Summit to hide?

On at least three occasions in the past year, a member of staff from the Information Commissioner’s Office has spoken at conferences organised under the banner of GDPR Conference or GDPR Summit. Garreth Cameron has appeared twice, and Lisa Atkinson was at the latest event on October 9th. Nothing odd about this, you would think – the ICO clearly wants to spread its message (such as it is) to a wide audience, and conferences are a way to do it. They should be wary about showing favouritism and they’re not very good at avoiding it – a certain Assistant Commissioner often appears at a certain training company’s courses, and appearing three times at one company’s commercial events comes close to being an endorsement.

But even if such regular support for a conference would otherwise be justified, in this case, I don’t think it is. It’s not easy to find out from the GDPR Summit website who is actually organises the conferences. A little bit of digging suggests that it is a company called Amplified Business Content. Amplified Business Content is also responsible for ‘GDPR Report’, which used to publish articles for free but has now gone to a subscriber model. Having an opaque company structure isn’t compliant with Data Protection because it’s not clear who the Data Controller is. Moreover, some of the material on their website is garbage – they have published quizzes with wrong answers, and harvested information without a privacy policy (though I noticed that after people on Twitter made a fuss of it, they stopped demanding email addresses to get scores on the quiz). Via GDPR Report, the organisation has pumped out reams of vague, badly-written stories including one titled ‘The Data Protection Apocalypse’ that claimed that organisations need consent for all processing – it was so bad that after a morning of criticism via Twitter and other sites, they had to delete it. Worst of all, Amplified Business Content has not notified the ICO under Data Protection – unless they are exempt (which for a conference organisation is hard to believe), this is a criminal offence.

Given that the ICO have given Amplified Business Content so much support, I wondered whether they had done any due diligence on the organisation before agreeing to speak at their events. Under FOI, I asked for the following:

Any information about due diligence carried out by the ICO before accepting invitations to speak at these events, including whether ICO staff checked if the company had a notification, and whether their materials and publications were accurate and reflected the ICO’s approach to the GDPR

Any procedure that requires ICO staff to carry out due diligence before accepting speaking engagements

The answer was that no information was held. The best they could offer was “We apply our speaking engagement policy here when making a decision whether or not to accept a request for a speaker“. Needless to say, the speaking engagement policy does not include any requirement to carry out due diligence. In other words, the fact that Amplified Business Content has not notified and has spread misleading and unhelpful information about a Data Protection apocalypse is irrelevant to Wilmslow. They’re not even expected to check whether the organisation has taken the most basic steps to comply with Data Protection law. This is remarkable, especially at a time when so many dodgy people have flooded into the Data Protection market.

Their answer to the first part of my request was more interesting, and more worrying. I asked for:

All correspondence between the ICO and Amplified Business Content or those purporting to represent GDPR Conference or GDPR Summit or GDPR Summit Europe (or other variations on the theme of GDPR Summit).

I’ve done this before, both with the Privacy Laws and Business Conference (which led to this blog) and True Swift, another organisation for whom the ICO has done several online courses. Both times, the ICO gave me detailed correspondence between themselves and the organisation, which allowed me to see, among other things, Stewart Dresner of PLB complaining that he doesn’t have special access to news about ICO activities. This time, however, the ICO has refused to give me any of the correspondence. The exemption they used is a prohibition on disclosure that applies when organisations supply data to the Commissioner when information “has been obtained by or furnished to the Commissioner under or for the purposes of the Information Acts”. In other words, ICO claims that when arranging their spots at the GDPR events, they were exercising their functions under the Data Protection Act. Needless to say, the refusal doesn’t say which function they were exercising – presumably I am expected to guess. I think the only function that could apply is the duty to promote the following of good practice under Section 51, but the idea that Parliament intended conference arrangements to be secret is a fairly bizarre idea.

Only two possibilities present themselves. The first is that the ICO’s policy is only to release material such as this with the consent of the organisation (which the prohibition allows), so PLB and TrueSwift consented to the disclosure and Amplified Business Content refused, which begs the question of what ABC have to hide. Their internal business arrangements are nobody’s business but theirs, but when dealing with the regulator, they should expect to be more open. I’ve made fun of Dresner following the disclosures, but the emails I received didn’t show him or his company doing anything inappropriate – the only criticism I’ve got is that the ICO should hold all organisations at arms length.

