Spring is around the corner, and what better way to celebrate than by learning something new? Act Now Training are offering a special Spring sale with 10% off on all one day courses until 21/04/23. Plus, we have some exciting discounts on our GDPR certificates!
Our one day courses are designed to provide you with a comprehensive understanding of various information governance topics, including data protection, records management, FOI and information security. Whether you are a beginner or an experienced professional, our courses are tailored to meet your specific needs.
Our Intermediate Certificate in GDPR strengthens the foundations established by our UK GDPR Practitioner certificate. Delegates will cover more challenging topics and gain a deeper awareness of the fundamental data protection principles. It is an excellent option for those with an established knowledge base and experience in data protection who wish to level up their knowledge and sharpen their skills.
Our Advanced Certificate in GDPR course is perfect for those who want to take their GDPR knowledge to the next level. This course covers the more complex aspects of GDPR and provides you with the practical skills needed to manage GDPR compliance effectively. You will learn how to break down complex multi-faceted scenarios and learn how to analyse case law, MPNs, ICO reprimands and Enforcement notices. This course is unlike any other, it challenges delegates with real world complex scenarios and is excellent in showcasing a much higher level of knowledge depth and understanding.
Don’t miss this opportunity to enhance your information governance skills and take advantage of our Spring sale. To take advantage of this offer, simply book your chosen course before 21/04/23 and enter the code SPRING10 at checkout and the relevant discount will be applied.
Act Now Training is celebrating 20 years of delivering training and consultancy in Information Governance. To commemorate this, we will be offering various offers over the next month so watch this space.
To kick things off, we are offering 20% off all in-house course bookings made until Christmas this year. These can be scheduled for delivery anytime in the next 12 months.* Act Now’s in-house training services are very popular for those seeking high quality training customised for their organisation. These can be delivered online or at client locations.
Over 100 inhouse training courses were delivered by our team of associates in the past twelve months. These have been delivered online, as well as at client premises. We have delivered training for a range of organisations including local and central government, political parties, the NHS, and the charitable sector. Course titles include:
SIRO’s and IAOs
RIPA and Surveillance
Handling Subjects Access Requests
Data Sharing
Law Enforcement Directive and Part 3 of the DPA 2018
EIR Exceptions
FOI Exemptions
DPIAs
International Transfers
GDPR Practitioner Certificate
FOI Practitioner Certificate
We have also delivered our very popular certificate courses in GDPR and FOI on an in house basis. The feedback has been very positive with an average Net Promoter Score of 91 for the last twelve months:
“I found the trainer to be both very engaging and interesting and I felt participation was fully encouraged. The conduct of the training was very effective and the trainer made the training and the subject come to life with his engaging and easy manner. He was of course also highly knowledgeable and experienced.”
AB, Isle of Man Government
“Really good training course – I now have a much better understanding of Freedom of Information and Environmental Information Regulations. Tutor was really clear and very knowledgeable in the topic area.”
GS, Environment Agency
“Very knowledgeable trainer pitched at the right level. Interactive elements welcome so officers could discuss real world situations they have encountered making it very practical as well.”
WP, South Ribble Borough Council
Act Now has been providing inhouse training and consultancy services for over 20 years. We pride ourselves on having experienced practitioners in the fields of Data Protection, Surveillance Law, Freedom of Information and Information Management. All have many years of experience of training and advice in this area.
We have trained over 80,000 individuals from different backgrounds. Our strength lies in having a strong client base in all relevant sectors. This means that we are well informed about the most current information management issues in almost every sector. With our education led approach, we are committed to providing measurable training that adds real world value to organisations by promoting and developing participants’ skills, competencies and behaviours.
Feel free to get in touch to discuss your online inhouse training needs. Visit our website for further details. Please quote “20th Anniversary” when enquiring.
*Although scheduled delivery can be anytime in the next 12 months, payment terms will still be as per the usual 30 days from invoice.
The awards ceremony took place on Monday night at the IRMS Conference in Birmingham. Act Now was also nominated for two others awards. Congratulations to all the other winners.
Ibrahim Hasan said:
“I would like to thank the IRMS as well as the Act Now team. This award recognises the hard work of our colleagues who are focussed on fantastic customer service as well as our experienced associates who deliver great practical content and go the extra mile for our delegates. We are committed to helping advance the profession and raising the awareness of the importance of Information Rights as a fundamental Human Right; and enable a culture of respect and trust within organisations.”
