Category Archives: Freedom of Information

December 19, 2014 · 4:03 pm

Hidden data in FOI disclosures

The Hackney Gazette reports that details of 15,000 residents have been published on the internet after Hackney Council apparently inadvertently disclosed the data when responding to a Freedom of Information (FOI) request made using the WhatDoTheyKnow site.

This is not the first time that such apparently catastrophic inadvertent disclosures have happened through WhatDoTheyKnow, and, indeed, in 2012 MySociety, who run the site, issued a statement following a similar incident with Islington Council. As that made clear

responses sent via WhatDoTheyKnow are automatically published online without any human intervention – this is the key feature that makes this site both valuable and popular

It is clearly the responsibility of the authorities in question to ensure that no hidden or exempt information is included in FOI disclosures via WhatDoTheyKnow, or indeed, in FOI disclosures in general. A failure to have appropriate organisational and technical safeguards in place can lead to enforcement action by the Information Commissioner’s Office for contraventions of the Data Protection Act 1998 (DPA): Islington ended up with a monetary penalty notice of £70,000 for their incident, which involved 2000 people. Although the number of data subjects involved is not the only factor the ICO will take into account when deciding what action to take, it is certainly a relevant one: 15000 affected individuals is a hell of a lot.

What concerns me is this sort of thing keeps happening. We don’t know the details of this incident yet, but with such large numbers of data subjects involved it seems likely that it will have involved some sort of dataset, and I would not be at all surprised if it involved purportedly masked or hidden data, such as in a pivot table [EDIT – I’m given to understand that this incident involved cached data in MS Excel]. Around the time of the Islington incident the ICO’s Head of Policy Steve Wood published a blog post drawing attention to the risks. A warning also takes the form of a small piece on a generic page about request handling, which says

take care when using pivot tables to anonymise data in a spreadsheet. The spreadsheet will usually still contain the detailed source data, even if this is hidden and not immediately visible at first glance. Consider converting the spreadsheet to a plain text format (such as CSV) if necessary.

This is fine, but does it go far enough? Last year I wrote on the Guardian web site, and called for greater efforts to be made to highlight the issue. I think that what I wrote then still holds

The ICO must work with the government to offer advice direct to chief executives and those reponsible for risk at councils and NHS bodies (and perhaps other bodies, but these two sectors are probably the highest risk ones). So far these disclosure errors do not appear to have led to harm to those individuals whose private information was compromised, but, without further action, I fear it is only a matter of time.

Time will tell whether this Hackney incident results in a finding of DPA contravention, and ICO enforcement, but in the interim I wish the word would get spread around about how to avoid disclosing hidden data in spreadsheets.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

3 Comments

Filed under Data Protection, Freedom of Information, Information Commissioner, monetary penalty notice

Tagged as , ,

December 19, 2014 · 10:46 am

The Twelve Days of FOI Christmas

For fans of contrived, awful-punning seasonal blog posts that take 20 times longer to write than you imagined when you started, I present…

On the first day of Xmas FOI revealed to me…cartridges for the army

On the second day of Xmas FOI revealed to me two turtle docs and cartridges for the army

On the third day of Xmas FOI revealed to me 3 pinched hens*, two turtle docs and cartridges for the army

On the fourth day of Xmas FOI revealed to me four NADPO nerds, 3 pinched hens, two turtle docs and cartridges for the army

On the fifth day of Christmas FOI revealed to me FIVE GOLD THINGS, four NADPO nerds, 3 pinched hens, two turtle docs and cartridges for the army

On the sixth day of Christmas FOI revealed to me Six Tree Inspections, FIVE GOLD THINGS, four NADPO nerds, 3 pinched hens, two turtle docs and cartridges for the army

On the seventh day of Christmas FOI revealed to me Seven Dons-a-Sinning, Six Tree Inspections, FIVE GOLD THINGS, four NADPO nerds, 3 pinched hens, two turtle docs and cartridges for the army

