NADPO event – some free spaces on request

NADPO, the membership association for information rights professionals, which I’ve chaired for some years now, is holding the latest in its online lunchtime webinars next Tuesday.

We’re delighted to be joined by Professor Kirstie Ball of St Andrews University, who will be talking on the theme of “Worker monitoring and surveillance: Psycho-social risks and organizational justice” and by Dr Ben Worthy, Senior Lecturer in Politics at Birkbeck College, University of London on “Resistance and undermining of FOI”.

Attendance is free for members, but we generally allow a few free tickets for those who are interested in the topics, and who may be interested in joining NADPO. Please contact me (chair at NADPO dot co dot uk) if you would like to request a place.

Leave a comment

Filed under Uncategorized

COVID booster messages and the law

GET BOOSTED NOW Every adult needs a COVID-19 booster vaccine to protect against Omicron. Get your COVID-19 vaccine or booster. See NHS website for details

On Boxing Day, this wording appears to have been sent as an SMS in effect to every mobile telephone number in the UK. The relevant government web page explains that the message is part of the national “Get Boosted Now” campaign to protect against the Omicron variant of COVID-19. The web page also thanks the Mobile Network Operators for “their assistance in helping deliver the vitally important Get Boosted Now message”.

It is inevitable that questions may get raised raised about the legality of the SMSs under data protection law. What is important to note is that, although – to the extent that the sending involved the processing of personal data – the GDPR may apply (or, rather, the UK GDPR) the relevant law is actually the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”). Under the doctrine of lex specialis where two laws govern the same situation, the more specific rules will prevail over more general rules. Put another way, if the more specific PECR can justify the sending of the SMSs, then the sending will also be justified under the more general provisions of UK GDPR.

Regulation 16A of PECR (inserted by a 2015 amendment), provides that where a “relevant communications provider” (in this case a Mobile Network Operator) is notified by a government minister (or certain other persons, such as chief constables) that an “emergency” has occurred, is occurring or is about to occur, and that it is expedient to use an emergency alert service, then the usual restrictions on the processing of traffic and location data can be disregarded. In this instance, given the wording on the government website, one assumes that such a notification was indeed made by a government minister under regulation 16A. (These are different emergency alerts to those proposed to be able to be sent under the National Emergency Alert system from 2022 which will not directly involve the mobile network operators.)

“Emergency” is not defined in PECR, so presumably will take its definition here from section 1(1)(a) of the Civil Contingencies Act 2004 – “an event or situation which threatens serious damage to human welfare in a place in the United Kingdom”.

The effect of this is that, if the SMSs are legal under PECR, they will also be legal under Article 6(1)(c) and 6(1)(e) of the UK GDPR (on the grounds that processing is necessary for compliance with a legal obligation to which the controller is subject, and/or necessary for the performance of a task carried out in the public interest).

There is an interesting side note as to whether, even though the SMSs count as emergency alerts, they might also be seen as direct marketing messages under regulations 22 and 23 of PECR, thus requiring the content of the recipient before they could be sent. Under the current guidance from the Information Commissioner (ICO), one might argue that they would be. “Direct marketing” is defined in the Data Protection Act 2018 as “the communication (by whatever means) of advertising or marketing material which is directed to particular individuals” and the ICO defines it further by saying that this “covers any advertising or marketing material, not just commercial marketing. All promotional material falls within this definition, including material promoting the aims of not-for-profit organisations”. Following that line of thought, it is possible that the Omicron SMSs were both emergency alerts and direct marketing messages. This would be an odd state of affairs (and one doubts very much that a judge – or the ICO, if challenged on this – would actually agree with its own guidance and say that these SMSs were indeed direct marketing messages). The ICO is in the process of updating its direct marketing guidance, and might be well advised to consider the issue of emergency alerts (which aren’t covered in the current consultation document).

[Edited to add: I don’t think what I say above necessarily covers all the legal issues, and no doubt there are aspects of this that could have been done better, but I doubt very much there is any substantive legal challenge which can be made.]

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under communications data, consent, Data Protection, Data Protection Act 2018, GDPR, Information Commissioner, PECR, UK GDPR

Reporter uses FOI to lift anonymity order

Here’s a remarkable example of good use of Freedom of Information (FOI) law. Tanya Fowles, a reporter covering courts in Northern Ireland, has successfully applied to lift a reporting restriction order, originally made in the magistrates’ court, which prevented her naming a person convicted of causing a child to engage in sexual activity.

The court appears to have imposed the original order because of a perceived risk to the defendant’s safety, based on evidence given by a police officer, who is reported to have told the court that

It’s a small, rural community. The family would be well-known. I think he would be easily identified. I know of incidents recently where paedophile hunters have gone to houses and attacked individuals. I am aware that is prevalent within the area, or certainly was last year. They have turned up at houses and one was arrested for assault. After that there was a bit of a lull, but I believe they are still active in the area.

