Tag Archives: FOI

FOIA appeals in the UT: when is there an “error of law”?

Here is a good and interesting judgment in the Upper Tribunal from Judge Citron, on a Freedom of Information Act 2000 (FOIA) case arising from defects in the 2019 “11+” exam run by The Buckinghamshire Grammar Schools (TBGS), with test materials designed and supplied by a third party – GL Assessment Limited. TBGS, as a limited company made up of a consortium of state schools, is a public authority under s6(1)(b) FOIA (by way of s6(2)(b)).

The FOI request was, in broad terms, for the analysis that had subsequently been conducted into the defects, and the statistical solution that had been adopted.

TBGS had refused the request on grounds including that disclosure of the requested information would be an actionable breach of confidence. The ICO upheld this, and, on appeal, the First-tier Tribunal agreed, although only by a majority decision (the dissent was on the part of the judge, and it’s worth reading his reasons, at 85-90 of the FTT judgment).

Possibly bolstered by the vehemence of that dissenting view of the FTT judge, the applicant appealed to the Upper Tribunal.

Judge Citron’s judgment is a measured one, addressing how an appellate court should approach an argument to the effect that there was an error of law at first instance, with a run-through, at 35, of the authorities (unfortunately, from that point, the paragraph numbering goes awry, because the judgment, at “67”, follows the numbering of the judgment it has just quoted).

Judge Citron twice notes that a different FTT might have approached the facts and the evidence in a different way, and weighted them differently, but

that is no indicator of the evaluative judgement reached being in error of law…The question is whether the evaluative judgement…was one no reasonable tribunal could have reached on the evidence before it; it whether some material factor was not taken into account. I am not persuaded.

Therefore, the FTT had made no material error in dismissing the appeal.

A final note. This was a judgment on the papers, but – remember – the Information Commissioner will always be a party to FOIA cases, because it is his decision that is at issue. In this instance, the Commissioner chose not to participate. Paragraph 32 records that he was “directed” to make a response to the appeal, but did not. If this correctly records a failure by the Commissioner to comply with a direction of the court, it is surprising there’s no note of disapproval from the judge.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.


Filed under FOIA, Freedom of Information, Information Commissioner, Information Tribunal, Upper Tribunal

Unreasonably accessible – ICO and misapplication of s21?

I’ll start with a simple proposition: if a dataset is made publicly available online by a public authority, but some information on it is withheld – by a deliberate decision – from publication, then the total dataset is not reasonably accessible to someone making an FOI request for information from it.

I doubt that any FOI practitioners or lawyers would disagree.

Well, sit back and let me tell you a story.

In November 2023 the Information Commissioner’s Office (ICO) refused to disclose information in response to a Freedom of Information request, on the grounds that the exemption at section 21 of the Freedom of Information Act 2000 (FOIA) applied: the information was “reasonably accessible to the applicant” without his needing to make a FOIA request.

The request was, in essence, for “a list…of the names of all the UK parish councils that have received 20 or more ICO Decision Notices (for FOIA cases only) since 1st January 2014”. The refusal by the ICO was on the basis that

the search function on the decision notice section of the ICO website returned 415 decision notices falling within the scope of the complainant’s request…[therefore] it is possible to place the names of the parish councils into an Excel sheet and then establish quickly how many decision notices relate to each individual parish council.

The ICO noted that, when it comes to the application of section 21

It is reasonable for a public authority to assume that information is reasonably accessible to the applicant as a member of the general public until it becomes aware of any particular circumstances or evidence to the contrary [emphasis added]

On appeal to the Information Tribunal, the ICO maintained reliance on the exemption, saying that all the applicant needed to do was to go to the ICO website and “look at each entry and count-up [sic] the numbers of [Decision Notices] against each parish council”. The Tribunal agreed: the ICO had provided the requester

with a link to the correct page of the ICO website, and instructing him how to use the search function. These instructions have enabled him to identify from the tens of thousands of published decision notices those 415-420 notices which have been issued to parish councils over the past decade or so

All straightforward, if one’s analysis is predicated on an assumption that the ICO’s public Decision Notice database is a complete record of all decision notices.

But it isn’t.

