Category Archives: Freedom of Information

ICO fails at FOI

I won’t rehearse the points I made in previous posts. Enough to say this – the Information Commissioner’s Office (ICO), in addition to being tasked with regulating Freedom of Information (FOI) law, must also comply with it, and anecdotal evidence suggested a long-standing failure to do so adequately (prior to, as well as during the COVID pandemic). That being the case – to whom should other public authorities look for exemplary guidance? Or put even more shortly – why should public authorities bother with compliance?

I now have some statistics.

I asked the ICO, under FOI, how many FOI cases it had failed to respond to within three months of their receipt (bear in mind that one month is the statutory limit). They have now told me that in 92 cases in the past year they have failed to respond to an FOI request within three months. Some cases are still open – in one, they have failed to reply to a request for 951 days and counting (I don’t know, and am almost beyond caring, whether these are calendar days or working days – it barely matters any more), and five cases are over a year old and still unanswered.

As I said previously, the ICO says that FOI enforcement may be appropriate where there are “repeated or significant failures to meet the time for compliance” and that, when deciding to take enforcement action, the ICO will take into account such factors as “the severity and/or repetition of the breach; whether there is evidence that obligations are being…persistently ignored; whether there would be an educative or deterrent affect; whether it would help clarify or test an issue; and whether an example needs to be created or a precedent set”.

A clearer case for (self-)enforcement action could scarcely be imagined.

Outgoing Commissioner Elizabeth Denham is handing her successor John Edwards a severe problem, both in terms of compliance but also – crucially – in terms of reputation of the office.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, Freedom of Information, Information Commissioner, rule of law

“Access delayed is access denied” – ICO’s terrible FOI compliance

Statistics show that the ICO is regularly delayed – sometimes very severely so – when responding to FOIA requests made to it. Is there a need for a review of the ICO’s own compliance?

The Information Commissioner’s Office (ICO) is tasked with regulating and enforcing the Freedom of Information Act 2000 (FOIA). The ICO is also – perhaps unusually for a regulator – subject to the law it regulates (it is a public authority, listed in Schedule One to FOIA). This means that – sometimes – the ICO must investigate its own compliance with FOIA. It also means that its own compliance with FOIA, and the seriousness with which it treats its own compliance, is bound to be viewed by other public authorities as an example.

FOIA is, let us not forget, of profound democratic importance. The right to receive information is one of the components of Article 10 of the European Convention on Human Rights. Information Commissioner Elizabeth Denham has previously said

openness of information, through FOI laws and other instruments, is vitally-important not only for government accountability in the moment, but also for the long-term health of our democracy… since information is power, the right to information goes to the heart of a democracy’s healthy functioning.

FOIA lays down timescales for complying with a request for information. The core one says that information must in general be provided within twenty working days. In that same speech Ms Denham referred to timeliness (“It is rightly said that access delayed is access denied”) and the benefits of publicising delays by authorities:

Reporting publicly on timeliness has proved to be a powerful tool for improving timely disclosure of information. And public authorities have used their poor grades to push successfully for more resources where the demand has outstripped supply.

Indeed, she has previously taken government departments to task for their FOIA delays

I think that central government though has got away with – I’m not going to say murder – I think they’ve got away with behaviour that needs to be adjusted…I know which organisations we need to focus on…

The ICO certainly has enforcement powers, and a policy which informs it when action is appropriate. The Freedom of information regulatory action policy (which doesn’t appear to have been updated since 2012) says that enforcement may be appropriate where there are “repeated or significant failures to meet the time for compliance” and that, when deciding to take enforcement action, the ICO will take into account such factors as

the severity and / or repetition of the breach; whether there is evidence that obligations are being deliberately or persistently ignored; whether there would be an educative or deterrent affect; whether it would help clarify or test an issue; and whether an example needs to be created or a precedent set.

With all of this in mind, one organisation the ICO apparently needs to focus on is itself.

Regrettably, and rather oddly, the ICO doesn’t publish figures on its own FOI compliance, except at a very high level, and combined with other types of access requests, in its annual report). This is despite the fact that the Code of Practice issued under section 45 of FOIA, observance of which the ICO is specifically tasked with promoting, says that public authorities with more than 100 members of staff should published detailed statistics on compliance.

