Every dog has its day

I had a really interesting spam email judgement in my favour last week, against Liverpool based The Football Pools (TFP).

My claim was essentially twofold – that they didn’t have consent to send marketing under Reg 22 of PECR and that therefore there was no lawful basis under the DPA1998 for the processing of my personal data. I sought damages under Reg. 30 of PECR and Section 13 of the DPA. The claim was for £3,000; my contention was that the marketing had prompted me to gamble and lose money, whilst I also sought compensation for the distress of having my data used in this manner to send unlawful marketing.

TFP were represented throughout my claim by Shoosmiths, who then instructed a Barrister from King Street Chambers for the hearing. Shoosmiths made it clear over the preceding 11 months that they felt the claim had no chance of success, and therefore also claimed they should have a costs award under CPR 27.14(g) (essentially that I had acted unreasonably in bringing it). That raised the stakes going into Court, but I was determined not to be intimidated, so was content to roll the dice. No quarter was given at any stage of the dispute, with both Shoosmiths and the Barrister arguing almost every aspect of the claim, which I’ve tried to summarise below:

Instigation

By way of background, TFP used a company called Monetise (https://www.monetise.co.uk/) to send marketing on their behalf, who then sub-contracted with an affiliate network. I received 3 emails from an unidentified sender in May 2018 (pre-GDPR). On the matter of whether TFP instigated the emails, they claimed they weren’t the instigator, as that role fell to Monetise, who instructed the actual sender. I argued we should go to the head of the snake, the company whose products and services were being marketed. I quoted the Vanquis Bank ICO penalty and the judge agreed that they had instigated the marketing.

Consent
They also argued that I had consented to receive the messages by virtue of visiting a (now defunct) competition website, and provided me with an IP address from which my email was allegedly submitted. I explained to the judge that I wasn’t in any way associated with the IP address and that further, even if it was held that it was me, the consent obtained was just a typical generic third party statement that had no mention of TFP.
The judge accepted my initial argument that I’d not entered my details via the stated IP address, so we didn’t really get into the generic point. She seemed to place considerable weight on the fact that I’d raised this several months earlier with TFP and they hadn’t provided any further evidence.

Reasonable care
Part of their defence was that by virtue of having a contract with Monetise, which required the latter to comply with all privacy laws, they had taken reasonable care, which is a defence under Reg 30(2).
I was able to highlight paras 57-58 of the ICO’s enforcement notice against Vanquis as an indication of what reasonable care might consist of in terms of due diligence. It felt rather hollow to me to argue that they weren’t the instigator, that there was valid consent, but that even if neither of those things were the case they had taken all reasonable care. Surely that falls on its own terms given they didn’t even realise they were responsible?
They had no evidence of any due diligence or other controls and the Judge therefore found they had not taken all reasonable care. They hadn’t even produced the contract as evidence, relying instead on a Witness Statement asserting its existence.

Damages
Counsel claimed that any losses for gambling weren’t recoverable as they were a “novus actus interveniens”, ie something I had chosen to do and not directly flowing from the marketing itself.
I shared some stats from the Gambling Commission about how effective email marketing is and argued that the very intent of the advert was to get people to gamble, and therefore far from being unforeseeable, it was the intended outcome of the message.
I’m not sure what the judge made of that point because she found that I’d failed to substantiate my losses to the required standard and therefore dismissed this part of my claim.

Awarded Damages
The judge stated she’d look at my claim under both pieces of legislation and, having found there was a breach of Regulation 22 of PECR, awarded me £750 damages. She seemed persuaded by my argument that nobody had ever explained to me who else was in the web of data traders and therefore my distress about being targeted was enduring. She was a little vague about whether the award was under Reg 30 or Section 13, and in this regard I felt it was quite a generous judgement, as it’s only really the DPA that provides compensation for distress.

Costs
The judge also made them pay my fixed costs of bringing the claim: the initial issue fee (£105) and the hearing fee (£335).
Despite the judgement being partly in my favour, Counsel still tried to argue for costs on the basis of CPR 27.14(g), partly on the basis that I’d been too quick in bringing the case. I didn’t need to make any submissions on this point, as the judge quickly dismissed it.


Overall it was a bit of a rollercoaster of an experience, but one that I hope plays a role in encouraging marketers, especially in toxic industries, to be a bit more considered in their activities.


Roses are Red, Violets are Blue, If you send me spam emails, I will sue you.

A bleak and dreary Shrove Tuesday in Manchester saw my debut appearance in the Small Claims Court, an experience I found fascinating and infuriating in equal measure.
The issue was in relation to the processing of my personal data by internet marketing company Koi Advertising, who had apparently obtained both my data and my consent to market me via a third party, The Interactive Team. Interactive tell us that they “specialize in Live Lead Generation, presenting your business with preimpulsed, preinformed, fully opted-in and ready to buy customers” – although they manage to achieve all of that without a Privacy Policy on their website.

Koi’s formal defence to my claim was that

“Interactive Results provides Koi Advertising with consumer data that has been carefully selected and processed, so that Koi Advertising may transmit consumer-focused email marketing to the data. The subjects of this data, such as Mr. Walsh, provide full consent to Interactive Results for their data to be shared with Koi Advertising for this purpose. This is covered in the privacy policy of Interactive Results”


When I pointed out that there was no such Privacy Policy, Interactive themselves then told me that my details had been collected in a face-to-face interview in Arbroath in June 2017 (they hadn’t; I’ve never been to Arbroath). Below is a copy of the survey I allegedly completed.

Submission – Interactive Challenge Survey Sample

My claim was therefore on the basis that Koi had been unlawfully processing my data and sent marketing in contravention of Regulation 22 of PECR. Their marketing had included, amongst others, spam on behalf of a gambling firm, along with companies called Property Rescue, 1ClickHomeLoans and some low grade credit providers.

In the hearing itself, it soon became apparent that there were some procedural errors with some of my evidential submissions, which immediately put me on the back foot, although we soon got down to business about whether they had valid consent. My argument was essentially twofold, a) I hadn’t completed the form and b) even if I had, it didn’t constitute valid consent, as required by Regulation 22 of PECR.


The Judge firstly found on the balance of probabilities that I had completed the survey. She essentially said it was for me to prove that I didn’t and asked what evidence I was relying upon to support my position. I pointed out it was difficult, if not impossible, to prove such a negative, which she offered some sympathy towards but ultimately stressed it fell on me as the complainant to prove my case.

She then turned to whether the consent was valid. One of the documents I’d submitted was the ICO’s Direct Marketing guidance, which of course makes it very clear that indirect consent is almost impossible to achieve for electronic marketing. It also explains quite clearly that things like pre-ticked boxes are a no-no, that consent doesn’t last forever and that it can’t be onward shared, all of which I thought counted against Koi here. I also highlighted that the definition of consent in this context derives from the European Directive 95/46/EC. The Judge said she wasn’t bound by that but would use the definition nevertheless. However, she also referenced that consent had a natural meaning through contract law, and I felt I struggled to distance her from the more everyday meaning of the word. After some debate around these points she essentially concluded the wording was sufficient for an organisation like Koi to send me a range of marketing so long as it was for the sectors listed. I pointed out that the statement made no reference to Koi and that Interactive’s “partners” could essentially amount to any organisation, at any time. She basically nodded that yes, that was what I’d agreed to, and therefore found the consent was valid. The claim was therefore dismissed.

It seemed to me that the Judge wasn’t particularly knowledgeable about the rules around Direct Marketing, and I definitely erred by not making enough explicit references to the legislation within my case. At one point there was a suggestion that I might have been seeking a dual remedy, as I’d already asked the ICO for an assessment as to whether there had been a breach. Obviously I was quick to highlight that the ICO specifically directs individuals seeking redress to the Court, but I was somewhat surprised to be having to explain that at all.