However, Fowles then made an FOI request to the Police Service of Northern Ireland, which revealed that, far from such incidents being prevalent, police had only attended seven incidents in the entire County Armagh area during 2019/20, resulting in a single report of assault but zero prosecutions. This evidence was accepted in the county court (to which the case had been transferred) and the reporting restriction order was lifted.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Freedom of Information, Open Justice, journalism, crime

ICO fails at FOI

I won’t rehearse the points I made in previous posts. Enough to say this – the Information Commissioner’s Office (ICO), in addition to being tasked with regulating Freedom of Information (FOI) law, must also comply with it, and anecdotal evidence suggested a long-standing failure to do so adequately (prior to, as well as during the COVID pandemic). That being the case – to whom should other public authorities look for exemplary guidance? Or put even more shortly – why should public authorities bother with compliance?

I now have some statistics.

I asked the ICO, under FOI, how many FOI cases it had failed to respond to within three months of their receipt (bear in mind that one month is the statutory limit). They have now told me that in 92 cases in the past year they have failed to respond to an FOI request within three months. Some cases are still open – in one, they have failed to reply to a request for 951 days and counting (I don’t know, and am almost beyond caring, whether these are calendar days or working days – it barely matters any more), and five cases are over a year old and still unanswered.

As I said previously, the ICO says that FOI enforcement may be appropriate where there are “repeated or significant failures to meet the time for compliance” and that, when deciding to take enforcement action, the ICO will take into account such factors as “the severity and/or repetition of the breach; whether there is evidence that obligations are being…persistently ignored; whether there would be an educative or deterrent affect; whether it would help clarify or test an issue; and whether an example needs to be created or a precedent set”.

A clearer case for (self-)enforcement action could scarcely be imagined.

Outgoing Commissioner Elizabeth Denham is handing her successor John Edwards a severe problem, both in terms of compliance but also – crucially – in terms of reputation of the office.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Freedom of Information, Information Commissioner, access to information, rule of law

“Access delayed is access denied” – ICO’s terrible FOI compliance

Statistics show that the ICO is regularly delayed – sometimes very severely so – when responding to FOIA requests made to it. Is there a need for a review of the ICO’s own compliance?

The Information Commissioner’s Office (ICO) is tasked with regulating and enforcing the Freedom of Information Act 2000 (FOIA). The ICO is also – perhaps unusually for a regulator – subject to the law it regulates (it is a public authority, listed in Schedule One to FOIA). This means that – sometimes – the ICO must investigate its own compliance with FOIA. It also means that its own compliance with FOIA, and the seriousness with which it treats its own compliance, is bound to be viewed by other public authorities as an example.

FOIA is, let us not forget, of profound democratic importance. The right to receive information is one of the components of Article 10 of the European Convention on Human Rights. Information Commissioner Elizabeth Denham has previously said

openness of information, through FOI laws and other instruments, is vitally-important not only for government accountability in the moment, but also for the long-term health of our democracy… since information is power, the right to information goes to the heart of a democracy’s healthy functioning.

FOIA lays down timescales for complying with a request for information. The core one says that information must in general be provided within twenty working days. In that same speech Ms Denham referred to timeliness (“It is rightly said that access delayed is access denied”) and the benefits of publicising delays by authorities:

Reporting publicly on timeliness has proved to be a powerful tool for improving timely disclosure of information. And public authorities have used their poor grades to push successfully for more resources where the demand has outstripped supply.

Indeed, she has previously taken government departments to task for their FOIA delays

I think that central government though has got away with – I’m not going to say murder – I think they’ve got away with behaviour that needs to be adjusted…I know which organisations we need to focus on…

The ICO certainly has enforcement powers, and a policy which informs it when action is appropriate. The Freedom of information regulatory action policy (which doesn’t appear to have been updated since 2012) says that enforcement may be appropriate where there are “repeated or significant failures to meet the time for compliance” and that, when deciding to take enforcement action, the ICO will take into account such factors as

the severity and / or repetition of the breach; whether there is evidence that obligations are being deliberately or persistently ignored; whether there would be an educative or deterrent affect; whether it would help clarify or test an issue; and whether an example needs to be created or a precedent set.

With all of this in mind, one organisation the ICO apparently needs to focus on is itself.

Regrettably, and rather oddly, the ICO doesn’t publish figures on its own FOI compliance, except at a very high level, and combined with other types of access requests, in its annual report). This is despite the fact that the Code of Practice issued under section 45 of FOIA, observance of which the ICO is specifically tasked with promoting, says that public authorities with more than 100 members of staff should published detailed statistics on compliance.