The Innovation of the Year award went to Dapian which is a cloud based programme designed to assist those conducting Data Protection Impact Assessments and Information Sharing Agreements. Act Now helped develop Dapian alongside nine organisations from the public and private sector including the IRMS.
Despite the pandemic, it has been a fantastic year for Act Now. We have delivered over 250 online workshops and launched some great new courses and products. Our Advanced Certificate in GDPR Practice has been really well received by experienced GDPR practitioners who want to enhance their skills and knowledge. We have run eight fully booked courses this year with fantastic reviews. We have also launched our very popular UK and EU GDPR Handbooks.
We have exciting plans for 2022. Watch this space!
It has been a long time since we have delivered our much loved classroom courses. But the wait is over. As the world slowly, blinkingly, comes out in to the post pandemic dawn, Act Now has launched a curated list of Classroom courses in London and Manchester.
Many of our delegates have been requesting the return to classroom for quite some time, and now we can finally start to add some dates to our calendar.
Whether Classroom or Online, our courses deliver the same content whilst ensuring that each medium is catered for specifically resulting in trackable learning outcomes. Take your pick, Online in the comfort of your home or office, or join us in one of our premier locations.
We look forward to having you back. A list of our courses can be found below. Please also check the website for further dates and details. Places will be limited to ensure social distancing so book early to confirm your place.
To see our complete list of of Online and Classroom courses please CLICK HERE
Act Now is pleased to announce that the recently launched online FOI Practitioner Certificate course is fully booked. Delegates from a wide rage of organisations, including the NHS and local government, have booked on the first course which starts in August.
The course has been designed to mirror our classroom based course that was running successfully throughout the country before the Coronavirus lockdown.
Delegates will benefit from the same fantastic features in a live online learning environment.
Susan Wolf, who has designed this new course says:
“This is a very exciting opportunity. Despite the current difficult times and uncertainties, this online course gives FOI practitioners access to high quality training, that is cost effective and safe.”
The next course starts on 11th September 2020. Please book early to avoid disappointment. We can also deliver this course on an in-house basis customised to the needs of your staff. Please get in touch for a quote.
This new course has been designed to mirror our classroom based course that was running successfully throughout the country before the Coronavirus lockdown.
Delegates will benefit from the same fantastic features in a live online learning environment.
Class sizes are 50% smaller to ensure that delegates receives all the attention and support they need to get the best out of the course. They will also have plenty of opportunities to ask questions, test their skills and engage with FOI practitioners from the comfort of their home office.
The four days of training are split up into three online sessions per day. Using our online training platform, delegates will be able to see and hear the course tutors as well as the slides, exercises and case studies. We have also built in 1 to 1 tutor time at the end of each day to provide individual support.
A very comprehensive set of materials, including all legislation, will be posted to delegates in advance of the online sessions. In addition they will have access to our online Resource Lab, which now includes updated videos on key aspects of the syllabus.
This new course builds upon our wealth of experience of designing and delivering online training as well as the delegate feedback from our online GDPR Practitioner Certificate.
Susan Wolf, who has designed this new course says:
“This is a very exciting opportunity. Despite the current difficult times and uncertainties, this online course gives FOI practitioners access to high quality training, that is cost effective and safe.”
The first course starts on 20th August with a special introductory price of £1,995 plus VAT. Places are filling up so book early to avoid disappointment. We can also deliver this course on an in-house basis customised to the needs of your staff. Please get in touch for a quote.
One of the most popular search terms on our blog is “disclosure of names under FOI.” A further question that we were recently asked on a course is whether FOI practitioners should provide their names when they respond to requests.
The names of staff working in public authorities are personal data as defined by Article 4 (1) of GDPR and S. 3 Data Protection Act (DPA) 2018. In addition organisational charts and internal directories that contain staff names are also personal data if they identify individual members of staff. FOI requests may not necessarily be couched as request for staff names. For instance, a requestor may wish to see “ all communications” about a certain subject, but these communications may include the names of those sending and receiving emails. They may wish to find out the names of staff present in specific meetings (which is what happened in the Cox case). The Cox case was the first occasion in which the Upper Tribunal was tasked with considering the principles governing the disclosure of the names of civil servants, but clearly it has wider application to all other public authorities.
When a public authority receives an information request that includes a request for the names of staff, it needs to consider the third-party personal data exemption in S. 40(2) FOI. This is an absolute exemption if:
Disclosure of the third-party personal data (in this case staff) would contravene any of the data protection principles; or
Disclosure would contravene an objection to processing under GDPR Article 21; or –
The personal data would be exempt if the data subject (member of staff concerned) had made a subject access request.
The data protection principles are listed in GDPR Article 5. The first principle is the most relevant in this context. This requires that the processing of personal data must be lawful, fair, and transparent. Disclosing under the FOI constitutes processing.
Before disclosing any staff names the first question is whether the disclosure is lawful. There are six lawful bases for processing in GDPR Article 6, but only consent or legitimate interests are relevant to disclosure under the FOI or EIR. It may be possible to ask staff for their consent to disclose their names. However, given the particularly high threshold for consent to be valid (see GDPR Article 7) and the imbalance of power in an employer/employee relationship, any consent is not necessarily going to be valid.
Legitimate Interests
The alternative lawful basis is that disclosure is “necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interest or fundamental rights and freedoms of the data subject which require protection of personal data…” (GDPR Article 6 (1)(f)). Some readers may be concerned because the GDPR specifically states that public authorities cannot rely on the legitimate interests’ lawful basis when processing in the performance of their tasks. However, this restriction is lifted in relation to disclosure under the FOI or EIR by S.40(8) of FOI and Reg. 13(6) of EIR respectively.
The ICO guidance suggests that public authorities answer three key questions when considering this issue, namely:
Question 1: What is the legitimate interest in disclosure (or what is the purpose)?
This includes the legitimate interest of the public authority or a third party, which is likely to be the requestor. A wide range of interests may be legitimate interests. The requestor may have a personal and private reason for wanting to know staff names, but this makes it no less relevant. In the Halpin case, the Upper Tribunal confirmed that a purely private interest was capable of amounting to a legitimate interest. In this case Mr Halpin wanted details of the training undertaken by two social workers because their capacity and skills were relevant in any appeal against a Care Act assessment.
Question 2: Is it necessary to disclose staff names for that purpose?
This requires a public authority to ask whether it is “necessary” to disclose staff names in order to serve the legitimate interests of the requestor. It may be possible to provide the applicant with alternative information, such as the numbers of staff involved in a meeting and information about their roles and levels of seniority without providing names. For example, in McFerran v Information Commissioner EA/2012/0030,the requestor wanted to know the names of the council staff who were present during a police search of a council property. The Tribunal acknowledged that there was a legitimate interest in knowing that the search had been conducted properly but it was not necessary for the requestor to know the names of the council staff involved.
Question 3: Does the legitimate interest outweigh the interest and rights of the staff concerned?
This involves a balancing exercise. Public authorities need to consider the likely impacts or consequences that disclosure of staff names will have on the staff themselves. Names should not be disclosed if disclosure will cause unjustified adverse effects on the staff concerned. It is important to remember when making this assessment, that disclosure of names under the FOI is to “the world at large”. Again, the Upper Tribunal in Halpin was at pains to emphasise that even if the requestor indicates they have no intention of publicising the information, the public authority loses control of the information once it is disclosed. Disclosure under the FOI is not subject to any duty of confidence. This becomes a relevant factor in deciding whether the disclosure will cause unwarranted harm to the named individuals.
The key question when it comes to disclosing names, is what is the harm that will arise from disclosure? There must be a connection between the disclosure and the harm. Even if disclosure may cause distress to a member of staff this doesn’t automatically trump the legitimate interests of the requestor; the public authority must undertake a balancing exercise. When a public authority carries out this balancing exercise it should take the reasonable expectations of the staff concerned into account. For example, just asking whether the member of staff concerned would have a reasonable expectation that their names would be disclosed to the world at large provides a useful starting point. This also enables the public authority to address the question of fairness. In deciding whether to disclose staff names it is important to think about the public facing nature of the role filled by the individual member of staff ; their seniority in the organisation; whether a public authority has a policy on the disclosure of staff names that informs their expectations. The staff privacy notice should also provide staff with some understanding of when their names may be disclosed in response to FOI request.
Clearly a Chief Executive of an organisation should expect that their name is released into the public domain. As the ICO guidance advises:
“The more senior an employee is and the more responsibility they have for decision making and expenditure of public money, the greater their expectation should be that you disclose their names.”