Whilst I wasn’t at all confident of being awarded damages, I hadn’t expected to lose the decision on the basis of consent, especially where such a conclusion appears to contradict both the ICO’s extensive guidance, and more worryingly, the legislation itself.
Koi seemed to genuinely believe in their position and underlying business model throughout proceedings, which also surprised me. That said, they’ve very recently updated their website, stripping away most of the content, and have now added a Privacy Policy that I was previously unable to access, which is perhaps telling. They’ve also removed references on their site as to how they actually operate, but I’m aware that they’re heavily involved in affiliate marketing with a range of gambling firms. The ICO previously spoke about a “crack down” in this area, although there’s not been any output to match that rhetoric; they were fairly uninterested in my complaint and turned down my invitation to appear as a witness on the basis “it’s something we would not normally do”.

In their response to the ICO’s standard letter, Koi commented

 “As an aside, we have recently held several meetings with our lawyers to discuss the implications and action points of the incoming GDPR legislation, around which there has of course been much discussion lately. We are fundamentally committed to remaining 100% compliant to both current and future legislation”.

Hmm.

Koi also run https://uk.jobinaclick.net/, on the surface a jobs board but one that appears little more than a data harvesting model, as the terms confirm that once you’ve given them your data “you acknowledge that we will not process any job application or submit any information on your behalf to any recruiter in respect of any job”.

As can be seen, the only way of registering with them is to accept their Privacy Policy, and the associated consent to receive email from “Partners” about pretty much anything.

It’s a compliance car crash but a model they appear keen on, as they replicate it on their travel site too http://uk.fortravellers.co.uk/index.php?module=site&method=terms

If you want a holiday or a job, it might be wise to look elsewhere.


Ladbrokes Spam

I’ve written previously about the use of affiliate marketers in the Gambling sector, which I’ve come to realise is a significant issue across the industry. It seems nobody has a bigger problem than industry giant Ladbrokes, despite a commitment to “being a leader of our sector in responsible business practice”.

In a 9 month period from Nov 2014 to July 2015, I received 3 marketing text messages and 7 emails on behalf of Ladbrokes, all sent without consent. I complained to Ladbrokes on several occasions, with Legal Counsel Stuart Reid, in a rare response to my correspondence, offering the following analysis of one example of the spam:

“The marketing email to which you refer was sent to you by one of Ladbrokes’ marketing partners, a company called Emailmovers (www.emailmovers.com).  Emailmovers acquires personal data from user activity on its own websites and from third party sources.  It is therefore Emailmovers, and not Ladbrokes, that controls the list of email addresses to which the relevant email was sent.

Emailmovers advises that you gave your consent to receiving marketing emails at 14:41 on 28 July 2009 via www.loanandgo.co.uk; and that it is for this reason your email address was captured and ‘opted in’ to receiving marketing communications from Emailmovers.  We understand, further, that your email address is included on two separate databases that are made available to Emailmovers”.

To put that another way, Ladbrokes (and their marketing partners) believe that because I apparently applied for a loan in 2009, I’m an appropriate, willing and therefore lawful target to receive marketing some 6 years later. That particular piece of marketing and comment came after several requests to Ladbrokes explaining quite clearly that I didn’t wish to receive marketing enticing me to gamble.

As I previously highlighted, the ICO regard an organisation using affiliates as “instigating” the marketing, a natural and reasonable interpretation, which of course means in these circumstances Ladbrokes had responsibility – and liability – under the Privacy and Electronic Communications Regulations (PECR).

I therefore asserted my rights in accordance with Regulation 30 of PECR and claimed damages from Ladbrokes for these repeated contraventions of PECR. Even after one settlement in relation to the first batch of spam, subject to a confidentiality agreement that was broken by affiliate marketer Matt Jacobs when he wrote to their partners to call me a “troublemaker”, the messages continued. I therefore submitted a further Small Claims Court claim.

Somewhat amusingly, they couldn’t even muster the energy to hoist the white flag on the more recent claim, completely failing to respond to the Court, leading to a judgement in default. Their reluctance to open their post continued, meaning my requests for payment were also ignored. I therefore instructed Bailiffs to collect the debt, who after 3 visits to HQ finally managed to secure my full claim and costs, displayed below for reasons best described as tacky smugness.

Tacky smugness


On a more serious note, such is their lack of control of their web of affiliate marketers, that even after such a settlement, further marketing messages have continued to come in – an astonishing 20 emails in the 10 days after my cheque arrived.

I’ve repeatedly sought the advice of the Head of Responsible Gambling at Ladbrokes, Graham Weir, as to how I might stop these latest invasions of privacy. His initial response was for me to opt out of the latest emails, advice which I pointed out was contrary to the ICO’s own advice not to respond to unknown links (so as not to confirm a live email address). He then told me to follow the ICO’s advice, before the Legal Department wrote to tell me to follow the unsubscribe links on the two examples I’d forwarded them, whilst not taking an interest in the other 18 examples I had offered to send them. All the emails were displayed as being from Ladbrokes.

Once again, they outlined their apparent ongoing disagreement with the ICO’s views on affiliate marketing, noting

“We did not send, and were not responsible for, either of these two messages…We strongly refuse any suggestion that our marketing activities contravene relevant legislation”.

Perhaps someone is taking upon themselves to unlawfully market Ladbrokes without any inducement? Or perhaps Ladbrokes are taking the piss.

A quick Twitter search for “Ladbrokes Spam” shows a similar attitude of distancing themselves from the affiliates who are doing their unlawful dirty work, along with examples of them spamming self-excluded customers and children.


Even aside from the blatant breach of PECR, quite how that fits with Ladbrokes stated commitment to Responsible Gambling, I couldn’t tell you.

The man who could tell us that, the aforementioned Graham Weir, has repeatedly failed to give me any assurance that he can control the rabid affiliate marketers. In my case, unable to offer any advice as to how they might stop their aggressive affiliate campaign, they instead served me with a Trespass order barring me from entering their shops. As well as being rather ironic, this entirely missed the point.

I briefly wondered whether Mr Weir’s position was derived from ignorance as opposed to an arrogant disregard of the rules, but then I located his following comments to a Gambling Commission consultation on proposed tighter marketing rules to stop unwanted marketing, where he acknowledged the problem, noting:

“We do however encounter some difficulties when we acquire customer lists through normal legitimate sources e.g. an existing customer may have opted in to receiving third party communications on a list that we, or one of our agencies, acquire using a different email from the one associated with their Ladbrokes account. In such circumstances they might then receive a marketing communication from us.

 We believe that the way in which customers opt “in to” and “out of” sharing their information in the current context of data protection frameworks and the obvious lack of a centrally managed (by our regulator) database that people might opt into is very likely to result in frequent failures”.

His comments appear to show a remarkable level of comfort in knowing his organisation will continually fail to adhere to individuals’ wishes by using third party marketing consents in a manner contrary to the ICO’s Direct Marketing guidance. It’s simply a stone cold commercial decision to ignore people’s direct, express wishes, presumably on the basis they may have previously failed to (un)tick a box when applying for a loan 6 years ago.

This issue is something the ICO appear well aware of, noting on its website regarding spam texts:

“The top most reported category was gambling, with 155 concerns. This topic is often in the top three most reported sectors and we are continuing to work closely with the Gambling Commission on this issue”.

This referenced “close work” with the Gambling Commission has been going on since at least last summer, although clearly with limited success given the number of complaints is broadly the same as the January before and likewise higher than 2 of the previous 3 months. Despite the sector being top of the spam text chart, and regularly being in the top 3, there hasn’t been a single piece of enforcement action against any gambling firm. Perhaps even more surprisingly given the ongoing abuse, nor is there a gambling firm on the list of companies under monitoring. I’ve made an FOI request to better understand the lack of action, but notwithstanding that response, I’d strongly suggest some stronger action might be required here.

Meanwhile, the Gambling Commission, despite confirming that they hold licence holders responsible for the actions of their affiliates, have shown no interest, perhaps because they don’t act as a complaints handler and thus have a documented compliance approach that makes no mention of acting on any information they receive regarding non-compliance. They look and act like an organisation funded for failure, with ambitions to match.

As a final thought, it’s not just PECR Ladbrokes seem happy to disregard. I made 2 Subject Access Requests last year, both of which were completely ignored, meaning I had to wait 40 days and then get the ICO to chase them to provide a response. A more recent SAR was met with a request to justify why I wanted the data (I explained), followed by a further 30-day wait and then a request for a fee (admittedly compliant, if unsatisfactory).

