The Information Commissioner has two powers to make FOI and the EIRs work, and a backup power to facilitate the other two. They’re found in FOI but apply to both. Under Section 50, the Commissioner can resolve a complaint about an individual FOI / EIR complaint by issuing a Decision Notice, which determines whether the public authority’s response was partially or wholly right or wrong. Under Section 52, the Information Commissioner can issue an Enforcement Notice, which allows the ICO to order a public authority to put right any failing, and unlike S50 is not linked to an individual complaint. Logically, the Enforcement Notice makes sense as a tool to deal with consistent or corporate FOI failings, as anything identified during an individual complaint can be resolved in a Decision Notice. As regular readers will know, the Enforcement Notice exists in name only as the Commissioner has not issued one since 2010 and seems effectively to have retired it.
In the middle is the S51 Information Notice, which is more specific. Most FOI / EIR complaints are resolved through protracted but willing correspondence, but occasionally an organisation won’t play along and so S51 allows the Commissioner to demand information. It’s a powerful tool, but it’s not an end in itself. “If the Commissioner reasonably requires information“, the Information Notice does the job. This usually happens when a recalcitrant organisation has already been asked for information and either fails to or refuses to supply it. One of the tantalising things about the Information Notice is that it refers to recorded and unrecorded information – the ICO can demand an explanation of what has gone on even if such an explanation has not been written down. But that’s for another time.
Last month, the Information Commissioner published a decision notice about an EIR request to Hackney Council. The applicant wanted to see what turned out to be a lot of information about the planning application for a Free School. Hackney’s handling of the request was – to say the least – inelegant, and I apologise in advance for the way in which I will linger on the case in every EIR training course I run for Act Now Training over the next few years. It’s one of those ‘What Not To Do’ situations. After some delay (Hackney) and hand-wringing (the ICO), Hackney settled on the decision that the request was manifestly unreasonable, and the ICO gave Hackney a deadline to communicate this decision to the applicant. The Decision Notice explains what happened next:
“The Council failed to respond within this deadline and so the Commissioner issued an information notice under section 51 of the FOIA. This obliged the Council to write to the complainant specifying that, if this was now its position, regulation 12(4)(b) was believed to apply, and to write to the ICO with a full explanation of its reasoning for the citing of that exception. In line with the information notice the Council wrote to the complainant on 16 August 2013 and advised him that the Council now relied on regulation 12(4)(b) on account of the time and cost of complying with these requests”. Remarkably, or as the ICO would have it “Regrettably“, the ICO had to chase Hackney for the required explanation.
This is not the usual ICO dithering. This is far worse than that. The Information Commissioner cannot use an Information Notice to require a public authority to do anything except provide it with information. The Commissioner could order Hackney to answer the request, but only by using a Decision Notice under Section 50. Moreover, if the ICO describes the situation accurately, Hackney apparently breached the bit of the Information Notice that might have been valid (the requirement to explain why they thought 12(4)(b) applied), but the ICO did nothing about it other than ‘chasing’. If taken before a judge, a breach of an Information Notice is treated as a contempt of court.
You may be sitting there thinking that this is a molehill. Big deal, you might say. They cited the wrong bit of the legislation. They didn’t follow up on the exercise of their powers. At length, they made a decision and have now ordered Hackney to disclose the information to the applicant. Job done. If that’s what you’re thinking, you’re wrong.
The Information Commissioner’s Decision Notice seems to say that it exercised its powers in an unlawful way. They have announced that even when they use their interim enforcement powers (however incompetently), they will not follow through on it and will limply ‘chase’ rather than prosecute. No aspect of the ICO’s enforcement is entirely successful. The Commissioner has suffered reverses on both Data Protection and PECR enforcement recently. Data Protection enforcement is unfairly skewed towards public sector security and is based too much on unproven assumptions about identity theft and a fixation with the incident, not the underlying breach. But the Commissioner’s reverses on DP and PECR are matters of interpretation, not basic competence – neither recent Tribunal loss was tossed out. The ICO’s antics on the Hackney case suggest that people working on FOI either don’t know how their powers work, or they don’t care.
The best case scenario for the ICO is that somehow, the author of the notice has explained what they did so badly that some kind of strong message to Hackney to answer the request has been conflated with the Information Notice. They could have done it properly but made it sound like they didn’t. But it’s hard to imagine how this is possible when language as concrete as this is used: the Information Notice “obliged the Council to write to the complainant” and Hackney’s response to the applicant was “in line with the Notice“.
The final decision – where the Council was ordered to disclose using S50 – was signed off by a senior manager who, if they didn’t actually write the notice presumably read it and saw no problem with the misuse of the Information Notice it described. Even if the author was deluded, the Group Manager must surely know what an Information Notice is for, and could have cleared up the misunderstanding. Indeed, the notice even comes with the dreaded sanctimonious ‘Other matters’ section where the cock-up is warmed over again. They couldn’t have missed it.
While many ICO decisions sail through clumsily but probably get the right result, the inability to make enforcement decisions against big targets like the Cabinet Office and the Department for Education, and the inability to enforce lawfully against anyone make me think that FOI within the Information Commissioner’s office is broken. They’re so unwilling to enforce, they now don’t actually know how to. Chris Graham has clearly shown a willingness to take enforcement action on DP and PECR, but FOI continues to be a rolling embarrassment, threatening to bring his office into disrepute. Either he sorts this mess out, or he should give FOI up and let someone else do it properly instead.