Data protection doesn’t require important records to be destroyed

FOIMan explains why any organisation which blames the destruction of important records on data protection rules is being either disingenuous or is ignorant of what the law requires.

In recent weeks The Guardian has drawn attention to the plight of those innocent people who have lived in the UK for many years, only to be told recently by the Home Office that they could face deportation. This week the Home Secretary finally apologised, but many people are still in a legal limbo, unable to prove their status, not realising that they would ever need to.

Now a former Home Office employee has reported that disembarkation cards which might have helped establish the status of many of these people were deliberately destroyed by the Home Office a few years ago. Responding to the claim, the Home Office has conceded that records were destroyed but claims that this was necessary to comply with the Data Protection Act (DPA). The records were, according to them, destroyed:

to ensure that personal data … should not be kept for longer than necessary. Keeping these records would have represented a potential breach of these principles.

This argument has a long pedigree. It was cited by a police chief constable at the time of the Soham murders as a reason why records were not retained about Ian Huntley which might have prevented his employment as a caretaker at a school. It was used more recently by the House of Commons to justify the early destruction of MPs’ expenses records.

In both these cases, and in the latest example, this is just plain wrong. If the press officer or whoever drafted this statement had checked with their Data Protection Officer, they would have been able to tell them this.

It is true that one of the data protection principles requires that personal data be kept no longer than necessary, and that data controllers – organisations – are required to put in place procedures to ensure this. However, note that word “necessary”. It places the responsibility fairly and squarely at the door of the organisation that has collected the data to decide what is “necessary” and to justify it. If records are still being used to answer enquiries about individuals’ immigration status (as the Home Office whistleblower has maintained), or are at the centre of one of the biggest scandals to hit modern British politics, I would suggest that it is “necessary” to retain them, and to do so can be easily justified. Data protection laws do not say they must be destroyed.

Furthermore, even if there is a view that it is no longer necessary to retain records for their original purpose, both the DPA 1998 and GDPR permit records to be retained for historical research purposes in a record office. The Home Office whistleblower reports that it was suggested that the cards be offered to a record office, but that they were told that no archive wanted them. As public records, the National Archives would have had first option on these and since these records would seem to be of great value to genealogists and those studying the history of migration and minority ethnic communities in the UK, it is hard to imagine them turning such an offer down. Even if they did, are we to believe that other record offices, including for example Brixton’s Black Cultural Archives (based in Windrush Square), a repository specialising in the history of Britain’s African and Caribbean communities, would have said no? It seems unlikely if they were given the opportunity (and the significance of the cards was explained to them). Data protection rules would have allowed the cards to be retained indefinitely in a record office.

Data protection rules simply do not require records with continuing value to be destroyed. Anyone claiming that they do is being disingenuous or is ignorant of what data protection requires. Let’s hope that organisations – particularly those that should know better – stop churning out this misconception every time that they are criticised for the disposal of records.

References:

Home Office destroyed Windrush landing cards, says ex-staffer, The Guardian, 17 April 2018 https://www.theguardian.com/uk-news/2018/apr/17/home-office-destroyed-windrush-landing-cards-says-ex-staffer

MPs to escape expenses investigations after paperwork destroyed by Parliament, Daily Telegraph, 2 November 2014 https://www.telegraph.co.uk/news/newstopics/mps-expenses/11204405/MPs-to-escape-expenses-investigations-after-paperwork-destroyed-by-Parliament.html

The politics of records management, FOIMan blog, 7 November 2014 https://www.foiman.com/archives/1337

Soham police chief ‘ignored advice’, The Guardian, 26 March 2004 https://www.theguardian.com/uk/2004/mar/26/soham.ukcrime

FOI and Open Data Developments

FOIMan reports on a new strategy from the ICO and a move for open data (and data sharing) responsibilities in government.

