Category: Freedom of Information

Lessons On Transparency: The ICO Experian Appeal

The Information Commissioner’s Office recently lost its appeal in the Upper Tribunal in relation to an Enforcement Notice issued to Experian.  

The concerned Experian’s marketing arm, Experian Marketing Services (EMS) which provides analytics services for direct mail marketing companies. It obtains personal data from three types of sources; publicly available sources, third parties and Experian’s credit reference agency (CRA) business. The company processes this personal data to build profiles about nearly every UK adult. An individual profile can contain over 400 data points. The company sells access to this data to marketing companies that wish to improve the targeting of their postal direct marketing communications 

On 20th February 2023, the First-Tier (Information Rights) Tribunal (FTT) overturned an ICO Enforcement Notice issued to Experian. The notice alleged several GDPR violations namely; Art. 5(1)(a) (Principle 1, Lawfulness, fairness, and transparency), Art. 6(1) (Lawfulness of processing) and Art. 14 (Information to be provided where personal data have not been obtained from the data subject). For more detail of the FTT judgement read our earlier blog here

On 23rd April 2024, the Upper Tribunal dismissed the ICO’s appeal against the FTT’s judgment. This can be read here along with a useful press summary. The Upper Tribunal backed the FTT’s conclusions while repeatedly criticising its unclear reasoning. 

The broader value of the judgment lies in its guidance, for the first time at this level, of what the transparency requirement under the UK GDPR involves (see paragraph 95). It also sets out its views on the current data protection landscape more generally. 5 Essex Court have a good summary of the judgement on their website.  

The ICO’s has issued a (“Let’s look on the bright side”) statement stating that: 

“The ICO will take stock of today’s judgment and carefully consider our next steps, including whether to appeal.” 

This and other data protection developments will be discussed in detail on our forthcoming  GDPR Update  workshop. 

Transparency in Health and Social Care: New ICO Guidance 

Within the health and social care sector, new technologies that use large amounts of personal data are being used to support both direct care and secondary purposes, such as planning and research. An example is the the use of AI to provide automated diagnoses based on medical imaging data from patients. 

Transparency is a key principle of UK Data Protection legislation. Compliance with the first data protection principle and Article 13 and 14 of the UK GDPR ensures that data subjects are aware of how their personal data is used, allowing them to make informed choices about who they disclose their data to and how to exercise their data rights. 

On Monday the Information Commissioner’s Office (ICO) published new guidance to assist health and social care organisations to comply with their transparency obligations under the UK GDPR. It supplements existing ICO guidance on the principle of transparency and the right to be informed

The guidance is aimed at all organisations, including from the private and third sector, who deliver health and social care services or process health and social care information. This includes local authorities, suppliers to the health and social care sector, universities using health information for research purposes and others (e.g. fire service, police and education) that use health information for their own purposes. The guidance will help them to understand the definition of transparency and assess appropriate levels of transparency, as well as providing practical steps to developing effective transparency information. 

This and other data protection developments will be discussed by Robert Bateman in our forthcoming GDPR Update workshop. We have also just launched our new workshop, Understanding GDPR Accountability and Conducting Data Protection Audits.   

Experian’s GDPR Appeal: Lawfulness, Fairness, and Transparency

On 20th February 2023, the First-Tier (Information Rights) Tribunal (FTT) overturned an Enforcement Notice issued against Experian by the Information Commissioner’s Office (ICO). 

This case relates to Experian’s marketing arm, Experian Marketing Services (EMS) which provides analytics services for direct mail marketing companies. It obtains personal data from three types of sources; publicly available sources, third parties and Experian’s credit reference agency (CRA) business. The company processes this personal data to build profiles about nearly every UK adult. An individual profile can contain over 400 data points. The company sells access to this data to marketing companies that wish to improve the targeting of their postal direct marketing communications. 