As a privacy professional it’s pretty disheartening, but not uncommon, to see an organisation completely ignore its obligations when it’s easier to, especially when it gains commercial advantage by doing so. Most organisations will make mistakes, miss SAR deadlines and generally seek to stretch the boundaries in matters of marketing – but when an organisation wilfully disregards its obligations, it would be nice to see some strong regulatory action. In the meantime, I’d encourage those blighted by spam to take individual action, a route I intend to revisit in respect of the recent score of unwanted emails.


Affiliate Marketing, PECR and Betfair

Late last year I received several text messages inviting me to open accounts with several different gambling companies. I had not consented to receive such messages and none of the messages contained opt-outs, meaning the messages were sent contrary to the requirements of the Privacy and Electronic Communications Regulations (PECR). As someone who has learned the hard and expensive way that it’s not a good idea to try and put one’s money where one’s mouth is, the receipt of these unsolicited text messages encouraging gambling was very much unwanted.

One such text was marketing Betfair, and as you can see from the screenshot, the text was displayed as being from the name of the company it was promoting.

betfair spam

In response to the text, I contacted Betfair to remind them of their responsibilities, and particularly to flag the potential for damage and distress that this kind of serious breach of PECR could conceivably cause. Betfair’s eventual response, from Rhodri Smith (Legal Counsel) noted

“The text message was not sent by Betfair – it was sent by a third party.  We did not instruct the third party to contact you, and your mobile number was not known to us.  It is likely that the third party obtained your consent for marketing (and mobile number) from another website.  We will inform the third party to stop sending marketing communications to you”.      

At this point, one may note that from that text message, Betfair (and only Betfair) were able to identify the sender of the message and able to instruct him to stop sending messages. I would assume the hyperlink within the message carried a unique code allocated to the given affiliate for the purposes of tracking commission. The message also appears to contain a “Freebet” offer, which presumably was also sanctioned by Betfair.

When I chased further details of the alleged consent that it was “likely” I had provided, Betfair informed me the third party was insistent he had consent to contact me, although they would not expand upon this. They subsequently did provide the details of the third party, who transpired to be a gentleman in Israel. Betfair also provided me his address and Gmail email address, inviting me to take the matter up directly with him and essentially saying it was nothing more to do with them.

Having googled the third party’s details, there appeared to be an individual with the same distinctive name who was employed as “Head of Affiliate” for one of Betfair’s major rivals. I had previously held an account with the rival company, so it crossed my mind that the individual may have obtained my details from the competitor’s database for his own ends. That would of course constitute a criminal offence under Section 55 of the DPA.

I thus flagged to Betfair that there was the potential that the third party could have obtained a customer list from his employers, but they did not acknowledge my comments. After discovering the same third party was responsible for the other marketing messages I had received, I eventually reached an agreement not to pursue a claim against him personally for any impropriety or unlawful processing of my data.

Notwithstanding that agreement, I continued to maintain that as the affiliate was marketing Betfair, Betfair were morally and legally responsible for the text message. I reminded Betfair of the wording of Regulation 22 of PECR, which states

“a person shall neither transmit, nor instigate the transmission of unsolicited communications for the purposes of direct marketing…”

The third party who sent the message was an accredited Affiliate partner of Betfair’s, who was being financially incentivised to encourage people to open accounts with Betfair. The Betfair Affiliate terms required the individual to comply with PECR, which implies that Betfair were happy for their affiliate marketers to market their product electronically.

When I challenged Betfair on this point, their Legal Counsel confirmed this was the case, by noting

“If a third party wants to send a text message about a Betfair promotion, the third party must make it clear that the text message is being sent by a third party (not Betfair).  The third party is also responsible for ensuring that they have relevant consent and comply with all applicable laws on direct marketing.  On this occasion, the person who marketed to you gave the impression that they were Betfair, and they didn’t make clear that the message was sent by a third party.  As mentioned above, this is a breach of our Affiliate Programme Terms and Conditions where it states at Clause 3.1(n):- “you will ensure that all communications originating from you relating to Betfair make it clear that such communications are sent by and on behalf of you (and not from or on behalf of Betfair)”.  Following your email, we have reminded the third party about the rules set out in the Affiliate Programme Terms and Conditions.”

I do recognise that the third party has acted outside of the requirements of their affiliate terms, but I believe that a breach of the affiliate terms is a matter between Betfair and their third party. It almost feels like Betfair are saying that precisely because of their lack of controls and due diligence, they are not liable. However, you cannot simply outsource your liability to comply with PECR. You must not allow your name to be used in unlawful marketing.

In any case, it is apparent that Betfair have been benefiting from the arrangement in the form of customer referrals and the third party has been financially rewarded for this. The individuals such as myself who have suffered the breach of privacy and unlawful marketing do not seem to interest Betfair. Indeed, despite the breach of the affiliate terms it seems Betfair simply reminded him of his responsibilities.

If a gaming company allows an affiliate to send messages without consent, and without an opt-out, this is very much the kind of breach likely to cause both damage and distress. Given the intention of the message is clearly to encourage individuals to gamble, it does not take any intellectual gymnastics to construct a set of circumstances whereby financial damage would occur. The distress of receiving repeated texts, even from organisations from whom you may have self-excluded, is hopefully equally clear.

The ICO’s guidance on Direct Marketing doesn’t directly address affiliate marketing, although their guidance around so called viral marketing draws some interesting parallels. I therefore sought a view from the ICO on the meaning of the phrase “to instigate” a message under PECR, and they confirmed

“you would be instigating if you encourage [emphasis added], incite, or ask someone else to send your marketing message”.

In response, Betfair maintained that they have not instigated the message, because

“The affiliate’s marketing is separate from the merchant’s own marketing.  We do not ask or instruct third party affiliates to provide affiliate marketing services.  Where third parties wish to provide affiliate marketing for Betfair, they must comply with Betfair’s Affiliate Programme Terms and Conditions…”


I interpret Betfair’s position to be that they don’t encourage affiliate marketers, on the basis that they don’t directly instruct them to market Betfair. Rather, affiliate marketers may take it upon themselves to market Betfair (at which point Betfair will of course reward the affiliate). I find that an exceptionally weak position and contend that they have encouraged the sending of the message by incentivising their affiliates to send messages. If there were no affiliate scheme instructing people what they should do if they “wish” to send text messages promoting Betfair, there would be no text message.

If I’m wrong and Betfair successfully argue they didn’t instigate the message, then the marketing industry will have discovered a very easy route around complying with PECR – just use affiliate marketers (ideally individuals outside of the EEA) to do your dirty work.

A further defence offered by Betfair was that they had my consent to market to me because I agreed to receive marketing when I opened my account with Betfair. I have no reason to doubt that was my marketing preference, but as Betfair themselves explained, I opened my account in 2003, so to rely on that consent would also be a particularly expansive interpretation of PECR’s description of consent “for the time being”. In any case, as Betfair confirmed previously, my current telephone number was not known to them, so they do not have consent to market to the telephone number on which I received the marketing.

At no point did Betfair directly address the additional breach of a lack of opt-out within the message, but they did also present a further contradictory argument that if I wanted to opt out of marketing, all I needed to do was log into my Betfair account (from 2003) and amend my marketing preferences. So Betfair, a company who are supposed to promote responsible gambling, think it is a reasonable (and lawful) policy to require former customers, presumably including problem gamblers, to log into their accounts. Quite aside from wildly misunderstanding their requirements under PECR, that is a revealing insight into their attitude to responsible gambling and general customer service.

In light of Betfair’s refusal to accept any liability for the message sent in their name, marketing their product, I have commenced action in the Small Claims Court. Betfair told me their large internal team of lawyers wouldn’t be handling the matter and that

“any proceedings will be handled by external lawyers and we will seek to recover those legal costs, in full, from you”.

As a matter of principle, that’s one gamble I’m willing to take.


Anyway the wind blows, doesn’t really matter to me

The ICO’s recent(ish) Data Controller (DC) and Data Processor (DP) guidance has received a lot of unfavourable attention, and I’m afraid the Policy Department will have to add me to their voodoo doll collection, as I find it a really strange piece of guidance. What’s been presented as a clarification of an area organisations struggle with in fact appears to be a significant change to the working understanding of some notable experts within the field.

