Blog

Thousands of children’s futures were jeopardised by a salesman who blagged his way into a job running state schools, a tribunal has revealed.

When Johnson Kane co-founded the Education Fellowship Trust in 2012, he presented an impressive CV suggesting he was more than up for the job.

He claimed the Government had put him on the board of the British Airports Authority before it was privatised, that he had run a venture capital bank and that he was high up in John Lewis, when in fact he was a shop floor salesman.

Mr Kane, 67, earned a £160,000 salary for six years as chief executive of the trust, which collapsed after leaving five schools with disastrous exam results and millions of pounds in the red.

In 2017 the trust became the first in the country to give up all of its schools, after several failed inspections damaged the prospects of 6,500 students.

Files from an Information Rights Tribunal released this week show the Department for Education’s (DFE) failure to check Mr Kane’s credentials or handle whilstleblower disclosures properly.

Internal emails showed Government officials couldn’t verify the qualifications he had in 2014, but they sat on their hands until it was all too late.

One message said the DfE had ‘taken this as far as they can’ and would need Mr Kane’s written consent for a more in depth check, the Times reports.

An Information Rights Tribunal allows people to appeal against the Information Commissioner’s Office if their Freedom of Information requests have not been answered.

Mr Kane did work for the BAA as a commercial services director for 18 months having lied about his qualifications, but he was never on the board, the tribunal heard.

Former personnel director for the BAA John Mills told the tribunal how something about his claims didn’t add up.

He said: ‘The lies included naming a secondary school he had not attended and falsely claiming educational exam results.’

In 2014 the trust’s co-founder Sir Ewan Harper, who played an instrumental role in the academies policy in Tony Blair’s government, stood down from his post.

The decision to quit came after the Department for Education found ‘unusual payments’ and that Sir Ewan’s daughter had been working for a press officer.

They also found the trust had been renting its offices from his wife.

After the trust’s eventual downfall regional schools commissioner Martin Post forged a deal which meant all 12 of the trust’s schools were in the hands of central government.

Mr Kane got to stay in his job for one more year while new sponsors were found for the schools in Wiltshire, Northamptonshire and Berkshire.

The DfE said: ‘The Education Fellowship Trust has now closed. Since the introduction of regional schools commissioners, the department’s processes for sponsor approval have been strengthened, while senior appointments are a matter for academy trusts.’

Finding and retaining staff is an inevitable expense of business, for all but the humblest garage start-up.

A study at U.C. Berkeley found that hiring a new employee can cost as much as $4K without counting salary. That figure rises to $7K for employees at the level of management or specialized professionals. Even in the best-case scenario, a successful hire still leaves a dent in the company’s bottom line for a while. An unsuccessful hire just wastes that money and forces you to start over again. This is one of the most cost-focused arguments to run a background check.

Criminal history, liability, and your company

It is only natural for anyone applying for a position to present their best face to you. It is up to you to vet a candidate and find out if their history includes criminal convictions which would make them a risky proposition. But beyond that, being negligent in employing someone in a sensitive position can expose you to liability from other employees, customers, or the public. Some examples of scenarios where a company can be liable for a bad hire include:

• DUI (Driving Under Influence) history in a driving position

• Theft/embezzlement /financial fraud in a position that will handle money

• Identity theft in a position that will have access to customer data

• Assault/violent record placed in a public-facing position

• Sex offender in a position that’s part of a team

Any of these kinds of cases can be brought into court as charges that your company is liable for damages as a result of your negligence. This is a negative outcome on top of the damages or losses to your company and the cost of hiring a new person to fill that position.

Checking credentials

It would seem that proving a candidate’s educational credentials would be a simple matter of viewing a diploma, but that’s not the case. There are several ways in which academic certifications can turn out to be fake. Diplomas can be obtained from a diploma mill, or they can be outright counterfeit forgeries.

Above that, there is such thing as fraud and corruption in academic circles, as well as student fraud such as purchased essays or bribed university officials. A little scrutiny and investigation into the background check process can root out at least some attempts at academic falsification. Paying attention to any red flags raised in the credentials check can save you the later embarrassment of hiring an impostor in a professional position.

Company reputation

We live in an age of easy information access, where one critical Yelp review can sink your company’s reputation. While customers can freely gossip about your employee’s service, sites like Glassdoor are also available for prospective candidates to check your reputation on the employment-end. If you are unlucky enough to have an incident where one co-worker had an unpleasant experience with an improperly vetted hire, future candidates might shy away from applying to your company.

