Category Archives: access to information

EIR you sure you got that right?

Someone said they’d read this post if I wrote it. That’s miles more encouragement than I normally need, so here goes.

The other day, Tim Turner’s FOIDaily account pointed out how, after twenty-odd years, some public authorities still fail to identify when a request for information should be dealt with under the Environmental Information Regulations 2004 (EIR), rather than the Freedom of Information Act 2000 (FOIA). An example was given of the Information Commissioner’s Office (ICO) identifying where a public authority had got this wrong.

As any fule kno, the two laws operate in parallel to create a regime for access to information held by public authorities, and it’s Regime 101 for a public authority to be able to know, and identify, when each applies. But, in short, if requested information is on, for instance, “measures (including administrative measures), such as policies, legislation, plans, programmes, environmental agreements, and activities affecting or likely to affect…the state of the elements of the environment, such as air and atmosphere, water, soil, land, landscape…” then the EIR, and not FOIA, apply.

I pointed out in the comments to the FOIDaily post that I’d seen a case where everyone, from the requester, to the public authority, to the ICO, to the First-tier Tribunal, had failed to deal with a case under the correct scheme.

This was it.

The case was about a request to a district council for information about whether a councillor had (in a private capacity) been required to pay any money to the council in relation to a fly-tipping incident or incidents. The request itself even referred to the Environmental Protection Act 1990, which was a very big hint that environmental information might be at issue.

What appears to have happened is that everyone jumped to the issue of whether disclosure of the requested information would contravene the councillor’s data protection rights. As most similar discussions take place in relation to the provisions of section 40 FOIA, the public authority, the ICO and the Tribunal (and presumably even the requester) all appear to have gravitated towards FOIA, without asking the correct first question: what is the applicable law? The answer to which was, clearly, EIR.

Regulation 13 of the EIR deals with personal data, and is cast in very similar terms to section 40 FOIA. It is, then, strongly arguable that, given that similarity, both the ICO and the Tribunal would have arrived at the same decision whichever regime applied. But Parliament has chosen to have two separate laws, and this is because they have a different genesis (EIR emanate from EU law which in turn emanates from international treaty obligations). Additionally, where all things are otherwise equal, the EIR contain an express presumption in favour of disclosure (something that is not the case in relation to personal data under the FOIA regime – see Lord Hope’s opinion in Common Services Agency v Scottish Information Commissioner).

As Tim implies in his post, the EIR have always been seen as somehow inferior, or subservient, to FOIA. No doubt this is because they are in the form of secondary legislation, rather than statute. This is more an accident of history, rather than of constitutional significance, and is never going to be relevant in most practice. But if the ICO and the courts continue to miss their relevance, it shouldn’t be that surprising that some public authorities will also do so.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.


Verging on contempt

Where the Information Commissioner serves a decision notice on a public authority, under section 50(3)(b) of the Freedom of Information Act 2000 (FOIA), it is a legal notice and a failure to comply may be treated by the High Court (or in Scotland, the Court of Session) as if the authority had committed a contempt of court. It is, therefore (and to state the obvious) a serious matter not to comply. The process involves the Commissioner “certifying” to the court that there has been a failure to comply.

Yet, a recent FOIA disclosure by the Information Commissioner’s Office (ICO) reveals that it currently has two such cases where it has referred non-compliance by one particular public authority to its own solicitors to initiate (or at least consider) certification proceedings. The rather remarkable thing is that the public authority in question is the government department with overall responsibility for FOIA policy – namely, the Cabinet Office.

The disclosure reveals no more in the way of detail – we do not know what the cases relate to, or what the current progress is (other than that court proceedings have not yet commenced). However, it is very rare for a case actually to proceed to certification (in fact, I can only recall one case relating to a s50(3)(b) decision notice, and that was instead certified to the High Court by the First-tier Tribunal under section 61 of FOIA (as it applied then)).

It is worth pointing out that it doesn’t necessarily follow that, if there were a finding of contempt, sanctions would be imposed. Although a committal application or fines are, in principle, available, the Court could merely make a public finding that the Cabinet Office had breached the obligation to respond to the decision notice, but impose no further punishment.

