Category Archives: transparency

FOI vs Transparency debate

Yesterday, after attending a fascinating and in-depth briefing from Network Rail on their journey towards being subject to the Freedom of Information Act 2000, I was privileged to appear on a panel debating “In a world of Freedom of Information, does voluntary transparency still matter?” Although rather daunted by the illustrious fellow panel members – the Campaign for Freedom of Information‘s Maurice Frankel, the Guardian’s Jane Dudman and Sir Alex Allan KCB1 – I delivered a short address on the subject (as did those others). Perhaps unsurprisingly, the panel were unanimous in feeling that voluntary transparency does still matter in a world of FOI, but, just as importantly, that voluntary transparency does not and should not make FOI redundant. This is broadly what I said, with added hyperlinks:

A very wise man called Tim Turner once wrote: “The point of FOI is that you get to ask about what YOU want to know, not what The Nice Man Wants To Tell You”. And this I think is the key point which distinguishes the access rights afforded to individuals under Freedom of Information and related legislation, from the transparency agenda which has led to the UK government again this week being pronounced the most open and transparent in the world, by Tim Berners Lee’s World Wide Web Foundation.

At the same time as that first place was announced, cynics amongst us might have pointed to the fact that in the 2013 Global Right to Information Ratings compiled by Access Info and the Canadian Centre for Law and Democracy, the UK was in 29th place, behind countries like Kyrgyzstan and Sierra Leone.

There’s clearly a gap in perception there, and one that is not simply explained away by questions about methodology.

In 2012 Francis Maude said “I’d like to make Freedom of Information redundant, by pushing out so much data that people won’t have to ask for it”. While this is in some ways a laudable aim, it is simply never going to wash: there will always be some information which Mr Maude doesn’t want disclosed, but which I, or, you, or someone else, does (to illustrate this one only has to look at how regularly the Cabinet Office claims FOI exemptions and refuses to disclose).

By the same token Network Rail, who have disclosed an impressive amount of valuable data over recent years, would not, I am sure, pretend that they expect only ever to disclose information in response to FOI requests, when they come under the Act’s coverage in a few months. There will clearly be information which they will not be able to disclose (and for perfectly valid reasons).

The transparency agenda cannot simply sweep away concerns about disclosure of commercially sensitive information, or of personal data, or of information which might prejudice national security. But there will always be people who want this information, and there will always be the need for a legal framework to arbitrate disputes about disclosure, and particularly about whether the public interest favours disclosure or not.

And, as a brief aside, I think there’s an inherent risk in an aggressive, or, rather, enthusiastic, approach to publication under a transparency agenda – sometimes information which shouldn’t be published does get published. I have seen some nasty erroneous, and even deliberate, disclosures of personal data within Open Datasets. The framework of FOI should, in principle at least, provide a means of error-checking before disclosure.

When FOI was in its infancy we were assured that effective and robust publication schemes would ultimately reduce the amount of time spent dealing with FOI requests – “Point them to the publication scheme” we were told…While I am sure that, on some level, this did transpire, no one I have spoken to really feels that proactive publication via a publication scheme has led to a noticeable decrease in FOI requests. And I think the same applies with the Transparency Agenda – as much as Mr Maude would like to think it will make FOI redundant, it has, and will continue to have, only a minor effect on the (necessary) burden that FOI places on public authorities.

I do not think we are going to see either the Transparency Agenda dispense with FOI, nor FOI dispense with the Transparency Agenda: they are, if not two sides of the same coin, at least two different coins in the same purse. And we should always bear in mind that public scrutiny of public authorities is not just about what the Nice Man Wants To Tell You, but is equally about what the Nasty Man Doesn’t Want To Tell You.

1I’m delighted to see from his Wikipedia entry that Sir Alex is a huge Grateful Dead fan, and that further research suggests that this isn’t just Wikipedian inaccuracy

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

1 Comment

Filed under Freedom of Information, transparency

A strict test for compliance with access to information laws

The High Court has quashed planning permission for a wind turbine because the Council involved failed to make information available beforehand, in breach of its legal obligations

The statutory rights to information held by public authorities which commenced in January 2005 – when the Freedom of Information Act 2000 and the Environmental Information Regulations 2004 came into effect – are not the only legal mechanism whereby people can or must have public information imparted to them. For instance, sections 100A-E of the Local Government Act 1972 (as inserted by the Local Government (Access to Information) Act 1985) deal with access to meetings of and information relating to meetings of specified local authorities (broadly, County, Borough, District, City or Unitary Councils). Section 100B deals with access to agendas and reports and section 100D with access to background papers. In both cases these must be “open to inspection by members of the public at the offices of the council” at least five clear days before the meeting (“clear days” refers to weekday working days and does not include the day of publication or the day of the meeting (R v Swansea City Council, ex p Elitestone Ltd (1993) 66 P. & C.R. 422)).

