65 accounted for by Denham) but nevertheless, I’m sure the 108 small businesses who kept the Commissioner and her colleagues away from the indignity of standard class will feel that their contribution to the work of the ICO was not wasted. We cannot expect the leaders of the UK’s Data Protection hub to go without free tea and coffee and those lumpy chocolate biscuits that people pretend they are taking for their children.

Of course, you might accuse me of hypocrisy as I unashamedly go first class on a regular basis. I write this on a Sunday afternoon, knowing that I will be in First Class tomorrow morning. The point is whose money I am spending. When I charge expenses to clients, I only ever invoice for standard class prices, and 2040 Training Ltd is a private company of which I am the sole shareholder. I’m not spending your money, or that of millions of businesses that I am cajoling to pay up. Moreover, doing less than half of my work journeys in First Class is about the only corporate expense that has any direct benefit to me personally. The same cannot be said for the ICO and Elizabeth Denham. As I wrote about last year, the ICO spent just shy of £18,000 on executive coaching for Denham. As revealed in another WDTK FOI request that the ICO answered 4 months late, the former Canadian Minister for Trees Philip Halkett was hired without any external advert or tender process. I followed up this request with one of my own for recorded information about some of the contracts. I asked what qualified Halkett for such special treatment, and ICO explained that as her former executive coach, he was “uniquely placed to deliver the service”. The only recorded information they could give me about what he provided was a single line in the contract (the rest of which was withheld). 514 small businesses paid their fees so that Halkett, a retired Canadian with no experience in Data Protection, could provide “coaching and strategic advice as required by the Commissioner from time to time”.

Needless to say, none of the UK fee paying businesses were permitted to put themselves forward for the coaching work, or for the £20,000 ‘service excellence’ consultancy (571 small business fees) awarded without a tender process to an academic in Canada. The ICO’s own lawyers questioned whether that contract had been awarded lawfully, only to be told by Director of Resources Andrew Hubert that “The ICO appointed Mark Colgate as he is the author of the methodology we wanted to use so uniquely placed to present that methodology to our staff. Basically he is sole author and sole supplier. We are happy to accept the procurement risk on that basis.” The emails show that neither Procurement nor the ICO’s Commercial Legal team were involved in the process of hiring Colgate. Whether ICO staff actually needed his TOFU-based customer service guff is debatable, but the idea that none of the hundreds, if not thousands of UK-based customer service experts who have to fund the ICO were even worth considering, but this bloke from Denham’s home town was the only possible candidate is fanciful. That no proper processes were followed and the ICO hired Colgate on the basis of a one-page emailed proposal that boils down to ‘I’ll do some training and give your team managers my book’ ought to concern everyone.

Taken together, these FOI requests paint an odd picture. Senior officers travel the world in first class to attend conferences that build their profiles, but offer scant benefits to UK-based businesses. Friends of the Commissioner are paid thousands of pounds without any due process. The most charitable way I can describe this is self-indulgent and lacking in oversight, but the problem is that Denham’s tenure is characterised by poor judgment. The Information Commissioner’s Office has spent millions of pounds investigating the Cambridge Analytica / Facebook ‘scandal’ only to find that it didn’t involve UK Facebook users. That investigation culminated in a bizarre humiliation, with Facebook invited to repudiate the whole thing on the ICO’s own website, and commended by the Commissioner for their sterling privacy work. The massive BA and Marriott fines, wildly out of proportion when compared to the rest of Europe, appear to be in disarray, delayed for three months without any explanation. Confirmation that this had happened had to be dragged out of Wilmslow by lawyers and journalists who realised that the time limit to complete them was running out. There is still no formal statement on the ICO’s website about this massive development. Journalists attending appeals against enforcement action against Leave.EU and Eldon Insurance tell of the ICO’s own barrister admitting that the ICO’s decision-making process fell short of what should be expected, with no internal records of the decision to act available. The outcome of that case is coming in February.

A regular reader of this blog complains that every other entry is just me moaning about Liz Denham, and it’s true that I am a long-standing driver of negative sentiment (as I was once delightfully labelled by the ICO’s PR people). But this isn’t just the random potshots of a disaffected show-off. The ICO’s staff (i.e. the people who actually do the work rather than chase the headlines) are famously paid well below the market rate, and yet the ‘Leadership Team’ are circling the world in First Class, hiring their mates and botching high profile investigations that probably never should have started. 2040 Training has paid its fee for 2019/20, but I wonder what I’m getting for my money. According to the ICO Annual Report, Elizabeth Denham is paid £160,000 per annum, plus a “non-consolidated, non-pensionable annual allowance of £20,000”. If she wants coaching, she can afford to pay for it herself. If she needs coaching (and the meltdown I describe above suggests that she might), she is in the wrong job. At the very least, she should pay back the £18000 paid to Halkett and stop expecting the fee-paying organisations of the UK to fund her taste for luxury travel. The rumours circulating in government suggest that the ICO’s sponsor department, the DCMS, is for the chop. If that is true, before their time runs out, they must dig into Denham’s chaotic, self-indulgent regime and ensure that the thousands of businesses who keep the ICO afloat are not being taken for a ride.


