Category Archives: records management

Campaign for Records – Democracy and Rights in the Digital Age

There’s a piece up on the Mishcon de Reya website about the launch event for this campaign, run jointly by ARA and IRMS, at which I was recently invited to speak:


Does DHSC have a compliant ROPA?

Article 30(4) of the UK GDPR requires a controller to make its records of processing activities (ROPA) available to the Information Commissioner (ICO) upon request.

ROPAs are required for most large controllers, and should include at least

  • The name and contact details of the organisation (and where applicable the data protection officer).
  • The purposes of processing.
  • A description of the categories of individuals and categories of personal data.
  • The categories of recipients of personal data.
  • Details of transfers to third countries including documenting the transfer mechanism safeguards in place.
  • Retention schedules.
  • A description of the controller’s technical and organisational security measures.

Ordinarily, in my experience, controllers will maintain a ROPA in one document, or one set of linked documents. This not only enables a controller to comply with Article 30(4), but reflects the fact that a ROPA is not just a compliance obligation, but contributes to and assists the controller in its information governance functions.

This all makes the position of the Department of Health and Social Care (DHSC) rather odd. Because, in response to a Freedom of Information Act (FOIA) request for disclosure of its ROPA, it stated that the request was “vexatious” on the grounds of the time and costs it would have to incur to respond. This was because, as the DHSC subsequently told the ICO when the latter was asked to issue a FOIA decision notice

We hold a collection of documentation across different formats which, when put together, fulfils our obligation under Article 30 of the GDPR to record and document all of our personal data processing activities…[and]…to locate, retrieve and extract all of this documentation would involve a manual trawl of the whole organisation and each document would then need to be reviewed to check for content such as personal data, commercially sensitive data and any other information that would otherwise not be appropriate to place into the public domain

For this reason, the ICO accepted that compliance with the request would be “grossly oppressive” and this, taken with other factors, meant that the FOIA request was indeed vexatious.

The ICO is tasked with regulating both FOIA and data protection law. The decision notice here notes this, and says

the Commissioner feels duty bound to note that, if the DHSC cannot comply with the request because it would impose a grossly oppressive burden to do so, it is unlikely that the DHSC would be able to provide its ROPA to the Commissioner, which is a requirement under Article 30 of the UK GDPR, without that same burden

There’s a big hint here to DHSC that it should adopt a different approach to its ROPA for the future.

But the decision notice does contain some rather strange wording. In the context of the words quoted just above, the ICO says

This decision notice looks at the DHSC’s compliance with FOIA only and the Commissioner cannot order the DHSC to take any action under any other legislation.

It is true that, under his FOIA powers, the ICO cannot order the DHSC to comply with the UK GDPR, but, quite evidently, under his UK GDPR powers, he certainly can: Article 58(2)(d) specifically empowers him to

order the controller…to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period

I am not aware of anything in FOIA, or data protection law (or wider regulatory and public law) that prevents the ICO from taking enforcement action under UK GDPR as a result of findings he has made under FOIA. Indeed, it would be rather strange if anything did prevent him from doing so.

So it does seem that the ICO could order DHSC to get its ROPA in order. Maybe the big hint in the FOIA decision notice will have the desired effect. But regulation by means of big hints is perhaps not entirely in compliance with the requirement on the ICO, deriving from the Regulators’ Code, to ensure that its approach to its regulatory activities is transparent.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.


The cost of retaining old records

In 2008 the Law Society estimated that it held in storage 3.5 million files, in 180,000 boxes, at an annual cost of some £500,000. Those numbers can only have increased considerably since then. These are files gathered as a result of interventions in law firms by the Solicitors Regulation Authority (SRA) which, although an independent body, is administered and funded by the Law Society. An intervention involves the closing down of a firm, and the seizure of all money held by the firm (including clients’ money) and all documents and papers that relate to its clients, including files and accounting records. What happens to the money has been the subject of much analysis, and litigation, and the position is reasonably settled. But what happens to the files is less clear. Until 2001 the Law Society was of the opinion that it had the power to destroy obsolete files, but its confidence in that stance waned, and in The Law Society (Solicitors Regulation Authority) [2015] EWHC 166 (Ch) it sought, under paragraph 9(10) of the Solicitors Act 1974 (“the Society may apply to the High Court for an order as to the disposal or destruction of any documents [or other property] in its possession by virtue of this paragraph”) an order that it could destroy

non-original documents seized from 885 firms, totalling around 1.5 million files (the equivalent of some 109,600 boxes), the destruction of which would produce an estimated annual saving of £344,000 per annum 

