Author Archives: Jon Baines

August 23, 2013 · 2:00 pm

Contributing to society?

Why are proponents of care:data resorting to rudeness about those who are not as convinced as they are?

When I attended the launch of MedConfidential in April of this year I was largely ignorant of the proposals to amass patient data by the Health and Social Care Information Centre (HSCIC) under the banner of care:data. I was concerned by what I heard, and I remain so: details were unclear and in many cases remain so, regarding what data will be gathered, and how, and for what purposes, and what arrangements will be to allow third party access to it, and whether or to what extent it will be anonymised, and whether patients’ consent will be sought, or assumed, or ignored.

What I did see, and was greatly impressed by, was a large group of people, from various backgrounds and roles, coming together, mostly on a purely voluntary basis (for instance, I took a day’s leave to attend), to discuss the implications of this.

The centralising and use of patient confidential data raises questions of profound importance, which don’t have easy answers: such as to what extent should people waive an expectation of privacy in order – for instance – to further medical research? These are issues which led two of my favourite bloggers to come to (digital) blows recently.

Yet earlier today I read an otherwise sensible piece on the subject (I am not saying I agree with it) by the high-profile columnist Polly Toynbee, which talked about her receiving letters from people who ask her to

investigate the dark forces planting cameras and microphones in their walls: they think I’m part of the conspiracy when I suggest this is a usually curable delusion, and their doctor is probably not part of the plot

I fail to see the relevance of this reference to people with a diagnosis of apparent paranoid schizophrenia, unless it is to draw an analogy by insinuation with

those not clinically ill [among whom] there is a growing trend to fear Big Brother and the state

This is nasty stuff, and leads one to wonder why she feels the need to resort to such a rhetorical device.

Someone who liked Toynbee’s post was Tim Kelsey, NHS National Director for Patients and Information, and former government “czar” for Transparency and Open Data. He described it as “seminal” on twitter. I’m sure Tim finds the constant questioning of the care:data plans irritating: his tweets are often replied to by people who are not as convinced as he is that it is unequivocally a Good Thing. An example of this irritation was his response to an observation by Calderdale councillor James Baker. James tweeted, in response to Tim’s “seminal” tweet

I don’t think using people’s data for research purposes without informed consent is ‘good for science’

This is unexceptional, and a fair comment. Tim’s reply* was certainly not

you can object and your data will not be extracted and you can make no contribution to society

I think that to suggest that someone who might object (in the context of a worrying lack of, er, transparency, about the details of care:data) to the extraction of their highly sensitive medical data is making “no contribution to society” is extraordinarily unfair, and, as James pointed out in reply

It’s an offensive thing to say to an elected representative who contributes a lot to society…It’s also using trying to use guilt and shame to persuade someone to partake in medical research. Unethical

I couldn’t agree more.

UPDATE:

*It appears the tweet has now been deleted. Tim did reply to James saying

offence not intended – I meant contribution to health improvement thru sharing non PID

but there’s been no explanation or apology for that original tweet

20130823-174459.jpg

3 Comments

Filed under Data Protection, NHS, Privacy, transparency

Tagged as

August 23, 2013 · 6:56 am

Pivot tables and databreaches

About a year ago I first became aware of reports of disturbing inadvertent disclosures of personal data (often highly sensitive) by public authorities who had intended only to disclose anonymous and/or aggregate data. These incidents were occurring both in the context of disclosures under the Freedom of Information Act 2000 (FOIA) and in the context of proactive disclosure of datasets. Mostly they were when what had been disclosed was not just raw data, but the spreadsheet in which the data was presented. Spreadsheet software is often very powerful, and not all users necessarily understand its capabilities (I don’t think I do). By use of pivot tables data can be sorted, summarised etc, but also, from the uninitiated or unwary, hidden. If the person who created or maintained a spreadsheet containing a pivot table is not involved in the act of publicly disclosing it it is possible that an apparently innocuous disclosure will contain hidden personal data.

Clearly such errors are likely to constitute breaches – sometimes very serious breaches – of the Data Protection Act 1998 (DPA) Those of us who were aware of a number of these inadvertent breaches were also aware that, if public authorities were not alerted to the risk a) the practice would continue and b) potentially large numbers of “disclosive” datasets would remain out in the open (in disclosure logs, on WhatDoTheyKnow, in open data sets etc). But we were also aware that, if the situation was not managed well and quietly, with authorities given the opportunity to correct/withdraw errors, inquisitive or even malicious sorts might go trawling open datasets for disclosures which could potentially be very damaging and distressing to data subjects.