Over the years the Cabinet Office has been subject to much criticism for its approach to FOIA – some of it, quite frankly, fully justified. However, there have been encouraging signs of improvements more recently, with its response to the “Clearing House” review, and its setting up of an Information Rights User Group (of which I am a member), although the latter has not fully kicked off yet, as far as I can understand.

However, it is a terrible look for the primus inter pares of government departments, and the one which holds the brief for FOIA policy, to be faced with potential contempt proceedings for failure to do what the law, and the regulator, requires it to do. Although the original FOIA request to the ICO was not mine, I’ll be interested to see if any updates are given.


Arbitrary criminality and data protection

It shouldn’t be too controversial to state that to commit a criminal offence is a serious matter: although there are – obviously – different levels of severity, certain acts or omissions are so injurious to society as a whole that they warrant prosecution.

The majority of infringements of data protection law are not criminal offences, but, rather, contravention of civil law. But there are a few offences in the statutory scheme. Section 132 of the Data Protection Act 2018 (DPA) is one such. It says that it is an offence for the Information Commissioner, or a member of his staff, to disclose information

which—

(a) has been obtained by, or provided to, the Commissioner in the course of, or for the purposes of, the discharging of the Commissioner’s functions,

(b) relates to an identified or identifiable individual or business, and

(c) is not available to the public from other sources at the time of the disclosure and has not previously been available to the public from other sources,

However, it will not be an offence if the disclosure is made with “lawful authority”, and a disclosure is made with lawful authority only if and to the extent that

(a) the disclosure was made with the consent of the individual or of the person for the time being carrying on the business,

(b) the information was obtained or provided as described in subsection (1)(a) for the purpose of its being made available to the public (in whatever manner),

(c) the disclosure was made for the purposes of, and is necessary for, the discharge of one or more of the Commissioner’s functions,

(d) the disclosure was made for the purposes of, and is necessary for, the discharge of an EU obligation,

(e) the disclosure was made for the purposes of criminal or civil proceedings, however arising, or

(f) having regard to the rights, freedoms and legitimate interests of any person, the disclosure was necessary in the public interest.

This means that, for instance, if an individual or a business has given (willingly or under compulsion) information to the Commissioner for the purposes of a regulatory investigation, and the information is not already public, then the Commissioner must not disclose it, unless he has lawful authority to do so.

Where, also for instance, the Commissioner publishes a legal decision notice, or monetary penalty notice, or the like, this will ordinarily contain information of this kind, but the Commissioner can point to the lawful authority he has under section 132(2)(c) – namely that the disclosure was made for the purposes of, and is necessary for, the discharge of one or more of the Commissioner’s functions. No offence committed.

But section 132 is why the Commissioner’s Office might refuse, under the Freedom of Information Act 2000 (FOIA), to disclose information it has received from an individual or business. For instance, a notification report a controller has submitted pursuant to its “personal data breach” obligations under Article 33 UK GDPR. Here is an example. The ICO withholds the “breach report” in question, citing the exemption at section 44, because of the offence provisions at section 132 DPA.

Whether this is an over-cautious stance is one thing, but it is understandable.

What puzzles me, though, is the inconsistency, because elsewhere, in very similar circumstances, in response to a FOIA request, the ICO has disclosed a personal data report (albeit with redactions). Here, also.

If the Commissioner’s staff in the first example feel that they would commit an offence by disclosing the report, do the staff dealing with the second or third examples not feel that they would also?

One thing that should certainly not happen is claiming exemptions because it is easier to do so than not. I am not saying that has happened here, but there certainly seems to be inconsistency. And inconsistency, or uncertainty, about whether a regulator and his staff might commit a criminal offence is not a good situation.


