Tag Archive for ICO

News Flash: new Information Commissioner announced

The Department for Culture, Media and Sport has announced that their nomination to take over from Christopher Graham is Elizabeth Denham.

Ms. Denham is currently the Information and Privacy Commissioner in British Columbia, Canada. This would be the first time that a UK Commissioner would be appointed from overseas. It won’t be the first time that we will have a female Information Commissioner – Elizabeth France was the Commissioner at the time that both the Data Protection and Freedom of Information Acts received Royal Assent.

The current Commissioner has welcomed the nomination:

“Elizabeth Denham is an inspired choice for Information Commissioner. As commissioner for both privacy and access to information in a similar jurisdiction, Elizabeth has shown independence of judgement and toughness of character. She will be a great leader for the ICO as it adapts to the demands of the new data protection framework – and she’ll be an effective upholder of information rights both in the UK and internationally.”

Ms. Denham will have to go through a pre-scrutiny hearing from the DCMS Select Committee, but if all goes well, the Queen will appoint the new Commissioner by Letters Patent later this year. Once this process is complete, the new Commissioner will take office in June this year. Following changes made by the Protection of Freedoms Act in 2012, Elizabeth Denham can serve a single 7 year term as Information Commissioner.


Industrial use of FOI

FOIMan highlights the difficulty of handling FOI requests at the height of industrial disputes.

Extract from correspondence


Those responsible for managing FOI compliance are in a difficult position at the best of times. I’m sure they wouldn’t quote Stealers Wheel to describe their situation (“clowns to the left of me, jokers to the right”) but nonetheless they are stuck in the middle of two camps, each of which passionately feels it is right. On the one side there is the requester seeking transparency and accountability, for whom often any reticence to disclose is another example of establishment secrecy. On the other, there is the information holder, often more senior than the one responsible for compliance, who sees their job as being to protect the organisation from harm. They know the information and its context much better than the FOI Officer and the poor old FOI Officer therefore has to judge whether their reluctance to disclose is justified by the facts, or whether the information holder is being unnecessarily defensive. Things can be even more complicated if those responsible for answering the request are directly affected by the matter concerned.

Pity then those responsible for answering FOI requests at the Information Commissioner’s Office (ICO). As correspondence disclosed by a member of the PCS union and published over the weekend by FOI Kid (no relation) shows, they are in a very tricky place at present. PCS are taking industrial action over a recent decision to award three senior officials large pay rises, whilst other staff have seen very limited pay increases, in line with the rest of the public sector. Union officials made FOI requests to their employer in order to understand the reasons behind the pay awards. Initially told that information was not held, the ICO appears to have changed its mind at internal review.

Dealing with requests in these circumstances is never easy, and any organisation can be forgiven for making mistakes under pressure. That even the regulator’s handling of such a case appears somewhat clunky demonstrates how difficult it can be when employee relations meet FOI.

Finding information on gov.uk and ico.org.uk

FOIMan reviews the Information Commissioner’s latest website revamp via a grumble about gov.uk.

Classifying information is not easy


The way people prefer to find information is subjective. On my Records Management training courses I illustrate this by giving delegates a pack of headings on strips of paper and asking them in groups to create a logical filing plan. There are two main results of this:

  • each group comes up with an entirely different structure
  • each group has perfectly rational explanations as to why they’ve chosen to structure their plan the way they have.

So anyone designing any information management system has a real challenge on their hands. Adding to this challenge is the fact that most people are wary of change. As a result, any new structure or mechanism to find information is going to meet resistance.

I say all this as a preamble to a comparison of the government website, gov.uk and the ICO’s new website, which you can also read about on their blog. I was initially concerned when the ICO stated that they wanted their site to be more like gov.uk for reasons which I’ll outline, but my impression at this stage is that those fears were misplaced.

The parts of gov.uk that work best for people are those which allow them to conduct specific transactions. So, for example, they can apply for a driving licence online. This works well for these kinds of activities. It takes you through the process step-by-step. If you’re someone who isn’t used to computers, I’m guessing that it is quite reassuring, and I’m sure that is the aim. If government wants to get more people conducting transactions online, that’s what they need to do.

The problem is that gov.uk appears to be solely concerned with the delivery of services in this way. For those of us who want to get at policies, procedures, statistics, reports – we’re stuffed.

Gov.uk has replaced lots of government websites with one interface. And lots of people – myself included – are mostly interested in using government websites to find information about policy. Sometimes that information is readily located through a search – for example I had little trouble recently locating information about Eric Pickles’ reforms of local government transparency. But far too often it is simply impossible to locate information using either the structure of gov.uk or its search engine. As others have suggested, it is sometimes because the information simply hasn’t been transferred – it isn’t there. But very often it is because there is so much information now on gov.uk that the information I do want is just buried.

