Advertising standards

This week, the great and the good and some other people descend on Cambridge for the 30th Annual Privacy Laws and Business’ three day Data Protection Conference in Cambridge. It’s a big event, with Data Protection regulators, practitioners and a large collective noun of DP lawyers all milling around St John’s College listening to each other talk. I’ve only been once – no employer I’ve ever worked for wanted to pay, so I ended up pitching PLB a talk about crap Data Protection stories so I could get in for nothing. The cheapest possible ticket is a one day option for charities and the public sector at £437.50 +VAT; for 3 days, that goes up to £1242.50 + VAT, while someone working for a company with more than 500 employees will pay £1775 + VAT, plus more for accommodation or the optional Sunday night dinner. The college bars have extended opening hours in case you have more money to burn.

As PLB’s amusingly vulgar marketing makes clear, this is no dry academic event. For attendees with the requisite funds, the conference is an opportunity to ‘take your place at the privacy top table‘ and enjoy ‘Privileged Access‘ to the various Data Protection regulators in attendance. Emails from PLB promise that DP Authorities such as Helen Dixon from Ireland, Isabelle Falque-Pierrotin from France and our very own Elizabeth Denham will be available for ‘priceless informal one-to-one discussions’ and will be ‘pleased to engage you in discussion‘. Imagine that.

The UK’s Information Commissioner is being particularly accommodating this year. As well as being listed on the conference website as a ‘Supporter’ of this commercial event, the Commissioner herself is giving a talk on Tuesday and chairing another session while no fewer than five ICO staff members will be in attendance (a fact advertised by PLB in the ‘top table’ email). Perhaps most generously of all, Mrs Denham is the star of an advert for the conference, happily plugging the relaxed atmosphere and expert PLB staff while exhorting viewers to attend. And this is where I have a problem.

There’s nothing wrong with the ICO appearing at commercial events like this – big conferences are a legitimate way to make the organisation more visible and get messages out. It’s very different if the ICO is endorsing the event in question. The PLB conference is not a charity or public sector event – it is a commercial conference run for profit. The ICO’s speaking engagement policy says explicitly that ICO officers should avoid accepting invitations where ‘our attendance can be interpreted as ICO endorsement of a commercial organisation over those of competitors‘, and yet Denham has gone further than that, by actively promoting the conference and the expertise of PLB’s staff. The same policy states that the ICO logo must not be displayed when labelled as a ‘supporter’ – which is exactly what PLB are doing with the logo on their website.

I made an FOI request to the ICO about Denham’s appearance in the advert, asking for emails and other correspondence about why she agreed to do it. In the initial response, there was no evidence of an invitation, only emails arranging the filming itself. When I queried this, I was told that the original request was made and agreed to verbally last October, and while there may have been some follow-ups by email shortly thereafter, they will have been deleted because the ICO deletes all emails from everyone’s inbox after six months. So Denham, who famously burnishes her records management credentials, didn’t think it was worth keeping a record of why she had decided to endorse a commercial event, despite breaching her own speaking engagement policy and code of conduct by doing so.

The correspondence I did get was nevertheless illuminating. When I made my request, I used the word ‘advert’ because PLB were describing it as a ‘conference video’ and I wanted to underline what it really was. However, the word ‘advert’ is used routinely by ICO staff in their emails – there is no question that Denham and her staff perceived it as being something else. The content of Denham’s turn came directly from Stewart Dresner, PLB’s Chief Executive. Even specific phrases that she uses (the sickly ‘summer school‘ for example, at which she at least has the decency to laugh while saying) come direct from one of his emails to her. After it was filmed, Denham was keen to check that Dresner thought the video was OK, and he replied with a sentence that should have pulled everyone up short: “I greatly appreciate you taking this step and so effectively endorsing several important features of our conference” (my emphasis). The ICO is an independent regulator; endorsing commercial products or events should be beyond the pale. The ICO’s code of conduct is obviously based on the Civil Service Code, but they have adapted it in a key passage. The Civil Service Code says that officers should not use information they have obtained in the course of their work to favour others, but the ICO goes further:

You should not misuse your official position, or information acquired during the course of your duties, to further your private interests or those of others

If you are a member of the senior management team, or a member of staff who is either working on a contract or dealing with issues which could raise matters of substance, you should ensure that any possible conflicts of interest are identified at an early stage and that appropriate action is taken to resolve them.

