Category Archives: FOISA

June 15, 2015 · 7:58 pm

What a difference a day makes

Back in 2013 I blogged about a little-known (not unknown, as some commenters thought I was suggesting) oddity of the Freedom of Information Act 2000 (FOIA). This oddity is that a bank holiday falling in any part of the United Kingdom counts as a non-working-day for the purposes of FOIA. So, as January 2nd (or the nearest substitute day) is a bank holiday in Scotland, it is not a working day for the purposes of calculating the maximum timescale for compliance with a request made under FOIA, despite the fact that Scotland has its own Freedom of Information (Scotland) Act 2002.
What “bank holiday” means, according to section 10(6) of FOIA, is 

any day other than a Saturday, a Sunday, Christmas Day, Good Friday or a day which is a bank holiday under the Banking and Financial Dealings Act 1971 in any part of the United Kingdom

And section 1 of the Banking and Financial Dealings Act 1971 says 

the days specified in Schedule 1 to this Act shall be bank holidays in England and Wales, in Scotland and in Northern Ireland as indicated in the Schedule

The Schedule therefore provides a number of dates which are to be considered as bank holidays

All straightforward then? Not quite. Sections 1(2) and 1(3) of The Banking and Financial Dealings Act 1971 also provide that the Queen can effectively remove or add a bank holiday “by proclamation”. What this means has recently been considered by the First-tier Tribunal (Information Rights) (FTT), and it shows that even the Information Commissioner’s Office (ICO) can get this issue wrong sometimes. In the case, the ICO had said in its decision notice that the public authority, Monitor, had complied with its obligation to respond to a FOIA request within twenty working days, because the period involved included two bank holidays within the UK (on 14 July (Northern Ireland) and 4 August (Scotland)). However, when faced with an appeal to the FTT by the requester, the ICO faltered, and

recalculated the 20 day period and concluded that while July 14 was commemorated as the anniversary of the Battle of the Boyne for the purpose of a public holiday in Northern Ireland it was not a bank holiday and accordingly the response from Monitor had been outside the 20 day period

Not so fast, said the FTT – remember section 1(3) of the Banking and Financial Dealings Act 1971? Well, as the London Gazette records, on 14 June 2013 a proclamation was made by Her Majesty, providing that

…We consider it desirable that Monday the fourteenth day of July in the year 2014 should be a bank holiday in Northern Ireland

As the FTT said

The effect of this was to insert a bank holiday in July…accordingly [Monitor] responded within the time limit

All very arcane and abstruse, no doubt, but practitioners and requesters should note that the London Gazette records that on 18 July 2014 Her Majesty also proclaimed that 13th July 2015 would also be a bank holiday. So, for FOI requests whose normal twenty-working-day period includes the date of 13th July this year, everyone needs to bear in mind that, as hard as they may be working on that date, it is not to be counted as a FOIA working day. 

But everyone should also bear in mind that, if they find this tricky, even the ICO gets confused sometimes.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with..

8 Comments

Filed under FOISA, Freedom of Information, Information Commissioner, Information Tribunal

November 26, 2014 · 7:42 pm

Does Simon Hughes really want to receive FOI complaints?

At an event on the evening of 26 November, to celebrate (slightly early) the ten year anniversary of the Freedom of Information Act 2000 (FOIA) the Minister of State for Justice and Civil Liberties, Simon Hughes, appeared to offer to take on part of the Information Commissioner’s regulatory role.

The event, hosted at the RSA by the Commissioner himself, brought together a panel of FOIA luminaries consisting of Deputy Information Commissioner Graham Smith, the BBC’s Martin Rosenbaum, Scottish Information Commissioner Rosemary Agnew and Hughes himself. In response to a question from the floor about the considerable delays and obstructiveness by certain public authorities in dealing with FOIA requests, Hughes invited people to send him examples, so that he could start to compile data on compliance (of the sort already being compiled by Agnew’s office).

Astute eyebrows at the event (and possibly on the panel) were raised: dealing with miscreant public authorities is a role clearly assigned to the Information Commissioner. For the Minister to invite complaints seems to be to risk usurping that role. One wonders if he knows what he’s let himself in for.

