Category Archives: Information Commissioner

Commons Committee report on Cabinet Office FOI “Clearing House”

I’ve written on the Mishcon website about the PACAC report on the Clearing House.

Leave a comment

Filed under Freedom of Information, Information Commissioner

Lots of FOI contempt applications in the wings

A new piece on the Mishcon de Reya site: the First-tier Tribunal is dealing with at least eight applications to certify contempt of court for failure by public authorities to comply with decision notices.

FOI enforcement starts to get serious?

Leave a comment

Filed under access to information, contempt, Freedom of Information, Information Commissioner, Information Tribunal

First ever FOI contempt certification

I’ve written a piece on the Mishcon de Reya website on the first ever case of certification of contempt of court to the High Court, for failure to comply with a decision notice.

Leave a comment

Filed under Freedom of Information, Information Commissioner, Information Tribunal

Open Letter to new ICO

I was delighted recently to be invited by OpenDemocracy to sign an open letter to John Edwards, new Information Commissioner, calling for more to be done to regulate FOI effectively. I’ve written many posts in the past breaking the state of FOI enforcement, so everything in the letter resonated with me. The letter has now been sent, and there are some very high profile journalists, MPs and campaigners who have signed:

https://www.opendemocracy.net/en/freedom-of-information/information-commissioner-foi-open-letter-secrecy/

Edwards has already replied, and said that addressing these concerns will be a priority for him.

Leave a comment

Filed under access to information, Freedom of Information, Information Commissioner, journalism

Ineffectual powers

The Information Commissioner’s Office (ICO) has just announced that it has served a fine (strictly, a monetary penalty notice) of £80,000, under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), on a company which sent a large number of particularly tasteless SMSs during the pandemic, of this sort

“Get Debt FREE during the Lockdown! Write off 95% of ALL DEBTS with ALL charges and fees FROZEN. Government backed. Click [here] Stop 2optout”

(In passing, I’m rather surprised the ICO’s announcement gave hyperlinks to the offending, albeit broken, URLs.)

In that accompanying announcement, the ICO’s Head of Investigations is quoted as saying

The company director failed to cooperate with our investigations through concealing his identity by using false company details on his websites; changing the wording on the text messages; and, changing his company’s registered address after becoming aware of our investigation.

and we are told that the director

tried to evade the ICO investigations with different tactics since 2019, but investigators were determined to bring this company to account for plaguing people’s lives with thousands of spam messages

What is interesting in this context is that the ICO’s powers to issue fines for serious contraventions were added to, in 2018, to allow them also to fine company directors themselves (where the contravention was with the consent of connivance of the director, or attributable to any neglect on their part).

I asked the ICO if they had a comment on why no director fine was issued here, but they only wished to say

The action we have taken is proportionate and appropriate in the circumstances of this case.

This is fair enough: there may be facts which are not public, and I don’t criticise what is a sound piece of enforcement against unlawful marketing communications.

However, as far as I am aware, since the ICO acquired the powers to fine directors (and similar officers) under PECR they have not exercised those powers once. This is odd – they had long lobbied for the powers, and when the change in the law was being proposed, the then Commissioner Elizabeth Denham told The Register “It should have a real deterrent effect”. Maybe there are legal issues with actually ascribing liability to directors, or practical issues with tracking and pinning them down to try to enforce against them. If so, and if the 2018 change in the law has not had that “real deterrent effect”, is the ICO letting government know?

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Information Commissioner, monetary penalty notice, PECR, spam texts

The Seepage of Information Act

Transport yourself back to January 2020 (what a different world that was). You are a journalist, or maybe just an informed citizen, and you want to know what preparations the government had made in the event Boris Johnson had lost his seat in the general election a month previously.

You make a request for this information to the Cabinet Office under the Freedom of Information Act 2000 (FOIA). You know that you should get a response within twenty working days (section 10 of FOIA says so). And you know that there is a regulator (the Information Commissioner, or “ICO”) who oversees compliance with FOIA.

What you probably don’t expect is that, 25 months on, you not only haven’t received the information you requested but you have only just had a ruling from the ICO that you are not entitled to it.

That’s how long it has taken this request to make its way through what is an unacceptably slow process. The requester made the request to the Cabinet Office on 7 January 2020. By 12 March 2020 they had had no response whatsoever, so complained to ICO. Three months later, on 16 June 2020, ICO formally told the Cabinet Office to pull its finger out. On 3 August it did, and refused to disclose the requested information, citing one of the statutory exemptions. On 22 September 2020 the requester again complained to ICO, who then took sixteen months to decide that the Cabinet Office was entitled to rely on the exemption claimed.

