The Secret Seven

Last year, I wrote about the fact that Councillor Alex Ganotis, Labour leader of Stockport Council is also a group manager at the Information Commissioner’s Office. After an FOI request, the ICO admitted that he managed the teams responsible for complaints about political parties and local councils. At the time, I argued that this was an unacceptable conflict of interest, and something had to be done about it.

In May this year, shortly after being elected as Manchester’s new Mayor, Andy Burnham appointed Cllr Ganotis as his Environmental Tsar. You can watch a video of the announcement here, and ponder such fascinating questions as why Burnham’s nose is so red, or why throughout the first two minutes, the camera keeps cutting to a wide shot that captures Ganotis’ uncomfortable facial expressions while Burnham is talking. The announcement piqued my interest. If he was organising a grand summit of environmental worthies, would Cllr Ganotis really have time to work at the ICO? And if so, what effect would the review into political activities that Elizabeth Denham announced have on his role?

I made an FOI request to the ICO for the following information:

1) In 2016, the ICO confirmed to me that Alex Ganotis was manager of the team that dealt with complaints about councils and political parties, despite being Leader of Stockport Council at the time. Can you confirm whether Mr Ganotis is still a member of ICO staff, and if so, what is his current job, and what arrangements have been made to avoid any potential conflict of interest?

2) What is the current ICO policy and process for dealing with political party affiliations and potential conflicts of interest?

3) In August 2016, the Information Commissioner announced in an interview with the BBC’s Martin Rosenbaum that she had ordered a review of the involvement of ICO staff in political activities. I would like to see any report or findings arising out of the review, or other summary of the review and its findings, and details of any actions that were taken as a result of it.

4) I would like to receive all current declarations made by any member of staff of involvement in political activities

5) What specific measures have been taken in respect of each staff member who has made a declaration to ensure that there is no conflict of interest?

The response made for fascinating reading. For one thing, Cllr Ganotis remains a Group Manager at Wilmslow and although his group no longer deals with political parties, it still covers issues related to all local authorities in the UK except for those in Greater Manchester, Cheshire or Derbyshire. How politicians and others in every council outside the North West feel about complaints about their authorities still being supervised by the Leader of a Labour Council and a close ally of Andy Burnham is hard to judge. They might be thrilled. Maybe the ICO should ask them.

The report I received under item (3) of my request did contain an option to remove Cllr Ganotis from work involving local authorities altogether, but one of the reasons that this option was not recommended was the fact that “it could be seen to question the professionalism of Alex and other members of staff and their ability to apply the law without bias or political influence“. How Cllr Ganotis’ political career could possibly be seen to reflect on other people is beyond me, but it is jarring that a significant factor in the decision to keep him involved in council work might have been the effect on him, rather than the Commissioner’s ability to operate independently. To be blunt, the ICO as a whole is more important.

UPDATE: I have attached the ICO’s report into the conflict of interest here, so readers can judge whether how objective and balanced it is: Commissioner Information Note – Political Activities.pdf

Unless every team in the ICO handles complaints about local authorities (and to lesser extent, government), Cllr Ganotis should have been moved to one that doesn’t. Having decide to pursue a high-profile political career, asking him to make a sacrifice to avoid conflicts of interest and their perception would not be too much. I am surprised that Cllr Ganotis has not requested such a transfer himself. To risk even the perception of influence over decisions about politically-run organisations, and at the same time pursue a high-profile political career suggests either an enormous amount of faith in one’s ability to compartmentalise, or just old fashioned hubris.

The review identified gaps in the ICO’s Political Activities Policy, with recommended “updates” including a stipulation that staff must avoid party political activities which might impair their ability to perform their duties impartially, a requirement to inform the ICO if their activities or areas of responsibility change, and the scope to remove permission to undertake political activities if an individual’s ICO role or political activity changes. Needless to say, this means that none of this existed before.

The rest of the FOI request suggests a continuing unwillingness to face the issue of political involvement. Including Cllr Ganotis, eight staff members have made declarations of involvement in political activities, but the ICO refused to tell me who the other seven are, or what they do, claiming that the data is sensitive personal data. This is true, but it is not automatically a barrier to disclosure. For one thing, the Secret Seven could be asked for consent, and this is not the only route to disclosure.

