Tag Archives: ICO

July 18, 2024 · 4:21 am

FOIA appeals in the UT: when is there an “error of law”?

Here is a good and interesting judgment in the Upper Tribunal from Judge Citron, on a Freedom of Information Act 2000 (FOIA) case arising from defects in the 2019 “11+” exam run by The Buckinghamshire Grammar Schools (TBGS), with test materials designed and supplied by a third party – GL Assessment Limited. TBGS, as a limited company made up of a consortium of state schools, is a public authority under s6(1)(b) FOIA (by way of s6(2)(b)).

The FOI request was, in broad terms, for the analysis that had subsequently been conducted into the defects, and the statistical solution that had been adopted.

TBGS had refused the request on grounds including that disclosure of the requested information would be an actionable breach of confidence. The ICO upheld this, and, on appeal, the First-tier Tribunal agreed, although only by a majority decision (the dissent was on the part of the judge, and it’s worth reading his reasons, at 85-90 of the FTT judgment).

Possibly bolstered by the vehemence of that dissenting view of the FTT judge, the applicant appealed to the Upper Tribunal.

Judge Citron’s judgment is a measured one, addressing how an appellate court should approach an argument to the effect that there was an error of law at first instance, with a run-through, at 35, of the authorities (unfortunately, from that point, the paragraph numbering goes awry, because the judgment, at “67”, follows the numbering of the judgment it has just quoted).

Judge Citron twice notes that a different FTT might have approached the facts and the evidence in a different way, and weighted them differently, but

that is no indicator of the evaluative judgement reached being in error of law…The question is whether the evaluative judgement…was one no reasonable tribunal could have reached on the evidence before it; it whether some material factor was not taken into account. I am not persuaded.

Therefore, the FTT had made no material error in dismissing the appeal.

A final note. This was a judgment on the papers, but – remember – the Information Commissioner will always be a party to FOIA cases, because it is his decision that is at issue. In this instance, the Commissioner chose not to participate. Paragraph 32 records that he was “directed” to make a response to the appeal, but did not. If this correctly records a failure by the Commissioner to comply with a direction of the court, it is surprising there’s no note of disapproval from the judge.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under FOIA, Freedom of Information, Information Commissioner, Information Tribunal, Upper Tribunal

Tagged as , ,

July 12, 2024 · 7:05 am

Unreasonably accessible – ICO and misapplication of s21?

I’ll start with a simple proposition: if a dataset is made publicly available online by a public authority, but some information on it is withheld – by a deliberate decision – from publication, then the total dataset is not reasonably accessible to someone making an FOI request for information from it.

I doubt that any FOI practitioners or lawyers would disagree.

Well, sit back and let me tell you a story.

In November 2023 the Information Commissioner’s Office (ICO) refused to disclose information in response to a Freedom of Information request, on the grounds that the exemption at section 21 of the Freedom of Information Act 2000 (FOIA) applied: the information was “reasonably accessible to the applicant” without his needing to make a FOIA request.

The request was, in essence, for “a list…of the names of all the UK parish councils that have received 20 or more ICO Decision Notices (for FOIA cases only) since 1st January 2014”. The refusal by the ICO was on the basis that

the search function on the decision notice section of the ICO website returned 415 decision notices falling within the scope of the complainant’s request…[therefore] it is possible to place the names of the parish councils into an Excel sheet and then establish quickly how many decision notices relate to each individual parish council.

The ICO noted that, when it comes to the application of section 21

It is reasonable for a public authority to assume that information is reasonably accessible to the applicant as a member of the general public until it becomes aware of any particular circumstances or evidence to the contrary [emphasis added]

On appeal to the Information Tribunal, the ICO maintained reliance on the exemption, saying that all the applicant needed to do was to go to the ICO website and “look at each entry and count-up [sic] the numbers of [Decision Notices] against each parish council”. The Tribunal agreed: the ICO had provided the requester

with a link to the correct page of the ICO website, and instructing him how to use the search function. These instructions have enabled him to identify from the tens of thousands of published decision notices those 415-420 notices which have been issued to parish councils over the past decade or so

All straightforward, if one’s analysis is predicated on an assumption that the ICO’s public Decision Notice database is a complete record of all decision notices.

But it isn’t.

