Human Wrongs

A few years ago I went to Strasbourg, home of the famous European Court of Human Rights. After admiring the building itself, I noticed a disabled man camping on the other side of the tracks that take visitors to the tram stop named, rather piously, ‘Droits De L’Homme’. He had a huge display in several languages, setting out the appalling injustice that the Court had dealt him by not upholding his case. There were several such men, who would no doubt have treated a ECHR victory as total vindication, but the loss was evidence only of the Court’s bias and corruption. I immediately thought of the notorious FOI applicant and progenitor of vexatious caselaw Alan Dransfield, and wondered if one day, he would be one of the poor souls, earnestly telling his sorry tale to tourists. This is unlikely of course, because Dransfield would spend his time shouting at every passer-by that they were a dickhead.

Nevertheless, the website ‘Amazon News Media’ chose to celebrate International Human Rights Day last month (10th December, diary fans) by publishing an open letter from Dransfield to the Justice Secretary Elizabeth Truss. Fans of Dransfield’s work will be pleased to see a number of familiar themes in the letter. Dransfield claims that the Information Commissioner’s Office is guilty of fraud and theft of public funds. There is ‘tangible evidence‘ that they, along with multiple public authorities, are involved in a conspiracy to pervert the course of justice:

The evidence of complicity between the ICO and Public Authorities seeking to avoid obligations under FOI by consistent misuse and abuse of Section 14/1 vexatious exemption is overwhelming

Dransfield doesn’t specify what the overwhelming / tangible evidence is, beyond asserting that he lost his case at the Court of Appeal, so QED: the fix is in. The letter makes a series of allegations about the ICO and demands that the Commissioner is sacked and replaced by himself. The allegations are a mixture of falsehood (he says that they don’t publish their register of interests when they do) and opinion (he claims it is a breach of an unspecified EU Trade law that the ICO usually uses 11KBW for legal services, ignoring the fact that they are the leading information law chambers in the UK). The only verifiable claim is the conflict of interest in having a council leader act as a manager of a team that deals with complaints about councils and political parties. Dransfield only knows about this because I did an FOI request about it and wrote about it here (inevitably, Dransfield spells his name wrong and the mistake slipped through Amazon News Media’s presumably robust fact checking procedures).

If you’re not familiar with it, the scale of the Dransfield conspiracy is breathtaking – construction companies including Balfour Beatty, multiple councils, the Health and Safety Executive, Dransfield’s MP Ben Bradshaw, the previous and current Information Commissioners and many of their staff, West Ham United, the Olympic Delivery Authority and various other Olympic bodies, former secretary of state Chris Grayling, myself, the Upper Tribunal, the Court of Appeal, the Supreme Court and the House of Lords, all working tirelessly to cover up the construction of a network of unsafe buildings and bridges across the UK. Only Dransfield has the insight to see the conspiracy in all its Byzantine complexity, and the entire UK legal system is ranged against him to stop his crusade.

There is, of course, another perspective, but Amazon News Media have seemingly backed Dransfield with gusto. The accompanying editorial hails “Mr Dransfield’s long experience as a social watchdog” and complains of his “extensive scapegoating” but demonstrates a slender grasp on the facts. For example, it claims that vexatiousness was planted at the second, Upper Tier Tribunal, rather than being a feature of the original refusal dealt with by the ICO. Moreover, like Dransfield, Amazon News Media make big play of the fact that it was the ICO who appealed to the Upper Tribunal and Court of Appeal, describing it as an “abuse” of the system. When Dransfield went to the First Tier Tribunal, he was appealing the ICO’s decision, not Devon’s original refusal. If the ICO disagrees with the FTT, it is they (and not Devon) who must take forward the appeal. The appeal process is not open only to the applicant – public authorities and applicants can challenge the Commissioner, but the Commissioner is entitled to challenge decisions that they think are wrong. This is how the system is designed, and Dransfield chose to use that system. Complaining about the result of a process you initiated is acting like the men outside the ECHR.