The other possibility is that the ICO is being inconsistent. They didn’t use this exemption before, but there is something awkward or embarrassing about their relationship with ABC that they want to cover up. Either way, it isn’t a good look for the transparency regulator to be hiding information about its dealings with a private company. The prohibition allows data controllers and public authorities being investigated for DP and FOI breaches to provide secret business information to the Commissioner with the confidence that it won’t be disclosed. This is entirely justifiable – otherwise, no organisation would ever give the ICO information they had withheld from an FOI or subject access applicant in case the applicant then tried to use FOI or DP to get it from Wilmslow.

This case is very different. The ICO has scant resources, and yet has regularly provided speakers to a commercial company with a spotty approach to Data Protection and is using the prohibition on disclosure to prevent legitimate scrutiny of their relationship. The prohibition does allow disclosures that are ‘necessary in the public interest’ – given ABC’s dissemination of scaremongering articles and possibly illegitimate non-notification, I am convinced that the public interest does support transparency here. Of course, the ICO might argue that if they disclose, this will deter conference organisers and others from approaching them – but who cares? This is far from a core activity for the Commissioner. If you’re not willing to be open in these circumstances, what has anyone involved in this got to hide?

The Secret Seven

Last year, I wrote about the fact that Councillor Alex Ganotis, Labour leader of Stockport Council is also a group manager at the Information Commissioner’s Office. After an FOI request, the ICO admitted that he managed the teams responsible for complaints about political parties and local councils. At the time, I argued that this was an unacceptable conflict of interest, and something had to be done about it.

In May this year, shortly after being elected as Manchester’s new Mayor, Andy Burnham appointed Cllr Ganotis as his Environmental Tsar. You can watch a video of the announcement here, and ponder such fascinating questions as why Burnham’s nose is so red, or why throughout the first two minutes, the camera keeps cutting to a wide shot that captures Ganotis’ uncomfortable facial expressions while Burnham is talking. The announcement piqued my interest. If he was organising a grand summit of environmental worthies, would Cllr Ganotis really have time to work at the ICO? And if so, what effect would the review into political activities that Elizabeth Denham announced have on his role?

I made an FOI request to the ICO for the following information:

1) In 2016, the ICO confirmed to me that Alex Ganotis was manager of the team that dealt with complaints about councils and political parties, despite being Leader of Stockport Council at the time. Can you confirm whether Mr Ganotis is still a member of ICO staff, and if so, what is his current job, and what arrangements have been made to avoid any potential conflict of interest?

2) What is the current ICO policy and process for dealing with political party affiliations and potential conflicts of interest?

3) In August 2016, the Information Commissioner announced in an interview with the BBC’s Martin Rosenbaum that she had ordered a review of the involvement of ICO staff in political activities. I would like to see any report or findings arising out of the review, or other summary of the review and its findings, and details of any actions that were taken as a result of it.

4) I would like to receive all current declarations made by any member of staff of involvement in political activities

5) What specific measures have been taken in respect of each staff member who has made a declaration to ensure that there is no conflict of interest?

The response made for fascinating reading. For one thing, Cllr Ganotis remains a Group Manager at Wilmslow and although his group no longer deals with political parties, it still covers issues related to all local authorities in the UK except for those in Greater Manchester, Cheshire or Derbyshire. How politicians and others in every council outside the North West feel about complaints about their authorities still being supervised by the Leader of a Labour Council and a close ally of Andy Burnham is hard to judge. They might be thrilled. Maybe the ICO should ask them.

The report I received under item (3) of my request did contain an option to remove Cllr Ganotis from work involving local authorities altogether, but one of the reasons that this option was not recommended was the fact that “it could be seen to question the professionalism of Alex and other members of staff and their ability to apply the law without bias or political influence“. How Cllr Ganotis’ political career could possibly be seen to reflect on other people is beyond me, but it is jarring that a significant factor in the decision to keep him involved in council work might have been the effect on him, rather than the Commissioner’s ability to operate independently. To be blunt, the ICO as a whole is more important.

