What Has the Freedom of Information Act Ever Done for Us? 

1st January 2025 marked the 20th anniversary of the Freedom of Information (FOI) Act 2000 coming into force. FOI advocates argue that the Act has transformed the landscape of public information access, empowering citizens, journalists, and organisations to hold public bodies more accountable while fostering a culture of openness. However, some critics consider it a “snooper’s charter” that has impeded government efficiency. Tony Blair, whose government enacted FOI, expressed regret in his memoirs: 

“Freedom of Information. Three harmless words. I look at those words as I write them, and feel like shaking my head till it drops off my shoulders. You idiot. You naive, foolish, irresponsible nincompoop. There is really no description of stupidity, no matter how vivid, that is adequate. I quake at the imbecility of it.” 

With these differing views in mind, let’s take a closer look at some of the FOI Act’s achievements.  

Greater Transparency 

One of the most significant achievements of the FOI Act is its enhancement of transparency in government operations. By granting individuals the right to request information from public authorities, the Act has helped lift the veil on many aspects of governmental and institutional processes. This increased transparency has led to greater scrutiny of decision-making, financial management, and policy implementation. 

A notable example of this was the 2009 MPs’ expenses scandal. FOI requests exposed widespread misuse of public funds by Members of Parliament, leading to resignations, repayments, and reforms in the parliamentary expenses system. Such revelations underscore how the FOI Act has empowered citizens to hold public officials accountable. 

Empowering Citizens and Strengthening Democracy 

The FOI Act has also played a pivotal role in empowering citizens. By democratising access to information, it allows anyone to request details from public bodies without needing to justify their reasons. This access enables citizens to engage more effectively in public debates and advocacy efforts, armed with facts and data obtained through FOI requests. 

One example of this empowerment was seen in 2013 when FOI requests helped expose racial disparities in police stop and search practices. This revelation sparked widespread public concern and contributed to reforms in policing policies.
Similarly, FOI requests uncovered the disproportionate closure of public libraries in deprived areas, prompting national discussions on equitable access to public services. 

Accountability Through Public Scrutiny 

Accountability is a cornerstone of good governance, and the FOI Act has played an instrumental role in ensuring that public officials and institutions are answerable to the people they serve. Numerous FOI disclosures have led to public outcry and prompted subsequent reforms.  

For example, in 2006, widespread concern about knife crime, fuelled by several high-profile cases, led to a highly publicised knife amnesty by the police. Tens of thousands of knives were handed in. However, an FOI request later revealed that a statistical evaluation of the amnesty in London found that, just weeks after the operation, knife crime rates were back to pre-amnesty levels. This disclosure, which might otherwise have been suppressed, demonstrated how FOI can provide vital, often inconvenient, truths that drive public policy. 

Promoting Ethical Conduct and Integrity 

The FOI Act has not only exposed wrongdoing but also served as a deterrent against unethical behaviour. Public officials are more likely to act with integrity, knowing that their actions could be subject to public scrutiny. 

In 2021, a BBC Panorama investigation revealed serious patient safety issues buried in confidential hospital reports. FOI requests led to the discovery of 111 reports, authored by medical royal colleges, which NHS trusts were legally obligated to share. Of those, only 26 were published, and 80 had not been shared with regulators at all. The resulting public outcry prompted greater attention to transparency within the NHS. 

Challenges and the Road Ahead 

Despite its successes, the FOI Act has faced several challenges, and notable gaps in the framework still need to be addressed. Currently, it does not extend to private entities performing public functions or receiving substantial public funding. Surprisingly, the Labour General Election manifesto made no reference to FOI despite the Party arguing for many years that private contractors delivering public services should be subject to FOI.  This leaves a significant transparency gap, where key information remains inaccessible. Expanding the scope of the FOI to include these entities would help ensure that transparency and accountability are maintained across all sectors receiving public money. 

Another challenge is the slow or inadequate response to FOI requests by some public authorities. While the Information Commissioner has taken action in recent years to hold public bodies accountable for FOI failures, from police forces to local councils and government departments, response times can still be unacceptably long. 

Although FOI contains exemptions to protect sensitive information, there are instances where these exemptions are applied excessively or inappropriately, leading to the withholding of information that could otherwise be disclosed. This undermines the spirit of the Act and hampers transparency. (See the recent article in the Guardian, “‘Dubious’ use of the Freedom of Information Act stopping access to files on Prince Andrew, researchers say”.) In 2021, current and former editors of Britain’s leading newspapers expressed concern over the government’s handling of FOI requests. In an open letter, they called for an investigation into a Cabinet Office unit – the Clearing House – which is alleged to have profiled journalists and blocked FOI requests.

