Tag Archives: FOI

October 22, 2014 · 4:58 pm

Upper Tribunal rules on complying “promptly” with an FOI request

The Upper Tribunal has ruled on what “promptly” means in the FOI Act. The answer’s no surprise, but it’s helpful to have binding authority

The Freedom of Information Act 2000 (FOIA) demands that a public authority must (subject to the application of exemptions) provide information to someone who requests it within twenty working days. But it goes a bit further than that, it says (at section 10(1))

a public authority must comply…promptly and in any event not later than the twentieth working day following the date of receipt

But what does “promptly” mean in this context? This issue has recently been considered by the Upper Tribunal, in John v ICO & Ofsted 2014 UKUT 444 AAC. Matters before the Information Commissioner (IC) and the First-tier Tribunal (FTT) had turned on when the initial request for information had been made and responded to. The IC held that Ofsted had failed to respond within twenty working days, and Ofsted appealed this. Mr John argued before the FTT that although the IC had found in his favour to the extent that it held that Ofsted had failed to respond within twenty working days, it had failed to deal with the issue of whether Ofsted had responded promptly. The FTT found in Ofsted’s favour, but did not, Upper Tribunal Judge Jacobs observed, deal with Mr John’s argument on promptness. That was an error of law, which Judge Jacobs was able to remedy by considering the issue himself.

“Promptly” he observed, has a range of dictionary meanings, some of which relate more to attitude (“willingly”, or “unhesitatingly”) and others more to time (“immediate”, or “without delay”). The context of section 10(1) of FOIA “is concerned with time rather than attitude, although the latter can have an impact on the former”. It is clear though that “promptly” does not mean, in the FOIA context, “immediately” (that, said Judge Jacobs, would be “unattainable”) but is more akin to “without delay”:

There are three factors that control the time that a public authority needs to respond. First, there are the resources available to deal with requests. This requires a balance between FOIA applications and the core business of the authority. Second, it may take time to discover whether the authority holds the information requested and, if it does, to extract it and present it in the appropriate form. Third, it may take time to be sure that the information gathered is complete. Time spent doing so, is not time wasted.

What is particularly interesting is that Judge Jacobs shows a good understanding of what the process for dealing with FOIA requests might be within Ofsted, and, by extension, other public authorities:

A FOIA request would have to be registered and passed to the appropriate team. That team would then have to undertake the necessary research to discover whether Ofsted held the information requested or was able to extract it from information held. The answer then had to be composed and approved before it was issued.

In the instant case all this had been done within twenty working days:

I regard that as prompt within the meaning and intendment of the legislation. Mr John has used too demanding a definition of prompt and holds an unrealistic expectation of what a public authority can achieve and is required to achieve in order to comply with section 10(1).

This does not mean, however, that it might not be appropriate in some cases to enquire into how long an authority took to comply.

The Upper Tribunal’s opinion accords with the approach taken in 2009 by the FTT, when it held that

The plain meaning of the language of the statute is that requests should be responded to sooner than the 20 working days deadline, if it is reasonably practicable to do so. (Gradwick v IC & Cabinet Office EA/2010/0030)

It also accords with the IC’s approach in guidance and decision notices under FOIA, and its approach under the Environmental Information Regulations 2004 (where the requirement is that “information shall be made available…as soon as possible and no later than 20 working days”).

Most FOI officers will greet this judgment as a sensible and not unexpected one, which acknowledges the administrative procedures that are involved in dealing with FOIA requests. Nonetheless, as a binding judgment of an appellate court, it will be helpful for them to refer to it when faced with a requester demanding a response quicker than is practicable.

Appeals and Cross Appeals

A further issue determined by the Upper Tribunal concerned what should happen if both parties to a decision notice disagree with some or all of its findings and want to appeal, or at least raise grounds of appeal: must there be an appeal and cross-appeal, or can the respondent party raise issues in an appeal by the other party? Judge Jacobs ruled, in a comprehensive a complex analysis that merits a separate blog post (maybe on Panopticon?), that “although cross-appeals are permissible, they are not necessary”

 

 

2 Comments

Filed under Environmental Information Regulations, Freedom of Information, Information Commissioner, Information Tribunal, Upper Tribunal

Tagged as ,

September 29, 2014 · 2:47 pm

Information-chairing

The MPs’ expenses scandal invigorated freedom of information in the UK. For one wood-carver in particular, it appears also to have moved him to furniture-making excellence. On 28 September the Antiques Roadshow, on an outing to Kirby Hall in Northamptonshire, featured the unnamed craftsman and his creation – a chair engraved with the words “The Freedom of Information Act” and with carvings of Gordon Brown, David Cameron, Nick Clegg, The Daily Telegraph…and a duckhouse.

