Tag Archive for Information Commissioner

Is the ICO fit for purpose?

FOIMan summarises the outcome of the government’s long-awaited Triennial Review of the Information Commissioner’s Office.

The government has finally published its Triennial Review of the Information Commissioner’s Office (ICO). The long-awaited report concludes that:

  • the ICO still has an important role to play
  • it needs to adjust to the challenges of developing technology
  • it should still report to a sponsoring department in government rather than the Commissioner becoming an officer of Parliament
  • its structure should change to a board of commissioners – in line with a recommendation made by the Leveson Inquiry
  • the government and ICO should quickly agree a more sustainable funding approach especially for DP activities.

Along the way, the report highlights criticism from many stakeholders which is familiar to long-term observers in this field – that the ICO aren’t tough enough at enforcement, that they go for the easy targets, and that the quality of guidance and assistance from the ICO can be inconsistent and sometimes poor. Nonetheless the report also discusses the achievements of the ICO in reducing backlogs and providing necessary expertise. It also recognises some of the challenges that the ICO has faced in recent years.

Overall, I suspect the ICO won’t be unhappy with the report and especially the recognition that whilst changes are necessary, government needs to put its hand in its pocket to pay for a more effective regulator. For more details, read the published report.

Source: Triennial Review of the ICO, 8 November 2016

Postscript: the government has rejected the proposal to restructure the ICO as a multi-commissioner board.

Source: statement by Minister of State for Digital and Culture, Matt Hancock MP


News Flash: new Information Commissioner announced

The Department for Culture, Media and Sport has announced that their nomination to take over from Christopher Graham is Elizabeth Denham.

Ms. Denham is currently the Information and Privacy Commissioner in British Columbia, Canada. This would be the first time that a UK Commissioner would be appointed from overseas. It won’t be the first time that we will have a female Information Commissioner – Elizabeth France was the Commissioner at the time that both the Data Protection and Freedom of Information Acts received Royal Assent.

The current Commissioner has welcomed the nomination:

“Elizabeth Denham is an inspired choice for Information Commissioner. As commissioner for both privacy and access to information in a similar jurisdiction, Elizabeth has shown independence of judgement and toughness of character. She will be a great leader for the ICO as it adapts to the demands of the new data protection framework – and she’ll be an effective upholder of information rights both in the UK and internationally.”

Ms. Denham will have to go through a pre-scrutiny hearing from the DCMS Select Committee, but if all goes well, the Queen will appoint the new Commissioner by Letters Patent later this year. Once this process is complete, the new Commissioner will take office in June this year. Following changes made by the Protection of Freedoms Act in 2012, Elizabeth Denham can serve a single 7 year term as Information Commissioner.


Industrial use of FOI

FOIMan highlights the difficulty of handling FOI requests at the height of industrial disputes.

Extract from correspondence


Those responsible for managing FOI compliance are in a difficult position at the best of times. I’m sure they wouldn’t quote Stealers Wheel to describe their situation (“clowns to the left of me, jokers to the right”) but nonetheless they are stuck in the middle of two camps, each of which passionately feels it is right. On the one side there is the requester seeking transparency and accountability, for whom often any reticence to disclose is another example of establishment secrecy. On the other, there is the information holder, often more senior than the one responsible for compliance, who sees their job as being to protect the organisation from harm. They know the information and its context much better than the FOI Officer and the poor old FOI Officer therefore has to judge whether their reluctance to disclose is justified by the facts, or whether the information holder is being unnecessarily defensive. Things can be even more complicated if those responsible for answering the request are directly affected by the matter concerned.

Pity then those responsible for answering FOI requests at the Information Commissioner’s Office (ICO). As correspondence disclosed by a member of the PCS union and published over the weekend by FOI Kid (no relation) shows, they are in a very tricky place at present. PCS are taking industrial action over a recent decision to award three senior officials large pay rises, whilst other staff have seen very limited pay increases, in line with the rest of the public sector. Union officials made FOI requests to their employer in order to understand the reasons behind the pay awards. Initially told that information was not held, the ICO appears to have changed its mind at internal review.

Dealing with requests in these circumstances is never easy, and any organisation can be forgiven for making mistakes under pressure. That even the regulator’s handling of such a case appears somewhat clunky demonstrates how difficult it can be when employee relations meet FOI.

FOIMan News to 18 July 2014

FOIMan reports on the latest FOI and information rights news stories.

The Information Commissioner's Annual Report was published this week.


Information Commissioner uses launch of Annual Report to call for more resources and powers


The Information Commissioner, Christopher Graham, launched his office’s Annual Report for 2013/14 on Tuesday 15 July. Following on from his reported comments at an internal meeting earlier this year, Mr Graham highlighted the state of funding of his office, saying:

…to do our job properly, to represent people properly, we need stronger powers, more sustainable funding and a clearer guarantee of independence.

Law Commission advises Government to set up a comprehensive review of data sharing law

Last year the Law Commission opened a consultation on data sharing with a view to identifying perceived hurdles to data sharing in the UK. Last week (11 July) the Commission published its report on the consultation. It recommends a “full law reform project”:

…to create a principled and clear legal structure for data sharing, which will meet the needs of society.

It suggests that the project should map, clarify and modernise statutory provisions around data sharing, as well as looking at “soft law” such as guidance, Codes of Practice and sharing of best practice. The report was made to the Secretary of State for Justice, Chris Grayling.