But what happens if these obligations are not complied with? what, for example, happens if background papers are not available for inspection for five clear days before a meeting? Often, nothing happens at all, but sometimes such a failure can be significant and costly. In a recent case (Joicey, R (on the Application of) v Northumberland County Council [2014] EWHC 3657) this is exactly what transpired. A planning application for a wind turbine was at issue,1 with a meeting scheduled for 5 November 2013 to consider it. The judgment informs us that “the officer’s report recommending approval…subject to conditions, was made available on 23 October” (it is not clear whether this means made available only for inspection, or whether it was also available on the Council’s website, although nothing turns on this). A Dr Ferguson, opposing the application (and a friend of the applicant Mr Joicey) noticed from the officer report that an external noise assessment report had been commissioned and produced. He emailed the Council on 30 October asking about the noise assessment report, getting no immediate reply, and attended the Council offices on 1 November to inspect the files, but no noise assessment report was included. On 4 November, the day before the committee meeting, he received a reply to his 30 October email, with a copy of the noise assessment report attached. The same day a copy of the report was uploaded to the Council website.

The committee approved the application, despite Mr Joicey addressing the meeting in the following terms

Noise impact assessment has been carried out again, in full, for this application, but I don’t suppose any of you have seen it, because this highly relevant document (74 pages of it) appeared only yesterday, and that was after requests to see it. If you study it, and you are properly armed with the knowledge of previous planning history connected with this site, you will find that it is actually fundamentally flawed, again, and that it shows that this application must actually be refused on noise grounds.

Mr Joicey brought judicial review proceedings on six grounds, but the one which concerns us here is the first: the non-availability of the noise assessment. As the noise assessment report was not included in a list of the background papers for the report to the committee, and was not available for inspection five clear days before the meeting there was, said Mr Justice Cranston

no doubt that there were a number of breaches of the public’s right to know under the Local Government Act 1972

Furthermore, the fact that the report was not available on the Council’s website was a breach of its undertakings in its Statement of Community Involvement (SCI) prepared pursuant to its obligations under section 18(1) of the Planning and Compulsory Purchase Act 2004. The Council’s SCI stated that “Once a valid planning application has been received we will…Publish details of the application with supporting documentation on the council website.” The Council even conceded that, although the report had been uploaded on 4 November, it had been described as published on 9 September, and the judge took a “dim view of any public authority backdating a document in a manner which could give a false impression to the public”. The undertaking in the SCI went further, said the judge, than the statutory obligations in the 1972 Act, and constituted a continuing promise giving rise to a legitimate expectation on the part of the public, and “otherwise the public’s right to know what is being proposed regarding a planning application would be frustrated”.

But what was the effect of these failings? The Council submitted that no prejudice had been caused to the claimant, because the planning committee’s decision had been inevitable and, adopting the test in Bolton MBC v Secretary of State for the Environment (1990) 61 P. & C.R. 343, if the court was uncertain whether, absent the failings, there would be a real possibility of a different decision being there was no basis for concluding that it was invalid. However, Mr Justice Cranston held that the correct test was different: drawing on the authorities of Simplex GE Holdings Ltd v Secretary of State for Environment (1988) 3 PLR 25 and R (on the application of Holder) v Gedding District Council [2014] EWCA Civ 599 he said that

the claimant will be entitled to relief unless the decision-maker can demonstrate that the decision it took would inevitably have been the same had it complied with its statutory obligation to disclose information in a timely fashion [emphasis not in original]

And in this case the Council failed to persuade him that the decision would inevitably have been the same if the noise assessment report had been made available earlier: the issue of noise had been a key one in earlier challenges to the developments and remained so now, and Mr Joicey could have made further representations and sought further expert opinion which might have persuaded the planning committee.

Some of Mr Joicey’s other grounds of challenge succeeded, and some failed, but the merits of the successful challenges led to the planning permission being quashed.

Local authorities would do well to note the strictness of the test here: breaches of the access to information provisions of the 1972 Local Government Act, and of the undertakings in a Statement of Community Involvement, will mean decisions taken are liable to be quashed upon challenge, unless the decision would inevitably have been the same without the breaches. Inevitability is a hard thing to prove.

1Northumberland County Council, despite its name, is a unitary authority, and, therefore, a local planning authority

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under local government, transparency

Wacky FOI requests – with serious motives?