The guidance starts sensibly enough, noting

“The data controller must exercise overall control over the purpose for which, and the manner in which, personal data are processed. However, in reality a data processor can itself exercise some control over the manner of processing – e.g. over the technical aspects of how a particular service is delivered”

And similarly clarifying

“The fact that one organisation provides a service to another organisation does not necessarily mean that it is acting as a data processor. It could be a data controller in its own right, depending on the degree of control it exercises over the processing operation”

I think that was the general understanding people would previously have worked towards. However, the guidance then heads off in another, perhaps contradictory, direction when it later explains that

“activities such as interpretation, the exercise of professional judgement or significant decision making in relation to personal data must be carried out by a data controller”.

The Guidance also helpfully provides a number of examples, but there is one in particular that I can’t agree with, albeit I’m late to the party on this one:


Market research company

  1. A bank contracts a market research company to carry out some research. The bank’s brief specifies its budget and that it requires a satisfaction survey of its main retail services based on the views of a sample of its customers across the UK. The bank leaves it to the research company to determine sample sizes, interview methods and presentation of results.

  2. The research company is processing personal data on the bank’s behalf, but it is also determining the information that is collected (what to ask the bank’s customers) and the manner in which the processing (the survey) will be carried out. It has the freedom to decide such matters as which customers to select for interview, what form the interview should take, what information to collect from customers and how to present the results. This means that the market research company is a data controller in its own right in respect of the processing of personal data done to carry out the survey, even though the bank retains overall control of the data in terms of commissioning the research and determining the purpose the data will be used for.


So, the ICO’s clear conclusion in this example is that the market research company is a data controller. I don’t contest that they are to a large extent determining the specific manner in which the data is processed, but I cannot see how they can be said to be determining the purpose. The purpose is market research, and it will presumably be listed as such in a fair processing notice on the bank’s original application forms. It’s important to recall that the DPA itself defines a DC as an organisation that

“determines the purposes for which and the manner in which…”.

The key word there is “and”, which is where I think the ICO have basically lost their way: the definition requires both limbs, purpose and manner, not one or the other.

Most outsourcing relationships will rely on the contractor using their expertise to determine the manner in which the data is processed. To me, a Data Controller will always concede some element of the manner of processing when outsourcing; after all, you outsource certain functions (and consequently personal data) specifically because of the technical expertise of the outsourcer. Yet the ICO’s guidance appears to lean towards an either/or scenario in terms of purpose and manner, because even according to their own logic, the bank

“retains overall control of the data in terms of…determining the purpose the data will be used for”.

They recognise that the market research company is not determining the purpose for which personal data is processed. They are, as the guidance notes, making some decisions on the specifics of which data is collected, in the sense that they are being allowed to use their technical experience (or is it professional judgement?) in setting the questions, selecting the sample size and so on.

As I understand the guidance, it’s precisely the act of granting the market research company this freedom to have some control over the manner of the processing that makes it a data controller. The less prescriptive the instructions, the more control is exercised by the market research company. However, if one follows that through to its logical conclusion, how would you assess a relationship where there are no written instructions or contract at all? If you don’t tell a contractor exactly what to do and they alone make decisions on, for example, the deletion of the data, are they not more likely to be considered a data controller? Loss or misuse of the data in that scenario would not even be a breach of contract (only of the DPA).

A final word on that market research company. If they lost the customer dataset provided to them by the bank, does anyone actually think the ICO would turn to the market research company rather than the bank who commissioned them, on the basis that it was the former who had been deciding the sample size and were therefore the Data Controller? Even I’d fancy my chances of arguing on behalf of the market research company that the charge falls at the first hurdle, because they are not determining the purpose for which the data is processed in accordance with the definitions of the DPA.

The motivation for this blog was my own difficulty in understanding where contractors/partners are DCs or DPs. For example, if I worked for a moneysupermarket-type platform and was advising on a contract with a number of insurers who were on a panel to quote for insurance, my biggest concerns when passing them data would be to ensure the data would be kept secure and not processed for additional purposes. I’d look to complete some due diligence around their processes. I’d also ensure contractually that they were limited to processing data for a specific and limited purpose – i.e. the provision of a quote. To my mind, they are, and always have been, Data Processors, because only my organisation decides the purposes for which the data is processed. It’s solely and specifically for providing a quote. Of course they will primarily decide the manner in which it’s done, because it’s their own professional judgement and technical expertise that will assess the risk and determine the quote. However, in crude terms, they do as I tell them with the information I give them. I’m only discussing the provision of the quote – obviously if/when a customer wants to take that up, that’s between them and the provider, at which point the provider will of course become a controller.

I collect the data, I’m responsible for the fair processing notice and I’m liable for any loss of the data. Well, that’s what I think, and although it also seems to be what the Enforcement department think, the policy guys appear to be swimming against the tide. That’s not to say they are wrong, but if they are making significant changes to the ICO’s position, they should perhaps flag that more clearly.

To be honest, when debating some of the above points with partner organisations who were adamant they were Data Controllers in a scenario similar to the above, I quickly reached the point of complete indifference. If I’ve got a contract getting them to agree they will process data for the single specified reason I’m giving it to them, and I’m happy with their security (et al) processes, then what’s left to squabble about? If they lose the data then at worst the ICO regard me as the DC; if the partner company insist they’re a DC then they are simply putting their hand up to the liability. The reputational damage will nearly always sit with the source organisation, but that’s the case irrespective of who is the DC/DP in the ICO’s eyes.

So, whichever way the ICO guidance wind might be blowing, it’s business as usual for me.


Costs, Opportunity Costs and plain Hypocrisy

The cost of FOI, something which has previously caught my eye, has once again reared its head on account of SCC’s decision to publish what they hold to be the cost of requests. Let me firstly try to calm the sensitivities of the transparency lobby by repeating that I believe in FOI as a legitimate cost of democracy. But let us be open, honest and transparent about that cost – it’s not an Act that needs to rely on the crutch of capitalism, rather it is a legitimate price of a modern society. Equally, what a Council spends on FOI must be considered against what it spends on the other services it provides.

I don’t doubt for a minute that SCC’s release is an attempt to dissuade people from making requests, and nor do I doubt it will only provoke those outraged by a public authority trying to save money/reduce scrutiny (we’ll show you to question us). However, I do absolutely dispute that their cost of handling FOI is 0.00003% of the council’s budget, a figure based on FOI costing £31,700 out of a £975 million budget (which, incidentally, works out at roughly 0.003%, not 0.00003%; but it is the £31,700 itself that I take issue with below).

I also find a wider irony in the criticism of the (admittedly loaded) transparency of SCC in this regard. For example, FOI commentator Matthew Burgess notes that

“The council has also been widely criticised on social media today for publishing how much it costs to respond to the requests.”


Why would a Council be widely criticised for publishing their costs? Who do we think has criticised this particular piece of transparency? Well, mainly those who argue most passionately about transparency.

I also note the following comment from Matthew that

“Publishing the estimated costs of requests from certain groups/campaigners is, at the very least, not in the spirit of the Act, which is intended to be motive and applicant blind. Aside from any data protection issues, publishing the names of organisations that are frequently asking for information may deter others from making requests. It also creates the inference the organisations are wasting public money by asking for information.”

Firstly, I don’t think the motive and applicant blind principle needs to extend to not revealing how many local newspapers have made requests. There’s definitely a wider potential issue around the release of personal data, albeit with the caveat that nobody cared until the Council implied a problem with FOI, but that’s another blog altogether.

But what is truly astonishing is the comment that by providing the names of organisations that are frequently making requests, it

“also creates the inference the organisations are wasting public money by asking for information”.


Along with a further comment from another Tweeter that

“spending money on just publishing that (FOI costs), to discourage and demonise FOI, isn’t a good use of funds”


There is irony, but there is also hypocrisy, and I’m afraid the above statements wade into the latter. Is it really the case that if the public know which organisations are costing the most money by making FOIs, they (the public) will infer that these organisations are wasting money in doing so? And demonise them for doing so?

