What do they know?

A few months ago, a dispute arose between the popular / reviled* FOI request website What Do They Know and a landlord in Bournemouth, after his address was inadvertently included in an FOI response. The landlord asked for his address to be removed, and What Do They Know refused. WDTK volunteer Richard Taylor described all this on the site, drawing attention to the fact that the address was still there. I can see no evidence that WDTK informed the landlord that they would publicise the fact that he had complained; my guess is that they did not.

The landlord complained to the ICO. Replying to the ICO on behalf of the charity, Taylor claimed that there was a legitimate interest in continued publication, but hedged his bets by stating that WDTK was exempt under DP’s S32 journalistic purposes exemption. The ICO rejected both arguments and asked WDTK to remove the original spreadsheet. Again, Taylor wrote in detail about this on the site, revealing in the process that the landlord had complained to the ICO. It’s worth noting that the ICO never reveals the identity of those who make complaints to it, and I can find no evidence that the complaint was made public anywhere else. None of my correspondence with the charity has revealed any.

A similar issue arose last year. Another council published the name of a Unison official (apparently in error) and What Do They Know refused to take it down. Again, Taylor revealed the fact that the individual had complained to the ICO, although on this occasion the ICO chose to take no action. Taylor also researched the complainant and published information about his wife on the WDTK page. Though the information Taylor gathered was clearly in the public domain, at best, it suggests an unsympathetic attitude to those who raise concerns when their data gets published on the site.

The first Data Protection principle requires Data Controllers to process data fairly, lawfully and according to a set of conditions. In this case, the data controller is UK Citizens Online Democracy, the charity which runs My Society. Data Protection requires that people must be told how their data will be used, while the only condition available to What Do They Know is legitimate interest, which must be balanced against any prejudice to the rights and freedoms of data subjects. If you complain to What Do They Know, or to the ICO about What Do They Know, they’ll make this public and a volunteer may research your family relationships and publish that too. As Taylor’s comments are always couched in terms of ‘we’ and ‘us’, I believe that this approach is endorsed by the charity as a whole. This blows the legitimate interest argument out of the water: if a person cannot complain to either What Do They Know or the ICO without the matter being published by What Do They Know, there is clearly prejudice to their rights and freedoms.

The doomed use of S32 piqued my interest, so last month I asked What Do They Know for copies of: “any procedures or guidance available to control how personal data is obtained and published by My Society in the context of the What Do They Know website”. Of course, the charity isn’t covered by the Freedom of Information Act, but for an organisation whose public commitment to FOI and transparency verges on the obsessive, it’s not unreasonable to ask them to apply FOI standards to themselves. A month later, I received a reply:

“Personal data generally comes from users and public bodies and the site, and emails sent by it, contain lots of warnings when material is to be published online. We do our best to ensure our users, including those responding to requests at public bodies, are fully aware of what we do with the information we obtain.

NB: if you’re writing a blog post, please note how we write mySociety.”

That’s right – they didn’t give me the guidance, but Heaven Forbid I get the branding wrong. I persisted, pointing out they’d dodged the request for procedures in favour of a vague narrative answer. This time, I received a reply from Mark Cridge, the Chief Executive, setting out the decision-making process for What Do They Know (there was an opportunity for him to distance the charity from Taylor’s actions here, and he didn’t take it). On the specific request for procedures, despite the fact I’d pointed out that my request had been sidestepped, this was his reply:

We also have policies on our private internal wiki, which volunteers can refer to which provide more detailed guidance on our established policies, specific data protection guidance and key learnings from our experience of running the service for the past eight years

But he didn’t provide them, though this was what I had asked for twice. Yes, the charity is not covered by FOI and can do what it likes when annoying people like me ask them questions. No, this approach is not consistent with the values of an FOI campaigning organisation. In any case, it doesn’t matter, because I already know what the Private Wiki says about Personal Data:

