Category Archives: Freedom of Information

FOI 101 on “held”

I note that the First-tier Tribunal has recently had to school the Information Commissioner’s Office (ICO) on one of the real basics of the Freedom of Information Act (FOIA).

A request had been made to the Parliamentary and Health Service Ombudsman (PHSO) for past versions of a Joint Working Team (JWT) Manual setting out how the PHSO and the Local Government and Social Care Ombudsman (LGSCO) should work together. Rather oddly, the PHSO searched for these, and couldn’t find them. More oddly, the PHSO decided that this meant that it didn’t “hold” the information, for the purposes of FOIA (and directed the requester to LGSCO). Even more oddly, the ICO then upheld the PHSO’s refusal, saying

Copies of the JWT manuals are stored on the LGSCO website and the PHSO argue that it has no control over the production of the manual. The Commissioner is therefore satisfied that the PHSO do not hold copies of the JWT manuals published in March and June 2019

I use the word “oddly”, because one of the first thing FOIA practitioners and lawyers learn is that whether information is “held” for the purposes of FOIA turns on two situations – namely, whether

(a)it is held by the authority, otherwise than on behalf of another person, or

(b)it is held by another person on behalf of the authority.

If either of those applies, then information is held.

In this case, as Her Honour Judge Shanks realised very quickly, when the requester appealed the ICO decision to the First-tier Tribunal, surely a joint working manual, setting out “guidance on key processes and on jurisdictional and policy considerations which have been agreed by the two Ombudsmen”, would be held by both offices? And, if copies were not physically held by the PHSO, any copies physically held by the LGSCO would be held on behalf of the PHSO. Furthermore, HH Judge Shanks noted

Indeed, leaving aside any technical arguments I am puzzled as to why the PHSO did not just get hold of the documents from the LGSCO and pass them over to Mr McDougall, thereby saving a great deal of unnecessary time and expense.

The ICO has good guidance for public authorities on this very topic. Let’s hope they refer to it themselves in future similar cases.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Freedom of Information, Information Commissioner, Information Tribunal

HMG FOI “Clearing House” – infringing GDPR?

I’ve written a piece for OpenDemocracy questioning the legality of the government’s practice of circulating some FOI requesters’ names across all departments.

Leave a comment

Filed under Cabinet Office, Data Protection, Freedom of Information, transparency

ICO (bizarrely) suggests DPO conflict of interest is criminal offence

*UPDATE, 17.11.20: ICO has now “reissued” its FOI response, saying that there was an error in the original, and that section 31 (dealing, broadly, with prejudice to regulatory functions), rather than section 30, of FOIA applies. If this was a plain example of a typo, I would not have drawn attention, but the original response specifically showed that the author thought that criminality would arise in a case of DPO conflict of interest.

I would add two things. First, the exemption is still questionable in my view – I can’t see how disclosing whether organisations have been investigated regarding DPO conflicts (and if so, the numbers involved) could conceivably cause or be likely to cause prejudice to ICO’s regulatory functions. Second, I raised this, as NADPO chair, as a matter of concern with ICO, but, despite the withdrawal of the offending response, I have heard nothing yet. END UPDATE*

As chair of NADPO* (the National Association of Data Protection and Freedom of Information Officers) I’m understandably interested in information and news about data protection officers (DPOs). In particular, what the Information Commissioner’s Office (ICO) (as the regulatory body most DPOs will interact with) says on this subject will be especially notable.

When I saw that someone had made a Freedom of Information (FOI) request to the ICO about whether the latter had investigated or taken enforcement action against any controllers for reasons relating to potential conflict of interest regarding DPO positions, I was intrigued to see what the response would be (I knew no fines had been issued, but I wanted to know how many investigations might have taken place – indeed, I had blogged about the ICO’s own DPO role a few months previously).