I put a comment on the Amazon News Media blog, pointing out that I had made 100s* of FOI requests without ever being refused as vexatious (the issue of Alex Ganotis’ role at the ICO just being one of many), pointing out that Dransfield’s hostility and abusive character is probably part of the problem. An unnamed representative of the organisation dismissed this – apparently, when Dransfield called the Information Commissioner Elizabeth Denham a ‘useless cow’ on Twitter, this was just “colourful language [that] perhaps reflects the insult of having your name unreasonably scape-goated for half a decade“. So perhaps the insult is Denham’s fault for not giving Dransfield the face-to-face meeting he’s been demanding since July. It’s an odd perspective, because Dransfield has been calling me a prick and a dickhead for disagreeing with him ever since this mess started.

I can’t work out who runs the Amazon News Media site – it describes itself as “an evidence-based website practising freelance written and video journalism“, but the website, Twitter account and Facebook page are all somewhat anonymous. The site itself is registered to a David Hodgson in New Zealand, but the nameless person who runs the Twitter account told me that it is based in Swansea. Whoever they are,

UPDATE: I know who they are. I’ve read all 59 pages of the judgement.

They have made a fatal error in their analysis of Dransfield’s case. The editorial states that Dransfield enjoys “superior knowledge of lighting protection systems, and Health and Safety regulations” – the problem is that this is irrelevant to the case. S14 of FOI has no public interest test – it’s not about the information, but the process.

The Information Commissioner, the two Tribunals and the Court of Appeal are not supposed to decide whether Dransfield is right about the unsafe buildings. For the record, I think the conspiracy is a complete fantasy, and Dransfield’s requests are the result of a grudge against his former employer, Balfour Beatty. None of Dransfield’s blood-curdling predictions about fatal lightning strikes have come true, and I am not aware of anyone in the UK Health and Safety sector who backs his theories (I’m famously an arsehole and lots of people agree with me about Data Protection despite this impediment).

None of this matters. The question in play is not one about Health and Safety. The question is whether Dransfield’s torrent of requests, complaints and other correspondence were an abuse of the FOI system. Dransfield had every opportunity to put his case before four independent bodies – one of them agreed with him, and the others did not. It’s not impossible for Dransfield to be right about the buildings (as unlikely as this may seem) and yet, because of his hostility, his stubbornness and the sheer weight of his requests, they tip into vexatiousness.

Ironically, despite Dransfield’s antipathy towards the ICO (and his misogyny towards the new Commissioner), his demand that the ICO sort out the vexatious issue is completely wide of the mark. Even if Denham accepted that he was right, she is powerless to reverse the Dransfield decision. If Wilmslow executed a volte face tomorrow, the Court of Appeal decision would still stand. Public authorities could use the CoA judgement against the ICO in the Tribunals who would be bound by it. Only the courts can change the decision – it is out of the Commissioner’s hands. It’s tempting to believe that Dransfield knows this, and he directs his rage toward the ICO solely because he enjoys it, rather than knowing it will change the outcome.

In the end, Amazon News Media grew tired of my interventions and refused to publish my final comment unless I edited out all of the mansplaining, repetition and “snark”. Instead of being censored, you can – if you wish – read the comments on ANM, and then, by way of a conclusion to all this, I reproduce the comment that they found so objectionable.

You can twist what I have said in any direction that suits you. The decisions that the ICO makes are, obviously, about the public interest (where that applies, and with some exemptions, it doesn’t). Sometimes they get those decisions wrong, sometimes they get them right. When a decision has been tested at several levels, and then looked at subsequently by differently constituted tribunals, you have two choices. Either you can believe that there is an enormous conspiracy to subvert the FOI Act, or you can look at the particular case and decide that maybe the system got it right. There is no inner truth here – you believe what you want to believe based on your own prejudices.