7 Comments

Filed under FOISA, Freedom of Information, Information Commissioner, Ministry of Justice

August 9, 2014 · 4:31 pm

Lay, Laddie, Lay

In which I suggest the Information Commissioner could lay a report at Westminster drawing attention to compliance with time limits under the FOIA Act

The Scottish Information Commissioner (SIC), Rosemary Agnew, this week used the powers available to her under section 46(3) of the Freedom of Information (Scotland) Act 2002 (FOISA) to lay a report before the Holyrood Parliament. The report draws MSPs’ (and others) attention to

the issue of failure [by Scottish public authorities] to respond to information requests, and to stimulate debate about what we can collectively do to address it

The background is that approximately 25% of complaints to Agnew’s office in 2013/14 were about failures to respond to requests for information. Section 46(3) of FOISA permits the laying of reports “from time to time” by the SIC with respect to her functions. It thus confers a broad discretion on the SIC to draw attention to matters of concern to her. The report says

– Many public authorities have shown that it is possible to respond on time to large volumes of requests, but too many authorities are still not doing so. Delays and obfuscation are not only damaging to authorities’ relationships with individual requesters but also Scotland’s reputation for openness and transparency.
– The FOI experience is not consistent for all requesters or types of requesters
– Failure to respond is an issue, but it is not uniform across all Scottish public authorities.  Issues are more acute in some authorities than others

Requesters in the rest of UK experience similar difficulties, and similar lack of consistency, whereby some authorities are exemplary in the timeliness of responses to FOI requests, and some are very poor. As that last link indicates, the rUK Information Commissioner (IC) does monitor authorities for FOI compliance. He has also issued informal undertakings and even on occasions issued enforcement notices against authorities performing particularly poorly. However, what evidence there is does not suggest that this has led to overall improvements. Since 2009 the number of decision notices issued annually by the IC in which section 10 (“time for compliance”) was a factor have been as follows: 223 in 2009, 276 in 2010, 371 in 2011, 227 in 2012, 223 in 2013. These figures represent approximately 25% of all cases. They are not directly comparable with the SIC’s figures (which represent complaints made, rather than decisions notices issued) but they do suggest similar problems both sides of the border.

The IC does have essentially the same powers as the SIC to lay reports before Parliament (under section 49(2) of the Freedom of Information Act 2000 (FOIA)). However he has never exercised this FOIA power (there have been a couple of reports laid relating to data protection concerns). Given the serious concerns expressed by commentators about certain authorities’ attitude to FOIA, perhaps a report to Parliament would be a way of promoting debate – and improved compliance – which regulatory action has, to date, failed to achieve.

Leave a comment

Filed under Cabinet Office, FOISA, Freedom of Information, Information Commissioner

Tagged as ,

September 28, 2013 · 8:44 am

It’s our Right to Know, Mr ICO

On 29 August the Information Commisioner’s Office (ICO) served a monetary penalty notice (MPN) of £100,000 on Aberdeen City Council. MPNs can be served on a data controller under section 55A of the Data Protection Act 1998 (DPA) for a serious contravention of the Act of a sort likely to cause serious damage or serious distress. In this instance, the ICO explained

sensitive information relating to social services involvement with several individuals [was] published online. The information included details relating to the care of vulnerable children.

The circumstances under which this happened were

a council employee accessed documents, including meeting minutes and detailed reports, from her home computer. A file transfer program installed on the machine automatically uploaded the documents to a website

Many people in the field of information rights have concerns that there is a significant lack of understanding on the part of many about the risk of inadvertently disclosing personal data on the web. In view of this, I though I would simply ask the ICO, and the Council, what website was involved, in order to inform my understanding. So I tweeted

What “website” were the files uploaded to?

I reminded the ICO and the Council on several occasions about this, and pointed out it was a valid request under the Freedom of Information Act 2000 (FOIA) and Freedom of Information (Scotland) Act 2002 (FOI(S)A), even though I had really only wanted a quick factual reply. The Council have asked me to contact them separately to make the FOI(S)A request, and I’m aware the Scottish Information Commissioner takes a different view on tweeted requests to her counterpart for the rest of the UK, so I’ve banged in a request at WhatDoTheyKnow. The ICO, by contrats, did treat my tweet as a valid request (although I got no acknowledgment of this, contrary to their good practice guidance) and responded yesterday on the twentieth working day, with a link to their disclosure log

Those who know me will be unsurprised to know that I don’t accept the refusal, and also unsurprised to know that, on International Right to Know Day 2013 I’ve submitted a crashingly pompous request for ICO to conduct an internal review. Here it follows, in all said crashing pomposity:

Please review your refusal to disclose information.

