Tag Archive for ‘applicant blind’

Don’t Google your requesters

FOIMan explains that searching for FOI requesters is not a great idea – and is ethically (and legally) dubious.

This blog originally aimed to give the practitioner’s view of FOI. Far too often, the important role of FOI officers and public officials in making FOI work has been ignored. So an increasing interest in how FOI really works behind the scenes is to be celebrated.

We’ve seen it in two recent reports on FOI in local authorities. The first from MySociety looked at FOI in local government across the UK. The second, from the Campaign for FOI, focussed on how London boroughs managed their FOI obligations. Interestingly, the findings of the two reports on practices in local councils are broadly in line with my own research which you can read about in the free chapter from The Freedom of Information Officer’s Handbook that I wrote about in my last post.

The Campaign for FOI’s research commented on the London Borough of Lambeth’s practices, and I was reminded of this when my attention was drawn last week to a post by a local blogger who had obtained Lambeth’s internal staff guidance for handling FOI requests. The News from Crystal Palace blog published the guidance pretty much in full, highlighting a number of practices which they felt were of concern.

Having read through it, much of the guidance is pretty standard stuff, and in fact I would go as far as to suggest that there is some very good practice in Lambeth. For example, strict timelines and service standards are a good way to ensure that requests are answered within statutory deadlines.

One particular section is of concern, however. Staff allocated a request are told:

‘You may want to consider all or some of the following when you are assessing a request:

  • Google the requester to understand who is making the request, why and assess the likely impact to the council (e.g. political, media, legal, commercial, personal data).
  • Review previous requests from the requester in iCasework.’

No. I can, at a pinch, understand the human instinct of curiosity that might lead an uninformed member of staff to use a search engine to find out about a requester. But FOI officers should be discouraging this practice, and certainly not making it official policy.

I know all the excuses. Often it is linked to a policy whereby an authority’s Press Office is informed when a journalist makes a request. In principle I don’t have a problem with that, as long as public authorities are open about the fact that they do it. The problem is that some journalists, perhaps suspicious that they will be treated differently, don’t identify themselves as such. The Act doesn’t require them to do so. The argument goes that therefore every requester has to be googled in order to identify the very small percentage of requesters that are unidentified journalists.

I’m going to suggest that this is flawed logic. Firstly, since most public authorities, and certainly councils, are suffering the effects of cuts to their budgets, why are they encouraging staff to waste precious staff time on the off-chance that someone might be a journalist? Even if they are, it shouldn’t make any difference to the outcome of the request, so surely this is a complete waste of time?

Secondly, how does the council know that someone who isn’t a journalist in the formal sense won’t blog or Tweet about disclosed information? Or pass it to a journalist for that matter? Given this, the fact that one or two journalists might not be picked up doesn’t seem that important.

Thirdly, whilst I recognise that Press Officers have a job to do, I don’t see why they necessarily need to know who is making a request. The sensitivity of a request surely ought to be judged on the subject matter, irrespective of who has made it. Lambeth apparently circulate a list of requests to their Press Office and the Leader’s Office. If this just describes the subject matter of the request this should normally be enough for them to identify where they might need to be prepared for controversy (which really should be the limit of their involvement following an FOI request).

There will be a director of public relations somewhere barking “well, why shouldn’t we?”, so here are a few points in answer to that question.

  • what’s your lawful basis? An individual’s FOI request, their identity, biographical information about them is personal data. You need a lawful basis to justify the handling of personal data – including searching for information about someone online. I presume you’ve completed a legitimate interest assessment and successfully justified how your need to know whether or not someone is a journalist outweighs the rights and freedoms of requesters? Even if you decide that you do have such a basis, are you otherwise complying with the requirements of the GDPR? Are you telling requesters that if they make a request it will result in the council looking them up online?
  • they can find out that you’re doing it. If the requester has a website, the most commonly used analytics tools will provide enough information to them so that they will spot unusual spikes in interest from your general location just after they made a request to you. There’s an example of this happening described in my book if you don’t believe me.
  • it’s creepy. Most comment on Twitter in response to revelations about Lambeth’s practice was to the effect that Lambeth were ‘spying’ on their residents. If a public authority is so concerned about its reputation that it employs Press Officers, shouldn’t it be just a little uncomfortable about gaining a public image associated with the fiction of George Orwell?