What I said above is that Mr Dransfield’s letter, your publication of it and your conspiracy theories about the legal system will have no practical effect. Truss will not intervene because it isn’t her place to intervene in legal cases. The European Court of Human Rights will not intervene, because Mr Dransfield has been refused leave to appeal there. These are facts – you can put a political / paranoid spin on them if you like, but the spin doesn’t change the facts. If you want to stop vexatious decisions being made under Dransfield, someone needs to take a case all the way to the Court of Appeal and get Dransfield overturned. Alternatively, the FOI Act will have to be amended in Parliament. Given that you think the entire legal system is corrupt, I assume you’re not much keener on MPs. Which makes all of the above a monumental waste of time. But at least it gives you and Dransfield something to do.

* ANM refuse to believe that I have made 100s of FOI requests without proof. Given that they are willing to turn an abusive blowhard into a Human Rights champion without any justification, I am content to say that I have, and if they or you don’t believe me, I don’t care.

** It has been suggested to me that in my comment above, I said that the Court of Appeal can overturn Dransfield, whereas the suggestion is that actually, only the Supreme Court can do it i.e. the court *above* the Court of Appeal. If this is right (and I suspect that it is), the difficulty of reversing Dransfield is greater.

Fair Cop

The bedrock of Data Protection is fairness. You cannot gain consent without fairness. Your interests are not legitimate interests if they are secret interests. Unless you have an exemption or you claim that telling the person represents disproportionate effort (i.e. the effort of telling outweighs the actual impact), you have to tell the person whose data you are using the purposes for which their data will be used, and any other information necessary to make the processing fair.

The ICO’s Privacy Notices Code of Practice is not ambiguous, nor was its predecessor. It is impossible to read the ICO’s published guidance on fair processing without taking away the key message, consistently repeated for more than a decade: if something is surprising or objectionable, especially if it involves some kind of impact or sharing outside the organisation, it should be spelt out. New-ish Information Commissioner Elizabeth Denham seems to have chosen to reverse the ICO’s previously timid, unimaginative approach to the first principle with a pair of civil monetary penalties against charities. We have one each for the Royal Society for the Prevention of Cruelty to Animals, and the British Heart Foundation, with the promise of more to come. You might say it was unfortunate that charities are first in line rather than, say, credit reference agencies or list brokers (to be a touch tautological). It was the charity sector’s misfortune to fall under the Daily Mail’s Basilisk gaze, and they have to accept that we are where we are.

To issue a civil monetary penalty, there are three hurdles for the ICO to clear. Firstly, there must be a serious breach. Both charities used commercial companies to profile thousands (and in one case, millions) of donors, buying up data from publicly available sources* to assess their wealth and resources, they shared data with other charities whose identity they did not know via a commercial company, and in the case of the RSPCA, they bought contact details to fill in data that donors had provided. The average donor did not have any idea that this was happening. I can see there’s a problem that when everyone in the charity sector knows that wealth screening goes on, it seems normal. But I’ve been using it as an example on my training courses ever since the Mail revealed it, and bear in mind that these are often seasoned data protection professionals who know about data sharing and disclosure, attendees are invariably shocked and some cases revolted by what I tell them.

There is no doubt in my mind that this processing needed to be spelt out, and there is no doubt from the notices that it was not. Carefully selected third parties or partners has been a stupid lie in marketing for years, but not even knowing where the data goes is much worse than the usual flogging it to all comers. At least the list broker knows who he’s flogging it to, even though the only careful selection is the ability to pay.

The second hurdle is the need to show that the breach is likely to cause damage or distress to the affected data subjects. It’s been known for quite some time that the ICO was planning to take enforcement action over the Mail stories, and the gossip I heard from charities was that fines were likely. I’ll be honest, I wasn’t convinced. The Information Commissioner lost a Data Protection Tribunal appeal from Scottish Borders Council because they bungled the damage / distress element of a £250000 CMP over pension records found in recycling bins. ICO made a flawed claim that the loss of paper pension records was likely to result in identity theft, but Borders had an expert witness who could argue convincingly that this was not true. The link between the breach (the absence of a contract with the company processing the data) and the damage was broken, and the ICO lost.