PSNI data breaches and questions over ICO’s investigations retention policy

I’ve been running this blog for about 15 years now. I’m not a records manager, but I recognise that information has a lifecycle. Maybe I could weed some older posts, but the thing is, I occasionally find some of the old posts useful. For instance, when news broke of recent nasty data breaches involving police forces (including the Police Service of Northern Ireland, or “PSNI”) and Freedom of Information disclosures, I was able to point to a ten-year-old post on this blog which illustrated that concerns about such disclosures have been around for a long time.

So I was rather surprised to see the Information Commissioner’s Office (ICO) saying – in response to claims from two former anti-terrorist officers that the recent incidents were part of a pattern of serious mistakes, and that their information had previously been compromised (albeit not by PSNI itself) – that

Having checked with relevant teams, we do not appear to have record of an investigation regarding this data controller for the time frame noted. This may be due to our retention policy

The retention policy in question says (at page 28) that information in relation to regulatory investigations will normally be retained for five or six years, but that in civil enforcement cases where no action was taken information will be destroyed after two years.

There is nothing inherently “wrong” about this; unless there is a statutory requirement to retain information it will fall to each public body to determine what is an appropriate retention period. However, the ICO elsewhere emphasises the need to consider patterns in compliance. The regulatory action policy, for instance, says that an organisation’s “prior regulatory history” including the “pattern…of complaints” might be an aggravating factor when it comes to taking enforcement action, and that “as issues or patterns of issues escalate in frequency or severity then we will issue more significant powers in response”. But the retention policy means that, unless formal action has been taken against an organisation, such patterns might only be able to be taken into account when they involve incidents occurring within the previous two years. Is that sufficient or adequate?

I would suggest not. The policy’s version history illustrates that it is regularly reviewed (including an annual review). I would hope that the next review considers whether there is compelling evidence to suggest that retaining investigation information for longer than two years is warranted, especially in light of recent events.


FOI embarrassment

At a recent awards event, recognising high-performing Freedom of Information officers and teams (fantastic idea by the organisers/sponsors, by the way*) I gave a brief talk where I stressed that it was important to recognise how much FOI has achieved in its 23 (or 18**) years, and to remember that every day thousands of disclosures are made by thousands of public authorities. It’s very easy to snipe at bad practice, and I often do, but if we don’t acknowledge the benefits, the real opponents of FOI might start arguing for its repeal.

So. Celebrate success. Accentuate the positive. Eliminate the negative.

However.

Then you see a decision notice from the Information Commissioner (ICO), in which a large London council had refused to disclose, under FOI, information on how many enquiries (MEQs) each of its councillors*** had submitted to the council on behalf of constituents. The reason for refusal was that this was the personal data of the councillors (well, yes) and that disclosure would infringe those councillors’ rights under the data protection law (hell, no).

This isn’t time for legal analysis. It really is as extraordinary as it sounds.

Thankfully, the ICO had no truck with it (and the notice does have legal analysis).

Frankly, though, the council should be ashamed.

______________________

*I have no personal or professional interest

**The Act commenced in 2000, but the main provisions didn’t commence until 2005

***At the end of the notice there is a big hint as to the role of the person who made the request – see if you can guess


Campaign for Records – Democracy and Rights in the Digital Age

There’s a piece up on the Mishcon de Reya website about the launch event for this campaign, run jointly by ARA and IRMS, at which I was recently invited to speak:

https://www.mishcon.com/news/jon-baines-speaks-at-parliamentary-event-on-foi-and-records-management


ICO investigated potential FOI criminal offences by government departments

Under section 77 of the Freedom of Information Act 2000 (FOIA) a person commits a criminal offence if – after someone has made a request for information to a public authority, and would have been entitled to disclosure of that information – he or she

alters, defaces, blocks, erases, destroys or conceals any record held by the public authority, with the intention of preventing the disclosure by that authority of all, or any part, of the information to the communication of which the applicant would have been entitled

This is the only section of FOIA which carries a criminal penalty. It is very rarely invoked: since FOIA commenced in January 2005, there has been just one successful prosecution brought by the Information Commissioner’s Office (ICO) (and, as far as I know, only one other, unsuccessful, prosecution).

