GDPR’s Duty to Document

FOIMan explains how GDPR puts keeping records well at its very centre.

Back in December, the Information Commissioner, Elizabeth Denham, indicated her wish for a new duty to document law. I’ve written previously about this here and here.

On 28 April, I explored this issue a bit further in a talk to the public sector group of the Information and Records Management Society (IRMS) at a venue in Westminster. I’d been asked to talk about the need to keep records for corporate requirements identified in the FOI s46 Code of Practice.

The s46 Code does spell out the need to keep records to meet legal requirements, to record precedent, to document legal and other rights, and to justify actions taken. It’s worth noting that s.48 of FOIA gives the Information Commissioner the power to issue “practice recommendations” requiring public authorities to bring their practice into line with the Codes of Practice. So the s46 Code establishes a duty to document and the Act gives the Commissioner (admittedly limited) powers to enforce it.

Leaving FOI behind though, I handed delegates postcards of the image above. It illustrates the data protection principles as set out in the General Data Protection Regulation (GDPR). Right at the centre of my image is the accountability principle. It means that organisations will not be able to comply with the other principles without being able to demonstrate their compliance. In other words, they need to keep records to show what they are doing with people’s personal data. What they told those people when it was collected. Whether they gave consent. What their data protection impact assessment concluded. And so on.

Keeping records – and keeping them well – is central to compliance with GDPR. Records management should form a central plank of your GDPR preparations over the next year. Not least because it is very clear that the Information Commissioner is very interested in records management indeed.

Let me know if you need a speaker for your event – I’m always happy to help if I can. If you’re looking for in-house training on GDPR, get in touch for a quote.

References:

s.46 Code of Practice

GDPR

Down the rabbit hole – the EIRs

FOIMan begins an exploration of the Environmental Information Regulations.

The rabbit hole in question is also known as section 39 of the UK FOI Act (and also of the Scotland Act, for that matter), which leads, of course, to the Environmental Information Regulations 2004 (EIRs). It always seems to me that the EIRs are somewhat neglected so I’ve chosen to devote a series of articles for PDP’s Freedom of Information Journal to an exploration of them.

In the first in the series – available here – I look at why there are separate regulations covering environmental information at all, and what exactly is environmental information. The next piece will look at the main differences between FOI and the EIRs, whilst the last piece will examine the exceptions. You can read the whole series by subscribing to the Freedom of Information Journal or just by keeping an eye out for the later articles here on the FOIMan website (and you can ensure you don’t miss them by subscribing to FOIMan posts via the box in the column on the right).

If you want training on the EIRs, I can provide this in-house – just get in touch for a quote. Or you can attend one of the courses I’m running for Act Now Training later this year.

Nothing flopsy about this RoPSI

FOIMan finds the Holy Grail of a first decision under the Re-use of Public Sector Information Regulations.

[Image: a rabbit. Caption: Careful…it could turn at any minute.]

Ever since the first Re-use of Public Sector Information Regulations became law in 2005, I’ve known them as RoPSI. This has always amused me as I envisage them as a cute little bunny rabbit. Flopsy RoPSI. Bless.

But in fact since 2015 they’ve had more teeth – think more of the blood-thirsty fur-ball in Monty Python and the Holy Grail. The 2015 regs require public authorities to allow re-use of information on request in most circumstances. And what’s more, they bring the full range of FOI enforcement options to bear on re-use. Which are of course wielded by the Information Commissioner.

That said, we haven’t seen the Commissioner use these powers in anger – until now. The first decision notice has been issued in relation to RoPSI. It criticises Cambridgeshire County Council for imposing unnecessary restrictions on the applicant for re-use of right of way data.

Cambridgeshire had allowed the re-use of the data under a licence which was limited to one year, and appeared to limit re-use to the applicant alone. These were problems for the applicant as the intention was to use the data on an open mapping website where it might then be further re-purposed by others. They had also reserved the right to charge for re-use but had waived the charge on this occasion.

One of the council’s concerns was that the intellectual property of the Ordnance Survey (OS) would be breached, which was soon dismissed when the OS told the ICO that they had no problem with rights of way data being re-used under the Open Government Licence (OGL). Another was that the data itself would soon be updated. The council was imposing the one year licence so that the applicant would be forced to update their map after a year. The ICO pointed out that the OGL requires those reusing data to publish data with a caveat warning that the data might not be accurate. This should be sufficient to meet the council’s concerns.

The council’s position was also undermined by the fact that other councils allowed re-use under the OGL. Taking all this into account, the Commissioner concluded that the licence terms were unnecessarily restrictive. It appears that when it comes to licensing of public sector data, public authorities will need good reasons not to apply the OGL.

Unfortunately the issue of whether the council could charge for re-use wasn’t examined because the council hadn’t charged in this case. I suspect that if it had been looked at, the Commissioner would not have been sympathetic to a charge. Under RoPSI, in many circumstances, only “marginal costs incurred in respect of the reproduction, provision and dissemination of documents” can be charged for re-use. Take note those tempted, like Cambridgeshire, to adopt the National Archives’ “Charged Licence” when responding to re-use requests.

