Immigrant song

With the sensitivity for which they are rightly renowned, the Home Office chose to celebrate Christmas by tweeting a cheery video full of beaming millennials, promoting the new ‘settled status’ registration scheme for EU nationals who want to stay in the UK after Brexit. People who have made their home in the UK have to register and pay for the privilege. Setting aside the crass, thoughtless way in which the scheme was promoted, concerns have been expressed on social media about the Data Protection implications, especially as regards how data is used and whether it complies with GDPR and the DPA 2018. There is an interesting sentence in the documentation: “we may also share your information with other public and private organisations in the UK and overseas”. The people behind the @the3million twitter account made an FOI request about this, and the Home Office have refused to confirm the identity of the organisations in question. They relied on S31 of the FOI Act, which allows information to be withheld if (among other things) disclosure would or would be likely to prejudice “the operation of the immigration controls”.

S31 requires the Home Office to demonstrate a causal link between disclosure and prejudice, and has a public interest test that allows for disclosure if the public interest in doing so outweighs the public interest in withholding. So while the Home Office picked the right exemption, their decision to refuse could be challenged. The ICO doesn’t have a strong record of overturning these kinds of decisions, so the fate of any complaint is hard to predict.

But what’s that? Surely individuals subject to this process have GDPR rights, and can find this out for themselves via a subject access request? Two elements of GDPR would appear to assist – Article 13 requires the Home Office to specify “the recipients or categories of recipients” to which personal data will be disclosed in order to be transparent, while Article 15 gives the subject a right to the same information on request as part of a subject access request.

Except they don’t. I’m certain that the wording I have seen doesn’t comply with Article 13 because even the ‘categories’ bit would only work if it was clear what types of recipients are involved, and it’s plainly not. However, the GDPR allows for exemptions, and there is an exemption that the Home Office managed to get through Parliament in the DPA 2018 which allows them to keep the identity of the recipients secret. Schedule 2, Pt 1, (4) says that both transparency and subject access rights can be set aside if applying them would or would be likely to “undermine the maintenance of effective immigration controls”. If the Home Office don’t want to tell people going through the process who their data will be shared with, this exemption allows them to do so. They have to believe that transparency will undermine effective immigration control, but this is the Home Office – they probably do believe that.

So what recourse do EU citizens have? They could, of course, challenge the Home Office approach by either taking them to court or complaining to the Information Commissioner. The Commissioner could decide that the application of the exemption was incorrect (as they could with S31 of FOI), and they have powers to enforce that decision. Aside from Elizabeth Denham’s obsession with data analytics in politics (especially when allegedly deployed by the Leave side), the ICO does not have a strong track record of taking on big organisations. Admittedly, the ICO recently took on the Metropolitan Police over their Gangs Matrix database, but the problem with that is the Gangs Matrix was a mess and the Met more or less acknowledged that.

The problem here is that if the Home Office maintain their position, the ICO would have to substitute their judgment for theirs. This wouldn’t be a mistake or a cock-up; if the Home Office use the DPA exemptions in the same way as they have the FOI ones, the only way that people can get better transparency is for the ICO to tell them that they’re wrong. This is often when Wilmslow bottles it. It’s straightforward to enforce on an organisation that has just lost thousands of people’s data (I’m sure it takes a lot of graft, but the decision to do it isn’t as hard). It’s much more difficult when the data controller hasn’t made a mistake, but is using the exemptions as described. Even if the ICO believes that the exemptions have been wrongly applied (and they might not), the Home Office is likely to ignore any recommendations and appeal any enforcement action.

The alternative is the courts, which is just as much of a roll of the dice as a complaint to the ICO, with the added complexity and cost of actually going to court. I have confidence that a court would test the Home Office’s arguments more robustly than the ICO would, but the Home Office wouldn’t be acting irrationally or unreasonably, and a judge might agree with them. These exemptions made it through Parliament and are on the statute book; the Home Office can plainly use them, and it’s not a breach of the GDPR unless the ICO or a court says that they have been applied unfairly.

Personally, I doubt that knowing who is receiving your data will undermine this process sufficiently to justify the secrecy that the Home Office has already imposed using FOI, and which I expect they will use under DP, but it doesn’t matter what I think. This is where the hype around the GDPR runs into the brick wall of reality. The Home Office doesn’t need consent to gather, use and disclose personal data in this process, as long as it has another lawful basis to do so (legal obligation or official authority will certainly kick in here). The DPA gives them exemptions to keep the nature of that processing opaque, and if they choose to use them, challenging that decision is difficult and the outcome is uncertain. This leaves an odd situation but a lawful one – if they wish to live in a country they have already made their home, it seems that EU citizens have to submit to a closed, secretive process and they cannot find out what happens to their data during that process, who gets to see it, and for what purpose.

Compensation culture

We’ve had years of headlines about Cambridge Analytica and Facebook which have captured the public’s imagination like never before, and generated huge publicity for the Information Commissioner’s Office and their army of blue-jacketed enforcers. Action, on the other hand, has been slightly less forthcoming. No action has been taken against Cambridge Analytica itself – there is the prosecution of SCL Elections over a subject access request made by an American (David Carroll), but if anyone can explain why prosecuting the now defunct company when the best outcome is a fine that will never be paid because it will be buried at the bottom of the pile of creditors, comment below. The ICO issued their first GDPR enforcement notice against AIQ, and it was so clumsy it had to be withdrawn and replaced (it’s astonishing that the ICO’s mishandling of this landmark action has gone virtually unnoticed). There is the famous Facebook fine of course, but that is already under appeal. Given that the Commissioner’s case changed radically from the Notice of Intent (published against all normal ICO practice) to final penalty, I don’t think that the ICO should count any chickens on the outcome.

The other issue haunting the case is a number of legal firms mounting ambitious compensation claims on behalf of those who believe themselves to be affected. Just as I am sceptical about the ICO’s track record, some odd assertions in a story in the Independent about David Carroll’s own attempt to sue Cambridge Analytica make me wonder whether the compensation road will be any less rocky. The claim is happening under the old Data Protection Act, and so Carroll and his solicitors will have to prove some kind of damage. Carroll’s solicitor Ravi Naik from ITN Solicitors is quoted as saying payouts could spiral to as much as £43 billion if only 10% of the possible affected pool of people claimed successfully.

Even if one conservatively uses the lowest end of the range, both in number and value of each claim, and calculates on the basis of 10 per cent of the estimated 87 million affected Facebook users only, with claims of £5,000 each against Cambridge Analytica, that still implies a total potential claim value of £43.5bn

I think his claims are optimistic at best, and at worst, comically exaggerated. Facebook did claim that up to 87 million people’s data may have been affected, but they’ve wavered since – to the extent that the ICO now admit that UK data wasn’t used by Cambridge Analytica in their final penalty on Facebook, despite building their NOI around that very claim. Carroll is claiming between £5000 and £20000, but he won’t get a penny unless he can show evidence of the breach in the first place, and then evidence of the damage. Claiming compensation for non-material damage is tricky. You can’t show something concrete like lost wages or business – the money won’t be awarded just because Carroll says he’s upset or annoyed, and the courts have shown scepticism in the past about claims of damage or distress (look at the Tetrus case that ICO lost on the issue of distress a few years back).

That 87 million number is a maximum, not a certainty, and the UK courts have shown themselves to be unmoved by generic class action claims of damage. Look at Richard Lloyd’s failed claim against Google, where the court said that different people will react to the use of their data in different ways. Perhaps Carroll has made a good case about the harm he says was done to him, but even if he has, that is not to say that all claimants are in the same position. If my data was abused by Facebook, my reaction would be numb resignation at worst. I can’t get outraged about Facebook abusing my data, any more than I can get upset by rain being wet. This is why I don’t use Facebook.

The consensus on LinkedIn seems to be that a possible breach is automatically accompanied by a ringing cash register – but that’s not a safe assumption, backed by any evidence. Lloyd lost his Google claim. Everyone who wrote excited Tweets and LinkedIn posts about the outcome of the recent Morrisons case – where the supermarket was found vicariously liable for a breach committed by an employee – ignored the fact that even if Morrisons lose their planned appeal to the Supreme Court, the issue of how much each claimant gets hasn’t been considered yet. Admittedly, Morrisons is a claim for misuse of private information and breach of confidence, but even so, we haven’t got to the bit about the money yet. The claimants may each get a big payout; they may get bus fare. There hasn’t been a case in the UK where multiple people received a big payout because their personal data was abused.

Naik’s extravagant claims and ambitious maths make for an impressive headline, but it’s speculation. I’m uncomfortable about the idea of tempting people into joining litigation (which is presumably the point of Naik’s claim) using hyped-up numbers in this way. The words sound sensible, and Naik effectively describes his estimate as conservative, but it’s a fantasy. Carroll will lose unless he can persuade the court that a breach occurred, that he experienced damage, and that there is a figure that will compensate him for that harm. We have had a few interesting and successful compensation claims in the past, but the idea that we’re looking at lottery jackpots for DP claimants is, so far, Fake News.


Regulating the FOIA into obscurity?

This is a guest post from the redoubtable John Slater, whose tireless efforts to hold DWP to account are a lesson in how FOI should be used. John has had real success in wrestling information out of a stubborn and secretive system, but the post describes the hurdles in the way of the applicant, and the shameful way in which the ICO makes things worse. It’s not a quick read but there’s a lot to say. I think anyone with an interest in how the benefits system operates, or how healthy the FOI system is at the moment should give it the time it deserves. I’m very grateful to John for writing it and letting me host it.

I suspect that most people reading this have experience of submitting a request for information (“RFI”) under the FOIA and all the frustrations that can come with it. Some people may have complained to the office of the Information Commissioner (“ICO”) while others may have just given up when their RFI was refused. I suspect that a smaller number of people, who had the time, appealed ICO decisions to the First-Tier and Upper Tribunals.

Via my involvement with the FOIA I have been dealing with the ICO for approximately 6 years. My interaction has ranged from normal FOIA complaints through to appeals to the First-Tier and Upper Tribunals.

Setting aside the minor issues one typically experiences with any large organization I have to say that my experience of dealing with the ICO has been very positive. Even when a decision notice (“DN”) went against me I could understand why and how that decision was reached. In respect of appeals to the First-Tier and Upper Tribunals I have nothing but praise for the people involved, even when I was appealing an ICO decision.

However, approximately 18 months ago things started to change for the worse. The time taken to respond to complaints seems to be inexorably increasing and the quality of the case work is deteriorating. I’ll use 3 of my current complaints to illustrate the problems that I and others are experiencing on a regular basis.

Case 1 – Universal Credit Programme Board Information Packs

In July 2017 I asked the DWP for the 3 most recent packs of information that were given to the Universal Credit (“UC”) Programme Board members at each monthly meeting. Given how controversial UC is and the history of the DWP being less than honest about it, this seemed to be a good route to try to find out what the senior people responsible for UC actually know and what they are doing about it.

For those not familiar with programme management terminology the programme board consists of senior people who are accountable and responsible for the UC programme, defining the direction of the programme and establishing frameworks to achieve its objectives. So apart from Neil Couling (senior responsible owner) and the secretary of state they are about as senior as it gets. The membership of the programme board can be found here:

https://www.whatdotheyknow.com/request/419990/response/1090823/attach/html/2/3044%20IR%20516%20IR%20604%20reply.pdf.html

Unsurprisingly the DWP refused my RFI on 16 August 2017 citing S.36. However it explained that it needed an extension to carry out the public interest test (“PIT”). On 14 September 2017 the DWP did exactly the same thing. This is a tactic that the DWP uses regularly and often issues monthly PIT extensions until the ICO becomes involved.

