ICO is wrong on back-ups

A bout of insomnia drove me to the laptop, but I was too tired to do anything constructive. After some idle Guardian and Telegraph browsing, I gravitated to WhatDoTheyKnow – depending on your role, you may see it as a vital tool for democracy, or a sphincter-clenching irritant. From my lowly perspective in the private sector, I can see both sides, but my main use of WDTK is as the FOI equivalent of Jeremy Kyle. Spend a few minutes browsing, and you’re deep in the demented, the paranoid and the downright strange. What with WDTK’s fey new redesign, I decided that I would pass my sleepless hours with some whimsical musings on the site’s eccentricities for these pages.
And then as always I checked out the most recent requests on the Information Commissioner’s page, and I found something a lot more interesting. A request titled ‘Former ICO Head of Enforcement’ sounded entertaining, with the applicant worrying at the fact that the former head of ICO Enforcement is now working for a legal firm: http://tinyurl.com/6c9q2vp. This is, of course, not secret and not unusual – most people leave the ICO to become either FOI / DP Officers or private sector consultants (been there, doing that). I suspect that the applicant is barking up the wrong tree, but that’s not what really got my attention. It was this phrase, in the internal review, courtesy of Lesley Bett, the ICO’s Head of Internal Compliance (scroll down to the response on 13th October last week):
“I should mention that, in general, ICO takes the view that information on back up will not be regarded as ‘held’ for the purposes of the FOIA”
You’ve just heard the sound from Family Fortunes when the luckless cousin guesses wrong about something you find in the shower – if that answer’s there, I’ll give you the money myself. In 2005, the Information Tribunal stated in Harper vs Royal Mail (http://tinyurl.com/6zaz5r3) that:
“The extent of the measures that could reasonably be taken by a Public Authority to recover deleted data will be a matter of fact and degree in each individual case. Simple restoration from a trash can or recycle bin folder, or from a back-up tape, should normally be attempted, as the Tribunal considers that such information continues to be held.” (my emphasis)
This case is one of the most well-known in FOI, because it is the one that established that documents that have been deleted from live systems are still held, with big impacts on email. Along with the John Connor Press Associates case about commercial prejudice, it was an early indication of how FOI might really bite.
More importantly, the idea that a certain kind of data is off-limits from FOI is counter-intuitive – the Act does not pick and choose which information is or isn’t covered (except when it grabs information held by other organisations). Thinking that back-up data isn’t covered goes against the way FOI works. Even if the time taken would probably put restoring from back-ups outside the cost limit in most cases, the data is still held. How could anyone in the ICO not know this?
I searched the Information Commissioner’s site for guidance that mentions the view that back-ups aren’t covered, and couldn’t find anything. I asked a few people whose opinions I respect, and their view was that Harper undoubtedly applies. My search of the ICO website only turned up several cases where requested information was held on back up tapes – the ICO staff handling the cases did not rule them out as ‘not held’ but dealt with the request as normal (the reference numbers for some of the cases are: FS50169313, FS50092946, FS50121882, and FS50118129).
I did not start this blog purely to bash the Commissioner’s Office, and I enjoy praising their successes almost as much as I enjoy making fun of them. And maybe there is some basis for this new interpretation. Maybe it’s just a mis-statement in one FOI response. But it’s a big mis-statement, and one I can’t reconcile myself with. If it is the ICO’s settled view that back-ups are not covered by FOI, how have they come to this conclusion, contradicting logic, what the Act says, what the Tribunal says, and the conclusions of a brace of their own decisions? And if it is not the ICO’s settled view, why does the person ultimately responsible for the Commissioner’s compliance with FOI think that it is?


UPDATE: No change on back-ups, but the WDTK site is now un-pastellated and back to normal. Is there no end to my powers?

Hardest game in the world

Paul Whitehouse had a Fast Show character called Archie, a pub bore constantly talking about a chosen profession being the “hardest game in the world… done it meself see..”. Whilst I loved (most of) my five years as a local government FOI officer, I have my Archie moments about it, especially when I remember certain vexatious applicants and the occasional officer who thought FOI was a personal slight I had devised for them. The FOI officers of some councils, government departments and universities have clearly inherited the most hemlock-heavy poisoned chalices, stuck with unpopular decisions, controversial work, or the attentions of Philip Morris. Ladies and Gentlemen, I salute you all (and I am available if you want me to train your staff). Nevertheless, doing FOI for the ICO and regulating its own decisions is probably the hardest game in the FOI world.
I’ve been writing a book over the summer and stopped reading and doing a lot of things to get it finished. Which didn’t work. While ensconced, I missed a Tribunal FOI case in July about the notorious Consulting Association blacklist, which included harsh comments about the Information Commissioner’s handling of FOI requests, and its investigation into its own response.
The decision is here: http://tinyurl.com/3ep22vum, and the relevant section is on page 31, paragraph 99 onwards.
A union official requested information from the ICO about his union and its members on the Consulting Association’s databases. The ICO seized the list in 2009, and subsequently prosecuted its owner Ian Kerr for non-notification (its actions had already effectively put him out of business). They also served Enforcement Notices on many construction companies who bought access to the blacklist. Like the What Price Privacy report, the CA case proves that the ICO really can deliver the goods (and raises the question of why such triumphs are not more common).
However, the Tribunal’s verdict on this request exemplifies something slightly less glorious. The Tribunal draws attention to two aspects of the ICO’s handling of the case. First, the initial refusal of Richie’s request was based on the cost, despite a subsequent admission that the information would always have been refused because of the statutory prohibition on disclosure in Section 59 of the Data Protection Act. They also brought up the personal data exemption at the Tribunal, having not previously mentioned it. In light of the fact that organisations take their cue from the ICO’s handling of its own requests, the Tribunal described the late reference to new exemptions as ‘inexcusable’. Ouch.
The second issue is at the very end, where the Tribunal describes the ICO’s investigation of the case wearing its FOI regulator’s hat as ‘lacking in real challenge’. Ouch again. Ultimately, the union complaint failed because the ICO was entitled to refuse, but the case raises some questions.
Everyone – applicants, public authorities, and journalists – expects ICO staff to be omniscient and infallible. This is probably even more so for the people who provide the service that the ICO is supposed to regulate for everyone else. This is unfair and unrealistic, but it is nevertheless a fact of life. When I worked there long ago, a rather supercilious (now former) senior officer told me that people needed to do as the ICO said, not as they did. This was two Commissioners ago, but it still doesn’t cut it.
The ICO has to be 100% on the ball with its handling of its own FOI and Data Protection, however difficult that is. Anyone dealing with FOI requests made to the ICO, whether answering them or reviewing them, needs the time and space to consider not only the straightforward issues of ‘should we give this out?’, but what does our guidance say, how will this look, and have we ever said to someone else that they shouldn’t do what we’re about to do? I hope they get that space. The ICO should have the most well-funded, well-resourced and well-supported FOI and DP compliance team in the UK, precisely because the Tribunal says that they should be an exemplar. I don’t know whether they have, but I doubt it. In every organisation I have ever worked, there have been more PR people than compliance people, and I bet the ICO is the same.
If all this comes across as a criticism of the people involved in the Richie decision, it shouldn’t, and I apologise if it does. I would have hated it as an FOI officer if some private sector know-all sneered at my work from the sidelines, and I have probably never done a job as tricky as regulating a regulator. But smart-arsed bloggers are another symptom of the ICO’s position in the shop window. It’s a dirty job, but somebody’s got to do it.
And anyway, doing health and safety for the HSE, that’s the hardest game in the world….