Harvard Business Review reports that a bad reputation costs a company an extra 10% for all future hires. Once word gets out that your company has bed hiring practices, it becomes that much harder to attract the talent you need. This is an unavoidable reality when the job market is competitive. All other metrics being equal, people like to work at a job where they feel safe and secure.

Job seekers tend to avoid companies with aspects like a high turnover rate, which is also a symptom of low-quality hiring.

Conducting a background check

As an employer, you’re responsible for compliance with all laws regarding fair hiring practices. This is simple enough if you stick to some common-sense rules:

• Always inform the subject that you are running a background check on them

• Get their signature on the release form

• Do not make considerations that could be construed as discrimination against race, gender, orientation, or beliefs

• Remember that in criminal matters, an arrest, mugshot, or trial means nothing without a conviction

• Give the candidate a fair chance to answer for your findings

A one-on-one sit-down is recommended with the candidate. Everyone is different and few people are without a single questionable incident on their record. Your candidate might be able to clear up misunderstandings in their record.

There are even some cases where you can have a bad mark on your record that you weren’t aware of, thanks to identity theft or simple clerical errors. Going over the candidate with the results can help illuminate the undisputed truth of their record.

The Indian government finally introduced its Personal Data Protection Bill in Parliament on Dec. 11, 2019, after more than two years of fierce debate on the bill’s provisions. Rather than pushing to immediately pass this hugely significant bill, India’s minister of information technology, Ravi Shankar Prasad, referred it for scrutiny to a joint parliamentary committee. After the committee publishes a report on the bill, it will then be debated in the Indian Parliament—and, given the huge majority the ruling coalition has in both houses, likely passed—in 2020.

This bill has implications far beyond India, as the country seeks to develop a comprehensive data governance framework that would affect virtually any company attempting to do business in India. India—thanks to its population size, gross domestic product and influx of new internet users—has a unique ability to exercise leverage over multinational tech companies and shape global policy.

As many countries begin to construct data governance regimes, this bill will have an important role in shaping the regulation governing today’s increasingly data-driven geopolitical landscape. All the while, the bill contains some elements of the protectionist and authoritarian-leaning data policies that are cropping up around the world as some countries attempt to curtail the global and open internet.

What are the main takeaways from the bill, and how do they impact global geopolitics and data policy?

A Brief History of the Bill

The narrative around data protection in India reached a crescendo during the hearings in the K.S. Puttaswamy vs. Union of India (2017) “right to privacy” case. In a landmark verdict, a nine-judge bench of the Supreme Court of India affirmed the right to privacy as a fundamental right.

During the case, the Indian government set up an expert committee to devise India’s data protection framework. After a public consultation on a white paper, the committee submitted a draft Personal Data Protection Bill and an accompanying report interestingly entitled “A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians.” Ultimately, the Personal Data Protection Bill was introduced into Parliament in December 2019.

The Bill’s Foundations

What are the stated motivations behind the law? The bill’s preamble identifies three key focal points:

• “[T]he right to privacy is a fundamental right and it is necessary to protect personal data as an essential facet of informational privacy[.]”
• “[T]he growth of the digital economy has expanded the use of data as a critical means of communication between persons[.]”
• “[I]t is necessary to create a collective culture that fosters a free and fair digital economy, respecting the informational privacy of individuals, and ensuring empowerment, progress and innovation through digital governance and inclusion.”

Not explicitly mentioned is that the bill was developed through continued engagement and consultation with a host of stakeholders. These interests included Indian law enforcement’s desire to access U.S.-stored data during investigations and an aversion to so-called data colonialism by large Western technology firms—a grievance against large-scale collection of Indian citizens’ data by Western companies.

What’s in the Bill?

Many of the consent-related provisions in India’s data protection bill sound quite similar to those enshrined in the European Union’s General Data Protection Regulation (GDPR). According to the new Indian bill, to collect personal data, those entities classified as data fiduciaries must obtain consent from the individuals whose data is in question. Data fiduciaries are essentially any entity determining the “purpose and means of processing personal data,” a wide definition that could encompass everything from ride-sharing apps to social media platforms to data brokers that buy and resell customer data.

Data collectors are also subject to various new reporting requirements. For example, the bill imposes additional requirements, such as a requirement to obtain parent or guardian consent for the collection of data belonging to children.

