Tag Archives: FOI

October 23, 2023 · 1:15 pm

Verging on contempt

Where the Information Commissioner serves a decision notice on a public authority, under section 50(3)(b) of the Freedom of Information Act 2000 (FOIA), it is a legal notice and a failure to comply may be treated by the High Court (or in Scotland, the Court of Session) as if the authority had committed a contempt of court. It is, therefore (and to state the obvious) a serious matter not to comply. The process involves the Commissioner “certifying” to the court that there has been a failure to comply.

Yet, a recent FOIA disclosure by the Information Commissioner’s Office (ICO) reveals that it currently has two such cases where it has referred non-compliance by one particular public authority to its own solicitors to initiate (or at least consider) certification proceedings. The rather remarkable thing is that the public authority in question is the government department with overall responsibility for FOIA policy – namely, the Cabinet Office.

The disclosure reveals no more in the way of detail – we do not know what the cases relate to, or what the current progress is (other than court proceedings have not yet commenced). However, it is very rare for a case actually to proceed to certification (in fact, I can only recall one case relating to a s50(3)(b) decision notice, and that was instead certified to the High Court by the First-tier Tribunal under section 61 of FOIA (as it applied then)).

It is worth pointing out that it doesn’t necessarily follow that, if there were a finding of contempt, sanctions would be imposed. Although a committal application or fines are, in principle, available, the Court could merely make a public finding that the Cabinet Office had breached the obligation to respond to the decision notice, but impose no further punishment.

Over the years the Cabinet Office has been subject to much criticism for its approach to FOIA – some of it, quite frankly, fully justified. However, there have been encouraging signs of improvements more recently, with its response to the “Clearing House” review, and its setting up of an Information Rights User Group (of which I am a member), although the latter has not fully kicked off yet, as far as I can understand.

However, it is a terrible look for the primus inter pares of government departments, and the one which holds the brief for FOIA policy, to be faced with potential contempt proceedings for failure to do what the law, and the regulator, requires it to do. Although the original FOIA request to the ICO was not mine, I’ll be interested to see if any updates are given.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

2 Comments

Filed under access to information, Cabinet Office, contempt, Freedom of Information, Information Commissioner

Tagged as ,

September 28, 2023 · 7:23 am

Review of Freedom of Information: A practical guidebook, by Martin Rosenbaum

For a law that can be so integral to their trade, the actual workings of Freedom of Information Act 2000 (FOIA) get surprisingly little attention from journalists. This is not to say that it is not deployed by journalists: last year there were more than 52,000 requests made to government bodies alone. When one considers the range of public authorities subject to FOIA, or to its Scottish equivalent, or to the parallel Environmental Information Regulations 2004 – not just central government, but also local authorities, NHS Trusts, police forces, public utilities companies, and many others – one can see that, largely unheralded, the right of access to FOIA is one of the most heavily and regularly exercised of rights. And often, it will be journalists making these requests.

Yet if one lists those journalists who really specialise in the area, who really know how to use FOIA most effectively, the same handful of names tend to come up. The doyen of them all, though, is Martin Rosenbaum.

Formerly the BBC’s in-house expert in the use of FOIA (not, as he often patiently had to explain – including to me – the person responsible for the BBC’s FOIA compliance), but also a distinguished producer, Martin went freelance a couple of years ago. But while at the BBC he broke, or otherwise reported on, any number of stories which were the result of FOIA research, as his own website reveals:

The wide list of topics I investigated ranged from what Tony Blair and Bill Clinton said to each other, to revealing which models of cars had the worst MOT failure record; from the Hillsborough disaster and Margaret Thatcher, to flaws in the workings of the honours system; from the policing of anti-nuclear protests at Greenham Common, to how date of birth can affect university entrance. [hyperlinks to stories on the web page itself]

Martin has now published an essential book on the topic: Freedom of Information: A practical guidebook.

Quite simply, if you’re new to FOI you’d be silly not to read it, and even if you’re experienced in it, it will tell you things of value.

The book is structured in a straightforward way (a summary of the law, making requests, what sort of replies you might get, how to challenge replies) but has some extras which will be tremendously helpful. In particular, the template requests which are suggested will help avoid some of the biggest pitfalls requesters make (such as not being specific or clear enough, or making requests which are too broad in scope).

Although the book as a whole is excellent, if requesters only read Part B, on requests (including tactics and advice) they are still likely to make much more sensible and productive requests.

