Category Archives: Freedom of Information

February 10, 2012 · 2:30 pm

Transparent as mud

Our Prime Minister is committed to transparency in government. In June 2010 he set up a Public Sector Transparency Board containing some of the great and good in the field of open data and transparency: you’d struggle to pick better people than Tom Steinberg, Nigel Shadbolt, Rufus Pollock and Tim Berners-Lee (I’m not hyperlinking him – if you don’t know who he is then find out who invented hyperlinks). The Board is chaired by Francis Maude, Minister for the Cabinet Office, who has written – at the same time as he was lambasting Tony Blair’s dispiriting comments on freedom of information –  that

If I ever sit down to write my own memoirs, freeing up government information will not number amongst my regrets. In fact, I very much hope that it will be one of my very proudest achievements.

Mr Cameron seems to feel the same way:

In the years to come, people will look back at the days when government kept all its data – your data – in vaults and think how strange it was that the taxpayers – the people who actually own all this – were locked out.

Now, it so happens that there has been, in recent months, much debate about whether – or rather, to what extent – private emails written by those connected with the Department for Education are “caught” by the Freedom of Information Act 2000 (FOIA).  (Read the BBC’s Martin Rosenbaum and the Financial Times’ Chris Cook on this, I insist). The Information Commissioner has been very clear that his view is that information concerning official business held in private email accounts is subject to FOIA (he’s right, by the way) but Michael Gove, Secretary of State for Education, told the House of Commons Education Select Committee that

The advice that we had received from the Cabinet Office was that anything that was held on private email accounts was not subject to Freedom of Information requests.

So, when, Lisa Nandy, MP for Wigan, tabled a question in parliament on 6 February asking if the Cabinet Office would publish

guidance on private emails and the Freedom of Information Act referred to in the Education Select Committee evidence session of 31 January 2012 as having been issued to the Department for Education.

It was, let’s say, not very encouraging for those of us who support the “transparency agenda” (as it seems it must be called) that she received the following response

Information relating to internal discussion and advice is not normally disclosed

Yep. That’s right – internal information about how a goverment department handles requests under FOIA, is not to be disclosed.

It might be thought odd, or interesting, or both, that the minister who replied to Ms Nandy was Francis Maude, MP. I’ll leave you to write your own jokes.

1 Comment

Filed under Freedom of Information, Information Commissioner, transparency

Tagged as , ,

January 5, 2012 · 8:57 am

Shaft? You’re damn right

There was a heartening story in the Leicester Mercury a few days ago. Journalist  David MacLean praised Lynn Wyeth, Leicester City Council’s Head of Information Governance for her promotion of transparency (and her assistance in giving him “countless stories over the past two years”). The article illustrates how, when it comes to the Freedom of Information Act 2000 (FOIA), a relationship of mutual respect and openness between a public authority and the media can help both sides.

Contrast this with an item on Newbury Today’s site this morning. This is a follow-up to a recent series of FOIA requests made to police forces around the country. It appears that the Press Association asked for information relating to thefts of police property. I don’t know exactly what the request said (I don’t have a Press Association log-in, and the main release is unclear) and it has been variously reported as being specifically about thefts from police stations or simply thefts in general from the police (I rather suspect it was the latter, but if anyone can clarify this, I’d be most appreciative).

The Daily Mail highlighted that Thames Valley Police (TVP), with 90 incidents, “tops the list of crime-hit forces”. No public authority likes to be “top” of any of these type of lists, and the Newbury Today article shows TVP hitting back

…force spokesman Craig Evry…explained that the majority of the thefts took place from “trap cars” and added: “Thames Valley Police is one of several forces to use ‘trap houses’ and ‘trap vehicles.’ These are used in areas which police believe are being targeted by burglars or thieves.“When criminals break in, they could be recorded by cameras or any property taken may be remote tagged or marked with ultraviolet inks allowing police to quickly track it down. It’s a useful criminal reduction and evidence tool and criminals should realise that the home or vehicle they’re breaking into might be covered by hidden cameras. Hopefully using this technology might make them think twice about committing a crime.”

