Live and Let Dai

To say that anything connected with GDPR is the worst example of its kind is a foolhardy business. I’ve read so many terrible articles, LinkedIn posts and Tweets about GDPR, to single any one of them out and say ‘THIS ONE IS THE WORST’ seems pointless. Most of them are bad. However, after watching 33 minutes of waffle, padding and gleefully misinformed bullshit, I am reckless enough to say that the intellectual property lawyer Dai Davis’ talk here is the worst presentation or talk I have seen about the GDPR in any format.

Admittedly, the trainer in me hated it because of the incompetence – Davis has to keep going back to the podium to change slides because he hasn’t brought a remote, and he pads the talk out with protracted questions to the audience that don’t add anything to what he is saying. When someone intelligent-sounding in the audience takes him on by asking a proper question, he runs a mile.

More seriously, a good chunk of the talk is taken up with an attempt to create a formula for how much you should spend on data protection compliance based on the likelihood of being fined. It’s an eye-catching and controversial thing to throw out in a conference, but I don’t believe even Davis knows what point he’s making. Is he really saying that a every organisation should spend a meaningless, averaged-out €2000 to comply with GDPR, or is that just a flourish? Every organisation is different to another, and will have radically different priorities and appetites for risk, so trying to create a standardised methodology is so random and unhelpful, I don’t think it’s a serious point.  Given the number of basic mistakes and baseless assertions he makes in such a short time, however, the only thing I can add to his calculations is that however much you spend on GDPR, you should probably not spend it on advice from him.

I may not have got them all, but here is as full a collection of all the blunders as I could manage:

  • Davis cannot remember how many deputies the Commissioner has, but he knows that it’s between 11 and 13. There are 3 deputies (James Dipple-Johnstone, Paul Arnold and Steve Wood); there have never been more than 3.
  • Davis consistently gets the name of the ICO wrong – it’s almost always the ‘Information Commission Office’, although he varies it at least once with ‘Information Commission Data Protection Officer’ (he wasn’t talking about their DPO). To be charitable, it might be because he’s talking quickly, but the errors are relentless. He clearly thinks that Elizabeth Denham’s job title is ‘ICO’. because he calls her this repeatedly, and talks about what he would do if he was “the ICO“.
  • He asserts that the GDPR is not a ‘step change’ from the old legislation solely because it has lots of words, even though many of those words are very similar to words in the same order in the old version
  • He notes that there has not been a GDPR fine yet. Davis was speaking on May 30th, two days after the first 72 hours to *report* a relevant breach would have elapsed.
  • He asserts several times that in theory “every single breach” has to be reported to the ICO. This is completely false. There is a specific definition of a breach in the GDPR and incidents that do not meet a certain threshold of risk do not have to be reported.
  • He says that telecoms companies had to report breaches to the ICO since 2012. Communications providers have had this duty since 2011, not just telecoms companies.
  • Davis claims that public sector bodies self-report breaches to the ICO because they have no idea about how to take a commercial risk. There is the problem that public sector bodies are not commercial organisations by and large, so that argument makes no sense, but it’s also factually incorrect. To take one example, NHS bodies (the example shouted out by an audience member) have been obliged by the operation of the Information Governance Toolkit to report breaches to the ICO since at least 1st June 2013 (I think it was actually earlier than this, but that’s the one given in a Toolkit document that Davis could have found with a single Google search if facts were something he had any curiosity about).
  • Davis claims that the ICO is not really responsible for prosecutions for S55 offences, despite talking exclusively about prosecutions that the ICO carried out.
  • He includes the prosecutions in his calculations for the risk of being fined by the ICO, seemingly unaware that fines and prosecutions are two entirely distinct activities, with S55 prosecutions being against individuals rather than organisations. Throughout, Davis talks about the ICO enforcing on ‘people’, so I don’t know if he knows that the penalties were issued against data controllers.
  • He says that there were 18000 complaints in 2016 and the ICO has done nothing about nearly all of them. As someone who thinks the ICO is crap, even I have to acknowledge that most of these complaints were resolved informally and the absence of a fine does not mean that nothing happened. In quite a few cases, the complaint would not have been valid, and so no action would be appropriate.
  • He twice says that the maximum penalty for a breach under the DPA 1998 was £5,000,000; it was £500,000.
  • He quotes the head of the ICO’s ‘Breach Notification Division’, which does not exist.
  • He claims that the GDPR contains more loopholes that requires the ICO to hire criminal lawyers. The standard of evidence for a GDPR breach is balance of probabilities, and GDPR removes the requirement to prove damage or distress for a monetary penalty.
  • He says the ICO has 700 staff – they haven’t recruited these staff yet.
  • He tells a story of how he tells his hotel clients (who, if they exist, have my pity) that they cannot claim to be GDPR compliant because they use “mobile telephones” and allow their staff to send text messages. According to Davis, it is impossible to use mobile phones securely.

