Archive for Comment

A new FOI Code for Christmas

FOIMan takes a look at the government’s long-awaited draft FOI section 45 Code of Practice.

A long, long time ago, in a galaxy far, far away, before BREXIT, before the last General Election, you may recall that the Government, which was apparently led by some guy called Cameron, set up a Commission to make recommendations on FOI. If you’ve forgotten that, you almost certainly won’t remember that the government responded to the outcome of the Commission with a promise to update the s45 Code of Practice. The Code is required under (you’ve probably guessed) s.45 of the Act. The existing Code was written in 2004 (some bloke called Blair was in charge then, but nobody remembers him), and is, frankly, about as much use as a chocolate teapot (and rather less satisfying to consume).

Since March 2016, when the government made this promise, there have been wars and rumours of wars. In December 2016, the Information Commissioner reported at an FOI event that she’d heard a draft would be released in the new year. Notably, she didn’t indicate which one.

But now here we are. Last week, the Cabinet Office quietly published a new draft Code and consultation paper. So what does this new Code look like?

I’ve only had chance to quickly peruse it, but some observations. Overall, it is a welcome move to a practical guide for public authorities on fulfilling their FOI obligations. It actually addresses many of the crucial questions that arise for practitioners – it is helpful.

That said, there are a few things that leapt out at me.

The first section deals with the making of requests – what’s a valid request, how to carry out searches, that sort of thing. There is an attempt to define what should be treated as an FOI request which seems a missed opportunity. Apparently it is an FOI request unless it is asking for personal data, environmental information or “information given out as part of routine business”. Given that, as we’ll see, the Code calls for authorities to report on numbers of requests received, it would be useful for it to define more precisely which requests ought to be logged, monitored and reported on. I’m not convinced this definition is precise enough for that.

There is a degree of wish fulfilment on display. Information that has been deleted but remains on back-ups is not held, says the Code, in direct contradiction of multiple Tribunal decisions. Requests made in a foreign language will not be valid requests, it claims, which may be a practical reality for the most part (since it would be impossible to know whether or not it was a request in many circumstances), but it would be interesting to know what legal basis there is for this stark statement. (I may well have missed a relevant decision, so please do let me know if I have).

Sections 4 and 5 make clear (as per the Commission’s recommendations) that public interest extensions and internal reviews should normally be limited to 20 working days. Applicants’ complaints can be ignored if submitted later than 40 working days after the response is sent out. The section on internal reviews is particularly welcome given that the Act, of course, doesn’t require a review, so the Code is really the only way to establish a common approach.

There are some useful chapters on vexatious requests and the cost limit, effectively just articulating the approach taken by the Tribunals over the last few years, but nonetheless welcome.

The really interesting developments are in section 8, on publication schemes (no, really). The Code follows the Commission’s recommendations that public authorities with over 100 FTE employees should publish statistics on FOI compliance – numbers received, numbers answered in 20 days, numbers refused, numbers granted, and numbers of internal reviews. It recommends that these be published quarterly. It also calls for senior pay, expenses and “payments in kind” to be reported on.

The next section deals with the controversial matter of outsourced public services. It makes some sensible recommendations, though I doubt this will silence calls for companies delivering such services to be made subject to FOI.

Finally, the datasets Code, now of limited use since the arrival of the Re-use of Public Sector Information Regulations, is now subsumed within the main s45 Code.

The tone of the language in the Code I think does betray the Cabinet Office’s lack of enthusiasm for FOI. However, the approach taken isn’t entirely a bad thing – a clear no-nonsense guide like this is long overdue. One of the common criticisms of FOI is that it is too vague and unclear – this helps address that.

In any case, if you agree or disagree, now’s your chance to say so. The consultation on this draft is open until 2 February so if you have any views on the draft Code, make sure you submit them before then.

Propping open the gate

FOIMan discovers that the government has an answer to ‘legitimate’ concerns over the GDPR and FOI.

One of the concerns of the Information Commissioner and many observers in relation to the General Data Protection Regulation (GDPR), is that it could potentially lead to less information about individuals being disclosed under FOI. Obviously protecting personal data is important but it shouldn’t stop legitimate public debate around things like MPs’ expenses or council Chief Executives’ pay.