But this case is different. The ICO does not need to make a link between an incident and a breach, because they are bound up together here. Both notices show that the ICO has given considerable thought to the distress angle. There is no question that the charities breached the first principle, and their only hope for an appeal is to convince the Tribunal that people would not be caused substantial distress by secret profiling and data sharing after an act of generosity. This is not science, and all I can say is that I am persuaded. But for an appeal to be successful, the charities will need to persuade a Tribunal with strong experience and knowledge of DP and PECR from the numerous (and almost exclusively doomed) marketing appeals.

The third element requires the breach to be deliberate or a situation where the charities ought reasonably to have known about the breach. As I have already said, the ICO’s position on fair processing is well known in my sector and available to anyone who can type the ICO’s web address. I think it’s possible that the charities didn’t know what they were doing was a breach, but in my opinion, this is because the Institute of Fundraising and the Fundraising Standards Board effectively acted as a firewall between charities and reality. The advice (often inaccurate and out of date) came from the IoF, and complaints about charities went to the FRSB and no further. When your code of practice is written by the people who earn their living from fundraising and most in your sector are doing the same thing as you are, it’s not hard to fool yourself into thinking it’s OK. But ‘everybody does it’ will cut no ice with the Tribunal. The RSPCA and the BHF are not tiny charities flailing in the dark – they are massive, multi-million pound operations with vastly greater resources than many of my clients.

Daniel Fluskey, head of Policy for the Institute of Fundraising, whose apparent lack of experience or qualifications in Data Protection does not prevent him from writing inaccurate articles for the charity sector on GDPR, has already weighed in, saying that the ICO should be providing the specific wording that charities require: “Charities need more detail on the ICO’s view of what lawful practice looks like: what form of words would have passed the test?” The Information Commissioner is the regulator for every organisation, of every size and shape, that processes personal data. If they start writing tailored wording for charities, they will have to do it for everyone else as well. It is a ridiculous demand. I think the ICO should move on to the data pools, wealth screeners and list brokers, but if she could find the time to issue an enforcement notice on the Institute of Fundraising, forbidding them ever to speak or write on Data Protection matters again, the third sector would have a fighting chance of complying.

Besides, how hard is it to find compliant wording? Nobody – especially not the trade association for fundraisers – should be allowed to present this as a byzantine and complex task. The individual doesn’t need to know what software you’re using, or whether cookies are involved. They need to understand the purpose – what are you collecting, what are you going to do with it, who are you going to give it to? This should be presented without euphemism or waffle, but it’s when you strip out the legalistic nonsense, you see the problem. It isn’t that the poor charities were labouring under the burden of complex data protection rules. They could not comply with the Data Protection Act because what they were doing (and in RSPCA’s case, are apparently still doing) is so unattractive:

  • We will share your details with unspecified charities via a commercial company. We don’t know who they are.
  • We will buy your phone number, postal or email address from a commercial company if you have not given it to us.
  • We will use commercial companies to compile a profile of your wealth and property to work out whether to ask you for further donations. If you are likely to be worth a lot when you die, we will use this information to ask you for a bequest.

When Reactiv Media appealed their PECR penalty, the Tribunal rejected their appeal and increased the penalty. Like a lot of the spammers, they put themselves into administration to avoid paying up, but this option is not available to household name charities. If either the RSPCA or BHF appeal, they are dragging themselves deeper into the mud, and very possibly spending thousands more of donors’ money to do so. If they say that what they did wasn’t a breach, or that they couldn’t have been expected to know that it was, their officers, advice and business model will be scrutinised to a doubtlessly painful extent. The claims management company Quigley and Carter found themselves described as “feckless” and “most unimpressive” in the course of being filleted during a recent failed appeal. Do charities really want that? Even if they decide to roll the dice solely on distress, does either charity really want to acknowledge a serious breach that they knew or ought to have know about in the hope of getting the fine overturned on a technicality? Do they want ICO to call donors as witnesses?

