Mind my data

Response to a Twitter post by the ICO

I saw this post by the ICO and a re-Tweet isn't enough to say what I need to say.


Here, a Senior Policy Officer at the ICO is stressing how important it is to update their guidance as a result of court decisions, but surely it's just as important to update their guidance to reflect any other changes, especially changes to the law implemented by the ICO's case officers.

The ICO's case officers are the ICO's front line staff in dealing with data protection complaints from the public. Based on the job description for a Case Officer and a Lead Case Officer, it's reasonable to conclude that they are nothing more than office administrators as they do not require any formal legal training. Indeed, the job description seems to favour candidates with a marketing background rather than a legal background.

When I submit a DPA complaint to the ICO, a case officer will carry out an Assessment to determine whether the organisation that I'm complaining about - the data controller - has complied with the DPA. The Assessment process is a requirement of Section 42 of the DPA and in response to an Assessment, I'm entitled to the view of the Information Commissioner. My understanding is that case officers act as a proxy for the Information Commissioner, so I expect them to carry out an Assessment that is supported by formal published policy. If the view in an Assessment is not supported by published policy, then there's no evidence that it reflects the view of the Commissioner.

What actually happens in an Assessment, is that the ICO's office administrators (case officers) who have no formal legal training, take it upon themselves to subjectively interpret the DPA to determine whether the data controller has complied. More often than not, the case officer will manipulate the process to support the data controller because they don't really have a clue what they're talking about and if they find against the data controller their view might be challenged by the organisation's legal advisors. Your typical member of the public though tends to be clueless about data protection law so it's easy for a case officer to subjectively interpret the DPA and give a totally unsupported view in an assessment because they're unlikely to be challenged.

I have case after case after case of unsupported nonsense from the ICO's case officers and I shall be publishing them all in due course. So the question is... who at the ICO is creating policy? My view, and it's a view that I suspect will be held by many of us, is that suitably trained staff at the ICO should create and publish top-down policy that gives the Information Commissioner's view on various aspects of the DPA. This policy guidance should be published and used by case officers when carrying out their Assessments. But this doesn't happen. Fair enough, we know that the ICO does have policy makers, but it's very rare that a case officer will seek policy advice. Oh no, case officers just give their own opinion in an Assessment, often when published guidance that reflects the view of the Information Commissioner already exists.

For example, in a recent case, Zoheb Anarwala - a case officer at the ICO - told me that I couldn't ask a data controller to tell me how they obtained my information (the source) in a Subject Access Request because this wasn't stipulated by the DPA. So as an office administrator, Ms Anarwala is literally reading the DPA and subjectively interpreting it to conclude that I cannot ask a data controller to provide me with the source of how they obtained my information. Does this reflect the view of the Information Commissioner? Well, the ICO's Subject Access Request code of practice, which the policy maker is referring to in her tweet, has held the view for years that I can ask a data controller to tell me how they obtained my information. So I had to submit a case review and a lead case officer concluded that Ms Anarwala had got it wrong. Unfortunately, most of the case reviews get it wrong too!

The ICO's Assessment process is a joke! In response to a complaint about an organisation, a case officer will give us their own subjective view which may or may not reflect the view of the Commissioner. If you don't really understand the DPA then you're likely to accept the nonsense view. But if you do understand the DPA, as I do, then you'll have to challenge the view. The process, therefore, places the obligation to challenge a nonsense view on the individual, and even when I challenge it, the case review will often support the Assessment - again, without any reference to policy guidance. It's such a flawed process it's an utter disgrace! Case officers are likely getting away with talking utter bollocks in their Assessments on a grand scale and have likely been doing so for many years. This nonsense is actively supported by senior managers at the ICO.

In what universe would anyone deem it acceptable for an unqualified office administrator to create corporate policy on the fly? And the case officers are not even creating policy because the views given in Assessments are never converted into published policy. Instead the case officers give their own nonsense views and this view will eventually get buried. Indeed, none of the views given in any of my assessments have been published as guidance as far as I know.

