Archive for Uncategorized

After the flood

FOIMan recalls the impact a flood can have on an organisation’s information – especially if it chooses to store it in a basement.

It’s a terrible sight seeing people wading through their own homes. Those who live along the Thames, in Somerset, and elsewhere are having a terrible time and most of us can’t imagine what that must be like.

Flooded towns are nothing new, so organisations should take appropriate precautions

Flooded towns are nothing new, so organisations should take appropriate precautions

Floods can cause significant problems for information managers and their employers. Back in 2000, the south of England was suffering from a similar surfeit of wet weather. At the time, I was records manager for a council on the south coast. Many if not most organisations use basements as storage for their physical records (and often servers containing their digital records too).

And why not? These spaces are convenient and often very large. They’re otherwise wasted space – too dark and gloomy to accommodate human beings (unless they’re records managers or trogladytes).

Well, I’ll tell you why not. They’re also often damp. Many boxes were starting to show signs of mould. The plaster was peeling away from the wall. After 18 months of buttering up the Facilities Manager I finally got our office replastered and painted. We even got a plush(ish – it was local government after all) new carpet to replace the bare threads and occasional tufts of fabric which I had been assured were once a carpet about 15 years before. Which brings me to the other reason why it’s often a bad idea to store records in the basement.

Because when, like this year, there is so much rain that streets start to look like tributaries of a major river system, the sewers overflow. And the sewers in the area that I worked ran just beneath…you guessed it, the basement of the council offices. So in early 2000, you could find me wading ankle deep around a vast storeroom trying to move boxes of records above an ever-rising flood. It was like a not very exciting Indiana Jones film.

Eventually the waters subsided, and the dehumidifiers begged from the Museums Service chugged away at their heroic (and probably futile) task. A few building plans and housing files that had sunk beneath the waves were collected by a company, Harwell Document Restoration Services, that specialises in rescuing waterlogged papers. A few weeks later they would return, looking better than they had before (which wasn’t saying much). The tiles in the storeroom had lifted under the pressure of water gushing from beneath, and needed replacing. Records were sent off-site temporarily to a commercial storage company in rotation so that the floor could be repaired and retiled. And we got a (slightly less plush) carpet fitted in the office. And things returned to normal. Well, not quite. I’m sure it wasn’t entirely unconnected, but later that year I decided to climb out of the basement and found a job in London as Parliamentary Records Manager. Being based in the Victoria Tower, I figured there was much less chance that I would face another flooded records store.

Shortly after that, in early 2001, I received an email from my successor. The basement had flooded again.

If you are a facilities person, or a chief executive, and you think that you can save money by putting your records (and information managers, come to that) in the basement, you might want to think again. Aside from the fact that waterlogged records tend to make a mess of your lovely leather-embossed desk when you need to access them, there is a very good chance that your organisation will fail to meet its legal obligations. Aside from the many statutory requirements to retain information – auditors are probably going to be less than impressed if they have to don waders to check your receipts – failure to properly protect records will most likely be a breach of information law these days.

Section 46 of the Freedom of Information Act requires the Lord Chancellor to issue a Code of Practice on the management of records. The Code is written by the experts of The National Archives, and one of the requirements of the Code is that:

“Authorities should know what records they hold and where they are, and should ensure that they remain usable for as long as they are required.”

That Code is not statutory (though the Information Commissioner can take it into account in working out whether to take action against a particular authority), so perhaps more important to note is that retaining records – especially those relating to living individuals – in a basement that is prone to flooding is likely to constitute a breach of principle 7 of the Data Protection Act.

It is common knowledge that losing personal data on an unencrypted memory stick or a social worker leaving a file relating to a vulnerable child on a train can land an organisation with a fine of up to half a million pounds. But principle 7 also requires data controllers to take “appropriate technical and organisational measures” against “accidental loss or destruction of, or damage to, personal data”.