Untitled2

The rather magnificent chair, which took 500 hours to create, was valued at anywhere between £2,000 and £10,000 “and upwards”.Untitled

As expert Paul Atterbury suggested, perhaps its most appropriate home would be somewhere in the Palace of Westminster, to serve as a perpetual reminder to MPs.

(The programme is available, in the UK at least, on BBC iPlayer, until 4 October. Relevant extracts are at 17:54 to 19:05 and 29:23 to 34:39 minutes).

Leave a comment

Filed under Freedom of Information

Tagged as

August 22, 2014 · 4:05 pm

The Savile Tapes – ICO says request for audio was vexatious

There is no index of character so sure as the voice – Benjamin Disraeli, Tancred

In October 2013 Surrey Police disclosed, in response to a request made under the Freedom of Information Act 2000 (FOIA) the transcripts of police interviews (under caution) of Jimmy Savile. The Information Commissioner’s Office ICO) has now ruled on a related request, which was for the actual audio recordings of the same interview, and, rather surprisingly, the ICO has agreed with the Police that they did not have to comply with the request, on the grounds that it was vexatious.

Until relatively recently it was difficult to rely on section 14(1) of FOIA (“a public authority [need not] comply with a request for information if the request is vexatious”) simply because the costs burden of dealing with it was too great. The ICO’s guidance did advise that one of the factors to bear in mind when considering whether a request was vexatious was “Would complying with the request impose a significant burden in terms of expense and distraction?”, but in general, for a public authority to refuse to comply with a FOIA request because of the costs, it had to be able to claim that the cost of compliance exceeded the appropriate limit (section 12 FOIA). However, a decision of the First-tier Tribunal (FTT) in 2012 appeared to shift the ground somewhat. Although FTTs’ decisions are not precedent, it was notable that a public authority (the IPCC in this case) was said to be entitled to rely on section 14(1) on the basis that

A request may be so grossly oppressive in terms of the resources and time demanded by compliance as to be vexatious, regardless of the intentions or bona fides of the requester. If so, it is not prevented from being vexatious just because the authority could have relied instead on s.12

As the always-excellent Pantopticon blog said at the time

This will be welcomed by those who find themselves unable to rely on section 12 due to the restricted list of activities which can be taken into account for cost purposes

but the context in that particular case meant that, in fact, the intentions and bona fides of the requester were relevant

The present requests were, in our opinion, not just burdensome and harassing but furthermore wholly unreasonable and of very uncertain purpose and dubious value…We are by no means convinced of [the requester’s] good faith in making it

In the leading case on section 14(1) – IC v Dransfield [2012] UKUT 440 (AAC) – Wikeley J said that it was helpful, when considering whether a FOIA request is vexatious, to consider four “broad issues or themes”

(1) the burden (on the public authority and its staff); (2) the motive (of the requester); (3) the value or serious purpose (of the request) and (4) any harassment or distress (of and to staff)

but that ultimately, the test amounts to

is the request vexatious in the sense of being a manifestly unjustified, inappropriate or improper use of FOIA?

The ICO’s guidance, amended in light of Dransfield reframes this slightly and says that the

the key question a public authority must ask itself is whether the request is likely to cause a disproportionate or unjustified level of disruption, irritation or distress

The ICO draws on this guidance in the Savile decision, but, notably, appears to give considerable credence to the police’s evidence regarding the disruption – the burden – that redacting the audio of the interviews would cause, but does not appear to have interrogated this assertion in any depth. Moreover, the ICO notes its lack of expert knowledge on the subject of redaction, but nothing (other than, presumably, limited resources) prevented it from consulting an expert. Given that this appears to have been the primary evidence for the finding of vexatiousness (the ICO accepted that the requester’s motives were not intended to cause disruption or harassment) and given that the ICO accepted that there was a “qualitative difference” between the written transcripts and the audio (“The speed, volume, expressiveness and intonation of the actual speech may be considered to shed more light on how Savile responded to what was put to him in the interview”) it is difficult to see how the ICO decided that request could have been vexatious, rather than just of a level of annyoance and disruption it accepts a public authority must absorb. The request, using Wikeley J’s formulation, was not improper, it was not inappropriate – and was it really, therefore, a “manifestly unjustified use of FOIA”?