However, what evidence there is indicates a repeated, and serious, failure by the ICO to comply with the timescales it is supposed to enforce on others. Of the formal decision notices issued by the ICO against itself, in 2020 and 2021, 50% (10 out of 20) found a failure to comply with the statutory timescale (and two further ones appear – from an analysis of the notices – to have involved delay, without resulting in a specific finding of such). And it is worth noting that these are formal decisions where requesters have asked for formal notices to be issued – it is almost inevitable that there will be similar delays in a significant proportion of those requests which don’t make it to a formal decision.

Indeed, analysis of recent requests to the ICO made on the request website WhatDoTheyKnowsimilarly shows delays in approximately half the requests. But even worse, many of those delays are of an extraordinary length. In two cases, requests made in February 2021 have only been responded to in November – delays of ninemonths, and in other cases there are delays of six, four and two months.

COVID has – no doubt – affected the ICO, as it has affected all organisations. But if the ICO needs extra resource to comply with FOIA, it has certainly not indicated that. Its published approach to regulatory compliance during the pandemic (not updated since June this year) says that where public authorities have backlogs, the ICO expects them to “establish recovery plans focused on bringing the organisation back within compliance with the Freedom of Information Act within a reasonable timeframe”. In the accompanying blogpost the Deputy Commissioner said that

we have seen more and more organisations adjusting to the circumstances, and returning to offering the transparency…our [own] recovery plan has had a positive impact in removing and reducing backlogs

If that is the case it is hard to know why the WhatDoTheyKnow examples (and one’s own experiences) show precisely the opposite picture.

What is also of concern – though this is an issue for policy-makers and Parliament – is that there is nothing that an individual can do when faced with delays like this, except complain – once more to the ICO. FOIA expressly does not permit individuals to take civil action against public authorities for failure to comply – the only recourse is through the ICO as regulator. Short of bringing judicial review proceedings, citizens must just suck it up.

In 2016 the Independent Commission on Freedom of Information said that FOIA was “generally working well”, but that it “would like to see a significant reduction in the delays in the process”. In 2016, that was not addressed at the ICO, but now it most certainly could be. That Independent Commission has long been dissolved. Meanwhile, the Public Administration and Constitutional Affairs Committee is conducting an inquiry into the Cabinet Office’s FOI handling. 

But, maybe, there actually needs to be some Parliamentary oversight of the ICO’s own FOI compliance.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Freedom of Information, Information Commissioner, transparency, human rights, access to information, rule of law

What John Edwards will inherit

The new Information Commissioner will have a lot on his plate. I’m going to focus very briefly on what is, objectively, a very small matter but which, to me, illustrates much about priorities within the ICO.

On 29 July I happened to notice an Information Tribunal decision which I thought was slightly odd, in that apparently both the Tribunal, and the Commissioner beforehand, had dealt with it under the Freedom of Information Act 2000 rather than the Environmental Information Regulations 2004, despite the subject matter (a tree inspection report) appearing to fall squarely under the latter’s ambit.

However, the decision notice appealed (referred to as FS5081345 in the Tribunal judgment), does not appear on the ICO’s searchable online database (in fact, no decisions relating to the public authority – the mighty Great Wyrley Parish Council – are listed). It’s unusual but certainly not unheard of for decision notices not to get uploaded (either by overlook, or – occasionally – for other, legal reasons) but in the past when I’ve asked for one of these, informally, it’s been provided by return.

So I used the ICO’s online Chat function to ask for a copy of the decision notice. However, I was told I had to submit a request in writing (of course I’d already done so – the Chat function is in writing, after all, but let’s not quibble). I said I was concerned that what was a simple request would get sucked up into the ICO’s own FOI processes, but the person on the Chat thought I would get a response within a couple of days.

Those who’ve stayed this far into the blogpost will be unsurprised to hear what happened next – my simple request got sucked into the ICO’s own FOI processes, and more than seven weeks on (more than three weeks beyond the statutory timescale for responding) I have still had no response, and no indication of why not, other than the pressure the FOI team is under.

And that last point is key: if the ICO’s own FOI caseworkers are under such pressure that they cannot deal with a very simple request within the legal timescale, nor update me in any meaningful way as to why, something has surely gone wrong.

At a recent NADPO webinar Dr Neil Bhatia spoke about his own difficulties with getting information out of the ICO through FOI. He (and I) were challenged by one of the other speakers on why we didn’t more regularly take formal action to force the issue. It was a fair point, and prompted me yesterday to ask the ICO for a formal decision under section 50 of the FOI Act (which means the ICO will have to issue an FOI decision notice on whether the ICO handled an FOI request for an FOI request in accordance with the law – and that sentence itself illustrates the ridiculousness of the situation).