There are only a handful of useful guides (in print or online) to FOI. And really, there are not much more than a handful of experts in it. This is a useful guide by one of those experts – why would you not buy it?

[Disclaimer: I received a free review copy, and Martin and I have known each other for a number of years.]

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Environmental Information Regulations, Freedom of Information, Information Commissioner

Tagged as ,

September 12, 2023 · 8:49 am

Arbitrary criminality and data protection

It shouldn’t be too controversial to state that to commit a criminal offence is a serious matter: although there are – obviously – different levels of severity, certain acts or omissions are so injurious to society as a whole that they warrant prosecution.

The majority of infringements of data protection law are not criminal offences, but, rather, contravention of civil law. But there are a few offences in the statutory scheme. Section 132 of the Data Protection Act 2018 (DPA) is one such. It says that it is an offence for the Information Commissioner, or a member of his staff, to disclose information

which—

(a)has been obtained by, or provided to, the Commissioner in the course of, or for the purposes of, the discharging of the Commissioner’s functions,

(b)relates to an identified or identifiable individual or business, and

(c)is not available to the public from other sources at the time of the disclosure and has not previously been available to the public from other sources,

However, it will not be an offence if the disclosure is made with “lawful authority”, and a disclosure is made with lawful authority only if and to the extent that

(a)the disclosure was made with the consent of the individual or of the person for the time being carrying on the business,

(b)the information was obtained or provided as described in subsection (1)(a) for the purpose of its being made available to the public (in whatever manner),

(c)the disclosure was made for the purposes of, and is necessary for, the discharge of one or more of the Commissioner’s functions,

(d)the disclosure was made for the purposes of, and is necessary for, the discharge of an EU obligation,

(e)the disclosure was made for the purposes of criminal or civil proceedings, however arising, or

(f)having regard to the rights, freedoms and legitimate interests of any person, the disclosure was necessary in the public interest.

This means that, for instance, if an individual or a business has given (willingly or under compulsion) information to the Commissioner for the purposes of a regulatory investigation, and the information is not already public, then the Commissioner must not disclose it, unless he has lawful authority to do so.

Where, also for instance, the Commissioner publishes a legal decision notice, or monetary penalty notice, or the like, this will ordinarily contain information of this kind, but the Commissioner can point to the lawful authority he has under section 132(2)(c) – namely that the disclosure was made for the purposes of, and is necessary for, the discharge of one or more of the Commissioner’s functions. No offence committed.

But section 132 is why the Commissioner’s Office might refuse, under the Freedom of Information Act 2000 (FOIA), to disclose information it has received from an individual or business. For instance, a notification report a controller has submitted pursuant to its “personal data breach” obligations under Article 33 UK GDPR. Here is an example. The ICO withholds the “breach report” in question, citing the exemption at section 44, because of the offence provisions at section 132 DPA.

Whether this is an over-cautious stance is one thing, but it is understandable.

What puzzles me, though, is the inconsistency, because elsewhere, in very similar circumstances, in response to a FOIA request, the ICO has disclosed a personal data report (albeit with redactions). Here, also.

If the Commissioner’s staff in the first example feel that they would commit an offence by disclosing the report, do the staff dealing with the second or third examples not feel that they would also?

One thing that should certainly not happen is claiming exemptions because it is easier to do so than not. I am not saying that has happened here, but there certainly seems to be inconsistency. And inconsistency, or uncertainty, about whether a regulator and his staff might commit a criminal offence is not a good situation.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, crime, Data Protection, Data Protection Act 2018, Freedom of Information, Information Commissioner

Tagged as , , , ,

September 9, 2023 · 9:56 am

ICO breaching section 45 FOI code which it has a duty to promote

Under section 45 of the Freedom of Information Act 2000 (FOIA), the Minister for the Cabinet Office is required to issue a Code of Practice providing guidance to public authorities as to the practice which it would, in his opinion, be desirable for them to follow. A Code of Good Practice, if you will. The Information Commissioner’s Office (ICO) says, about the most recent version of the section 45 Code, that it

should be used as a handbook which sets out best practice to help you with the day to day handling of requests. Adhering to the Code will result in positive benefits for your authority, and in practical terms, offer good customer service.

And under section 47(1)(b) of FOIA the ICO has a duty to perform his functions so as to promote the observance of the Code.

Paragraph 8.5 of the Code says that

Public authorities with over 100 Full Time Equivalent (FTE) employees should, as a matter of best practice, publish details of their performance on handling requests for information under [FOIA…and] should do so on a quarterly basis…

However, the ICO themselves do not do, indeed never have done, this.

