Category: Information Commissioner

A New Commissioner, a New Approach?

Earlier this month John Edwards, former Privacy Commissioner and Barrister in New Zealand, replaced Elizabeth Denham as Information Commissioner. The job of Information Commissioner is a significant one with many challenges. He has begun what he calls a “listening exercise”. I have completed the survey, which didn’t give much room for comment. I thought I would place a more detailed outline of my thoughts here; more as an exercise for expressing my own frustrations with the ICO and to perhaps give others some ideas about what they can include in their own response to the Commissioner’s survey.

Freedom of Information

Under this heading, for the sake of clarity, I’m not simply referring to the Freedom of Information Act 2000, but also to both the Environmental Information Regulations 2004 and the more obscure INSPIRE Regulations 2009 (which are concerned with spatial data).

FOI, especially the Freedom of Information Act 2000 and the Environmental Information Regulations 2004, is, as the Commissioner has himself acknowledged, critical to our democracy. They are a means for individuals to find out what is going on in areas that interest or directly affect them and to obtain information which they can use to help keep public bodies and officials accountable.

There are two main areas of concern, from my perspective, with the ICO in respect of FOI: (1) length of time taken to deal with regulatory complaints; (2) the apparent reluctance of previous commissioners to make full use of their enforcement powers in this area.

Turning first to the issue of delay; currently it is taking around 6 months for complaints, once received, to be allocated for investigation. That means that for up to six months the complaint is just sitting there, with absolutely nothing happening. The last decision notice I received from the Commissioner was issued 11 months and 18 days after the complaint had been made to the ICO. This is unhelpful, and quite frankly, unacceptable. In many cases, these delays at the ICO are compounding already significant delays by some public bodies. There are some public authorities with well-known compliance issues in this area, where requests can take upwards of 6 months to be dealt with by the authority; meaning from request to ICO decision it can be upwards of 18 months.

FOI is a critical tool in helping individuals, community groups, journalists and others hold public bodies and officials to account. In a great many cases the value of the information sought diminishes over time; if information is being sought to help oppose, for example, changes to the provision of services in local communities, the delays at the ICO significantly hamper (and indeed damage) the usefulness of FOI in this area. If information is only, finally, being released several years after it was first requested it has almost certainly come far too late to be of any use to those requesting it.

The length of time that it takes for a FOI request to be dealt with is, in some respects, hampered by the legislation itself, with provisions for open-ended extensions for consideration of the public interest test and no statutory timescales (beyond the statutory Code of Practice) in relation to internal reviews. These have both been highlighted to Parliament on several occasions, but no legislative action has been forthcoming to deal with these issues. However, I will return to this in a moment.

What is completely within the control of the Commissioner is how long it takes his office to deal with matters once complaints have been made. A priority for the Commissioner should be looking to significantly reduce the backlog; and put in place systems that ensure complaints are being dealt with promptly once they end up with his office. The Scottish Commissioner (who, granted, has a much smaller office and a much smaller scope of responsibility in that he only deals with FOI complaints concerning Scottish public authorities) has an average closure time of just 4.37 months (2020-21), with 60% of all complaints to his office being dealt with within 4 months (the Freedom of Information (Scotland) Act 2002 makes provision for the Scottish Commissioner to deal with all such complaints within 4 months, but there is flexibility). It is not a like-for-like comparison due to the significant differences in volumes of work; however, the ICO needs to put more effort and resources into trying to resolve complaints much more quickly.

Turning to the issue of enforcement; some public authorities have a horrendous reputation for compliance with FOI, especially around the timeliness of responses. For some authorities these issues have existed for a decade or more. Previous Commissioners have seemed not just reluctant but almost wholly disinterested in exercising the significant enforcement powers that they possess to tackle problems here. Some public authorities have been having their compliance closely monitored by the ICO for years with no discernible improvement. Yet, no formal enforcement action has been taken to force these public authorities to make significant improvements.

Enforcement must be proportionate; formal enforcement powers should not, in most cases, be a first resort. However, they must be utilised if the ICO is going to be taken seriously as a regulator. Other authorities watch what the ICO is doing; there is currently no real incentive to engage with the ICO over poor FOI performance. The threat of formal enforcement action effectively doesn’t exist because of the apparent reluctance of the ICO to use its enforcement powers. The ICO needs to adopt a much more robust approach to regulation, which can be achieved in a way that is consistent with the relevant provisions of the Legislative and Regulatory Reform Act 2006.

Data Protection

Some of the problems that exist with the ICO’s FOI function also exist in relation to its Data Protection function. When it comes to Data Protection, the ICO is too business friendly and has often acted more like a think-tank than a regulator in this field.

As I have already said, enforcement must be proportionate. However, the ICO needs to remember that it is a regulator first and foremost. It is not a professional adviser for data controllers; there are lawyers and data protection consultants out there who can (and should) be fulfilling the professional adviser role. The balance between the informal methods of encouraging compliance and the formal methods of enforcing compliance has been all wrong. The ICO is obliged to have guidance in place, but it is not its sole purpose to produce and promulgate guidance.