 

Senior officers like Robert Parker, the ICO’s head of communications, and Steve Wood, recently appointed Deputy Commissioner after Rob Luke’s mysterious cameo appearance, were involved throughout this correspondence. Even if Denham didn’t think an endorsement could be problematic, her staff should have intervened. Most of the ICO’s senior management were at least copied into the emails I’ve received, and none of them identified a problem in the Commissioner personally endorsing a commercial event in breach of her own policies. There is a telling moment in the correspondence where Dresner complains that PLB were not aware of Denham giving evidence to Parliament. Dresner’s expectation is that PLB will be tipped off about such appearances: “we do suggest that you distinguish between your mass media list, who would receive some media releases, and your specialist media list, who would receive all of them“. It’s clear that Dresner expects special treatment – and why wouldn’t he? The Commissioner herself is advertising his conference.

Nobody at the ICO would ever recommend anything that I did or was involved in because I write stuff like this, so you might think this is all just sour grapes. Given that I don’t think the ICO is an effective regulator, I couldn’t seek their approval even if they would give it but in any case, I don’t want Wilmslow’s endorsement. If I have anything going for me as a itinerant jobbing consultant, it’s that I am independent and I encourage the people I deal with to think and act independently. What’s distasteful about this episode is that the Commissioner, for whom independence isn’t a bonus but a necessity, doesn’t seem to act in the same way. Using the regulator’s name to flog conference places should be inconceivable, and yet this is what Denham has done. However prestigious or expert they may appear, the Information Commissioner should not personally or corporately recommend or endorse commercial products and organisations. This shouldn’t have happened, and it must not happen again.

Analyse This

With no small amount of fanfare, the Information Commissioner Elizabeth Denham recently announced a “formal” investigation into the use of data analytics for political purposes. The use of targeted ads in political campaigns – especially those where the Right triumphed – has been much in the headlines, and the ICO clearly feels the need to react. Denham blogged on her website: “this investigation is a high priority for my office in our work to uphold the rights of individuals and ensure that political campaigners and companies providing services to political parties operate within UK law.”. The investigation was greeted with enthusiasm – the journalist Carole Cadwalladr who has made a lot of the running over analytics in the Observer was supportive and the Data Protection activist Paul-Olivier Dehaye hailed it as ‘very important’.

Saying that Facebook is probably abusing privacy rights (and acting as a conduit for the abuse of privacy rights) is a bit like saying that rain is wet. Some of Cadwalladr’s reports have drawn fascinating (if hotly disputed) links between various right-wing vampires like Nigel Farage, Dominic Cummings and Steve Bannon, and draw interesting (and hotly disputed) links between various Brexit campaigns and the tech firm Cambridge Analytica. Other of her stories are lame; a recent article complained that people Cadwalladr doesn’t approve of are outbidding people she does approve of when buying Facebook ads, which isn’t really news.

Worse than that, another article enthusiastically repeated Stephen Kinnock MP’s calls for an investigation into Tory data use, ignoring the fact that on the same day, Labour was hoovering up emails on its website without a privacy policy (which, like the marketing emails they will inevitably send) is a breach of Data Protection. The article makes the false claim that it is illegal to use data about political opinions without consent. Several people (including the chair of the National Association of Data Protection Officers) pointed this out to Cadwalladr, but the article is uncorrected at the time of writing. If you want to write about political parties and campaigns abusing data protection and privacy and you only acknowledge the dodgy things that one side gets up to, your allegations should not be taken too seriously. Politics is a swamp, and everyone is covered in slime. Given Cadwalladr’s shaky understanding of Data Protection law, it’s not hard to believe that her interest in the topic is mainly motivated by politics, and the ICO needs to be careful not to be sucked in.

It’s odd that allegations made to the ICO about data misuse by Owen Smith and Jeremy Corbyn, or candidates for the UNITE leadership have come to nothing, and yet here we have a formal investigation announced with great flourish into an issue that is largely perceived as affecting the right. I’m left-wing myself, but if Denham is going to take action over the political use of personal data, I expect her to be scrupulously even-handed.

However, I doubt very much whether action on this issue will ever happen. Just after the announcement, I made an FOI request to the Commissioner’s office about the nature of the investigation – how many people were involved and where from, what powers the ICO was using to conduct the investigation, and who the most senior person involved was. What I was trying to find out was simple – is this an investigation likely to lead to guidance or enforcement?