One initially wonders, why didn’t they say that in the first place? Well, they say they did:

The FoI response included the caveat: “Please note that of the above thefts recorded, all but six involved ‘trap vehicles’ deployed specifically to be targeted by offenders.”
Mr Evry said: “They simply misinterpreted the data.”

Most, if not all, FOI officers have been here. A request is received for “All the information on X”. Now, you hold this information, but, taken in isolation, it might be misinterpreted, so you add an explanation, or a disclaimer. However, for whatever reason, the disclaimer is lost in the bustle of preparing a story for print, and suddenly your nuanced explanation of the information is lost, and you are being lambasted in the press.

In fairness to the Press Association, it seems that the background details to their original story might have included TVP’s disclaimer. For instance, the Oxford Mail, writing three days before the Daily Mail, referred to it in their article. So maybe the fault is only with those media organisations who misinterpreted, or chose to misrepresent, the Press Association material. Nonetheless (and I can speak from bitter experience here) journalists may want to ask themselves whether the helpfulness of FOI officers might be inversely related to the likelihood of their getting shafted as a result of that helpfulness.

 

 

 

 

2 Comments

Filed under Freedom of Information, police

Tagged as

December 2, 2011 · 9:03 am

Mandatory breach reporting and the public interest

In May of this year the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 amended the existing Privacy and Electronic Communications (EC Directive) Regulations 2003 (the “PECR”).

The regulations apply to different bodies in different circumstances (for instance those parts relating to cookies, which apply effectively to anyone using cookies on their website). However, a key amendment applies to specifically to providers of a public electronic communications service (broadly, telecoms companies and internet service providers): regulation 5A(2) of the PECR now says

If a personal data breach occurs, the service provider shall, without undue delay, notify that breach to the Information Commissioner.

This is the first appearance in domestic law of a mandatory requirement to inform the Information Commissioner (IC) of a data breach. “Data breach” itself  is defined as

a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service

While a PECR data breach is not, expressly, a breach of the Data Protection Act 1998 (DPA) I cannot imagine circumstances in which a PECR breach would not also involve a breach of the provisions of the DPA (and – specifically and primarily – the seventh data protection principle). How the IC responds to notifications made to him under regulation 5A(2) will, therefore, be of interest to all data controllers.

This is because the imminent new European data protection instrument (either a new Directive or a Regulation) is likely to introduce mandatory data breach reporting into the Data Protection laws. It is not yet clear how far the requirement would extend. In an interview on 16 November with The Washington Post the EU Justice Commissioner, Vivian Reding, said

…we will now have such rules on notification for all sectors so citizens will know when their data has been breached, whether by criminal intent, accidental or other circumstances. We already have this rule for telecom companies but not for other sectors such as e-banking services, private-sector medical records and online shopping. We will extend the telecom rules to the Internet.

So will mandatory notification apply to “all sectors” or just (in addition to telcos/ISPs) “e-banking services, private-sector medical records and online shopping”? We’ll have to wait and see.

I made a Freedom of Information Act 2000 (FOIA) request to the IC asking how many mandatory notifications had been made to this office since the amended PECR came into effect, and by whom and whether the companies involved had informed data subjects of the breach. The IC’s response is that 76 notifications have been made (they don’t say, but I presume this is to the 3 November, the date of my request) and in 64 of these cases data subjects were also informed. By way of explanation for the latter figure the IC says

…it is not a requirement of the regulations for providers to tell the ICO whether or not they have notified data subjects. The service providers only have to inform subscribers where ‘the personal data breach is likely to adversely affect the personal data or privacy of a subscriber or user’. If that is the case they have to ‘without undue delay, notify that breach to the subscriber or user concerned.’