That said, the legislation’s text does carve out a number of exceptions for when data fiduciaries may not have to obtain consent in order to collect personal data on Indian citizens. For instance, there are consent exemptions for state or other entities complying with court orders, enforcing the law, providing public benefits or services, and treating medical emergencies. There are other “reasonable purpose” carve-outs for situations like whistleblowing, mergers and acquisitions, credit scoring, and the operation of search engines. Europe’s GDPR, by comparison, also contains consent exemptions in areas such as law enforcement data access and functions related to taxation, but the exemptions in India’s draft bill are defined a bit more vaguely.

The legislation also contains provisions giving rights to “data principals,” those about whom data are being collected, to request information from data fiduciaries about what is being collected on them. Similarly, data principals are given rights to correct or erase data stored by the fiduciary—a “right to be forgotten,” like in the GDPR. Data principals will also have the right to view the data itself in a clear and portable manner, with the data presented in a “structured, commonly used and machine-readable” format.

These protections demonstrate that the Indian government is interested in both safeguarding the rights of Indian data principals and chipping away at the gross power imbalance that currently exists between large technology firms and individual Indian citizens around data collection. But, again, it remains to be seen how that relationship will play out when it comes to individuals and the government, not just individuals and corporations. For example, the numerous vaguely defined exemptions on data regulation could potentially enable forms of surveillance, when government organs deem collection and use pertinent to state functions. 

In fact, the biggest concern about the bill among academics and activists is the exemptions granted to the government for data collection. Section 35 states that exceptions can be made to collection rules, reporting requirements, and other requirements whenever the government feels that it is “necessary or expedient” in the “interests of sovereignty and integrity of India, national security, friendly relations with foreign states, and public order.” Most importantly, “necessary or expedient” has replaced the “necessary and proportionate” standard for government processing of data. The latter was a recognized standard in Indian constitutional and international law. Just last year, the right to privacy ruling had stated clearly that any intrusion into the right must be authorized by law, conducted in accordance with procedure established by law, and be necessary and proportionate to the objective being sought. The use of the term “necessary or expedient” does not impose an obligation to undertake the balancing act between the intrusion and the objective, thereby augmenting the government’s surveillance powers. This leaves a gaping regulatory vacuum around surveillance law in India and fails to adequately protect citizen privacy, as there are no clear rules that govern government use of data.

In a bid to regulate social media corporations, marking a departure from both the GDPR and the 2018 draft of the bill, the most recent bill proposes the creation of a special class of significant “data fiduciaries” known as “social media intermediaries.” These are defined as entities whose primary purpose is enabling online interaction among users (and does not include intermediaries that enable business transactions or access to the internet, or that are in the nature of search engines or encyclopedias). Essentially, a “data fiduciary” is a social media company. The bill includes vague language that stipulates that social media intermediaries allow for the voluntary verification of their accounts by any users who use their services from India or register from within India. However, the proof users need to submit to the social media intermediary to verify their accounts is unclear. No other country has the provision for a voluntary verification mechanism of this nature. 

Despite adding layers of regulatory obligations, the revised version of the bill does provide some cheer to foreign technology companies. After protracted lobbying and pushback from foreign companies, diplomats, and heads of state (including President Trump), the bill narrowed the scope of a data “mirroring” requirement for all data, which was present in the earlier draft. This data mirroring requirement would have mandated that a copy of all data on Indian citizens be stored within India’s borders. Now, the legislation only requires that certaintypes of data must be stored in India. The first, “critical personal data,” must be stored and processedonly in India. The second, “sensitive personal information,” must be stored within India but can be copied elsewhere provided certain conditions are met. This includes a provision that mimics the GDPR’s adequacy requirement: In order for data to be copied into a country, the destination country must apply sufficient privacy protections to the data and not impede Indian law enforcement access to the data.

Localized data storage requirements are also not entirely new to India. Rather, they would supplement measures that are already in place. Most important among the preexisting protections is a Reserve Bank of India (India’s central bank) requirement for the local storage of payment data. Major technology firms such as WhatsApp Pay, Google Pay, Mastercard and other payment companies have made attempts to comply with the new Reserve Bank regulation.

Finally, the government made sure to add Section 91—a provision clarifying that it reserves the right to interpret any policies for the benefit of India’s digital economy—as long as this does not involve the use of personal data that can be directly used to identify an individual. Section 91(2) states further that the government can direct data collectors to hand over anonymized personal information or other “non-personal data” for the purpose of “evidence-based policy-making.” Little clarity has been provided on what that might entail.

