Analyse This

With no small amount of fanfare, the Information Commissioner Elizabeth Denham recently announced a “formal” investigation into the use of data analytics for political purposes. The use of targeted ads in political campaigns – especially those where the Right triumphed – has been much in the headlines, and the ICO clearly feels the need to react. Denham blogged on her website: “this investigation is a high priority for my office in our work to uphold the rights of individuals and ensure that political campaigners and companies providing services to political parties operate within UK law.”. The investigation was greeted with enthusiasm – the journalist Carole Cadwalladr who has made a lot of the running over analytics in the Observer was supportive and the Data Protection activist Paul-Olivier Dehaye hailed it as ‘very important’.

Saying that Facebook is probably abusing privacy rights (and acting as a conduit for the abuse of privacy rights) is a bit like saying that rain is wet. Some of Cadwalladr’s reports have drawn fascinating (if hotly disputed) links between various right-wing vampires like Nigel Farage, Dominic Cummings and Steve Bannon, and draw interesting (and hotly disputed) links between various Brexit campaigns and the tech firm Cambridge Analytica. Other of her stories are lame; a recent article complained that people Cadwalladr doesn’t approve of are outbidding people she does approve of when buying Facebook ads, which isn’t really news.

Worse than that, another article enthusiastically repeated Stephen Kinnock MP’s calls for an investigation into Tory data use, ignoring the fact that on the same day, Labour was hoovering up emails on its website without a privacy policy (which, like the marketing emails they will inevitably send) is a breach of Data Protection. The article makes the false claim that it is illegal to use data about political opinions without consent. Several people (including the chair of the National Association of Data Protection Officers) pointed this out to Cadwalladr, but the article is uncorrected at the time of writing. If you want to write about political parties and campaigns abusing data protection and privacy and you only acknowledge the dodgy things that one side gets up to, your allegations should not be taken too seriously. Politics is a swamp, and everyone is covered in slime. Given Cadwalladr’s shaky understanding of Data Protection law, it’s not hard to believe that her interest in the topic is mainly motivated by politics, and the ICO needs to be careful not to be sucked in.

It’s odd that allegations made to the ICO about data misuse by Owen Smith and Jeremy Corbyn, or candidates for the UNITE leadership have come to nothing, and yet here we have a formal investigation announced with great flourish into an issue that is largely perceived as affecting the right. I’m left-wing myself, but if Denham is going to take action over the political use of personal data, I expect her to be scrupulously even-handed.

However, I doubt very much whether action on this issue will ever happen. Just after the announcement, I made an FOI request to the Commissioner’s office about the nature of the investigation – how many people were involved and where from, what powers the ICO was using to conduct the investigation, and who the most senior person involved was. What I was trying to find out was simple – is this an investigation likely to lead to guidance or enforcement?

Here is what my FOI revealed (questions in bold, ICO answers below)

1) Under what specific powers is the investigation being carried out?

Initial intelligence gathering would fall under the general duties of the Commissioner to promote good practice (section 51) of the DPA. This may lead to use of investigatory powers and enforcement where necessary, under the provisions set out in Part V of the DPA, as well as the CMP powers at section 55A.  The Commissioner also has powers of entry and inspection under schedule 9 of the DPA.

2) How many members of staff are involved in the investigation?

It’s difficult to give an exact number, the ‘group’ involved will need to be established and documented in terms of reference which will be done shortly. At this stage, from the information we hold, we can say that 16 member of staff have been involved and another 4 members of staff are also expected to be involved as the investigation progresses.

3, 4 and 5-
 
What are the job titles of the staff involved?
What is the name of the most senior person involved in the investigation?
Which department and team do these staff belong to?