The Regulators’ Code [pdf] (which applies to the ICO) does require regulators to carry out their activities in a way that supports those they regulate to comply and grow. It provides that “[r]egulators should avoid imposing unnecessary regulatory burdens through their regulatory activities and should assess whether similar social, environmental and economic outcomes could be achieved by less burdensome means.” However, it appears that the ICO has historically taken this to a degree that is inappropriate.

The Regulators’ Code also provides that “[i]f a regulator concludes, on the basis of material evidence, that a specific provision of the Code is either not applicable or is outweighed by another relevant consideration, the regulator is not bound to follow that provision, but should record that decision and the reasons for it.” The balance is all wrong with the ICO; it appears to focus too much on the provisions of section 1 of the Regulators’ Code and not enough on forcing compliance where other, less burdensome, means have obviously failed.

In short, the ICO needs to re-orientate its relationship with those it regulates so that it is in a much stronger position to deploy its considerable enforcement powers when needed. When it comes to data protection, the most powerful tool at the ICO’s disposal is not the fines that it can levy but rather the power to issue Enforcement Notices; these can be used to force controllers to stop processing personal data altogether, or in certain ways, and they can be used to require data controllers to take certain specified steps to bring them into compliance.

The recent Enforcement Notice [pdf] issued to the Ministry of Justice is an example of formal enforcement action coming far too late; the MoJ has a backlog of many thousands of Subject Access Requests. The ICO records in its Enforcement Notice that it first became aware that the MoJ’s backlog had grown again (following an Enforcement Notice in 2017) in January 2019. It then records a shift in the ICO’s enforcement activities as a result of the COVID-19 pandemic, but that was more than a year after the ICO first became involved with the MoJ, for a second time, over its compliance with the right of subject access. An Enforcement Notice was then issued in January 2022, almost 2 years to the day after it started to get involved with the MoJ for a second time. This is, in my opinion, an example of a failure in regulation. The ICO watched as the MoJ continued to fail in a basic and important aspect of data protection law; much earlier formal intervention ought to have been taken (especially given that this was the second time the ICO had to get involved with the controller over the same issue).

Conclusion

The overriding issue with the ICO, in my opinion, is that it has got the balance wrong between soft and hard regulation. The ICO needs to adopt a much more robust approach to regulation; neither the 2006 Act nor the Regulators’ Code prohibits this. However, the ICO seems to have become paralysed in its regulatory activity in a way that neither the 2006 Act, nor the Code which flows from it, intended.

Procedures, Training and Data Protection

On Thursday last week the Information Commissioner’s Office published a Monetary Penalty Notice that it had served upon a GP Surgery in England for breaches of the Data Protection Act 1998.  The Notice cited the all too familiar seventh data protection principle.  This data protection principle broadly requires a data controller to have in place adequate technical and organisational measures to protect personal data.  It is the data protection principle which features in almost all of the Information Commissioner’s enforcement in relation to the Data Protection Act.

The Monetary Penalty Notice served on the GP Practice arose out of the practice’s handling of a Subject Access Request which it had received.  The request was received in respect of a child patient from one of the patient’s parents (the child’s father).  The child’s parents had separated sometime before and that separation had not been amicable.  The child’s mother had moved and did not want the father knowing where she was currently living.  The mother’s new address was contained within the child’s medical records.

The practice handled the Subject Access request and sent the father everything that was contained within the child’s medical records.  These records were subsequently lodged in court as part of ongoing court proceedings between the parents.  The records were then forwarded onto the mother who discovered that her personal data had been disclosed to the father in response to the subject access request concerning the child as well as personal data relating to another child not related to the father and other personal information that should not have been disclosed to the child’s father.

The Monetary Penalty Notice records that there had been no training given in respect of the handling of Subject Access Requests and that there were no procedures within the practice for the handling of these requests.  In this case the disclosure was not checked before it was sent out to ensure that there was nothing within the records that ought to be excluded.

The handling of Subject Access Requests is not straightforward.  It is not simply a matter of printing out all of the records held and posting them or downloading them and E-mailing them to the data subject.  The information has to be carefully gone through to identify any third party personal data so that decisions can be taken about whether or not that third party personal data can or should be disclosed.  Furthermore, there are a range of exemptions that can be applied to information that is held – some of which may well apply to medical records – which enable the data controller to refuse to provide that information in response to a Subject Access Request.  That is in addition to the other (often forgotten) rights contained in Section 7 of the Data Protection Act 1998.

Given the complexity of handling such requests it is important that there are proper procedures in place as to how such requests should be handled.  This should cover everything from the recording of the request having come in through to identifying the data subject’s personal data, considering it for disclosure, compiling the disclosure, checking and recording that the response has been sent (and everything else not mentioned in that list).