UPDATE: I have attached the ICO’s report into the conflict of interest here, so readers can judge whether how objective and balanced it is: Commissioner Information Note – Political Activities.pdf

Unless every team in the ICO handles complaints about local authorities (and to lesser extent, government), Cllr Ganotis should have been moved to one that doesn’t. Having decide to pursue a high-profile political career, asking him to make a sacrifice to avoid conflicts of interest and their perception would not be too much. I am surprised that Cllr Ganotis has not requested such a transfer himself. To risk even the perception of influence over decisions about politically-run organisations, and at the same time pursue a high-profile political career suggests either an enormous amount of faith in one’s ability to compartmentalise, or just old fashioned hubris.

The review identified gaps in the ICO’s Political Activities Policy, with recommended “updates” including a stipulation that staff must avoid party political activities which might impair their ability to perform their duties impartially, a requirement to inform the ICO if their activities or areas of responsibility change, and the scope to remove permission to undertake political activities if an individual’s ICO role or political activity changes. Needless to say, this means that none of this existed before.

The rest of the FOI request suggests a continuing unwillingness to face the issue of political involvement. Including Cllr Ganotis, eight staff members have made declarations of involvement in political activities, but the ICO refused to tell me who the other seven are, or what they do, claiming that the data is sensitive personal data. This is true, but it is not automatically a barrier to disclosure. For one thing, the Secret Seven could be asked for consent, and this is not the only route to disclosure.

There is surely a legitimate interest in knowing whether people working for an independent regulator such as the Commissioner have political affiliations, especially when you consider the ICO’s involvement in political matters. Over the past few years, the ICO has fined Leave.EU, David Lammy MP over his London Mayoral Campaign, the Daily Telegraph for its pro-Tory emails during the 2015 election, and in recent months, they took no action against Virgin Trains following Jeremy Corbyn’s antics in a train vestibule. More importantly, the Commissioner herself announced a formal investigation into the use of data analytics for political purposes with no small amount of fanfare, involving 20 staff. The ICO is knee-deep in politics and transparency over the declared political activities of the staff is in the public interest.

As the data is sensitive personal data, legitimate interests would not be enough; a condition must also be met from Schedule 3 of the Data Protection Act as well. One of the conditions is that the Data Subject has put their sensitive data into the public domain. If, for example, a senior ICO staff member was to mention on their LinkedIn page that they were a Councillor for 9 years, the Campaigns and Communications Officer for an MEP for five years, listed the Liberal Democrats as one of their main interests and was recommended for ‘politics’ and ‘political campaigning’ by dozens of people, I think I can argue that at least this one has manifestly made their political views public. The ICO refusal says “our staff do not have a reasonable expectation that their declarations would be disclosed into the public domain“, but the staff member in question was a candidate for the LibDems in the 2015 General Election, so I humbly suggest that the cat is out of the bag. Either this person is one of the seven, and the ICO’s arguments are false, or they haven’t made a declaration, and the ICO’s claim to me that “the review and policies are sufficient to demonstrate that we avoid conflicts in our work” is nonsense. Again, did they consider this before refusing me?

Every national, local, or internal party election or referendum runs on personal data, and personal data is exploited, analysed, shared, lost, stolen and misused in every single one of them. If you can name a major vote in this decade that hasn’t resulted in a DP snarl-up, you’ve a better memory than me. If there is one word that shines through everything the Commissioner sent me on this topic, last time and this time, it’s  complacency. The policies and procedures that existed before and the ones that have replaced them are built on an obvious assumption that a box needs to be ticked. Of course nobody is actually going to do anything untoward, the managers are on top of it, staff will proactively declare any conflicts of interest and besides, we have a procedure. But they thought it was all fine before. If I had not written my blog last summer, Cllr Ganotis would still be responsible for managing complaints involving his council, his party and his opposition.

I don’t think the Commissioner’s Office takes this seriously. I am amazed that Alex Ganotis is still allowed any influence over the ICO’s decisions about local government, regardless of how objective or benign that influence might be. I am appalled that anyone in the ICO’s senior management could think that this is acceptable. Every time the Commissioner acts or doesn’t act on a political issue, do we always need to ask: who was involved? What bias, conscious or unconscious, did they bring to bear? What other interests do they serve? In a world dominated by fake news and internet froth, the ICO’s independence and objectivity should be their highest priority. It isn’t.

