FOIMan takes a look at the government’s long-awaited draft FOI section 45 Code of Practice.
A long, long time ago, in a galaxy far, far away, before BREXIT, before the last General Election, you may recall that the Government, which was apparently led by some guy called Cameron, set up a Commission to make recommendations on FOI. If you’ve forgotten that, you almost certainly won’t remember that the government responded to the outcome of the Commission with a promise to update the s45 Code of Practice. The Code is required under (you’ve probably guessed) s.45 of the Act. The existing Code was written in 2004 (some bloke called Blair was in charge then, but nobody remembers him), and is, frankly, about as much use as a chocolate teapot (and rather less satisfying to consume).
Since March 2016, when the government made this promise, there have been wars and rumours of wars. In December 2016, the Information Commissioner reported at an FOI event that she’d heard a draft would be released in the new year. Notably, she didn’t indicate which one.
But now here we are. Last week, the Cabinet Office quietly published a new draft Code and consultation paper. So what does this new Code look like?
I’ve only had chance to quickly peruse it, but some observations. Overall, it is a welcome move to a practical guide for public authorities on fulfilling their FOI obligations. It actually addresses many of the crucial questions that arise for practitioners – it is helpful.
That said, there are a few things that leapt out at me.
The first section deals with the making of requests – what’s a valid request, how to carry out searches, that sort of thing. There is an attempt to define what should be treated as an FOI request which seems a missed opportunity. Apparently it is an FOI request unless it is asking for personal data, environmental information or “information given out as part of routine business”. Given that, as we’ll see, the Code calls for authorities to report on numbers of requests received, it would be useful for it to define more precisely which requests ought to be logged, monitored and reported on. I’m not convinced this definition is precise enough for that.
There is a degree of wish fulfilment on display. Information that has been deleted but remains on back-ups is not held, says the Code, in direct contradiction of multiple Tribunal decisions. Requests made in a foreign language will not be valid requests, it claims, which may be a practical reality for the most part (since it would be impossible to know whether or not it was a request in many circumstances), but it would be interesting to know what legal basis there is for this stark statement. (I may well have missed a relevant decision, so please do let me know if I have).
Sections 4 and 5 make clear (as per the Commission’s recommendations) that public interest extensions and internal reviews should normally be limited to 20 working days. Applicants’ complaints can be ignored if submitted later than 40 working days after the response is sent out. The section on internal reviews is particularly welcome given that the Act, of course, doesn’t require a review, so the Code is really the only way to establish a common approach.
There are some useful chapters on vexatious requests and the cost limit, effectively just articulating the approach taken by the Tribunals over the last few years, but nonetheless welcome.
The really interesting developments are in section 8, on publication schemes (no, really). The Code follows the Commission’s recommendations that public authorities with over 100 FTE employees should publish statistics on FOI compliance – numbers received, numbers answered in 20 days, numbers refused, numbers granted, and numbers of internal reviews. It recommends that these be published quarterly. It also calls for senior pay, expenses and “payments in kind” to be reported on.
The next section deals with the controversial matter of outsourced public services. It makes some sensible recommendations, though I doubt this will silence calls for companies delivering such services to be made subject to FOI.
Finally, the datasets Code, now of limited use since the arrival of the Re-use of Public Sector Information Regulations, is now subsumed within the main s45 Code.
The tone of the language in the Code I think does betray the Cabinet Office’s lack of enthusiasm for FOI. However, the approach taken isn’t entirely a bad thing – a clear no-nonsense guide like this is long overdue. One of the common criticisms of FOI is that it is too vague and unclear – this helps address that.
In any case, if you agree or disagree, now’s your chance to say so. The consultation on this draft is open until 2 February so if you have any views on the draft Code, make sure you submit them before then.
Data protection doesn’t require important records to be destroyed
FOIMan explains why any organisation which blames the destruction of important records on data protection rules is being either disingenuous or is ignorant of what the law requires.
In recent weeks The Guardian has drawn attention to the plight of those innocent people who have lived in the UK for many years, only to be told recently by the Home Office that they could face deportation. This week the Home Secretary finally apologised, but many people are still in a legal limbo, unable to prove their status, not realising that they would ever need to.
Now a former Home Office employee has reported that disembarkation cards which might have helped establish the status of many of these people were deliberately destroyed by the Home Office a few years ago. Responding to the claim, the Home Office has conceded that records were destroyed but claims that this was necessary to comply with the Data Protection Act (DPA). The records were, according to them, destroyed:
This argument has a long pedigree. It was cited by a police chief constable at the time of the Soham murders as a reason why records were not retained about Ian Huntley which might have prevented his employment as a caretaker at a school. It was used more recently by the House of Commons to justify the early destruction of MPs’ expenses records.
In both these cases, and in the latest example, this is just plain wrong. If the press officer or whoever drafted this statement had checked with their Data Protection Officer, they would have been able to tell them this.
It is true that one of the data protection principles requires that personal data be kept no longer than necessary, and that data controllers – organisations – are required to put in place procedures to ensure this. However, note that word “necessary”. It places the responsibility fairly and squarely at the door of the organisation that has collected the data to decide what is “necessary” and to justify it. If records are still being used to answer enquiries about individuals’ immigration status (as the Home Office whistleblower has maintained), or are at the centre of one of the biggest scandals to hit modern British politics, I would suggest that it is “necessary” to retain them, and to do so can be easily justified. Data protection laws do not say they must be destroyed.
Furthermore, even if there is a view that it is no longer necessary to retain records for their original purpose, both the DPA 1998 and GDPR permit records to be retained for historical research purposes in a record office. The Home Office whistleblower reports that it was suggested that the cards be offered to a record office, but that they were told that no archive wanted them. As public records, the National Archives would have had first option on these and since these records would seem to be of great value to genealogists and those studying the history of migration and minority ethnic communities in the UK, it is hard to imagine them turning such an offer down. Even if they did, are we to believe that other record offices, including for example Brixton’s Black Cultural Archives (based in Windrush Square), a repository specialising in the history of Britain’s African and Caribbean communities, would have said no? It seems unlikely if they were given the opportunity (and the significance of the cards was explained to them). Data protection rules would have allowed the cards to be retained indefinitely in a record office.
Data protection rules simply do not require records with continuing value to be destroyed. Anyone claiming that they do is being disingenuous or is ignorant of what data protection requires. Let’s hope that organisations – particularly those that should know better – stop churning out this misconception every time that they are criticised for the disposal of records.
References:
Home Office destroyed Windrush landing cards, says ex-staffer, The Guardian, 17 April 2018 https://www.theguardian.com/uk-news/2018/apr/17/home-office-destroyed-windrush-landing-cards-says-ex-staffer
MPs to escape expenses investigations after paperwork destroyed by Parliament, Daily Telegraph, 2 November 2014 https://www.telegraph.co.uk/news/newstopics/mps-expenses/11204405/MPs-to-escape-expenses-investigations-after-paperwork-destroyed-by-Parliament.html
The politics of records management, FOIMan blog, 7 November 2014 https://www.foiman.com/archives/1337
Soham police chief ‘ignored advice’, The Guardian, 26 March 2004 https://www.theguardian.com/uk/2004/mar/26/soham.ukcrime
Share this: