Year: 2014

Ex Chief Surveillance Inspector (OSC) Joins Act Now Team

Sam_Lincoln_smallAct Now Training is pleased to announce that Sam Lincoln has joined our team of trainers.

Together with, Ibrahim Hasan and Steve Morris, Sam will deliver high quality training and consultancy services in the field of surveillance law particularly on Part 2 of the Regulation of Investigatory Powers Act 2000 (Directed Surveillance, Intrusive Surveillance and CHIS).

Sam was formerly Chief Surveillance Inspector with the Office of Surveillance Commissioners for seven years.

The Chief Surveillance Commissioner said of him:

“He is of complete integrity, hardworking, conscientious, highly intelligent and immensely knowledgeable about the law and practice of covert surveillance by public authorities.”

Sam has a unique perspective on covert surveillance law and practice. During 28 years commissioned service, he served for 18 years in military intelligence in staff, operational command and training appointments many in the covert domain.

Sam’s relevant other work experience includes:

  • Commanding Officer, Defence Human Intelligence training school
  • Editor of the OSC Procedures and Guidance publication
  • Speaker (often keynote) at national and local RIPA conferences
  • Visiting lecturer College of Policing RIPA Authorising Officer course
  • International trainer and consultant, Danish Emergency Management Agency
  • Design and delivery of the European Commission civil protection information management and security courses

Sam is currently working with Act Now to develop an online training module for front line staff on covert surveillance and RIPA. We would be happy to hear from any local authorities who are interested in being a test site for this.

Please get in touch if you would like to engage Sam to deliver in house customised RIPA training. With seven years experience of working for the OSC, conducting and coordinating RIPA inspections, he is in a unique position to be able to help your organisation prepare for an OSC inspection.

PS – Don’t forget, the new RIPA Codes of Practice came into force on 10th December 2014. Read more here.

Information Governance in Health & Social Care Conference

capture-20141210-161914Act Now is pleased to announce that it will be holding a major conference in the new year on the 24th of March entitled ‘Health Now – Information Governance in Health and Social Care – Where are we now?’ Speakers from the ICO, many areas of the NHS, NADPO and Act Now will be meeting in Leeds to discuss the future of information governance and patient care.

If you work in information governance, records management, data protection, freedom of information, IT, compliance, information and compliance management, data & information management then this is for you. Over 100 delegates are expected from Local and Central Government, Health and Social Care and associated sectors.

To download your advance copy of the conference flyer click here. With a delegate fee of only £199 we expect a high demand for places. Book Now for Health Now! See our other courses for the health and social care sector here.

New RIPA Codes come into force on 10th December 2014

file000640591433

On 10th December 2014 revised versions of the two codes of practice under Part 2 of the Regulation of Investigatory Powers Act 2000 (RIPA) will come into force. This will be as a result of two statutory instruments made on 19th November 2014 namely; the Regulation of Investigatory Powers (Covert Surveillance and Property Interference: Code of Practice) Order 2014 and the Regulation of Investigatory Powers (Covert Human Intelligence Sources: Code of Practice) Order 2014.

The revised codes are essential reading for those public authorities, especially councils, who conduct surveillance (Directed Surveillance, Intrusive Surveillance and the deployment of a Covert Human Intelligence Source (CHIS)). They take account of the changes, which took effect on 1st November 2012; namely magistrates’ approval for council surveillance and a new six-month threshold test for Directed Surveillance.

CCTV is a hot topic. Following complaints by Big Brother Watch, the Information Commissioner’s Office (ICO) has taken enforcement action involving both number plate recognition cameras and cameras recording people’s conversations in taxis. On 15th October 2014, the ICO published its 44 page code of practice on surveillance cameras and personal information. Revised paragraph 2.27 of the covert surveillance code draws attention to the importance of complying with the Data Protection Act and consequently the ICO code as well as the Surveillance Camera Code, when using overt CCTV cameras for surveillance. The Surveillance Camera Code, came into force last year and was made pursuant to the Protection of Freedoms Act 2012 (PoFA). It governs the use of surveillance camera systems including CCTV and Automatic Number Plate Recognition (ANPR) and applies to local authorities and policing authorities in England and Wales.