Elizabeth Denham, Information Commissioner

Elizabeth Denham

I’m briefly emerging from my monastic cell to note some recent developments in FOI that may have passed you by amidst frenzied GDPR preparations.

The Information Commissioner recently gave the annual Jenkinson Lecture at University College London. In it, she made intriguing reference to a new ICO FOI strategy. What does this strategy consist of?

  1. The Commissioner wants to augment the “request-based, and frankly, reactive” model of FOI. There appears to be a new focus on pro-active disclosure, and linked to this, the Commissioner is interested in giving new impetus to open data initiatives, particularly focussing on making them more sustainable. Self-assessment tools for public authorities are mooted.
  2. She wants FOI to expand to reflect changes in the way that public services are run (not a new call, of course). Housing Associations were particularly singled out for attention.
  3. She remains concerned about compliance with FOI deadlines, and is keen to explore ways to improve these. The publication of FOI statistics proposed by the FOI Commission in March 2016 (and more recently included in the draft s.45 Code of Practice released before Christmas) was highlighted, and it was suggested that the Commissioner could carry out audits even where no specific complaint has been received (or ‘own-motion compliance investigations’).
  4. Access Impact Assessments may be coming your way. Presumably inspired by her office’s preparations for GDPR, the Commissioner suggested that assessments should be made of the “access impact of new systems and initiatives”.

News of such a strategy is interesting in its own right, but I read earlier today of changes to responsibilities in central government (what are known as ‘changes to the machinery of government’). Responsibility for open data policy, together with data sharing, data governance and data ethics has moved from the Government Digital Service (in the Cabinet Office) to the Department for Digital, Culture, Media and Sport (DCMS). Could the Commissioner’s comments on open data be linked to this move, perhaps? And are there moves afoot to move FOI to DCMS as well? It would make sense – but machinery of government changes don’t always appear to be made with good sense in mind.

The Freedom of Information Officer’s Handbook

FOIMan unveils a forthcoming book seeking to define the role of the FOI Officer and provide help to anyone struggling with the management of their organisation’s FOI obligations.

The Freedom of Information Officer's Handbook, Facet PublishingIf you are employed as a FOI Officer, or even just do a job that involves dealing with a lot of FOI requests, one of the problems has always been that there is no manual. Until now. Later this year, Facet Publishing will be bringing you The Freedom of Information Officer’s Handbook, a new book about FOI by…well, me.

Yes, I referred recently to my relative silence online in recent months, explaining that this was partly down to the demand for GDPR training over the last few months (which continues), but also hinted at another mystery time-consuming commitment. I can now reveal that the latter has been (and continues to be), the writing of this book. This will be my first book (and perhaps my last!), which is obviously exciting for me, but hopefully also an interesting development for those of you who have followed this blog over the last few years.

There are plenty of places to find guidance on FOI, and even other books that explore FOI from a legal perspective, focussing on the application of exemptions for example. However, there isn’t anything (to my knowledge at least) that provides a comprehensive guide to how FOI should be managed by public authorities. So whilst you will find useful summaries of the law and how exemptions should be applied in this book, you will also find guidance on best practice when it comes to administering FOI. A chapter on embedding FOI in your organisation will include the development of policies and procedures, and how to assess and address training needs. Another on managing FOI will look at the IT systems that can be used to log requests, and how to improve performance, amongst other things. Some of you will have been lucky enough to receive FOI requests from me over the last year,* and the answers to those requests, together with my own experiences over the last 15 years, and other published research on FOI, will bring a fresh perspective on how FOI should be managed.

A really important thing for me in proposing and writing this book has been to explore the role of the FOI Officer. FOI is still relatively new, and whilst I often refer to FOI Officers in this blog and elsewhere, there aren’t actually that many people who answer requests that are called ‘FOI Officer’ within their own organisation. They often have to fit FOI work around other responsibilities. The work of those involved in FOI management, and the challenge they face, is often hugely underestimated by both requesters and by their colleagues and managers. In this book I hope to cast some light on their work and help those in these roles to be better appreciated by both others and (perhaps more importantly) by themselves.