Analyse This

With no small amount of fanfare, the Information Commissioner Elizabeth Denham recently announced a “formal” investigation into the use of data analytics for political purposes. The use of targeted ads in political campaigns – especially those where the Right triumphed – has been much in the headlines, and the ICO clearly feels the need to react. Denham blogged on her website: “this investigation is a high priority for my office in our work to uphold the rights of individuals and ensure that political campaigners and companies providing services to political parties operate within UK law.”. The investigation was greeted with enthusiasm – the journalist Carole Cadwalladr who has made a lot of the running over analytics in the Observer was supportive and the Data Protection activist Paul-Olivier Dehaye hailed it as ‘very important’.

Saying that Facebook is probably abusing privacy rights (and acting as a conduit for the abuse of privacy rights) is a bit like saying that rain is wet. Some of Cadwalladr’s reports have drawn fascinating (if hotly disputed) links between various right-wing vampires like Nigel Farage, Dominic Cummings and Steve Bannon, and draw interesting (and hotly disputed) links between various Brexit campaigns and the tech firm Cambridge Analytica. Other of her stories are lame; a recent article complained that people Cadwalladr doesn’t approve of are outbidding people she does approve of when buying Facebook ads, which isn’t really news.

Worse than that, another article enthusiastically repeated Stephen Kinnock MP’s calls for an investigation into Tory data use, ignoring the fact that on the same day, Labour was hoovering up emails on its website without a privacy policy (which, like the marketing emails they will inevitably send) is a breach of Data Protection. The article makes the false claim that it is illegal to use data about political opinions without consent. Several people (including the chair of the National Association of Data Protection Officers) pointed this out to Cadwalladr, but the article is uncorrected at the time of writing. If you want to write about political parties and campaigns abusing data protection and privacy and you only acknowledge the dodgy things that one side gets up to, your allegations should not be taken too seriously. Politics is a swamp, and everyone is covered in slime. Given Cadwalladr’s shaky understanding of Data Protection law, it’s not hard to believe that her interest in the topic is mainly motivated by politics, and the ICO needs to be careful not to be sucked in.

It’s odd that allegations made to the ICO about data misuse by Owen Smith and Jeremy Corbyn, or candidates for the UNITE leadership have come to nothing, and yet here we have a formal investigation announced with great flourish into an issue that is largely perceived as affecting the right. I’m left-wing myself, but if Denham is going to take action over the political use of personal data, I expect her to be scrupulously even-handed.

However, I doubt very much whether action on this issue will ever happen. Just after the announcement, I made an FOI request to the Commissioner’s office about the nature of the investigation – how many people were involved and where from, what powers the ICO was using to conduct the investigation, and who the most senior person involved was. What I was trying to find out was simple – is this an investigation likely to lead to guidance or enforcement?

Here is what my FOI revealed (questions in bold, ICO answers below)

1) Under what specific powers is the investigation being carried out?

Initial intelligence gathering would fall under the general duties of the Commissioner to promote good practice (section 51) of the DPA. This may lead to use of investigatory powers and enforcement where necessary, under the provisions set out in Part V of the DPA, as well as the CMP powers at section 55A.  The Commissioner also has powers of entry and inspection under schedule 9 of the DPA.

2) How many members of staff are involved in the investigation?

It’s difficult to give an exact number, the ‘group’ involved will need to be established and documented in terms of reference which will be done shortly. At this stage, from the information we hold, we can say that 16 member of staff have been involved and another 4 members of staff are also expected to be involved as the investigation progresses.

3, 4 and 5-
 
What are the job titles of the staff involved?
What is the name of the most senior person involved in the investigation?
Which department and team do these staff belong to?

Senior Policy Officer – Private Sector Engagement
Group Manager – Private Sector Engagement
Policy Officer – Private Sector Engagement
Lead Communications Officer – Communication Planning
Senior Policy Officer – Public Policy and Parliament
Intelligence and Research Officer – Intelligence Team
Team Manager (Intelligence) – Intelligence Team
Lead Intelligence and research Officer – Intelligence Team
Team Manager – Enforcement (PECR) – Investigations
Group Manager (Public Policy & Parliament) – Public Policy and Parliament
Senior Policy Officer (Public Policy & Parliament) – Public Policy and Parliament
Team Manager (Enforcement Team 2) – Enforcement
Team Manager – Communications – Communications Planning
Head of Corporate Affairs – Communications Planning
Group Manager – Public Sector Engagement – Public Sector Engagement

The most senior person is Steve Wood – Head of International Strategy & Intelligence – International & Intelligence Management

*************************************************************************************

What does this tell us?