Senior Policy Officer – Private Sector Engagement
Group Manager – Private Sector Engagement
Policy Officer – Private Sector Engagement
Lead Communications Officer – Communication Planning
Senior Policy Officer – Public Policy and Parliament
Intelligence and Research Officer – Intelligence Team
Team Manager (Intelligence) – Intelligence Team
Lead Intelligence and research Officer – Intelligence Team
Team Manager – Enforcement (PECR) – Investigations
Group Manager (Public Policy & Parliament) – Public Policy and Parliament
Senior Policy Officer (Public Policy & Parliament) – Public Policy and Parliament
Team Manager (Enforcement Team 2) – Enforcement
Team Manager – Communications – Communications Planning
Head of Corporate Affairs – Communications Planning
Group Manager – Public Sector Engagement – Public Sector Engagement

The most senior person is Steve Wood – Head of International Strategy & Intelligence – International & Intelligence Management

*************************************************************************************

What does this tell us?

The main contributors are Engagement (which is presumably the successor to the old Strategic Liaison department whose chief role was holding hands with stakeholders), and policy (whose main contribution to the debate on big data is this endless and almost unreadable discussion paper). The most senior person involved is Steve Wood, who has an academic background. Of the 16 involved, just two are from Enforcement, outnumbered even by the comms staff. Apologists for Wilmslow will leap on that bit that says “This may lead to use of investigatory powers and enforcement where necessary“, but my response to that is an armpit fart. The ICO is starting from the perspective of promoting good practice run by an academic, which is just about the silliest response to this issue that I can think of.

Some areas that the ICO regulates are prime candidates for guidance. The public sector, charities and regulated industries are likely to be influenced by what the ICO says. Other areas – list broking and compensation claims spring to mind – are immune to policy and guidance, but politics is the best example. Politics is about power – if a party, campaign or individual can take power while breaching DP law, they will. It isn’t that they don’t understand the law, it is that they don’t care. No political party or campaign will be influenced by ICO guidance, and to pretend otherwise is childish. All major political parties (Labour, LibDems, SNP, Tory) have received a PECR Enforcement Notice over automated calls, and yet they flout PECR all the time with emails and yet more calls, as anyone who heard from David Lammy knows only too well. Even when the ICO fined Leave.EU during the referendum, the campaign’s reaction (“Whatever”) could not have been more derisive because they could afford to pay the fine. Either the ICO comes into politics using its powers to the maximum possible extent against everyone (£500,000 penalties, or more useful, enforcement notices that are backed up by prosecution), or they should leave the field.

We already know that the outcome of this investigation will be revealed long after the election is over, when anything that the Commissioner says or does will have no effect on the real world. On the evidence of my FOI, I predict there will be no fines, no enforcement notices, no action. There will be a long, thorough and thoughtful report that nobody in politics will pay attention to, and only people like me will read. The first task of the Supervisory Authority under GDPR is to ‘monitor and enforce’. Long ago, when I worked there, the joke went around the ICO that senior officers operated under the mantra ‘thinking is doing’, as an excuse to avoid taking any action. I don’t care if no senior officer ever actually said this – on big strategic issues, the ICO has always laboured under this approach. Denham’s first big splash was to follow through on charity enforcement when the easy choice was to back down. She deserves praise for that decision. However, If there is an international right-wing conspiracy to hijack democracy across the world, I don’t think a thought symposium is going to save us.

Catch the Pidgeon

Even before the fundraising sector met its Data Protection nemesis in December, with two charities cruelly hung out on the rack, forbidden ever to raise funds again (CORRECTION: given two of the smallest fines in Data Protection history and not forbidden from doing anything), various blogs, and tweets showed that anguished tin-rattlers were confused about what they were accused of.

A classic of the genre was published just over a week ago by Third Sector, penned by Stephen Pidgeon, a “consultant and teacher” (one assumes modesty prevented the publication from mentioning that until recently he chaired the Institute of Fundraising’s Standards Committee, responsible for the until-recently legally incorrect Code of Fundraising Practice). Pidgeon made a series of assertions in his article, and the most important of them is wrong.

Pidgeon describes profiling as a serendipitous activity – a fundraiser innocently planning some door-drops (not a hint of pestering spam in this charming scenario, nor any resort to a data-mining outfit like Prospecting for Gold) happens to notice that a donor has sold a business, and so decides to add his details to an existing campaign. The scheme is ruined by the ICO who says: “That’s not allowed – it’s against the Data Protection Act without express permission“. As Pidgeon points out, the DPA is much vaguer than that. If the Commissioner had indeed said this, it would be nonsense. The problem is, they didn’t.