On the eighth day of Christmas FOI revealed to me Eight-year-olds Bilking, Seven Dons-a-Sinning, Six Tree Inspections, FIVE GOLD THINGS, four NADPO nerds, 3 pinched hens, two turtle docs and cartridges for the army

On the ninth day of Christmas FOI revealed to me Nine  Babies’ chances, Eight-year-olds Bilking, Seven Dons-a-Sinning, Six Tree Inspections, FIVE GOLD THINGS, four NADPO nerds, 3 pinched hens, two turtle docs and cartridges for the army

On the tenth day of Christmas FOI revealed to me Ten Lords-a-Judging, Nine Babies’ chances, Eight-year-olds Bilking, Seven Dons-a-Sinning, Six Tree Inspections, FIVE GOLD THINGS, four NADPO nerds, 3 pinched hens, two turtle docs and cartridges for the army

On the eleventh day of Christmas FOI revealed to me Eleven-plus deciding,Ten Lords-a-Judging, Nine Babies’ chances, Eight-year-olds Bilking, Seven Dons-a-Sinning, Six Tree Inspections, FIVE GOLD THINGS, four NADPO nerds, 3 pinched hens, two turtle docs and cartridges for the army

On the twelfth day of Christmas FOI revealed to me Twelve-Tonne Containers, Eleven-plus deciding,Ten Lords-a-Judging, Nine Babies’ chances, Eight-year-olds Bilking, Seven Dons-a-Sinning, Six Tree Inspections, FIVE GOLD THINGS, four NADPO nerds, 3 pinched hens, two turtle docs and cartridges for the army

*3 large maram hens, page 9, if you were wondering

Leave a comment

Filed under Freedom of Information, nonsense

Tagged as

December 15, 2014 · 2:58 pm

FOI disclosure of personal data: balancing of interests

In June this year I blogged about the case of AB v A Chief Constable (Rev 1) [2014] EWHC 1965 (QB). In that case, Mr Justice Cranston had held that, when determining whether personal data is being or has been processed “fairly” (pursuant to the first principle of Schedule One of the Data Protection Act 1998 (DPA))

assessing fairness involves a balancing of the interests of the data subject in non-disclosure against the public interest in disclosure [¶75]

I was surprised by this reading in of an interests balance to the first principle, and said so in my post. Better people than I disagreed, and I certainly am even less sure now than I was of the correctness of my view.

In any case, the binding authority of the High Court rather trumps my meanderings, and it is cited in a recent decision of the First-tier Tribunal (Information Rights) in support of a ruling that the London Borough of Merton Council must disclose, under the Freedom of Information Act 2000 (FOIA), an email sent to a cabinet member of that council by Stephen Hammond MP. The Tribunal, in overturning the decision of the Information Commissioner, considered the private interests of Mr Hammond, including the fact that he had objected to the disclosure, but felt that these did not carry much weight:

we do not consider anything in the requested information to be particularly private or personal and that [sic] this substantially weakens the weight of interest in nondisclosure…We accept that Mr Hammond has objected to the disclosure, which in itself carries some weight as representing his interests. However, asides from an expectation of a general principle of non-disclosure of MP correspondence, we have not been given any reason for this. We have been given very little from the Commissioner to substantiate why Members of Parliament would have an expectation that all their correspondence in relation to official work remain confidential

and balanced against these were the public interests in disclosure, including

no authority had been given for the statement [in the ICO’s decision notice] that MPs expect that all correspondence to remain confidential…[;]…withholding of the requested information was not compatible with the principles of accountability and openness, whereby MPs should subject themselves to public scrutiny, and only withhold information when the wider public interest requires it…[;]…the particular circumstances of this case [concerning parking arrangements in the applicant’s road] made any expectation of confidentiality unreasonable and strongly indicated that disclosure would be fair

The arguments weighed, said the Tribunal, strongly in favour of disclosure.

