DPO Daily

Information Services

Wilmslow, Courthill House, 60 Water Lane · 12,564 followers

A daily nugget of UK GDPR or privacy info: cases, books, hints and tips for the busy DPO or IG pro (from Tim Turner).

About us

A daily nugget of UK #GDPR or #privacy info from Tim Turner (2040 Training) - interesting cases, challenging questions, plus practical hints and tips for the busy Data Protection Officer or IG professional.

Industry
Information Services
Company size
1 employee
Headquarters
Wilmslow, Courthill House, 60 Water Lane
Type
Privately Held
Specialties
UK GDPR and Data Protection

Locations

  • Primary: 2040, Courthill House, 60 Water Lane, Wilmslow SK9 5AJ, GB

Updates

  • DPO Daily

    I happened upon a service offered by a company offering “Social media screening to comply with new KCSIE guidelines”. Aspects of the Keeping children safe in education (AKA KCSIE) guidelines have proven controversial, not least paragraph 226: “... as part of the shortlisting process schools and colleges should consider carrying out an online search as part of their due diligence on the shortlisted candidates. This may help identify any incidents or issues that have happened, and are publicly available online, which the school or college might want to explore with the applicant at interview. Schools and colleges should inform shortlisted candidates that online searches may be done as part of due diligence checks.” I’m not the first to comment on this, but two things here. First is the unhelpful vagueness: do you trawl the applicant’s Instagram or not? Schools should ‘consider’ doing it as it ‘may’ help identify any incidents. It’s not a requirement (although unions think Ofsted treat it as such), but you should definitely think about it. That’s quite the can of worms you opened and then gleefully handed to me. The second issue is transparency: the guidance acknowledges that candidates need to know a check will be carried out. I agree: GDPR transparency requires that candidates are told. I can easily argue for keeping monitoring secret as part of an investigation into specific allegations, especially if there are safeguarding or criminal concerns about an existing employee. I could also justify a secret probe into a candidate where suspicions have been raised (I’ve never been involved in school recruitment, so I’ve no idea how likely that would be to happen). Leaving that aside, being transparent about general ‘social media screening’ often causes disagreements. While I think the GDPR implications are clear, I’ve been repeatedly told that telling people allows them to clean up accounts and hide their guilty secrets. 
It’s all in the public domain anyway, so where’s the harm? I persuaded one manager of the flaws inherent in this by asking them to log into their Twitter account on a screen in a meeting room and inviting their team to look at all of their likes. “Point. Taken,” she said firmly and we worked out something a bit more subtle. Of course, thanks to everyone’s favourite Apartheid Nepo Baby, Twitter likes are secret anyway. I am not saying I am definitively right here. I think the legally correct approach is transparency for general monitoring, secrecy only for specific investigations, but I am keen to hear alternative ideas, i.e. if you’re more in favour of secrecy and you’ve got a GDPR-friendly argument, comment below or message me. I’ll be polite. But as far as seeking out this kind of business goes, especially as this company cites both employees and candidates as being targets for this service, I’ve got all flavours of Nope. This should be handled carefully and intelligently, not touted at £36.99 a pop.

  • DPO Daily

    One of the main tenets of Stoicism is the dichotomy of control. At its most basic (and this has been bastardised into a thousand self-help courses), the idea is to be aware of what is within your control and what isn’t. It’s also important to understand that while some things are outside your control, how you react to them is not. Before I go any further, if these ideas sound appealing, it’s a lot cheaper to buy a few paperbacks about Stoicism than to shovel gold into the mouth of a guru who is selling you a cuddly version of Epictetus. An oft-repeated GDPR cliché is that one of its aims is “to empower individuals and give them control over their personal data”. I took that quote from the website of the European Data Protection Supervisor, but the idea is everywhere. Sometimes, it’s characterised as the main aim. There are two things I want to say about this. The first is that if it was true, the GDPR / UK GDPR does a spectacularly incompetent job of delivering. The justifications for personal data use are heavily weighted against consent – any processing necessary for a legal or contractual purpose is allowed, and even some commercial uses can be justified under legitimate interests. The individual has no meaningful control here. Even though the GDPR gives arguably enhanced rights over the previous version, controllers can legitimately refuse to provide transparency, and access in some circumstances. The ‘right to be forgotten’ doesn’t work more often than it does, while portability is severely constrained. Rectification is fairly absolute, but even then is subject to arguments about the nature of accuracy (try getting an opinion you don’t agree with rectified). Perhaps the only one with no obvious exceptions is the ability to opt-out of processing for direct marketing purposes. Unless you arbitrarily change what the definition of marketing is, as the ICO did during the pandemic to remove your right to opt out of public sector promotions.
In the light of this, campaigners, activists and DP professionals alike should exercise stoicism and recognise the limits of control. The EDPS statement isn’t true: at best, it’s a huge exaggeration. Even if you want it to be true, you have to recognise that the high-level summaries and clichés don’t reflect reality. It’s vital to understand what the GDPR actually does and work from there, rather than starting from what people say it does or what you wish it did.