As regards the legal effects of the Surveillance Camera Code:

“A failure on the part of any person to act in accordance with any provision of this code does not of itself make that person liable to criminal or civil proceedings. This code is, however, admissible in evidence in criminal or civil proceedings, and a court or tribunal may take into account a failure by a relevant authority to have regard to the code in determining a question in any such proceedings” (paragraph 1.16 of the PoFA code).

The Surveillance Camera Commissioner has been appointed by the Home Secretary but has no enforcement or inspection powers unlike the ICO. He “should consider how best to ensure that relevant authorities are aware of their duty to have regard for the Code and how best to encourage its voluntary adoption by other operators of surveillance camera systems” (paragraph 5.3 of the PoFA code). (see our workshop on the Surveillance Camera Code)

The Chief Surveillance Commissioner in his annual report, published on 4th September 2014, drew special attention to the use of the Internet for investigations, particularly involving social networking sites. He suggests that a RIPA authorisation may be required for some online investigations. (See our detailed blog post on the OSC report.) Paragraph 2.29 of the revised covert surveillance code states:

“2.29 The use of the internet may be required to gather information prior to and/or during an operation, which may amount to directed surveillance. Whenever a public authority intends to use the internet as part of an investigation, they must first consider whether the proposed activity is likely to interfere with a person’s Article 8 rights, including the effect of any collateral intrusion. Any activity likely to interfere with an individual’s Article 8 rights should only be used when necessary and proportionate to meet the objectives of a specific case. Where it is considered that private information is likely to be obtained, an authorisation (combined or separate) must be sought as set out elsewhere in this Code. Where an investigator may need to communicate covertly online, for example contacting individuals using social media websites, a CHIS authorisation should be considered.”

Paragraph 4.32 of the revised CHIS code states:

“4.32 The use of the internet may be required to gather information prior to and/ or during a CHIS operation, which may amount to directed surveillance. Alternatively the CHIS may need to communicate online, for example this may involve contacting individuals using social media websites. Whenever a public authority intends to use the internet as part of an investigation, they must first consider whether the proposed activity is likely to interfere with a person’s Article 8 rights, including the effect of any collateral intrusion. Any activity likely to interfere with an individual’s Article 8 rights should only be used when necessary and proportionate to meet the objectives of a specific case. Where it is considered that private information is likely to be obtained, an authorisation (combined or separate) must be sought as set out elsewhere in this Code.”

We have a workshop on investigating E – Crime and Social Networking Sites, which considers all the RIPA implications of such activities.

On the keeping of records both revised RIPA codes state that, although records are only required to be retained for at least three years, it is desirable, if possible, to retain records for up to five years. Finally both revisions confirm that local authorities are no longer able to orally authorise the use of RIPA techniques and that “Out of hours arrangements should be in place with HMCS to deal with out of hours applications.”

These are the main changes to the RIPA codes. We have prepared a detailed document setting out all the changes. Please e-mail us (info@actnow.org.uk) if you would like a copy.

Act Now will be revising its RIPA Policy and Procedures Toolkit to take account of the RIPA codes. The toolkit gives you a standard policy as well as forms (with detailed notes to assist completion) for authorising RIPA and non-RIPA surveillance. Now is the time to consider refresher training for RIPA investigators and authorisers. We have a full program of RIPA Courses and can also deliver these at your premises, tailored to the audience.

When emails attack

clip_image002

It’s a simple error which most of us will have encountered, and usually it is more of an irritation than anything else. But last week’s data breach at NHS Greater Glasgow impacted on a highly sensitive area of healthcare.

A clinic flyer was sent out to 86 NHS service users by email. However, their email addresses were entered in the “To:” field rather than the “BCC:” (Blind Carbon Copy) field and therefore visible to all recipients. And the service users in question were patients of a transgender clinic. http://www.bbc.co.uk/news/uk-scotland-glasgow-west-29804901

Given the nature of email addresses, in many cases names and year of birth were identifiable in addition to the contact email. And this is a group of service users where simply being identified with that specific clinical service area constitutes highly sensitive sexual and health personal data under the DPA. Coupled with this is the specific prohibition on disclosure under s22 of the Gender Recognition Act 2004 for those individuals who have applied for a gender recognition certificate. The impact on individuals is real and the reputational damage to the NHSGG&C considerable.

The Health Board cites “human error” in this instance, and most will be thinking “There but for the grace…”

But this area of risk can be mitigated. Look at your own organisation and ask:

· Is there a clear policy on how group emails are managed and who is authorised to send them?

· Are relevant staff trained or given guidance on how to appropriately manage group communications?

· Has the organisation assessed the risk to identify particularly sensitive business areas of groups of service-users (such as in this case) where additional controls may be necessary?

· Have alternative tools been explored and, where appropriate, provided to staff and mandated for use? This could be a specific email marketing tool (such as Mailchimp) or simply requiring staff to use a mail-merge function to send out multiple individually-addressed emails with the same content.

· Are appropriate controls in place? At the simplest level, this could be setting system limits on the number of recipients permitted in an email, or more sophisticated tools to conditionally monitor outgoing emails and automatically challenge non-compliant communications.

Author Frank Rankin is a consultant and speaker who recently joined the Act Now team. He’s based in Scotland and has over 20 years experience as an information governance practitioner. A former chair of the NHS Scotland FOI forum and member of the Scottish Records Advisory Council, Frank has designed and delivered pragmatic training in FOI, Privacy and Records Management across a range of sectors.

Post Script. This isn’t the only case where major organisations have managed to pass hundreds or thousands of personal email addresses to hundreds or thousands of strangers. A Police and Crime Commissioner in northern England, A large council in Essex bizarrely informing its suppliers that they were required to pass data about them to the National Fraud initiative and a cheap and cheerful airline telling all its frequent flyers the email addresses of all their frequent flyers. Do you know when you haven’t been BCC’d? Do you remember when you didn’t BCC? Let us know.

Click here to see a full schedule of Frank Rankin’s courses in Scotland.

Image Credit. knowhacking.wordpress.com

Brunei or Bust

mosque-84493_1920

In January 2015 the Act Now team will be flying out to Brunei to deliver data protection audit training to staff working for the Government of Brunei.

Negara Brunei Darussalam, to give Brunei its full name, is a small country located in Southeast Asia. It is surrounded by Malaysia and has two parts physically separated by Malaysia. Here is the BBC’s guide to the country.

This is phase 2 of our Brunei consultancy project. Phase 1 involved developing a Data Protection Audit Manual based on the Data Protection Policy released by the Brunei Government. This included guidance on DP audit planning, preparation and the use of DP audit templates.

Ibrahim Hasan and Paul Gibbons, well known experts and trainers in this field, will lead the Brunei training project. Ibrahim said:

“I am looking forward to going out there to showcase our training expertise to an international audience. As more countries enact data protection legislation, we hope to be at the forefront of developing products and services that will enable those working in this field to develop their skills.”

This is one of many recent consultancy projects. Last year Act Now won a tender to deliver information rights consultancy services to The Rural Payments Agency. We were tasked with reviewing the RPA’s information rights handling policies and procedures in the light of best practice and legislative developments.

This latest project enhances our reputation as one of the UK’s leading providers of in-house training and consultancy in information law and information management. We pride ourselves on having the most well known experts who have all worked in the public sector for many years. We particularly specialise in:

  • Conducting information management audits
  • Writing policies, procedures and protocols
  • Conducting information risk assessments
  • Providing best practice advice on handling requests for information
  • Writing reports for senior managers and decision makers

Please take a moment to browse our in-house training and consultancy pages. Feel free to get in touch to discuss your requirements in this area.