If I want to find information on “freedom of information policies”, a search brings up a few random policies from government agencies, some answers to FOI requests, and FOI stats. It doesn’t take me to any government-wide policies that would previously have been on the Ministry of Justice’s website. There’s enough anecdotal comment on Twitter and elsewhere to suggest that I’m not alone in my frustrations.

If government had said that they would develop a single site for delivery of services but maintain departmental sites so that people could get at the information ABOUT government, that would have kept us all happy. But no.

The revamped ICO website


Which brings me to the new design for the ICO site. They appear to have gone for a similar transactional style to gov.uk though delivered more effectively (of course, there isn’t as much material so it should be an easier task). If you’re a novice FOI Officer or you are considering making a request, you will probably like it, as it will take you through how to deal with or make a request step-by-step.

One thing that initially worried me was that if you’re reasonably experienced, and you just want to double check something in a piece of ICO guidance – say, how to carry out a public interest test – you would have to wade through the process to get at the guidance you want. Lists of links might well be considered old-fashioned in web design circles, but they are easy to use. And usability should be near the top of requirements in any specification for a public website. So I was relieved to discover that the “Guidance Index” remains on the ICO website – albeit hidden away at the bottom of the page.

This is a relief as in my experience the ICO’s search function suffers in much the same way as the gov.uk one. A search for a particular subject brings up a range of minutes, presentations, decision notices and so on, rarely including the document you want. It has improved somewhat, with more ability to filter searches, but a search on “public interest test guidance”, even restricted to the “For Organisations” section of the site, delivers a long list of results which fails to include the specific guidance the ICO provides on the public interest test. The decision notices database works reasonably well if searching on a single keyword, but appears to struggle with phrases.

A few grumbles aside (I’d still like a separate list of the Data Protection Codes of Practice, for example), I think the ICO changes have improved their site. I’m pleased that by retaining features like the guidance index, they’ve found ways to cater for those of us old hands who were used to finding information in a particular way, whilst providing a helpful step-by-step approach for new users. The gov.uk site could certainly learn a thing or two from this – trying to make digital services accessible to new groups is a noble aim, but the needs of existing users of online resources should be taken into account as well.

IC trouble ahead

FOIMan argues that funding cuts to the Information Commissioner’s Office are a huge threat to FOI.

Christopher Graham addresses the 2013 ICO Data Protection Officers’ Conference

Transparency’s a marvellous thing isn’t it? These days we can find out what goes on in all sorts of meetings across the public sector. One example is the way we get to eavesdrop on what the FOI and DP regulator is saying internally.

A couple of weeks ago the minutes of the Information Commissioner’s April Management Board were published in the ICO’s publication scheme. And one thing in particular caught the eye.
The Commissioner stressed in frank terms the financial difficulties his office was facing. At the moment, the ICO is funded by the notification fees that it receives under the Data Protection Act and grant-in-aid that it receives from the Ministry of Justice. The former brings in substantial amounts but is ring-fenced – it can only spend that money on its data protection-related activities. FOI activities are entirely dependent on MoJ funding. That funding has been progressively reduced over the last few years. The Commissioner stated that:

“If grant in aid was cut further, action on anything other than routine freedom of information enquiries would be impossible.”

It’s not as though the Office is profligate with its money. Whenever the ICO advertises a post, I am horrified at the level of salary on offer (and I’m not alone). Employees that will be responsible for considering high-profile and influential cases are apparently joining the office on salaries of less than £20,000.

ICO salaries are far from excessive

Even taking into account that the North West is cheaper to live in than London and the South East, salaries are very low. To put it in perspective, I once considered joining the ICO and the only job that matched my then salary would have involved managing 60 staff. As an FOI Officer in a high-profile London-based public body, I was reasonably remunerated, but not THAT reasonably. It’s not unknown for privacy or information security roles in the private sector to attract starting salaries of £70,000 or more, so it is faintly ridiculous to think that they would be explaining themselves to ICO Case Officers earning around a third of their income.

Bearing in mind how poorly paid many of its staff appear to be, and its increasing struggle for funding, it must be said that the ICO punches above its weight. The constant churn of new guidance, Codes, initiatives, decisions, undertakings, penalties suggests an organisation that is working hard and effectively. Much of my work as a trainer and consultant (not to mention blogger) is informed by their publications. I know from my own experience that the work the Commissioner’s Office has done to raise awareness of data protection and privacy issues is making a difference, and monetary penalties are focussing minds. The progress made by the Commissioner was noted last year by the Justice Select Committee. Christopher Graham, whilst occasionally rubbing people up the wrong way (and perhaps this is actually a symptom of his success), has achieved wonders in reducing the backlog of complaints.

Nobody’s saying it is perfect – I’ve occasionally criticised it. All organisations make mistakes – they are, after all, staffed by human beings. The sheer volume and scale of the ICO’s work means that statistically they’re occasionally going to call something wrong. And given that much of information rights law is open to interpretation, it is inevitable that there will be differences as to how the law should be applied at times. (And of course, it’s much easier to criticise from the boundary – harder to be the team out there playing the game.)