What should happen is that the ICO's case officers should support their views with published policy guidance to ensure that the view given reflects the formal view of the Information Commissioner. If policy does not exist, then there should be a system in place where the case officer seeks policy advice, that advice should then be published as policy guidance and the case officer should support their view with the published policy guidance. In other words, if a case officer is giving their own personal interpretation of the DPA in an Assessment, then that view should become the ICO's policy and it should be published. Otherwise, you've got a system where policy makers are creating top-down published policy while case officers are creating their own bottom-up unpublished policy. WTF!

To be fair, earlier in the year a case officer did seek policy advice. The case officer was told by the ICO's policy advisors that if an organisation processes personal information found in the public domain, their processing would be unfair but not unlawful. I don't necessarily agree with this view and, as it was never published, I'm beginning to think that it's a load of bollocks. Hopefully, you'll see how important it is for the ICO to publish policy guidance as they deal with Assessments if the guidance doesn't already exist. That policy advice has now been buried due to the ICO's flawed process.

It gets worse. Here's what Paul Arnold - the ICO's Head of Customer and Business Services - told my MP in 2015:

When considering DPA complaints, case officers are not only 'allowed' to give their own views about what the law says, we expect it of them. It is a fundamental part of their role. They are furthermore no less "qualified" than their policy colleagues to do so.

You can read Paul Arnold's response to my MP here. The guy is deluded. Actually, I don't think he's deluded; I think he's trying to cover up a massive failure by senior staff at the ICO. He's come out fighting in his response to my MP, but it all comes down to the fact that a member of staff at the ICO gives their own subjective view in an Assessment and shortly afterwards, that view gets buried. How does this satisfy Section 42 of the DPA? Where's the evidence that I've been given the view of the Commissioner in an Assessment?

Mr Arnold goes on to explain how it's impossible for the ICO to create formal policy for all aspects of the DPA. No it's not; they just need to have a process in place, and that process should have been in place last century. Case officers should be supporting their views with published guidance and, if they cannot, then they should seek policy advice and that policy guidance should then be published.

Had they started doing this back in the day, they'd have published policy guidance for many aspects of the DPA by now. But because the ICO's senior staff have failed to do this, they're having to rely on their office administrators to bail them out. It simply doesn't work! It's like asking the receptionist in a doctor's surgery to carry out a diagnosis on patients. They may have some idea, but they're just as likely to be wrong as they are right. So why does Paul Arnold think that his case officers are qualified to interpret the DPA when they are no more qualified to interpret the DPA than you or I, or some guy down the pub? We can all have a go at interpreting the DPA, but what we need to know in an Assessment carried out under Section 42 of the DPA is the view of the Commissioner. There's often no evidence that the view of the case officer reflects the view of the Commissioner.

Paul Arnold's view, that he expects case officers to give their own interpretation of the DPA, is a serious failure of process for so many reasons. Firstly, in an Assessment carried out under Section 42 of the DPA, I believe that I'm legally entitled to be given the view of the Information Commissioner in that Assessment. Bearing in mind that the ICO's case officers are no more qualified to interpret the DPA than you or I, their views MUST be supported by published guidance or they should be converted into published guidance. My view seems to be shared by the Secretary of State for Culture, Media and Sport. My MP asked the following question in Parliament (38213) on my behalf:

To ask the Secretary of State for Culture, Media and Sport, what mechanisms the Information Commissioner's Office has in place to ensure decisions of staff of that Office are compliant with Section 42 of the Data Protection Act 1998.

The Minister's response was:

The Information Commissioner’s Office (ICO) produces guidance for organisations on their obligations under the Data Protection Act 1998 (DPA). This guidance is used by the Information Commissioner’s staff when assessing concerns and complaints from the public under S42 of the DPA. In addition, staff receive formal training to ensure that consistent outcomes are achieved in decision making.

According to the Minister who is responsible for the ICO, the ICO produces guidance for organisations. Well, this guidance must be published for those organisations to see it - right? And it's this "published" guidance that is used by case officers - the Information Commissioner's staff - when carrying out Assessments under Section 42 of the DPA.

There you have it; there's a massive contradiction between what Paul Arnold told my MP and the view of the Minister. While Paul Arnold expects case officers to subjectively interpret the DPA and their unfounded view eventually becomes buried, the Minister expects case officers to support their views with published guidance - as I do and as any reasonable person would do.

