Cost of everything, value of nothing

FOIMan examines an outburst of enthusiasm for transparency (of a sort) from Staffordshire County Council.

It must be silly season again. Local authorities are shouting about the cost of FOI. Which wouldn’t be so bad if they did it in an even-handed way that recognised the facts.

Yes, of course FOI costs money. Providing any public service costs money. What other costs are they keen to highlight? Yep, thought so.

This time it’s Staffordshire County Council. And they’ve decided to highlight spending on FOI, broken down by requester.  Of course, they’ve provided no detail as to how these costs are calculated. (Incidentally, Conrad Quilty-Harper of the data journalism site ampp3d puts the figures that are provided in context by claiming that only 0.00003% of the council’s budget goes on FOI, whilst the Chief Executive earns the princely sum of £194,550 a year.)

Top of their league table of resource-grabbing rabble-rousers is WhatDoTheyKnow. Except that WhatDoTheyKnow (WDTK) hasn’t made a single FOI request to Staffordshire. They provide a portal through which individual requesters can make requests. In my experience this is one of the primary ways that ordinary citizens use FOI – ie the local taxpayers that Staffordshire are so concerned about. As one WDTK volunteer put it, it’s like saying that Google have made all the requests submitted using GMail. If you, as I think is a more realistic way of grouping these requests, combine the cost Staffordshire attribute to WDTK with the cost attributed to the public, these look to exceed the cost of dealing with requests from any other group (especially if you break up the bizarre grouping of “Press and Commercial” – which reflect completely different uses of FOI). Mind you, Staffordshire also appears to think that the House of Commons is a political group, so this is not exactly a scientific analysis.

Often the FOI process is used by some commercial organisations to save time and research costs…The same applies to a growing number of FOI requests from the media. This can save companies and the press money by, for example, reducing research costs but only at a significant cost to the Authority which is unfair to Staffordshire tax payers.

Let’s consider “commercial organisations” for a moment. Now, when I was an FOI Officer myself, I admit to occasionally having got frustrated with the number of businesses putting in requests for details of IT contracts. At least one over-enthusiastic such entrepreneur has been blocked from using WDTK as they recognised the resource implication of his methods. But most of the time, the requests were relatively simple to answer, and the Act doesn’t suggest that such a use is “wrongful” – the point of the legislation is that anyone can ask questions for whatever reason.

One of the reasons for that – as was set out when the Act became law – is that it is aimed at improving the accountability of public authorities. Staffordshire is right – it is important to protect the taxes paid by taxpayers and ensure that they are spent responsibly. That’s exactly what FOI is for. And what’s more, those taxpayers INCLUDE the owners and employees of businesses.

Furthermore, central government at least has taken the view that it is a good thing for businesses to use the information already created by public bodies. It boosts the economy. That’s why they amended FOI to ensure that public bodies would make information available in a re-usable form.

Now I come to the most bizarre part of the argument (from my point of view at least). The council statement that:

 We think this is a wrongful use as the information requested is already freely available publicly.

If the information is “freely available publicly”, what the heck are they doing spending their time answering the requests for? FOI doesn’t require them to spend time doing research beyond identifying information they hold and providing it (unless an exemption applies). And there is an exemption in the Act that specifically rules out public officials having to answer requests for information that is publicly available. If it is, they just have to refuse the request and advise the requester as to where the information can be found. Usually, this will be a matter of emailing them a link to the relevant part of the website. This doesn’t seem particularly onerous to me.

The truth is, I actually have some sympathy with local authorities and others dealing with an ever growing volume of FOI requests at the same time as budgets get progressively smaller. I think FOI is a valuable right that does much good, and I don’t want to see it restricted. Apart from advising authorities to make better use of the tools in the Act – refusing costly requests, using the vexatious provisions more, and publishing more information (then refusing to deal with requests for that publicly available information) – I don’t really know what the answer is long-term. But I’m certainly not going to be convinced that FOI needs to be neutered by a council lumping together various costs in a seemingly arbitrary way and labelling perfectly normal use of the legislation as “wrongful”.