The ICO issued an Enforcement Notice against Experian in April 2020, alleging several GDPR violations namely; Art. 5(1)(a) (Principle 1, Lawfulness, fairness, and transparency), Art. 6(1) (Lawfulness of processing) and Art. 14 (Information to be provided where personal data have not been obtained from the data subject). 

Fair and Transparent Processing: Art 5(1)(a) 

The ICO criticised Experian’s privacy notice for being unclear and for not emphasising the “surprising” aspects of Experian’s processing. It ordered Experian to: 

  • Provide an up-front summary of Experian’s direct marketing processing. 
  • Put “surprising” information (e.g. regarding profiling via data from multiple sources) on the first or second layer of the notice. 
  • Use clearer and more concise language. 
  • Disclose each source and use of data and explain how data is shared, providing examples.  

The ICO also ordered Experian to stop using credit reference agency data (CRA data) for any purpose other than those requested by Data Subjects. 

Lawful Processing: Arts. 5(1)(a) and 6(1) 

All processing of personal data under the GDPR requires a legal basis. Experian processed all personal data held for marketing purposes on the basis of its legitimate interests, including personal data that was originally collected on the basis of consent. Before relying on legitimate interests, controllers must conduct a “legitimate interests assessment” to balance the risks of processing the risks. Experian had done this, but the ICO said the company had got the balance wrong. It ordered Experian to: 

  • Delete all personal data that had been collected via consent and was subsequently being processed on the basis of Experian’s legitimate interests. 
  • Stop processing personal data where an “objective” legitimate interests assessment revealed that the risks of the processing outweigh the benefits. 
  • Review the GDPR compliance of all third parties providing Experian with personal data. 
  • Stop processing any personal data that has not been collected in a GDPR-compliant way. 

Transparency: Art. 14 

Art. 14 GDPR requires controllers to provide notice to data subjects when obtaining personal data from a third-party or publicly available source. Experian did not do provide such notices relying on the exceptions in Art 14. 

Where Experian had received personal data from third parties, it said that it did not need to provide a notice because “the data subject already has the information”. It noted that before a third party sent Experian personal data, the third party would provide Data Subjects with its own privacy notice. That privacy notice would contain links to Experian’s privacy notice.
Where Experian had obtained personal data from a publicly available source, such as the electoral register, it claimed that to provide a notice would involve “disproportionate effort”. 

The ICO did not agree that these exceptions applied to Experian, and ordered it to: 

  • Send an Art. 14 notice to all Data Subjects whose personal data had been obtained from a third-party source or (with some exceptions) a publicly available source. 
  • Stop processing personal data about Data Subjects who had not received an Art. 14 notice. 

The FTT Decision  

The FTT found that Experian committed only two GDPR violations: 

  • Failing to provide an Art. 14 notice to people whose data had been obtained from publicly available sources. 
  • Processing personal data on the basis of “legitimate interests” where that personal data had been originally obtained on the basis of “consent” (by the time of the hearing, Experian had stopped doing this). 

The FTT said that the ICO’s Enforcement Notice should have given more weight to:  

  • The costs of complying with the corrective measures. 
  • The benefits of Experian’s processing. 
  • The fact that Data Subjects would (supposedly) not want to receive an Art. 14 notice. 

The FTT overturned most of the ICO’s corrective measures. The only new obligation on Experian is to send Art. 14 notices in future to some people whose data comes from publicly available sources. 

FTT on Transparency 

Experian had improved its privacy notice before the hearing, and the FTT was satisfied that it met the Art. 14 requirements. It agreed that Experian did not need to provide a notice to Data Subjects where it had received their personal data from a third party. The FTT said that “…the reasonable data subject will be familiar with hyperlinks and how to follow them”.
People who wanted to know about Experian’s processing had the opportunity to learn about it via third-party privacy notices. 

However, the FTT did not agree with Experian’s reliance on the “disproportionate effort” exception. In future, Experian will need to provide Art. 14 notices to some Data Subjects whose personal data comes from publicly available sources. 

