Category Archives: Information Commissioner

Soft opt in marketing for non-profits

Why can’t charities send speculative promotional emails and text messages to customers and enquirers, in circumstances where commercial organisations can? And should the law be changed?

Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) deals with circumstances under which a person can send an unsolicited direct marketing communication by email, or text message.

In simple and general terms, a person cannot send an unsolicited direct marketing email or text message to an individual’s private email account, unless the individual has consented to receive it. “Consent”, here, has the stringent requirements imposed by Article 4(11) and Article 7 of the UK GDPR.

(The actual law is more complex – it talks of an “individual subscriber”. This is the person who is a party to a contract with a provider of public electronic communications (for which, read “email” and “text message”) services for the supply of such services. So, if you have signed up for, say, a Gmail account, you have a contract with Google, and you are – if you are an individual – an individual subscriber.)

The exception to the requirement to have the recipient’s consent is at regulation 22(3) of PECR, which says that the sender of the marketing communication does not need the prior consent of the recipient where the sender: obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient; the direct marketing is in respect of the sender’s similar products and services only; and the recipient has been given a simple means of refusing the use of their contact details for the purposes of such direct marketing, at the time that the details were initially collected, and at the time of each subsequent communication.

This exception to the general “consent required” rule has long (and probably unhelpfully) been known as the “soft opt in”.

The notable requirement for the soft opt in is, though, that the recipient’s contact details must have been collected in the course of the sale or negotiations for the sale of a product or service.

There are various types of non-profit organisation which may well correspond with, and wish to send promotional emails and text messages to, individuals, but which don’t as a rule sell products or services. Perhaps the most obvious of these are charities, but political parties also fall into the type.

The Information Commissioner’s Office (ICO) has long held that promotional communications sent by such non-profits do constitute “marketing” (and the Information Tribunal upheld this approach as far back as in 2006, when the SNP appealed enforcement action by the ICO). (I happen to think that there’s still an interesting argument to be had about what “marketing” means in the PECR and data protection scheme, and at one end of that argument would be a submission that it implies a commercial relationship between the parties. However, no one has yet taken the issue – as far as I’m aware – to an appellate court.)

But the combined effect of regulation 22(3) and the interpretation of “marketing” as covering promotional emails and text messages by charities, means that those charities (and political parties etc.) can’t send soft opt in communications.

The Data Protection and Digital Information Bill, which tripped and fell yards from the finishing line, when Mr Sunak, in a strategic master stroke, called the general election early, proposed, in clause 115, to extend the soft opt in where the direct marketing was “solely for the purpose of furthering a charitable, political or other non-commercial objective” of the sender.

Will the new Labour administration’s proposed Digital Information and Smart Data Bill revive the clause? The government’s background paper on the legislative agenda in the King’s Speech doesn’t refer to it, but that may be because it’s seen as a relatively minor issue. But, in fact, for many charities, the issue carries very significant implications for their operations and their ability effectively to fundraise.

It should be revived, and it should be enacted.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.


Fly Me (three quarters of the way) To The Moon?

When the ICO’s annual report was published a few weeks ago, I noted the proliferation of flights taken by ICO staff (which have more than tripled from 2022/2023 to 2023/2024 (from 206 to 774)).

And now, I note a response by the ICO to a WhatDoTheyKnow FOI request asking for the number of (publicly funded) air miles the Information Commissioner himself has flown. The figure is pretty remarkable: 275,182 km, or 171,000 miles.

By my calculations that’s the equivalent of 75% of the way to the moon, or seven times round the world.

It is only fair to note that a large chunk of this consists of flights to the Commissioner’s home country, New Zealand. Anyone can be excused for wanting to visit home, and family.

But the ICO has an Environment Policy, which commits it to “minimising damaging environmental impacts which may arise from the conduct of our activity”, and the government which recommended his appointment to the Crown published its “Jet Zero” strategy only months after he had been appointed.

