FOIMan News to 27 June 2014

FOIMan reports on the week’s key FOI and information rights news stories.

Information Commissioner changes tune on EIR Charges

The cost of staff time can be taken into account if charging for environmental information according to new guidance from the Information Commissioner’s Office. Previously the Commissioner had taken the view that only disbursements (photocopying, postage, etc) could be charged for. The Commissioner has also clarified his position on property searches and EIR.

Tribunal mauls DfE over Steiner Free Schools information

The First-Tier Tribunal (Information Rights) has ordered disclosure of information relating to Steiner Free Schools following a request from the British Humanist Association. In frank terms, the Tribunal dismissed arguments from DfE that there was a public interest in protecting the Free School applicants from disclosure of information under sections 35 and 43 of the Act. The Tribunal was particularly dismissive of the evidence of the Department’s witness which it commented:

“was particularly weak and not at all persuasive in relation to explaining how disclosure would impact upon the ‘safe space’ sought for the formulation of policy”.

ICO Audits identify weaknesses in UK Police Forces’ Handling of Personal Data

The ICO has issued a report on audits it has carried out on police forces in the UK over the last year of their compliance with the Data Protection Act. Records management appears to have been the weakest area in most forces, echoing my observations earlier this week in relation to Barts Health Trust.

Blogpost of the week

The ICO’s blogpost summarising its new guidance on environmental information charging.


Sherlock’s shame

FOIMan suggests that limited assurance for records management at Barts Health NHS Trust means we can have limited faith in records management across the country.

What Moriarty thought of Barts' records management is not recorded. Or is it?

What Moriarty thought of Barts’ records management is not recorded. Or is it?

One of the Information Commissioner’s powers under the Data Protection Act is to carry out audits of organisations that process personal data. So far these have all been done on a consensual basis – the ICO does have the power to carry out compulsory audits on government departments (brought in after the infamous HMRC data loss), but has not yet used this. Executive reports of these audits are published on the ICO website, unless the body concerned asks for it not to be. In which case, you can draw your own conclusions.

I noted yesterday (thanks to a tweet from Jon Baines) that the latest recipient of an ICO audit is Barts NHS Trust. Now I’ve been concerned about Barts’ security arrangements since a private detective and his psychotic arch-enemy were allowed to access Barts’ hospital roof apparently without difficulty a couple of years ago, but leaving that aside, I was curious about the outcome of their audit.

Now, data protection is a large and complex subject, as anyone who’s ever studied for a BCS (ISEB) or other qualification in the subject will know.  So whenever the ICO is planning an audit, it agrees with the subject organisation what areas it should look at. Barts chose information security and records management.

Despite stray detectives and criminal masterminds, you’ll be relieved to hear that Barts performed relatively well on the information security aspect of the audit, receiving “reasonable assurance”. This will have looked at access to IT systems, encryption of portable media, and other measures designed to prevent accidental loss of, or damage to, personal data.

But it was records management that attracted limited assurance (the second lowest grading in the ICO’s assessment scheme). This is concerning. Not just for Barts (though I’m sure they do take this outcome seriously), but for everyone else. Barts has a pretty good reputation for records management. I’m not sure about the situation now, but for many years it actually had records managers (widely respected ones, even outside the health sector), which is certainly not the case universally in hospitals and NHS Trusts across the UK. So if Barts’ records management is considered not up to scratch then I doubt very much that most other NHS Trusts (or indeed local authorities, government agencies, schools, private companies for that matter) would fare any better under ICO scrutiny.

I’m personally sceptical of the desirability, let alone feasibility, of “perfect” records management. What’s important is that organisations can function and protect their most valuable and sensitive information. But it is fair to say that few in the public or private sector give this the priority it deserves. So unless you actually want some ammunition to make the case for more investment in this area, it may be a good idea to avoid asking the Information Commissioner to look at your records management.

The FOI Squad

FOIMan puts together his dream team to fly to the FOIA World Cup.

First, a declaration of interest: I have none. In football, or indeed the World Cup. From what I gather, this is probably a good thing.

However, as with all major events these days, the World Cup has fostered an internet meme. The starting eleven. Here’s BBC One’s which inspired this post.

So I thought I’d have a go at the UK FOI Community Eleven. This turned out to be more difficult than I had imagined. When you start thinking about it, there are rather a lot of lawyers, academics, practitioners and requesters who could qualify. And of course, I’m already a place down as I can’t leave myself out (there has to be some advantage to wasting a Saturday afternoon on this). So with apologies to those who haven’t made the final list (blame my ignorance), here is the starting eleven.

Manager: Frankel M.

Tactician/Stats: Worthy B.

Technology: Steinberg T.

Pitt-Payne, T.

Hopkins, R.    Proops, A.     Hasan, I.     Baines, J.

Gibbons, P.     Wyeth, L.    Ghafoor, B.     Turner, T.