A further point fell to be considered, however: for processing of personal data to be fair and lawful (per the first data protection principle) there must be met, beyond any general considerations, a condition in Schedule Two DPA. The relevant one, condition 6(1) requires that

The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject

It has to be noted that “necessary” here in the DPA imports a human rights proportionality test and it “is not synonymous with ‘indispensable’…[but] it implies the existence of a ‘pressing social need'” (The Sunday Times v United Kingdom (1979) 2 EHRR 245). The Tribunal, in what effectively was a reiteration of the arguments about general “fairness”, accepted that the condition would be met in this case, citing the applicant’s arguments, which included the fact that

disclosure is necessary to meet the public interest in making public what Mr Hammond has said to the Council on the subject of parking in Wimbledon Village, and that as an elected MP, accountable to his constituents, disclosure of such correspondence cannot constitute unwarranted prejudice to his interests.

With the exception of certain names within the requested information, the Tribunal ordered disclosure.  Assessing “fairness” now, following Mr Justice Cranston, and not following me, clearly does involve balancing the interests of the data subject against the public interest in disclosure.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

1 Comment

Filed under Data Protection, Freedom of Information, Information Commissioner, Information Tribunal

Tagged as , , ,

December 9, 2014 · 12:42 pm

Making an FOI request to oneself…

Can the executive of a local authority make an FOI request to itself?

The Brighouse Echo reveals that Stephen Baines (no relation, of course), the Leader of Calderdale Council, resorted to submitting a Freedom of Information (FOI) request in exasperation, after apparently failing to get answers from officers at the Council

I asked officers on November 10 if there was there was any truth in these allegations [about officers ignoring warnings about the legality of a parking scheme], and I hadn’t received a reply, and last Friday I’d had enough – I finally lost it and put in a Freedom of Information request. It’s highly probable that I’m the first council leader to have done this, but I was just getting so frustrated.

But did he need to make an FOI request? In fact, could he even make an FOI request?

I would say that it is strongly arguable that in a council operating executive arrangements – as Calderdale does – under part 9C(3) of the Local Government Act 2000 (LGA 2000), whereby a Leader with a Leader-appointed Cabinet constitute the executive, the executive are deemed generally to be in control of information relating to the council’s functions. So in general terms, the Leader and Cabinet are “the Council”. Section 9D(3) of LGA 2000 provides that “any function of the local authority which is not specified in regulations…is to be the responsibility of an executive of the authority under executive arrangements” (the regulations in question are The Local Authorities (Functions and Responsibilities) (England) Regulations 2000 (as amended). Put another way, the executive are the ones who should take any decision on access to documents, rather than officers (other than officers who have had that decision delegated to them). The exceptions to this general principle would be where the documents relate to functions which are not the responsibility of the executive. Effectively, the executive will be the possessors/controllers of all council information for which the executive has the functional responsibility.

I feel bolstered in this suggestion by Part 5 of The Local Authorities (Executive Arrangements) (Meetings and Access to Information) (England) Regulations 2012. This gives “Additional rights of [access of] members of the local authority and of members of overview and scrutiny committees” and sections 16 and 17 talk in terms of the right of a member, or a member of an overview and scrutiny committee, to inspect certain documents which are “in the possession or under the control of the executive of a local authority”. No interpretative guide is given to what “in the possession or under the control of the executive of a local authority” means, but it is clear that there must be a category of documents which are “in the possession or under the control of the executive of a local authority”. That being the case, one might ask “which documents are not ‘in the possession or under the control of the executive of a local authority’?” To which I am tempted to answer “those which do not relate to the functions for which the executive has responsibility”.

So, if it is, for instance, a function of a local authority to provide library services (section 7 of the Public Libraries and Museums Act 1964).  This function is the responsibility of the executive (because regulations do not specify otherwise). Delivery of the function will normally be by delegation to officers, but I cannot see how those officers, or others, could then restrict a member of the executive from seeing a document relating to the exercise of executive functions. And if, as I understand is the case, civil enforcement of parking contraventions is also an executive functions (surely delegated to officers) one wonders also if officers can restrict a Leader from seeing a document relating to the exercise of that specific function.