  • DPO Daily

    For 75% of the UK's nations, today is a bank holiday and the end of the long summer break beckons for parents and children alike. So instead of giving you a rather earnest post about data protection and Stoicism (come back tomorrow, Epictetus fans)… DO YOU WANT TO PLAY A GAME? I'm working on more ambitious (translation: paid for) versions of this kind of thing, but today, I give you the test version of a Choose Your Own Path type exercise. If you're a dinosaur like me, you'll recognise the format immediately. If not, just start at option 1 and choose where you want to go next. Follow the path that your choices take you on and try not to lose any points. If you'd like to enjoy more interactive, scenario-based training, I'm running both SAR and FOI courses in September, and I have several others coming soon. Check the comments for more information.

  • DPO Daily

    A bit of a change of approach today: I am hoping to crowdsource some material. I have two projects on the go, both of which are aimed at a free webinar that I am planning. The first is already scheduled: I'm running a session about the red flags that indicate that a DP consultant / outsourced DPO service should be approached with caution. Any examples you can send to me of dodgy behaviour / sharp practice would be much appreciated. I won't be naming and shaming the guilty parties or identifying my sources, so feel free to send me the evidence. The second is longer term, but I'm hoping for October or November. I'd like to see evidence of legal letters sent to controllers over technical breaches: claims based on alleged cookie violations, Facebook pixels, that kind of thing. Obviously, you'd need to be very careful about what you share with me here, but I'm keen to see what the current state of the minor DP claims market is. Either way, it's probably better if you message me or email me via my company email address. Whichever subject takes your fancy, if you've got interesting material, send it my way.

  • DPO Daily

    Data Protection issues only enter the wider public consciousness occasionally, and often it’s due to nonsense. Northumbria Police weren’t prevented from retaining and sharing data about the murderer Ian Huntley. British Gas could have informed social services about a vulnerable couple who had been cut off and later died of hypothermia. In both cases, institutions trying to cover for individual decisions or poor practices tried to blame data protection and it hit the headlines. More recently, I knew the onset of GDPR was going to be bigger than I had expected when I heard jokes about reconsenting on Radio 4’s The News Quiz. I suspect that debacle was caused by new entrants into the DP sector, confused about DP consent and ignorant of PECR because the training courses they’d done didn’t cover it. Put simply: if you were sending direct marketing to individuals in 2017, you’d needed consent since 2003 when PECR came in. Opt-out consent had never been valid if you looked at what the 1995 Directive said (and you had to do that because the 1998 DPA was ambiguous). If you already had consent, you didn’t need to get it again. If you didn’t already have valid consent, you couldn’t ask for it via email because that message would be sent for marketing purposes, and you need consent for marketing purposes. But it became a form of mass delusion: I remember explaining all this to some high-profile clients who went ahead and did it anyway, despite not thinking they needed to, because everyone else was doing it. Data Protection is once again in the headlines. Non-specialists are asking me about something, and it’s seeping into mainstream news coverage. Can you guess what it is? Consent or pay. Unlike these previous examples, I don’t think anyone is to ‘blame’. There is a genuine disagreement between those who think it’s valid and those who think it isn’t. Some of this is ideological.
I saw one zealot talk about tech firms as ‘data rapists’ which shows a lack of perspective that I find remarkable, but I’ve also seen supporters incapable of accepting that companies’ ability to make profits can be curtailed. But a lot of it is a genuine and sincere debate. I know serious people (several of them lawyers) who think consent or pay can be rationalised legally. I know consultants and activists who know their stuff and think it’s unlawful. This is the second time I’ve written about this in a week so perhaps I’m overplaying its significance. I do think that consent or pay has a limited scope - many website operators won’t put any barrier in the way of seeing their content because they’re not selling ads. But high-profile sites who do are all jumping on the bandwagon and regular folk are noticing. Meanwhile, the Commissioner has been crouched on the fence for over a year; time to jump off, John, people can see you up there. https://lnkd.in/eW7X42_f