However, the ICO’s response to the FOI request is, let’s say, odd. They have refused to disclose (in fact, have refused even to confirm or deny whether they hold) the requested information, citing the FOI exemption that applies to information held for the purposes of investigations into whether someone should be charged with a criminal offence: remarkably, the ICO seems to think that a conflict of interest such as envisaged by Article 38(6) of the General Data Protection Regulation (GDPR) would amount to a criminal offence – “it is likely that, if proven, an offence under the DPA [Data Protection Act 2018] may have been committed”. This cannot be the case though – there are no offence provisions under the DPA which come close to criminalising a potential conflict of interest regarding a DPO role, and it would be extraordinary if parliament had decided to make it an offence.

Why the ICO should suggest that there are such provisions is not at all clear, and – if it is not just a stray error – might indicate a rather worrying lack of understanding of both data protection and FOI law.

One final point to note – even the part of the FOI response which didn’t mistakenly assume criminal law provisions were engaged, said, in respect of the part of the request which asked for any information the ICO holds “to assist public authorities protect [sic] against a conflict of interest with the role of the DPO”, that staff at the ICO had been consulted and “there is no information held”. However, on the ICO’s website, in plain view, is guidance on the subject (admittedly not in any detail, but clearly in scope of this request).

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

*I notice that the cookie notice on the NADPO site has somehow slipped into error – I am on the blower to our webdev as we speak.

Leave a comment

Filed under Data Protection, Data Protection Act 2018, DPO, Freedom of Information, GDPR, Information Commissioner, Uncategorized

ICO tells ICO off for terrible FOI compliance

As any fule kno, a public authority has to comply with a Freedom of Information Act 2000 (FOIA) request within 20 working days. Where the authority fails to do so, the requester can ask the Information Commissioner’s Office (ICO) to issue a decision notice.

And so, here we have a newly published decision where the ICO is telling itself that it has overshot the twenty working day limit by almost seven months:

“it is clear that, in failing to issue a full response to this request within 20 working days, the ICO has breached section 10 of the FOIA.”

Unsurprisingly, the ICO doesn’t appear to be taking enforcement action against itself. Surprisingly, though, there seems to be no indication in the notice itself that this is an extraordinary, and extraordinarily poor, state of affairs.

I’d like to imagine this is single aberration, but it isn’t. On 12 March this year I also made a FOIA request to ICO, and I am still to get a (complete) answer. And only a couple of months ago ICO again had to rule against itself, after it took six months to respond to a request.

Leave a comment

Filed under Freedom of Information, Information Commissioner

Met – FOI requester’s focus on police misconduct was a “vexatiousness” factor

I regularly criticise the Information Commissioner’s Office on this blog. But credit where it’s due. They have upheld a complaint about the Met Police’s handling of a Freedom of Information Act 2000 (FOIA) request, in which the Met, remarkably, had argued that the request for information about police officers stopping people without cause and asking for their ID was vexatious (per section 14(1) of FOIA).

Clearly, there was some history to the request and the requester, and in line with authority, the Met were entitled to take this into account at arriving at their (now overturned) decision. But, as the decision notice points out, one of the factors which they said pointed towards vexatiousness was this:

Complainant’s focus upon police misconduct and/or related issues

I’ll say that again

Complainant’s focus upon police misconduct and/or related issues

Yes, the Met did indeed argue that a focus by a FOIA requester on police misconduct was a factor which led them to believe there was a pattern of behaviour which made this request (about stopping people without cause and asking for their ID) vexatious.

So well done ICO for dismissing that argument.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Freedom of Information, Information Commissioner, police

Upper Tribunal on enforcement of First-tier Tribunal FOIA decisions

What happens if a public authority does not comply with steps specified in a decision notice issued by the Information Commissioner under the Freedom of Information Act 2000 (FOIA)? Assuming that no appeal is brought by the authority, then section 54 of FOIA provides that, in such circumstances, the Commissioner may (not “must” – this is a power, not a duty) certify in writing to the High Court (or, in Scotland, the Court of Session) that the authority has failed to comply with that notice, and the court may (after inquiring into the matter) deal with the authority as if it had committed a contempt of court.