Did anyone at DCMS consider the environmental impact of appointing a Commissioner whose home is on the other side of the world? Is anyone at the ICO considering whether it is complying with its own Policy (and maybe just general environmental ethics) when racking up the numbers of flights?


Blistering criticism for Home Office and ICO

[From a LinkedIn post]

A blistering judgment of the Information Tribunal upholding an FOI appeal by Bail for Immigration Detainees (BID) against the decision by the Information Commissioner’s Office (ICO) to uphold the Home Office’s refusal to disclose info about the process for deportation to Eritrea and Somalia (and by extension, the likelihood of deportees being either detained, or bailed, pending removal).

The request, about how many Emergency Travel Documents were requested, how many issued, how many people were then removed and how long this took, was refused by the HO on grounds that disclosure would be likely to harm international relations and would prejudice the operation of immigration controls.

The HO failed to reply to the ICO’s enquiries until served with a formal Information Notice. But the ICO then agreed that the exemptions were engaged.

The Tribunal did not agree.

The judgment notes the HO “made no effort to engage” with the appeals, and its evidence consisted of “thinly reasoned assertions, with no evidential support”, and

…we hope that the reasons were not meant to be comprehensive. It would betray a rather dim view by the Home Office of other countries’ governments to think that “many if not most” only care about money, and whether their citizens commit crimes or migrate unlawfully – as humans from all countries do.

To the extent the FOIA exemptions were engaged, the public interest test fell heavily in favour of disclosure. In the face of evidence from BID about levels of unlawful detention (in the form of the number of cases in which it had successfully appealed refusals of bail for detainees) the Tribunal observed that

For hundreds of years, the common law has demanded that administrative detention must be justified and be capable of proper challenge…The work done by BID, both on behalf of individuals and more broadly, supports that public interest. Disclosure…would help it to achieve those ends and avoid injustice.

There were minimal factors in favour of disclosure. In fact “it is difficult to conceive of a case concerning this exemption where the scales could be less weighted in favour of exemption”.

And, in closing, the Tribunal had a blast at the ICO, noting

our surprise that [he] thought it appropriate to accept the [HO’s] bare assertions, given the way in which it had responded to the previous requests described above and the compulsion required before it then properly engaged with these. In turn the…Decision Notices disclose no consideration of the various public interest factors carefully put forward by BID. A pattern of conduct has been established on the part of the [HO] that is within neither the spirit nor the letter of FOIA, and which can now be seen as having resulted in considerable delay together with expense of resources both on the part of the Tribunal and BID…We hope that future decisions will be reached after considerably more care and scrutiny.

Let’s see.


Crowdstrike and personal data breaches: loss vs unavailability

I ran a poll on LinkedIn in recent days which asked “If a controller temporarily can’t access personal data on its systems because of the Crowdstrike/MSFT incident is it a personal data breach?” 

I worded the question carefully.

50% of the 100-odd people who voted said “no” and 50% said “yes”. The latter group are wrong. I say this with some trepidation because there are people in that group whose opinion I greatly respect. 

But here’s why they, and, indeed, the Information Commissioner’s Office and the European Data Protection Board, are wrong.

Article 4(12) of the GDPR/UK GDPR defines a “personal data breach”. This means that it is a thing in itself. And that is why I try always to use the full term, or abbreviate it, as I will here, to “PDB”. 

This is about the law, and in law, words are important. To refer to a PDB as the single word “breach” is a potential cause of confusion, and both the ICO and the EDPB guidance are infected by and diminished by sloppy conflation of the terms “personal data breach” and “breach”. In English, at least, and in English law, the word “breach” will often be used to refer to a contravention of a legal obligation: a “breach of the law”. (And in information security terminology, a “breach” is generally used to refer to any sort of security breach.) But a “breach” is not coterminous with a “personal data breach”.

