Tag Archives: ICO

Cabinet Office unsuccessfully appeals FOIA information notices

When a public authority relies on an exemption to refuse to disclose information in response to a Freedom of Information Act request, the requester can ask the Information Commissioner’s Office for a decision as to whether the refusal was in accordance with the law. In order to make such a decision, the ICO may often need to see the information withheld by the public authority. Where the public authority is unwilling to provide this, or perhaps drags its heels over it, the ICO may serve, under section 51 of FOIA, an “information notice”, requiring the information to be provided. Failure to comply with an Information Notice can be certified as contempt of court, but there is a right of appeal to the First-tier Tribunal.

And so it was that the Tribunal recently found itself hearing appeals by the Cabinet Office in relation to two Information Notices served on it by the ICO, who is investigating FOIA requests for information relating to Rishi Sunak’s declarations of interest when he was Prime Minister.

The Cabinet Office sought to argue, among other things, that access by the ICO was not necessary, was unfair and damaging to the process of handling ministerial declarations of interest, and would constitute unlawful processing of personal data. All of these arguments got short shrift from the Tribunal – ultimately, it held that it would not be possible to determine whether any of the exemptions prayed in aid by the Cabinet Office were made out without an examination of the material, and the appeals were dismissed.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Filed under access to information, Cabinet Office, Freedom of Information, Information Commissioner, information notice, Information Tribunal, judgments

Cabinet Office wins Covid face masks FOIA appeal

The Information Tribunal has overturned a decision of the Information Commissioner’s Office and ruled that the Cabinet Office is not required to disclose minutes of meetings in June and July 2020 at which policy decisions were taken to make mandatory the wearing of face masks in shops and on public transport.

It is a shame that, for a decision of some import, the judgment reads like a stream-of-consciousness draft, and that it is infused with unnecessary sarcasm at various points.

The ICO had determined that the exemption at s35 FOIA (for information relating to the formulation of government policy) was engaged. He acknowledged the importance of a protected space for government decision-making, and of the principle of collective responsibility, but decided that the “exceptionally weighty” public interest favoured disclosure.

The Tribunal, however, via reasoning which is – frankly – very difficult to follow, appears to have focused on the issue of “accountability”, something that the requester had mentioned rather in passing in support of his request, but which was not a matter expressly mentioned in the ICO’s decision. Having fixed on this concept, the Tribunal appears to have decided that as those in government at the time have since been held accountable in various ways, there was diminished public interest in achieving accountability by way of disclosure of the requested information. The key passage is probably this (at 57):

In considering the context of this request there is a stark contrast between the salience and effectiveness of other multiple forms of accountability…and the value of the information sought – in contrast with the risk of harm to the functioning of government caused by its release disproportionate to any benefit.

I do not say the Tribunal has necessarily got this wrong, but I do say that this is a FOIA case of some significance, and that it warranted a clearer judgment.

Whether the judgment is amenable to an appeal is not entirely clear, but it’s worth pointing out that the original requester was not a party to, and was not joined to, these proceedings, and so I do not believe he himself has a right of appeal to the Upper Tribunal, and one wonders whether the ICO will have the enthusiasm to do so, given the costs involved.

Filed under Cabinet Office, FOIA, Freedom of Information, Information Commissioner, Information Tribunal, judgments

Why is the ICO so quiet about prosecutions?

Not infrequently, I get contacted (personally and professionally) by individuals who are concerned that their personal data has been compromised in circumstances that may constitute the criminal offence of “obtaining” or “retaining”, under section 170 of the Data Protection Act 2018.

In many cases, there is not much I can bring to the table. If an offence has been committed then this is a matter for the prosecutor. Normally, for data protection offences, this is the Information Commissioner’s Office.

But what strikes me is that there appears to be no information on the ICO website for anyone who wants to report an alleged or potential offence. Their “For the public” pages don’t cover the scenario, and all of the data protection complaints information there is predicated on the assumption that the individual will be complaining about the data controller’s compliance (whereas, in a section 170 offence, the controller is more of the status of “victim”).

In fact, the best I can find is one brief reference (at page 61) in a lengthy guide to the DPA 2018, aimed at “organisations and individuals who are already familiar with data protection law”, and which doesn’t even actually explain that the offences described can be prosecuted by the ICO.

Dr David Erdos has recently highlighted both the low number of ICO prosecutions, and the rather slapdash way in which the ICO appears to be handling information about them. But the section 170 provisions are criminal ones for a reason: they will sometimes involve the most distressing and serious interferences with people’s data protection and privacy rights.