On the other hand somebody with responsibility for cleaning offices will have a real expectation that their name remains confidential. FOI practitioners are familiar with this assessment, which is based on ICO guidance and an earlier case of Home Office v Information Commissioner EA/2011/0203. This said that the names of junior civil servants are generally protected from disclosure unless they occupy a public-facing role. However the decision in the Cox case makes it clear that each case will depend on its own facts and context. There is no blanket presumption in favour of disclosure of the names of senior officials, each case must be considered carefully and with regard to the legitimate interests of the requestor.
Disclosing Names of FOI practitioners
The question of whether a public authority should disclose the name of a person handling an FOI request raises all of the above considerations. First, what is the legitimate interest in a FOI requestor knowing the name of the person who handled their request? Second, is it necessary to know that person’s name to serve that legitimate interest? Finally does the legitimate interest of the requestor outweigh any harm that may be caused to the member of staff handling the request. There is no legal obligation to disclose staff names and a public authority could refuse under S 40(3) FOI if all of the above are satisfied.
In the interests of transparency many public authorities disclose the names of the person who has handled their request. Given the public facing role and the work that FOI practitioners do it is arguable that their expectation is that their names may be disclosed. However in some organisations FOI requests are dealt with by many different staff at various levels rather than via a single FOI point of contact. In these circumstances more junior staff who have handled requests may have a greater expectation of privacy.
This and other developments will be discussed in our FOI and EIR workshopswhich are now available as an online option. If you are looking for a qualification in freedom of information, our FOI Practitioner Certificate is ideal. It will soon be available as an online option. Please get in touch to learn more.
A recent decision of the Upper Tribunal, under the Freedom of Information Act 2000 (FOI), provides a useful reminder of what a public authority needs to do when applying the public interest test.
FOI practitioners will be familiar with conducting public interests tests when considering whether to apply one of the qualified FOI exemptions and the exceptions in the Environmental Information Regulations 2004 (EIR). Both sets of exemptions/exceptions require a public authority to weigh the public interest in maintaining the exemption against the public interest in disclosure. A public authority can only withhold the information if the public interest in maintaining the exemption outweighs the public interest in disclosure.
Public interest arguments in favour of withholding the information must relate specifically to that exemption. In addition, the public authority must consider all the circumstances of the case. This means that two identical requests to different public authorities may result in different disclosure decisions if the circumstances of the case are different.
Practitioners should be particularly cautious about relying on other cases to help decide where the public interest lies and must not apply blanket refusals to certain types of information. In one of its earlier decisions, the First Tier Tribunal (Information Rights) made it clear that a public authority may have a general policy that the public interest is likely to be in favour of maintaining an exemption in respect of a specific type of information, but any such policy must be flexibly applied, with genuine consideration being given to the circumstances of the particular request (see Guardian Newspaper and Heather Brooke v Information Commissioner (EA/2006/0011)).
Essentially, this ‘weighting’ exercise requires a public authority to consider, in the specific circumstances of each case, whether it is in the public interest to disclose the information or to withhold it. Arguments against disclosure must focus on the factors associated with the particular exemption in question and the interest it seeks to protect (see Oxford City Council and Hogan v Information Commissioner EA/2005/0026). Where, an exemption is about prejudice (under FOI) or adverse effect (under the EIR) then there is an inherent public interest in avoiding that prejudice or adverse effect.
The Ryan Case
The recent Upper Tribunal decision, in Ryan v Information Commissioner [2020] UKUT 54 (AAC), involved a request by Mr Ryan to Kent County Council for information about the Council’s negotiations with Tesco in relation to the sale of council land to Tesco in 2004. Mr Ryan wanted to see the correspondence between the Council, the Council’s agent and Tesco. The land in question was a two-acre site that included an Adult Education Centre and car park. As part of the sale contract, Tesco agreed to provide a shop unit for community use to be leased back to the Council at a nominal rent, with the Council paying the costs of constructing the building. However, in 2015 Tesco decided that it would not proceed with its development plans and subsequently sold the land on to a company for residential development. Consequently the community lost the use of the adult education centre that had to be relocated elsewhere. The health and social care centre that was supposed to have been based in the community shop was forced to move into a smaller space inside a library. Mr Ryan argued that there was a strong public interest in knowing what the Council’s negotiation strategy had been, since the failure of the negotiations with Tesco had clearly caused “ongoing pain” to the community through the loss of these community services.