It’s not just a case of having in place a procedure; everyone who is involved in the process needs to have training appropriate to the functions that they are performing.  Those who are responsible for identifying what should be disclosed should have proper training to enable them to identify third party information as well as the information which could potentially be withheld.  That training must also be regular to ensure that persons involved in the process are kept up-to-date with the procedures and any changes in the relevant law – regular training is especially important for people who rarely handle Subject Access Requests.

Having in place good quality, detailed procedures together with a comprehensive training programme can substantially reduce the risk of experiencing a data breach.  If things do go wrong, having in place good quality, detailed procedures (compliance with which is being regularly monitored) and a comprehensive training programme can substantially mitigate any regulatory action taken by the Information Commissioner.

Round-Up on DPA and PECR: September 2015

A new, trial feature on the blog in which I take a monthly look at the Monetary Penalty and Enforcement Notices issued by the ICO together with the formal undertakings also published.


September has seen the Information Commissioner issue two Monetary Penalty Notices in respect of breaches of PECR and publish three formal undertakings following breaches of the DPA.

General Dental Council

The General Dental Council (‘the GDC’), a statutory regulator, gave the Commissioner an undertaking to comply with the seventh Data Protection Principle.  This followed an incident in which fitness to practice allegations and a CD containing background information relative to the allegations were sent to the wrong practitioner.  An investigation by the GDC established that the error had occurred because the recipient had a similar name to the intended recipient.

The GDC had in place guidance on the processing of such information; this had not been followed by the employees who had arranged for this information to be sent out.  The GDC’s guidance and processes required that the CD on which the background information was sent was encrypted.  In this particular incident the CD was not encrypted.

The Commissioner established that while the GDC had in place sufficient policies and procedures, there was a lack of corporate refresher training in relation to data protection for those employees whose job roles entailed the processing of personal data.  The GDC had introduced induction training, but this was not rolled out to existing staff.  The GDC did have examples of where data protection training was being delivered; however, much of this was delivered on an ad hoc basis.

The Undertaking records a second incident where a patient’s dental records had gone missing.  The GDC’s investigation suggested that the records had never left their office, but had instead been securely destroyed.  However, the employee involved in this incident had not received induction data protection training.

Cold Call Elimination Ltd

The Commissioner served a Monetary Penalty Notice on Cold Call Elimination Ltd following breaches of PECR.  Somewhat ironically Cold Call Elimination Ltd was making unsolicited cold calls to sell a service and device to stop unsolicited cold calls.

The Commissioner wrote to the company following a number of complaints to the Commissioner and the Telephone Preference Service.  The Company provided an explanation and further explained that it would be putting in additional measures relating to unsolicited marketing calls.  The Commissioner placed the company under monitoring for a period of 3 months, during which a large number of complaints continued to be received.

The Commissioner’s Office met with Cold Call Elimination Ltd to discuss its compliance with PECR following which a further period of monitoring took place.  During that second period of monitoring there was a drop in the number of complaints received, but the Commissioner described this as an insignificant drop.

The Commissioner had received 46 complaints directly from individuals who were subscribed to the Telephone Preference Service between 14 June 2013 and 31 March 2015.  The Telephone Preference Service had received 336 complaints over the same period.

The Commissioner determined that the company was in breach of Regulation 21 of PECR and subsequently issued a Monetary Penalty Notice in the amount of £75,000.

Martin & Company

Martin & Company, a firm of solicitors, gave the Commissioner an undertaking to comply with the seventh Data Protection Principle following an incident in which a DVD containing CCTV footage went missing.  The firm was acting for a criminal accused and the CCTV footage was released to them by the Crown Office and Procurator Fiscal Service (‘the COPFS’).  Martin & Company is based in Ayr and the DVD required to be collected from the COPFS office in Kilmarnock.  Martin & Company instructed a third party to collect the DVD from the COPFS.  The DVD went missing having been collected by the third party, but before reaching Martin & Company.

The Commissioner’s investigation found that there were some shortcomings in Martin & Company’s procedures.  In particular the Commissioner highlighted a lack of guidance to staff regarding the DPA as well as relevant training on the DPA.  The Commissioner also took the view that there was a lack of formal procedure for staff when arranging to have personal data collected from outside of the office environment.

FlyBe Limited

FlyBe Limited, an airline, gave the Commissioner an undertaking to comply with the seventh Data Protection Principle following an incident in which a temporary employee sent a scanned image of another individual’s passport to his personal E-mail address.  The incident occurred in the department responsible for processing airside clearance for other FlyBe staff.

The Commissioner investigated and discovered that FlyBe did not provide any training to its staff members who processed personal data, including the temporary employee who was involved in this particular incident.  The Commissioner also found that FlyBe’s data protection policy was inadequate and only provided limited information.

