Section 36 of FOI: An Appellant’s Perspective

Norman Baird writes:

The University of London International Programmes offers an LLB degree by distance learning. It is studied by thousands of students worldwide. With such a large number of students, the University relies on a large number of lecturers from a variety of universities to mark the exam scripts. The University provides some academic support – in the form of written guides and recorded lectures – but relies on private institutions to provide face-to-face tuition. I am Academic Director of one such institution. I made an FOI request for the marking guidelines issued to the markers.

My request was declined. The University relied on S.36(2)(c) which is engaged if, in the reasonable opinion of the Qualified Person (QP), disclosure would or would be likely to prejudice the effective conduct of public affairs. If it is engaged it is then subject to a public interest test. The University stated that:

“disclosing the marking guidelines, in this case and as a precedent, would fundamentally affect one of the University’s core functions, that of robust exam assessment”.

And this opinion was arrived at on the basis of three subsidiary claims of particular harms. These are, somewhat confusingly, also described in terms of prejudices.

First, the University contended that “the disclosure of the marking guidelines… would be likely to prejudice the effective operation of the University’s examiners in preparing the most robust and effective guidelines…”

Second, that “disclosure of the marking guidelines would be likely to prejudice the actions and efforts of students, who may try to adapt their essay answers to marking guidelines developed at examiner level for examiners, resulting in mistakes in comprehension and lower attainment scores.”

Third, the University maintained that “disclosure would be likely to prejudice the nature of the guidelines, where a requirement to establish a process to publish marking guidelines will transform them from useful internal assessment tools to just another external facing study aid, of which a wide range of provision already exists.”

The Information Commissioner found in favour of the University and so I appealed to the First Tier Tribunal (Information Rights) on the grounds that the opinion was neither reasonable in substance nor reasonably arrived at. In addition, I contended that the public interest in favour of disclosure outweighed the arguments against. But in the limited space here I only want to look at a couple of my submissions.

My first ground was that the Qualified Person, Vice-Chancellor (V-C) Professor Geoffrey Crossick, had not expressed an opinion as required by the section. This had been added to my grounds of appeal at a late stage as it was only when the University responded to my initial appeal that I first saw the ‘opinion’ signed by the Qualified Person. He had been provided with an ‘evidence pack’ in which he was advised that, in the opinion of the International Academy of the University, disclosure would be prejudicial. He had written:

“I have now reviewed the evidence with respect to the FOI request asking for… the marking guidelines. It is my conclusion that the opinion – that disclosing the marking guidelines, in this case and as a precedent, would fundamentally affect one of the University’s core functions, that of robust exam assessment – is reasonable in substance.

I confirm that, in my capacity as qualified person, that this exemption is engaged with respect to the request for marking guidelines.”

He states that the opinion (of the International Academy) that disclosure would be prejudicial was a reasonable one. Now, it is clear that one person may recognise another’s opinion as reasonable without sharing that opinion. The section requires the QP to express his opinion that prejudice would or would be likely to be caused. The V-C did not do so.

And it is not possible to conclude from his final sentence that he believed that prejudice would result. He appears to have formed the view that, provided he thought the opinion was reasonable, the section was engaged. In effect, he expressed himself in terms consistent with the role of the Information Commissioner and not that required of a Qualified Person.

It is notable that the V-C was not consulted again at the internal review stage and there was no other evidence that, in his opinion, disclosure would be prejudicial. In addition, the advice given in the evidence pack with which the V-C had been provided was ambiguous. Although S.36(2)(c) was reproduced, the V-C had been advised that the University’s opinion was that disclosure would be prejudicial and that he was required to ‘authorise’ the exemption.

My second ground of appeal was that the ‘opinion’ was not reasonably arrived at. There were a number of limbs to this submission including the fact that the subsidiary claims were unsupported by evidence, were barely comprehensible and there was no evidence that anyone involved in making the decision or advising the V-C had actually read the documents.

But I would like to focus on one submission as it appears to me to be central to the way in which the ‘opinion’ and the Decision Notice (DN) should be approached. It is well established that although the opinion need only be a reasonable opinion and not the most reasonable it must be ‘rational’, ‘not illogical’, ‘not arbitrary’. I submitted that there was a lack of logical coherence between the opinion and the subsidiary harms upon which it rests.