And a PDB is not a breach of the law: it is a neutral thing. It is also crucial to note that nowhere do the GDPR/UK GDPR say that there is an obligation on a person (whether controller or processor) not to experience a PDB, and nowhere do GDPR/UK GDPR create liability for failing to prevent one occurring. This does not mean that where a PDB has occurred because of an infringement of other provisions which do create obligations and do confer liability (primarily Article 5(1)(f) and Article 32) there is no potential liability. But not every PDB arises from an infringement of those provisions.

The Article 4(12) definition is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. Let us break that down:

  • A breach of security…
  • leading to [one or more of]
  • accidental or unlawful…
  • 1. destruction of…
  • 2. loss of…
  • 3. alteration of…
  • 4. unauthorised disclosure of…
  • 5. unauthorised access to…
  • personal data processed.

If an incident is not a breach of security, then it’s not a PDB. And if it is a breach of security but doesn’t involve personal data, it’s not a PDB. But even if it is a breach of security, and involves personal data, it’s only a PDB if one of the eventualities I’ve numbered 1 to 5 occurs.

Note that nowhere in 1 to 5 is there “unavailability of…” or “loss of access to…”. 

Now, both the ICO, and the EDPB, read into the words “loss of…personal data…” the meaning, or potential meaning “loss of availability of personal data”. But in both cases they appear to do so in the context of saying, in terms, “loss of availability is Article 4(12) ‘loss’ because it can cause harm to data subjects”. I don’t dispute, and nor will many millions of people affected by the Crowdstrike incident, that unavailability of personal data can cause harm. But to me, “loss” means loss: I had something, and I no longer have it. I believe that that is how a judge in the England and Wales courts would read the plain words of Article 4(12), and decide that if the legislator had intended “loss” to mean something more than the plain meaning of “loss” – so that it included a meaning of “temporary lack of access to” – then the legislator would have said so. 

Quite frankly, I believe the ICO and EDPB guidance are reading into the plain wording of the law a meaning which they would like to see, and they are straining that plain wording beyond what is permissible.

The reason, of course, that this has some importance is that Article 33 of the GDPR/UK GDPR provides that “in the case of” (note the neutral, “passive” language) a PDB, a controller must in general make a notification to the supervisory authority (which, in the UK, is the ICO), and Article 34 provides that where a PDB is likely to result in a high risk to the rights and freedoms of natural persons, those persons should be notified. If a PDB has not occurred, no obligation to make such notifications arises. That does not mean of course, that notifications cannot be made, through an exercise of discretion (let’s forget for the time being – because they silently resiled from the point – that the ICO once bizarrely and cruelly suggested that unnecessary Article 33 notifications might be a contravention of the GDPR accountability principle.)

It might well be that the actions or omissions leading to a PDB would constitute an infringement of Articles 5(1)(f) and 32, but if an incident does not meet the definition in Article 4(12), then it’s not a PDB, and no notification obligation arises. (Note that this is an analysis of the position under the GDPR/UK GDPR – I am not dealing with whether notification obligations to any other regulator arise.)

I can’t pretend I’m wholly comfortable saying to 50% of the data protection community, and to the ICO and EDPB, that they’re wrong on this point, but I’m comfortable that I have a good arguable position, and that it’s one that a judge would, on balance, agree with.

If I’m right, maybe the legislator of the GDPR/UK GDPR missed something, and maybe availability issues should be contained within the Article 4(12) definition. If so, there’s nothing to stop both the UK and the EU legislators amending Article 4(12) accordingly. And if I’m wrong, there’s nothing to stop them amending it to make it more clear. In the UK, in particular, with a new, energised government, a new Minister for Data Protection, and a legislative agenda that will include bills dealing with data issues, this would be relatively straightforward. Let’s see.

And I would not criticise any controller which decided it was appropriate to make an Article 33 notification. It might, on balance, be the prudent thing for some affected controllers to do so. The 50/50 split on my poll indicates the level of uncertainty on the part of the profession. One also suspects that the ICO and the EU supervisory authorities might get a lot of precautionary notifications.

