Archive for Comment

Data protection doesn’t require important records to be destroyed

FOIMan explains why any organisation which blames the destruction of important records on data protection rules is being either disingenuous or is ignorant of what the law requires.

In recent weeks The Guardian has drawn attention to the plight of those innocent people who have lived in the UK for many years, only to be told recently by the Home Office that they could face deportation. This week the Home Secretary finally apologised, but many people are still in a legal limbo, unable to prove their status, not realising that they would ever need to.

Now a former Home Office employee has reported that disembarkation cards which might have helped establish the status of many of these people were deliberately destroyed by the Home Office a few years ago. Responding to the claim, the Home Office has conceded that records were destroyed but claims that this was necessary to comply with the Data Protection Act (DPA). The records were, according to them, destroyed:

to ensure that personal data … should not be kept for longer than necessary. Keeping these records would have represented a potential breach of these principles.

This argument has a long pedigree. It was cited by a police chief constable at the time of the Soham murders as a reason why records were not retained about Ian Huntley which might have prevented his employment as a caretaker at a school. It was used more recently by the House of Commons to justify the early destruction of MPs’ expenses records.

In both these cases, and in the latest example, this is just plain wrong. If the press officer or whoever drafted this statement had checked with their Data Protection Officer, they would have been able to tell them this.

It is true that one of the data protection principles requires that personal data be kept no longer than necessary, and that data controllers – organisations – are required to put in place procedures to ensure this. However, note that word “necessary”. It places the responsibility fairly and squarely at the door of the organisation that has collected the data to decide what is “necessary” and to justify it. If records are still being used to answer enquiries about individuals’ immigration status (as the Home Office whistleblower has maintained), or are at the centre of one of the biggest scandals to hit modern British politics, I would suggest that it is “necessary” to retain them, and to do so can be easily justified. Data protection laws do not say they must be destroyed.

Furthermore, even if there is a view that it is no longer necessary to retain records for their original purpose, both the DPA 1998 and GDPR permit records to be retained for historical research purposes in a record office. The Home Office whistleblower reports that it was suggested that the cards be offered to a record office, but that they were told that no archive wanted them. As public records, the National Archives would have had first option on these and since these records would seem to be of great value to genealogists and those studying the history of migration and minority ethnic communities in the UK, it is hard to imagine them turning such an offer down. Even if they did, are we to believe that other record offices, including for example Brixton’s Black Cultural Archives (based in Windrush Square), a repository specialising in the history of Britain’s African and Caribbean communities, would have said no? It seems unlikely if they were given the opportunity (and the significance of the cards was explained to them). Data protection rules would have allowed the cards to be retained indefinitely in a record office.

Data protection rules simply do not require records with continuing value to be destroyed. Anyone claiming that they do is being disingenuous or is ignorant of what data protection requires. Let’s hope that organisations – particularly those that should know better – stop churning out this misconception every time that they are criticised for the disposal of records.

References:

Home Office destroyed Windrush landing cards, says ex-staffer, The Guardian, 17 April 2018 https://www.theguardian.com/uk-news/2018/apr/17/home-office-destroyed-windrush-landing-cards-says-ex-staffer

MPs to escape expenses investigations after paperwork destroyed by Parliament, Daily Telegraph, 2 November 2014 https://www.telegraph.co.uk/news/newstopics/mps-expenses/11204405/MPs-to-escape-expenses-investigations-after-paperwork-destroyed-by-Parliament.html

The politics of records management, FOIMan blog, 7 November 2014 https://www.foiman.com/archives/1337

Soham police chief ‘ignored advice’, The Guardian, 26 March 2004 https://www.theguardian.com/uk/2004/mar/26/soham.ukcrime

FOI and Open Data Developments

FOIMan reports on a new strategy from the ICO and a move for open data (and data sharing) responsibilities in government.

Elizabeth Denham, Information Commissioner

Elizabeth Denham

I’m briefly emerging from my monastic cell to note some recent developments in FOI that may have passed you by amidst frenzied GDPR preparations.

The Information Commissioner recently gave the annual Jenkinson Lecture at University College London. In it, she made intriguing reference to a new ICO FOI strategy. What does this strategy consist of?

