Working with our public sector partners towards informed compliance

Welcome to the March issue of the Information Agenda from P-PACT

2010 is proving to be a crucial year for IG and certainly got off to a flying start. We've seen the abolition of the old Information Tribunal as part of a wider reform of statutory tribunals. The ICO has issued a stern warning on the handling of internal FOI reviews, and data security issues are in the news: DPA monetary penalties are fast approaching and RIPA revisions are on the way. In addition to the usual news roundup, in this edition we've also prepared a short feature on a topic that P-PACT is frequently asked about. However we also want to deal with a request which is causing some concern among many organisations as we publish this edition of the Information Agenda. There is also more news in this edition about the monitoring activities of the ICO in relation to Publication Schemes and about the next meeting of the National Public Sector Information Governance Network.

First... the FOI Request

Many of you will have received a request for information relating to colleagues earning more than £100,000 per year. This request has been addressed to organisations across the public sector and I can only imagine the costs associated with dealing with it, which must run into many hundreds of thousands of pounds! However, we do need to respond to this request and there are some issues around it.

There is little doubt that some of the information which has been asked for is 'personal data' under the DPA. However, when you apply the Principles of the DPA and question whether the processing of such data is unfair and unlawful, then the answer may well be that it is not. There is a demonstrable and recognised public interest in the salaries of the best paid public servants being disclosed and this has indeed been supported by both the ICO and the Information Tribunal in recent times. The situation is further complicated in that in many cases, in accordance with the requirements of the Definition document which supports the 2009 Publication Scheme, you will already proactively publish information relating to salaries of Board Members and Executive Teams which fall below the level of this request, i.e. £100,000.

My view is that, although I expect many of you will meet with refusals to disclose, some information needs to be released. In these circumstances I would use any bandings you already have in place to disclose high level salaries to disclose the numbers of staff falling into those categories by virtue of this request, and I would do the same in response to that part of the question which relates to bonus payments etc. However, also bear in mind any issues about small number data.

Having said all this - a word of warning - if this goes to the ICO I think we may find that he will support the public interest disclosure argument and we may find ourselves on the losing end and having to disclose identities of those receiving such salaries.

FOI and legal discovery

Public Partners is often asked how FOI fits into the general legal discovery picture. It's common for an FOI request to represent an opening shot by someone with plans to pursue a formal legal action. So, how does FOI operate when litigation is in the air?

The first thing to say is that there is no exemption to protect information that may help someone to put together a legal case against you. As we all know, FOI is purpose blind, so the reason behind a request should have no effect on the way that you handle it. Every request has to be dealt with, with a straight bat. If you're applying exemptions, do it strictly on their merits or you're risking intervention by the ICO.

Where a civil action looms, FOI can be a useful though limited tool for litigants. A civil action is a private suit for damages, over the performance of a contract for instance or if someone has injured themselves on your premises. There is already a powerful court-directed discovery regime in place here under the Civil Procedure Rules (CPR). Section 31 of the Rules spells out a formal process for uncovering documentary evidence. Under Section 31 the parties to an action are required to provide lists of relevant documents to each other. The definition of 'documents' is a wide one and includes emails, audio and video. Lists must cover all relevant material whether it supports your own case or helps the other party and they must be completed to a deadline set by the court. Section 31 includes a right to inspect documents and is subject to only a few limited exemptions.

In civil cases then, an FOI request will invariably arrive before the court gets involved and as a precursor to initiating any action. Solicitors have long been used to firing off a SAR to test the evidential waters before proceedings begin; they're increasingly now recognising the value of a well placed FOI request too. FOI can support some very general fishing expeditions for stats, opinions, policies and other kinds of background evidence. Of course, under the FOI regime a public authority is protected by a range of exemptions and a cost limit for requests. Solicitors who demand too much should be pulled up short. FOI is not the same as CPR and some information will only be properly available once a court is managing the case.

FOI has a role to play in applications for judicial review (JR) too. JR is the way that the courts ensure that public authorities stay within the law when they're performing statutory functions. People who are affected by an authority's actions can apply for JR if they feel that the outcome was unjust. There is no formal disclosure and inspection process under the rules of JR, largely because most decisions turn on points of law so legal argument is more relevant than documentary evidence. However, JR puts the decision making of public authorities under the spotlight and the way that decisions are made and the factors that are considered are often captured in documents. FOI can provide a way into this material and can help build and support a case. Do note that the turnaround for JR is very quick as applications must be lodged within three months so FOI requests on JR related matters are likely to arrive hard and fast.

