
Are the ICO's case officers deliberately supporting abuse of the DPA?

Evidence would suggest that the default position of the ICO in all but the simplest of cases, is to always support the company that a member of the public complains about. Such a process is likely to be unfair and a fundamental failure of this government agency. I suspect that we could be looking at thousands of flawed cases where the ICO has opted to bury the fact that a company has abused the data protection rights of an individual.

Let me start with an example. I've been told time and time again by the ICO's case officers that a "service message" is a marketing communication sent under the terms of a contract and that such a communication does not constitute direct marketing. If this were true, then any company that you have an ongoing relationship with would be able to phone your TPS registered phone number to promote their products and services to you. This is because, according to the ICO's case officers, such a phone call would not constitute direct marketing - it's just a service message. But try and find a definition of a service message on the ICO's website or in the Commissioner's guidance and you won't because it doesn't exist. It's just nonsense made up by case officers so that they can take the side of those companies that abuse our data protection rights. Yet, this same issue has gone through the ICO's case review process on more than one occasion so why hasn't anyone at the ICO picked up on this? Is it because the ICO does not want to challenge companies that abuse our rights to target us with unwanted direct marketing? Is the ICO covering up the fact that there's been such a massive turnover of staff that their current batch of case officers are simply not up to the job?

I can only reasonably conclude that it's a deliberate intention of the case officers because the definition of direct marketing is clearly given at section 11(3) of the DPA as ANY advertising or marketing material which is directed to particular individuals. The definition of direct marketing does not mention the intentions of the data controller (the company that processed the personal data) at all. Thus, if the main focus of a communication is to promote an organisation's products or services to a named individual then it is likely to constitute direct marketing. This has been confirmed in writing by a Lead Information Governance Officer; that the ICO considers the whole communication to determine whether it would amount to direct marketing. This being the case, the case officer should only be considering the nature of the communication, not the intentions of the data controller. Who gives a toss if the company says it's a service message if all we're interested in is the nature of the communication?

Fair enough, the Commissioner is well within his rights to modify the definition of direct marketing given in the DPA - albeit his view will not be statutorily mandated. But the section 11(3) definition of direct marketing can also be found (unaltered) in the Commissioner's direct marketing guidance; which is likely to form office policy. Surely if the Commissioner was going to change the definition of direct marketing to require his case officers to consider the intentions of the data controller then it's this revised definition that should appear in his direct marketing guidance? It doesn't though because the Commissioner accepts the definition at section 11(3) of the DPA. So while senior managers at the ICO are telling the public that they're clamping down on marketing e-mails, texts and phone calls, the Commissioner's case officers are simply talking nonsense so that they can always take the side of companies that abuse our rights as data subjects. It's either deliberate or the ICO's case officers are simply not fit for purpose.

Let me explain how you would go about submitting a complaint about a data controller to the ICO.

In brief, if an individual is not happy about the way in which a data controller (usually a company) has processed their information, then that individual has a right under section 42 of the DPA to ask the Information Commissioner to conduct an assessment to determine whether or not he thinks the data controller has complied with the DPA. This process is called a Request for Assessment (RFA); it's free of charge and anyone can do it. Obviously the Commissioner cannot personally conduct every assessment so he has assigned this role to his case officers. Thus, when you submit an RFA, a case officer at the ICO will be assigned and they will make an assessment on behalf of the Commissioner. If you're not happy with the view given by the case officer in the assessment you can request an internal case review and this will be conducted by a lead case officer who is the line manager of the case officer that conducted the assessment. If you're not happy with the case review you can ultimately submit a complaint to the Parliamentary and Health Service Ombudsman (PHSO). That's the process in a nutshell.

