The Freedom of Information Officer’s Handbook

FOIMan unveils a forthcoming book seeking to define the role of the FOI Officer and provide help to anyone struggling with the management of their organisation’s FOI obligations.

The Freedom of Information Officer's Handbook, Facet PublishingIf you are employed as a FOI Officer, or even just do a job that involves dealing with a lot of FOI requests, one of the problems has always been that there is no manual. Until now. Later this year, Facet Publishing will be bringing you The Freedom of Information Officer’s Handbook, a new book about FOI by…well, me.

Yes, I referred recently to my relative silence online in recent months, explaining that this was partly down to the demand for GDPR training over the last few months (which continues), but also hinted at another mystery time-consuming commitment. I can now reveal that the latter has been (and continues to be), the writing of this book. This will be my first book (and perhaps my last!), which is obviously exciting for me, but hopefully also an interesting development for those of you who have followed this blog over the last few years.

There are plenty of places to find guidance on FOI, and even other books that explore FOI from a legal perspective, focussing on the application of exemptions for example. However, there isn’t anything (to my knowledge at least) that provides a comprehensive guide to how FOI should be managed by public authorities. So whilst you will find useful summaries of the law and how exemptions should be applied in this book, you will also find guidance on best practice when it comes to administering FOI. A chapter on embedding FOI in your organisation will include the development of policies and procedures, and how to assess and address training needs. Another on managing FOI will look at the IT systems that can be used to log requests, and how to improve performance, amongst other things. Some of you will have been lucky enough to receive FOI requests from me over the last year,* and the answers to those requests, together with my own experiences over the last 15 years, and other published research on FOI, will bring a fresh perspective on how FOI should be managed.

A really important thing for me in proposing and writing this book has been to explore the role of the FOI Officer. FOI is still relatively new, and whilst I often refer to FOI Officers in this blog and elsewhere, there aren’t actually that many people who answer requests that are called ‘FOI Officer’ within their own organisation. They often have to fit FOI work around other responsibilities. The work of those involved in FOI management, and the challenge they face, is often hugely underestimated by both requesters and by their colleagues and managers. In this book I hope to cast some light on their work and help those in these roles to be better appreciated by both others and (perhaps more importantly) by themselves.

The book won’t ignore related legislation either. The Environmental Information Regulations will feature heavily, and a chapter on copyright and re-use will discuss the Re-use of Public Sector Information Regulations and how they interact with FOI. There will also be brief descriptions of how the various FOI laws from around the British Islands (Scotland, Ireland, Isle of Man, States of Jersey) differ from the UK one that is the focus of the book.

Finally, the book offers the opportunity to provide an updated vision of FOI management in the context of the latest developments. In particular, I’ll be looking at what GDPR means for FOI, both in terms of compliance, but also considering what lessons there might be from concepts such as Data Protection Officers and data protection by design. The new s.45 Code of Practice will obviously feature (and I’m hoping the finalised version will be published in time to be referenced!).

The book is obviously aimed primarily at practitioners and others working in public authorities. However, just as this blog has proved to be of interest to a wider audience of journalists, academics, and other users of the Act over the last few years, hopefully the book will also appeal to those outside the public sector curious about how FOI works in practice.

The Freedom of Information Officer’s Handbook will be published by Facet Publishing towards the end of this year. It retails at £59.95, but readers of this blog can pre-order copies direct from the publisher with a 30% discount (resulting in a reduced price of £41.99). To take advantage of the discount, email info(Replace this parenthesis with the @ sign)facetpublishing.co.uk to indicate your interest in ordering a copy and quote the code FOIMAN (do not supply payment card or bank account details by email). The publisher’s distributor will then contact you to arrange payment and discuss despatch instructions. For more details about how your information will be used by Facet, see the privacy policy on their website.

* And more seriously, a very big thank you to everyone who has answered FOI requests from me or helped in any way over the last few months – it is hugely appreciated.

FOI and the General Data Protection Regulation

FOIMan considers how the General Data Protection Regulation (GDPR) affects the Freedom of Information Act (FOI) and its administration.

