Working with our public sector partners towards informed compliance

Welcome to this November issue of the Information Agenda from P-PACT

It's been a busy few months for practitioners as the new Government has hit the ground with a flurry of activity. There's been lots of talk of openness and some decisive actions. The big picture though is the national finances and retrenchment across the public sector as austerity measures kick in. We're all feeling this and many are wondering how demanding compliance requirements can be met adequately from dwindling budgets.

There's certainly no let up from the ICO. Christopher Graham's organisation survived the cull of the quangos and continues to enhance its profile and enforce its rules. Mr Graham has already emphasised that he sees no reason why austerity should lead to the neglect of information rights. It would be foolish not to take him at his word.

We have to mention Tony Blair's headline catching reassessment of FOI a few weeks ago. He described himself as naïve and foolish for letting the FOIA find a way onto the statute books. No politician would dare suggest its repeal now though, not since the expenses scandal. Whatever Tony Blair feels today, FOI is increasingly well established and may turn out to be one of the longer lasting parts of his legacy.

Case law and media watch

Government openness initiatives

It was back in May that the new PM issued his decisive letter to government departments on opening up data: 'Greater transparency across Government is at the heart of our shared commitment to enable the public to hold politicians and public bodies to account'.

The letter required the rapid publication of spending and contract information across central and local government. It also established a new Public Sector Transparency Board within the Cabinet Office to drive transparency initiatives.

The most controversial part of the transparency initiative to date has been the publication of Whitehall salaries. The Government was quick to publish top civil servants' pay and a list of those earning over £150k PA emerged smartly in June. In October personal details of central government earners over £82,900 PA also appeared, along with anonymous information on less senior posts for a number of (though not all) government departments.

It had originally been planned to publish the full personal details of all civil servants earning over £58k but the Transparency Board listened to privacy concerns and rowed back. This wasn't received well in some sections of the media, but as most DP practitioners know it's a dicey road to go down and the decision was probably a sensible one.

The MOD has now written to all suppliers and contractors informing them that details of all payments of £25k and above will be published on a monthly basis from mid November... more to follow.

Local government pay will be next under the microscope (by January next year). The agenda here is being supported by the Local Government Group who have set up a website giving guidance.

Public sector pay became something of a fixation prior to the election, but many practitioners have found that enquiries have dried up. Will this initiative draw a line under the issue, or open up a new front?

Whatdotheyknow v House of Commons

For some time now P-PACT's advice to practitioners has been that Whatdotheyknow is here to stay and ignoring it is not an option. It's part of the FOI scene and is seen as a useful tool by a growing number of users. One legal issue over the site has remained unresolved though - does the automatic publication of FOI info to the web (as required by Whatdotheyknow) raise copyright implications?

The ICO considered the question this summer in relation to the House of Commons. The conclusion was that the House was obliged to respond to the requestor in the way that they specified (i.e. via Whatdotheyknow) and that release in this way would not, in itself, breach copyright.

A few other public authorities were waiting for a decision here and it will be interesting to see what happens next.

Personal data

Section 40 FOIA (the exemption for personal data) has proved consistently tricky to pin down and the Information Tribunal gave us some new case law to chew over in August with Bryce v IC & Cambridgeshire Constabulary (EA/2009/0083).

The case concerned disclosure of an internal investigation report into the way that Cambridge Police had investigated the death of Ms Bryce's sister. The Police had refused to disclose the report on the grounds that it was composed entirely of personal data - information about Ms Bryce herself, exempted under s40(1) and information about third parties, exempted under s40(2).

The Tribunal identified six different groups of individuals whose data was included in the report. Interestingly, they considered the application of s40 to each group individually. They found it fair to release some data about police officers and the offender but largely unfair to release information about others. What practitioners should note here is the rigour of the Tribunal's approach - when considering s40 and applying a test of fairness, each individual (or groups of individuals) should be considered separately.

Data Protection watchers will be additionally interested to see that the Tribunal cited Durant v Financial Services Authority as its authority in defining personal data. Increasingly rare these days!

Vexatious

September saw a tranche of ICO decision notices relating to FOIA s14 - vexatious and repeated requests. What's interesting is the consistency of the decisions; the ICO has a very clear approach (derived from Gowers v Information Commissioner and LB Camden) which practitioners should pay close attention to.

It's clear that the whole context and history of a requestor's dealings with an authority can be taken into account when deciding whether their request is vexatious - a request needn't be taken entirely in isolation.