Following an investigation by the Information Commissioner’s Office (ICO), the Council disclosed the majority of the information requested but continued to withhold one section of a document (“Negotiating Strategy”) relating to its negotiations with Tesco. The Council claimed that disclosure would prejudice its commercial interests and used EIR regulation 12 (5)(e) to withhold this one section. This permits a public authority to refuse a request for environmental information to the extent that its disclosure would adversely affect the confidentiality of commercial or industrial information where such confidentiality is provided by law to protect a legitimate economic interest.
In her Decision Notice (FER0713831) the Commissioner concluded that disclosing the requested information would highlight a tactic used by the council in the negotiations which might well be used in similar circumstances in the future. She decided that the exception was engaged and that the public interest favoured withholding this one piece of information.
The First Tier Tribunal (Information Rights) agreed that the exception was engaged (Ryan v Information Commissioner EA/2018/019). Although the negotiations with Tesco had ended some time ago, the Tribunal decided that disclosure of the relevant tactic may lead parties considering future negotiations with the Council to change their negotiating strategy and that the confidentiality of this commercial information would be adversely affected by disclosure. The Tribunal decided that there was a significant public interest in understanding what happened with the deal and why attempts to obtain the adult education centre and the health and social care centre failed. Disclosure of information about how and why the situation had happened would further the public interest in holding the Council to account for its conduct of this matter and could help to ensure that the same thing does not happen again. On the other hand the Tribunal considered that there was a clear public interest in allowing the Council to approach negotiations on a level playing field; that disclosure would the undermine its negotiating position in future similar negotiations and this would prevent it from obtaining the best value in its land deals, with a consequential effect on the public purse. On balance the Tribunal decided that taking into account the specific information, the public interest arguments and the amount of information that had already been disclosed, that the public interest favoured withholding the small amount of information regarding negotiating tactics. In particular the Tribunal noted that the disputed information would not greatly further the public’s understanding of what had happened, and disclosure would cause substantial damage to the public interest.
On appeal the Upper Tribunal decided that the First Tier Tribunal’s approach was wrong. The latter had not taken into account the content of the disputed information, which in the Upper Tribunal’s view contained nothing “unique or unusual”. The Upper Tribunal stated that the information was about the sort of advice that a local authority would generally be given in the circumstances and that it was also the sort of advice that would be anticipated by the other side. In its view disclosure would not adversely affect the Council in the ways identified by the First Tier Tribunal. However, the Upper Tribunal has remitted the case back to a differently constituted First Tier Tribunal for reconsideration of the public interest.
It is important to look at the disputed information and consider whether its disclosure would further the public interest. In this case the Upper Tribunal suggests that if the information regarding tactics is well known to anyone advising on development issues, disclosure would not do much to further the public interest in disclosure. If the disputed information is not particularly informative then it is important to explain what the public interest in disclosure is that will outweigh the public interest in maintaining an exemption.
The test for the balance of public interests is a comparative one; so that the weaker the case for one side, the less public interest is needed on the other side to outweigh it.
Under the EIR it is necessary to show how the presumption in favour of disclosure has been factored into the consideration. This applies to public authorities, the Commissioner, and the First Tier Tribunal.
This case concerned a qualified exception under EIR and therefore technically only provides a precedent in relation to that legislation. When a public authority is applying one of the EIR exceptions it must show how it has factored the presumption in favour of disclosure into its considerations. A public authority would be well advised to explain how it has done this in the Refusal Notice.
The FOI does not include an expressly stated presumption in favour of disclosure, so this aspect of the judgment has no bearing on it. However, this case provides some useful lessons for practitioners when dealing with qualified exemptions under the FOI. The first two observations listed above have equal force when dealing with qualified exemptions under the FOI and serve to remind us that it is always necessary to consider whether and how disclosure of the disputed information will further the public interest, and to deal with each case on its own set of facts.
This and other developments will be discussed in our FOI and EIR workshopswhich are now available as an online option. If you are looking for a qualification in freedom of information, our FOI Practitioner Certificate is ideal.
Section 77 of the Freedom of Information Act 2000 (FOI) makes it a criminal offence for a person to do anything with the intention of preventing the disclosure of information pursuant to an FOI request. This offence is often briefly discussed in our FOI workshops. We say “briefly” because nobody has ever been prosecuted and our delegates reliably assure us that “that sort of thing never happens.” However, in March 2020, a town clerk became the subject of the first successful criminal prosecution under section 77 of FOI.