Businesses and public authorities in flood-hit parts of the country will have other – and perhaps more urgent – things on their minds at present. But all organisations should think very carefully about whether bargain basement storage really is the opportunity it appears.

Image by Keith Moseley (Drybridge Street Flooded, Monmouth) [CC-BY-SA-2.0 (], via Wikimedia Commons. 

Seriously, I just want to hear both sides

FOI Man wants a balanced and calm debate on sharing of personal data. Is that really too much to ask?

At the end of last week I posed two questions. Firstly, are we assuming the worst of any proposal to share data? And secondly, if this is the case, is it damaging to society?

I was aiming to start a debate, and to an extent I was successful. It generated a lot of heat, but for me at least, not much light.

Let me just reiterate what I was not saying. I wasn’t saying that it should be easier for organisations to share data. I wasn’t saying that the Data Protection Act or confidentiality law should be weakened. I wasn’t saying – necessarily – that I agree with any of the examples I gave, including the care:data programme (the plan that will allow a central NHS body to extract data about patients from GPs’ patient records, and then share that data with other approved bodies). My mind is open on this, which is why I wanted the debate – I wanted to be persuaded one way or the other.

The problem I have is that whilst there are lots of blog posts and newspaper articles telling us to opt out of care:data and describing the risks in emotive terms, I’ve seen very little explaining why, therefore, it is being done. Presumably if NHS England are pressing ahead with this, somebody is giving them alternative advice. Somebody thinks this sharing is legitimate. But I can’t find anything about this. I get told to opt out or my data will be sold to companies (though NHS England deny this, so what am I to believe?), and if I want to know more, I’m given a link to Mail Online (which obviously has a reputation for balanced reporting of these matters). Interestingly, none of these articles or posts appear to link to the relevant website provided by the Health & Social Care Information Centre. They all point to other articles which subscribe to the same view.

This is exactly what I was referring to in my last post – the debate about sharing of personal data is marked by hyperbole and polarised opinions. That’s not how I want to make my mind up about important issues.

A lot of the fault – probably most of the fault – for this lies with NHS England, who could, as has been pointed out, have communicated the aims and implications of this project far better. But a lot is down to the tone of the debate. Just raising the possibility that there is another side to the argument attracted pretty strong criticism.

I have friends outside the information rights profession (if there is such a thing) who don’t understand why there is such opposition to this proposal. Scientists in particular who can see the potential for life saving discoveries through analysis of data. To them this looks like scaremongering. These are not stupid people. They can be persuaded by reason and evidence. They’re not going to be persuaded by just telling them there are risks. They, like me, want to know all the arguments for and against, see the evidence, and then reach a reasoned decision.

At the start of next month I hope to attend a meeting of the National Association of Data Protection (and FOI) Officers. One of the speakers is a representative of MedConfidential who have been vocal in opposing care:data. I’ll be interested to hear what they have to say, but I’d really like to hear someone from NHS England or the Health & Social Care Information Centre give the other side before deciding whether to opt out and encourage others to do the same.



Is a disproportionate fear of “Big Brother” preventing us from seeing the big picture?

FOI Man asks if we’re in danger of throwing the baby out with the bathwater through an increasingly negative portrayal of the use of personal data.

It’s easy to see why many of us have concerns over the possibility of the security services accessing our email or listening in to our phone calls. What I’m increasingly worried about is what appears to be a widely held and instinctive view that any sharing of personal data – and even data that has been anonymised – is necessarily a “bad thing”.

The Liberal Democrats in particular were highly critical of the last government’s use of technology. One development which David Laws, now a Minister, criticised as “intrusive” was a national database called ContactPoint. It had been developed as a result of a recommendation by Lord Laming in his report on the death of Victoria Climbie. It allowed doctors, social workers and police to access details of any child, thereby helping to prevent situations where abuse of children went undiscovered because of poor communication between these services. When the current Government came to power, the system was scrapped.