This much is, relatively, straightforward, but what happens if the Commissioner’s decision notice doesn’t specify steps the public authority should take – for instance (and most normally) where the Commissioner doesn’t uphold a complaint by the requester, and the latter appeals to the First-tier Tribunal (FTT), with the FTT subsequently upholding the appeal,  substituting its own decision for that of the Commissioner, and itself specifying steps to be taken by the public authority? In those circumstances, who is responsible for (or at least has the power of) enforcement of those steps? Is it the Commissioner, or the FTT itself?

This is not a hypothetical question – the FTT will frequently disagree with the Commissioner – sometimes, of course upholding an appeal by the public authority, but at other times upholding a requester’s appeal, and ordering the public authority to take steps which were not originally specified by the Commissioner. 

The answer, says the Upper Tribunal, in Information Commissioner v Moss and the Royal Borough of Kingston upon Thames [2020] UKUT 174 (AAC), is that it is for the FTT to enforce, on the (slightly circular sounding) grounds that it has the power to do so, and the Commissioner doesn’t.

The FTT’s power to enforce emanates from paragraph 61(4) of FOIA, which provides that where a person fails to do something, in relation to proceedings before the FTT on an appeal, and if those proceedings were (instead) proceedings before a court which had a power to commit for contempt, and the failure would constitute contempt (such as failing to comply with steps in a substituted decision) the FTT may certify the offence to the Upper Tribunal (in Moss, which related to matters before section 61 was amended by the Data Protection Act 2018, the power was to certify to the High Court, but nothing turns on this).

By contrast, for the Commissioner to control the enforcement of the FTT’s decision would be to offend the “fundamental constitutional principle” as enunciated by Lord Neuberger (in R (Evans) v Attorney General [2015] AC 1787 – also a FOIA case, of course) that “a decision of a court is binding as between the parties, and cannot be ignored or set aside by anyone” (including, one might add, by the Commissioner, upon exercise of her power (not, remember, her duty) to enforce her own decisions by certifying to the High Court).

In Moss Upper Tribunal Judge Jacobs did not have to decide who is responsible for enforcing a decision notice if the FTT dismisses an appeal against it (i.e. where the Commissioner’s original decision, and any specified and required steps are unchanged). He merely noted that “there is authority that, even if an appeal against a decision is dismissed, it thereafter derives its authority from the tribunal’s decision” (which to me, looks like strong obiter indication that he would have, if required to do so, found that the FTT, and not the Commissioner, would also have the enforcement power in those circumstances).

I can recall (purely anecdotally) occasions where successful appellants to the FTT have bemoaned subsequent failure by public authorities promptly to take the steps specified by the FTT in its decision. The position now seems clear – if those steps need enforcement to make them happen, it is to the FTT that the aggrieved requester should turn.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Freedom of Information, Information Commissioner, Information Tribunal, Upper Tribunal

Heathrow is public authority under EIRs, says ICO

A post by me on the Mishcon de Reya website, on a recent ICO decision holding that Heathrow Airports Ltd is subject to the Environmental Information Regulations 2004.

Leave a comment

Filed under access to information, Environmental Information Regulations, Freedom of Information, Information Commissioner

Open by Design, Closed by Default?

The Information Commissioner’s Office (ICO) have published their new access to information strategy. Something strikes me about their “Goal #2”:

Goal #2: Providing excellent customer service to individuals making requests to us and lead by example in fulfilling our own statutory functions

The thing strikes me is that, bizarrely, they seem to have misunderstood the goal they’ve set themselves (I nearly referred to it as their “own goal”, which has a bit of a ring about it). They say

We have a varied range of individuals who request an independent review from us and a diverse range of public authorities within our jurisdiction from large central government departments to very small parish councils.