The business model of pressure selling, TPS-busting, heavy texting, data sharing and donor-swapping adopted by some of the UK’s most celebrated charities resembles nothing so much as the activities of the claims management, PPI spammers (i.e. the scum of the earth). For all the noise and bluster on Twitter and in the charity press this week, there is an uncomfortable truth that has to be faced. The hated Daily Mail unearthed it, and the ICO has rightly acted on it. Some big charities have run an end-justifies-the-means approach to marketing and they have got away with it for a decade. Fundraisers ruled the roost, and compliance has been sidelined or ignored. Given how much money the RSPCA and the BHF have raised from fundamentally unlawful practices, they should pull back and rethink how they get donations in the future. They should ignore the Institute of Fundraising’s every word on Data Protection and PECR, and like every other charity, concentrate on reading and applying the ICO’s Code on Privacy Notices and guidance on Direct Marketing.

And right now, if there is a fundraiser sitting with the two CMP notices working out how to at the same time devise a method to raise loads of cash for their cause while complying with Data Protection and PECR, I hope they wipe the floor with everyone else.

*citation needed

Actually asked questions

One of the annoying things about working on documents or advice for the public is the inevitable moment where someone asks “shouldn’t we have some FAQs?”. And then someone proceeds to write a series of questions that the organisation wants the public to know the answers to, rather than the answers to questions the public have actually asked. Frequently asked by who, is what I frequently want to know.

I am currently working on a product aimed giving data protection advice to charities. It will be free to access, and should hopefully be ready by the end of the year (early in January is equally likely). It will take into account the current DP and PECR law, the Fundraising Preference Service and associated Regulator, as well as anticipating the GDPR in several key aspects. As part of this, I would like to include an ‘actually asked questions’ section, in which people working on DP or IG for charities ask questions, and I provide the answers.

This is where you (hopefully) come in.

I want to get real questions from practitioners and volunteers working in the charity sector. There are a whole bunch of things I want to say about the topic, but questions from the intended audience are vital to make the guidance meaningful. If you have any questions about Data Protection, PECR, marketing, volunteers, security or other related matters, please send them to the following email address:

mail@2040training.co.uk

You can be specific or general. You can ask about the detail, the background, individual scenarios relevant to your work or issues that cover the whole sector. I would be happy with 5 questions, or 500. You can also tell me things you think DP guidance for charities should include. I have the content more or less planned out, but I might have missed something.

There are a few things you need to know before sending a question in.

1. You will not receive an individual answer to your question. Your question, if at all possible, will be answered in the FAQ section of the product. It may be that your question is answered in the main body of the text, in which case, your question will not feature specifically but the answer will still be there. If it is impossible to answer your question – time permitting – I will reply direct to you to explain why and give some advice if I possibly can.

2. You will not be added to any mailing list, or receive any marketing as a result of participating. If you indicate in your email that you want to know when the product is available (it will be free, and getting access to it will not involve any obligations or commitments), then I will send you a single email to let you know. You will receive nothing else and your details will not be retained for any other purpose.

3. All questions will be treated anonymously. You, and the charity you are associated with, will not be identified or alluded to in the product, no matter what the nature of the question is. Even if the question is “can we sell our donors’ data to a claims management company?’ or “can we buy data even if we think it might have been stolen?”, you will not be identified. The sole purpose of this is to make the product more useful and lively by getting direct input from the intended audience. By the way, the answer to both of the above questions is no.

4. Questions sent in after 15 December probably won’t make the cut (although I will do my best to read anything received after that)

The final shape of the product may go one of several ways, so I am being vague about what it actually is – one option is easy but less interesting, the other is better but more time consuming. Nevertheless, to emphasise the point again, it will be free, and you will receive no marketing or further contact if you choose to participate.