Not for the first time the Local Government Association (LGA), an almost entirely public-funded association of first- and second-tier local councils in England and Wales, has produced a press release bemoaning the fact that its members have to deal with “wacky FOI requests”. Peter Fleming, of the LGA’s Improvement Board, is quoted as saying

While the majority of requests to councils are for details of council policy and expenditure, some of the FoI requests received do not relate very closely to the services they are focused on providing every day of the year. Councils are working very hard to keep local communities running as efficiently as possible during these challenging financial times and anything which distracts from that can affect the value for money that taxpayers receive

Examples of “wacky requests” are given, and the implication is very much that the requesters were wasting public money by making them. So let’s have a look at them:

Please list all the types of animals you have frozen since March 2012, including the type and quantity of each animal?
How very wacky. Or is it? Some councils freeze dead dogs and cats found by the roadside so that concerned or distressed owners of lost animals can try to locate them. Maybe that practice is beyond what councils need to do, and it certainly involves public expenditure. What is so wrong with someone wanting to look into the practice by making a relevant FOI request? Indeed, at least one council makes the information available as a dataset.
How many times has the council paid for the services of an exorcist, psychic or religious healer? Were the services performed on an adult, child, pet or building?
How very wacky. However, at least one council has previously been identified as paying an exorcist to remove a poltergeist from a tenancy. If such extraordinary use of public money were repeated elsewhere this would be a scandal, and it doesn’t seem too wrong to make an FOI request to establish if that might be the case.
Please can you let me know how many roundabouts are located within your council boundaries?
How wacky. But, research suggests that optimal use and placement of roundabouts on a highway network reduces delays and accidents, with consequent potentially large savings to the public purse. It seems entirely legitimate to request information like this, perhaps in pursuance of an investigation into whether a council is apportioning its resources properly when it comes to highways management.
What precautions, preparations, planning and costings have been undertaken in the case an asteroid crashes into Worthing, a meteorite landing in Worthing or solar activity disrupting electromagnetic fields?
How wacky. In fact, yes it is, despite what former MPs say. And despite the fact that, yes, I know there is always a risk of asteroidal impact. Move along.
How many holes in privacy walls between cubicles have been found in public toilets and within council buildings in the last 10 years?
How wacky. Not at all: the Home Office itself identifies voyeurism as a form of harassment and anti-social behaviour. Councils have statutory duties to prevent anti-social behaviour. Why is a request about one aspect of this so wacky?
How many bodies are there in mortuaries that have been unclaimed for ten years? How long have these bodies been in the mortuary? How old were they when they died? Is it possible to have the names of these people?
How wacky. Well, bear in mind that local authorities have a statutory duty to pay for burial or cremation of unclaimed bodies in their area. Perhaps a request for this information is aimed at investigating whether the council was saving money by disregarding its duties?
How many people in the town have a licence to keep a tiger, lion, leopard, lynx or panther as a pet?
How wacky. Why? There might be any number of reasons to make this request – councils have statutory duties to ensure that licences to own dangerous animals are only issued subject to rigid and specific conditions. A large number of dangerous animals within one town might point to failings in those duties.
How many requests were made to council-run historic public-access buildings (e.g. museums) requesting to bring a team of ‘ghost investigators’ into the building?
Not wacky (see “exorcism” above).
How many children in the care of the council have been micro-chipped?
How wacky. Well, maybe a bit – I’m not aware of any serious suggestions that this will happen. But there are many concerned – if perhaps deluded – people who think this might already be happening. This request might be odd,but I suspect it was made with the utmost seriousness.

I’m not saying that my speculations about the reasons behind these requests are right. Maybe some of the requests were made for entirely frivolous purposes, or to waste councils’ time and money, but I’m far from convinced that is the case. And, of course, if the requests were entirely frivolous the Freedom of Information Act 2000 contains a provision which enables the authority to dismiss them forthwith. Truly frivolous requests should not cost a council more than a few minutes’ work, and, in my experience, they are rare.

Careful readers will note that I haven’t mentioned the first of the LGA’s examples:

What plans are in place to protect the town from a dragon attack?
How wacky. Yes, boringly, gloom-inducingly unfunnily “wacky”, and thoroughly demolished (while questioning the motives of the council who publicised it) by Tim Turner only a couple of months ago.

There are many serious threats to councils’ revenues, but I don’t accept that FOI is one of them. FOI costs, but it costs relatively little and it has big societal benefits, as the Justice Committee recognised in 2012 when it called it a “significant enhancement of our democracy”. Truly “wacky requests” can be deftly deflected by using the “vexatiousness exemption” of the FOI Act, but let’s not assume that all requests with apparently wacky themes have unserious motives. And – digressing somewhat – let us not forget the LGA is not subject to FOI.