Yes/no/maybe is my answer. But let the public decide for themselves, isn’t that the whole idea? Would/should the same information be released under FOI? I respectfully suggest Matthew et al would be arguing it should be.

I do absolutely accept that a public authority shouldn’t be able to provide skewed data to prove a point (or save money), but do the critics really believe that the cost of FOI for SCC was £32k over two years? I don’t necessarily expect pressure group activists to make an argument for their opponents, but there is a further irony in transparency campaigners accepting (and using), without question, a figure that has a Council spending circa £16k a year handling FOI. Add a decimal point and I suspect you will be closer to the truth. If you disagree, then please consider that they handled 1320 requests in a single year. Did one person do them all, without training, staff time, printing, postage etc.? If you want to handle 1320 requests for £16k as an outsourcer I’m sure you’d get the gig – especially if you agree to cover internal review and Information Tribunal costs. As a guide, I did circa 200 requests a year whilst being paid £25,000.

I recall the fuss about Nick Griffin being included on Question Time. I felt then, as I do now, that the facts should speak for themselves. If you can’t make Nick Griffin look like a clown then that’s on you. And if you can’t make FOI a worthy proposition then that’s also on you. I admire the impact and principle of one, and not the other, but strongly believe that one should be able to win a debate on the facts, not by suppressing them.


Applicant blind?

David Higginson has recently blogged about the accidental release of information from Hackney Council, in which it revealed that

“Internal briefing notes are drafted by some teams within the Council to record progress when responding to the request, and provide context on the request, for the benefit of colleagues assisting with the retrieval of information. In such a circumstance, information may be gathered from the public domain, for example an internet search of the requester’s name and whatdotheyknow.com; ascertaining research interests of the requester can assist the Council in providing additional context to an FOI response, hopefully adding to its intrinsic value.”


This process has been termed ‘profiling’ and David has also provided a further piece for the Guardian here. Tim Turner also wrote an interesting piece examining the basis for the profiling under the DPA.

David has taken an example of an FOI officer producing a brief, publicly sourced summary of the interests of the requester (and by implication the context of their request) and suggested it highlights a wider problem of a lack of engagement with FOI within public authorities.

His piece for the Guardian went further still, straying into inaccuracy when claiming applicant blind “is the principle that anyone who puts in a freedom of information (FOI) request can expect his or her identity not to be released or examined”. Without wishing to be overly pedantic, I think that’s an inaccurate summary of the principle, which in my opinion is being taken a little too literally by a number of commentators. In any case, those who don’t wish for their identity to be released would probably be advised not to use a public forum such as whatdotheyknow to make their request, as the delightful Rebecca (“don’t kind regards me”) Hamsley did here.

The principle, in my view, is in fact that the identity and motives of a requestor should have no bearing on the information disclosed under FOI. Basically, you can’t refuse a request from a journalist because you think they want to write a negative story about you. I honestly don’t think that extends to saying that the format, language and tone of a response should be the same irrespective of whether it’s received from the local crank or the Prime Minister.

The legislation is clear about what is expected in an FOI response; a refusal notice in particular is very prescriptive, and surely it’s the end result that we should look at to see whether a request has been handled correctly. I thus think David misses the mark – widely – by claiming “if ever there’s an example of ignoring applicant blind, it’s this”. As David himself quotes from the ICO guidance, “the information someone can get under the Act should not be affected by who they are”.

In this case, Rebecca Hemsley received the exact same information that a journalist, student, foreign individual or local crank (sorry, principled campaigner) would have received – nothing. To come up with an applicable example of ignoring the applicant blind principle, surely one would be better off sourcing an example of how a different level of information was provided because of the identity or motives of the requestor. The example of a TfL response/handling of a request was also raised on Twitter, but from what I can see, the majority of the discussion was around what additional information to provide outside of the requirements of FOI.

David also implies a breach of the principle by virtue of the fact that requests from the press might be shared with the press office, commenting “in recent years, it’s become commonplace to hear stories of councils briefing press offices about requests from journalists”. I can confirm that request handlers at the ICO were in fact asked to let the External Communications team know of any request that might be high profile and/or came from the press. That wasn’t so they could overrule a decision on what to release, but rather so they could be aware of the potential fallout and be well placed to handle potential queries, the majority of which would of course be from the press. In short, they needed this information to do their job. On at least one occasion I personally also shared the identity of a requestor outside of the ICO when I was consulting with another organisation, where the requestor themselves had placed their request in the public domain.

An FOI handler needs to be independently minded, but that doesn’t mean they can’t consider the consequences of FOI and still safeguard the reputation of their organisation. Effective FOI is rarely about the strict provision of information without some supplementary explanation.

I’d much prefer to see an FOI response where time is taken to provide context at the time of the request. A recent example was the release of Council spending on iPads that ended up in the MEN. Stockport Council spent £26,000 on iPads but later provided the context that this saved them £20,000 in printing costs, so straight away their apparently profligate spending was firmly rebutted and taxpayers could breathe a sigh of relief and aim their anger artillery in a different direction.

A public authority which recognises the motives of someone making a request has the potential to add great value to the process. Recognising that the MEN were gathering information about profligate spending on iPads by Councils would have allowed Stockport Council to add context to the request at the time it was made. I do take the point that arguably that context should be provided to all requestors, but if you know the request is from a student who is interested in the use of iPads compared to other tablets, then I’d suggest the specific supplementary explanation quoted above is redundant. As with so many things, context is key.

As I say, information in isolation is less likely to be productive. I’m fairly sure that when I handled this request for the ICO’s (in)action on the non-notification of MPs, I will have flagged to the relevant department the context of the requestor’s previous posts on the same topic, where he articulated his concerns. I didn’t really know a lot about the thought processes behind my colleagues’ procedures, so by sharing Jonathan’s earlier comments they could at the very least provide me with a supplementary explanation that went to the heart of his concerns. On the back of this scrutiny they might even have decided to do a bit more in their work in this area. I regarded all of this as a healthy outcome, much more positive than ignoring the underlying basis of his concern. I can further share that I will have been allocated Jonathan’s request on the basis that I had previously dealt with a request on non-notification by the same requestor. Strictly, this would also run contrary to David’s literal interpretation of applicant/purpose blind, given it was precisely the identity and motive that led to him drawing the short straw and having me handle the request.

Crossing the information rights boundary, was this ‘profiling’ of Jonathan a breach of Data Protection? Did I have a condition for processing his data? As Tim correctly states in his piece, in the absence of any other condition, I’d agree I would be left to rely upon the condition that

“the processing is necessary for the purposes of legitimate interests pursued by the data controller…except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject”.

I take a subtly different view to Tim, who, in the case of Hackney Borough Council, felt that the Council must demonstrate a) that the profiling is necessary, b) that it is legitimate and c) that it doesn’t cause unwarranted harm.

I feel that a) the profiling serves a legitimate interest, b) the processing of data is necessary for the purposes of that legitimate interest, and we both agree on c). I might be wrong on this, but I feel the legitimate interest, understanding the context of JB’s request, was to help me provide a better response. The processing of his data was necessary to do that. It’s the act of processing, not the legitimate interest, that has to be necessary.

Some have raised the cost involved in the profiling as an additional reason for concern. I think in both the example given by David and in my experience, we aren’t talking about significant work. Even if one dismisses the potential benefits of providing additional context, on the known facts it still seems difficult to suggest that profiling is something that weighs heavily on the taxpayer.

It seems an accurate but regrettable reflection of the adversarial nature of FOI that, in the absence of any evidence and despite an explanation directly to the contrary, the Hackney case is automatically assumed to be an example of not embracing FOI. I’m not naive enough to swallow everything a public authority says, but on the basis of the evidence here I hold considerable sympathy with Hackney for ending up named in the Guardian as an authority who don’t embrace FOI.


A Public (dis)Service

When I started this blog I had no idea what direction it would take me in, but I held a desire to be able to speak freely about my opinion of DPA and FOI – a freedom that my previous role within the institutionally conservative ICO did not afford me. I’m an opinionated and perhaps contrary character, so much of what I write will probably reflect those traits and follow a pattern of challenging those whose positions I disagree with. With all that in mind, I offer no apology for a strong focus on, and reaction to, the latest offerings of those who have again railed against the ICO’s criticism of Local Government and/or the wider public sector.