Scottish Information Commissioner’s Annual Report

bridge-192982

In September the Scottish Information Commissioner, Rosemary Agnew, published her annual report for 2013/14.  Ms Agnew enforces the Freedom of Information (Scotland) Act 2002 (FOISA). In her own words, “The report documents our achievements and challenges across the year, while also providing a snapshot of the wider picture of FOI in Scotland.”

Key facts are as follows:

  • Appeals to the Commissioner fell slightly during 2013/14, with 578 appeals received compared to 594 in 2012/13.  The slight fall appears to be due to a fall in the number of appeals made because an authority had failed to respond within the statutory time limits.
  • The Commissioner received the highest number of enquiries to date, at 2,008.  This was an 11% rise on last year.
  • 62% of appeals were from members of the public.
  • In 67% of decisions the Commissioner found wholly or partly in favour of the requester.
  • Public awareness of FOISA in Scotland is at 78%.
  • Scottish public authorities reported that they received over 60,000 FOISA requests in 2013/14.
  • 75% of appeals took less than 4 months to resolve.
  • There were no appeals to the Court of Session against decisions issued by the Commissioner in 2013/14.
  • The Commissioner launched a new programme of regional “roadshows” , which saw the Commissioner and her staff deliver FOISA training to over 200 participants from a range of backgrounds.

In an excellent example of Open Data, the Commissioner has also published detailed information on the appeals received since 2005, broken down by public authority, region and sector, in Excel spreadsheets on her website.

The Commissioner is currently working on a Special Report on the scope of FOISA and whether all the right organisations are covered. The report will be laid in the Scottish Parliament in early 2015, to coincide with the 10th anniversary of the Act coming into force.

If you are new to FOI in Scotland or want to boost your career through gaining a qualification, our FOISA Practitioner Certificate  is ideal for you. The four day course is endorsed by the Centre for FOI , based at Dundee University.

If you’re considering enrolling on the course, what can you expect? Read what the tutor has to say and have a go at the FOISA test.

Yet Another CCTV Code

picture camCCTV is a hot topic. Following complaints by Big Brother Watch, the ICO has taken enforcement action involving both number plate recognition cameras and cameras recording people’s conversations in taxis.

On 20th May 2014, the Information Commissioner’s Office (ICO) launched a consultation on a revised Code of Practice on CCTV. The previous version was published in 2008. On 15th October the ICO published the 44 page code of practice on surveillance cameras and personal information. Jonathan Bamford, Head of Strategic Liason at the ICO, states in his blog post launching the code:

“Today’s updated CCTV code is one that is truly fit for the times that we live in. The days of CCTV being limited to a video camera on a pole are long gone. Our new code reflects the latest advances in surveillance technologies and their implementation, while explaining the key data protection issues that those operating the equipment need to understand.”

There are no major changes in the code when compared with the previous version. The ICO once again emphasises fundamental Data Protection Act (DPA) principles e.g. informing people about the information being collected about them, keeping data collected secure and having effective retention and disposal schedules.

The new and emerging technologies section of the code covers the key surveillance technologies that the ICO believes will become increasingly popular in the years ahead. Jonathan Bamford says:

The days of CCTV being limited to a video camera on a pole are long gone. Our new code reflects the latest advances in surveillance technologies and their implementation, while explaining the key data protection issues that those operating the equipment need to understand.”[A1]

The code emphasises the importance of conducting a privacy impact assessment before undertaking surveillance using CCTV, especially when fitted to drones e.g. broadcasters seeking to gather footage for production purposes, police forces conducting surveillance on suspects, or construction companies monitoring job progress. Concerns have been expressed about the legal use of drones. The BBC reports, “Drones which could seriously injure or kill are being flown over cities and towns across England, despite laws designed to protect the public.” The code refers to drones as ‘unmanned aerial vehicle’ (UAV) and the overarching systems in which UAV’s are used as ‘unmanned aerial systems’ (UAS). Key points include:

· Organisations should ensure there is an on/off button for recording in UAS’ and have “strong justification” for continuously recording via the system.

