We need to talk about Ardi

This week, Private Eye reported that the publishers Kogan Page had withdraw a book about the GDPR by Ardi Kolah, after they received allegations of plagiarism from several sources. Most references to the GDPR Handbook have been scrubbed from Kolah’s online history and Kogan Page’s website is terse, to say the least. The fate of Kolah’s book is interesting not only because the high profile author is involved in both Henley Business School’s GDPR course and the British Computer Society’s Data Protection Certificate, but because Kolah has repeatedly sought to build his reputation through an association with the Information Commissioner, Elizabeth Denham.

The ‘About the Author’ section of his book describes Kolah as having “worked closely” with Denham, and there is some substance to the claim. Not only did Denham write the foreword for the book (and also for Kolah’s luxury leather-bound edition of the GDPR), she invited him to be one of the judges of her inaugural Data Protection Officer award.

Denham’s foreword describes him admiringly as a veteran of the Data Protection sector. She describes the UK’s data protection community before her arrival from Canada as a “small group of people ready to help each other out to raise standards“. She claims Kolah was someone who “flew the flag for data protection many years before it broke into the mainstream with the GDPR“. After some flannel, she returns to the theme: “Ardi and others of his generation often walked a rather lonely path in their efforts to have data protection taken seriously by the mainstream” and praises the book as “authoritative“.

I made an FOI request to the ICO asking if she wrote the foreword because I had a sneaking suspicion that Kolah himself might have been the author. The response was emphatic: “The Commissioner wrote the foreword and was the author of the Word document that was sent to Mr Kolah with the foreword in it. Mr Kolah had no input in the content of the foreword, did not ask for any input and did not ask for any copy approval of the foreword. The version sent to him on 6th April represented the Commissioner’s final wording to appear in the book unedited and unabridged.” This means that Denham is entirely responsible for the claims about Ardi Kolah’s career in Data Protection that appear in the foreword, and I think that’s a problem.

For most of his career, Kolah has been a PR guy. He worked as head of communications or PR for a variety of different organisations between 1995 and (at least) 2012. He worked for the BBC up until 1995, but after that, he did PR for Arthur Andersen, Cancer Research and Logica among others. His own CV on LinkedIn shows him as ‘Global Head of Public Relations’ for Brit Insurance until 2012. The notion that Kolah was flying the flag for Data Protection for “many years” and he was part of a generation of people who worked thanklessly in the DP mines is plainly unsustainable. Even now, his Twitter account describes him as a “Commentator on all things sales and marketing and social media“. Kolah’s own timeline doesn’t mention Data Protection until 2012, when he says founded a company called Go DPO, and even so, it’s hard to square his version with other available information.

An experienced training consultant called Darren Verrian is also on LinkedIn, and he  says that he started work on Go DPO in May 2015, three years after Kolah. This is interesting because Verrian describes himself as ‘co-founder’ of the business. Furthermore, Companies House shows that on 2nd June 2015, Kolah and Verrian registered two companies, one called Go DPO EU Recruitment (which was dissolved in February 2018), and another called Go DPO EU Compliance (which is still trading). Subsequently, they registered Go DPO EU Advisory Services in February 2016 (dissolved in March 2018), and finally Go DPO EU Consultancy Services in August 2017 (also still trading). Weirdly, despite his claim that he was running Go DPO in 2012, a company called Genworth Financial announced on 28th May 2012 that they had hired Kolah as their Director of Communications. Kolah doesn’t mention Genworth Financial anywhere on his LinkedIn CV.

I think it’s impossible to reconcile Denham’s claims about Kolah’s longstanding involvement in Data Protection with his own CV, but the contradiction between Kolah and Verrian’s respective claims and the facts on Companies House make it worse. As far as I can see, Ardi Kolah is not a Data Protection veteran: he’s just good at PR. Since I started to make mischief at his expense, several people have approached me with stories of Kolah’s error-strewn, self-promoting performances at conferences, and his now-disgraced book is an bloated mix of turgid management-speak and basic errors.