Brooke, H.     McInerny, L.


Subs: Burgess, M., Cook, C., Higgerson, D., Grant, H., Knight, C., Monkey, F., Rosenbaum, M.

Referee: Graham C.

Officials: Smith, G., Smith, D., Wood, S., Entwistle, S.

The back room staff are clearly important. The manager goes without saying. There’s only one guv’nor in this field – we’d have no FOI without Maurice and the Campaign (@campaignfoi – and whilst we’re on the subject, please do donate here). And every team needs its statto – take a bow Dr Ben Worthy (@benworthy1). These days, technology is a key feature of any successful team, and Tom Steinberg (@steiny), who established (@whatdotheyknow) seems to fit the bill in this context.

High-tech graphics and gadgetry were used in the preparation of this post.

High-tech graphics and gadgetry were used in the preparation of this post.

The players are more difficult. I figured that those of a more legal bent should be in defence. So we’ve got Tim Pitt-Payne (@tpittpayne) in goal, along with Robin Hopkins (@hopkinsrobin) and Anya Proops in the back line (all of whom contribute regularly to the excellent Panopticon Blog, as does Christopher Knight, who is on the subs bench for now). Clearly they’ll have to fight it out over who gets the number 11. Joining them are Ibrahim Hasan, Solicitor and Director of Act Now Training (@actnowtraining) and Jon Baines (@bainesy1969), not technically a lawyer but possessed of much legal knowledge as evidenced by his Information Rights & Wrongs blog.

I decided that we needed people up front who can open up a tight defence with FOI. It had to be effective users of the Act. But who to choose with only two places?

Well, it’s a tough choice. But in the end I went for the maverick but effective style of Heather Brooke (@newsbrooke), whose experience and patience opened up MPs’ expenses, combined with the youthful exuberance of Laura McInerny (@miss_mcinerny), who’s proved herself a valuable player against DfE in the run up to the tournament.

Which brings us to midfield. This belongs to practitioners and bloggers in my view – connecting up the legal knowledge at the back with those making the pace up front. So here we find Lynn Wyeth (@lynnFOI) and Bilal Ghafoor (better known as @FOIKid). Tim Turner (@tim2040), of course, is always right (Tim will just agree with that, ICO staff reading will just smile wryly). And me? I’ll be flying up the wing obviously.

This is a big match, so the choice of subs is important. We’ve got the cream of journalistic talent, ready to replace any absences up front or in midfield. Several lawyers and academics are ready to fill any holes at the back. My thinking is that Matt Burgess, creator of the FOI Directory (@FOIDirectory) could cover either midfield or replace one of our two strikers. And in any case he’ll probably appreciate the time on the bench to work on his book.

Of course, the quality of the match will depend to a great extent on the referee and officials. The manager was hoping for Judge Wikeley, but it will almost certainly be Christopher Graham, supported by his ICO senior team (@iconews). Unfortunately this means that there’s a real risk of either Tim Turner or Chris Cook (@xtophercook – if he’s brought on) being sent off for abusing an official.

If football isn’t your thing, then you can just as easily apply this reasoning to cricket. Just imagine Tim Pitt-Payne as wicket keeper, the defence as seam, fast and spin-bowlers and the strikers as the top of the order. Tim and Jon are useful all-rounders in the middle of the batting. Or you could do something more useful with your weekend.

(You may have noticed that the above nonsense does contain some handy recommended websites and Twitter handles (in brackets) to follow, so there is at least some value to it. Maybe.)

IC trouble ahead

FOIMan argues that funding cuts to the Information Commissioner’s Office are a huge threat to FOI.
Christopher Graham addresses the 2013 ICO Data Protection Officers' Conference

Christopher Graham addresses the 2013 ICO Data Protection Officers’ Conference

Transparency’s a marvellous thing isn’t it? These days we can find out what goes on in all sorts of meetings across the public sector. One example is the way we get to eavesdrop on what the FOI and DP regulator is saying internally.

A couple of weeks ago the minutes of the Information Commissioner’s April Management Board were published in the ICO’s publication scheme. And one thing in particular caught the eye.
The Commissioner stressed in frank terms the financial difficulties his office was facing. At the moment, the ICO is funded by the notification fees that it receives under the Data Protection Act and grant-in-aid that it receives from the Ministry of Justice. The former brings in substantial amounts but is ring-fenced – it can only spend that money on its data protection-related activities. FOI activities are entirely dependent on MoJ funding. That funding has been progressively reduced over the last few years. The Commissioner stated that:

If grant in aid was cut further, action on anything other than routine freedom of information enquiries would be impossible.

