FOI Man summarises the key developments in a busy week in the information law arena.

You would think that this time of year would be a quiet one in the information law arena, but apparently not. Last week saw the publication of new fees regulations and Information Commissioner’s Office (ICO) guidance to support new FOI requirements in relation to datasets which come into force on 1 September; a new Code of Practice from the ICO on handling subject access requests under the Data Protection Act; and a draft Code of Practice on conducting privacy impact assessments. That’s leaving aside criticism of the Information Commissioner – and a forthright response from him – over the way he has reacted to the Cabinet Office’s apparent attitude to FOI. Here I’ve summarised the key developments last week and provided some links in case you want to read more about them.

FOI and Datasets

The Protection of Freedoms Act 2012 amended the Freedom of Information Act to oblige public authorities to release “datasets” in a reusable format. I’ve written about what these changes mean in a previous post. Late last month it was announced that the changes would come into force on 1 September this year, and a special datasets Code of Practice under section 45 of the Act has already been published by the Ministry of Justice. On Friday new regulations setting out the circumstances under which public authorities can charge to licence re-use of datasets were published, as was new guidance on these provisions from the Information Commissioner. Steve Wood, the ICO’s Head of Policy Delivery, has blogged about what these changes mean for public authorities and the ICO.

Data Protection and Subject Access Requests

Probably the most well known provision of the Data Protection Act 1998 (DPA) is the right of individuals (or “data subjects”) to ask organisations for information held about themselves. Earlier this year the ICO consulted on a Code of Practice on the handling of such requests, and this week the finalised Code was published. Anya Proops of 11KBW has given her reaction to the new Code, and has highlighted an apparent conflict between case law and the Commissioner’s approach in respect of the requester’s purpose. Meanwhile, DPA and subject access requests were considered in a High Court case. It has proved a rarity for DPA to be tested in the courts, certainly at that level, so this was an important ruling.

Data Protection and Privacy Impact Assessments

The ICO likes a good Code of Practice these days, so no sooner has the ink dried on its subject access Code of Practice, than it has published a new draft Code on privacy impact assessments. Privacy impact assessments have been promoted by the ICO for many years as a form of risk assessment to be carried out at an early stage of projects that are likely to involve, or relate to processes that involve, the processing of personal data. The ICO wants to know what individuals and organisations think of the draft Code.

ICO publishes statistics on data breach reports

Breaches of DPA have become big news these days, often featured in the national media. Last week the ICO began to publish statistics on data breach reports made to them, starting with the period from 1 April to 30 June 2013. In a welcome move, they have also put together a spreadsheet listing details of all civil monetary penalties issued and this can be accessed on their website. Sally-Anne Poole, Group Enforcement Manager at the ICO, has blogged about the thinking behind these latest developments.

Three more organisations to be monitored over FOI response times

The ICO has announced that the Home Office, Sussex Police and South Tyneside Council will be monitored for three months due to concerns over delays in responding to FOI requests. At the same time, the results of the January to March monitoring period have been reported. They have now cleared the Departments for Education and Work and Pensions, but have remaining concerns about the Office of the First Minister and Deputy First Minister of Northern Ireland. The Chief Executive of another public authority, Wirral Borough Council, has had to sign an undertaking promising to make improvements.

Mr Cook, the teeth, Cabinet Office strife and some bother

The start of last week saw a newspaper editorial criticise the Information Commissioner himself for failing to enforce FOI in respect of failings by the Cabinet Office. This follows the FT’s Chris Cook’s investigations into use of private email accounts by government ministers and special advisers. In a typically robust response, Christopher Graham made clear that he felt these criticisms unfair. I commented here that I thought the Commissioner’s defensiveness misplaced. Others – Jon Baines and Tim Turner – highlighted evidence of the Cabinet Office’s shortcomings and missed opportunities for ICO action. This one will run and run.



  1. I ‘m surprised that this didn’t make the cut: Section 6 change so that FOI covers “… not only companies wholly owned by one public authority, as is the position at present, but also those wholly owned by more than one “relevant public authority.” (quoted from ICO newsletter).

    This is a really big deal particularly given the increase in joint working between health (NHS) and social care (local authority) services – “and about time too”.

    Disclaimer: I say this as someone who has been co-ordinating answers for FOI requests relating to joint working between a PCT and local authority for quite some time. “No, in theory we don’t have to answer it. In practice, it’s public funds so we should.” Grateful to colleagues “both sides” for helping to meet the spirit of the Act.

    S Jones
    1. Hi Sandre
      Thanks for the comment. My understanding is that the s6 change comes in on 1 September – this piece was about developments last week, which included the publication of the datasets guidance. But you’re right that it’s an important development, and interested to hear about your experience.

Comments are closed.