So, my argument goes, a leader of a council cannot make an FOI request to the council for information about the exercise of an executive functions, because in that regard he is the council. Comments welcomed!

And n.b. I have not even begun to consider where a councillor’s, or a leader’s, common law right to know fits in to this…

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

6 Comments

Filed under Freedom of Information, local government

Tagged as ,

December 6, 2014 · 7:47 am

ICO confirm they are considering enforcement action over #samaritansradar app

FOI response from ICO refuses disclosure of correspondence with Samaritans because it could prejudice ongoing investigations

On 12 November I asked the Information Commissioner’s Office to disclose to me, under the Freedom of Information Act (FOIA) information relating to their assessment of the legality of the “Samaritans Radar” app (see blog posts passim).

The ICO have now responded to me, refusing to disclose because of the FOIA exemption for “law enforcement”. As the ICO say

The exemption at section 31(1)(g) of the FOIA refers to circumstances
where the disclosure of information “would, or would be likely to,
prejudice – … the exercise by any public authority of its functions for
any of the purposes specified in subsection (2).”

The purposes referred to in sections 31(2)(a) and (c) are –

“(a) the purpose of ascertaining whether any person has failed to comply
with the law” and

“(c) the purpose of ascertaining whether circumstances which would
justify regulatory action in pursuance of any enactment exist or may arise
…”

Clearly, these purposes apply when the Information Commissioner is
considering whether or not an organisation has breached the Data Protection Act

But the exemption is subject to a public interest test, and the ICO acknowledge that there is public interest in the matter, particularly in how Samaritans have responded to their enquiries. Nonetheless, as the investigation is ongoing, and as no decision has apparently been made about whether enforcement action should be taken, the balance in the public interest test falls on the side of non-disclosure.

The question of potential enforcement action is an interesting one. Although the ICO have power to serve monetary penalty notices (to a maximum of £500,000) they can also issue enforcement notices, requiring organisations (who are data controllers, as I maintain Samaritans were for the app) to cease or not begin processing personal data for specific purposes. They also can ask data controllers to sign undertakings to take or not take specific action. This is of interest because Samaritans have indicated that they might want to launch a reworked version of the app.

It is by no means certain that enforcement action will result – the ICO are likely to be reluctant to enforce against a generally admirable charity – but the fact that it is being considered is in itself of interest.

The ICO acknowledge that the public interest in maintaining this particular exemption wanes once the specific investigation has been completed. Consequently I have asked them, outwith FOIA, to commit to disclosing this information proactively once the investigation has finished. They have no obligation to do so, but it would be to the benefit of public transparency, which their office promotes, if they did.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

3 Comments

Filed under Data Protection, enforcement, Freedom of Information, Information Commissioner

November 26, 2014 · 7:42 pm

Does Simon Hughes really want to receive FOI complaints?

At an event on the evening of 26 November, to celebrate (slightly early) the ten year anniversary of the Freedom of Information Act 2000 (FOIA) the Minister of State for Justice and Civil Liberties, Simon Hughes, appeared to offer to take on part of the Information Commissioner’s regulatory role.

The event, hosted at the RSA by the Commissioner himself, brought together a panel of FOIA luminaries consisting of Deputy Information Commissioner Graham Smith, the BBC’s Martin Rosenbaum, Scottish Information Commissioner Rosemary Agnew and Hughes himself. In response to a question from the floor about the considerable delays and obstructiveness by certain public authorities in dealing with FOIA requests, Hughes invited people to send him examples, so that he could start to compile data on compliance (of the sort already being compiled by Agnew’s office).

Astute eyebrows at the event (and possibly on the panel) were raised: dealing with miscreant public authorities is a role clearly assigned to the Information Commissioner. For the Minister to invite complaints seems to be to risk usurping that role. One wonders if he knows what he’s let himself in for.