I didn’t identify the examples of apparent plagiarism or report them to Kogan Page, but I have seen them and it’s obvious to me why the publishers withdrew the book. I think Kolah owes everyone who bought the book an apology, and Kogan Page owes them a refund (I’m aware that they did offer a refund to at least one purchaser on the proviso that he returned the book). Perhaps Kolah did Data Protection work before May 2015 but I can’t find it. Maybe he can reconcile his and Verrian’s accounts and explain why no variant of a company called Go DPO was registered in 2012. But even if 2012 really is when he started, the way Denham characterises him in her foreword is at best wildly exaggerated, and a slap in the face for those of us who really have been working on UK data protection for a long time.

Moreover, unless he can refute the plagiarism allegations (and having seen what they’re based on, it would require a lot more than spin to achieve that), I think Kolah should resign from three of his current roles. There is no way that someone guilty of plagiarism should have a role on an exam board, at a prestigious business school or as Editor-in-Chief of a widely published journal. If he does not, then the BCS, Henley Business School and the editorial board of Journal of Data Protection and Privacy (many of whom are quoted in the book endorsing it) should sack him. They cannot be seen to tolerate plagiarism. Whether his friends at Amplified Business Content (who organise many of the conferences that Kolah speaks at) or Hitachi (who employ him as a part-time DPO) still think he’s an appropriate person to work with is none of my business.

A more important question than the fate of Mr Kolah is what this mess says about Elizabeth Denham. Kolah trades on his ‘close working relationship‘ with the Commissioner. Denham should have shut down this inappropriate use of her name, but instead, she promoted both Kolah’s book and the man himself by asking him to be a judge of the DPO award. When I made an FOI request to the ICO about Denham’s relationship with Kolah, they were in denial, refusing to accept that writing a foreword was an endorsement:

it may be helpful to note that we do not consider that writing a foreword in an official capacity to be an endorsement or to be otherwise advertising a commercial product. A decision to write a foreword or review is normally taken on the basis of the ICO being aware of the author’s standing as a practitioner or expert, and the value the book adds to the information rights community

ICO comments received by Private Eye suggest that while Denham definitely wrote the foreword, she may not have even read the book. Kolah sent it to her, but the ICO said she did not study the book, relying instead on her ‘prior confidence‘ in the author. Along with several other people, I have asked the ICO to show what evidence Denham relied on to make her assertions about Kolah’s long history in UK data protection. They admit that no such information is held. Denham made assertions to support her friend and help sell his book, and I don’t think she can substantiate them.

The Information Commissioner should not endorse commercial products, and this isn’t the first time she’s been willing to lend her authority when doing so. Kolah’s book has turned out to be damaged goods, but if she’d had the sense not to endorse anything, she wouldn’t have this problem. What this says about Denham’s judgement isn’t pretty, and I think it’s untenable for her to stay silent on the matter. Rather than throwing spokespersons under the bus, Denham should explain it herself. What due diligence did she do on Kolah? Did anyone even Google him? Why does she think he’s got a long and distinguished career in Data Protection when he hasn’t? And most of all, how can she assure us that she’s independent when she can be persuaded to make a mistake as big as this?

 

Cop out

On May 3rd 2018, Elizabeth Denham appeared on Channel 4 News as part of her long running commitment to generating headlines. Denham’s track record on the programme is not great – it was on the same programme in March that she adopted the interesting tactic (uniquely, as far as I can see) of informing an organisation in public and in advance that she planned to apply for a warrant to raid them, losing what might be a useful element of surprise in order to look tough in front of Jon Snow.

In the more recent interview, the Commissioner claimed that she had the power to fine directors and had done so. I made an FOI request about this, and the ICO admitted that “we do not have the power to directly fine directors“, directly contradicting what Denham said. You can tell me that ICO has the power to go after directors in limited circumstances that can result in a court issuing a fine and that must be what she meant (ICO did) but that’s not good enough. The DP regulator went on the telly and claimed to have a power she doesn’t have – it’s surely part of Denham’s job to increase understanding of Data Protection, not to muddy the waters.