One hopes the bar of vexatiousness has not been lowered too far.

 

31 Comments

Filed under Freedom of Information, Information Commissioner, police, vexatiousness

Tagged as , , ,

August 21, 2014 · 4:34 pm

Jackals among the tombs*

The Information Commissioner has ordered disclosure by the Metropolitan Police of the ages of the deceased children whose identities were used by the ‘Special Demonstration Squad’

UPDATE 23.09.14: The latest listings from the Information Tribunal reveal that the Met are appealing the ICO decision :END UPDATE

UPDATE 07.01.15: The Met clearly decided to withdraw their appeal, and disclosed the information :END UPDATE

In Frederick Forsyth’s novel The Day of the Jackal the protagonist uses a heartless, but, at the time of the novel’s writing, well-known, method of assuming a false identity. He visits graveyards until he finds the gravestone of a dead child who would have been born about the same time as him, then purchases the child’s birth certificate, which he uses to obtain a fake passport. In 2003 Forsyth said

I asked a forger how to get hold of a passport. He told me there were three ways. Steal one and substitute a photograph. Bribe an official for one ‘en blanc’ in which you can fill in your details. Or apply for one under a false name

In February 2013 the Home Secretary, Theresa May, announced that the existing investigation into undercover policing in the Metropolitan Police Service would now be headed by the Chief Constable of Derbyshire Police. This was in part because of serious allegations aired in the Guardian about a covert police officer apparently adopting the identity of a baby named Rod Richardson, who had died at the age of two days old, in 1973.

The ensuing first report into what had become Operation Herne found that there was

 both documentary proof and witness accounts to confirm that the genuine details of deceased children were extensively used by members of the SDS until around 1995 so as to create cover identities and thereby enable the officers to infiltrate a range of violent protest groups

It described the practice as “morally repugnant”, effectively excused it as being necessary within the constraints of the time, but did acknowledge that

There is understandable public, political and media concern about the use of the identities of deceased children, irrespective of the context, of the operational rationale, of any perceived necessity and of any legal considerations

 Although it said that the issue should not detract from the importance of the tactic of undercover policing.

Perhaps the Met had this in mind when they refused to disclose, in response to a request made under the Freedom of Information Act 2000 (FOIA), the mere ages of the 42 dead children whose identities the report either confirmed were or were considered as highly likely to have been (ab)used. The Met placed perhaps most weight on the fact that disclosing this information would allow officers to be identified (thus engaging the FOIA exemption at section 40(2)), but the Information Commissioner’s Office (ICO) was distinctly unimpressed with this argument

 the Commissioner does not consider the age of a child who dies at some point over a forty year period meets the criteria of being the ‘personal data’ of an undercover officer as the age alone is simply too far removed to make any such link

Nor, for a similar reason, were the exemptions at section 38 (prejudice to health and safety) and section 24 (safeguarding national security) engaged: if officers could not be identified from this information then their health and safety could not be prejudiced and there was no compromise to the need to safeguard national security.

The ICO did concede that exemptions at section 30 was engaged. This exemption deals – broadly – with investigations conducted by relevant public authorities into potential criminal offences, and information which relates to the obtaining of information from confidential sources. However, and ultimately, the public interest favoured disclosure. The ICO found particularly compelling, as will many, the following submission from the requester

There is…a clear public interest with regards to the hundreds of thousands of families who lost a child during the relevant period. Any of these families may fear that their relative’s details were used by police officers without consent. The question of whether the 42 families should be told is complex. By confirming which ages were used, the MPS would also be confirming which ages were not used. This information could help answer the questions of tens of thousands of families for each any [sic] age that is identified as not having been used

Perhaps, if it transpires (the Met can, of course, appeal) this FOIA disclosure will, even more than most, serve a public interest.

*Faith, like a jackal, feeds among the tombs, and even from these dead doubts she gathers her most vital hope – Herman Melville

1 Comment

Filed under Freedom of Information, Information Commissioner, police

Tagged as , ,

August 16, 2014 · 6:29 pm

Wacky FOI requests – with serious motives?