Home Energy & Lifestyle Management Ltd

The Commissioner served a Monetary Penalty Notice on Home Energy & Lifestyle Management Ltd following breaches of PECR.  Home Energy & Lifestyle Management Ltd engaged in a marketing campaign via automated recorded calls to 6 million people in relation to the ‘Green Deal’, a Government-backed energy saving initiative.

The Commissioner wrote to the company having received a number of complaints about the calls being made.  The Company explained that it had now ceased the marketing campaign and that it had not realised that there were different rules in the Privacy and Electronic Communications Regulations for recorded calls as opposed to “live” calls.  The company also sought to explain the calls by attempting to lay the blame at the door of the third party company it had contracted to make the calls on its behalf.

The Commissioner’s office received 242 complaints concerning Home Energy & Lifestyle Management Ltd’s calls during a three month period of monitoring. The Commissioner decided that the company had breached Regulation 19 of PECR. The Commissioner also found that the company had breached Regulation 24 of PECR by not identifying the person who was sending the automated marketing calls, not providing the address of the person and not providing a telephone number on which the person responsible for making the calls can be reached free of charge.

The Commissioner issued a Monetary Penalty notice requiring the company to pay the sum of £200,000, the largest amount ever required for a breach of PECR. Press reports of the Monetary Penalty Notice have indicated that the company intends to appeal.

Comment

In respect of the three undertakings for breaches of the Data Protection Act 1998 it is clear that data controllers, even large organisations, are still failing in the basics by not having in place adequate policies and procedures covering data protection and failing to provide adequate induction and refresher training on data protection to those who handle personal data.  This is a regular feature in enforcement action taken by the Information Commissioner.  Having in place sufficient policies and procedures, as well as training and adequate checks to ensure compliance, will reduce the chances of experiencing a data breach in the first place.  Furthermore, it will undoubtedly serve to mitigate any enforcement action taken by the Commissioner should a data controller experience a breach.

The Monetary Penalty Notices issued this month highlight the importance of ensuring that organisations undertaking marketing by telephone have in place the appropriate consents and take sufficient steps to ensure that the calls are not made to individuals who have registered with the Telephone Preference Service.  They also highlight the truth of the Latin maxim ignorantia legis neminem excusat – or ignorance of the law excuses no one. Following a change in the law, it is now much easier for the Commissioner to issue Monetary Penalty Notices in respect of breaches of PECR; it is therefore now much more likely that breaches of PECR will result in the Commissioner issuing Monetary Penalty Notices.

Valid FOI requests via Twitter?

The Information Commissioner’s Office (ICO) has issued a Decision Notice finding that the Metropolitan Police failed to comply with section 10 of the Freedom of Information Act 2000 (FOIA) in respect of a request which was made to it through Twitter.  In November 2012 the ICO issued a one page document setting out its view on whether a valid request can be made via Twitter.  In that document the ICO acknowledged that Twitter was not the most effective way to submit a FOI request; however, it went on to say that requests made via Twitter are not necessarily invalid.

The test for whether a request is a valid one or not is to be found in section 8 of the FOIA; it sets out the requirements as to what constitutes a valid request.  The Act provides:

(1) In this Act any reference to a “request for information” is a reference to such a request which—

(a) is in writing,

(b) states the name of the applicant and an address for correspondence, and

(c) describes the information requested.

(2) For the purposes of subsection (1)(a), a request is to be treated as made in writing where the text of the request—

(a) is transmitted by electronic means,

(b) is received in legible form, and

(c) is capable of being used for subsequent reference.

Let us look at each requirement in turn:

The request is in writing

The starting point with statutory interpretation would normally be what is the literal meaning of the word?  Here Parliament has given us some assistance in interpreting what is considered to be in writing.  This does appear to be one of those ‘for the avoidance of doubt’ provisions and was most probably inserted to take account of E-mail.  There is little doubt that when passing the Act Parliament did not think about Facebook or Twitter, indeed when the Act was passed Facebook was barely a thing and Twitter hadn’t been invented.  However, as technology changes it is necessary for the law to move with it – whether it is capable of doing so without amendment by Parliament is a different matter!

Is a tweet transmitted by electronic means?

It is certainly sent and received by electronic means, but what does ‘transmitted’ mean?  According to the literal rule of statutory interpretation we must look at the ordinary meaning of the word transmitted.  Let’s turn to the online Oxford English dictionary and its entry for transmit.  Only the first two definitions are relevant here.  To transmit something is to “cause (something) to pass on from one person or place to another” or “broadcast or send out (an electrical signal or a radio or television programme).”  So, is a tweet transmitted by electronic means?  Sending a tweet is certainly causing something (the content of the tweet) to pass from one person (the sender) to the other (the recipient).  It might also be said that it is being sent from one place (the sender’s computer) to another (the recipient’s computer).  It could be said that sending a tweet is not too dissimilar to sending an E-mail.  Is it by electronic means?  I think that it is clear that it is, for obvious reasons such as without electronics there wouldn’t be the hardware to enable a tweet to be sent.  Is a tweet being broadcast or sent out?  The dictionary gives an example of an electronic signal or a radio/television programme.  What is a tweet?  It is essentially a series of digits which put together displays on the screen as an image – it might be said to be similar to a TV programme.  Whether it meets the second definition or not, I do think that it is safe to say it meets the first.