FTT on Risks of Processing 

An ICO expert witness claimed that Experian’s use of CRA data presented a risk to Data Subjects. The witness later admitted he had misunderstood this risk. The FTT found that Experian’s use of CRA data actually decreased the risk of harm to Data Subjects. For example, Experian used CRA data to “screen out” data subjects with poor credit history from receiving marketing about low-interest credit cards. The FTT found that this helped increase the accuracy of marketing and was therefore beneficial. As such, the FTT found that the ICO had not properly accounted for the benefits of Experian’s processing of CRA data. 

The ICO’s Planned Appeal 

The FTT’s decision focuses heavily on whether Experian’s processing was likely to cause damage or distress to Data Subjects. Because the FTT found that the risk of damage was low, Experian could rely on exceptions that might not have applied to riskier processing.  

The ICO has confirmed that it will appeal the decision. There are no details yet on their arguments but they may claim that the FTT took an excessively narrow interpretation of privacy harms. 

This and other data protection developments will be discussed in detail on our forthcoming  GDPR Update  workshop. There are only 3 places left on our next Advanced Certificate in GDPR Practice.  

New DP and IG Practitioner Apprenticeship

Act Now Training has teamed up with Damar Training on materials and expertise underpinning its new Data Protection and Information Governance Practitioner Level 4 Apprenticeship.

The apprenticeship, which received final approval in March, will help develop the skills of those working in the increasingly important fields of data protection and information governance. 

With the rapid advancement of technology, there is a huge amount of personal data being processed by organisations, which is the subject of important decisions affecting every aspect of people’s lives. This poses significant legal and ethical challenges, as well as the risk of incurring considerable fines from regulators for non compliance. 

This apprenticeship aims to develop individuals into accomplished data protection and information governance practitioners with the knowledge, skills and competencies to address these challenges.

Ibrahim Hasan, Director of Act Now, said:

“We are excited to be working Damar Training to help deliver this much needed apprenticeship. We are committed to developing the IG sector and encouraging a diverse range of entrants to the IG profession. We have looked at every aspect of the IG Apprenticeship standard to ensure the training materials equip budding IG officers with the knowledge and skills they need to implement the full range of IG legislation in a practical way.

Damar’s managing director, Jonathan Bourne, added:

“We want apprenticeships to create real, long-term value for apprentices and organisations. It is vital therefore that we work with partners who really understand not only the technical detail but also the needs of employers.

Act Now Training are acknowledged as leaders in the field, having recently won the Information and Records Management Society (IRMS) Supplier of the Year award for the second consecutive year. I am delighted therefore that we are able to bring together their 20 years of deep sector expertise with Damar’s 40+ year record of delivering apprenticeship in business and professional services.

This apprenticeship has already sparked significant interest, particularly among large public and private sector organisations and professional services firms. Damar has also assembled an employer reference group that is feeding into the design process in real time to ensure that the programme works for employers.

The employer reference group met for the first time on May 25. It included industry professionals across a variety of sectors including private and public health care, financial services, local and national government, education, IT and data consultancy, some of whom were part of the apprenticeship trailblazer group.

If your organisation is interested in the apprenticeship please get in touch with us to discuss further.

Reflections of an Act Now FOI Trainer

People in a meeting

Susan Wolf writes…

They say time flies when you are having fun. Well, I must have been having fun because I can’t quite believe I have been training with Act Now for over 12 months. Really where has the time gone? During my time at the University of Northumbria I developed the habit of keeping a journal in which I reflected on my teaching. Old habits die hard and I have continued this practice now that I am a regular Act Now training consultant. Looking back over my journal for the last 12 months a number of common themes became apparent. I thought it might be interesting to share these. However before I do, I just want to thank all the delegates I have met for challenging me, keeping me on my toes and reminding me how interesting life can be in Freedom of Information Land.

