Bitter Chocolate

Sep 29, 2021 | Data Protection, FOI, Freedom of Information, ICO

Just before Christmas 2021, as a thank you gift to 254 staff for their hard work after a challenging year (not my words, but those of the Information Commissioner’s Office), someone in the ICO used their corporate credit card to buy them all a box of chocolates from Hotel Chocolat. I cannot tell you who this was, as ICO refused to tell me. I cannot tell you who the more senior person who approved the purchase was, as the ICO also refused to tell me that. The ICO has apparently confirmed to me that someone was disciplined over the matter, as they have refused to give me information about who got disciplined, rather than saying they don’t hold any data or refusing to confirm or deny whether they do. I suspect that this was an accident.

When financial information was published in February 2021, the redoubtable Chris Stokel-Walker revealed that the purchase showed up amongst the other spending. ICO promised to investigate, and like most people, I imagined that after a ponderous interlude, it would be revealed that the expenditure was nothing more sinister than a calorific Christmas bonus (which indeed it was), and we’d all move on. What I didn’t know at the time is that the ICO commissioned an external legal firm to investigate at an ultimate cost of £23,027.

Some overenthusiastic applicants on What Do They Know immediately made FOIs demanding to know the outcome of the investigation, even though it had plainly just started. I was tempted to ask some awkward questions, but decided to wait – Wilmslow rarely does anything fast. And then I forgot about the whole thing until July. Confident that even the ICO could get to the bottom of a single credit card purchase in five months, I asked various questions via FOI – was the investigation complete? If not, when would it be finished? Who made the purchase? Did someone more senior approve it? Was there any disciplinary action? Were any changes made as a result?

ICO refused all of my requests under section 36(2)(c) of FOI, the prejudice to the effective conduct of public affairs exemption. And here lies the first of two serious matters that this story raises for me. ICO used this exemption on the trigger-happy WDTK crew in February, and then again with me for all of my questions. They argued that their internal investigation would be impaired if they provided any information, and that the public interest favoured withholding because of the need to allow “internal investigations to occur and conclude in a way which does not pre-empt findings from the investigation or deny any staff the right to due process”. A quirk of S36 is that it can only be used when the Qualified Person agrees that it applies; the QP for the ICO is the Commissioner herself, Elizabeth Denham.

I can’t decide whether describing an investigation that has been outsourced to independent solicitors as “internal” is just an unfortunate turn of phrase or is deliberately misleading. However, now I know that they did it, I think it’s unlikely that Forbes’ ability to get to the bottom of a single credit card purchase would be hindered by telling me that they were doing so, by confirming whether or not the investigation had ended, and if not, when they thought it might. It’s bizarre that ICO threw so much money at investigators who they judge to be so fragile, they could be derailed by such banal disclosures.

When I asked for an internal review, I specifically asked for confirmation that the ICO hadn’t just recycled the S36 opinion obtained for the February refusals – this mattered because my request was different to those and was made months later when the issues might have changed. Despite the ICO’s own policy on internal reviews saying that complainants’ representations should be considered, there was no mention of this issue at all in their reply.

Exasperated at the ridiculousness of the still ongoing investigation, I made an additional request in August, asking how much all of this had cost. The sweet irony is that I know that the ICO doesn’t generally do time recording (due to previous people asking similar questions), but it seemed like a reasonable request to make, so many months in. The ultimate revelation of Forbes’ involvement and how much money they trousered is God Tier ICO Nonsense.

Both the internal review and 2nd request were delayed by several weeks. I regret to say that I believe ICO deliberately sat on their replies to both until the investigation was concluded so they could issue a statement and try to put a lid on it. I hope Chris’s excellent follow-up story thwarts that plan.

I don’t believe that the ICO’s use of S36 is valid here, especially not for some of the questions I asked. But there’s something else about this story that leaves a bitter taste. The ICO is bloated with directors, executive directors, deputy commissioners, and various other overpaid corporate automatons. They spend millions of pounds on the top layer of senior decision-makers. And yet, faced with a single breach of financial policy, whoever brought in Forbes plainly decided that nobody in the organisation could be trusted to get to the bottom of it. None of the lawyers or auditors, non-exec directors, not a single person is capable of finding out exactly how someone didn’t buy thank-you gifts in the entirely appropriate way.

This is a serious verdict – ICO allegedly regulates both data protection and FOI, but is at the same time subject to both. Being able to investigate itself competently and objectively is an inherent part of the ICO’s day job. What does it say about the ICO’s view of itself that the senior people don’t actually have confidence in the organisation to do so? Given the choice, they farm scrutiny out to pricey lawyers instead. That’s what they think of themselves.

I’m not saying they’re wrong. The management class at the ICO is seemingly so inert, it turns out they need a corporate policy to tell them that their staff might like to be thanked for hard work, and are so incapable of saying so competently, they need an ‘e-thankyou’ template on the ICO intranet to assist them in doing so. When reading the ‘Recognition at the ICO’ document, released to one of the WDTK requesters, I wondered about asking for the template, or for information about how many staff had received one of the bronze, silver or gold lanyards, doled out in recognition of long service. I wonder how many staff have enjoyed a non-alcoholic sandwich lunch in ICO HQ with a member of the Executive team to reward them for some particularly good work; up to 10 colleagues can be invited, and it will be organised in a way “respecting religious and cultural differences in the provision of refreshments and entertainment”. Plainly, nobody is taking any risks with the ICO’s brewery-based piss-up skills.

But what’s the point? I’ll appeal the S36 decision because it’s wrong and though I have little expectation of a fair hearing from the complaints people, I might want to roll the dice in the Tribunal. But further FOIs will only reveal that the ICO is a silly, badly-run, fundamentally unserious organisation, and I already know that. I don’t know how you fix a regulator that is so broken it can’t trust itself to investigate a credit card receipt, especially in the context of a government who want to neuter it still further and a new Commissioner who has never worked in the UK DP world, and has no experience of regulating FOI in any context.

But if someone at the ICO would like to pay me over the odds to investigate that for them, they’re welcome to give me a call.