What do they know?

A few months ago, a dispute arose between the popular / reviled* FOI request website What Do They Know and a landlord in Bournemouth, after his address was inadvertently included in an FOI response. The landlord asked for his address to be removed, and What Do They Know refused. WDTK volunteer Richard Taylor described all this on the site, drawing attention to the fact that the address was still there. I can see no evidence that WDTK informed the landlord that they would publicise the fact that he had complained; my guess is that they did not.

The landlord complained to the ICO. Replying to the ICO on behalf of the charity, Taylor claimed that there was a legitimate interest in continued publication, but hedged his bets by stating that WDTK was exempt under DP’s S32 journalistic purposes exemption. The ICO rejected both arguments and asked WDTK to remove the original spreadsheet. Again, Taylor wrote in detail about this on the site, revealing in the process that the landlord had complained to the ICO. It’s worth noting that the ICO never reveals the identity of those who make complaints to it, and I can find no evidence that the complaint was made public anywhere else. None of my correspondence with the charity has revealed any.

A similar issue arose last year. Another council published the name of a Unison official (apparently in error) and What Do They Know refused to take it down. Again, Taylor revealed the fact that the individual had complained to the ICO, although on this occasion the ICO chose to take no action. Taylor also researched the complainant and published information about his wife on the WDTK page. Though the information Taylor gathered was clearly in the public domain, at best, it suggests an unsympathetic attitude to those who raise concerns when their data gets published on the site.

The first Data Protection principle requires Data Controllers to process data fairly, lawfully and according to a set of conditions. In this case, the data controller is UK Citizens Online Democracy, the charity which runs My Society. Data Protection requires that people must be told how their data will be used, while the only condition available to What Do They Know is legitimate interest, which must be balanced against any prejudice to the rights and freedoms of data subjects. If you complain to What Do They Know, or to the ICO about What Do They Know, they’ll make this public and a volunteer may research your family relationships and publish that too. As Taylor’s comments are always couched in terms of ‘we’ and ‘us’, I believe that that this approach is endorsed by the charity as a whole. This blows the legitimate interest argument out of the water: if a person cannot complain to either What Do They Know or the ICO without the matter being published by What Do They Know, there is clearly prejudice to their rights and freedoms.

The doomed use of S32 piqued my interest, so last month I asked What Do They Know for copies of: “any procedures or guidance available to control how personal data is obtained and published by My Society in the context of the What Do They Know website”. Of course, the charity isn’t covered by the Freedom of Information Act, but for an organisation whose public commitment to FOI and transparency verges on the obsessive, it’s not unreasonable to ask them to apply FOI standards to themselves. A month later, I received a reply:

“Personal data generally comes from users and public bodies and the site, and emails sent by it, contain lots of warnings when material is to be published online. We do our best to ensure our users, including those responding to requests at public bodies, are fully aware of what we do with the information we obtain.

NB: if you’re writing a blog post, please note how we write mySociety.”

That’s right – they didn’t give me the guidance, but Heaven Forbid I get the branding wrong. I persisted, pointing out they’d dodged the request for procedures in favour of a vague narrative answer. This time, I received a reply from Mark Cridge, the Chief Executive, setting out the decision-making process for What Do They Know (there was an opportunity for him to distance the charity from Taylor’s actions here, and he didn’t take it). On the specific request for procedures, despite the fact I’d pointed out that my request had been sidestepped, this was his reply:

We also have policies on our private internal wiki, which volunteers can refer to which provide more detailed guidance on our established policies, specific data protection guidance and key learnings from our experience of running the service for the past eight years

But he didn’t provide them, though this was what I had asked for twice. Yes, the charity is not covered by FOI and can do what it likes when annoying people like me ask them questions. No, this approach is not consistent with the values of an FOI campaigning organisation. In any case, it doesn’t matter, because I already know what the Private Wiki says about Personal Data:

Personal data in general

  1. We only consider takedown requests when we get them. We don’t pre- or post-moderate the site.
  2. The source of personal data is irrelevant, whether it is inadvertent, leaked with intent, or from someone who later develops “Google remorse”. The source of complaint/takedown request is also irrelevant, whether it comes from the data subject or a third party.
  3. Our responsibilities are therefore about deciding whether to continue to publishing or not, in line with our obligations as Data Processors, when a complaint about personal data drawn to our attention, i.e. on a case-by-case basis
  4. We have DPA Section 32 on our side, so we look at the PCC code and weigh up the public interest