As an example, I tend to submit a Subject Access Request (SAR) to any company that targets me with unexpected direct marketing and often those companies fail to comply with my SAR within the 40 day period so I'll ask the ICO to conduct an assessment. The ICO will contact the company and tell them that they need to comply - dead easy. Another popular one at the moment is employment agencies farming my information from social media, making up a likely e-mail address for me and using it to contact me to promote their candidates to me. Over the years I had submitted a number of RFAs where I suspected that the view given in each assessment did not reflect the view of the Commissioner; the case officer had either subjectively argued the merits of the DPA - not the job of a case officer, or their view was completely unsupported - their own personal view. I had submitted a case review for each assessment but in each case review the lead case officer who conducted the review supported the assessment by subjectively arguing the merits of the DPA - again, not the job of a case officer. Here are two examples of the nonsense spouted by the case officers in the assessments/case reviews:

1. RCC0513623: The case officer argued in the assessment that a promotional e-mail sent under the terms of a contract is a service message and as such, does not constitute direct marketing. As explained above, no guidance or policy exists to support this view so it's just the unfounded and subjective view of the case officer that carried out the assessment and blindly supported by the lead case officer that carried out the case review. What should have happened is that the lead case officer should have checked to make sure that the views given in the assessment reflected the policies of the Commissioner's Office but instead he argued a load of subjective nonsense too!

2. RCC0518635: The case officer argued that O2 were not being excessive by requiring me to provide a three year old receipt for the SIM card as identifying information in a Subject Access Request (SAR). So according to the case officer, because I had not retained the receipt for purchase of the O2 SIM three years previous, O2 were not entitled to comply with my fundamental right of subject access. What should have happened is that the lead case officer should have checked to make sure that the views given in the assessment reflected the policies of the Commissioner's Office but instead she argued a load of subjective nonsense too!

To be fair though, O2 have since changed this requirement in their privacy policy; possibly as a result of my complaint. However, the ICO is an utter waste of space when it comes to data controllers abusing the SAR process. For example, I've been advised this week by Domino's Pizza's legal team that I will have to provide a certified copy of my passport or driving licence so that they can confirm my identity - before they will respond to my SAR. This is totally over the top in my view. What's wrong with a copy of a recent utility bill? And I don't even know what they mean by certified; do I need to get a justice of the peace to sign the copy to prove that it's genuine? And what checks will Domino's perform to validate that signature? Why do Domino's need photo ID? Why do they need my passport when my address does not appear on my passport? What I'm saying is, Domino's only hold basic information about me - name, address, phone number, yet their legal department is asking for, in my opinion, an extreme amount of identifying information to put me off submitting an SAR. Yet the ICO will always support the data controller over issues about extreme requests for identifying information. The O2 case being a superb example of how case officers will always take the side of the data controller to avoid having to follow the correct process. Where's the policy advice? Where's the ever growing knowledge base?

Anyway, back to my complaint to the PHSO.

Initially I had eight flawed case reviews to submit to the PHSO but they rejected two of them immediately because I had missed the strict 12 month cut-off. It took me some time to write them all up. For the remaining six, I argued that the views given by the case officers were unfounded nonsense. The problem is, my arguments were legalistic; it had taken me so long because I had endeavoured to explain how the views of the case officers given in the assessments, and supported by the case reviews, incorrectly interpreted the DPA. I actually enjoyed doing it and I did a number of re-writes so that my arguments were spot on. Unfortunately though, the PHSO doesn't get involved in legal technicalities so despite the fact that I almost pleaded with the PHSO case officer to contact the ICO and seek clarification with a suitably qualified policy advisor, this didn't happen and the PHSO concluded that there was no maladministration in all six case reviews.

In other words, the PHSO reached their conclusion on six flawed case reviews without bothering to contact the ICO to clarify anything.

Yet a five minute phone call to a policy advisor at the ICO about any one of those six cases would have confirmed that the view given does not reflect the view of the Commissioner.

I submitted an appeal to the PHSO last week. I'm appealing the PHSO's decision that they saw no evidence of maladministration. In the appeal though, I decided to change tack. Instead of arguing the legal technicalities of the DPA, I decided to focus on the failure of the Request for Assessment/case review process. Let me explain.

The case officer role at the ICO is one level up from the administrative assistant role. My overarching issue is that case officers, in my view, are the Commissioner's administrators. As such, I'm not interested in the subjective view of a case officer or in their opinion - why should I be? If I wanted an unfounded interpretation of the DPA I can go down the pub. I don't wish to be discourteous but I need to demonstrate that a case officer at the ICO is nothing more than an administrator. You can find the job description for a case officer on the ICO's website.