At the point where Davis says “smart lawyers like me“, my jaw did not drop, it fell off.

Leaving aside how garbled and smug Davis’ performance is, you might wish to charitable and take on his central thesis – that you probably won’t get a GDPR fine. He’s right. There have been relatively few penalties under Data Protection thus far and so the risk of getting one is relatively small. I cannot disagree with this banal point because I have made it myself any times. However, I can’t tell if his conclusion is simply that nobody should bother complying or whether there would have been a ‘however, you should comply because…’ moment, because there isn’t a conclusion. Presumably because he has run out of time, Davis just stops. So what, Dai? What’s your point? What should the audience do with this information? Should they just ignore GDPR?  There’s definitely a sense of this when he says that 10 years from now, the owner of a B&B will not know what GDPR is.

If Davis had the guts or the discipline to get to a conclusion that GDPR doesn’t matter, that would have been something. His contempt for detail would still be an impediment, but ‘Ignore GDPR’ is an assertion worth tackling. I could counter by arguing that the threat of a fine isn’t a good reason to comply, but respecting human dignity and avoiding harm to real people though inaccuracy, intrusion and insecurity is, but Davis never stops circling the airport, so I don’t even know if that’s what he’s saying.

If his contention that organisations don’t have the ability to measure risk effectively and need to get GDPR in perspective, that’s actually a good point, but he makes it so incompetently that again I’m not motivated to take him on. I have grudging sympathy for the idea that reputational damage is an overhyped risk (again, it’s not a point he makes clearly), but I know that many in the Data Protection world would passionately disagree, and I suspect that they could use Facebook’s current woes as evidence that public perception over data misuse isn’t something that boardrooms can ignore.

In the end, I think Davis is a clever man pontificating about a subject he neither cares for or understands, but the danger is that people will watch the talk and be contaminated by it. You could argue that I am making it worse by drawing attention to it solely so I can take the piss. All I can say is, the talk is out there. People will see it. As this is the case, if you find his argument (such as it is) attractive, it’s worth pointing out how sloppy and ill-informed his thinking is. It’s worth asking if this is the ‘Ignore GDPR’ guy, why would you listen to him?

The DNs don’t work

I’m going to say it again. I really like Christopher Graham. Anyone would have looked dynamic after Richard “BACKLOG” Thomas, but I believe he’s trying to make a difference in his role. I’m not sure we’d get on personally, but that’s definitely more about me than him. I have absolutely no doubt that he means business. And what’s more, blogger’s hyperbole aside, I don’t really think that everyone who works at the ICO is an idiot. In fact, when I think of all the people at the ICO who I definitely think are idiots, I could count them on the fingers of one hand, if we count thumbs as fingers and I was Anne Boleyn.

But in writing to the Financial Times to refute the claim that the ICO is a toothless regulator, Mr Graham said this: “The record shows that the Information Commissioner’s Office regularly makes difficult decisions that challenge Whitehall”. He pointed out that he has issued a number of Decision Notices against the Cabinet Office and most importantly, he is a regulator with powers of prosecution.  This isn’t fooling anyone. Even FOI Man Paul Gibbons is having his doubts about the Commissioner’s rigour, and he’s so nice he didn’t lose his temper when I suggested he change his name to Paul Chimpanzees.  What’s really strange about Graham’s response – apart from what Paul accurately identified as his eccentrically clear aim at the messenger – is what’s missing. Although I think the quality of ICO FOI casework has generally gone down, I don’t deny that on a good day, Wilmslow is capable of stepping up and making the right calls on individual decisions. What Mr Graham has to answer is whether his office is capable of taking enforcement action; not to deal with individual complaints, but with the wider approach of a Government department that sees FOI as an inconvenience.