Happy new year! 2018 is finally here and only a matter of months remain before the GDPR applies to anyone that processes personal data. You may have noticed that I’ve been fairly quiet online of late, and one reason for that is that I’ve been busy travelling the country delivering GDPR training to a range of organisations. Another reason will become clear in due course…

My first love is (when it comes to information rights anyway), of course, FOI. So given that I’ve been giving so much thought to GDPR, it made sense to think about how the new law affects FOI.

A few months ago I blogged briefly about an obscure schedule of the Data Protection Bill (hopefully soon to become the Data Protection Act 2018) that made amendments to FOI in order to ensure that the exemption for personal data will still work effectively with GDPR. It’s important that these changes happen otherwise there would be a conflict between FOI and the new data protection regime. Not making them could lead to personal data being disclosed when it shouldn’t be, or, as I indicated in my blogpost, to less information being disclosed than might have been in the past.

However, GDPR doesn’t just mean changes to other legislation. It means that any organisation processing personal data has to ensure that that processing meets its requirements. That includes public authorities.

What might be forgotten is that the handling of FOI requests invariably involves the processing of personal data. Some of that processing will be expected by applicants and will be easy to justify; some of it won’t be. When I gave a presentation about this to a group of practitioners in December, there were some audible gasps (of recognition primarily) as I listed some of the things that public authorities routinely do with personal data whilst processing FOI requests, but are often done without much thought. It’s not necessarily that those activities are wrong, you understand; but GDPR (if not the current Data Protection Act) requires all public authorities to give some thought to how they are justified. They’ll also need to ensure that they meet the other requirements of GDPR.

In my latest piece for PDP’s Freedom of Information Journal I’ve looked at the FOI amendments in the Data Protection Bill (at least as it stood in October when this piece was written). I’ve also examined how FOI requests are handled and what practitioners will want to be looking at to prepare for GDPR. A lot of the things I discuss will be relevant for other correspondence processes as well.

Have a read. I hope it gives you some food for thought at the start of what will be a very busy and interesting year.

A new FOI Code for Christmas

FOIMan takes a look at the government’s long-awaited draft FOI section 45 Code of Practice.

A long, long time ago, in a galaxy far, far away, before BREXIT, before the last General Election, you may recall that the Government, which was apparently led by some guy called Cameron, set up a Commission to make recommendations on FOI. If you’ve forgotten that, you almost certainly won’t remember that the government responded to the outcome of the Commission with a promise to update the s45 Code of Practice. The Code is required under (you’ve probably guessed) s.45 of the Act. The existing Code was written in 2004 (some bloke called Blair was in charge then, but nobody remembers him), and is, frankly, about as much use as a chocolate teapot (and rather less satisfying to consume).

Since March 2016, when the government made this promise, there have been wars and rumours of wars. In December 2016, the Information Commissioner reported at an FOI event that she’d heard a draft would be released in the new year. Notably, she didn’t indicate which one.

But now here we are. Last week, the Cabinet Office quietly published a new draft Code and consultation paper. So what does this new Code look like?

I’ve only had chance to quickly peruse it, but some observations. Overall, it is a welcome move to a practical guide for public authorities on fulfilling their FOI obligations. It actually addresses many of the crucial questions that arise for practitioners – it is helpful.

That said, there are a few things that leapt out at me.

The first section deals with the making of requests – what’s a valid request, how to carry out searches, that sort of thing. There is an attempt to define what should be treated as an FOI request which seems a missed opportunity. Apparently it is an FOI request unless it is asking for personal data, environmental information or “information given out as part of routine business”. Given that, as we’ll see, the Code calls for authorities to report on numbers of requests received, it would be useful for it to define more precisely which requests ought to be logged, monitored and reported on. I’m not convinced this definition is precise enough for that.

There is a degree of wish fulfilment on display. Information that has been deleted but remains on back-ups is not held, says the Code, in direct contradiction of multiple Tribunal decisions. Requests made in a foreign language will not be valid requests, it claims, which may be a practical reality for the most part (since it would be impossible to know whether or not it was a request in many circumstances), but it would be interesting to know what legal basis there is for this stark statement. (I may well have missed a relevant decision, so please do let me know if I have).