I complained to the ICO on 14 September 2017. On 22 November a DN was issued giving the DWP 35 calendar days to issue its response. On 3 January 2018 the DWP finally confirmed that it was engaging S.36 and that the public interest did not favour disclosure (I’ve yet to see a public interest test from the DWP that does favour disclosure). I submitted a revised complaint to the ICO on 9 January 2018 challenging S.36 and the public interest decision.

Despite the 5 month delay by the DWP the ICO bizarrely told me that I still had to exhaust the DWP internal review procedure before my complaint could be investigated. I had submitted 4 internal review requests (“IRR”) during the 5 months that the DWP treated the FOIA with such contempt. I know from previous experience that the DWP would use the same PIT ‘trick’ to delay answering my IRR. I explained this to the ICO and asserted that it has the authority to proceed without me having to submit another IRR. On 30 January the ICO accepted my complaint. I know about this from experience but I assume most people would have followed the ICO instruction and been stuck in another loop of 5 months until the DWP was told to issue its response to the IRR.

On 26 April my case was assigned to a case officer, just 3 months short of a year since I submitted my request to the DWP. Despite the DWP clearly citing S.36 the ICO allowed the DWP to get away with numerous delaying tactics and nothing happened for many months. Despite chasing the ICO on a number of occasions there appeared to be no progress. My patience ran out in October 2018 and I complained to the ICO about this and two other cases. On the face of it this appeared to have got things moving.

However, on 18 October 2018 I was told by the ICO that an information notice had been served on the DWP to obtain copies of the information I had requested. The DWP has 30 days to respond to these notices.

Whilst I’m not surprised by this (in fact I even suggested this was the case in my complaint) I struggle to understand how any organisation can investigate a complaint for almost 6 months without having a copy of the requested information. I can only hope that the DN I have been seeking for so long will appear at some point in 2018!

The delay has been so long that I have actually submitted another request for more current programme board packs. At the time of writing the DWP hasn’t provided a response within 20 days so that’s another complaint that I need to send to the ICO!

Case 2 – Aggregation of various RFIs

Between 4 February and 23 April 2018 the DWP aggregated 9 of my requests for information claiming that they were for the “same or similar” information. Well, what it actually said was:

We consider each of the seven requests to be of a similar nature as they all relate to either decision making or performance delivery of disability assessments on behalf of the Department for Work and Pensions. In particular, all of the requests would be allocated to the same team for response as it falls within their specialised area.

Under Section 12 of the FOI Act the Department is not therefore obliged to comply with your request and we will not be processing it further.

This seems to suggest that the DWP believes the requested information is the same or similar because they relate to activities it carries out and the teams that do them. This is a crude attempt to rely on the discredited concept of ‘overarching themes’ that was attempted in Benson v IC and the Governing Body of Buckinghamshire New University (EA20110016). At [29] the Tribunal stated:

Whilst the Tribunal understood the Commissioner’s analysis the Tribunal felt that it was not compelling and relied on concepts that were not actually within the legislation – e.g. ‘overarching theme’. The Tribunal felt that any consequent uncertainty should, on balance, be resolved in the Appellant’s favour.

On 30 March I submitted a complaint to the ICO. My complaint involves 9 requests and deals with an important area of the FOIA, where there is very little precedent. A reasonable person might conclude that the ICO would be keen to act swiftly. On 27 April 2018 my complaint was assigned to a case officer so things were looking good. It is now coming towards the end of October and I have not had a single piece of correspondence from the ICO.

The requests that have been aggregated cover management information about how the DWP runs large controversial contracts that assess the eligibility for employment support allowance and personal independence payment (“PIP”). A previous RFI uncovered numerous problems with the quality of medical reports being produced for PIP assessments. This might explain why the DWP is so keen not to let me have the current information but not why there has been no progress by the ICO.

Case 3 – Datasets & Type of Data Held for Various Benefits About Claimants

On 26 February 2018 I asked the DWP to disclose the datasets and type of data it holds about various social security benefits. I am not asking for the actual data just the type of data and the “groups” or “sets” of data that it holds.