Not for the first time the Local Government Association (LGA), an almost entirely public-funded association of first- and second-tier local councils in England and Wales, has produced a press release bemoaning the fact that its members have to deal with “wacky FOI requests”. Peter Fleming, of the LGA’s Improvement Board, is quoted as saying

While the majority of requests to councils are for details of council policy and expenditure, some of the FoI requests received do not relate very closely to the services they are focused on providing every day of the year. Councils are working very hard to keep local communities running as efficiently as possible during these challenging financial times and anything which distracts from that can affect the value for money that taxpayers receive

Examples of “wacky requests” are given, and the implication is very much that the requesters were wasting public money by making them. So let’s have a look at them:

Please list all the types of animals you have frozen since March 2012, including the type and quantity of each animal?
How very wacky. Or is it? Some councils freeze dead dogs and cats found by the roadside so that concerned or distressed owners of lost animals can try to locate them. Maybe that practice is beyond what councils need to do, and it certainly involves public expenditure. What is so wrong with someone wanting to look into the practice by making a relevant FOI request? Indeed, at least one council makes the information available as a dataset.
How many times has the council paid for the services of an exorcist, psychic or religious healer? Were the services performed on an adult, child, pet or building?
How very wacky. However, at least one council has previously been identified as paying an exorcist to remove a poltergeist from a tenancy. If such extraordinary use of public money were repeated elsewhere this would be a scandal, and it doesn’t seem too wrong to make an FOI request to establish if that might be the case.
Please can you let me know how many roundabouts are located within your council boundaries?
How wacky. But, research suggests that optimal use and placement of roundabouts on a highway network reduces delays and accidents, with consequent potentially large savings to the public purse. It seems entirely legitimate to request information like this, perhaps in pursuance of an investigation into whether a council is apportioning its resources properly when it comes to highways management.
What precautions, preparations, planning and costings have been undertaken in the case an asteroid crashes into Worthing, a meteorite landing in Worthing or solar activity disrupting electromagnetic fields?
How wacky. In fact, yes it is, despite what former MPs say. And despite the fact that, yes, I know there is always a risk of asteroidal impact. Move along.
How many holes in privacy walls between cubicles have been found in public toilets and within council buildings in the last 10 years?
How wacky. Not at all: the Home Office itself identifies voyeurism as a form of harassment and anti-social behaviour. Councils have statutory duties to prevent anti-social behaviour. Why is a request about one aspect of this so wacky?
How many bodies are there in mortuaries that have been unclaimed for ten years? How long have these bodies been in the mortuary? How old were they when they died? Is it possible to have the names of these people?
How wacky. Well, bear in mind that local authorities have a statutory duty to pay for burial or cremation of unclaimed bodies in their area. Perhaps a request for this information is aimed at investigating whether the council was saving money by disregarding its duties?
How many people in the town have a licence to keep a tiger, lion, leopard, lynx or panther as a pet?
How wacky. Why? There might be any number of reasons to make this request – councils have statutory duties to ensure that licences to own dangerous animals are only issued subject to rigid and specific conditions. A large number of dangerous animals within one town might point to failings in those duties.
How many requests were made to council-run historic public-access buildings (e.g. museums) requesting to bring a team of ‘ghost investigators’ into the building?
Not wacky (see “exorcism” above).
How many children in the care of the council have been micro-chipped?
How wacky. Well, maybe a bit – I’m not aware of any serious suggestions that this will happen. But there are many concerned – if perhaps deluded – people who think this might already be happening. This request might be odd,but I suspect it was made with the utmost seriousness.

I’m not saying that my speculations about the reasons behind these requests are right. Maybe some of the requests were made for entirely frivolous purposes, or to waste councils’ time and money, but I’m far from convinced that is the case. And, of course, if the requests were entirely frivolous the Freedom of Information Act 2000 contains a provision which enables the authority to dismiss them forthwith. Truly frivolous requests should not cost a council more than a few minutes’ work, and, in my experience, they are rare.

Careful readers will note that I haven’t mentioned the first of the LGA’s examples:

What plans are in place to protect the town from a dragon attack?
How wacky. Yes, boringly, gloom-inducingly unfunnily “wacky”, and thoroughly demolished (while questioning the motives of the council who publicised it) by Tim Turner only a couple of months ago.