In the same interview, Denham cheerily announced that she saw herself as a Sheriff of the internet. Arguably, she should be a Mountie but let’s leave that to one side. I assumed that the statement was a throwaway, not a serious statement of how Denham sees herself and her office. I was wrong. There’s a pattern. In a fawning profile by the Observer’s Carole Cadwalladr a few weeks ago, the Commissioner delivered a soundbite that I suspect is intended to epitomise the Denham Era: “Data crimes are real crimes“. And in the recently leaked DCMS Committee report into Fake News, she was at it again:

For the public, we need to be able to understand why an individual sees a certain ad. Why does an individual see a message in their newsfeed that somebody else does not see? We are really the data cops here. We are doing a data audit to be able to understand and to pull back the curtain on the advertising model around political campaigning and election

I think the misleading impression being created here could attract the label ‘fake news’ just as much as any of the internet nonsense Denham and her fanbase are supposedly against. Data crimes are usually not real crimes, and in most cases, the ICO are not the cops. The GDPR doesn’t make anything a criminal offence, and the offences under the Data Protection Act 2018, like those in its predecessor the 1998 Act, are specific. It’s a criminal offence to take, procure or sell personal data without the permission of the data controller; it’s an offence to re-identify depersonalised data (in circumstances so tightly defined I doubt there will be a successful prosecution), and it can be an offence to oblige someone to make a subject access request. Admittedly, the DPA 2018 is stricter in this area – offences under the DPA 1998 were not recordable so you wouldn’t get a criminal record if you committed them, a position that is sensibly reversed in the new version.

However, in some circumstances, the DPA 2018 is less oriented towards offences than the  DPA 1998. A breach of an Enforcement or Information Notice is no longer subject to prosecution, being punishable by a penalty instead. That might result in stricter punishments, but that depends on Wilmslow showing a willingness to use the powers, and in any case, it’s not a criminal sanction. The much-vaunted criminal prosecution of SCL by the Commissioner over David Carroll’s subject access request is doomed in my opinion, but if it goes ahead, it will almost certainly be the last prosecution for a breach of a notice. None of the DP offences are punishable with prison, and for all Denham’s bluster about being a data cop, she never publicly applies the pressure for custodial sentences. For all his faults, her predecessor Christopher Graham never missed an opportunity to do so.

If Facebook willingly shared its customers personal data with Cambridge Analytica, it would not be a criminal offence. If they reused their customers’ data and sold it to list brokers, it would not be a criminal offence. As drafted, the ‘victim’ of most data protection offences would be the data controller, not the person whose data is misappropriated, sold or misused. Denham wants to conjure up images of cops and robbers, but she’s misleading the public. Who knows, maybe she doesn’t want people to realise that the only sanction for the majority of data transgressions are monetary penalty that she has the power to approve. Maybe she means ‘data crimes should be real crimes‘, but if that’s the case, that what she should say instead of giving the wrong impression.

There’s another problem. By setting herself up as the Internet Sheriff, Denham is creating expectations I don’t believe she’s prepared to meet. In all her public appearances, the Commissioner is clearly trying to mark out the internet and new technology as her manor. Supporters like Cadwalladr are only too happy to play along. The Observer piece contains a brief but devastating verdict on thirty or so years of ICO work and four previous Commissioners: “a somewhat dusty regulator dealing in a niche topic“. I’m the last person to defend the ICO, but this writes off Wilmslow’s endeavours on phone hacking, union blacklisting, the lost HMRC data disks and many DP and PECR fines which even I can’t deny have changed behaviour for the better in many sectors. I can’t say that Denham endorses this trashing of her predecessors’ efforts, but she hasn’t repudiated it either. What must her staff think of it?

Strip away the recent headlines for prosecutions and £500,000 fines that haven’t actually happened yet, and Denham’s record is hardly the Data Protection equivalent of Wyatt Earp taking on the Clantons. When dealing with the misuse of 1.6 million people’s data by the Royal Free Hospital and the AI company owned by Google (exactly the kind of tech territory we’re supposed to believe she wants to police), Denham’s ICO asked the Royal Free to sign an undertaking. There is no automatic sanction if they go back on it. Faced with multiple instances of charities profiling potential donors in secret (not a million miles away from the kind of surreptitious data gathering that attracts her current ire), Denham’s response was reportedly to cut the originally proposed fines, such that Oxfam was fined just £6000. Late in 2017, Sheriff Denham issued an enforcement notice against the Ministry of Justice over shameful and long-running subject access backlogs that doubtlessly affected many people in desperate legal circumstances. She gave them eight months to comply and sneaked the notice out on the last working day before Christmas without a press release.