In summary then, FOI has an increasingly established role in the evidence gathering processes around a variety of actions.

Case law and media watch

Clarity on FOI confidentiality exemption

A decision by the Information Tribunal (IT) has added clarity to the interpretation of s41 of the FOIA – that's the exemption where disclosure would constitute a breach of confidence. The case concerned access to information held by HEFCE (the Higher Education Funding Council for England). HEFCE maintains a useful database of estates information about UK colleges and universities (HEIs), about the state of their buildings and how they're maintained. Access to the database is highly restricted. A Guardian journalist asked for information via an FOI request and HEFCE refused on the basis that HEIs submitted their estates information voluntarily with every expectation that it would remain confidential. The ICO disagreed and HEFCE appealed the ICO's decision to the IT.

The IT sided with the ICO on this one and made a couple of important observations along the way:

  • In applying s41 the public authority must be confident that the breach would be actionable at law and (crucially) that the action would be likely to succeed. An arguable case is not enough. The implication then is that the proper legal test for breach of confidence (set out in the famous Coco v Clark case) must be applied in full before s41 is cited.
  • The public authority should also consider the public interest in disclosure, even if an actionable breach would arise. This is a slightly tricky point as s41 is not actually subject to a PIT under FOI. The IT pointed out though that legitimate public interest provides a complete defence to breach of confidence. In this way a breach wouldn't be properly actionable if it could be defeated by the public interest and therefore wouldn't meet the FOI threshold. In other words, there's a de facto PIT requirement for s41 - ignore it at your peril!

Many of us have found that s41 is one of the most difficult exemptions to explain to users. 'Confidential' has a natural meaning for many people (especially senior managers!) that is quite different from the legal one. In taking a strict approach to statutory interpretation in this case the IT has given us some food for thought to take back to our businesses.

Redaction and the appropriate limit

Questions about whether the time spent on redacting documents should count towards the appropriate limit were addressed by the IT in a case just before Christmas. The answer in short is – NO!

Under the Appropriate Limit and Fees Regulations no public authority need spend more than £600 on complying with a request, with most having a ceiling of £450 – this is called the appropriate limit. The limit is made up of the costs involved in locating, retrieving and extracting information. All the time spent on these activities can be added together at a rate of £25 per hour until the limit is reached. In this case South Yorkshire Police refused to disclose the whole of a 187 page document because redacting intelligence information line by line would cost them well over £450.

The IT ruled very firmly that the Police were wrong. Their decision couldn't be much clearer: "we find that a public authority cannot include the time cost of redaction when estimating its costs". All the Police's arguments were dismissed and the rule now seems conclusive.

Compliance update

Goodbye to the Information Tribunal

On the 18th of January the IT ceased to exist in the form we've come to know over the last few years. From now on FOI, DPA, EIR and PECR appeals will be heard by the First-tier Tribunal (Information Rights). A second tier tribunal has also been established for dealing with appeals concerning national security matters.

The change is part of a wider reorganisation of statutory tribunals. There's a multitude of them around these days and their different rules and procedures have become confusing. The old IT then has been brought into a new unified structure with a single set of tribunal procedures. Judges and members of the IT remain unchanged; the whole exercise is an administrative one and has no apparent policy implications.

Internal FOI reviews – ICO raises the stakes

The ICO announced practice recommendations against two public authorities for long delays in dealing with internal FOI reviews. Under the FOI Section 45 Code of Practice anyone who is unhappy with the way that their FOI request has been handled can ask a public authority to review it again. Reviews should be completed within a 'reasonable' timescale – the ICO recommends between 20 and 40 working days depending on complexity. The UK Border Agency (UKBA) and Cardiff County Council have both now been censured for significant delays. In Cardiff's case some reviews were still unresolved after two years, while UKBA consistently strayed over the ICO's upper limit of 40 days.

We all know that internal reviews can be time consuming; evidence and arguments need to be marshalled and senior staff need to be engaged. The ICO action shows though that long delays raise real risks. If these two authorities now fail to improve their practices enforcement notices are next.