The last government also tried to introduce central medical records for all NHS patients, which would mean that when you turned up at a hospital far from home, as I have done myself, doctors would have access to your medical records and history. Believe me, when you are in pain and desperate to be treated, the last thing that you want to do is to answer questions about your medical history. And that’s if you are in a position to answer those questions. This project was scuppered by its complexity and expense fundamentally, but there was a big campaign by critics to encourage patients not to allow their doctor to upload their details.

One aspect of recent NHS reforms is that GPs will be asked to share data about their patients’ care with a central body called the Health and Social Care Information Centre. Patients can choose to opt out if they wish by writing to their GP. The data will be shared with approved partners, for example the Department of Health. It will be used, for example, by medical researchers trying to find out what treatments are effective. The data is invaluable to such researchers – it could well save more lives than donating organs or the odd litre of blood. It will normally be shared in anonymised form unless the research concerned requires more information to be effective.

There has been the predictable outcry against this. And that’s really my point. It has become fashionable to criticise any sharing of personal data, even if anonymised, no matter what the purpose. It’s all about big brother.

I can understand some of the concerns. There are risks in building up big central datasets. There are lots of stories of individuals abusing access to personal data. Police workers who misuse the Police National Computer to check up on a neighbour, or GPs’ receptionists who read their ex-husband’s new wife’s medical records. But firstly, where this is discovered staff can be – and should be – disciplined and/or prosecuted. Protection of this data is what the Data Protection Act is all about, and breaches should be taken seriously. And secondly – we’re surely not saying that the Police National Computer should be shut down as a result of breaches. The greater good of being able to solve crimes through linking a large pool of data is generally accepted as justification. Indeed police were criticised following the Soham murders for not keeping data on there. Instead what we really want is a proportionate use of this data, and for effective safeguards to be put in place.

One popular claim is that there is no such thing as “anonymised data”. Academic studies are widely cited showing that it is possible to identify individuals within large datasets. However, what isn’t so widely reported is that there are other academics who argue that there are deficiencies in those studies and that they are, in any case, being misreported.

As a Data Protection Officer (as well as an FOI Officer), I would certainly want any organisation to assess the impact on individuals’ privacy of any proposed plan involving their personal data. I would expect them to consider which condition of the Data Protection Act justified this processing of the data. But it does worry me that we seem to be moving to a position where we assume that any processing of our data must be wrong by its very nature. Where organisations are discouraged from innovating or using data to potentially save lives because there is a risk, however small, that an individual might be identified (and an even smaller risk that that would actually have any real impact on the individual concerned).  What’s more, because this has become a political issue, there are few in government now prepared to champion the use of personal data for the benefit of all.

In my view, the current trend is damaging. If we continue to portray all use of personal data as wrong, it will become more and more difficult to offer public as well as private sector services. It will certainly become more difficult to improve them. Contributing personal data to society is at least as important as paying our way financially. Data Protection shouldn’t be about saying “no” all the time.



Do information practitioners need to get out of the way?

FOI Man reviews a seminar hosted by the University of Winchester’s Centre for Information Rights and questions whether those of us who are information practitioners are helping or hindering attempts to protect the vulnerable.

Back at the end of April I attended a seminar hosted by the University of Winchester’s excellent new Centre for Information Rights. The title for the seminar was “Data Sharing and the Vulnerable”, and given recent scandals around Jimmy Savile and Winterbourne View, it was timely.

The first speaker was Sue Gold, who is a solicitor with Osborne Clarke, but had previously worked for the Disney Corporation. Sue highlighted the difficulties not so much of sharing data, but of collecting data – specifically from children. If you asked most organisations whether they collect data from children, their automatic response would be no. But Sue pointed out that most websites will, even if their owners don’t intend them to, at some point collect data (eg registration data) from those who are much younger than their target audience. Most companies have some form of “age gating” to try to prevent children accessing products or services, but as Sue demonstrated, very few – if any – of these are effective. Frankly if you can think of a way to prevent children from accessing your site, they will have already thought of a way to bypass it. And if you have a system that requires parental consent…well, you probably remember what happened when you had to get someone to sign your homework diary.