I made an FOI request of my own to the ICO, asking how many Decision Notices do not appear on the database. And the answer is 45. A number of possible reasons are given (such as that sensitive information was involved, or that there was agreement by the parties not to publish). But the point is stark: the Decision Notice database is not a complete record of all Decision Notices issued. And I do not see how it is possible for the ICO to rely on section 21 FOIA in circumstances like those in this case. It is plainly the case that the ICO knew (or was likely reckless in not knowing) that there were “particular circumstances or evidence” which showed that the information could not have been reasonably accessible to the applicant.

Of course, it is quite likely (perhaps inevitable) that the 45 unpublished Decision Notices would make no difference at all to a calculation of how many UK parish councils have received 20 or more Decision Notices since 1st January 2014. But that really isn’t the point. The ICO could have come clean – could have done the search itself and added in the 45 unpublished notices. It knew they existed, but for some reason thought it didn’t matter.

The ICO is the regulator of FOIA, as well as being a public authority itself under FOIA. It has to get these things right. Otherwise, why should any other public authority feel the need to comply?


Filed under access to information, datasets, Freedom of Information, Information Commissioner, Information Tribunal, section 21

FOI and government/ministerial WhatsApps

[reposted from LinkedIn]

An important Information Tribunal (T) judgment on a FOIA request, by Times journalist George Greenwood, to DHSC for gov-related correspondence between Matt Hancock (MH) and Gina Coladangelo (GC), grappling with issues regarding modern messaging methods in government and how they fit into the FOIA scheme.

Two requests were made. The first was for government-related correspondence between MH and GC using departmental email accounts, and any private email account MH had used for government business. The second was for all correspondence between them using other methods, such as WhatsApp.


Request 1

DHSC had found four emails and by the time of the hearing had disclosed them. It maintained that no further info was held.

However DHSC argued that emails sent by MH’s private secretaries and not by MH himself were out of scope. Not so, said the T: “even if a private office email account is operated by a private secretary…correspondence with a private office email account ought to be regarded as correspondence with the relevant minister”. Accordingly, they upheld that part of the appeal and ordered further searches.


Request 2

DHSC had initially said, and ICO had agreed(!), that government-related WhatsApp messages sent from MH’s personal device were not “held” for the purposes of FOIA because they were not held “as part of the official record”. By the time of the hearing, all of the parties were agreed that this was an error, and the T ruled that section 3(2)(b) FOIA applied, and that “WhatsApp messages from Mr Hancock’s personal device were held [by MH] on a computer system on [DHSC’s] behalf”.

DHSC then sought to argue that WhatsApp messages in a group were not “correspondence” between MH and GC, saying (in the T’s formulation of DHSC’s argument) “unless correspondence consists of one person corresponding directly with another, it is not ‘true’ correspondence”. The T was dismissive of this: “correspondence in the age of multiple methods of electronic communication can take different forms…the fact that simply because one or other of the relevant parties did not respond or may not have responded to a particular message does not mean that communications within a WhatsApp group cannot be considered to be correspondence”. The T also rejected the related submission that a person posting a message to a WhatsApp group is “broadcasting”, rather than “corresponding”.

(I have to say that I think the T probably overstepped here. I would tend to think that whether information in a WhatsApp group is correspondence or not should be determined on the facts, and not as a matter of general principle.)

Finally, the T did not warm to the evidence from an otherwise unidentified “Mr Harris” for the DHSC, to the effect that the request was vexatious on grounds of the burden. They therefore held that it was not. (As the messages were subsequently disclosed into the public domain during the Covid inquiry, not much turns on this.)


Filed under access to information, Freedom of Information, Information Commissioner, Information Tribunal, journalism

How far can a legal fiction go?

When the Information Commissioner, as a public authority subject to the Freedom of Information Act 2000 (FOIA), is required to consider, as regulator, his own handling of a FOIA request, he enters into a legal fiction, whereby he separates himself into two, along these lines (taken from a decision notice):

This decision notice concerns a complaint made against the Information Commissioner (‘the Commissioner’). The Commissioner is both the regulator of FOIA and a public authority subject to FOIA. He’s therefore under a duty as regulator to make a formal determination of a complaint made against him as a public authority…In this notice the term ‘ICO’ is used to denote the ICO dealing with the request, and the term ‘Commissioner’ denotes the ICO dealing with the complaint.

It’s a legal fiction because the Information Commissioner is a corporation sole: every single function he has vests in him (and he has powers of delegation).

