Tag Archive for Section 46

GDPR’s Duty to Document

FOIMan explains how GDPR puts keeping records well at its very centre.

Back in December, the Information Commissioner, Elizabeth Denham, indicated her wish for a new duty to document law. I’ve written previously about this here and here.

On 28 April, I explored this issue a bit further in a talk to the public sector group of the Information and Records Management Society (IRMS) at a venue in Westminster. I’d been asked to talk about the need to keep records for corporate requirements identified in the FOI s46 Code of Practice.

The s46 Code does spell out the need to keep records to meet legal requirements, to record precedent, to document legal and other rights, and to justify actions taken. It’s worth noting that s.48 of FOIA gives the Information Commissioner the power to issue “practice recommendations” requiring public authorities to bring their practice into line with the Codes of Practice. So the s46 Code establishes a duty to document and the Act gives the Commissioner (admittedly limited) powers to enforce it.

Leaving FOI behind though, I handed delegates postcards of the image above. It illustrates the data protection principles as set out in the General Data Protection Regulation (GDPR). Right at the centre of my image is the accountability principle. It means that organisations will not be able to comply with the other principles without being able to demonstrate their compliance. In other words, they need to keep records to show what they are doing with people’s personal data. What they told those people when it was collected. Whether they gave consent. What their data protection impact assessment concluded. And so on.

Keeping records – and keeping them well – is central to compliance with GDPR. Records management should form a central plank of your GDPR preparations over the next year. Not least because it is very clear that the Information Commissioner is very interested in records management indeed.

Let me know if you need a speaker for your event – I’m always happy to help if I can. If you’re looking for in-house training on GDPR, get in touch for a quote.


s.46 Code of Practice


Whose Code is it anyway?

FOIMan tries to find out who is responsible for issuing Codes of Practice and discovers it’s not as simple as he thought.

Cups and a ball

Cup…ball. Ball…cup.

Last year the Government announced a number of changes to how FOI, data protection and records management will be managed within government. At the time a few people muttered about what it showed about government attitudes to information rights, but otherwise there was a collective shrug. We all had other things to worry about with the FOI Commission, demise of Safe Harbor and GDPR on the horizon.

It occurred to me last week though that I didn’t now know who was responsible for issuing FOI Codes of Practice. The government had played a big game of Cups and Balls Tommy Cooper-style and I was no longer sure which of the cups the s.45 and s.46 Codes were sitting under. The FOI Commission recommended a revised s45 Code, but who would now be issuing it?

The government announcement had indicated that the Cabinet Office would be responsible for FOI and for records management, taking over from the Ministry of Justice. Section 45 of the Act requires “the Secretary of State” to issue a Code of Practice on compliance with Part I of the Act. I knew that Matt Hancock was the Minister for the Cabinet Office, but he’s not a “Secretary of State”. A bit of digging on gov.uk established that Oliver Letwin, the Chancellor of the Duchy of Lancaster, is the closest equivalent that the Cabinet Office has.

I thought I had an answer to that question, but what about s.46? That section requires “the Lord Chancellor” to issue a Code of Practice on records management. The Lord Chancellor is Michael Gove, but surely it didn’t make sense for Mr Gove at the Ministry of Justice to be issuing a Code on something that was now Cabinet Office-led?

Thankfully, the Campaign for FOI had followed those metaphorical balls around the table with their usual hawk-like attention to detail. After I made a plea for help on Twitter, the Campaign sent me a link to the Transfer of Functions (Information and Public Records) Order 2015, made in December last year. It confirms that the FOI Act has been amended, and that in particular, responsibility for issuing both Codes of Practice now lies with Oliver Letwin. As the Campaign wryly noted, we had other things on our minds at the time. But isn’t that how the Cups and Balls game always works?


It turns out that the Transfer of Functions Order makes things even less clear than I thought. Thankfully, Malcolm Todd of the National Archives has clarified matters for which I’m grateful. You can read Malcolm’s full response in the comments following this post.

So here’s – hopefully – the definitive statement on who’s responsible for what post-2015. The Chancellor of the Duchy of Lancaster (Oliver Letwin currently) is, as I suggested, responsible for issuing the section 45 Code(s). The Secretary of State for Culture, Media and Sport (John Whittingdale) is responsible for issuing the s.46 Code, but must consult the Chancellor of the Duchy.