There are many serious threats to councils’ revenues, but I don’t accept that FOI is one of them. FOI costs, but it costs relatively little and it has big societal benefits, as the Justice Committee recognised in 2012 when it called it a “significant enhancement of our democracy”. Truly “wacky requests” can be deftly deflected by using the “vexatiousness exemption” of the FOI Act, but let’s not assume that all requests with apparently wacky themes have unserious motives. And – digressing somewhat – let us not forget the LGA is not subject to FOI.

7 Comments

Filed under Freedom of Information, transparency

Tagged as

August 14, 2014 · 8:55 am

ICO refuses to disclose information about “non-trivial data security incident”

In July this year the Information Commissioner’s Office (ICO) disclosed within their annual report that they had themselves experienced

one non-trivial data security incident. The incident was treated as a self-reported breach. It was investigated and treated no differently from similar incidents reported to us by others. We also conducted an internal investigation. It was concluded that the likelihood of damage or distress to any affected data subjects was low and that it did not amount to a serious breach of the Data Protection Act. A full investigation was carried out with recommendations made and adopted.
This got a fair amount of attention, (even I, who rarely have anything to say on such matters, blogged about it) in a way which hadn’t happened when the ICO had reported a similar-sounding incident two years previously. I understand that there were several freedom of information (FOI) requests made to the ICO, and, I notice, they have now published their response, in their disclosure log.
I wasn’t hugely surprised to find that they are totally refusing disclosure. In their statement to me (and others) in July they had said
We are unable to provide details of the breach at this stage, as the information involved is linked to an ongoing criminal investigation
and this remains the position. Some information is exempt because it is the personal data of staff involved, and they do not have a reasonable expectation of disclosure. But primarily they invoke the exemption at section 30 of the FOI Act, which provides in terms an exemption to disclosure if the information is held for the purposes of an investigation to establish whether someone has committed an offence, or which may lead to a decision to bring criminal proceedings. As this is a qualified exemption, the ICO has considered whether the public interest in disclosure outweighs the public interest in maintaining the exemption, and finds that it doesn’t:
It is of the utmost importance that ICO is able to carry out its statutory duty and conduct investigations into potential criminal offences confident that information will not be inappropriately disclosed
However, the ICO have indicated that when the criminal investigation is completed “the ICO will make a clear public statement about what occurred and the action taken”.
As I say, none of this is particularly surprising: when one heard in July that there was an ongoing criminal investigation it was apparent that little further information would emerge until that was complete. We will have to be patient.

Leave a comment

Filed under Freedom of Information, Information Commissioner

Tagged as ,

August 9, 2014 · 4:31 pm

Lay, Laddie, Lay

In which I suggest the Information Commissioner could lay a report at Westminster drawing attention to compliance with time limits under the FOIA Act

The Scottish Information Commissioner (SIC), Rosemary Agnew, this week used the powers available to her under section 46(3) of the Freedom of Information (Scotland) Act 2002 (FOISA) to lay a report before the Holyrood Parliament. The report draws MSPs’ (and others) attention to

the issue of failure [by Scottish public authorities] to respond to information requests, and to stimulate debate about what we can collectively do to address it

The background is that approximately 25% of complaints to Agnew’s office in 2013/14 were about failures to respond to requests for information. Section 46(3) of FOISA permits the laying of reports “from time to time” by the SIC with respect to her functions. It thus confers a broad discretion on the SIC to draw attention to matters of concern to her. The report says

– Many public authorities have shown that it is possible to respond on time to large volumes of requests, but too many authorities are still not doing so. Delays and obfuscation are not only damaging to authorities’ relationships with individual requesters but also Scotland’s reputation for openness and transparency.
– The FOI experience is not consistent for all requesters or types of requesters
– Failure to respond is an issue, but it is not uniform across all Scottish public authorities.  Issues are more acute in some authorities than others

Requesters in the rest of UK experience similar difficulties, and similar lack of consistency, whereby some authorities are exemplary in the timeliness of responses to FOI requests, and some are very poor. As that last link indicates, the rUK Information Commissioner (IC) does monitor authorities for FOI compliance. He has also issued informal undertakings and even on occasions issued enforcement notices against authorities performing particularly poorly. However, what evidence there is does not suggest that this has led to overall improvements. Since 2009 the number of decision notices issued annually by the IC in which section 10 (“time for compliance”) was a factor have been as follows: 223 in 2009, 276 in 2010, 371 in 2011, 227 in 2012, 223 in 2013. These figures represent approximately 25% of all cases. They are not directly comparable with the SIC’s figures (which represent complaints made, rather than decisions notices issued) but they do suggest similar problems both sides of the border.

