Tag Archive for Michael Gove

GDPR is coming – BREXIT or not

FOIMan points to a comment from a BREXIT campaigner which reinforces the message that a vote to leave the EU would have little effect on the adoption of the new General Data Protection Regulation in the UK.

On my data protection courses I’ve come to expect the obvious question whenever I mention that the General Data Protection Regulation (GDPR) will come into force on 25 May 2018 and will apply across the European Union (EU). Which is, of course:

What happens if we vote to leave the EU on 23 June?

I’m no constitutional expert, but I’ve been reassured by the fact that my usual answer has been in line with what many other commentators have said on this question. GDPR is coming whether we leave the EU or not. The latest comments from the BREXIT camp if anything seem to me to reinforce this view.

Firstly, one of the most likely flavours of BREXIT is that the UK would join the wider European Economic Area (EEA) – the group that Norway is a member of. Nations in this group still have to comply with many EU laws, and this would include GDPR. Result of this option: GDPR would apply.

Secondly, if the UK goes for another flavour of BREXIT, then it wouldn’t have to adopt GDPR itself, but following the European Court’s decision on Safe Harbor last October, if UK businesses were to continue to do business with European companies and public bodies then it would almost certainly have to adopt an “equivalent” level of data protection. Result of this option: a new Data Protection Act that is to all intents and purposes the GDPR by another name.

One complicating factor is that it has previously been assumed that post-BREXIT negotiations would take two years to complete. This would mean that however we vote, the GDPR would apply for a matter of months after 25 May 2018. If businesses and public bodies have to do enough to comply with the regulation for a few months, what would be the point of lowering standards that they have already worked to meet?

Now comments by one of the leading BREXIT campaigners seem to me to make it even more important for businesses to assume that GDPR is on the way – and will be here to stay. Michael Gove recently suggested that negotiations post-BREXIT would be unlikely to be complete by the time of the General Election in 2020. If BREXIT happens more than 2 years after GDPR has been brought into force, it seems less likely than ever that BREXIT would affect GDPR.

The bottom line is: whatever the outcome on 23 June, the GDPR is on the way and organisations need to prepare for it now.

Mr Gove’s Internal Review

FOIMan explains why he is worried for the future of FOI as a result of the Justice Secretary’s comments yesterday.

Ministry of JusticeNews reports over the weekend suggested that the new Justice Secretary, Michael Gove, was planning a renewed attack on FOI. Well now we know for certain.

Speaking in the Commons yesterday, Mr Gove responded to questions from MPs about the media story that he thinks “we do need to revisit the Freedom of Information Act.” I’ve indicated before that I thought FOI would receive more attention this Parliament, but Mr Gove’s comments are particularly concerning as they seem to indicate that he is inclined to go further than the news stories suggested.

Anyone familiar with recent FOI history will have expected that this majority Conservative government would attempt to amend the fees regulations to make it easier for requests to be refused on grounds of cost. Indeed such an intention was expressed nearly three years ago when the government responded to the Justice Select Committee’s post-legislative scrutiny of FOI. The fact that the last government failed to follow through on its intentions appears to have been the result of a rearguard action by Liberal Democrat ministers.

Furthermore, David Cameron indicated after the Supreme Court’s ruling over Prince Charles’ letters to ministers that he wanted to change the law to reinforce the ability of the government to veto FOI disclosures. With the inconvenience of a general election out of the way, it would appear that there is little to stop his Justice Secretary from pursuing this desire now.

When the news stories emerged over the weekend, I paid little attention. As I’ve suggested, these moves were always likely now that internal opposition has been removed. I’m not happy about the idea of an enhanced veto or reduced cost limits, but I had already conceded to myself that such changes were probably inevitable in the current political climate.

However, Michael Gove’s comments yesterday appeared to indicate that he wants to go further than the “two-pronged assault” predicted in the media. He said:

“It is vital that we get back to the founding principles of freedom of information. Citizens should have access to data and they should know what is done in their name and about the money that is spent in their name, but it is also vital that the conversations between Ministers and civil servants are protected in the interests of good government.”

Mr Gove appears to be making a distinction between “data” such as how much is spent by a government department, and “information” which might include correspondence between government officials. This suggests a far more draconian restriction on FOI than we had been expecting. It seems likely that the exemption protecting the formulation of government policy may come under scrutiny. At present, the exemption is subject to a public interest test, which means that on occasion – not regularly – government departments are ordered to disclose such information by the Information Commissioner or the courts. The most likely change therefore is that the exemption may be made absolute – more difficult to overturn. As the Campaign for FOI has commented, this would be bad enough and would chip away at the fundamental principles of our current FOI law. But it is hard to discount anything from Mr Gove’s comments, which appear to suggest that this “review” of FOI may be more comprehensive than many had suspected.

Mr Gove’s comments are particularly ironic bearing in mind that he made them on the same day as a speech in which he argued that:

“The rule of law is the most precious asset of any civilised society. It is the rule of law which protects the weak from the assault of the strong; which safeguards the private property on which all prosperity depends; which makes sure that when those who hold power abuse it, they can be checked; which protects family life and personal relations from coercion and aggression; which underpins the free speech on which all progress – scientific and cultural – depends; and which guarantees the essential liberty that allows us all as individuals to flourish.”

It appears now that we breathed a premature sigh of relief in 2012 when the Justice Select Committee’s report turned out to be more supportive of FOI than we had expected. The biggest threat to the UK FOI Act is here and now.