Training practitioners is not something new to me. For over 11 years I taught FOI practitioners on the Northumbria University LLM in Information Rights Law & Practice Degree. However, the Act Now courses, with their focus on practical training have exposed me to a wider range of people, from a wide range of public sector organisations, all trying to get to grips with broadly similar issues. From the most experienced practitioner who wants a ‘top up course’ to the absolute beginner who has just landed their first job in information rights, all practitioners appear to share some common concerns and worries.

There are also some widely shared misconceptions which still seem to cause the odd debate, despite the Freedom of Information Act 2000 being almost 15 years old. For instance, I have heard some delegates say that the ‘clock start’s ticking’ on a FOI request on the day it is received by a public authority. I have also heard delegates talk about fines that the ICO can impose for breaches of the Freedom of Information Act. Those are always good to correct, and it is nice to hear the sigh of relief when they are advised correctly on these points.

However, I also frequently get asked questions that there are, quite simply, no definitive answers to. In good ‘lawyer’ tradition I could say ‘well that depends’ but that isn’t always what people want to hear. For example, I have been asked questions about how far a public authority must go in advising and assisting an applicant, or how many times they need to go back to the applicant to clarify a tricky request. Another question that taxes people is how long it is reasonable to wait between requests before engaging S. 14 (2) for repeated requests. These are always good for some discussion, but often time is limited on a one-day course, particularly when delegates quite rightly expect we cover all the course content.

Other misconceptions or worries centre on issues relating to the redaction of staff names in email correspondence; how to distinguish between ‘business as usual’ questions and FOI requests; or the significance of ‘confidentiality’ markings on information provided by third party contractors. The ‘new’ Freedom of Information 2018 Code of Practice addresses some of these issues. However not all FOI practitioners are necessarily aware of the provisions of the new Code. Of course, it is difficult for practitioners, who are undoubtedly over-burdened, to keep up to date and on top of things, or indeed for us to cover these issues in detail in a one-day course. One way of keeping up to date is to read our Act Now blogs, which are all written by Act Now consultants and which deal with new developments and case law. However, this journey of reflection has made me realise that it would be useful to write some ‘Back to Basics’ blogs that address some of the issues and concerns that I know FOI practitioners share. Over the coming months we will be publishing a series of ‘FOI Basics Blogs’ on the issues raised during our one-day FOI courses starting with a blog on ‘Business as Usual or FOI Request’?

For those FOI practitioners who want to take their training and understanding to the next level, Act Now Training now offer a 4-day FOI Practitioner Certificate this course is modelled on the highly successful GDPR Practitioner Certificate and was launched in May 2019. We have now delivered it seven times and it is absolutely clear this model enables FOI practitioners to develop a more detailed knowledge and understanding of the FOI in practice. It gives delegates the chance to explore the exemptions in far more detail over two days, with Day 3 focussing on the most frequently used exemptions, including Sections 40 and 43. The course also prepares delegates for writing a Refusal Notice which forms part of the final assessment.

Delegates have given very positive feedback:

“The course was very well structured and well timed. The length of the course was ideal as this gave sufficient time to discuss all areas relating to FOI and also gave candidates ample time for discussion and study. The trainer was very supportive and the knowledge that has been imparted has enabled me to develop the FOI function with our organisation. Highly Recommended.”
JW, Heywood Middleton and Rochdale NHS

“The course was excellent and really sets you up for the exam, I would recommend it to others working in the field. I have put what I learned on the course to good use as I am a FOI and DPA Manager in a very busy post with lots of business each and every day; many of the requests are unusual. The course and now passing the exam have given me the confidence to do my job.”
JH, NI Courts and Tribunals Service

“Thank you for a great course – as always all the trainers at Act Now are extremely knowledgeable, approachable and make the learning experience really enjoyable.”
KF, St Helens Council

As you can see Delegates are enjoying the course content and delivery style. Most importantly they are able to take away their gained knowledge and apply it to their everyday role with confidence. After all, that is the purpose and objective of a course such as this. It makes me immensely proud and pleased to be able to be a part of the team that helps delegates in this way everyday and I look forward to the next 12 months.

