Category Archives: access to information

February 28, 2023 · 8:29 pm

FOI embarrassment

At a recent awards event, recognising high-performing Freedom of Information officers and teams (fantastic idea by the organisers/sponsors, by the way*) I gave a brief talk where I stressed that it was important to recognise how much FOI has achieved in its 23 (or 18**) years, and to remember that every day thousands of disclosures are made by thousands of public authorities. It’s very easy to snipe at bad practice, and I often do, but if we don’t acknowledge the benefits, the real opponents of FOI might start arguing for its repeal.

So. Celebrate success. Accentuate the positive. Eliminate the negative.

However.

Then you see a decision notice from the Information Commissioner (ICO), in which a large London council had refused to disclose, under FOI, information on how many enquiries (MEQs) each of its councillors*** had submitted to the council on behalf of constituents. The reason for refusal was that this was the personal data of the councillors (well, yes) and that disclosure would infringe those councillors’ rights under the data protection law (hell, no).

This isn’t time for legal analysis. It really is as extraordinary as it sounds.

Thankfully, the ICO had no truck with it (and the notice does have legal analysis).

Frankly, though, the council should be ashamed.

______________________

*I have no personal or professional interest

**The Act commenced in 2000, but the main provisions didn’t commence until 2005

***At the end of the notice there is a big hint as to the role of the person who made the request – see if you can guess

.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, Data Protection, Freedom of Information, Information Commissioner, local government

Tagged as , ,

February 10, 2023 · 7:32 pm

Campaign for Records – Democracy and Rights in the Digital Age

There’s a piece up on the Mishcon de Reya website about the launch event for this campaign, run jointly by ARA and IRMS, at which I was recently invited to speak:

https://www.mishcon.com/news/jon-baines-speaks-at-parliamentary-event-on-foi-and-records-management

Leave a comment

Filed under access to information, Freedom of Information, Information Commissioner, records management

December 18, 2022 · 10:48 am

ICO investigated potential FOI criminal offences by government departments

Under section 77 of the Freedom of Information Act 2000 (FOIA) a person commits a criminal offence if – after someone has made a request for information to a public authority, and would have been entitled to disclosure of that information – he or she

alters, defaces, blocks, erases, destroys or conceals any record held by the public authority, with the intention of preventing the disclosure by that authority of all, or any part, of the information to the communication of which the applicant would have been entitled

This is the only section of FOIA which carries a criminal penalty. It is very rarely invoked: since FOIA commenced in January 2005, there has been just one successful prosecution brought by the Information Commissioner’s Office (ICO) (and, as far as I know, only one other, unsuccessful, prosecution).

One reason for the lack of cases is that the ICO can only bring a prosecution within six months of the offence occurring. This has been identified for many years as an issue which should be addressed (but successive governments have declined to do so).

Nonetheless, a recent FOIA disclosure by the ICO reveals that in the last few years potential section 77 offences by government departments have been investigated. The request, made via the public WhatDoTheyKnow platform, was for information on “all Section 77 investigations carried out regardless of outcome for all Government departments”. In response, the ICO disclosed that

we have opened the following cases with regard to allegations of s77 allegations against Government Departments:
PCB/0013/2018 – MoJ IC/506/2020 – DWP IC/0549/2020 – Cabinet Office INV/0950/2021 – Cabinet Office.

This appears to suggest the existence of four separate investigations. In response to a request for further comment the ICO press office stated to me that none of the cases was still open, but declined to say any more. This seems to confirm that no proceedings were brought as a result of the investigations, but it is not possible to speculate on the reasons why. Nor are details available as to the circumstances under which the investigations were made.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, Cabinet Office, DWP, Freedom of Information, Information Commissioner, Ministry of Justice, section 77

Tagged as ,

November 26, 2022 · 10:59 am

Does DHSC have a compliant ROPA?

Article 30(4) of the UK GDPR requires a controller to make its records of processing activities (ROPA) available to the Information Commissioner (ICO) upon request.