Here is what my FOI revealed (questions in bold, ICO answers below)

1) Under what specific powers is the investigation being carried out?

Initial intelligence gathering would fall under the general duties of the Commissioner to promote good practice (section 51) of the DPA. This may lead to use of investigatory powers and enforcement where necessary, under the provisions set out in Part V of the DPA, as well as the CMP powers at section 55A.  The Commissioner also has powers of entry and inspection under schedule 9 of the DPA.

2) How many members of staff are involved in the investigation?

It’s difficult to give an exact number, the ‘group’ involved will need to be established and documented in terms of reference which will be done shortly. At this stage, from the information we hold, we can say that 16 member of staff have been involved and another 4 members of staff are also expected to be involved as the investigation progresses.

3, 4 and 5-
 
What are the job titles of the staff involved?
What is the name of the most senior person involved in the investigation?
Which department and team do these staff belong to?

Senior Policy Officer – Private Sector Engagement
Group Manager – Private Sector Engagement
Policy Officer – Private Sector Engagement
Lead Communications Officer – Communication Planning
Senior Policy Officer – Public Policy and Parliament
Intelligence and Research Officer – Intelligence Team
Team Manager (Intelligence) – Intelligence Team
Lead Intelligence and research Officer – Intelligence Team
Team Manager – Enforcement (PECR) – Investigations
Group Manager (Public Policy & Parliament) – Public Policy and Parliament
Senior Policy Officer (Public Policy & Parliament) – Public Policy and Parliament
Team Manager (Enforcement Team 2) – Enforcement
Team Manager – Communications – Communications Planning
Head of Corporate Affairs – Communications Planning
Group Manager – Public Sector Engagement – Public Sector Engagement

The most senior person is Steve Wood – Head of International Strategy & Intelligence – International & Intelligence Management

*************************************************************************************

What does this tell us?

The main contributors are Engagement (which is presumably the successor to the old Strategic Liaison department whose chief role was holding hands with stakeholders), and policy (whose main contribution to the debate on big data is this endless and almost unreadable discussion paper). The most senior person involved is Steve Wood, who has an academic background. Of the 16 involved, just two are from Enforcement, outnumbered even by the comms staff. Apologists for Wilmslow will leap on that bit that says “This may lead to use of investigatory powers and enforcement where necessary“, but my response to that is an armpit fart. The ICO is starting from the perspective of promoting good practice run by an academic, which is just about the silliest response to this issue that I can think of.

Some areas that the ICO regulates are prime candidates for guidance. The public sector, charities and regulated industries are likely to be influenced by what the ICO says. Other areas – list broking and compensation claims spring to mind – are immune to policy and guidance, but politics is the best example. Politics is about power – if a party, campaign or individual can take power while breaching DP law, they will. It isn’t that they don’t understand the law, it is that they don’t care. No political party or campaign will be influenced by ICO guidance, and to pretend otherwise is childish. All major political parties (Labour, LibDems, SNP, Tory) have received a PECR Enforcement Notice over automated calls, and yet they flout PECR all the time with emails and yet more calls, as anyone who heard from David Lammy knows only too well. Even when the ICO fined Leave.EU during the referendum, the campaign’s reaction (“Whatever”) could not have been more derisive because they could afford to pay the fine. Either the ICO comes into politics using its powers to the maximum possible extent against everyone (£500,000 penalties, or more useful, enforcement notices that are backed up by prosecution), or they should leave the field.

We already know that the outcome of this investigation will be revealed long after the election is over, when anything that the Commissioner says or does will have no effect on the real world. On the evidence of my FOI, I predict there will be no fines, no enforcement notices, no action. There will be a long, thorough and thoughtful report that nobody in politics will pay attention to, and only people like me will read. The first task of the Supervisory Authority under GDPR is to ‘monitor and enforce’. Long ago, when I worked there, the joke went around the ICO that senior officers operated under the mantra ‘thinking is doing’, as an excuse to avoid taking any action. I don’t care if no senior officer ever actually said this – on big strategic issues, the ICO has always laboured under this approach. Denham’s first big splash was to follow through on charity enforcement when the easy choice was to back down. She deserves praise for that decision. However, If there is an international right-wing conspiracy to hijack democracy across the world, I don’t think a thought symposium is going to save us.