What follows is far from a fully thought-out legal argument, but bear with me for the purposes of polemic: Article 10 of European Convention on Human Rights says that everyone has the qualified right to receive information (as well as to impart information) without interference by public authority. Previous attempts to argue that Article 10 confers something above and beyond FOIA in respect of accessing information from public authorities have foundered, on the grounds that, in context, Article 10 doesn’t add anything to the rights in FOIA (see Kennedy, para 92 and elsewhere). But it does seem to me that if the regulatory scheme itself interposes a delay which might be, as here, 1600% longer than the original statutory timescale given to the original recipient for responding to the request, the basis might arise for mounting an argument that the scheme fails to avoid public authority interference in the Article 10 fundamental right.

Maybe I’m overreaching. Let’s just say this: it cannot be right that it takes over two years to get a response and a regulatory decision on a FOIA request. Let’s hope new Commissioner John Edwards sorts this out.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Freedom of Information, Information Commissioner, Cabinet Office, access to information, Article 10

COVID booster messages and the law

GET BOOSTED NOW Every adult needs a COVID-19 booster vaccine to protect against Omicron. Get your COVID-19 vaccine or booster. See NHS website for details

On Boxing Day, this wording appears to have been sent as an SMS in effect to every mobile telephone number in the UK. The relevant government web page explains that the message is part of the national “Get Boosted Now” campaign to protect against the Omicron variant of COVID-19. The web page also thanks the Mobile Network Operators for “their assistance in helping deliver the vitally important Get Boosted Now message”.

It is inevitable that questions may get raised raised about the legality of the SMSs under data protection law. What is important to note is that, although – to the extent that the sending involved the processing of personal data – the GDPR may apply (or, rather, the UK GDPR) the relevant law is actually the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”). Under the doctrine of lex specialis where two laws govern the same situation, the more specific rules will prevail over more general rules. Put another way, if the more specific PECR can justify the sending of the SMSs, then the sending will also be justified under the more general provisions of UK GDPR.

Regulation 16A of PECR (inserted by a 2015 amendment), provides that where a “relevant communications provider” (in this case a Mobile Network Operator) is notified by a government minister (or certain other persons, such as chief constables) that an “emergency” has occurred, is occurring or is about to occur, and that it is expedient to use an emergency alert service, then the usual restrictions on the processing of traffic and location data can be disregarded. In this instance, given the wording on the government website, one assumes that such a notification was indeed made by a government minister under regulation 16A. (These are different emergency alerts to those proposed to be able to be sent under the National Emergency Alert system from 2022 which will not directly involve the mobile network operators.)

“Emergency” is not defined in PECR, so presumably will take its definition here from section 1(1)(a) of the Civil Contingencies Act 2004 – “an event or situation which threatens serious damage to human welfare in a place in the United Kingdom”.

The effect of this is that, if the SMSs are legal under PECR, they will also be legal under Article 6(1)(c) and 6(1)(e) of the UK GDPR (on the grounds that processing is necessary for compliance with a legal obligation to which the controller is subject, and/or necessary for the performance of a task carried out in the public interest).

There is an interesting side note as to whether, even though the SMSs count as emergency alerts, they might also be seen as direct marketing messages under regulations 22 and 23 of PECR, thus requiring the content of the recipient before they could be sent. Under the current guidance from the Information Commissioner (ICO), one might argue that they would be. “Direct marketing” is defined in the Data Protection Act 2018 as “the communication (by whatever means) of advertising or marketing material which is directed to particular individuals” and the ICO defines it further by saying that this “covers any advertising or marketing material, not just commercial marketing. All promotional material falls within this definition, including material promoting the aims of not-for-profit organisations”. Following that line of thought, it is possible that the Omicron SMSs were both emergency alerts and direct marketing messages. This would be an odd state of affairs (and one doubts very much that a judge – or the ICO, if challenged on this – would actually agree with its own guidance and say that these SMSs were indeed direct marketing messages). The ICO is in the process of updating its direct marketing guidance, and might be well advised to consider the issue of emergency alerts (which aren’t covered in the current consultation document).

[Edited to add: I don’t think what I say above necessarily covers all the legal issues, and no doubt there are aspects of this that could have been done better, but I doubt very much there is any substantive legal challenge which can be made.]

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under communications data, consent, Data Protection, Data Protection Act 2018, GDPR, Information Commissioner, PECR, UK GDPR

ICO fails at FOI

I won’t rehearse the points I made in previous posts. Enough to say this – the Information Commissioner’s Office (ICO), in addition to being tasked with regulating Freedom of Information (FOI) law, must also comply with it, and anecdotal evidence suggested a long-standing failure to do so adequately (prior to, as well as during the COVID pandemic). That being the case – to whom should other public authorities look for exemplary guidance? Or put even more shortly – why should public authorities bother with compliance?