With this in mind, it is interesting to consider section 132(1) of the Data Protection Act 2018. This provides that

A person who is or has been the Commissioner, or a member of the Commissioner’s staff or an agent of the Commissioner, must not disclose information which— (a) has been obtained by, or provided to, the Commissioner in the course of, or for the purposes of, the discharging of the Commissioner’s functions, (b) relates to an identified or identifiable individual or business, and (c) is not available to the public from other sources at the time of the disclosure and has not previously been available to the public from other sources. (Unless the disclosure is made with lawful authority.)

When partaking in the legal fiction described above, can it be said that the Commissioner, or the Commissioner’s staff, have obtained, or been provided with, information, when the Commissioner is the person who holds the information? I think not. And if I’m right, that should mean that the Commissioner cannot rely on the exemption at section 44 of FOIA, on the grounds that there is a statutory bar on disclosure. But that’s what he does in response to this recent FOIA request. It will be interesting if the applicant asks for a decision notice.


Filed under Data Protection Act 2018, Freedom of Information, Information Commissioner, Uncategorized

A sad procedural judgment

In 1973, Pat Campbell, a Catholic factory worker from Banbridge, Northern Ireland, was shot and killed in front of his wife and children, at their family home.

No one was ever convicted of Pat Campbell’s murder, but for many years it has been believed that the killer was senior Ulster Volunteer Force member Robin “The Jackal” Jackson. Jackson – suspected of being responsible for, but never convicted of, at least 50 killings during the Troubles – was also suspected of having links with British military intelligence agencies.

In 2022 Pat Campbell’s widow reached a settlement with the Police Service of Northern Ireland, or PSNI (successor to the Royal Ulster Constabulary, or RUC) of a civil claim for damages, in which she alleged negligence and misfeasance in public office. The BBC reported at the time that “a former RUC officer and two ex-military intelligence officers were set to give evidence about Jackson’s alleged role”.

In the same year as Pat Campbell was murdered, a British intelligence officer wrote a report which is understood to have proposed increasing the RUC’s special branch’s intelligence-gathering capabilities.

In 2021 journalist Phil Miller took a case under the Freedom of Information Act 2000 (FOIA) to the Information Tribunal, seeking disclosure by the PSNI of the Morton Report. However, the Tribunal upheld the Information Commissioner’s decision that PSNI were entitled to withhold the report because of the FOIA absolute exemption in relation to information supplied to a public authority by the Security Service.

Mrs Campbell, herself, however, still sought to get hold of the Morton Report. I know this because of a sad procedural judgment from the Information Tribunal.

She is identified as the appellant in case EA/2023/0276, an appeal from ICO decision notice IC-173342-D4D8. But as the judgment explains, she has since died, and the Tribunal has accordingly struck out the proceedings, under rule 8(2) of the procedure Rules, for want of jurisdiction. This is because, although The Law Reform (Miscellaneous Provisions) Act 1934 permits a “cause of action” to proceed after a claimant has died, for the benefit of the deceased’s estate, the Tribunal held, applying the same approach the Upper Tribunal took in a previous case in relation to data protection rights, that a FOIA appeal is not a “cause of action” (Letang v Cooper [1965] 1 QB 232 applied). Instead, “‘[the] procedure is no more than a statutory appeal route, a procedural mechanism, for challenging’, in this case, the issue of the decision notice by the Information Commissioner”.

It seems doubtful, in any case, that Mrs Campbell would have succeeded: the exemption at section 23 is effectively insuperable.

But, of course, the PSNI has discretion to disclose information. As the ICO’s decision notice notes, the PSNI previously decided to disclose a redacted version of the 1980 Walker Report on RUC Special Branch informant handling, after the Committee on Administration of Justice took another FOIA case to the Information Tribunal.

There is no reason to suggest the same would happen if another case involving a request for the Morton Report reached the Tribunal again, but someone might consider it worth trying.


Filed under access to information, Freedom of Information, Information Commissioner, Information Tribunal, police

When is a breach of FOIA not a breach of FOIA?

I posted about this originally on LinkedIn, but I found it so nerdily interesting I wanted to preserve it better by putting it on this blog.

