Skip to content

Dominic Grieve: A Good Start But Misses ICO Unfitness For Purpose

Shadow Secretary of State for Justice Dominic Grieve QC MP has announced a list of proposals a future Conservative government would put into place to “reverse the rise of the Surveillance State”.

Sounds good but what are the facts behind the soundbites?  More importantly what are the omissions behind the soundbites?  What isn’t said is as important as what is.  Specifically with reference to the Information Commissioner’s Office, a body which Mr Grieve wants to give more powers to.

Those who have followed the Phorm story will no doubt be aware that the ICO is complicit in allowing Phorm and BT to get away with their secret and illegal tests as any other government department.  Perhaps even more so because it is not unreasonable to expect those charged with the guardianship of Data Protection legislation to have a decent understanding of such legislation.

Mr Grieve has failed to understand the Information Commissioner’s Office complicity.  Perhaps he doesn’t know about it.

The ICO has admitted that it is under resourced and does not have amongst its staff any Computer Science or Information Security graduates (see comment by, sadly the video from the Convention on Modern Liberty has been taken down.  I wonder why?)  The fact that the ICO did not stand up and declare Phorm’s Webwise product to be in breach of UK and EU law shows that they themselves do not have a proper understanding of the relevant legislation.  How then can they be seen as fit for purpose as things stand?

For the ICO to be taken seriously it needs to be completely overhauled.  Simply saying the status quo is fine and awarding the ICO new powers is unacceptable and narrow minded.  Those involved in and responsible for Phorm and BT being allowed to get as far as they did should be removed from the ICO.  New, independent leadership needs to be put in place.  It needs to be staffed with competent, thorough professionals capable of investigating issues more quickly and better than you and I.  A thorough education programme needs to be undertaken to ensure that there is a proper understanding of the legislation throughout the organisation.  It needs to be given the teeth to take those who break UK and EU data protection and privacy laws to task, whoever they are.

Then it needs to grow a pair so that it actually has the wherewithal to take such breaches to court.

Audits by the ICO in its current Phorm, sorry, form will be seen as nothing more dangerous than a lick from a fat labrador rather than a search by a well trained bloodhound or a ravenous Rottweiler.  Indeed, if these new audit and investigation powers mean the ICO will act as it did with Phorm then those on the wrong side of the law have nothing to fear. Now I’ve been present at places where a governing body has decided to inspect.  I’ve seen top level people nervous, twitchy and worried.  I’ve seen other staff extremely nervous, almost panicking. As if the Gestapo have moved in next door and invited themselves round to dinner.

Does the ICO generate that kind of response from those it investigates?  OFSTED does.  The Housing Corporation does.  There are lessons to be learned here.  Despite the complex nature of the Data Protection and privacy legislation it shouldn’t be rocket science to conduct a thorough investigation.

The idea that the ICO will engage in a discussion with the private sector about best practice is laughable.  Again Mr Grieve has learned nothing from the Phorm case.  Take a look at the lobbying which the EU is facing over their intention to investigate advert tracking technology.  This is the kind of thing that will happen here: all those companies in potential peril from proper enforcement of Data Protection and privacy laws will bombard and lobby the ICO.  Look at Phorm’s response to the APComms Inquiry announcement.  With its current staff lacking in any information security or computer science knowledge how will the ICO (in its current form) come to any competent judgements?  The Phorm case has shown us that it can’t.

I wrote at length to Mr Grieve and included my submission to the APComms Committee Inquiry.  It details how the ICO should be restructured and how government dealings in IT should be handled.  I also mentioned that with the exceptions of the Earl of Northesk and Baroness Miller, there had been a marked lack of Parliamentary response to the issues raised by the Phorm case.

A response was quick to come.

Thank you for your recent email to Dominic Grieve QC MP regarding the Conservative Party’s proposals to reverse the surveillance state. Your specific concerns are duly noted and had been passed to Mr Grieve for his consideration.

Do I detect a sense of “Hmm… that’s one area we hadn’t really looked at” there?  I hope this means that Mr Grieve will read my e-mail and APComms submission.  It’s interesting stuff, especially if you don’t know about the Phorm case.

Dominic today made clear at launch of the policy paper that private sector companies must be held to account if they are found to breach the law by undertaking covert surveillance or intercepting private data.

Does this mean that under a Conservative government we will see people from BT and Phorm in court to face the reckoning they deserve?  Being held to account must include full due legal process, whether a governmental department, a private company or an individual.

As outlined in our policy paper, Conservatives are committed to strengthening the role of the Information Commissioner. We believe that the Information Commissioner should be appointed by Parliament rather than the Ministry of Justice. After all, if the Information Commissioner is to be an effective guardian of the public interest against privacy intrusions by government, he cannot be appointed by government. In addition, a Conservative government would require the Information Commissioner to report directly and annually to Parliament.

Strengthening someone’s role is all well and good if they are fit for purpose in the first place.  The ICO is not fit for purpose and is not an effective guardian.  That needs to be addressed before anything else.  I’m sure that Mr Grieve will, once he has learned more about the Phorm case, understand my cautious approach to the idea of Parliament appointing the Information Commissioner.  The Home Office, Ministry of Justice and BERR departments seem to have had some dealings with Phorm.  The web of Freedom Of Information requests relating to contact with Phorm is a tangled one which the Cabinet Office do not want exposed any further.  This all seems very dirty and I get the feeling there’s a faint and unpleasant niff in the air.

Something else the new, overhauled ICO needs to be is timely, transparent and accountable for their actions.  And reporting more than just annually.  The ICO is deeply tainted by its complicity with Phorm and BT; not only must it be clean it must be seen to be clean.  That means quarterly reports at the very least.

Ultimately these proposals as they stand do not convince me that Parliament and the ICO would stop another Phorm-a-like company from coming along.  I don’t know how Eurosceptic Mr Grieve is but whether he is or not, it must grate hugely that the EU is standing up to protect UK internet users’ privacy because this “government” and the ICO failed in their duties.

In conclusion this is a promising start but the surveillance state covers government and private companies.  The ICO is not up to holding any kind of discourse with the private sector.  Until that is remedied and strengthened there is not enough of a safeguard to prevent another Phorm-a-like company coming along.  How Mr Grieve amends these proposals in light of the Phorm case will determine how serious the Conservatives are about privacy and personal data protection.

Published ingovernmentInternetparliamentaryPoliticsprivacysurveillance state