However, what evidence there is indicates a repeated, and serious, failure by the ICO to comply with the timescales it is supposed to enforce on others. Of the formal decision notices issued by the ICO against itself, in 2020 and 2021, 50% (10 out of 20) found a failure to comply with the statutory timescale (and two further ones appear – from an analysis of the notices – to have involved delay, without resulting in a specific finding of such). And it is worth noting that these are formal decisions where requesters have asked for formal notices to be issued – it is almost inevitable that there will be similar delays in a significant proportion of those requests which don’t make it to a formal decision.

Indeed, analysis of recent requests to the ICO made on the request website WhatDoTheyKnowsimilarly shows delays in approximately half the requests. But even worse, many of those delays are of an extraordinary length. In two cases, requests made in February 2021 have only been responded to in November – delays of ninemonths, and in other cases there are delays of six, four and two months.

COVID has – no doubt – affected the ICO, as it has affected all organisations. But if the ICO needs extra resource to comply with FOIA, it has certainly not indicated that. Its published approach to regulatory compliance during the pandemic (not updated since June this year) says that where public authorities have backlogs, the ICO expects them to “establish recovery plans focused on bringing the organisation back within compliance with the Freedom of Information Act within a reasonable timeframe”. In the accompanying blogpost the Deputy Commissioner said that

we have seen more and more organisations adjusting to the circumstances, and returning to offering the transparency…our [own] recovery plan has had a positive impact in removing and reducing backlogs

If that is the case it is hard to know why the WhatDoTheyKnow examples (and one’s own experiences) show precisely the opposite picture.

What is also of concern – though this is an issue for policy-makers and Parliament – is that there is nothing that an individual can do when faced with delays like this, except complain – once more to the ICO. FOIA expressly does not permit individuals to take civil action against public authorities for failure to comply – the only recourse is through the ICO as regulator. Short of bringing judicial review proceedings, citizens must just suck it up.

In 2016 the Independent Commission on Freedom of Information said that FOIA was “generally working well”, but that it “would like to see a significant reduction in the delays in the process”. In 2016, that was not addressed at the ICO, but now it most certainly could be. That Independent Commission has long been dissolved. Meanwhile, the Public Administration and Constitutional Affairs Committee is conducting an inquiry into the Cabinet Office’s FOI handling. 

But, maybe, there actually needs to be some Parliamentary oversight of the ICO’s own FOI compliance.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, Freedom of Information, human rights, Information Commissioner, rule of law, transparency

What John Edwards will inherit

The new Information Commissioner will have a lot on his plate. I’m going to focus very briefly on what is, objectively, a very small matter but which, to me, illustrates much about priorities within the ICO.

On 29 July I happened to notice an Information Tribunal decision which I thought was slightly odd, in that apparently both the Tribunal, and the Commissioner beforehand, had dealt with it under the Freedom of Information Act 2000 rather than the Environmental Information Regulations 2004, despite the subject matter (a tree inspection report) appearing to fall squarely under the latter’s ambit.

However, the decision notice appealed (referred to as FS5081345 in the Tribunal judgment), does not appear on the ICO’s searchable online database (in fact, no decisions relating to the public authority – the mighty Great Wyrley Parish Council – are listed). It’s unusual but certainly not unheard of for decision notices not to get uploaded (either by overlook, or – occasionally – for other, legal reasons) but in the past when I’ve asked for one of these, informally, it’s been provided by return.

So I used the ICO’s online Chat function to ask for a copy of the decision notice. However, I was told I had to submit a request in writing (of course I’d already done so – the Chat function is in writing, after all, but let’s not quibble). I said I was concerned that what was a simple request would get sucked up into the ICO’s own FOI processes, but the person on the Chat thought I would get a response within a couple of days.

Those who’ve stayed this far into the blogpost will be unsurprised to hear what happened next – my simple request got sucked into the ICO’s own FOI processes, and more than seven weeks on (more than three weeks beyond the statutory timescale for responding) I have still had no response, and no indication of why not, other than the pressure the FOI team is under.