When it comes to disclosing the names of the companies involved, however, the IC is scratching his head. He has identified (at least this is how I read his response) that disclosing this information would prejudice the commercial interests of those companies, and that, therefore, section 43 of FOIA is engaged. Having decided this, however, he has to consider (under section 2(2)(b) of FOIA) whether

in all the circumstances of the case, the public interest in maintaining the exemption outweighs the public interest in disclosing the information

Section 10(3)(b) of FOIA allows authorities to extend the time for compliance with a request (from 20 working days) where they need to consider the public interest test. FOIA itslef unhelpfully only says that it can be extended by “such time as is reasonable in the circumstances” but the IC himself advises that the maximum time that should be taken, in total, is 40 working days. His office has advised me that this applies with my request for names of companies, and it

…may take up to an additional 20 working days to take this decision.  We therefore aim to provide you with a response to this part of your request for information by 23 December 2011

This is, of course, completely acceptable, and I’ll update this post when I get the response, but three things occur to me.

First, if or when mandatory breach notification is extended to other organisations, they will need to be aware that people may request information about such breaches from the IC, and that there is a clear public interest in such information.

Second, if the IC is wrestling with the public interest factors this is clearly a finely-balanced point, and if he comes down against disclosure then this might be a case worth appealing.

Third, surely the IC anticipated that he would get such requests? I’m surprised he hadn’t already considered this public interest point.

 

 

1 Comment

Filed under Breach Notification, Data Protection, Freedom of Information, PECR, Privacy

November 17, 2011 · 9:10 am

Tweets and Tw*ts

A few days ago I tweeted @ICONews, the twitter account of the Information Commissioner (IC)

@ICONews any chance you can disclose (waive privilege?) legal advice/analysis of Letwin case? Important re: manual data/Cat E data #DPA

The context of this was that there had been some discussions in data protection circles, following the revelations about Oliver Letwin and his dumping of correspondence in the bins of St Jame’ss Park, about whether in strict terms there would have been a breach of the Data Protection Act 1998 (DPA) (on this see similar questions raised by Stewart Room about Vince Cable’s recent incident).

The undertaking signed by Letwin didn’t make clear exactly how the IC had arrived at a decision that there had been a breach of the DPA, and I was keen to know more. So was fellow tweeter @tim2040 who asked me

@bainesy1969 Are you going to #FOI them or am I? Or did your tweet to them count?

When I sent my first tweet I hadn’t thought of it as a request made under Freedom of Information Act 2000 (FOIA). However, knowing that a public authority must treat a request for information even if the requester does not “mention the Freedom of Information Act…although it may help to do so” I realised that I had rather inadvertently made a formal request which the IC’s office had to respond to, in accordance with Part 1 of FOIA. I also know that it’s easy sometimes for a public authority to miss that a valid FOIA request has been made. So, in a spirit of helpfulness, I clarified:

@ICONews Just to confirm, this earlier tweet to you was request for information #FOI http://t.co/gUeqdwGg

I’ve now received a reply from @ICONews, which says

@bainesy1969 In line with our guidance please could you provide a postal or email address for further correspondence.

Now, I really don’t want to come across as a twit (what else did you think the asterisked word was in this post title?) but I know what their guidance says (it’s my job to know it)

The request must state the name of the applicant…A Twitter name may not be the requester’s real name, but the real name may be shown in their linked profile

as mine is

The request must also state an address ‘for correspondence’. Does this include Twitter names? The length of a tweet makes it difficult for the authority to respond fully, but there are ways of dealing with this. The authority could ask the requester for an email address in order to provide a full response. Alternatively, it could publish the requested information, or a refusal notice, on its website and tweet a link to that.

So I’ve gone back to them saying

@ICONews My name’s in my profile. In line with yr guidance cd you not publish info or refusal notice on yr site and tweet link to it?

A bit twattish twittish, I accept, and I’ll be extending an olive branch to the IC’s office by contacting them privately to give them my email address. However, it does raise interesting questions about the extent to which one has to put a request for information in “formal” terms for it to be recognised. I don’t know if the IC’s office would have recognised my original tweet as a request for information – maybe they would. But, as I say, I wasn’t thinking of FOIA when I made it – I was rather hoping that someone at the office would see it and think “Hey – it would be a good idea for us to publish a note explaining how we arrived at our findings in the Letwin case”.