Susan Wolf is a trainer for Act Now Training. She has over ten years experience teaching information rights practitioners on the LLM Information Rights Law & Practice at Northumbria University. All our trainers are available to deliver customised in house training, health checks and audits. Please read the testimonials from satisfied clients and get in touch for a quote.

Information Governance Experts Join the Act Now Team

Steven CockcroftCraig Geddesbarry moult

(From Left to Right: Steven Cockcroft, Craig Geddes, Barry Moult.)

Act Now Training is pleased to announce that three new highly regarded information governance experts have joined its team of consultants.

Cyber security is one of the Information Commissioner’s regulatory priorities for the coming year. This is not surprising when you consider the recent Notices of Intent (to fine) issued by the ICO. We are developing a range of cyber security courses for the coming year. First off we have launched an Introduction to Cyber Security workshop led by our new consultant Steven Cockcroft.

Steven holds accredited trainer status from the British Computer Society, PECB and APMG. He is also accredited under the GCHQ Certified Trainer scheme, delivering training in the areas of Cyber Security, Information Security, Data Protection, Business Continuity Management, Audit, Risk Management and Business Continuity Management. Steven has assisted over 30 organisations to become certified to international best practice information security frameworks including the UK Government Cyber Essentials Scheme, ISO 27001 and ISO 22301.

Act Now has been running a full programme of information governance workshops in Scotland for many years. We have boosted our team of Scottish consultants by engaging Craig Geddes who is a qualified archivist and records manager, with 28 years of experience working across the range of information governance activities. He has worked for several Scottish local authorities as Archivist, Records Manager, and Senior Information and Improvement Officer. Craig has developed and delivered training on records management, freedom of information and data protection for a number of years, and is an engaging and entertaining speaker. Craig will help deliver our current Scottish courses, both in house and external, and develop new ones such as the recently launched Public Records (Scotland) Act Now workshop.

Act Now’s portfolio of clients includes many health organisations. With a view to delivering more health focused information governance courses, Barry Moult has joined our team. Barry is a well know IG expert with many years of experience working with and advising NHS organisations. He founded and has chaired the Eastern Region IG Forum since 2003. Until August 2018, Barry was the Chair of the NHS National Strategical Information Governance Network (SIGN) group and continues to sit on the NHS GDPR working group. Prior to that, he was Head of IG and Health Records at two large NHS Acute Trusts and was recently on a secondment to a local STP looking at information sharing and GDPR for Health and Social Care.

Barry will be delivering our health focused workshops on GDPR and the role of SIROs. Barry has also developed a new workshop for Caldicott Guardians to help them understand and apply the Caldicott Principles and the common law duty of confidentiality in a Health and Social Care setting. He will also look at the legislative requirements (e.g. GDPR) how they apply to patients’ records and what to consider when making moral and ethical decisions. There will also be discussion around how the Caldicott Guardian interacts with the Information Governance Lead, the Data Protection Officer and the Senior Information Risk Owner (SIRO).

The latest recruits boost the number of Act Now consultants to thirteen. Ibrahim Hasan, solicitor and director of Act Now Training,  said:

“I am pleased that Steven, Craig and Barry have joined our wonderful team of consultants who all have a reputation for explaining difficult subjects in a simple jargon-free way. Their knowledge of information rights coupled with real world experience will help us expand our services and deliver even more courses to our rapidly expanding client base.”

Act Now Training is now one of the largest information governance training and consultancy companies in the UK with over 17 years of experience in the sector.  Our trainers are available to deliver customised in house training, health checks and audits. Please read the testimonials from satisfied clients and get in touch for a quote.

Blog Footer Blue and White 2

Act Now’s FOI Practitioner Certificate: The Story So Far

FOI Certificate Banner

At the end of 2018 Act Now announced the launch of its new FOI Practitioner Certificate. In keeping with the company’s ethos of delivering on the ground practical training, the new course is designed to meet the needs of practitioners and to enable them to fulfil their roles as FOI Officers.