Nicola Young worked for Whitchurch Town Council in Shropshire. After pleading guilty to the charges, she was fined £400 and ordered to pay £1,493 costs and a victim surcharge of £40. The facts of the case are that a person had made an FOI request to Whitchurch Town Council for a copy of an audio recording of a council meeting.
They believed that the written minutes of the meeting had been fabricated and so they wanted to listen to the recording of the meeting. Ms Young deliberately deleted the audio recording a few days later and then advised the requestor that the audio file had been deleted as part of the council’s destruction policy. The Information Commissioner became involved when the requestor complained to her office. Readers may think that the fine is very low but it is important to remember that Ms Young now has a criminal conviction that will almost certainly affect her career prospects.
The Section 77 Offence
The S.77 offence requires three things to be proven:
The information was requested by an applicant and they would have been entitled to receive the information (subject to the payment of any fee). If the deletion or alteration occurs before the information request is received, then no offence is committed.
The person charged with the offence did one of the following things to the information; namely altered it, defaced it, blocked it, erased it or destroyed it.
And the person charged, intended to prevent the public authority from disclosing some or all of the information to the applicant. In other words their actions were deliberate.
Section 77 does not provide any statutory defence. However, a prosecution will fail if the prosecution cannot prove that the defendant had the necessary intent (what lawyers call “mens rea”). Prosecutions are brought by the Information Commissioner or by or with the consent of the Director of Public Prosecutions. Cases can only be tried in the magistrates’ court. The offence can be committed by any public authority and any person who is employed by, is an officer of, or is subject to the direction of a public authority. Regulation 19 of the Environmental Information Regulations 2004 creates an identical offence, albeit with slightly different provisions governing government departments.
Why is this the First Prosecution?
There are two main reasons why we have not seen successful prosecutions under S.77 of FOI before this case.
Firstly, the ICO only has six months to bring a prosecution. This period runs from the date that the offence is committed, not from the date that the ICO becomes aware of it. In practice the ICO will not be called to investigate a complaint until an applicant has exhausted a public authority’s internal review procedures. The Act doesn’t specify how quickly a public authority should complete an internal review, but the S.45 Code of Practice states that this should normally be within 20 working days. This effectively means that the ICO is unlikely to be investigating a complaint until at least a month, or probably two, has elapsed since the request. That assumes that the ICO can investigate as soon as the complaint is received, which is not normally the case.
Secondly, for a successful prosecution under S.77 there must be proof of intent to destroy, conceal, deface etc. Given that this is a criminal offence the proof must be “beyond reasonable doubt.” This may be difficult to do so long after the event and if there is insufficient evidence to prove that the destruction etc was deliberate. During an investigation, the ICO will almost certainly want to see a public authority’s information disposal schedule. Its guidance notes that a disposal schedule will also offer an authority a defence to any suggestion that a S.77 offence has been committed. It will be able to explain that a record containing the requested information was destroyed as part of its routine disposal process.
This is the first prosecution in 15 years under S.77 of FOI which demonstrates the difficulties mentioned above. It does not necessarily mean that offences have not been committed before, but more likely that the ICO’s investigations have not been conclusive within the six-month period.
It is worth noting that the Data Protection Act 2018 introduces a new criminal offence in almost identical terms. Under S.173 DPA a person commits an offence where they, upon receiving a data subject access request, alter, deface, block, erase, destroy or conceal personal data with the intention of preventing disclosure. There are two defences available. Firstly it is a defence if the alteration, defacing, etc would have occurred in the absence of a subject access request. For example, if the information is destroyed as part of an organisation’s data destruction schedule. The second defence is where a person can prove that they acted in the reasonable belief that the person making the request was not entitled to receive the information. To the best of our knowledge there have been no prosecutions under S.173 to date. It remains to be seen whether the Information Commissioner will face the same problems, as under S.77 FOI, in relation to bringing proceedings. However, she has brought a successful prosecution under S.170 DPA 2018 which relates to the unlawful obtaining of personal data.
This and other FOI developments will be discussed in our FOI workshops which are now available as an online option. If you are looking for a qualification in freedom of information, our FOI Practitioner Certificate is ideal.
Responding to the Covid-19 pandemic is stretching our public services. Most obviously the NHS is diverting all the resources it can to meeting critical health needs. But local authorities are also struggling to maintain vital services in the face of unprecedented demands and staff who, if not already ill and self-isolating, are obliged to comply with social distancing measures. Other public authorities are facing logistical challenges in maintaining services and some are even having to put some staff on HMRC-funded furlough.