There is surely a legitimate interest in knowing whether people working for an independent regulator such as the Commissioner have political affiliations, especially when you consider the ICO’s involvement in political matters. Over the past few years, the ICO has fined Leave.EU, David Lammy MP over his London Mayoral Campaign, the Daily Telegraph for its pro-Tory emails during the 2015 election, and in recent months, they took no action against Virgin Trains following Jeremy Corbyn’s antics in a train vestibule. More importantly, the Commissioner herself announced a formal investigation into the use of data analytics for political purposes with no small amount of fanfare, involving 20 staff. The ICO is knee-deep in politics and transparency over the declared political activities of the staff is in the public interest.

As the data is sensitive personal data, legitimate interests would not be enough; a condition must also be met from Schedule 3 of the Data Protection Act as well. One of the conditions is that the Data Subject has put their sensitive data into the public domain. If, for example, a senior ICO staff member was to mention on their LinkedIn page that they were a Councillor for 9 years, the Campaigns and Communications Officer for an MEP for five years, listed the Liberal Democrats as one of their main interests and was recommended for ‘politics’ and ‘political campaigning’ by dozens of people, I think I can argue that at least this one has manifestly made their political views public. The ICO refusal says “our staff do not have a reasonable expectation that their declarations would be disclosed into the public domain“, but the staff member in question was a candidate for the LibDems in the 2015 General Election, so I humbly suggest that the cat is out of the bag. Either this person is one of the seven, and the ICO’s arguments are false, or they haven’t made a declaration, and the ICO’s claim to me that “the review and policies are sufficient to demonstrate that we avoid conflicts in our work” is nonsense. Again, did they consider this before refusing me?

Every national, local, or internal party election or referendum runs on personal data, and personal data is exploited, analysed, shared, lost, stolen and misused in every single one of them. If you can name a major vote in this decade that hasn’t resulted in a DP snarl-up, you’ve a better memory than me. If there is one word that shines through everything the Commissioner sent me on this topic, last time and this time, it’s  complacency. The policies and procedures that existed before and the ones that have replaced them are built on an obvious assumption that a box needs to be ticked. Of course nobody is actually going to do anything untoward, the managers are on top of it, staff will proactively declare any conflicts of interest and besides, we have a procedure. But they thought it was all fine before. If I had not written my blog last summer, Cllr Ganotis would still be responsible for managing complaints involving his council, his party and his opposition.

I don’t think the Commissioner’s Office takes this seriously. I am amazed that Alex Ganotis is still allowed any influence over the ICO’s decisions about local government, regardless of how objective or benign that influence might be. I am appalled that anyone in the ICO’s senior management could think that this is acceptable. Every time the Commissioner acts or doesn’t act on a political issue, do we always need to ask: who was involved? What bias, conscious or unconscious, did they bring to bear? What other interests do they serve? In a world dominated by fake news and internet froth, the ICO’s independence and objectivity should be their highest priority. It isn’t.

A bunch of Tw*ts

The Englishman who wades into Scottish politics on either side, especially if he lives in England, is probably taking a huge risk of being disagreed with vehemently, no matter what he says. Nevertheless, the explosion of interest into the so-called ‘Clypegate‘ list has a Data Protection angle that I cannot resist.

To summarise, it seems that the Scottish Labour Party have assembled a list of supporters of the Scottish National Party who have said things on Twitter and Facebook that the Scottish Labour Party do not like. The list – inevitably tagged a dossier – has been passed to the tabloids to stir up some kind of frenzy about the so-called ‘Cybernats’. Some of the statements are fairly strong, but I doubt they are worse than anything said in the average pub conversation about politicians. I’m certain every term applied to Gordon Brown and Donald Dewar has been said of Alex Salmond by Labour supporters. As someone who voted Labour in the recent election, I can think of a few more constructive things that the smouldering remnants of Labour in Scotland could be doing with their time, but this is what they decided to do, so we are where we are.

Now, if you were hoping for anything more in the way of politics, you’re going to be disappointed. From here on in, it’s ANORAK TIME!