On 4 December 2023 the Information Commissioner’s Office (ICO) issued a decision notice under section 50 of the Freedom of Information Act 2000 (FOIA) finding that its own office did not deal with a FOIA request within the statutory time limit. Subsequently, however, as the ICO website has it, “Following a review of this case it has been noted that the Commissioner erred in citing a breach of section 17(1) of FOIA, having omitted to include the Scottish bank holiday of 7 August 2023 in his calculation of the 20 working day deadline. Therefore, the ICO did not breach section 17(1) of FOIA.”

However, merely stating on its website that “the ICO did not breach FOIA” is not sufficient. As a matter of law, the decision notice itself stands, unless it is substituted by another notice made by the Information Tribunal upon appeal. The ICO cannot withdraw/amend a decision notice, in the absence of an appeal (under the doctrine of “functus officio”, but see also IC v Bell [2014] UKUT 0106).

So merely saying on its website “we didn’t breach the time limits” cannot cancel or overturn the decision notice.

In some analogous circumstances of “wrong” legal decisions by public authorities bound by functus officio, the authority will consent to judicial review proceedings quashing the decision. But here, the only person with any interest in quashing the decision is the ICO itself, and I don’t believe it could apply for judicial review of its own decision (although there have been cases, I believe, where local authorities have judicially reviewed decisions of their own planning committees).

What the ICO could have done though (and I give a nod to Ganesh Sittampalam here) is appeal the decision itself to the Tribunal. It would seem to be the case that the ICO, as the public authority on whom the decision notice was served, would have had a right of appeal to the Tribunal, even though it would be both the appellant and the respondent. This would, obviously, be rather an odd situation, but it’s one that the ICO already faces when it has to rule (as it did here) on its own compliance with the laws it regulates and enforces (for these purposes it effectively creates a fictional divide between “the ICO” and the “Commissioner” – see for example paragraph four in the decision notice linked above).

However, for whatever reason, the right of appeal was not exercised. But, given that that was the statutory route for challenge, why was the purported correction of the error instead subject to an internal, non-binding and unsatisfactory “review” within the ICO?

One wonders how this will be recorded within the ICO’s datasets: will the ICO accept the point that, as a matter of law, the decision is and remains that it breached the time limits? I doubt it.


Filed under Freedom of Information, Information Commissioner, Information Tribunal

EIR you sure you got that right?

Someone said they’d read this post if I wrote it. That’s miles more encouragement than I normally need, so here goes.

The other day, Tim Turner’s FOIDaily account pointed out how, after twenty-odd years, some public authorities still fail to identify when a request for information should be dealt with under the Environmental Information Regulations 2004 (EIR), rather than the Freedom of Information Act 2000 (FOIA). An example was given of the Information Commissioner’s Office (ICO) identifying where a public authority had got this wrong.

As any fule kno, the two laws operate in parallel to create a regime for access to information held by public authorities, and it’s Regime 101 for a public authority to be able to know, and identify, when each applies. But, in short, if requested information is on, for instance, “measures (including administrative measures), such as policies, legislation, plans, programmes, environmental agreements, and activities affecting or likely to affect…the state of the elements of the environment, such as air and atmosphere, water, soil, land, landscape…” then the EIR, and not FOIA, apply.

I pointed out in the comments to the FOIDaily post that I’d seen a case where everyone, from the requester, to the public authority, to the ICO, to the First-tier Tribunal, had failed to deal with a case under the correct scheme.

This was it.

The case was about a request to a district council for information about whether a councillor had (in a private capacity) been required to pay any money to the council in relation to a fly-tipping incident or incidents. The request itself even referred to the Environmental Protection Act 1990, which was a very big hint that environmental information might be at issue.

What appears to have happened is that everyone jumped to the issue of whether disclosure of the requested information would contravene the councillor’s data protection rights. As most similar discussions take place in relation to the provisions of section 40 FOIA, the public authority, the ICO and the Tribunal (and presumably even the requester) all appear to have gravitated towards FOIA, without asking the correct first question: what is the applicable law? The answer to which was, clearly, EIR.