Surely the ICO should pay more attention to such incidents, and assist concerned data subjects (or others) who might want to report potential offences?

Filed under Data Protection, Data Protection Act 2018, Information Commissioner, offences

Concerns over the Public Authorities (Fraud, Error and Recovery) Bill

When it comes to proposed legislation, most data protection commentary has understandably been on the Data (Use and Access) Bill, but it’s important also to note some of the provisions of the Public Authorities (Fraud, Error and Recovery) Bill, introduced in the Commons on 25 January.

The abandoned Tory Data Protection and Digital Information Bill would have conferred powers on the DWP to inspect bank accounts for evidence of fraud. To his credit, the Information Commissioner John Edwards, in evidence given on that earlier Bill, had warned about the “significant intrusion” those powers would have created, and that he had not seen evidence to assure him that they were proportionate. This may be a key reason why they didn’t reappear in the DUA Bill.

The Public Authorities (Fraud, Error and Recovery) Bill does, however, at clause 74 and schedule 3, propose that the DWP will be able to require banks to search their own data to identify whether recipients of Universal Credit, ESA and Pension Credit meet criteria for investigation for potential fraud.

But such investigative powers are only as good as the data, and the data governance, in place. And as the redoubtable John Pring of Disability News Service reports, many disabled activists are rightly concerned about the potential for damaging errors. In evidence to the Bill Committee one activist noted that “even if there was an error rate of just 0.1 per cent during this process, that would still mean thousands of people showing up as ‘false positives’, even if it just examined those on means-tested benefits”.

The Bill does not appear to confer any specific role on the Information Commissioner in this regard, although there will be an independent reviewer, and – again, creditably – the Commissioner has said that although he could not be the reviewer himself, he would expect to be involved.

It is worth also reading the concerns of the Public Law Project, contained in written evidence to the Bill committee.

Filed under accuracy, Data Protection, data sharing, Information Commissioner

The state of central government transparency

[reposted from my LinkedIn account]

This is one of the most extraordinary FOIA judgments I’ve ever seen, and it says an awful lot about the approach to transparency at the centre of the civil service.

The Cabinet Office have been trying to resist disclosure under FOIA of copies of blank ministerial declaration of interest forms, on grounds that to do so would be prejudicial to the conduct of public affairs, because among other things [checks notes] “Disclosure may lead to speculative scrutiny regarding why certain elements are included in the forms, potentially leading to amendments to the form which undermines its effectiveness”.

But there’s also an extraordinary citation of a piece of evidence given by a Cabinet Office witness – the “Director of Propriety and Ethics” – to the effect that the system for Ministers declaring interests relies heavily on the trust and candour of Ministers, and the effect of disclosure would be that they “may be reluctant to provide the same level of detail” as they do currently.

Let’s just think about that. Ministers have a constitutional and ethical duty to declare interests, but this relies on trust and candour, and disclosure of a blank declaration form might mean that those we trust to be candid in their ethical duty to declare those interests might decide to be less trustworthy and candid as a result? What a sorry state of affairs.

Fortunately, the Information Tribunal, like the Information Commissioner’s Office before, had no truck with these arguments, and refused the Cabinet Office’s appeal.

Filed under access to information, Cabinet Office, FOIA, Freedom of Information, Information Commissioner, Information Tribunal, judgments

Clarity needed on NHS publication of reports into homicides

[reposted from my LinkedIn account]

Does the law need clarifying on the publication of reviews into homicides by those receiving mental health services from the NHS?

The Times led recently on stories that NHS England was refusing to publish the full independent report into the health care and treatment of Valdo Calocane prior to his manslaughter of three people in Nottingham in 2023. NHSE apparently argued that data protection and patient confidentiality concerns prevented them publishing anything but a summary. Under pressure from victims’ families, and the media, NHSE about-turned, and the full report is reported to contain damning details of failings in Calocane’s treatment which were not in the summary version.

Now The Times reports that this is part of a pattern, since last year, of failure to publish full reviews of homicides by mental health patients, contrary to previous practice. It says that NHSE received legal advice that the practice “could breach data protection rules and the killers’ right to patient confidentiality”. The charity Hundred Families talks of cases where the names of victims are not published, or even the identity of the NHS Trust involved.