Is it received in a legible form? 

Well it’s certainly not going to be illegible because it is typeface rather than handwritten.  One might be of the view that this was perhaps to cover a handwritten note sent by fax and so probably isn’t relevant here – I think we can tick this box as well.

Is it capable of being used for subsequent reference?

This is where things get slightly more difficult! The Act doesn’t say who has to be capable of referencing it subsequently.  Obviously, the Public Authority will have to be able to reference it subsequently in order to check that it is complying with the request made.  Furthermore, the requester has to be able to subsequently reference it should they need to make a complaint to the ICO – the ICO will usually want to see the request and where possible evidence of the request having been sent.  However, it does not seem to be as straightforward as that.

If I tweet a public authority’s official account, my tweets are not protected and I don’t do anything else, then it is possible for both the public authority and me to subsequently reference the tweet.  On the face of it, this would clearly meet the requirement.  Whether or not they know it is there is probably an irrelevant question in the same way someone missing a request in their E-mail inbox doesn’t matter.

The issue becomes slightly more complicated if I protect my tweets later and the public authority is not following me – then only I can subsequently reference the tweet – or if I delete my tweet altogether.  In the first of these two situations (protecting my tweets where the authority is not following me) the tweet is clearly capable of being referenced subsequently, but only by me.  Does this meet the requirements of the Act?  Well I would suggest that in order to establish that we need to understand why Parliament included it.  What situations were Parliament envisaging when they enacted this part of the Act?  The explanatory notes do not provide any illumination on that question.  I don’t have time to, at this stage, wade through the many lines of debate in Hansard on the Bill in the hope that there is an explanation here.  I can’t immediately think of a situation which Parliament would have had in its mind when enacting this section.  On that basis I don’t think that really takes us any further forward.

The question that immediately springs to mind is for how long does the request have to be capable of being subsequently referenced by the authority?  If I protect my tweets on the 20th working day following sending the request is that different to if I protect them immediately following the sending of the request?  After all, by the 20th working day the authority should be in a position to respond, or at least have gathered all of the information in scope and simply be conducting the public interest balancing exercise.  I’d suggest there is a difference.  Quite where the ‘cut off’ is would most probably be a question of looking at the circumstances in each individual case – not an ideal situation though.

What about if I delete the tweet?  That might cause problems when making an application to the Commissioner – although taking a screenshot of the tweet prior to deleting it might cure that.  Again is it dependent upon when I delete the tweet – e.g. on the 20th working day or immediately after it was sent?

These are difficult questions and ones that don’t have clear answers.  However, in at least one case (the first – where the tweet was and remains public after it is sent and is not at any stage deleted or becomes inaccessible to the public authority by way of an individual’s tweets becoming protected) a tweet appears to meet all of the requirements set out in section 8(2) of the Act.

However, as mentioned earlier, section 8(2) does seem to be more of a ‘for the avoidance of doubt’ subsection – a request can be in writing in other ways and it would appear that this has most probably been included so as to ensure that public authorities treat requests received by E-mail as being valid requests – it would not appear to be the ‘be all and end all’ of the matter.

At the end of the day, what does ‘in writing’ mean? I don’t think we could realistically argue that a tweet is not ‘in writing’ even if it does not meet all of those tests – after all, a letter sent by mail doesn’t meet the requirements of section 8(2) and nobody would sensibly argue or find that such a request is not ‘in writing’ and so section 8(2) is clearly not the complete definition of what is meant by ‘in writing’ within section 8(1).

The request states the name of the applicant and an address for correspondence

Assuming that we have a request made via twitter that meets the definition of being ‘in writing’ the next requirement is that the request must state the name of the applicant and an address for correspondence.  If we accept that a public authority’s twitter account is an address capable of having correspondence (not necessarily just a FOI request, but any type of correspondence) sent to it, then equally an individual’s twitter account must also be an address for correspondence.  If an individual does not need to, for example, include within the body of their E-mail their E-mail address (i.e. it appearing in the ‘From’ field is sufficient) then I don’t see why someone would have to include their own twitter handle in their request – it is there for the authority to see in its mentions.

However, the name issue is more problematic.  It is the view of the Commissioner (and I believe that it is the correct one) that the name of the applicant must be their real name – lots of people don’t use their real name (or indeed any of the acceptable forms thereof for the purposes of FOI) in their twitter profile; so there we could have a problem.  If it’s not on their profile, then it’s not a valid request – even if we’ve managed to overcome the ‘in writing’ issue.