Regulation 13 of the EIR deals with personal data, and is cast in very similar terms to section 40 FOIA. It is, then, strongly arguable that, given that similarity, both the ICO and the Tribunal would have arrived at the same decision whichever regime applied. But Parliament has chosen to have two separate laws, and this is because they have a different genesis (EIR emanate from EU law which in turn emanates from international treaty obligations). Additionally, where all things are otherwise equal, the EIR contain an express presumption in favour of disclosure (something that is not the case in relation to personal data under the FOIA regime – see Lord Hope’s opinion in Common Services Agency v Scottish Information Commissioner).

As Tim implies in his post, the EIR have always been seen as somehow inferior, or subservient, to FOIA. No doubt this is because they are in the form of secondary legislation, rather than statute. This is more an accident of history, rather than of constitutional significance, and is never going to be relevant in most practice. But if the ICO and the courts continue to miss their relevance, it shouldn’t be that surprising that some public authorities will also do so.


Filed under access to information, Environmental Information Regulations, Freedom of Information, Information Commissioner, Information Tribunal

Verging on contempt

Where the Information Commissioner serves a decision notice on a public authority, under section 50(3)(b) of the Freedom of Information Act 2000 (FOIA), it is a legal notice and a failure to comply may be treated by the High Court (or in Scotland, the Court of Session) as if the authority had committed a contempt of court. It is, therefore (and to state the obvious) a serious matter not to comply. The process involves the Commissioner “certifying” to the court that there has been a failure to comply.

Yet, a recent FOIA disclosure by the Information Commissioner’s Office (ICO) reveals that it currently has two such cases where it has referred non-compliance by one particular public authority to its own solicitors to initiate (or at least consider) certification proceedings. The rather remarkable thing is that the public authority in question is the government department with overall responsibility for FOIA policy – namely, the Cabinet Office.

The disclosure reveals no more in the way of detail – we do not know what the cases relate to, or what the current progress is (other than that court proceedings have not yet commenced). However, it is very rare for a case actually to proceed to certification (in fact, I can only recall one case relating to a s50(3)(b) decision notice, and that was instead certified to the High Court by the First-tier Tribunal under section 61 of FOIA (as it applied then)).

It is worth pointing out that it doesn’t necessarily follow that, if there were a finding of contempt, sanctions would be imposed. Although a committal application or fines are, in principle, available, the Court could merely make a public finding that the Cabinet Office had breached the obligation to respond to the decision notice, but impose no further punishment.

Over the years the Cabinet Office has been subject to much criticism for its approach to FOIA – some of it, quite frankly, fully justified. However, there have been encouraging signs of improvements more recently, with its response to the “Clearing House” review, and its setting up of an Information Rights User Group (of which I am a member), although the latter has not fully kicked off yet, as far as I can understand.

However, it is a terrible look for the primus inter pares of government departments, and the one which holds the brief for FOIA policy, to be faced with potential contempt proceedings for failure to do what the law, and the regulator, requires it to do. Although the original FOIA request to the ICO was not mine, I’ll be interested to see if any updates are given.


Filed under access to information, Cabinet Office, contempt, Freedom of Information, Information Commissioner

Review of Freedom of Information: A practical guidebook, by Martin Rosenbaum

For a law that can be so integral to their trade, the actual workings of the Freedom of Information Act 2000 (FOIA) get surprisingly little attention from journalists. This is not to say that it is not deployed by journalists: last year there were more than 52,000 requests made to government bodies alone. When one considers the range of public authorities subject to FOIA, or to its Scottish equivalent, or to the parallel Environmental Information Regulations 2004 – not just central government, but also local authorities, NHS Trusts, police forces, public utilities companies, and many others – one can see that, largely unheralded, the right of access under FOIA is one of the most heavily and regularly exercised of rights. And often, it will be journalists making these requests.

Yet if one lists those journalists who really specialise in the area, who really know how to use FOIA most effectively, the same handful of names tend to come up. The doyen of them all, though, is Martin Rosenbaum.

Formerly the BBC’s in-house expert in the use of FOIA (not, as he often patiently had to explain – including to me – the person responsible for the BBC’s FOIA compliance), but also a distinguished producer, Martin went freelance a couple of years ago. But while at the BBC he broke, or otherwise reported on, any number of stories which were the result of FOIA research, as his own website reveals:

The wide list of topics I investigated ranged from what Tony Blair and Bill Clinton said to each other, to revealing which models of cars had the worst MOT failure record; from the Hillsborough disaster and Margaret Thatcher, to flaws in the workings of the honours system; from the policing of anti-nuclear protests at Greenham Common, to how date of birth can affect university entrance. [hyperlinks to stories on the web page itself]

Martin has now published an essential book on the topic: Freedom of Information: A practical guidebook.