And that last point is key: if the ICO’s own FOI caseworkers are under such pressure that they cannot deal with a very simple request within the legal timescale, nor update me in any meaningful way as to why, something has surely gone wrong.

At a recent NADPO webinar Dr Neil Bhatia spoke about his own difficulties with getting information out of the ICO through FOI. He (and I) were challenged by one of the other speakers on why we didn’t more regularly take formal action to force the issue. It was a fair point, and prompted me yesterday to ask the ICO for a formal decision under section 50 of the FOI Act (which means the ICO will have to issue an FOI decision notice on whether the ICO handled an FOI request for an FOI request in accordance with the law – and that sentence itself illustrates the ridiculousness of the situation).

This isn’t the only FOI request I have that the ICO is late responding to. I have one going back to May this year and another to June (albeit on rather more complex subjects). And I know that I and Dr Bhatia are not alone.

All the fine talk from the current Commissioner about forging international data protection accords, and encouraging “data driven innovation” can’t prevent a perception that her office seems increasingly to have left FOI regulation (and in some cases its own FOI compliance) behind. The right to access information is (part of) a fundamental right (just as is the right to data protection). If the ICO doesn’t want the role, is it time for a separate FOI Commissioner?

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, Environmental Information Regulations, Freedom of Information, Information Commissioner, Information Tribunal, rule of law

ICO ignores its own FOI investigators

In the past I recall a few cases where the Information Commissioner’s Office (ICO) had to adjudicate on its own compliance with the Freedom of Information Act 2000 (FOIA). As a public authority, the ICO must comply with FOIA in the same way that all other public authorities must (fundamentally, by responding to a request within twenty working days). In a few cases, the ICO’s investigation of itself would even be slightly critical (along the lines of “you could have handled this a bit better”). But I have never, until now, seen a case like this one.

Extraordinarily, here we have a decision in which we see the ICO (as “the Commissioner”) berating itself (as “the ICO”) for…failing to reply to its own investigators. The notice gives the details:

On 18 May 2021, the complainant wrote to the ICO…and requested information…

The ICO acknowledged the request for information on 19 May 2021…

To date, a substantive response has not been issued…

The complainant contacted the Commissioner on 19 June 2021 to complain about the failure by the ICO to respond to his request…

On 5 July 2021, the Commissioner wrote to the ICO, reminding it of its responsibilities and asking it to provide a substantive response to the complainant within 10 working days…

Despite this intervention the ICO has failed to respond to the complainant.

As the notice says (indeed, as all such notices say), failure to comply may now result in the ICO making written certification of this fact to the High Court pursuant to section 54 of the Act and may be dealt with as a contempt of court. How on earth would this work though? As a matter of law, could a regulator certify its own non-compliance to the High Court in this way?

What a bizarre situation.

Leave a comment

Filed under access to information, Freedom of Information, Information Commissioner

Oil well not personal data shock

In news that should surprise no one, the Information Commissioner’s Office (ICO) has ruled that the locations of two oprhaned oil or gas well bores do not amount to personal data, for the purposes of the Environmental Information Regulations 2004 (EIR).

Perhaps more interestingly, the ICO cites the much-derided-but-probably-still-good-law case of Durant:

The Commissioner accepts that placing the two addresses into the public domain would allow the [owners of the land] to be identified. However, she does not consider that the information that would be revealed via disclosure “relates to” those individuals and it is therefore not their personal data…

And specifically refers to the famous dicta of Mr Justice Auld (as he was) from the Durant case

Mere mention of the data subject in a document held by a data controller does not necessarily amount to his personal data. Whether it does so in any particular instance depends on where it falls in a continuum of relevance or proximity to the data subject as distinct, say, from transactions or matters in which he may have been involved to a greater or lesser degree. It seems to me that there are two notions that may be of assistance. The first is whether the information is biographical in a significant sense, that is, going beyond the recording of the putative data subject’s involvement in a matter or an event that has no personal connotations, a life event in respect of which his privacy could not be said to be compromised. The second is one of focus. The information should have the putative data subject as its focus rather than some other person with whom he may have been involved or some transaction or event in which he may have figured or have had an interest, for example, as in this case, an investigation into some other person’s or body’s conduct that he may have instigated. In short, it is information that affects his privacy, whether in his personal or family life, business or professional capacity

So, at least for now, oil wells will stay out of the list of Things Which Have Been Found to be Personal Data.