FOI is a right. Full stop. If people choose to exercise it, that is their business. If a public authority has good reason to believe that someone is misusing this right – perhaps harassing a member of staff, for instance – there are mechanisms for dealing with that. It is not usually necessary for a public authority to snoop on people to identify this kind of misuse.

Don’t google requesters. There’s usually no good reason, and it has the potential to do a lot of harm.


Who will know if you make an FOI request?

Last week I posted about the NHS Information Governance Toolkit and its FOI requirements. David Higgerson highlighted in his blog on journalism the rules that NHS FOI Officers are expected to follow in relation to ’round robin’ requests. David was particularly concerned that this undermined the principle that requests should be processed in an ‘applicant blind’ manner. It started me thinking about what we circulate internally about requests and, more especially, requesters.

This whole issue of how requesters’ details should be handled is a fraught one for FOI Officers. Many of them are also responsible for Data Protection compliance in their organisations and are only too aware of the importance of protecting personal data. They are also keen to maintain the ‘applicant blind’ principle themselves.

In my experience, this can put them on a collision course with politicians and senior officials in their organisations. I’ve heard of FOI Officers and other staff being bawled at by very powerful people because they refused to provide this information. I’ve also heard of individuals who have decided to leave public bodies after being put under pressure in this way.

My own approach to this tricky issue is to routinely remove names and contact details from requests before circulating them. If someone wants to know who has made a request, I will initially tell them what kind of requester has made the request (eg private individual, journalist, business, etc.). If they insist on having a name, I will consider whether they have a legitimate need.

So what would I consider to be a legitimate need?

I would generally feel that the Press Office have a legitimate need to know the name of a journalist if they ask. The reason for this is that they may well be dealing with the same journalist themselves; it’s their job to oversee relations with the Press.

I routinely provide the Press Office with details of requests received from journalists (though not names unless they specifically ask), and where requested, I will also let them see a draft response. I can understand that might raise eyebrows. But I honestly don’t believe that automatically prevents the request being dealt with in an ‘applicant blind’ manner. The request will still be coordinated by the FOI Officer (or departmental staff in some organisations), the same information will still be sent out. It is just that the Press Office have a ‘heads up’ for any impending news story about the organisation. Even the Information Commissioner recognises that Press Officers will want to (and indeed should) work closely with FOI Officers.

Where I would draw the line would be if the Press Office insisted that the response should be different because of who the request is from. The reality is generally that the Press Office are more likely to change their line if it is out of synch with the FOI response (and by comparing notes, we may actually identify any errors in the response). Any sensible Press Officer is going to realise that they can’t interfere with a legal requirement. They might suggest different ways of saying things, but there is rarely any question (in my experience) of them changing the information that is going out.

It is arguable that it is ‘fair’ (to use the Data Protection Act terminology) to share the names of requesters making requests in a business capacity. Examples would be where it is clear that the request is being made by someone on behalf of the body corporate (eg they use a corporate email address; their signature includes their employer’s details; their letter has a corporate letterhead). I still wouldn’t routinely circulate a name, but I’d feel slightly better about it if asked.

There may be circumstances where individuals within the organisation need to know who has made a request to apply the Act itself effectively. For instance, if the case is being made to aggregate the costs of compliance with a series of requests, or to class a request as vexatious, the history of that individual’s contact with the organisation is likely to be a relevant consideration.

The crisis point for me would come if I felt that it wasn’t ‘fair’ to share the details and that there wasn’t a legitimate need. If the Chief Executive insists on knowing who made a request without providing adequate justification, how do I deal with that? Ultimately, under enough pressure, I know that I am likely to provide the information, as to be frank, I may well not have a choice. But first I would at least try to persuade them that they either don’t need a name, or at least to provide me with some sort of explanation as to why this is justified.

For this reason, I would always advise requesters to assume that their details will be known to anyone in the organisation they make their request to. Most of the time, for most people, that will probably not be a problem. However, I was recently asked for advice by someone who wanted to ask for information held by their employer, and I could only advise them that their best approach would be to use a pseudonym. I don’t generally condone that, but if anonymity is important, then that’s really your best option (and if your pseudonym is credible, the FOI Officer is not going to know – so you can avoid your request being refused under section 8).