Much of the excitement came from Chris Graham’s reported remark that the Local Government sector was “hopeless” at DP. Unfortunately no context for the remark was given, although with predictable relish some chose to take that as an attack on the DP officers themselves, whilst another anonymous public sector employee barked their laughable belief that Chris Graham should resign and again took the statement to be aimed at “all” Councils.

Prior to that comment, Tim Turner recently wrote about his “belief in the ICO’s anti-public sector bias”, and that anyone who had a different view was “weirdly biased”. He further argued that the ICO was “arbitrarily going after the whole local government sector”, so some of my analysis will look at these bold assertions.

As a starting proposition, I certainly agree that the public sector reports more security incidents to the ICO, undoubtedly partly due to certain mandatory reporting in the NHS and possibly more generally due to a sense of civic duty.

I don’t have (the energy to find) more up to date figures, but of 730 self-reported incidents from 2012-2013, 263 were from the private sector, yet only one private sector fine was issued during that period. So, is the alleged anti-local government and public sector bias proven by these figures showing that the ICO takes more action against the public sector? Well, that’s certainly one conclusion, but a more logical one is that the public sector – and specifically the Health and Local Government sectors – processes more data of a kind likely to cause damage/distress, and thus it is more likely to be the recipient of CMPs.

This reasoning is backed up by the following comments from the ICO’s Simon Rice, who argued that

“by its very nature, the public sector processes more sensitive data than the majority of the private sector, and our framework says that the penalty must be for the most serious cases – that you can only fine in the most serious cases”

He went on to speculate elsewhere that

“the failings in public and private sector organisation may be as great, but the impact of breaches by public sector organisations tends to be much greater”

Generalisations can be dangerous, but they can also be applicable, and in this case it appears a reasonable statement, not least because it’s a position even the public sector bias critics subscribe to – note Tim Turner’s Local Government observation that “the likelihood of their data going missing is considerably greater than any other sector”.

Further evidence comes from Jonathan Baines, who notes “Local authorities, by their nature, handle large amounts of particularly sensitive data, but so do most, if not all, NHS bodies” along with further comments on the risk of accidentally releasing data that “councils and NHS bodies …are probably the highest risk ones”.

So, all the analysis of the numbers of breaches is built on the shaky foundation that it’s a level playing field, when we all appear to agree that it’s anything but. The public sector, and particularly local government and health, are processing more sensitive data and are more likely to face problems, so it’s a logical conclusion that they will be more likely to have serious breaches of a kind likely to cause damage etc. There is a slightly different debate we could have about the underlying purpose of a CMP, and indeed their wider effectiveness, but that’s for another day.

Bias, to me, would be present if the ICO looked at the same issue in different ways on the basis of the sector involved. There is no evidence the ICO do this, although there is evidence that Tim does view different sectors differently, as he told us so in a footnote to his own blog that he “would prefer to see more CMPs levied on the private sector, whose attention is more focussed on the bottom line”.

The public sector generally is certainly very under-resourced, and I’m not immune to that argument, but Data Controllers processing the most sensitive data in the most complex ways are the very first people one would expect to have basic measures in place, like home working policies and mandatory staff training. Nobody is asking a small local authority to have the same measures to protect their website as Sony, but surely they have the capacity, and certainly a duty, to do the very basics? And yes, incidents would still happen, but you must do your best to prevent them – that’s the fundamental point of the 7th principle: your measures must essentially be proportionate to the risk (and your resources).

The public authorities who have been fined have, on the whole, shown a significant shortfall in meeting their responsibilities – in many cases “hopeless” seems entirely apt. However, calling a whole sector “hopeless” might well be an over-generalisation, and I agree the lack of context makes it a clumsy and unhelpful comment. That said, I don’t think that focusing a press statement, or indeed CMPs, on the public sector will make the private sector complacent, not least because there is evidence that the publicity surrounding the fines to public authorities for their data handling practices has led to an increasing number of private companies seeking independent assurance of their internal data protection standards.

If it were the case that the ICO did indeed believe the public sector should be held to higher standards then that would be evidence of bias – and totally perverse. I do struggle to accept the unsupported assertion that market forces will lead to higher standards; if I were going out of my way to defend the statement I would assume it is a nod towards the fact that you have no choice about much of the processing carried out by the public sector, whereas if RBS routinely lose my data I can up sticks to Barclays. As an amusing aside, the former lost a copy of my passport when opening an account, although they creatively told me they hadn’t lost it, and that the reason they needed another copy was because they must have sent it to the wrong processing centre and anything sent to the wrong place gets securely shredded. They didn’t lose my custom, merely £60 in compensation – but that choice was mine, a luxury I don’t enjoy with my Doctor, Social Worker or Teacher.

For the life of me I can’t understand why the ICO would be biased against the public sector. Their wider enforcement is pitiful on FOIA (which solely deals with the public sector) yet plentiful for PECR (almost entirely applicable only to the private sector), so the idea that they are routinely scared of the private sector doesn’t appear well founded or consistent across their other functions. The closest I can get to a reason why the ICO might hesitate against the private sector is a fear of taking on a sector who might initially be considered more likely to contest the ICO’s findings through costly and potentially embarrassing appeals. However, both of the appeals against DP CMPs have come from public sector bodies. It’s thus an incredibly self-serving argument to highlight that

“The only CMP successfully overturned was on a public sector organisation (£250,000 on Scottish Borders Council)”, because the only CMP challenged was from a public sector organisation. That particular analysis also neglects to mention that the CMPs served on Sony, Welcome Finance and the Bank of Scotland were served on a similar (apparently flawed) reliance on the compromised data putting the data subjects at risk of identity fraud/financial loss. In hindsight, they look like very dubious CMPs against the private sector.

Further, if the ICO really was in the business of going after perceived soft targets, then surely they wouldn’t be looking at a sector such as the NHS, with all of the emotive arguments that can be made about the money coming at the expense of patient care.

In fact, from working in the office at the time of the first wave of CMPs, there was actually something of a relief when the first appeal was made, because it offered a broad reassurance that the ICO approach was reasonable. I can also assure those who suspect otherwise that when fining under-resourced schools, hospitals and police forces, it isn’t done with any relish. Likewise, a CMP of £200,000 for a charity doesn’t feel great, but the idea is surely to protect the data of individuals more than to make moral judgements about the raison d’être of the Data Controller. I therefore cannot agree that charities should be subject to lower penalties, as I feel it carries an implication that they should be allowed to have lower standards because they are pursuing altruistic goals – and in this case even that statement assumes you support the work of the BPAS.

I worked at the ICO and now I work in the private sector, and I have straddled the sectoral divide with complete indifference. I didn’t regard myself as a beleaguered public sector worker any more than I now think I’m on the other side of the coin, lying awake at night wondering how to exploit consumers. I’m paid to do a similar job, and it just so happens that my employer is in the business of making money by providing a service, rather than taking it to provide a service. If the ICO criticised the financial sector for poor compliance I certainly wouldn’t take offence; personally I’d probably enjoy the fact that competitors were not hitting high standards. I acknowledge those within Local Government may regard themselves a little differently, and more collectively, than that, but the spikiness of a sector to criticism of that sector seems disproportionate, and I do wonder whether it’s linked to the increasingly polarised political sphere.

Nevertheless, it was with considerable astonishment that I read these reported comments from public sector governance officers. Seemingly, on the back of some mildly unflattering press releases from the ICO about public sector audit results, they would no longer volunteer for a free audit. Simultaneously making arguments about budgetary constraints whilst turning down a free audit, on the basis that the results might be used to make generalisations about one’s sector, seems perverse. The loyalty should surely be to your employer (and customers), not to safeguarding the reputation of your wider sector?

David Smith recently answered a question at the ICO conference by giving his opinion that the private sector is better than the public sector at DPA. His thought process (11m 55s) was that as customer data is a key asset of business, business will take the security of that data more seriously.

