Tag Archive for Personal information

Who will know if you make an FOI request?

Last week I posted about the NHS Information Governance Toolkit and its FOI requirements. David Higgerson highlighted in his blog on journalism the rules that NHS FOI Officers are expected to follow in relation to ’round robin’ requests. David was particularly concerned that this undermined the principle that requests should be processed in an ‘applicant blind’ manner. It started me thinking about what we circulate internally about requests and, more especially, requesters.

This whole issue of how requesters’ details should be handled is a fraught one for FOI Officers. Many of them are also responsible for Data Protection compliance in their organisations and are only too aware of the importance of protecting personal data. They are also keen to maintain the ‘applicant blind’ principle themselves.

In my experience, this can put them on a collision course with politicians and senior officials in their organisations. I’ve heard of FOI Officers and other staff being bawled at by very powerful people because they refused to provide this information. I’ve also heard of individuals who have decided to leave public bodies after being put under pressure in this way.

My own approach to this tricky issue is to routinely remove names and contact details from requests before circulating them. If someone wants to know who has made a request, I will initially tell them what kind of requester has made the request (eg private individual, journalist, business, etc.). If they insist on having a name, I will consider whether they have a legitimate need.

So what would I consider to be a legitimate need?

I would generally feel that the Press Office have a legitimate need to know the name of a journalist if they ask. The reason for this is that they may well be dealing with the same journalist themselves; it’s their job to oversee relations with the Press.

I routinely provide the Press Office with details of requests received from journalists (though not names unless they specifically ask), and where requested, I will also let them see a draft response. I can understand that might raise eyebrows. But I honestly don’t believe that automatically prevents the request being dealt with in an ‘applicant blind’ manner. The request will still be coordinated by the FOI Officer (or departmental staff in some organisations), the same information will still be sent out. It is just that the Press Office have a ‘heads up’ for any impending news story about the organisation. Even the Information Commissioner recognises that Press Officers will want to (and indeed should) work closely with FOI Officers.

Where I would draw the line would be if the Press Office insisted that the response should be different because of who the request is from. The reality is generally that the Press Office are more likely to change their line if it is out of synch with the FOI response (and by comparing notes, we may actually identify any errors in the response). Any sensible Press Officer is going to realise that they can’t interfere with a legal requirement. They might suggest different ways of saying things, but there is rarely any question (in my experience) of them changing the information that is going out.

It is arguable that it is ‘fair’ (to use the Data Protection Act terminology) to share the names of requesters making requests in a business capacity. Examples would be where it is clear that the request is being made by someone on behalf of the body corporate (eg they use a corporate email address; their signature includes their employer’s details; their letter has a corporate letterhead). I still wouldn’t routinely circulate a name, but I’d feel slightly better about it if asked.

There may be circumstances where individuals within the organisation need to know who has made a request to apply the Act itself effectively. For instance, if the case is being made to aggregate the costs of compliance with a series of requests, or to class a request as vexatious, the history of that individual’s contact with the organisation is likely to be a relevant consideration.

The crisis point for me would come if I felt that it wasn’t ‘fair’ to share the details and that there wasn’t a legitimate need. If the Chief Executive insists on knowing who made a request without providing adequate justification, how do I deal with that? Ultimately, under enough pressure, I know that I am likely to provide the information, as to be frank, I may well not have a choice. But first I would at least try to persuade them that they either don’t need a name, or at least to provide me with some sort of explanation as to why this is justified.

For this reason, I would always advise requesters to assume that their details will be known to anyone in the organisation they make their request to. Most of the time, for most people, that will probably not be a problem. However, I was recently asked for advice by someone who wanted to ask for information held by their employer, and I could only advise them that their best approach would be to use a pseudonym. I don’t generally condone that, but if anonymity is important, then that’s really your best option (and if your pseudonym is credible, the FOI Officer is not going to know – so you can avoid your request being refused under section 8).

Divided by a common language – personal data and openness

A few months ago I was fortunate enough to travel to New York for a few days’ holiday. Sheltered soul that I am, this was my first visit to the USA.

The whole trip was fabulous, but you’re not here to have my holiday snaps inflicted upon you. The only down point really, as many others have found in recent years, was trying to get into the country.