Caesar’s Wife

In May 2016, the Labour member for Heatons North, Alex Ganotis, became Leader of Stockport Council, having been a councillor for some years. A month or so later, I read a story mentioning him in the Manchester Evening News, and his name rang a bell. Alex Ganotis is also a Group Manager at the Information Commissioner’s Office – I know this because he has signed hundreds of FOI Decision Notices on behalf of the Commissioner.

I made an FOI request to the ICO to find out more about Mr Ganotis’ role – in particular, I wanted to know how likely it was that a professional politician might be involved in complaints to the ICO involving political parties or local government. If Mr Ganotis worked on financial services or health, for example, he would need to maintain a high degree of professionalism and neutrality, but there would be no immediate conflict of interest. So I asked the ICO what team he manages. The answer:

Mr Ganotis manages a team of staff who deal with complaints and concerns about councils and political parties

I had to read this several times before I could take it in.

The ICO’s Policy on party political activities is helpfully published on its website. It makes reassuring reading:

The ICO is an independent body and it is important for it to be free from party political bias, and to be clearly seen and acknowledged as being free from such bias……. It is of paramount importance that the ICO is acknowledged as being free from party political bias and influence. The work that we do can often be of a politically sensitive nature and any substantiated allegations of bias would have serious repercussions for the future of the ICO.

The policy sets out a process through which an ICO employee can gain approval for party political activities. I asked when Ganotis went through this process, and the ICO revealed that he was approved in October 2008, which means that his dual ICO / councillor role went on for nearly eight years before he became Leader – he did not seek re-approval when he became Leader, so it seems that the ICO has not reassessed his role now he is a council leader, nor has he asked for this to happen.

I asked for recorded information about the approval process for his role. The ICO has nothing. I asked for any recorded information about measures taken to ensure, in the Policy’s words, that ‘potential for conflicts of interest’ have been minimised with regard to Mr Ganotis’ role. Nothing is held. The ICO added “Mr Ganotis’ line manager and his peers are responsible for assigning decision notices and make a judgement on a case-by-case basis as to what he is assigned, taking into account whether individual cases could pose a potential conflict of interest.” There are no formal arrangements, no written criteria or parameters, nothing to measure or audit against. The ICO enthusiastically fines organisations hundreds of thousands of pounds for failing to maintain properly documented processes, but in the case of having a professional politician managing a team that deals with hundreds of complaints about political parties and councils, the ICO itself sees no need for rigour. Trust whoever decided that this is OK, Wilmslow says, because we have nothing else to offer.

Mr Ganotis is a Group Manager, answering to a Head of Department, but the ICO’s response makes clear that the former Information Commissioner himself, Richard Thomas, approved of the arrangement: “the Commissioner at that time was made aware of his standing and subsequent election“. When I wrote this blog originally, I assumed it was Christopher Graham who was Commissioner, but he did not take over until 2009. ICO trivia fans may remember that Graham was himself once a councillor (for the Liberal Party) and a twice-unsuccessful parliamentary candidate – one wonders if he knew about Ganotis’ status, and if he did not, why nobody told him.

Anyone who has political beliefs or leanings and works in local or central government knows the awkward but vital requirement to set those beliefs aside and act neutrally in the public interest. As a Labour voter in every election since 1992, I have done it myself. It is not easy, but you don’t need to be a saint to achieve it. I cast no doubt on Mr Ganotis’ personal integrity, or ability to do the same. But anyone who thinks that’s the point just needs to Google the title of this blog.

Mr Ganotis has signed hundreds of FOI decision notices on behalf of the Information Commissioner, exercising the Commissioner’s statutory powers. Those notices include  councils across the UK, and government departments run by ministers who, in his other role, Mr Ganotis publicly opposes, and he has been doing so for years. The ICO disclosed to me a spreadsheet of the cases that Ganotis’ team has dealt with since January 2014 (records before that are routinely destroyed). A quick glance at the organisations concerned give a flavour of the issues that pass across the team’s desk in just one month. In July 2016, I can see the Labour Party (8 times), Momentum, Saving Labour, and Progress. It is hard to imagine any team would be more steeped in politics and arguments about political activity than this one, and the (former) Information Commissioner decided that a professional politician was the right person to manage it.