Act Now is pleased to inform readers that in May and June the first two cohorts of delegates attended our fully booked courses in London and Manchester respectively.
The courses were designed and delivered by Susan Wolf, formerly a senior lecturer on the University of Northumbria’s LLM in Information Rights Law.

The course has so far attracted delegates from a range of public authorities, including the Crown Prosecution Service, Department for Environment, Food and Rural Affairs (Defra), Maritime and Coastguard Agency (MCGA), Nursing and Midwifery Council, University of West London, Dudley CCG, Land Registry, Lancashire Council, Cheshire Police and St Leger Homes,

Susan says:

 “I have looked at every aspect of this revised course to ensure it equips FOI officers with the knowledge they need to tackle FOI in a practical way.”

The course uses the same format as our very successful GDPR Practitioner Certificate.
It takes place over four days (one day per week) and involves lectures, discussion and practical drafting exercises. All delegates are encouraged to actively participate and share their experiences, in order to create an inclusive environment.  Over the coming months, further courses will be delivered by Susan, Ibrahim Hasan and Philip Jones.

What’s new?

The new course offers several innovations, which Act Now believes makes the it distinctive and highly relevant to FOI Officers and other practitioners with responsibility for providing access to public information. One innovation is that time is made available each day for delegates to reflect on what they have learned and how it will inform their practice. From her experience of delivering of training the first two cohorts, Susan noted:

Delegates were able to share their experiences and problems, and more importantly offer suggestions for tackling problems.  This was particularly useful for delegates with limited FOI experience, or from smaller organisations, who were able to take away practical suggestions about how to handle requests and deal with the exemptions.

The course also encourages delegates to become independent learners and provides guidance on ‘keeping up to date’ and understanding how cases are handled by the First Tier Information Rights Tribunal.  Susan says:

The law isn’t static; we keep getting new ICO guidance, based on Tribunal and Court decisions. It is important that FOI practitioners understand the importance of keeping up to date, and how to do this.”

The assessment of the course is innovative and modern. The assessment model will be very familiar to people who have undertaken our GDPR Practitioner Certificate. First delegates must complete a one-hour MCQ test. This is  worth 30% of the overall assessment. The remaining 70% involves a written project.  Delegates are given a practical scenario which requires them to draft a Refusal Notice and explain how they would handle the request and their selection of exemptions. All delegates receive detailed feedback on their written projects. Our Scottish FOISA course also now follows the same format.

Susan says:

The assessment has been designed to be relevant and useful; I can see little point in giving delegates a task that has no meaning to their practice.  Instead we want our delegates to feel like the assessment will inform their practice and enable them to enhance and develop their skills. Writing a robust refusal notice is an essential skill for FOI practitioners and lies at the heart of our assessment on this course.”

The delegate feedback so far has been excellent and it seems that this course has plugged a gap in the market:

An excellent course taught by someone with all the relevant knowledge and experience to impart to the delegates. Also very useful course materials which have proved to be helpful to me on a day to day basis in my job. I would really recommend this course to anyone who is dealing with FOI’s in their job.
JC, Department for Environment, Food and Rural Affairs (Defra)

Ibrahim Hasan (Director of Act Now Training) says:

“We are pleased that this new FOI certificate course is meeting the training needs of FOI officers. Because of its emphasis on practical skills, we are confident that it will become the qualification of choice for current and future FOI Officers and advisers.”

More venues have been added for this course including Belfast. All our courses can be delivered at your premises at a substantially reduced cost.

Contact us for more information.

Act Now Launches New FOI Practitioner Certificate

 

FOI Certificate Banner

Act Now is pleased to announce the launch of its brand new FOI Practitioner Certificate.

This course is one of the first of its kind, in a way that only Act Now delivers – practical, on the ground skills to help you fulfil your role as an FOI Officer.

