A poor lookout

I doubt I will ever wholly approve of anyone in the role of Information Commissioner until the Ministry of Justice comes to its senses and gives the job to me. However, I have always much preferred the verve and acerbity of Christopher Graham to the overcautious lawyerly approach of his predecessor, Richard Thomas. I don’t believe that Thomas would have been willing to enforce in the way Graham has managed (albeit that Mr Graham’s approach is fixated on one part of the public sector, and one part of one data protection principle), and he was nowhere near as good on the media stage – important for anyone in the role.

However, Graham’s interview with the Independent – timed presumably to coincide with the extension of his tenure to the legal maximum of 7 years – was dispiriting.

Some of the flaws in the article are not attributed directly to Graham – the text describes action taken under PECR as an attempt to ‘prosecute’, which is incorrect because it was a civil action. It’s entirely possible that this was the Indie’s mistake but it doesn’t help anyone to understand what the ICO does (presumably one aim of doing the interview) and it should have been corrected. But when the text later describes the Commissioner as having a ‘right to compulsory audit’ local government, this is also wrong. The ICO can do mandatory audits of Government and there was a consultation to give it powers to do the same for the NHS. Compulsory audits for local government aren’t on the table. This is a mistake that Christopher Graham has made before, so I suspect it came from him, but it’s also a sign of the limit on the current Commissioner’s ambitions. Where is the evidence that he wants such powers?

Something that can definitely be attributed to Mr Graham is his crass, discourteous description of local government as ‘hopeless’. Every council delegate at next week’s ICO Data Protection Officer’s Conference should make it their business to challenge him on it, and frankly, councils should stop cowering in front of the ICO, stop reporting incidents to his office and stop cooperating with its entirely voluntary audits unless they actively want one. The weekend’s big data protection story was the theft of data from Aviva and subsequent sale to claims management companies. Graham has done an admirable job of agitating for bigger fines for data theft, but part of the ICO’s beloved seventh principle requires organisations to take steps to prevent ‘unlawful processing’. It’s not just about catching the thieves afterwards, but attempting to thwart them in advance. I am certain that the ICO doesn’t have a clue whether the financial services industry is exemplary or hopeless in this regard. Mr Graham hasn’t even asked for the mandatory audit powers to find out. Councils are an easy target because they constantly move data around and FOI means that, unlike the private sector, they can’t keep their dirty laundry hidden. The ‘hopeless’ remark may have been off-the-cuff, but it suggests knowledge that his office hasn’t put the hours in to possess. Besides, Mr Graham is a journalist and would know that such a remark would make the final edit, so it’s an insulting message he wanted to send. I’d love to know what word he uses to describe the ICO’s non-existent enforcement of the FOI Act, to the extent that some government departments openly thumb their noses at his office, and thus at him.

More of a concern is Graham’s remark that “People have been challenging me on the bus about care.data. That’s the talking point but Snowden hasn’t been, which is kind of a surprise.” There are two things that bother me about this. Firstly, it suggests that Graham is out of touch with the public. It is not the ICO’s job to represent the public, it is their job to ensure that data controllers comply with the law (technically, the courts have more of a role in upholding individual rights than the ICO does). But nevertheless, Graham’s expectation that people would be button-holing him about the security services rather than the NHS is a tad elitist. The NSA’s spying on us all is obnoxious, but care.data is much more likely to have a direct effect on the man on the 130 bus to Wilmslow. More crucially, however, Snowden is not really on Graham’s territory. There is a very broad exemption in the DPA that you may not agree with, but which puts any activity ‘necessary’ for national security completely outside the DPA, and off the ICO’s radar. If the Commissioner was more concerned with matters that are more directly covered by his legislation, he might have avoided giving such inaccurate advice on care.data and pseudonymisation when on the BBC Breakfast sofa. It’s interesting that the Commissioner admits that his office failed to persuade NHS England to write to all citizens about care.data, which suggests that the stakeholder engagement approach doesn’t bear fruit.

Most depressing of all, however, is Graham’s complaint about the loss of the Scottish Borders appeal. Borders won their appeal because the ICO failed to establish a crucial part of the test that the law has set for them. The ICO has to show that it is “likely” that the breach – in this case, the failure to have a proper contract in place with a company scanning and disposing of records – would cause damage or distress. The ICO’s approach in Borders (and others) was to assume. For the ICO, lost records = identity theft. The civil burden of proof is lower than the criminal one, but it should not simply be what a clever man reckons. I made an FOI request for any evidence of the ICO’s claim that a lost passport number leads to identity theft, and they admitted that they don’t have any. If they propose to fine an organisation £250,000, the ICO ought to have more than an assumption and crucially, the law requires that they have more. But Mr Graham doesn’t appear to understand that: he complains: “I couldn’t prove that someone of malicious intent had picked up all this personal information and was going to be doing people down”. This is not why the case was lost (although it’s true that he couldn’t prove that).

The Information Commissioner is a single appointee helped by hundreds of staff, but nevertheless, a single appointee who is given all of the powers and obligations. Mr Graham must understand how his powers work. Papers spilling out of a bin isn’t a breach. It’s an incident. The Commissioner cannot issue a CMP for papers spilling out of a bin, or any other incident in itself. In Borders, he had to establish that there was a breach: there was no contract, so job done. Then he had to show that incidents like the papers in the bin were foreseeable and likely to cause damage or distress. People sometimes don’t have proper contracts with long-standing and trusted suppliers. Is it likely that this will lead to the supplier dumping paper records in a recycling bin? Will this lead to damage and distress? Honestly, I don’t know, but that’s what Mr Graham couldn’t prove to the satisfaction of the Tribunal and frankly, I think the test should be rigorous if the stakes are as high as a quarter of a million pounds. The Deputy Commissioner David Smith was chided by the Tribunal at the time for focussing too much on the incident, and here the Commissioner makes the same fundamental mistake.