Over the past few years, the Labour Party has carried out its obnoxious and unfair purge, struggled with allegations of member data misuse on all sides (Corbyn, Momentum and Owen Smith), and demonstrated the traditional party blindness to PECR. I have myself blogged sorrowfully but repeatedly about Labour’s Data Protection and privacy woes for several years. In all of that time, only David Lammy’s doomed automated calls have faced any enforcement action (and he wasn’t even an official Labour candidate in the election concerned). To be clear, I have no evidence of any influence being brought to bear on this. But, as the ICO’s own policy states explicitly, “the organisation does seek to ensure that the potential for conflicts of interest is minimised as is the possibility of the ICO being accused of being politically biased“. In this, Mr Ganotis, his line manager and the former Commissioner have failed, and failed spectacularly. How can anyone in politics have confidence in the ICO’s decisions?

Any FOI decision notice involving a council or a government department signed by Mr Ganotis could be tainted, and there are hundreds of them. The ICO’s failure to take action against the Labour Party for a consistently terrible approach to Data Protection and privacy issues is no longer just over-caution, but potentially something far more objectionable. Every case Mr Ganotis has been involved in could be perfect, but the ICO cannot guarantee this with a straight face; their own policy recognises the problem of perception, but their practice is blind to it. They could have moved Ganotis at any point since 2008 to another job of equal standing, and the problem would have evaporated. He is still in place.

That Mr Ganotis could not see that continuing to manage a team responsible for complaints about political parties and councils was incompatible with his role first as councillor and then as Council Leader raises a question about his judgement. That the ICO’s management was either unwilling or incapable of identifying and remedying the potential conflict of interest is a matter of serious public concern.

I have spent a decade and a half criticising, satirising and annoying the ICO in the hope that for no other reason than to spite me, they will become a more effective, more enthusiastic regulator of Data Protection. But this is too much. This is a genuine failure of governance. It could pollute a host of formal decisions (and indecisions) stretching back for years. It has to be dealt with.

I don’t understand how Mr Ganotis could ever sensibly manage the team responsible for political parties and enjoy the confidence of the public. Richard Thomas and Chris Graham should have stopped it, and I hope that the new Commissioner will ask questions about how her managers and Human Resources team could allow such a shocking situation to occur. But if all this isn’t put right, if this bizarre conflict of interest continues acknowledged but unaddressed, we should all look very closely at every decision that emerges from Wilmslow with a more sceptical eye than even I thought possible.

A bridge too far

June is a significant time for Data Protection in the UK. At the end the month, we have the EU vote (where a vote to leave will throw at least the timetable for implementation of the new General Data Protection Regulation into disarray) and Christopher Graham steps down as Information Commissioner, to be replaced by Elizabeth Denham. There are several reasons to be optimistic about Denham’s appointment – she is the first Information Commissioner to have previous experience of privacy and FOI work, she has already taken on big corporate interests in Canada, and she isn’t Richard Thomas.

However, Denham inherits a series of headaches as she begins her reign as Elizabeth II, and it’s difficult to know which of them will be the hardest to shake off. There is the GDPR implementation, which would be a challenge even without the uncertainty that Brexit will create. She also has to tackle the ICO’s lack of independence from Government, which results in scandalous outcomes like the admission in an FOI response that Wilmslow takes orders from its sponsor department (see answer 3 here). But perhaps biggest of all is the ICO’s approach to enforcement.

On FOI, the ICO doesn’t approach enforcement – it does pointless monitoring and audits without any evidence of success, and the major government departments use the ICO as their internal review, sometimes not bothering to answer requests unless ordered to do so by an ICO case officer. The sole enforcement notice in the past five years wasn’t even promoted by the office because the now departed Deputy Commissioner Graham Smith didn’t want to draw attention to the failure to tackle Whitehall’s FOI abuses.

On Data Protection, the approach is to enforce against self-reported security breaches. There is nothing wrong with lots of enforcement on security – it’s a significant requirement of the legislation and many people are concerned about it. The problem is that Wilmslow doesn’t enforce on anything else, despite breaches of the other principles being widespread and obvious. Unless I missed one, the ICO has issued 61 Data Protection monetary penalties since getting the power to do so. Two have been for non-security breaches: Pharmacy 2U (1st principle data sharing without consent) and Prudential Insurance (accuracy). The overwhelming majority of enforcement notices (and undertakings, if you count them, which you shouldn’t) are on security matters. This is despite the fact that the UK has a massive culture of unlawful data sharing, over-retention, flouted subject access and perhaps most obvious, rampant, damaging inaccuracy. The ICO does nothing about it.