The Data Protection Act has many requirements for the processing of data, but the chief hurdle is the first DP principle, which requires three things. The processing of personal data must be fair, lawful, and conditions must be met. Regular readers will know that consent is not required, as there are alternatives to consent in the lists of conditions. Let’s consider the three elements in turn;

FAIR: fair has two meanings. The use of data has to be fair in the dictionary sense of the word and it also has to be fair in the DP sense, which means the Data Controller (Labour) has to tell the subject (the SNP tweeter) how their data will be used unless an exemption applies. Many organisations believe that because personal data is in the public domain, it is fair game. The Information Commissioner’s own guidance on personal data online stated in 2010 that this was not the case, and we have a very recent example (Samaritans Radar, which also focused on tweets) where the ICO stated that tweets were personal data (depending on their content), and so DP applied.

Labour fail on both counts. Gathering together tweets and providing them to a newspaper to name and shame the individuals is not fair in my opinion. But more importantly, Labour did not tell the subjects that their data would be used in this way. Clearly members of the Scottish Labour Party will look at what is being tweeted; they may analyse and try to counteract it. If you don’t like the idea of people you don’t like reading your tweets, go private or stop tweeting. However, the conscious selection and specific analysis of a person’s tweets is processing personal data as is passing it to a newspaper, and none of the DP exemptions allows Labour to do this in secret.

The use of the data was not fair.

LAWFUL: this is a tricky one where I expect I will get little agreement, especially from people who might read this hoping to see Labour eviscerated. DP requires that data processing should not breach other relevant laws e.g. Human Rights privacy or confidentiality. I do not believe that Labour’s use of the data was unlawful – Carina Trimingham’s Facebook account was pruriently raided by the Daily Mail so that they could make cheap jibes about her, but she still lost her Human Rights privacy case. Twitter and Facebook are not private places unless you lock your account. Get used to that.

CONDITIONS: DP requires that one of a prescribed set of conditions is met to justify the use of personal data, and one from a second list if the data is defined as ‘sensitive’. A person’s political opinions are sensitive data, so this means that Scottish Labour needed not one condition, but two. The tricky part is usually the sensitive data condition, but as it happens, I don’t think Labour have a problem here. One of the conditions for processing sensitive personal data is that the sensitive data has “been made public as a result of steps deliberately taken by the data subject‘. I think this box is ticked – the political opinions were tweeted out into a public forum by the subject.

But that’s not the problem. The problem is that a condition is also required from the first set, and here Labour are stuffed. They don’t have consent, a contract, a legal power or obligation, and they are not protecting anyone’s vital interests. The only condition left is ‘legitimate interests‘, where they have to claim that their legitimate interest in monitoring and publicising rude tweetersis not ‘unwarranted’ because of ‘prejudice to the rights and freedoms or legitimate interests of the data subject’. I am not remotely convinced that monitoring of ordinary folk – even if they are supporters or members of a party – is a legitimate interest in this context.

I have registered to vote in the Labour leadership elections, and had to declare that I support the aims and values of the Labour Party. That was not an easy declaration to make, but I definitely don’t support any other party and I never have. If Labour wanted to find out whether I was in fact a Conservative or SNP supporter pretending to be Labour, and looked at my Twitter account to find out, I believe that would be a legitimate interest. They would still have a problem with fairness, and would have to tell me that this was going to happen (they didn’t).

I don’t believe the two situations are comparable however. But even if I did, even if Scottish Labour monitored their opponents legitimately, it’s impossible to argue that legitimate monitoring is not undermined by passing the data to journalists, especially as journalists are (under Section 32) virtually exempt from the Data Protection Act. If the monitoring was done to identify genuine abuse and report it to Twitter or Facebook, I believe that would be legitimate and would not be unwarranted. But this all seems to be for PR and political points scoring. I cannot read this as legitimate interests with no unwarranted harm.

There are other questions – does the dossier breach the DP requirement for accuracy for example? But we don’t need to get into that. Two significant breaches of the first principle are sufficient to say that Labour has breached the Act. That’s it.