When deciding on vexatiousness, the ICO will look at 5 questions:

  1. Could the request be seen as obsessive?
    Volume, frequency and character of correspondence will be important here. The ICO has stressed though that obsession is not the same thing as persistence.

  2. Does the request harass the organisation or cause distress to specific staff?
    Hostile language and accusations are relevant. FOI does not provide a cover for abusive behaviour.

  3. Was the request designed to cause disruption and annoyance?
    This is invariably difficult to show as the requestor's intentions are unlikely to be stated specifically. The fact that disruption and annoyance have been caused will not be decisive; the outcome must be intended.

  4. Does the request constitute a significant burden?
    This includes financial costs and diversion from other work and may include the requestor's entire interactions with the organisation on the same issue, not just the request itself.

  5. Does the request have no value and no serious purpose?
    The ICO notes in one case that 'there comes a point when the serious purpose of a matter is outweighed by the obsessive and burdensome nature of correspondence and requests...a serious purpose [may] over time...become distorted such that any original objective [is] lost'.

Recent decisions show that the ICO is sympathetic to public authorities and recognises how difficult and demanding some requests can be. It's crucial to look to the five tests above though and (as always) to gather as much evidence as possible before applying s14.

Redaction

Redaction questions never go away and a recent Tribunal decision in Gradwick v IC and the Cabinet Office (EA/2010/0030) adds something new to the debate. In this case the Cabinet Office compiled the information it was prepared to release into a single document, giving no indication of the bits it had removed.

The Tribunal didn't like this approach very much and said:

"Within the practice established by the Tribunal and its users to date, a document characterised as having been redacted has come to mean one in which the extent of the omitted material is indicated by blank spaces and in which, to the extent possible, headings or other indications are retained or inserted to give a fair indication, to both panel members and those presenting submissions, of the broad nature of the information that has been withheld. Annotating the resulting document to indicate the exemption relied on to justify each omission is also a valuable assistance in cases where different exemptions apply to different sections of the document or information".

So there you have it - the black felt tip pen method is still the best!

Compliance update

ICO monitoring

A few weeks ago the ICO went public with a list of public authorities that are being monitored because of their poor performance in responding to FOI requests.

While the ICO clarified the basis on which monitoring is undertaken in a recent notice, we would use the word investigation as being more appropriate. Authorities will find themselves under scrutiny if they're subject to six or more complaints within six months or if they're substantially over time with as few as one. Investigation involves the ICO's Enforcement Team closely watching processes, procedures and performance. Currently the ICO enforcement team who are undertaking these investigations have really gone back to basics and are concentrating on public authorities where a recognisable pattern has emerged of complaints relating to a failure to respond to applicants within the 20 working day statutory time limit. We understand this is being targeted simply because there are so many complaints about this core requirement of the Act.

Those currently undergoing monitoring include the Cabinet Office, the Home Office, the Ministry of Defence, two police forces, 18 local councils and some local NHS bodies. They are unlikely to find it a pleasant experience!

This new name and shame approach from the regulator and likelihood of being monitored are something you might bring to your executive team's attention when you're waiting on a response to an FOI query from laggards in Finance or HR!

Finally, in relation to FOI and (perhaps most worryingly) EIR, the ICO has decided to extend the existing process relating to legal undertakings already extant for breaches of the DPA to FOI; if you find yourself in a position where the ICO requires your CEO to sign the legally binding undertaking, it is a very harsh and expensive process!

You also need to be aware of the initiative being undertaken in relation to DP issues by the ICO - consensual audits. This is a risk based approach to help focus on organisations which might be striving to comply, but where complaints are significant and where intelligence available to the ICO highlights the risk of failure. At the moment this activity is limited to Government Departments but the ICO is looking to extend it to the wider public sector and to private companies.

Action being taken against individual organisations in relation to poor performance should not be confused with monitoring which had been due to take place in relation to the Development and Maintenance Initiative in connection with the Model Publication Schemes introduced in 2009. We understand that such monitoring by the ICO has been frozen until the impact of the Right to Data strategy being implemented by the Cabinet Office has been evaluated and any necessary revision on the definition documents has been taken into account.

Data sharing CoP

It's been a long time coming, but it's finally here, in draft at least. Early October saw the release of the ICO's new statutory Code of Practice on data sharing. Its launch begins a consultation process that will end with a final version being laid before Parliament.

The Code is significant in a number of ways - it establishes a benchmark for best practice; it will be a significant reference for the ICO and the Information Tribunal on data sharing issues; it can be used as evidence in legal proceedings.