However, in case we need evidence that action might be necessary, let’s consider the decision notices issued to the Cabinet Office in 2013 by the ICO, to bask in the heat of their effectiveness:

Decision FS504279906

The Cabinet Office are revealed to have failed to respond to a previous ICO Decision Notice (that thing that is supposed to be Contempt of Court). They fail to do an internal review in the ICO’s recommended timescale. They claim to the ICO to have disclosed a contract to the applicant, but repeatedly fail to confirm that this has actually happened. They then use the applicant’s complaint to the ICO as an excuse not to disclose anything else. They claim that a disclosure will harm Capita’s commercial interests, even though they haven’t actually asked Capita what they think about the disclosure. The ICO tells the Cabinet Office that “it is essential that the Cabinet Office ensures that there is no repetition of these issues in relation to future requests”. This is the last time in 2013 that the ICO use the word ‘essential’ in this context. It’s January.

Decision FS50435121

The Cabinet Office carefully interpret a request about contacts with Common Purpose so that information they have already disclosed to another applicant is not disclosed. They refuse the request as vexatious (the ICO overturns this).

Decision FS504364434

The Cabinet Office fails to do an internal review in the ICO’s recommended timescale. It claims that the Statistics and Registration Service Act 2007 provides a prohibition on disclosure. It doesn’t. They try to use s22 (information published in the future) but are “unclear and inconsistent” with the ICO about when and by whom the requested information will be published. The Decision Notice states that the ICO normally offers one opportunity to explain the application of an exemption, but in this case, the Cabinet Office has failed to give a satisfactory answer at the third time of asking. One can only wonder why they get special treatment.

Decision FS50445422

The Cabinet Office applies an exemption without specifying which information is covered by the exemption in question. The applicant requests an internal review on 19th January 2012, and the Cabinet Office responds three months later. The ICO no longer uses the word ‘essential’ when discussing how important it is that the Cabinet Office not do this again.

Decision FS50457668

The request in question is made on 1st March 2012. The Cabinet Office respond on 10th May 2012.

Decision FS50461244

An applicant asking about training provided to David Cameron before his appearance at Leveson receives no information because he uses the phrase ‘coaching’ instead of ‘legal assistance’. At first, the Cabinet Office states it holds no information. At internal review, it claims that it holds information, but will publish the information in the future, citing a statement made by Jeremy Hunt about the publication of what turns out to be something else. When the ICO investigates, the Cabinet Office changes its mind again and decides it holds no information. It states that an objective reading of the request to say that the use of the phrase ‘coaching’ can only refer to a specific type of information. However, when the ICO points out that the applicant has asked for information about coaching “or” ‘preparation, the Cabinet Office reverts to a subjective reading of the request, claiming that the applicant uses ‘coaching’ and ‘preparation’ interchangeably, even thought this makes no sense in terms of what the applicant actually asked for.

Remember: I am receiving legal assistance, you are being prepared, he is being coached.

Decision FS50465008

The Cabinet Office refuse to answer a request because an email is not a document [Discuss]. They imply that you cannot request information unless you already know what it is, but at the risk of a Top Shop / Rihanna situation as regards the FT and Chris Cook, I’ll stop there.

Decision FS50465636

The Cabinet Office claim that no information is held based on a restrictive interpretation of the request. You’ll never guess what happens then. The internal review is completed outside the ICO’s recommended timescale.

Decision FS50466327

The internal review is completed outside the ICO’s recommended timescale. I know, me too.

Decision FS50472269

The Cabinet Office maintain a position of holding no information in relation to the applicant’s request until the ICO investigates. Guess what they find then?

Decision FS50474524

The Cabinet Office claim that telling the public how many times a committee on better regulation has met would affect ministerial collective responsibility. The ICO states that their arguments about the harm caused by disclosure are made as if the applicant has asked for other information.

Decision FS50475014

The Cabinet Office claim that they cannot find the requested information within the FOI timescales, but on internal review decide that the request is not valid.