This isn’t the only FOI request I have that the ICO is late responding to. I have one going back to May this year and another to June (albeit on rather more complex subjects). And I know that I and Dr Bhatia are not alone.

All the fine talk from the current Commissioner about forging international data protection accords, and encouraging “data driven innovation” can’t prevent a perception that her office seems increasingly to have left FOI regulation (and in some cases its own FOI compliance) behind. The right to access information is (part of) a fundamental right (just as is the right to data protection). If the ICO doesn’t want the role, is it time for a separate FOI Commissioner?

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, Environmental Information Regulations, Freedom of Information, Information Commissioner, Information Tribunal, rule of law

NADPO events

Just a very quick blogpost to highlight that, since earlier this year NADPO (of whom I am Chair), has been running monthly online webinars for members on the third Tuesday of each month (with a break in August).

The latest event will take place on Tuesday 21 September, with speakers Sophie Van der Zee on “The power of personalised deception detection – Is Trump lying or just wrong?” and Dr Neil Bhatia on “Enforcing the enforcer? – The ICO orders the ICO to respond to an FOI request!”

Further details are available on the NADPO website.

Leave a comment

Filed under Uncategorized

DCMS admits reappointment of Elizabeth Denham was unlawful

A post by me on the Mishcon de Reya website.

Leave a comment

Filed under Uncategorized

ICO calls for global cookie standards (but why not enforce the law?)

The outgoing UK Information Commissioner, Elizabeth Denham, is calling on G7 countries to adopt her office’s new “vision” for websites and cookie consent.

Her challenge to fellow G7 data protection and privacy authorities has been issued at a virtual meeting taking place on 7 and 8 September, where they will be joined by the Organisation for Economic Cooperation and Development (OECD) and the World Economic Forum (WEF).

Denham says “There are nearly two billion websites out there taking account of the world’s privacy preferences. No single country can tackle this issue alone. That is why I am calling on my G7 colleagues to use our convening power. Together we can engage with technology firms and standards organisations to develop a coordinated approach to this challenge”.

What is not clear is whether her vision is, or can be, underpinned by legal provisions, or whether it will need to take the form of a non-enforceable set of standards and protocols. The proposal is said to mean that “web browsers, software applications and device settings [should] allow people to set lasting privacy preferences of their choosing, rather than having to do that through pop-ups every time they visit a website”. The most obvious way of doing this would be through a user’s own browser settings. However, previous attempts to introduce something similar – notably the “Do Not Track” protocol – foundered on the lack of adoption and the lack of legal enforceability.

Also unaddressed, at least in the advance communications, is why, if cookie compliance is a priority area for the Information Commissioner, there has been no enforcement action under the existing legal framework (which consists primarily of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (or “PECR”)). Those current laws state that a website operator must seek consent for the placing of all cookies unless they are essential for the website to function. Although many website operators try hard to comply, there are countless examples of ones who don’t, but who suffer no penalty.

Denham says that “no single country can tackle this alone”, but it is not clear why such a single country can’t at least take steps towards tackling it on domestic grounds. It is open to her to take action against domestic website operators who flout the law, and there is a good argument that such action would do more to encourage proper compliance than will the promotion or adoption of non-binding international standards.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under cookies, Data Protection, Information Commissioner, marketing, PECR

ICO ignores its own FOI investigators

In the past I recall a few cases where the Information Commissioner’s Office (ICO) had to adjudicate on its own compliance with the Freedom of Information Act 2000 (FOIA). As a public authority, the ICO must comply with FOIA in the same way that all other public authorities must (fundamentally, by responding to a request within twenty working days). In a few cases, the ICO’s investigation of itself would even be slightly critical (along the lines of “you could have handled this a bit better”). But I have never, until now, seen a case like this one.

Extraordinarily, here we have a decision in which we see the ICO (as “the Commissioner”) berating itself (as “the ICO”) for…failing to reply to its own investigators. The notice gives the details:

On 18 May 2021, the complainant wrote to the ICO…and requested information…

The ICO acknowledged the request for information on 19 May 2021…

To date, a substantive response has not been issued…

The complainant contacted the Commissioner on 19 June 2021 to complain about the failure by the ICO to respond to his request…

On 5 July 2021, the Commissioner wrote to the ICO, reminding it of its responsibilities and asking it to provide a substantive response to the complainant within 10 working days…

Despite this intervention the ICO has failed to respond to the complainant.

As the notice says (indeed, as all such notices say), failure to comply may now result in the ICO making written certification of this fact to the High Court pursuant to section 54 of the Act and may be dealt with as a contempt of court. How on earth would this work though? As a matter of law, could a regulator certify its own non-compliance to the High Court in this way?

What a bizarre situation.

Leave a comment

Filed under access to information, Freedom of Information, Information Commissioner