Paul Arnold is talking utter nonsense! Where's his evidence that a case officer is giving the view of the Information Commissioner in an Assessment? He's already admitted that the view given in at least four of my case reviews is flawed. And let's be clear, case officers will give their own interpretation no matter how complicated the question. Even a barrister might have to spend some time researching some of the questions that I've raised in an Assessment but not the ICO's case officers - they have all the answers because they're encouraged by senior ICO staff to talk utter bollocks in Assessments. Who do they think they're kidding?

Here are a few examples of the nonsense that I have to put up with.

Recently I made the ICO's Mary Jarvis - a Lead Case Officer - aware that a particular organisation is likely to be operating a flawed process. The organisation operates a database where individuals can register and upload CV information to the database. It's likely that some of those individuals will upload sensitive personal information to the database. The data controller's partners, who are also data controllers in their own right, pay to access the CV database and view the CV information. My question to Ms Jarvis was: if data controllers are required to obtain explicit consent to process an individual's sensitive personal information, how do those third parties obtain explicit consent?

This is a very serious matter. Ms Jarvis confirmed that there is no such thing as indirect explicit consent and then she quoted the GDPR to me. But this is a DPA matter; why did she quote the GDPR? Bearing in mind that it's highly unlikely that the third parties will obtain the explicit consent required to view sensitive personal information uploaded to the CV database, I contacted Ms Jarvis on 4 July to confirm whether or not she had passed the matter to the ICO's Intelligence Hub for investigation. She has yet to respond. My guess is that she quoted the GDPR because, although she's a Lead Case Officer at the ICO, she doesn't understand this issue, because there's no policy in place and there's no process to get policy published. This one issue is likely to have a massive impact on the employment agency business.

And while we're talking about comparison websites, I've got another one for you.

Consent for the processing of sensitive personal information has to be obtained directly from the individual. There are some exemptions though, and these were stipulated in The Data Protection (Processing of Sensitive Personal Data) Order 2000. Section 5 grants an exemption to organisations that operate as an "insurance business", as defined in section 95 of the Insurance Companies Act 1982. But the Insurance Companies Act 1982 has been repealed and replaced by the Financial Services and Markets Act 2000 (FSMA). Has the ICO updated their policy guidance to reflect this change? No! My concern is that the comparison websites do not operate as an "insurance business" but instead arrange insurance. If so, then this could be a massive abuse because the comparison websites will not qualify for the exemption from obtaining explicit consent. I've made the ICO aware of this previously, but they have no policy so they're not interested.

Here's another example!

Recently a third party company sent me direct marketing. I submitted a complaint to the ICO because my view was that the company should have provided me with a fair processing notice (first data principle) well before they targeted me with direct marketing. Now, I do accept that the Information Commissioner applies a reasonableness test to organisations that obtain personal information indirectly and act as a data controller for that information. However, my view is that we all have a fundamental right under Section 11 of the DPA to ask a data controller to cease, or not to begin, processing our information for the purpose of direct marketing and, as such, a data controller should not target us with direct marketing without first providing us with a fair processing notice. The simple fact is, we as individuals cannot exercise our key right to ask a data controller not to begin processing our personal information until they provide us with a fair processing notice.

Section 11 DPA partially implements Article 14b of EU Directive 95/46/EC, the European Directive on which the DPA is based: to object, on request and free of charge, to the processing of personal data relating to him which the controller anticipates being processed for the purposes of direct marketing.

When an organisation obtains our personal information from a source other than directly from ourselves, and that data controller wants to use our personal information to target us with direct marketing, they will need to provide a fair processing notice first and give us the time to object. This is the only way that the organisation can comply with our rights under Section 11 of the DPA. Does published policy exist? No! Does the ICO's direct marketing guidance explain when organisations are expected to provide a fair processing notice? No!

As per usual, the Assessment was a waste of time so it went to a case review where the ICO's Joff Gray concluded that the data controller can provide me with a fair processing notice at the same time as they send me the marketing. I totally disagree! If I receive marketing from an unknown third party out of the blue then clearly, I've not been given the opportunity to exercise my key right under Section 11. Did Mr Gray support the case review with published policy? No! Did he seek policy advice? No! Is there any evidence at all to suggest that the view given in this case review is nothing more than the subjective view of an office administrator? No!