The ‘opinion’ was that disclosure would prejudice robust exam assessment. The subsidiary claims, however, are expressed in terms of likely effects. To conclude that prejudice to the assessment system would occur because prejudice to students and examiners is likely is as illogical and irrational as concluding that consumption of a drug would be fatal on the grounds that it is likely to induce a fatal heart attack and/or terminal cancer.

The response to this argument by the Information Commissioner was that although the University and the Decision Notice had claimed throughout that disclosure ‘would’ cause prejudice the overall tenor of the opinion and the DN was that the ‘would be likely’ limb was being relied on. In effect, the IC is saying that although he said one thing he meant another. As I argued at the Tribunal, if the opinion is to be read so that it is consistent with the subsidiary claims it is impossible for a requester to argue that the opinion and the subsidiary claims are incoherent.

The section is a powerful one for a Public Authority. It has been described as a ‘get out of jail free card’ and so it is submitted that it ought to be construed narrowly and applied strictly. It is not particularly difficult to express the opinion correctly. And although the Decision Notice is not to be read as though it is a judgment of the Court of Appeal, a requester who appeals is at a great disadvantage if all its inconsistencies are smoothed over to ensure the appearance of logical consistency and coherence.

It has been said (and was repeated at the Tribunal) that a requester will find it difficult to establish that an opinion was not ‘a reasonable opinion reasonably arrived’. That will certainly be true if an opinion can be found when none was expressed and if the central requirements of reasonableness – rationality and logical coherence – are ignored or fudged.

I look forward to reading the opinion of the Tribunal but I am not optimistic.

Norman Baird has been lecturing on Criminal Law and Jurisprudence for approximately 30 years and runs law courses in London and abroad. He also publishes a blog: www.llblondon.com

Ibrahim Hasan will be discussing this and other recent FOI decisions in our FOI Update workshops in 2014.

Do you want an internationally recognised qualification in FOI? The BCS/ISEB Certificate in Freedom of Information starts in March 2014 in London and Manchester.

Data Sharing Consultation – Do we need new laws?

The Law Commission has opened a consultation on the law around sharing of personal information between public sector organisations. Law Commissioner Frances Patterson QC says:

“It could be that more data sharing would improve public services but, if that is so, we need to understand why data is not being shared.  Is there a good reason to prevent data sharing?  Or is the law an unnecessary obstacle?  Are there other reasons stopping appropriate data sharing?  These are the questions we want to answer in this consultation.”

The legalities of data sharing is a subject which often confuses public sector officials. Local authorities, in particular, are often stumped by the “To Share or Not to Share” question, even if the sharing is for very good reasons (e.g. child protection or crime prevention). In some cases, even internal departments have felt constrained from updating each other about a change of a service user’s address.

More often than not, the Data Protection Act 1998 (DPA) is made the scapegoat for officials’ failure to fully understand the law. It is wrongly perceived as a barrier to data sharing despite offering a range of justifications (e.g. consent, legal obligation, protecting vital interests etc. (Schedule 2)).

Many attempts have been made to resolve this “problem”. In May 2011, the Information Commissioner published a statutory Code of Practice on data sharing. The code explains how the DPA applies to the sharing of personal data both within and outside an organisation. It provides practical advice to the public, private and third sectors, and covers systematic data sharing arrangements as well as one off requests for information. Under Section 52 of the DPA, the code can be used as evidence in any legal proceedings and can be taken into account by the courts and the Commissioner himself when considering any issue.

Despite the clear guidance in the code, the Government has sometimes toyed with the idea of new laws. Last year, according to a story in the Guardian newspaper, proposals were to be published by the Cabinet Office minister, Francis Maude, which would make it “easier” for government and public-sector organisations to share confidential information supplied by the public:

“In May, we will publish proposals that will make data sharing easier – and, in particular, we will revisit the recommendations of the Walport-Thomas Review that would make it easier for legitimate requests for data sharing to be agreed with a view to considering their implementation,” said Maude, adding that current barriers between databases made it difficult for public sector workers to access relevant information.

“It’s clearly wrong to have social workers, doctors, dentists, Job Centres, the police all working in isolation on the same problems.”

The Guardian reported that the proposals are expected to include fast-track procedures for ministers to license the sharing of data in areas where it is currently prohibited, subject to privacy safeguards.  I could not find the proposals on the web. Anybody know whether they were ever published?