One reason for the lack of cases is that the ICO can only bring a prosecution within six months of the offence occurring. This has been identified for many years as an issue which should be addressed (but successive governments have declined to do so).

Nonetheless, a recent FOIA disclosure by the ICO reveals that in the last few years potential section 77 offences by government departments have been investigated. The request, made via the public WhatDoTheyKnow platform, was for information on “all Section 77 investigations carried out regardless of outcome for all Government departments”. In response, the ICO disclosed that

we have opened the following cases with regard to allegations of s77 allegations against Government Departments:
PCB/0013/2018 – MoJ
IC/506/2020 – DWP
IC/0549/2020 – Cabinet Office
INV/0950/2021 – Cabinet Office.

This appears to suggest the existence of four separate investigations. In response to a request for further comment the ICO press office stated to me that none of the cases was still open, but declined to say any more. This seems to confirm that no proceedings were brought as a result of the investigations, but it is not possible to speculate on the reasons why. Nor are details available as to the circumstances under which the investigations were made.


Does DHSC have a compliant ROPA?

Article 30(4) of the UK GDPR requires a controller to make its records of processing activities (ROPA) available to the Information Commissioner (ICO) upon request.

ROPAs are required for most large controllers, and should include at least

  • The name and contact details of the organisation (and where applicable the data protection officer).
  • The purposes of processing.
  • A description of the categories of individuals and categories of personal data.
  • The categories of recipients of personal data.
  • Details of transfers to third countries including documenting the transfer mechanism safeguards in place.
  • Retention schedules.
  • A description of the controller’s technical and organisational security measures.

Ordinarily, in my experience, controllers will maintain a ROPA in one document, or one set of linked documents. This not only enables a controller to comply with Article 30(4), but reflects the fact that a ROPA is not just a compliance obligation, but contributes to and assists the controller in its information governance functions.

This all makes the position of the Department of Health and Social Care (DHSC) rather odd. Because, in response to a Freedom of Information Act (FOIA) request for disclosure of its ROPA, it stated that the request was “vexatious” on the grounds of the time and costs it would have to incur to respond. This was because, as the DHSC subsequently told the ICO when the latter was asked to issue a FOIA decision notice

We hold a collection of documentation across different formats which, when put together, fulfils our obligation under Article 30 of the GDPR to record and document all of our personal data processing activities…[and]…to locate, retrieve and extract all of this documentation would involve a manual trawl of the whole organisation and each document would then need to be reviewed to check for content such as personal data, commercially sensitive data and any other information that would otherwise not be appropriate to place into the public domain

For this reason, the ICO accepted that compliance with the request would be “grossly oppressive” and this, taken with other factors, meant that the FOIA request was indeed vexatious.

The ICO is tasked with regulating both FOIA and data protection law. The decision notice here notes this, and says

the Commissioner feels duty bound to note that, if the DHSC cannot comply with the request because it would impose a grossly oppressive burden to do so, it is unlikely that the DHSC would be able to provide its ROPA to the Commissioner, which is a requirement under Article 30 of the UK GDPR, without that same burden

There’s a big hint here to DHSC that it should adopt a different approach to its ROPA for the future.

But the decision notice does contain some rather strange wording. In the context of the words quoted just above, the ICO says

This decision notice looks at the DHSC’s compliance with FOIA only and the Commissioner cannot order the DHSC to take any action under any other legislation.

It is true that, under his FOIA powers, the ICO cannot order the DHSC to comply with the UK GDPR, but, quite evidently, under his UK GDPR powers, he certainly can: Article 58(2)(d) specifically empowers him to

order the controller…to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period

I am not aware of anything in FOIA, or data protection law (or wider regulatory and public law) that prevents the ICO from taking enforcement action under UK GDPR as a result of findings he has made under FOIA. Indeed, it would be rather strange if anything did prevent him from doing so.

So it does seem that the ICO could order DHSC to get its ROPA in order. Maybe the big hint in the FOIA decision notice will have the desired effect. But regulation by means of big hints is perhaps not entirely in compliance with the requirement on the ICO, deriving from the Regulators’ Code, to ensure that its approach to its regulatory activities is transparent.