The ICO had no policy in place prior to the Assessment, the ICO has carried out an Assessment and a case review, and the ICO still has no policy in place. Indeed, there's no mention at all in the ICO's direct marketing guidance that organisations need to provide a fair processing notice when they obtain our information indirectly. I suspect that this was deliberately omitted. It must have been omitted deliberately because providing a fair processing notice is essential. Yet you won't see a reference to Section 11 or the need to provide a fair processing notice in the ICO's direct marketing guidance. WTF! This single issue, which the ICO has opted to bury, will likely have a massive impact on the mailing list industry, so why hasn't the ICO created policy? Another total failure of process by the UK's data watchdog.

And while we're talking about the ICO's direct marketing guidance, I have another example.

In Para 88 of the ICO's direct marketing guidance, the ICO states that for electronic marketing, the data controller will need to identify any third party organisations that they wish to disclose personal information to. In other words, if Company A wants to sell my information to Company B and Company C for direct marketing, then they will have to identify Company B and Company C when they seek consent to pass my personal information to these third parties. However, Para 89 of the guidance goes on to suggest that if the third parties are all of a similar category, then they may not need to name them all. So if they're all employment agencies, for example, then Company A does not have to list them.

However, in Optical Express v Information Commissioner (EA/2015/0014) the Tribunal concluded:

If the point at which the recipient ticks a box to opt-in (in other words, consents) does not give details of the actual sender's name and contact details, how can he or she be said to be fairly informed? An opt-in issued by a company intending to sell-on the personal data it collects in this way is, in effect, only valid so far as marketing which itself sends and no other party.

Consent must be freely given, specific and informed. What the Tribunal is saying is that organisations that seek consent to disclose personal information to third parties for direct marketing must identify those third parties for that consent to be valid. If they don't name the data controller, then not only has Company A failed to comply with Article 14b, but the third party will lack the consent to satisfy a condition for processing. In both cases, we can now claim compensation in the small claims court under Section 13 of the DPA. The direct marketing that you receive from the third party will likely constitute actual damages.

This has a massive impact on the mailing list industry, yet has the ICO updated their direct marketing policy guidance to reflect this? No! Is the ICO still claiming in their direct marketing guidance that there is a well established trade in traditional mailing lists? Yes! This is another massive failure by the ICO. What is the ICO's policy on third party marketing?

My interpretation of the law is that, as individuals, we should always be made well aware of any data controller that obtains our information with the intention of processing it for the purpose of Advertising, Marketing and Public Relations. This goes for marketing sent to a corporate e-mail address containing

The law supports this view but the ICO has not created clear and consistent policy and the ICO's case officers have no intention of complying with any policy or guidance anyway.

I can't mention direct marketing without giving a mention to online direct marketing.

Back in the day, I suggested to the ICO that any advertising banners displayed on a website while someone is logged in to that website will constitute direct marketing. The ICO dismissed this idea, and this was way back in 2009, so nothing has changed there then; the ICO's office administrators didn't bother to seek policy advice back then and it very rarely happens today. As I build websites, I decided to spend a Sunday afternoon drafting a report to explain why it is impossible for someone to be "logged in" to a website and the data controller not to know who that individual is. Whether they log in directly or via a session cookie, the individual will have to be validated each time they access a page while logged in.

The ICO accepted that it was a valid point and then opted to bury it. And this is why you'll find no mention of this in the ICO's direct marketing guidance and, last time I checked, their online guidance doesn't mention it either. Let's be clear... this is a KEY right for individuals - to opt out of all direct marketing from a data controller by whatever means - yet the UK data watchdog has no policy or guidance in place, and opted to bury the issue when I raised it. There's no process to seek policy advice on the matter because there's no bottom-up process; there's no process whereby an individual can raise a new issue, get policy advice and get the guidance updated based on that policy advice.