Filed under Freedom of Information, transparency

The days of wine and disclosures

I like FOI. I like wine. Here’s an FOI disclosure about wine.

In the early days of the Freedom of Information Act 2000 (FOI) there were frequent attempts to get the government to disclose detailed information about its wine cellar (see for instance this seemingly interminable request). Eventually, the Information Commissioner got fed up with the lack of FOI hospitality from the Foreign and Commonwealth Office (FCO), who seem to be responsible for this sort of thing, and started issuing decision notices requiring disclosure.

I’m pleased to see that disclosure is now, if not a matter of routine, not resisted by FCO (except for some intriguing little redactions – one wonder if they hide things like “this is the Minister for X’s favourite”). So, we now know that the government has reserves of, for instance, 139 bottles of Latour 1961, with a market value of £321,000. This is the highest value wine, but we (sorry, they) also hold 110 bottles of Chateau Margaux 1983 (market value £15k – not the best vintage, after all). And their Pétrus is only the 1978, but even so, the estimated market value of £250 seems very low.

It’s a shame the dataset isn’t in resuable format, but, we’re all in it together, so I’d invite others to search out some other interesting cellar items. Those Krug ’82 magnums look a steal at £125 a pop…

Leave a comment

Filed under Freedom of Information, Information Commissioner, transparency, Uncategorized

Political attitudes to ePrivacy – this goes deep

With the rushing through of privacy-intrusive legislation under highly questionable procedures, it almost seems wrong to bang on about political parties and their approach to ePrivacy and marketing, but a) much better people have written on the #DRIP bill, and b) I think the two issues are not entirely unrelated.

Last week I was taking issue with Labour’s social media campaign which invited people to submit their email address to get a number relating to when they were born under the NHS.

Today, prompted by a twitter exchange with the excellent Lib Dem councillor James Baker, in which I observed that politicians and political parties seem to be exploiting people’s interest in discrete policy issues to harvest emails, I looked at the Liberal Democrats’ home page. It really couldn’t have illustrated my point any better. People are invited to “agree” that they’re against female genital mutilation, by submitting their email address.


There’s no information whatsoever about what will happen to your email address once you submit it. So, just as Labour were, but even more clearly here, the Lib Dems are in breach of the The Privacy and Electronic Communications (EC Directive) Regulations 2003 and the Data Protection Act 1998. James says he’ll contact HQ to make them aware. But how on earth are they not already aware? The specific laws have been in place for eleven years, but the principles are much older – be fair and transparent with people’s private information. And it is not fair (in fact it’s pretty damn reprehensible) to use such a bleakly emotive subject as FGM to harvest emails (which is unavoidably the conclusion I arrive at when wondering what the purpose of the page is).

So, in the space of a few months I’ve written about the Conservatives, Labour and the Lib Dems breaching eprivacy laws. If they’re unconcerned about or – to be overly charitable – ignorant of these laws, then is it any wonder that they railroad each other into passing “emergency” laws (which are anything but) with huge implications for our privacy?

UPDATE: 13.07.14

Alistair Sloan draws attention to the Scottish National Party’s website, which is similarly harvesting emails with no adequate notification of the purposes of future use. The practice is rife, and, as Tim Turner says in the comments below, the Information Commissioner’s Office needs to take action.



Filed under consent, Data Protection, PECR, Privacy, transparency

The slings and arrows of FOI

“…investigation by and even adverse comment from the Ombudsman is one of the slings and arrows of local government misfortune with which broad shouldered officials have to cope…” (Feld v London Borough of Barnet [2004] EWCA Civ 1307)

Ombudsmen loom over the actions of many public authorities. Particularly, the NHS and local authorities are subject to the scrutiny of respectively, the Parliamentary and Health Service Ombudsman (PHSO), and the Local Government Ombudsman (LGO). The Ombudsmen themselves must have broad shoulders, subject as they are to the oversight of both parliament, and, because they are public authorities subject to the Freedom of Information Act 2000 (FOIA), the Information Commissioner’s Office (ICO).

The PHSO was recently asked, under FOIA, for the email address and telephone number of the Ombudsman herself, Dame Julie Mellor. The request was refused, on the basis of the exemption at section 40(2) of FOIA – namely that the requested information was Dame Julie’s personal data, and disclosure would breach the first data protection principle in the Data Protection Act 1998. This refusal has now been upheld by the ICO, in a decision notice which explains that

the data requested relates to a living individual who may be identified from that data and that [therefore] it constitutes personal data

That much is uncontroversial: a person’s email address and telephone number will generally be held to be their personal data, even in a professional context, providing that they can be identified from that data. However, the ICO goes on to say

the Commissioner considers that the Ombudsman would have a reasonable expectation that her email address and direct telephone number would not be placed into the public domain by disclosure under the FOIA…

