Quis custodiet ipsos custodes?

by | Aug 2, 2023 | Uncategorised

I’ve often written about the delusion that data protection applies only to private data – there’s nothing to support that in the GDPR and some specifics to show that the opposite is true. But it’s still tricky for some to deal with the idea that data protection applies to data in the public domain.

If, for example, I put information out into the public domain, other people can obviously read it and I can’t complain about that. I can block individual people (and I have) but generally, if I publish something, others can read it.

What else can they do? Can they specifically monitor what I in particular say? Can they monitor responses to a particular account? The answer to both questions is – in my opinion – yes. In both cases, the information is public and it’s hard to imagine how you would fail on legitimate interests.

But if you’re targeting specific people, I equally don’t see how you get out of your transparency obligations. I made an FOI request to the Commissioner asking whether his office monitors social media accounts and what the transparency position is.

The ICO monitors social media for several purposes: responding to their own accounts, monitoring FOI compliance (e.g. looking for complaints about non-compliance) and crucially “to find news which is relevant to or likely relevant to our work”.  The Commissioner has a series of saved searches that they rely on for that final purpose.

  • Tweets to John Edwards Twitter account.
  • Tweets that mention “the ICO”.
  • Tweets that include the ICO’s site link.
  • Tweets that mention “ICO registration letter” or “data protection fee”.
  • Tweets from the tech journalists list* [a specific named list] that include the following phrases: “#journorequest”, “journo request”, “journo requests”, “PR request”, “#PRRequest”, “DMs open”, “get in touch”, “data protection”, “GDPR”, “FOI”, or “privacy”.

While “FOI, “journo” and “request” tagged posts are unlikely to contain personal data, those that mention the ICO, GDPR or privacy might well contain people’s personal stories and data. By definition they’re putting them into the public domain but the Commissioner is actively seeking the content.

The Commissioner also disclosed an excerpt from meeting minutes where a number of FOI notables are named by Warren Seddon as being worth monitoring to see what they’re saying about FOI. Again, there is a possibility that this will result in the Commissioner gathering personal data.

There are two problems here: the first is that the Commissioner doesn’t mention this monitoring in his privacy notice. He only mentions active engagement with his office. I think this means that what the Commissioner’s active monitoring is unlawful because it’s invisible processing.

This is especially important for the second issue. The Commissioner’s staff are actively monitoring John Edwards’ Twitter account. Edwards’ position is that his social media accounts are personal; his LinkedIn bio goes a bit further but his Twitter account is plainly not badged as official.

Whether the holder of a Corporation Sole role can ever have a personal account is debatable, but if his office is actively monitoring interactions with it in secret, I think the idea that it isn’t an official account is untenable. But because he claims it’s not, I don’t think anyone would expect it to be monitored by his staff.

20 years ago when I worked for the Commissioner, I suggested to a more senior colleague that in the run-up to FOI’s implementation, the office should seek to be an exemplar on matters such as FOI and records management. He was dead against it; we should just act like any other public body.

I disagreed then but this is worse. Even if only in a low-impact way, the Commissioner is breaking the laws he is notionally supposed to be regulating. I know that Edwards’ homeopathic approach to enforcement is something we have to live with now, but he’s not even keeping his own house in order.

A list of named journalists are subject to direct monitoring; anyone who interacts with Edwards’ lame jokes and passive-aggressive customer service complaints may be captured. To do this without letting people know is unfair and untransparent. A competent regulator would do better.