Apologies for the confusion, but if you take a look at the Transfer Order, I’m sure you’ll understand the problem. Imagine the fun we’ll have when people refer to “the Chancellor’s Code” in future!

What are FOI Officers for?

I’ve been meaning to write this post for some time, but there’s always been something topical getting in the way. But as the data deluge begins to subside (?), here are my observations on the role of FOI Officers in the UK.

When FOI was passed (and I am dismayed to recall that I missed the FOI Act’s 10th birthday on 30th November), public authorities preparing for its impact had little to go on. Each authority came up with its own way of handling requests or alternatively, failed to, and reaped the consequences in January 2005. As a result, each public authority has its own way of processing FOI requests, and each FOI Officer has a different job.

In one organisation I’ve worked in, the FOI Officer is very much an advisor – they only get involved in the answering of individual requests if there are concerns about disclosing information. Most requests are answered by staff working on the subject area of the request. My impression is that this is characteristic of central government’s handling of FOI requests (generalising broadly). In these bodies, the person answering your request may well not know very much about the Act (so may use the wrong terminology/make odd statements about their obligations under the Act), but should be knowledgeable about the subject that is being asked about.

In other organisations, including my current one, the FOI Officer receives, acknowledges and responds to the request. Departments are asked to provide relevant information, and advise if they have any concerns with the information being disclosed (I wrote about this process in more detail in my post Being Human last month). This is probably characteristic of FOI procedures in sectors outside central government (again, generalising – many may not). This is an approach probably favoured additionally by smaller organisations.

As well as differences in the way that FOI requests are processed, there are also variations in attitude and approach amongst practitioners. There isn’t a single FOI Officer profession – we’re a range of individuals, with different backgrounds, skills and attitudes. There isn’t a professional body for FOI Officers – though the Records Management Society (RMS) recently became the Information and Records Management Society (IRMS), partly I suspect in an attempt to fill this vacuum (logical, since many FOI Officers started out as Records Managers, and the Section 46 Code of Practice makes the link clear).

Often we have many other responsibilities in addition to FOI. Commonly this includes records management and Data Protection Act compliance (with significant workloads attached to both) but often very many other duties as well.

This means that there is no single understanding of what an FOI Officer is for. Some, I’m sure, see their role as to do as they’re told – if they’re told to withhold information by a senior officer, then they find a way to do so, no matter how weak the basis. And who can blame them? I know of one FOI Officer who was casually threatened with redundancy for themselves and a junior colleague if they couldn’t be “more helpful” (for which read “find ways to avoid answering uncomfortable requests”).

A few FOI Officers, I believe, take common cause with the FOI critics in their organisation and set out, in their view, to defend their employer. Without much persuasion, they will seek out ways to thwart requesters. They will complain loudly about ‘abuse’ and ‘misuse’ (sometimes justifiably, but perhaps on occasion not) of the legislation. Their advice and decisions may not be based on available case law, but on their own view of what is reasonable. They will shout loudly – and in fairness, correctly – that the Information Commissioner’s decisions do not set precedent.

Then there are those that take the view that they are there to challenge the status quo, to promote the principles underlying the legislation. In practice, this means not just accepting it when a colleague or a manager asks them to find an exemption to apply, but asking the difficult questions. Why can’t it go out? What harm will result? How likely is that harm? Will it really cost this much to provide the information? This approach is strongly influenced by the decisions of the Information Commissioner, Tribunal and higher courts.

In my view, this is the right approach, however unpopular it may be with managers and colleagues. There is, after all, a statutory presumption (Environmental Information Regulations) or assumption (FOI, as established through case law) to disclose, and in my experience it is often difficult for those closest to information to take an approach consistent with that. The FOI Officer is there to make that assumption or presumption for the public authority. They might ultimately decide that it is right to withhold the information, or they may be overruled, but they have to ask the questions.

In truth, of course, we’re all on a scale covering all of those approaches. I certainly recognise myself in all three scenarios. It’s not wrong of FOI Officers to seek to defend their employer, but we do that better by minimising the risk of referral to the Commissioner, or at least increasing the likelihood of the Commissioner upholding the decision made. I’d also argue that by basing our approach around case law and available guidance, FOI Officers will be seen to be professional, even if they don’t belong to a profession.