I now have some statistics.

I asked the ICO, under FOI, how many FOI cases it had failed to respond to within three months of their receipt (bear in mind that one month is the statutory limit). They have now told me that in 92 cases in the past year they have failed to respond to an FOI request within three months. Some cases are still open – in one, they have failed to reply to a request for 951 days and counting (I don’t know, and am almost beyond caring, whether these are calendar days or working days – it barely matters any more), and five cases are over a year old and still unanswered.

As I said previously, the ICO says that FOI enforcement may be appropriate where there are “repeated or significant failures to meet the time for compliance” and that, when deciding to take enforcement action, the ICO will take into account such factors as “the severity and/or repetition of the breach; whether there is evidence that obligations are being…persistently ignored; whether there would be an educative or deterrent affect; whether it would help clarify or test an issue; and whether an example needs to be created or a precedent set”.

A clearer case for (self-)enforcement action could scarcely be imagined.

Outgoing Commissioner Elizabeth Denham is handing her successor John Edwards a severe problem, both in terms of compliance but also – crucially – in terms of reputation of the office.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Freedom of Information, Information Commissioner, access to information, rule of law

“Access delayed is access denied” – ICO’s terrible FOI compliance

Statistics show that the ICO is regularly delayed – sometimes very severely so – when responding to FOIA requests made to it. Is there a need for a review of the ICO’s own compliance?

The Information Commissioner’s Office (ICO) is tasked with regulating and enforcing the Freedom of Information Act 2000 (FOIA). The ICO is also – perhaps unusually for a regulator – subject to the law it regulates (it is a public authority, listed in Schedule One to FOIA). This means that – sometimes – the ICO must investigate its own compliance with FOIA. It also means that its own compliance with FOIA, and the seriousness with which it treats its own compliance, is bound to be viewed by other public authorities as an example.

FOIA is, let us not forget, of profound democratic importance. The right to receive information is one of the components of Article 10 of the European Convention on Human Rights. Information Commissioner Elizabeth Denham has previously said

openness of information, through FOI laws and other instruments, is vitally-important not only for government accountability in the moment, but also for the long-term health of our democracy… since information is power, the right to information goes to the heart of a democracy’s healthy functioning.

FOIA lays down timescales for complying with a request for information. The core one says that information must in general be provided within twenty working days. In that same speech Ms Denham referred to timeliness (“It is rightly said that access delayed is access denied”) and the benefits of publicising delays by authorities:

Reporting publicly on timeliness has proved to be a powerful tool for improving timely disclosure of information. And public authorities have used their poor grades to push successfully for more resources where the demand has outstripped supply.

Indeed, she has previously taken government departments to task for their FOIA delays

I think that central government though has got away with – I’m not going to say murder – I think they’ve got away with behaviour that needs to be adjusted…I know which organisations we need to focus on…

The ICO certainly has enforcement powers, and a policy which informs it when action is appropriate. The Freedom of information regulatory action policy (which doesn’t appear to have been updated since 2012) says that enforcement may be appropriate where there are “repeated or significant failures to meet the time for compliance” and that, when deciding to take enforcement action, the ICO will take into account such factors as

the severity and / or repetition of the breach; whether there is evidence that obligations are being deliberately or persistently ignored; whether there would be an educative or deterrent affect; whether it would help clarify or test an issue; and whether an example needs to be created or a precedent set.

With all of this in mind, one organisation the ICO apparently needs to focus on is itself.

Regrettably, and rather oddly, the ICO doesn’t publish figures on its own FOI compliance, except at a very high level, and combined with other types of access requests, in its annual report). This is despite the fact that the Code of Practice issued under section 45 of FOIA, observance of which the ICO is specifically tasked with promoting, says that public authorities with more than 100 members of staff should published detailed statistics on compliance.

However, what evidence there is indicates a repeated, and serious, failure by the ICO to comply with the timescales it is supposed to enforce on others. Of the formal decision notices issued by the ICO against itself, in 2020 and 2021, 50% (10 out of 20) found a failure to comply with the statutory timescale (and two further ones appear – from an analysis of the notices – to have involved delay, without resulting in a specific finding of such). And it is worth noting that these are formal decisions where requesters have asked for formal notices to be issued – it is almost inevitable that there will be similar delays in a significant proportion of those requests which don’t make it to a formal decision.

Indeed, analysis of recent requests to the ICO made on the request website WhatDoTheyKnowsimilarly shows delays in approximately half the requests. But even worse, many of those delays are of an extraordinary length. In two cases, requests made in February 2021 have only been responded to in November – delays of ninemonths, and in other cases there are delays of six, four and two months.