This new certificate course is ideal for those wishing to acquire detailed knowledge of FOI and related information access legislation (including EIR) in a practical context. It has been designed by leading FOI experts including Ibrahim Hasan and Susan Wolf – formerly a senior lecturer on the University of Northumbria’s LLM in Information
Rights Law.

The course uses the same format as our very successful GDPR Practitioner Certificate. It takes place over four days (one day per week) and involves lectures, discussion and practical drafting exercises. This format has been extremely well received by over 1000  delegates who have completed the course. Time will also be spent at the end of each day discussing what issues delegates may face when implementing/advising on the FOI topics of the day.

The four teaching days are followed by an online assessment and a practical project to be completed within 30 days.

Why is this course different?

  • An emphasis on practical application of FOI rather than rote learning
  • Lots of real life case studies and exercises
  • An emphasis on drafting Refusal Notices
  • An online Resource Lab with links, guidance and over 5 hours of videos
  • Modern assessment methods rather than a closed book exam

 Who should attend?

This course is suitable for anyone working within the public sector who needs to learn about FOI and related legislation in a practical context, as well as those with the requisite knowledge wishing to have it recognised through a formal qualification. It is most suitable for:

  • FOI Officers
  • Data Protection Officers
  • Compliance Officers
  • Auditors
  • Legal Advisers

Susan, says:

“FOI and EIR are almost 14 years old. Since the Act and Regulations came into force there have been many legal developments and court decisions that have given practitioners a much greater understanding of the legal provisions and how they should be applied in practice. With this in mind, we have written this course to ensure that it equips public sector officers with all the necessary knowledge and skills they need to respond to freedom of information requests accurately and efficiently. This course, with its emphasis on the law in practice, will enable trainees to become more accomplished and confident FOI practitioners”

Susan will share her vast experience gained through years of helping organisations comply with their information rights legislation obligations. This, together with a comprehensive set of course materials and guidance notes, will mean that delegates will not only be in a position to pass the course assessment but to learn valuable skills which they will be able to apply in their workplaces for years to come.

This new course builds on Act Now’s reputation for delivering practical training at an affordable price:

This new course widens the choice of qualifications for IG practitioners and advisers. Ibrahim Hasan (Director of Act Now Training) commented:

“We are pleased be able to launch this new qualification. Because of its emphasis on practical skills, we are confident that it will become the qualification of choice for current and future FOI Officers and advisers.”

To learn more please visit our website.

All our courses can be delivered at your premises at a substantially reduced cost.
Contact us for more information.

Revised S.45 Code of Practice under FOI

Filing records

GDPR has taken the limelight from other information governance legislation especially Freedom of Information.  In July 2018, the Cabinet Office published a new code of practice under section 45 of the Freedom of Information Act 2000(FOI) replacing the previous version.

In July 2015 the Independent Commission on Freedom of Information was established by the Cabinet Office to examine the Act’s operation. The Commission concluded that the Act was working well. It did though make twenty-one recommendations to enhance the Act and further the aims of transparency and openness. The government agreed to update the S.45 Code of Practice following a consultation exercise in November 2017.

The revised code provides new, updated or expanded guidance on a variety of issues, including:

  • Transparency about public authorities’ FOI performance and senior pay and benefits, to mandate the FOI Commission recommendations for greater openness in both areas.
  • The handling of vexatious and repeated requests. The FOI Commission specifically recommended the inclusion of guidance on vexatious requests.
  • Fundamental principles of FOI not previously included in the code, e.g. general principles about how to define “information” and that which is “held” for the purposes of the Act.

In the latter section the code makes a number of interesting points:

  • Information disclosed as part of “routine business” is not an FOI request. Section 8of the Act sets out the definition of a valid FOI request. Judge for yourself if this advice is accurate.
  • Information that has been deleted but remains on back-ups is not held. This goes against a Tribunal Decision as well as ICO guidance.
  • Requests for information made in a foreign language are not valid FOI requests. Again refer to section 8 above. It does not say a request has to be in English!

