Local Authority Meetings & Secrecy

FOIMan clarifies the relationship between FOI and local authority meeting rules.

Following the awful tragedy that unfolded at Grenfell Tower, there have been a lot of questions asked of the local council, the Royal Borough of Kensington and Chelsea (RBKC). Yesterday (29 June 2017) the council held a Cabinet meeting which began and ended in controversial circumstances. I was subsequently asked by a follower on Twitter about the relationship between FOI and attendance at council meetings.

The short answer is that there is none. FOI gives a right of access to information held by public authorities. It doesn’t regulate access to meetings.

The longer and more helpful answer is that FOI forms part of a range of legal requirements that ensure that local authorities like RBKC are accountable. I’ve written previously about transparency rules in local government. In relation to meetings of the RBKC cabinet, the Local Authorities (Executive Arrangements) (Meetings and Access to Information) (England) Regulations 2012 are, I believe, the relevant rules. I won’t go into whether RBKC were entitled to exclude the media from the meeting in this case as a) I don’t claim to be an expert in this area, and b) it’s already been dealt with by a legal ruling that the Press had to be admitted. But if you’re interested in what the rules are, the regulations I mention above may be of interest to you.

From my point of view, one of the most interesting issues is that RBKC are the latest organisation to discover that the perception of secrecy can be just as damaging, if not more so, as the revelation of embarrassing information (interestingly a theme explored by Dr Ben Worthy in his recent book on The Politics of FOI, which I thoroughly recommend). As one MP in their maiden speech said:

The public has the right…to know what its elected representatives are doing…Publicity is the greatest and most effective check against any arbitrary action.

The MP was Margaret Thatcher, and she said this in 1960 in support of a Bill to allow the Press to attend council meetings.

(HT to Alan Travis of The Guardian – @alantravis40 – for providing the quote above from Hansard in a Tweet yesterday)

Same thing, different gravy? The EIRs Part II

FOIMan examines the similarities and differences between FOIA and the Environmental Information Regulations.

A few months ago I started a series in PDP’s Freedom of Information Journal on the Environmental Information Regulations (EIRs), starting with an examination of the definition of environmental information. Here I bring you the second instalment in the series which looks at how FOIA and the EIRs differ.

I’ve just written the third and final part in the series which covers the exceptions in the EIRs. You’ll be able to read that in the next issue of the journal or right here on the FOIMan site later in the summer. Once they’re all available, I’ll put them all in one place in the Resources section so they will act as a comprehensive guide to the EIRs.

GDPR Guide: Portability

FOIMan examines a new right to access information about yourself that will become law next year, and considers what organisations will be obliged to do to comply with it.

Summary

We’re constantly submitting information about ourselves to companies and other organisations. Every time we sign up for a new energy deal, we have to input our details. The same if we want to move bank, or credit card. Even if we want to be able to listen to music or watch films from a streaming service. And every time we have to re-input those details, even though they’re more or less the same. Imagine if you could just get Apple to transfer the details you gave them to Spotify. Or ask your credit card provider to give your transaction history to their rival so you can find out if you can get a better deal.

Well…from next year you will be able to. The General Data Protection Regulation (GDPR) introduces a new “right to portability” (not potability, as it’s often misspelled – it’s not a right to your own personal drinking water). What does it involve?

What does it do?

It gives data subjects (individuals) a right to be provided with information they have provided to data controllers (businesses and other organisations) in a machine-readable and re-usable format. If the data subject prefers, data controllers will have to transfer their data directly to another data controller.

What does it cover?

Data provided by the data subject that is being processed by automated means (i.e. this won’t apply to data held in paper files) where the data controller relies on consent or a contract with the data subject to justify collection and use of the data (from the list of conditions at Article 6).

According to the Article 29 Working Party (A29WP), data which the data subject has “provided” will include not only the information supplied directly by the data subject but also raw data collected from observation such as smart meter data, activity logs, web usage or search history. It won’t cover any data that results from analysis of the observed data.

