Number crunching

At least according to Wikipedia, St Basil of Caeseria is the patron saint of hospital administrators, while lighthouse keepers enjoy the patronage of both St Dunstan and St Venerius the Hermit. In the light of such specificity, it seems unjust that Freedom of Information Officers have no more appropriate option that St Thomas More, who covers the broad spectrum of politicians, statesmen, lawyers, civil servants, and court clerks. My vote would go to St Jude, who sponsors lost or hopeless causes, although a case could possibly be made for St Alban, who as well as converts and refugees, is the patron saint of torture victims.

St Albans Council hit the local headlines in September, when the St Albans and Harpenden Review reported the huge burden on the council represented by FOI requests. Councils bleating about the cost of FOI is not a new story, and I have complained about it repeatedly. But fans of the genre will have enjoyed some novel twists among the usual invented cost totals and reassurances that the Council takes FOI seriously. For one thing, the Council Leader Julian Daly aimed his fire at commercial companies rather than the public: “what makes me particularly annoyed are requests from businesses using FOI to get detailed information for commercial gain, instead of investing in market research“. Paul Bradshaw has already beaten me to the observation that businesses, like the public, are taxpayers anyway, but more importantly, it’s hard to imagine how a company would get market research data in any other way than FOI, unless the information was already published.

A second element was even more intriguing. In breaking down the percentages for April to June, St Albans claimed that as well as the whopping 57% of requests from commercial applicants, 13% of requests were from the Metropolitan Police. The technical term for this is bollocks, but I didn’t want to say so without checking. I made an FOI request to St Albans Council after the story resurfaced in the Herts Advertiser in October, and the results were interesting.

One question I asked was: “Did any of these police requests mention ‘Freedom of Information’ or ‘FOI’?“. Although they devoted several paragraphs to explaining their FOI process, St Albans did not actually answer, so I am going to assume that none of them did. It is true that an FOI applicant does not need to specify that they are making an FOI request, and St Albans drew my attention to a section on the Information Commissioner’s website which says that any request for information that is plainly not an EIR or a subject access request should be treated as an FOI: “Any other non-routine request for information you hold should be dealt with under the Freedom of Information Act“. It is always unwise to rely on the ICO’s website, which is generally written as if the reader is a nine-year-old; complexity and subtlety are studiously avoided. Nevertheless, even on the face of it, the ICO’s text does not support St Albans’ interpretation. A request from the police as part of an investigation is plainly ‘routine’ – St Albans received more of such requests than they did FOI requests from the public, a total of 35 in one three month period.

More importantly, when I asked how many of the Met Police requests were made under Section 29 of the Data Protection Act (i.e. made explicitly under completely separate legislation), they admitted that all of them were, and any data was disclosed under that section. It’s not clear (and I probably should have asked) whether St Albans formally refused these requests under FOI before disclosing under the DPA, but I bet that they didn’t. The police were using the Data Protection Act for what the ICO’s Data Sharing Code of Practice calls a ‘disclosure’, and what is more commonly (though less accurately) known as a data sharing request. They were asking not that the data be disclosed under FOI, but that it be disclosed one data controller to another, for the purposes of conducting a criminal investigation. The idea that anyone could think that this was an FOI request is nonsense.

It’s entirely logical for the same people who process FOI and EIR request to also handle subject access and DPA disclosures. Indeed, given that there is currently no formal obligation in England, Wales and Northern Ireland to collate and report FOI statistics to anyone, there is no reason why St Albans’ information requests team shouldn’t lump all of their workload into one system to keep track of it all. It would be nobody else’s business if they did. It’s possible that when the issue came up, the police requests were included by mistake.

The problem comes in the way that St Albans have tried to use the volume and cost of their requests as part of the FOI burden narrative that local government is still enthusiastically engaged in. A statistically significant portion of the requests they complained about were nothing to do with FOI at all. If St Albans Council can afford to stage free PR events for Eastenders Actors, then local taxpayers of any type making FOIs should pass without comment. However, if we are to have a debate about the FOI burden, it has to be conducted honestly. The Herts Advertiser version of the story remarked that St Albans received markedly more than surrounding authorities, and I can only conclude that this is because Dacorum and Watford don’t count electricity bills and stuff written on toilet walls in their FOI totals.

I don’t blame the FOI officers for this; I assume that most of the anti-FOI propaganda is generated by PR teams, senior officers and politicians. But given that it is certain that the St Albans figures have been exaggerated by the inclusion of police requests, any assertion they make about the total cost, the average cost to households, even the total number of requests that they have received, is meaningless. If public authorities want to talk about FOI, they have to start by getting their facts straight.

Tales from the Crypt

If you don’t work in local government, you may never have encountered the Local Government Ombudsman, an organisation devoted to giving nutcases somewhere to grind their axes investigating possible maladministration in councils. The scope of the LGO’s work includes everything that councils do, but inevitably many complaints are about the most sensitive areas: child protection, looked after children, adoption, and adult social care. In dealing with complaints from the public, the LGO gets access to genuinely and (in Data Protection terms) legally sensitive information. Inevitably, given that councils have been the target of more ICO civil monetary penalties than any other sector, largely because councils are dumb enough to keep dobbing themselves in to Wilmslow, many are keen to use the most secure way of sending this confidential data to the Ombudsman.

It may seem odd, therefore, that the LGO sent an email to councils last month, containing the following message:

Encrypt or not to encrypt – that is the question …..

We’ve had a number of issues accessing encrypted emails which have been sent to us by councils. Whilst we appreciate that your information security policy may dictate how you send information to us, if there is any discretion please only send encrypted emails when it’s absolutely necessary.

Someone mentioned the gist of it to me, but I made an FOI request to the LGO to be certain that they really were sending out such a daft message. The LGO’s Information and Records Manager rather sweetly explained in their response to me that “our intention in sending this request was discourage councils encrypting emails that contain no sensitive personal or confidential data. Of course, if councils are sending sensitive personal data we would expect them to encrypt it – as we would do ourselves“. This is a useful piece of context for someone asking for the information under the auspices of FOI. However, this isn’t what they said to the numerous council link officers who received the email, and who were expected to act upon its contents. It’s almost the opposite.

Encrypting devices within an organisation is an easier proposition, as all the devices and connecting software are already part of the same system. The problem with encrypting email is undoubtedly that it involves different systems and protocols butting heads in the attempt to make a connection. The LGO pointed out to me that their case management system contains its own email system which can make receipt of an encrypted email difficult. But this is the LGO’s problem and nobody else’s. Councils have no choice about whether to supply data – one of the ‘key facts’ about the LGO on their website is that “We have the same powers as the High Court to obtain information and documents“. Given the ICO’s historic fondness for fining the sector for data security lapses, if councils opt for encryption by default, they should be applauded, especially by the organisation set up to investigate their conduct.

This will inevitably pose problems for the LGO internally, but the solution to this is not to encourage councils to reverse sensible changes in behaviour that another regulator has been pushing them into. They are a regulator whose job it is to deal with a diverse and multilayered sector with widely disparate cultures and practices, and they have to be capable of swallowing the inconvenient implications of it this. However difficult it might be to cope with, especially without the clarification provided to me in my FOI response (and as far as I know, to no-one else), the LGO’s current advice is damaging and unsafe. Councils should ignore it, and the LGO should withdraw it.