Decision FS50478062

The Cabinet Office claim that ongoing investigations into the conduct of Jimmy Savile will be harmed because those involved will be less candid if information about why Savile received honours is released, an argument that the ICO regards as ‘highly speculative’. I agree that the use of the word ‘horseshit’ would probably have been unbecoming.

Decision FS50478062

The applicant makes their request on 9th July 2012. The Cabinet Office responds on 27th September 2012. The applicant requests an internal review on the same day. The Cabinet Office respond on 26th November 2012.

Decision FS50481901

The request is made on 28th November 2012. No response has been received by 21st January 2013. The ICO intervenes on March 6th 2013, and the Cabinet Office then ask the applicant for clarification, which he provides the same day. The Cabinet Office fail to answer and the Decision Notice is necessary simply to oblige them to do so.

Decision FS50490256

The Cabinet Office fail to give a valid response to an FOI request, and the Decision Notice is necessary to oblige them to provide an internal review.

Decision FS50498628 (22nd July 2013)

A Decision Notice is necessary to oblige the Cabinet Office to respond to this FOI request.

Decision FS5050001 (24th July, just over a week before Christopher Graham writes to the FT)

The applicant makes their request in September 2012, and only after being prompted on 8th March 2013 does the Cabinet Office promise on 10th April 2013 to reply by 8th May 2013. On 10th of June 2013, the ICO tells the Cabinet Office to respond by July 8th (nearly a year after the request was originally made). The Cabinet Office tell the ICO on the 17th July – less than three weeks before Christopher Graham’s stout defence of the ICO’s approach on the FT’s letter’s page – that they cannot possibly respond without the appropriate clearance. Which, I hope you’ll agree, is like slapping your buttocks heartily as you moon the policeman who is trying to arrest you.

I have no doubt that the ICO will continue to make variable FOI Decisions, many good, some appalling. But the FOI Act will remain unenforced, because someone in the Commissioner’s Office is apparently afraid of the Cabinet Office and is apparently obliging the boss to pretend that the Decision Notices as described above are going to to do the trick. They haven’t and they won’t. The Cabinet Office would fight tooth and nail to protect disclosures about the Schleswig-Holstein Question. They have learned nothing from FOI’s introduction. Moreover, every public authority, every quango, every council, every NHS Trust, every police force, every college, every last one of them from Walberswick Council up is entitled to point to the Cabinet Office and say, if you didn’t do them, you’re not going to do us. So why should anyone take the ICO seriously on FOI?

Chris Graham’s letter to the FT characterised the ICO as an FOI watchdog unafraid to bark when it needed to. The finest manager I have ever had (much love and respect to you, Kevin) once characterised the ICO as being the kind of hound who could at worst give you a nasty suck. These days, I’m not even sure Wilmslow could run to a love bite.

FOI is dead; long live the Cabinet Office.

The Cabinet Office & FOI, A Retrospective, 2010-2011

As you know, FOI is under threat from a disparate coalition of interest groups, all of whom profess strong support for the idea of FOI and transparency in principle, but who object strongly when it applies to them. As I have already blogged, it’s the FOI equivalent of saying ‘I’m not racist but..” With friends like ACPO – who ask in their Justice Committee evidence for an absolute exemption for all investigations data, a charge for every FOI and vast restrictions on the time taken per request – FOI doesn’t need enemies.

However, the real cuckoo in the nest might be closer to the centre, with a more seductive and plausible message that could still plunge a stiletto into FOI’s back. Led by the Coalition’s answer to George Sanders, Francis Maude, the Cabinet Office wears what looks like a bulletproof vest when it comes to openness. Why, they’re the champions of Transparency, the sponsors of Open Data. One could mistake the Cabinet Office for a shining beacon of openness in the murky fog of secretive government. George Francis Maude promises a quantum leap in transparency and goes around the world promoting openness. He must be OK: in some of these photos, he’s rocking that smart jacket / jeans combo that says, I’m here for business, but a party’s definitely not out of the question.