The reason this is an issue is that the s.40 exemption for personal data – or at least the part of it that is most often relevant – revolves around the data protection principles set out currently in schedule 1 of the Data Protection Act 1998 (DPA). The first and most relevant of these says that data must be processed fairly and lawfully. In determining whether a disclosure of information is lawful, authorities have to consider whether it is justified by reference to a condition in schedule 2 of DPA. The condition that most often applies to FOI disclosures is that there is a legitimate interest in disclosing the information that can only be met by the disclosure. This has to be balanced against the rights of the individual. It is this condition that has led to lots of personal information about pay, expenses and so much besides entering the public domain.

The problem is that whilst GDPR more or less replicates the first principle, and the conditions as well, it explicitly says that public authorities can’t use the legitimate interests condition. In other words, potentially there could be no legal mechanism to justify disclosures of personal information in the public interest.

Schedule 18 of the Data Protection Bill 2017, the first draft of which was published yesterday, addresses this by the simple expedient of saying that as far as FOI is concerned, the GDPR bar on public authorities using legitimate interests to justify use of data can be ignored. If this survives the passage of the Bill, the gateway for lawful disclosures of personal data under FOI will remain open. Which is good news for public sector accountability.

Local Authority Meetings & Secrecy

FOIMan clarifies the relationship between FOI and local authority meeting rules.

Following the awful tragedy that unfolded at Grenfell Tower, there have been a lot of questions asked of the local council, the Royal Borough of Kensington and Chelsea (RBKC). Yesterday (29 June 2017) the council held a Cabinet meeting which began and ended in controversial circumstances. I was subsequently asked by a follower on Twitter about the relationship between FOI and attendance at council meetings.

The short answer is that there is none. FOI gives a right of access to information held by public authorities. It doesn’t regulate access to meetings.

The longer and more helpful answer is that FOI forms part of a range of legal requirements that ensure that local authorities like RBKC are accountable. I’ve written previously about transparency rules in local government. In relation to meetings of the RBKC cabinet, the Local Authorities (Executive Arrangements) (Meetings and Access to Information) (England) Regulations 2012 are, I believe, the relevant rules. I won’t go into whether RBKC were entitled to exclude the media from the meeting in this case as a) I don’t claim to be an expert in this area, and b) it’s already been dealt with by a legal ruling which ruled that the Press had to be admitted. But if you’re interested in what the rules are, the regulations I mention above may be of interest to you.

From my point of view, one of the most interesting issues is that RBKC are the latest organisation to discover that the perception of secrecy can be just as damaging, if not more so, as the revelation of embarrassing information (interestingly a theme explored by Dr Ben Worthy in his recent book on The Politics of FOI, which I thoroughly recommend). As one MP in their maiden speech said:

The public has the right…to know what its elected representatives are doing…Publicity is the greatest and most effective check against any arbitrary action.

The MP was Margaret Thatcher, and she said this in 1960 in support of a Bill to allow the Press to attend council meetings.

(HT to Alan Travis of The Guardian – @alantravis40 – for providing the quote above from Hansard in a Tweet yesterday)

GDPR’s Duty to Document

FOIMan explains how GDPR puts keeping records well at its very centre.

Back in December, the Information Commissioner, Elizabeth Denham, indicated her wish for a new duty to document law. I’ve written previously about this here and here.

On 28 April, I explored this issue a bit further in a talk to the public sector group of the Information and Records Management Society (IRMS) at a venue in Westminster. I’d been asked to talk about the need to keep records for corporate requirements identified in the FOI s46 Code of Practice.

The s46 Code does spell out the need to keep records to meet legal requirements, to record precedent, to document legal and other rights, and to justify actions taken. It’s worth noting that s.48 of FOIA gives the Information Commissioner the power to issue “practice recommendations” requiring public authorities to bring their practice into line with the Codes of Practice. So the s46 Code establishes a duty to document and the Act gives the Commissioner (admittedly limited) powers to enforce it.