    Should you have to pay for online privacy? (bbc.co.uk)

  • DPO Daily

    I don't want to steal my own thunder as I am running a free webinar next month about this sort of thing, but it's nevertheless worth throwing out one morsel: with only a few exceptions, any organisation that displays the Information Commissioner's Office logo is dodgy. The exemptions are situations where a member of the Commissioner's staff is speaking at an event organised by the company in question, or where the Commissioner is explicitly working with them. I did not wake up this morning with the intention of starting a beef with the Digital Regulation Cooperation Forum, who are plainly using the logo with consent. But for anyone else, it's the hallmark of the grifter. The aim is obvious and sometimes explicit: to create the impression that the organisation has been approved in some way to do what it is doing by the regulator. The fact that the Commissioner does not approve anyone to do anything beyond the ongoing error of judgement that is the Sandbox should put you on notice. The only possible defence is stupidity - literally not realising that you can't use someone else's logo or copyrighted material without their permission. But it's not exactly a positive if someone's explanation is 'I don't know how basic legal ideas work'. Logo misuse isn't limited to misapplying the ICO's mark. I'm told that a famous DP consultant uses big companies' logos on their website, creating the impression that they've worked with those organisations, when in fact it's just individual staffers usually paying out of their own pocket. I don't know if this is true, but it's not hard to imagine that such recklessness will catch up with them if it is. If I was being unkind, I might wonder why - despite the hard work done by most people at the office - a company would want to be associated with the ICO right now, given that it is headed by the least accomplished and effective incumbent in the organisation's history (and yes, I do remember who Liz Denham is). 
But as long as jokers keep pretending that they have the regulator's stamp of approval, it's right to point at them and laugh. And maybe tip off the ICO's comms people. Which I might have done yesterday.

  • DPO Daily

    When I worked in the NHS, a doctor told me a story. He used X-rays and other real materials when he gave lectures, but was zealous in ensuring that the patient was anonymous. If possible, the patient would not realise that this was their case. But even with this as his intention, he would never hint at a case without the consent of the individual. Part of this was just patient confidentiality, as it should be. He would talk his patients through how he hoped to use their case and almost invariably, they were enthusiastic, pleased that their story would help to educate other professionals. But there was another side to it. He also knew of a terrible incident. A medic had given a lecture and used an X-ray. He didn’t go into detail, but my colleague told me that the feature highlighted in the image was remarkable. The lecturer thought that as he wasn’t mentioning any names or locations, the patient would be anonymous. It was just a picture of someone’s insides, albeit their insides were not as they should be. Confident he was in the clear, the speaker freestyled a bit, including some picaresque details. In the audience were some local doctors. The case was legitimately known to a few people because of its distinctiveness. As soon as they saw the X-ray, a couple of the attendees immediately knew which patient it was. And now, the lecturer was giving out all sorts of colourful details that they didn’t know. In a moment that could be a trainer’s anxiety dream, one of them interrupted him and told him to stop speaking. Even before I met my charming doctor friend, I was always careful not to tell stories that I did not have the right to tell. I’m even more wary now. If you’re using real cases, be sure that the people concerned know that you’re telling their story and how you’re telling it. I have many great tales I can’t tell because of the chance of identification, or those concerned simply want me to put a sock in it.
I say all this in preparation to share a somewhat different story with the same punchline. In a training course that was allegedly written using AI, a trainer revealed the name of a victim of sexual harassment in a course taking place in the victim's former place of work. “Psychosocial Leadership trainer Charlotte Ingham said she used Microsoft's Copilot chatbot to generate examples of psychosocial hazards employees might face at Bunbury prison, where she was delivering the course.” It was only when someone in the meeting told her that she discovered that the name was real. https://lnkd.in/gGHbdTwb

    Warning AI 'hallucinates' and 'can't be relied on' after chatbot uses real information for 'fictional scenario' (abc.net.au)

  • DPO Daily

    This is a postscript to what I wrote on Sunday, but it's worth sharing. I mentioned a case where a landlord was left with sensitive data after a tenant went bust, and both the NHS and local council arguably had an interest in the data. Both refused to accept immediate responsibility for the files, but had stern words for the landlord who they insisted had to keep it until it was all sorted. This went on for a while - I don't know what was going on, but my guess is that each side was trying to make the other collect and store the files. In the meantime, the landlord was increasingly uncomfortable about being responsible for boxes of sensitive data they never asked to deal with. The landlord received advice from an outsourced DP professional who I know, and because I used to work in local government, they wanted a second opinion about who I thought might be more responsible for the records (if anyone was). They leaned towards the council and I agreed. The DP professional read my post (hello!) and said I can share the outcome, especially as their client is quite proud of how they resolved it. On the basis of the advice that the council was the most likely candidate for inheriting the records, the landlord rang the council's data protection officer to say this: I've got all these files and I'm going to take them to a council facility. You get to choose which one. Either I deliver them to a nice safe office or I go to the tip. Where should I go? The landlord was directed to the town hall where they dropped off the files. My friend doesn't know what happened after that.