Describes the information requested

The final requirement is that the request describes the information requested.  That has to be in enough detail to enable the authority to identify what is sought.  That could be difficult in 140 characters.  However with services such as twitlonger it can be done.  It could also be possible to send the request over a number of tweets (as was done in the Metropolitan Police case linked to at the outset of this blog post).  I don’t see that as being any different to sending it in a number of letters or in a number of separate E-mails.  Indeed, when an authority seeks clarification because it is unable to identify what information is being requested it is looking at a request over at least two pieces of separate correspondence, if not more, to create a valid request.

Conclusion

The ICO does not say in its guidance that all requests made via twitter will be valid, only that a request made via Twitter may not necessarily be invalid.  I would certainly have to agree: it is possible to make a valid request by twitter.  Is it a good idea?  I would say that it’s not, and that it is probably best to stick to more conventional methods such as letter or E-mail.

Princes, letters and Freedom of Information

Yesterday the Court of Appeal issued its judgment in the continuing saga that is the bid by Guardian Journalist Rob Evans to obtain the information contained in a variety of letters sent by HRH Prince Charles, the Prince of Wales to a number of departments of Central Government between 1 September 2004 and 1 April 2005.

The saga has been a long one in which the Information Commissioner agreed with the Government.  However, the Upper Tribunal disagreed and ordered a number of the letters to be released.  The Upper Tribunal found that the letters fell into two categories: those which were about the Prince of Wales preparing to become Monarch and those which were him advocating in respect of causes which were close to him.  It was this latter category of letters that the Upper Tribunal ordered to be released, after determining that they were not covered by the constitutional convention which provides that the heir to the throne be educated in Government business in order to prepare him (or her) for becoming King (or Queen) and that correspondence pertaining to that be confidential and not be released.

After the Upper Tribunal issued its decision the Attorney General issued a certificate under section 53 of the Freedom of Information Act 2000 (FOIA) which sets aside the decision of the Upper Tribunal.  Mr Evans judicially reviewed that decision and the Administrative Court upheld the certificate.  Mr Evans then appealed to the Court of Appeal which quashed the Attorney General’s certificate.

There are two separate issues to the certificate.  The first one, which I shall deal with here, is the EU dimension to the case.  Some of the information contained within the letters amounts to Environmental Information which falls to be governed by the Environmental Information Regulations 2004 (EIRs).  Those Regulations exist to transpose into domestic law an EU Directive on access to Environmental Information which in turn exists to bring into EU law the provisions of the Aarhus Convention.  Therefore the principles of EU law apply to the Environmental Information and the domestic law cannot be incompatible with it.  In its judgment the Court of Appeal held that the existence of the veto was incompatible with EU law.  This effectively means that the veto contained in section 53 of the FOIA cannot be used in respect of information which is environmental in nature (as defined by the Directive and the Regulations).

The Directive which the EIRs transpose into domestic law provides that there should be an independent and impartial tribunal to decide upon whether a public authority has complied with its obligations, and that the decision of this independent and impartial body must be final. The EIRs have, by virtue of the application of the FOIA, an extensive appeals structure which begins with a complaint to the Information Commissioner and subsequent appeal to a specialist tribunal followed thereafter by appeals on points of law potentially all the way to the Supreme Court.  While there is no single independent or impartial tribunal whose decision becomes binding, at some stage a decision will be made by an independent or impartial tribunal which is final and binding upon the public authority.  However, by virtue of section 53 of the Freedom of Information Act, it can be side-stepped by someone within the Executive (in this case the Attorney General).  The Divisional Court, in its decision, held that the existence of the right to judicially review the decision to issue a certificate under section 53 of the FOIA.  However, the Court of Appeal disagreed.  The Master of the Rolls said at paragraph 55:

A judicial review of the certificate of an accountable person is substantively different from a review by a court or other independent body of the acts or omissions of “the public body concerned”. The focus of the two reviews is different.

The Court of Appeal was of the view that as judicial review was focussed on the act of the person who issued the certificate, rather than on the public authority’s compliance with the EIRs, it was in breach of the requirements of European law; therefore it was unlawful.

The Court of Appeal also considered the Attorney General’s use of the ‘veto’ under section 53 in respect of the information contained in the letters which was covered by the Freedom of Information Act.  The Court held that in order for a certificate under section 53 to be valid, it had to be based on reasonable grounds.  The Court of Appeal decided that for the grounds to be reasonable there would have to be something more than simply disagreeing with the decision.  The Master of the Rolls gave some examples of what ‘something more’ might mean in paragraph 38 of the Court of Appeal’s decision:

a material change of circumstances since the tribunal decision or that the decision of the tribunal was demonstrably flawed in fact or in law.

Such an interpretation of the law clearly significantly affects the power of ministerial veto and its effectiveness.  It is also clearly against the intention of Parliament when it passed the Freedom of Information Act.  The veto was placed in the Act by the Labour Government that passed it as a central element of the Act – something to act as a backstop to protect central government from inappropriate releases.  It was intended to place central Government in the position of being the final arbiter of what central government information is released under FOI.  It is a constitutional aberration, as described by both the Divisional Court and the Court of Appeal, but that is what Parliament determined when it passed the law with section 53 in it.