Both charity notices set out the ICO’s position on charity profiling – it cannot be secret. The same is true for data sharing and appending new data to records that the subject didn’t provide. Neither notice finds profiling without consent to be a breach. Admittedly, of the Data Protection only offers one other option to justify profiling in these circumstances (legitimate interests), but either Pidgeon doesn’t know what the notice says, or he is deliberately misleading his audience. The word ‘permission’ does not appear in either notice, and the word ‘consent’ isn’t mentioned either.

Pidgeon also asserts that wealth profiling is not confined to charities:

This issue is not confined to charities. Yet, in all the 100-plus ICO adjudications in 2016, I could not find a single commercial firm censured for wealth screening.

To be pedantic, they’re not unenforceable ‘adjudications’, they’re formal legal notices, and if you add up all of the DP and PECR monetary penalty and enforcement notices in 2016, you don’t get to 100. He might be including the undertakings, which could be compared to the blancmange adjudications that charities have grown used to, but they’re irrelevant in a conversation about enforcement. The more important point is that like others, including the fundraising apologist academic Ian McQuillin and the researcher Matt Ide, Pidgeon claims that everyone does wealth screening but only the charities are getting punished for it. The Daily Mail hasn’t exposed Marks and Spencers or Greggs for wealth screening – possibly because they’re good at keeping it secret, but a more likely explanation is that they don’t do it. Until someone in the charity sector shows evidence of another organisation doing secret profiling, it’s just a distraction from the fact that – as Pidgeon claims – most of the charity sector have been doing it unlawfully for years.

Many in the sector also seem persuaded that the ICO action is a weird anti-charity vendetta. MacQuillin’s contributions to the Critical Fundraising Blog pondered the mystifying question of why the data protection regulator has taken action when household name organisations have been exposed for breaching data protection. The ICO takes action for three reasons – an organisation reports itself for something, ICO gets lots of complaints about something, or something makes a big splash in the press. There were thousands of complaints about charity fundraising, but all went to the toothless Fundraising Standards Board, who hardly ever passed them on to ICO. So it was the Daily Mail’s headlines that did the trick – the heartbreaking story of Olive Cooke but more importantly for the ICO’s purposes, the flamboyantly unlawful way in which charities treated Samuel Rae, trading his data relentlessly with anyone who wanted it.

In pursuing his false claim about consent, Pidgeon derisively summarised what charities might have to say to prospective donors: “We want to find out how rich you are; tick here to agree”! As a first draft, this has some merit, but a charity involved in wealth screening should also add ‘We want to know whether you are worth more alive or dead‘. The consent claim is a red herring, but perhaps unwittingly, Pidgeon has hit on the real problem for fundraisers: daylight. The foundation of Data Protection is fairness, and the only way to achieve it, regardless of whether consent is part of the mix, is to tell the subject the purposes for which their data will be used. Stretching the law as far as they can, the ICO has invented the concept of ‘reasonable expectations’. Reasonable expectations doesn’t appear in the Data Protection Act, but the ICO’s idea is that if you are only doing something that the person would expect, you don’t have to spell it out. One might take issue with this because it’s not in the Act, but it’s a sensible idea. The ICO’s emphasis has always been on being transparent over unexpected or objectionable processing.

Tesco’s Clubcard scheme is a useful example. Clubcard is a loyalty scheme, clearly based on profiling. The user knows that when they swipe their card, their purchases are analysed so that tailored offers and vouchers can be provided. Needless to say, Tesco also use the data for their sales and marketing strategy. If you look at the T&Cs for the Clubcard scheme, you will not find references to data sharing with third parties for wealth screening. They don’t need to – they can analyse your purchases instead. The user knows that profiling is inherent to the scheme, and they are not required to participate when shopping at Tesco. I have a Clubcard because I understand the system and I don’t believe that Tesco flogs my data. The profiling is the basis on which the whole thing operates. I have a choice about whether to shop at Tesco, and separately, whether to have a Clubcard when I do.