Now Mr Graham says that the regulation of FOI is under threat due to successive cuts in funding. This is a major limitation on the effectiveness of FOI. We often forget that before 2005, most commentators expected FOI to be a damp squib. That it hasn’t been is at least partly due to a regulator prepared to challenge the status quo. Remember it was the Information Commissioner that ruled in favour of Cabinet minutes, risk registers and Prince Charles’ correspondence being disclosed, and often used his resources to argue the case further through lengthy appeal processes in the courts.

If the ICO is not properly funded, it is in my view at least as great a threat to FOI as attempts to water down the legislation (which are at least subject to a degree of Parliamentary scrutiny). Political parties that claim to support FOI and transparency (ie all of them, publicly at least) must commit to properly fund the office if elected to govern next year.

Things could get worse. The European Union’s proposed Data Protection Regulation would end the requirement to notify the Commissioner each year, and more importantly the annual fee that currently involves. If that happens, the ICO may be completely dependent on funding from Government in future. Given the current state of affairs, that is not an encouraging thought.

News Bulletin – week to 9 August 2013

FOI Man summarises the key developments in a busy week in the information law arena.

You would think that this time of year would be a quiet one in the information law arena, but apparently not. Last week saw the publication of new fees regulations and Information Commissioner’s Office (ICO) guidance to support new FOI requirements in relation to datasets which come into force on 1 September; a new Code of Practice from the ICO on handling subject access requests under the Data Protection Act; and a draft Code of Practice on conducting privacy impact assessments. That’s leaving aside criticism of the Information Commissioner – and a forthright response from him – over the way he has reacted to the Cabinet Office’s apparent attitude to FOI. Here I’ve summarised the key developments last week and provided some links in case you want to read more about them.

FOI and Datasets

The Protection of Freedoms Act 2012 amended the Freedom of Information Act to oblige public authorities to release “datasets” in a reusable format. I’ve written about what these changes mean in a previous post. Late last month it was announced that the changes would come into force on 1 September this year, and a special datasets Code of Practice under section 45 of the Act has already been published by the Ministry of Justice. On Friday new regulations setting out the circumstances under which public authorities can charge to license re-use of datasets were published, as was new guidance on these provisions from the Information Commissioner. Steve Wood, the ICO’s Head of Policy Delivery, has blogged about what these changes mean for public authorities and the ICO.

Data Protection and Subject Access Requests

Probably the most well known provision of the Data Protection Act 1998 (DPA) is the right of individuals (or “data subjects”) to ask organisations for information held about themselves. Earlier this year the ICO consulted on a Code of Practice on the handling of such requests, and this week the finalised Code was published. Anya Proops of 11KBW has given her reaction to the new Code, and has highlighted an apparent conflict between case law and the Commissioner’s approach in respect of the requester’s purpose. Meanwhile, DPA and subject access requests were considered in a High Court case. It has proved a rarity for DPA to be tested in the courts, certainly at that level, so this was an important ruling.

Data Protection and Privacy Impact Assessments

The ICO likes a good Code of Practice these days, so no sooner has the ink dried on its subject access Code of Practice, than it has published a new draft Code on privacy impact assessments. Privacy impact assessments have been promoted by the ICO for many years as a form of risk assessment to be carried out at an early stage of projects that are likely to involve, or relate to processes that involve, the processing of personal data. The ICO wants to know what individuals and organisations think of the draft Code.

ICO publishes statistics on data breach reports

Breaches of DPA have become big news these days, often featured in the national media. Last week the ICO began to publish statistics on data breach reports made to them, starting with the period from 1 April to 30 June 2013. In a welcome move, they have also put together a spreadsheet listing details of all civil monetary penalties issued and this can be accessed on their website. Sally-Anne Poole, Group Enforcement Manager at the ICO, has blogged about the thinking behind these latest developments.

Three more organisations to be monitored over FOI response times

The ICO has announced that the Home Office, Sussex Police and South Tyneside Council will be monitored for three months due to concerns over delays in responding to FOI requests. At the same time, the results of the January to March monitoring period have been reported. They have now cleared the Departments for Education and Work and Pensions, but have remaining concerns about the Office of the First Minister and Deputy First Minister of Northern Ireland. The Chief Executive of another public authority, Wirral Borough Council, has had to sign an undertaking promising to make improvements.

Mr Cook, the teeth, Cabinet Office strife and some bother

The start of last week saw a newspaper editorial criticise the Information Commissioner himself for failing to enforce FOI in respect of failings by the Cabinet Office. This follows the FT’s Chris Cook’s investigations into use of private email accounts by government ministers and special advisers. In a typically robust response, Christopher Graham made clear that he felt these criticisms unfair. I commented here that I thought the Commissioner’s defensiveness misplaced. Others – Jon Baines and Tim Turner – highlighted evidence of the Cabinet Office’s shortcomings and missed opportunities for ICO action. This one will run and run.