I recently made a FOIA request to the ICO, in which I queried the absence of they published statistics under paragraph 8.5 of the Code, and asked for disclosure of the last two years’ statistics. The response revealed statistics that are not particularly interesting, other than that they show that the ICO has made commendable improvements in its own compliance, following the dip which coincided with the pandemic. But all that was said about the proactive publication point was

We are not presently publishing our quarterly stats

No explanation as to why, and the fact that it appears expressly contrary to the ICO’s duty under section 47 to promote observance of the Code.

The ICO has, in recent months, indicated a willingness to get a bit tougher on public authorities don’t comply with FOIA, but if it does not itself comply, the effect of such tougher enforcement is greatly weakened.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Freedom of Information, Information Commissioner

Tagged as ,

July 30, 2023 · 11:05 am

Has the Information Commissioner’s Office lost its FOI purposes?

When Parliament passed the Data Protection Act 1984 it created a role of a regulator for that new data protection law. Section 3(1)(a) said that

For the purposes of this Act there shall be…an officer known as the Data Protection Registrar

The office remained in this form until the passing of the Data Protection Act 1998, section 6(1) of which provided that

The office originally established by section 3(1)(a) of the Data Protection Act 1984 as the office of Data Protection Registrar shall continue to exist for the purposes of this Act but shall be known as the office of Data Protection Commissioner

The advent of the Freedom of Information Act 2000 necessitated a change, so as to create a role of regulator for that Act. Paragraph 13(2) of Schedule 2 to the Freedom of Information Act 2000 amended section 6(1) of the Data Protection Act 1998 so it read

For the purposes of this Act and of the Freedom of Information Act 2000 there shall be an officer known as the Information Commissioner

So, at this point, and indeed, until 25 May 2018, there was an Information Commissioner “for the purposes of” the Data Protection Act 1998, and “for the purposes of” the Freedom of Information Act 2000.

25 May 2018 marked, of course the date from which (by effect of its Article 99) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, or “GDPR“, applied.

Also on 25 May 2018, by effect of the Data Protection Act 2018 (Commencement No. 1 and Transitional and Saving Provisions) Regulations 2018, section 114 of the Data Protection Act 2018 commenced. This provided (and provides)

There is to continue to be an Information Commissioner.

However, paragraph 44 of schedule 19 to the Data Protection Act 2018 (commenced also by effect of the Data Protection Act 2018 (Commencement No. 1 and Transitional and Saving Provisions) Regulations 2018) repealed the “FOIA purpose” provisions of section 6(1) of the Data Protection Act 1998 (which, to recall, said that “for the purposes of…the Freedom of Information Act 2000 there shall be an officer known as the Information Commissioner“). At the same time, paragraph 59 of schedule 19 to the Data Protection Act 2018 repealed section 18(1) (which had provided that “The Data Protection Commissioner shall be known instead as the Information Commissioner“).

So, the Information Commissioner is no longer described, in statute, as an officer which shall be for the purposes of the Freedom of Information Act 2000.

Probably nothing turns on this. Elsewhere in the Freedom of Information Act 2000 it is clear that the Information Commissioner has various functions, powers and duties, which are not removed by the repeal (and subsequent absence of) the “FOIA purpose” provisions. However, the repeal (and absence) do raise some interesting questions. If Parliament thought it right previously to say that, for the purposes of the Freedom of Information Act 2000 there should have been an Information Commissioner, why does it now think it right not to? No such questions arise when it comes to the data protection laws, because section 114 and schedule 12 of the Data Protection Act 2018, and Articles 57 and 58 of the UK GDPR, clearly define the purposes (for those laws) of the Information Commissioner.

Maybe all of this rather painful crashing through the thickets of the information rights laws is just an excuse for me to build up to a punchline of “what’s the purpose of the Information Commissioner?” But I don’t think that is solely what I’m getting at: the implied uncoupling of the office from its purposes seems odd, and something that could easily have been avoided (or could easily be remedied). If I’m wrong, or am missing something – and I very much invite comment and correction – then I’ll happily withdraw/update this post.

Please note that links to statutes here on the legislation.gov.uk website are generally to versions as they were originally enacted.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Data Protection Act 2018, Freedom of Information, GDPR, Information Commissioner

Tagged as , , , ,

May 10, 2023 · 8:55 pm

ICO “does not use AI” – really?