…The Commissioner is aware that the requested email address and telephone number are personal to the Ombudsman but are professional contact details. He considers that their disclosure is unlikely to cause the Ombudsman distress on a personal level. However the Commissioner is satisfied that disclosure would disrupt the running of the organisation and it is apparent that the consequences would have a negative impact upon the PHSO

This seems to conflate two quite separate issues – personal privacy, and organisational impact. As far as I can understand it the argument is that, because this is personal data, and because disclosure would disrupt the running of the organisation, disclosure would not be “fair”, in line with the requirements of the first data protection principle. But, as the ICO’s own guidance on disclosure of personal data under FOIA explains (paragraph 44), the consequences to be taken into account are those to the data subject, not to their organisation, or a third party.

If disclosure of information would disrupt the running of a public authority, there are other, more appropriate FOIA exemptions which might apply. Specifically, section 36(2)(c), for situations where disclosure would prejudice, or would be likely otherwise to prejudice, the effective conduct of public affairs.

But even then I struggle to see how disclosure of such innocuous information would really cause sufficient prejudice to warrant keeping this information secret – shouldn’t the Ombudsman be able to implement systems to deal with a possible increase in emails and calls if the email address and phone number were made public? Isn’t this sort of potential irritation one of the slings and arrows of administrative misfortune with which broad shouldered officials have to cope?

(As a footnote to this piece, neither the section 40(2), nor the section 36(2)(c) are going to carry much weight when the information is readily available online already. I will not link to it, because I’m a cautious soul, but Dame Julie’s email address, at least, has been published on the internet as part of a document created by her, and hosted by a reputable academic institution.)





Filed under Data Protection, Freedom of Information, Information Commissioner, ombudsman, transparency

Implications of the Home Office data breach

What sanctions might result from the recent Home Office data breach, and how does it relate to the transparency agenda?

News emerged yesterday, through the rather unusual route of a statement to Parliament by Mark Harper, Minister for Immigration, that a spreadsheet containing the personal information of almost 1600 people had been inadvertently published by the Home Office on a government website. The minister’s statement says

between 15 and 28 October 2013 some personal data was available on the Home Office website as part of a spreadsheet alongside the regular data set in error. This was identified by Home Office officials on 28 October 2013 and the personal information was  removed immediately. The personal data related to the names of 1,598 main applicants in the family returns process, their date of birth and limited details about their immigration case type and status

On these conceded facts this would appear to be a clear breach of the Data Protection Act 1998 (DPA), and, specifically, the principles of Schedule 1 to the Act which require that processing be fair and lawful, and that appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data. But what are the implications of this?

By virtue of section 4(4) of the DPA a data controller – in this instance the Home Office – must comply with those principles. A serious contravention of them, of a kind which is likely to cause substantial damage or substantial distress, can (by section 55A) invoke the powers of the Information Commissioner’s Office (IC) to serve a monetary penalty notice, to a maximum of £500,000. Whether the IC would exercise his discretion to do so would depend on various factors. Firstly, he would need to satisfy himself whether the personal data involved was “sensitive”. Sensitive personal data is afforded greater protection by the DPA, and breaches involving it are accordingly more serious. We are told that the information involved here consisted of people’s names, dates of birth, and their immigration status. Information about a person’s racial or ethnic origin is sensitive personal data – could one derive or infer that from the mistakenly disclosed information? This will be an important question to answer. But, additionally and more simply, it seems that these were “illegal immigrants” – the data was related to immigration family returns, and this would certainly seem to imply either the commission or alleged commission of an offence by those whose data was exposed, and this would also move the data into the category of “sensitive”.

Whether the apparent contravention was likely to cause substantial damage or substantial distress is less clear. The minister points out that there appear to have been fewer than thirty page views, but that we don’t know whether any of those people accessed or downloaded the data. But this perhaps overlooks the part of the statutory scheme which talks about whether the contravention was “of a kind likely” to cause the damage or distress. If for instance, this incident, which we are told is being investigated by the IC, is a symptom of inappropriate or insufficient data security measures, then that factor, rather than this discrete incident, could potentially give rise to sanctions. Also relevant might be what efforts the Home Office has taken to ensure that cached versions of the data have been removed from the internet – it is remarkably easy for information quickly to be captured and mirrored elsewhere, by automated web services.

The IC’s powers are not limited, however, to issuing monetary penalties. He can also issue enforcement notices requiring data controllers to take specified actions, and a breach of an enforcement notice can be a criminal offence. Less seriously, he can simply make a determination as to whether there is likely to have been a breach of the DPA. And he can take informal action, requiring a responsible person at the ministry to sign an undertaking to improve compliance.