Heck, I’ll say it – if anyone wants to instruct me and my firm to advise, both on law and on legal strategy – we would of course be delighted to do so.


FOIA appeals in the UT: when is there an “error of law”?

Here is a good and interesting judgment in the Upper Tribunal from Judge Citron, on a Freedom of Information Act 2000 (FOIA) case arising from defects in the 2019 “11+” exam run by The Buckinghamshire Grammar Schools (TBGS), with test materials designed and supplied by a third party – GL Assessment Limited. TBGS, as a limited company made up of a consortium of state schools, is a public authority under s6(1)(b) FOIA (by way of s6(2)(b)).

The FOI request was, in broad terms, for the analysis that had subsequently been conducted into the defects, and the statistical solution that had been adopted.

TBGS had refused the request on grounds including that disclosure of the requested information would be an actionable breach of confidence. The ICO upheld this, and, on appeal, the First-tier Tribunal agreed, although only by a majority decision (the dissent was on the part of the judge, and it’s worth reading his reasons, at 85-90 of the FTT judgment).

Possibly bolstered by the vehemence of that dissenting view of the FTT judge, the applicant appealed to the Upper Tribunal.

Judge Citron’s judgment is a measured one, addressing how an appellate court should approach an argument to the effect that there was an error of law at first instance, with a run-through, at 35, of the authorities (unfortunately, from that point, the paragraph numbering goes awry, because the judgment, at “67”, follows the numbering of the judgment it has just quoted).

Judge Citron twice notes that a different FTT might have approached the facts and the evidence in a different way, and weighted them differently, but

that is no indicator of the evaluative judgement reached being in error of law…The question is whether the evaluative judgement…was one no reasonable tribunal could have reached on the evidence before it; it whether some material factor was not taken into account. I am not persuaded.

Therefore, the FTT had made no material error in dismissing the appeal.

A final note. This was a judgment on the papers, but – remember – the Information Commissioner will always be a party to FOIA cases, because it is his decision that is at issue. In this instance, the Commissioner chose not to participate. Paragraph 32 records that he was “directed” to make a response to the appeal, but did not. If this correctly records a failure by the Commissioner to comply with a direction of the court, it is surprising there’s no note of disapproval from the judge.


Unreasonably accessible – ICO and misapplication of s21?

I’ll start with a simple proposition: if a dataset is made publicly available online by a public authority, but some information on it is withheld – by a deliberate decision – from publication, then the total dataset is not reasonably accessible to someone making an FOI request for information from it.

I doubt that any FOI practitioners or lawyers would disagree.

Well, sit back and let me tell you a story.

In November 2023 the Information Commissioner’s Office (ICO) refused to disclose information in response to a Freedom of Information request, on the grounds that the exemption at section 21 of the Freedom of Information Act 2000 (FOIA) applied: the information was “reasonably accessible to the applicant” without his needing to make a FOIA request.

The request was, in essence, for “a list…of the names of all the UK parish councils that have received 20 or more ICO Decision Notices (for FOIA cases only) since 1st January 2014”. The refusal by the ICO was on the basis that

the search function on the decision notice section of the ICO website returned 415 decision notices falling within the scope of the complainant’s request…[therefore] it is possible to place the names of the parish councils into an Excel sheet and then establish quickly how many decision notices relate to each individual parish council.

The ICO noted that, when it comes to the application of section 21

It is reasonable for a public authority to assume that information is reasonably accessible to the applicant as a member of the general public until it becomes aware of any particular circumstances or evidence to the contrary [emphasis added]

On appeal to the Information Tribunal, the ICO maintained reliance on the exemption, saying that all the applicant needed to do was to go to the ICO website and “look at each entry and count-up [sic] the numbers of [Decision Notices] against each parish council”. The Tribunal agreed: the ICO had provided the requester

with a link to the correct page of the ICO website, and instructing him how to use the search function. These instructions have enabled him to identify from the tens of thousands of published decision notices those 415-420 notices which have been issued to parish councils over the past decade or so

All straightforward, if one’s analysis is predicated on an assumption that the ICO’s public Decision Notice database is a complete record of all decision notices.