It was with some relief, therefore that, following an earlier announcement by WhatDoTheyKnow, the Information Commissioner’s Office (ICO) finally gave a warning, and good guidance, on 28 June (although this relief was tempered by finding out, via Tim Turner, that the ICO had known about, and apparently done nothing about, the problem for three years). At the same time the ICO announced that it was “actively considering a number of enforcement cases on this issue”.

It appears that, according to an announcement on its own website, Islington Council is the first recipient of this enforcement. The Council says it has

accepted a £70,000 fine from the Information Commissioner’s Office (ICO) after a mistake led to personal data being released

after it

responded to a Freedom of Information (FOI) request asking for information including the ethnicity and gender of people the council had rehoused. The response, in the form of Excel spreadsheet tables, included personal information concealed behind the summary tables

Fair play to Islington for acknowledging this and agreeing immediately to pay the monetary penalty notice. And if some of the other reported breaches I heard about were as bad as they sounded £70,000 will be at the lower end of the scale.

(thanks to @owenboswarva on twitter for flagging this up)

UPDATE:

The ICO has now posted details of the MPN, and this clarifies that the disclosure was made on WhatDoTheyKnow and was only identifed when one of their site administrators noticed it.

Leave a comment

Filed under Breach Notification, Data Protection, Freedom of Information, Information Commissioner, monetary penalty notice, transparency

Tagged as , ,

August 22, 2013 · 5:28 pm

Academic Freedom and FOI

Pointed observations in a judgment which are not directly related to the matters pleaded are usually worth noting. Those in a recent case involving the PACE trial and Queen Mary, University of London, are essential reading for academics and support staff who deal with FOI

In a ruling handed down this week the First-tier Tribunal (Information Rights) (“FTT”) has upheld the Information Commissioner’s (IC) decision that Queen Mary, University of London, was entitled to rely on the exemption at section 36(2)(b)(1) and (2) of the Freedom of Information Act 2000 in refusing to disclose minutes of the Trial Steering Committee and Trial Management Groups of the Pace Trial. The trial had been set up to compare and test the effectiveness of four of the main treatments currently available for people suffering from chronic fatigue syndrome (CFS), also known as myalgic encephalomyelitis (ME), but it attracted considerable criticism from some quarters. In the words of the FTT

There has been a storm of comments about this study. There had been deeply wounding personal criticisms of individuals concerned and over the years individuals in this field of research and treatment have withdrawn from research in the face of hostile irrational criticism and threats.

The FTT found that the exemption was engaged:

it is pellucidly clear that the progress and conduct of research in this area would be hampered by the publication of minutes of meetings such as sought by this request because individuals would be less willing to engage in research, participate in steering committees, provide guidance, debate issues about the conduct of research as fully and frankly as they otherwise would; as fully and frankly as would most benefit the research and the patients it is intended to help

and the public interest favoured maintaining the exemption:

the appellant’s arguments in favour of disclosure of the minutes when so much has been made available publicly in relation to this research and been subjected to such high levels of independent scrutiny do not outweigh the considerable weight to be given to the public interest in maintaining the safe space for academic research

But the FTT then made wide-ranging and significant observations about the concept of academic freedom and its relation to FOI. The decision cites Article 13 of The Charter of Fundamental Rights of the European Community:

Freedom of the arts and sciences The arts and scientific research shall be free of constraint. Academic freedom shall be respected.

and section 202 of the Education Reform Act 1988 which places an obligation on the University Commissioners to

ensure that academic staff have freedom within the law to question and test received opinion, and to put forward new ideas and controversial or unpopular opinions, without placing themselves in jeopardy of losing their jobs or privileges they may have their institutions

and the FTT stresses the “profound importance” of academic freedom, noting that the IC has an obligation, as an emanation of the state, to give effect to Article 13. The judgment notes that the purpose of universities is to disseminate and generate knowledge and that disclosure of information is their primary purpose (“the activity which imbues the University with its moral significance”). In rather remarkable terms, the seeking of and disclosure of information (from academic institutions) under FOIA is unfavourably compared to this academic dissemination:

A parallel process of dissemination through FOIA is unlikely to be as effective or robust as the process of lectures, seminars, conferences and publications which are the lifeblood of the University. They are likely to be a diversion from the effective evaluation, publication and scrutiny of research through the academic processes. All too often such requests are likely to be motivated by a desire not to have information but a desire to divert and improperly undermine the research and publication process – in football terminology – playing the man and not the ball

One might pause to question whether this unfairly overplays the likelihood of FOIA requests being detrimental to academia, and also overstates the amount of information which is disseminated to the general public through academic research. Part of the reason for FOIA is that it enables the public to access information that public authorities specifically choose not to proactively disclose. One sees similar arguments at play in the apparent prioritising of the “transparency agenda” over FOIA disclosure.