New Year Dishonours

There’s never a good time to accidentally publish a huge batch of personal data online, but the interregnum between Christmas and New Year, when nothing happens and most people are bored is a particularly unfortunate moment to choose. The Cabinet Office’s foul-up in publishing the home addresses of the thousand or so people in receipt of a gong as part of the New Year’s Honours was particularly ill-timed, but given the diverse nature of those affected, it’s hard to imagine that there would ever be a time where it wouldn’t hit the headlines. The location of Elton John’s mansion is probably not a secret, but many honours recipients are not celebrities, and some might be put at risk by their addresses being known.

In many ways, the story is familiar. The Cabinet Office say it’s an accident, the BBC dig up a Data Protection ‘expert’ I’ve never heard of to say nothing in particular about it, and everyone on LinkedIn has made their mind up. But there is one interesting aspect that recent changes to legislation have significantly altered. One of the other people enjoying a moment in the spotlight was the CEO of a software company. He downloaded the spreadsheet on Friday night, and regaled Radio 4’s PM programme with the details of the diligent research he had done into the homes of some of the people on the list.

The GDPR does not apply to the data processing activities of “a natural person in the course of a purely personal or household activity”, but the Data Protection Act 2018 (like its predecessor the DPA 1998) works differently, and significantly differently for situations like this. Section 170 makes it an offence for a person knowingly or recklessly to “obtain or disclose personal data without the consent of the controller”, to procure such an unauthorised disclosure and finally “after obtaining personal data, to retain it without the consent of the person who was the controller in relation to the personal data when it was obtained”. The obtaining, procuring and disclosing elements were there before, but the offence of retaining data is new. A legal entity could clearly be charged with any of these offences, but the majority of prosecutions (mounted unusually by the ICO rather than the CPS) for the old S55 and the new S170 offences are individuals.

And here’s the punchline. It’s quite possible that the Cabinet Office’s procedures and controls are flawed, or their training is deficient (or both). In such circumstances, the organisation would have infringed the GDPR and potentially face a fine as a result. Given the Information Commissioner’s obsession with headlines and over-reaction to high profile events, I suspect a fine in this case is quite possible. It’s also possible that everything inside the Cabinet Office is absolutely mint and this is just a monumental cock-up. I don’t know, and I’m prepared to wait and see what the ICO finds out when they investigate. I might relentlessly take the piss out of the Commissioner’s Office, but one of the things I’m happy to acknowledge that they’re good at is getting to the bottom of security incidents and why they happened.

However, none of that makes any difference to anyone who accesses the honours spreadsheet. An organisation may significantly infringe GDPR and breach confidentiality by sending personal data to the wrong place or making it available online, but that does not give a free hand to the recipient. Anyone who innocently accessed the spreadsheet cannot be held responsible for the fact that they are now aware of personal data to which they were not entitled, but the moment you download the data, there’s an argument that you have obtained it without the consent of the data controller. Sometimes this might not be obvious, but in this case, there can be no doubt that the Cabinet Office did not intend for the data to be disclosed, and so anyone accessing it is doing so without the controller’s consent.

Of course, you might not have realised what you were downloading, so you’re almost certainly not acting knowingly or recklessly at that point. However, it’s probably a safe assumption that in the hour or so that the spreadsheet was available, it was downloaded multiple times. So what of the people who still have a copy? Nobody can be in any doubt about the fact that it was published by mistake, so its continued retention is without the Cabinet Office’s consent.

It would be a bold claim to accuse everyone who still has a copy of committing a criminal offence, but under the 1998 Act, it would be impossible to do so. I’ve been directly involved in multiple incidents where a controller mistakenly sent data to the wrong person and had huge difficulties in recovering the data or securing its destruction. The person hadn’t deliberately stolen a copy of the data or sought to access it, so what do you do if they refuse to hand it back or delete it? Those with long memories might remember the huge bill racked up by Belfast City Council in their ultimately successful attempt to prevent the misuse of data about elected members that they inadvertently sent to a woman in England. The new offence changes the rules. Merely possessing the data is potentially an offence, and I think this should give pause for thought to anyone who still has a copy.

There are some defences that a person can mount – you can argue that retention is necessary to prevent or detect crime, is legally authorised or because of the particular circumstances, is in the public interest. For example, if you retained data because you wanted to blow the whistle or report it to the Information Commissioner, especially if the controller wasn’t going to and you thought they should, I would guess that this would be a solid defence against prosecution. But in this case, it’s clear that the Cabinet Office has already notified the Commissioner, the nature of the compromised data is not in doubt, and it’s difficult to see what public interest there would be in keeping the personal data of innocent people, however badly the Cabinet Office may turn out to have handled it.

There have been, as far as I know, no prosecutions for the retaining offence so far – the only action has been a rather insipid press release from the ICO about a case that they might have been able to prosecute under the new legislation. It’s entirely possible, even likely, that the ICO won’t seek to criminalise people solely for having data in their possession unless they do something nefarious with it or refuse to get rid of it when asked to. Nevertheless, if you have a copy of the honours data on your laptop right now, my very strong advice as your friend and unappointed DPO is to delete it forthwith, and await the outcome of the ICO’s investigation sometime in 2021.