You can tell me that the ICO has consistently issued monetary penalties on Denham’s watch but so did Graham, though the double whammy of £400,000 CMPs on both TalkTalk and Carphone Warehouse weigh against my argument to some extent. But beyond those, Denham has done nothing revolutionary or interesting in enforcement. There has been no action on accuracy or retention, and little on the vital first principle beyond the charity cases that were obviously started under Graham.

Outwardly, Denham seems poised and plausible. Fate has dealt her the biggest data protection story in a decade and some overly sympathetic press coverage, so maybe she’s right to milk it and build up her part. There’s no question that she has a higher public profile than any of the Commissioners who have gone before her, and I know a lot of people in the DP world who think that this is automatically a good thing. I’m not convinced. I think ‘data crimes are real crimes’ could become as unhelpful a distraction as the pervasive ‘GDPR = consent’ myth, and nothing about the past two years convinces me that Denham really has what it takes to round up the internet’s outlaws. As always, I will delighted to be proved wrong; some eyecatching monster scalps is what I have spent years of blogging asking for, and it will make my job easier for the next few years. But unless she really pulls out the big guns, the Commissioner’s legacy may be less Gunfight at the IT Corral, and more Denham’s Last Stand.

 

The Secret Seven

Last year, I wrote about the fact that Councillor Alex Ganotis, Labour leader of Stockport Council is also a group manager at the Information Commissioner’s Office. After an FOI request, the ICO admitted that he managed the teams responsible for complaints about political parties and local councils. At the time, I argued that this was an unacceptable conflict of interest, and something had to be done about it.

In May this year, shortly after being elected as Manchester’s new Mayor, Andy Burnham appointed Cllr Ganotis as his Environmental Tsar. You can watch a video of the announcement here, and ponder such fascinating questions as why Burnham’s nose is so red, or why throughout the first two minutes, the camera keeps cutting to a wide shot that captures Ganotis’ uncomfortable facial expressions while Burnham is talking. The announcement piqued my interest. If he was organising a grand summit of environmental worthies, would Cllr Ganotis really have time to work at the ICO? And if so, what effect would the review into political activities that Elizabeth Denham announced have on his role?

I made an FOI request to the ICO for the following information:

1) In 2016, the ICO confirmed to me that Alex Ganotis was manager of the team that dealt with complaints about councils and political parties, despite being Leader of Stockport Council at the time. Can you confirm whether Mr Ganotis is still a member of ICO staff, and if so, what is his current job, and what arrangements have been made to avoid any potential conflict of interest?

2) What is the current ICO policy and process for dealing with political party affiliations and potential conflicts of interest?

3) In August 2016, the Information Commissioner announced in an interview with the BBC’s Martin Rosenbaum that she had ordered a review of the involvement of ICO staff in political activities. I would like to see any report or findings arising out of the review, or other summary of the review and its findings, and details of any actions that were taken as a result of it.

4) I would like to receive all current declarations made by any member of staff of involvement in political activities

5) What specific measures have been taken in respect of each staff member who has made a declaration to ensure that there is no conflict of interest?

The response made for fascinating reading. For one thing, Cllr Ganotis remains a Group Manager at Wilmslow and although his group no longer deals with political parties, it still covers issues related to all local authorities in the UK except for those in Greater Manchester, Cheshire or Derbyshire. How politicians and others in every council outside the North West feel about complaints about their authorities still being supervised by the Leader of a Labour Council and a close ally of Andy Burnham is hard to judge. They might be thrilled. Maybe the ICO should ask them.

The report I received under item (3) of my request did contain an option to remove Cllr Ganotis from work involving local authorities altogether, but one of the reasons that this option was not recommended was the fact that “it could be seen to question the professionalism of Alex and other members of staff and their ability to apply the law without bias or political influence“. How Cllr Ganotis’ political career could possibly be seen to reflect on other people is beyond me, but it is jarring that a significant factor in the decision to keep him involved in council work might have been the effect on him, rather than the Commissioner’s ability to operate independently. To be blunt, the ICO as a whole is more important.