Confusion around data sharing continues to reign! The tragic case of Daniel Pelka is one example. The recent report into the four-year-old’s death, published by the independent Coventry Safeguarding Children Board identified a number of missed opportunities where professionals across a number of agencies should have done more to protect Daniel. Amongst other things, it concluded that the sharing of information and communications between all agencies was not robust enough.

Ill-informed comments about the current law (especially the DPA) do not help. In a recent Daily Telegraph article by Michael Gove, the Education Minister claimed that, whilst trying to understand the underlying causes of child exploitation, he discovered that OFSTED “was prevented by “data protection” rules, “child protection” concerns and other bewildering regulations from sharing that data with us, or even with the police.” There is nothing in the DPA which prevents this. Don’t just take my word for it. Read the Information Commissioner’s riposte to the learned Mr Gove.

Do we really need new laws on data sharing or a better awareness of the existing ones? My view is that the current law is adequate to regulate yet allow responsible data sharing. The DPA and the Data Sharing Code need to be properly understood. They can be a tool allowing responsible data sharing. Most public sector data sharing will be lawful if organisations comply with the Eight Data Protection Principles; particularly the First Principle which requires information to be processed fairly and lawfully. There are also numerous exemptions in the Act including where sharing is required for the purpose of prevention or detection of crime (section 29).

The Law Commission consultation runs until 16 December 2013 and the paper may be accessed at: http://lawcommission.justice.gov.uk/. Responses can be emailed to data.sharing@lawcommission.gsi.gov.uk or sent by post.

More Information: Read our article for a full explanation of the ICO Data Sharing Code or watch this free webinar. We also run full day Multi Agency Information Sharing workshops.

Disclosure of Staff Names in FOI Refusals

This is an FOI decision from the Information Commissioner that I have planned to blog about for some time, but have now only just got round to blogging about it.  On 11 March 2013 the ICO issued decision notice FS50468600 which involved the Department for Work and Pensions (DWP).  The content of the decision notice is not all that important until we turn to paragraphs 32-36, which are headed up as “other matters”.

In particular paragraph 35 is of note in which it states that his office experienced difficulty in actually speaking to those who were involved in the request at the DWP’s side of things.  It described the DWP’s practice of not providing telephone numbers or contact details within its responses and how this makes it very difficult for the appropriate contact to be located within the organisation.  The public authority advised the Commissioner that it did not include these details so as not to breach the privacy of the non-senior staff involved; it described the staff in question as not being in public-facing roles.

In Paragraph 36 of the decision notice the Commissioner states quite clearly that he does not agree with this approach.  The decision notice states that “if such staff are responding to requests made under the FOIA then he considers this to be a public-facing role which is unlikely to attract an expectation of privacy” (Paragraph 36).

The DWP are by no means the only public authority which has adopted similar processes in respect of FOI requests.  I can remember one time trying to get hold of a central Government department (I can’t remember exactly which one, but I have a feeling it was either the Home Office or a connected public authority) to discuss a response that had been issued by them (something that merely wasn’t very clear and, as it later transpired wasn’t in need of an internal review). However, there was no contact details provided for the individual.  I was informed that the FOI team were not public-facing and they wouldn’t speak to members of the public over the telephone.

It was very frustrating and actually resulted in a higher cost to the public authority in my case.  There was just one thing that I wasn’t clear about and I’m sure that had I been able to have a quick telephone conversation with the person who issued the decision then there would have been no need for them to conduct an internal review.  However, the Authority’s attitude and processes meant my only option to get the clarification was to request an internal review.  This will have then required a senior member of staff within the authority to review the entire handling of the request and issue a response to me; far more expensive than 5 minutes on the phone explaining something to the applicant.

Not publishing contact details for those responsible for FOI within the organisation also makes seeking advice and assistance from the public authority almost impossible.  My reading of the Act suggests to me that advice and assistance is not only something to be provided in a refusal notice, but something that should be available to prospective applicants.  I know that I’ve certainly phoned up a public authority and had a chat with them about a request before making it; as a consequence I have been able to frame my request in a way that has made it a much more efficient process for the public authority (and thereby reducing the cost to the taxpayer).  The FOI Officer, knowing the structure of their organisation and how information is generally held, was able to advise as to what information they were likely to hold and how it was likely to be held.