The main contributors are Engagement (which is presumably the successor to the old Strategic Liaison department whose chief role was holding hands with stakeholders), and policy (whose main contribution to the debate on big data is this endless and almost unreadable discussion paper). The most senior person involved is Steve Wood, who has an academic background. Of the 16 involved, just two are from Enforcement, outnumbered even by the comms staff. Apologists for Wilmslow will leap on that bit that says “This may lead to use of investigatory powers and enforcement where necessary“, but my response to that is an armpit fart. The ICO is starting from the perspective of promoting good practice run by an academic, which is just about the silliest response to this issue that I can think of.

Some areas that the ICO regulates are prime candidates for guidance. The public sector, charities and regulated industries are likely to be influenced by what the ICO says. Other areas – list broking and compensation claims spring to mind – are immune to policy and guidance, but politics is the best example. Politics is about power – if a party, campaign or individual can take power while breaching DP law, they will. It isn’t that they don’t understand the law, it is that they don’t care. No political party or campaign will be influenced by ICO guidance, and to pretend otherwise is childish. All major political parties (Labour, LibDems, SNP, Tory) have received a PECR Enforcement Notice over automated calls, and yet they flout PECR all the time with emails and yet more calls, as anyone who heard from David Lammy knows only too well. Even when the ICO fined Leave.EU during the referendum, the campaign’s reaction (“Whatever”) could not have been more derisive because they could afford to pay the fine. Either the ICO comes into politics using its powers to the maximum possible extent against everyone (£500,000 penalties, or more useful, enforcement notices that are backed up by prosecution), or they should leave the field.

We already know that the outcome of this investigation will be revealed long after the election is over, when anything that the Commissioner says or does will have no effect on the real world. On the evidence of my FOI, I predict there will be no fines, no enforcement notices, no action. There will be a long, thorough and thoughtful report that nobody in politics will pay attention to, and only people like me will read. The first task of the Supervisory Authority under GDPR is to ‘monitor and enforce’. Long ago, when I worked there, the joke went around the ICO that senior officers operated under the mantra ‘thinking is doing’, as an excuse to avoid taking any action. I don’t care if no senior officer ever actually said this – on big strategic issues, the ICO has always laboured under this approach. Denham’s first big splash was to follow through on charity enforcement when the easy choice was to back down. She deserves praise for that decision. However, If there is an international right-wing conspiracy to hijack democracy across the world, I don’t think a thought symposium is going to save us.

Another fine mess

For those working in Data Protection, there are many interesting things to note about the forthcoming General Data Protection Regulation. There is the clarification of consent, which may send tawdry marketers into a spin. There is the tightening of the rules over criminal records. There is the helpful emphasis on risk. My current favourite thing is a sly anti-establishment streak – here and there, the GDPR returns to the theme of the power imbalance between the data subject and the big public institution, and seeks to even up the score.

For some, however, there is only one thing to talk about. All that matters is the fines. Fines fines fines, all day long. A conference held in London last week was Fine City as far as the tweets were concerned. COMPANIES MIGHT GO BUST, apparently. Meanwhile, the Register breathlessly reheated a press release from cyber security outfit NCC Group, featuring a magical GDPR calculator that claims ICO’s 2016 penalties would have been either £59 million or £69 million under GDPR (the figure is different in the Register’s headline and story, and I can’t be bothered to find the original because it’s all bullshit).

This is my prediction. There will never be a maximum GDPR penalty in the UK. Nobody will ever be fined €20 million (however we calculate it in diminishing Brexit Pounds), or 4% of annual turnover. There will be a mild swelling in the amount of fines, but the dizzy heights so beloved of the phalanx of new GDPR experts (TRANSLATION: people in shiny suits who were in sales and IT in 2015) will never be scaled. It’s a nonsense myth from people with kit to sell. I have something to sell, friends, and I’m not going to sell it like this.