But here’s the problem. Maude’s top-down Transparency (always capital T) is geared towards an open-source, re-use model which is intrinsically positive, but totally separate from the accountability / scrutiny aim of FOI. Transparency agenda is skewed heavily towards a technocentric, app-designing, economic model. It will probably create jobs. This is great and puts the previous government to shame. Public bodies who bleat about the commercial reuse of their data forget that the private sector pays its taxes and funds their activities. But this Transparency has little to do with the kind of transparency that FOI offers. Real (small t) transparency is about letting everyone come in and scrutinise what is going on. FOI should not be mediated, except by sensible harm thresholds like the public interest test and an even-handed regulator. If you see one of those, let me know. Maude is keen to order disclosure, but this is still the exercise of power by the elite. If you want to know something that the Coalition doesn’t want you to know or simply hasn’t thought of, Maude’s Transparency will not help.

Transparency could be used as a Trojan Horse to justify curbs on FOI. You don’t need FOI, we’ll be told, because look at these shiny Transparency jewels we’ve decided to give you. This will be a fiction. The point of FOI is that you get to ask about what you want to know, not what The Nice Man Wants To Tell You

In June 2011, the Cabinet Office signed an undertaking for the Information Commissioner, promising to make improvements to its approach to FOI. So let’s ignore the siren lure of Transparency and look behind it to see how the  openness champions deal with FOI. I have read all of the Information Commissioner’s Decision Notices issued to the Cabinet Office in the past twelve months. It’s a roll call of shame that spits in the face of the fine folk who work on Open Data and Transparency. You can read the highlights at the end of this post, and I encourage you to use the reference numbers to find and read some of the decision notices in full here.

Most of these decision notices cover requests received before that undertaking was signed, but all cover the period of the Coalition, when Maude and others were trumpeting Transparency and Openness like it was going out of fashion. They might claim it’s all change since the undertaking, but these requests are an insight into what the Cabinet Officer were doing while the Ministers were hyping their Transparency agenda. How could this all happen on their watch if their commitment to openness is real?

In 2010-11 (as before), the Cabinet Office routinely extended the time taken to consider the public interest test, and frequently missed its own distended deadlines. Applicants who made entirely legitimate requests were refused because their requests were said to have no serious purpose or value (and the ICO overturned these refusals). On several occasions, the Information Commissioner’s Office was forced to order the Cabinet Office to make a decision, in cases that had been running for many months.

Two issues are particularly damning. There are several cases where the Cabinet Office issued a formal refusal for data that they had not searched for, and which ultimately turned out not to be held. In other words, they’re saying no rather than actually looking for the information. Worse still, in numerous cases, the ICO remarks that the Cabinet Office has advanced inadequate arguments for refusals that they then have to overturn. In some cases, the Cabinet Office fails to respond to the ICO altogether.