I made an FOI request of my own to the ICO; for how many Decision Notices do not appear on the database. And the answer is 45. A number of possible reasons are given (such as that sensitive information was involved, or that there was agreement by the parties not to publish). But the point is stark: the Decision Notice database is not a complete record of all Decision Notices issued. And I do not see how it is possible for the ICO to rely on section 21 FOIA in circumstances like those in this case. It is plainly the case that the ICO knew (or was likely reckless in not knowing) that there were “particular circumstances or evidence” which showed that the information could not have been reasonably accessible to the applicant.

Of course, it is quite likely (perhaps inevitable) that the 45 unpublished Decision Notices would make no difference at all to a calculation of how many UK parish councils have received 20 or more Decision Notices since 1st January 2014. But that really isn’t the point. The ICO could have come clean – could have done the search itself and added in the 45 unpublished notices. It knew they existed, but for some reason thought it didn’t matter.

The ICO is the regulator of FOIA, as well as being a public authority itself under FOIA. It has to get these things right. Otherwise, why should any other public authority feel the need to comply?

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

4 Comments

Filed under access to information, datasets, Freedom of Information, Information Commissioner, Information Tribunal, section 21

Tagged as , ,

July 6, 2024 · 10:45 am

FOI and government/ministerial WhatsApps

[reposted from LinkedIn]

An important Information Tribunal (T) judgment on a FOIA request, by Times journalist George Greenwood, to DHSC for gov-related correspondence between Matt Hancock (MH) and Gina Coladangelo (GC), grappling with issues regarding modern messaging methods in government and how they fit into the FOIA scheme.

Two requests were made. The first was for government-related correspondence between MH and GC using departmental email accounts, and any private email account MH had used for government business. The second was for all correspondence between them using other methods, such as WhatsApp.

Request 1

DHSC had found four emails and by the time of the hearing had disclosed them. It maintained that no further info was held.

However DHSC argued that emails sent by MH’s private secretaries and not by MH himself were out of scope. Not so, said the T: “even if a private office email account is operated by a private secretary…correspondence with a private office email account ought to be regarded as correspondence with the relevant minister”. Accordingly, they upheld that part of the appeal and ordered further searches.

Request 2

DHSC had initially said, and ICO had agreed(!), that government-related WhatsApp messages sent from MH’s personal device were not “held” for the purposes of FOIA because they were not held “as part of the official record”. By the time of the hearing, all of the parties were agreed that this was an error, and the T ruled that section 3(2)(b) FOIA applied, and that “WhatsApp messages from Mr Hancock’s personal device were held [by MH] on a computer system on [DHSC’s] behalf”.

DHSC then sought to argue that WhatsApp messages in a group were not “correspondence” between MH and GC, saying (in the T’s formulation of DHSC’s argument) “unless correspondence consists of one person corresponding directly with another, it is not ‘true’ correspondence”. The T was dismissive of this: “correspondence in the age of multiple methods of electronic communication can take different forms…the fact that simply because one or other of the relevant parties did not respond or may not have responded to a particular message does not mean that communications within a WhatsApp group cannot be considered to be correspondence”. The T also rejected the related submission that a person posting a message to a WhatsApp group is “broadcasting”, rather than “corresponding”

(I have to say that I think the T probably overstepped here. I would tend to think that whether information in a WhatsApp group is correspondence or not should be determined on the facts, and not as a matter of general principle.)

Finally, the T did not warm to the evidence from an otherwise unidentified “Mr Harris” for the DHSC, to the effect that the request was vexatious on grounds of the burden. They therefore held that it was not. (As the messages were subsequently disclosed into the public domain during the Covid inquiry, not much turns on this.)

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, Freedom of Information, Information Commissioner, Information Tribunal, journalism

Tagged as , ,

July 1, 2024 · 10:57 am

Can you stop election candidates sending you post?

During every recent general election campaign I can remember, there have been social media posts where people complain that they’ve received campaign material sent to them, by name, in the post. Electoral law (whether one likes it or not) permits a candidate to send, free of charge, one such item of post regardless of whether the recipient has objected to postal marketing, in general or specific terms. This right is contained in section 91 of The Representation of the People Act 1983. So, if you don’t like it, lobby your new MP in a few weeks’ time to get it changed.