ROPAs are required for most large controllers, and should include at least

  • The name and contact details of the organisation (and where applicable the data protection officer).
  • The purposes of processing.
  • A description of the categories of individuals and categories of personal data.
  • The categories of recipients of personal data.
  • Details of transfers to third countries including documenting the transfer mechanism safeguards in place.
  • Retention schedules.
  • A description of the controller’s technical and organisational security measures.

Ordinarily, in my experience, controllers will maintain a ROPA in one document, or one set of linked documents. This not only enables a controller to comply with Article 30(4), but reflects the fact that a ROPA is not just a compliance obligation, but contributes to and assists the controller in its information governance functions.

This all makes the position of the Department of Health and Social Care (DHSC) rather odd. Because, in response to a Freedom of Information Act (FOIA) request for disclosure of its ROPA, it stated that the request was “vexatious” on the grounds of the time and costs it would have to incur to respond. This was because, as the DHSC subsequently told the ICO when the latter was asked to issue a FOIA decision notice

We hold a collection of documentation across different formats which, when put together, fulfils our obligation under Article 30 of the GDPR to record and document all of our personal data processing activities…[and]…to locate, retrieve and extract all of this documentation would involve a manual trawl of the whole organisation and each document would then need to be reviewed to check for content such as personal data, commercially sensitive data and any other information that would otherwise not be appropriate to place into the public domain

For this reason, the ICO accepted that compliance with the request would be “grossly oppressive” and this, taken with other factors, meant that the FOIA request was indeed vexatious.

The ICO is tasked with regulating both FOIA and data protection law. The decision notice here notes this, and says

the Commissioner feels duty bound to note that, if the DHSC cannot comply with the request because it would impose a grossly oppressive burden to do so, it is unlikely that the DHSC would be able to provide its ROPA to the Commissioner, which is a requirement under Article 30 of the UK GDPR, without that same burden

There’s a big hint here to DHSC that it should adopt a different approach to its ROPA for the future.

But the decision notice does contain some rather strange wording. In the context of the words quoted just above, the ICO says

This decision notice looks at the DHSC’s compliance with FOIA only and the Commissioner cannot order the DHSC to take any action under any other legislation.

It is true that, under his FOIA powers, the ICO cannot order the DHSC to comply with the UK GDPR, but, quite evidently, under his UK GDPR powers, he certainly can: Article 58(2)(d) specifically empowers him to

order the controller…to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period

I am not aware of anything in FOIA, or data protection law (or wider regulatory and public law) that prevents the ICO from taking enforcement action under UK GDPR as a result of findings he has made under FOIA. Indeed, it would be rather strange if anything did prevent him from doing so.

So it does seem that the ICO could order DHSC to get its ROPA in order. Maybe the big hint in the FOIA decision notice will have the desired effect. But regulation by means of big hints is perhaps not entirely in compliance with the requirement on the ICO, deriving from the Regulators’ Code, to ensure that its approach to its regulatory activities is transparent.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, DHSC, Freedom of Information, Information Commissioner, records management, ROPA, Uncategorized

Tagged as , , ,

September 26, 2022 · 4:20 pm

Government urged to take action to protect UK citizens’ information rights

The Retained EU Law (Revocation and Reform) Bill was introduced to Parliament on 22 September 2022. The Bill sets a “sunset date” of 31 December 2023 by which all remaining retained EU Law will either be repealed, unless expressly assimilated into UK domestic law. The sunset may be extended for specified pieces of retained EU Law until 2026. A large number of UK laws which cover “information rights” appear to be caught by the Bill.

Mishcon de Reya has written an open letter to the Minister of State at the Department for Digital, Culture, Media & Sport, Julia Lopez, to highlight the risk to these laws.

Government urged to take action to protect UK citizens’ (mishcon.com)

Leave a comment

Filed under access to information, Data Protection, DCMS, Environmental Information Regulations, Freedom of Information, UK GDPR

Tagged as ,

September 23, 2022 · 8:00 am

Was the Queen’s Funeral day a FOIA “working day”?