There follows, though, a sensible suggestion for what researchers might consider at the outset of projects. With a view to the obligation to publish and maintain a publication scheme, institutions are advised that

it might well be worth considering at the start of a major project such as this setting out a publication strategy identifying what materials will be produced in the course of the project, which materials will be published and when (this will enable s22 to be considered if FOIA requests are received for such material), and which are unlikely to be published under FOIA as exemptions may be engaged

and the IC is (again with a nod to his Article 13 obligations) prompted to issue guidance on this.

Finally, the judgment suggests that the University missed a trick with this specific request

properly viewed in its context, this request should have been seen as vexatious- it was not a true request for information-rather its function was largely polemical and as such in the light of recent Upper Tribunal judgements might have been more efficiently and effectively handled if treated as vexatious

The Tribunal Judge, Christopher Hughes, has a wealth of experience in the field of academic and medical research. These are crucial observations about the relationship between FOI and academia. We already have a new exemption on its way specifically for academic research (by way of clause 19 of the Intellectual Property Bill) but this decision appears to reinforce the protection that academic research and associated information will be given from FOIA disclosure.

Postscript:

The BMJ has an article on this judgment (behind the paywall, but letters in response are here (thanks to Zuton who has commented below for drawing this to my attention).

8 Comments

Filed under Freedom of Information, Further education, Information Commissioner, Information Tribunal, Uncategorized

Tagged as ,

August 21, 2013 · 3:30 pm

Monetary penalties – focus on the breach, not the incident

The Information Tribunal’s judgment in the successful appeal by Scottish Borders Council shows that the ICO needs to focus on the contravention itself, not an incident which might arise from it

looking at the facts of the case, what did happen was in our view a surprising outcome, not a likely one

Sections 55A-E of the Data Protection 1998 (DPA), inserted by the Criminal Justice and Immigration Act 2008, provide for the Information Commissioner (IC) to serve a data controller with a monetary penalty notice (MPN) to a maximum of £500,000 if

  • he is satisfied that there has been a serious contravention of the controller’s obligations to comply with the data protection principles in Schedule One of the DPA, and
  • the contravention was of a kind likely to cause substantial damage or substantial distress, and
  • the contravention was either deliberate or the controller either knew or ought to have known that there was a risk that the contravention of its occurring and that it would be of a kind likely to cause substantial damage or substantial distress, but failed to take reasonable steps to prevent the contravention.

In its judgment, handed down today, on what is effectively* a successful appeal by Scottish Borders Council, the First-tier Tribunal (Information Rights) (“FTT”) has given guidance on, what is required in order for the IC to be satisfied that a serious contravention was likely to cause substantial damage or substantial distress. In particular, the FTT has clarified that, where the DPA talks about a “serious contravention”, the IC must focus on that, and not on any incident which might follow.

The Monetary Penalty Notice

The events giving rise to the original MPN (still currently on the IC’s website) are laid out by the FTT in the first two paragraphs of the judgment

Outside Tesco in South Queensferry there are some bins for recycling waste paper. They are of the “post box” type. On 10 September 2011 a member of the public found that one of the bins was overflowing. The material at the top, easily accessible, consisted of files containing pension records kept by a local authority (“Scottish Borders”). It turned out that a data processing company had transferred the information from hard copy files to CDs at Scottish Borders’ request. The data processor had then disposed of about 1,600 manual files in the post box bins at Tesco and at another supermarket in the town.

The police took into their possession all those files which they could reach. They then secured the bins and, with the cooperation of Scottish Borders, it was ascertained that the files concerned had now either been pulped without manual intervention or were now back in the safe keeping of the council.

The IC imposed an MPN of £250,000, finding that there had been a serious contravention of the obligation to comply with the seventh data protection principle (DPP7) which states that

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

and that, where, as here, processing of personal data is carried out by a data processor on behalf of a data controller, the latter must choose as the former one who provides sufficient guarantees in respect of its data security measures, and ensure that such processing is carried out under a suitable written contract (I paraphrase).