Most of the other matters I’ve raised here are presentational and you might say trivial; this final one isn’t. The role of the Commissioner is to be a figurehead, a public face to play up the big picture, but if Mr Graham wants to complain about losing Tribunal cases, he has to know why he lost, and I’m not sure from the evidence that he does. If he, and the office as a whole, don’t learn the lessons, the important powers they were given under the tenure of his hesitant predecessor will become worthless. He’s still a more impressive figure than his predecessor, and almost certainly the most successful holder of the office so far. But this interview shows a Commissioner sniping at everyone but unsure of the details: not hopeless, but equally, not inspiring.

Walk the walk

Chris Graham gave an impressive interview to the Guardian which is published today. It’s nice to see the Information Commissioner standing up for the principles of transparency and Freedom of Information in the face of what everyone can see is an establishment backlash. As the article says:

“There are some very powerful voices saying it [the act] has all been a horrible mistake. Specifically, Tony Blair, Gus O’Donnell [the former head of the civil service] and the prime minister himself,” he said before adding the name of Simon Jenkins, the former Times editor and Guardian columnist.

To that list, we can also add Francis Maude, who imagines that he can make FOI redundant, and various slippery ministers who have allegedly been using private emails to get around legitimate scrutiny of their activities. Graham makes a compelling case, arguing that those who talk down FOI set the tone for everyone else. It cannot be a coincidence that the Cabinet Office’s record on FOI is dismal, given that it was until recently run by O’Donnell. The former Cabinet Secretary’s public antipathy towards FOI reared its head only when he decided to retire, but it’s probably a safe assumption that he wasn’t privately cheerleading for it before that.

Graham also skewered Maude’s patronising line on transparency, by arguing that “Sometimes the full story is in the background papers and minutes of meetings rather than just raw data.”

Graham’s analysis is right. People don’t always pay attention to the people at the top (just look at what happened to poor Bob Diamond, an honest man undone by a tiny number of unruly minions), but if they are given any excuse to be lazy, or to misbehave by the example set higher up, they’ll do it (just look at what happened…). I know of an organisation where the head of IT complains that having to remember a password to activate their Blackberry is too onerous and makes them look daft. The person responsible for Data Security might as well quit for all the good their efforts will do. If David Cameron was the politician he claimed to be – the one who offered ‘the most open and transparent government ever’ – then his approach to FOI would be very different. No-one would have believed Cameron if he pretended he was a big fan of the legislation, but a respectable politician would acknowledge it as an inconvenient but necessary part of an accountable democracy. Instead he whinges about FOI furring up the arteries of government while the Cabinet Office holds secret information on plans to charge for FOI requests that they at first claim does not exist.

Graham’s aplomb at dealing with the media draws a sharp and creditable contrast with his hesitant predecessor. Occasionally, there is misjudgement (as I said before, “wake up and smell the CMP” was an awful headline and whoever came up with it should be made to sit in a corner for a while). Nevertheless, the Commissioner is saying the right things and anyone who supports FOI should be happy that he isn’t congratulating himself for not taking on the big targets, which is what Richard Thomas did at Leveson.

The problem for Graham is clearly not a lack of ambition or self-belief. In one sense, the problem of doing the job of championing transparency is that you have to do it in a world shrouded in bullshit and euphemism. I listened to less than an hour of BBC Radio 4’s Today programme this morning, and as well as all the usual spin and lies, even the language was dishonest. After John Humphrys took someone to task for describing G4S as a ‘partner’ instead of a ‘contractor’, I started to hear the word everywhere, and never in a truthful context. Corporations bankrolling the Olympics were ‘partners’ rather than ‘advertisers’; TV companies screening Scottish Premiership Football were ‘partners’ rather than well, TV companies. Everyone wanted to wrap professional and commercial relationships in a blanket that implied a shared and personal endeavour, rather than each side being interested only in getting what they could out of the deal with minimum effort. The same circumlocutions infect politics and government, national and local. Doing the FOI job in these circumstances is like wading through custard.

However, one thing he can do is keep his own house in order. The Tribunal often has to criticise the ICO for their handling of FOI compliance – read paragraph 25 of this recent decision for a good example. The ICO ignores its own guidance on FOI by challenging an FOI applicant using an obvious pseudonym for no real reason, and then exemplifies the inherent flaw in that guidance by backing down the moment the fake-named applicant pushes back. More seriously, a certain blogger asked a sensible question about information notices and ended up finding out that the ICO doesn’t know how many information notices they have issued under FOI. As well as the clear implication that ICO staff are not following their own procedures (if they were, it would not exceed the FOI cost limit for the ICO to find all of the notices), there is a bigger point that whoever is corporately responsible for FOI strategy within the Office doesn’t have all of the information they need to do their job. How can they look for patterns of underlying problems (which multiple info notices would suggest) if they don’t even know how many they’ve issued?

I am, of course, assuming that someone is doing this, rather than everyone frenetically trying to keep the backlog on a leash. If they’re not, Graham’s words turn to ash in his mouth. Things are better than they were. Graham’s profile is bigger. The frenetic backlog bashing does at least mean that organisations cannot rely simply on the passage of time to escape accountability. I don’t imagine ministers slept easy in their beds when the ICO stood its ground on private email (and ministers should never sleep easy). For all of these things, Chris Graham deserves credit. But talk is cheap. Until the ICO can show that its own FOI and records management practice is exemplary, it cannot lecture anyone else. Until it shows that the most recalcitrant government departments will be brought to heel on FOI, every council and NHS trust will be justified in saying that they’re busy and under-resourced, and FOI is a burden they don’t need.

So two cheers for being a great advocate – the third is reserved for delivery.