FOIMan News to 27 June 2014

FOIMan reports on the week’s key FOI and information rights news stories.

Information Commissioner changes tune on EIR Charges

The cost of staff time can be taken into account if charging for environmental information according to new guidance from the Information Commissioner’s Office. Previously the Commissioner had taken the view that only disbursements (photocopying, postage, etc) could be charged for. The Commissioner has also clarified his position on property searches and EIR.

Tribunal mauls DfE over Steiner Free Schools information

The First-Tier Tribunal (Information Rights) has ordered disclosure of information relating to Steiner Free Schools following a request from the British Humanist Association. In frank terms, the Tribunal dismissed arguments from DfE that there was a public interest in protecting the Free School applicants from disclosure of information under sections 35 and 43 of the Act. The Tribunal was particularly dismissive of the evidence of the Department’s witness, which it commented:

“was particularly weak and not at all persuasive in relation to explaining how disclosure would impact upon the ‘safe space’ sought for the formulation of policy”.

ICO Audits identify weaknesses in UK Police Forces’ Handling of Personal Data

The ICO has issued a report on audits it has carried out on police forces in the UK over the last year of their compliance with the Data Protection Act. Records management appears to have been the weakest area in most forces, echoing my observations earlier this week in relation to Barts Health Trust.

Blogpost of the week

The ICO’s blogpost summarising its new guidance on environmental information charging.


Sherlock’s shame

FOIMan suggests that limited assurance for records management at Barts Health NHS Trust means we can have limited faith in records management across the country.

What Moriarty thought of Barts’ records management is not recorded. Or is it?

One of the Information Commissioner’s powers under the Data Protection Act is to carry out audits of organisations that process personal data. So far these have all been done on a consensual basis – the ICO does have the power to carry out compulsory audits on government departments (brought in after the infamous HMRC data loss), but has not yet used this. Executive reports of these audits are published on the ICO website, unless the body concerned asks for it not to be. In which case, you can draw your own conclusions.

I noted yesterday (thanks to a tweet from Jon Baines) that the latest recipient of an ICO audit is Barts NHS Trust. Now I’ve been concerned about Barts’ security arrangements since a private detective and his psychotic arch-enemy were allowed to access Barts’ hospital roof apparently without difficulty a couple of years ago, but leaving that aside, I was curious about the outcome of their audit.

Now, data protection is a large and complex subject, as anyone who’s ever studied for a BCS (ISEB) or other qualification in the subject will know.  So whenever the ICO is planning an audit, it agrees with the subject organisation what areas it should look at. Barts chose information security and records management.

Despite stray detectives and criminal masterminds, you’ll be relieved to hear that Barts performed relatively well on the information security aspect of the audit, receiving “reasonable assurance”. This will have looked at access to IT systems, encryption of portable media, and other measures designed to prevent accidental loss of, or damage to, personal data.

But it was records management that attracted limited assurance (the second lowest grading in the ICO’s assessment scheme). This is concerning. Not just for Barts (though I’m sure they do take this outcome seriously), but for everyone else. Barts has a pretty good reputation for records management. I’m not sure about the situation now, but for many years it actually had records managers (widely respected ones, even outside the health sector), which is certainly not the case universally in hospitals and NHS Trusts across the UK. So if Barts’ records management is considered not up to scratch then I doubt very much that most other NHS Trusts (or indeed local authorities, government agencies, schools, private companies for that matter) would fare any better under ICO scrutiny.

I’m personally sceptical of the desirability, let alone feasibility, of “perfect” records management. What’s important is that organisations can function and protect their most valuable and sensitive information. But it is fair to say that few in the public or private sector give this the priority it deserves. So unless you actually want some ammunition to make the case for more investment in this area, it may be a good idea to avoid asking the Information Commissioner to look at your records management.

The FOI Squad

FOIMan puts together his dream team to fly to the FOIA World Cup.

First, a declaration of interest: I have none. In football, or indeed the World Cup. From what I gather, this is probably a good thing.

However, as with all major events these days, the World Cup has fostered an internet meme. The starting eleven. Here’s BBC One’s which inspired this post.