Under the Freedom of Information Act 2000 a public authority must respond to a request for information within 20 working days. For obvious reasons “working day” does not include a bank holiday. Does this mean that for FOIA requests made before Monday 19 September 2022 (the bank holiday in recognition of the late Queen’s funeral) public authorities and requesters must add an extra day when calculating when a response to the request is due? The jury is out.

Section 10(6) of FOIA defines a “working day” as

any day other than a Saturday, a Sunday, Christmas Day, Good Friday or a day which is a bank holiday under the Banking and Financial Dealings Act 1971 in any part of the United Kingdom

And section 1 of the Banking and Financial Dealings Act 1971 says

the days specified in Schedule 1 to this Act shall be bank holidays in England and Wales, in Scotland and in Northern Ireland as indicated in the Schedule

The Schedule to that 1971 Act therefore provides a number of dates which are to be considered as bank holidays

All straightforward then? Not quite. Sections 1(2) and 1(3) of the 1971 Act go on to add that the Sovereign can effectively remove or add a bank holiday “by proclamation”, and this was the means by which 19 September was made a bank holiday.

(In passing it’s interesting to note that those sections of the 1971 Act refer to proclamations by “Her Majesty”. Clearly “Her Majesty” could not have made the proclamation. However, by section 10 of the Interpretation Act 1978 “In any Act a reference to the Sovereign reigning at the time of the passing of the Act is to be construed, unless the contrary intention appears, as a reference to the Sovereign for the time being”.)

But the question of whether the 19 September should be classed as a working day or not for the purposes of FOIA requests which were already running, might turn on the extent to which the general presumption at common law applies, whereby legislation is not intended to have retrospective effect. See, in this regard, Lord Kerr in Walker v Innospec Limited and others [2017] UKSC 47:

The general rule, applicable in most modern legal systems, is that legislative changes apply prospectively…The logic behind this principle is explained in Bennion on Statutory Interpretation, 6th ed (2013), Comment on Code section 97:

‘If we do something today, we feel that the law applying to it should be the law in force today, not tomorrow’s backward adjustment of it.’

An exception to the general rule will only apply where a contrary intention appears.

It might be said, though, that the proclamation of a bank holiday, pursuant to a statutory power, is not in itself a legislative change to which the general rule against retrospectivity applies. I’m not sure there’s a clear answer either way.

Whether public authorities should have one extra day for a FOIA request is clearly not a constitutional issue which should trouble the great minds of our generation (although I know plenty of FOI teams and officers who are judged on their performance against indicators such as response times). Nonetheless, I asked the ICO this week what their view was, and the answer that came back was that they didn’t have a settled position on the issue, but that, in the event of a subsequent complaint about whether a deadline had been met, they would take all the circumstances into account (which I take to mean that they are unlikely to criticise a public authority whichever way it decided to approach the question).

Shortly after initially uploading this post, I was contacted by someone who pointed out that the New Zealand parliament has specifically legislated to give retrospective “non-working-day” effect to its own extraordinary bank holiday. This would seem to reinforce the point about the presumption against retrospectivity unless there’s an express intention to the contrary.

So it probably doesn’t matter, and probably no one really cares. But I enjoyed thinking about it.

Leave a comment

Filed under access to information, Freedom of Information, Information Commissioner

Tagged as ,

July 25, 2022 · 1:18 pm

A day to remember

I’ve written about this oddity before, but thought it was worth saying it again, because it can catch the *cough cough* best of us out. The oddity being that a bank holiday falling in any part of the United Kingdom counts as a non-working-day for the purposes of FOIA. So, as January 2nd (or the nearest substitute day) is a bank holiday in Scotland, it is not a working day for the purposes of calculating the maximum timescale for compliance with a request made under FOIA, despite the fact that Scotland has its own Freedom of Information (Scotland) Act 2002.

What “bank holiday” means, according to section 10(6) of FOIA, is 

any day other than a Saturday, a Sunday, Christmas Day, Good Friday or a day which is a bank holiday under the Banking and Financial Dealings Act 1971 in any part of the United Kingdom

And section 1 of the Banking and Financial Dealings Act 1971 says 

the days specified in Schedule 1 to this Act shall be bank holidays in England and Wales, in Scotland and in Northern Ireland as indicated in the Schedule

The Schedule therefore provides a number of dates which are to be considered as bank holidays

All straightforward then? Not quite. Sections 1(2) and 1(3) of The Banking and Financial Dealings Act 1971 also provide that the Queen can effectively remove or add a bank holiday “by proclamation”.