In making an order to that effect Iain Purvis QC, sitting as a Deputy Judge of the Chancery Division, noted that the risks in doing so were low: it was highly unlikely that any person would need the documents in question. That low risk needed to be balanced against the data protection risks in retaining the documents (it was observed that permanent retention was likely in contravention of the fifth data protection principle in the Data Protection Act 1998) and the high costs of doing so. Moreover, the judge took into account that a responsible law firm would have had a document destruction policy under which the documents in question would have been unlikely to have survived. And finally, he considered whether there were any alternative measures which could be adopted, but the obvious ones – scanning the documents, or writing to the original clients – were prohibitively expensive.

What the judge declined to do was to make a formal declaration to the general effect that the SRA had the power to destroy documents (without the need for a court order). Although he accepted that such power did exist under paragraph 16 of Part II of Schedule 1 of the 1974 Act, the application he was hearing was unopposed, and so a declaration would have no obvious legal effect.

Nonetheless, the Law Society cannot be unpleased with an order which should save them almost £350,000 per annum. Document storage is not cheap, and excessive retention is both unnecessary and inherently risky in data protection terms. Most organisations don’t have the complex statutory underpinning of their functions as the Law Society does in this regard. A comprehensive and robust document retention policy can save a lot of money.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.


The ICO and records management

“The Tribunal is an unusual position in respect of this Appeal…”

The Freedom of Information Act 2000 (FOIA) requires a public authority, when someone makes a request for information, to say whether or not it holds it, and if it does, to disclose that information to the requester (subject to the application of any exemption). But what if it doesn’t know whether it holds it or not? What if, after it has said it can’t find the information, and after the Information Commissioner’s Office (ICO) has accepted this and issued a decision notice upholding the authority’s approach, it then discovers it held it all along? This is the situation the First-tier Tribunal (FTT) recently found itself faced with.

The facts of the case are relatively complex, but the issues turned on whether briefing notes, prepared for the Mayor of Doncaster Metropolitan Borough Council (DMBC) in the lead-up to a decision to withdraw funding for DMBC’s United Nations Day, could be found. The ICO had determined, in Decision Notice FS50503811 that

Ultimately the Commissioner had to decide whether a set of briefing notes were held by the Council. His decision, on the balance of probabilities, is that it does not

The requester appealed to the FTT, which, after initially considering the matter on the papers, ordered an oral hearing because of some apparent inconsistencies in DMBC’s evidence (I have to be frank: what exactly these were is not really clear from the FTT’s judgment, at paragraph 27). However, prior to that oral hearing DMBC located the briefing notes in question, so

the focus of the oral hearing was limited simply to establishing whether, at the time of the information request by the Appellant, DMBC knew that it held the information in the light of the searches that it had made in response to the Information Commissioner’s enquiries prior to his issuing the Decision Notice

In determining that it was satisfied that DMBC did not know, at the time of the request, that it held the information, the FTT was swayed by the fact that “even during the Information Commissioner’s enquiries, DMBC had maintained it had nothing to gain from ‘hiding’ the briefing notes” but also by the fact that DMBC owned up to poor records management practice in the period leading up to the request

In many senses it is more embarrassing for DMBC now to admit the truth that it had, historically, an unreliable and ineffective Records Management system than to continue to maintain that it could not find the requested information

It doesn’t surprise me that the FTT found as it did. What does surprise me, however, is that records management is not given a greater focus by the ICO. Although FOIA is not, primarily, a records management act, it does contain provisions relating to records management. Powers do exist to help improve practice both generally (through guidance) and specifically (through the use of practice recommendations). As I’ve written before

section 46 of FOIA [requires] the Lord Chancellor to issue a code of practice for management of records. Section 9 of that Code deals with the need to keep records in systems that enable records to be stored and retrieved as necessary, and section 10 with the need to know what records are held and where they are.