The Court of Appeal quashed the Attorney General’s certificate, which makes the Upper Tribunal’s decision requiring release of certain letters effective again.  It held that his certificate was unlawful in terms of all of the information it was intended to cover.  This is certainly a key judgment and is very interesting.  It engages with some important issues in respect of the ministerial veto, and it is a Court of Appeal decision.  However, as much as I agree in principle with the Court of Appeal’s decision, in terms of the legal matters I suspect that it is vulnerable to being overturned, at least in part, on appeal.

I am of the view that the Court of Appeal’s decision should be treated with a bit of caution.  In respect of the application of the veto on Environmental Information, the Court of Appeal’s decision appears to be entirely correct.  The existence of the veto does not sit well with the requirements of the Directive and is most probably unlawful in terms of European law.  However, I suspect that the Court of Appeal has fallen into error in its interpretation of section 53 insofar as it relates to information covered by the Freedom of Information Act.  The veto was clearly intended to be used in the way the Attorney General used it when passed by Parliament.  It was Parliament’s clear will and it would be inappropriate to read things into the legislation that are so clearly against the will of Parliament.

The Attorney General has been given permission to appeal the Court of Appeal’s decision to the Supreme Court and it will be interesting to see what the Supreme Court has to say.  I suspect there will be a great deal of discussion around the meaning of the words ‘reasonable opinion’ in section 53.

Public authority contact details and FOI

This is an FOI decision from the Information Commissioner that I have planned to blog about for some time, but have now only just got round to blogging about it.  On 11 March 2013 the ICO issued decision notice FS50468600 which involved the Department for Work and Pensions (DWP).  The content of the decision notice is not all that important until we turn to paragraphs 32-36, which are headed up as “other matters”.

Paragraph 35 is of particular note: in it the Commissioner states that his office experienced difficulty in actually speaking to those who were involved in the request at the DWP’s side of things.  It described the DWP’s practice of not providing telephone numbers or contact details within its responses and how this makes it very difficult for the appropriate contact to be located within the organisation.  The public authority advised the Commissioner that it did not include these details so as not to breach the privacy of the non-senior staff involved; it described the staff in question as not being in public-facing roles.

In Paragraph 36 of the decision notice the Commissioner states quite clearly that he does not agree with this approach.  The decision notice states that “if such staff are responding to requests made under the FOIA then he considers this to be a public-facing role which is unlikely to attract an expectation of privacy” (Paragraph 36).

The DWP are by no means the only public authority which has adopted similar processes in respect of FOI requests.  I can remember one time trying to get hold of a central Government department (I can’t remember exactly which one, but I have a feeling it was either the Home Office or a connected public authority) to discuss a response that had been issued by them (something that merely wasn’t very clear and, as it later transpired, wasn’t in need of an internal review). However, there were no contact details provided for the individual.  I was informed that the FOI team were not public-facing and they wouldn’t speak to members of the public over the telephone.

It was very frustrating and actually resulted in a higher cost to the public authority in my case.  There was just one thing that I wasn’t clear about and I’m sure that had I been able to have a quick telephone conversation with the person who issued the decision then there would have been no need for them to conduct an internal review.  However, the Authority’s attitude and processes meant my only option to get the clarification was to request an internal review.  This will have then required a senior member of staff within the authority to review the entire handling of the request and issue a response to me; far more expensive than 5 minutes on the phone explaining something to the applicant.

Not publishing contact details for those responsible for FOI within the organisation also makes seeking advice and assistance from the public authority almost impossible.  My reading of the Act suggests to me that advice and assistance is not only something to be provided in a refusal notice, but something that should be available to prospective applicants.  I know that I’ve certainly phoned up a public authority and had a chat with them about a request before making it; as a consequence I have been able to frame my request in a way that has made it a much more efficient process for the public authority (and thereby reducing the cost to the taxpayer).  The FOI Officer, knowing the structure of their organisation and how information is generally held, was able to advise as to what information they were likely to hold and how it was likely to be held.

I tend to agree with the Commissioner that anyone sending a response out to a FOI request is clearly public-facing; it might be that a particular role was not public-facing pre-FOI, but in these post-FOI days anyone could, in theory, be a public-facing member of an authority’s staff.  It should be easy for applicants to contact public authorities, not least because the public authority is obliged to provide advice and assistance, but also because it can save public authorities money.  It can help ensure more focused FOIs that are easier to deal with and can prevent expensive internal review requests (or perhaps even more expensive ICO investigations).

Hopefully the ICO’s criticisms of this approach in this decision notice will feed their way round any other public authorities who still adopt a practice of not giving out contact details for someone able to provide advice and assistance.

The importance of FOI training in public authorities

A decision notice published by the Scottish Information Commissioner yesterday (7 March 2013) highlights why it is important that all staff within public authorities have at least a basic working knowledge of the Freedom of Information (Scotland) Act 2002 and the Environmental Information (Scotland) Regulations 2004.