On the other hand, the RSPCA profiled seven million donors after they donated; presumably the lion’s share of all people who donated to the charity. The RSPCA did not tell people that this was the purpose for which their data will be used, and nobody outside the charity sector was aware of what was happening. Unlike Clubcard, donors could not participate without being screened and analysed by the charity. I have used the wealth-screening example on many of my training courses. The reaction is always surprise, and often revulsion.  Nobody ever leaps to the charity’s defence because secret profiling is a dodgy way to do business.

Pidgeon’s squeamishness about describing the process – the daft example of the story in the newspaper, his emphasis on data being gathered from the public domain – suggests that fundraisers are more ambivalent about their methods than they might like to admit. The existence of five facts in five separate publicly accessible places is different to the combination of those facts in one place, gathered with the intention of tailored marketing. A profile is greater than the sum of its parts, and people should be told that it exists. Pidgeon isn’t alone in his approach – Chris Carnie, the founder of ‘prospect research’ company Factary erroneously characterised myself and others as saying that using public domain data is “an intrusion into an individual’s privacy. That searching for a named individual in Companies House fundamentally affects the rights of that person“. All I said was that such research should be transparent, but this isn’t news that Carnie and his colleagues find palatable. Ide’s company goes as far as to assess the ‘ethical credentials‘ of a donor, which sounds a world away from noticing a story in a paper.

The Daily Mail is a revolting newspaper – the worst combination of small-minded, petty conservatism and curtain-twitching prurience. It is a matter of ongoing annoyance to me that the Mail is one of the very few national news outlets that covers Data Protection issues with any enthusiasm. I really wish the Guardian or the Times had exposed the ghastly exploitation of vulnerable people like Samuel Rae, or their hunger for information about possible donors. I wish Dispatches’ fine work on the shameful state of some fundraising call centres had got more attention. Nevertheless, none of this is the Mail’s fault, and fundraisers’ relentless blame-shifting needs to be called out for the cant that it is. Everyone knows whose fault this is.

The charity and fundraising sector isn’t in a mess over data protection because of the Daily Mail, and it isn’t there because of the Information Commissioner. This problem is the fault of some fundraisers and their agents not obeying the law, and trustees who didn’t ask them enough questions. MacQuillin claims that almost everything that has happened to the fundraising sector over the past two years is because of ‘fake news‘; Olive Cooke’s death wasn’t, her family says, the result of the spam tsunami that charities subjected her to. For one thing, this claim disgracefully ignores Samuel Rae, whose story would have caused the same interest even if it wasn’t the sequel to Olive Cooke. Moreover, it is itself fake news. If some of Pidgeon and MacQuillin’s compadres had done their job with a greater interest in the law, they wouldn’t be here now. This is the second or third time I have written this blog. With 11 more possible fines, and fundraisers still in denial about what they have done, I’ll probably have to write it again before long.

Caesar’s Wife

In May 2016, the Labour member for Heatons North, Alex Ganotis, became Leader of Stockport Council, having been a councillor for some years. A month or so later, I read a story mentioning him in the Manchester Evening News, and his name rang a bell. Alex Ganotis is also a Group Manager at the Information Commissioner’s Office – I know this because he has signed hundreds of FOI Decision Notices on behalf of the Commissioner.

I made an FOI request to the ICO to find out more about Mr Ganotis’ role – in particular, I wanted to know how likely it was that a professional politician might be involved in complaints to the ICO involving political parties or local government. If Mr Ganotis worked on financial services or health, for example, he would need to maintain a high degree of professionalism and neutrality, but there would be no immediate conflict of interest. So I asked the ICO what team he manages. The answer:

Mr Ganotis manages a team of staff who deal with complaints and concerns about councils and political parties

I had to read this several times before I could take it in.

