Archive for Comment

Propping open the gate

FOIMan discovers that the government has an answer to ‘legitimate’ concerns over the GDPR and FOI.

One of the concerns of the Information Commissioner and many observers in relation to the General Data Protection Regulation (GDPR) is that it could potentially lead to less information about individuals being disclosed under FOI. Obviously protecting personal data is important but it shouldn’t stop legitimate public debate around things like MPs’ expenses or council Chief Executives’ pay.

The reason this is an issue is that the s.40 exemption for personal data – or at least the part of it that is most often relevant – revolves around the data protection principles set out currently in schedule 1 of the Data Protection Act 1998 (DPA). The first and most relevant of these says that data must be processed fairly and lawfully. In determining whether a disclosure of information is lawful, authorities have to consider whether it is justified by reference to a condition in schedule 2 of DPA. The condition that most often applies to FOI disclosures is that there is a legitimate interest in disclosing the information that can only be met by the disclosure. This has to be balanced against the rights of the individual. It is this condition that has led to lots of personal information about pay, expenses and so much besides entering the public domain.

The problem is that whilst GDPR more or less replicates the first principle, and the conditions as well, it explicitly says that public authorities can’t use the legitimate interests condition. In other words, potentially there could be no legal mechanism to justify disclosures of personal information in the public interest.

Schedule 18 of the Data Protection Bill 2017, the first draft of which was published yesterday, addresses this by the simple expedient of saying that as far as FOI is concerned, the GDPR bar on public authorities using legitimate interests to justify use of data can be ignored. If this survives the passage of the Bill, the gateway for lawful disclosures of personal data under FOI will remain open. Which is good news for public sector accountability.

Local Authority Meetings & Secrecy

FOIMan clarifies the relationship between FOI and local authority meeting rules.

Following the awful tragedy that unfolded at Grenfell Tower, there have been a lot of questions asked of the local council, the Royal Borough of Kensington and Chelsea (RBKC). Yesterday (29 June 2017) the council held a Cabinet meeting which began and ended in controversial circumstances. I was subsequently asked by a follower on Twitter about the relationship between FOI and attendance at council meetings.

The short answer is that there is none. FOI gives a right of access to information held by public authorities. It doesn’t regulate access to meetings.

The longer and more helpful answer is that FOI forms part of a range of legal requirements that ensure that local authorities like RBKC are accountable. I’ve written previously about transparency rules in local government. In relation to meetings of the RBKC cabinet, the Local Authorities (Executive Arrangements) (Meetings and Access to Information) (England) Regulations 2012 are, I believe, the relevant rules. I won’t go into whether RBKC were entitled to exclude the media from the meeting in this case as a) I don’t claim to be an expert in this area, and b) it’s already been dealt with by a legal ruling which ruled that the Press had to be admitted. But if you’re interested in what the rules are, the regulations I mention above may be of interest to you.

From my point of view, one of the most interesting issues is that RBKC are the latest organisation to discover that the perception of secrecy can be just as damaging, if not more so, as the revelation of embarrassing information (interestingly a theme explored by Dr Ben Worthy in his recent book on The Politics of FOI, which I thoroughly recommend). As one MP in their maiden speech said:

The public has the right…to know what its elected representatives are doing…Publicity is the greatest and most effective check against any arbitrary action.

The MP was Margaret Thatcher, and she said this in 1960 in support of a Bill to allow the Press to attend council meetings.

(HT to Alan Travis of The Guardian – @alantravis40 – for providing the quote above from Hansard in a Tweet yesterday)

GDPR’s Duty to Document

FOIMan explains how GDPR puts keeping records well at its very centre.

Back in December, the Information Commissioner, Elizabeth Denham, indicated her wish for a new duty to document law. I’ve written previously about this here and here.

On 28 April, I explored this issue a bit further in a talk to the public sector group of the Information and Records Management Society (IRMS) at a venue in Westminster. I’d been asked to talk about the need to keep records for corporate requirements identified in the FOI s46 Code of Practice.

The s46 Code does spell out the need to keep records to meet legal requirements, to record precedent, to document legal and other rights, and to justify actions taken. It’s worth noting that s.48 of FOIA gives the Information Commissioner the power to issue “practice recommendations” requiring public authorities to bring their practice into line with the Codes of Practice. So the s46 Code establishes a duty to document and the Act gives the Commissioner (admittedly limited) powers to enforce it.

Leaving FOI behind though, I handed delegates postcards of the image above. It illustrates the data protection principles as set out in the General Data Protection Regulation (GDPR). Right at the centre of my image is the accountability principle. It means that organisations will not be able to comply with the other principles without being able to demonstrate their compliance. In other words, they need to keep records to show what they are doing with people’s personal data. What they told those people when it was collected. Whether they gave consent. What their data protection impact assessment concluded. And so on.

Keeping records – and keeping them well – is central to compliance with GDPR. Records management should form a central plank of your GDPR preparations over the next year. Not least because it is very clear that the Information Commissioner is very interested in records management indeed.

Let me know if you need a speaker for your event – I’m always happy to help if I can. If you’re looking for in-house training on GDPR, get in touch for a quote.

References:

s.46 Code of Practice

GDPR

Nothing flopsy about this RoPSI

FOIMan finds the Holy Grail of a first decision under the Re-use of Public Sector Information Regulations.

[Image: a rabbit. Caption: “Careful…it could turn at any minute.”]

Ever since the first Re-use of Public Sector Information Regulations became law in 2005, I’ve known them as RoPSI. This has always amused me as I envisage them as a cute little bunny rabbit. Flopsy RoPSI. Bless.

But in fact since 2015 they’ve had more teeth – think more of the blood-thirsty fur-ball in Monty Python and the Holy Grail. The 2015 regs require public authorities to allow re-use of information on request in most circumstances. And what’s more, they bring the full range of FOI enforcement options to bear on re-use. Which are of course wielded by the Information Commissioner.