· Continuous recording must be both “necessary and proportionate” for the purpose the business is pursuing.

· The Fair Processing Code under Principle 1 of the DPA must be complied with. Website notices, social media, highly visible clothing and signage telling the public about the use of drones for filming in the area can help to do this.

Many councils now use body worn cameras to, amongst other things, help deal with combating anti-social behaviour or to help gather evidence for parking enforcement. These small inconspicuous devices can record both sound and images. This can mean that they are capable of being much more intrusive than traditional town centre CCTV. The code states that the use of such cameras needs to be justified. Safeguards must be put in place to ensure they are only used when needed. Strong security is essential in case the devices fall into the wrong hands. The code identifies other practical steps to help users of these devices stay on the right side of the law.

The new ICO code is said to complement the Surveillance Camera Code (PoFA code) which came into force last year. Made pursuant to the Protection of Freedoms Act 2012 (PoFA) the latter governs the use of surveillance camera systems including CCTV and Automatic Number Plate Recognition (ANPR).

The ICO code applies to all data controllers (public and privacy sector) throughout the UK but the PoFA code currently only applies, in the main, to local authorities and policing authorities in England and Wales. The Scottish Government has produced its CCTV Strategy for Scotland. The strategy provides a common set of principles that operators of public space CCTV systems in Scotland must follow. The principles aim to ensure that these systems are operated fairly and lawfully and are using technologies compatible with the DPA.

As regards the legal effects of the PoFA Code:

“A failure on the part of any person to act in accordance with any provision of this code does not of itself make that person liable to criminal or civil proceedings. This code is, however, admissible in evidence in criminal or civil proceedings, and a court or tribunal may take into account a failure by a relevant authority to have regard to the code in determining a question in any such proceedings” (paragraph 1.16).

The Surveillance Camera Commissioner (SCC) has been appointed by the Home Secretary but has no enforcement or inspection powers unlike the ICO. He “should consider how best to ensure that relevant authorities are aware of their duty to have regard for the Code and how best to encourage its voluntary adoption by other operators of surveillance camera systems” (paragraph 5.3). The ICO says of its revised CCTV code:

“This code is consistent with the [Home Office] code and therefore following the guidance contained in this document will also help you comply with many of the principles in that code”.

It is essential that all CCTV operators, both in the public and private sector, read the new ICO code and revise their policies and procedures accordingly. Whilst the code is not legally binding, it will be taken into account by the Commissioner and the courts in deciding whether the DPA has been complied with.

Steve Morris will explain the new code and the wider law on CCTV surveillance in our full day workshop. Want a new practical qualification for the modern Data Protection Officer? Click here

 

Peter Paul and Mayhem.

 

clip_image002

A story of email marketing gone wrong. Surnames have been deleted to protect the guilty.

On 20 Sep 2014, at 12:53, Peter wrote:

Hi Paul,

I have seen your CV details on one of the job boards and I am very keen to discuss an OLE Design opportunity with you. 

What is the best number to contact you on?  Are you currently looking for opportunities?

The CV I can see for yourself is out of date so if you could forward me your updated CV that would be great.

Look forward to hearing from you.

Regards,

Cameron

Senior Consultant

A recruitment gency

A posh address in London

First time in my life I’ve been headhunted but as I’m nearly on the final lap of the 10,000 metres of life I don’t really want to be employed. Strange how the email address is different to the name of the sender. But I felt aggrieved enough to reply.