Quite simply, if you’re new to FOI you’d be silly not to read it, and even if you’re experienced in it, it will tell you things of value.

The book is structured in a straightforward way (a summary of the law, making requests, what sort of replies you might get, how to challenge replies) but has some extras which will be tremendously helpful. In particular, the template requests which are suggested will help avoid some of the biggest pitfalls requesters make (such as not being specific or clear enough, or making requests which are too broad in scope).

Although the book as a whole is excellent, if requesters only read Part B, on requests (including tactics and advice) they are still likely to make much more sensible and productive requests.

There are only a handful of useful guides (in print or online) to FOI. And really, there are not much more than a handful of experts in it. This is a useful guide by one of those experts – why would you not buy it?

[Disclaimer: I received a free review copy, and Martin and I have known each other for a number of years.]


Filed under Environmental Information Regulations, Freedom of Information, Information Commissioner

Arbitrary criminality and data protection

It shouldn’t be too controversial to state that to commit a criminal offence is a serious matter: although there are – obviously – different levels of severity, certain acts or omissions are so injurious to society as a whole that they warrant prosecution.

The majority of infringements of data protection law are not criminal offences, but, rather, contravention of civil law. But there are a few offences in the statutory scheme. Section 132 of the Data Protection Act 2018 (DPA) is one such. It says that it is an offence for the Information Commissioner, or a member of his staff, to disclose information

which—

(a) has been obtained by, or provided to, the Commissioner in the course of, or for the purposes of, the discharging of the Commissioner’s functions,

(b) relates to an identified or identifiable individual or business, and

(c) is not available to the public from other sources at the time of the disclosure and has not previously been available to the public from other sources,

However, it will not be an offence if the disclosure is made with “lawful authority”, and a disclosure is made with lawful authority only if and to the extent that

(a) the disclosure was made with the consent of the individual or of the person for the time being carrying on the business,

(b) the information was obtained or provided as described in subsection (1)(a) for the purpose of its being made available to the public (in whatever manner),

(c) the disclosure was made for the purposes of, and is necessary for, the discharge of one or more of the Commissioner’s functions,

(d) the disclosure was made for the purposes of, and is necessary for, the discharge of an EU obligation,

(e) the disclosure was made for the purposes of criminal or civil proceedings, however arising, or

(f) having regard to the rights, freedoms and legitimate interests of any person, the disclosure was necessary in the public interest.

This means that, for instance, if an individual or a business has given (willingly or under compulsion) information to the Commissioner for the purposes of a regulatory investigation, and the information is not already public, then the Commissioner must not disclose it, unless he has lawful authority to do so.

Where, also for instance, the Commissioner publishes a legal decision notice, or monetary penalty notice, or the like, this will ordinarily contain information of this kind, but the Commissioner can point to the lawful authority he has under section 132(2)(c) – namely that the disclosure was made for the purposes of, and is necessary for, the discharge of one or more of the Commissioner’s functions. No offence committed.

But section 132 is why the Commissioner’s Office might refuse, under the Freedom of Information Act 2000 (FOIA), to disclose information it has received from an individual or business. For instance, a notification report a controller has submitted pursuant to its “personal data breach” obligations under Article 33 UK GDPR. Here is an example. The ICO withholds the “breach report” in question, citing the exemption at section 44, because of the offence provisions at section 132 DPA.

Whether this is an over-cautious stance is one thing, but it is understandable.

What puzzles me, though, is the inconsistency, because elsewhere, in very similar circumstances, in response to a FOIA request, the ICO has disclosed a personal data report (albeit with redactions). Here, also.

If the Commissioner’s staff in the first example feel that they would commit an offence by disclosing the report, do the staff dealing with the second or third examples not feel that they would also?

One thing that should certainly not happen is claiming exemptions because it is easier to do so than not. I am not saying that has happened here, but there certainly seems to be inconsistency. And inconsistency, or uncertainty, about whether a regulator and his staff might commit a criminal offence is not a good situation.


Filed under access to information, crime, Data Protection, Data Protection Act 2018, Freedom of Information, Information Commissioner