COVID has – no doubt – affected the ICO, as it has affected all organisations. But if the ICO needs extra resource to comply with FOIA, it has certainly not indicated that. Its published approach to regulatory compliance during the pandemic (not updated since June this year) says that where public authorities have backlogs, the ICO expects them to “establish recovery plans focused on bringing the organisation back within compliance with the Freedom of Information Act within a reasonable timeframe”. In the accompanying blogpost the Deputy Commissioner said that

we have seen more and more organisations adjusting to the circumstances, and returning to offering the transparency…our [own] recovery plan has had a positive impact in removing and reducing backlogs

If that is the case it is hard to know why the WhatDoTheyKnow examples (and one’s own experiences) show precisely the opposite picture.

What is also of concern – though this is an issue for policy-makers and Parliament – is that there is nothing that an individual can do when faced with delays like this, except complain – once more to the ICO. FOIA expressly does not permit individuals to take civil action against public authorities for failure to comply – the only recourse is through the ICO as regulator. Short of bringing judicial review proceedings, citizens must just suck it up.

In 2016 the Independent Commission on Freedom of Information said that FOIA was “generally working well”, but that it “would like to see a significant reduction in the delays in the process”. In 2016, that was not addressed at the ICO, but now it most certainly could be. That Independent Commission has long been dissolved. Meanwhile, the Public Administration and Constitutional Affairs Committee is conducting an inquiry into the Cabinet Office’s FOI handling. 

But, maybe, there actually needs to be some Parliamentary oversight of the ICO’s own FOI compliance.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, Freedom of Information, human rights, Information Commissioner, rule of law, transparency

What John Edwards will inherit

The new Information Commissioner will have a lot on his plate. I’m going to focus very briefly on what is, objectively, a very small matter but which, to me, illustrates much about priorities within the ICO.

On 29 July I happened to notice an Information Tribunal decision which I thought was slightly odd, in that apparently both the Tribunal, and the Commissioner beforehand, had dealt with it under the Freedom of Information Act 2000 rather than the Environmental Information Regulations 2004, despite the subject matter (a tree inspection report) appearing to fall squarely under the latter’s ambit.

However, the decision notice appealed (referred to as FS5081345 in the Tribunal judgment), does not appear on the ICO’s searchable online database (in fact, no decisions relating to the public authority – the mighty Great Wyrley Parish Council – are listed). It’s unusual but certainly not unheard of for decision notices not to get uploaded (either by overlook, or – occasionally – for other, legal reasons) but in the past when I’ve asked for one of these, informally, it’s been provided by return.

So I used the ICO’s online Chat function to ask for a copy of the decision notice. However, I was told I had to submit a request in writing (of course I’d already done so – the Chat function is in writing, after all, but let’s not quibble). I said I was concerned that what was a simple request would get sucked up into the ICO’s own FOI processes, but the person on the Chat thought I would get a response within a couple of days.

Those who’ve stayed this far into the blogpost will be unsurprised to hear what happened next – my simple request got sucked into the ICO’s own FOI processes, and more than seven weeks on (more than three weeks beyond the statutory timescale for responding) I have still had no response, and no indication of why not, other than the pressure the FOI team is under.

And that last point is key: if the ICO’s own FOI caseworkers are under such pressure that they cannot deal with a very simple request within the legal timescale, nor update me in any meaningful way as to why, something has surely gone wrong.

At a recent NADPO webinar Dr Neil Bhatia spoke about his own difficulties with getting information out of the ICO through FOI. He (and I) were challenged by one of the other speakers on why we didn’t more regularly take formal action to force the issue. It was a fair point, and prompted me yesterday to ask the ICO for a formal decision under section 50 of the FOI Act (which means the ICO will have to issue an FOI decision notice on whether the ICO handled an FOI request for an FOI request in accordance with the law – and that sentence itself illustrates the ridiculousness of the situation).

This isn’t the only FOI request I have that the ICO is late responding to. I have one going back to May this year and another to June (albeit on rather more complex subjects). And I know that I and Dr Bhatia are not alone.

All the fine talk from the current Commissioner about forging international data protection accords, and encouraging “data driven innovation” can’t prevent a perception that her office seems increasingly to have left FOI regulation (and in some cases its own FOI compliance) behind. The right to access information is (part of) a fundamental right (just as is the right to data protection). If the ICO doesn’t want the role, is it time for a separate FOI Commissioner?

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, Environmental Information Regulations, Freedom of Information, Information Commissioner, Information Tribunal, rule of law