On 29 August you served a Monetary Penalty Notice on Aberdeen City Council

“after a council employee accessed documents, including meeting minutes and detailed reports, from her home computer. A file transfer program installed on the machine automatically uploaded the documents to a website, publishing sensitive information about several vulnerable children and their families, including details of alleged criminal offences”

I asked, on 30 August, “What ‘website’ were the files uploaded to?”

You have refused to disclose, claiming the exemption at section 44 of the Freedom of Information Act 2000, which provides an exemption “if disclosure [of the information] (otherwise than under this Act) by the public authority holding it…is prohibited by or under any enactment”. You say disclosure is prohibited, because “the information was provided to the ICO in confidence as part of our regulatory activities” and that the provisions of section 59(1) of the Data Protection Act 1998 forbid disclosure. Section 59(1) says

“No person who is or has been the Commissioner, a member of the Commissioner’s staff or an agent of the Commissioner shall disclose any information which—

(a)has been obtained by, or furnished to, the Commissioner under or for the purposes of the information Acts [of which FOIA is one],

(b)relates to an identified or identifiable individual or business, and

(c)is not at the time of the disclosure, and has not previously been, available to the public from other sources

unless the disclosure is made with lawful authority”

I am happy to concede that a) and b) are met here, but not c). This is because section 59(2) explains what “with lawful authority” means. Firstly, and largely as an aside, section 59(2)(a) says that a disclosure is made with lawful authority if

“the disclosure is made with the consent of the individual or of the person for the time being carrying on the business”

I am surprised you do not feel that, in your role as a public authority but also as the regulator for Freedom of Information, it would be prudent and transparent simply to ask the Council whether it consents. Nonetheless, on a strict reading of the law, I concede that you do not have an obligation to do so.

Secondly (and I note you do not even address this important provision), section 59(2)(e) says that disclosure is made with lawful authority if

“having regard to the rights and freedoms or legitimate interests of any person, the disclosure is necessary in the public interest”

I would argue that analysis of whether this provision permits disclosure requires a two-fold test. Firstly, is disclosure necessary in the public interest? Secondly, if it is, do the rights and freedoms or legitimate interests of any person militate against this public-interest disclosure?

On the first point, I am not aware of any direct authority on what “necessary” means in section 59(2)(e) of DPA, but I would argue that it imports the meaning adopted by leading European authorities. Thus, as per the high Court in Corporate Officer of the House of Commons v The Information Commissioner & Ors [2008] EWHC 1084 “‘necessary”…should reflect the meaning attributed to it by the European Court of Human Rights when justifying an interference with a recognised right, namely that there should be a pressing social need and that the interference was both proportionate as to means and fairly balanced as to ends”. It is my view that there is a pressing social need to recognise the risks of indavertent uploading to the internet, by public authorities and others, of sensitive personal data, especially when this is by automatic means. Other examples of recent incidents and enforcement action illustrate this. For instance, as your office is aware, there have been reports that a regional Citizens’ Advice Bureau has indavertently made available on the internet very large amounts of such data, probably because of a lack of technical knowledge or security which resulted in automatic caching by Google of numerous files https://informationrightsandwrongs.com/2013/09/24/citizens-advice-bureaucracy/. Also for instance, as you are aware, there have been many many examples of indavertent internet publishing of personal data in hidden cells in spreadsheets http://www.ico.org.uk/news/blog/2013/the-risk-of-revealing-too-much. There is a clear lack of public understanding of the risks of such indavertent disclosures, with a consequent risk to the privacy of individuals’ often highly sensitive personal data. Any information which the regulator of the DPA can disclose which informs and improves public understanding of these risks serves a pressing social need and makes the disclosure “necessary”.