The ICO’s Policy on party political activities is helpfully published on its website. It makes reassuring reading:

The ICO is an independent body and it is important for it to be free from party political bias, and to be clearly seen and acknowledged as being free from such bias……. It is of paramount importance that the ICO is acknowledged as being free from party political bias and influence. The work that we do can often be of a politically sensitive nature and any substantiated allegations of bias would have serious repercussions for the future of the ICO.

The policy sets out a process through which an ICO employee can gain approval for party political activities. I asked when Ganotis went through this process, and the ICO revealed that he was approved in October 2008, which means that his dual ICO / councillor role went on for nearly eight years before he became Leader – he did not seek re-approval when he became Leader, so it seems that the ICO has not reassessed his role now he is a council leader, nor has he asked for this to happen.

I asked for recorded information about the approval process for his role. The ICO has nothing. I asked for any recorded information about measures taken to ensure, in the Policy’s words, that ‘potential for conflicts of interest’ have been minimised with regard to Mr Ganotis’ role. Nothing is held. The ICO added “Mr Ganotis’ line manager and his peers are responsible for assigning decision notices and make a judgement on a case-by-case basis as to what he is assigned, taking into account whether individual cases could pose a potential conflict of interest.” There are no formal arrangements, no written criteria or parameters, nothing to measure or audit against. The ICO enthusiastically fines organisations hundreds of thousands of pounds for failing to maintain properly documented processes, but in the case of having a professional politician managing a team that deals with hundreds of complaints about political parties and councils, the ICO itself sees no need for rigour. Trust whoever decided that this is OK, Wilmslow says, because we have nothing else to offer.

Mr Ganotis is a Group Manager, answering to a Head of Department, but the ICO’s response makes clear that the former Information Commissioner himself, Richard Thomas, approved of the arrangement: “the Commissioner at that time was made aware of his standing and subsequent election“. When I wrote this blog originally, I assumed it was Christopher Graham who was Commissioner, but he did not take over until 2009. ICO trivia fans may remember that Graham was himself once a councillor (for the Liberal Party) and a twice-unsuccessful parliamentary candidate – one wonders if he knew about Ganotis’ status, and if he did not, why nobody told him.

Anyone who has political beliefs or leanings and works in local or central government knows the awkward but vital requirement to set those beliefs aside and act neutrally in the public interest. As a Labour voter in every election since 1992, I have done it myself. It is not easy, but you don’t need to be a saint to achieve it. I cast no doubt on Mr Ganotis’ personal integrity, or ability to do the same. But anyone who thinks that’s the point just needs to Google the title of this blog.

Mr Ganotis has signed hundreds of FOI decision notices on behalf of the Information Commissioner, exercising the Commissioner’s statutory powers. Those notices include  councils across the UK, and government departments run by ministers who, in his other role, Mr Ganotis publicly opposes, and he has been doing so for years. The ICO disclosed to me a spreadsheet of the cases that Ganotis’ team has dealt with since January 2014 (records before that are routinely destroyed). A quick glance at the organisations concerned give a flavour of the issues that pass across the team’s desk in just one month. In July 2016, I can see the Labour Party (8 times), Momentum, Saving Labour, and Progress. It is hard to imagine any team would be more steeped in politics and arguments about political activity than this one, and the (former) Information Commissioner decided that a professional politician was the right person to manage it.

Over the past few years, the Labour Party has carried out its obnoxious and unfair purge, struggled with allegations of member data misuse on all sides (Corbyn, Momentum and Owen Smith), and demonstrated the traditional party blindness to PECR. I have myself blogged sorrowfully but repeatedly about Labour’s Data Protection and privacy woes for several years. In all of that time, only David Lammy’s doomed automated calls have faced any enforcement action (and he wasn’t even an official Labour candidate in the election concerned). To be clear, I have no evidence of any influence being brought to bear on this. But, as the ICO’s own policy states explicitly, “the organisation does seek to ensure that the potential for conflicts of interest is minimised as is the possibility of the ICO being accused of being politically biased“. In this, Mr Ganotis, his line manager and the former Commissioner have failed, and failed spectacularly. How can anyone in politics have confidence in the ICO’s decisions?

