The Ombudsman’s investigation of the ICO

Having initially rejected my complaint without bothering to contact the ICO to clarify anything, the Ombudsman is currently investigating my complaint on appeal: that the ICO’s formal complaints process is not fit for purpose and probably never has been. It’s also likely that senior managers are well aware that the process is flawed and are trying to cover it up.

The ICO operates a formal complaints process so that individuals can complain about UK companies. If you’re not happy with the way in which a company has processed your personal information, then section 42 of the DPA grants all UK citizens the statutory right to submit a complaint to the ICO. The complaint process is called a Request For Assessment (RFA). Upon receipt of a completed complaint form, a case officer at the ICO will conduct an assessment to determine whether, in their view, the company (data controller) that the individual (data subject) has submitted a complaint about has processed their personal information fairly. If you’re not happy with the view given by a case officer in the assessment then you can seek a Case Review. A case review is carried out by a Lead Case Officer who is the line manager of the case officer who conducted the assessment. If you’re not happy with the case review, then you can ask your MP to submit a complaint about the ICO to the Parliamentary and Health Service Ombudsman (PHSO).

As it stands, I’m not too far away from having 30 flawed case reviews and the Ombudsman (PHSO) is currently investigating six of them (see below). That’s nearly 30 assessments where a case officer has given a flawed view and nearly 30 case reviews where a lead case officer has supported the view given in the assessment. So either I’m utterly clueless or there’s a serious problem with the ICO’s process. I welcome any feedback if someone wants to point out where I’ve gone wrong but I don’t think I have.

I believe the RFA process to be shambolic and I expect the Ombudsman to conclude that it’s not fit for purpose. I’m going to outline the issues that I have by analysing a couple of letters that I received from Paul Arnold – the ICO’s Head of Customer and Business Services. These letters were sent in response to an enquiry made on my behalf by my MP. However, Mr Arnold has now clammed up because I have since asked him a question that he can’t answer correctly without admitting that he is wrong, so he has refused to answer it or any further questions. I’ve outlined the question that he refuses to answer and why he refuses to answer it below. This is an example of what I have to deal with. ICO staff are bound by the Civil Service Code of Conduct yet here we have their Head of Customer and Business Services refusing to answer a question because he doesn’t want to admit that he’s wrong. Isn’t it his job to deal with customers’ concerns?

What I’ve done below is to extract the key points from the two letters that Mr Arnold sent to me and analyse them. I’ve shuffled the key points around slightly for editorial purposes only.

Let’s begin.
1. Mr Arnold clarified the Request for assessment (RFA) process

The Commissioner has delegated responsibility for dealing with section 42 assessments to his staff – most notably to his case officers. Whenever you receive an assessment from one of our case officers, you are receiving the formal view of the Information Commissioner and his office.

Mr Arnold confirmed that the assessment process has been assigned to the ICO’s case officers and that their subjective views reflect the formal view of the Information Commissioner. However, I fail to see how a case officer can subjectively provide the consistent and objective formal view of the Information Commissioner without the view of the Commissioner first being clearly defined as published policy. How do the case officers know what the formal view of the Commissioner is? Alternatively, if it is the role of case officers to create formal policy on behalf of the Commissioner, then a process should exist whereby trained policymakers review, approve and publish a case officer’s subjective view as formal policy. I fail to see how the subjective views of a team of case officers can be deemed to constitute formal policy without some process in place to recognise which subjective views reflect the formal and objective view of the Commissioner.

The formal view of the Commissioner either needs to be top-down published policy or a process needs to exist to convert the subjective views of the case officers into top-down published policy. There is no other reliable method available to give the consistent and objective formal view of the Commissioner – his view must constitute policy for the system to work. The policy needs to be published because this will satisfy the Commissioner’s obligation to promote good practice and compliance among data controllers.

There appears to be no formal policy that reflects the view of the Commissioner and as far as I’m aware, the ICO does not operate a process to review, approve and publish the subjective views given by case officers.

Indeed, no subjective view given by a case officer in any of my flawed cases has ever been converted into published policy – you won’t find any of the views published on the ICO’s website for example. Furthermore, it’s not clear what the status of the Commissioner’s published guidance is. The Commissioner has created guidance and codes of practice to give his interpretation of various aspects of the DPA yet case officers hardly ever refer to this guidance and in some cases, they don’t even know that a particular guidance document exists. A case officer is supposed to give the formal view of the Commissioner in an assessment and they do this by subjectively interpreting the DPA without any kind of validation or approval. If that’s not bad enough, what happens if the Commissioner has already interpreted the DPA in his guidance? Shouldn’t case officers aim to support their views with the Commissioner’s guidance first before opting to subjectively interpret the DPA?

Due to the serious lack of process, I tend to treat the Commissioner’s guidance as formal policy because it reflects the view of the Commissioner and case officers are required to give the view of the Commissioner in an assessment. However, in one case review I was told by the lead case officer that the Commissioner’s guidance is just guidance and had no place in the RFA process so it’s just not clear. Even when case officers do acknowledge the Commissioner’s guidance, they seem to want to interpret it to give their own view. For example, according to the Commissioner’s published guidance, data controllers should not rely on consent alone to justify their data processing. The Commissioner states:

‘A particular consent may not be adequate to satisfy the condition for processing (especially if the individual might have had no real choice about giving it), and even a valid consent may be withdrawn in some circumstances. For these reasons an organisation should not rely exclusively on consent to legitimise its processing. In our view it is better to concentrate on making sure that you treat individuals fairly rather than on obtaining consent in isolation. Consent is the first in the list of conditions for processing set out in the Act, but each condition provides an equally valid basis for processing personal data’.

I believe that this published view (you’ll find it on the ICO’s website) reflects the view of the Commissioner and therefore constitutes formal office policy. Or if not office policy, for the purpose of conducting an assessment under section 42 of the DPA, it reflects the view of the Commissioner. In one of my case reviews however, the lead case officer told me that it was unnecessary for the data controller to satisfy another condition for processing because they had clearly obtained my consent:

This is because they have clearly consented to the processing by signing up to its service.

But anyone who knows anything about the DPA and the PECR will tell you that consent is far from clear because it requires the individual to give an informed indication of their consent. Do I give my informed indication when I tick a box to accept a company’s terms and conditions? Can a company obtain my informed indication contractually? Apparently so but where’s the policy to support this view? Where does it state in the Commissioner’s guidance that a data controller obtains consent from their terms and conditions? When I quoted the above guidance to the lead case officer in the case review, he said:

‘You have pointed out that ICO guidance states that organisations should not exclusively rely upon consent to legitimise processing. However, this part of the guidance simply highlights that there will often be more than one condition for processing personal data’.

Sorry, but the Commissioner is making a clear statement that an organisation should not rely exclusively on consent to legitimise its processing. So not only did this case officer brush the Commissioner’s guidance aside, he is of the view that I clearly gave my consent when I ticked a box to accept the company’s terms and conditions. A number of my flawed cases are about consent yet you won’t find any published guidance on the ICO’s website that confirms that consent can be obtained via a standard form civil contract. Indeed, case officers seem to have nothing but contempt for the DPA because apparently, everything can override the DPA – civil law, a privacy policy, a company’s code of practice. Where’s the policy?

This is what I have to deal with all the time and this is why I have so many flawed case reviews – there’s no formal policy in place at the ICO. Instead, the case officers want to give me their own subjective view all the time and their view will nearly always support the data controller in all but the simplest of cases. I should add that the view given in the above case has never been reviewed, approved and published – they haven’t amended the guidance to reflect the lead case officer’s view that the Commissioner is simply highlighting that there will often be more than one condition for processing personal data. Furthermore, when I sought to clarify the matter, the view that I was given by a different case officer has not been reviewed, approved and published either. And in a recent case another case officer told me that I agreed to the company’s terms and conditions so I am bound by them. That case officer has been working at the ICO for at least six years, so has he held the view all this time that a company can override the DPA with civil law? Where’s the policy to support his view? How many cases has he conducted over the years where he’s given this view? Where’s the policy that reflects the consistent, objective and formal view of the Commissioner?

Consent has a fundamental impact on data processing because if a data controller can rely solely on consent then they have far more leeway in the processing of personal information. If they can rely solely on consent for example, then they don’t have to satisfy a legitimate interest. It’s likely therefore that the issue of consent has been raised in thousands of cases over the years, yet here we are in 2016 and the ICO still has no formal policy on consent. Can a data controller override the DPA with their terms and conditions? Can a data controller obtain consent from their terms and conditions? Where is the ICO’s finalised, clear, and published policy for this and other major issues? It doesn’t exist so case officers simply make it up, close the case, bury the case and start again. We’re probably looking at thousands of flawed cases over the years.

There’s no evidence to support Mr Arnold’s view that case officers provide the consistent and objective formal view of the Commissioner in their assessments. Where’s the policy? How many government agencies operate without formal policy?
2. Mr Arnold outlined my issue

Mr King seems to believe that our case officers only have two types of answer available to them: answers that state ICO ‘policy’ and answers that are wrong. This is not the case.

I absolutely do hold this view.

I’m an application developer so from my point of view, the logic doesn’t make sense. There’s no loop that feeds the subjective view of a case officer back into the process so that it can be reviewed, approved and published as office policy. Instead case officers tend to give their subjective interpretation of the DPA in each case regardless of the Commissioner’s guidance. The case is then concluded, closed and that view becomes archived and buried after six months.

This is a massive failure of process because the ICO is operating a system where the case officers are likely to be subjectively interpreting the same bit of legislation over and over again. For example, one case officer gives their subjective interpretation – case closed, interpretation buried. A few months later in a similar case, another case officer gives their subjective interpretation (which may or may not reflect the view given previously) – case closed, interpretation buried. And so on – year after year. Indeed, if you contact the ICO and ask for the Commissioner’s formal view on something you won’t get it because such policy does not exist. Instead a case officer will subjectively interpret the DPA to provide you with an answer which will then be buried. Earlier in the year I had to wait three months to get an answer to some questions and none of the answers provided have been published on the ICO’s website. As such, I do not accept those answers as reflecting the view of the Commissioner.

At the end of the day, if the view given by a case officer in an assessment reflects the view of the Commissioner then that view should be reviewed – to ensure that it doesn’t contradict the Commissioner’s published view or other published guidance, approved – by a more senior member of staff (ideally a qualified policymaker) as being the formal view of the Commissioner for a particular issue, and published on the ICO’s website. This needs to happen to give the case officer’s view credibility.
3. Mr Arnold clarified the role of case officers

He also seems to think that case officers are ‘administrators’ and should ‘always support their view with office policy’. Again, this is not so.

Again, I absolutely do hold this view.

What qualifies a case officer to interpret the law? According to the case officer job spec on the ICO’s website, a case officer requires a degree or equivalent work experience. It does not stipulate a law degree or relevant legal experience. For Knowledge, skills and ability, the case officer job spec makes no mention whatsoever of the need to have legal knowledge, skills or abilities. This means that someone with a degree in Cruise Management could work as a case officer at the ICO so what would qualify that person to directly and subjectively interpret the law?

The job spec for the lead case officer role is also devoid of any formal legal training or legal knowledge, skills or ability. There’s a desirable that the candidate has a relevant professional qualification and the examples given are: CIPR – Chartered Institute of Public Relations, CIM – Chartered Institute of Marketing, CAM – Communication, advertising and Marketing. Indeed, the lead case officer role seems to focus on customer service, marketing and advertising. For example, good knowledge of print, design and production is a desirable. Why on earth isn’t an understanding of the DPA a desirable?

I’m sorry, but there’s nothing in these job descriptions to indicate that case officers and lead case officers are anything other than office administrators as far as the RFA process is concerned. As such, every view they have should be supported by formal office policy created by a suitably qualified person rather than their own subjective interpretation of the DPA. Case officers have no legal training so they lack the credibility to argue their view with a legal professional – their view must be supported with formal policy to have any chance of being taken seriously by a company lawyer. As it stands they’re making a mockery of the legal profession. Would Mr Arnold seriously have us believe that these individuals can interpret the DPA and argue their view with a data protection lawyer working for Pinsent Masons, for example? If so then he’s having a laugh! I don’t wish to sound mean but according to the job descriptions case officers and lead case officers are simply not qualified to subjectively interpret the DPA. As such, if Mr Arnold expects them to give the formal view of the Commissioner then such a process is clearly flawed.

I honestly do not understand why the ICO would desire its case officers to have a marketing qualification over a legal qualification. In my experience, people that work in marketing are likely to be the worst offenders when it comes to compliance with the DPA because the blatant promotion of products and services is a fundamental element of the creative industry. They’d be much better off with a logical thinker – an accountant or programmer who has training or experience of working within a defined framework. There’s no place for creativity when interpreting the law. When you consider that thousands of direct marketing complaints are submitted to the ICO each month, the notion that being a creative is a desirable trait for a role that requires the subjective interpretation of the law is just wrong.

The case officer job spec also states: ‘Wherever you join us, you’ll be responsible for taking cases to a clear and consistent outcome, in line with our policies and operational strategy’. Err… what policies?

How can you have a consistent outcome when case officers subjectively interpret the law and that interpretation never gets published and becomes obsolete after six months? I stand by my claim that these jobs focus on customer service, marketing and communications, so as far as interpreting the law goes, the ICO’s case officers and lead case officers are nothing more than office administrators because these roles require no legal qualifications, experience, training, skills or knowledge to do the job.
4. Mr Arnold further clarified the duties of case officers

When considering DPA complaints, case officers are not only ‘allowed’ to give their own views about what the law says, we expect it of them. It is a fundamental part of their role. They are, furthermore, no less ‘qualified’ than their policy colleagues to do so.

You’ve got to be kidding me! It is a fundamental part of their role… seriously? Based on what? Have I been looking at the wrong job descriptions?

Based on the job description, a case officer/lead case officer is no more qualified than the next person to subjectively interpret the DPA, so how can the subjective interpretation of the law possibly be a fundamental part of their role? If being able to give an informed legal interpretation of the DPA is indeed a fundamental part of a case officer’s role then they reasonably need to have a formal legal qualification and training as a minimum, to avoid making a mockery of the process. And you’d still need a process in place to review, approve and publish the subjective views as formal policy. As it stands though, they surely are making a mockery of the process and it’s likely that they have been doing so from day one – for 18 years or so.

Alternatively, there needs to be some process where a trained legal professional validates the case officer’s view as reflecting the objective view of the Information Commissioner and that view should be published to ensure consistency: review, approve and publish. This doesn’t happen either. For example, a number of case officers have told me in an assessment/case review that a promotional service message – a marketing communication sent under the terms of a contract – does not constitute direct marketing. The ICO’s case officers have likely held this nonsense view for many years because it has never been reviewed and published on the ICO’s website. Mr Arnold has since confirmed that this view is nonsense, yet at least four of my case reviews have held this flawed view and who knows how many cases in total – possibly thousands over the years. This is what happens when you allow office administrators to run the show. And Mr Arnold’s clarification that a promotional service message does indeed constitute direct marketing has yet to be published on the ICO’s website, so what’s to prevent the case officers from continuing to hold the view that a promotional service message is not direct marketing? Mr Arnold’s view will get buried as all the other views do.

Mr Arnold would have us believe that a case officer – with no formal legal training, is qualified to contact a company lawyer to point out that the company must comply with their subjective interpretation of a section of the DPA. Where’s the credibility? “Oh, hello Barclays Bank, I’m a case officer working for the ICO, my former role was as a Cruise Manager and I have no formal legal training but I’m writing to tell you that I’ve subjectively interpreted the DPA and you need to take my interpretation on board.” Ha! And Barclays’s lawyers are going to just accept that are they? They’re going to think it’s some kind of wind-up because case officers are no more qualified to subjectively interpret the DPA than a member of a cabin crew is to fly a plane. Indeed, I suspect that this analogy accurately reflects the massive gulf that exists between a case officer and a legal professional. It’s nonsense! Case officers must be able to support their views with formal policy to give them credibility.

Based on the job description, anyone who believes that a case officer is remotely qualified to subjectively interpret the DPA is clearly deluded.

I stand by what I’ve said consistently: that case officers are merely office administrators because they are no more qualified than the next person to interpret the DPA. As such, case officers should only ever quote published policy to support their views and if they cannot support their view with published policy, then they should seek new policy from a suitably qualified individual. There should also be a process in place to ensure that all new policy is reviewed, approved and published – ideally within 30 days. Then, if I have to submit a complaint to the Ombudsman and the views given by the case officer cannot be found as published policy on the ICO’s website, the Ombudsman can easily conclude failure of process: that the view of the case officer does not reflect the view of the Information Commissioner because it has not been published. This process should have been put in place years ago.

It’s all beginning to make sense. Mr Arnold’s clarification might explain why case officers tend to manipulate the process to always support the data controller in all but the simplest of cases. Let me explain.

If the case is simple – failure to respond to a Subject Access Request within 40 days for example, then case officers tend to get it right and they’ll write to the company and tell them that they need to comply. But as soon as the legal arguments become slightly more complex, the case officer’s default position is to always support the data controller. For example, they tend to take the data controller at their word, or they won’t bother to clarify something with the data controller whereas I’m always expected to support my case. In a number of cases the case officer has told me that there’s no evidence to support my view yet section 43 of the DPA grants a case officer the right to obtain evidence from the data controller if it is required to conduct a fair assessment. So the process is stacked in favour of the data controller from the start but I believe that there’s a more sinister reason why case officers tend to support the data controller by default.

Remember, Mr Arnold expects case officers to interpret the law – something that they’re clearly not qualified to do. Stressful right? In this situation, the last thing that a case officer wants to do is to present their nonsense subjective interpretation of the DPA to a legal professional – a company’s legal team or lawyer for example. What can one do to avoid being exposed by a legal professional? Well, case officers are aware of two things:

That the majority of the public do not understand data protection law so they would likely accept a case officer’s view without questioning it – as I used to do many years ago. These days I regularly have to submit case reviews.

That the PHSO does not get involved with legal technicalities. Thus, providing that the case officer’s legal arguments appear to make sense, it’s likely that they can say whatever they like and the Ombudsman will be unlikely to question it. Indeed, I have been advised (RCC0518635) that ‘If, however, your complaint relates to the way in which we have interpreted the law then the Ombudsman cannot help you’. That’s a failure of process because it opens up a loophole that can be exploited by case officers.

My point is that lead case officers are well aware that they can spout a load of nonsense in a case review and it’s highly unlikely that they will be challenged by the Ombudsman. Thus, the entire process is seriously flawed because a case officer who is in no way qualified to interpret the law can make a total and utter mess of an interpretation of the DPA and get away with it. The Ombudsman should share some of the blame here. They’ve just reviewed six of my cases and concluded that there’s no issue, despite the fact that I spent hours trying to explain why each case is flawed. The ICO can’t be wrong, can it?

When you put it all together… the fact that the ICO expects case officers to interpret the law, the fact that case officers are not qualified to interpret the law, the fact that companies often have scary legal professionals who are qualified to interpret the law, the fact that the PHSO does not get involved in legal technicalities and the fact that members of the public do not tend to understand data protection law… it’s clear that the easy option for lead case officers is to exploit the loophole by always finding in favour of the company in all but the simplest of cases.

I strongly believe that case officers deliberately and knowingly abuse the process to support the data controller because they are well aware that they are likely to get away with it. And the fact that Mr Arnold is openly refusing to answer a question which would prove both him and a particular case review to be wrong suggests that more senior managers are actively involved in the abuse. Indeed, in one of the cases below it was three different levels of staff that told me I was wrong – the case officer, the lead case officer and the Group Manager, Complaints Resolution. They all told me that a year on its own constitutes a date and they’re all clearly wrong.

In all of the cases where I do not accept the view of the ICO – the ones that I have submitted to the PHSO and the ones I have yet to submit – the default position of the case officer is to interpret the DPA in a manner that supports the data controller. It’s clear to me therefore that case officers do this to avoid having to confront legal professionals and thus be exposed as being not fit for purpose. Even when I’ve endeavoured to support my view with the Commissioner’s published guidance, case officers will tend to ignore it or interpret it differently, as we’ve seen above. And in one recent case, the case officer opted to manipulate the definition of the fifth data principle that appears on the ICO’s website to better support his view. He couldn’t just copy and paste the published definition into his response, oh no, he copied, pasted and amended it. This action was supported by his line manager in the Case Review.
5. Mr Arnold explained the lack of policy

Given the DPA’s breadth of application (it applies to all processing of personal data in the UK) and its emphasis on the circumstances of each organisation (they have to consider what is fair, appropriate and reasonable in each case), it is impossible for us to produce formal policy lines for all processing. We have to be selective.

This nonsense highlights a massive failure of process. How many years has this organisation had to create and publish formal policy? What’s their process for reviewing, approving and publishing the subjective views of unqualified case officers to create formal policy? They don’t even have formal policy for the fundamental aspects of the DPA for example, whether a data controller can rely solely on consent to justify their data processing and if so, whether that consent can be obtained via a standard form civil contract.

Bearing in mind that the overwhelming majority of complaints submitted by the public are about direct marketing, the ICO should have had the following formal policy in place over a decade ago:

Can consent for data processing be obtained by ticking a box to accept terms/privacy policy?
Can consent for electronic marketing be obtained by ticking a box to accept terms/privacy policy?
Can an active invite for solicited marketing be obtained by ticking a box to accept terms/privacy policy?
Can a promotional e-mail sent under the terms of a contract bypass the definition of direct marketing?
Provide some examples of what would be deemed an excessive request for identifying information in an SAR.
Can a data controller bind me to their privacy policy and continue to process my information fairly?

We’re now in 2016 and as it stands, there is no clear policy to outline how civil law impacts on the DPA. For this one issue alone you’re probably looking at thousands of flawed cases over the years.
6. Mr Arnold provided clarification on the role of policy staff

Policy staff are only required to give policy advice where an issue raises new, novel or complex points of law or good practice. Before requesting policy advice, case officers must first consider whether they can reasonably answer the questions themselves either by extrapolating the position from other policy lines, through the knowledge and experience they have gained through previous work, or through the knowledge and experience of their managers and colleagues.

In other words…

Policy staff (who according to Mr Arnold are no more qualified to interpret the law than case officers) are only required to give policy advice where an issue raises new, novel or complex points of law or good practice. Before requesting policy advice, case officers (who are not qualified to interpret the law) must first consider whether they can reasonably answer the questions themselves either by extrapolating the position from other policy lines (which they’re not qualified to do), through the knowledge and experience they have gained through previous work (which they’re unlikely to have because previous legal experience is not required for the role), or through the knowledge and experience of their managers and colleagues (who are no more qualified to interpret the law than any other non-legal professional working at the ICO).

If policy staff are no more qualified to interpret the DPA than case officers then they too need to have their interpretation of the DPA reviewed, approved and published to have any credibility.
7. Mr Arnold explained how they ensure consistency

Of course it is important that the views we give are consistent and we help to ensure this by sharing information through a variety of mechanisms, including our casework management system, knowledge bases, staff intranet pages, ‘know about’ sessions and meetings (regular and ad-hoc).

Mr Arnold claims that there are mechanisms in place to ensure consistency but all they need is a single process in place that reviews, approves and publishes a case officer’s view as formal office policy. Let’s review what mechanisms they do have:

Casework management system. When I supported one of my cases with the views given in two previous assessments, I was advised by the lead case officer in the case review that past cases older than six months will not be considered. The DPA doesn’t change that fast so why won’t they consider the views given in a three year old case? Is it so that they can bury the nonsense views? Why six months?

Knowledge bases. Bearing in mind that it’s the role of the Information Commissioner to promote good practice and compliance among data controllers, why would the ICO have their own knowledge base? If the ICO’s case officers have access to a knowledge base that tells them how to correctly interpret the law, then shouldn’t that information be made available to the public? I suspect however that these knowledge bases only contain the basics.

Staff intranet pages. As with the Knowledge bases, if the staff intranet pages contain information about how to interpret the DPA then it should be published and shared with the public.

Know about sessions and meetings. How about having a meeting to put a process in place so that the view of a case officer is reviewed, approved and published?

The fact is, there’s very little evidence to suggest that there’s any consistency at the ICO. Let me give a recent example that I mentioned earlier.

Earlier in the year I wrote to the Information Commissioner to get answers to some questions. The views that I had been provided with previously had been unsupported so I wanted the Commissioner to provide me with formal policy. In other words, I was seeking the formal view of the Commissioner on a number of issues. I was advised, however, that the ICO had no formal policy in place for these issues so it would take some time to provide the answers to my questions. In the end it took over three months to get a response, and although the response was supposed to be the formal view of the Commissioner, none of the views provided have been added to the ICO’s published guidance. This is further evidence that the ICO operates a creative process where people who have no right whatsoever to interpret the DPA just make it up as they go, rather than having a process that creates formal, consistent, verified and published top-down policy. One of the questions that I asked was:

“Can a data controller rely solely on consent to justify its data processing?”

The answer provided by the case officer after collaborating with fellow case officers was:

Yes, you can rely on consent as a condition for processing and be compliant with the Data Protection Act (DPA). However, our advice from a practical point of view is that it may not be advisable to do so in every situation. This is because of the possibility of consent being withdrawn, or consent not being considered to be adequate for a particular type of processing.

This response doesn’t help me at all because it’s still open to interpretation. Thus, if I submit a complaint about a data controller, those case officers who are of the opinion that the Commissioner’s guidance is just guidance will likely conclude that a data controller can rely solely on consent to justify their data processing. Whereas those like me, who are of the view that the Commissioner’s published guidance reflects the formal view of the Commissioner for the purpose of making an assessment under section 42 of the DPA, will conclude that a data controller cannot rely solely on consent to justify its data processing. As outlined at section 3.1.5 of The Commissioner’s Data Protection Act 1998 Legal Guidance document and as published on the ICO’s website:

One of the conditions for processing is that the data subject has given his consent to the processing. The Commissioner’s view is that consent is not particularly easy to achieve and that data controllers should consider other conditions in Schedule 2 (and Schedule 3 if processing sensitive personal data) before looking at consent.

As I’ve said earlier, consent is one of the fundamental elements of data processing so how is it possible that the UK’s Data Watchdog does not have a clear message on this and many other fundamental data processing issues? What is a “practical point of view”? How should it be interpreted for the purpose of an assessment under section 42 of the DPA? I need to know whether or not the Commissioner is of the view that a data controller can obtain my consent to justify its data processing contractually. And if so, that the data controller does not need to satisfy another condition? Or, as I suspect, does the Commissioner expect companies to satisfy a legitimate interest to justify their data processing rather than relying solely on consent?

I can’t get a straight answer and for this reason alone, this organisation should be deemed not fit for purpose. As it stands it’s not clear whether any view given by a case officer reflects the formal view of the Commissioner.
8. Mr Arnold concluded…

In spite of this, we know that we may not always get things right first time and we have implemented a complaints process. If anyone uses any of our services and thinks that we should have done something different, they can complain. A manager of the individual who provided the service will review the matter and respond. It appears that Mr King has no faith in this process. However, it provides a useful opportunity for us to put right any mistakes we have made and to ensure that the views we provide are consistent. I am satisfied that our managers act on that opportunity appropriately.

Mr Arnold is absolutely right – I have no faith in the process at all. I’m getting close to 30 flawed cases so why on earth would I? I have no faith in the ability of case officers to provide an informed interpretation of the DPA because they’re simply not qualified to do so. I have no faith in the honesty of the ICO’s employees because I suspect that the majority of case officers have no qualms about manipulating the process or taking advantage of the loophole described earlier. This abuse goes all the way up the chain of command too, as Mr Arnold still refuses to answer a question that will prove him wrong. Then there’s the lead case officer who refuses to clarify her view that I had to pay a company to comply with my statutory DPA rights. Yet another case officer manipulated the definition of the Fifth Data Protection Principle to support his view. Deliberately manipulating the process should be a disciplinary matter because it likely breaches the Civil Service Code of Conduct. What’s the PHSO doing about it?

Of course there’s one easy way to sort this out and that’s for either the ICO or the Ombudsman to pay for an independent data protection lawyer to review the six cases that the Ombudsman is currently investigating. Like I say, I accept that I could be wrong with one case but apart from that, I’d be willing to pick up the costs if the lawyer concludes that any of the remaining five correctly reflect the view of the Information Commissioner. Of course, first we’d need to clarify what the view of the Commissioner is, because it’s just not clear when we have no formal policy.
9. Mr Arnold continued…

We understand though, that some of our decisions are finely balanced and that we might not always get them right first time, whoever makes them. This is why we have a case review process. As you know, if anyone uses our services and thinks that we should have done something differently, they can complain. A manager of the individual that provided the service will review the matter and respond.

Finely balanced? Policy advisors and lead case officers are no more qualified to interpret the law than the case officers are, so his case review process is a joke. To add to this mockery, a case review is conducted by the line manager of the case officer who conducted the assessment. Bearing in mind that it’s the lead case officers who are responsible for training the case officers, isn’t there a clear conflict of interest here? Of course a lead case officer is going to support the view of his subordinate case officer, because that view reflects on them. In other words, if you’re a lead case officer at the ICO and it’s down to you to train the case officer that you line manage, then it’s unlikely that you’re going to disagree with their view when it was probably you who told them what to say.

Case reviews should never be conducted by the line manager of the person who carried out the assessment because it’s a process that’s just open to abuse.
Why is Mr Arnold refusing to answer my question?

This particular case is one that I have yet to pass to the Ombudsman but I passed it to Mr Arnold as an example of his flawed process. In this case I obtained a quote for insurance from a comparison website and besides the quotes appearing on screen, I also received an e-mail that summarised the top five or so quotes. As I was not clearly advised that I would receive the e-mail, my view is that the quote summary e-mail constitutes unsolicited electronic marketing that required my prior consent. My view is that the company failed to obtain my consent to send me the quote summary e-mail.

Why I hold this view. An e-mail that is sent to an individual to remind them to renew an existing service is likely to constitute unsolicited electronic marketing because it’s promoting a service and therefore requires prior consent. I’m not saying that a company cannot inform you that your service needs to be renewed; it’s just that they cannot do it via electronic means unless they’ve given you the option not to have your information used in this way. Unless of course they clearly advise you when you subscribed to the service, in which case a renewal e-mail will likely be solicited electronic marketing and will not require consent. The same goes for any other promotional information that the company wants to target at you.

The data controller can always post you a letter to remind you that your service is due for renewal, but they want to save money, so the overwhelming majority of UK companies opt to abuse our data protection rights to save money. And because the ICO’s case officers lack the ability to consistently apply the same rules to different scenarios, companies have been getting away with it for years. Some companies, like insurance providers, do qualify for an exemption, so as a rule they don’t require your consent because they’re obligated under ICOBS to provide you with a quote for a renewal of insurance. I’m not convinced, however, that all comparison websites are exempt, if any are.

In the assessment (RFA0576717) the case officer was of the view that a promotional service message does not constitute direct marketing, so her view was that the quote summary e-mail did not fall under the definition of direct marketing given at section 11(3) of the DPA. Of course I rejected this nonsense and submitted a case review. By the way, this was the same case officer who, in another assessment, didn’t know that the Commissioner had published 20 pages of guidance on the difference between data controllers and data processors.

The case review (RCC0586606) spotted the error made in the assessment and concluded that the view was flawed; that there’s no such thing as a promotional e-mail that bypasses the definition of direct marketing. However, the case review concluded that the quote summary e-mail was not unsolicited electronic marketing that required my consent but solicited electronic marketing that I had actively invited. Again, I’ve rejected this view as nonsense and I’m going to submit it to the PHSO at some point. In the meantime, I forwarded the case to Mr Arnold to demonstrate how the failure to have approved and published top-down formal policy in place has allowed case officers and lead case officers to organically create their own unfounded interpretation of the DPA that is so flawed that it makes a mockery of the ICO’s formal complaint process. Mr Arnold replied and said:

A team manager reviewed it. He explained that although the term ‘service message’ doesn’t appear in the DPA, it serves to draw a useful distinction between marketing communications and other communications organisations might send to their customers. However, he agreed with you that the message constituted direct marketing (although he also pointed out that it wasn’t unsolicited, because you had clearly asked for quotes).

According to Mr Arnold then, when I obtained a quote from this particular comparison website I actively invited the summary quote e-mail. I did not! I was not clearly advised that I would receive a summary quote e-mail during the registration process so how can I “actively invite” something that I’m not aware of?

Here’s what an active invite looks like:

[Screen shot: Moneysupermarket registration form]

In the screen shot above, Moneysupermarket clearly advise me on the registration form that they will send me a specific e-mail containing a summary of the quotes and by proceeding I actively invite that solicited marketing. They also seek my consent for unsolicited marketing using tick boxes. And here’s another one:

[Screen shot: Go Compare registration form]

In the screen shot above, Go Compare is near perfect as they clearly advise me on the registration form that they will send me a specific e-mail containing a summary of the quotes as well as a specific e-mail containing a renewal quote when it’s due. By proceeding I accept that I actively invite these two specific solicited marketing e-mails. They also inform me that they won’t pass on my information to third parties and they obtain my consent for unsolicited electronic marketing with a tick box. In a perfect world the tick box would be opted out by default but I’m nit-picking. With this example, Go Compare are putting many UK companies to shame… and they’ve put the message at the start of the form too so that I don’t have to proceed if I don’t want to receive the solicited marketing. This is great stuff!

The ICO are once again totally clueless! Not only did the case officer get it wrong by concluding that the summary quote e-mail did not constitute direct marketing, but the lead case officer has also got it wrong by concluding in the case review that the marketing was solicited. There were no active invites on the registration form in this case. Indeed, I made it clear in my complaint to the ICO that the data controller put this information in their privacy policy, and I included a screen shot. As such, the only way I could possibly “actively invite” the summary quote e-mail in this case is if a data controller can obtain my active invite contractually. And that’s the question that I put to Mr Arnold: can a data controller obtain an “active invite” to solicited electronic marketing contractually? He refuses to answer my question because he doesn’t want to admit that he’s wrong or that the case review is flawed. If he says that a data controller can obtain an “active invite” contractually or via the acceptance of their privacy policy, then this would mean that a company could phone my TPS-registered phone number to follow up on a quote or to make me aware that it’s time to renew without the need to obtain my prior consent, as long as they’d identified the specific marketing items in their terms and conditions/privacy policy.

Thus the ICO’s Head of Customer and Business Services is refusing to answer my question because he’s wrong, he knows that he’s wrong, but he doesn’t want to admit that he’s wrong because he’s hoping that the Ombudsman won’t do anything and it’ll all blow over. Mr Arnold actually wrote to me and told me that he wasn’t prepared to discuss the matter further. So there you go… that’s the ICO’s Head of Customer and Business Services for you.
In Conclusion

Senior managers at the ICO are making a mockery of the RFA process by expecting their case officers to subjectively interpret the DPA. Case officers are simply not qualified to interpret the law and they make a mockery of the legal profession by endeavouring to do so. It’s likely too that case officers are well aware that they are unqualified to interpret the law but because it’s expected of them, and because they’re not qualified to and because they’re unlikely to be caught out, it’s likely that they manipulate the process to always find in favour of the data controller in all but the simplest of cases. By always supporting the data controller they mitigate the risk of having to deal with a company’s lawyers and thus avoid being exposed as not fit for purpose.

Due to this massive/deliberate failure of process, it’s likely that thousands of complaints and enquiries have been incorrectly assessed by the ICO over the years. This affects us all too, because we’re now in 2016 yet the majority of UK companies are likely to be abusing the rights of their customers. Indeed, the overwhelming majority of companies that advertise on TV are likely to be abusing the data protection rights of their customers. Ironically, Amazon.co.uk – a non-UK data controller – is likely to be more compliant with my data protection rights than the majority of UK companies. Whose fault is that? The Information Commissioner ultimately must take responsibility.

What should happen is that every single view given by a case officer should be supported by published office policy. If it ain’t published then it ain’t policy; it’s just the unfounded view of an office administrator. The failure to implement formal policy over the years is a disgrace!
Questions that the Ombudsman should seek answers to.

I’m currently waiting to hear back from the PHSO and I’ve been assured that this will happen early in 2016. Here are some questions that I expect the Ombudsman to answer when they conclude their investigation.

Can an “active invite” for solicited electronic marketing be obtained contractually? If it cannot then that’s another flawed case review to add to my list and confirmation that Mr Arnold withheld answering the question because he knew that he was wrong.

What is the status of the Commissioner’s published guidance and how does it impact on section 42 of the DPA? In my view, his published guidance reflects the formal view of the Commissioner, and as I’m legally entitled to the formal view of the Commissioner under section 42, why are case officers opting to subjectively interpret the DPA rather than quote the Commissioner’s published guidance?

What qualifies a case officer, lead case officer or policy advisor to subjectively interpret the DPA? Is Mr Arnold seriously suggesting that someone with no formal legal training whatsoever is capable of interpreting the DPA with the level of expertise necessary to convince a company lawyer to accept their view? Why would any legal professional accept the view of someone who has no formal legal training? Surely this is a joke? The only way that any legal professional is going to accept the view of a case officer is if their view is supported by formal policy.

What process exists to verify, approve and publish the subjective views of case officers to ensure consistency?

Why have none of the views given in any of my assessments/case reviews ever been published? Surely if this is the view of a case officer then it needs to be approved and published to ensure consistency?

If case officers should quote the Commissioner’s guidance in an assessment, what checks are carried out to ensure that they are giving the view of the Commissioner over their own subjective view?

Are the views given in an assessment obsolete after six months?

I expect the Ombudsman to conclude that the ICO is not fit for purpose and that the Commissioner has failed miserably in his duty to conduct assessments under section 42 of the DPA. I also expect the Ombudsman to recommend that the ICO be formally investigated by a Parliamentary Select Committee and I’d like to be involved in that process. Alternatively, I shall submit a complaint of fraud to the police and ask them to investigate why case officers always find in favour of data controllers. For all I know case officers are getting back-handers to bury complaints made by the public.
The Cases

Below I’ve listed the eight cases that I submitted to the Ombudsman earlier in the year with my analysis of why I think the lead case officer’s view is flawed for each. Of the eight cases that I submitted, the Ombudsman rejected two because I had exceeded their strict 12 month cut-off; there are not enough hours in the day to keep on top of the nonsense. The Ombudsman investigated the remaining six cases but concluded that there was no evidence of a failure of process. They reached this conclusion without bothering to clarify anything with the ICO; they never contacted the ICO to question anything. I have since submitted an appeal and the Ombudsman is currently investigating. As it stands I have about another 20 cases still to submit to the Ombudsman, with a few more in the pipeline. However, as time drags on some of these cases will fail to meet the 12 month cut-off, so I’m hoping that the PHSO will give me some leeway bearing in mind that they’ve been investigating my appeal since the summer.

Case 1: RCC0460510

The data controller sent me electronic marketing and the case review concluded:

‘As has been mentioned to you where an existing relationship exists between the data subject and the data controller it is unlikely to breach the DPA if the data controller continues to correspond with the data subject for non-marketing purposes. In short, to participate in the scheme requires that they are able to write to you and provide you with information which may be of interest, or even benefit, to you. An example might be where they are providing household insurance and they wish to make you aware that you have qualified for a discount due to your age etc’.

This is an example of where a lead case officer has concluded in a case review that a promotional service message does not constitute direct marketing.

This case is flawed because there’s no such thing as a promotional service message that bypasses the definition of direct marketing given at section 11(3) of the DPA. Mr Arnold has now confirmed this.

———————————————————————————————————————————

Case 2: RCC0513623

The data controller (an insurance provider) sent me a renewal quote for my insurance even though I had opted out of direct marketing under section 11 of the DPA. Once I’ve opted out under section 11, a company cannot send me direct marketing at all.

Why I opted out under section 11 of the DPA. I don’t like rolling contracts that I have to cancel to avoid being renewed automatically. Insurance providers love rolling contracts because it gives them the opportunity to claw back some of the money that they would have lost giving me a competitive new customer discount. However, if an insurance provider cannot send me a renewal quote then they cannot legally renew the contract; I’ve clarified this previously with Trading Standards. Thus, by opting out under section 11 of the DPA, the insurance company cannot send me any direct marketing so they cannot send me the renewal quote and they cannot renew the rolling contract. Believe it or not, I’m quite capable of putting a date in a calendar to remind me of when my car insurance is due.

Upon receipt of my section 11 opt-out, the data controller pointed out that they were obligated by ICOBS (the insurance business code of practice) to send me the renewal quote. Fair enough, but I had specifically opted out under section 11 of the DPA, so I believe that their statutory obligation to process my personal data in accordance with my rights as a data subject would supersede any obligation that they had under ICOBS.

To be sure though, I contacted the FCA and asked them whether they thought that ICOBS would negate the rights afforded me by the DPA. The FCA informed me that ICOBS placed a regulatory obligation on the insurance business – not a statutory obligation. As far as I can tell, there’s nothing in ICOBS then that supersedes the DPA so the data controller must comply with my right under section 11 of the DPA. I submitted the FCA’s response as evidence with my complaint and in the assessment, the case officer for once supported my view and wrote to the data controller and told them to comply. However, the company CEO stamped his foot and disagreed with the assessment so it went to a case review. In the case review the lead case officer had no qualms about making up a silly argument to support the company as he said:

‘I am satisfied that [The company] is likely to have complied with the DPA when sending you a renewal notice for your insurance policy. This is because there are circumstances where communications directed at an individual in relation to services offered by an organisation would not be defined as direct marketing material. In my view the renewal notice sent to you by the AA on 17 April 2012 can be characterised as a legitimate service message associated with your customer relationship with the AA. Therefore, the communication does not fall under the terms of section 11 of the DPA’.

Utter nonsense! How is it possible for someone to get the role of a lead case officer without understanding what constitutes direct marketing? It’s outrageous when you consider the thousands of direct marketing complaints the ICO receives each month. This is another example of where a lead case officer has concluded in a case review that a promotional communication was a service message and as such did not constitute direct marketing. Mr Arnold has since confirmed that there’s no such thing as a service message that bypasses the definition of direct marketing.

This is also a good example that demonstrates how companies walk all over the ICO’s case officers. Based on the facts of the case the view given in the assessment is likely to be correct. But when the company challenged the view, the lead case officer simply caved in and made up a load of nonsense in the case review to support the company. This is outrageous but what do you expect when case officers are unqualified to argue their case with legal professionals? This case highlights the total and utter failure of the process.

This case is flawed because there’s no such thing as a promotional service message that bypasses the definition of direct marketing given at section 11(3) of the DPA. Mr Arnold has now confirmed this.

———————————————————————————————————————————

Case 3: RCC0500824

The data controller (a comparison website) sent me unsolicited electronic marketing without obtaining my consent. According to the Commissioner’s published guidance consent is only valid if I’ve been given the option not to give it. The case officer said:

‘Privacy policies can contain more information than purely those that fall under the DPA or PECR. We cannot comment on issues that fall outside of our remit. If you choose to tick the box to accept the privacy policy then, in terms of the DPA or PECR, you are accepting the terms in which the company will process your personal data’.

Another nonsense view from a lead case officer. A privacy policy hasn’t been defined by the DPA, I’m under no obligation to read, view, accept or even visit a privacy policy and any attempt to bind me to a privacy policy will likely be unenforceable in a court of law. Furthermore, regulation 27 of the PECR states that ‘any term in a contract between a service provider and a subscriber or network provider that is inconsistent with PECR will be automatically void’. Bearing in mind that the Commissioner’s published guidance states that consent is only valid if the individual has been given the option not to give it, a data controller cannot obtain consent to target me with unsolicited electronic marketing just because I accepted their terms and conditions.

This is an embarrassingly flawed case review that has been conducted by someone who is not fit to do the job.

———————————————————————————————————————————

Case 4: RCC0483070

The data controller (an employment agency) held an actual date (day, month, year) of when they obtained my information – a date/timestamp in their information management system. They provided me with all the other information that they held about me in response to my Subject Access Request (SAR) but failed to provide this date information. The data controller then made the autonomous decision to delete my account without checking with me first. When I asked them to provide the missing date they couldn’t because they’d deleted my information. My view is that they didn’t want to tell me when they obtained my information because they were concerned that they’d held it for too long so they deleted my information so that they could then lie about the date.

My complaint to the ICO was that the data controller had failed to comply with my SAR because they had held an actual date of when they obtained my information but failed to provide it, and now they never can because they’d opted to delete my information. The company told the ICO that, as a result of an earlier investigation, they had determined that they had obtained my information in 2007, and in the assessment and case review both case officers were happy with this. I was adamant that they were wrong though, so eventually the ICO’s Group Manager, Complaints Resolution wrote to me and said:

‘We are satisfied that all the personal information held by the data controller in your case on receipt of your SAR was supplied to you. Regarding the reference to 2007, I would point to the following statement contained in the case review: “It was able to inform you of this date as a result of its earlier investigation into your complaint even though, by the time of your further enquiries, your personal data had been deleted”’.

This is nonsense! The data controller provided me with all the other information so why didn’t they provide me with the date? This wasn’t the first time that they’d dodged this question either because prior to submitting the RFA I’d asked them informally to clarify the date of when they obtained my information and they said it was from ‘an earlier application’ – no date though. Furthermore, a data controller can’t delete my information and then provide me with a date without evidence that this information constitutes my personal information. Where’s the evidence or did the ICO just take a data controller at their word again? Let me explain.

It’s often the case that an individual’s identifying information will be stored by a data controller as a record within a personnel database: members, customers, employees etc. The company’s systems will then link to the personnel database so that once they delete your personnel record, the relational database will either delete all the linked items from their systems or it will make them obsolete. The other way that data controllers tend to store personal information is as self-contained items of personal data – an e-mail for example that contains a full name and e-mail address. Thus, even if they were to delete your personnel record, it’s possible that your personal information could still exist as an e-mail, for example, on an employee’s computer. In response to an SAR, data controllers tend to provide you with the information that they hold in your personnel record; they’ll only look for self-contained items of personal information if you specifically ask them to. This is my experience having submitted many SARs.
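The distinction drawn above, between linked records that vanish with the personnel record and self-contained copies that survive it, is easy to demonstrate with a small relational database. The following Python/sqlite3 script is an added illustration written for this page; it is not code from the post or from any data controller, and the three tables, the column names and the sample rows (including the 2007 date) are constructed for the example. It builds a `personnel` table, an `applications` table linked to it with `ON DELETE CASCADE`, and a `mailbox` table holding an e-mail that carries the subject’s name and address as plain text, then shows what a subject access search finds before and after the personnel record is deleted.

```python
import sqlite3


# Constructed sample subject; not a real person or a real e-mail address.
SUBJECT_EMAIL = "a.subject@example.invalid"


def build_sample_db():
    """Create an in-memory database shaped like the scenario in the post:
    a personnel record, a linked application, and a self-contained e-mail."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # needed for ON DELETE CASCADE in SQLite
    conn.executescript(
        """
        CREATE TABLE personnel (
            id         INTEGER PRIMARY KEY,
            full_name  TEXT NOT NULL,
            email      TEXT NOT NULL,
            created_on TEXT NOT NULL      -- the date the controller obtained the data
        );
        CREATE TABLE applications (
            id         INTEGER PRIMARY KEY,
            person_id  INTEGER NOT NULL REFERENCES personnel(id) ON DELETE CASCADE,
            role       TEXT NOT NULL,
            applied_on TEXT NOT NULL
        );
        CREATE TABLE mailbox (
            id           INTEGER PRIMARY KEY,
            sender_name  TEXT NOT NULL,   -- copied, not linked: survives deletion
            sender_email TEXT NOT NULL,
            body         TEXT NOT NULL,
            received_on  TEXT NOT NULL
        );
        """
    )
    # Constructed sample rows.
    conn.execute("INSERT INTO personnel VALUES (1, 'A. Subject', ?, '2007-03-14')", (SUBJECT_EMAIL,))
    conn.execute("INSERT INTO applications VALUES (1, 1, 'Analyst', '2007-03-14')")
    conn.execute(
        "INSERT INTO mailbox VALUES (1, 'A. Subject', ?, 'Please find my CV attached.', '2007-03-14')",
        (SUBJECT_EMAIL,),
    )
    conn.commit()
    return conn


def subject_access_search(conn, email):
    """Return every record, in any table, that identifies the subject by e-mail.
    Each result is (table, row id, date held on that row)."""
    found = []
    found += [tuple(r) for r in conn.execute(
        "SELECT 'personnel', id, created_on FROM personnel WHERE email = ?", (email,))]
    found += [tuple(r) for r in conn.execute(
        "SELECT 'applications', a.id, a.applied_on FROM applications a "
        "JOIN personnel p ON p.id = a.person_id WHERE p.email = ?", (email,))]
    found += [tuple(r) for r in conn.execute(
        "SELECT 'mailbox', id, received_on FROM mailbox WHERE sender_email = ?", (email,))]
    return found


def date_obtained(conn, email):
    """The date the controller first obtained the data, taken only from records
    that still exist. Returns None once the personnel record is gone."""
    row = conn.execute("SELECT created_on FROM personnel WHERE email = ?", (email,)).fetchone()
    return row[0] if row else None


def delete_personnel_record(conn, email):
    """Delete the master record; linked rows cascade, copied rows do not."""
    conn.execute("DELETE FROM personnel WHERE email = ?", (email,))
    conn.commit()


if __name__ == "__main__":
    db = build_sample_db()
    print("before deletion:", subject_access_search(db, SUBJECT_EMAIL))
    print("date obtained:", date_obtained(db, SUBJECT_EMAIL))
    delete_personnel_record(db, SUBJECT_EMAIL)
    print("after deletion:", subject_access_search(db, SUBJECT_EMAIL))
    print("date obtained:", date_obtained(db, SUBJECT_EMAIL))
```

Run as a script, the search finds three records and a held date before the deletion; afterwards only the mailbox copy remains and `date_obtained` returns `None`, which is the point made above: a date the controller can no longer read from any surviving record is not information it holds about the subject, while copies sitting outside the personnel record are still personal data and still need to be searched for.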

The data controller told the ICO that they had obtained the year of 2007 as a result of an earlier investigation but who cares? The data controller provided this information only after they’d deleted my personnel record so it means nothing to me because it’s not based on my personal information. Not unless that year of 2007 is quoted in a self-contained bit of personal information that exists outside of the personnel record. As there was no evidence of this, and as the ICO never bothered to seek evidence, there’s nothing to support their claim that the year of 2007 constitutes my personal information. The notion that a data controller can delete my account, pluck information out of thin air and claim that it constitutes my personal information is ridiculous!

This is another flawed case review that demonstrates how case officers are willing to blindly accept a data controller at their word. In this case, the fact that the ICO’s Group Manager, Complaints Resolution also supported the view of the case officer and lead case officer only serves to demonstrate that the ICO is run by office administrators that don’t have a clue what they’re talking about.

I wouldn’t mind but it was a simple case – they held an actual date but failed to provide it – failure, and there was no evidence that the year of 2007 constitutes my personal information – failure. Information provided in response to an SAR must be based on the information that a data controller holds about you, not on what they held about you. Thus, once they’d deleted my identifying information, a data controller’s only response to my SAR is that they do not hold my information, unless they can find some self-contained personal information on one of their computers.

This case is flawed because three different levels of staff at the ICO do not fully understand the SAR process and because they opted to take the data controller at their word.

———————————————————————————————————————————

The following two case reviews were conducted by the same person who had the job title of: Team Manager – Access Rights. I can only conclude that she specialises in complaints about Subject Access Requests. Let’s see what this expert had to say.

Case 5: RCC0510441

The data controller (a marketing company) was one of a number of marketing companies that had bought and sold my personal information. I tracked down the companies one by one by issuing a Subject Access Request (SAR) to each in turn so I was aware that this company had held my information at some point before I contacted them. I think in total I’ve submitted about 80 SARs over the past four years.

In this case, because I was aware of the information that they held or had held about me, I’d already provided about five items of identifying information with the SAR – usually more than enough for any data controller to find a likely match: full name, address, e-mail, postcode etc. If a data controller cannot find a likely match based on this amount of information then they either need to reasonably conclude that I am not their data subject or ask me to provide some specific required-field information. Let me explain.

If you have a personnel database: members, customers, employees etc., where the Surname and Postcode fields are required-fields, then every single record in that database must have a Surname and a Postcode – these fields cannot be empty. And, if you want to search a database, the most efficient way to search it is to search on a required-field; in this example, Surname and/or Postcode or, more likely, a partial required-field: the first part of the postcode for example. You could search on the Mobile Phone field for example but if it’s not a required-field, then it could be empty so the phone number that you’re searching on may not exist in the database. This would be bad practice because if you were to search on a non-required field and find nothing then you wouldn’t know whether this is because you don’t hold the individual’s personal information or because you do hold their information but they didn’t enter a mobile phone number.

With this in mind, for the purpose of locating an individual in a personnel database, the data controller should always request required-field information. This is basic database management stuff.

As I’d already provided the data controller with a substantial amount of my personal information, one would reasonably have to conclude that at least one of these items of information was a required-field, yet the person who was conducting the search was unable to locate me on their system so she asked me to provide her with a phone number to search on. Now bearing in mind that I had no prior relationship with this data controller, I’m only prepared to give them the information that they need to find a match for me in their personnel database. As such, I asked them to clarify which phone number they wanted – my home or mobile. The data controller replied and said that I needed to decide what phone number to provide. I said no, you’re the data controller; you need to tell me whether you want my home phone number or my mobile phone number. The data controller wouldn’t accept this; she wanted me to decide, so we reached an impasse and I submitted a complaint to the ICO.

In the assessment, the case officer made no attempt to clarify whether or not the data controller had already searched on all the information provided before asking me for further information. Yet section 43 of the DPA states that the Commissioner can issue an information notice if he or she ‘reasonably requires any information for the purpose of determining whether the data controller has complied or is complying with the data protection principles’. The case officer simply accepted the view of the data controller – that I needed to provide more information, without bothering to clarify anything. You’ve got to be utterly clueless about the SAR process not to question why a data controller hadn’t concluded that they did not hold my information having been provided with all that information – why is she asking for more?

I submitted a case review and the lead case officer said:

‘Section 7(3) of the Data Protection Act 1998 (the “DPA”) allows an organisation to request any information that it reasonably requires to locate the information that you seek. Until it is provided with that information, the organisation is not obliged to respond to your request’.

Oh dear! It goes from bad to worse. In a nutshell, where the data controller holds my information on a personnel database there’s a process that they reasonably need to follow upon receiving an SAR. If the individual has not already provided some required-field information to search on, then they should request that information. They then do a search on the information provided by the requester to see if they can find a partial match. If they do, then they should clarify if necessary, whether or not the requester is the same person that they hold information about. Once the data controller is reasonably satisfied that the individual is the person that the information relates to, they can reasonably conclude that the individual is their data subject. They can then look to provide the information requested in the SAR.

In some cases, the data subject will want more than just a copy of their personnel record. If they were an ex-employee for example, they might want a copy of an e-mail that they sent to a colleague – the information that you seek. In which case, the data controller can rely on section 7(3) of the DPA to require the data subject to help them find that specific information. In which case, the data controller would likely ask the data subject to provide them with the name of the colleague who the e-mail was sent to, when it was sent, what it was about etc. Until the data subject provides this information, the data controller is not obliged to respond.

This process is clearly defined on page 55 of the Commissioner’s SAR code of practice. Once you’ve found a likely match for the person requesting the information the next steps are:
Step 2: Ask the requester for any evidence you reasonably need to confirm their identity.
Step 3: Ask them promptly for the other information you reasonably need so you can find the information they want.

Step 3 only occurs once the data controller has confirmed that the requester is their data subject (Step 2). Clear evidence that section 7(3) only comes into play once the data controller has established that I am their data subject. In this case however, the lead case officer has taken section 7(3) of the DPA completely out of context by applying it to the very first step of the SAR process – finding a likely match for me in the personnel database. So according to this lead case officer, I have to decide what information I need to provide to the data controller so that they can search on it to find a likely match for me. Rubbish! It’s up to the data controller to tell me what information I need to provide so that they can locate a likely match for me. I would only dictate what information to provide if I were seeking something specific and I needed to tell the data controller how to find it.

Once she’d concluded the case review with her nonsense response, I decided to provide both phone numbers to the data controller but she still couldn’t find me. The data controller tried entering the postcode again and this time she found a match for me. The data controller later admitted that she had made a mistake when initially searching on my postcode and that’s why she couldn’t find me; she had forgotten to include the space in the postcode and didn’t know how to do a partial search. She preferred to search on numbers and that’s why she wanted my phone number. The data controller was clearly at fault yet the ICO made a mockery of the process. The fact is that the data controller was incompetent and the ICO never bothered to clarify anything.

The case officer should have questioned why the data controller had failed to find a likely match for me and asked them to confirm that they’d made a reasonable effort. This would likely have prompted the data controller to search again and it’s likely that she would have found me.
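As an added illustration (my own constructed code and sample records, not the author’s or any data controller’s system), the following Python lookup searches only on required fields, normalises postcodes so a missing space cannot hide a match, and falls back to a partial search on the outward code; it also shows why a search on an optional field such as Mobile Phone is inconclusive. Record contents and phone numbers are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


# Constructed sample data: not a real controller's personnel database.
@dataclass(frozen=True)
class PersonnelRecord:
    record_id: int
    surname: str      # required field: never empty
    postcode: str     # required field: never empty, stored however staff typed it
    email: str = ""   # optional
    mobile: str = ""  # optional: may legitimately be blank


RECORDS = [
    PersonnelRecord(1, "Smith", "SW1A 1AA", "j.smith@example.org", ""),
    PersonnelRecord(2, "Smith", "SW1A 2AA", "", "07700900001"),
    PersonnelRecord(3, "Jones", "sw1a 1aa", "a.jones@example.org", ""),
    PersonnelRecord(4, "Patel", "M1 1AE", "", ""),
]


def normalise_postcode(raw: str) -> str:
    """Uppercase and drop all whitespace so 'sw1a 1aa' and 'SW1A1AA' compare equal."""
    return re.sub(r"\s+", "", raw or "").upper()


def outward_code(raw: str) -> str:
    """First part of a UK postcode; the inward code is always the last three characters."""
    compact = normalise_postcode(raw)
    return compact[:-3] if len(compact) > 3 else compact


def naive_lookup(records: List[PersonnelRecord], surname: str, postcode: str) -> List[PersonnelRecord]:
    """Exact comparison of the stored strings: the failure mode in the case above,
    where a postcode typed without its space matched nothing."""
    return [r for r in records if r.surname == surname and r.postcode == postcode]


def locate_likely_matches(records: List[PersonnelRecord], surname: str, postcode: str,
                          partial: bool = False) -> List[PersonnelRecord]:
    """Search on required fields only, normalising both sides. With partial=True the
    postcode is compared on its outward code (the 'partial required-field' search),
    returning a short candidate list to confirm with the requester instead of a
    false 'not held'."""
    want_surname = surname.strip().casefold()
    want_pc = outward_code(postcode) if partial else normalise_postcode(postcode)
    hits = []
    for r in records:
        have_pc = outward_code(r.postcode) if partial else normalise_postcode(r.postcode)
        if r.surname.casefold() == want_surname and have_pc == want_pc:
            hits.append(r)
    return hits


def optional_field_lookup(records: List[PersonnelRecord], mobile: str) -> Tuple[List[PersonnelRecord], int]:
    """Search on a non-required field. Returns (matches, blank_count): an empty
    match list with blank_count > 0 is inconclusive, because the subject may be
    held with that field simply left empty."""
    want = re.sub(r"\D", "", mobile)
    matches = [r for r in records if r.mobile and re.sub(r"\D", "", r.mobile) == want]
    blank = sum(1 for r in records if not r.mobile)
    return matches, blank


def search_conclusion(records: List[PersonnelRecord], surname: str, postcode: str) -> Tuple[str, List[int]]:
    """The conclusion a controller should reach from required-field information:
    a likely match, a candidate list to confirm, or 'not held'."""
    hits = locate_likely_matches(records, surname, postcode)
    if hits:
        return "likely match", [r.record_id for r in hits]
    hits = locate_likely_matches(records, surname, postcode, partial=True)
    if hits:
        return "candidates to confirm", [r.record_id for r in hits]
    return "not held", []


if __name__ == "__main__":
    print(naive_lookup(RECORDS, "Smith", "SW1A1AA"))            # [] : space missing, match hidden
    print(search_conclusion(RECORDS, "Smith", "SW1A1AA"))       # ('likely match', [1])
    print(search_conclusion(RECORDS, "Patel", "M1 9ZZ"))        # ('candidates to confirm', [4])
    print(optional_field_lookup(RECORDS, "07700 900999"))       # ([], 3) : inconclusive
```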

Due to the utter incompetence of both case officers and the fact that their view would require parents to submit an almost unlimited amount of information about their children to an unknown data controller, this is a seriously flawed case review. I believe that the lead case officer in this case has been promoted to a more senior role within the ICO.

———————————————————————————————————————————

Case 6: RCC0518635

I submitted a Subject Access Request (SAR) to the data controller (a mobile phone company) but on their website they required me to provide the following identifying information:

‘Proof of purchase of the SIM, not the handset (a copy of your purchase receipt for the SIM must show the mobile number). Hand written receipts can’t be accepted’.

What this means is that the data controller will refuse to comply with my SAR until I provide them with a receipt for the SIM that I had purchased years earlier. To repeat, if I can’t find that receipt the data controller will refuse to comply with my SAR.

This is without doubt an excessive request for identifying information because the Commissioner requires the data controller to be reasonably satisfied about the identity of the person submitting the request. Where the person making the request already has an account with the data controller, and if the information requested is to be posted to the requester’s address and contains no sensitive personal information, then being reasonably satisfied that the information relates to the person making the request can likely be achieved by asking that person a few simple questions about their account over the phone. The Commissioner also makes it clear in his SAR guidance that any requests for identifying information should be reasonable, yet asking for the receipt for anything in an SAR demonstrates to me that the data controller is trying to negate their obligation to comply with my SAR.

Newsflash! Commercial organisations do not want to process SARs because they are expensive and unproductive.

A note about clarifying identity. It is not the role of a data controller to strictly validate my identity in response to an SAR. They merely need to be reasonably satisfied that I am the same person that they hold information about. In my extensive experience of submitting SARs however, the overwhelming majority of companies require photo ID – a copy of a passport or driving licence. I believe that they request this information for one reason only, because they know that people are uncomfortable about providing this level of information for security reasons. Indeed, the aim of most data controllers is to avoid having to deal with an SAR. For example, the legal team for Domino’s Pizza required me to provide a verified copy of my passport or driving licence – signed by a judge, a policeman or teacher. When I told him that this was blatantly excessive, he backed down but this is what companies do and the ICO couldn’t give a toss! Where’s the policy and where are the examples of what is deemed excessive?

Millions of phone transactions are carried out each day by asking the caller a few questions about their account to verify them so why can’t data controllers do the same in response to an SAR? Obviously it’s never that straightforward but there’s no need to be so excessive. In the majority of cases a copy of a utility bill is more than enough to be reasonably satisfied. The Commissioner’s guidance is partially to blame here because it states that data controllers should validate the requester’s identity and people take that literally without bothering to read the Commissioner’s definition of validating one’s identity – see below.

I rejected the assessment as nonsense and the case review was carried out by the same person who conducted the SAR case review above – the one who now occupies a more senior role at the ICO. The lead case officer said:

‘You have stated that you have submitted a valid SAR. This does not appear to be the case as [the data controller] requires an individual to submit additional information and a fee. It appears you have not done this; therefore your SAR is not valid. A SAR is only valid once the data controller has all the information and the fee they require in order to ‘satisfy himself as to the identity of the person making the request and to locate the information which that person seeks’’.

She’s wrong of course. I submitted the SAR to a valid e-mail address so my SAR was valid. I accept that I need to provide the fee if required and comply with any reasonable request for identifying information, but failing to do this does not “invalidate” my SAR; the process merely pauses until I provide the information. This information is clearly outlined in the Commissioner’s SAR code of practice. According to the Commissioner, I can submit an SAR by e-mail and even via social media and I’m not obliged to follow a data controller’s SAR process. That’s the view of the Commissioner so why is this lead case officer saying that my SAR is not valid? Rubbish!

As for the identifying information, there’s no evidence that the lead case officer is aware that any request must be reasonable. Once again, on page 19 of his code of practice the Commissioner states:

The key point is that you must be reasonable about what you ask for. You should not request a lot more information if the identity of the person making the request is obvious to you. This is particularly the case when you have an ongoing relationship with the individual.

Did this lead case officer ever bother to read the Commissioner’s guidance or does she just call it as she sees it because Mr Arnold expects case officers to subjectively interpret the DPA regardless of what guidance the Commissioner has already provided? In what way does a receipt for a SIM constitute identifying information? The data controller has since changed this requirement on their website.

This case is a double failure of process because not only did the lead case officer deem my SAR to be invalid but she failed to conclude that having to provide a three year old receipt as identifying information was excessive. Again, there’s no evidence that this person had a clue what she was talking about. The Ombudsman is well aware of the facts of this case yet they still found nothing wrong. Let’s hope they revisit it in the appeal.

This is an embarrassingly flawed case review and I can only conclude that it was deliberate – that it was the intention of the lead case officer to deliberately abuse the process. Either that or she wasn’t fit to do the job.

———————————————————————————————————————————

Case 7: RCC0512207

The data controller (a PPI company) sent me a text to my mobile phone without identifying themselves so I replied for the sole purpose of finding out the identity of the company that sent me the text. I found the name of the company and submitted a complaint to the ICO and argued unfair data processing. The case officer concluded that this wasn’t a contravention of the DPA because a mobile phone number on its own does not constitute personal information. I had clarified previously with the data controller that they only held my mobile phone number. However, the wording of the text message invited me to take part in a no obligation PPI check so I argued that it was the data controller’s intention to obtain further personal information from me. I suspect that they can’t conduct a PPI check without obtaining my name, address, bank details etc., and the Commissioner’s guidance states:

‘The definition also allows for an individual to be identified from data together with information “likely to come into the possession” of the data controller. It will be for a data controller to satisfy himself whether it is likely that such information will come into his possession to render data personal data. This will depend largely on the nature of the processing undertaken by a data controller’.

I submitted a case review and the lead case officer said:

‘When considering whether information is likely to come into the possession of the data controller we consider the nature of the processing undertaken by the data controller and the context in which the processing was performed. In this case the nature and context of their processing was to conduct a broad direct marketing campaign to a number, usually hundreds and more frequently thousands, of people in the hope that a very small proportion of the recipients of the message would actually supply their personal data to them. In this case when sending you the message the data controller would have had no knowledge of whether you personally or anyone else would respond positively to them. Additionally, to our knowledge, they had no means of coming into possession of your personal data other than you providing it to them. Thus in our view the data controller would not have been able to determine that they would be likely to come into possession of information about you or about any other specific individual to whom the text message was sent’.

This is unfounded nonsense! Firstly, the lead case officer has a right under section 43 of the DPA to clarify the facts of the case with the data controller but he never bothered to do so. Instead he concluded, without any supporting evidence, that the processing of my phone number was part of a broad marketing campaign. The case review is immediately flawed therefore because no attempt was made to clarify the facts of the case in the case review – he had no idea how many phone numbers the data controller processed. Furthermore, the lead case officer failed to correctly identify the nature and the context of the processing undertaken by the data controller. Instead he opted to focus on the generally accepted notion that positive returns from a marketing campaign tend to be very small. Thus, while I accept that when the data controller processed my information they had no knowledge of whether I would respond positively, it’s a moot point in my view because there’s no mechanism in the DPA to recognise odds. Why would the odds of something happening have an impact on the intentions of the data controller? Why did the data controller process my phone number? They did so not just to make me aware of their service but to obtain my information. The lead case officer’s view that I had to perform an action to provide them with my information is also moot – why does that matter? Where’s the supporting policy?

In this case, the sole purpose and therefore the nature of the processing was to obtain enough information about the owner of the mobile phone number to perform a PPI check; in the hope that it might lead to a formal PPI claim where the data controller would earn a commission – their legitimate business interest. The context of the processing is that the data controller processed my phone number to send me a text that actively invited me to take part in a no obligation PPI check which would require me to provide them with my personal information. Like I say, the lead case officer failed to identify the nature and context of the processing in this case, preferring instead to focus on a generalised context without even bothering to clarify anything.

The context in this case is key because the data controller is not just sending me an unsolicited marketing text to make me aware of their PPI service; they sent me a text soliciting my personal information by actively inviting me to request a no obligation PPI check. Had the text simply been advertising a service then I’d be more tempted to agree with the lead case officer. However, in this case, the sole purpose of the processing was not to merely make me aware of the service but to obtain feedback and ultimately my identifying information. I am of the view therefore that my mobile phone number in this case constituted my personal information because the data controller processed it for the sole purpose of obtaining further identifying information from the owner of the phone number. The fact that it was unlikely that they would receive a response is moot because it’s all about the intentions of the data controller – what they expected to gain by processing the phone numbers, not the odds of the recipients providing their information.

I honestly can’t see how it can be deemed good practice to quote odds when interpreting the law. Perhaps the ICO should deem it okay for data controllers to promote their products and services to a TPS phone number without bothering to obtain consent, based on the odds that only a small minority of people will complain.

What is clear in this case is that the lead case officer is more than happy in a case review to elaborate on the facts of the case and speculate as to the view of the Commissioner without providing any supporting evidence. This is yet another example of a flawed case review. I accept that I might be wrong in this case but the lead case officer has failed to clarify the facts or support his view. Indeed, his view has not been added to the guidance on the ICO’s website and it’s been well over 12 months. At what point is the ICO going to add this subjective interpretation of the DPA to its published guidance? It won’t get added because it’s likely to be nonsense that has already been buried. On a different occasion another case officer might have a different interpretation and that won’t be published either.

———————————————————————————————————————————

Case 8: RCC0501217

The data controller (an employment agency) processed my Monster CV to send me an e-mail about a job except the e-mail contained no information about the job. I argued that the data controller had unfairly processed my information because they’d failed to satisfy a condition for processing. I argued that for their processing to be valid they would have to demonstrate a need to process my personal information to satisfy their legitimate interest of finding a suitable candidate. The assessment/case review concluded that the data controller had obtained my consent so they could rely on that to justify their data processing. The lead case officer said:

‘It is clear in this case that you volunteered your personal data to the Monster website and therefore consented to the terms of the service it provides, which includes access and use by its agents. Where an individual chooses to submit their personal data to a website for this purpose, it is clear that they are actively consenting to their data being processed in this way’.

According to this lead case officer then, not only did I give my consent to justify Monster’s processing of my information, but every single company that pays to use Monster’s services can also rely on my indirect consent to justify their processing of my information. And does that mean that those third party companies can pass my indirect consent to their third party companies and so on? So that in the end, just because I ticked a box to accept a company’s terms and conditions I’ve “clearly” given my consent to potentially thousands of companies that I’ve never heard of to process my information? Seriously? So according to the ICO, there’s nothing wrong with an employment agency paying to access the Monster CV database and simply targeting the millions of registered candidates with a job alert for a Cruise Manager. They’re not required to satisfy a legitimate interest of finding a suitable candidate so they’re not required to search for keywords, to filter the results and review the filtered CVs because they can rely solely on consent? They can simply spam millions of people can they? I’m not having that! Where’s the policy?

I think this is a great example to explain why the Commissioner is of the view that data controllers shouldn’t rely solely on consent to justify their data processing.

If a data controller can rely solely on consent to justify their data processing, and if consent can clearly be obtained contractually, then the ICO needs to update the Commissioner’s guidance to reflect this view because, as it stands, there’s clearly a contradiction. This case is flawed because the lead case officer’s view is incompatible with the published view of the Commissioner and no attempt has been made to update the published view.