We have not in the past had a system to check the identity of requesters but have now implemented a system to randomly seek proof of identity. (Emphasis added)
Section 8 of the Freedom of Information Act 2000 (FOI Act) does require that an applicant provide their real name when making a request for information. However, nothing within the legislation actually provides that a public authority can check the identity of an applicant. Where a public authority believes that an applicant may be making their request under a pseudonym then it has become practice that rather than simply refusing the request that public authority gives the applicant an opportunity to prove their identity. After all, this is something that they would be required to do if they wished to complaint to the Information Commissioner that a public authority has failed to comply with a valid FOI request (the request not being valid if it fails to use the applicant’s real name).
There are a number of reasons why the true identity of the applicant is needed. Firstly, the authority needs to ensure that what is being made is not actually a Subject Access Request under the Data Protection Act. This requires the authority to follow a separate framework for providing the information and the FOI Act provides an absolute exemption to a public authority where the applicant is requesting their own personal information (Section 40(1)).
There is also the question of considering whether a request is vexatious or repeated. That might be harder to do if a person is able to make applications for information under one or more pseudonyms. A public authority is not required to comply with a request for information that it deems is vexatious or repeated (Section 14). This is to try and safeguard public money. Providing answers to requests for information costs public authorities in both time and money and it is not right that they be required to comply with a request that is vexatious or one which is repeated.
The final main reason as to why it is important to know the identity of the applicant is so that it can properly apply the fees regulations. A public authority is not required to comply with a request if to do so would exceed the appropriate fee (either £450 or £600 depending on the authority). Again, this is about safeguarding public resources. The providing of information to an applicant should not cause a significant drain on the public authority’s resources. Public Authorities exist to provide specific functions and their finances are better spent on providing those functions to the public (although I do believe that FOI is necessary and essential, it’s reasonable that the costs of FOI are limited). Public authorities can group similar requests by an applicant made together and if those requests as a whole would exceed the appropriate cost limit then they can all be refused on costs grounds. This is to prevent applicants simply splitting their requests up into smaller chunks in a bid to avoid the cost limitations. If an applicant is able to make these smaller requests under various pseudonyms it would defeat the purpose of having the fee limit and the aggregation provisions in the first place.
However, at the same time a public authority is supposed to treat a request for information in a way that is blind to the applicant and to the motives of the applicant for requesting the information. While not expressly stated in the legislation the lack of any reference to being able to refuse on the grounds of who made or why the request was made (beyond vexatious and repeated requests) has been taken to mean that the authorities should be blind to these matters when processing the request.
So, what does all this have to do with the quote I mentioned at the start of this article? Well, quite simply Bristol City Council has said that it has introduced a process of randomly checking the identities of FOI applicants. This would go against what the Information Commissioner and the Tribunal considers to be the appropriate way to deal with an FOI request. It is not being blind to the applicant or their motives and without having a good reason for requesting proof of identity the Council could land itself in a spot of bother if it fails to respond to what is a valid request for information within the statutory framework. There are strict time limits laid out in the FOI Act as to when an applicant must receive a substantive response to their request for information (including a notice refusing the request).
When I telephoned the Council in October to confirm that they really did mean a random check I was told that this was in fact their policy. I then spoke with the Information Commissioner’s Office who said that if this did turn out to be the case that they would be concerned about such a policy.
I made an Information request pursuant Section 1(1) of the FOI Act (this is what gives people the right to approach a public authority for information). The Council responded to the request for information on 23 November 2011. The Council’s response did not actually comply with the requirements of the FOI Act. It took the request as being “what is the Council’s policy on this” rather than actually supplying the content of the policy documents as requested by me (among other things). The Council failed to tell me whether it held the information and to provide it to me (or a notice that it was exempt), but instead sent me to its website which contained a short paragraph on checking the identity.
As the Council had failed to respond to the request for information I sought from the Council a review into its response. The FOI Act doesn’t set out any statutory timescales for responding to such requests (unlike the Scottish FOI Act), however the Information Commissioner has issued guidance on this matter to fill the gap left by it not being provided for in the legislation. The Information Commissioner’s guidance states that:
[T]he Commissioner considers that a reasonable time for completing an internal review is 20 working days from the date of the request for review. There may be a small number of cases which involve exceptional circumstances where it may be reasonable to take longer. In those circumstances, the public authority should, as a matter of good practice, notify the requester and explain why more time is needed.
In our view, in no case should the total time taken exceed 40 working days.
In my request for review I made reference to the Information Commissioner’s guidance and let the public authority know that I would contact them if I hadn’t received a response from them (whether that be a full response or notification that it had not been possible to conduct a review) by a certain date. This date represented the twentieth working day following receipt. The Council didn’t respond and so I have written to them prompting them and advising them that if no response is forthcoming by a specified date that I would exercise my rights under Section 50 of the FOI Act and apply for a decision from the Information Commissioner to the effect that they failed to comply with the request for information.
Are Bristol City Council being evasive? If they are why would this be? One can only speculate, but it would seem rather odd that the request could not be answered fully within the twenty working days permitted by the request (subject to any public interest considerations). The bulk of the request related to policy documents presumably held by their FOI Officer given it relates to their FOI policy. The remained related to communications either internally or with the ICO when developing the policy.
It will be interesting to see what comes back from Bristol City Council in terms of their policy on identity checking. Their failure to answer the request the first time and the delay without explanation in conducting the internal review does put more weight to the “being evasive” category. What exactly does Bristol City Council have to hide?
The request made and all associated written correspondence can be viewed here. Certainly worth keeping an eye on to see what happens.