I have no quibble with DP officers and IG managers hurling a blood-curdling depiction of the penalties at senior management when they’re trying to get more / some resources to deal with the GDPR onslaught – I would have done it. There is probably a proper term for the mistake NCC made with their calculation, but I’m calling it the Forgetting The ICO Has To Do It Syndrome. NCC say Pharmacy2U’s penalty would inflate from £130,000 to £4.4 million, ignoring the fact that the decision would not be made by a robot. Pharmacy2U flogged the data of elderly and vulnerable people to dodgy health supplement merchants, and ICO *only* fined them £130,000, despite having a maximum of £500,000. Of course, some penalties have caused genuine pain for cash-strapped public authorities, but when NCC say that their adjusted-for-GDPR Pharmacy2U fine represented “a significant proportion of its revenues and potentially enough to put it out of business“, they’re not adjusting their hot air for reality.

Take the example of a monetary penalty issued by the ICO in March against a barrister. The barrister was involved in proceedings at the Family Court and the Court of Protection, so her files contained sensitive information about children and vulnerable adults. Despite guidance issued by the Law Society in 2013, they were stored unencrypted on her home computer. While upgrading the software on the machine, her husband backed up the files to online storage. Some of the files were indexed by search engines, and were subsequently found by a local authority lawyer.

The ICO fined the barrister £1000, reduced to £800 if they paid on time. I don’t think all barristers are loaded, but most could pay a penalty of £800 without going bankrupt. £800 isn’t remotely enough for a breach as basic and avoidable as this. The aggravating factors are everywhere – the Law Society guidance, the lack of encryption, the fact that the husband had access to the data. If the ICO was capable of issuing a £4.4 million penalty, they’d fine a barrister more than £800 for this mess. And what’s worse, they redacted the barrister’s name from the notice. The ICO offered no explanation for this, so I made an FOI request for the barrister’s name and for information about why the name was redacted.

They refused to give me the name, but disclosed internal correspondence about their decision to redact. There is a lot in the response to be concerned about. For one thing, in refusing to give me the name, the ICO contradicts its own penalty notice. The notice describes an ongoing contravention from 2013 (when the Law Society guidance was issued) to 2016 (when the data was discovered). Nevertheless, the FOI response states that “this data breach was considered a one off error“, and a reference to this characterisation is also made in the notes they disclosed to me.

If it was a one-off error, ICO couldn’t have issued the penalty, because they don’t have the power to fine people for incidents, only for breaches (in this case, the absence of appropriate technical and organisation security measures required by the Seventh Data Protection principle). Given that the notice states explicitly that the breach lasted for years, the ICO’s response isn’t true. It’s bad enough that the ICO is still mixing up incidents and breaches four years after this confusion lost them the Scottish Borders Tribunal appeal, it’s even worse that they seem not to understand the point of fining Data Controllers.

In the notes disclosed to me about the decision to redact the notice, ICO officials discuss the “negative impact” of the fine on the barrister, especially as she is a “professional person who is completely reliant on referrals from external clients“. Despite the Head of Enforcement putting a succinct and pragmatic case for disclosure: “it is easier to explain why we did (proportionate, deterrent effect) rather than why we didn’t“, he is unfortunately persuaded that the most important thing is to “avoid any damage to reputation”. Bizarrely, one person claimed that they could “get the deterrent message across” despite not naming the barrister.

The GDPR requires that fines be “effective, proportionate and dissuasive” – an anonymous £800 fine fails on each point. Anyone who takes their professional obligations seriously needs no horror stories to persuade them. For those who do not, an effective, proportionate and dissuasive penalty is either a stinging fine or naming and shaming. The ICO had no appetite for either option, and effectively let the barrister get away with it. They valued her professional reputation above the privacy of people whose data she put at risk, and future clients who will innocently give their confidential and private information to someone with this shoddy track record.

If the NCC Group, and all the various vendors and GDPR carpetbaggers are to be believed, within a year, the UK will operate under a regime of colossal, multi-million pound fines that will bring errant businesses to their knees. In reality, the ICO cut the fines on charities by 90% to avoid upsetting donors, and rendered their enforcement against an irresponsible data controller pointless for fear of putting her out of business.