This supports my theory that people like Paul Arnold want the case officers to give us their nonsense views to avoid having to create policy and guidance that will result in too many complaints. This is why there's no mention in the ICO's direct marketing guidance about marketing while logged in to a website, or about the need for data controllers that obtain our information indirectly for the purpose of direct marketing to provide us with a fair processing notice. Are you telling me that the ICO's policy makers aren't aware of these issues?

Oh, and UK data controllers that have third party advertising on their websites will likely need to obtain consent to display those third party adverts in a logged-in web page, as this is fundamental to fair data processing. Again, if I am logged in to a web page, those adverts are being directed at me, so the data controller is obligated to obtain my consent. Article 14b of EU Directive 95/46/EC states:

...or to be informed before personal data are disclosed for the first time to third parties or used on their behalf for the purposes of direct marketing, and to be expressly offered the right to object free of charge to such disclosures or uses.

Try finding a reference to this in the ICO's direct marketing guidance. Further evidence that the UK's data watchdog deliberately manipulates the process to serve their own purpose. Are you telling me that the policy makers at the ICO are not aware of this? Clearly the ICO is manipulating their top-down policies.

Here's another cracker!

The ICO expects data controllers to answer questions about how they will process personal information fairly. Organisations need to provide this information to comply with Schedule 1, Part 2, 2(3) of the DPA. Indeed, the ICO has published guidance for data controllers: "How we deal with complaints and concerns: a guide for data controllers". You can Google it. As per usual, when you actually ask a case officer about anything you get their own subjective view on the matter. As a result, one case officer told me that I could ask fair processing questions as a genuine enquiry and another told me that I had to submit a Subject Access Request to ask these questions. I argued that the latter view was bollocks because I shouldn't have to pay £10 to get answers to questions that a data controller is obligated to answer in order to comply with the first data principle. Up pops Paul Arnold again, to clarify the situation. He said:

Consider making a subject access request if finding out what personal information is held about you is an important part of your concerns (for example, if you are concerned about the accuracy of your personal information). Ask questions of any organisation if you want to know more about how they are processing your personal information or personal information more generally, particularly if this is not clear from the information they routinely publish.

Basically, he's saying that I don't have to submit an SAR to get answers to these types of questions. Has this view been published into policy? No!

Anyway, I followed Mr Arnold's advice and asked Halfords to answer certain questions about their data processing. Halfords' customer service person started to answer my questions, but when it got a bit awkward for her, Halfords' solicitor stepped in and said that they'd answered my questions. They had not. I quoted Paul Arnold's view to the solicitor and gave them the reference number so she could seek clarification, but she took no notice, so I took Halfords to court. In their Defence, Halfords' solicitor argued that she did not have to answer my questions. In court, Halfords' barrister argued that Paul Arnold's view was open to interpretation. Perhaps if the ICO had bothered to create some policy around Paul Arnold's view, he wouldn't have argued this in court.

Following the court case, I submitted a complaint to the ICO. The Assessment focussed on another aspect of my complaint while completely ignoring the issue that I had raised, where Halfords had refused to accept Paul Arnold's view. In light of this, when I submitted the case review, I specifically asked the ICO to address this issue: what are you going to do about the fact that Halfords have made it clear that they do not accept Paul Arnold's view?

The ICO's Elaine Stewart carried out the case review and, again, she avoided dealing with the issue. In the case review she said:

As you have already taken your concerns to court, then it is our view that there are no further DPA matters for us to progress at the current time.

Is she having a laugh? No, she's not because this is what they do. Ms Stewart has made up some rule so that she doesn't have to write to Halfords and tell them to accept the view of the Information Commissioner. I mean, why on earth would the Regulator not be concerned about an organisation that so blatantly refuses to accept the view of the Information Commissioner?

I'm not saying that Halfords cannot argue their own interpretation of the DPA in court to defend my claim for compensation, but win or lose that case, if a data controller's Defence is incompatible with the view of the Regulator, then in a follow-up Assessment the Regulator MUST surely write to the data controller and tell them what they need to do to comply? Indeed, when my bank's barristers argued their own interpretation of direct marketing in court, following the court case the matter was passed to the ICO's Regulatory Action Division and the bank was threatened with prosecution if they didn't comply with or challenge the ICO's view. Of course they complied. So is Ms Stewart deliberately manipulating the process? As it stands, I'm still waiting for her to provide me with policy that supports the view that she gave in the case review that the Information Commissioner.