The contravention here was the failure by the Council to ensure that it engaged an appropriate data processor (to dispose of the pensions records) in an appropriate way (by means of an adequate contract, properly monitored and adequately evidenced in writing).

The IC said that contravention was likely to cause substantial damage or substantial distress (query, which?) to those whose confidential data was seen by a member of the public and that

If the data has been disclosed to untrustworthy third parties then it is likely that the contravention would cause further distress and also substantial damage to the data subjects such as exposing them to identity fraud and possible financial loss

Arguments and findings

The FTT found that there was a contravention. The Council had a long-standing (some 25-30 years) agreement with the data processor but it appears that the contractual arrangement was largely based on informal agreements and assurances. Although it was to an extent evidence in writing, this was still inadequate. Accordingly

the arrangements made by Scottish Borders for processing pension records in July and August 2011 were in contravention of the DPA

Further, the FTT was satisfied that the contravention was serious

the duties in relation to data processing contracts in paras 11 and 12 of schedule 1 are at the heart of the system for protecting personal data under DPA. It is fundamental that the data controller cannot be allowed to contract out its responsibilities [and] the contravention was not an isolated human error. It was systemic

However, counsel for the IC, the redoubtable Robin Hopkins, reminded the FTT that they must focus on the contravention which gave rise to the MPN. In this case, this was distinguishable from the events described in the first two paragraphs of the judgment: the contravention was the breach of DPP7, not the discovery of the data. On this basis, the FTT did not accept that the contravention had been of a kind likely to cause substantial damage or substantial distress. Evidence was taken from David Smith, Deputy IC, and the IC developed an argument focusing on the risks of identity theft, but the FTT seems to have felt that the evidence was either unconvincing (regarding the likelihood of identity theft) or still focused wrongly on what it calls the “trigger point” (the disposal/finding of the files in the bin) rather than the contravention itself. As to the latter

it seems to us that the fact that the data processor was a specialist contractor with a history of 25-30 years of dealings with Scottish Borders carries weight. He was no fly by night. The council had good reason to trust the company.

And, therefore

Focussing on the contravention we have been unable to construct a likely chain of events which would lead to substantial damage or substantial distress. What did happen was of course startling enough. Again, though, looking at the facts of the case, what did happen was in our view a surprising outcome, not a likely one.

This illustrates a fundamental point, but one, it seems, of great significance. It will, no doubt, be seized upon eagerly by any data controller in receipt of a notice of intent to serve an MPN. (It was also, I should acknowledge, anticipated by observations by Tim Turner and Andrew Walsh, both former ICO employees). However, the FTT do stress that although this case did not involve a contravention of a kind likely to cause substantial damage or substantial distress

No doubt some breaches of the seventh DPP in respect of some data might be of such a kind

What now?

I said earlier this was “effectively a successful appeal”. It was in fact an appeal on a preliminary issue (on the liability of the Council to pay an MPN) and under the Data Protection (Monetary Penalties) Order 2010 the FTT may either allow the appeal or substitute such other notice or decision which could have been served or made by the IC. The FTT’s concerns about the Council’s procedures in relation to data processing contracts were “too serious” for them simply to allow the appeal, and they are – pending discussions between the IC and the Council – considering whether to issue an enforcement notice.

Notwithstanding the outcome of those discussions, this is an important judgment to be read alongside the unsuccessful MPN appeal by the Central London Community Healthcare NHS Trust. Until an MPN case gets appealed further we will not have binding authority, but the lines are perhaps becoming a bit clearer for data controllers, and, indeed for the ICO.

There were some interesting comments and observations by the FTT on “other issues canvassed in the course of [the] appeal but which it has not been necessary to resolve”. I hope to post a follow-up about these in due course.

Leave a comment

Filed under Data Protection, enforcement, Information Commissioner, Information Tribunal, monetary penalty notice

Tagged as ,

August 18, 2013 · 10:46 am

Data Protection audits in the NHS

Do the results of an anonymous survey into data protection practices and attitudes of junior doctors provide justification for compulsory audits?

Continue reading

4 Comments

Filed under Data Protection, Information Commissioner, NHS

Tagged as ,

August 16, 2013 · 5:13 pm

An unshared perspective

Paul Gibbons, FOI Man, has blogged about data-sharing, questioning whether an over-cautious approach to sharing of health data is damaging. Paul says

What I’m increasingly worried about is what appears to be a widely held and instinctive view that any sharing of personal data – and even data that has been anonymised – is necessarily a “bad thing”.