On the second point, I simply fail to see what rights and freedoms or legitimate interests of any person can be engaged, let alone suffer a detriment by disclosing what public website the Council employee uploaded this to. If there are any, it would be helpful if your response to this Internal Review could address this. It may be that you would point to the information having been provided to you in confidence, but I similarly fail to see how that can be: was this an express obligation of confidence, or have you inferred it? In either case, I would question (per one the elements of the classic formulation for a cause of action in breach of confidence given by Megarry J in Coco v A.N.Clark (Engineers) Ltd [1969] R.P.C. 41) whether the information even has the necessary quality of confidence (this was a public website after all).

I hope you can reconsider your decision.

best wishes

1 Comment

Filed under Confidentiality, Data Protection, FOISA, Freedom of Information, human rights, Information Commissioner, monetary penalty notice, transparency

Tagged as , ,

August 14, 2013 · 8:00 am

Poor judgement?

Public authorities need to be cautious when disclosing performance figures of their staff under Freedom of Information (FOI) laws. They need to be even more cautious when disclosing performance figures of third parties.

Imagine if your employer, or, worse, a third party, disclosed under FOI that, of all your peers, you made the most decisions in the exercise of your employment which were subsequently found to be wrong, and which had to be overturned. If in fact those figures turned out to be incorrect, you would probably rightly feel aggrieved, and perhaps question whether the failure of data quality was in fact a breach of your rights under the Data Protection Act 1998 (DPA) and of your employment rights.

That is what appears to have happened to certain judges in Scotland, according to a letter in The Scotsman today, from the Chief Executive of the Scottish Court Service. The letter points out that a previous (29 July) article in The Scotsman – “Meet the judge with the highest number of quashed convictions” (now no longer available, for obvious reasons) – was, although published in good faith, based on inaccurate information disclosed to the paper under FOI. The letter contains an apology to

Lord Carloway and Lord Hardie, who featured prominently in 
this article, for misrepresenting their position in relation to 
appeal decisions

because the erroneous disclosed statistics suggested they had had more judgments overturned on appeal than was actually the case.

Of course, the principle of judicial independence means that judges are, strictly, not employed. But as Carswell LCJ said

All judges, at whatever level, share certain common characteristics. They all must enjoy independence of decision without direction from any source, which the respondents quite rightly defended as an essential part of their work. They all need some organisation of their sittings, whether it be prescribed by the president of the industrial tribunals or the Court Service, or more loosely arranged in collegiate fashion between the judges of a particular court. They are all expected to work during defined times and periods, whether they be rigidly laid down or managed by the judges themselves with a greater degree of flexibility. They are not free agents to work as and when they choose, as are self-employed persons. Their office accordingly partakes of some of the characteristics of employment . .. [Perceval-Price v Department of Economic Development [2000] IRLR 380]

and the Supreme Court took this further in O’Brien v Ministry of Justice [2010] UKSC 34 by saying “Indeed judicial office partakes of most of the characteristics of employment” (emphasis added).

Whatever their employment status, judges’ performance figures are clearly an important matter to them, and the Scottish Court Service has a duty to maintain accurate figures (particularly when disclosing them publicly). As Wodehouse said, “it has never been difficult to distinguish between a Scotsman with a grievance and a ray of sunshine”. I imagine that the office of Mr McQueen, the day after the first article, was not filled with sunshine.

Leave a comment

Filed under Data Protection, employment, FOISA, Freedom of Information, Uncategorized

Tagged as ,

July 29, 2013 · 1:29 pm

An Unnecessary FOI Appeal?

South Lanarkshire Council have lost what seems to me to have been a rather unnecessary, and surely rather costly, FOI case in the Supreme Court. That said, the judgment is important reading.

It is well-established that, for disclosure of personal data to be lawful under Freedom of Information law (both the Freedom of Information Act 2000 (FOIA and the Freedom of Information (Scotland) Act 2002 (FOI(S)A) it will normally be necessary to satisfy the test in the sixth condition of Schedule Two of the Data Protection Act 1998 (DPA)

The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

Disclosure is, by section 1(1) of the DPA, an act of “processing”.

