Last month, the Information Commissioner, Christopher Graham, made an appearance on the Today programme. As always, Graham made big, broad, compelling points, claiming that his office needed more resources to deal with the ‘tsunami’ of complaints about the Google Right to Be Forgotten* case and stronger powers to do mandatory audits of both public and (because of some prompting from Justin Webb) private sector organisations. Graham implied that organisations refusing to volunteer for audits was part of the problem.
To be clear, I think that a properly resourced Information Commissioner is vital for a healthy democracy, both to deal effectively with FOI and to ensure some measure of protection for personal data. There is the side issue that no matter how much money the ICO has, they also need the resolve to deal with big targets, but that’s a blog I’ve written more than once. Moreover, I also think that the ICO should have been given the power to do mandatory audits for everyone. The current position (which means only Central Government has mandatory audits) is absurd. I’m not wholly convinced by the rigour of the ICO’s audit process (they have given an ostensibly clean bill of health to organisations that I know to be hopeless), but that’s again a question for another time. There is no reason why the ICO should not have the powers.
However, I was curious enough about Mr Graham’s claims that I decided to make an FOI request for two key facts: how many Right to be Forgotten complaints had been received as part of the ‘tsunami’, and which organisations had refused an ICO audit. They answered my request in two parts.
I don’t know how many complaints they have received now, but on the 18th July 2014, the Right to be Forgotten complaint tsunami numbered 12. There was a po-faced explanation for the apparent disparity between Mr Graham’s language and the actual facts: “We understand that the statement as written in your request might sound as though we had already received more complaints than this – we anticipate receiving more in the coming months as Google inform more people of the outcome of their considerations.”
It took the ICO slightly longer to answer the second part of my request, which was for the names of the organisations that have refused a voluntary audit. Bear in mind, Graham made the case that expanded audit powers were necessary because organisations refuse. In a remarkable coincidence, the ICO responded to this second question on the 20th working day, and the answer was two (if you’re interested, Staffordshire County Council and Network Rail). Again, perhaps conscious of the apparent contradiction between the Commissioner’s interview and the facts, the ICO pointed out that 75 organisations had failed to respond to a request for a voluntary audit.
There are two problems with this. Even though I agree with Christopher Graham that he needs more resources and better powers, his soundbites don’t ring true. The ICO’s head of enforcement Steve Eckersley made a good case this week for changing the threshold on PECR by pointing at the concrete effects of the Niebel decision at the Upper Tribunal. The ICO gets more complaints about PECR than the DPA and FOI combined, and those involved in the dodgy spam trade will be undeterred by enforcement notices. The ICO tried using enforcement notices on PECR breaches in the last decade, and all they had to show for it were puny fines from the magistrates – like the DPA, a conviction for a PECR breach doesn’t even go on your criminal record. Mr Eckersley’s case is sound and based on evidence, but I’m not sure about Mr Graham. Rather than jump on the Right to be Forgotten bandwagon, the Commissioner should point to the rampant inaccuracy, the black market in information, and demand resources to deal with that.
The other problem with the ICO’s response is the sleight of hand involved in the 75 non-responses. Many organisations that I train on FOI are paranoid about the ICO, fearful that any slip or mistake will bring down Wilmslow’s furious anger. Anyone who has been watching the Cabinet Office will know what a silly attitude this is, but all you need to do is look at the way the ICO handles its own FOI. They want to bolster the Commissioner’s case, so they tell me about the 75 non-responders, but they don’t feel under any obligation to tell me who they are. “These have not refused requests to be audited, and are therefore outside the scope of your request. This information is therefore offered to provide additional context for your request.” This is bullshit. Either they’re outside the scope of my request, and we’re back to the problem that Graham wants new powers because just two organisations have refused an audit, or they’re relevant to Graham’s case and my request, and I should have been told who they are. They can’t have it both ways, and using an FOI response for such ungainly spin is hardly best practice.
Needless to say, now that they have brought them up, I want to know who the 75 are, and my follow-up FOI is already receiving their attention.
* It isn’t a right to be forgotten, it’s a right to have search results removed. I should stop playing Google’s game and using the phrase, but I don’t yet have a better one.