Archive for FOIMan

Back to the FOIA: FOI, historical records and archives

FOIMan writes about the relationship between FOI and the past.

Way back before I got involved with FOI, I started my career as an archivist. In my latest article for the Freedom of Information Journal, I’ve written about the complex relationship between FOI, historical records and archives. Both archives and FOI provide means to hold public authorities to account. So how do they interact – and is FOI damaging archives?

You can find out by reading the article here.

FOI enforcement developments

FOIMan notes a couple of developments on FOI enforcement.

A brief note of two important enforcement actions taken by the Information Commissioner’s Office (ICO) in the last few weeks.

First off, the Royal Borough of Kensington and Chelsea has been given a Monetary Penalty Notice of £120,000 for accidentally disclosing personal data. The FOI Officer apparently failed to notice that a spreadsheet contained a pivot table which held personal data in it. This is similar of course to a previous MPN given to the London Borough of Islington a few years ago. The council was criticised in particular for failing to train its FOI Officers adequately.

Even more notably, and in a first, it was reported this week that the ICO is prosecuting a councillor with Thanet District Council in Kent under s.77. Whilst this provision has always been there to sanction the destruction, hiding or alteration of records to avoid FOI, it has never been used by the ICO. The case will be heard in September, so one to watch.

Data protection doesn’t require important records to be destroyed

FOIMan explains why any organisation which blames the destruction of important records on data protection rules is being either disingenuous or is ignorant of what the law requires.

In recent weeks The Guardian has drawn attention to the plight of those innocent people who have lived in the UK for many years, only to be told recently by the Home Office that they could face deportation. This week the Home Secretary finally apologised, but many people are still in a legal limbo, unable to prove their status, not realising that they would ever need to.

Now a former Home Office employee has reported that disembarkation cards which might have helped establish the status of many of these people were deliberately destroyed by the Home Office a few years ago. Responding to the claim, the Home Office has conceded that records were destroyed but claims that this was necessary to comply with the Data Protection Act (DPA). The records were, according to them, destroyed:

to ensure that personal data … should not be kept for longer than necessary. Keeping these records would have represented a potential breach of these principles.

This argument has a long pedigree. It was cited by a police chief constable at the time of the Soham murders as a reason why records were not retained about Ian Huntley which might have prevented his employment as a caretaker at a school. It was used more recently by the House of Commons to justify the early destruction of MPs’ expenses records.

In both these cases, and in the latest example, this is just plain wrong. If the press officer or whoever drafted this statement had checked with their Data Protection Officer, they would have been able to tell them this.

It is true that one of the data protection principles requires that personal data be kept no longer than necessary, and that data controllers – organisations – are required to put in place procedures to ensure this. However, note that word “necessary”. It places the responsibility fairly and squarely at the door of the organisation that has collected the data to decide what is “necessary” and to justify it. If records are still being used to answer enquiries about individuals’ immigration status (as the Home Office whistleblower has maintained), or are at the centre of one of the biggest scandals to hit modern British politics, I would suggest that it is “necessary” to retain them, and to do so can be easily justified. Data protection laws do not say they must be destroyed.

Furthermore, even if there is a view that it is no longer necessary to retain records for their original purpose, both the DPA 1998 and GDPR permit records to be retained for historical research purposes in a record office. The Home Office whistleblower reports that it was suggested that the cards be offered to a record office, but that they were told that no archive wanted them. As public records, the National Archives would have had first option on these and since these records would seem to be of great value to genealogists and those studying the history of migration and minority ethnic communities in the UK, it is hard to imagine them turning such an offer down. Even if they did, are we to believe that other record offices, including for example Brixton’s Black Cultural Archives (based in Windrush Square), a repository specialising in the history of Britain’s African and Caribbean communities, would have said no? It seems unlikely if they were given the opportunity (and the significance of the cards was explained to them). Data protection rules would have allowed the cards to be retained indefinitely in a record office.

Data protection rules simply do not require records with continuing value to be destroyed. Anyone claiming that they do is being disingenuous or is ignorant of what data protection requires. Let’s hope that organisations – particularly those that should know better – stop churning out this misconception every time that they are criticised for the disposal of records.

References:

Home Office destroyed Windrush landing cards, says ex-staffer, The Guardian, 17 April 2018 https://www.theguardian.com/uk-news/2018/apr/17/home-office-destroyed-windrush-landing-cards-says-ex-staffer

MPs to escape expenses investigations after paperwork destroyed by Parliament, Daily Telegraph, 2 November 2014 https://www.telegraph.co.uk/news/newstopics/mps-expenses/11204405/MPs-to-escape-expenses-investigations-after-paperwork-destroyed-by-Parliament.html

The politics of records management, FOIMan blog, 7 November 2014 https://www.foiman.com/archives/1337

Soham police chief ‘ignored advice’, The Guardian, 26 March 2004 https://www.theguardian.com/uk/2004/mar/26/soham.ukcrime

FOI and Open Data Developments

FOIMan reports on a new strategy from the ICO and a move for open data (and data sharing) responsibilities in government.

Elizabeth Denham, Information Commissioner

Elizabeth Denham

I’m briefly emerging from my monastic cell to note some recent developments in FOI that may have passed you by amidst frenzied GDPR preparations.

The Information Commissioner recently gave the annual Jenkinson Lecture at University College London. In it, she made intriguing reference to a new ICO FOI strategy. What does this strategy consist of?