I know of an incident where the press office at a Council received an enquiry from a local journalist. He and the press office were well-acquainted and on generally good terms. He asked for information about a council employee and an alleged criminal offence, and he was given an “unable to comment” response. He queried this and was told (correctly) that it was for data protection reasons. He, knowing something of the regulatory process, then complained to the IC. The problem was that the press office had followed their normal press enquiry prcoedures and consequently not issued a formal refusal notice under section 17 of FOIA. The IC, if he had been asked to issue a decision notice, could not have avoided a determination that there had been a breach of FOIA. However, I would suggest neither the local media nor the Council’s press office could effectively function if every enquiry by a time-pressed local hack was dealt with as a formal FOIA request (with a 20 working day deadline).

I’m not sure there is an easy answer to this, and perhaps there will always be a grey area  separating “general correspondence” from “FOI request”. However, public authorities who have a twitter account must be aware of the possibility (probability?) that they will receive requests for information, and that sometimes these won’t be clearly labelled as FOI requests. I would hope that, in the event that these end up as complaints to his office, the IC would show some understanding of the difficulties of applying the formal mechanisms of FOIA to circumstances which might warrant a less formal approach (as in fact he did in the press office case in the preceding paragraph) .

8 Comments

Filed under Data Protection, Freedom of Information

Tagged as ,

November 9, 2011 · 8:51 am

Biting the Hand that Feeds – a Risky Business?

Bloggers in the fields of UK Information Rights can sometimes be critical of the Information Commissioner’s Office (ICO) (we can?). But that’s really because we love the IC and his people. Or, at least, we strongly support the existence of the office, and the principle functions it carries out. There may be disagreements on the decisions and actions taken, but many frustrations are caused by the restrictions on his powers, or as a result of the limited funding he gets.

I noticed earlier this week that Francis Maude, Minister for the Cabinet Office, had told parliament that his Department’s shocking record on compliance with Freedom of Information Act 2000 (FOIA) timescales (in the last quarter only 48% of response met the 20-working-day deadline) was in part as a result of the fact that

The Cabinet Office deals with FoI requests in relation to cabinet papers under the last government which takes some time to be dealt with because we need to consult with ministers in the last government.

As I suggested on twitter, it would be nice if we all could blame our predecessors for our heavy workload (I for one still can’t forgive Rupert Baxter for handing over that tricky planning file to me in 2002) but this really is not good enough as an excuse.

In the same period in which the Cabinet Office achieved 48% compliance, the Ministry of Justice (MoJ) achieved a still very poor 75% (by contrast the Department of Health achieved 99%, the Department for Culture, Media and Sport 96% and the Department for Work and Pensions 93% – all these figures are from the MoJ’s own quarterly stats) The MoJ is the sole provider, by means of grant in aid, of funding for the IC’s Freedom of Information work (the IC also receives approximately £15 million from the notification fee that data controllers pay to operate under the Data Protection Act 1998 (DPA), but this is ring-fenced for DPA work). This FOI grant amounted last year to approximately £5.5 million. However, that grant is at risk of reduction, and the IC is concerned about that. His risk register has recently been disclosed and this shows as a “red risk” a “gap between FOI resources and incoming casework affects FOI and DP casework…” and it is clear that this risk potentially leads on to others, such as the “ICO reputation suffers because some of the risks facing the ICO materialise…”. None of this is real news, of course. Christopher Graham himself told the Home Affairs Select Committee

Like all public authorities, we are having to take our slice of the cuts. We are responding to that constructively, trying to achieve better for less. But the fact is that if we are asked to do more and more under the transparency and accountability agenda, we will need the resources to do it.

