On at least three occasions in the past year, a member of staff from the Information Commissioner’s Office has spoken at conferences organised under the banner of GDPR Conference or GDPR Summit. Garreth Cameron has appeared twice, and Lisa Atkinson was at the latest event on October 9th. Nothing odd about this, you would think – the ICO clearly wants to spread its message (such as it is) to a wide audience, and conferences are a way to do it. They should be wary about showing favouritism and they’re not very good at avoiding it – a certain Assistant Commissioner often appears at a certain training company’s courses, and appearing three times at one company’s commercial events comes close to being an endorsement.
But even if such regular support for a conference would otherwise be justified, in this case, I don’t think it is. It’s not easy to find out from the GDPR Summit website who is actually organises the conferences. A little bit of digging suggests that it is a company called Amplified Business Content. Amplified Business Content is also responsible for ‘GDPR Report’, which used to publish articles for free but has now gone to a subscriber model. Having an opaque company structure isn’t compliant with Data Protection because it’s not clear who the Data Controller is. Moreover, some of the material on their website is garbage – they have published quizzes with wrong answers, and harvested information without a privacy policy (though I noticed that after people on Twitter made a fuss of it, they stopped demanding email addresses to get scores on the quiz). Via GDPR Report, the organisation has pumped out reams of vague, badly-written stories including one titled ‘The Data Protection Apocalypse’ that claimed that organisations need consent for all processing – it was so bad that after a morning of criticism via Twitter and other sites, they had to delete it. Worst of all, Amplified Business Content has not notified the ICO under Data Protection – unless they are exempt (which for a conference organisation is hard to believe), this is a criminal offence.
Given that the ICO have given Amplified Business Content so much support, I wondered whether they had done any due diligence on the organisation before agreeing to speak at their events. Under FOI, I asked for the following:
Any information about due diligence carried out by the ICO before accepting invitations to speak at these events, including whether ICO staff checked if the company had a notification, and whether their materials and publications were accurate and reflected the ICO’s approach to the GDPR
Any procedure that requires ICO staff to carry out due diligence before accepting speaking engagements
The answer was that no information was held. The best they could offer was “We apply our speaking engagement policy here when making a decision whether or not to accept a request for a speaker“. Needless to say, the speaking engagement policy does not include any requirement to carry out due diligence. In other words, the fact that Amplified Business Content has not notified and has spread misleading and unhelpful information about a Data Protection apocalypse is irrelevant to Wilmslow. They’re not even expected to check whether the organisation has taken the most basic steps to comply with Data Protection law. This is remarkable, especially at a time when so many dodgy people have flooded into the Data Protection market.
Their answer to the first part of my request was more interesting, and more worrying. I asked for:
All correspondence between the ICO and Amplified Business Content or those purporting to represent GDPR Conference or GDPR Summit or GDPR Summit Europe (or other variations on the theme of GDPR Summit).
I’ve done this before, both with the Privacy Laws and Business Conference (which led to this blog) and True Swift, another organisation for whom the ICO has done several online courses. Both times, the ICO gave me detailed correspondence between themselves and the organisation, which allowed me to see, among other things, Stewart Dresner of PLB complaining that he doesn’t have special access to news about ICO activities. This time, however, the ICO has refused to give me any of the correspondence. The exemption they used is a prohibition on disclosure that applies when organisations supply data to the Commissioner when information “has been obtained by or furnished to the Commissioner under or for the purposes of the Information Acts”. In other words, ICO claims that when arranging their spots at the GDPR events, they were exercising their functions under the Data Protection Act. Needless to say, the refusal doesn’t say which function they were exercising – presumably I am expected to guess. I think the only function that could apply is the duty to promote the following of good practice under Section 51, but the idea that Parliament intended conference arrangements to be secret is a fairly bizarre idea.
Only two possibilities present themselves. The first is that the ICO’s policy is only to release material such as this with the consent of the organisation (which the prohibition allows), so PLB and TrueSwift consented to the disclosure and Amplified Business Content refused, which begs the question of what ABC have to hide. Their internal business arrangements are nobody’s business but theirs, but when dealing with the regulator, they should expect to be more open. I’ve made fun of Dresner following the disclosures, but the emails I received didn’t show him or his company doing anything inappropriate – the only criticism I’ve got is that the ICO should hold all organisations at arms length.
The other possibility is that the ICO is being inconsistent. They didn’t use this exemption before, but there is something awkward or embarrassing about their relationship with ABC that they want to cover up. Either way, it isn’t a good look for the transparency regulator to be hiding information about its dealings with a private company. The prohibition allows data controllers and public authorities being investigated for DP and FOI breaches to provide secret business information to the Commissioner with the confidence that it won’t be disclosed. This is entirely justifiable – otherwise, no organisation would ever give the ICO information they had withheld from an FOI or subject access applicant in case the applicant then tried to use FOI or DP to get it from Wilmslow.
This case is very different. The ICO has scant resources, and yet has regularly provided speakers to a commercial company with a spotty approach to Data Protection and is using the prohibition on disclosure to prevent legitimate scrutiny of their relationship. The prohibition does allow disclosures that are ‘necessary in the public interest’ – given ABC’s dissemination of scaremongering articles and possibly illegitimate non-notification, I am convinced that the public interest does support transparency here. Of course, the ICO might argue that if they disclose, this will deter conference organisers and others from approaching them – but who cares? This is far from a core activity for the Commissioner. If you’re not willing to be open in these circumstances, what has anyone involved in this got to hide?