As an administrator, a case officer should always support their view with the policies of the Commissioner's Office. It's a fairly simple administrative process; the case officers apply the policies of the office to the case or seek policy advice if they cannot find any policy to support their view. If this is what they should be doing, then the notion that a case officer can give their own subjective, unqualified and likely unfounded view in an assessment by directly arguing the merits of the DPA is outrageous! This also applies to lead case officers when conducting case reviews. Again, they are not qualified to directly and subjectively argue the merits of the DPA and even if they were, it's not their job to do so. Indeed, the only people at the ICO who should be arguing the merits of the DPA are those individuals who are suitably qualified to create and/or advise on office policy. Furthermore, the Commissioner doesn't always agree with the DPA which is another reason why all case officers should only be referencing policy or seeking policy advice and not directly quoting the DPA to support their views.

Let me put it this way; imagine if the administrators working for HM Revenue & Customs were creating their own versions of the tax codes to calculate tax rebates instead of using the tax codes defined by the Office that employs them. This would be an obvious maladministration, right? But this is the kind of thing that is happening at the ICO; case officers are subjectively arguing the merits of the DPA when it's not their job to do so, they're not qualified to do so, and there's no process to convert their view into office policy. Due to this massive failure by the ICO, I am confident that nearly every single one of my 20+ assessments/case reviews is flawed. Extrapolate that for all the complaints handled by case officers in recent years and we're looking at possibly thousands of flawed assessments. In other words, we're looking at a massive failure by this government office.

What's interesting is that the ICO does tend to get it right if the case is straightforward. For example, where a data controller has failed to comply with a Subject Access Request within 40 days, the assessments tend to be correct. The case officer will write to the data controller and inform them that they need to comply. I suspect that they tend to get these simple cases right because they're simple and it's likely that they have standard letter templates that they can use to contact the data controller. However, as soon as the case becomes slightly more complex two things tend to happen:

1. The case officer will endeavour to subjectively argue the merits of the DPA to support their view and often get it wrong;

2. The case officer's subjective and unfounded view will always be tailored to support the data controller.

Let me explain what I mean by point 2. In my experience, case officers will often quote a section of the DPA and subjectively interpret it in a way that supports the company. But it's worse than that because they also tend to miss bits out of the definition given in the DPA because doing so better supports their view. Or they'll just focus on one aspect of the definition and ignore anything else. For example, if the DPA states that a data controller has to comply with A and B, and the data controller hasn't complied with B, then the case officer will simply ignore B. In their response they will say something like, "The DPA states that the data controller has to comply with A and they have done this so it is likely that the data controller has complied with the DPA." What about B? Okay, I've simplified it but hopefully you get the idea. This happened only last week - the case officer - an administrator of the ICO, gave me his own subjective definition of the fifth data principle; modified to support the data controller. I've just submitted the case review for that asking them to explain why the definition of the fifth data principle quoted in the assessment does not reflect the definition defined by the DPA and replicated in the Commissioner's guidance.

This is what the ICO's case officers do... they are a law unto themselves and it's highly unlikely that senior members of staff are not aware of what's going on.

I have a theory about this. Remember, I'm the data subject and in an assessment I'm submitting a complaint about a company that has processed my personal data - the data controller. If the assessment upholds my complaint and concludes that the data controller has failed to comply with the DPA, then the case officer has to write to the company to tell them what they've done wrong and how to put things right. Quite a scary prospect if you don't actually know what you're talking about, bearing in mind that the company's lawyers are likely to challenge the case officer's view. The case officer would need to ensure that he/she is spot on in their understanding of the DPA in their response to the company and that could take them ages; they'd probably need to clarify all the legal arguments with a more senior member of staff and by doing so, demonstrate that they don't actually understand what they're talking about. However, if the case officer supports the data controller in the assessment then they don't need to write to the data controller; they just need to write to the person who submitted the complaint. And when you consider that members of the public are likely to accept the view of the ICO because they don't know any better, the chances are that the person who submitted the complaint will just accept it.

It's a nice little scam but it requires the case officer's line manager to be in on it to work. It goes something like this. The case officer that carries out the assessment subjectively interprets the DPA and quotes subjective nonsense to support the company and writes to the individual that submitted the complaint. The person who submitted the complaint is likely to accept the view given in the assessment but if they were to challenge it, then the case officer who conducts the case review should check to ensure that the views given in the assessment reflect the objective and consistent view of the Commissioner. Furthermore, any attempt by the case officer to subjectively argue the merits of the DPA in the assessment should be deemed a failure of process in the case review. However, in my 20+ case reviews, the case officer has actually supported the nonsense quoted in the assessment with further nonsense. Add to this the fact that case officers are aware that the PHSO don't get involved in legal technicalities and we're looking at a conspiracy to abuse the assessment/case review process.