  1. The Commissioner wants to augment the “request-based, and frankly, reactive” model of FOI. There appears to be a new focus on pro-active disclosure, and linked to this, the Commissioner is interested in giving new impetus to open data initiatives, particularly focussing on making them more sustainable. Self-assessment tools for public authorities are mooted.
  2. She wants FOI to expand to reflect changes in the way that public services are run (not a new call, of course). Housing Associations were particularly singled out for attention.
  3. She remains concerned about compliance with FOI deadlines, and is keen to explore ways to improve these. The publication of FOI statistics proposed by the FOI Commission in March 2016 (and more recently included in the draft s.45 Code of Practice released before Christmas) was highlighted, and it was suggested that the Commissioner could carry out audits even where no specific complaint has been received (or ‘own-motion compliance investigations’).
  4. Access Impact Assessments may be coming your way. Presumably inspired by her office’s preparations for GDPR, the Commissioner suggested that assessments should be made of the “access impact of new systems and initiatives”.

News of such a strategy is interesting in its own right, but I read earlier today of changes to responsibilities in central government (what are known as ‘changes to the machinery of government’). Responsibility for open data policy, together with data sharing, data governance and data ethics has moved from the Government Digital Service (in the Cabinet Office) to the Department for Digital, Culture, Media and Sport (DCMS). Could the Commissioner’s comments on open data be linked to this move, perhaps? And are there moves afoot to move FOI to DCMS as well? It would make sense – but machinery of government changes don’t always appear to be made with good sense in mind.

A new FOI Code for Christmas

FOIMan takes a look at the government’s long-awaited draft FOI section 45 Code of Practice.

A long, long time ago, in a galaxy far, far away, before BREXIT, before the last General Election, you may recall that the Government, which was apparently led by some guy called Cameron, set up a Commission to make recommendations on FOI. If you’ve forgotten that, you almost certainly won’t remember that the government responded to the outcome of the Commission with a promise to update the s45 Code of Practice. The Code is required under (you’ve probably guessed) s.45 of the Act. The existing Code was written in 2004 (some bloke called Blair was in charge then, but nobody remembers him), and is, frankly, about as much use as a chocolate teapot (and rather less satisfying to consume).

Since March 2016, when the government made this promise, there have been wars and rumours of wars. In December 2016, the Information Commissioner reported at an FOI event that she’d heard a draft would be released in the new year. Notably, she didn’t indicate which one.

But now here we are. Last week, the Cabinet Office quietly published a new draft Code and consultation paper. So what does this new Code look like?

I’ve only had chance to quickly peruse it, but some observations. Overall, it is a welcome move to a practical guide for public authorities on fulfilling their FOI obligations. It actually addresses many of the crucial questions that arise for practitioners – it is helpful.

That said, there are a few things that leapt out at me.

The first section deals with the making of requests – what’s a valid request, how to carry out searches, that sort of thing. There is an attempt to define what should be treated as an FOI request which seems a missed opportunity. Apparently it is an FOI request unless it is asking for personal data, environmental information or “information given out as part of routine business”. Given that, as we’ll see, the Code calls for authorities to report on numbers of requests received, it would be useful for it to define more precisely which requests ought to be logged, monitored and reported on. I’m not convinced this definition is precise enough for that.

There is a degree of wish fulfilment on display. Information that has been deleted but remains on back-ups is not held, says the Code, in direct contradiction of multiple Tribunal decisions. Requests made in a foreign language will not be valid requests, it claims, which may be a practical reality for the most part (since it would be impossible to know whether or not it was a request in many circumstances), but it would be interesting to know what legal basis there is for this stark statement. (I may well have missed a relevant decision, so please do let me know if I have).

Sections 4 and 5 make clear (as per the Commission’s recommendations) that public interest extensions and internal reviews should normally be limited to 20 working days. Applicants’ complaints can be ignored if submitted later than 40 working days after the response is sent out. The section on internal reviews is particularly welcome given that the Act, of course, doesn’t require a review, so the Code is really the only way to establish a common approach.

There are some useful chapters on vexatious requests and the cost limit, effectively just articulating the approach taken by the Tribunals over the last few years, but nonetheless welcome.

The really interesting developments are in section 8, on publication schemes (no, really). The Code follows the Commission’s recommendations that public authorities with over 100 FTE employees should publish statistics on FOI compliance – numbers received, numbers answered in 20 days, numbers refused, numbers granted, and numbers of internal reviews. It recommends that these be published quarterly. It also calls for senior pay, expenses and “payments in kind” to be reported on.