Given that it’s always a topic of contention, I welcome the Information Commissioner’s Office’s publishing of guidance (including on the “one item of post” point) for the public on “The General Election and my personal data – what should I expect?

What the guidance does not address, however, is a conflict of laws point. Article 21(2-3) of the UK GDPR create an absolute right to object to direct marketing and a consequent absolute obligation on a person not to process personal data for direct marketing purposes upon receipt of an objection. So how does this talk with the right given to electoral candidates to send one such communication?

Tim Turner has written on this point, in his “DPO Daily”, and says “I don’t think the Representation of the People Act trumps the DP opt-out right”, but – on this rare occasion – I think I disagree with him. This is because section 3(1) of the Retained EU Law (Revocation and Reform) Act 2023 provides that retained direct EU legislation – such as the UK GDPR – must be read and given effect in a way which is compatible with all domestic enactments, and, insofar as it is incompatible with them, those domestic enactments prevail.

So, the short answer to the title of this blog is “no” (although they can only send you just one personally addressed item).

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, elections, Information Commissioner, marketing, political parties, UK GDPR

Tagged as , , ,

June 4, 2024 · 6:16 pm

How far can a legal fiction go?

When the Information Commissioner, as a public authority subject to the Freedom of Information Act 2000 (FOIA), is required to consider, as regulator, his own handling of a FOIA request, he enters into a legal fiction, whereby he separates himself into two, along these lines (taken from a decision notice):

This decision notice concerns a complaint made against the Information Commissioner (‘the Commissioner’). The Commissioner is both the regulator of FOIA and a public authority subject to FOIA. He’s therefore under a duty as regulator to make a formal determination of a complaint made against him as a public authority…In this notice the term ‘ICO’ is used to denote the ICO dealing with the request, and the term ‘Commissioner’ denotes the ICO dealing with the complaint.

It’s a legal fiction because the Information Commissioner is a corporation sole: every single function he has vests in him (and he has powers of delegation).

With this in mind, it is interesting to consider section 132(1) of the Data Protection Act 2018. This provides that

A person who is or has been the Commissioner, or a member of the Commissioner’s staff or an agent of the Commissioner, must not disclose information which— (a) has been obtained by, or provided to, the Commissioner in the course of, or for the purposes of, the discharging of the Commissioner’s functions, (b) relates to an identified or identifiable individual or business, and (c) is not available to the public from other sources at the time of the disclosure and has not previously been available to the public from other sources. (Unless the disclosure is made with lawful authority.)

When partaking in the legal fiction described above, can it be said that the Commissioner, or the Commissioner’s staff, have obtained, or been provided with, information, when the Commissioner is the person who holds the information? I think not. And if I’m right, that should mean that the Commissioner cannot rely on the exemption at section 44 of FOIA, on the grounds that there is a statutory bar on disclosure. But that’s what he does in response to this recent FOIA request. It will be interesting if the applicant asks for a decision notice.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection Act 2018, Freedom of Information, Information Commissioner, Uncategorized

Tagged as , ,

June 1, 2024 · 10:43 am

EIR and sewage discharges: a shift in the ICO’s position

It’s interesting (and encouraging) to see that, in a notable shift of position, the Information Commissioner’s Office (ICO) is now ordering water companies to disclose data relating to allegedly unlawful discharges of dry spillage sewage.

Previously, the ICO had tended to agree with the companies’ arguments that disclosure would adversely affect investigations by Ofwat and the Environment Agency, and the information was, therefore, exempt from disclosure under regulation 12(5)(b) of the Environmental Information Regulations 2004 (EIR). Those arguments were rather forcefully undermined by a statement to the Public Accounts Committee by the CEO of Ofwat last November that

We do not think that the investigation itself is a good reason for companies not to provide data. They have some legal obligations to disclose information, and there is a process for working that through. That process does not involve Ofwat directly, but we would encourage companies to be open and transparent about their environmental performance.

Additionally, the ICO has taken note of the judgment of the Information Tribunal in the recent Lavelle case.

This Decision Notice neatly summarises the issues and the ICO’s new position.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, Environmental Information Regulations, Information Commissioner, Uncategorized

Tagged as ,

April 30, 2024 · 5:58 am

ICO applies public sector fine approach to charity

The Information Commissioner’s Office has fined the CENTRAL YOUNG MEN’S CHRISTIAN ASSOCIATION (YMCA) of London £7500.