I doubt there will be any specific information held in the form requested to prove this point, but I think it’s a reasonable and well placed opinion based on the anecdotal experience of being a Deputy Commissioner for Data Protection who signs off the Civil Monetary Penalties and who has access to the full details of the self-reported breaches. There are only 4 honest answers you can give to who you think is better – private, public, the same or don’t know. Whether you agree or disagree, was his answer a reasonable one – especially when again considering the under-resourced and under-supported nature of the public sector?

The caveat I would add, which I think the Deputy Commissioner would have been wise to have included, is that his comments were in the context of keeping data secure. I think it would be fascinating to know which sector he believes processes data more fairly, because personally I think this is an area where the private sector will be more inclined to push the boundaries, spurred by the same commercial interests that motivate them to keep the data secure.

Whilst critics should acknowledge that those processing the most sensitive data in the most complex way are naturally more likely to end up involved in breaches of a kind likely to cause damage, equally the ICO should recognise that their compliance might not be comparatively worse. Indeed, I note from a recent ICO statement on their new approach to handling casework that

With any report we publish summarising the number of concerns raised with us we will always include a statement to explain that organisations processing high volumes of personal information are likely to generate a proportionate number of concerns to the regulator.

Personally, I don’t actually think the ICO needs to go overboard in contextualising every set of figures it releases to pander to the sensitivities of certain sectors, but if they believe in the above statement, then surely they should apply a similar rhetoric to all areas of their work?

I’ve not given huge thought to which sector is better, as despite my 2500 words here, I don’t actually think it’s especially important. However, if we are looking at private sector compliance bias then it’s surely pertinent to raise, or at least be aware of, the fact that losses of customer data in financial services will often be looked at by the FCA. For example, Zurich were fined a comparatively eye-watering £2.3 million for losing an unencrypted disc. The date of that fine preceded the ICO’s CMP powers, but had it not, it still would have been left to the FCA to handle, because of their greater powers. But that raises an interesting point – the FCA has stronger powers for mandatory reporting and stronger fining powers. Yet since 2010 there hasn’t been a single fine from the FCA for a data loss.

These are interesting political times: the polarisation of debate is quite clear and the divide between the private and public sector is increasingly apparent. Whoever, or whatever, is to blame for that general shift, I don’t think we should artificially extend the battleground to the ICO’s approach. I think public sector compliance professionals should concentrate on getting their own house in order before they worry about ICO press releases which may (or may not) turn out to be misguided. I’m sure the vast majority are already doing so, in which case they would have little to fear from the ICO.


Howe’s that? It’s just not cricket, Mr Graham and Mr Smith.

The anatomy of a request

One of the daily challenges of an FOI Officer is gaining the necessary contributions from colleagues that are required to fulfill the primary requirement of FOI – to establish the information held within the scope of the request. A request handler is often heavily reliant on the co-operation of colleagues to locate and understand the information requested.

With that in mind, I refer to the two Decision Notices issued against the ICO in relation to their handling of requests for legal advice regarding the decision not to prosecute journalists in connection with Operation Motorman.

The history of the various requests for Motorman legal advice is quite complex and I don’t intend to try and break them down in great detail, but I would like to highlight some troubling aspects of the Information Commissioner and his Deputy’s conduct, so a short narrative is necessary.

On September 16th 2011, addressing the non-prosecution of journalists as part of Operation Motorman, Mr Graham submitted the following evidence to the Leveson Inquiry:

“External legal advice at the time suggested that for this reason it would not be in the public interest to pursue possible prosecutions. This was also because of the difficulty in proving that the journalists involved knew that the information they were seeking could only be obtained by unlawful means”.

On September 15th 2011, the Deputy Commissioner, David Smith, made a robust public defence of the ICO’s decision not to prosecute journalists, and specifically tackled an accusation from an ex-employee that the failure to prosecute journalists was as a result of a fear of the press, with the following rationale given in a guest article in The Independent:

“Any suggestion that the decision not to pursue prosecutions against journalists was driven by a fear of the press is entirely false. We exposed the involvement of the press in the first place. Our decision was based on expert legal advice that pursuing prosecutions would not be in the public interest, because of the difficulty in proving beyond all reasonable doubt that the journalists who received information from Mr Whittamore knew it could only be obtained illegally”.

At this time, the ICO received a request from regular requester, frequent blogger and all round thorn(pain) in the (back)side Tim Turner. Mr Turner, presumably on seeing the ICO’s article in the Independent, requested the legal advice in question.

So, the scene at this point is that ICO maintain they were ‘as disappointed as anyone’ with the outcome of Motorman and refer to expert legal advice as the key reason why journalists weren’t prosecuted. As a primary function of FOI is to hold officials (and their accounts) open to scrutiny, one can understand why an interested and inquisitive mind would want to see the legal advice, especially as its contents were seemingly being relied upon as justification for a high profile decision.

Upon receipt of the request, the request handler, as one might expect, contacted David Smith to seek the location of the legal advice. He replied that

“I haven’t got a copy of any written legal advice. I understand that the advice came from our barrister Bernard Thorogood but I am not sure whether it was in writing or just oral. Stephen McCartney and /or Simon Ebbitt might be able to help because they have access to all the Motorman documentation”.

Firstly, it’s not easy to reconcile the above statement with Mr Smith’s later contention in the Internal Review that his reference to legal advice

“was on the basis of his understanding of the totality of internal and external advice and the contents of the What Price Privacy report. He has clarified that he was not referring to any one piece of advice or recorded information”.

If the latter statement is true, why didn’t he tell the request handler that, so that a response could be framed explaining this position? Why reference a specific piece of advice, even noting the name of the author? Granted, perhaps Mr Smith genuinely wasn’t sure if there was a record of external legal advice of the type reported and thus wished for the request handler to try and locate it, as part of the requirement of Section 1. If that’s the case then his response might just about be reasonable from an FOI handling perspective, although it does bring into question the integrity behind his article for the Independent, in which he was very unambiguous about the position, quoting expert legal advice and its specific contents.

He certainly didn’t tell the Independent that he was writing about his understanding of the position. Aside from anything else, it is troubling that such a high profile statement about a high profile topic would be handled with such imprecision.

Back to the request…

Having received Mr Smith’s steer, the Internal Compliance Manager and request handler checked with those named, who also had no recollection of seeing such legal advice. They subsequently carried out a comprehensive search of all the Motorman records and they couldn’t find anything either. They therefore wrote to the great and the good to inform them that they had not located any information and that it was important for all to be aware of this, given ‘it was likely to attract some attention’. This is standard stuff for a request handler – cast the net for the information and keep an awareness of the potential fallout from the (non) disclosures.

At this stage, bearing in mind the ICO had publicly referenced expert/external legal advice and that Mr Graham had specifically quoted it in his submission to a high profile Inquiry, one may have thought this would have caused something of a reaction, but Mr Graham still offered no comment.

For the avoidance of any doubt, we should note that both Mr Smith and Mr Graham (and the wider distribution list) were asked for a copy of the legal advice. They weren’t asked for the legal advice referred to by Mr Smith, Mr Thomas or indeed Mr Graham. Any legal advice held should surely have been volunteered.

To put that in context, the ICO were happy to run a dual approach of telling the public and Leveson that external legal advice told them not to proceed, whilst simply telling an FOI requester who asked for the legal advice that no information was held, without any additional explanation.

A subsequent request saw the ICO acknowledge “there was no evidence the document ever existed”, but no amendments were made to the Inquiry evidence, or the public position. Oddly, they didn’t want to confirm this, as they didn’t want to pre-empt Richard Thomas’ evidence to the Inquiry. Surely by referencing the legal advice in the first instance they had already committed to their position?

If the ICO had previously genuinely believed they had external legal advice, it was now being flagged that they did not. The Internal Review into Mr Turner’s request from the (other) Deputy Commissioner even noted that “None of those who were involved in Operation Motorman and its immediate consequences are still at the ICO, so we are largely working on the documents retained”, yet conversely he still defended the “accuracy of David Smith’s statement”. How can one say you are relying on documents, find no documents, yet still believe it’s correct to quote and rely upon legal advice when you also accept that it never existed?