The Commissioner was also critical of the council’s tardiness in responding to ICO enquiries (and indeed considered whether they had failed to deal with the original request ‘promptly’). The decision notice threatens that in future the Commissioner will be prepared to require information under her statutory powers at s51 of FOIA, and suggests that the council should consider whether sufficient resources are in place. It’s clear the Commissioner has been less than impressed with the way that Cambridgeshire have dealt with her enquiries and this request for re-use.

This first decision notice under RoPSI sends out a signal that, as with FOIA and data protection, the ICO means business under their new Commissioner.

Should Cambridgeshire disagree with the Commissioner, they need only appeal to the First Tier Tribunal. Unless they have access to the Holy Hand Grenade of Antioch, of course.


I’ll be covering re-use and the Re-use of Public Sector Information Regulations on my Practical FOI Skills and Transparency Requirements course for Act Now Training.

References:

Decision notice FS50619465 (Cambridgeshire County Council)

Re-use of Public Sector Information Regulations 2015

Open Government Licence v.3

University FOI Stats 2016

FOIMan reviews JISC’s latest report on FOI in higher education.

There aren’t that many sources of information on FOI performance. Central government of course publishes statistics on its own compliance, but outside of Whitehall, the availability of statistics on how public bodies apply FOI is ironically pretty limited. If you want to know more about sources for FOI statistics, I wrote about it for the FOI Journal last year. One of the sectors that does publish information every year is the higher education sector.

Every year, JISC, the higher education information and research body, conducts a survey of universities on their experiences with FOI, EIR and data protection subject access requests. The data is collated into handy charts which are made available online and can be downloaded in reusable form for further number crunching. It always provides quite a detailed insight into FOI handling and this year’s is no different.

Amongst the highlights of this year’s report:

  • universities received an average of 264 requests (mostly – 232 – FOI requests) in 2016 – after a drop last year, requests were up 10%;
  • 51% of requests were granted in full – 17% were partly fulfilled;
  • only 9% were fully withheld due to exemptions;
  • most requests (27%) were about “student issues”;
  • journalists were the most common type of requester – 23% (though it should be noted that 22% of requesters were not identified);
  • only 4% were not answered within 20 working days;
  • the most time-consuming parts of handling an FOI request were “locating and accessing information”, “reviewing information” and “considering exemptions”.

We have to remember that these figures are self-reported and the survey is voluntary – many universities didn’t report at all. However, what we do have is some very useful data on how FOI is working in these public bodies.

Although JISC introduce the report by commenting that the rise in FOI requests represents a “seven-fold increase” since reporting began in 2005, it should be noted that this started from a very low base. Most local authorities would kill to have FOI request rates as low as 232.

Despite the common complaint about FOI requests from IT companies trying to get hold of procurement intelligence, only 7% of requests are about procurement (though it’s possible these requests were counted in the 9% of requests about IT provision). Only 13% of requests are recorded as coming from “commercial organisations”.

A note on use of exemptions. There was quite a bit of commentary when the Institute for Government published a report last month suggesting that the government’s stats indicated that government departments were becoming less open as they were using more exemptions, and failing to meet deadlines more often. There’s nothing to suggest this is a problem in Higher Education in JISC’s stats, and in any case I’m not at all sure that you can make that conclusion from raw statistics. After 12 years of FOI, it may just be that government departments have already disclosed all the “low-hanging fruit”, and that what remains now are the difficult cases that are more likely to be refused or take longer to answer. What’s really needed if we want to understand changing attitudes to FOI in public bodies is research involving a qualitative analysis of the types of requests being refused – are they the ones that would have been answered in the early days of FOI? Or are the questions being asked more challenging these days? One for the academics in our higher education institutions. Statistics are helpful, but they only provide part of the picture.

If public authorities want tips on how to improve their performance under FOI, just a reminder that you can join me for one of my training courses on FOI for Act Now Training, starting with an intensive look at the FOI Exemptions on 24 April in London. Details on the Act Now Training website.

Delving Deeper into Denham’s Drive for a Duty to Document

FOIMan examines the Information Commissioner’s proposals for a new duty to document.

In December, the Information Commissioner, Elizabeth Denham, gave a speech at an event celebrating 250 years of freedom of information. During the speech Ms. Denham indicated that she wanted the government to legislate for a “duty to document”.

I wrote briefly about this at the time. But in my latest piece for PDP’s Freedom of Information Journal (available here), I’ve looked further into the Information Commissioner’s proposals.

Amongst the issues explored are:

  • what effect FOI has had on public sector records management;
  • how the Information Tribunals have dealt with the issue of records management;
  • what problems is the Commissioner seeking to resolve;
  • what tools are available to the Commissioner now;
  • and finally, are there any existing duties to document along the lines that Elizabeth Denham suggests?