The book won’t ignore related legislation either. The Environmental Information Regulations will feature heavily, and a chapter on copyright and re-use will discuss the Re-use of Public Sector Information Regulations and how they interact with FOI. There will also be brief descriptions of how the various FOI laws from around the British Islands (Scotland, Ireland, Isle of Man, States of Jersey) differ from the UK one that is the focus of the book.

Finally, the book offers the opportunity to provide an updated vision of FOI management in the context of the latest developments. In particular, I’ll be looking at what GDPR means for FOI, both in terms of compliance, but also considering what lessons there might be from concepts such as Data Protection Officers and data protection by design. The new s.45 Code of Practice will obviously feature (and I’m hoping the finalised version will be published in time to be referenced!).

The book is obviously aimed primarily at practitioners and others working in public authorities. However, just as this blog has proved to be of interest to a wider audience of journalists, academics, and other users of the Act over the last few years, hopefully the book will also appeal to those outside the public sector curious about how FOI works in practice.

The Freedom of Information Officer’s Handbook will be published by Facet Publishing towards the end of this year. It retails at £59.95, but readers of this blog can pre-order copies direct from the publisher with a 30% discount (resulting in a reduced price of £41.99). To take advantage of the discount, email info(Replace this parenthesis with the @ sign)facetpublishing.co.uk to indicate your interest in ordering a copy and quote the code FOIMAN (do not supply payment card or bank account details by email). The publisher’s distributor will then contact you to arrange payment and discuss despatch instructions. For more details about how your information will be used by Facet, see the privacy policy on their website.

* And more seriously, a very big thank you to everyone who has answered FOI requests from me or helped in any way over the last few months – it is hugely appreciated.

FOI and the General Data Protection Regulation

FOIMan considers how the General Data Protection Regulation (GDPR) affects the Freedom of Information Act (FOI) and its administration.

Happy new year! 2018 is finally here and only a matter of months remain before the GDPR applies to anyone that processes personal data. You may have noticed that I’ve been fairly quiet online of late, and one reason for that is that I’ve been busy travelling the country delivering GDPR training to a range of organisations. Another reason will become clear in due course…

My first love is (when it comes to information rights anyway), of course, FOI. So given that I’ve been giving so much thought to GDPR, it made sense to think about how the new law affects FOI.

A few months ago I blogged briefly about an obscure schedule of the Data Protection Bill (hopefully soon to become the Data Protection Act 2018) that made amendments to FOI in order to ensure that the exemption for personal data will still work effectively with GDPR. It’s important that these changes happen otherwise there would be a conflict between FOI and the new data protection regime. Not making them could lead to personal data being disclosed when it shouldn’t be, or, as I indicated in my blogpost, to less information being disclosed than might have been in the past.

However, GDPR doesn’t just mean changes to other legislation. It means that any organisation processing personal data has to ensure that that processing meets its requirements. That includes public authorities.

What might be forgotten is that the handling of FOI requests invariably involves the processing of personal data. Some of that processing will be expected by applicants and will be easy to justify; some of it won’t be. When I gave a presentation about this to a group of practitioners in December, there were some audible gasps (of recognition primarily) as I listed some of the things that public authorities routinely do with personal data whilst processing FOI requests, but are often done without much thought. It’s not necessarily that those activities are wrong, you understand; but GDPR (if not the current Data Protection Act) requires all public authorities to give some thought to how they are justified. They’ll also need to ensure that they meet the other requirements of GDPR.

In my latest piece for PDP’s Freedom of Information Journal I’ve looked at the FOI amendments in the Data Protection Bill (at least as it stood in October when this piece was written). I’ve also examined how FOI requests are handled and what practitioners will want to be looking at to prepare for GDPR. A lot of the things I discuss will be relevant for other correspondence processes as well.