The next section deals with the controversial matter of outsourced public services. It makes some sensible recommendations, though I doubt this will silence calls for companies delivering such services to be made subject to FOI.

Finally, the datasets Code, now of limited use since the arrival of the Re-use of Public Sector Information Regulations, is now subsumed within the main s45 Code.

The tone of the language in the Code I think does betray the Cabinet Office’s lack of enthusiasm for FOI. However, the approach taken isn’t entirely a bad thing – a clear no-nonsense guide like this is long overdue. One of the common criticisms of FOI is that it is too vague and unclear – this helps address that.

In any case, if you agree or disagree, now’s your chance to say so. The consultation on this draft is open until 2 February so if you have any views on the draft Code, make sure you submit them before then.

Propping open the gate

FOIMan discovers that the government has an answer to ‘legitimate’ concerns over the GDPR and FOI.

One of the concerns of the Information Commissioner and many observers in relation to the General Data Protection Regulation (GDPR), is that it could potentially lead to less information about individuals being disclosed under FOI. Obviously protecting personal data is important but it shouldn’t stop legitimate public debate around things like MPs’ expenses or council Chief Executives’ pay.

The reason this is an issue is that the s.40 exemption for personal data – or at least the part of it that is most often relevant – revolves around the data protection principles set out currently in schedule 1 of the Data Protection Act 1998 (DPA). The first and most relevant of these says that data must be processed fairly and lawfully. In determining whether a disclosure of information is lawful, authorities have to consider whether it is justified by reference to a condition in schedule 2 of DPA. The condition that most often applies to FOI disclosures is that there is a legitimate interest in disclosing the information that can only be met by the disclosure. This has to be balanced against the rights of the individual. It is this condition that has led to lots of personal information about pay, expenses and so much besides entering the public domain.

The problem is that whilst GDPR more or less replicates the first principle, and the conditions as well, it explicitly says that public authorities can’t use the legitimate interests condition. In other words, potentially there could be no legal mechanism to justify disclosures of personal information in the public interest.

Schedule 18 of the Data Protection Bill 2017, the first draft of which was published yesterday, addresses this by the simple expedient of saying that as far as FOI is concerned, the GDPR bar on public authorities using legitimate interests to justify use of data can be ignored. If this survives the passage of the Bill, the gateway for lawful disclosures of personal data under FOI will remain open. Which is good news for public sector accountability.

Local Authority Meetings & Secrecy

FOIMan clarifies the relationship between FOI and local authority meeting rules.

Following the awful tragedy that unfolded at Grenfell Tower, there have been a lot of questions asked of the local council, the Royal Borough of Kensington and Chelsea (RBKC). Yesterday (29 June 2017) the council held a Cabinet meeting which began and ended in controversial circumstances. I was subsequently asked by a follower on Twitter about the relationship between FOI and attendance at council meetings.

The short answer is that there is none. FOI gives a right of access to information held by public authorities. It doesn’t regulate access to meetings.

The longer and more helpful answer is that FOI forms part of a range of legal requirements that ensure that local authorities like RBKC are accountable. I’ve written previously about transparency rules in local government. In relation to meetings of the RBKC cabinet, the Local Authorities (Executive Arrangements) (Meetings and Access to Information) (England) Regulations 2012 are, I believe, the relevant rules. I won’t go into whether RBKC were entitled to exclude the media from the meeting in this case as a) I don’t claim to be an expert in this area, and b) it’s already been dealt with by a legal ruling which ruled that the Press had to be admitted. But if you’re interested in what the rules are, the regulations I mention above may be of interest to you.

From my point of view, one of the most interesting issues is that RBKC are the latest organisation to discover that the perception of secrecy can be just as damaging, if not more so, as the revelation of embarrassing information (interestingly a theme explored by Dr Ben Worthy in his recent book on The Politics of FOI, which I thoroughly recommend). As one MP in their maiden speech said:

The public has the right…to know what its elected representatives are doing…Publicity is the greatest and most effective check against any arbitrary action.

The MP was Margaret Thatcher, and she said this in 1960 in support of a Bill to allow the Press to attend council meetings.

(HT to Alan Travis of The Guardian – @alantravis40 – for providing the quote above from Hansard in a Tweet yesterday)