The IC does have essentially the same powers as the SIC to lay reports before Parliament (under section 49(2) of the Freedom of Information Act 2000 (FOIA)). However he has never exercised this FOIA power (there have been a couple of reports laid relating to data protection concerns). Given the serious concerns expressed by commentators about certain authorities’ attitude to FOIA, perhaps a report to Parliament would be a way of promoting debate – and improved compliance – which regulatory action has, to date, failed to achieve.

Leave a comment

Filed under Cabinet Office, FOISA, Freedom of Information, Information Commissioner

Tagged as ,

July 16, 2014 · 7:17 pm

The days of wine and disclosures

I like FOI. I like wine. Here’s an FOI disclosure about wine.

In the early days of the Freedom of Information Act 2000 (FOI) there were frequent attempts to get the government to disclose detailed information about its wine cellar (see for instance this seemingly interminable request). Eventually, the Information Commissioner got fed up with the lack of FOI hospitality from the Foreign and Commonwealth Office (FCO), who seem to be responsible for this sort of thing, and started issuing decision notices requiring disclosure.

I’m pleased to see that disclosure is now, if not a matter of routine, not resisted by FCO (except for some intriguing little redactions – one wonder if they hide things like “this is the Minister for X’s favourite”). So, we now know that the government has reserves of, for instance, 139 bottles of Latour 1961, with a market value of £321,000. This is the highest value wine, but we (sorry, they) also hold 110 bottles of Chateau Margaux 1983 (market value £15k – not the best vintage, after all). And their Pétrus is only the 1978, but even so, the estimated market value of £250 seems very low.

It’s a shame the dataset isn’t in resuable format, but, we’re all in it together, so I’d invite others to search out some other interesting cellar items. Those Krug ’82 magnums look a steal at £125 a pop…

Leave a comment

Filed under Freedom of Information, Information Commissioner, transparency, Uncategorized

Tagged as ,

July 16, 2014 · 2:58 pm

ICO v ICO?

UPDATE: 16 July 2014 – in the comments to this piece the ICO adds some further details on the “non-trivial” incident: “We are unable to provide details of the breach at this stage, as the information involved is linked to an ongoing criminal investigation.”

The ICO had a “non-trivial” data security incident last year. Can it “fine” itself? Will/has it?

There was an interesting teaser in the Information Commissioner’s Annual Report. As The Times reports

Christopher Graham, the Information Commissioner (ICO), revealed yesterday that his office had suffered a “non-trivial data security incident” within the last 12 months, which prompted a full internal investigation

The ICO, of course, processes personal data and in doing so assumes the role of the data controller (according to section 1(1) of the Data Protection Act 1998 (DPA)). It also assumes the obligation to comply with the data protection principles, and the liability for contravening them. In 2012 the ICO responded to a Freedom of Information Act 2000 (FOIA) request for its “data breach log” with a document that showed admirable commitment to recording even the smallest of potential data security incidents (“person taking photographs outside building”, “theft of small amount of money”). In that instance there were two incidents identified as “high risk”, but the ICO declined to provide information, and the requester, it seems, did not pursue the matter.

This time, with national media picking the story up, the matter may be pushed further. At the moment the ICO is apparently declining to offer any further comment to the media, advising The Times that

You will have to fill out a freedom of information request

which doesn’t really sit that well with their normal commitment to transparency.

But to what extent can or should the ICO investigate its own compliance with the DPA? The Act does not provide for any derogation for the ICO from its obligations, and nor does it provide for any alternative to “self regulation”. Nor, moreover, does it appear to provide for any delegation to a third party to investigate. When it deals with complaints about its own handling of FOIA requests it habitually issues decision notices about itself (sometimes even finding against itself). It does this by distinguishing between “the ICO” (the entity dealing with the request) and “the Commissioner” (the entity dealing with the complaint). I would imagine that a similar nominal separation would be used if it came to formal enforcement action being contemplated in response to a data security incident.