On 17 April 2018 the DWP refused my request citing S.31 (it eventually confirmed it meant section 31(1)(a)) and S.24. After a further IRR the DWP reconfirmed its position and I complained to the ICO on 15 July. Some 3 months later on 11 October I was finally told that my case had been assigned to a case officer. Does this now mean I wait for a further 6 months before anything actually happens?

Conclusion

I know the ICO is very busy, partially due to the new Data Protection legislation, but the problems that I and others are experiencing can’t just be explained by “being busy”. Based on my previous experience of dealing with them I also don’t believe it is the fault of the case officers. These problems are due to serious organisational failings within the ICO. There doesn’t seem to be the type of business processes / workflow that one would expect to see in an organisation of this size. The line management oversight of case officers appears to be absent. Based on my own experience it seems to be that the line managers focus solely on protecting case officers while actually making matters worse for them as their workloads probably grow faster than they can cope with.

The ICO should have a small set of metrics about how it is dealing with cases. Surely line managers should be looking at cases where nothing has actually happened for 6 months and do something about it? The idea of management by exception has been around for a long time and yet I’m left with the impression that there are no exceptions set within the ICO and senior management have no impartial way of knowing what is actually going on at the case level.

People might wonder why this matters and that in these times of constrained budgets we should expect cases to take longer. I can’t accept this as one of the key drivers for the FOIA is that we get a chance to hold public authorities to account for their actions. For that to happen we need access to information while it is still relatively current.

It is generally known that there are certain large government departments that have a very poor history in respect of FOIA. If someone requests information that these departments suspect will be embarrassing they will deliberately play the system to delay disclosure. From personal experience it’s all far too easy to do:

  1. Ignore the request completely until the ICO tells the department to respond (3+ months).
  2. Use the public interest test with impunity to introduce a 5 to 6 month delay before the requester can complain to the ICO about the exemption cited.
  3. 3 months before a case officer is assigned.
  4. At least 3 to 6 months before a DN is issued.

Total possible delay = 14 to 18 months.

The department can then appeal the DN to the First-Tier Tribunal (“FTT”), even if there is little chance of success. I’ve had 2 cases recently that have been appealed and then withdrawn just before the FTT hearing was due to take place. This added another 6 month delay let alone the cost to the public purse. If the DWP had actually gone through with the appeals and lost then that delay would probably be closer to 9 to 12 months.

This means that “playing the system” allows disreputable government departments to delay disclosure of embarrassing information by at least 2 years. Any media interest in the information can then be met with the claim that it is now ‘historical’ and things are better now.

A good example of this is the Project Assessment Review Reports (“PARs”) for the Universal Credit programme. I asked the DWP for these in April 2016 (see URL below):

https://www.whatdotheyknow.com/request/universal_credit_programme_proje#comment-82746

Using the delaying tactics described above and making the ICO issue an information notice to compel the DWP to release the PARs to them, they weren’t disclosed until March 2018. That’s a 2 year delay.

The ICO needs to sort out the internal delays that these government departments seem to be relying on. They also need to make sure there are meaningful consequences for public authorities that “play the system”. Writing strongly worded DNs telling public authorities off for abusing the system is meaningless. The ICO was highly critical of the DWP in its DN for the PARs case. A link to the DN is given below and the criticisms start at [62].

https://ico.org.uk/media/action-weve-taken/decision-notices/2017/2014762/fs50640285.pdf

The criticism has had absolutely no impact on the DWP. It still regularly doesn’t reply in time and still produces “boilerplate” responses that have little bearing on the case in question.

As a result of the new GDPR and Facebook the Information Commissioner regularly seems to be in the media and was recently named as the most influential person in data-driven business in the updated DataIQ 100 list. I hear talk of the Commissioner being able to issue huge fines for data breaches and serving enforcement notices on organisations that are not complying with the FOIA.

The original white paper “your right to know” stated at [1.1]:

“Unnecessary secrecy in Government leads to arrogance in government and defective decision-making. The perception of excess secrecy has become a corrosive influence in the decline of public confidence. Moreover, the climate of public opinion has changed; people expect much greater openness and accountability from government than they used to.”