Under section 47 of FOIA the [ICO] must promote the following of good practice by public authorities and perform his functions so as to promote the observance by authorities of the section 46 Code, as well as the requirements of the Act in general. And under section 48 he may issue a “practice recommendation” if it appears to him that the authority has not conformed with the section 46 Code. In investigating compliance with the Code he has the power (section 51) to issue an “information notice” requiring the authority to furnish him with the information. Failure to comply with an information notice can, ultimately, constitute contempt of court.

I appreciate that the ICO has a lot on its hands, but good records management is so very integral not just to good FOIA compliance, but also to good compliance with the other major statute the ICO oversees – the Data Protection Act 1998. Greater focus on records management could drive better overall compliance with information rights law.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.


The Ministry of Poor Record Keeping?

If the Ministry of Justice really can’t search the text of emails for information, how can it comply with the FOI Code of Practice on Records Management?

In performing his functions under the Freedom of Information Act 2000 (FOIA) the Information Commissioner (IC) must promote the observance by public authorities of codes of practice issued under section 45 and section 46 of FOIA. Section 46 provides for a code of practice to be issued by the Lord Chancellor as to desirable practice for public authorities for the keeping, management and destruction of their records. A code was duly issued by the then Lord Chancellor Lord Irvine in 2002.

So, when deciding whether, for instance, a public authority has complied with its obligations under part 1 of FOIA (i.e. has it properly responded to a request for information?) the IC should, I submit, take into account where necessary whether the authority is complying with the Records Management Code.

With this in mind, consider the Ministry of Justice’s (MoJ) reported response to an FOI request for any mentions on its systems of the Howard League for Penal Reform. As Ian Dunt reports, the MoJ said that

On this occasion, the cost of determining whether we hold the information would exceed the limit set by the Freedom of Information Act

I have seen the MoJ response in question, and I accept that it is legitimate for a public authority to refuse to disclose information if the cost of determining whether it is held exceeds the limit prescribed by regulations (although authorities have an obligation under section 16 FOIA to advise and assist applicants as to how they might reframe their request to fall within the cost limits, and the MoJ have failed to do this). However, while the response refers to a necessity to search paper records, it also says

A manual search is required as central search functions (for example, those on email systems) would not identify all correspondence  – for example, if the Howard League for Penal Reform was mentioned in the body of the text

This appears to suggest, as Ian says, that “they can only search electronically for the headline of an email, not the body of a message”.

If this is true (which seems extraordinary, but one is sure it must be, because intentionally to conceal information which otherwise should be disclosed under FOIA is an offence) it would appear to be contrary to the desirable practice in the Records Management Code, which says that

Records systems should be designed to meet the authority’s operational needs and using them should be an integral part of business operations and processes. Records systems should…enable quick and easy retrieval of information. With digital systems this should include the capacity to search for information requested under [FOIA]

It would be most interesting if the Howard League were to refer this to the IC for a decision. The IC rarely these days mentions the Records Management Code, but as the Code itself says

Records and information are the lifeblood of any organisation. They are the basis on which decisions are made, services provided and policies developed and communicated

Not only does poor records management affect compliance with FOIA (and other legal obligations), but it is not conducive to the reduction of back-office costs, developing new ways of working, and driving economies of scale (all things, of course, which the current Lord Chancellor prays in aid of his potentially devastating changes to legal aid provision).

p.s. As @Unity_MoT points out on twitter, if the MoJ struggles to search its systems to respond to FOIA requests, how does it undertake searches for responding to subject access requests under section 7 of the Data Protection Act 1998? See e.g. page 17 of the IC Code of Practice on Subject Access:

Not only should your systems have the technical capability to search for the information necessary to respond to a SAR, but they should also operate by reference to effective records management policies



Kent Police get £100,000 penalty for poor data security

I blogged last week about “data breaches”, and the need to define and sometimes to differentiate between a breach of the Data Protection Act 1998 (DPA) and a general data security breach. Well, I’m (not at all) pleased to say that today’s news of the latest monetary penalty notice (MPN) served by the Information Commissioner’s Office (ICO) on Kent Police doesn’t need any such nuanced analysis. Here was a data security breach which was also a manifest breach of the DPA.