It’s not as though the Office is profligate with its money. Whenever the ICO advertises a post, I am horrified at the level of salary on offer (and I’m not alone). Employees that will be responsible for considering high-profile and influential cases are apparently joining the office on salaries of less than £20,000.
ICO salaries are far from excessive

ICO salaries are far from excessive

Even taking into account that the North West is cheaper to live in than London and the South East, salaries are very low. To put it in perspective, I once considered joining the ICO and the only job that matched my then salary would have involved managing 60 staff. As an FOI Officer in a high-profile London-based public body, I was reasonably remunerated, but not THAT reasonably. It’s not unknown for privacy or information security roles in the private sector to attract starting salaries of £70,000 or more, so it is faintly ridiculous to think that they would be explaining themselves to ICO Case Officers earning around a third of their income.

Bearing in mind how poorly paid many of its staff appear to be, and its increasing struggle for funding, it must be said that the ICO punches above its weight. The constant churn of new guidance, Codes, initiatives, decisions, undertakings, penalties suggests an organisation that is working hard and effectively. Much of my work as a trainer and consultant (not to mention blogger) is informed by their publications.  I know from my own experience that the work the Commissioner’s Office has done to raise awareness of data protection and privacy issues is making a difference, and monetary penalties are focussing minds. The progress made by the Commissioner was noted last year by the Justice Select Committee. Christopher Graham, whilst occasionally rubbing people up the wrong way (and perhaps this is actually a symptom of his success) has achieved wonders in reducing the backlog of complaints.

Nobody’s saying it is perfect – I’ve occasionally criticised it. All organisations make mistakes – they are, after all, staffed by human beings. The sheer volume and scale of the ICO’s work means that statistically they’re occasionally going to call something wrong. And given that much of information rights law is open to interpretation, it is inevitable that there will be differences as to how the law should be applied at times.  (And of course, it’s much easier to criticise from the boundary – harder to be the team out there playing the game).

Now Mr Graham says that the regulation of FOI is under threat due to successive cuts in funding. This is a major limitation on the effectiveness of FOI. We often forget that before 2005, most commentators expected FOI to be a damp squib. That it hasn’t been is at least partly due to a regulator prepared to challenge the status quo. Remember it was the Information Commissioner that ruled in favour of Cabinet minutes, risk registers and Prince Charles’ correspondence being disclosed, and often used his resources to argue the case further through lengthy appeal processes in the courts.

If the ICO is not properly funded, it is in my view at least as great a threat to FOI as attempts to water down the legislation (which are at least subject to a degree of Parliamentary scrutiny). Political parties that claim to support FOI and transparency (ie all of them, publicly at least) must commit to properly fund the office if elected to govern next year.

Things could get worse. The European Union’s proposed Data Protection Regulation would end the requirement to notify the Commissioner each year, and more importantly the annual fee that currently involves. If that happens, the ICO may be completely dependent on funding from Government in future. Given the current state of affairs, that is not an encouraging thought.

I used to say “no”. Now I say “FOI”.

FOIMan considers whether a council handling an employee’s enquiry under FOI is unreasonable.

logolayeredOne of the recurrent complaints made by journalists is that public bodies treat routine press enquiries as FOI requests. They see this as a way for awkward questions to be kicked into the long grass.

The latest piece in this mould comes from David Higgerson who often writes about FOI on his journalism blog. His FOI Friday thread highlighting use of FOI by local media is essential reading for journalists and others interested in how FOI is used in practice.

David reports that Derby City Council treated an enquiry from an employee about its pay review approach as an FOI request. The council refused the request. The employee ended up appealing this decision to the Information Commissioner who apparently forced the council to disclose the information.

David’s complaint with this is that the enquiry was treated as an FOI request in the first place, commenting that “sometimes, you just can’t make it up.” Well, I beg to differ.

Obviously, if an enquiry is straightforward and there are no concerns with disclosure, then it makes sense for a public authority to treat it as “business as usual”. But even where that happens, the enquiry – if in writing – is by the definition of an FOI request at section 8 of the Act, an FOI request, and importantly, subject to the requirements of the Act. It has to be answered PROMPTLY, and in any case within 20 working days.

The point I would make here is that whilst the council appears to have made the wrong decision in respect of whether or not to disclose the information, it is not handling the enquiry under FOI that has caused this. In fact, FOI’s role here has been to allow the employee to successfully challenge the council’s refusal to disclose the information. In other words, without FOI, the employee might never have received the information he wanted.

I do think this is an important point. Whilst the timescales in FOI might not be to journalists’ (and indeed others’) liking, the fact of FOI’s existence has led to, and will continue to lead to, information reaching them that would never have done before FOI became law. Before FOI, Derby Council’s employee would never have been able to find out how he and his colleagues’ pay was calculated. And journalists would have had no way to force the release of information that public authority Press Officers were unwilling to provide freely.

No doubt Press Officers do tell journalists to use FOI when they don’t want to tell them something. And HR departments may well do the same when they have a concern about disclosing information to employees. Before FOI they’d have just said “No”.