Have a read. I hope it gives you some food for thought at the start of what will be a very busy and interesting year.

A new FOI Code for Christmas

FOIMan takes a look at the government’s long-awaited draft FOI section 45 Code of Practice.

A long, long time ago, in a galaxy far, far away, before BREXIT, before the last General Election, you may recall that the Government, which was apparently led by some guy called Cameron, set up a Commission to make recommendations on FOI. If you’ve forgotten that, you almost certainly won’t remember that the government responded to the outcome of the Commission with a promise to update the s45 Code of Practice. The Code is required under (you’ve probably guessed) s.45 of the Act. The existing Code was written in 2004 (some bloke called Blair was in charge then, but nobody remembers him), and is, frankly, about as much use as a chocolate teapot (and rather less satisfying to consume).

Since March 2016, when the government made this promise, there have been wars and rumours of wars. In December 2016, the Information Commissioner reported at an FOI event that she’d heard a draft would be released in the new year. Notably, she didn’t indicate which one.

But now here we are. Last week, the Cabinet Office quietly published a new draft Code and consultation paper. So what does this new Code look like?

I’ve only had chance to quickly peruse it, but some observations. Overall, it is a welcome move to a practical guide for public authorities on fulfilling their FOI obligations. It actually addresses many of the crucial questions that arise for practitioners – it is helpful.

That said, there are a few things that leapt out at me.

The first section deals with the making of requests – what’s a valid request, how to carry out searches, that sort of thing. There is an attempt to define what should be treated as an FOI request which seems a missed opportunity. Apparently it is an FOI request unless it is asking for personal data, environmental information or “information given out as part of routine business”. Given that, as we’ll see, the Code calls for authorities to report on numbers of requests received, it would be useful for it to define more precisely which requests ought to be logged, monitored and reported on. I’m not convinced this definition is precise enough for that.

There is a degree of wish fulfilment on display. Information that has been deleted but remains on back-ups is not held, says the Code, in direct contradiction of multiple Tribunal decisions. Requests made in a foreign language will not be valid requests, it claims, which may be a practical reality for the most part (since it would be impossible to know whether or not it was a request in many circumstances), but it would be interesting to know what legal basis there is for this stark statement. (I may well have missed a relevant decision, so please do let me know if I have).

Sections 4 and 5 make clear (as per the Commission’s recommendations) that public interest extensions and internal reviews should normally be limited to 20 working days. Applicants’ complaints can be ignored if submitted later than 40 working days after the response is sent out. The section on internal reviews is particularly welcome given that the Act, of course, doesn’t require a review, so the Code is really the only way to establish a common approach.

There are some useful chapters on vexatious requests and the cost limit, effectively just articulating the approach taken by the Tribunals over the last few years, but nonetheless welcome.

The really interesting developments are in section 8, on publication schemes (no, really). The Code follows the Commission’s recommendations that public authorities with over 100 FTE employees should publish statistics on FOI compliance – numbers received, numbers answered in 20 days, numbers refused, numbers granted, and numbers of internal reviews. It recommends that these be published quarterly. It also calls for senior pay, expenses and “payments in kind” to be reported on.

The next section deals with the controversial matter of outsourced public services. It makes some sensible recommendations, though I doubt this will silence calls for companies delivering such services to be made subject to FOI.

Finally, the datasets Code, now of limited use since the arrival of the Re-use of Public Sector Information Regulations, is now subsumed within the main s45 Code.

The tone of the language in the Code I think does betray the Cabinet Office’s lack of enthusiasm for FOI. However, the approach taken isn’t entirely a bad thing – a clear no-nonsense guide like this is long overdue. One of the common criticisms of FOI is that it is too vague and unclear – this helps address that.

In any case, if you agree or disagree, now’s your chance to say so. The consultation on this draft is open until 2 February so if you have any views on the draft Code, make sure you submit them before then.