I’ve got to say, in all the time I’ve worked in the field of information rights I’ve never come across anyone who actually thinks that, let alone articulates it (in my experience the only people who say it are those who seek to misrepresent it). The Data Protection Act 1998 (DPA) and EC Directive 95/46/EC to which it gives effect do not act as a default bar to sharing of data. There may be circumstances under which compliance with the law means that sharing of personal data cannot happen, but the converse is true – there will be times when sharing is lawful, necessary and proportionate.

Paul’s prime example of what he sees as (to adopt the title of his piece) “a disproportionate fear of ‘Big Brother’” preventing us from seeing the big picture” is the “predictable outcry” about the care:data programme, whereby the Health and Social Care Information Centre will, through the exercise of certain provisions in the Health and Social Care Act 2012, extract enormous amounts of health and social care information from local systems to centralised ones. The first step in this is the GP Extraction Service (GPES) whereby information relating to medical conditions, treatments and diagnosis, with each patient’s NHS number, date of birth, postcode, gender, ethnicity and other information will be uploaded routinely. The information will then be made available to a range of organisations, sometimes including private companies, sometimes in ostensibly anonymised, sometimes in identifiable, form, for a variety of purposes. This will happen to your medical records unless you opt-out (and if you think you’ve already done so, you probably haven’t – those who objected to the creation of a summary care record will have to go through another opt-out process). And this week we were informed that there will be no national campaign to alert patients to the GPES – the responsibility (and liability) will lie with GP practices themselves. (Anyone wanting to understand this complex and less-than-transparent process must read and follow the superb MedConfidential).

I accept that, on one view, this amassing of health and social care data could be seen as a good thing: as Paul suggests, medical research, for instance is a hugely important area. And the NHS Commissioning Board identifies the following desired outcomes from care:data

– support patients’ choice of service provider and treatment by making comparative data publicly available
– advance customer services, with confidence that services are planned around the patient
– promote greater transparency, for instance in support of local service planning
– improve outcomes, by monitoring against the Outcomes Frameworks
– increase accountability in the health service by making data more widely available
– drive economic growth through the effective use of linked data

But how realistic are these? And what are the attendant risks or detriments? Paul says

central medical records for all NHS patients…would mean that when you turned up at a hospital far from home, as I have done myself, doctors would have access to your medical records and history. Believe me, when you are in pain and desperate to be treated, the last thing that you want to do is to answer questions about your medical history

With great respect, the ideal of a centralised system whereby medics can provide emergency treatment to patients by accessing electronic records is never going to be more than a myth. Put another way – would Paul be happy trusting his life to the accuracy of an electronic record that might or might not say, for instance, whether he is allergic to aspirin? Treatment of patients is a matter of diagnosis, and emergency diagnoses will never be made solely, if at all, on the basis of records.

Security of information, and risks of identification of individuals are other key concerns. Paul says Daniel Barth-Jones identifies “deficiencies in [reidentification] studies” but I think what Barth-Jones is actually arguing is that the risks of reidentification are real, but they must be accurately reported and balanced against the likelihood of their happening.

But ultimately I have two major conceptual concerns about care:data and what it implies. The first is that, yes, I am instinctively distrusting of agglomeration of sensitive personal data in identifiable form in mass processing systems: history has taught us to be this way so I don’t see this, as Paul appears to, as a “fashionable” mistrust (and, for instance, the Joseph Rowntree Foundations’ exemplary Database State report is now over six years old). The second is that patient-medic confidentiality exists, and has existed for a very long time, for a reason: if patients are not certain that their intimate medical details are confidential, they might be reluctant to speak candidly to their doctor. In fact, they might not even visit their doctor at all.

3 Comments

Filed under Confidentiality, Data Protection, data sharing, human rights, Let's Blame Data Protection

August 15, 2013 · 9:19 am

Data Protection Act: little-known, well-known

According to Lord Justice Leveson

The UK data protection regime suffers from an unenviable reputation, perhaps not wholly merited, but nevertheless important to understand at the outset. To say that it is little known or understood by the public, regarded as a regulatory inconvenience in the business world, and viewed as marginal and technical among legal practitioners (including by our higher courts), might be regarded as a little unfair by the more well-informed, but is perhaps not so far from the truth. [page 999, of report of An inquiry into the culture, practices and ethics of the press]
But I’m not sure (thank to Gary Slapper for pointing this out)
dpa
And in fairness to Brian, he does go on to say
And yet the subject-matter of the data protection regime, how personal information about individuals is acquired, used and traded for business purposes, could hardly be more fundamental to issues of personal integrity, particularly in a world of ever-accelerating information technology capability [ibid]
Perhaps this is why data protection and its practical application appeal so much to some odd people, and why it is our littlest-known-most-requested piece of legislation.