The Hangover

Another day, another story in the Observer about Dominic Cummings and the Brexit vote, inspired (if that is ever the right word in this context) by revelations from Ian Lucas, the former MP for Wrexham. Lucas did not stand in the 2019 General Election and his former seat went to the Tories. Notwithstanding his decision to step down from politics, his determination to re-fight the 2016 Brexit Vote is undiminished, despite the fact that Boris Johnson’s victory means that Brexit is now a certainty, and any hope of going back in time is dead and gone.

Lucas has now passed correspondence he obtained when an MP to the Observer. Inevitably written up by the paper’s Cummings Conspiracy Correspondent Carole Cadwalladr, the revelation is that in correspondence with the Information Commissioner, Cummings said that had the referendum been won narrowly by the Remain side, he would have contested its legitimacy. Cummings claimed that the electoral process is compromised and nobody has done anything about it. I guess there might be some minor interest in seeing Cummings’ hypocrisy exposed – the man who lectures Remainers about picking which votes to respect turns out to be unprincipled and two-faced. Given the Leave campaign’s now total victory in the Brexit debate, I’m not sure what the point really is.

There is, however, an interesting angle to the story which is very relevant to today, especially given the large numbers of MPs on all sides who were either vanquished on Thursday night or decided like Lucas that their time was done. In Data Protection terms, politicians have a complicated identity, being associated with a number of different data controllers. As a party representative, an MP is likely to receive or have access to data from their party, and so must answer to them. Separately, as an MP, MSP, AM or councillor, a politician may well have a committee or other official role that gives them access to personal data for which the Parliament, Assembly or Council will be controller. Finally, as a representative of constituents and for other specific purposes, a politician will be a controller in their own right, liable directly for the way in which they use personal data.

When they cease to be an elected representative, much of this falls away. There isn’t much personal data in Cummings’ correspondence with Wood, but there is some, and Lucas isn’t the data controller for that data – Parliament is. Lucas’ role on the Culture, Media and Sport Committee will undoubtedly have given him access to private, possibly confidential data and some of it would have been personal data. Considering the scope of other Committees – health, security, and other sensitive matters – other ex-MPs will have significant data in their possession which should be in the control of Parliament. The same goes for lists of supporters or volunteers which are the responsibility of the party, not the ex-MP. Even the constituency casework data, for which the ex-MP would be responsible, should arguably be disposed of or passed on to either the new MP or the local party. The purpose of providing sensitive personal data to your MP is for your MP to represent you – if that person is no longer doing that job, it’s arguably a breach of the first principle (fairness), the second principle (purpose limitation), and the third principle (relevance) for a former politician to retain their casework data once they have left office.

There are two serious issues here. The institutions must have clear processes to secure and recover personal data held by their former representatives. Once an MP has left Parliament by whatever route, if the Parliamentary authorities do not have processes to ensure that data is handed back and devices erased, this is very likely to be a breach of the GDPR’s security requirements to have appropriate organisational measures in place. I don’t underestimate the difficulty of this exercise with ex-MPs and their staff literally scattered across the UK, but if Parliament is the controller, they are required to recover the data. The same is true for the parties – if (for example) Jo Swinson remains an active member of the Liberal Democrats, it might well be reasonable for her to retain personal data she held as a LibDem MP, but if she walks away, the party needs to obtain any data she used as a LibDem representative or see to it that it has been deleted. This is particularly important in a world where politicians will jump from one party to another.

The flipside of this is that the Data Protection Act 2018 makes it a criminal offence for a person to retain personal data without the authorisation of the data controller. If Parliament is the controller for the Cummings correspondence, Lucas has by his own admission retained and disclosed it without Parliamentary approval: “I used every means possible to secure the publication of them by parliament but ultimately was blocked from doing so, so I have chosen to make them public myself”. I wondered whether there could be an argument that MPs are joint controllers for all the data they access from Parliament or Party, but Lucas was an MP for 18 years and knows a lot more about it than I do. He doesn’t seem to think he was controller of the data, so I think that’s very persuasive. Any ex-MP who merely keeps data for which Parliament or Party is controller is likely to be committing a criminal offence, and any disclosure or other use of the data only multiplies the possible offences. There is, of course, a public interest defence to an allegation of these DP offences, but I believe that this should be tested.

The irony of Lucas’ claims to be valiantly exposing the truth about Cummings’ hypocrisy (and Cadwalladr’s enthusiastic reporting of it) is that the correspondence in question has apparently been on Parliament’s website since March 2019, made available following contempt proceedings against Johnson’s goblin advisor. I’ve never been a fan of Lucas’ self-promoting antics or Cadwalladr’s wayward approach to fact-checking, but this particular story is a joke. It does inadvertently raise a serious point about the conduct of Lucas and other ex-MPs; if Cadwalladr and the Observer are as concerned about data protection as they claim, looking at misuse by ex-politicos would be a more fertile area of research than old news from 2017 that was already in the public domain.