From: Paul


Dear Peter/Cameron

Nice to know you’ve seen my CV on a job board. I am currently 62 years old and not seeking work of any nature so I suspect you are being economical with the truth in your marketing approach. The out of date CV you talk about is not just out of date – it doesn’t exist. I don’t have a CV as my V is based on not working. I am not on any jobs boards (whatever they are).

I presume you acquired my email from a third party as I have no relationship with you at all and that you never considered the PECR 2003 which forbid cold emailing unless the soft opt in exists which it doesn’t so you are in breach of these regulations and liable to a monetary penalty of up to £500,000 if the regulator feels it appropriate.

An apology would be nice but I’m not expecting one. Have a nice day.

I did consider copying in the ICO and asking for them to consider it as a complaint under PECR but decided to be lenient.

On 1 Oct 2014, at 09:45, Peter wrote:

Dear Paul,

Many thanks for your email.  Thank you advising that you are not looking for work.  I can confirm we are not being “economical” in our approach.   I can confirm your CV does exist & the existence is on Railway People (www.railwaypeople.com) which was last updated in August 17th 2012.

As proof I felt best to show you a copy of the CV that is currently on Railway People.  As you will see the CV does exist.  As your details are on Railway People we wanted to check your current situation and whether a contract opportunity would be of interest, but you have confirmed you are now retired.  May I also confirm that we do not use any third party sources and did not acquire your details from any such source.

I can also confirm we are not in any breach of any regulations as your details are on the site.  Apologises if you feel aggrieved by the approach but we were only contacting you as your details are on the site.

Have a nice day.

At this point I looked at the website Railwaypeople.com and couldn’t enter the site on account of not having an account with them so rang the sales team. I met a nice young man who was sympathetic and very helpful. A few facts exchanged with him revealed that candidates who were looking for work in the railway industry uploaded their CVs (carefully fulfilling schedule 2,1 condition) and recruitment consultants would download CVs they thought looked interesting. (I suspect money changed hands here). There was person on the site with same name as me but he lived in Derby and had a different birthdate. Craig agreed to confirm this in writing.

On 1 Oct 2014, 09:45, Craig wrote:

Hello Paul,

As discussed, I can confirm that we hold no contact details for you on our RailwayPeople.com database.

I’m able to tell you that Peter from xxx Recruitment downloaded the CV of a candidate by the name of Paul xxxx with a similar email address to your own.

I’m assuming you have been emailed in error by Peter so I would double check with the agency if you still have concerns.

Regards,

Craig
Account Manager

From: Paul

Hi Peter

I’ve been in touch with Railway people and they have confirmed in writing that they do not have any CV for me (checking my home address and a few other key facts). They do have a Paul xxx based in Derby and linked to the railway industry and with a similar email address and told me you had viewed this.

All I can surmise is that somewhere between you picking up this person’s data you managed to turn his email address into mine. 

Regards

Paul (not the Derby one)

Hi Paul,

I can see where the confusion lies.  Apologise for the confusion & the email in the first place.

Regards,

Peter

So Peter found a CV on an internet site despite him assuring me in an email that “May I also confirm that we do not use any third party sources and did not acquire your details from any such source. It wasn’t my CV. He then emailed what he thought was a person in Derby but managed to spell the email address wrong and reached me. Not having any relationship with me and ignoring the soft opt in exemption (or maybe not even knowing of its existence) means he breached PECR.

First class service from Craig at Railway People. He acted quickly and correctly.

Missed the connection at Crewe for Peter. Emailed without consent; breached principle 4 DPA; argued he was right; breached regulations about electronic marketing (which is his day job) but had enough guts to apologise at the end.

All in a day’s work for a DPA/PECR nerd.