Leave a comment

Filed under Data Protection, Leveson

Tagged as

August 14, 2013 · 4:28 pm

Take the train(ing)

IG policies are essential, but not much use if you don’t comply with them

In NHS and Social Care settings a standard requirement is that all staff are trained in information governance (a large component of which is data protection): “Information Governance awareness and mandatory training procedures are in place and all staff are appropriately trained” (IG Toolkit v11) and “Ensure all staff are trained, updated and aware of their responsibilities” (Local Government Data Handling Guidelines). If an organisation suffers a serious breach of data security, and the Information Commissioner’s Office (ICO) investigates, one of the first things they will look at is whether staff were appropriately trained. If they weren’t, enforcement action, possibly in the form of a monetary penalty notice, is highly likely.

It is vital, therefore, that all organisations have a policy that all relevant staff are trained (and in some organisations – like the NHS and local authorities – that will normally mean all staff).

But, policies only work if they are implemented, enforced and monitored. The ICO has recently published an Undertaking (the “last chance saloon” before formal enforcement action) signed by the Northern Health and Social Care Trust. This arose following an incident which

involved confidential service user information being faxed from a ward in Antrim Hospital to a local business in error. The information was intended for the Trust’s Community Rehabilitation Team. The referral form contained sensitive clinical data

Although the Trust had a “fax policy” (good) it wasn’t complied with (bad) but also 

The Commissioner’s investigation into the Trust revealed that despite the Trust having introduced what should have been mandatory Information Governance training for all staff, the majority of staff involved in these incidents had not received this training. This highlighted a potentially serious failing in respect of staff awareness of Information Governance policies. In particular, the failure to monitor and enforce staff completion of training was a concern.

This failure constituted a breach of the seventh data protection principle (“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”). It is highly likely that, if training requirements had been complied with, no action would have been (or would have been able to be) taken, because there would have been no breach.

Put simply, if a data controller can show it has complied with the seventh data protection principle, and there is an accidental data security breach – however horrendous – then (providing there are no breaches of other principles) no sanctions will arise.

It’s in every data controller’s interests not only to require appropriate data protection training for staff, but also to ensure that it has been taken.

Leave a comment

Filed under Data Protection, employment, Information Commissioner, monetary penalty notice

August 14, 2013 · 8:00 am

Poor judgement?

Public authorities need to be cautious when disclosing performance figures of their staff under Freedom of Information (FOI) laws. They need to be even more cautious when disclosing performance figures of third parties.

Imagine if your employer, or, worse, a third party, disclosed under FOI that, of all your peers, you made the most decisions in the exercise of your employment which were subsequently found to be wrong, and which had to be overturned. If in fact those figures turned out to be incorrect, you would probably rightly feel aggrieved, and perhaps question whether the failure of data quality was in fact a breach of your rights under the Data Protection Act 1998 (DPA) and of your employment rights.

That is what appears to have happened to certain judges in Scotland, according to a letter in The Scotsman today, from the Chief Executive of the Scottish Court Service. The letter points out that a previous (29 July) article in The Scotsman – “Meet the judge with the highest number of quashed convictions” (now no longer available, for obvious reasons) – was, although published in good faith, based on inaccurate information disclosed to the paper under FOI. The letter contains an apology to

Lord Carloway and Lord Hardie, who featured prominently in 
this article, for misrepresenting their position in relation to 
appeal decisions

because the erroneous disclosed statistics suggested they had had more judgments overturned on appeal than was actually the case.