As we celebrate the 20th anniversary of the Freedom of Information Act, it is clear that the Act has been a game-changer for transparency, accountability, and democratic engagement in the UK. While there have been notable achievements, the journey is far from complete. To maximise its potential, the FOI Act should be strengthened in key areas, including expanding its coverage and ensuring that public authorities are adequately resourced to handle requests in a timely and efficient manner. The next 20 years will be critical in determining whether the FOI can continue to serve its intended purpose: fostering an informed, engaged, and accountable public. 

Are you an experienced FOI officer wishing to advance your career in 2025? Our FOI Intermediate Certificate strengthens the foundations established by our FOI Practitioner Certificate. It will help you become an adept FOI practitioner by delving deeper into the intricacies of the FOIA, equipping you with the skills and confidence to navigate its complexities. 

Common FOI Requests By Sector

Despite the General Election, it’s business as usual for FOI practitioners. In fact, many will report an increase in FOI requests. Understanding what requestors are interested in can help FOI practitioners to consider whether proactive publication of this information would benefit their organisation and help to reduce information requests. 

Working with WhatDoTheyKnow (WDTK), the ICO have analysed a sample of more than 150,000 requests made during 2022 and identified common themes in the information that has been requested. This has been broken down into 5 sectors:

Health

  • Meetings, committees, and minutes
  • Data and statistics
  • Complaints 
  • Recruitment and staffing information, including fuel allowance and travel costs
  • Policies
  • Mental health care

Local Government 

  • Highways, roads and parking  
  • Bus lanes and bus services
  • Children, schools and care
  • Housing and planning
  • Contracts
  • Internal correspondence
  • Asbestos

Education 

  • Admissions
  • Grades, scores and results 
  • Management and finances 
  • Economics, law, engineering, science and medicine courses

Central Government 

  • Data and statistics
  • Correspondence and communications
  • Meetings
  • Covid-19
  • Costs

Emergency Services 

  • Statistical information
  • Hate crimes, crimes of a sexual nature, assault, and stalking
  • Vehicle and fleet 
  • Roads and speed limits

The ICO says that understanding the public’s information needs can better equip public authorities to meet one of the challenges set out in their recent open letter to senior leaders: ‘… look at what people are asking you about and actively publish it.’ Proactive publication also leads to greater transparency and could decrease the number of information requests public authorities receive.

Our FOI Exemptions workshop is ideal for FOI Officers who want to develop their knowledge of the exemptions and sharpen their Refusal Notice writing skills.

Lessons On Transparency: The ICO Experian Appeal

The Information Commissioner’s Office recently lost its appeal in the Upper Tribunal in relation to an Enforcement Notice issued to Experian.  

The case concerned Experian’s marketing arm, Experian Marketing Services (EMS), which provides analytics services for direct mail marketing companies. It obtains personal data from three types of sources: publicly available sources, third parties and Experian’s credit reference agency (CRA) business. The company processes this personal data to build profiles about nearly every UK adult. An individual profile can contain over 400 data points. The company sells access to this data to marketing companies that wish to improve the targeting of their postal direct marketing communications.

On 20th February 2023, the First-Tier (Information Rights) Tribunal (FTT) overturned an ICO Enforcement Notice issued to Experian. The notice alleged several GDPR violations, namely: Art. 5(1)(a) (Principle 1, Lawfulness, fairness, and transparency), Art. 6(1) (Lawfulness of processing) and Art. 14 (Information to be provided where personal data have not been obtained from the data subject). For more detail of the FTT judgement, read our earlier blog here.

On 23rd April 2024, the Upper Tribunal dismissed the ICO’s appeal against the FTT’s judgment. This can be read here along with a useful press summary. The Upper Tribunal backed the FTT’s conclusions while repeatedly criticising its unclear reasoning. 

The broader value of the judgment lies in its guidance, for the first time at this level, on what the transparency requirement under the UK GDPR involves (see paragraph 95). It also sets out its views on the current data protection landscape more generally. 5 Essex Court have a good summary of the judgement on their website.

The ICO has issued a (“Let’s look on the bright side”) statement stating that: 

“The ICO will take stock of today’s judgment and carefully consider our next steps, including whether to appeal.” 

This and other data protection developments will be discussed in detail on our forthcoming GDPR Update workshop. 

Experian’s GDPR Appeal: Lawfulness, Fairness, and Transparency

On 20th February 2023, the First-Tier (Information Rights) Tribunal (FTT) overturned an Enforcement Notice issued against Experian by the Information Commissioner’s Office (ICO). 

This case relates to Experian’s marketing arm, Experian Marketing Services (EMS), which provides analytics services for direct mail marketing companies. It obtains personal data from three types of sources: publicly available sources, third parties and Experian’s credit reference agency (CRA) business. The company processes this personal data to build profiles about nearly every UK adult. An individual profile can contain over 400 data points. The company sells access to this data to marketing companies that wish to improve the targeting of their postal direct marketing communications. 

The ICO issued an Enforcement Notice against Experian in April 2020, alleging several GDPR violations, namely: Art. 5(1)(a) (Principle 1, Lawfulness, fairness, and transparency), Art. 6(1) (Lawfulness of processing) and Art. 14 (Information to be provided where personal data have not been obtained from the data subject). 

Fair and Transparent Processing: Art 5(1)(a) 

The ICO criticised Experian’s privacy notice for being unclear and for not emphasising the “surprising” aspects of Experian’s processing. It ordered Experian to: 

  • Provide an up-front summary of Experian’s direct marketing processing. 
  • Put “surprising” information (e.g. regarding profiling via data from multiple sources) on the first or second layer of the notice. 
  • Use clearer and more concise language. 
  • Disclose each source and use of data and explain how data is shared, providing examples.  

The ICO also ordered Experian to stop using credit reference agency data (CRA data) for any purpose other than those requested by Data Subjects. 

Lawful Processing: Arts. 5(1)(a) and 6(1) 

All processing of personal data under the GDPR requires a legal basis. Experian processed all personal data held for marketing purposes on the basis of its legitimate interests, including personal data that was originally collected on the basis of consent. Before relying on legitimate interests, controllers must conduct a “legitimate interests assessment” to balance the benefits of the processing against the risks. Experian had done this, but the ICO said the company had got the balance wrong. It ordered Experian to: 

  • Delete all personal data that had been collected via consent and was subsequently being processed on the basis of Experian’s legitimate interests. 
  • Stop processing personal data where an “objective” legitimate interests assessment revealed that the risks of the processing outweigh the benefits. 
  • Review the GDPR compliance of all third parties providing Experian with personal data. 
  • Stop processing any personal data that has not been collected in a GDPR-compliant way. 

Transparency: Art. 14 

Art. 14 GDPR requires controllers to provide notice to data subjects when obtaining personal data from a third-party or publicly available source. Experian did not provide such notices, relying on the exceptions in Art. 14. 

Where Experian had received personal data from third parties, it said that it did not need to provide a notice because “the data subject already has the information”. It noted that before a third party sent Experian personal data, the third party would provide Data Subjects with its own privacy notice. That privacy notice would contain links to Experian’s privacy notice.
Where Experian had obtained personal data from a publicly available source, such as the electoral register, it claimed that to provide a notice would involve “disproportionate effort”. 

The ICO did not agree that these exceptions applied to Experian, and ordered it to: 

  • Send an Art. 14 notice to all Data Subjects whose personal data had been obtained from a third-party source or (with some exceptions) a publicly available source. 
  • Stop processing personal data about Data Subjects who had not received an Art. 14 notice. 

The FTT Decision  

The FTT found that Experian committed only two GDPR violations: 

  • Failing to provide an Art. 14 notice to people whose data had been obtained from publicly available sources. 
  • Processing personal data on the basis of “legitimate interests” where that personal data had been originally obtained on the basis of “consent” (by the time of the hearing, Experian had stopped doing this). 

The FTT said that the ICO’s Enforcement Notice should have given more weight to:  

  • The costs of complying with the corrective measures. 
  • The benefits of Experian’s processing. 
  • The fact that Data Subjects would (supposedly) not want to receive an Art. 14 notice. 

The FTT overturned most of the ICO’s corrective measures. The only new obligation on Experian is to send Art. 14 notices in future to some people whose data comes from publicly available sources. 

FTT on Transparency 

Experian had improved its privacy notice before the hearing, and the FTT was satisfied that it met the Art. 14 requirements. It agreed that Experian did not need to provide a notice to Data Subjects where it had received their personal data from a third party. The FTT said that “…the reasonable data subject will be familiar with hyperlinks and how to follow them”.
People who wanted to know about Experian’s processing had the opportunity to learn about it via third-party privacy notices. 

However, the FTT did not agree with Experian’s reliance on the “disproportionate effort” exception. In future, Experian will need to provide Art. 14 notices to some Data Subjects whose personal data comes from publicly available sources. 