The transparency agenda

What I also find noteworthy is that the minister prefaces his statement with remarks about the government’s commitment

to openness and transparency to enable the public to hold the government and other public bodies to account. This government has made more data available than ever before…

These are laudable aims and actions, but, I have written before that the transparency agenda carries with it risks that, in the rush to publish more and more data, there will be privacy and data protection breaches. And if the government and the IC, as regulator, do not do more to alert people to these risks they must be aware that they risk being seen as complicit in such breaches. As I said in my piece for The Guardian

The IC must work with the government to offer advice direct to chief executives and those responsible for risk…So far these disclosure errors do not appear to have led to harm to those individuals whose private information was compromised, but, without further action, I fear it is only a matter of time.

1 Comment

Filed under Data Protection, enforcement, Home Office, Information Commissioner, monetary penalty notice, parliament, transparency

Reducing regulation…by clogging up the courts

The only thing that made me stop laughing about the Cabinet Office’s arguments in a doomed Tribunal appeal was thinking about the cost to the public purse.

Soon after it was formed the coalition government made an admirable commitment to cut government red tape, by reducing the amount of domestic regulation

Through eliminating the avoidable burdens of regulation and bureaucracy, the Government aims to promote growth, innovation and social action

A Cabinet sub-committee – the Reducing Regulation Committee (RRC) – was set up, to “take strategic oversight of the delivery of the Government’s regulatory framework”.

Around the same time the government was also trumpeting its transparency agenda, with the Prime Minister saying, in an Observer article in September 2010

For too long those in power made decisions behind closed doors, released information behind a veil of jargon and denied people the power to hold them to account. This coalition is driving a wrecking ball through that culture – and it’s called transparency

One might not have supposed, therefore, that it would have been necessary in August 2012 for a request under the Freedom of Information Act 2000 (FOIA) to be made, for (merely) the number of times the RRC had met. Surely this is the sort of information which should be made public as a matter of course? But it was necessary. Moreover, this particular door stayed shut, despite the gentle tapping of transparency’s wrecking ball, when the Cabinet Office refused the request, citing the FOIA exemption which applies to information held by a government department which relates to a) the formulation or development of government policy, or (b) Ministerial communications (section 35(1)(a) and (b)).

The Cabinet Office continued to argue that this exemption was engaged, and that the public interest favoured non-disclosure, when the requester complained to the Information Commissioner’s Office (ICO). And when the ICO held that, yes, the exemption was engaged, but, no, the public interest favoured disclosure , the Cabinet Office appealed the decision.

The First-tier Tribunal (Information Rights) (FTT) has now handed down its judgment, and it makes amusing if dispiriting reading. Wholly unsurprisingly, the ICO’s decision is upheld, and it seems that the Cabinet Office’s argument boils down to two main points: “if we tell you how often the RRC has met then it might mislead you into missing all the great work being done elsewhere, and as a result that great work elsewhere might be adversely affected” (my apologies to the Cabinet Office if this misrepresents their position, but I’ve really tried my best).

The FTT had very little time for these arguments. The only thing vaguely in the Cabinet Office’s favour was that, as a lot of information about “reducing regulation” processes was already publicly available, the public interest in disclosure was small. But, rather devastatingly, the FTT says

the public interest in maintaining the exemption is so weak that it does not equal, let alone outweigh, the, admittedly light, public interest in disclosure (para 27) [emphasis added]

It is worth reading the judgment (which I won’t dissect in detail), as an example of a particularly weak argument against FOIA disclosure, but I would add three closing observations from which you might deduce my level of approval of the Cabinet Office’s conduct:

1. this was a request simply and merely for the number of times a government committee has met (how “transparent” is a refusal to disclose that?)
2. taking a case to FTT is not without significant costs implications (bear in mind this was an oral hearing, with a witness, and with counsel instructed on both sides)
3. the whole litigation in any case carries a huge hint as to the nature/substance of the information held (if the RRC had met often, would the Cabinet Office really want to withhold that fact?)