Now consider this: the IC is under a statutory duty to operate so as to ensure the observance by public authorities of their requirements under FOIA. One means by which he does this is to monitor authorities which repeatedly or seriously fail to respond to freedom of information requests within the appropriate timescales. This monitoring can be a precursor to further action, and the Cabinet Office was subject to such further action when it signed an undertaking with the IC in June this year to improve its performance.
The IC says that he is likely to monitor authorities if, among other criteria, “(for those authorities which publish data on timeliness) it appears that less than 85% of requests are receiving a response within the appropriate timescales”. Well, as we have seen, it certainly appears, from the published data, that less than 85% of requests to the MoJ are receiving a response within the appropriate timescales. Interestingly, in the previous quarter the figure was 83%, the quarter before that 87% and the quarter before that 88%. A downward trend like that is arguably further evidence of a need for monitoring, and it would be interesting to know if the IC takes this into account, or whether, perhaps, he takes an annual average from those quarterly stats.
So a simple question arises – when the next group of authorities whose compliance is begin monitored is announced, will it include the MoJ? Will the IC risk biting the hand that feeds him?

2 Comments

Filed under Freedom of Information

Tagged as , ,

September 20, 2011 · 7:54 am

Hiding Information and section 77 FOIA

My twitter timeline was alive this morning with discussion of news that the Information Commissioner (“IC”) is to investigate the Education Secretary Michael Gove and his close advisers at the Department for Education in connection with allegations that they have deliberately been using private email accounts to conduct government business.

E-mail traffic, seen by the FT, shows the education secretary and his advisers have conducted government business using private e-mail addresses. Civil servants were then unable to find these e-mails when asked to retrieve them under the Freedom of Information Act (FOIA).

(It should be stressed that the Department concerned appear to deny that there was any impropriety, and that private email was being used to conduct party political rather than government business.)

The article concludes by referring to section 77 of FOIA

Section 77 of the act states that officials must not conceal or destroy information to prevent its disclosure. Breaches of the law carry a fine of up to £5,000.

This perhaps misses a key point. Section 77 states

Where…a request for information has been made to a public authority, and… the applicant would have been entitled…to communication of any information…any person to whom this subsection applies is guilty of an offence if he alters, defaces, blocks, erases, destroys or conceals any record held by the public authority, with the intention of preventing the disclosure by that authority of all, or any part, of the information to the communication of which the applicant would have been entitled.

This is carefully worded and means, I would submit, that an offence can only be committed if the attempt to conceal occurs in response to a request having been received. If, however, it is merely standard practice to conceal, no offence would be committed. FOIA is predicated largely on what happens or must happen if a request for information is made. It is not, primarily, a records management act.

However section 46 of FOIA does require the Lord Chancellor to issue a code of practice for management of records. Section 9 of that Code deals with the need to keep records in systems that enable records to be stored and retrieved as necessary, and section 10 with the need to know what records are held and where they are.

Under section 47 of FOIA the IC must promote the following of good practice by public authorities and perform his functions so as to promote the observance by authorities of the section 46 Code, as well as the requirements of the Act in general. And under section 48 he may issue a “practice recommendation” if it appears to him that the authority has not conformed with the section 46 Code. In investigating compliance with the Code he has the power (section 51) to issue an “information notice” requiring the authority to furnish him with the information. Failure to comply with an information notice can, ultimately, constitute contempt of court.

None of this is to down-play the potential seriousness of an allegation of a “pre-emptive” attempt to conceal information. It is also not to suggest that it might not constitute a breach of other kinds of code.  However, I would suggest that the biggest weapon at the IC’s disposal is one of publicity, something that Christopher Graham, the current IC, with his journalistic background, is quite good at creating.

[EDITED TO ADD] FoIMan’s and Tim Turner’s takes on this are worth a read. Additionally, I note that the indefatigable Campaign for Freedom of Information took the opportunity to maintain the push for greater sanctions under section 77.

24 Comments

Filed under Freedom of Information

September 17, 2011 · 9:10 am

Whip your information, and beat the messenger

To supplement my random firings on twitter (@bainesy1969) and the occasional guest post on other blogs and sites, I’ve started this blog.

“Information Rights” covers a number of areas, but primarily I’m interested in the Freedom of Information Act 2000, the Environmental Information Regulations 2004 and the Data Protection Act 1998.

Like a million bloggers before me, I intend to post regularly on these and related subjects. I hope that, unlike most of those million bloggers before me, I actually manage to do that.

Title of this post is Shakespeare, by the way, and nothing dodgy.

Leave a comment

Filed under Data Protection, Freedom of Information, Privacy