There’s an interesting Freedom of Information (FOI) response by the Information Commissioner’s Office (ICO) on the website WhatDoTheyKnow. In response to the question

have you examined the use of AI to help you in doing your work as an organisation?

their reply includes the statement that

For information, the ICO does not use any artificial intelligence (“AI”) technology.

However, if one uses most of the standard definitions of AI (such as the one from the government’s National AI Strategy: “machines that perform tasks normally requiring human intelligence, especially when the machines learn from data how to do those tasks”) one might find that hard to believe. What about spam filters on the ICO email network? Or the fact they recommend Google Maps for anyone needing directions to their offices? Or their corporate use of social media? All of those technologies use, or constitute, AI.

There is a wider point here: the task of regulating AI, or even of comprehending how it uses personal data, will fall increasingly on some key regulators in coming years (including the ICO). It is going to be crucial that there is understanding within those organisations of these issues, and if they don’t comprehend now how, within their own walls, the technology operates, they will be starting off on the back foot.

(One should also add that, if the ICO has missed some of its own more obvious uses of AI, then it has probably also failed to respond to the FOI request in accordance with the law.)

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under AI, Freedom of Information, Information Commissioner

Tagged as , ,

February 28, 2023 · 8:29 pm

FOI embarrassment

At a recent awards event, recognising high-performing Freedom of Information officers and teams (fantastic idea by the organisers/sponsors, by the way*) I gave a brief talk where I stressed that it was important to recognise how much FOI has achieved in its 23 (or 18**) years, and to remember that every day thousands of disclosures are made by thousands of public authorities. It’s very easy to snipe at bad practice, and I often do, but if we don’t acknowledge the benefits, the real opponents of FOI might start arguing for its repeal.

So. Celebrate success. Accentuate the positive. Eliminate the negative.

However.

Then you see a decision notice from the Information Commissioner (ICO), in which a large London council had refused to disclose, under FOI, information on how many enquiries (MEQs) each of its councillors*** had submitted to the council on behalf of constituents. The reason for refusal was that this was the personal data of the councillors (well, yes) and that disclosure would infringe those councillors’ rights under the data protection law (hell, no).

This isn’t time for legal analysis. It really is as extraordinary as it sounds.

Thankfully, the ICO had no truck with it (and the notice does have legal analysis).

Frankly, though, the council should be ashamed.

______________________

*I have no personal or professional interest

**The Act commenced in 2000, but the main provisions didn’t commence until 2005

***At the end of the notice there is a big hint as to the role of the person who made the request – see if you can guess

.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, Data Protection, Freedom of Information, Information Commissioner, local government

Tagged as , ,

December 18, 2022 · 10:48 am

ICO investigated potential FOI criminal offences by government departments

Under section 77 of the Freedom of Information Act 2000 (FOIA) a person commits a criminal offence if – after someone has made a request for information to a public authority, and would have been entitled to disclosure of that information – he or she

alters, defaces, blocks, erases, destroys or conceals any record held by the public authority, with the intention of preventing the disclosure by that authority of all, or any part, of the information to the communication of which the applicant would have been entitled

This is the only section of FOIA which carries a criminal penalty. It is very rarely invoked: since FOIA commenced in January 2005, there has been just one successful prosecution brought by the Information Commissioner’s Office (ICO) (and, as far as I know, only one other, unsuccessful, prosecution).

One reason for the lack of cases is that the ICO can only bring a prosecution within six months of the offence occurring. This has been identified for many years as an issue which should be addressed (but successive governments have declined to do so).

Nonetheless, a recent FOIA disclosure by the ICO reveals that in the last few years potential section 77 offences by government departments have been investigated. The request, made via the public WhatDoTheyKnow platform, was for information on “all Section 77 investigations carried out regardless of outcome for all Government departments”. In response, the ICO disclosed that

we have opened the following cases with regard to allegations of s77 allegations against Government Departments:
PCB/0013/2018 – MoJ IC/506/2020 – DWP IC/0549/2020 – Cabinet Office INV/0950/2021 – Cabinet Office.

This appears to suggest the existence of four separate investigations. In response to a request for further comment the ICO press office stated to me that none of the cases was still open, but declined to say any more. This seems to confirm that no proceedings were brought as a result of the investigations, but it is not possible to speculate on the reasons why. Nor are details available as to the circumstances under which the investigations were made.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, Cabinet Office, DWP, Freedom of Information, Information Commissioner, Ministry of Justice, section 77

Tagged as ,

November 26, 2022 · 10:59 am

Does DHSC have a compliant ROPA?

