Home > News
Mind my data Click to visit the homepage

Nigel Frank confuses the ICO's Criminal Investigation Team

It would appear that the ICO's Enforcement Team are just has happy to dish out unfounded nonsense as the ICO's case officers are. What does this say about the validity of their prosecutions?

Nigel Frank

In a previous article I explained how, in February 2014, the employment agency Nigel Frank International had scraped my profile from LinkedIn, created a likely e-mail address for me at work and sent me an e-mail that promoted one of their candidates to me. Scraping profiles from LinkedIn is a growth industry at the moment but it's actually unfair data processing. As part of my complaint to the ICO I asked them to consider prosecuting Nigel Frank for contravening Section 55 of the DPA. However, in a case review the ICO were of the view that it would be necessary to prove that Nigel Frank 'knowingly' and 'recklessly' processed my information and there was no evidence that they were aware that what they were doing was wrong.

Jump to October 2015 and Nigel Frank were at it again; they contacted me at work to promote one of their candidates to me. When I asked Nigel Frank why they had continued to contact me, their Group Operations Director told me that there had been a technical issue that 'in theory wasn't possible' and that he had IT looking into the anomaly. He never did explain the anomaly to me so I'm concerned that a member of staff at Nigel Frank scraped my profile from LinkedIn a second time after being told by the ICO that it's unfair data processing to scrape profiles from social media. I submitted another complaint to the ICO and argued that Nigel Frank had unfairly and unlawfully processed my information - Section 55 of the DPA.

Section 55 of the DPA states that a person must not knowingly or recklessly, without the consent of the data controller, obtain or disclose personal data or the information contained in personal data. Bearing in mind that the ICO had previously advised Nigel Frank that it was unfair data processing to scrape profiles, my view was that both the Knowingly or recklessly element and the without consent element of Section 55 were satisfied. LinkedIn's terms of use clearly states that members should not scrape profiles and Nigel Frank is a LinkedIn member.

The ICO's Assessment (Section 42 of the DPA)

The ICO carried out an assessment (RFA0612308) and the case officer concluded that no contravention of Section 55 had occurred. The case officer said:

I have contacted our criminal investigation team on this matter and they have confirmed that this matter would not constitute a breach under section 55 of the DPA. This is because the information obtained from LinkedIn is publicly available so no offence is committed as it hasn't been obtained without the consent of the Data Controller. For this reason we are unable to take any further action in this case.

I sought further clarification and the case officer reaffirmed:

Whilst I appreciate Nigel Frank has accessed some of your information by having their own membership with Linkedin and in breach of Linkedin terms and conditions the information is still ultimately publically available and as such further processing this information would be a likely breach under principle 1 of the DPA but would not constitute a section 55 offence. 

I think it's fair to say that the view given by the ICO in the assessment is clear; as my information is publicly available on the LinkedIn website it does not require the consent of the data controller because the information has already been disclosed.

As there is nothing in the DPA or in any published guidance to support the view given in the assessment, and as I've been advised previously by the ICO that all assessments are supported by guidance, I submitted a case review. My case review application specifically focussed on the fact that there is no evidence that publicly available information does not require the consent of the data controller.

The ICO's Case Review

The ICO carried out a case review (RCC0630441) and the case officer concluded that no contravention of Section 55 had occurred. The case officer said:

As confirmed by our Enforcement team, we do not consider that this demonstrates that the agency knowingly or recklessly obtained data. I refute your statement that ‘…the ICO’s default position is to actively support the data controller.’ We are an independent body which reaches decisions through documentary evidence. On this occasion, while there is enough evidence to show that the agency is unlikely to have complied with the Act, there is not enough evidence to prove that an offence has been committed.

Err, sorry, but that's not what the enforcement team said. Indeed, knowingly or recklessly obtaining the information was never an issue that I contested it in the assessment. The only issue that I contested in the assessment was the view that publicly available information does not require the consent of the data controller and the case officer who carried out the case review has completely ignored this issue. I wonder why that is? Is it because, as I've said all along, that the view given by the ICO's criminal investigators is a load of bollocks and the case officer is covering for them?

Furthermore, if the assessment had concluded that there wasn't enough evidence then the case officer has the right under section 43 of the DPA to require Nigel Frank to provide them with more information so that they can carry out a reasonable and fair assessment. Bearing in mind the seriousness of this case, why didn't she do that before concluding the assessment? Why, because not enough evidence was never an issue in the assessment. Instead it's something that has been created in the case review to cover up the fact that that the ICO's criminal investigators are incompetent.

An overview of the issues

Here's a summary of the issues that I have with the ICO's handling of this matter.

1. There is no evidence to support the view given by the ICO's criminal investigators - that publicly available information does not require the consent of the data controller. There's no exception given in the DPA, in the Information Commissioner's DPA: A Legal Guidance document, or on the ICO's website to support their view.

2. The ICO lacks the power to change an Act of Parliament. However, I accept that the Information Commissioner is entitled to give his/her own interpretation of the DPA (albeit not statutorily mandated) pending a formal review by the Judiciary. Whenever the Information Commissioner does this he always creates published guidance to explain why his view differs from the DPA. Where's that guidance?

For example, Section 44 of the ICO's Direct Marketing guidance outlines the Commissioner's extended definition of direct marketing. The view of the Commissioner is that direct marketing also includes the promotion of an organisation's aims and ideals but this information isn't found in the DPA. Section 44 demonstrates that whenever the Commissioner has a differing view from the DPA he publishes his view so that we're all aware. What's the alternative? That the Commissioner has a view that no one is aware of because he's not published the guidance? For crying out loud! So where's the published guidance that supports the view that publicly available information does not require the consent of the data controller? It's not given in the DPA so where's the guidance?

3. While I accept that information that appears on a website can be disclosed to the public, it's somewhat naive to conclude that this information can be obtained without the consent of the data controller. A quick definition of "public domain" on Google gives it as: the state of belonging or being available to the public as a whole, especially through not being subject to copyright or other legal restrictions. Clearly there are legal restrictions on website information because that information is stored on servers, someone owns those servers and someone is responsible for the information stored on those servers - in this case it's LinkedIn. Thus, the information cannot be deemed publicly available - it's not a free for all. The notion that the ICO's Enforcement team believe it is without having any published guidance in place is a disgrace! How are data controllers supposed to know what they can and cannot do?

Fair enough, extract the information from a website, put it on a CD and hand it around in the pub and that information is likely to be in the public domain, but not while it's hosted online. The ICO's register of data controllers is publicly available and can contain personal information so is the ICO saying that they're not responsible for that information just because its being disclosed to the public? Is the ICO no longer the data controller... do they no longer have to give consent? I asked the ICO to answer this question but they refused to do so. What if the information had been accidentally disclosed to the public? They never answered that question either.

4. I've been advised previously that all assessments carried out under section 42 of the DPA are supported with guidance but that the guidance is not always published. So where's that guidance, who created it and who authorised it? I've asked for a copy of it.

Conclusion

I'll now be submitting a complaint of maladministration to the Ombudsman and a Judicial Review if the PHSO doesn't uphold my complaint. I can demonstrate that the ICO is covering up this case and I'm not letting it go. This is just the kind of case that I've been waiting for because it involves to the ICO's enforcement team, it demonstrates that staff at the ICO just make it up as they go, and it shows that the ICO is making a mockery of the case review process.

To be fair though, the case officer who carried out the assessment did a fair job and made the effort to seek clarification from the ICO's enforcement team. However, she should have asked the enforcement team to put something in writing because I'm continually being advised that case officers always support their cases with guidance but this never seems to be the case.

Added: 30.08.2016