The Cabinet Office has a lamentable track record on FOI – this could be explained in part by the outgoing Cabinet Secretary was outspoken in his criticism of the legislation and his belief that it should be restricted. However, the Cabinet Office appear not to have taken the Information Commissioner seriously either, which should be unthinkable. Nevertheless, by not taking formal enforcement action against the Cabinet Office, Chris Graham has gambled that asking them to sign an undertaking to comply with legal obligations will have the effect that dozens of formal decision notices issued since 2005 have not. He may have fettered his discretion on all future FOI enforcement – if he doesn’t enforce against this level of compliance, when will he ever do so? Who could possibly be worse? If he goes after a Parish Council with an enforcement notice, the circle will be complete – like DPA, the big fish swim away while the minnows get netted. But more importantly, if the Coalition try to argue that FOI is safe in their hands, that any changes are just to reflect the austere times we are all in together, that their Transparency is a worthwhile alternative, take a look at this list and decide what you think of that idea. We desperately need a more agile, more entrepreneurial approach to public sector data. But we also need the opportunity to ask awkward questions, and up to now, the Cabinet Office hasn’t even paid lip service to that principle.
  • FS50371317 (02/02/2012): the applicant asks for copies of unpublished photographs taken by named Cabinet Office photographer. Cabinet Office refuse on the basis of Section 36 (prejudice to the effective conduct of public affairs). The refusal is automatically invalid because the qualified person (who has to be a minister) was not involved. When the ICO investigated, they discovered that no such photographs were held, and S36 had been cited instead of actually searching for the picture.
  • FS50379301 (16/11/11): Applicant asking about minister’s meetings about setting up of statutory register of lobbyist asks for internal review on 8/11/10. The Cabinet Office do not respond until 20/4/11. ICO complains that Cabinet Office ignores repeated refusals to supply data to them so that it can consider complaint, and later remarks that no exceptional circumstances explain the delay in providing an internal review.
  • FS50348732 (03/11/11): In response to FOI requests about the refurbishment of Downing Street, Cabinet Office claims that information will be published in future. They then change the claim to no information held. The Information Commissioner finds that information is indeed held. “The Commissioner is particularly concerned that the response to the Information Notice appeared to contradict the previous response from the public authority that no searches had been necessary, suggesting that no searches had been carried out.”
  • FS50362049 (03/10/2011): Cabinet Office refuses to confirm or deny whether Government discussed the Nestle takeover of Rowntree in 1988 (which the ICO orders them to do).
  • FS50341963 (08/09/2011): The applicant’s asks for meeting records of a committee which hasn’t met, and the Cabinet Office fail to explain this. They use an exemption to refuse information that does not exist. The ICO comments: “The initial refusal notice provided to the complainant by the Cabinet Office was insufficient and unduly briefthe Commissioner would also note his disappointment that the Cabinet Office failed to avail itself of the opportunity, during the Commissioner’s investigation, to voluntarily disclose to the complainant the specified non-exempt information
  • FS50392356 (4/8/2011): The applicant asks about Andy Coulson’s legal fees on 20 December 2010. Request acknowledged, but no response received at the time of the decision notice (i.e. three months after the undertaking). ICO warns the Cabinet Office that the absence of a response would be referred to Enforcement. The Cabinet Office do not respond. The ICO issues a Decision Notice solely to order them to answer the request.
  • FS50366824 (19/07/2011): Applicant makes meta-request for correspondence about a previous request (re: compensation paid by Libya to IRA victims). Cabinet Office claims request lacks serious purpose or value. Internal review requested on 2/1/2011, but no response is received. The Cabinet Office fail to respond to the ICO, and do not provide evidence for why the request represents a serious burden. “The Commissioner is concerned that in this case the internal review has yet to be completed despite the public authority having taken over 160 working days thus far in which to complete the review, despite the publication of his guidance on the matter.”
  • FS50362370 (19/07/2011): Response to internal review was only received after intervention of the ICO. The applicant wants to know the make and model of printers used for comparison purposes in Sir Phillips Green’s study of government efficiency. Cabinet Office does not want to prejudice negotiations with or to identify supplier. This is the same cabinet office that wants all organisations to publish all spending over £500. Did someone say bullshit?
  • FS50347053 (20/06/2011): On the 28 February, 13 May and 23 May 2011 the Commissioner wrote to the public authority asking it to provide a detailed explanation of its refusal of the complainant’s request for information as amended and a copy of the withheld information. ICO ends up ordering Cabinet Office to disclose salaries of those who earn £150,000.
  • FS50368481 (23 May 2011): Requests are submitted on 24/07/10 and (in expanded form) 6 January 2011. There is no response, though the requests were acknowledged. ICO contacted Cabinet Office on 10 Feb 2011 asking for response in 10 days. This does not happen. ICO forced to issue decision notice solely to force Cabinet Office to answer the requests.
  • FS50354351 (21/03/2011): Request about weapons of mass destruction. The Cabinet Office extends public interest deadline twice, and twice fails to respond to an IC request to resolve the case.
  • FS50310716 (8/3/11) Request for Job descriptions for the employees who support the Government Chief Whip, his deputies and assistants and for funding allocations. ICO had to intervene to get an internal review completed.
  • FS50318536 (17/3/2011): Cabinet Office says they hold data but disclosure would prejudice international relations claimed extra 20 days, then went vexatious despite him having made, then said it should have refused to confirm or deny under Section 40. They held no information. “On 13 December 2010 the Commissioner wrote to the Cabinet Office asking it to provide its arguments in support of its application of section 14. Following several telephone calls from the Commissioner seeking the Cabinet Office’s response to his investigation, the public authority provided its response on 2 March 2011.”
  • FS50300732 (15/2/11): Applicant requests “unredacted minutes” and is sent a link to webpage featuring redacted minutes. Applicant asks for internal review in Nov 2009 and ICO has to intervene in May 2010 to force internal review, threatening to issue an information notice if the Cabinet Office does not respond. They take 150 days to respond, and ICO is forced to take them to task.“During the course of his investigation, the Commissioner has encountered considerable delay on account of the Cabinet Office’s reluctance to meet the timescales for response set out in his letters. Furthermore, the Commissioner has been met with resistance in his attempts to understand the Cabinet Office’s reasons for handling the request as it did and for invoking particular exemptions. The delays and resistance were such that the Commissioner was forced to issue an Information Notice in order to obtain details relevant to his investigation