I very much hope that if you have any questions or queries, or other issues you would like to raise, you will send them in. Thanks for reading – if you have the opportunity to tweet or circulate this to people in the charity sector who might have questions they want to ask, I would be very grateful if you would. I cannot promise that anyone who necessarily like what I have to say, but I’m very keen to find out what you’d like to know.

Specific Heights

One of the most annoying things about interactions with organisations is the endless refrain from customer services is that you must do something for ‘Data Protection reasons’ or ‘for Data Protection’. You see it from company accounts on Twitter, from call centres, even in person. Tweak the script slightly, and suddenly it’s fine – ‘for security reasons’ or ‘to make sure I’m speaking to the right person’ are more helpful and more specific.

It’s this clunky, inelegant approach to Data Protection (alongside habitually uncritical tabloid reporting when organisations use DP as an excuse) that gives it such a bad reputation, and leads to the problem reported by the BBC today. Nobody knows what organisations are doing because the information available is turgid, legalistic and misleading.

With this in mind, permit me to provide some advice on how to write / not write privacy policies

  1. If your privacy policy mentions the phrases ‘Data Protection Act’ or “Data Subject’, you’re doing it wrong. The person doesn’t need to be told what the eight principles are or what the IG jargon is. They don’t care, nor should they. If they are reading the text, it’s because you’ve told them to or because they want to know what you’re up to.
  2. If it says how important DP or privacy is to your organisation, you’re wasting the reader’s time – this is something you demonstrate by actions, not assertions
  3. If it contains any jargon or technical language, remove it (with apologies to George Orwell)
  4. If it is written in a legal style, especially in the style of a contract, it’s rubbish. Delete it and start again.
  5. If it is a one-size-fits-all that covers all users of your services or website, it’s unfair. Again, you are wasting the reader’s time telling them about something that may never affect them. If you are telling me about exceptional or unlikely uses of my data, you’re doing it wrong. If you are telling me about things that just won’t happen because I am not that sort of client or customer, you’re doing it wrong. If it might happen but might not, tell me when it does. Fair processing is a processing, not a hurdle you clear once and never again.
  6. If you tell yourself that something is so complicated that you cannot explain it to your customers or clients, you either don’t understand it yourself, or in fact you just don’t want to explain it because people won’t like it. Either way, you’re doing it wrong.

A privacy policy / privacy notice / fair processing statement (call it what you like) has a single, real purpose. It might seem like you’re writing it to tick a legal box, but if that’s what you think you’re doing, you’re doing it wrong. The purpose of the fair processing statement is to tell the client or customer in simple, everyday language how their data will be used. Anything that does not assist in that specific job is irrelevant, and should be cut out. I don’t care about your security or the fact that you have ISO 10069. I don’t care that you use biodegradable laptops. You can shove your corporate social responsibility aspirations up your carbon footprint: tell me what you’re doing with my data.

Lawyers get a lot of stick for privacy policies (and one or two absolutely deserve it), but the occupation of the person who writes the words is irrelevant – all that matters is their intent. I’ve read many tedious legalistic fair processing statements that were written by Data Protection professionals, while I have read T&Cs written by lawyers that are a model of economy and clarity. Many of the privacy policies I see could be cut to at least 50% of their length without losing any of their meaning. This cannot be tolerated.

Organisations wrap up what they plan to do in waffling, passive-voice, corporate double-speaking Mother-Knows-Best bullshit. This is who we are. When you give us your data, this is what we plan to do with it. The fair processing statement should be short, straightforward and surprising. It should focus on those things that the punter does not expect. We are going to sell your data. We are going to use a data pool to exchange your data with other people who can probably squeeze a few pennies out of you now we’re done with you. We are going to work out what to sell to you based on what kind of person we think you are, based on data we bought from Experian and some Bulgarians we met on Fiverrr. We are going to work out whether it’s worth having you as a customer.