Whatever your interest in FOI, if you believe that it ought to be stronger, not weaker, consider supporting the Campaign for Freedom of Information. Over the coming months there will be other ways to express our views, but ensuring that the Campaign can bring its expert knowledge and determination to bear is a good way to start.

 

Cabinet Office issues new guidance on private email accounts

FOI Man looks at new guidance issued by the Cabinet Office which appears to directly contradict the Information Commissioner.

Email is a fraught subject for information managers. Take this recent (and rather excellent) blog post from records management consultant James Lappin. As James makes clear, few – if any – organisations have really got a handle on how the valuable information held in email should be retained and managed.

And that’s just the email held in corporate accounts. If staff or others use their own private email accounts to conduct organisational business that creates a whole new complication. Especially if you’re a public authority and that business might be subject to the requirements of the Freedom of Information Act.

Now unless you have a very short memory, you will recall that the Coalition Government has had its fingers burnt in this area before. Through clever use of both FOI and the Data Protection Act (and useful leaks), Financial Times journalist Chris Cook established that Education Secretary Michael Gove and some of his special advisers (or Spads) had been using private email accounts to conduct business which appeared to many (eventually including the Information Commissioner) to be Government business. It was suggested that this had been done to avoid potential disclosure of the emails through FOI.

Following this controversy, the Information Commissioner issued guidance to public bodies which confirmed that email held within private email accounts could indeed be subject to FOI, and what his approach to this tricky issue was.

If I were a Government that had been accused of trying to avoid proper and lawful scrutiny through the use of private email accounts to conduct government business, I think I might want to take a “whiter than white” approach to these matters in future. I’d want to make sure that I followed the Information Commissioner’s line on the issue to the letter, so that nobody could put so much as a hair between my approach and that of the regulator. That seems sensible doesn’t it?

So imagine my surprise as I read the Cabinet Office’s new Guidance to Departments on the Use of Private Email, published perhaps less surprisingly late last Friday afternoon. The guidance starts off by pointing out that it should be read in conjunction with the Information Commissioner’s guidance. So, obedient to the last, I’ve done just that. Let’s see what they say, shall we?

Information Commissioner:

“There is a need to have a clear demarcation between political and departmental work.”

Cabinet Office:

“The originator or recipient of a communication should consider whether the information contained in it is substantive discussions or decisions generated in the course of conducting Government business…”

Information Commissioner:

“In order to avoid the complications of requesting searches of private email accounts, and other private media, records management policies should make clear that information on authority-related business should be recorded on the authority’s record keeping systems in so far as reasonably practicable.”

Cabinet Office:

“Civil servants and Ministers are generally provided with access to Government email systems. Other forms of electronic communication may be used in the course of conducting Government business.”

Information Commissioner:

“When a request is received, public authorities should consider all locations where relevant information may be held. This may include private email accounts.”

Cabinet Office:

“As set out above, it is expected that Government business should be recorded on government record systems. It will generally be reasonable to search only within those systems when a request has been received.” [so presumably, any FOI Officer asking a Minister if they have emails relating to Government business in their private email account will be considered unreasonable]

Information Commissioner:

“Public authorities should also remind staff that deleting or concealing information with the intention of preventing its disclosure following receipt of a request is a criminal offence under section 77 of FOIA.”

Cabinet Office:

[Silence falls. Tumbleweed rolls down Whitehall.]

Now to be fair to the Cabinet Office (no, come on), some may see these differences as subtle and perhaps it is only my world-weary cynicism that leads me to see conflict. But the final section of the Cabinet Office guidance dealing with The Freedom of Information Act and searches for information sees the Cabinet Office take a running jump away not just from the Information Commissioner’s guidance, but also from any reasonable interpretation of the legislation itself.

“The FOI Act allows people to request information; it does not give the requester any power to dictate where the department should search for that information. It is for the department to consider where the information might be and to take reasonable steps to find it.”

I’m sure that it’s just a coincidence that Chris Cook has made a spate of requests to the Cabinet Office and Department for Education asking for information sent by individuals on Government business using private email accounts. Surely the Cabinet Office couldn’t be so touchy as to write a policy just to thwart the efforts of a single journalist?

But the point is that FOI doesn’t place any limitations on the way that requesters should ask for information. They merely have to describe “the information requested” (FOI, s.8). If that description happens to include the location that they believe the information can be found in, the only reasons why a public authority would not be obliged to provide that information is if an exemption applies to it, if the request is considered to be vexatious, or if to provide the information in that location would exceed the appropriate cost limit.

But you don’t have to take my word for it. The Information Commissioner’s Office issued a decision notice (not yet available on the ICO website) to the Cabinet Office the week before this guidance was published making exactly the same point.

Chris Cook had made a request for “copies of emails relating to the government’s education reforms, sent between the Prime Minister and a special adviser, using non-GSI email accounts”. Given the events described above in relation to the Secretary of State for Education, it can perhaps be understood why such a request might be made. The Cabinet Office argued (as in their guidance) that FOI did not allow requests for information by reference to a particular location or medium, and that Chris’s request was therefore not a valid request. The Information Commissioner concluded that Chris’s request was indeed valid for the reasons I’ve suggested above.

So the week after the Information Commissioner has explicitly stated to them that a request for information held in a specific location is a perfectly valid request, the Cabinet Office have published official guidance to Government departments contradicting the Commissioner’s view. Not for the first time, this Government appears to be interpreting the law to suit itself in the face of all the facts, and raising a single finger in the direction of the Information Commissioner.