A further request went in for the legal advice Mr Graham was referring to and 2 specific pieces of legal advice were produced, despite these being 2 pieces of advice that had explicitly been ruled outside of the scope of the initial request on the back of David Smith’s statement. As an aside, the provided advice certainly didn’t compare to the description Mr Graham had given to Leveson. The Decision Notice in that case noted the ICO had since changed their position and that Mr Graham’s evidence was referring to the full body of legal advice.

Whether Mr Graham was referring to two particular documents or the wider body of legal advice, surely he should have explained this to his staff when he was first asked about the existence of legal advice? It was even flagged to him that the likely response, which did not appear at all helpful, ‘would likely get a reaction’, but he was quite happy for his own staff to send a reply that was at best disingenuous and at worst downright wrong.

If Mr Graham and Mr Smith had explained that the basis for their clear statements was in fact their understandings and/or the complete body of evidence, then it would have saved all concerned an awful lot of time. Some may feel it perhaps would have exposed their public line as not credible. Personally I feel they thought they had some legal advice on the basis that that’s what Mr Thomas told them, and as such just blindly followed his statements. Hardly a robust way to deal with an accusation from a previous employee, but these are incredibly busy people and we all make mistakes. Refusing to correct or acknowledge these oversights is perhaps less understandable. The simple fact remains that the ICO has no such legal advice and those high profile statements to the contrary were baseless – the requests should have led to a rethink. FOI can sometimes lead to embarrassing disclosures, but so long as lessons are learnt, isn’t that the whole point?

Anyway, returning to the central thrust of my blog, if the Information Commissioner and his Deputy cannot find the time to show sufficient respect to his FOI request handlers, then what kind of example does that set for public authority employees of all grades?

The situation reminds me of the withering quote Geoffrey Howe served up about Margaret Thatcher in his resignation speech to the House:

“It is rather like sending your opening batsmen to the crease only for them to find, the moment the first balls are bowled, that their bats have been broken before the game by the team captain”.

The requests here were doomed – how can a request handler properly comply with the spirit and wording of the legislation if the skipper doesn’t provide them with the context that they require, and indeed lets them spend hours searching for information that never existed?

I like and respect both David Smith and Chris Graham, but that doesn’t make them immune from criticism – or, again borrowing from the Howe themed vernacular, a savaging from a dead sheep.


CMPs – what happens next?

The First Tier Tribunal recently overturned the ICO monetary penalty to Scottish Borders and I believe their reasons for doing so have left a number of problematic issues. In very brief terms, the initial CMP was issued after former employees’ pension records were found in an over-filled paper recycling bank in a supermarket car park, having been dumped there by a data processor. No contract was in place with the data processor and it sounded like the disposal of the files wasn’t really considered by the Council.

In summary, the FTT judgement confirmed that the information that was lost included “name, date of birth, national insurance number and salary. In some cases the files contained bank account details, a signature…”. The Tribunal accepted that there was a breach of the 7th principle and that it was a serious breach. They effectively overturned the ICO’s decision on the basis that it wasn’t a breach “of a kind likely to cause substantial damage or substantial distress”. There was some typical legal analysis around the definition of “likely”, which can perhaps be boiled down to their conclusion that “it is insufficient to point to such consequences merely being a possibility”.

The tribunal also concluded that what had happened was a surprising outcome, not a likely one and indeed they further offered that they thought the safe destruction of the files was the likely outcome (“we would not describe any other outcome as likely”). Given the files weren’t actually safely destroyed that’s quite a bold assertion – we can all have our theories but sometimes the facts can speak for themselves.

The tribunal sought to make a clear distinction between the contravention/breach and the trigger incident. This is entirely understandable; indeed I and others have previously highlighted that the ICO has sometimes appeared to be fining for the incident itself rather than the breach. The breach here was not ensuring they had selected a data processor offering sufficient safeguards and not evidencing that agreement in writing. The trigger incident was the files ending up in Tesco’s car park. It is incidents that the ICO asks to be informed of, not breaches – an incident might not always be a breach of the DPA and of course a breach doesn’t need an accompanying incident. As an aside, it would therefore be fascinating to know how the ICO would react if a Data Controller was to notify them that they hadn’t trained staff in Data Protection, or that they didn’t have a policy for using fax machines – both breaches that have previously been the subject of CMPs when the breach resulted in a trigger incident.

The problem I have here is the Tribunal appear to be saying that they can only consider the breach itself, yet they still require the ICO to “construct a likely chain of events which would lead to substantial damage or distress”. I think that is a very difficult burden when the circumstances flowing from the breach are essentially not allowed to be considered.

If an unencrypted disc containing personal data of millions of people goes missing in the post, one would presume that is a breach, a serious breach and (depending on the data) one of a kind likely to cause substantial damage/distress. If the disc then turns up a day after the incident is reported to the ICO, that doesn’t make the breach disappear, but it does make the chance of damage/distress all but disappear. To me it is a serious breach that fulfils the criteria irrespective of what harm actually comes from the incident, but I wonder how the Tribunal would assess the likelihood of damage in these circumstances?

It strikes me that the Tribunal overlooked the phrasing “a breach of a kind likely to cause…”, a phrase that I think is significant as it changes the meaning of the sentence. I interpret the full phrase to essentially be saying “is this the type of breach that has the potential to cause damage/distress”. When you give processors personal data without any safeguards then you have opened the data subjects up to potential damage, so for me it is a breach of a kind likely to cause damage/distress, irrespective of what happens next.

Whether it does or doesn’t cause actual harm is probably always going to be down to the specifics of the incident that flows from the breach. If an unencrypted laptop containing witness details is stolen in a burglary, I would say that fulfils all the criteria. But if the same laptop was discovered by Police searching their colleague’s house, there would be no likelihood of damage/distress to the witnesses. But the breach remains the same and that’s a breach of a kind likely to cause damage. Similarly the chap who had his unencrypted hard drive stolen from his car – the breach occurred when he failed to encrypt his laptop, not when he had it pinched. Obviously now he has had it stolen the likelihood of misuse is much greater, but again we must recall the assessment is of the breach itself. With breaches like these any number of outcomes could occur, some likely, some probably exceptionally unlikely, but you have no control and are entrusting the data to fate.

Trigger incidents will often flow from a breach – the unencrypted laptop containing witness details might be wiped before it’s sold on in the pub or it might end up being sold to the local gangster to intimidate the witnesses. I would regard the latter example as extremely unlikely, but I don’t think that’s a sufficient assurance to the people whose data and security have been compromised.

I’m not sure if it’s a drafting error in the legislation, but the idea that a breach must carry a likelihood of significant damage or distress, as opposed to “merely a possibility”, is a difficult standard to achieve. Further, the CMP is about punishing the lack of compliance, not the incident, and therefore I don’t see why the ICO should be expected to speculate about the likelihood of potentially harmful scenarios.

What I also found a little odd is that the judgement didn’t even consider the issue of significant distress, focussing solely on the question as to whether damage would occur. The issue seemed to come down solely to an assessment of whether identity fraud would be likely to take place – and as someone who works for a Pension company it’s surprising and comforting that the tribunal doesn’t seem to hold that names, addresses, NI numbers, bank account details, signatures and salary/pension details are especially problematic fields of data.

The ICO’s amended power to issue a CMP can possibly be traced back to the furore around the infamous HMRC data loss, but based on their reasoning here, I can’t see that the Tribunal would have regarded that as fulfilling the criteria for a CMP either – as effectively they would have been left with the same equation regarding the likelihood of identity fraud.

I’d also imagine Sony and Welcome Finance, amongst others, are kicking themselves for not appealing earlier CMPs involving this type of data given the judgement here. Strangely the ICO appear unmoved by the Tribunal’s logic, as their most recent CMP again quotes the potential for identity theft.

Looking back through the ICO’s CMPs I can’t think of many where there was a real likelihood of substantial damage. The biggest fine, to BSUH, is an example where it would be very difficult to construct a likely chain of events leading to damage to the data subject. I doubt the data subjects were ever told their data ended up on eBay, so nor would there technically even be distress. That outcome didn’t become likely when they undertook to destroy hundreds of hard drives without a contract – but it did become a possibility, which I think is enough to justify a CMP – even if the Tribunal doesn’t.