These two pictures cannot be reconciled. It is entirely possible for the ICO to put someone out of business – indeed, many recipients of their PECR penalties are forced into liquidation (this may be a ploy to avoid the fines, but nevertheless, the businesses close). But the majority of PECR penalties are issued against businesses operating on the very fringe of legality – they are not mainstream data controllers. They are not nice, professional barristers. They are not the audience for the Great GDPR Fine Hysteria. If the ICO cannot stomach the risk of putting a single barrister out of business pour encourager les autres, it is disingenuous to pretend that they will rain down fire on mainstream data controllers after May 2018. We’ll get more of the same – cautious, reactive, distracted by the incident, and unwilling to take aim at hard targets. Plus ça change.

Fair Cop

The bedrock of Data Protection is fairness. You cannot gain consent without fairness. Your interests are not legitimate interests if they are secret interests. Unless you have an exemption or you claim that telling the person represents disproportionate effort (i.e. the effort of telling outweighs the actual impact), you have to tell the person whose data you are using the purposes for which their data will be used, and any other information necessary to make the processing fair.

The ICO’s Privacy Notices Code of Practice is not ambiguous, nor was its predecessor. It is impossible to read the ICO’s published guidance on fair processing without taking away the key message, consistently repeated for more than a decade: if something is surprising or objectionable, especially if it involves some kind of impact or sharing outside the organisation, it should be spelt out. New-ish Information Commissioner Elizabeth Denham seems to have chosen to reverse the ICO’s previously timid, unimaginative approach to the first principle with a pair of civil monetary penalties against charities. We have one each for the Royal Society for the Prevention of Cruelty to Animals, and the British Heart Foundation, with the promise of more to come. You might say it was unfortunate that charities are first in line rather than, say, credit reference agencies or list brokers (to be a touch tautological). It was the charity sector’s misfortune to fall under the Daily Mail’s Basilisk gaze, and they have to accept that we are where we are.

To issue a civil monetary penalty, there are three hurdles for the ICO to clear. Firstly, there must be a serious breach. Both charities used commercial companies to profile thousands (and in one case, millions) of donors, buying up data from publicly available sources* to assess their wealth and resources, they shared data with other charities whose identity they did not know via a commercial company, and in the case of the RSPCA, they bought contact details to fill in data that donors had provided. The average donor did not have any idea that this was happening. I can see there’s a problem that when everyone in the charity sector knows that wealth screening goes on, it seems normal. But I’ve been using it as an example on my training courses ever since the Mail revealed it, and bear in mind that these are often seasoned data protection professionals who know about data sharing and disclosure, attendees are invariably shocked and some cases revolted by what I tell them.

There is no doubt in my mind that this processing needed to be spelt out, and there is no doubt from the notices that it was not. Carefully selected third parties or partners has been a stupid lie in marketing for years, but not even knowing where the data goes is much worse than the usual flogging it to all comers. At least the list broker knows who he’s flogging it to, even though the only careful selection is the ability to pay.

The second hurdle is the need to show that the breach is likely to cause damage or distress to the affected data subjects. It’s been known for quite some time that the ICO was planning to take enforcement action over the Mail stories, and the gossip I heard from charities was that fines were likely. I’ll be honest, I wasn’t convinced. The Information Commissioner lost a Data Protection Tribunal appeal from Scottish Borders Council because they bungled the damage / distress element of a £250000 CMP over pension records found in recycling bins. ICO made a flawed claim that the loss of paper pension records was likely to result in identity theft, but Borders had an expert witness who could argue convincingly that this was not true. The link between the breach (the absence of a contract with the company processing the data) and the damage was broken, and the ICO lost.

But this case is different. The ICO does not need to make a link between an incident and a breach, because they are bound up together here. Both notices show that the ICO has given considerable thought to the distress angle. There is no question that the charities breached the first principle, and their only hope for an appeal is to convince the Tribunal that people would not be caused substantial distress by secret profiling and data sharing after an act of generosity. This is not science, and all I can say is that I am persuaded. But for an appeal to be successful, the charities will need to persuade a Tribunal with strong experience and knowledge of DP and PECR from the numerous (and almost exclusively doomed) marketing appeals.