This was followed by Helen James, Winchester’s Head of Law, who talked about the limitations of the UK’s whistleblowing legislation in a culture where 80% of nurses in a survey thought they would be victimised if they blew the whistle on their employer. Helen pointed out that there are hints that the mood is changing following Winterbourne View and the Mid-Staffordshire NHS Foundation Trust inquiry.

Finally, Jerry Brady of Dorset County Council’s Children’s Services looked at information sharing in services for vulnerable children. Jerry pointed out that following the Laming Report into the circumstances surrounding the death of Victoria Climbie, there had been a new emphasis on the importance of sharing data to protect vulnerable children. The aim was to integrate services, but limited progress has been made, not least because of political arguments over information sharing. There has been a shift away from integration towards alignment of services.

One of the important points that Jerry made was that the key to ensuring that data is shared where it needs to be is the development of trust between frontline team members. Noticing that he hadn’t mentioned the role of data protection officers or information governance staff, I asked him what his experience of working with information professionals was. His response was a little disheartening for me as one of those information professionals. His experience has been that if you ask an information professional for advice, you get an information professional’s answer – a cautious one. This isn’t helpful for frontline staff who need to feel confident that they are doing the right thing.

But Jerry was far from dismissive of data protection. One of his 7 golden rules for information sharing is:

“Remember that the Data Protection Act is not a barrier to sharing information but provides a framework to ensure that personal information about living persons is shared appropriately.”

Information sharing is very contentious. This week we’ve been hearing about data sharing in a very different context – between technology companies and the US security services. Not so long ago we were debating whether GPs’ surgeries should be sharing data with the Health and Social Care Information Centre. All of this adds to the difficulty for us as supposed “experts” when asked to advise whether data sharing is appropriate, even in circumstances where there seem clear benefits for data subjects. I know from my own experience how difficult it can be to balance my own concerns with data protection compliance (which is after all the expertise I’m paid for) with the desire to help an employer achieve its – usually well-intentioned – aims. But it seems to me that if practitioners like me are seen by Jerry and his peers as being barriers to protecting the vulnerable, then we need to find a better way of working.

Information Commissioner signals new approach to vexatious requests

FOI Man reviews new guidance from the Information Commissioner around the controversial issue of vexatious requests.

Ever since the important decisions made by Judge Wikeley in the Upper Tribunal earlier this year, it has been inevitable that the Information Commissioner would have to change his approach to the use of the vexatious provision within FOI. Combined with suggestions in the post-legislative scrutiny last year that it should be easier for public authorities to refuse vexatious or frivolous requests, the Commissioner’s relative reticence in his guidance and decisions appeared out of step with political and legal developments.

So today, the Information Commissioner’s Office (ICO) has published new guidance on Dealing with Vexatious Requests (section 14(1)), as well as on the related subjects of Manifestly Unreasonable Requests (regulation 12(4)(b) of the Environmental Information Regulations) and Repeat Requests (section 14(2)). And the approach of the Commissioner appears to have changed fairly radically. The guidance starts strongly by stating that:

 “…public authorities ought not to regard Section 14(1) as something which is only to be applied in the most extreme circumstances, or as a last resort. Rather, we would encourage authorities to consider its use in any case where they believe the request is disproportionate or unjustified.”

The emphasis now is on requests which “cause a disproportionate or unjustified level of disruption, irritation or distress”. Out have gone the Commissioner’s notorious 5 questions. In their place come 13 – count ‘em – 13 “indicators” based on the ICO’s experience of dealing with section 14. These aren’t “qualifying criteria” and authorities are discouraged from spending too much time trying to fit the facts to them. It is stressed that they are there purely as a handy guide.