  • DPO Daily

    According to the Press Gazette, the Sun's decision to move to a 'pay or consent' model was prompted by "recent enforcement action by the UK Information Commissioner against publishers". They say in the FAQs: "we have been forced to introduce new technology to ask our subscribers to consent to the advertising cookies". I don't want to be one of those pedants who haunt every comment section correcting people who think provisional action is real, but there's an interesting point here. Way back in March, Stephen Almond portentously claimed that "our next announcement in this space will be about enforcement action". But so far, that announcement hasn't come. I doubt anyone at the Sun is confused about this, so what gives? Was the possibility of action - however hypothetical - the excuse the newspapers needed? The obvious conclusion to draw is that Almond's cookie letters have massively backfired here, despite apparently having the desired effect with most publishers. Or could this be the outcome that the Commissioner wanted? Sit on any final verdict on 'consent or pay', give the press ample time to change their online business model and then use that as an excuse to back down. We can hardly force such an important sector to change things again, I can imagine Almond saying. Cookie harms are proclaimed loudly but not backed up with a lot of evidence. I'm an outlier in being vaguely sympathetic towards 'consent or pay'. Newspapers and other content-driven websites have to be paid for somehow, so this seems like a messy but obvious compromise. If people really want to read the Sun or use Facebook and be tracked online, I think they should be allowed to make that choice even if privacy purists disapprove. I've been told several times by people who disagree with this that the Commissioner can't simply decide not to enforce the law. My friends, have you met John Edwards? That's his thing. But even given all of that, I'm not pretending it would be lawful. 
Give us consent for [EDIT] personalised ads or pay up doesn't seem like the freely given consent that the GDPR requires, and I don't see how PECR allows for any other option to justify using cookies or similar techniques. I can't imagine the ICO saying that 'consent or pay' is unlawful but they'll let it slide, but equally, in the alleged words of former Deputy Commissioner Francis Aldhouse when talking about the press in a different context: "they're too big for us". Despite Almond's sabre-rattling, it seems unlikely that his reprimand-loving boss will suddenly take on the majority of the UK press, with the possibility of Meta down the line. So as we await the Commissioner's promised verdict on all this "later in the year", I confess I have no idea what it will be. https://lnkd.in/eE2pVuMk

    Sun, Mail, Mirror, Express and Independent roll out 'consent or pay' walls (pressgazette.co.uk)

  • DPO Daily

    This is far too quick a post for such a monumental subject, but yesterday, Carole Cadwalladr wrote an apocalyptic opinion piece for the Observer about Big Tech's role in the upcoming US Presidential election. In a throwaway remark, she said this: "For a brief minute after 2016, there was an attempt to understand how these tech platforms had been used to spread lies and falsehoods – or mis- and disinformation – as we came to know them and to try to prevent it. But that moment has passed." The "brief minute" is the longest and most detailed investigation into online misinformation conducted anywhere in the world i.e. 'Operation Cederberg', the Information Commissioner's Office's probe into Cambridge Analytica and other assorted nonsense. For years, Cadwalladr and her ilk have spread propaganda about other people spreading propaganda, constantly trying to throw doubt on the inconvenient truth: that Cambridge Analytica were hype-merchants. The mind-bending technology didn't work and Brexit and Trump happened because of brutal, simplistic but effective adverts and not mind-control. Cadwalladr's problem is not that we didn't get answers; it's that she doesn't like the answers we got. I've written this post before and I suspect I will write it again: every time someone cites the Cambridge Analytica scandal, ask them to tell you what it was and ask them to show you the evidence. Because people were definitely fooled by Cambridge Analytica: the twist is, it's the people who tell you that people were fooled. https://lnkd.in/e_9YwGXA

    Inciting rioters in Britain was a test run for Elon Musk. Just see what he plans for America (theguardian.com)