The third element requires the breach to be deliberate or a situation where the charities ought reasonably to have known about the breach. As I have already said, the ICO’s position on fair processing is well known in my sector and available to anyone who can type the ICO’s web address. I think it’s possible that the charities didn’t know what they were doing was a breach, but in my opinion, this is because the Institute of Fundraising and the Fundraising Standards Board effectively acted as a firewall between charities and reality. The advice (often inaccurate and out of date) came from the IoF, and complaints about charities went to the FRSB and no further. When your code of practice is written by the people who earn their living from fundraising and most in your sector are doing the same thing as you are, it’s not hard to fool yourself into thinking it’s OK. But ‘everybody does it’ will cut no ice with the Tribunal. The RSPCA and the BHF are not tiny charities flailing in the dark – they are massive, multi-million pound operations with vastly greater resources than many of my clients.

Daniel Fluskey, head of Policy for the Institute of Fundraising, whose apparent lack of experience or qualifications in Data Protection does not prevent him from writing inaccurate articles for the charity sector on GDPR, has already weighed in, saying that the ICO should be providing the specific wording that charities require: “Charities need more detail on the ICO’s view of what lawful practice looks like: what form of words would have passed the test?” The Information Commissioner is the regulator for every organisation, of every size and shape, that processes personal data. If they start writing tailored wording for charities, they will have to do it for everyone else as well. It is a ridiculous demand. I think the ICO should move on to the data pools, wealth screeners and list brokers, but if she could find the time to issue an enforcement notice on the Institute of Fundraising, forbidding them ever to speak or write on Data Protection matters again, the third sector would have a fighting chance of complying.

Besides, how hard is it to find compliant wording? Nobody – especially not the trade association for fundraisers – should be allowed to present this as a byzantine and complex task. The individual doesn’t need to know what software you’re using, or whether cookies are involved. They need to understand the purpose – what are you collecting, what are you going to do with it, who are you going to give it to? This should be presented without euphemism or waffle, but it’s when you strip out the legalistic nonsense, you see the problem. It isn’t that the poor charities were labouring under the burden of complex data protection rules. They could not comply with the Data Protection Act because what they were doing (and in RSPCA’s case, are apparently still doing) is so unattractive:

  • We will share your details with unspecified charities via a commercial company. We don’t know who they are.
  • We will buy your phone number, postal or email address from a commercial company if you have not given it to us.
  • We will use commercial companies to compile a profile of your wealth and property to work out whether to ask you for further donations. If you are likely to be worth a lot when you die, we will use this information to ask you for a bequest.

When Reactiv Media appealed their PECR penalty, the Tribunal rejected their appeal and increased the penalty. Like a lot of the spammers, they put themselves into administration to avoid paying up, but this option is not available to household name charities. If either the RSPCA or BHF appeal, they are dragging themselves deeper into the mud, and very possibly spending thousands more of donors’ money to do so. If they say that what they did wasn’t a breach, or that they couldn’t have been expected to know that it was, their officers, advice and business model will be scrutinised to a doubtlessly painful extent. The claims management company Quigley and Carter found themselves described as “feckless” and “most unimpressive” in the course of being filleted during a recent failed appeal. Do charities really want that? Even if they decide to roll the dice solely on distress, does either charity really want to acknowledge a serious breach that they knew or ought to have know about in the hope of getting the fine overturned on a technicality? Do they want ICO to call donors as witnesses?

The business model of pressure selling, TPS-busting, heavy texting, data sharing and donor-swapping adopted by some of the UK’s most celebrated charities resembles nothing so much as the activities of the claims management, PPI spammers (i.e. the scum of the earth). For all the noise and bluster on Twitter and in the charity press this week, there is an uncomfortable truth that has to be faced. The hated Daily Mail unearthed it, and the ICO has rightly acted on it. Some big charities have run an end-justifies-the-means approach to marketing and they have got away with it for a decade. Fundraisers ruled the roost, and compliance has been sidelined or ignored. Given how much money the RSPCA and the BHF have raised from fundamentally unlawful practices, they should pull back and rethink how they get donations in the future. They should ignore the Institute of Fundraising’s every word on Data Protection and PECR, and like every other charity, concentrate on reading and applying the ICO’s Code on Privacy Notices and guidance on Direct Marketing.

And right now, if there is a fundraiser sitting with the two CMP notices working out how to at the same time devise a method to raise loads of cash for their cause while complying with Data Protection and PECR, I hope they wipe the floor with everyone else.

*citation needed