A classic example is a story reported in the Observer about the Dartford Crossing between Kent and Essex. Automatic Number Plate Recognition is used by Highways England to issue penalty charges to drivers who use the crossings without paying by phone or web within a fixed period of time. The only problem is that drivers who have never used the crossing are getting the penalties, but it is more or less inconceivable that the ICO will take action.

Having used the crossing myself, I can confirm that there are some Data Protection issues with the signage around the bridge / tunnel – the Observer article explains well how the signs can easily be confused with those for the London congestion charge, which works entirely differently. This is, in itself, a potential data protection breach, as personal data needs to be obtained fairly, especially when the data being obtained (the license plate) will not only be used to levy a charge, but because court action may result for non-payment.

One person is quoted in the article as having being charged  because the system misread a ‘C’ as a ‘G’. The Observer also reports that hire car users sometimes find penalties aimed at the wrong person because Highways England don’t specify a date that the charge applies to. In another case, the person receiving the charge had sold the car in question, and had a letter from DVLA to prove it. As with most of these situations, terrible customer service and inflexible processes mean that even when a charge is applied to the wrong person, nobody in the food chain has the authority or the inclination to sort things out. Both of the individuals cited in detail by the Observer were headed for the baliffs until the Observer got involved, and all action was terminated. Research by Auto Express notes that only 1 in 25 people appeal their penalty, but 80% of those that do are successful.

Every time Highways England / Dart Charge issues a penalty against the wrong person, it is a breach of the fourth Data Protection principle, which states that “Personal data shall be accurate, and where necessary, up to date”. Note the lack of any qualification or context here – data is accurate, or it’s a breach. Clearly, this means that most organisations are breach DP every minute of every day simply because of typos, but even adopting a flexible approach, there can be no doubt that demanding money and threatening court action is a situation where the Data Controller must be certain that the data is accurate, and if they get the wrong person, it’s a breach. The security principle talks about “appropriate measures” to prevent incidents, but the fourth principle doesn’t: it’s absolute.

Highways England / Dart Charge have breached the DPA, but would it be possible for the ICO to take action? In order to issue a monetary penalty, the ICO has to meet a series of tests.

1. The breach is serious

Dart Charge are pursuing people for debts they don’t owe. It’s serious.

2. The breach is deliberate

This one is potentially tricky, as we would need evidence that Highways England know that they are operating on the basis of inaccurate information in order for the breach to be deliberate. I can’t prove that Highways England are deliberately pursuing people, knowing that they are the wrong targets, although one of the Observer readers quoted gives clear evidence that they might be: “I spent 20 minutes trying to get through to someone who kept telling me I had to pay, even though he could see the problem”. However, we don’t need deliberate if we have:

3. The Data Controller knew or ought to have known about the risk and failed to take steps to prevent it

This test is clearly met – Highways England know that most of their penalty charges are overturned on appeal, they know that their system misreads licence plate characters, that it fails to properly distinguish dates, and they know that people contact them multiple times with evidence that the charge is wrong, but they ignore this evidence until they are embarrassed into action by a national newspaper. The breaches are still happening.

4. The breach is likely to cause damage or distress

Innocent individuals who have not used the Dartford Crossing are being pursued and threatened with legal action if they do not pay money that they do not owe. The breach is causing damage and distress and is highly likely to do so.

The ICO does not enforce on accuracy and they won’t touch this case. If I tried to report it to them, they would ignore my complaint because I have not been affected (if an affected person complained, they would do an unenforceable assessment). They do not ask Data Controllers to report incidents of damaging inaccuracy, and they do not even advocate investigating incidents of inaccuracy in the way that they do for security. This despite that fact that inaccuracy leads to the wrong medical treatment being given, innocent people’s houses being raided by the police, and old men nearly drowning in canals. The ICO took no enforcement action in any of these cases, despite them being in the public domain. I have dozens of others. Meanwhile, the Commissioner chunters on about a series of accidents and mishaps without any direct evidence of harm (ironically, even the pace of security enforcement has slowed, with only three DP monetary penalties at all so far this year).

Whatever Ms Denham’s priorities might be, she cannot ignore this. The ICO has shirked its responsibilities on the other principles for too long. A quick glance at the articles relevant to enforcement show that the GDPR is specifically designed to give breaches of the principles the higher maximum penalty. It’s a riposte to the ICO’s enforcement priorities since the HMRC lost discs incident in 2007, and it’s a bridge that the new Commissioner must be willing to cross.