As the London Gazette records, on 23 July 2021 a proclamation was made by Her Majesty, providing that

We in pursuance of section 1(3) of the Banking and Financial Dealings Act 1971, do hereby appoint …Tuesday the twelfth day of July in the year 2022 to be a bank holiday in Northern Ireland

So those calculating when FOI responses to requests made in recent weeks are due, will need to factor in this extra day.

Leave a comment

Filed under access to information, Freedom of Information

Tagged as

April 12, 2022 · 1:06 pm

Lots of FOI contempt applications in the wings

A new piece on the Mishcon de Reya site: the First-tier Tribunal is dealing with at least eight applications to certify contempt of court for failure by public authorities to comply with decision notices.

FOI enforcement starts to get serious?

Leave a comment

Filed under access to information, contempt, Freedom of Information, Information Commissioner, Information Tribunal

Tagged as ,

April 7, 2022 · 6:57 am

Open Letter to new ICO

I was delighted recently to be invited by OpenDemocracy to sign an open letter to John Edwards, new Information Commissioner, calling for more to be done to regulate FOI effectively. I’ve written many posts in the past breaking the state of FOI enforcement, so everything in the letter resonated with me. The letter has now been sent, and there are some very high profile journalists, MPs and campaigners who have signed:

https://www.opendemocracy.net/en/freedom-of-information/information-commissioner-foi-open-letter-secrecy/

Edwards has already replied, and said that addressing these concerns will be a priority for him.

Leave a comment

Filed under access to information, Freedom of Information, Information Commissioner, journalism

Tagged as , ,

February 22, 2022 · 6:03 pm

The Seepage of Information Act

Transport yourself back to January 2020 (what a different world that was). You are a journalist, or maybe just an informed citizen, and you want to know what preparations the government had made in the event Boris Johnson had lost his seat in the general election a month previously.

You make a request for this information to the Cabinet Office under the Freedom of Information Act 2000 (FOIA). You know that you should get a response within twenty working days (section 10 of FOIA says so). And you know that there is a regulator (the Information Commissioner, or “ICO”) who oversees compliance with FOIA.

What you probably don’t expect is that, 25 months on, you not only haven’t received the information you requested but you have only just had a ruling from the ICO that you are not entitled to it.

That’s how long it has taken this request to make its way through what is an unacceptably slow process. The requester made the request to the Cabinet Office on 7 January 2020. By 12 March 2020 they had had no response whatsoever, so complained to ICO. Three months later, on 16 June 2020, ICO formally told the Cabinet Office to pull its finger out. On 3 August it did, and refused to disclose the requested information, citing one of the statutory exemptions. On 22 September 2020 the requester again complained to ICO, who then took sixteen months to decide that the Cabinet Office was entitled to rely on the exemption claimed.

What follows is far from a fully thought-out legal argument, but bear with me for the purposes of polemic: Article 10 of European Convention on Human Rights says that everyone has the qualified right to receive information (as well as to impart information) without interference by public authority. Previous attempts to argue that Article 10 confers something above and beyond FOIA in respect of accessing information from public authorities have foundered, on the grounds that, in context, Article 10 doesn’t add anything to the rights in FOIA (see Kennedy, para 92 and elsewhere). But it does seem to me that if the regulatory scheme itself interposes a delay which might be, as here, 1600% longer than the original statutory timescale given to the original recipient for responding to the request, the basis might arise for mounting an argument that the scheme fails to avoid public authority interference in the Article 10 fundamental right.

Maybe I’m overreaching. Let’s just say this: it cannot be right that it takes over two years to get a response and a regulatory decision on a FOIA request. Let’s hope new Commissioner John Edwards sorts this out.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, Article 10, Cabinet Office, Freedom of Information, Information Commissioner

Tagged as , ,