7 Comments

Filed under FOISA, Freedom of Information, Information Commissioner, Ministry of Justice

November 17, 2014 · 4:59 pm

Do your research. Properly

Campaigning group Big Brother Watch have released a report entitled “NHS Data Breaches”. It purports to show the extent of such “breaches” within the NHS. However it fails properly to define its terms, and uses very questionable methodology. I think, most worryingly, this sort of flawed research could lead to a reluctance on the part of public sector data controllers to monitor and record data security incidents.

As I checked my news alerts over a mug of contemplative coffee last Friday morning, the first thing I noticed was an odd story from a Bedfordshire news outlet:

Bedford Hospital gets clean bill of health in new data protection breach report, unlike neighbouring counties…From 2011 to 2014 the hospital did not breach the data protection act once, unlike neighbours Northampton where the mental health facility recorded 346 breaches, and Cambridge University Hospitals which registered 535 (the third worst in the country).

Elsewhere I saw that one NHS Trust had apparently breached data protection law 869 times in the same period, but many others, like Bedford Hospital had not done so once. What was going on – are some NHS Trusts so much worse in terms of legal compliance than others? Are some staffed by people unaware and unconcerned about patient confidentiality? No. What was going on was that campaigning group Big Brother Watch had released a report with flawed methodology, a misrepresentation of the law and flawed conclusions, which I fear could actually lead to poorer data protection compliance in the future.

I have written before about the need for clear terminology when discussing data protection compliance, and of the confusion which can be caused by sloppiness. The data protection world is very found of the word “breach”, or “data breach”, and it can be a useful term to describe a data security incident involving compromise or potential compromise of personal data, but the confusion arises because it can also be used to describe, or assumed to apply to, a breach of the law, a breach of the Data Protection Act 1998 (DPA). But a data security incident is not necessarily a breach of a legal obligation in the DPA: the seventh data protection principle in Schedule One requires that

Appropriate technical and organisational measures shall be taken [by a data controller] against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data

And section 4(4) of the DPA obliges a data controller to comply with the Schedule One data protection principles. This means that when appropriate technical and organisational measures are taken but unauthorised or unlawful processing, or accidental loss or destruction of, or damage to, personal data nonetheless occurs, the data controller is not in breach of its obligations (at least under the seventh principle). This distinction between a data security incident, and a breach, or contravention, of legal obligations, is one that the Information Commissioner’s Office (ICO) itself has sometimes failed to appreciate (as the First-tier Tribunal found in the Scottish Borders Council case EA/2012/0212). Confusion only increases when one takes into account that under The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) which are closely related to the DPA, and which deal with data security in – broadly – the telecoms arena, there is an actual legislative provision (regulation 2, as amended) which talks in terms of a “personal data breach”, which is

a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service

and regulation 5A obliges a relevant data controller to inform the ICO when there has been a “personal data breach”. It is important to note, however, that a “personal data breach” under PECR will not be a breach, or contravention, of the seventh DPA data protection principle, provided the data controller took appropriate technical and organisational to safeguard the data.

Things get even more complex when one bears in mind that the draft European General Data Protection Regulation proposes a similar approach as PECR, and defines a “personal data breach” in similar terms as above (simply removing the words “in connection with the provision of a public electronic communications service“).

Notwithstanding this, the Big Brother Watch report is entitled “NHS Data Breaches”, so one would hope that it would have been clear about its own terms. It has led to a lot of coverage, with media outlets picking up on headline-grabbing claims of “7225 breaches” in the NHS between 2011 and 2014, which is the equivalent to “6 breaches a day”. But when one looks at the methodology used, serious questions are raised about the research. It used Freedom of Information requests to all NHS Trusts and Bodies, and the actual request was in the following terms

1. The number of a) medical personnel and b) non-medical personnel that have been convicted for breaches of the Data Protection Act.

2. The number of a) medical personnel and b) non-medical personnel that have had their employment terminated for breaches of the Data Protection Act.