UPDATE: I have attached the ICO’s report into the conflict of interest here, so readers can judge whether how objective and balanced it is: Commissioner Information Note – Political Activities.pdf

Unless every team in the ICO handles complaints about local authorities (and to lesser extent, government), Cllr Ganotis should have been moved to one that doesn’t. Having decide to pursue a high-profile political career, asking him to make a sacrifice to avoid conflicts of interest and their perception would not be too much. I am surprised that Cllr Ganotis has not requested such a transfer himself. To risk even the perception of influence over decisions about politically-run organisations, and at the same time pursue a high-profile political career suggests either an enormous amount of faith in one’s ability to compartmentalise, or just old fashioned hubris.

The review identified gaps in the ICO’s Political Activities Policy, with recommended “updates” including a stipulation that staff must avoid party political activities which might impair their ability to perform their duties impartially, a requirement to inform the ICO if their activities or areas of responsibility change, and the scope to remove permission to undertake political activities if an individual’s ICO role or political activity changes. Needless to say, this means that none of this existed before.

The rest of the FOI request suggests a continuing unwillingness to face the issue of political involvement. Including Cllr Ganotis, eight staff members have made declarations of involvement in political activities, but the ICO refused to tell me who the other seven are, or what they do, claiming that the data is sensitive personal data. This is true, but it is not automatically a barrier to disclosure. For one thing, the Secret Seven could be asked for consent, and this is not the only route to disclosure.

There is surely a legitimate interest in knowing whether people working for an independent regulator such as the Commissioner have political affiliations, especially when you consider the ICO’s involvement in political matters. Over the past few years, the ICO has fined Leave.EU, David Lammy MP over his London Mayoral Campaign, the Daily Telegraph for its pro-Tory emails during the 2015 election, and in recent months, they took no action against Virgin Trains following Jeremy Corbyn’s antics in a train vestibule. More importantly, the Commissioner herself announced a formal investigation into the use of data analytics for political purposes with no small amount of fanfare, involving 20 staff. The ICO is knee-deep in politics and transparency over the declared political activities of the staff is in the public interest.

As the data is sensitive personal data, legitimate interests would not be enough; a condition must also be met from Schedule 3 of the Data Protection Act as well. One of the conditions is that the Data Subject has put their sensitive data into the public domain. If, for example, a senior ICO staff member was to mention on their LinkedIn page that they were a Councillor for 9 years, the Campaigns and Communications Officer for an MEP for five years, listed the Liberal Democrats as one of their main interests and was recommended for ‘politics’ and ‘political campaigning’ by dozens of people, I think I can argue that at least this one has manifestly made their political views public. The ICO refusal says “our staff do not have a reasonable expectation that their declarations would be disclosed into the public domain“, but the staff member in question was a candidate for the LibDems in the 2015 General Election, so I humbly suggest that the cat is out of the bag. Either this person is one of the seven, and the ICO’s arguments are false, or they haven’t made a declaration, and the ICO’s claim to me that “the review and policies are sufficient to demonstrate that we avoid conflicts in our work” is nonsense. Again, did they consider this before refusing me?

Every national, local, or internal party election or referendum runs on personal data, and personal data is exploited, analysed, shared, lost, stolen and misused in every single one of them. If you can name a major vote in this decade that hasn’t resulted in a DP snarl-up, you’ve a better memory than me. If there is one word that shines through everything the Commissioner sent me on this topic, last time and this time, it’s  complacency. The policies and procedures that existed before and the ones that have replaced them are built on an obvious assumption that a box needs to be ticked. Of course nobody is actually going to do anything untoward, the managers are on top of it, staff will proactively declare any conflicts of interest and besides, we have a procedure. But they thought it was all fine before. If I had not written my blog last summer, Cllr Ganotis would still be responsible for managing complaints involving his council, his party and his opposition.

I don’t think the Commissioner’s Office takes this seriously. I am amazed that Alex Ganotis is still allowed any influence over the ICO’s decisions about local government, regardless of how objective or benign that influence might be. I am appalled that anyone in the ICO’s senior management could think that this is acceptable. Every time the Commissioner acts or doesn’t act on a political issue, do we always need to ask: who was involved? What bias, conscious or unconscious, did they bring to bear? What other interests do they serve? In a world dominated by fake news and internet froth, the ICO’s independence and objectivity should be their highest priority. It isn’t.

