FOIMan reviews refusal notices issued via the WhatDoTheyKnow.com website.
FOI is all about transparency. Most of the time that is demonstrated by disclosing requested information. On occasion though, public authorities have to refuse requests, and where this is the case, transparency should extend to the reasons why the requested information cannot be disclosed.
The Act itself (and the Environmental Information Regulations as well) sets out the requirement to issue a notice explaining the refusal and what must be included in it. Not surprisingly, the Information Commissioner has provided guidance over the years on how this obligation ought to be met as well.
Public authorities should therefore have a pretty clear idea of what to tell applicants when they refuse requests. Well, perhaps…
In my latest article for PDP’s FOI Journal, I examine 250 responses to requests made via the WhatDoTheyKnow.com website. Unfortunately I find that many responses leave a lot to be desired. You can read the article here.
FOIMan completes his exploration of the EIRs with an article on the reasons why requests for environmental information can be refused.
Just as with FOIA, requests for environmental information held by public authorities can be refused in specified circumstances. For the last few issues of PDP’s Freedom of Information Journal, I have been writing about the EIRs, and in the last of the series (available here) I look at the exceptions that can be used to justify withholding environmental information.
I’ve brought all three articles together to form a Guide to the Environmental Information Regulations so that you can easily access them at any time. This can be found in the drop down list under the ‘Free Resources’ section of the FOIMan site. All my PDP articles can also be found there on the ‘Articles’ page.
FOIMan examines the similarities and differences between FOIA and the Environmental Information Regulations.
A few months ago I started a series in PDP’s Freedom of Information Journal on the Environmental Information Regulations (EIRs), starting with an examination of the definition of environmental information. Here I bring you the second instalment in the series which looks at how FOIA and the EIRs differ.
I’ve just written the third and final part in the series which covers the exceptions in the EIRs. You’ll be able to read that in the next issue of the journal or right here on the FOIMan site later in the summer. Once they’re all available, I’ll put them all in one place in the Resources section so they will act as a comprehensive guide to the EIRs.
FOIMan examines a new right to access information about yourself that will become law next year, and considers what organisations will be obliged to do to comply with it.
We’re constantly submitting information about ourselves to companies and other organisations. Everytime we sign up for a new energy deal, we have to input our details. The same if we want to move bank, or credit card. Even if we want to be able to listen to music or watch films from a streaming service. And everytime we have to re-input those details, even though they’re more or less the same. Imagine if you could just get Apple to transfer the details you gave them to Spotify. Or ask your credit card provider to give your transaction history to their rival so you can find out if you can get a better deal.
Well…from next year you will be able to. The General Data Protection Regulation (GDPR) introduces a new “right to portability” (not potability, as it’s often misspelled – it’s not a right to your own personal drinking water). What does it involve?
What does it do?
It gives data subjects (individuals) a right to be provided with information they have provided to data controllers (businesses and other organisations) in a machine-readable and re-usable format. If the data subject prefers, data controllers will have to transfer their data directly to another data controller.
What does it cover?
Data provided by the data subject that is being processed by automated means (i.e. this won’t apply to data held in paper files) where the data controller relies on consent or a contract with the data subject to justify collection and use of the data (from the list of conditions at Article 6).
According to the Article 29 Working Party (A29WP), data which the data subject has “provided” will include both the information supplied directly by the data subject, but also raw data collected from observation such as smart meter data, activity logs, web usage or search history. It won’t cover any data that results from analysis of the observed data.
Some facts about portability
- you’re expected to remind people of this right whenever you collect data directly from them, and also tell them if you start collecting data by “observation” within a month
- requests for data to be “ported” will have to be processed “without undue delay”, and normally no later than a month after receipt of the request
- fees can only be charged where a request is “manifestly unfounded or excessive”; the A29WP comment that this is going to be rare with portability requests as the data should be relatively easy to extract, prepare and disclose given that the right only applies to automated data
- data must be disclosed “in a structured, commonly used and machine-readable format”; the A29WP interprets this as a format supporting re-use and suggests commonly used open formats should be used for release such as CSV, XML or JSON
- where there are reasonable doubts about the identity of a requester, proof of ID can be requested; this is perhaps less likely to be an issue with portability requests than with, say, subject access requests, as in most cases there will be existing methods to authenticate a person’s identity (e.g. username and password)
- when a data controller complies with a request to transfer data, they are responsible for its security during transfer – for example, by using end-to-end encryption. Once it gets to its destination however, the recipient is responsible for it – whether that be the data subject or another data controller to which the data has been transferred
- generally data being ported is still subject to the data protection principles and other GDPR rules; e.g. data subjects should be able to restrict what data is transferred and data controllers in receipt of data should not process more of it than they need
- contracts with other companies that process data on the data controller’s behalf (i.e. data processors) should specify requirements to facilitate portability requests
- Article 20 specifies that the right to portability shall not adversely affect the rights of others; third parties have rights too.
- This doesn’t mean that, for example, where someone crops up in the data subject’s bank account as a payee, a bank would have to redact their details before transferring the data.
- However, in certain cases (A29WP cite social networks as an example) it will be appropriate to seek third parties’ consent at any point where they transact with the data controller (e.g. Facebook’s privacy permissions might indicate that a “friend” could seek to export their account data including data about their friends; the privacy permissions portal might allow individuals to indicate that they don’t want their data to be included in such exports).
- Where data is transferred to another data controller, that organisation won’t be able to extract the details of third parties from the data and, for example, send them marketing using those details.
- it’s worth noting that many companies already provide facilities to “port” data; a government initiative in the UK called “MiData” has been working towards developing an industry standard here for some years. If you’ve ever downloaded your bank statement as a spreadsheet, you’ve effectively made a data portability request. GDPR, though, now makes this a right, and potentially there will be many businesses in particular who haven’t worried about this that will now have to prepare for the possibility of receiving such a request.
The above are just my notes and thoughts on how portability will work. For further (and more authoritative) information, consult the following:
Note: I’ll be delivering a webinar on the portability right for Act Now Training on 23 June 2017. Visit their website for further details.
FOIMan begins an exploration of the Environmental Information Regulations.
The rabbit hole in question is also known as section 39 of the UK FOI Act (and also of the Scotland Act, for that matter), which leads, of course, to the Environmental Information Regulations 2004 (EIRs). It always seems to me that the EIRs are somewhat neglected so I’ve chosen to devote a series of articles for PDP’s Freedom of Information Journal to an exploration of them.
In the first in the series – available here – I look at why there are separate regulations covering environmental information at all, and what exactly is environmental information. The next piece will look at the main differences between FOI and the EIRs, whilst the last piece will examine the exceptions. You can read the whole series by subscribing to the Freedom of Information Journal (external link) or just by keeping an eye out for the later articles here on the FOIMan website (and you can ensure you don’t miss them by subscribing to FOIMan posts via the box in the column on the right).
If you want training on the EIRs, I can provide this in-house – just get in touch for a quote. Or you can attend one of the courses I’m running for Act Now Training (external link) later this year.