FTT on Risks of Processing 

An ICO expert witness claimed that Experian’s use of CRA data presented a risk to Data Subjects. The witness later admitted he had misunderstood this risk. The FTT found that Experian’s use of CRA data actually decreased the risk of harm to Data Subjects. For example, Experian used CRA data to “screen out” data subjects with poor credit history from receiving marketing about low-interest credit cards. The FTT found that this helped increase the accuracy of marketing and was therefore beneficial. As such, the FTT found that the ICO had not properly accounted for the benefits of Experian’s processing of CRA data. 

The ICO’s Planned Appeal 

The FTT’s decision focuses heavily on whether Experian’s processing was likely to cause damage or distress to Data Subjects. Because the FTT found that the risk of damage was low, Experian could rely on exceptions that might not have applied to riskier processing.  

The ICO has confirmed that it will appeal the decision. There are no details yet on their arguments but they may claim that the FTT took an excessively narrow interpretation of privacy harms. 

This and other data protection developments will be discussed in detail on our forthcoming GDPR Update workshop. There are only 3 places left on our next Advanced Certificate in GDPR Practice.

The WhatsApp GDPR Fine 

On 2nd September, the instant messaging service WhatsApp was fined €225 million by the Irish Data Protection Commission (DPC) under GDPR. It is the largest fine issued by the DPC and the second highest in the EU (In July Luxembourg’s National Commission for Data Protection fined Amazon €746 million after finding that the way the e-commerce giant handles people’s personal data, especially around personalised ads, was not GDPR compliant).

The background to the WhatsApp fine is an investigation by the DPC, which started in December 2018. WhatsApp users are required to provide the company with all their contacts’ phone numbers. Some of these will inevitably belong to non-WhatsApp users.
The DPC found that these numbers were also personal data because the subjects were identifiable and consequently WhatsApp was the data controller in relation to such data.

The DPC then evaluated WhatsApp’s compliance with the transparency obligations set out in Articles 14 and 12(1) of GDPR. WhatsApp argued that it took “appropriate measures” to inform non-users of the “very limited ways” in which it processed their personal data. This was supposedly done by stating in its privacy policy that users provide the company with all their contacts’ phone numbers.

The DPC rejected this argument, pointing to the lack of a discoverable and accessible “public notice” that would provide non-users of WhatsApp services with the information they are entitled to under Article 14. For example, they should be provided with details about the “circumstances in which any non-user personal data is shared with any of the Facebook Companies” (Facebook bought WhatsApp in 2014). It emphasised that the burden of providing such information is outweighed by “the role and utility of the right to be informed”.

The DPC also ruled that WhatsApp had not complied with Article 13 in relation to the privacy information it provided to users. It specifically assessed the extent to which WhatsApp explained its relationship with the Facebook companies and any consequent sharing of data. It criticised the manner in which the information is spread out “across a wide range of texts”, and how a significant amount of it is so high level as to be meaningless. It pointed out how the Facebook FAQ is only linked to WhatsApp’s privacy policy in one place. The information being provided was “unnecessarily confusing and ill-defined”. 

In addition to the fine, the DPC has also imposed a formal reprimand (under GDPR Art. 58(2)(b)) along with an order (under GDPR Art. 58(2)(d)) for WhatsApp to bring its processing into compliance by taking eight specified remedial actions. WhatsApp has 3 months to comply. One of the remedial actions is to remind users of their GDPR rights, which will lead to substantially more work for WhatsApp in meeting these requests.

Data Controllers need to assess how well their privacy policies and notices comply with Articles 13 and 14. This case shows that regulators are willing to enforce GDPR transparency obligations on data controllers even where the obligations are difficult to meet because, like WhatsApp, they have millions of non-service user data subjects with whom there is no direct relationship.

WhatsApp has confirmed that it will appeal the decision. 

Most of our courses are now available as both classroom and online options. The GDPR Practitioner Certificate is our most popular certificate course with many courses filling up fast. We have added more dates.

Veni, Veto, Vici: Court of Appeal FOI Veto Case and its Implications

What effect will the Court of Appeal’s recent decision on the FOI – and EIR – ministerial veto have on another recent case – the vetoing of the decision to require disclosure of the High Speed Rail assessment review?