Personal data in general

  1. We only consider takedown requests when we get them. We don’t pre- or post-moderate the site.
  2. The source of personal data is irrelevant, whether it is inadvertent, leaked with intent, or from someone who later develops “Google remorse”. The source of complaint/takedown request is also irrelevant, whether it comes from the data subject or a third party.
  3. Our responsibilities are therefore about deciding whether to continue to publishing or not, in line with our obligations as Data Processors, when a complaint about personal data drawn to our attention, i.e. on a case-by-case basis
  4. We have DPA Section 32 on our side, so we look at the PCC code and weigh up the public interest

The guidance proves that Taylor’s use of S32 isn’t just a randomly clutched straw. S32 is an immense exemption – it removes more or less every Data Protection requirement except security. The fact that it doesn’t apply to What Do They Know (and we know that this is the ICO’s position) isn’t the only problem. The reference to What Do They Know being ‘Data Processors’ is even more stupid. Data Processors have no data protection responsibilities – they are merely agents of someone else. There are two problems here. First, it’s impossible for the charity to be simultaneously a data controller using S32 and a data processor – they’re either one or the other. Second, the subtext of both positions is that the operation of What Do They Know exists in a vacuum – whether it’s because they’re journalists or data processors, they’re not answerable for DP issues.

The absurdity of the charity thinking it’s a data processor is plain as soon as you try to work out on whose behalf they would be operating. They’re definitely not data processors for the public authorities, who have no option but to send data to the website. It’s equally ridiculous for the charity to think that they’re Data Processors for the applicants. If this was true, UKCOD wouldn’t be allowed to remove material from requests without the applicants’ permission, applicants would be the ones dealing with the ICO over complaints, and every What Do They Know user would need a binding legal contract with the charity, or find themselves in breach of the Data Protection Act’s seventh principle.

Guidance like this could easily create a sense of immunity and entitlement – whatever happens, we’re not covered. Worse than that, the volunteer who seems to take the lead on Data Protection issues is Taylor, an anti-privacy zealot who films people without their permission, without properly identifying himself, and publishes the results despite their explicit requests for him not to. When I contacted him about this intrusive behaviour earlier this year, he justified his antics with similarly vague S32 arguments. He also compared himself to Channel 4 News and Roger Cook, although I don’t think they ever stood in the rain filming a meeting through a window despite being invited inside. He also told me that he didn’t need to provide a Data Protection notification for his website because he claims the ICO says that ‘personal websites’ are exempt. They’re not, and the ICO doesn’t say so. I can’t prove that Taylor wrote the WDTK guidance, but I think it’s a safe assumption.

Whenever I write a blog like this about people who perceive themselves to be doing the right thing for the right reasons, one of the criticisms that is thrown back at me is that I am being deliberately negative. Why can’t I offer something constructive? Indeed, the last time I criticised What Do They Know, this is exactly what the former Director of My Society Tom Steinberg said. I did write a blog with some helpful suggestions of how What Do They Know could be improved, but none of my suggestions were taken up. This time around, I put my money where my mouth is. Last year, long before I corresponded with UKCOD or Taylor about these matters, I offered free Data Protection training to the volunteers at a time and venue of their convenience. I didn’t want any PR; indeed, I would have asked them to keep it a secret. Of course, I am not a cheerleader for What Do They Know – I think it can be an unhelpfully ideological enterprise, sometimes showcasing the worst aspects of FOI – but the offer was genuine and it fell by the wayside for reasons that were never explained.

So here we are. Cridge told me that the policies and procedures he didn’t want to show me will be reviewed, but how long has the above-quoted nonsense held sway? What Do They Know volunteers can shame complainants and dig into their backgrounds, while the organisation fails to be transparent over its flawed guidance. Of course, I didn’t tell anyone at What Do They Know that I knew what the guidance said, but if transparency is such an unalloyed positive, why couldn’t I prise it out of them?