The guidance proves that Taylor’s use of S32 isn’t just a randomly clutched straw. S32 is an immense exemption – it removes more or less every Data Protection requirement except security. The fact that it doesn’t apply to What Do They Know (and we know that this is the ICO’s position) isn’t the only problem. The reference to What Do They Know being ‘Data Processors’ is even more stupid. Data Processors have no data protection responsibilities – they are merely agents of someone else. There are two problems here. First, it’s impossible for the charity to be simultaneously a data controller using S32 and a data processor – they’re either one or the other. Second, the subtext of both positions is that the operation of What Do They Know exists in a vacuum – whether it’s because they’re journalists or data processors, they’re not answerable for DP issues.

The absurdity of the charity thinking it’s a data processor is plain as soon as you try to work out on whose behalf they would be operating. They’re definitely not data processors for the public authorities, who have no option but to send data to the website. It’s equally ridiculous for the charity to think that they’re Data Processors for the applicants. If this was true, UKCOD wouldn’t be allowed to remove material from requests without the applicants’ permission, applicants would be the ones dealing with the ICO over complaints, and every What Do They Know user would need a binding legal contract with the charity, or find themselves in breach of the Data Protection Act’s seventh principle.

Guidance like this could easily create a sense of immunity and entitlement – whatever happens, we’re not covered. Worse that that, the volunteer who seems to take the lead on Data Protection issues is Taylor, an anti-privacy zealot who films people without their permission, without properly identifying himself and publishing the results despite their explicit requests for him not to. When I contacted him about this intrusive behaviour earlier this year, he justified his antics with similarly vague S32 arguments. He also compared himself to Channel 4 News and Roger Cook, although I don’t think they ever stood in the rain filming a meeting through a window despite being invited inside. He also told me that he didn’t need to provide a Data Protection notification for his website because he claims the ICO says that ‘personal websites’ are exempt. They’re not, and the ICO doesn’t say so. I can’t prove that Taylor wrote the WDTK guidance, but I think it’s a safe assumption.

Whenever I write a blog like this about people who perceive themselves to be doing the right thing for the right reasons, one of the criticisms that is thrown back at me is that I am being deliberately negative. Why can’t I offer something constructive? Indeed, the last time I criticised What Do They Know, this is exactly what the former Director of My Society Tom Steinberg said. I did write a blog with some helpful suggestions of how What Do They Know could be improved, but none of my suggestions were taken up. This time around, I put my money where my mouth is. Last year, long before I corresponded with UKCOD or Taylor about these matters, I offered free Data Protection training to the volunteers at a time and venue of their convenience. I didn’t want any PR; indeed, I would have asked them to keep it a secret. Of course, I am not a cheerleader for What Do They Know – I think it can be an unhelpfully ideological enterprise, sometimes showcasing the worst aspects of FOI – but the offer was genuine and it fell by the wayside for reasons that were never explained.

So here we are. Cridge told me that the policies and procedures he didn’t want to show me will be reviewed, but how long has the above-quoted nonsense held sway? A What Do They Know volunteers can shame complainants and dig into their backgrounds, while the organisation fails to be transparent over its flawed guidance. Of course, I didn’t tell anyone at What Do They Know that I knew what the guidance said, but if transparency is such an unalloyed positive, why couldn’t I prise it out of them?

It’s impossible to blame UKCOD for the fact that public authorities sometimes inadvertently disclose information in response to FOI requests. It would be unacceptable if data was accidentally sent to a single applicant. Nevertheless, What Do They Know magnifies the problem by publishing all responses and failing to moderate what goes onto the site. I’m not convinced Richard Taylor is qualified to be involved in complex decisions about the publication or removal of personal data on behalf of a charity. I certainly don’t have confidence in a system based on wildly illogical guidance, and which allows volunteers to publish information about complainants and research their backgrounds. Complainants must be treated with respect, even if their complaints fail.

UKCOD’s management and trustees cannot hide behind the volunteer nature of What Do They Know – the website is not a naturally occurring phenomenon, and it needs to be managed and controlled. They created it, they run it, knowing that they lack the resources to proactively moderate it. In the light of this, if it is in the public interest for FOI requests to be broadcast, exactly the same approach should be taken for how What Do They Know is run.

 

(*delete as appropriate)


 

Thinking is doing

I have been writing this blog for two years. It started as a project in my first summer of being a full-time freelance. August is always quiet for training, and in 2011, it was the first time I didn’t have a 9-5 job and I needed something to do. I didn’t set out to spend the majority of my blogging criticising the Information Commissioner, but you’re supposed to write what you know. My time at the ICO is now ancient history, but I remain a keen observer of their work.