Of course, without seeing the advice, it is difficult to comment with any conviction, but I did write in recent days about how the law can justify publication where it is “necessary for a protective function” such as exposing malpractice, or failures in services. And it’s important to note that, in many cases, such reports show failings that mean that killers themselves have been let down by the adequacy of treatment: publication can surely, in some cases, cast light on this so that similar failings don’t happen in the future. In any case, guidance says that those preparing reports should do so with a view to their being published, and so confidentiality concerns should be taken into account in the drafting.

However, if NHSE remains concerned about the legality of publication, and if its legal advice continues to say that data protection and medical confidentiality law militates against disclosure, it strikes me that this might call for Parliament to legislate. I also believe that it would be welcomed if the Information Commissioner’s Office issued a statement on the legal issues arising.

Filed under access to information, Confidentiality, Data Protection, Information Commissioner, NHS

Is the legal sector really suffering a flood of data breaches?

[reposted from my LinkedIn account]

There have been various articles in the media recently, reporting a significant rise in personal data breaches reported by the legal sector to the Information Commissioner’s Office. I have some real doubts about the figures.

An example article says

A new analysis of data from the Information Commissioner’s Office (ICO) by NetDocuments has revealed a sharp increase in data breaches across the UK legal sector. In the period between Q3 2023 and Q2 2024, the number of identified data breaches in the UK legal sector rose by 39% (2,284 cases were reported to the ICO, compared to 1,633 the previous year)

But something didn’t seem right about those numbers. The ICO say that they have received 60,607 personal data breach reports since their current reporting methods began in Q2 2019 (see their business intelligence visualised database), so it seemed remarkable to suggest that the legal sector was scoring so highly. And, indeed, when I look at the ICO BI data for self-reported personal data breaches, filtered for the legal sector, I see only 197 reported in Q3 2023, and, coincidentally, 197 in Q2 2024 (see attached visuals) – an increase from one relatively low number to another relatively low number of precisely 0%.

A serious question to those more proficient with data than I am – am I missing something?

If I’m not, I really think the ICO should issue some sort of corrective statement.

Filed under Data Protection, data security, Information Commissioner, personal data breach

Is information held by external solicitors “held” for the purposes of FOIA?

[reposted from my LinkedIn account]

Where an external solicitor’s firm holds information in relation to advice given by the solicitor on instructions by a public authority client, is the information held by the solicitor “on behalf of” the public authority, for the purposes of section 3(2)(b) of the Freedom of Information Act 2000?

While the matter is live, the answer is probably “yes”, but what if the public authority client has long since destroyed its own records, but the solicitor’s firm has retained its records for its own regulatory or risk purposes? Here, the answer is probably “no”.

And that is the situation which came before the Information Tribunal recently. The requester was seeking information from Sheffield City Council about a development scheme from 2007/2008. The Council had said that it would have destroyed its own records, and said that to determine whether the information was held would necessitate the inspection of 28 box files held by law firm Herbert Smith Freehills, who had been instructed by the Council at the relevant time. To even determine whether the information was held or not would exceed the costs limits in section 12 of FOIA. The ICO, in the decision notice being appealed, had agreed.

As I was reading the first few paragraphs of the Tribunal judgment, I said to myself “hang on – is this info being held by HSF on behalf of the Council, or is it being held for HSF’s purposes?” I was limbering up my fingers to write a post criticising everyone for not spotting this, so I was then pleased to see that the Tribunal, of its own volition, identified it as an issue and sought submissions from the ICO and the Council on it.

After some back and fro (it is not entirely clear from the judgment who said what in their submissions, and there was a side issue as to whether in fact the Environmental Information Regulations applied) the evidence was pretty clear that the Council had had no intention to retain the information, nor to entrust it to HSF. Accordingly, the information was not “held” for the purposes of FOIA.

I’m not sure I understand why the Tribunal did not substitute a different decision notice to reflect this (it simply dismissed the requester’s appeal), but ultimately nothing really turns on that.

What one can take from this is that solicitors and their clients (especially public authority clients) should, jointly and separately, make clear in agreements and policies what the status is of information retained by solicitors after an instruction has ceased, and how requests for such information should be dealt with.

Filed under access to information, Environmental Information Regulations, Freedom of Information, Information Commissioner, Information Tribunal, judgments

Exceptionally unlikely: ICO and judicial review

[reposted from my LinkedIn account]

Where Parliament has entrusted a specialist body with bringing prosecutions, such as the Serious Fraud Office, or the Information Commissioner’s Office (ICO), it is “only in highly exceptional circumstances” that a court will disturb a decision made by that body (see Lord Bingham in R(Corner House and others) v Director of the Serious Fraud Office [2008] UKHL 60).