3. The number of a) medical personnel and b) non-medical personnel that have been disciplined internally but have not been prosecuted for breaches of the Data Protection Act.

4. The number of a) medical personnel and b) non-medical personnel that have resigned during disciplinary procedures.

5. The number of instances where a breach has not led to any disciplinary action.

The first thing to note is that, in broad terms, the only way that an individual NHS employee can “breach the Data Protection Act” is by committing a criminal offence under section 55 of unlawfully obtaining personal data without the consent of the (employer) data controller. All the other relevant legal obligations under the DPA are ones attaching to the NHS body itself, as data controller. Thus, by section 4(4) the NHS body has an obligation to comply with the data protection principles in Schedule One of the DPA, not individual employees. And so, except in the most serious of cases, where an employee acts without the consent of the employer to unlawfully obtain personal data, individual employees, whether medical or non-medical personnel, cannot as a matter of law “breach the Data Protection Act”.

One might argue that it is easy to infer that what Big Brother Watch meant to ask for was information about the number of times when actions of individual employees meant that their employer NHS body had breached its obligations under the DPA, and, yes, that it probably what was meant, but the incorrect terms and lack of clarity vitiated the purported research from the start. This is because NHS bodies have to comply with the NHS/Department of Health Information Governance Toolkit. This toolkit actually requires NHS bodies to record serious data security incidents even where those incidents did not, in fact, constitute a breach of the body’s obligations under the DPA (i.e. incidents might be recorded which were “near misses” or which did not constitute a failure of the obligation to comply with the seventh, data security, principle).

The results Big Brother Watch got in response to their ambiguous and inaccurately termed FOI request show that some NHS bodies clearly interpreted it expansively, to encompass all data security incidents, while others – those with zero returns in any of the fields, for instance – clearly interpreted it restrictively. In fact, in at least one case an NHS Trust highlighted that its return included “near misses”, but these were still categorised by Big Brother Watch as “breaches”.

And this is not unimportant: data security and data protection are of immense importance in the NHS, which has to handle huge amounts of highly sensitive personal data, often under challenging circumstances. Awful contraventions of the DPA do occur, but so too do individual and unavoidable instances of human error. The best data controllers will record and act on the latter, even though they don’t give rise to liability under the DPA, and they should be applauded for doing so. Naming and shaming NHS bodies on the basis of such flawed research methodology might well achieve Big Brother Watch’s aim of publicising its call for greater sanctions for criminal offences, but I worry that it might lead to some data controllers being wary of recording incidents, for fear that they will be disclosed and misinterpreted in the pursuit of questionable research.

1 Comment

Filed under Data Protection, Freedom of Information, Information Commissioner, NHS

Tagged as , , , ,

October 22, 2014 · 4:58 pm

Upper Tribunal rules on complying “promptly” with an FOI request

The Upper Tribunal has ruled on what “promptly” means in the FOI Act. The answer’s no surprise, but it’s helpful to have binding authority

The Freedom of Information Act 2000 (FOIA) demands that a public authority must (subject to the application of exemptions) provide information to someone who requests it within twenty working days. But it goes a bit further than that, it says (at section 10(1))

a public authority must comply…promptly and in any event not later than the twentieth working day following the date of receipt

But what does “promptly” mean in this context? This issue has recently been considered by the Upper Tribunal, in John v ICO & Ofsted 2014 UKUT 444 AAC. Matters before the Information Commissioner (IC) and the First-tier Tribunal (FTT) had turned on when the initial request for information had been made and responded to. The IC held that Ofsted had failed to respond within twenty working days, and Ofsted appealed this. Mr John argued before the FTT that although the IC had found in his favour to the extent that it held that Ofsted had failed to respond within twenty working days, it had failed to deal with the issue of whether Ofsted had responded promptly. The FTT found in Ofsted’s favour, but did not, Upper Tribunal Judge Jacobs observed, deal with Mr John’s argument on promptness. That was an error of law, which Judge Jacobs was able to remedy by considering the issue himself.