But it isn’t.

I made an FOI request of my own to the ICO, asking how many Decision Notices do not appear on the database. And the answer is 45. A number of possible reasons are given (such as that sensitive information was involved, or that there was agreement by the parties not to publish). But the point is stark: the Decision Notice database is not a complete record of all Decision Notices issued. And I do not see how it is possible for the ICO to rely on section 21 FOIA in circumstances like those in this case. It is plainly the case that the ICO knew (or was likely reckless in not knowing) that there were “particular circumstances or evidence” which showed that the information could not have been reasonably accessible to the applicant.

Of course, it is quite likely (perhaps inevitable) that the 45 unpublished Decision Notices would make no difference at all to a calculation of how many UK parish councils have received 20 or more Decision Notices since 1st January 2014. But that really isn’t the point. The ICO could have come clean – could have done the search itself and added in the 45 unpublished notices. It knew they existed, but for some reason thought it didn’t matter.

The ICO is the regulator of FOIA, as well as being a public authority itself under FOIA. It has to get these things right. Otherwise, why should any other public authority feel the need to comply?


FOI and government/ministerial WhatsApps

[reposted from LinkedIn]

An important Information Tribunal (T) judgment on a FOIA request, by Times journalist George Greenwood, to DHSC for gov-related correspondence between Matt Hancock (MH) and Gina Coladangelo (GC), grappling with issues regarding modern messaging methods in government and how they fit into the FOIA scheme.

Two requests were made. The first was for government-related correspondence between MH and GC using departmental email accounts, and any private email account MH had used for government business. The second was for all correspondence between them using other methods, such as WhatsApp.


Request 1

DHSC had found four emails and by the time of the hearing had disclosed them. It maintained that no further info was held.

However DHSC argued that emails sent by MH’s private secretaries and not by MH himself were out of scope. Not so, said the T: “even if a private office email account is operated by a private secretary…correspondence with a private office email account ought to be regarded as correspondence with the relevant minister”. Accordingly, they upheld that part of the appeal and ordered further searches.


Request 2

DHSC had initially said, and ICO had agreed(!), that government-related WhatsApp messages sent from MH’s personal device were not “held” for the purposes of FOIA because they were not held “as part of the official record”. By the time of the hearing, all of the parties were agreed that this was an error, and the T ruled that section 3(2)(b) FOIA applied, and that “WhatsApp messages from Mr Hancock’s personal device were held [by MH] on a computer system on [DHSC’s] behalf”.

DHSC then sought to argue that WhatsApp messages in a group were not “correspondence” between MH and GC, saying (in the T’s formulation of DHSC’s argument) “unless correspondence consists of one person corresponding directly with another, it is not ‘true’ correspondence”. The T was dismissive of this: “correspondence in the age of multiple methods of electronic communication can take different forms…the fact that simply because one or other of the relevant parties did not respond or may not have responded to a particular message does not mean that communications within a WhatsApp group cannot be considered to be correspondence”. The T also rejected the related submission that a person posting a message to a WhatsApp group is “broadcasting”, rather than “corresponding”.

(I have to say that I think the T probably overstepped here. I would tend to think that whether information in a WhatsApp group is correspondence or not should be determined on the facts, and not as a matter of general principle.)

Finally, the T did not warm to the evidence from an otherwise unidentified “Mr Harris” for the DHSC, to the effect that the request was vexatious on grounds of the burden. They therefore held that it was not. (As the messages were subsequently disclosed into the public domain during the Covid inquiry, not much turns on this.)


Can you stop election candidates sending you post?

During every recent general election campaign I can remember, there have been social media posts where people complain that they’ve received campaign material sent to them, by name, in the post. Electoral law (whether one likes it or not) permits a candidate to send, free of charge, one such item of post regardless of whether the recipient has objected to postal marketing, in general or specific terms. This right is contained in section 91 of The Representation of the People Act 1983. So, if you don’t like it, lobby your new MP in a few weeks’ time to get it changed.