So I thought I’d have a go at the UK FOI Community Eleven. This turned out to be more difficult than I had imagined. When you start thinking about it, there are rather a lot of lawyers, academics, practitioners and requesters who could qualify. And of course, I’m already a place down as I can’t leave myself out (there has to be some advantage to wasting a Saturday afternoon on this). So with apologies to those who haven’t made the final list (blame my ignorance), here is the starting eleven.

Manager: Frankel M.

Tactician/Stats: Worthy B.

Technology: Steinberg T.

Pitt-Payne, T.

Hopkins, R.    Proops, A.     Hasan, I.     Baines, J.

Gibbons, P.     Wyeth, L.    Ghafoor, B.     Turner, T.

Brooke, H.     McInerny, L.


Subs: Burgess, M., Cook, C., Higgerson, D., Grant, H., Knight, C., Monkey, F., Rosenbaum, M.

Referee: Graham C.

Officials: Smith, G., Smith, D., Wood, S., Entwistle, S.

The back room staff are clearly important. The manager goes without saying. There’s only one guv’nor in this field – we’d have no FOI without Maurice and the Campaign (@campaignfoi – and whilst we’re on the subject, please do donate here). And every team needs its statto – take a bow Dr Ben Worthy (@benworthy1). These days, technology is a key feature of any successful team, and Tom Steinberg (@steiny), who established WhatDoTheyKnow (@whatdotheyknow), seems to fit the bill in this context.

High-tech graphics and gadgetry were used in the preparation of this post.

The players are more difficult. I figured that those of a more legal bent should be in defence. So we’ve got Tim Pitt-Payne (@tpittpayne) in goal, along with Robin Hopkins (@hopkinsrobin) and Anya Proops in the back line (all of whom contribute regularly to the excellent Panopticon Blog, as does Christopher Knight, who is on the subs bench for now). Clearly they’ll have to fight it out over who gets the number 11. Joining them are Ibrahim Hasan, Solicitor and Director of Act Now Training (@actnowtraining) and Jon Baines (@bainesy1969), not technically a lawyer but possessed of much legal knowledge as evidenced by his Information Rights & Wrongs blog.

I decided that we needed people up front who can open up a tight defence with FOI. It had to be effective users of the Act. But who to choose with only two places?

Well, it’s a tough choice. But in the end I went for the maverick but effective style of Heather Brooke (@newsbrooke), whose experience and patience opened up MPs’ expenses, combined with the youthful exuberance of Laura McInerny (@miss_mcinerny), who’s proved herself a valuable player against DfE in the run up to the tournament.

Which brings us to midfield. This belongs to practitioners and bloggers in my view – connecting up the legal knowledge at the back with those making the pace up front. So here we find Lynn Wyeth (@lynnFOI) and Bilal Ghafoor (better known as @FOIKid). Tim Turner (@tim2040), of course, is always right (Tim will just agree with that, ICO staff reading will just smile wryly). And me? I’ll be flying up the wing obviously.

This is a big match, so the choice of subs is important. We’ve got the cream of journalistic talent, ready to replace any absences up front or in midfield. Several lawyers and academics are ready to fill any holes at the back. My thinking is that Matt Burgess, creator of the FOI Directory (@FOIDirectory) could cover either midfield or replace one of our two strikers. And in any case he’ll probably appreciate the time on the bench to work on his book.

Of course, the quality of the match will depend to a great extent on the referee and officials. The manager was hoping for Judge Wikeley, but it will almost certainly be Christopher Graham, supported by his ICO senior team (@iconews). Unfortunately this means that there’s a real risk of either Tim Turner or Chris Cook (@xtophercook – if he’s brought on) being sent off for abusing an official.

If football isn’t your thing, then you can just as easily apply this reasoning to cricket. Just imagine Tim Pitt-Payne as wicket keeper, the defence as seam, fast and spin-bowlers and the strikers as the top of the order. Tim and Jon are useful all-rounders in the middle of the batting. Or you could do something more useful with your weekend.