Unless it's blatantly obvious that the company is at fault and there's a chance that the PHSO might pick up on it, then providing that both case officers conspire to talk nonsense in support of the company, it's likely that they'll always get away with it. In the simple cases it's easy anyway so they don't mind writing to the company to tell them that they've failed to comply with the DPA. However, in slightly more complex cases where the case officer's lack of understanding might be exposed and even challenged by a legal professional, they just spout subjective nonsense to support the company. I believe that this explains why every single one of my case reviews has supported the company. It's not direct marketing it's a service message - nonsense! The company does not have to comply with your Subject Access Request until you provide them with a three year old receipt - nonsense! A year on its own constitutes a date - nonsense! Utter, utter nonsense! Indeed, I'm just about to submit my third case review since the start of June. In this case, the case officer opted to subjectively interpret contract law in the assessment to... support the company that I complained about. Do we think that it's the role of a case officer to interpret a standard form civil contract? Are we to believe that this case officer is a qualified legal professional who has opted to work as an administrator at the ICO?

Conclusion

The ICO's RFA process is seriously flawed and as a result, many companies are likely to be abusing the DPA and simply getting away with it because a case officer has opted to talk utter nonsense to support them, and their line manager is failing to pick up on the errors. In a recent case, the data controller apparently processed my personal data from a third party mailing list to target me with direct marketing - a phone call to my TPS registered phone, and then deleted my information once they had reached the end of the mailing list. I argued that data controllers shouldn't be deleting information immediately after processing because I have a right to submit a Subject Access Request to find out how they obtained my information. The data controller also had a need to retain the mailing list to demonstrate that they obtained consent because it's a criminal offence to process personal data to phone a TPS registered phone number unless you have obtained consent. The case officer argued that the data controller was merely complying with the fifth data principle by deleting my information. This view is highly unlikely to reflect the view of the Commissioner. As explained above, the case officer also gave me his own flawed interpretation of the fifth data principle rather than use the definition that forms office policy. I believe that he missed bits out because his subjective definition better supported his view. This is what they do. The other week another case officer told me that a quote for insurance was a service message and not direct marketing. It goes on and on... just utter nonsense.

Senior managers at the ICO are happy to go on TV and tell us that they're clamping down on companies that abuse the TPS, companies that fail to obtain consent, companies that use dodgy mailing lists etc. However, I can prove beyond all reasonable doubt, that unless a complaint is so straightforward that it's difficult to manipulate the outcome, case officers at the ICO tend to do whatever they can to support a company that a member of the public has complained about. They'll misquote the DPA to support their view, they'll subjectively argue the DPA when it's not their job to do so, they'll subjectively argue contract law when it's not their job to do so, they all seem to think that a contract negates all aspects of the DPA - they shouldn't be working at the ICO if they hold this view, and they'll ask the individual to support their complaint yet take the company at their word - which is unfair. The process is so flawed that one can only conclude that it is deliberate and that senior managers must be aware. Indeed, on one occasion, three different levels of staff at the ICO - the case officer, the lead case officer and his manager, told me that a year on its own constitutes a date. It's Christmas every day at the ICO then?

It all boils down to the fact that one can't write to a company like O2 and tell them that they've failed to comply with the DPA if one doesn't know what they're talking about. By abusing the assessment/case review process to always support the company whenever possible, a case officer can continue to do their job and get away with being incompetent because they mitigate the possibility of being challenged and therefore exposed by the company's lawyers. The facts speak for themselves; every single one of the 20+ case reviews that I've submitted to the ICO has found in favour of the data controller. And in every single case review the case officer subjectively argued the DPA to support the data controller.

I'm currently waiting to hear back from the PHSO. In the meantime, I've made my MP aware and she has contacted the CEO of the ICO to bring my complaint to his attention. If he goes through my 20+ case reviews he'll have a shock. As it stands the RFA process is not fit for purpose.

Added: 07.07.2015