I emphasis the word “if” in the previous sentence, because, although The Times says

The ICO, which can levy fines of up to £500,000 for data protection breaches, did not disclose whether it had fined itself for the breach

it is clear in fact that no such enforcement action resulted in this instance. This is clear because, firstly, the ICO’s own Monetary Penalty Guidance says that any monetary penalty notice (for which “fine” is a convenient, if not strictly correct, shorthand) will be published on its website. None has been published (believe me – I check these things very regularly). And secondly, and more fundamentally, the ICO’s report says that the incident in question

did not amount to a serious breach of the Data Protection Act [emphasis added]

By section 55A a monetary penalty can only be served for a serious contravention of the data controller’s obligations under the DPA. If the incident was not a serious contravention, the statutory threshold for a monetary penalty is simply not met. So, regardless of what other information about the incident might be winkled out of the ICO, we are not going to have a story of “ICO fines ICO”.

However, on a final point, I note that the ICO expects data controllers to report serious data security incidents to the ICO. So the question arises – did the ICO report this to the ICO, or did the ICO assess this as not serious enough to refer to the ICO?  How did the ICO get to know? Could it have been a leak by the ICO? Or even by the ICO? These questions deserve answers*.

*no they don’t

8 Comments

Filed under Data Protection, enforcement, Freedom of Information, Information Commissioner, monetary penalty notice

Tagged as , ,

July 3, 2014 · 4:23 pm

A green light for publishing FOI requesters names? I hope not

The Information Commissioner’s Office (ICO) today issued a statement about the data protection implications of public authorities publishing the names of people who have made requests under the Freedom of Information Act 2000 (FOIA). It was issued to journalist Jules Mattsson (it may have been issued to others) and I credit him for pursuing it. It arose out of concerns expressed on Twitter yesterday that a council had uploaded a disclosure log in which the names of requesters were unredacted*.

When the Justice Committee undertook its post-legislative scrutiny of FOIA in 2012 it made a recommendation (¶82) that names of requesters be published in disclosure logs

it can be argued that someone seeking to exercise freedom of information rights should be willing for the fact they have requested such information to be in the public domain; we therefore recommend that where the information released from FOI requests is published in a disclosure log, the name of the requestor should be published alongside it

But this was rejected by the government in its response to the report (¶25)

The Government does not share the view that publishing the names of requesters in disclosure logs would be beneficial in terms of burdens. Such a move would have implications for the data protection of requesters..

 Tim Turner blogged in his usual meticulous style on these data protection implications yesterday, and I am not going to rehearse the points he makes. Indeed, the ICO in its statement more or less agrees with Tim’s comments on fairness, and necessity, when it comes to the publication of requesters’ names

Individuals who make…requests must have their details handled fairly. Many people who have made a request would not expect to have their name linked to published details of the request they have made. If a public authority is considering publishing this information then they must consider why publishing the requester’s name is necessary/ While there is a need for authorities to be transparent about the [FOI] process, in most cases this would not extend to releasing people’s name simply to deter requesters

There then follow some (correct) observations that journalists and politicians might have different expectations, before the statement says

At the very least people should be told that their details will be published and given the opportunity to explain to the council why their name should not be disclosed. If having raised it with the authority a person is not happy with the way their details have been handled then we may be able to help

So what the ICO appears to be doing is agreeing that there are data protection implications, but, as long as authorities give requesters a privacy notice, announcing that they’re not going to do anything (unless people complain). It’s not often I take issue with the excellent Matt Burgess, who runs FOI Directory, but he claims that “the ICO has criticised the Council”. With respect, I don’t see any targeted criticism in the ICO’s statement, and I fear some public authorities will see it as a green light to publishing names.

As source does inform me that an ICO spokesman has said that they are going to be in touch with the council in question, to find out the full details. However, I wonder if the statement shows an approach more in line with the ICO’s new, largely reactive (as opposed to proactive), approach to data protection concerns (described on my blog by Dr David Erdos as having worrying implications for the rule of law), but I fear it risks the exposure of the personal data of large numbers of people exercising their right to information under a statutory scheme which, at heart, is meant to be applicant-blind. As the ICO implies, this could have the effect of deterring some requesters, and this would be, in the words of the always perceptive Rich Greenhill, a type of reverse chilling effect for FOIA.

 *I’m not going to link to the information: I don’t think its publication is fair. 

 

 

UPDATE: 05.07.14

The Council appears to have taken the information down, with Jules Mattsson reporting on 3 July that they are reviewing the publication of requesters’ names.

6 Comments

Filed under Data Protection, Freedom of Information, Information Commissioner

Tagged as , ,