A police officer, by chance, discovered in some premises video tapes clearly marked as police material. He subsequently ascertained that the owner had found them, and much more besides, in the basement of a former police station which he had purchased. It is difficult to think of more sensitive information than the kind which was involved here. In part it consisted of

documents and video/audio tapes containing confidential and highly sensitive personal data about a significant number of individuals. These included files relating to threats to kill, rape, grievous bodily harm and child abuse cases; interviews with victims, witnesses/informants and suspects

Although the force had initially

taken some steps to safeguard the information by carrying out inspections of the former police station which identified that items were still in situ

the failure to have any policies in place, or to assign responsibility to anyone, meant that this was a clear and serious contravention of the seventh data protection principle (relating to data security measures) of a kind likely to cause, at least, substantial distress. I would add, although the ICO does not, that it might well have been also a serious contravention of the fifth principle (“Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes”). Given this, it is somewhat surprising that this case falls (admittedly at the top end) into the lowest category of cases qualifying for an MPN (the ICO’s internal guidance says that these cases will attract an amount of £40,000 to £100,000). Bearing in mind that Brighton and Sussex University Hospitals NHS Foundation Trust got an MPN of £325,000 for failing to dispose of computer hard drives properly, this current MPN seems low.

It also, once again, draws attention to the importance of good records management within police forces. I wrote only recently, in the context of the Ellison Review of policing relating to the Stephen Lawrence inquiry, about how records management is essential for the operation of the rule of law and the current case just gives even greater strength to this.


The Ellison Review and records management

Failings in records management hampered the Ellison Review. In the absence of legal enforcement mechanisms, we should recognise the importance of records managers.

It is a truism that good records management is essential to good information rights practice. Section 46 of the Freedom of Information Act 2000 requires the Lord Chancellor to issue a records management code of practice, and the code itself says

Freedom of information legislation is only as good as the quality of the records and other information to which it provides access. Access rights are of limited value if information cannot be found when requested or, when found, cannot be relied upon as authoritative

Similarly, records management is embedded in the principles of Schedule One to the Data Protection Act 1998, particularly those relating to adequacy, accuracy and retention of personal data.

But Mark Ellison QC’s report following The Stephen Lawrence Independent Review throws even sharper focus on how important records management can be in the service of justice, and the rule of law. Ellison’s Review was not a statutory inquiry, and thus did not have the legal powers to search records, or compel production of information (although its terms of reference did say that it should be given access to all necessary files). However, it appears to have been hampered by what looks like failings in records management. The report notes that

a number of potentially important areas of documentation…have not been provided to us. The explanation for this absence varies between:

a) a suspicion (or sometimes hard evidence) that they have been destroyed;
b) a belief that they must exist but cannot be found; or
c) that there simply is no record available and no way of knowing if one was ever made

Note that none of these explanations gives an indication that information has been deliberately withheld, so the subsequent announcement by the Home Secretary that there will now be a public inquiry (with full legal powers to gather information) into the infiltration methods of undercover police does not necessarily mean that information-gap will be filled.

The revelations of the disgraceful “spying” on the Lawrence family during the initial Macpherson inquiry into Stephen’s death are, of course, the most important outcome of the Ellison Review. However, what unnerves me about the Ellison Review’s difficulties in getting information is that they starkly show that a failure to follow good records management practice potentially enables corruption and illegality to be covered up, and that there is a lack of enforcement and regulatory mechanisms to prevent or punish this. The criminal sanctions regarding wilful destruction or withholding of information under FOIA apply only if the actions occur following the submission of a FOIA request, and, under the DPA, criminal sanctions only apply to unlawful obtaining or disclosure of personal data: destruction or hiding of information is unlikely to be a criminal act, in the absence of other factors.

I think this shows that Records Managers hold an exceptionally important role, one which is vital for organisational governance and compliance, and one which is sadly not recognised by some organisations. Records Managers should sit on information governance boards, should have a hotline to the Chief Information Officer, Head of Legal, Senior Information Risk Officer etc., and should be properly resourced and supported by those senior officers.

Stephen Lawrence would have been forty this year. The Stephen Lawrence Charitable Trust helps transform the lives of the young people it supports.