Leaving FOI behind though, I handed delegates postcards of the image above. It illustrates the data protection principles as set out in the General Data Protection Regulation (GDPR). Right at the centre of my image is the accountability principle. It means that organisations will not be able to comply with the other principles without being able to demonstrate their compliance. In other words, they need to keep records to show what they are doing with people’s personal data. What they told those people when it was collected. Whether they gave consent. What their data protection impact assessment concluded. And so on.

Keeping records – and keeping them well – is central to compliance with GDPR. Records management should form a central plank of your GDPR preparations over the next year. Not least because it is very clear that the Information Commissioner is very interested in records management indeed.

Let me know if you need a speaker for your event – I’m always happy to help if I can. If you’re looking for in-house training on GDPR, get in touch for a quote.

References:

s.46 Code of Practice

GDPR

Nothing flopsy about this RoPSI

FOIMan finds the Holy Grail of a first decision under the Re-use of Public Sector Information Regulations.

A rabbit

Careful…it could turn at any minute.

Ever since the first Re-use of Public Sector Information Regulations became law in 2005, I’ve known them as RoPSI. This has always amused me as I envisage them as a cute little bunny rabbit. Flopsy RoPSI. Bless.

But in fact since 2015 they’ve had more teeth – think more of the blood-thirsty fur-ball in Monty Python and the Holy Grail. The 2015 regs require public authorities to allow re-use of information on request in most circumstances. And what’s more, they bring the full range of FOI enforcement options to bear on re-use. Which are of course wielded by the Information Commissioner.

That said, we haven’t seen the Commissioner use these powers in anger – until now. The first decision notice has been issued in relation to RoPSI. It criticises Cambridgeshire County Council for imposing unnecessary restrictions on the applicant for re-use of right of way data.

Cambridgeshire had allowed the re-use of the data under a licence which was limited to one year, and appeared to limit re-use to the applicant alone. These were problems for the applicant as the intention was to use the data on an open mapping website where it might then be further re-purposed by others. They had also reserved the right to charge for re-use but had waived the charge on this occasion.

One of the council’s concerns was that the intellectual property of the Ordnance Survey (OS) would be breached, which was soon dismissed when the OS told the ICO that they had no problem with rights of way data being re-used under the Open Government Licence (OGL). Another was that the data itself would soon be updated. The council was imposing the one year licence so that the applicant would be forced to update their map after a year. The ICO pointed out that the OGL requires those reusing data to publish data with a caveat warning that the data might not be accurate. This should be sufficient to meet the council’s concerns.

The council’s position was also undermined by the fact that other councils allowed re-use under the OGL. Taking all this into account, the Commissioner concluded that the licence terms were unnecessarily restrictive. It appears that when it comes to licensing of public sector data, public authorities will need good reasons not to apply the OGL.

Unfortunately the issue of whether the council could charge for re-use wasn’t examined because the council hadn’t charged in this case. I suspect that if it had been looked at, the Commissioner would not have been sympathetic to a charge. Under RoPSI, in many circumstances, only “marginal costs incurred in respect of the reproduction, provision and dissemination of documents” can be charged for re-use. Take note those tempted, like Cambridgeshire, to adopt the National Archives’ “Charged Licence” when responding to re-use requests.

The Commissioner was also critical of the council’s tardiness in responding to ICO enquiries (and indeed considered whether they had failed to deal with the original request ‘promptly’). The decision notice threatens that in future the Commissioner will be prepared to require information under her statutory powers at s51 of FOIA, and suggests that the council should consider whether sufficient resources are in place. It’s clear the Commissioner has been less than impressed with the way that Cambridgeshire have dealt with her enquiries and this request for re-use.

This first decision notice under RoPSI sends out a signal that, as with FOIA and data protection, the ICO means business under their new Commissioner.

Should Cambridgeshire disagree with the Commissioner, they need only appeal to the First Tier Tribunal. Unless they have access to the Holy Hand Grenade of Antioch, of course.


I’ll be covering re-use and the Re-use of Public Sector Information Regulations on my Practical FOI Skills and Transparency Requirements course for Act Now Training.

References:

Decision notice FS50619465 (Cambridgeshire County Council)

Re-use of Public Sector Regulations 2015

Open Government Licence v.3