FOIMan highlights a new enforcement action taken by the ICO in relation to FOI handling by a public authority.
It was predictable. Just as I decided to take a break from being FOIMan for a while, things started happening in UK FOI. A couple of weeks ago the Information Commissioner’s Office (ICO) announced the launch of their FOI self-assessment toolkit. Then last week I read a couple of significant documents that had been published by the ICO, apparently providing conflicting signals as to the regulator’s interest in access to information law.
First of all, on Monday 20 July, the Information Commissioner’s Office (ICO) published their annual report for 2019-20. Aside from the usual statistical information about number of complaints, decision notices and so on, the report summarises the work of the ICO over the course of the last financial year. If you blinked while reading that summary, you might be forgiven for forming the belief that the ICO had nothing to do with FOI. In 41 pages, there are approximately half a dozen paragraphs, together making up no more than a page, that discuss the regulator’s activities in this sphere. There are multiple case studies – all covering the ICO’s data protection work. Recent ICO newsletters, some of which have omitted any mention of FOI at all, have compounded this impression that FOI is far from the top of the Commissioner’s list of current priorities.
So I started the week thinking maybe this was a good time to put FOI on the back burner. After all, everyone else is. And then…on Friday, my attention was drawn to the fact that the ICO had quietly issued the first practice recommendation to a public authority in over a decade. For those who’ve forgotten, if the Commissioner believes that a public authority is not following best practice as described in the two codes of practice (issued under sections 45 and 46 respectively of FOIA), she has the power to issue a practice recommendation outlining what they should do to bring their practices up to scratch. The problem with practice recommendations is that there isn’t anything the ICO can do if authorities decide to ignore them. They’re basically a slap on the wrist. However, in the absence of stronger powers to enforce good practice, they’re better than nothing.
Yet the last time the power was used was to issue two of these notices to the Department of Health in 2009 – one criticising their compliance with the s.45 code and the other, following an audit by the National Archives, compliance with the s.46 records management code (the suggestion being that the failings in the latter were contributing to the shortcomings in the former). After that there were no practice recommendations…until now.
The new practice recommendation criticises the FOI practices of the London Borough of Waltham Forest, suggesting that they fall short of the standards set out in the s.45 code of practice issued by the Cabinet Office in 2018. It follows a series of complaints made by a single persistent individual, but also a string of decision notices relating to late responses and other failings. Reading the practice recommendation, I got the distinct impression that the latest development resulted from a growing frustration amongst case officers at the ICO in their dealings with the borough. You can sense it when the document describes one communication from the authority as a “response”. Those quotation marks are the ICO’s own, not mine, and were clearly intended to convey the fact that the authority’s answer in that case was not worthy of the official terminology.
As a relative novelty, the full practice recommendation is worth a read, especially for practitioners. Effectively it requires the borough to:
- read and understand the scope of requests
- be clear about whether information is held or not (unless neither confirming nor denying)
- be clear about why requests are being refused
- meet applicants’ preferences as to the means of receiving requested information (as per s.11)
- improve the timeliness of responses
- conduct timely internal reviews and to a suitable standard (the ICO gives examples of review responses that failed to pick up simple failures in compliance and cited the wrong legislation)
- ensure that refusals on cost grounds only take into account the permitted activities, and not review and redaction time for example.
In addition, the Commissioner highlights lack of cooperation with ICO case officers and poor record-keeping. It’s clear the Commissioner is not happy with Waltham Forest. Interestingly, a lot of the criticisms listed are not just breaches of the s.45 code but also of the legal requirements under FOIA. On this occasion the practice recommendation seems to be being used as a means to highlight a general pattern of behaviour that can’t necessarily be captured in individual decision notices.
The question is whether this is a sign of the ramping up of FOI enforcement activity from the ICO suggested in an FOI response earlier in the year, which appeared to have been abandoned in the face of COVID-19. Alternatively, is this practice recommendation merely a one-off resulting from the regulator’s growing frustration with a particular public authority? Practitioners – and no doubt regular users of FOI – will be watching the ICO closely for clues as to the future direction of FOI enforcement.