The only remaining question is what should happen now. I believe Scottish Labour should stop in their tracks, grow up and apologise. If that doesn’t happen (and even if it does), this is a gift to their opponents that will undoubtedly result in complaints to the ICO. Regular readers will know that I am always sceptical that the ICO will stray outside their comfort zone of security fines, but it is open to them to issue either an enforcement notice stopping Labour from doing this, or (very unlikely) issue a penalty. It is worth noting that by the time the ICO quietly disposed of complaints about the Samaritans, the charity had stopped their Radar project and may never restart it. Political parties are rarely so intelligent, and if the ICO are faced with an intransigent Labour response, not admitting that they have done wrong, anything is possible. Much as I would like to see Labour pick themselves up and offer something more optimistic, it seems that they have instead blundered into another bruising debacle of their own design.

Insert knob gag here

Last night, I received a charming email message from Theresa May, revelling in all the foreigners she has kept out of the country before asking me for money. I’m paraphrasing slightly. I regret that politicians don’t have the time to keep me in the loop as much as I’m sure they’d like – I’d really like to know more about Michael Gove’s crusade to keep rudeness out of politics (presumably, he just wants it directed at his civil servants). So perhaps I should not be churlish when one of them gets in touch.

But as Theresa is supposed to be responsible for law and order, I find myself pedantically drawn to point out that her email was almost certainly illegal.

The Privacy and Electronic Communications (EC Directive) Regulations – universally and hilariously known by the acronym PECR (say it out loud) – require organisations wanting to send direct marketing emails to obtain prior consent before doing so. Much as politicians would like to think different, exhorting a member of the public to vote, to donate or support a campaign is direct marketing – both the Information Commissioner and the Tribunal have said this, and the four major political parties in the UK (Conservatives, Labour, LibDems and the Scottish Nationalists) have all received enforcement notices under PECR as a result. So unless the Conservatives have obtained my direct consent to send me these marketing emails, they’ve breached PECR and possibly Data Protection as well.

I have three email addresses – one I use for business purposes which is published on the internet. In PECR terms, I am a corporate subscriber for this address, and cannot complain about spam if I receive it. My other two email addresses are personal ones – in PECR terms, I am an individual subscriber for both. One I use for a lot of general correspondence, the other I use for competitions, surveys and other situations where I think that the person I am giving it to might send me spam emails. If I was to fill in a survey or a petition – the only place I can imagine the Tories might have obtained my email address from – I would always use the third spammy one. What’s interesting about Theresa’s email is that it was sent to the middle one – the personal address that I am more likely to read, but which is not published on the internet like my business one, but is not on all the dodgy databases that list brokers hawk, often illegitimately, as ‘opted-in data’.

In short, the Conservative Party must be able to explain how they fairly obtained an email address that I am 99% certain I would not have ever given to them, or anyone affiliated to them. This is not because I am particularly anti-Tory – I am left-wing, but I have equal contempt for all parties and politicians and avoid them all with the same diligence. Unless they can show me clearly where they got my email from and that they did so fairly (as opposed to scraping it from somewhere or buying a shonky database), they may well have breached the First Data Protection principle.

And that’s the sideshow. PECR is engagingly blunt – even if I have answered a petition or survey and unintentionally used this email address, the Conservative Party would still need my consent before sending me emails. The so-called ‘soft opt-in’ – which allows an opt-out in prescribed circumstances – applies only to sales or negotiation for a sale, conditions which would not apply to a political party.

I’ve written to the Conservatives to ask for the following information:

  • Where they obtained my email address from
  • How they obtained my consent, and a copy of the web page or document on which I indicated my consent to receive emails from them

Under Section 7 of the Data Protection Act, the Conservatives are obliged to provide me with any personal data they hold about me, and also to confirm the source from which they obtained my personal data (in this case, my personal email address). They could, of course, charge me £10 for this information, but given that the person responsible for maintaining law and order in this country has put their name on  correspondence that I am pretty certain breaks the law, I think it would be polite of them to waive the fee.

Nothing is certain – I’m not going to complain to the Information Commissioner until the Conservatives show me what they did / did not do around consent. However, the current Parliament is past the halfway point, and we’re heading down a long, relentless slope towards a general election which will no doubt inspire a marketing frenzy, especially on social media, email, text and phone. It is very important that all politicians remember that PECR gives us all something very valuable for the latter three channels – easy and straightforward rights to be LEFT ALONE. The law applies to them, just as much as it does to anyone else. If you are bothered by unwelcome marketing from politicians, why not ask them the same questions I have above?