If public authorities continue to be allowed to easily introduce delays of 2 years before disclosure then the regulator of the FOIA is failing in her role. Before the FOIA we only had the thirty-year rule (now moving to the twenty-year rule) controlling when information was released to the public.

I suggest that we are rapidly approaching the situation where by default we have the “two-year rule” for information government departments do not want released. Unless the Commissioner does something about it that will slowly increase to the “three-year rule” and then the “four-year rule”. From my perspective it’s time the Commissioner stopped boasting about all the powers she has and started using them.

Secret Service

A little while ago, I noticed an interesting story on the website of the Fundraising Regulator. They reported a case where a woman had applied for a job with a charity and subsequently, she started to receive marketing from them. She asked for her details to be removed from their donor list, and the request was ignored. The story was still there when they reworked their website recently, but it now appears to have vanished.

This is a breach of Data Protection and (potentially) PECR – the charity would not have informed the person that their data was being used for marketing which is a breach of the first DP principle, they breached the second principle by re-using the data for an incompatible purpose. By ignoring her request for the marketing to stop, they breached her rights under Section 11 of the old DPA and if they sent emails, they breached PECR as well.

Given that this is quite a serious breach of DP fundamentals, you might think that the Fundraising Regulator isn’t really the right person to deal with it. Although direct marketing forms part of the Code of Fundraising Practice, the proper regulator for both DP and PECR is the Information Commissioner. For both possible breaches, the issue of fundraising is probably the least important aspect – a charity that misuses personal data in such a profound way should be investigated by the Information Commissioner, not a non-statutory body with a relatively narrow focus.

I asked the Fundraising Regulator whether they had passed the complaint to the Information Commissioner’s Office. After a little while, I received a reply from a senior officer asking why I wanted to know. I said that I thought this was a relatively serious breach of data protection, and I wanted to know whether it had been shared with the right people. Shortly after that, I received a reply saying that they couldn’t tell me. This is an anonymised case study – the description of the case did not name the charity, or give any identifying information about the donor. The Fundraising Regulator has already decided to use the story to promote their work, and so asking whether they have shared it with the appropriate regulator (a question that has a Yes / No answer) seems entirely reasonable to me. I pushed a little, and apparently my request went up to Gerald Oppenheim, the FR’s eminently sensible Chief Executive. He also said no.

So I made an FOI request to the ICO, asking for the number of complaints the Fundraising Regulator has passed on to them, and a summary of each complaint. The ICO replied, saying that 100 complaints have been passed from the FR, and in response to my request for a summary of each complaint, they gave me whatever this is:

“Charities who have failed to on-board onto the Fundraising Preference Service (FPS) portal despite receiving a request to stop communications from a member of the public.”

Weirdly they claimed that “We do not hold information in regard to the details of each complaint” but in reply to my question about what action they have taken as a result of these complaints, the answer was: “No further action, logged for future intelligence purposes”. This means that they don’t hold any information about complaints that they have logged for future intelligence purposes.

Leaving that aside, the ICO’s response doesn’t suggest that the complaint I am interested in was shared, and so I am going out on a limb to say that I think the reason that the Fundraising Regulator didn’t want to tell me whether they had shared the complaint is because they hadn’t and didn’t want to admit it.

Why does this matter? The Fundraising Regulator’s predecessor, the Fundraising Standards Board, was an inherent part of the Data Protection problems in the charity sector that exploded spectacularly with stories in the Daily Mail. Thousands of complaints were soaked up by the FRSB and never passed on, meaning that the ICO was largely unaware of marketing problems in the sector. The last thing that the FR should be doing is sitting on serious data protection issues in the same way. The ICO and the FR have signed a memorandum of understanding agreeing to share information to assist each other in carrying out their functions, and so there is a clear gateway for the FR to inform the Commissioner of complaints like this.

The problem is, I only know about this complaint because the FR was incautious enough to try to get some PR out of it. Who knows how many more complaints they have dealt with that reveal genuine data protection problems – it may be an isolated case, or there may be loads of them. The organisation’s refusal to be open about the fate of this case means it’s unlikely they’d be forthcoming if it wasn’t a one-off. The FR’s role in operating a glorified opt-out service which is arguably not really required has already attracted some justifiable criticism from the charity sector, but this issue also deserves scrutiny.

