Tag Archives: ICO

Tweets and Tw*ts, redux

NOTHING TO SEE HERE, MOVE ALONG.

UPDATE: 13 December 2012

In a tweet to me of 5 December the ICO kindly clarified that there has been no change. The reference to twitter names is now contained in this guidance.

Has there been a subtle change of policy by the ICO on the subject of FOI requests made by twitter?

Last year I blogged about a Freedom of Information Act 2000 (FOIA) request I made to the Information Commissioner’s Office (ICO) via twitter. I referred the ICO to their own guidance (hosted as part of a web page, not as a separate download), which said

The request must state the name of the applicant…A Twitter name may not be the requester’s real name, but the real name may be shown in their linked profile…The request must also state an address ‘for correspondence’. Does this include Twitter names? The length of a tweet makes it difficult for the authority to respond fully, but there are ways of dealing with this. The authority could ask the requester for an email address in order to provide a full response. Alternatively, it could publish the requested information, or a refusal notice, on its website and tweet a link to that.

The question I have given emphasis there did not have a specific answer in the guidance, but one inferred that the answer was “yes” from the words that followed.

This morning I made a twitter FOIA request to the Department for Education, to which they replied asking me to provide an email address or fill in an online form. I was going to refer them to the ICO’s guidance, but found that it doesn’t exist anymore. Fair enough: websites change and URLs get broken. However, unless I am mistaken what I have also found is that the ICO no longer seems to imply that a twitter name is an address for correspondence, according to section 8(1)(b) of FOIA. As far as my search skills can ascertain, the ICO now says

Requests can also be made via the web, or even on social networking sites such as Facebook or Twitter if your public authority uses these…[the request must] include an address for correspondence. This need not be the person’s residential or work address – it can be any address at which you can write to them, including a postal address or email address

No reference there to twitter names. More detailed guidance from the ICO says

Where a request has request in line with section 8(1) of FOIA if the requester has provided their name and a valid address. Where possible a response to the requester should be sent for example by providing a web link. If the name or address is not provided it is not a valid request, therefore if information is not being provided a reply should be sent advising the requester of this, and asking for the required information.

Again, no reference to twitter names.

These changes, unless I have indeed missed something, with their absence of reference to the possibility of a twitter name being “an address for correspondence” indicate a retreat by the ICO. It could well be that they’ve had to acknowledge that twitter is perhaps not the most appropriate medium for FOIA requests. If so, it would be helpful if they could – clearly – issue revised guidance. Their announcement that requests could be made by twitter got a lot of coverage, and led to the highest court in the land accepting that it had been wrong to imply it would not consider them valid requests.

I’ve made a FOIA request to the ICO to find out whether their policy has changed. Guess which medium I used?

7 Comments

Filed under Freedom of Information, Information Commissioner, transparency, Uncategorized

Private emails, FOI and Criminality

Private emails are subject to FOI searches, and it’s a crime intentionally to conceal relevant information.

So, it appears that the Department for Education (DfE) has conceded that business emails sent from private email accounts are subject to the Freedom of Information Act 2000 (FOIA), thus accepting what the right-thinking world, and, indeed, anyone with a glimmer of common sense, knew all along.

Plaudits, or brickbats, according to your position on the merits of FOIA, should go to Christopher Cook of the Financial Times, who has pursued the DfE on this with the enthusiasm of a Jack Russell terrier faced with a scurrying rat. Fellow hacks at the Independent had also joined themselves to the proceedings listed (but now withdrawn) in the First-tier Tribunal (Information Rights). The DfE had had the balls to launch a challenge to a previous decision by the Information Commissioner (ICO) that the information (held in private email accounts) requested by Chris should be released. The decision notice itself was clear, and difficult to argue with, as is the advice on the subject published by the ICO around the same time. One wondered what possible grounds the DfE had on which to base a successful appeal, and the withdrawal of the appeal probably answers that point, although it appears the withdrawal was actually prompted by the imminent publication of Cabinet Office guidance.

Some are now predicting that there will be a deluge of FOI requests specifically targeted at information held in private emails, or text messages, and I think this is probably right. What is not clear is how they will be handled. The ICO’s guidance suggests that, faced with requests for information that could be held in private emails, public authorities should restrict themselves to asking the person to search their account and keeping a record to show that this was asked:

The public authority will then be able to demonstrate, if required, that appropriate searches have been made in relation to a particular request. The Commissioner may need to see this in the event of a…complaint

This suggests that, when investigating a complaint about refusal to disclose information, the ICO will restrict himself merely to satisfying himself that an authority has asked its staff to check emails. Absent any evidence that those staff have not been honest about the contents of those private emails, the ICO will take no further action. The reasons for this are, really, quite obvious: the powers open to a public authority to access private email accounts are limited. Although the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 allow an employer to “intercept” an employee’s private emails (if sent using the employer’s systems) to determine whether they are business-related, those powers must be exercised with due regard to the employee’s privacy rights. The interception of private emails in a private email account (sent using the employer’s systems) must be necessary and proportionate. If an employee has told his or her employer that their private emails contain no information caught by an FOI request it is doubtful, absent any evidence to the contrary, that a “trawl” of emails without the employee’s consent would be lawful (I’ve written for PDP journals on this subject – subscription needed).

On one view, then, nothing much has changed with the concession by the DfE, although no doubt many new FOI requests will be made as a result. What has changed, perhaps, is the focus on individuals’ personal responsibility under FOIA. Currently, section 77 creates an offence if a person alters, defaces, blocks, erases, destroys or conceals a record in response to an FOI request. If a trawl of emails on a public authority’s systems is required this will normally fall to IT, or similar, and employees have little say – or, if you like, given the existence of back-up systems, limited opportunity – to commit a section 77 offence. Now, if the same employee is asked whether private emails contain specific information, and he or she untruthfully says “no”, criminality – the mens rea – will be relatively easy to make out.

The question is, how would we find out?

6 Comments

Filed under Freedom of Information, Information Commissioner, Information Tribunal, Privacy, RIPA, Uncategorized

Data Security and Churnalism

On the lazy reporting of a silly story about increases in data breaches

Over the past couple of days the following have all published stories on the fact that data breaches in the UK have “rocketed” or “spiked” by an “alarming” 1000% over the last five years.

Computer Business Review
Techweek Europe
The Nextweb
Public Service
Help Net Security
V3.co.uk
Computing.co.uk
SC Magazine
UKAuthority.com
The Register
Computer World UK
The BBC

These are mostly well-respected news sources, serving either the tech industries or the public sector. All of them report this story as though an increase in the self-reporting of serious data breaches to the Information Commissioner were a bad thing. I’ve given the links to the stories not because I want to increase their clicks, but to show the remarkable similarity between them. This is not surprising, as they are all picking up on a press release by Imation (ironically, as a non-hack, I don’t have access to it) which was issued following an FOI request to the Information Commissioner. The response to the request showed that, indeed, in 2007-08 the number of breaches reported to the ICO was 79, and in 2011-12 it was 828. But does that really mean that “Data breaches in the UK have increased tenfold in the past five years”, as the BBC put it?

The answer, certainly, is “no”.

The reporting of breaches has increased by that proportion. But that is not particularly surprising. As far as I recall, the first guidance issued by the ICO on reporting serious breaches was only issued in July 2010. Before that, while there may have been an inferable assumption that serious breaches should be reported, there was not much in the way of clear direction or expectation until relatively recently. This expectation has become much more explicit since the ICO gained powers to issue civil monetary penalties for serious breaches. Now, all major data controllers know that when there is a serious breach of data security it needs to be reported to the ICO (and for telecoms providers there is a legal requirement to do so under the Privacy and Electronic Communications (EC Directive) Regulations 2003).

But is it a bad thing that the number of reported incidents has increased? Of course not. All breaches of data security are to be regretted, and lessons should be learnt so that they don’t recur. But data controllers need to be encouraged to recognise breaches, and to put their hands up when they happen. The ICO even considers self-reporting to be a mitigating factor when assessing what action he should take.

I doubt that many, if any, of the people writing for the websites I link to above really think that data security breaches (rather than reports of breaches) have increased 1000% over five years. I’m sure their writers and reporters are very busy, and an eye-catching press release makes for easy copy. But these websites (with the exception of the BBC) are important and specialist sources of information. For them to resort to “churnalism” (a form of journalism in which press releases…are used to create articles…without undertaking further research or checking) at the expense of common sense, especially when it might lead to greater reluctance to self-report, is greatly to be regretted.

1 Comment

Filed under Breach Notification, Data Protection, Information Commissioner, PECR

In Praise of the ICO (or how to avoid a £500k fine)

In the UK if you process personal data, you must comply in relevant part with your obligations under the Data Protection Act 1998 (DPA). This applies whether you are one of the world’s largest companies, or a sole-practitioner law firm, whether you’re a self-employed barrister, or the Lord Chief Justice of Northern Ireland. All of those hyperlinks go to examples of enforcement action taken by the Information Commissioner (IC) and are part of a regime which currently enables the IC, as statutory regulator, to impose, in appropriate cases, a civil monetary penalty notice of up to £500,000 for a serious contravention of the DPA. And when the draft European Commission Data Protection Regulation is ultimately passed, a similar contravention could risk a penalty of €1,000,000 or 2% of turnover for very large organisations. It is in any data controller’s interest to take all offers of advice and support to avoid the risk of sanctions under the DPA.

However much the IC and his office are criticised for failure to act, or failure to target the right data controllers, there are some things for which he and his office deserve praise. By section 51(1) of the DPA he must “promote the following of good practice by data controllers” and, by section 51(7) he

may, with the consent of the data controller, assess any processing of personal data for the following of good practice and shall inform the data controller of the results of the assessment

This is a power to conduct consensual audits. (There is also a power under s41A to conduct audits without consent of central government bodies, and the IC would like that power extended, but I digress.) In my view, if you are an organisation processing large amounts of personal data, and/or sensitive personal data, you would be mad not to consider this (with a couple of reservations I will address below).

Any in-depth audit of a statutory part of an organisation’s business will not normally come cheap (ask one of the “Big Four” accountancy firms how much their services cost, and then realise why they are called the Big Four). The IC could, with the Secretary of State’s agreement, charge for this service but (probably with a mind to his section 51(1) duty) he doesn’t.

So, you can ask for an in-depth audit of your compliance with the DPA. You can learn what the IC feels is best practice, get advice on improving poor practice and build a positive relationship between your organisation and the IC’s office, and, in the event of a future major data breach, it might well act as mitigation, because it would show at least that you are aware of your obligations and prepared to engage positively with the IC’s office. And all of this for free.

If you are a smaller organisation there is a more informal approach by way of an Advisory Visit, again offered for free by the IC. Advisory visits involve a one-day visit and result in a short report.

The reservations I referred to earlier really only apply if your compliance is poor, and this is obvious to you. The IC, as a general approach, publishes summaries of his audits. What you really don’t want is for the IC to make a finding of “limited assurance” or “very limited assurance”. Additionally, although the IC will not publish any summary without your agreement, he will publish a note stating that an audit took place. Speculation being what it is, the fact that an organisation has not agreed to publication might not be viewed positively. So, if you suspect that your compliance is poor, my advice would be to get one of the specialist data protection advisory companies to audit you too. And appoint a good data protection officer (or pay more attention (and money) to him or her).

2 Comments

Filed under Data Protection, Information Commissioner, Uncategorized

Transparent as mud

Our Prime Minister is committed to transparency in government. In June 2010 he set up a Public Sector Transparency Board containing some of the great and good in the field of open data and transparency: you’d struggle to pick better people than Tom Steinberg, Nigel Shadbolt, Rufus Pollock and Tim Berners-Lee (I’m not hyperlinking him – if you don’t know who he is then find out who invented hyperlinks). The Board is chaired by Francis Maude, Minister for the Cabinet Office, who has written – at the same time as he was lambasting Tony Blair’s dispiriting comments on freedom of information – that

If I ever sit down to write my own memoirs, freeing up government information will not number amongst my regrets. In fact, I very much hope that it will be one of my very proudest achievements.

Mr Cameron seems to feel the same way:

In the years to come, people will look back at the days when government kept all its data – your data – in vaults and think how strange it was that the taxpayers – the people who actually own all this – were locked out.

Now, it so happens that there has been, in recent months, much debate about whether – or rather, to what extent – private emails written by those connected with the Department for Education are “caught” by the Freedom of Information Act 2000 (FOIA). (Read the BBC’s Martin Rosenbaum and the Financial Times’ Chris Cook on this, I insist). The Information Commissioner has been very clear that his view is that information concerning official business held in private email accounts is subject to FOIA (he’s right, by the way) but Michael Gove, Secretary of State for Education, told the House of Commons Education Select Committee that

The advice that we had received from the Cabinet Office was that anything that was held on private email accounts was not subject to Freedom of Information requests.

So, when Lisa Nandy, MP for Wigan, tabled a question in parliament on 6 February asking if the Cabinet Office would publish

guidance on private emails and the Freedom of Information Act referred to in the Education Select Committee evidence session of 31 January 2012 as having been issued to the Department for Education.

It was, let’s say, not very encouraging for those of us who support the “transparency agenda” (as it seems it must be called) that she received the following response

Information relating to internal discussion and advice is not normally disclosed

Yep. That’s right – internal information about how a government department handles requests under FOIA is not to be disclosed.

It might be thought odd, or interesting, or both, that the minister who replied to Ms Nandy was Francis Maude, MP. I’ll leave you to write your own jokes.

1 Comment

Filed under Freedom of Information, Information Commissioner, transparency

STOP BOTHERING US!

I’m a customer of the mobile phone service provider O2. They’re OK. Probably much the same as the rest, but I’ve been with them for a few years now, and I’ve had no real problems with them. And every so often they give me an “upgrade” to a nice shiny new smartphone which half fools me into thinking I’m getting a nice deal.

This morning a corner (my favourite corner) of twitter was buzzing with news of a potential security flaw (or was it deliberate coding?) discovered by a twitter user by the name of @lewispeckover which meant that customers using O2’s mobile network to access the internet were inadvertently revealing their mobile phone number in the headers delivered when they visited a website. As Lewis succinctly put it

So, @O2 send my phone no in an HTTP header to every site I browse. WTF? Is this normal?

No, it’s not normal. Some people have very good reasons for not wanting their mobile numbers handed to third parties, especially when they aren’t aware that it’s being done, and I’m one of them (actually, I haven’t got a “very good reason”, other than I just don’t like it). I had intended blogging about why this incident might involve breaches of the first, second, seventh and eighth data protection principles in the Data Protection Act 1998 (DPA), regulations 6 and 7 of the Privacy and Electronic Communications Regulations 2003 (PECR) and chapter II of the Regulation of Investigatory Powers Act 2000 (RIPA). However, as the news got picked up, first by specialist media then mainstream, and as I realised that people were complaining in numbers to the Information Commissioner (IC), who regulates compliance with both the DPA and the PECR (although not RIPA), I decided that the issue was in the appropriate hands.
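The flaw described above is a carrier proxy injecting a subscriber identifier into every outbound HTTP request. As an added illustration (this is not code from the post, from O2 or from the ICO), the following Python shows what a website operator could do on receipt of such a request: parse the request head, flag any header that either has a name known to carry a subscriber number or whose value looks like a UK mobile number, and strip it before the request is logged or forwarded. The header name x-up-calling-line-id is the one reported at the time for the O2 case; the other names in the list, the sample request and the phone number in it are all constructed for this example and are not taken from the post.

```python
import re
from typing import Dict, List, Tuple

# Header names that carrier or transcoding proxies have used to carry a
# subscriber number. ASSUMPTION: x-up-calling-line-id is the name reported
# for the O2 incident; the others are illustrative and not from the post.
KNOWN_ID_HEADERS = {"x-up-calling-line-id", "x-msisdn", "x-up-subno", "x-nokia-msisdn"}

# A UK mobile number in international form: 447 followed by nine digits.
MSISDN_RE = re.compile(r"^\+?447\d{9}$")

# Constructed sample request, as a carrier proxy might deliver it to a site.
# 07700 900xxx is an Ofcom-reserved range, so this number belongs to nobody.
SAMPLE_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Mozilla/5.0 (Linux; Android 2.3)\r\n"
    "Accept: text/html\r\n"
    "x-up-calling-line-id: 447700900123\r\n"
    "\r\n"
)


def parse_request_headers(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split the head of an HTTP/1.x request into its request line and a
    dict of lower-cased header names to values."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    request_line, header_lines = lines[0], lines[1:]
    headers: Dict[str, str] = {}
    for line in header_lines:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers


def find_leaked_identifiers(headers: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (header, value, reason) for each header that appears to carry a
    subscriber number, either by name or because the value looks like one."""
    findings = []
    for name, value in headers.items():
        if name in KNOWN_ID_HEADERS:
            findings.append((name, value, "known carrier identifier header"))
        elif MSISDN_RE.match(value.replace(" ", "")):
            findings.append((name, value, "value looks like a UK mobile number"))
    return findings


def scrub_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Drop flagged headers so the number never reaches logs, analytics
    scripts or any third party the request is proxied to."""
    flagged = {name for name, _, _ in find_leaked_identifiers(headers)}
    return {k: v for k, v in headers.items() if k not in flagged}


if __name__ == "__main__":
    request_line, hdrs = parse_request_headers(SAMPLE_REQUEST)
    for name, value, reason in find_leaked_identifiers(hdrs):
        print(f"{request_line}: header {name!r} = {value!r} ({reason})")
    print("after scrubbing:", sorted(scrub_headers(hdrs)))
```

The value-based check matters because the exact header name varies between networks and proxies; matching only a fixed list would miss the next carrier that does the same thing under a different name. Scrubbing at the site is only a backstop, of course: the number has already left the handset and crossed the network by the time it arrives.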

But I still intended, when I got home from work tonight, making a complaint to that statutory regulator. This is a) an issue that concerns me, b) one I know something about, c) one that has made me a bit angry, and d) one I’m prepared to rant about. However, I noted, on my bus journey home, browsing the internet on my shiny smartphone via O2’s network, that the IC had updated his home page, and was saying

Today we’ve received a large number of complaints about an alleged data breach on the O2 mobile phone network.

We now have enough information to take this matter further, so there is no need for customers to complain to us.

Great. They’re taking the matter further. But hang on – they don’t want us to complain now, because they have enough information? Well, that’s a bit presumptuous, and risky (how do they know they’ve got enough information?). But also, it’s quite concerning. The IC has many powers available to him if he finds that a data controller has breached the DPA or the PECR. In assessing how bad a breach might be, he has to take into account various factors. For instance, from his own guidance on imposing Monetary Penalty Notices,

The number of individuals actually or potentially affected by the contravention

Hang on a minute.

The number of individuals actually or potentially affected by the contravention

Er.

I just question how you can properly assess how many people have been affected by an alleged contravention if you discourage people from complaining about that alleged contravention.

And not satisfied with this attempt at dissuasion, the IC took to tweeting the same message earlier this evening. He clearly doesn’t want any more people to send him complaints, but this could lead to a misleading assessment of the number of people actually affected. I’m sure that O2, in assisting the IC in his subsequent investigation, will tell him how many people were potentially affected, but, if I were them, I would say “well, only a small number actually complained, so it wasn’t that bad a breach, after all”.

And this is not the first time the IC has done this. Currently, the first question and answer on his “Data Protection for the Public” FAQs page are

Q: I have received a letter from Welcome Financial Services Limited. What should I do?

We have recently been informed of a data breach involving Welcome Financial Services Limited including its business Shopacheck. We believe they are taking steps to inform those affected. We will be making enquiries into the circumstances of the apparent breach of the Data Protection Act before deciding what action, if any, needs to be taken.

As we are already aware of this issue and in contact with Welcome Financial Services Limited, there is no need to submit further complaints to this office. [emphasis added, as if you needed to know]

I do try to defend the IC and his office, and I know they are always sorely lacking funds, but when a regulator, who is supposed to be receptive to complaints about alleged failures to comply with laws he regulates, actively discourages people from complaining, my enthusiasm for defending falters.

To the IC I ask, do you want me to complain, and say how I have been affected by O2’s handling of my personal data? And if not, why not?

2 Comments

Filed under Data Protection, Information Commissioner, PECR, Privacy

Potential big DPA fine for NHS Trust

The Argus, a Brighton newspaper, is reporting that Brighton and Sussex University Hospitals NHS Trust has been served with a “notice of intent to fine” by the Information Commissioner (IC), for a breach of the Data Protection Act 1998 (DPA). The sum proposed is £375,000.

Assuming the story is true, the notice of intent to fine would be, strictly, a notice of intent, under s55B of the DPA, to impose a Monetary Penalty Notice (MPN). MPNs were introduced into the DPA by the provisions of the Criminal Justice and Immigration Act 2008. They provide a means whereby the IC can impose financial sanctions on Data Controllers for serious contraventions of the data protection principles. The maximum amount for an MPN is £500,000, and the sums levied are not retained by the IC, but go to the consolidated fund.

The paper says

The incident relates to the theft of 232 drives out of 1,000 being decommissioned.

The Sussex Health Informatics Service was responsible for the disposal of the drives on the trust’s behalf and had appointed an individual to carry out the job.

In December 2010 it emerged four hard drives had been bought by a data recovery organisation on eBay.

The buyer contacted the trust and the drives were collected with the information destroyed.

An investigation revealed that 232 hard drives in total had been stolen and sold on.

The trust worked with the ICO, NHS Counter Fraud and Sussex Police and all the drives have been recovered.

The trust says there was a very low risk of any of the data being passed into the public domain.

Several points arise from this.

At a proposed £375,000 this MPN, if imposed, would be by far the highest so far served on a data controller. The previous highest – £130,000 – was imposed in December last year on Powys County Council.

The fact that news of the proposed MPN has come out before it has been actually served (that is, at the “notice of intent” stage) is perhaps connected with the fact that the Argus reports that “The trust says it will be contesting the fine”. By s55B(5) of the DPA a data controller in receipt of an MPN may appeal to the Information Tribunal against both the issue of the MPN, and the amount. If the Trust are contesting the fine now, they may ultimately decide to appeal to the Tribunal. This would be interesting: most of the guidance on sanctions for serious contraventions of the DPA comes from the IC himself, and from previous MPNs and undertakings. Many data controllers would find it helpful also to have some judicial analysis to draw on in these circumstances.

Until now, nearly all MPNs have been imposed on local authorities. I’ve previously questioned why this was, and posited that it would be a high risk move for the IC to serve an MPN on the NHS:

one wonders what sort of critical media coverage might ensue, as well as what the effect on the reputation of the DPA regime would be, if the IC were to impose hefty monetary penalties on the NHS. And as the sums levied go not towards improving general data security, but rather straight into the government consolidated fund, one begins to see why it might not be a particularly attractive option: a regulator who takes direly-needed money from the NHS, and places it in the government’s wallet, could well struggle to maintain popularity with the media and the public.

If this MPN is served, as intended, then the IC might be faced with headlines equating (for example) £375,000 to the amount it costs to employ a nurse or a doctor, or to provide essential but costly medical treatment. I hope (and I am sure) he has a strategy for such circumstances.

1 Comment

Filed under Breach Notification, Data Protection, Information Commissioner

Tweets and Tw*ts

A few days ago I tweeted @ICONews, the twitter account of the Information Commissioner (IC)

@ICONews any chance you can disclose (waive privilege?) legal advice/analysis of Letwin case? Important re: manual data/Cat E data #DPA

The context of this was that there had been some discussions in data protection circles, following the revelations about Oliver Letwin and his dumping of correspondence in the bins of St James’s Park, about whether in strict terms there would have been a breach of the Data Protection Act 1998 (DPA) (on this see similar questions raised by Stewart Room about Vince Cable’s recent incident).

The undertaking signed by Letwin didn’t make clear exactly how the IC had arrived at a decision that there had been a breach of the DPA, and I was keen to know more. So was fellow tweeter @tim2040 who asked me

@bainesy1969 Are you going to #FOI them or am I? Or did your tweet to them count?

When I sent my first tweet I hadn’t thought of it as a request made under the Freedom of Information Act 2000 (FOIA). However, knowing that a public authority must treat a request for information as such even if the requester does not “mention the Freedom of Information Act…although it may help to do so”, I realised that I had rather inadvertently made a formal request which the IC’s office had to respond to, in accordance with Part 1 of FOIA. I also know that it’s easy sometimes for a public authority to miss that a valid FOIA request has been made. So, in a spirit of helpfulness, I clarified:

@ICONews Just to confirm, this earlier tweet to you was request for information #FOI http://t.co/gUeqdwGg

I’ve now received a reply from @ICONews, which says

@bainesy1969 In line with our guidance please could you provide a postal or email address for further correspondence.

Now, I really don’t want to come across as a twit (what else did you think the asterisked word was in this post title?) but I know what their guidance says (it’s my job to know it)

The request must state the name of the applicant…A Twitter name may not be the requester’s real name, but the real name may be shown in their linked profile

as mine is

The request must also state an address ‘for correspondence’. Does this include Twitter names? The length of a tweet makes it difficult for the authority to respond fully, but there are ways of dealing with this. The authority could ask the requester for an email address in order to provide a full response. Alternatively, it could publish the requested information, or a refusal notice, on its website and tweet a link to that.

So I’ve gone back to them saying

@ICONews My name’s in my profile. In line with yr guidance cd you not publish info or refusal notice on yr site and tweet link to it?

A bit twattish twittish, I accept, and I’ll be extending an olive branch to the IC’s office by contacting them privately to give them my email address. However, it does raise interesting questions about the extent to which one has to put a request for information in “formal” terms for it to be recognised. I don’t know if the IC’s office would have recognised my original tweet as a request for information – maybe they would. But, as I say, I wasn’t thinking of FOIA when I made it – I was rather hoping that someone at the office would see it and think “Hey – it would be a good idea for us to publish a note explaining how we arrived at our findings in the Letwin case”.

I know of an incident where the press office at a Council received an enquiry from a local journalist. He and the press office were well-acquainted and on generally good terms. He asked for information about a council employee and an alleged criminal offence, and he was given an “unable to comment” response. He queried this and was told (correctly) that it was for data protection reasons. He, knowing something of the regulatory process, then complained to the IC. The problem was that the press office had followed their normal press enquiry procedures and consequently not issued a formal refusal notice under section 17 of FOIA. The IC, if he had been asked to issue a decision notice, could not have avoided a determination that there had been a breach of FOIA. However, I would suggest that neither the local media nor the Council’s press office could effectively function if every enquiry by a time-pressed local hack were dealt with as a formal FOIA request (with a 20 working day deadline).

I’m not sure there is an easy answer to this, and perhaps there will always be a grey area separating “general correspondence” from “FOI request”. However, public authorities who have a twitter account must be aware of the possibility (probability?) that they will receive requests for information, and that sometimes these won’t be clearly labelled as FOI requests. I would hope that, in the event that these end up as complaints to his office, the IC would show some understanding of the difficulties of applying the formal mechanisms of FOIA to circumstances which might warrant a less formal approach (as in fact he did in the press office case in the preceding paragraph).

Filed under Data Protection, Freedom of Information

Biting the Hand that Feeds – a Risky Business?

Bloggers in the fields of UK Information Rights can sometimes be critical of the Information Commissioner’s Office (ICO) (we can?). But that’s really because we love the IC and his people. Or, at least, we strongly support the existence of the office, and the principal functions it carries out. There may be disagreements on the decisions and actions taken, but many frustrations are caused by the restrictions on his powers, or as a result of the limited funding he gets.

I noticed earlier this week that Francis Maude, Minister for the Cabinet Office, had told parliament that his Department’s shocking record on compliance with Freedom of Information Act 2000 (FOIA) timescales (in the last quarter only 48% of responses met the 20-working-day deadline) was in part a result of the fact that

The Cabinet Office deals with FoI requests in relation to cabinet papers under the last government which takes some time to be dealt with because we need to consult with ministers in the last government.

As I suggested on twitter, it would be nice if we all could blame our predecessors for our heavy workload (I for one still can’t forgive Rupert Baxter for handing over that tricky planning file to me in 2002) but this really is not good enough as an excuse.

In the same period in which the Cabinet Office achieved 48% compliance, the Ministry of Justice (MoJ) achieved a still very poor 75% (by contrast the Department of Health achieved 99%, the Department for Culture, Media and Sport 96% and the Department for Work and Pensions 93% – all these figures are from the MoJ’s own quarterly stats). The MoJ is the sole provider, by means of grant in aid, of funding for the IC’s Freedom of Information work (the IC also receives approximately £15 million from the notification fee that data controllers pay to operate under the Data Protection Act 1998 (DPA), but this is ring-fenced for DPA work). This FOI grant amounted last year to approximately £5.5 million. However, that grant is at risk of reduction, and the IC is concerned about that. His risk register has recently been disclosed and this shows as a “red risk” a “gap between FOI resources and incoming casework affects FOI and DP casework…”, and it is clear that this risk potentially leads on to others, such as the “ICO reputation suffers because some of the risks facing the ICO materialise…”. None of this is real news, of course. Christopher Graham himself told the Home Affairs Select Committee

Like all public authorities, we are having to take our slice of the cuts. We are responding to that constructively, trying to achieve better for less. But the fact is that if we are asked to do more and more under the transparency and accountability agenda, we will need the resources to do it.

Now consider this: the IC is under a statutory duty to operate so as to ensure the observance by public authorities of their requirements under FOIA. One means by which he does this is to monitor authorities which repeatedly or seriously fail to respond to freedom of information requests within the appropriate timescales. This monitoring can be a precursor to further action, and the Cabinet Office was subject to such further action when it signed an undertaking with the IC in June this year to improve its performance.

The IC says that he is likely to monitor authorities if, among other criteria, “(for those authorities which publish data on timeliness) it appears that less than 85% of requests are receiving a response within the appropriate timescales”. Well, as we have seen, it certainly appears, from the published data, that less than 85% of requests to the MoJ are receiving a response within the appropriate timescales. Interestingly, in the previous quarter the figure was 83%, the quarter before that 87% and the quarter before that 88%. A downward trend like that is arguably further evidence of a need for monitoring, and it would be interesting to know if the IC takes this into account, or whether, perhaps, he takes an annual average from those quarterly stats.

So a simple question arises – when the next group of authorities whose compliance is being monitored is announced, will it include the MoJ? Will the IC risk biting the hand that feeds him?

Filed under Freedom of Information