Of course, the principle of judicial independence means that judges are, strictly, not employed. But as Carswell LCJ said

All judges, at whatever level, share certain common characteristics. They all must enjoy independence of decision without direction from any source, which the respondents quite rightly defended as an essential part of their work. They all need some organisation of their sittings, whether it be prescribed by the president of the industrial tribunals or the Court Service, or more loosely arranged in collegiate fashion between the judges of a particular court. They are all expected to work during defined times and periods, whether they be rigidly laid down or managed by the judges themselves with a greater degree of flexibility. They are not free agents to work as and when they choose, as are self-employed persons. Their office accordingly partakes of some of the characteristics of employment . .. [Perceval-Price v Department of Economic Development [2000] IRLR 380]

and the Supreme Court took this further in O’Brien v Ministry of Justice [2010] UKSC 34 by saying “Indeed judicial office partakes of most of the characteristics of employment” (emphasis added).

Whatever their employment status, judges’ performance figures are clearly an important matter to them, and the Scottish Court Service has a duty to maintain accurate figures (particularly when disclosing them publicly). As Wodehouse said, “it has never been difficult to distinguish between a Scotsman with a grievance and a ray of sunshine”. I imagine that the office of Mr McQueen, the day after the first article, was not filled with sunshine.

Leave a comment

Filed under Data Protection, employment, FOISA, Freedom of Information, Uncategorized

Tagged as ,

August 8, 2013 · 6:00 pm

Small Council, Big Burden

“Parish Councils are the smallest unit in our system of elected government…In rural areas their jurisdiction typically extends to a single village or perhaps two or three, depending on size…Their budget generally runs to a few thousand pounds a year…They generally employ one part – time clerk to perform secretarial and administrative tasks… Their income derives from their precept – usually a small fraction of the Council tax. Most Parish Councils probably have little experience of FOIA requests for information.”  (EA/2013/0022)

When judgment was handed down earlier this year in the key case on vexatious requests under the Freedom of Information Act 2000 (FOIA), Wikely J said

It may be helpful to consider the question of whether a request is truly vexatious by considering four broad issues or themes – (1) the burden (on the public authority and its staff); (2) the motive (of the requester); (3) the value or serious purpose (of the request) and (4) any harassment or distress (of and to staff).

The first of these comes into important focus in a recent decision by the First-tier Tribunal (Information Rights) (FTT). In Harvey v ICO and Walberswick Parish Council (EA/2013/0022) the Council had received nearly five hundred FOIA requests (from various requesters) in a two-year period  (by way of contrast, county councils (which are hugely better-resourced) will perhaps have received about 2000-3000 over a similar period). It is not clear how many of these were made by the applicant, but the judgment says she was one of four residents who made the majority of them (which appear to stemmed from planning issues). At some point the Council had ill-advisedly purported to exclude requesters from making further requests. This in itself had only generated more requests. At one point all the parish councillors resigned as a result of the stress, tension and acrimony.

The request here was of a type often called a “meta-request” (a request about a previous request). It was for information about fifty previous requests refused on the grounds of cost. This meta-request was also refused, on the basis that, per section 14(1) of FOIA, it was vexatious. The FTT noted the dicta of Wikely J to the effect that

The purpose of section 14 must be to protect the resources (in the broadest sense of that word) of the public authority from being squandered on disproportionate use of FOIA.

and applied this to the fact that the public authority in this case was a small parish council

Parish councils are not equipped to handle a torrent of FOIA requests and, we suppose, very rarely do so. If WPC was failing to handle such matters efficiently, to bombard it with an unending further stream of requests and demands seems an odd way of helping it to improve its service […] the grossly excessive burden placed upon the resources of WPC by the flood of requests, of which this was one, is the decisive consideration in any assessment as to whether it was vexatious.

A hero emerges from the judgment (no doubt the four requesters do not see her in this light): Mrs Gomm, the parish clerk. Before she arrived “FOIA issues –and probably other council functions – were not efficiently handled” but, in far exceeding her hours and “left at one stage to her own devices and with no authorised source of income for her services” she wrote “admirably clear and courteous responses, which accurately addressed the issues of law involved”, in the face of “relentlessly agressive” correspondence.

(I wonder if Mrs Gomm might have been behind the rather odd outcome to the events, whereby the parties agreed the pragmatic step of disclosing the information just before the appeal hearing (this was not, said the FTT, an acknowledgment that the request had not been vexatious).)

The judgment shows that – although all public authorities have the same obligations under FOIA-  the smaller they are, the greater the burden, and that this can come into play on an analysis of whether a request has been vexatious. The judge ends with an odd but memorably alliterative observation:

Remorseless repetition of regressive requests is not a sensible way to improve performance

Leave a comment

Filed under Freedom of Information, Information Commissioner, Information Tribunal, vexatiousness

Tagged as