“Promptly” he observed, has a range of dictionary meanings, some of which relate more to attitude (“willingly”, or “unhesitatingly”) and others more to time (“immediate”, or “without delay”). The context of section 10(1) of FOIA “is concerned with time rather than attitude, although the latter can have an impact on the former”. It is clear though that “promptly” does not mean, in the FOIA context, “immediately” (that, said Judge Jacobs, would be “unattainable”) but is more akin to “without delay”:

There are three factors that control the time that a public authority needs to respond. First, there are the resources available to deal with requests. This requires a balance between FOIA applications and the core business of the authority. Second, it may take time to discover whether the authority holds the information requested and, if it does, to extract it and present it in the appropriate form. Third, it may take time to be sure that the information gathered is complete. Time spent doing so, is not time wasted.

What is particularly interesting is that Judge Jacobs shows a good understanding of what the process for dealing with FOIA requests might be within Ofsted, and, by extension, other public authorities:

A FOIA request would have to be registered and passed to the appropriate team. That team would then have to undertake the necessary research to discover whether Ofsted held the information requested or was able to extract it from information held. The answer then had to be composed and approved before it was issued.

In the instant case all this had been done within twenty working days:

I regard that as prompt within the meaning and intendment of the legislation. Mr John has used too demanding a definition of prompt and holds an unrealistic expectation of what a public authority can achieve and is required to achieve in order to comply with section 10(1).

This does not mean, however, that it might not be appropriate in some cases to enquire into how long an authority took to comply.

The Upper Tribunal’s opinion accords with the approach taken in 2009 by the FTT, when it held that

The plain meaning of the language of the statute is that requests should be responded to sooner than the 20 working days deadline, if it is reasonably practicable to do so. (Gradwick v IC & Cabinet Office EA/2010/0030)

It also accords with the IC’s approach in guidance and decision notices under FOIA, and its approach under the Environmental Information Regulations 2004 (where the requirement is that “information shall be made available…as soon as possible and no later than 20 working days”).

Most FOI officers will greet this judgment as a sensible and not unexpected one, which acknowledges the administrative procedures that are involved in dealing with FOIA requests. Nonetheless, as a binding judgment of an appellate court, it will be helpful for them to refer to it when faced with a requester demanding a response quicker than is practicable.

Appeals and Cross Appeals

A further issue determined by the Upper Tribunal concerned what should happen if both parties to a decision notice disagree with some or all of its findings and want to appeal, or at least raise grounds of appeal: must there be an appeal and cross-appeal, or can the respondent party raise issues in an appeal by the other party? Judge Jacobs ruled, in a comprehensive a complex analysis that merits a separate blog post (maybe on Panopticon?), that “although cross-appeals are permissible, they are not necessary”

 

 

2 Comments

Filed under Environmental Information Regulations, Freedom of Information, Information Commissioner, Information Tribunal, Upper Tribunal

Tagged as ,

September 29, 2014 · 2:47 pm

Information-chairing

The MPs’ expenses scandal invigorated freedom of information in the UK. For one wood-carver in particular, it appears also to have moved him to furniture-making excellence. On 28 September the Antiques Roadshow, on an outing to Kirby Hall in Northamptonshire, featured the unnamed craftsman and his creation – a chair engraved with the words “The Freedom of Information Act” and with carvings of Gordon Brown, David Cameron, Nick Clegg, The Daily Telegraph…and a duckhouse.

Untitled2

The rather magnificent chair, which took 500 hours to create, was valued at anywhere between £2,000 and £10,000 “and upwards”.Untitled

As expert Paul Atterbury suggested, perhaps its most appropriate home would be somewhere in the Palace of Westminster, to serve as a perpetual reminder to MPs.

(The programme is available, in the UK at least, on BBC iPlayer, until 4 October. Relevant extracts are at 17:54 to 19:05 and 29:23 to 34:39 minutes).

