Earlier this month John Edwards, former Privacy Commissioner and Barrister in New Zealand, replaced Elizabeth Denham as Information Commissioner. The job of Information Commissioner is a significant one with many challenges. He has began what he calls a “listening exercise”. I have completed the survey, which didn’t give much room for comment. I thought I would place a more detailed outline of my thoughts here; more as an exercise for expressing my own frustrations with the ICO and to perhaps give others some ideas about what they can include in their own response to the Commissioner’s survey.
Freedom of Information
Under this heading, for the sake of clarity, I’m not simply referring to the Freedom of Information Act 2000, but also to both the Environmental Information Regulations 2004 and the more obscure INSPIRE Regulations 2009 (which are concerned with spatial data).
FOI, especially the Freedom of Information Act 2000 and the Environmental Information Regulations 2004, is, as the Commissioner has himself acknowledged, critical to our democracy. They are a means for individuals to find out what is going on in areas that interest or directly affect them and to obtain information which they can use to help keep public bodies and officials accountable.
There are two main areas of concern, from my perspective, with the ICO in respect of FOI: (1) length of time taken to deal with regulatory complaints; (2) the apparent reluctance of previous commissioners to make full use of their enforcement powers in this area.
Turning first to the issue of delay; currently it is taking around 6 months for complaints, once received, to be allocated for investigation. That means that for up to six months the complaint is just sitting there, with absolutely nothing happening. The last decision notice I received from the Commissioner, was issued 11 months and 18 days after the complaint had been made to the ICO. This is unhelpful, and quite frankly, unacceptable. In many cases, these delays at the ICO are compounding already significant delays by some public bodies. There are some public authorities with well-known compliance issues in this area, where requests can take upwards of 6 months to be dealt with by the authority; meaning from request to ICO decision it can be upwards of 18 months.
FOI is a critical tool in helping individuals, community groups, journalists and others hold public bodies and officials to account. In a great many cases the value of the information sought diminishes over time; if information is being sought to help oppose, for example, changes to the provision of services in local communities, the delays at the ICO significantly hamper (and indeed damage) the usefulness of FOI in this area. If information is only, finally, being released several years after it was first requested it has almost certainly come far too late to be of any use to those requesting it.
The length of time that it takes for a FOI request to be dealt with is, in some respects, hampered by the legislation itself, with provisions for open-ended extensions for consideration of the public interest test and no statutory timescales (beyond the statutory Code of Practice) in relation to internal reviews. These have both been highlighted to Parliament on several occasions, but no legislative action has been forthcoming to deal with these issues. However, I will return to this in a moment.
What is completely within the control of the Commissioner is how long it takes his office to deal with matters once complaints have been made. A priority for the Commissioner should be looking to significantly reduce the backlog; and put in place systems that ensure complaints are being dealt with promptly once they end up with his office. The Scottish Commissioner (who, granted, has a much smaller office and a much smaller scope of responsibility in that he only deals with FOI complaints concerning Scottish public authorities) has an average closure time of just 4.37 months (2020-21), with 60% of all complaints to his office being dealt with within 4 months (the Freedom of Information (Scotland) Act 2002 makes provision for the Scottish Commissioner to deal with all such complaints within 4 months, but there is flexibility). It is not a like-for-like comparison due to the significant differences in volumes of work; however, the ICO needs to put more effort and resources into trying to resolve complaints much more quickly.
Turning to the issue of enforcement; some public authorities have a horrendous reputation for compliance with FOI, especially around the timeliness of responses. For some authorities these issues have existed for a decade or more. Previous Commissioners have seemed not just reluctant but almost wholly disinterested in exercising the significant enforcement powers that they possess to tackle problems here. Some public authorities have been having their compliance closely monitored by the ICO for years with no discernible improvement. Yet, no formal enforcement action has been taken to force these public authorities to make significant improvements.
Enforcement must be proportionate; formal enforcement powers should not, in most cases, be a first resort. However, they must be utilised if the ICO is going to be taken seriously as a regulator. Other authorities watch what the ICO is doing; there is currently no real incentive to engage with the ICO over poor FOI performance. The threat of formal enforcement action effectively doesn’t exist because of the apparent reluctance of the ICO to use its enforcement powers. The ICO needs to adopt a much more robust approach to regulation, which can be achieved in a way that is consistent with the relevant provisions of the Legislative and Regulatory Reform Act 2006.
Some of the problems that exist with the ICO’s FOI function also exist in relation to its Data Protection function. When it comes to Data Protection, the ICO is too business friendly and has often acted more like a think-tank than a regulator in this field.
As I have already said, enforcement must be proportionate. However, the ICO needs to remember that it is a regulator first and foremost. It is not a professional adviser for data controllers; there are lawyers and data protection consultants out there who can (and should) be fulfilling the professional advisor role. The balance between the informal methods of encouraging compliance and the formal methods of enforcing compliance have been all wrong. The ICO is obliged to have guidance in place, but it is not its sole purpose to produce and promulgate guidance.
The Regulators’ Code [pdf] (which applies to the ICO) does require regulators to carry out their activities in a way that supports those they regulate to comply and grow. It provides that “[r]egulators should avoid imposing unnecessary regulatory burdens through their regulatory activities and should assess whether similar social, environmental and economic outcomes could be achieved by less burdensome means.” However, it appears that the ICO has historically taken this to a degree that is inappropriate.
The Regulators’ code also provides that “[i]f a regulator concludes, on the basis of material evidence, that a specific provision of the Code is either not applicable or is outweighed by another relevant consideration, the regulator is not bound to follow that provision, but should record that decision and the reasons for it.” The balance is all wrong with the ICO; it appears to focus too much on the provisions of section 1 of the Regulators’ Code and not enough on forcing compliance where other, less burdensome, means have obviously failed.
In short, the ICO needs to re-orientate its relationship with those it regulates so that it is in a much stronger position to deploy its considerable enforcement powers when needed. When it comes to data protection, the most powerful tool at the ICO’s disposal is not the fines that it can levy but rather the power to issue Enforcement Notices; these can be used to force controllers to stop processing personal data altogether, or in certain ways, and they can be used to require data controllers to take certain specified steps to bring them into compliance.
The recent Enforcement Notice [pdf] issued to the Ministry of Justice is an example of formal enforcement action coming far too late; the MoJ has a backlog of many thousands of Subject Access Requests. The ICO records in its Enforcement Notice that it first became aware that the MoJ’s backlog had grown again (following an Enforcement Notice in 2017) in January 2019. It then records a shift in the ICO’s enforcement activities as a result of the COVID-19 pandemic, but that was more than a year after the ICO first became involved with the MoJ, for a second time, over its compliance with the right of subject access. An Enforcement Notice was then issued in January 2022, almost 2 years to the day after it started to get involved with the MoJ for a second time. This is, in my opinion, an example of a failure in regulation. The ICO watched as the MoJ continued to fail in a basic and important aspect of data protection law; much earlier formal intervention ought to have been taken (especially given that this was the second time the ICO had to get involved with the controller over the same issue).
The overriding issue with the ICO, in my opinion, is that it has got the balance wrong between soft and hard regulation. The ICO needs to adopt a much more robust approach to regulation; neither the 2006 Act nor the Regulators’ Code prohibits this. However, the ICO seems to have become paralysed in its regulatory activity in a way that the neither the 2006 Act, nor the Code which flows from it, intended.