Charities have had a torrid time over the way in which some of them handled personal data – as unpopular as this will make me (again), I think much of the flak was deserved. But it isn’t helping the sector for cases like this to be buried – bad practice should be rooted out publicly and by the right people, so all can learn by example. I can’t make Freedom of Information requests to the Fundraising Regulator because they’re not covered, and given the track record of the FRSB, being told rather haughtily that “it is for our organisation and the ICO to discuss and agree what issues we should and shouldn’t be investigating” doesn’t fill me with very much confidence that the right lessons have been learned. The Fundraising Regulator should be transparent about what cases are passing through their doors, which get passed on, and which don’t. Otherwise, perhaps the Mail should start digging again.

We need to talk about Ardi

This week, Private Eye reported that the publishers Kogan Page had withdrawn a book about the GDPR by Ardi Kolah, after they received allegations of plagiarism from several sources. Most references to the GDPR Handbook have been scrubbed from Kolah’s online history and Kogan Page’s website is terse, to say the least. The fate of Kolah’s book is interesting not only because the high-profile author is involved in both Henley Business School’s GDPR course and the British Computer Society’s Data Protection Certificate, but because Kolah has repeatedly sought to build his reputation through an association with the Information Commissioner, Elizabeth Denham.

The ‘About the Author’ section of his book describes Kolah as having “worked closely” with Denham, and there is some substance to the claim. Not only did Denham write the foreword for the book (and also for Kolah’s luxury leather-bound edition of the GDPR), she invited him to be one of the judges of her inaugural Data Protection Officer award.

Denham’s foreword describes him admiringly as a veteran of the Data Protection sector. She describes the UK’s data protection community before her arrival from Canada as a “small group of people ready to help each other out to raise standards”. She claims Kolah was someone who “flew the flag for data protection many years before it broke into the mainstream with the GDPR”. After some flannel, she returns to the theme: “Ardi and others of his generation often walked a rather lonely path in their efforts to have data protection taken seriously by the mainstream” and praises the book as “authoritative”.

I made an FOI request to the ICO asking if she wrote the foreword because I had a sneaking suspicion that Kolah himself might have been the author. The response was emphatic: “The Commissioner wrote the foreword and was the author of the Word document that was sent to Mr Kolah with the foreword in it. Mr Kolah had no input in the content of the foreword, did not ask for any input and did not ask for any copy approval of the foreword. The version sent to him on 6th April represented the Commissioner’s final wording to appear in the book unedited and unabridged.” This means that Denham is entirely responsible for the claims about Ardi Kolah’s career in Data Protection that appear in the foreword, and I think that’s a problem.

For most of his career, Kolah has been a PR guy. He worked as head of communications or PR for a variety of different organisations between 1995 and (at least) 2012. He worked for the BBC up until 1995, but after that, he did PR for Arthur Andersen, Cancer Research and Logica among others. His own CV on LinkedIn shows him as ‘Global Head of Public Relations’ for Brit Insurance until 2012. The notion that Kolah was flying the flag for Data Protection for “many years” and that he was part of a generation of people who worked thanklessly in the DP mines is plainly unsustainable. Even now, his Twitter account describes him as a “Commentator on all things sales and marketing and social media”. Kolah’s own timeline doesn’t mention Data Protection until 2012, when he says he founded a company called Go DPO, and even so, it’s hard to square his version with other available information.

An experienced training consultant called Darren Verrian is also on LinkedIn, and he says that he started work on Go DPO in May 2015, three years after Kolah. This is interesting because Verrian describes himself as ‘co-founder’ of the business. Furthermore, Companies House shows that on 2nd June 2015, Kolah and Verrian registered two companies, one called Go DPO EU Recruitment (which was dissolved in February 2018), and another called Go DPO EU Compliance (which is still trading). Subsequently, they registered Go DPO EU Advisory Services in February 2016 (dissolved in March 2018), and finally Go DPO EU Consultancy Services in August 2017 (also still trading). Weirdly, despite his claim that he was running Go DPO in 2012, a company called Genworth Financial announced on 28th May 2012 that they had hired Kolah as their Director of Communications. Kolah doesn’t mention Genworth Financial anywhere on his LinkedIn CV.