The guidance suggests a process for establishing if a request causes a disproportionate or unjustified level of work. Authorities should:

  1. consider the purpose of the request if apparent and any wider public interest
  2. balance this against the impact on the authority
  3. take the context and relevant history into account

The ICO have taken some key areas of contention and talked about how they might be affected by this new change in emphasis.

Burdensome requests should if possible be refused under section 12 (the acceptable cost limit). However, following on from last year’s Salford City Council v Information Commissioner Tribunal decision, the ICO now accept that section 14 could be used to ‘plug the gaps’ in the fees regulations, for example, where redaction would take a long time (redaction can’t be included in cost estimates for the purpose of section 12). It is clear though that the ICO will take some convincing in particular cases before accepting this use.

Round Robins, requests sent to several authorities at once, are mentioned. Public authorities can point to the fact that a request has been sent to other organisations, but the judgment as to whether a request is vexatious must only be made on the basis of the burden on themselves.

Controversially, perhaps, “fishing expeditions” are singled out, and journalists identified as the main perpetrators. This common tactic – where a requester makes a very broad request in the hope of catching a juicy titbit in their net – is widely criticised by public bodies, and one senses that the Commissioner has finally found a way to offer a modicum of reassurance to authorities on this issue. Whilst the Commissioner stops short of saying that all such requests will be vexatious (and indeed adds the usual caveats), it is interesting that the practice is highlighted as an area that might legitimately attract the use of section 14.

The guidance isn’t all one way. Authorities are warned that they need to “absorb” a certain amount of disruption and annoyance. And the guidance often seems to go out of its way to persuade public bodies to try just about anything else to avoid section 14. A whole section is dedicated to “Alternative approaches”. Nonetheless, the guidance does seem to indicate a significant change of emphasis from the ICO, and one that will be welcomed by many public authorities.

If you’re still hungry for more after all 37 pages on section 14(1) of FOI, there is still the guidance on manifestly unreasonable and repeated requests to digest. Handily for both the ICO and busy FOI Officers, Judge Wikeley found that the exception for manifestly unreasonable requests in the EIR should be interpreted in the same way as section 14(1) of FOI. So the first part of the ICO guidance says just that – if you think a request for environmental information is effectively vexatious, you should follow the guidance on vexatious requests under FOI.

It does however spend more time considering how the exception should be applied to requests that would be expensive to answer. In a nutshell, there will be circumstances where it is appropriate to refuse burdensome environmental requests under this provision (as Judge Wikeley noted in Craven), and section 12 (and the related fees regulations) of FOI may provide some pointers, but authorities should expect to provide more environmental information than they would other information.

The guidance on repeated requests (FOI section 14(2)) uses new improved examples to make the same points that have been made before. There is nothing fundamentally new here to take on board.

Interestingly, tied in with all this new guidance for public authorities is a guide for requesters on How should I word my request to get the best result? How can I describe it? It’s…it’s…well, it’s a sort of Code of Practice for requesters on the best ways to avoid being labelled as vexatious. That reminds me of something…. (see Recommendation 7)

Anyway, the guide contains some handy dos and don’ts and advises requesters that their request will be more effective if it is CLEAR, SPECIFIC, FOCUSED, UNTHREATENING. Whilst those are the ICO’s capitals, many FOI Officers would probably add SPARSELY CAPITALISED. Seriously though, it will be helpful if more prospective requesters can be pointed towards guidance like this.

So overall this new guidance will be welcomed by FOI Officers, though with some reservation. Whilst it answers a lot of questions, some may well ask how a single sentence in the Act can require so many pages of explanation. There are points where the ICO appear to want to have their cake (to be seen to encourage public authorities to utilise this provision) and to eat it as well (to be seen to discourage its use). One can understand why the regulator has difficulty here, but it limits the comfort that might be offered to authorities by this guidance. And until we see decisions of both Commissioner and Tribunals backing the approaches spelt out here, many will remain nervous of using this provision. But this is a significant step in the right direction.