  1. The Commissioner wants to augment the “request-based, and frankly, reactive” model of FOI. There appears to be a new focus on pro-active disclosure, and linked to this, the Commissioner is interested in giving new impetus to open data initiatives, particularly focussing on making them more sustainable. Self-assessment tools for public authorities are mooted.
  2. She wants FOI to expand to reflect changes in the way that public services are run (not a new call, of course). Housing Associations were particularly singled out for attention.
  3. She remains concerned about compliance with FOI deadlines, and is keen to explore ways to improve these. The publication of FOI statistics proposed by the FOI Commission in March 2016 (and more recently included in the draft s.45 Code of Practice released before Christmas) was highlighted, and it was suggested that the Commissioner could carry out audits even where no specific complaint has been received (or ‘own-motion compliance investigations’).
  4. Access Impact Assessments may be coming your way. Presumably inspired by her office’s preparations for GDPR, the Commissioner suggested that assessments should be made of the “access impact of new systems and initiatives”.

News of such a strategy is interesting in its own right, but I read earlier today of changes to responsibilities in central government (what are known as ‘changes to the machinery of government’). Responsibility for open data policy, together with data sharing, data governance and data ethics has moved from the Government Digital Service (in the Cabinet Office) to the Department for Digital, Culture, Media and Sport (DCMS). Could the Commissioner’s comments on open data be linked to this move, perhaps? And are there moves afoot to move FOI to DCMS as well? It would make sense – but machinery of government changes don’t always appear to be made with good sense in mind.

The Freedom of Information Officer’s Handbook

FOIMan unveils a forthcoming book seeking to define the role of the FOI Officer and provide help to anyone struggling with the management of their organisation’s FOI obligations.

The Freedom of Information Officer's Handbook, Facet PublishingIf you are employed as a FOI Officer, or even just do a job that involves dealing with a lot of FOI requests, one of the problems has always been that there is no manual. Until now. Later this year, Facet Publishing will be bringing you The Freedom of Information Officer’s Handbook, a new book about FOI by…well, me.

Yes, I referred recently to my relative silence online in recent months, explaining that this was partly down to the demand for GDPR training over the last few months (which continues), but also hinted at another mystery time-consuming commitment. I can now reveal that the latter has been (and continues to be), the writing of this book. This will be my first book (and perhaps my last!), which is obviously exciting for me, but hopefully also an interesting development for those of you who have followed this blog over the last few years.

There are plenty of places to find guidance on FOI, and even other books that explore FOI from a legal perspective, focussing on the application of exemptions for example. However, there isn’t anything (to my knowledge at least) that provides a comprehensive guide to how FOI should be managed by public authorities. So whilst you will find useful summaries of the law and how exemptions should be applied in this book, you will also find guidance on best practice when it comes to administering FOI. A chapter on embedding FOI in your organisation will include the development of policies and procedures, and how to assess and address training needs. Another on managing FOI will look at the IT systems that can be used to log requests, and how to improve performance, amongst other things. Some of you will have been lucky enough to receive FOI requests from me over the last year,* and the answers to those requests, together with my own experiences over the last 15 years, and other published research on FOI, will bring a fresh perspective on how FOI should be managed.

A really important thing for me in proposing and writing this book has been to explore the role of the FOI Officer. FOI is still relatively new, and whilst I often refer to FOI Officers in this blog and elsewhere, there aren’t actually that many people who answer requests that are called ‘FOI Officer’ within their own organisation. They often have to fit FOI work around other responsibilities. The work of those involved in FOI management, and the challenge they face, is often hugely underestimated by both requesters and by their colleagues and managers. In this book I hope to cast some light on their work and help those in these roles to be better appreciated by both others and (perhaps more importantly) by themselves.

The book won’t ignore related legislation either. The Environmental Information Regulations will feature heavily, and a chapter on copyright and re-use will discuss the Re-use of Public Sector Information Regulations and how they interact with FOI. There will also be brief descriptions of how the various FOI laws from around the British Islands (Scotland, Ireland, Isle of Man, States of Jersey) differ from the UK one that is the focus of the book.

Finally, the book offers the opportunity to provide an updated vision of FOI management in the context of the latest developments. In particular, I’ll be looking at what GDPR means for FOI, both in terms of compliance, but also considering what lessons there might be from concepts such as Data Protection Officers and data protection by design. The new s.45 Code of Practice will obviously feature (and I’m hoping the finalised version will be published in time to be referenced!).

The book is obviously aimed primarily at practitioners and others working in public authorities. However, just as this blog has proved to be of interest to a wider audience of journalists, academics, and other users of the Act over the last few years, hopefully the book will also appeal to those outside the public sector curious about how FOI works in practice.

The Freedom of Information Officer’s Handbook will be published by Facet Publishing towards the end of this year. It retails at £59.95, but readers of this blog can pre-order copies direct from the publisher with a 30% discount (resulting in a reduced price of £41.99). To take advantage of the discount, email info(Replace this parenthesis with the @ sign)facetpublishing.co.uk to indicate your interest in ordering a copy and quote the code FOIMAN (do not supply payment card or bank account details by email). The publisher’s distributor will then contact you to arrange payment and discuss despatch instructions. For more details about how your information will be used by Facet, see the privacy policy on their website.

* And more seriously, a very big thank you to everyone who has answered FOI requests from me or helped in any way over the last few months – it is hugely appreciated.