Article 30(4) of the UK GDPR requires a controller to make its records of processing activities (ROPA) available to the Information Commissioner (ICO) upon request.

ROPAs are required for most large controllers, and should include at least

  • The name and contact details of the organisation (and where applicable the data protection officer).
  • The purposes of processing.
  • A description of the categories of individuals and categories of personal data.
  • The categories of recipients of personal data.
  • Details of transfers to third countries including documenting the transfer mechanism safeguards in place.
  • Retention schedules.
  • A description of the controller’s technical and organisational security measures.

Ordinarily, in my experience, controllers will maintain a ROPA in one document, or one set of linked documents. This not only enables a controller to comply with Article 30(4), but reflects the fact that a ROPA is not just a compliance obligation, but contributes to and assists the controller in its information governance functions.

This all makes the position of the Department of Health and Social Care (DHSC) rather odd. Because, in response to a Freedom of Information Act (FOIA) request for disclosure of its ROPA, it stated that the request was “vexatious” on the grounds of the time and costs it would have to incur to respond. This was because, as the DHSC subsequently told the ICO when the latter was asked to issue a FOIA decision notice

We hold a collection of documentation across different formats which, when put together, fulfils our obligation under Article 30 of the GDPR to record and document all of our personal data processing activities…[and]…to locate, retrieve and extract all of this documentation would involve a manual trawl of the whole organisation and each document would then need to be reviewed to check for content such as personal data, commercially sensitive data and any other information that would otherwise not be appropriate to place into the public domain

For this reason, the ICO accepted that compliance with the request would be “grossly oppressive” and this, taken with other factors, meant that the FOIA request was indeed vexatious.

The ICO is tasked with regulating both FOIA and data protection law. The decision notice here notes this, and says

the Commissioner feels duty bound to note that, if the DHSC cannot comply with the request because it would impose a grossly oppressive burden to do so, it is unlikely that the DHSC would be able to provide its ROPA to the Commissioner, which is a requirement under Article 30 of the UK GDPR, without that same burden

There’s a big hint here to DHSC that it should adopt a different approach to its ROPA for the future.

But the decision notice does contain some rather strange wording. In the context of the words quoted just above, the ICO says

This decision notice looks at the DHSC’s compliance with FOIA only and the Commissioner cannot order the DHSC to take any action under any other legislation.

It is true that, under his FOIA powers, the ICO cannot order the DHSC to comply with the UK GDPR, but, quite evidently, under his UK GDPR powers, he certainly can: Article 58(2)(d) specifically empowers him to

order the controller…to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period

I am not aware of anything in FOIA, or data protection law (or wider regulatory and public law) that prevents the ICO from taking enforcement action under UK GDPR as a result of findings he has made under FOIA. Indeed, it would be rather strange if anything did prevent him from doing so.

So it does seem that the ICO could order DHSC to get its ROPA in order. Maybe the big hint in the FOIA decision notice will have the desired effect. But regulation by means of big hints is perhaps not entirely in compliance with the requirement on the ICO, deriving from the Regulators’ Code, to ensure that its approach to its regulatory activities is transparent.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, DHSC, Freedom of Information, Information Commissioner, records management, ROPA, Uncategorized

Tagged as , , ,

October 18, 2022 · 7:34 am

NADPO conference on 22 Nov, with keynote from John Edwards, Information Commissioner

NADPO’s 2022 annual conference will see a return to in-person events. And we are delighted that the keynote speaker is UK Information Commissioner John Edwards. John will be joined by a stellar line up including

  • Maurice Frankel, from the Campaign for Freedom of Information
  • Professor Victoria Nash, from the Oxford Internet Institute
  • Professor Lilian Edwards, from Newcastle University, and also the Ada Lovelace Institute
  • Sarah Houghton, Head of Competition Law at Mishcon de Reya LLP
  • Stewart Room, of DWF and also President of NADPO

The conference will take place on 22 November, at the Mishcon de Reya offices at Africa House, Kingsway (right next to Holborn tube station).

Attendance is free (as ever) for all NADPO members, and it is not too late to purchase a membership, for the price of £130, which guarantees free attendance at all NADPO events, as well as at some partners’ events, as well as discounted rates on commercial training services from respected providers. Members also receive a monthly newsletter.

Leave a comment

Filed under Data Protection, Freedom of Information, Information Commissioner, NADPO

Tagged as , , ,