In such challenging circumstances, where does dealing with information requests under Freedom of Information and DataProtection laws sit in the scheme of priorities? Many authorities who are fortunate enough to have staff dedicated to handling FOI requests or data subject access requests will have re-tasked them to undertake more business-critical roles. Where staff have information request handling as only part of their role, other more pressing duties are likely to trump FOI and DP timescales. And where staff are working from home and access to premises either discouraged or forbidden, manual records may remain inaccessible for weeks or months to come. Where requests are made by post, they may be delivered to offices which will not be staffed for some time.
The response of the Scottish Government has been robust. On 1 April 2020, the Scottish Parliament passed the Coronavirus (Scotland) Bill which, while retaining the statutory requirement to “respond promptly”, extends the timescale for responding to requests under the Freedom of Information (Scotland) Act 2002 from twenty to sixty working days. Moreover, Part 2 of Schedule 6 provides a mechanism for the Scottish Ministers to allow Scottish public authorities to extend the timescale, subject to providing written notice to the applicant, by a further forty working days, where the authority “determines that it is not reasonably practicable to respond to the request within the relevant period because of… (a) the volume and complexity of the information requested, or (b) the overall number of requests being dealt with by the authority at the time that the request is made.”
The emergency legislation also allows the Scottish Information Commissioner to find that a public authority has not failed in their duties under FOISA if he is satisfied that the failure to respond within timescales was due to the impact of coronavirus and reasonable in the circumstances. The Scottish Information Commissioner for his part is keen to remind public authorities that their duty to respond promptly remains, that the measures are temporary, and that they do not extend to the Environmental Information (Scotland) Regulations 2004 (EISR).
Of course, the Scottish Parliament cannot legislate with regard to data protection (where EU and UK legislation applies) nor can it amend the timescales for requests under the EISR as they implement the obligations of the Aarhus Convention. But as far as they can do so, the Scottish Government and Parliament have sought to relax the demands of information requests in the face of the pandemic.
For data subject access requests under GDPR (or s 45 of the Data Protection Act 2018 where they relate to law enforcement processing) and requests under the Freedom of Information Act 2000, there is no relaxation of the law. This was despite the call to do so from some quarters, including the Local Government Association who called on Parliament to include measures “temporarily relaxing the requirements on councils in regard to GDPR and FOI”. We rely instead on flexibility from the Information Commissioner as regulator.
While the UK Government did not take the opportunity of the Coronavirus Act to take extend time limits(and would be unable to do so in any case with regard to GDPR as we are still in the transition period), the ICO has made clear they will not penalise organisations who have made understandable decisions to prioritise other tasks. As they state on their website, “We are a reasonable and pragmatic regulator, one that does not operate in isolation from matters of serious public concern. Regarding compliance with information rights work when assessing a complaint brought to us during this period, we will take into account the compelling public interest in the current health emergency.”
Organisations should therefore be reassured that they are unlikely to face official censure or significant public criticism if they make reasonable decisions to prioritise other tasks to protect and serve the public ahead of normal levels of service for FOI requests and subject access requests. If your organisation, almost inevitably, is finding it difficult to meet the timescales at this difficult time, we would suggest you take a common-sense and measured approach:
Make a record of your decisions to re-allocate resources from handling information rights requests to other service-delivery priorities;
Document the practical challenges (such as inaccessibility of manual records or post, and unavailability of key colleagues) which mean that it is “reasonable in all the circumstances” that the organisation is not able to meet normal levels of performance;
Manage the expectations of applicants through your website and in your acknowledgements of requests and your automated email responses, and continue to communicate with applicants as far as you are able to do so;
At the point at which your organisation, and the rest of humanity, is beginning to recover from the Covid-19 emergency, develop and document an action plan for addressing any backlog of requests which has built up.
At Act Now, we are passionate about the importance of information rights: They are at the heart of our democracy and our human rights. But the right to life must take priority over others, and we would be the first to recognise that organisations and individuals must make decisions which put people first, particularly at a time of global emergency.
Be kind and stay safe.
More on this and other developments in our FREE GDPR update webinar. Looking for a GDPR qualification from the comfort of your home office? Our GDPR Practitioner Certificate is now available as an online option.