(You may have noticed that the above nonsense does contain some handy recommended websites and Twitter handles (in brackets) to follow, so there is at least some value to it. Maybe.)

IC trouble ahead

FOIMan argues that funding cuts to the Information Commissioner’s Office are a huge threat to FOI.

Christopher Graham addresses the 2013 ICO Data Protection Officers’ Conference

Transparency’s a marvellous thing isn’t it? These days we can find out what goes on in all sorts of meetings across the public sector. One example is the way we get to eavesdrop on what the FOI and DP regulator is saying internally.

A couple of weeks ago the minutes of the Information Commissioner’s April Management Board were published in the ICO’s publication scheme. And one thing in particular caught the eye.

The Commissioner stressed in frank terms the financial difficulties his office was facing. At the moment, the ICO is funded by the notification fees that it receives under the Data Protection Act and grant-in-aid that it receives from the Ministry of Justice. The former brings in substantial amounts but is ring-fenced – it can only spend that money on its data protection-related activities. FOI activities are entirely dependent on MoJ funding. That funding has been progressively reduced over the last few years. The Commissioner stated that:

If grant in aid was cut further, action on anything other than routine freedom of information enquiries would be impossible.

It’s not as though the Office is profligate with its money. Whenever the ICO advertises a post, I am horrified at the level of salary on offer (and I’m not alone). Employees that will be responsible for considering high-profile and influential cases are apparently joining the office on salaries of less than £20,000.

ICO salaries are far from excessive

Even taking into account that the North West is cheaper to live in than London and the South East, salaries are very low. To put it in perspective, I once considered joining the ICO and the only job that matched my then salary would have involved managing 60 staff. As an FOI Officer in a high-profile London-based public body, I was reasonably remunerated, but not THAT reasonably. It’s not unknown for privacy or information security roles in the private sector to attract starting salaries of £70,000 or more, so it is faintly ridiculous to think that they would be explaining themselves to ICO Case Officers earning around a third of their income.

Bearing in mind how poorly paid many of its staff appear to be, and its increasing struggle for funding, it must be said that the ICO punches above its weight. The constant churn of new guidance, Codes, initiatives, decisions, undertakings, penalties suggests an organisation that is working hard and effectively. Much of my work as a trainer and consultant (not to mention blogger) is informed by their publications.  I know from my own experience that the work the Commissioner’s Office has done to raise awareness of data protection and privacy issues is making a difference, and monetary penalties are focussing minds. The progress made by the Commissioner was noted last year by the Justice Select Committee. Christopher Graham, whilst occasionally rubbing people up the wrong way (and perhaps this is actually a symptom of his success) has achieved wonders in reducing the backlog of complaints.

Nobody’s saying it is perfect – I’ve occasionally criticised it. All organisations make mistakes – they are, after all, staffed by human beings. The sheer volume and scale of the ICO’s work means that statistically they’re occasionally going to call something wrong. And given that much of information rights law is open to interpretation, it is inevitable that there will be differences as to how the law should be applied at times.  (And of course, it’s much easier to criticise from the boundary – harder to be the team out there playing the game).

Now Mr Graham says that the regulation of FOI is under threat due to successive cuts in funding. This is a major limitation on the effectiveness of FOI. We often forget that before 2005, most commentators expected FOI to be a damp squib. That it hasn’t been is at least partly due to a regulator prepared to challenge the status quo. Remember it was the Information Commissioner that ruled in favour of Cabinet minutes, risk registers and Prince Charles’ correspondence being disclosed, and often used his resources to argue the case further through lengthy appeal processes in the courts.

If the ICO is not properly funded, it is in my view at least as great a threat to FOI as attempts to water down the legislation (which are at least subject to a degree of Parliamentary scrutiny). Political parties that claim to support FOI and transparency (ie all of them, publicly at least) must commit to properly fund the office if elected to govern next year.

Things could get worse. The European Union’s proposed Data Protection Regulation would end the requirement to notify the Commissioner each year, and more importantly the annual fee that currently involves. If that happens, the ICO may be completely dependent on funding from Government in future. Given the current state of affairs, that is not an encouraging thought.