And as my esteemed colleague Adam Rose notes, oil’s well that ends well. Pun complaints should be addressed here.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, Environmental Information Regulations, Freedom of Information, Information Commissioner

FOI – there’s no (jurisdictional) limits

Practitioners tend to have a few mantras about the Freedom of Information Act 2000 (FOIA). Some of those mantras admit of exceptions (“it’s requester and motive blind” may, for instance, fall away where the wider context of the request needs to be considered in “vexatious” cases) but the mantra that “anyone, anywhere can make a request” had never been seriously challenged, until recently.

In conjoined cases, the First tier Tribunal – apparently, one understands, of its own volition – had raised an issue as to whether FOIA did indeed have extra-territorial application – contrary to the standard approach to statutory construction whereby UK legislation applies only to those who are citizens of the UK, or on its territory – such that requests could be made by anyone, anywhere in the world.

If the Tribunal had decided that the standard approach applied, and no extra-territorial effect was in place, there would have been a significant diminution of rights, and a consequent diminution in the accountability of public authorities. More practically, we would have no doubt seen, at least from some public authorities, identity verification measures being directed at requesters.

Thankfully, the Tribunal decided that there was extra-territorial effect, in a decision handed down orally on 27 January (with written reasons to follow).

There are posts about the case(s) on both Cornerstone Barristers’ and Doughty Street’s websites.

Leave a comment

Filed under Freedom of Information, Information Tribunal, transparency

FOI 101 on “held”

I note that the First-tier Tribunal has recently had to school the Information Commissioner’s Office (ICO) on one of the real basics of the Freedom of Information Act (FOIA).

A request had been made to the Parliamentary and Health Service Ombudsman (PHSO) for past versions of a Joint Working Team (JWT) Manual setting out how the PHSO and the Local Government and Social Care Ombudsman (LGSCO) should work together. Rather oddly, the PHSO searched for these, and couldn’t find them. More oddly, the PHSO decided that this meant that it didn’t “hold” the information, for the purposes of FOIA (and directed the requester to LGSCO). Even more oddly, the ICO then upheld the PHSO’s refusal, saying

Copies of the JWT manuals are stored on the LGSCO website and the PHSO argue that it has no control over the production of the manual. The Commissioner is therefore satisfied that the PHSO do not hold copies of the JWT manuals published in March and June 2019

I use the word “oddly”, because one of the first thing FOIA practitioners and lawyers learn is that whether information is “held” for the purposes of FOIA turns on two situations – namely, whether

(a)it is held by the authority, otherwise than on behalf of another person, or

(b)it is held by another person on behalf of the authority.

If either of those applies, then information is held.

In this case, as Her Honour Judge Shanks realised very quickly, when the requester appealed the ICO decision to the First-tier Tribunal, surely a joint working manual, setting out “guidance on key processes and on jurisdictional and policy considerations which have been agreed by the two Ombudsmen”, would be held by both offices? And, if copies were not physically held by the PHSO, any copies physically held by the LGSCO would be held on behalf of the PHSO. Furthermore, HH Judge Shanks noted

Indeed, leaving aside any technical arguments I am puzzled as to why the PHSO did not just get hold of the documents from the LGSCO and pass them over to Mr McDougall, thereby saving a great deal of unnecessary time and expense.

The ICO has good guidance for public authorities on this very topic. Let’s hope they refer to it themselves in future similar cases.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Freedom of Information, Information Commissioner, Information Tribunal

HMG FOI “Clearing House” – infringing GDPR?

I’ve written a piece for OpenDemocracy questioning the legality of the government’s practice of circulating some FOI requesters’ names across all departments.