That said, we haven’t seen the Commissioner use these powers in anger – until now. The first decision notice has been issued in relation to RoPSI. It criticises Cambridgeshire County Council for imposing unnecessary restrictions on the applicant for re-use of right of way data.

Cambridgeshire had allowed the re-use of the data under a licence which was limited to one year, and appeared to limit re-use to the applicant alone. These were problems for the applicant as the intention was to use the data on an open mapping website where it might then be further re-purposed by others. They had also reserved the right to charge for re-use but had waived the charge on this occasion.

One of the council’s concerns was that the intellectual property of the Ordnance Survey (OS) would be breached, which was soon dismissed when the OS told the ICO that they had no problem with rights of way data being re-used under the Open Government Licence (OGL). Another was that the data itself would soon be updated. The council was imposing the one year licence so that the applicant would be forced to update their map after a year. The ICO pointed out that the OGL requires those reusing data to publish data with a caveat warning that the data might not be accurate. This should be sufficient to meet the council’s concerns.

The council’s position was also undermined by the fact that other councils allowed re-use under the OGL. Taking all this into account, the Commissioner concluded that the licence terms were unnecessarily restrictive. It appears that when it comes to licensing of public sector data, public authorities will need good reasons not to apply the OGL.

Unfortunately the issue of whether the council could charge for re-use wasn’t examined because the council hadn’t charged in this case. I suspect that if it had been looked at, the Commissioner would not have been sympathetic to a charge. Under RoPSI, in many circumstances, only “marginal costs incurred in respect of the reproduction, provision and dissemination of documents” can be charged for re-use. Take note those tempted, like Cambridgeshire, to adopt the National Archives’ “Charged Licence” when responding to re-use requests.

The Commissioner was also critical of the council’s tardiness in responding to ICO enquiries (and indeed considered whether they had failed to deal with the original request ‘promptly’). The decision notice threatens that in future the Commissioner will be prepared to require information under her statutory powers at s51 of FOIA, and suggests that the council should consider whether sufficient resources are in place. It’s clear the Commissioner has been less than impressed with the way that Cambridgeshire have dealt with her enquiries and this request for re-use.

This first decision notice under RoPSI sends out a signal that, as with FOIA and data protection, the ICO means business under their new Commissioner.

Should Cambridgeshire disagree with the Commissioner, they need only appeal to the First Tier Tribunal. Unless they have access to the Holy Hand Grenade of Antioch, of course.


I’ll be covering re-use and the Re-use of Public Sector Information Regulations on my Practical FOI Skills and Transparency Requirements course for Act Now Training.

References:

Decision notice FS50619465 (Cambridgeshire County Council)

Re-use of Public Sector Information Regulations 2015

Open Government Licence v.3

University FOI Stats 2016

FOIMan reviews JISC’s latest report on FOI in higher education.

There aren’t that many sources of information on FOI performance. Central government of course publishes statistics on its own compliance, but outside of Whitehall, the availability of statistics on how public bodies apply FOI is ironically pretty limited. If you want to know more about sources for FOI statistics, I wrote about it for the FOI Journal last year. One of the sectors that does publish information every year is the higher education sector.

Every year, JISC, the higher education information and research body, conducts a survey of universities on their experiences with FOI, EIR and data protection subject access requests. The data is collated into handy charts which are made available online and can be downloaded in reusable form for further number crunching. It always provides quite a detailed insight into FOI handling and this year’s is no different.

Amongst the highlights of this year’s report:

  • universities received an average of 264 requests (mostly – 232 – FOI requests) in 2016 – after a drop last year, requests were up 10%;
  • 51% of requests were granted in full – 17% were partly fulfilled;
  • only 9% were fully withheld due to exemptions;
  • most requests (27%) were about “student issues”;
  • journalists were the most common type of requester – 23% (though it should be noted that 22% of requesters were not identified);
  • only 4% were not answered within 20 working days;
  • the most time-consuming parts of handling an FOI request were “locating and accessing information”, “reviewing information” and “considering exemptions”.

We have to remember that these figures are self-reported and the survey is voluntary – many universities didn’t report at all. However, what we do have is some very useful data on how FOI is working in these public bodies.

Although JISC introduce the report by commenting that the rise in FOI requests represents a “seven-fold increase” since reporting began in 2005, it should be noted that this started from a very low base. Most local authorities would kill to have FOI request rates as low as 232.

Despite the common complaint about FOI requests from IT companies trying to get hold of procurement intelligence, only 7% of requests are about procurement (though it’s possible these requests were counted in the 9% of requests about IT provision). Only 13% of requests are recorded as coming from “commercial organisations”.

A note on use of exemptions. There was quite a bit of commentary when the Institute for Government published a report last month suggesting that the government’s stats indicated that government departments were becoming less open as they were using more exemptions, and failing to meet deadlines more often. There’s nothing to suggest this is a problem in Higher Education in JISC’s stats, and in any case I’m not at all sure that you can make that conclusion from raw statistics. After 12 years of FOI, it may just be that government departments have already disclosed all the “low-hanging fruit”, and that what remains now are the difficult cases that are more likely to be refused or take longer to answer. What’s really needed if we want to understand changing attitudes to FOI in public bodies is research involving a qualitative analysis of the types of requests being refused – are they the ones that would have been answered in the early days of FOI? Or are the questions being asked more challenging these days? One for the academics in our higher education institutions. Statistics are helpful, but they only provide part of the picture.

If public authorities want tips on how to improve their performance under FOI, just a reminder that you can join me for one of my training courses on FOI for Act Now Training, starting with an intensive look at the FOI Exemptions on 24 April in London. Details on the Act Now Training website.