I’d already had to complete my ESTA (electronic entry visa), and on the plane I was given a Customs Declaration form to fill in. On arrival I stood in line for about an hour whilst we were herded through the cramped arrivals hall and towards one of the immigration officials, sat in their cubicles of bullet-proof glass. Despite the posters promising friendly and courteous staff, when the time came for me to stand in front of one of these officials, he glowered at me suspiciously (fair enough, some might say), barked instructions and interrogated me as to my intentions. I’ve never been on trial, but my first experience of the US made me feel a little like I suspect I would as a defendant in the dock.

Things improved immeasurably from that point on. But the point is that throughout the process of entering the US, I was asked for a great deal of personal information. Now, it may cause you to roll your eyes heavenwards, but I found myself entertained during my long wait in the queue by contemplating a passage of small print on the back of the Customs Declaration form. It read:

“PAPERWORK REDUCTION ACT NOTICE: The Paperwork Reduction Act says we must tell you why we are collecting this information, how we will use it, and whether you have to give it to us…The estimated average burden associated with this collection of information is 4 minutes per respondent or record keeper depending on individual circumstances. Comments concerning the accuracy of this burden estimate and suggestions for reducing this burden should be directed to US Customs and Border Protection…”

This was in exactly the position that UK or European forms would place a Data Protection notice. What I thought was interesting is this. Here in the UK (and across Europe) we are increasingly concerned with what government and other organisations do with the data that they hold about us. We reacted with horror when HMRC lost two CD-ROMs containing details of 25 million families. It seems not a month goes past without the ICO issuing press notices about the latest NHS Trust data breaches, and they can now fine organisations up to half a million pounds in the worst cases. And the metaphorical and political blood that has been spilt over proposals for ID card and NHS patient databases could fill the country’s blood banks for the next decade.

Yet in the US, the equivalent concern is for bureaucracy. All very well and good, we’d all like to see less of that (yes, even us public employees). But that’s apparently the concern that takes priority over privacy. Of course, in limiting paperwork, a side effect may well be that less personal data is collected, but this or the protection of that data, is not the driver over there.

I was reminded of my post-plane perusals this week when I happened across a news article about a US court case reviewing an FOI appeal. In the US they don’t have an Information Commissioner, so anyone appealing against a public authority’s decision has to take the case to court.

The request was from a civil liberties group who wanted to have copies of the images taken by airport scanners. This has become quite a concern of late in the US (as here), as the latest scanners are reputed to reveal in intimate detail the contours of the human body. The judge in the court case upheld the authority’s decision not to disclose the images.

Now this in itself didn’t surprise me. I’d have assumed that if the images really do allow the sort of insight that most people only allow their intimate partner, then there’d be a reasonable argument to withhold the information on personal data or privacy grounds. But the story appeared to suggest that they’d been refused not for those reasons, but on the grounds of national security, as potential terrorists might be able to find ways to fool the scanners through analysis of the images.

This looks like another example to me of where US culture, law and politics is subtly, perhaps significantly, different to ours. They don’t have data protection laws. UK organisations are only allowed to exchange data with US businesses because of something called ‘Safe Harbor’. This means that US businesses can register with the US authorities promising to handle personal data in line with principles similar to our Data Protection Principles. But the only reason they do this is because otherwise they wouldn’t be able to do business with European bodies, public or commercial. Importantly, it’s voluntary. It’s a completely different mindset.

So why is this significant? And why am I talking about Data Protection on a blog about FOI?

Well-known freedom of information campaigner and freelance journalist Heather Brooke has a new book out called The Silent State. I’ll be up front and say that I haven’t had chance to read it yet. But by all reports it repeats something that she has said on many occasions before.

Heather is from the US and began her journalistic career there. One of her biggest complaints about public authorities in the UK is that they are secretive about the names and contact details of public employees. Apparently, in her native state the names, job titles, contact details and salaries of all public employees are published on-line. Not just senior executives. Everyone, from the street sweepers to the Chief Executive.

Her argument is that the UK’s culture of secrecy makes it inefficient and bureaucratic. That people hide their ineptitude behind the high crenellated walls of their particular public employer. And of course that things are much better in the US where they are open about who is doing what.

Conservative commentator Peter Oborne has written gushingly about Heather’s agenda. He comments that her connection of secrecy and inefficiency:

“…is a Tory insight and if David Cameron has real courage he should make Heather Brooke’s radical agenda his own.”