The code is not law but the Information Commissioner can issue Practice Recommendations where she considers that public authorities have not complied with it. The Commissioner can also refer to non -compliance with the code in Decision and Enforcement Notices.

As well as giving more guidance on advice and assistance, costs, vexatious requests and consultation, the code places new “burdens”:

  • Public authorities should produce a guide to their Publication Scheme including a schedule of fees.
  • Those authorities with over 100 Full Time Equivalent (FTE) employees should publish details of their performance on handling FOI requests on a quarterly basis.
  • Pay, expenses and benefits of the senior staff at director level and equivalents should be published quarterly. Of course local authorities are already required to publish some of this information by the Local Government Transparency Code.
  • The public interest test extension to the time limit for responding to an FOI request (see S.10(3)) should normally be no more than 20 working days.
  • Internal reviews should normally be completed within 20 working days.

Furthermore, the other S.45 Code covering datasets has been merged with the main section 45 Code so that statutory guidance under section 45 can be found in one place. There is also an annex explaining the link between the FOI dataset provisions and the Re-use of Public Sector Information Regulations 2015.

Public authorities need to consider the new code carefully and change their FOI compliance procedures accordingly.

We will be discussing this and other recent FOI developments in our forthcoming FOI Update webinar.

Freedom of Information: New Draft S.45 Code of Practice

FOI1_thumb.jpg

Amongst all the hype about GDPR it is easy to miss developments in other areas of information law.  In November 2017, the Cabinet Office published the revised code of practice (under section 45 of the Freedom of Information Act 2000) for consultation.

In July 2015 the Independent Commission on Freedom of Information was established by the Cabinet Office to examine FOI’s operation. In its report the Commission concluded that FOI was working well. It did though make twenty-one recommendations to enhance the Act and further the aims of transparency and openness.

In its response to the Commission’s report, the government agreed to update the S.45 Code of Practice. The draft code provides new, updated or expanded guidance on a variety of issues, including:

  • Transparency about public authorities’ FOI performance and senior pay and benefits, to mandate FOI Commission recommendations for greater openness in both areas.
  • The handling of vexatious and repeated requests. The FOI Commission specifically recommended the inclusion of guidance on vexatious requests.
  • Fundamental principles of FOI not currently included in the Code, e.g. generalprinciples about how to define “information” and that which is “held” for the purposes of the Act.

The code is not law but the Information Commissioner can issue Practice Recommendations where she considers that public authorities have not complied with the guidance set out in this Code. The Commissioner can also refer to non -compliance with the Code in Decision and Enforcement Notices.

As well as giving more guidance on advice ad assistance, costs, vexatious requests and consultation the code places new “burdens” on public authorities including the following:

  • Public authorities should produce a guide to their Publication Scheme.
  • Those authorities with over 100 Full Time Equivalent (FTE) employees should, as a matter of best practice, publish details of their performance on handling FOI requests.
  • Pay (salaries over £90,000), expenses and benefits of senior staff at director level and equivalents should be published at regular intervals. Of course local authorities are already required to publish some of this information by the Local Government Transparency Code.

  • The public interest test extension to the time limit for responding to an FOI request should normally be no more than 20 working days.
  • Internal reviews should normally be completed within 20 working days.

Furthermore, the other S.45 Code covering datasets will be merged with the main section 45 Code so that statutory guidance under section 45 can be found in one place. There will also be an annex explaining the link between the FOI dataset provisions and the Re-use of Public Sector Information Regulations 2015.

Public authorities need to consider the draft code carefully and decide whether the additional obligations are workable given pressures on resources, especially due to GDPR’s pending implementation.

The deadline for consultation responses is 2nd February 2018.

 

We will be discussing this and other recent FOI decisions in our forthcoming FOI workshops and webinars. For those wanting an internationally recognised qualification the BCS Certificate in Freedom of Information  starts in February 2018 in Manchester and London.