Any FOI decision notice involving a council or a government department signed by Mr Ganotis could be tainted, and there are hundreds of them. The ICO’s failure to take action against the Labour Party for a consistently terrible approach to Data Protection and privacy issues is no longer just over-caution, but potentially something far more objectionable. Every case Mr Ganotis has been involved in could be perfect, but the ICO cannot guarantee this with a straight face; their own policy recognises the problem of perception, but their practice is blind to it. They could have moved Ganotis at any point since 2008 to another job of equal standing, and the problem would have evaporated. He is still in place.

That Mr Ganotis could not see that continuing to manage a team responsible for complaints about political parties and councils was incompatible with his role first as councillor and then as Council Leader raises a question about his judgement. That the ICO’s management was either unwilling or incapable of identifying and remedying the potential conflict of interest is a matter of serious public concern.

I have spent a decade and a half criticising, satirising and annoying the ICO in the hope that for no other reason than to spite me, they will become a more effective, more enthusiastic regulator of Data Protection. But this is too much. This is a genuine failure of governance. It could pollute a host of formal decisions (and indecisions) stretching back for years. It has to be dealt with.

I don’t understand how Mr Ganotis could ever sensibly manage the team responsible for political parties and enjoy the confidence of the public. Richard Thomas and Chris Graham should have stopped it, and I hope that the new Commissioner will ask questions about how her managers and Human Resources team could allow such a shocking situation to occur. But if all this isn’t put right, if this bizarre conflict of interest continues acknowledged but unaddressed, we should all look very closely at every decision that emerges from Wilmslow with a more sceptical eye than even I thought possible.

Culture, Media and Spam

Most of the news and comment I heard about the Queen’s Speech suggested that it was a hole in the air, with the Government wanting to avoid doing anything of any consequence before the resolution of the EU vote in June. It was a surprise, therefore, to see provisions in the proposed Digital Economy Bill that will change the face of direct marketing.

At the moment, the rules for direct marketing are a mixture of Data Protection (for postal marketing) and PECR (for email & texts, live calls, automated calls and fax). PECR breaks down into subsets, with some forms of marketing requiring consent (email & text, automated calls, fax) and some done without consent and with opt-out (live calls, with the ability to opt-out of all calls via the Telephone Preference Service.

But consider this line from the full version of the Queen’s Speech:

Protection for consumers from spam email and nuisance calls by ensuring consent is obtained for direct marketing, and that the Information Commissioner is empowered to impose fines on those who break the rules.

My first reaction to this was that the Department for Culture, Media and Sport were incompetent: PECR already requires consent for email, and the Information Commissioner already has the power to impose fines for breaches of consent. Whatever else, this is still true, and DCMS should explain why they are announcing things that have been in place since 2003 (consent for email) and 2011 (fines) respectively. Nevertheless, it’s impossible to interpret this sentence as meaning anything other than a change in the rules for live calls. It’s not earth-shattering: it’s only lawful to cold-call people who aren’t on TPS and who haven’t directly opted out, which is probably a minority of the overall population. But nevertheless, the proposal as written abolishes the need for the Telephone Preference Service and inverts current practice.

It certainly has the merit of neatness: PECR would make more sense if all electronic direct marketing had to be opt-in. However, it will have consequences far and wide. There are plenty of lead generators and telemarketing companies who still make cold-calls, and they would be dead in the water. I would shed no tears over this (I think the lead generation and list broking industry is fundamentally unlawful, and most of the folk in the call centres would just end up in hopefully less rancid call centres). However, killing off the telemarketing industry is bold.

It will also create an even more stark contrast with the Fundraising Preference Service, which in its current form allows someone to stop all contact with all charities. It’s not even clear whether a person will technically be able to opt-in to individual charities that they do want to hear from if they’re on the FPS. It would be moronic if this situation wasn’t clarified, but people who do moronic things tend to be good at maintaining their standards. Given that the Digital Economy Bill apparently puts all* electronic marketing on an opt-in basis, charities might legitimately argue that the FPS is unnecessary, and they would have a point.