I tend to agree with the commissioner that anyone sending a response out to a FOI request is clearly public-facing; it might be that a particular role was not public facing pre-FOI, but in these post-FOI days anyone could, in theory, be a public-facing member of an authority’s staff.  It should be easy for applicants to contact public authorities, not least because the public authority is obliged to provide advice and assistance, but it can just save public authorities money.  It can help ensure more focused FOIs that are easier to deal with and can prevent expensive internal review requests (or perhaps even more expensive ICO investigations). (Ed – See also Ibrahim Hasan’s blog post on disclosure of staff names under FOI)

Hopefully the ICO’s criticisms of this approach in this decision notice will feed their way round any other public authorities who still adopt a practice of not giving out contact details for someone able to provide advice and assistance.

Alistair Sloan is a 4th year LLB student in Scotland, blogger (http://scotslaw.wordpress.com/about-2/) and FOI proponent. Follow him on Twitter (http://www.sloansonline.me.uk/)

Ibrahim Hasan will be discussing this and other recent FOI decisions in the FOI Update workshop  on 3rd June 2012 in London.

Do you want an internationally recognised qualification in FOI?

The ISEB Certificate in Freedom of Information  starts in Manchester and London in June.

ICO 2013 Conference Review

Roger Bescoby reviews the recent ICO conference…

I was on my travels last week and on Tuesday (5th May 2013) found myself at the ICO Data Protection Officers’ Conference  in Manchester. Over 800 people present and about 300 ‘waiting outside the door’ as they say. It was, and always is, massively oversubscribed. It is the main event in the ICO calendar and a fantastic opportunity to get a feel for the way the regulators are thinking. Well worth getting on the guest list.

This is the third year I have attended this Conference and once again I found myself pretty much the only representative from the insurance investigation sector. Can you believe that??  Here we are, post Leveson, NOTW and with worrying EU Regulation on privacy coming out of our ears – and only Brownsword Group there from the entire industry. Does that make us ‘anoraks’ or supremely responsible chaps??  Answers on a post card…

I picked up on two main points that I would like to share with you all:

Europe?  You Never Had It So Good…

There are some massive EU reforms on the way in the form of new European Regulation on Data Privacy. By 2016 it’s looking like we are going to be regulated centrally by Brussels on DP. ‘Fine’ you may say, but when you consider the vastly differing attitudes towards Data Protection by the 27 Member States, and that the UK currently has a considerably more liberal attitude than most, it’s time to look at what might be coming our way.  The explosion in social media is being blamed for the need for tougher regulations – an observation difficult to argue with.

You may remember I highlighted last year that current proposals in Brussels suggest that personal data can only be shared if it falls into one of the new proposed exemptions. Sharing of data by insurers for the purposes of fraud prevention is NOT currently listed amongst the exemptions. This seems to be a glaring omission and now evidently an oversight.  The Association of British Insurers (ABI) and the Financial Services Authority (FSA), amongst others, have been lobbying hard on this very point and seem to have now made some headway. The issue is currently now under review by no less than 5 COMMITTEES in Brussels, all presumably deliberating on what has to be the most obvious decision they will ever have to make – but remember – this is the EU Parliament we are talking about!

During the mass Q&A in the afternoon, Assistant Commissioner David Smith answered a question put by a delegate in a grey suit and Salford accent, on the very point. He admitted that there were several points within the current EU proposals with which the ICO had issues and that this was a typical example. He went on to say that he felt confident that data sharing would always be justified if it was being done for the purposes of the ‘legitimate interests’ and for the ‘prevention and detection of crime’ and that he had not seen anything in the new proposals that changed that.

So, on the face of it, good news but it really is worth keeping an eye on the EU proposals. Wouldn’t we all feel happier if the insurance fraud world was specifically recognised by way of an exemption?

And what does the EU think of secret filming? If the UK were forced to adopt even some of the tough regulations on covert surveillance that exist across much of mainland Europe we would see the biggest upheaval in recent history in our sector. I detected an insatiable appetite from the regulators on the issue of ‘consent’ to processing. The nightmare scenario of having to say to a surveillance subject,  “Hi Mr Smith, is it OK if I film you next Tuesday in relation to your claim?” may not be as farcical as it seems. I kid you not!

I also heard one opinion from a senior ICO official that he favoured following the RIPA example, that of seeking Magistrates’ approval if you wish to put somebody under surveillance in non Public Authority scenarios…you have been warned! (Certainly some form of written authorisation for non-RIPA surveillance is favoured by the Office of Surveillance Commissioners and others – Ed)

‘Unmanned’ Surveillance – Too Risky??