Such was the situation faced by the claimant in an unsuccessful recent application for judicial review of two decisions of the ICO.

The claimant, at the time of the events in question, was a member of the Labour Party and of the Party’s “LGBT+Labour” group. She had been concerned about an apparent disclosure of the identity and trans status of 120 members of a “Trans Forum” of the group, of which she was also a member, and of what she felt was a failure by the LGBT+Labour group to inform members of the Forum of what had happened.

She reported this to the ICO as potential offences under sections 170 and 173 of the Data Protection Act 2018 (it’s not entirely clear what specific offences would have been committed), and she asked whether she was “able to discuss matters relating to potential data breaches with the individuals involved”. The ICO ultimately declined to prosecute, and also informed her that disclosing information to the individuals could in itself “potentially be a section 170 offence”.

The application for judicial review was i) in respect of the “warning” about a potential prosecution in the event she disclosed information to those data subjects, and her subsequent rejected request for a commitment that she would not be prosecuted, and ii) in respect of the decision not to prosecute LGBT+Labour.

Neither application for permission succeeded. In the first case, there was no decision capable of being challenged: it was an uncontroversial statement by the ICO about a hypothetical and fact-sensitive future situation, and in any event she was out of time in bringing the application. In the second case, there were no “highly exceptional circumstances” that would enable the court “to consider there was a realistic prospect of showing that the ICO had acted outside the wide range of its discretion when deciding not to prosecute”.

One often sees suggestions that the ICO should be JRd over its failure to take action (often in a civil context). This case illustrates the deference that the courts will give to its status and expertise both as regulator and prosecutor. Outside the most exceptional of cases, such challenges are highly unlikely to succeed.

Peto v Information Commissioner [2025] EWHC 146 (Admin)

Filed under crime, Data Protection, Data Protection Act 2018, Information Commissioner, judgments, judicial review

I don’t think that word means what you think it means

[reposted from LinkedIn]

I think there’s a plain error of law in this Information Tribunal judgment (O’Hanlon & Anor v Information Commissioner & Anor [2024] UKFTT 1061 (GRC)).

Section 36(2)(b) of the Freedom of Information Act 2000 (FOIA) says that information is exempt if, in the reasonable opinion of a qualified person, disclosure would, or would be likely to, inhibit the free and frank provision of advice, or the free and frank exchange of views for the purposes of deliberation, or would otherwise prejudice (or would be likely to do so) the effective conduct of public affairs.

I’ve written elsewhere about the flawed concept of who a “qualified person” is, but, at least in relation to govt departments, it’s straightforward: it’s a minister (s36(5)(a)).

In June 2022, Lord True, Minister of State in the Cabinet Office, in the context of a then-live FOIA request, gave a s36 “reasonable opinion”, as a qualified person, that internal department email addresses were exempt, and – crucially – that his opinion was to apply “going forward” in relation to any similar requests. Subsequently, the Cabinet Office applied his opinion to a new request which was received after he had given it.

The ICO said this was not permitted: “the provisions of s36 only become relevant once a request for information has been made…a Qualified Person’s opinion must therefore necessarily post-date the request for the information, and must be an opinion relating to the specific request”.

Not so, said the Tribunal: s36(6)(b) allows an “authorisation” to be “general”, and, therefore “a general authorisation must include be [sic] forward looking to other requests”.

But that is not what “authorisation” means in s36: the word only occurs, prior to s36(6)(b), in s36(5), and it refers to the authorisation of persons as qualified persons to give a reasonable opinion. In other words, the qualified person gives an opinion – not an “authorisation”. The reference in s36(6)(b) to an authorisation being permitted to be “general” is followed by “or limited to specific classes of case” – i.e. a person may be authorised in general to give a reasonable opinion, or authorised (perhaps they have a specialism) only in certain cases.

It does not mean that they are “authorised” to give a prospective qualified opinion that classes of information will always be exempt (subject to a public interest test).

The Tribunal’s reading of s36(6)(b) heavily informed its judgment, and it’s certainly questionable whether, but for this error, it would have decided in favour of giving this “prospective effect” to some s36 qualified opinions.

One hopes the ICO will appeal – because there will otherwise be a risk that public authorities will start classifying, of their own accord, certain classes of information as “always exempt”.

Filed under access to information, FOIA, Freedom of Information, Information Commissioner, Information Tribunal, judgments