It is also well-established (indeed, one might almost say it is trite law), that “necessary” in that condition is to be construed in accordance with the relevant European authorities. As the High Court held, in the MPs’ expenses case

‘necessary’ within para 6 of Sched 2 to the DPA should reflect the meaning attributed to it by the European Court of Human Rights when justifying an interference with a recognised right, namely that there should be a pressing social need and that the interference was both proportionate as to means and fairly balanced as to ends. Corporate Officer of the House of Commons v The Information Commissioner & Ors [2008] EWHC 1084 (Admin)

For reasons which are not entirely clear to me (but I’m not a Scottish lawyer) (in fact, I’m neither Scottish, nor a lawyer) the Court of Session in Scotland said, when hearing an appeal from South Lanarkshire Council of a decision by the Office of the Scottish Information Commissioner (OSIC) to order disclosure of information on how many of the total number of a certain post were placed at specific points in the pay scale, that it saw the force of a submission by counsel for the Council that

the word “necessary” should be accorded its ordinary and natural meaning, with the opening phrase being understood as imposing a distinct requirement

and that

but for the authority [of the MPs expenses case], we would have had little hesitation in giving effect to it

but they didn’t even need to reach a concluded view on this, because it was clear that, in this case, whatever construction was given to “necessary”

the Commissioner could only have concluded that necessity was made out. In particular, he held that the Requester’s own interest coincided with a widespread public interest in the matter of gender equality and that it was important to achieve transparency on the subject of Equal Pay. No better means existed to achieve that goal than by releasing the information in question

Apparently grabbing at that tiny bone thrown them by the Court of Session, the Council appealed to the Supreme Court. The hearing was three weeks ago, and judgment has been handed down today (which strikes me as rather quick) unanimously dismissing the Council’s appeal. At the time of the hearings The Herald reported that the Supreme Court had “slapped down” the Council

A cash-strapped Labour council has been scolded by one of the UK’s most senior judges for “dancing on the head of a pin” with “Alice In Wonderland” legal arguments, which have cost taxpayers thousands of pounds.

Anyone with any experience of litigation knows that it is a dangerous game to predict the outcome on the basis of the apparent approval or disapproval of your argument by the judge – often the strongest argument will be given the heaviest interrogation – but it does appear that, in this case, The Herald wasn’t taking too much of a gamble in anticipating the outcome. Lady Hale, giving the leading judgment, agreed with the Council that

the word “necessary” has to be considered in relation to the processing to which it relates. If that processing would involve an interference with the data subject’s right to respect for his private life, then [Rechnungshof v Ősterreichischer Rundfunk (Joined Cases C-465/00, C-138/01 and C-139/01) [2003] 3 CMLR 265] is clear authority for the proposition that the requirements of article 8(2) of the European Convention on Human Rights must be fulfilled

but in this instance, although disclosure of the information would be “processing” of “personal data” by the Council (as the Council itself could identify those to whom the data related), the requester (nor any other third party) would not be able to identify the data subjects. Accordingly

as the processing requested would not enable Mr Irvine or anyone else to discover the identity of the data subjects, it is quite difficult to see why there is any interference with their right to respect for their private lives

And Lady Hale disagreed with the Council on the construction of “necessary”

all that has to be asked is whether the requester is pursuing a legitimate interest in seeking the information…and whether he needs that information in order to pursue it. It is well established in community law that, at least in the context of justification rather than derogation, “necessary” means “reasonably” rather than absolutely or strictly necessary…necessity is well established in community law as part of the proportionality test. A measure which interferes with a right protected by community law must be the least restrictive for the achievement of a legitimate aim. Indeed, in ordinary language we would understand that a measure would not be necessary if the legitimate aim could be achieved by something less 

As the requester was clearly pursuing a legitimate interest, and this could only be met by disclosure under FOI(S)A the appeal had to fail, and the information falls to be disclosed. It is difficult to see how any other outcome, following the domestic and European authorities, could have ensued.