It’s impossible to blame UKCOD for the fact that public authorities sometimes inadvertently disclose information in response to FOI requests. It would be unacceptable if data was accidentally sent to a single applicant. Nevertheless, What Do They Know magnifies the problem by publishing all responses and failing to moderate what goes onto the site. I’m not convinced Richard Taylor is qualified to be involved in complex decisions about the publication or removal of personal data on behalf of a charity. I certainly don’t have confidence in a system based on wildly illogical guidance, and which allows volunteers to publish information about complainants and research their backgrounds. Complainants must be treated with respect, even if their complaints fail.

UKCOD’s management and trustees cannot hide behind the volunteer nature of What Do They Know – the website is not a naturally occurring phenomenon, and it needs to be managed and controlled. They created it, they run it, knowing that they lack the resources to proactively moderate it. In the light of this, if it is in the public interest for FOI requests to be broadcast, exactly the same approach should be taken for how What Do They Know is run.

 

(*delete as appropriate)

Walk the walk

Chris Graham gave an impressive interview to the Guardian which is published today. It’s nice to see the Information Commissioner standing up for the principles of transparency and Freedom of Information in the face of what everyone can see is an establishment backlash. As the article says:

“There are some very powerful voices saying it [the act] has all been a horrible mistake. Specifically, Tony Blair, Gus O’Donnell [the former head of the civil service] and the prime minister himself,” he said before adding the name of Simon Jenkins, the former Times editor and Guardian columnist.

To that list, we can also add Francis Maude, who imagines that he can make FOI redundant, and various slippery ministers who have allegedly been using private emails to get around legitimate scrutiny of their activities. Graham makes a compelling case, arguing that those who talk down FOI set the tone for everyone else. It cannot be a coincidence that the Cabinet Office’s record on FOI is dismal, given that it was until recently run by O’Donnell. The former Cabinet Secretary’s public antipathy towards FOI reared its head only when he decided to retire, but it’s probably a safe assumption that he wasn’t privately cheerleading for it before that.

Graham also skewered Maude’s patronising line on transparency, by arguing that “Sometimes the full story is in the background papers and minutes of meetings rather than just raw data.”

Graham’s analysis is right. People don’t always pay attention to the people at the top (just look at what happened to poor Bob Diamond, an honest man undone by a tiny number of unruly minions), but if they are given any excuse to be lazy, or to misbehave by the example set higher up, they’ll do it (just look at what happened…). I know of an organisation where the head of IT complains that having to remember a password to activate their Blackberry is too onerous and makes them look daft. The person responsible for Data Security might as well quit for all the good their efforts will do. If David Cameron was the politician he claimed to be – the one who offered ‘the most open and transparent government ever’ – then his approach to FOI would be very different. No-one would have believed Cameron if he pretended he was a big fan of the legislation, but a respectable politician would acknowledge it as an inconvenient but necessary part of an accountable democracy. Instead he whinges about FOI furring up the arteries of government while the Cabinet Office holds secret information on plans to charge for FOI requests that they at first claim does not exist.

Graham’s aplomb at dealing with the media draws a sharp and creditable contrast with his hesitant predecessor. Occasionally, there is misjudgement (as I said before, “wake up and smell the CMP” was an awful headline and whoever came up with it should be made to sit in a corner for a while). Nevertheless, the Commissioner is saying the right things and anyone who supports FOI should be happy that he isn’t congratulating himself for not taking on the big targets, which is what Richard Thomas did at Leveson.

The problem for Graham is clearly not a lack of ambition or self-belief. In one sense, the problem of doing the job of championing transparency is that you have to do it in a world shrouded in bullshit and euphemism. I listened to less than an hour of BBC Radio 4’s Today programme this morning, and as well as all the usual spin and lies, even the language was dishonest. After John Humphrys took someone to task for describing G4S as a ‘partner’ instead of a ‘contractor’, I started to hear the word everywhere, and never in a truthful context. Corporations bankrolling the Olympics were ‘partners’ rather than ‘advertisers’; TV companies screening Scottish Premiership Football were ‘partners’ rather than, well, TV companies. Everyone wanted to wrap professional and commercial relationships in a blanket that implied a shared and personal endeavour, rather than each side being interested only in getting what they could out of the deal with minimum effort. The same circumlocutions infect politics and government, national and local. Doing the FOI job in these circumstances is like wading through custard.