Leave a comment

Filed under Freedom of Information

Tagged as

August 22, 2014 · 4:05 pm

The Savile Tapes – ICO says request for audio was vexatious

There is no index of character so sure as the voice – Benjamin Disraeli, Tancred

In October 2013 Surrey Police disclosed, in response to a request made under the Freedom of Information Act 2000 (FOIA) the transcripts of police interviews (under caution) of Jimmy Savile. The Information Commissioner’s Office ICO) has now ruled on a related request, which was for the actual audio recordings of the same interview, and, rather surprisingly, the ICO has agreed with the Police that they did not have to comply with the request, on the grounds that it was vexatious.

Until relatively recently it was difficult to rely on section 14(1) of FOIA (“a public authority [need not] comply with a request for information if the request is vexatious”) simply because the costs burden of dealing with it was too great. The ICO’s guidance did advise that one of the factors to bear in mind when considering whether a request was vexatious was “Would complying with the request impose a significant burden in terms of expense and distraction?”, but in general, for a public authority to refuse to comply with a FOIA request because of the costs, it had to be able to claim that the cost of compliance exceeded the appropriate limit (section 12 FOIA). However, a decision of the First-tier Tribunal (FTT) in 2012 appeared to shift the ground somewhat. Although FTTs’ decisions are not precedent, it was notable that a public authority (the IPCC in this case) was said to be entitled to rely on section 14(1) on the basis that

A request may be so grossly oppressive in terms of the resources and time demanded by compliance as to be vexatious, regardless of the intentions or bona fides of the requester. If so, it is not prevented from being vexatious just because the authority could have relied instead on s.12

As the always-excellent Pantopticon blog said at the time

This will be welcomed by those who find themselves unable to rely on section 12 due to the restricted list of activities which can be taken into account for cost purposes

but the context in that particular case meant that, in fact, the intentions and bona fides of the requester were relevant

The present requests were, in our opinion, not just burdensome and harassing but furthermore wholly unreasonable and of very uncertain purpose and dubious value…We are by no means convinced of [the requester’s] good faith in making it

In the leading case on section 14(1) – IC v Dransfield [2012] UKUT 440 (AAC) – Wikeley J said that it was helpful, when considering whether a FOIA request is vexatious, to consider four “broad issues or themes”

(1) the burden (on the public authority and its staff); (2) the motive (of the requester); (3) the value or serious purpose (of the request) and (4) any harassment or distress (of and to staff)

but that ultimately, the test amounts to

is the request vexatious in the sense of being a manifestly unjustified, inappropriate or improper use of FOIA?

The ICO’s guidance, amended in light of Dransfield reframes this slightly and says that the

the key question a public authority must ask itself is whether the request is likely to cause a disproportionate or unjustified level of disruption, irritation or distress

The ICO draws on this guidance in the Savile decision, but, notably, appears to give considerable credence to the police’s evidence regarding the disruption – the burden – that redacting the audio of the interviews would cause, but does not appear to have interrogated this assertion in any depth. Moreover, the ICO notes its lack of expert knowledge on the subject of redaction, but nothing (other than, presumably, limited resources) prevented it from consulting an expert. Given that this appears to have been the primary evidence for the finding of vexatiousness (the ICO accepted that the requester’s motives were not intended to cause disruption or harassment) and given that the ICO accepted that there was a “qualitative difference” between the written transcripts and the audio (“The speed, volume, expressiveness and intonation of the actual speech may be considered to shed more light on how Savile responded to what was put to him in the interview”) it is difficult to see how the ICO decided that request could have been vexatious, rather than just of a level of annyoance and disruption it accepts a public authority must absorb. The request, using Wikeley J’s formulation, was not improper, it was not inappropriate – and was it really, therefore, a “manifestly unjustified use of FOIA”?

One hopes the bar of vexatiousness has not been lowered too far.

 

31 Comments

Filed under Freedom of Information, Information Commissioner, police, vexatiousness

Tagged as , , ,