This does leave unanswered what the outcome would be if, for instance, no legitimate interest were advanced by a requester and/or the data subjects could be identified. In this instance, the OSIC had sought clarification of the requester’s purposes, in an investigation which the Supreme Court held was not in breach of the rules of natural justice, despite a failure to involve the Council in the correspondence. As a blogger activist the requester, Mr Irvine, could clearly point to a legitimate interest – a “serious, ongoing interest in equal pay matters”, but Lady Hale observed that

for example, if Mr Irvine had asked for the names and addresses of the employees concerned, not only would article 8 have clearly been engaged, but the Commissioner would have had to ask himself whether his legitimate interests could have been served by a lesser degree of disclosure

 In European Commission & United Kingdom v Bavarian Lager (Case C-28/08 P) the European Court of Justice found that the European Commission had not erred in refusing to disclose, under the EU Access Regulation, the identities of people attending a meeting, because the company requesting it had not been able to advance a legitimate interest in disclosure (see the excellent Panopticon post on this). FOI was traditionally said to be “applicant blind”, with a requester not needing to advance a purpose for asking for information, but, as these “personal data” cases (and others not relating to personal data – the “social watchdog” argument in the ongoing litigation involving Dominic Kennedy and the Charity Commission) show that motivation can be a determining point when it comes to disclosure under FOI.

2 Comments

Filed under Data Protection, FOISA, Freedom of Information, human rights, Uncategorized

Tagged as , ,

July 18, 2013 · 2:21 pm

FOI timescales decisive for public law claim

An FOI request is used to show when the clock for bringing a claim starts ticking

As I am neither Scottish, not a lawyer, I make a foray into Scottish law with a distinct lack of confidence. However, I notice an interesting* case in the Scottish Court of Session, where the dates relating to a request for information were crucial in deciding whether a claim could continue.

The pursuer (equivalent to the claimant in England and Wales) was Nationwide Gritting Services (NGS), and it is aggrieved at, as it claims, missing out on the opportunity in 2010 and 2011 to tender to supply de-icing salt to Transport Scotland. The preliminary matter before Lord Woolman was whether the claim for breach of the then-in-force Public Contracts (Scotland) Regulations 2006 (“the Regulations”) was time-barred. The key issue, for the purposes of deciding when the time limits for making the claim began (applying the authority of the European Court of Justice in Uniplex (UK) Ltd v NHS Business Services Authority), was to determine the date on which NGS knew or ought to have known of the alleged infringement.

The claim had to be brought within three months of the date when the grounds for bringing the proceedings first arose. NGS served the summons in the present action on 28 August 2012. Accordingly, the critical date is 28 May 2012. The Scottish Ministers contend that NGS had the grounds to bring proceedings prior to that date (¶5)

Although there had been media coverage of salt-procurement matters in 2010, and some contact between an agent of NGS and Transport Scotland in 2010, it was only when another customer stated that Transport Scotland had purchased de-icing salt that NGS decided to make enquiries. On 30 April 2012 it sent an email headed “Formal Request for Information on Procurement Process for Salt” to Transport Scotland. It is not clear whether it cited the Freedom of Information (Scotland) Act 2002 (FOISA) but it appears that Transport Scotland properly treated it as a request under the same, because they replied on 30 May 2012 – the twentieth working day following receipt. Thus, contended NGS, 30 May was the date on which it had the requisite knowledge to bring a claim under the Regulations.

The judge agreed. Although NGS might have had “suspicions” in 2010 and 2011 that Transport Scotland had acquired salt, it had no “hard information”. When it received “hearsay evidence” from its customer it acted to enquire whether this was correct. The wording of its FOISA request (even though it had stated that NGS was “of the opinion” that proper process had not been followed) should not be taken to mean that it had “sufficient information to make an informed decision”. Only on 30 May 2012 had NGS’s suspicions “ripened into hard knowledge”.

Consequently, the claim can proceed:

as at 28 May 2012, NGS only suspected that an infringement has occurred. That suspicion was unsupported. Accordingly the grounds for bringing proceedings had not arisen by that date (¶30)

Of course, on one view this make perfect sense and is uncontroversial. People don’t normally make FOI requests unless they want to receive new information.

I don’t for a second claim the case is ground-breaking, but it is interesting for showing that the strict deadlines applying to FOI requests can potentially be useful for drawing a line in the sands of litigation.

(*Indulge me – happen to find judicial analysis of salt procurement interesting.)

Leave a comment

Filed under FOISA, Freedom of Information

Tagged as