Given that it’s always a topic of contention, I welcome the Information Commissioner’s Office’s publishing of guidance (including on the “one item of post” point) for the public on “The General Election and my personal data – what should I expect?”.

What the guidance does not address, however, is a conflict of laws point. Articles 21(2) and 21(3) of the UK GDPR create an absolute right to object to direct marketing and a consequent absolute obligation on a person not to process personal data for direct marketing purposes upon receipt of an objection. So how does this sit with the right given to electoral candidates to send one such communication?

Tim Turner has written on this point, in his “DPO Daily”, and says “I don’t think the Representation of the People Act trumps the DP opt-out right”, but – on this rare occasion – I think I disagree with him. This is because section 3(1) of the Retained EU Law (Revocation and Reform) Act 2023 provides that retained direct EU legislation – such as the UK GDPR – must be read and given effect in a way which is compatible with all domestic enactments, and, insofar as it is incompatible with them, those domestic enactments prevail.

So, the short answer to the title of this blog is “no” (although they can only send you just one personally addressed item).


How far can a legal fiction go?

When the Information Commissioner, as a public authority subject to the Freedom of Information Act 2000 (FOIA), is required to consider, as regulator, his own handling of a FOIA request, he enters into a legal fiction, whereby he separates himself into two, along these lines (taken from a decision notice):

This decision notice concerns a complaint made against the Information Commissioner (‘the Commissioner’). The Commissioner is both the regulator of FOIA and a public authority subject to FOIA. He’s therefore under a duty as regulator to make a formal determination of a complaint made against him as a public authority…In this notice the term ‘ICO’ is used to denote the ICO dealing with the request, and the term ‘Commissioner’ denotes the ICO dealing with the complaint.

It’s a legal fiction because the Information Commissioner is a corporation sole: every single function he has vests in him (and he has powers of delegation).

With this in mind, it is interesting to consider section 132(1) of the Data Protection Act 2018. This provides that

A person who is or has been the Commissioner, or a member of the Commissioner’s staff or an agent of the Commissioner, must not disclose information which— (a) has been obtained by, or provided to, the Commissioner in the course of, or for the purposes of, the discharging of the Commissioner’s functions, (b) relates to an identified or identifiable individual or business, and (c) is not available to the public from other sources at the time of the disclosure and has not previously been available to the public from other sources. (Unless the disclosure is made with lawful authority.)

When partaking in the legal fiction described above, can it be said that the Commissioner, or the Commissioner’s staff, have obtained, or been provided with, information, when the Commissioner is the person who holds the information? I think not. And if I’m right, that should mean that the Commissioner cannot rely on the exemption at section 44 of FOIA, on the grounds that there is a statutory bar on disclosure. But that’s what he does in response to this recent FOIA request. It will be interesting if the applicant asks for a decision notice.


EIR and sewage discharges: a shift in the ICO’s position

It’s interesting (and encouraging) to see that, in a notable shift of position, the Information Commissioner’s Office (ICO) is now ordering water companies to disclose data relating to allegedly unlawful discharges of dry spillage sewage.

Previously, the ICO had tended to agree with the companies’ arguments that disclosure would adversely affect investigations by Ofwat and the Environment Agency, and the information was, therefore, exempt from disclosure under regulation 12(5)(b) of the Environmental Information Regulations 2004 (EIR). Those arguments were rather forcefully undermined by a statement to the Public Accounts Committee by the CEO of Ofwat last November that

We do not think that the investigation itself is a good reason for companies not to provide data. They have some legal obligations to disclose information, and there is a process for working that through. That process does not involve Ofwat directly, but we would encourage companies to be open and transparent about their environmental performance.

Additionally, the ICO has taken note of the judgment of the Information Tribunal in the recent Lavelle case.

This Decision Notice neatly summarises the issues and the ICO’s new position.