Transparency, according to Mr Maude

The Cabinet Office, run by the urbane and slightly saturnine Francis Maude, champions the Government’s Transparency agenda. Transparency is the process of publishing (or obliging others to publish) data on a wide variety of subjects. Although Transparency and FOI are clearly nodding acquaintances, they don’t spend a lot of time together socially. Transparency is about what the Government want people to know, especially about other parts of the public sector; FOI is about what the public, journalists and companies want to know. The former is ordered and political, the latter is wayward and occasionally deranged. I know which of the two I would rather have a drink with.
The Cabinet Office’s lack of assurance (let’s call it that, anyway) with FOI is nevertheless confusing, given their throat-clearing devotion to Transparency. A decision from a week or so ago ( exemplifies this.
The applicant wants information about the Special Advisers Remuneration Committee between May 12 2010 and July 10 2010, when the request is made. Questions are about how many times the committee has met, what it knows about Spads’ previous pay, how many now get more than a 5% uplift, and all minutes. The Cabinet Office’s refusal is somewhat less than fulsome:
The exemption which applies to this information is section 36 of the Freedom of Information Act. The public interest test determines that the release of such information would prejudice the purpose of the exemption.”
Slow down, Cabinet Office, or you will blind us with detail. Inevitably, there is an internal review. At this point, they’re more forthcoming, and evidence is provided about the prejudice test, the involvement of the qualified person (Mr Maude) and a bit of public interest just to be polite. They also reveal just what the applicant can’t have – the committee’s terms of reference, two emails about a Spad, plus their CV and job description. The committee hasn’t met in the specified period, so that’s all.
The terms of reference and emails are withheld under Section 36(b) – prejudice to free and frank exchange of advice and views, while the CV and job description are withheld under Section 40 (personal data).
The emails are held to be exempt by the ICO, so we’ll leave that to one side. I’m quite prepared to believe that the Cabinet Office provides or receives advice that can reasonably be kept secret under Section 36. It’s the surrounding facts that make me think that the Cabinet Office’s relationship with FOI is not as transparent as it could be. The first refusal does not make it clear what they hold and what they don’t hold (the applicant’s main interest is meeting records of a committee which hasn’t met, and they don’t make this at all clear). As the Commissioner finds, the idea that a committee’s terms of reference will inhibit free and frank discussion if disclosed is antithetical to the principle of FOI – we might not be entitled to know exactly what people are saying, but if government is to be transparent, we need to know what they’re supposed to be doing. Disclosing terms of reference is essential for that (this isn’t, needless to say, a body doing security or investigation work, where secrecy might be assumed).
The decision notice doesn’t go into the job description as that was considered separately. However, while a CV is definitely personal data and probably exempt (unless like a lot of people, this particular person has put it on the internet), but a job description is not. A JD relates to a job, not the person doing it. In every job I have ever done, I have been the only person doing the job and so the JD relates solely to me, but that doesn’t make it personal. The ICO has been saying this for years, and yet apparently, the Cabinet Office hasn’t heard.
And finally, perhaps most depressingly, there is an implication that the Cabinet Office just won’t play along. The narrative describes the Commissioner’s finding that information (the terms of reference) isn’t exempt, and asking the Cabinet Office to volunteer it. They refuse, and won’t give out anything unless ordered to.
If the Cabinet Office is supposed to be championing openness for everyone else, the occasional glance in the mirror might help.