The penalty notice is not published at the time of writing (nor anything else yet on the ICO website), although the fine is said to have already been paid, and the press release issued by the ICO says the fine was issued for “a data breach where emails intended for those on a HIV support programme were sent to 264 email addresses using CC instead of BCC, revealing the email addresses to all recipients. This resulted in 166 people being identifiable or potentially identifiable”.

The press release also says that the fine was reduced from an initially-recommended £300,000, “in line with the ICO’s public sector approach”. When I queried the rather obvious point that a charity is not a public authority, an ICO spokesman initially told me that “as Central YMCA is a charity that does a lot of good work, they engaged with us in good faith after the incident happened, recognised their mistake immediately and have made amends to their processing activities and they paid the fine in full straight away, we applied the spirit of the public sector approach to them even though they’re not strictly a public sector body”.

This led to a further follow-up query from me because as a matter of logic and timing, how could the fact that a controller “paid the fine in full straight away” be a mitigating factor in reducing the amount of the fine to be paid? The further response was “The point was that they engaged fully and subsequently paid the fine in full, thus confirming our position that they were engaging and taking the breach seriously. The calculation comes before the payment which has no bearing on the assessed amount.”

I’m not quite sure what to make of this. Can any controller which “does a lot of good work”, engages with the ICO in good faith and remedies processing activities also benefit from a 3900% decrease in fine from an originally-recommended sum? What does “a lot of good work” mean? Is it something only charities do? What about private companies with a strong ESG ethos, or who make significant charitable contributions?

[this post was originally published on my LinkedIn page.]

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, fines, Information Commissioner, LinkedIn Post, monetary penalty notice, Uncategorized

Tagged as ,

March 9, 2024 · 11:02 am

A sad procedural judgment

In 1973, Pat Campbell, a Catholic factory worker from Banbridge, Northern Ireland, was shot and killed in front of his wife and children, at their family home.

No one was ever convicted of Pat Campbell’s murder, but for many years it has been believed that the killer was senior Ulster Volunteer Force member Robin “The Jackal” Jackson. Jackson – suspected of being responsible for, but never convicted of, at least 50 killings during the Troubles – was also suspected of having links with British military intelligence agencies.

In 2022 Pat Campbell’s widow reached a settlement with the Police Service of Northern Ireland, or PSNI (successor to the Royal Ulster Constabulary, or RUC) of a civil claim for damages, in which she alleged negligence and misfeasance in public office. The BBC reported at the time that “a former RUC officer and two ex-military intelligence officers were set to give evidence about Jackson’s alleged role”.

In the same year as Pat Campbell was murdered, a British intelligence officer wrote a report which is understood to have proposed increasing the RUC’s special branch’s intelligence gathers capabilities.

In 2021 journalist Phil Miller took a case under the Freedom of Information Act 2000 (FOIA) to the Information Tribunal, seeking disclosure by the PSNI of the Morton Report. However, the Tribunal upheld the Information Commissioner’s decision that PSNI were entitled to withhold the report because of the FOIA absolute exemption in relation to information supplied to a public authority by the Security Service.

Mrs Campbell, herself, however, still sought to get hold of the Morton Report. I know this because of a sad procedural judgment from the Information Tribunal.

She is identified as the appellant in case EA/2023/0276, an appeal from ICO decision notice IC-173342-D4D8. But as the judgment explains, she has since died, and the Tribunal has accordingly struck out the proceedings, under rule 8(2) of the procedure Rules, for want of jurisdiction. This is because, although The Law Reform (Miscellaneous Provisions) Act 1934 permits a “cause of action” to proceed after a claimant has died, for the benefit of the deceased’s estate, the Tribunal held, applying the same approach the Upper Tribunal took in a previous case in relation to data protection rights, a FOIA appeal is not a “cause of action” (Letang v Cooper [1965] 1 QB 232 applied). Instead, “‘[the] procedure is no more than a statutory appeal route, a procedural mechanism, for challenging’, in this case, the issue of the decision notice by the Information Commissioner”.

It seems doubtful, in any case, that Mrs Campbell would have succeeded: the exemption at section 23 is effectively insuperable.