Government urged to take action to protect UK citizens’ information rights

The Retained EU Law (Revocation and Reform) Bill was introduced to Parliament on 22 September 2022. The Bill sets a “sunset date” of 31 December 2023 by which all remaining retained EU Law will be repealed, unless expressly assimilated into UK domestic law. The sunset may be extended for specified pieces of retained EU Law until 2026. A large number of UK laws which cover “information rights” appear to be caught by the Bill.

Mishcon de Reya has written an open letter to the Minister of State at the Department for Digital, Culture, Media & Sport, Julia Lopez, to highlight the risk to these laws.

Government urged to take action to protect UK citizens’ (mishcon.com)


Was the Queen’s Funeral day a FOIA “working day”?

Under the Freedom of Information Act 2000 a public authority must respond to a request for information within 20 working days. For obvious reasons “working day” does not include a bank holiday. Does this mean that for FOIA requests made before Monday 19 September 2022 (the bank holiday in recognition of the late Queen’s funeral) public authorities and requesters must add an extra day when calculating when a response to the request is due? The jury is out.

Section 10(6) of FOIA defines a “working day” as

any day other than a Saturday, a Sunday, Christmas Day, Good Friday or a day which is a bank holiday under the Banking and Financial Dealings Act 1971 in any part of the United Kingdom

And section 1 of the Banking and Financial Dealings Act 1971 says

the days specified in Schedule 1 to this Act shall be bank holidays in England and Wales, in Scotland and in Northern Ireland as indicated in the Schedule

The Schedule to that 1971 Act therefore provides a number of dates which are to be considered as bank holidays.

All straightforward then? Not quite. Sections 1(2) and 1(3) of the 1971 Act go on to add that the Sovereign can effectively remove or add a bank holiday “by proclamation”, and this was the means by which 19 September was made a bank holiday.

(In passing it’s interesting to note that those sections of the 1971 Act refer to proclamations by “Her Majesty”. Clearly “Her Majesty” could not have made the proclamation. However, by section 10 of the Interpretation Act 1978 “In any Act a reference to the Sovereign reigning at the time of the passing of the Act is to be construed, unless the contrary intention appears, as a reference to the Sovereign for the time being”.)

But the question of whether the 19 September should be classed as a working day or not for the purposes of FOIA requests which were already running, might turn on the extent to which the general presumption at common law applies, whereby legislation is not intended to have retrospective effect. See, in this regard, Lord Kerr in Walker v Innospec Limited and others [2017] UKSC 47:

The general rule, applicable in most modern legal systems, is that legislative changes apply prospectively…The logic behind this principle is explained in Bennion on Statutory Interpretation, 6th ed (2013), Comment on Code section 97:

‘If we do something today, we feel that the law applying to it should be the law in force today, not tomorrow’s backward adjustment of it.’

An exception to the general rule will only apply where a contrary intention appears.

It might be said, though, that the proclamation of a bank holiday, pursuant to a statutory power, is not in itself a legislative change to which the general rule against retrospectivity applies. I’m not sure there’s a clear answer either way.

Whether public authorities should have one extra day for a FOIA request is clearly not a constitutional issue which should trouble the great minds of our generation (although I know plenty of FOI teams and officers who are judged on their performance against indicators such as response times). Nonetheless, I asked the ICO this week what their view was, and the answer that came back was that they didn’t have a settled position on the issue, but that, in the event of a subsequent complaint about whether a deadline had been met, they would take all the circumstances into account (which I take to mean that they are unlikely to criticise a public authority whichever way it decided to approach the question).

Shortly after initially uploading this post, I was contacted by someone who pointed out that the New Zealand parliament has specifically legislated to give retrospective “non-working-day” effect to its own extraordinary bank holiday. This would seem to reinforce the point about the presumption against retrospectivity unless there’s an express intention to the contrary.

So it probably doesn’t matter, and probably no one really cares. But I enjoyed thinking about it.