Schools Trust holds information says Tribunal – eventually

In a week when the Education Secretary was removed from office, scrutiny fell on the complicated arrangements behind many academies, and the implications for FOI. Geraldine Hackett, a journalist, wanted to see the employment arrangements of the Chief Executive of the United Learning Trust, a Trust behind a number of academy schools. The Trust argued that they did not hold the information as the Chief Executive was employed by the Trust’s parent body, the United Church Schools Foundation Ltd. This argument had been upheld by the Information Commissioner and the First-Tier Information Tribunal. The Upper Tribunal overturned the FTT decision on a technicality and asked for a new First-Tier Tribunal to reconsider the case.

This time, the FTT found that because the information was held in filing cabinets that the Trust’s staff had access to, the information was held. The decision is in line with the important University of Newcastle Upper Tribunal decision which stated that “[h]old…is an ordinary English word and is not used in some technical sense…”. It also confirms the overall trend of decisions around the definition of “held” since then which suggests that if there is any doubt, the public authority probably holds the information in question. Robin Hopkins has analysed the case in more depth on 11KBW’s Panopticon Blog.

Data retention emergency legislation DRIPs through Parliament

The controversial emergency Bill requiring communications providers to retain data on telephone and internet use received Royal Assent in the same week that it was introduced to Parliament. It followed the European Court of Justice’s decision in April that the existing European Directive was unlawful as it represented a disproportionate intrusion into individuals’ privacy. At the time, the court said that the Directive:

entails an interference with the fundamental rights of practically the entire European population.

DPA without the Lawyer


Publication of the Week

In a slight departure, this week I’m going to highlight a new book from The Centre for Investigative Journalism called DPA without the Lawyer. This is the latest in the series of books (including FOIA without the Lawyer and EIRs without the Lawyer) put together by the team at Request Initiative. DPA without the Lawyer is written by Jenna Corderoy and Brendan Montague and explains how journalists can take advantage of the subject access requirements of the Data Protection Act in their investigations.



IC trouble ahead

FOIMan argues that funding cuts to the Information Commissioner’s Office are a huge threat to FOI.

Christopher Graham addresses the 2013 ICO Data Protection Officers’ Conference

Transparency’s a marvellous thing isn’t it? These days we can find out what goes on in all sorts of meetings across the public sector. One example is the way we get to eavesdrop on what the FOI and DP regulator is saying internally.

A couple of weeks ago the minutes of the Information Commissioner’s April Management Board were published in the ICO’s publication scheme. And one thing in particular caught the eye.

The Commissioner stressed in frank terms the financial difficulties his office was facing. At the moment, the ICO is funded by the notification fees that it receives under the Data Protection Act and grant-in-aid that it receives from the Ministry of Justice. The former brings in substantial amounts but is ring-fenced – it can only spend that money on its data protection-related activities. FOI activities are entirely dependent on MoJ funding. That funding has been progressively reduced over the last few years. The Commissioner stated that:

If grant in aid was cut further, action on anything other than routine freedom of information enquiries would be impossible.

It’s not as though the Office is profligate with its money. Whenever the ICO advertises a post, I am horrified at the level of salary on offer (and I’m not alone). Employees that will be responsible for considering high-profile and influential cases are apparently joining the office on salaries of less than £20,000.

ICO salaries are far from excessive

Even taking into account that the North West is cheaper to live in than London and the South East, salaries are very low. To put it in perspective, I once considered joining the ICO and the only job that matched my then salary would have involved managing 60 staff. As an FOI Officer in a high-profile London-based public body, I was reasonably remunerated, but not THAT reasonably. It’s not unknown for privacy or information security roles in the private sector to attract starting salaries of £70,000 or more, so it is faintly ridiculous to think that they would be explaining themselves to ICO Case Officers earning around a third of their income.

Bearing in mind how poorly paid many of its staff appear to be, and its increasing struggle for funding, it must be said that the ICO punches above its weight. The constant churn of new guidance, Codes, initiatives, decisions, undertakings, penalties suggests an organisation that is working hard and effectively. Much of my work as a trainer and consultant (not to mention blogger) is informed by their publications.  I know from my own experience that the work the Commissioner’s Office has done to raise awareness of data protection and privacy issues is making a difference, and monetary penalties are focussing minds. The progress made by the Commissioner was noted last year by the Justice Select Committee. Christopher Graham, whilst occasionally rubbing people up the wrong way (and perhaps this is actually a symptom of his success) has achieved wonders in reducing the backlog of complaints.

Nobody’s saying it is perfect – I’ve occasionally criticised it. All organisations make mistakes – they are, after all, staffed by human beings. The sheer volume and scale of the ICO’s work means that statistically they’re occasionally going to call something wrong. And given that much of information rights law is open to interpretation, it is inevitable that there will be differences as to how the law should be applied at times.  (And of course, it’s much easier to criticise from the boundary – harder to be the team out there playing the game).

Now Mr Graham says that the regulation of FOI is under threat due to successive cuts in funding. This is a major limitation on the effectiveness of FOI. We often forget that before 2005, most commentators expected FOI to be a damp squib. That it hasn’t been is at least partly due to a regulator prepared to challenge the status quo. Remember it was the Information Commissioner that ruled in favour of Cabinet minutes, risk registers and Prince Charles’ correspondence being disclosed, and often used his resources to argue the case further through lengthy appeal processes in the courts.

If the ICO is not properly funded, it is in my view at least as great a threat to FOI as attempts to water down the legislation (which are at least subject to a degree of Parliamentary scrutiny). Political parties that claim to support FOI and transparency (ie all of them, publicly at least) must commit to properly fund the office if elected to govern next year.

Things could get worse. The European Union’s proposed Data Protection Regulation would end the requirement to notify the Commissioner each year, and more importantly the annual fee that currently involves. If that happens, the ICO may be completely dependent on funding from Government in future. Given the current state of affairs, that is not an encouraging thought.