Talking about Subject Access, here's a good one.

The right of Subject Access is a key right of individuals under the DPA. Sparta Telecom had phoned my TPS-registered phone number to promote their products and services to me, so I submitted a Subject Access Request (SAR) to find out how they obtained my information; did they obtain my personal information or were they just randomly phoning phone numbers? Sparta informed me that the spreadsheet containing my personal information had been destroyed shortly after they'd processed it, so they were unable to provide this information in response to my SAR.

I submitted a complaint to the ICO to focus on how the fifth data principle - not to keep personal information longer than necessary - will impact on my right of subject access in this case. My view is that the ICO should have a clear policy in place that requires organisations to retain personal information for a minimum of, say, three months when used for the purpose of direct marketing. The ICO's George Burkinshaw carried out an Assessment and concluded:

It would be impractical for the DPA to be able to give specific retention periods for every type of organisation that must comply with the DPA. Therefore the fifth principle means in practice that once it is no longer necessary for a data controller to retain data collected for a particular purpose, they should take the appropriate steps to dispose of it.

This is not entirely true though. According to the Commissioner's legal guidance:

To comply with this Principle, data controllers will need to review their personal data regularly and to delete the information which is no longer required for their purposes.

According to the Commissioner, Sparta should review their personal information on a regular basis, not simply delete it as soon as they've processed it to avoid having to comply with an SAR. The Commissioner's view is also supported by the guidance on the ICO's own website:

This is the fifth data protection principle. In practice, it means that you will need to:
review the length of time you keep personal data;
consider the purpose or purposes you hold the information for in deciding whether (and for how long) to retain it;
securely delete information that is no longer needed for this purpose or these purposes; and
update, archive or securely delete information if it goes out of date.

There's nothing in law to support Mr Burkinshaw's view that organisations should delete personal information immediately after processing it. In the case review, I asked the ICO to clarify whether Mr Burkinshaw had manipulated the definition of the fifth data principle to support his own subjective view. Joff Gray was the Lead Case Officer who carried out the case review, and he said:

Mr Burkinshaw has quoted the definition directly from the legislation, with a slight truncation for ease of reading. His advice on the requirements of this principle was correct.

WTF! So what are we saying... that a case officer copied and pasted the definition of the fifth data principle and deliberately removed the need for organisations to review, to give his own view credence? Slight truncation my arse!

This is not the first time that a case officer has manipulated the process to support their own unfounded view. What should have happened in this case is that the ICO should have asked Sparta to clarify their data retention period for personal information used for making telemarketing calls, and they should have questioned why Sparta needed to delete the information immediately. They should then have sought policy advice to see whether it is fair for an organisation to obtain personal information, process it for direct marketing and then delete it, bearing in mind that this will negate an individual's key rights: the right of subject access (Section 7 DPA) and the right to ask a data controller not to begin processing their personal information for the purpose of direct marketing (Section 11 DPA). Did Sparta provide me with a fair processing notice before making the marketing call?

What's clear to me is that the ICO's Assessment process (Section 42) is one massive abuse. The ICO goes through the motions because they're obligated to do so, but case officers will often manipulate the process to support a data controller. When I write up all the cases you'll get a better idea of just how bad it is. I have well over 40 cases now.

I could go on and on, but I'll bring the matter to a conclusion.

The ICO only tells us what they want us to hear. So this lady has tweeted about how important it is to keep policy up to date, after she's updated the SAR policy guidance. What she's not telling us, though, is that the ICO has failed miserably to create and publish top-down policies over the years on many fundamental aspects of data processing. It's likely that senior staff at the ICO are well aware of this massive failure and they rely on the ICO's case officers to sell the lie. And they're getting away with it because most of us don't fully understand data protection law, so we're unlikely to challenge the ICO's view, and the PHSO doesn't get involved with legal technicalities.

I'm sure that there are people at the ICO who are really good at their jobs, but the Assessment process is one big scam because the ICO has failed to implement and update top-down policies over the years. They must all be in on the abuse.