On 6 June 2013 the Information Commissioner (IC) served a Decision Notice under the Environmental Information Regulations 2004 (EIR). Section 50(4) of the Freedom of Information Act 2000 (FOIA) gives the IC the power to do so (those powers being extended to the EIR by Regulation 18). The Decision Notice required the Cabinet Office to disclose a Project Assessment Review (“PAR”) report concerning the high-speed rail link, High Speed Two (HS2). On 30 January 2014 Patrick McLoughlin, Secretary of State for Transport, signed a certificate pursuant to section 53 of FOI and Regulation 18(6) of the EIR. The effect of this certificate was that the Cabinet Office was no longer required to comply with the IC’s Decision Notice:

“the decision taken by the Cabinet Office not to disclose the PAR report in response to the relevant request was fully in accordance with the provisions of the EIR, or the Act, as appropriate”

Of course, this exercise of ministerial veto – described as a “constitutional aberration” by the Lord Chief Justice (Evans, R (on the application of) v HM Attorney General & Anor [2013] EWHC 1960 (Admin)) – is not unprecedented; the power has now been wielded seven times (twice by the Labour government and five times by the coalition). The minister, notably, was minded to disagree with the IC that the request had fallen to be determined under the EIR, rather than FOIA:

“there is considerable force in the Cabinet Office’s position that the information within the PAR report was insufficiently proximate to the environmental impact of the HS2 project itself to amount to “environmental information” for the purposes of the EIR”

However, he went on to say that:

“it is not necessary for me to determine whether the PAR report is environmental information, because I take the view that the Cabinet Office was entitled to withhold it from disclosure, whether or not it consisted of environmental information”

This is perhaps surprising, because at the time he issued that veto certificate there was an argument, being aired in the Court of Appeal, that the power to exercise the veto does not exist under the European law to which the EIR give domestic effect.

Now, the Court of Appeal has handed down judgment (Evans, R (on the application of) v HM Attorney General & Anor [2014] EWCA Civ 254). The case is being recognised, correctly, as primarily about the specific lawfulness of the vetoing of the disclosure of private correspondence on policy matters between the Prince of Wales and government departments. However, as in the Divisional Court beforehand, one point which fell to be determined was about the general status of the veto power in relation to environmental information. On this point the Court of Appeal held that

“the certificate is incompatible with EU law in so far as the information to which it relates is environmental information”

The court’s reasoning was that, although the EIR, by Regulation 18, provide for a ministerial veto, no such power exists in Directive 2003/4/EC of the European Parliament and of the Council of 28 January 2003 on public access to environmental information (“the Directive”), which is implemented in domestic legislation by the EIR. Moreover, Article 6(2) of the Directive says, crucially:

Member States shall ensure that an applicant has access to a review procedure before a court of law or another independent and impartial body established by law, in which the acts or omissions of the public authority concerned can be reviewed and whose decisions may become final

And this requirement to have a “final” review before a court or independent and impartial body could not be satisfied by the availability of judicial review of a ministerial veto. Article 6(2) and (3) should be given their natural and ordinary meaning: the right is to have the acts or omissions of the public authority reviewed, but in judicial review proceedings the question becomes whether the accountable person had reasonable grounds for forming the opinion that the public authority had in fact complied with its EIR obligations and, “that difference is not a mere matter of form”. Moreover, and for broadly similar reasons, the veto power offended Article 47 of The EU Charter of Fundamental Rights which provides:

“Everyone whose rights and freedoms guaranteed by the law of the Union are violated has the right to an effective remedy before a tribunal in compliance with the conditions laid down in this Article”

So what does this mean for the veto on the HS2 “PAR” request? It certainly appears at the moment that, following the Court of Appeal’s ratio in Evans, and to the extent that the HS2 request was for environmental information, the veto may be unlawful if (as has been suggested) it is challenged. However, there are two caveats to that. Firstly, the Attorney General has been given permission to appeal Evans to the Supreme Court: it seems highly likely that the general EIR point will be appealed, as well as the overarching specific point about the public law validity of the veto (if the former is not appealed, then it would mean in effect that the government accepts that the EIR fail properly to implement the Directive). Secondly, we must look back to the suggestion by the Minister when issuing the certificate in the HS2 veto that he tended to disagree with the IC that the information in question was environmental. Much, despite what he implied about the lack of need to determine this point, may now turn on this: if the information was environmental then Evans, providing the EIR point is not overturned by the Supreme Court, may well lead to the veto being struck down. If, however, the information was not environmental, and FOIA applied, then any appeal of it will presumably be on domestic public law grounds.

At this point it is probably otiose to start speculating on what will happen with requests which are classed as hybrid ones – namely, those which seek information which is a mix of environmental and non-environmental (as, indeed, those in both Evans and the HS2 case arguably are). All these matters are by no means yet resolved.

Jon Baines is Chairman of the National Association of Data Protection Officers (NADPO) and works in local government.

Ibrahim Hasan will be discussing this and other recent FOI decisions in the FOI Update workshops and online webinars.