But, of course, the PSNI has discretion to disclose information. As the ICO’s decision notice notes, the PSNI previously decided to disclose a redacted version of the 1980 Walker Report on RUC Special Branch informant handling, after the Committee on Administration of Justice took another FOIA case to the Information Tribunal.

There is no reason to suggest the same would happen if another case involving a request for the Morton Report reached the Tribunal again, but someone might consider it worth trying.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, Freedom of Information, Information Commissioner, Information Tribunal, police

Tagged as , , ,

March 1, 2024 · 7:02 am

John Edwards evidence to the Angiolini inquiry

On 29 February Lady Elish Angiolini published the first report from her inquiry into how off-duty Metropolitan police officer Wayne Couzens was able to abduct, rape and murder Sarah Everard.

Information Commissioner John Edwards contributed to the inquiry, and his evidence is cited at 4.320 (the paragraph is quoted below). It deals with the profoundly important (and perennially misunderstood) issue of data-sharing within and between police forces.

Although for obvious reasons the identity and content of some witness evidence to the inquiry is being kept anonymous, there should be no obvious reason that Mr Edwards’s is, and I hope that the Information Commissioner’s Office will, in addition to publishing his press statement, also publish any written evidence he submitted. It would also be good to know the details of the work Mr Edwards says his office is doing, and continuing, with the police, in this context.

In discussions with senior leaders of relevant organisations, the Inquiry was told that gaps in information-sharing between human resources, recruitment, professional
standards and vetting teams – and, indeed, between forces themselves – were a
significant barrier to capturing a clear picture of officers. The Inquiry heard from different sources, including senior leaders, that there are significant barriers to
information-sharing. Some cite data privacy and protection laws as a reason not to
share information. However, in a discussion with the Information Commissioner, John Edwards, the Inquiry was assured that data protection law recognises that there are legitimate reasons for information-sharing, particularly given the powers attributed to police officers. Indeed, Mr Edwards suggested that data protection law is widely misunderstood and misconstrued, and highlighted a failure of training in this regard.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, Data Protection, data sharing, Information Commissioner, police

Tagged as , , ,

March 1, 2024 · 6:48 am

How did George Galloway come to send different canvassing info to different electors?

As electors went to the polls in the Rochdale by-election on 29 February, a few posts were made on social media showing the disparity between letters sent to different electors by candidate George Galloway. An example is here

On the face of it, Galloway appears to have hoped to persuade Muslim voters to vote for him based on his views on a topic or topics he felt would appeal to them, and others to vote for him based on his views on different topics.

It should be stressed that there is nothing at all wrong that in principle.

What interests me is how Galloway identified which elector to send which letter to.

It is quite possible that a candidate might identify specific roads which were likely to contain properties with Muslim residents. And that, also would not be wrong.

But an alternative possibility is that a candidate with access to the full electoral register, might seek to identify individual electors, and infer their ethnicity and religion from their name. A candidate who did this would be processing special categories of personal data, and (to the extent any form of automated processing was involved) profiling them on that basis.

Article 9(1) of the UK GDPR introduces a general prohibition on the processing of special categories of personal data, which can only be set aside if one of the conditions in Article 9(2) is met. None of these immediately would seem available to a candidate who processes religious and/or ethnic origin data for the purposes of sending targeted electoral post. Article 9(2)(g) provides a condition for processing necessary for reasons of substantial public interest, and Schedule One to the Data Protection Act 2018 gives specific examples, but, again, none of these would seem to be available: paragraph 22 of the Schedule permits such processing by a candidate where it is of “personal data revealing political opinions”, but there is no similar condition dealing with religious or ethnic origin personal data.

If such processing took place in contravention of the prohibition in Article 9, it would be likely to be a serious infringement of a candidate’s obligations under the data protection law, potentially attracting regulatory enforcement from the Information Commissioner, and exposure to the risk of complaints or legal claims from electors.

To be clear, I am not saying that I know how Galloway came to send different letters to different electors, and I’m not accusing him of contravening data protection law. But it strikes me as an issue the Information Commissioner might want to look into.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

3 Comments

Filed under access to information, Data Protection, Data Protection Act 2018, data sharing, Information Commissioner, political parties, UK GDPR

Tagged as , , ,