There are other issues. If all email marketing has to be done on the basis on consent, this also presumably kills off the ‘soft opt-in’. The ‘soft opt-in’ allows a company to send email marketing on an opt-out basis, as long as the email address in question has been obtained in the course of a sale, and as long as the products being marketed are their own, and are similar to the one that was originally purchased. Requiring all email marketing to be done on the basis of consent would remove this option (NB: if you think the absence of an opt-out can be interpreted as consent, you are a moron).

Finally, the proposal doesn’t mention texts, hence my * above. Texts are as much of a nuisance for people as live calls or emails, and have been the subject of routine enforcement action by the Information Commissioner since 2011. PECR treats email and text as the same, so it’s entirely possible that the Government are treating them so. It’s equally possible that this is a back of a fag packet proposal to bulk out a weak bill in a thin speech. One indicator that this might be the case is that the Information Commissioner, explicitly mentioned in the proposal, has not reacted to it in any way. There is no press release, and not a single tweet, despite a run of tweets this week about nuisance calls and other PECR related action. One could be forgiven for thinking that they didn’t know about it (I will be doing an FOI to find out).

You might think that spinning 833 words out of a single sentence is overkill, but on the face of it, the proposed change will have a considerable impact. Like me, I hope you will be watching the progress of the Digital Economy Bill with interest.

A bridge too far

June is a significant time for Data Protection in the UK. At the end the month, we have the EU vote (where a vote to leave will throw at least the timetable for implementation of the new General Data Protection Regulation into disarray) and Christopher Graham steps down as Information Commissioner, to be replaced by Elizabeth Denham. There are several reasons to be optimistic about Denham’s appointment – she is the first Information Commissioner to have previous experience of privacy and FOI work, she has already taken on big corporate interests in Canada, and she isn’t Richard Thomas.

However, Denham inherits a series of headaches as she begins her reign as Elizabeth II, and it’s difficult to know which of them will be the hardest to shake off. There is the GDPR implementation, which would be a challenge even without the uncertainty that Brexit will create. She also has to tackle the ICO’s lack of independence from Government, which results in scandalous outcomes like the admission in an FOI response that Wilmslow takes orders from its sponsor department (see answer 3 here). But perhaps biggest of all is the ICO’s approach to enforcement.

On FOI, the ICO doesn’t approach enforcement – it does pointless monitoring and audits without any evidence of success, and the major government departments use the ICO as their internal review, sometimes not bothering to answer requests unless ordered to do so by an ICO case officer. The sole enforcement notice in the past five years wasn’t even promoted by the office because the now departed Deputy Commissioner Graham Smith didn’t want to draw attention to the failure to tackle Whitehall’s FOI abuses.

On Data Protection, the approach is to enforce against self-reported security breaches. There is nothing wrong with lots of enforcement on security – it’s a significant requirement of the legislation and many people are concerned about it. The problem is that Wilmslow doesn’t enforce on anything else, despite breaches of the other principles being widespread and obvious. Unless I missed one, the ICO has issued 61 Data Protection monetary penalties since getting the power to do so. Two have been for non-security breaches: Pharmacy 2U (1st principle data sharing without consent) and Prudential Insurance (accuracy). The overwhelming majority of enforcement notices (and undertakings, if you count them, which you shouldn’t) are on security matters. This is despite the fact that the UK has a massive culture of unlawful data sharing, over-retention, flouted subject access and perhaps most obvious, rampant, damaging inaccuracy. The ICO does nothing about it.

A classic example is a story reported in the Observer about the Dartford Crossing between Kent and Essex. Automatic Number Plate Recognition is used by Highways England to issue penalty charges to drivers who use the crossings without paying by phone or web within a fixed period of time. The only problem is that drivers who have never used the crossing are getting the penalties, but it is more or less inconceivable that the ICO will take action.