I don’t doubt that some public authorities are too secretive, and should be prepared to make more information available (and be less defensive when they receive FOI requests). And personally, I have no problem with my details being made available on my organisation’s website (they are). I could even accept my salary being published.

But I equally understand that some people don’t feel comfortable with that. Perhaps they resent the idea of such a degree of openness. They may see this as yet another ‘punishment’ for the ‘crime’ of taking a job in the public service. But they also may have very good, personal, reasons. Should the individual who has moved on to a new life after escaping an abusive relationship be forced to work in the private sector because they don’t want their former partner to track them down? Should anyone who fiercely defends their privacy be restricted in this way?

Most would agree that publishing details of the most senior and public facing officials is a good thing. But in reality, why would you want to know the name of the street cleaner? If you’re not happy with their work, your local council presumably provides a mechanism to report that. Is the idea that you should be able to directly confront them, vigilante style, if you find a cigarette stub on the pavement outside your house?

We have a tradition in this country of respecting individual freedoms. Our culture and our law recognises the importance of privacy and particularly of how personal data should be handled. There may well be virtue and value in publishing more details about public officials. But before we start to bash public authorities over the head with their perceived secrecy over their employees, we ought to consider what it is that we really want. Do we want our current model which balances the need for government openness with the need for individual privacy? Or do we want to make a significant shift to a US model where protecting personal data is much lower down the agenda?

Is it always right to disclose public servants’ details?

Our friendly minister Francis is back again (that’s a scary sentence to anyone who read or saw House of Cards and its sequels). This time Mr Maude is announcing the publication of charts for each government department naming senior civil servants and giving their salaries. We’ll gloss over the fact that much of this has been available for some time if you could be bothered to look, and that the charts are far from complete.

Personally, I’m relaxed about my contact details and even pay grade being disclosed. I think being an FOI Officer and not being open to that prospect would be even more ironic than writing a blog about FOI anonymously. But I can understand colleagues who feel uneasy about their details being disclosed. It is easy to imagine some very good reasons why individuals may not wish to be found via an authority’s website – perhaps they have been the victim of stalking, or are trying to leave behind a love affair that went badly wrong. But some people just feel very strongly that they are entitled to some privacy, and shouldn’t be deprived of that just because they accepted a job with an organisation that happens to be in the public sector.

There are practical reasons why in some cases it just isn’t appropriate in my view to publish contact details for officials. Why, for instance, should the names and contact numbers of doctors or pharmacists in hospitals be easily available to anyone who asks? Surely they have better things to do than spend their time dealing with drug company reps who have obtained their contact details through FOI. My view is that FOI Officers have to consider the context that they work in, and that the benefits of openness should be balanced against the actual and potential inconvenience that could result. Is openness for its own sake really appropriate in every case?

Of course it is important that those members of staff that deal directly with the public are identified, and that those responsible for the most important and expensive decisions are accountable. And equally, it is important that there is openness about expenditure. But often those needs can be met by means other than naming specific members of staff and publishing their individual salaries.

Another concern public employees have when it comes to salaries is that there is little context provided when these details are reported. Not least because the private sector isn’t subject to the same demands of openness. It’s all very well knowing that someone earns £47,000, but what would someone in that position earn in the private sector? That’s generally not printed alongside newspaper reports and government press releases disclosing public sector salaries. This point was made much more eloquently in a great article I read this week by Chris Blackhurst of the London Evening Standard.

I often find myself wondering when requesters criticise public officials for reticence in these areas how keen they would be for information about them to be disclosed in the same detail. (And yes, you can argue that there is added justification through the expenditure of public money, but when it comes down to it, public servants are employees just like anyone else with a job. Who employs you doesn’t change how you feel about your own privacy).

I’m absolutely not against publishing names, contact details and even salaries where it is appropriate. But I just want to set out why it’s not always as straightforward as those making FOI requests or demanding publication of officials’ details might believe. Beyond the moral and practical issues raised above, there are conflicting legal requirements (which I’m planning to come back to at a later date).

I realised whilst drafting this post that I have a lot to say about this, so I will come back to this subject very soon. Is it right for all public officials to be named, and for their salaries to be published? Or are there boundaries? Should there be different approaches for different parts of the public sector? As ever, I’m interested to hear your views through commenting here or via Twitter. And if you enjoy this blog, please do tell others about it.