There were two excellent breakout sessions at the conference dealing specifically with surveillance.  The way covert video evidence was captured, and in particular the justification for filming individuals, was discussed at length. The point was made most emphatically by the ICO officials that they would only condone the covert processing of personal data (i.e. filming) if it was evidently targeted upon the data subject, and of course that the intrusion could be justified.

They then made the further point that such covert data processing must be discriminate and that every attempt must be made to avoid the inadvertent capture of footage of ‘un-connected’ individuals. They went on to say that whilst some ‘collateral intrusion’ was inevitable, the installation of static unmanned covert cameras, vehicle based or otherwise, was absolutely  ‘unfair and excessive processing’ and breached basic DPA principles.

I know that some surveillance companies out there openly recommend and market such tactics – suffice to say it is not a route The Brownsword Group will be going down. The thought of maybe two dozen ‘friends and neighbours’ of a legitimate surveillance target bringing privacy actions against our client is a risk we will not be taking – and that’s before the ICO themselves come down like a ton of bricks.

And Finally – Something Else……..The FSA and a ‘Thematic Review’ of the Use Of Private Investigators

I can advise that the FSA Conduct Business Unit have embarked upon what they are calling a ‘Thematic Review’.   They are “seeking information from  firms about the controls, oversight and due diligence procedures operated by insurance companies regarding the use of private investigators.”

I understand that specific attention is being paid to TCF, the payment of any inducements or incentives, the frequency and success of investigator involvement and also whether the 2007 ABI Guidelines are being adhered to. It is not surveillance specific.

Insurers can expect a visit in the coming months. Brownsword Group have written to the FSA offering help, assistance and guidance in the production of the review, hopefully providing a view from the ethical  investigator’s side of the fence.

It is likely that at this stage the FSA will have little first hand knowledge of the vital working relationships that exist between Insurers and investigators. This, and in the light of current suspicious attitudes from certain regulators towards the investigation sector, may suggest that a degree of education may be necessary from insurers and investigators alike.

Hopefully, in the fullness of time, the FSA will interact with us on this and we will be able to explain the value of the investigators support role to the insurance sector.

I hope you found the above of interest, comments and questions welcomed.

Roger J Bescoby is Director of Strategic Development at the Brownsword Group. Visit www.brownsword.com & www.talk-safe.co.uk

Data Protection Update workshop – Analysis of the latest DPA cases, developments and news from the ICO. Our next workshops are in Manchester on the 28th May and in London on the 31st May.

Leveson: What future for Data Protection?

The Leveson Report has finally been published.

The Report recommends that a tougher form of self-regulation backed by legislation should be introduced to uphold press standards. Much has already been written (http://www.bbc.co.uk/news/uk-20543936) and will continue to be written about this central recommendation and whether it is good or bad for democracy and a free press. But amid the furore about whether the Prime Minister should or should not accept the central recommendation, it is easy to forget that the report will also have implications for Data Protection Act and the Information Commissioner.

One of the areas that Lord Justice Leveson was required to consider was ‘the extent to which the current policy and regulatory framework has failed, including in relation to data protection’.

I started writing a blog post on the way back from London, and got as far as the above, when an e mail from the good people at 11KBW  (Panopticon Blog) landed in my inbox.

Oh well, if you can’t beat them, read them! Here is their excellent analysis of the DP recommendations of Leveson:

http://www.panopticonblog.com/2012/11/29/leveson-inquiry-report-spotlight-on-proposed-data-protection-reforms/

I was only training round the corner and passed the QE2 centre where LJ Leveson was giving his press conference. Perhaps, I should have camped out overnight to beat the Panopticon Team?

NEW FOI Podcast – Episode 27

In this episode Ibrahim Hasan discusses FOI developments and decisions during September and December 2011. This includes Commissioner and Tribunal decisions on:

  • Information in private e mails
  • Section 11 and providing summaries
  • Vexatious requests
  • Empty properties
  • The Qualified Person’s Opinion
  • And disclosure of statistics

There is also a quick review of recent developments in the world of transparency and FOI. Click here to listen.

We have a few places left on our upcoming ISEB courses in Birmingham.

Those Were the Days!

Martin Gibson, of Buckinghamshire County Council, reflects on the challenges facing a Data Protection Officer and how relationships with the Information Commissioner’s Office have changed over the years.

Read more here