Monitoring of Publication Schemes

It would appear that the NHS is the next on the Information Commissioner's list to be monitored and the process will start in the next few weeks. Strategic Health Authorities are reviewing their schemes as we publish this bulletin but it is essential that all PCTs take urgent action in respect of their schemes. Help and assistance is available via individual SHAs or get in touch with Paula Fallows at Public Partners.

National Public Sector Information Governance Network

The next meeting will take place in Leeds at The NHS Information Centre on 9th June 2010. This free event is always oversubscribed so if you would like to attend please email Paula Fallows as soon as possible. We are currently working on the Programme for the day but don't wait for that to register!

Information security news

Data breaches – the bad news and the good...

The news on data breaches shows no signs of drying up. In January the ICO published revised stats on reported incidents alongside a press release highlighting continuing security risks to personal data. Of the 800 incidents reported to the ICO nearly a quarter involved data loss through the theft of hardware. This will come as no surprise to IG practitioners.

In the same press release the ICO took the opportunity to stress the importance of reporting significant breaches to his office at the earliest opportunity, noting that a lack of candour may lead to 'tougher regulatory sanctions'. The NHS topped the list for the number of reported incidents, but this doesn't necessarily reflect badly on the Service. The fact is that NHS bodies are more inclined than most to report openly and many Trusts have a strong dialogue with the ICO on security issues.

Those of us in local government know that security issues persist. Lancashire County Council for one was censured recently for inappropriate disposal of social care records. Paper files were left in a filing cabinet that was subsequently sold; a reminder that old-fashioned paper records continue to pose just as much risk as digital data.

Alongside all this comes some welcome good news. Sir Gus O'Donnell has just followed up his seminal 2008 report on data handling procedures in government with an update. The update speaks of significant progress and much improved awareness. There are positive words in the report from the ICO too, though his parting sentence is worth bearing in mind, to quote... "there is no room for complacency".

Having said this our experience in Public Partners is that while SIROs may have been appointed there is little recognition of the importance of the role and as for Information Asset Owners in the wider public sector...if anyone finds one can you let us know! Don't forget that information risk must be included in the Statement of Control currently being prepared by most public sector organisations - this is a mandatory requirement and has been since last year!

Encryption – the bar is raised

Sobering news from the techies has recently made the headlines. A team of academic researchers published a paper on how they successfully cracked the 798-bit RSA encryption standard. The team harnessed the power of clustered PCs (hundreds of them) to complete the task showing how raw processing strength can be deployed to crack a code.

Although most organisations now use 1024-bit RSA encryption for data in transit (for online credit card transactions for instance) the race to keep ahead of the code crackers is an ongoing one.

What's next?

RIPA revisions now due

We noted last time that new RIPA materials were due to be laid before Parliament to address some of the issues arising from the Home Office's recent consultation on the application of the Act. A number of draft Orders have been published and are due to come into force on the 6th of April.

At the same time a range of new RIPA Codes of Practice will also come into force. These set out the detailed context for covert surveillance, property interference and communications interception and disclosure. They recommend (amongst other things) that RIPA authorities appoint a Senior Responsible Officer to oversee the use of powers and that RIPA policy and activities are actively reviewed by local Councillors.

DPA monetary penalties draw closer

The 6th of April is shaping up as a big day as DPA monetary penalties should come into force then too. This didn't look especially likely when the last Agenda went to press, but things move quickly in IG! A draft SI and ICO guidance on the application of monetary penalties have now been published and look set fair to become law.

This is a significant new development in the DP regime and P-PACT will have more for you on this in the next Information Agenda.

FOI and wholly owned companies – addressing a grey area

A long-standing grey area in FOI compliance is the position of companies that are wholly owned by two or more public authorities. The position for wholly owned subsidiaries of a single authority is clear – they're covered and are required to deal with access requests and have publication schemes, but these other bodies slip through the net. The Campaign for Freedom of Information amongst others have called this a loophole and moves are afoot to close it. Conservative MP Peter Bottomley tabled an early day motion (EDM) to this effect.

It's a long way from an EDM to a change in legislation, but it's worth noting that a number of MPs have the issue in their sights.

With best wishes,

Christine Gifford and the team at P-PACT