When is wifi free?

clip_image002

Free (friː/) – adjective: free; without charge, free of charge, for nothing, complimentary, gratis, gratuitous, at no cost; for free, on the house.

adverb: free; without cost or payment. (Avoid freely)

Seems obvious when you ask Google for the definition. No payment of any sort means the goods or service is free. It’s an invitation to enter into a contract but nothing is to be given in exchange for the service of providing wifi. But what if you were asked for something in exchange? What if a shop said wifi is free if you give me an ice cream? Would that make the wifi no longer free? An ice cream certainly exists in a solid form (OK I’ll concede that it has a specific half life) but what if the price was a big kiss or a promise to buy something. Do they exist? Are they tangible? Do they have any value? Does it matter? What if the price was your email address? What if the price was your consent to receive marketing material?

I stayed in a hotel recently that presented me with a card on arrival with my free wifi code. Not even bothering to switch on the TV or use the bathroom (usual bored, middle aged businessman preoccupations) I fired up the laptop.

clip_image004

It’s not an easy screen to read but the word free appears four times. All I had to do is tell them my details.

Why?

If no payment is required no bill will be sent. I could use the code without them knowing anything about me. Starbucks manage to do this without any problems but many purveyors of “free” items need to know your name. Worse they need to know my email. Worse than that they had pre-ticked the yes to Marketing box. I unticked it and tried to subscribe without agreeing to terms and conditions but the system prompted me to a) agree the T&C and b) tick the Marketing box.

I complained to reception saying this wasn’t free. No problems Sir. Click on the Conference button at the top of the screen as you’re in a conference here tomorrow aren’t you (wink, wink) and they won’t ask those questions.

I did but just to be sure I decided to read the T&C. First line said by accepting them I would agree to receiving marketing. Trying to buy without ticking them wouldn’t work.

I told reception and she pointed out that all I had to do was use a code and a password and not give any identifiers (like the ones she had taken on the piece of paper I filled in at reception where the code and password was stored next to my personal details).

Feel free to like this article. Just don’t send money. Or ice creams.

Yet Another Local Government Transparency Code – A Gift for Armchair Auditors?

SwordThe Coalition Government likes “armchair auditors”.

Within weeks of coming to power in 2010, it released all items of local authority expenditure over £500. The Secretary of State for Communities and Local Government, Eric Pickles, said at the time that the move would “unleash an army of armchair auditors and quite rightly make those charged with doling out the pennies stop and think twice about whether they are getting value for money”.

Section 3 of the Local Government, Planning and Land Act 1980 gives the Secretary of State the power to issue a code of practice about the publication of information by local authorities relating to the discharge of their functions. Back in May, Eric Pickles used this power to issue (what was then) a new Local Government Transparency Code. (See my earlier blog post.)

Now, an updated version of the Code , dated October 2014, has been issued. It applies in England only and replaces the previous version. The code requires councils (as well as, amongst others, National Park Authorities, Fire and Waste Authorities and Integrated Transport Authorities) to proactively publish certain categories information (in Part 2 of the code) whilst also recommending that they go beyond the minimum (in part 3 of the code). It follows last year’s consultation on Improving Local Government Transparency: “Making ‘The Code of Recommended Practice for Local Authorities on Data Transparency ’ enforceable by regulations.”

Ministers will imminently make and lay regulations (The Local Government (Transparency Requirements) (England) Regulations 2014)) to make it a legal requirement for local authorities to publish the data specified in Part 2 of the code. Subject to Parliamentary processes, Part 2 should become mandatory by 7 November 2014.

Part 2.1 of the code sets out information, which must be published at least quarterly. This includes:

  • Each individual item of expenditure exceeding £500 e.g. invoices, grant payments, expense payments, rent etc.
  • Government Procurement Card transactions
  • Procurement information which includes details of every invitation to tender for contracts to provide goods and/or services with a value that exceeds £5,000, together with any contract, commissioned activity, purchase order, framework agreement and any other legally enforceable agreement, also with a value that exceeds £5,000.

Part 2.2 of the code sets out nine sets of data which must be published annually. This includes local authority land, grants to voluntary bodies , trade union facility time, parking information and senior salaries. In relation to trade union facility time, authorities should publish the amount spent on providing support and facilities to trade unions within their workforces, and specify which unions. In relation to parking charges, categories include the number of off-street parking places and the revenue raised from them; the number of on-street parking places and the revenue they raise; as well as the revenue from parking fines and the number of free parking spaces available.