Sections 4 and 5 make clear (as per the Commission’s recommendations) that public interest extensions and internal reviews should normally be limited to 20 working days. Applicants’ complaints can be ignored if submitted later than 40 working days after the response is sent out. The section on internal reviews is particularly welcome given that the Act, of course, doesn’t require a review, so the Code is really the only way to establish a common approach.

There are some useful chapters on vexatious requests and the cost limit, effectively just articulating the approach taken by the Tribunals over the last few years, but nonetheless welcome.

The really interesting developments are in section 8, on publication schemes (no, really). The Code follows the Commission’s recommendations that public authorities with over 100 FTE employees should publish statistics on FOI compliance – numbers received, numbers answered in 20 days, numbers refused, numbers granted, and numbers of internal reviews. It recommends that these be published quarterly. It also calls for senior pay, expenses and “payments in kind” to be reported on.

The next section deals with the controversial matter of outsourced public services. It makes some sensible recommendations, though I doubt this will silence calls for companies delivering such services to be made subject to FOI.

Finally, the datasets Code, now of limited use since the arrival of the Re-use of Public Sector Information Regulations, is now subsumed within the main s45 Code.

The tone of the language in the Code I think does betray the Cabinet Office’s lack of enthusiasm for FOI. However, the approach taken isn’t entirely a bad thing – a clear no-nonsense guide like this is long overdue. One of the common criticisms of FOI is that it is too vague and unclear – this helps address that.

In any case, if you agree or disagree, now’s your chance to say so. The consultation on this draft is open until 2 February so if you have any views on the draft Code, make sure you submit them before then.

WhatDoTheyKnow About Refusing Requests?

FOIMan reviews refusal notices issued via the WhatDoTheyKnow.com website.

FOI is all about transparency. Most of the time that is demonstrated by disclosing requested information. On occasion though, public authorities have to refuse requests, and where this is the case, transparency should extend to the reasons why the requested information cannot be disclosed.

The Act itself (and the Environmental Information Regulations as well) sets out the requirement to issue a notice explaining the refusal and what must be included in it. Not surprisingly, the Information Commissioner has provided guidance over the years on how this obligation ought to be met as well.

Public authorities should therefore have a pretty clear idea of what to tell applicants when they refuse requests. Well, perhaps…

In my latest article for PDP’s FOI Journal, I examine 250 responses to requests made via the WhatDoTheyKnow.com website. Unfortunately I find that many responses leave a lot to be desired. You can read the article here.

Propping open the gate

FOIMan discovers that the government has an answer to ‘legitimate’ concerns over the GDPR and FOI.

One of the concerns of the Information Commissioner and many observers in relation to the General Data Protection Regulation (GDPR), is that it could potentially lead to less information about individuals being disclosed under FOI. Obviously protecting personal data is important but it shouldn’t stop legitimate public debate around things like MPs’ expenses or council Chief Executives’ pay.

The reason this is an issue is that the s.40 exemption for personal data – or at least the part of it that is most often relevant – revolves around the data protection principles set out currently in schedule 1 of the Data Protection Act 1998 (DPA). The first and most relevant of these says that data must be processed fairly and lawfully. In determining whether a disclosure of information is lawful, authorities have to consider whether it is justified by reference to a condition in schedule 2 of DPA. The condition that most often applies to FOI disclosures is that there is a legitimate interest in disclosing the information that can only be met by the disclosure. This has to be balanced against the rights of the individual. It is this condition that has led to lots of personal information about pay, expenses and so much besides entering the public domain.

The problem is that whilst GDPR more or less replicates the first principle, and the conditions as well, it explicitly says that public authorities can’t use the legitimate interests condition. In other words, potentially there could be no legal mechanism to justify disclosures of personal information in the public interest.

Schedule 18 of the Data Protection Bill 2017, the first draft of which was published yesterday, addresses this by the simple expedient of saying that as far as FOI is concerned, the GDPR bar on public authorities using legitimate interests to justify use of data can be ignored. If this survives the passage of the Bill, the gateway for lawful disclosures of personal data under FOI will remain open. Which is good news for public sector accountability.