Leave a comment

Filed under Cabinet Office, Freedom of Information, Information Commissioner, Information Tribunal, transparency

Let’s Blame Data Protection – the Gove files

Thanks to Tim Turner, for letting me blog about the FOI request he made which gives rise to this piece

On the 12th September the Education Secretary, Michael Gove, in an op-ed piece in the Telegraph, sub-headed “No longer will the quality, policies and location of care homes be kept a secret” said

A year ago, when the first shocking cases of sexual exploitation in Rochdale were prosecuted, we set up expert groups to help us understand what we might do better…Was cost a factor? Did we need to spend more? There was a lack of clarity about costs. And – most worrying of all – there was a lack of the most basic information about where these homes existed, who was responsible for them, and how good they were….To my astonishment, when I tried to find out more, I was met with a wall of silence

And he was in doubt about where the blame lay (no guesses…)

The only responsible body with the information we needed was Ofsted, which registers children’s homes – yet Ofsted was prevented by “data protection” rules, “child protection” concerns and other bewildering regulations from sharing that data with us, or even with the police. Local authorities could only access information via a complex and time-consuming application process – and some simply did not bother…[so] we changed the absurd rules that prevented information being shared

This seemed a bit odd. Why on earth would “data protection” rules prevent disclosure of location, ownership and standards of children’s homes? I could understand that there were potentially child protection concerns in the too-broad-sharing of information about locations (and I don’t find that “bewildering”) but data protection rules, as laid out in the Data Protection Act 1998 (DPA), only apply to information relating to identifiable individuals. This seemd odd, and Tim Turner took it upon himself to delve deeper. He made a freedom of information request to the Department for Education, asking

1) Which ‘absurd’ rules was Mr. Gove referring to in the first

2) What changes were made that Mr. Gove referred to in the second

3) Mr Gove referred to ‘Data Protection’ rules. As part of the
process that he is describing, has any problem been identified with
the Data Protection Act?

Fair play to the DfE – they responded within the statutory timescales, explaining

Regulation 7(5) of the Care Standards Act 2000 (Registration) (England) Regulations 2010 …prohibited Ofsted from disclosing parts of its register of children’s homes to any body other than to a local authority where a home is located. Whatever the original intention behind this limitation, it represented a barrier preventing Ofsted from providing information about homes’ locations to local police forces, which have explicit responsibilities for safeguarding all children in their area…we introduced an amendment to Regulation 7 with effect from April 2013

But their response also revealed what had been very obvious all along: this had nothing to do with data protection rules:

the reference to “data protection” rules in Mr Gove’s article involved the Regulations discussed above, made under section 36 of the Care Standards Act 2000. His comments were not intended as a reference to the Data Protection Act 1998

This is disingenuous: “data protection” has a very clear and statutory context, and to extend it to more broadly mean “information sharing” is misleading and pointless. One could perhaps understand it if Gove had said this in an oral interview, but his piece will have been checked carefully before publication, and personally I am in no doubt that blaming data protection has a political dimension. The government is determined, for some right reasons, and some wrong ones, to make the sharing of public sector data more easy, and data protection does, sometimes – and rightly – present an obstacle to this, when the data in question is personal data and the sharing is potentially unfair or unlawful. Anything which associates “data protection” with a risk to child safety, serves to represent it as bureaucratic and dangerous, and serves the government agenda.

And the rather delicious irony of all this – as pointed out on twitter by Rich Greenhill – is that the “absurd rules” (the Care Standards Act 2000 (Registration) (England) Regulations 2010) criticised by Gove were made on 24 August 2010. And the Secretary of State who made these absurd rules was, of course, the Right Honourable Michael Gove MP.

How absurd.

Leave a comment

Filed under Data Protection, data sharing, Freedom of Information, Let's Blame Data Protection, transparency

It’s our Right to Know, Mr ICO

On 29 August the Information Commisioner’s Office (ICO) served a monetary penalty notice (MPN) of £100,000 on Aberdeen City Council. MPNs can be served on a data controller under section 55A of the Data Protection Act 1998 (DPA) for a serious contravention of the Act of a sort likely to cause serious damage or serious distress. In this instance, the ICO explained

sensitive information relating to social services involvement with several individuals [was] published online. The information included details relating to the care of vulnerable children.

The circumstances under which this happened were

a council employee accessed documents, including meeting minutes and detailed reports, from her home computer. A file transfer program installed on the machine automatically uploaded the documents to a website

Many people in the field of information rights have concerns that there is a significant lack of understanding on the part of many about the risk of inadvertently disclosing personal data on the web. In view of this, I though I would simply ask the ICO, and the Council, what website was involved, in order to inform my understanding. So I tweeted

What “website” were the files uploaded to?

I reminded the ICO and the Council on several occasions about this, and pointed out it was a valid request under the Freedom of Information Act 2000 (FOIA) and Freedom of Information (Scotland) Act 2002 (FOI(S)A), even though I had really only wanted a quick factual reply. The Council have asked me to contact them separately to make the FOI(S)A request, and I’m aware the Scottish Information Commissioner takes a different view on tweeted requests to her counterpart for the rest of the UK, so I’ve banged in a request at WhatDoTheyKnow. The ICO, by contrats, did treat my tweet as a valid request (although I got no acknowledgment of this, contrary to their good practice guidance) and responded yesterday on the twentieth working day, with a link to their disclosure log

Those who know me will be unsurprised to know that I don’t accept the refusal, and also unsurprised to know that, on International Right to Know Day 2013 I’ve submitted a crashingly pompous request for ICO to conduct an internal review. Here it follows, in all said crashing pomposity:

Please review your refusal to disclose information.