Implications for India and the World

Since the bill was introduced in Parliament, the global business community has expressed disapproval over certain aspects of the proposed legislation. For example, U.S.-India Business Council President Nisha Biswal criticized the obsensibly privacy-focused bill for reaching into other areas, such as liability of social media intermediaries, that she thinks should be handled in separate legislation. Despite her reservations about legislative overreach, Biswal praised the bill for relaxing India’s data localization requirements, a move she feels would provide access to global processing and data analytics that could benefit India’s economy. Moving forward, it will be interesting to watch other responses from the international business community to the now-diluted data localization elements of the bill.

There are also business costs associated with data localization compliance that many foreign companies would prefer to avoid. There is no doubt that many companies incorporated within India, and particularly those incorporated beyond, will continue to push back against other existing data localization requirements that raise storage and processing costs. The revised data localization provision in the new bill addresses these costs as the mandate is limited to “sensitive personal data” and “critical personal data.”

Beyond purely financial concerns, some observers in the business community may have other worries about the data localization rules because these rules can sometimes create legitimate cybersecurity and national security concerns. In Russia, for example, more aggressive data localization rules have created conflicts between the Russian government and Western technology companies. The Russian government has pressured foreign-incorporated companies to store their encryption keys within Russia’s borders, as part of a broader tightening control of Russian cyberspace. This has raised concerns about elevated (and unchecked) government access to sensitive communications. In light of some concerning provisions in the draft bill about government surveillance (notably exemptions when “the security of the State” is in question), it’s possible that foreign companies may have similar concerns around local data storage in India’s case.

The U.S. has broadly supported a business-led pushback against data localization in India, purportedly for economic reasons: At the G-20 summit this past summer, a major event for global data governance, President Trump stated that “the United States opposes data localization and policies, which have been used to restrict digital trade flows and violate privacy and intellectual property protections.”

Beyond business concerns, what does India’s Personal Data Protection Bill mean for the U.S. privacy stance? 

The Indian bill mirrors and appears to endorse parts of the stance taken by the GDPR. Federal data privacy approaches in the United States have to date taken a much more laissez-faire approach to data regulation than the approach embodied in the EU’s GDPR. This perhaps reflects a fundamentally different understanding of how human rights pertains to the protection of online speech and data privacy. The U.S. largely views the protection of online data and information as less the government’s responsibility than, for example, many counterparts in the European Union. 

While its data regulation model is far more controlling, China has already looked to the GDPR as a model for building out some elements of its emerging data governance regime. India’s proposal represents yet another country attempting to model its own data governance regime on the GDPR’s privacy standards. India’s bill reflects the GDPR’s further entrenchment as the global standard on which to base early-stage data protection regulations.

For those American policymakers who would have preferred India to take a slightly different approach, it’s worth wondering how better U.S. government action on the data governance front could influence this global contestation over data access and regulation.

What does the bill mean for India’s role in the global data conversation? India is an important player in the global internet policy space. Indian government leadership is eager to position India as a global leader on democratic data regulation and has largely succeeded. India has high levels of global internet policy participation—that is, activity in the UN General Assembly and elsewhere on internet issues—and analysts have rated the nation high on its ability to influence international policy.

The introduction of a data protection bill in furtherance of a constitutionally guaranteed right to privacy is a very small step toward occupying a leadership position on democratic data governance. However, the text of the bill largely appears to be a crude amalgamation of provisions in the GDPR with authoritarian leanings. In the Indian bill, these include the enabling framework for government surveillance in the bill, which undoubtedly entrenches government power to undermine citizen privacy. Further, the blurring of the distinctions between non-personal data and personal data remain is concerning. The bill ultimately dilutes protections on individual data rights by enabling the government to access anything it feels would fit within the laid-out categories of exemptions.

These authoritarian leanings ultimately undermine India’s potential to guide emerging market economies and smaller democratic states. The bill makes India a less appealing model for those nations looking to chart out a new vision of data governance that merges the right to privacy with important civil liberties. Though some privacy-protecting measures in the bill mimic several provisions of the GDPR, the legislation needs significant revisions if India wants to be a leader in forging a democratic, privacy-protecting approach to the internet.

India’s strategic interest likely lies in ensuring that it upholds its constitutional responsibility to its populace and privileges citizen rights and economic welfare over mere business or bureaucratic interests. But—particularly due to concerning exemptions in the text of the Personal Data Protection Bill—it is not clear whether this objective is satisfied. As the Joint Parliamentary Committee starts its deliberations on the draft of the bill, it remains to be seen whether the policymaking pendulum swings the right way.

Image: Ministry of Law & Justice GODL-India