The main difference between the May and October codes is that the latter has added three datasets to the list of information which must be published: namely information about how the authority delivers waste services, uses the parking revenue it collects and tackles fraud.

On salaries the code requires publication of more information than is currently required under the Accounts and Audit (England) Regulations 2011. Local authorities must now place a link on their website to these published data or place the data itself on its website, together with a list of responsibilities (for example, the services and functions they are responsible for, budget held and number of staff) and details of bonuses and ‘benefits in kind’, for all employees whose salary exceeds £50,000. The key differences between the requirements under this new code and the Regulations referred to above is the addition of a list of responsibilities, the inclusion of bonus details for all senior employees whose salary exceeds £50,000 and publication of the data on the authority’s website. What effect will this have on FOI requests for salary information? Certainly senior figures will find it hard to claim that they have an expectation of privacy when it comes to FOI requests for similar information. (More on salaries here.)

Part 3 of the new code sets out the information, which is recommended to be published, but there is no requirement to do so. This is about providing more detail to information already published under the required category in Part 2, e.g. more details about expenditure, procurement, grants etc. For example instead of just publishing details of expenditure over £500 on a quarterly basis, local authorities are encouraged to publish expenditure over £250 on a monthly basis or better still in real time.

Existing restrictions on disclosing information still apply though. Paragraph 14 of the code states:

“Where information would otherwise fall within one of the exemptions from disclosure under the Freedom of Information Act 2000, the Environmental Information Regulations 2004, the Infrastructure for Spatial Information in the European Community Regulations 2009 or falls within Schedule 12A to the Local Government Act 1972 then it is in the discretion of the local authority whether or not to rely on that exemption or publish the data.”

However where a qualified exemption under FOI applies, the appearance of the requested information in one of the categories set out in the code will have a big impact on the public interest in support of disclosure.

How should data under the new code be published? The code states that it should be in a format and under a licence that allows open re-use, including for commercial and research activities, in order to maximise value to the public. The Open Government Licence, published by the National Archives, should be used as the recommended standard. Where any copyright or data ownership concerns exist with public data these should be made clear. Data covered by Part 2 of the code must be published in open and machine-readable formats.

The DCLG has also published an accompanying FAQ Guide which gives further guidance on how to practically apply the new code.

Despite Part 2 of the code being legally enforceable soon (see above), does the code have any teeth? The code does not have an enforcer like the Information Commissioner under FOI. Indeed the DCLG has pointed out in the FAQs that it is not the Commissioner’s role to enforce the code. It does though suggest that complainants can issue a judicial review claim in the High Court (unlikely with public funding of such cases being virtually ceased) or complain to the Local Government Ombudsmen. It also suggests they make an FOI request for the same information!

It will also be interesting to see how this new code works with the new dataset obligations under the FOI, which came into force on 1st September 2013 via the Protection of Freedoms Act.

On 10 March 2014 the Government launched the consultation on a draft transparency code for parish councils with a turnover not exceeding £25,000, which will act as a substitute from routine external audit. The Government published its response to the consultation on 6th August and intends to lay regulations to make the code mandatory later on this year. (More for those advising Parish Councils here.)

The Government believes that transparency about how local authorities spend money and deliver services, and how decisions are made within authorities, gives local people the information they need to hold their local authority to account and participate in local democratic processes. It claims that the availability of data can also help secure more efficient and effective local services and open new markets for local business, the voluntary and community sectors, and social enterprises to run services or manage public assets.

Will armchair auditors make use of this new information? Time will tell but readers would be right to be sceptical.

Give your career a boost by gaining an internationally recognised qualification in FOI. No time/budget to attend courses? Keep up to date with all the latest FOI decisions by viewing our live one-hour web seminars.

%d