Advertising standards

This week, the great and the good and some other people descend on Cambridge for the 30th Annual Privacy Laws and Business’ three day Data Protection Conference in Cambridge. It’s a big event, with Data Protection regulators, practitioners and a large collective noun of DP lawyers all milling around St John’s College listening to each other talk. I’ve only been once – no employer I’ve ever worked for wanted to pay, so I ended up pitching PLB a talk about crap Data Protection stories so I could get in for nothing. The cheapest possible ticket is a one day option for charities and the public sector at £437.50 +VAT; for 3 days, that goes up to £1242.50 + VAT, while someone working for a company with more than 500 employees will pay £1775 + VAT, plus more for accommodation or the optional Sunday night dinner. The college bars have extended opening hours in case you have more money to burn.

As PLB’s amusingly vulgar marketing makes clear, this is no dry academic event. For attendees with the requisite funds, the conference is an opportunity to ‘take your place at the privacy top table‘ and enjoy ‘Privileged Access‘ to the various Data Protection regulators in attendance. Emails from PLB promise that DP Authorities such as Helen Dixon from Ireland, Isabelle Falque-Pierrotin from France and our very own Elizabeth Denham will be available for ‘priceless informal one-to-one discussions’ and will be ‘pleased to engage you in discussion‘. Imagine that.

The UK’s Information Commissioner is being particularly accommodating this year. As well as being listed on the conference website as a ‘Supporter’ of this commercial event, the Commissioner herself is giving a talk on Tuesday and chairing another session while no fewer than five ICO staff members will be in attendance (a fact advertised by PLB in the ‘top table’ email). Perhaps most generously of all, Mrs Denham is the star of an advert for the conference, happily plugging the relaxed atmosphere and expert PLB staff while exhorting viewers to attend. And this is where I have a problem.

There’s nothing wrong with the ICO appearing at commercial events like this – big conferences are a legitimate way to make the organisation more visible and get messages out. It’s very different if the ICO is endorsing the event in question. The PLB conference is not a charity or public sector event – it is a commercial conference run for profit. The ICO’s speaking engagement policy says explicitly that ICO officers should avoid accepting invitations where ‘our attendance can be interpreted as ICO endorsement of a commercial organisation over those of competitors‘, and yet Denham has gone further than that, by actively promoting the conference and the expertise of PLB’s staff. The same policy states that the ICO logo must not be displayed when labelled as a ‘supporter’ – which is exactly what PLB are doing with the logo on their website.

I made an FOI request to the ICO about Denham’s appearance in the advert, asking for emails and other correspondence about why she agreed to do it. In the initial response, there was no evidence of an invitation, only emails arranging the filming itself. When I queried this, I was told that the original request was made and agreed to verbally last October, and while there may have been some follow-ups by email shortly thereafter, they will have been deleted because the ICO deletes all emails from everyone’s inbox after six months. So Denham, who famously burnishes her records management credentials, didn’t think it was worth keeping a record of why she had decided to endorse a commercial event, despite breaching her own speaking engagement policy and code of conduct by doing so.

The correspondence I did get was nevertheless illuminating. When I made my request, I used the word ‘advert’ because PLB were describing it as a ‘conference video’ and I wanted to underline what it really was. However, the word ‘advert’ is used routinely by ICO staff in their emails – there is no question that Denham and her staff perceived it as being something else. The content of Denham’s turn came directly from Stewart Dresner, PLB’s Chief Executive. Even specific phrases that she uses (the sickly ‘summer school‘ for example, at which she at least has the decency to laugh while saying) come direct from one of his emails to her. After it was filmed, Denham was keen to check that Dresner thought the video was OK, and he replied with a sentence that should have pulled everyone up short: “I greatly appreciate you taking this step and so effectively endorsing several important features of our conference” (my emphasis). The ICO is an independent regulator; endorsing commercial products or events should be beyond the pale. The ICO’s code of conduct is obviously based on the Civil Service Code, but they have adapted it in a key passage. The Civil Service Code says that officers should not use information they have obtained in the course of their work to favour others, but the ICO goes further:

You should not misuse your official position, or information acquired during the course of your duties, to further your private interests or those of others

If you are a member of the senior management team, or a member of staff who is either working on a contract or dealing with issues which could raise matters of substance, you should ensure that any possible conflicts of interest are identified at an early stage and that appropriate action is taken to resolve them.