On 29 August you served a Monetary Penalty Notice on Aberdeen City Council

“after a council employee accessed documents, including meeting minutes and detailed reports, from her home computer. A file transfer program installed on the machine automatically uploaded the documents to a website, publishing sensitive information about several vulnerable children and their families, including details of alleged criminal offences”

I asked, on 30 August, “What ‘website’ were the files uploaded to?”

You have refused to disclose, claiming the exemption at section 44 of the Freedom of Information Act 2000, which provides an exemption “if disclosure [of the information] (otherwise than under this Act) by the public authority holding it…is prohibited by or under any enactment”. You say disclosure is prohibited, because “the information was provided to the ICO in confidence as part of our regulatory activities” and that the provisions of section 59(1) of the Data Protection Act 1998 forbid disclosure. Section 59(1) says

“No person who is or has been the Commissioner, a member of the Commissioner’s staff or an agent of the Commissioner shall disclose any information which—

(a)has been obtained by, or furnished to, the Commissioner under or for the purposes of the information Acts [of which FOIA is one],

(b)relates to an identified or identifiable individual or business, and

(c)is not at the time of the disclosure, and has not previously been, available to the public from other sources

unless the disclosure is made with lawful authority”

I am happy to concede that a) and b) are met here, but not c). This is because section 59(2) explains what “with lawful authority” means. Firstly, and largely as an aside, section 59(2)(a) says that a disclosure is made with lawful authority if

“the disclosure is made with the consent of the individual or of the person for the time being carrying on the business”

I am surprised you do not feel that, in your role as a public authority but also as the regulator for Freedom of Information, it would be prudent and transparent simply to ask the Council whether it consents. Nonetheless, on a strict reading of the law, I concede that you do not have an obligation to do so.

Secondly (and I note you do not even address this important provision), section 59(2)(e) says that disclosure is made with lawful authority if

“having regard to the rights and freedoms or legitimate interests of any person, the disclosure is necessary in the public interest”

I would argue that analysis of whether this provision permits disclosure requires a two-fold test. Firstly, is disclosure necessary in the public interest? Secondly, if it is, do the rights and freedoms or legitimate interests of any person militate against this public-interest disclosure?

On the first point, I am not aware of any direct authority on what “necessary” means in section 59(2)(e) of DPA, but I would argue that it imports the meaning adopted by leading European authorities. Thus, as per the high Court in Corporate Officer of the House of Commons v The Information Commissioner & Ors [2008] EWHC 1084 “‘necessary”…should reflect the meaning attributed to it by the European Court of Human Rights when justifying an interference with a recognised right, namely that there should be a pressing social need and that the interference was both proportionate as to means and fairly balanced as to ends”. It is my view that there is a pressing social need to recognise the risks of indavertent uploading to the internet, by public authorities and others, of sensitive personal data, especially when this is by automatic means. Other examples of recent incidents and enforcement action illustrate this. For instance, as your office is aware, there have been reports that a regional Citizens’ Advice Bureau has indavertently made available on the internet very large amounts of such data, probably because of a lack of technical knowledge or security which resulted in automatic caching by Google of numerous files Also for instance, as you are aware, there have been many many examples of indavertent internet publishing of personal data in hidden cells in spreadsheets There is a clear lack of public understanding of the risks of such indavertent disclosures, with a consequent risk to the privacy of individuals’ often highly sensitive personal data. Any information which the regulator of the DPA can disclose which informs and improves public understanding of these risks serves a pressing social need and makes the disclosure “necessary”.

On the second point, I simply fail to see what rights and freedoms or legitimate interests of any person can be engaged, let alone suffer a detriment by disclosing what public website the Council employee uploaded this to. If there are any, it would be helpful if your response to this Internal Review could address this. It may be that you would point to the information having been provided to you in confidence, but I similarly fail to see how that can be: was this an express obligation of confidence, or have you inferred it? In either case, I would question (per one the elements of the classic formulation for a cause of action in breach of confidence given by Megarry J in Coco v A.N.Clark (Engineers) Ltd [1969] R.P.C. 41) whether the information even has the necessary quality of confidence (this was a public website after all).

I hope you can reconsider your decision.

best wishes

1 Comment

Filed under Confidentiality, Data Protection, FOISA, Freedom of Information, human rights, Information Commissioner, monetary penalty notice, transparency