Leave a comment

Filed under Cabinet Office, Data Protection, Freedom of Information, transparency

ICO (bizarrely) suggests DPO conflict of interest is criminal offence

*UPDATE, 17.11.20: ICO has now “reissued” its FOI response, saying that there was an error in the original, and that section 31 (dealing, broadly, with prejudice to regulatory functions), rather than section 30, of FOIA applies. If this was a plain example of a typo, I would not have drawn attention, but the original response specifically showed that the author thought that criminality would arise in a case of DPO conflict of interest.

I would add two things. First, the exemption is still questionable in my view – I can’t see how disclosing whether organisations have been investigated regarding DPO conflicts (and if so, the numbers involved) could conceivably cause or be likely to cause prejudice to ICO’s regulatory functions. Second, I raised this, as NADPO chair, as a matter of concern with ICO, but, despite the withdrawal of the offending response, I have heard nothing yet. END UPDATE*

As chair of NADPO* (the National Association of Data Protection and Freedom of Information Officers) I’m understandably interested in information and news about data protection officers (DPOs). In particular, what the Information Commissioner’s Office (ICO) (as the regulatory body most DPOs will interact with) says on this subject will be especially notable.

When I saw that someone had made a Freedom of Information (FOI) request to the ICO about whether the latter had investigated or taken enforcement action against any controllers for reasons relating to potential conflict of interest regarding DPO positions, I was intrigued to see what the response would be (I knew no fines had been issued, but I wanted to know how many investigations might have taken place – indeed, I had blogged about the ICO’s own DPO role a few months previously).

However, the ICO’s response to the FOI request is, let’s say, odd. They have refused to disclose (in fact, have refused even to confirm or deny whether they hold) the requested information, citing the FOI exemption that applies to information held for the purposes of investigations into whether someone should be charged with a criminal offence: remarkably, the ICO seems to think that a conflict of interest such as envisaged by Article 38(6) of the General Data Protection Regulation (GDPR) would amount to a criminal offence – “it is likely that, if proven, an offence under the DPA [Data Protection Act 2018] may have been committed”. This cannot be the case though – there are no offence provisions under the DPA which come close to criminalising a potential conflict of interest regarding a DPO role, and it would be extraordinary if parliament had decided to make it an offence.

Why the ICO should suggest that there are such provisions is not at all clear, and – if it is not just a stray error – might indicate a rather worrying lack of understanding of both data protection and FOI law.

One final point to note – even the part of the FOI response which didn’t mistakenly assume criminal law provisions were engaged, said, in respect of the part of the request which asked for any information the ICO holds “to assist public authorities protect [sic] against a conflict of interest with the role of the DPO”, that staff at the ICO had been consulted and “there is no information held”. However, on the ICO’s website, in plain view, is guidance on the subject (admittedly not in any detail, but clearly in scope of this request).

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

*I notice that the cookie notice on the NADPO site has somehow slipped into error – I am on the blower to our webdev as we speak.

Leave a comment

Filed under Data Protection, Data Protection Act 2018, DPO, Freedom of Information, GDPR, Information Commissioner, Uncategorized

ICO tells ICO off for terrible FOI compliance

As any fule kno, a public authority has to comply with a Freedom of Information Act 2000 (FOIA) request within 20 working days. Where the authority fails to do so, the requester can ask the Information Commissioner’s Office (ICO) to issue a decision notice.

And so, here we have a newly published decision where the ICO is telling itself that it has overshot the twenty working day limit by almost seven months:

“it is clear that, in failing to issue a full response to this request within 20 working days, the ICO has breached section 10 of the FOIA.”

Unsurprisingly, the ICO doesn’t appear to be taking enforcement action against itself. Surprisingly, though, there seems to be no indication in the notice itself that this is an extraordinary, and extraordinarily poor, state of affairs.

I’d like to imagine this is single aberration, but it isn’t. On 12 March this year I also made a FOIA request to ICO, and I am still to get a (complete) answer. And only a couple of months ago ICO again had to rule against itself, after it took six months to respond to a request.

Leave a comment

Filed under Freedom of Information, Information Commissioner