What they don’t say is “we are a public authority, subject to the Freedom of Information Act, and have to comply with its timescales, and promote observance of it by example”.

And, unfortunately, there is much evidence recently of a failure to do this.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Freedom of Information, Information Commissioner, transparency

ICO still breaching law it’s meant to oversee

A month ago I pointed out some rather concerning  failings by the Information Commissioner’s Office (ICO) in its own compliance with Freedom of Information (FOI) law. At the time, the ICO press office told me

We acknowledge that we have fallen short of expectations in these instances but can confirm that the responses to both requests will be issued soon

It’s with some incredulity, therefore, that I see that one of the requests has still not been responded to, despite a further twenty working days having elapsed, and despite the (even greater) incredulity of the requester:

You have missed your own deadline, months after you should have answered this request. Your inability to answer a simple FOI promptly would be a disgrace if you were a local council. The fact that you are the FOI regulator makes your handling of my request a scandal.

I am utterly powerless here – I cannot complain to the regulator about your contempt for FOI because you are supposed to be the organisation I would complain to. Do you have no shame at all? No self respect?

What am I supposed to do now?

The other request I highlighted at the time has had a response, albeit one that was cursory, to say the best, and which is now the subject of a request for internal review.

My own request for the ICO’s compliance figures is now the subject of a formal complaint (with a request for a decision notice under section 50 of the FOI Act), although I am told that there will be, er, a delay in getting to it.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Freedom of Information, Information Commissioner, transparency

ICO breaching the law it’s meant to oversee

This may be complete coincidence, but on the WhatDoTheyKnow website, there are two Freedom of Information (FOI) requests, on similar themes, which requesters have made to the Information Commissioner’s Office (ICO), to which – at the time of writing – the ICO appears simply to be failing to respond, way beyond the statutory timescale of 20 working days.

Both requests are about procurement of external consultants. In the first, the requester asked

Please disclose all current agreements for provision of legal services by outside bodies such as barristers chambers, law firms etc. This should include the rates of pay agreed.

The request was made on the 19th February and more than three months on, has simply had no response (other than an automated acknowledgment).

In the second the (different) requester asked

how many times the Information Commissioner’s Office has engaged consultants, companies or other specialists to deliver services to the ICO without putting the work out to tender or otherwise advertising the opportunity externally

That request was made on the 26th February and, barring some holding responses, which seem to have dried up, it has had no substantive response.

The failure to respond is concerning, and the failure to communicate inexplicable. One wonders where the reluctance comes from.

My own recent experience of making FOI requests to them indicates a less-than-ideal level of compliance with the laws the ICO is meant to regulate. However, when, some time ago, I asked the ICO for compliance figures, they refused to disclose them, saying they would be published soon. Yet approximately six months on they still haven’t done so (which is not in compliance with the best-practice requirements of the section 45 FOI Code of Practice).

I offered the ICO an invitation to comment on this blogpost, and in response a spokesperson said: “We aim to resolve 95% of information requests within the statutory deadline, unless we have sought an extension. We acknowledge that we have fallen short of expectations in these instances but can confirm that the responses to both requests will be issued soon.” No comment was made on the wider point about compliance, and publication of compliance statistics. (I would also make the observation that it’s rather surprising ICO only aims to respond to 95% of requests within the statutory deadline – surely they would (and should) aim to respond to 100% within the timeframe mandated by the law?)

I’ve previously expressed concern about the ICO’s unwillingness to take enforcement action against recalcitrant, if not contemptuous, public authorities for poor FOI compliance. Elizabeth Denham has recently (and unsuccessfully) called for an extension of FOI law, saying

Part of my job is to make sure that the legislation my office regulates fulfils its objectives and remains relevant. When it does not, I will speak out

Will she also speak out about the fact that her office is not itself complying with the legislation it regulates?

The views in this post (and indeed all posts on this blog, unless they indicate otherwise) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Freedom of Information, Information Commissioner, transparency