The limits of what you can do with personal data – unless you have an exemption – is what you can explain. In a commercial, charitable or voluntary sector environment, you won’t have an exemption most of the time. Boil the purpose down to its bare essentials and be blunt. If you can’t explain it, you can’t do it.

Any last requests?

A month ago, the redoubtable information rights expert and blogger Jon Baines wrote about an odd change on the ICO’s website. Just after the EU referendum vote, the ICO published a bold statement, calling for Data Protection standards in the UK to be equivalent to those in the EU. Shortly after, the statement disappeared. Around a week later, it was replaced by something more bland. Jon wondered why the ICO had resiled from their original position. He was, however, fortunate to receive a comment from an ICO spokesman:

“We noted the debates about different options that emerged following the referendum result and we decided to move to a simpler statement to avoid being too closely associated to any one particular position”

I believe that this statement is untrue.

After a conversation with Jon, I made an FOI request to the ICO for “Any recorded information on the decision to remove the statement, including who made the decision to remove it, and why it was removed“. Remarkably, the ICO claims to hold just one email that is relevant to my request (I’m not convinced, so I am following this up), but I think it’s reasonable to conclude that the ICO did not change the statement because they “noted the debates“. They changed the statement because the Department for Culture, Media and Sport, the government department responsible for Data Protection, asked them to.

A DCMS official emailed Christopher Graham, the former Information Commissioner, directly on 28th June:

Screen Shot 2016-08-26 at 09.07.02

The revised version is identical to the statement that you’ll find here on the ICO website.

The DCMS position is understandable – a few days after an unexpected vote, it’s not hard to imagine that they hadn’t reached a final position on GDPR. I’d be surprised if they were certain now, frustrating as that might be for the likes of me. But when the DCMS talks about it being far to early for “us” to be so definitive, they are not talking about the ICO, which is legally separate from and independent of Government. If the former Commissioner and his staff believed that the DPA is out of date and not fit for purpose, they were right to say so. Bear in mind that the statement in question was made after the vote, not when the ICO view could in any way have influenced its outcome (or when such an allegation could be made). DCMS are free to disagree with them, and indeed to ignore them if they so choose. I think GDPR-lite is a terrible idea, but they can pursue if they think it’s right. I’m not even sure I want to criticise the DCMS request – it’s quite clearly not an instruction.

However, for the ICO to change their statement (and by default, their official position on the GDPR) is a significant and worrying step. The ICO’s position can be identical to the DCMS one, but only if that’s because the ICO thinks DCMS is correct. It would be in no-one’s interests for the ICO to challenge and contradict DCMS merely to show that they’re nobody’s poodle. But Wilmslow’s reaction to the Brexit vote was clear, and now it’s not. Was the original position wrong? Is there any reason why the ICO cannot be allied to one particular position if they think it’s the right one?

Equally, if the ICO is going to change its public position, it should be honest with the public about why it is doing so. The statement on the ICO website says

At the annual report launch on 28 June 2016, Information Commissioner Christopher Graham updated the ICO statement

Whereas, what it should say is:

At the request of the DCMS, at the annual report launch on 28 June 2016, Information Commissioner Christopher Graham updated the ICO statement

As embarrassing as this might be, if the ICO is content to follow the debate about the future of the GDPR in the UK rather than leading it, it should be honest enough to admit that this is their position. I’ve already blogged about the bizarre situation that the ICO team that deals with complaints about political parties and councils are managed by a serving Labour Council leader. Here is another situation where the ICO’s ability to make robust, independent decisions appears to be compromised.

This depressing episode happened in the dying days of the previous Commissioner’s tenure; more than ever, I am glad that he is gone. We have a new Commissioner about whom I have seen and heard nothing but encouraging things. I can only hope that when faced with decisions like this in the future, Elizabeth Denham takes an more independent approach.