I think it’s impossible to reconcile Denham’s claims about Kolah’s longstanding involvement in Data Protection with his own CV, but the contradiction between Kolah’s and Verrian’s respective claims and the facts on Companies House makes it worse. As far as I can see, Ardi Kolah is not a Data Protection veteran: he’s just good at PR. Since I started to make mischief at his expense, several people have approached me with stories of Kolah’s error-strewn, self-promoting performances at conferences, and his now-disgraced book is a bloated mix of turgid management-speak and basic errors.

I didn’t identify the examples of apparent plagiarism or report them to Kogan Page, but I have seen them and it’s obvious to me why the publishers withdrew the book. I think Kolah owes everyone who bought the book an apology, and Kogan Page owes them a refund (I’m aware that they did offer a refund to at least one purchaser on the proviso that he returned the book). Perhaps Kolah did Data Protection work before May 2015 but I can’t find it. Maybe he can reconcile his and Verrian’s accounts and explain why no variant of a company called Go DPO was registered in 2012. But even if 2012 really is when he started, the way Denham characterises him in her foreword is at best wildly exaggerated, and a slap in the face for those of us who really have been working on UK data protection for a long time.

Moreover, unless he can refute the plagiarism allegations (and having seen what they’re based on, it would require a lot more than spin to achieve that), I think Kolah should resign from three of his current roles. There is no way that someone guilty of plagiarism should have a role on an exam board, at a prestigious business school or as Editor-in-Chief of a widely published journal. If he does not, then the BCS, Henley Business School and the editorial board of Journal of Data Protection and Privacy (many of whom are quoted in the book endorsing it) should sack him. They cannot be seen to tolerate plagiarism. Whether his friends at Amplified Business Content (who organise many of the conferences that Kolah speaks at) or Hitachi (who employ him as a part-time DPO) still think he’s an appropriate person to work with is none of my business.

A more important question than the fate of Mr Kolah is what this mess says about Elizabeth Denham. Kolah trades on his ‘close working relationship’ with the Commissioner. Denham should have shut down this inappropriate use of her name, but instead, she promoted both Kolah’s book and the man himself by asking him to be a judge of the DPO award. When I made an FOI request to the ICO about Denham’s relationship with Kolah, they were in denial, refusing to accept that writing a foreword was an endorsement:

it may be helpful to note that we do not consider that writing a foreword in an official capacity to be an endorsement or to be otherwise advertising a commercial product. A decision to write a foreword or review is normally taken on the basis of the ICO being aware of the author’s standing as a practitioner or expert, and the value the book adds to the information rights community

ICO comments received by Private Eye suggest that while Denham definitely wrote the foreword, she may not have even read the book. Kolah sent it to her, but the ICO said she did not study the book, relying instead on her ‘prior confidence’ in the author. Along with several other people, I have asked the ICO to show what evidence Denham relied on to make her assertions about Kolah’s long history in UK data protection. They admit that no such information is held. Denham made assertions to support her friend and help sell his book, and I don’t think she can substantiate them.

The Information Commissioner should not endorse commercial products, and this isn’t the first time she’s been willing to lend her authority when doing so. Kolah’s book has turned out to be damaged goods, but if she’d had the sense not to endorse anything, she wouldn’t have this problem. What this says about Denham’s judgement isn’t pretty, and I think it’s untenable for her to stay silent on the matter. Rather than throwing spokespersons under the bus, Denham should explain it herself. What due diligence did she do on Kolah? Did anyone even Google him? Why does she think he’s got a long and distinguished career in Data Protection when he hasn’t? And most of all, how can she assure us that she’s independent when she can be persuaded to make a mistake as big as this?