Some facts about portability

  • you’re expected to remind people of this right whenever you collect data directly from them, and also tell them within a month if you start collecting data by “observation”
  • requests for data to be “ported” will have to be processed “without undue delay”, and normally no later than a month after receipt of the request
  • fees can only be charged where a request is “manifestly unfounded or excessive”; the A29WP comment that this is going to be rare with portability requests as the data should be relatively easy to extract, prepare and disclose given that the right only applies to automated data
  • data must be disclosed “in a structured, commonly used and machine-readable format”; the A29WP interprets this as a format supporting re-use and suggests commonly used open formats should be used for release such as CSV, XML or JSON
  • where there are reasonable doubts about the identity of a requester, proof of ID can be requested; this is perhaps less likely to be an issue with portability requests than with, say, subject access requests, as in most cases there will be existing methods to authenticate a person’s identity (e.g. username and password)
  • when a data controller complies with a request to transfer data, they are responsible for its security during transfer – for example, by using end-to-end encryption. Once it gets to its destination however, the recipient is responsible for it – whether that be the data subject or another data controller to which the data has been transferred
  • generally data being ported is still subject to the data protection principles and other GDPR rules; e.g. data subjects should be able to restrict what data is transferred and data controllers in receipt of data should not process more of it than they need
  • contracts with other companies that process data on the data controller’s behalf (i.e. data processors) should specify requirements to facilitate portability requests
  • Article 20 specifies that the right to portability shall not adversely affect the rights of others; third parties have rights too.
    • This doesn’t mean that, for example, where someone crops up in the data subject’s bank account as a payee, a bank would have to redact their details before transferring the data.
    • However, in certain cases (A29WP cite social networks as an example) it will be appropriate to seek third parties’ consent at any point where they transact with the data controller (e.g. Facebook’s privacy permissions might indicate that a “friend” could seek to export their account data including data about their friends; the privacy permissions portal might allow individuals to indicate that they don’t want their data to be included in such exports).
    • Where data is transferred to another data controller, that organisation won’t be able to extract the details of third parties from the data and, for example, send them marketing using those details.
  • it’s worth noting that many companies already provide facilities to “port” data; a government initiative in the UK called “MiData” has been working towards developing an industry standard here for some years. If you’ve ever downloaded your bank statement as a spreadsheet, you’ve effectively made a data portability request. GDPR, though, now makes this a right, and potentially there will be many organisations, businesses in particular, that haven’t worried about this and will now have to prepare for the possibility of receiving such a request.

Further reading

The above are just my notes and thoughts on how portability will work. For further (and more authoritative) information, consult the following:

Note: I’ll be delivering a webinar on the portability right for Act Now Training on 23 June 2017. Visit their website for further details.

GDPR’s Duty to Document

FOIMan explains how GDPR puts keeping records well at its very centre.

Back in December, the Information Commissioner, Elizabeth Denham, indicated her wish for a new duty to document law. I’ve written previously about this here and here.

On 28 April, I explored this issue a bit further in a talk to the public sector group of the Information and Records Management Society (IRMS) at a venue in Westminster. I’d been asked to talk about the need to keep records for corporate requirements identified in the FOI s46 Code of Practice.

The s46 Code does spell out the need to keep records to meet legal requirements, to record precedent, to document legal and other rights, and to justify actions taken. It’s worth noting that s.48 of FOIA gives the Information Commissioner the power to issue “practice recommendations” requiring public authorities to bring their practice into line with the Codes of Practice. So the s46 Code establishes a duty to document and the Act gives the Commissioner (admittedly limited) powers to enforce it.

Leaving FOI behind though, I handed delegates postcards of the image above. It illustrates the data protection principles as set out in the General Data Protection Regulation (GDPR). Right at the centre of my image is the accountability principle. It means that organisations will not be able to comply with the other principles without being able to demonstrate their compliance. In other words, they need to keep records to show what they are doing with people’s personal data. What they told those people when it was collected. Whether they gave consent. What their data protection impact assessment concluded. And so on.

Keeping records – and keeping them well – is central to compliance with GDPR. Records management should form a central plank of your GDPR preparations over the next year. Not least because it is very clear that the Information Commissioner is very interested in records management indeed.

Let me know if you need a speaker for your event – I’m always happy to help if I can. If you’re looking for in-house training on GDPR, get in touch for a quote.

References:

s.46 Code of Practice

GDPR

Down the rabbit hole – the EIRs

FOIMan begins an exploration of the Environmental Information Regulations.

The rabbit hole in question is also known as section 39 of the UK FOI Act (and also of the Scotland Act, for that matter), which leads, of course, to the Environmental Information Regulations 2004 (EIRs). It always seems to me that the EIRs are somewhat neglected so I’ve chosen to devote a series of articles for PDP’s Freedom of Information Journal to an exploration of them.

In the first in the series – available here – I look at why there are separate regulations covering environmental information at all, and what exactly is environmental information. The next piece will look at the main differences between FOI and the EIRs, whilst the last piece will examine the exceptions. You can read the whole series by subscribing to the Freedom of Information Journal or just by keeping an eye out for the later articles here on the FOIMan website (and you can ensure you don’t miss them by subscribing to FOIMan posts via the box in the column on the right).

If you want training on the EIRs, I can provide this in-house – just get in touch for a quote. Or you can attend one of the courses I’m running for Act Now Training later this year.