 

Senior officers like Robert Parker, the ICO’s head of communications, and Steve Wood, recently appointed Deputy Commissioner after Rob Luke’s mysterious cameo appearance, were involved throughout this correspondence. Even if Denham didn’t think an endorsement could be problematic, her staff should have intervened. Most of the ICO’s senior management were at least copied into the emails I’ve received, and none of them identified a problem in the Commissioner personally endorsing a commercial event in breach of her own policies. There is a telling moment in the correspondence where Dresner complains that PLB were not aware of Denham giving evidence to Parliament. Dresner’s expectation is that PLB will be tipped off about such appearances: “we do suggest that you distinguish between your mass media list, who would receive some media releases, and your specialist media list, who would receive all of them“. It’s clear that Dresner expects special treatment – and why wouldn’t he? The Commissioner herself is advertising his conference.

Nobody at the ICO would ever recommend anything that I did or was involved in because I write stuff like this, so you might think this is all just sour grapes. Given that I don’t think the ICO is an effective regulator, I couldn’t seek their approval even if they would give it but in any case, I don’t want Wilmslow’s endorsement. If I have anything going for me as a itinerant jobbing consultant, it’s that I am independent and I encourage the people I deal with to think and act independently. What’s distasteful about this episode is that the Commissioner, for whom independence isn’t a bonus but a necessity, doesn’t seem to act in the same way. Using the regulator’s name to flog conference places should be inconceivable, and yet this is what Denham has done. However prestigious or expert they may appear, the Information Commissioner should not personally or corporately recommend or endorse commercial products and organisations. This shouldn’t have happened, and it must not happen again.

Analyse This

With no small amount of fanfare, the Information Commissioner Elizabeth Denham recently announced a “formal” investigation into the use of data analytics for political purposes. The use of targeted ads in political campaigns – especially those where the Right triumphed – has been much in the headlines, and the ICO clearly feels the need to react. Denham blogged on her website: “this investigation is a high priority for my office in our work to uphold the rights of individuals and ensure that political campaigners and companies providing services to political parties operate within UK law.”. The investigation was greeted with enthusiasm – the journalist Carole Cadwalladr who has made a lot of the running over analytics in the Observer was supportive and the Data Protection activist Paul-Olivier Dehaye hailed it as ‘very important’.

Saying that Facebook is probably abusing privacy rights (and acting as a conduit for the abuse of privacy rights) is a bit like saying that rain is wet. Some of Cadwalladr’s reports have drawn fascinating (if hotly disputed) links between various right-wing vampires like Nigel Farage, Dominic Cummings and Steve Bannon, and draw interesting (and hotly disputed) links between various Brexit campaigns and the tech firm Cambridge Analytica. Other of her stories are lame; a recent article complained that people Cadwalladr doesn’t approve of are outbidding people she does approve of when buying Facebook ads, which isn’t really news.

Worse than that, another article enthusiastically repeated Stephen Kinnock MP’s calls for an investigation into Tory data use, ignoring the fact that on the same day, Labour was hoovering up emails on its website without a privacy policy (which, like the marketing emails they will inevitably send) is a breach of Data Protection. The article makes the false claim that it is illegal to use data about political opinions without consent. Several people (including the chair of the National Association of Data Protection Officers) pointed this out to Cadwalladr, but the article is uncorrected at the time of writing. If you want to write about political parties and campaigns abusing data protection and privacy and you only acknowledge the dodgy things that one side gets up to, your allegations should not be taken too seriously. Politics is a swamp, and everyone is covered in slime. Given Cadwalladr’s shaky understanding of Data Protection law, it’s not hard to believe that her interest in the topic is mainly motivated by politics, and the ICO needs to be careful not to be sucked in.

It’s odd that allegations made to the ICO about data misuse by Owen Smith and Jeremy Corbyn, or candidates for the UNITE leadership have come to nothing, and yet here we have a formal investigation announced with great flourish into an issue that is largely perceived as affecting the right. I’m left-wing myself, but if Denham is going to take action over the political use of personal data, I expect her to be scrupulously even-handed.

However, I doubt very much whether action on this issue will ever happen. Just after the announcement, I made an FOI request to the Commissioner’s office about the nature of the investigation – how many people were involved and where from, what powers the ICO was using to conduct the investigation, and who the most senior person involved was. What I was trying to find out was simple – is this an investigation likely to lead to guidance or enforcement?

Here is what my FOI revealed (questions in bold, ICO answers below)

1) Under what specific powers is the investigation being carried out?

Initial intelligence gathering would fall under the general duties of the Commissioner to promote good practice (section 51) of the DPA. This may lead to use of investigatory powers and enforcement where necessary, under the provisions set out in Part V of the DPA, as well as the CMP powers at section 55A.  The Commissioner also has powers of entry and inspection under schedule 9 of the DPA.

2) How many members of staff are involved in the investigation?

It’s difficult to give an exact number, the ‘group’ involved will need to be established and documented in terms of reference which will be done shortly. At this stage, from the information we hold, we can say that 16 member of staff have been involved and another 4 members of staff are also expected to be involved as the investigation progresses.

3, 4 and 5-
 
What are the job titles of the staff involved?
What is the name of the most senior person involved in the investigation?
Which department and team do these staff belong to?

Senior Policy Officer – Private Sector Engagement
Group Manager – Private Sector Engagement
Policy Officer – Private Sector Engagement
Lead Communications Officer – Communication Planning
Senior Policy Officer – Public Policy and Parliament
Intelligence and Research Officer – Intelligence Team
Team Manager (Intelligence) – Intelligence Team
Lead Intelligence and research Officer – Intelligence Team
Team Manager – Enforcement (PECR) – Investigations
Group Manager (Public Policy & Parliament) – Public Policy and Parliament
Senior Policy Officer (Public Policy & Parliament) – Public Policy and Parliament
Team Manager (Enforcement Team 2) – Enforcement
Team Manager – Communications – Communications Planning
Head of Corporate Affairs – Communications Planning
Group Manager – Public Sector Engagement – Public Sector Engagement

The most senior person is Steve Wood – Head of International Strategy & Intelligence – International & Intelligence Management

*************************************************************************************

What does this tell us?

The main contributors are Engagement (which is presumably the successor to the old Strategic Liaison department whose chief role was holding hands with stakeholders), and policy (whose main contribution to the debate on big data is this endless and almost unreadable discussion paper). The most senior person involved is Steve Wood, who has an academic background. Of the 16 involved, just two are from Enforcement, outnumbered even by the comms staff. Apologists for Wilmslow will leap on that bit that says “This may lead to use of investigatory powers and enforcement where necessary“, but my response to that is an armpit fart. The ICO is starting from the perspective of promoting good practice run by an academic, which is just about the silliest response to this issue that I can think of.

Some areas that the ICO regulates are prime candidates for guidance. The public sector, charities and regulated industries are likely to be influenced by what the ICO says. Other areas – list broking and compensation claims spring to mind – are immune to policy and guidance, but politics is the best example. Politics is about power – if a party, campaign or individual can take power while breaching DP law, they will. It isn’t that they don’t understand the law, it is that they don’t care. No political party or campaign will be influenced by ICO guidance, and to pretend otherwise is childish. All major political parties (Labour, LibDems, SNP, Tory) have received a PECR Enforcement Notice over automated calls, and yet they flout PECR all the time with emails and yet more calls, as anyone who heard from David Lammy knows only too well. Even when the ICO fined Leave.EU during the referendum, the campaign’s reaction (“Whatever”) could not have been more derisive because they could afford to pay the fine. Either the ICO comes into politics using its powers to the maximum possible extent against everyone (£500,000 penalties, or more useful, enforcement notices that are backed up by prosecution), or they should leave the field.

We already know that the outcome of this investigation will be revealed long after the election is over, when anything that the Commissioner says or does will have no effect on the real world. On the evidence of my FOI, I predict there will be no fines, no enforcement notices, no action. There will be a long, thorough and thoughtful report that nobody in politics will pay attention to, and only people like me will read. The first task of the Supervisory Authority under GDPR is to ‘monitor and enforce’. Long ago, when I worked there, the joke went around the ICO that senior officers operated under the mantra ‘thinking is doing’, as an excuse to avoid taking any action. I don’t care if no senior officer ever actually said this – on big strategic issues, the ICO has always laboured under this approach. Denham’s first big splash was to follow through on charity enforcement when the easy choice was to back down. She deserves praise for that decision. However, If there is an international right-wing conspiracy to hijack democracy across the world, I don’t think a thought symposium is going to save us.