Having used the crossing myself, I can confirm that there are some Data Protection issues with the signage around the bridge / tunnel – the Observer article explains well how the signs can easily be confused with those for the London congestion charge, which works entirely differently. This is, in itself, a potential data protection breach, as personal data needs to be obtained fairly, especially when the data being obtained (the license plate) will not only be used to levy a charge, but because court action may result for non-payment.

One person is quoted in the article as having being charged  because the system misread a ‘C’ as a ‘G’. The Observer also reports that hire car users sometimes find penalties aimed at the wrong person because Highways England don’t specify a date that the charge applies to. In another case, the person receiving the charge had sold the car in question, and had a letter from DVLA to prove it. As with most of these situations, terrible customer service and inflexible processes mean that even when a charge is applied to the wrong person, nobody in the food chain has the authority or the inclination to sort things out. Both of the individuals cited in detail by the Observer were headed for the baliffs until the Observer got involved, and all action was terminated. Research by Auto Express notes that only 1 in 25 people appeal their penalty, but 80% of those that do are successful.

Every time Highways England / Dart Charge issues a penalty against the wrong person, it is a breach of the fourth Data Protection principle, which states that “Personal data shall be accurate, and where necessary, up to date”. Note the lack of any qualification or context here – data is accurate, or it’s a breach. Clearly, this means that most organisations are breach DP every minute of every day simply because of typos, but even adopting a flexible approach, there can be no doubt that demanding money and threatening court action is a situation where the Data Controller must be certain that the data is accurate, and if they get the wrong person, it’s a breach. The security principle talks about “appropriate measures” to prevent incidents, but the fourth principle doesn’t: it’s absolute.

Highways England / Dart Charge have breached the DPA, but would it be possible for the ICO to take action? In order to issue a monetary penalty, the ICO has to meet a series of tests.

1. The breach is serious

Dart Charge are pursuing people for debts they don’t owe. It’s serious.

2. The breach is deliberate

This one is potentially tricky, as we would need evidence that Highways England know that they are operating on the basis of inaccurate information in order for the breach to be deliberate. I can’t prove that Highways England are deliberately pursuing people, knowing that they are the wrong targets, although one of the Observer readers quoted gives clear evidence that they might be: “I spent 20 minutes trying to get through to someone who kept telling me I had to pay, even though he could see the problem”. However, we don’t need deliberate if we have:

3. The Data Controller knew or ought to have known about the risk and failed to take steps to prevent it

This test is clearly met – Highways England know that most of their penalty charges are overturned on appeal, they know that their system misreads licence plate characters, that it fails to properly distinguish dates, and they know that people contact them multiple times with evidence that the charge is wrong, but they ignore this evidence until they are embarrassed into action by a national newspaper. The breaches are still happening.

4. The breach is likely to cause damage or distress

Innocent individuals who have not used the Dartford Crossing are being pursued and threatened with legal action if they do not pay money that they do not owe. The breach is causing damage and distress and is highly likely to do so.

The ICO does not enforce on accuracy and they won’t touch this case. If I tried to report it to them, they would ignore my complaint because I have not been affected (if an affected person complained, they would do an unenforceable assessment). They do not ask Data Controllers to report incidents of damaging inaccuracy, and they do not even advocate investigating incidents of inaccuracy in the way that they do for security. This despite that fact that inaccuracy leads to the wrong medical treatment being given, innocent people’s houses being raided by the police, and old men nearly drowning in canals. The ICO took no enforcement action in any of these cases, despite them being in the public domain. I have dozens of others. Meanwhile, the Commissioner chunters on about a series of accidents and mishaps without any direct evidence of harm (ironically, even the pace of security enforcement has slowed, with only three DP monetary penalties at all so far this year).

Whatever Ms Denham’s priorities might be, she cannot ignore this. The ICO has shirked its responsibilities on the other principles for too long. A quick glance at the articles relevant to enforcement show that the GDPR is specifically designed to give breaches of the principles the higher maximum penalty. It’s a riposte to the ICO’s enforcement priorities since the HMRC lost discs incident in 2007, and it’s a bridge that the new Commissioner must be willing to cross.