Decision 032/2013 concerned an information request made to NHS Fife.  The applicant made an information request to NHS Fife on 2 August 2012 to which NHS Fife responded on 5 October 2012.  This represents a significant delay on the 20 working days permitted by section 10(1) of the Freedom of Information (Scotland) Act 2002.  The decision notice does not give any reason as to why it took NHS Fife so long to respond to the information request.

On 18 October 2012 the applicant wrote to NHS Fife requesting a review of their decision.  The request for review was sent directly to a particular member of staff with whom the applicant had been having protracted correspondence.  Unfortunately for NHS Fife that member of staff did not “recognise the significance” of the request for review under the Freedom of Information (Scotland) Act 2002 and consequently did not take the action required to ensure that NHS Fife was able to respond within the timeframe permitted by section 21(1) of the Act (which is 20 working days).

NHS Fife’s explanation that the member of staff who received the request did not recognise the significance of a request for review under FOISA would suggest that something has gone wrong procedurally, most probably around staff training.  All staff within a public authority should be able to spot information requests and requests for review.  Having identified an information request or request for review, all staff should know what to do with such correspondence.  When staff are not able to perform these tasks it can lead to problems such as in this case, where a requirement for review went unanswered beyond the statutory deadline.  As a consequence an application was made to the Commissioner and a decision notice has been issued.

This decision notice should serve as a reminder of how important it is that all staff (whether they routinely deal with information requests or not) have at least a basic knowledge of information access rights, to ensure that public authorities comply with their obligations under the various access regimes.

IPCC v The Information Commissioner

The First Tier Tribunal (Information Rights) has issued a very strongly worded judgment in an appeal by the Independent Police Complaints Commission (IPCC) against the decision of the Information Commissioner.

The decision relates to the application of s.14(1) of the Freedom of Information Act 2000 which provides that a public authority does not need to comply with a request for information made pursuant to the FOIA if the request is repeated or vexatious.  It is important to note though that the Act requires the request to be repeated or vexatious and not the person making the request.  A person could quite conceivably make two requests to an authority on the one day and have one deemed as vexatious and the other not.

The Tribunal made some important comments in its decision, particularly in the current climate arising out of the post-legislative scrutiny of the FOIA.  The Tribunal, quite correctly, said:

Abuse of the right to information under s.1 of FOIA is the most dangerous enemy of the continuing exercise of that right for legitimate purposes. It damages FOIA and the vital rights that it enacted in the public perception.

Those who use FOIA rights to harass public authorities and to keep a campaign going against a particular authority (or group of authorities) damage the information access rights that have become so vital to our democracy.  This frustrates the public authority, which can in turn lead to a culture against FOIA in an authority (which can be seen in some of the recent comments and submissions surrounding the post-legislative scrutiny of the FOIA).  Not only that, but it can lead to a tightening up of the Act which may have a damaging effect on those who use the rights responsibly.  It does come to mind that perhaps the Tribunal has had the post-legislative scrutiny of the Act in its mind when writing this decision.

The Tribunal continued:

In our view, the ICO and the Tribunal should have no hesitation in upholding public authorities which invoke s.14(1) in answer to grossly excessive or ill-intentioned requests

The frustration felt by public authorities who deem requests to be vexatious, and are then subsequently told by the ICO or the Tribunal to deal with the request is quite understandable.  Some authorities are perhaps not using the s.14(1) exemption as much as they ought to while others are perhaps using it inappropriately.  While it is important that Public Authorities feel confident in using the s.14(1) exemption and that the ICO and Tribunal will support them it must not get to the point where public authorities feel over-confident in using the exemption because the ICO and the Tribunal will always support them.

It has always been a fundamental principle of FOI that the requester and their reasons are largely irrelevant in the consideration of a request for information.  Anything which harms that in turn harms FOI.  Some people may make repeated and frequent requests to a public authority, but that does not mean that those requests should automatically be exempt by virtue of s.14(1): the s.14(1) exemption must not become a way for authorities to keep matters that ought to be released secret.  In the context of this decision the Tribunal was clearly correct to hold that the requests were vexatious.  Making roughly one request every month for two years to one authority, some of which are wide and indiscriminate in nature, is clearly an abuse of the FOIA and the IPCC were entirely correct in applying s.14(1) to Mr Andrew’s requests.  It is hard to imagine a legitimate purpose that would result in such a large volume of requests being made to a single authority.

It is good that the Tribunal issued such a strongly worded judgment in this case and hopefully it will begin to go some way to alleviating fears among authorities in relation to being unable to deal with people who place a significant burden on the authority with what can on occasions appear to be a complete obsession with the authority.  One only needs to look at the WhatDoTheyKnow website to see examples of people who have an unhealthy obsession with uncovering corruption that really doesn’t exist (as an example of vexatious requests in action).