Practitioners haven't had much to say about it yet, largely because there are no real surprises. One area that may raise issues in future though is around Information Sharing Protocols. These types of arrangements are encouraged by the Code but are still rare in some parts of the public sector and are rarer still in the private sector.

Information security news

More data breaches...

Scan the ICO's press releases for any month and data breaches feature heavily. It seems that no matter how advanced technology gets, personal data remains vulnerable while staff are uninformed about risks and procedures and processes are inadequate.

Over the summer a Midlands hospital trust lost an unencrypted CD of PID at a bus stop and a major retailer slipped up by putting customer records in a skip rather than shredding them.

Including a huge one!

September saw a new benchmark set in data breaches when ACS:Law exposed the personal data of thousands of people on its public website.

ACS:Law acts for a number of clients in pursuing internet users for illegal file downloading and sharing. The data that was exposed included the personal details of pornographic file-sharers. Although it was only online for a short period of time it was downloaded by anti-copyright activists and apparently posted to The Pirate Bay, a prominent BitTorrent website and platform for peer-to-peer file sharing.

It's all still a bit murky to be honest and the ICO has weighed in to investigate. Practitioners are already asking the question - will this be the first six-figure fine? We'll wait and see.

P-PACT Website

Our revamped website has been launched this week and you can find it at www.publicpartners.org.

We hope you find it useful but there is one way in which you can help us and your fellow information governance practitioners. We are aware of a significant number of single and cross sector networks across the UK which we would like to feature on our Network Page. We had a similar feature on the previous version but it is now really out of date so we would like to start again. If you are a member of an information governance network or know of one we would be really grateful if you would send us details so that we may share this information through our website. Details to Paula.Fallows@publicpartners.org

FOI+

For subscribers to our advice network we will be introducing a new feature in January - a regular teleconference supported by an on-line meeting centre through which you will be able to access advice and guidance in real time not only from the P-PACT team but also from expert speakers. The first in this series will be an on-line discussion with Dawn Monaghan from the Office of the Information Commissioner. FOI+ members will be sent personal invites to join this great new facility, which of course enables you to keep up-to-date at a time when there is little money available for attendance at training courses or events.

If you want more information about how to join FOI+ contact Paula Fallows.

What's next?

MOJ consultation

Data protection law can be a minefield. Even the most seasoned practitioners can be found scratching their heads from time to time at the anomalies and differing interpretations that it throws up.

The Ministry of Justice opened up a major consultation on the DPA and the EU Directive that lies behind it this summer. The review raised key questions around the definitions of 'personal data', 'data controllers' and 'data processors'; asked about the concept of consent, the scope of exemptions and about the business burdens of dealing with SARs.

This consultation is important as it will form a background to EU discussions on revising the data protection directive in 2011. Practitioners will be hoping for an approach that looks to clarity and common sense.

FOI Charges

FOI charges briefly became a hot topic a few weeks ago when it was revealed that the Commissioner of the Metropolitan Police had lobbied the new Home Secretary for the introduction of a flat FOI fee to match the DPA one.

The Campaign for FOI (and a few politicians) came out against charges very quickly and the topic didn't gain much traction. The question won't go away though, especially in straitened economic times.

While we're on the topic of the CFOI, the Campaign hosted a fringe meeting at the Lib Dem conference, attracting speakers from the Ministry of Justice and the House of Commons Justice Committee. There were warm words all round regarding FOI's success but little to report on its future.

Mandatory breach reporting

A quick final note on a topic that we've been monitoring for some time - mandatory DP breach reporting. NHS colleagues are always keen to stress that reporting serious breaches to the ICO is a requirement for them and equally keen to ask when everyone else will be doing the same!

The ICO has long supported mandatory notification for high-impact breaches, whereas the Walport data sharing review moved away from this. Now the MoJ consultation (above) has raised the question again. The consultation has specifically asked whether it should be mandatory to notify data subjects themselves if their information has been compromised. We await the consultation's findings here with special interest.

National Public Sector Information Government Network

As part of our commitment to support best practice within the public sector we established the NPSIGN Network, which is chaired by Dominic Povey from the NHS. We share best practice and expertise and provide advice and guidance on current issues. Membership of the Network is free, as are the events which members attend, the latest of which featured presentations by Dame Fiona Caldicott, Dawn Monaghan from the ICO, Simon White from Browne Jacobson and Moosa Patel from East Midlands SHA.

For further details of the Network and future events contact Julie Macey.

With very best wishes,

Christine

Christine Gifford and the team at P-PACT