I genuinely think that Freedom of Information and Data Protection are important to a functioning and fair democracy, and I honestly believe that the ICO is an ineffective regulator of both. The fact that Chris Graham is a much more energetic and convincing figure than his predecessor hasn’t done much to improve the FOI side of the business (if anything, the quality of the decisions is getting worse), and while public sector data security has certainly been a priority, a lot of other (more) important things have not. The private sector is barely touched by the ICO’s work, and issues like subject access and accuracy – the element of DP most likely to cause real damage – seem more or less untouched.

Many people who hear my views about Wilmslow assume I am showing off, and that underneath it all, I respect the Commissioner’s Office and the quality of its work. No matter how many times I point out real examples of the ICO’s failings, I think a lot of people want to believe that the folk in Wilmslow really know what they’re doing. It’s unlikely that my efforts to convince the world otherwise have made any difference, and if I spend another two years banging on about it, I doubt anything will change. Albert Einstein did not say that insanity is doing the same thing over and over and expecting different results, but it’s a valid point. Sometimes, you have to look in the mirror and ask yourself what the point is. Coupled with some other things going on in my life (some now resolved, some that just aren’t going away), I was tempted to abandon tweeting and blogging and do something more constructive with my time.

And then stuff like this happens.

On June 28th, just around the time I was starting to wonder whether I should give this up, the ICO published their own thoughts on the issue of accidentally sharing data via FOI requests. The blog makes a very important point – FOI disclosures are a significant risk for data security, as they involve a regular flow of information out of the organisation. Often, the person sending the information isn’t the person responsible for its day-to-day use, and they may not necessarily know what’s in what they’re sending, or what the implications are. There have been some egregious examples of very sensitive data leaking very publicly in this way. It is, therefore, probably something that the ICO should be warning data controllers about.

I tried to remember the first time I heard about this being a problem. It never happened to me when I was actually doing FOI disclosures – I remember some very long conversations with increasingly annoyed IT people as they reassured me that, no, there wasn’t anything in the spreadsheet that we didn’t intend to be there. I think I first became aware that FOI had actually resulted in security breaches when I met some of the What Do They Know volunteers, and they told me that accidental disclosures were becoming a problem. Since then, it’s been something I’ve mentioned on most of the DP courses I have run. I always recommend training as an important DP protective measure, but not in the self-serving way you might think. Training in the systems that people use every day is at least as important as training on DP.

What irritated me about the ICO blog is the fact that – even though this is a straightforward problem which all FOI bodies ought to be aware of – the ICO only seemed to have bothered to do it because What Do They Know had prompted them. Indeed, the most useful part of the blog is the bit they lifted from WDTK’s own work on the question. I wondered how long it had taken them to get around to saying something about it, when they first became aware of the problem. So I made an FOI request. When did the ICO first become aware of the issue?

October 29th 2010.

For nearly three years, the ICO has known that this is a problem, and as far as I can see, has said nothing about it. Even now, they have squeaked out a blog about it, rather than shouting it from the rooftops. How much information has ended up in the wrong hands in the last three years? How many incidents could have been prevented if the ICO had bothered to mention it? There are two departments in the ICO – Policy Delivery and the abysmally named Strategic Liaison – that exist solely to come up with guidance and disseminate messages. I’m not sure how many of them would have known the former ICO senior officer who said, in response to a claim that we weren’t doing something that ‘thinking is doing’, but they’re certainly keeping his spirit alive.

Precisely because everyone else in the information rights world doesn’t think that they’re all idiots, the ICO have a responsibility to use their position to get these messages out. Here is a significant risk and the ICO has apparently been sitting on it. Even if they’re investigating enforcement cases as the blog claims, they could have highlighted this much earlier – and if mentioning it would prejudice any cases, they’ve done that now anyway.

I am not a supporter of the ICO’s approach. I am not a critical friend. I am not the only one wanting to give them a kick up the arse, and I am far from being the most significant critic (hello, The Financial Times), but the last thing that the ICO needs is reassurance, praise, a warm pat on the back. They need to be challenged relentlessly, under constant pressure. Enforcing the law is not a comfortable, or an easy business. A popular regulator isn’t doing its job properly.

So the blog about learning the ukulele or Belgian Beer is postponed. Normal service is resumed.