However, one thing he can do is keep his own house in order. The Tribunal often has to criticise the ICO for their handling of FOI compliance – read paragraph 25 of this recent decision for a good example. The ICO ignores its own guidance on FOI by challenging an FOI applicant using an obvious pseudonym for no real reason, and then exemplifies the inherent flaw in that guidance by backing down the moment the fake-named applicant pushes back. More seriously, a certain blogger asked a sensible question about information notices and ended up finding out that the ICO doesn’t know how many information notices they have issued under FOI. As well as the clear implication that ICO staff are not following their own procedures (if they were, it would not exceed the FOI cost limit for the ICO to find all of the notices), there is a bigger point that whoever is corporately responsible for FOI strategy within the Office doesn’t have all of the information they need to do their job. How can they look for patterns of underlying problems (which multiple info notices would suggest) if they don’t even know how many they’ve issued?

I am, of course, assuming that someone is doing this, rather than everyone frenetically trying to keep the backlog on a leash. If they’re not, Graham’s words turn to ash in his mouth. Things are better than they were. Graham’s profile is bigger. The frenetic backlog bashing does at least mean that organisations cannot rely simply on the passage of time to escape accountability. I don’t imagine ministers slept easy in their beds when the ICO stood its ground on private email (and ministers should never sleep easy). For all of these things, Chris Graham deserves credit. But talk is cheap. Until the ICO can show that its own FOI and records management practice is exemplary, it cannot lecture anyone else. Until it shows that the most recalcitrant government departments will be brought to heel on FOI, every council and NHS trust will be justified in saying that they’re busy and under-resourced, and FOI is a burden they don’t need.

So two cheers for being a great advocate – the third is reserved for delivery.

WDTK: Comment from Andrew Ecclestone

I think one of the issues is that which also affects Internet Service Providers (ISPs).  ISPs argue that, like the post and telephone companies, they can’t be held liable for what is transmitted via the communication channel that they provide.  They are simply neutral providers of a communications facility, and do not – and should not be required to – act in any kind of pre-emptive editorial manner.  There has, of course, been plenty of litigation and legislation around this topic.

MySociety (and those that have subsequently built sister platforms in other jurisdictions based on the Alaveteli code) are, when they refer to being analogous to Hotmail, attempting to put themselves in the same category as ISPs, phone and postal companies; at least that’s how it appears to me.  There are good reasons for this, not the least of which is that if MySociety were the people from whom all these 100,000 FOI requests came, they’d be the ones liable for fees, blocking of requests on the grounds of vexatiousness, and potential breach of copyright when publishing disclosed information.

However, by taking certain editorial positions on FOI policy and law (such as the scope of the law and providing civil servants’ contact details), they step away from the position of being able to reasonably claim ‘common carrier’ status, and towards that of being a publisher.  It is also clear that online publishers can be held liable for things that appear on their website, which is why there is already some moderation of the site.

As is clear from the discussion above, MySociety could go one of two ways in response to the issues highlighted in this blog post.  It could abandon all moderation (except in response to takedown requests that comply with the usual requirements), with the risks highlighted by Tim in terms of official sentiment towards the site.  Or, it could step up its moderation of the site, to try and reduce the unnecessary friction caused by some users.  This has a higher resource requirement, and would also result in some requesters becoming frustrated with MySociety instead of the public authority that was not disclosing the information they are after.

Tom has indicated, in his comment above, that MySociety are likely to go down the latter route, but that:

“The challenge is developing policies to minimise abuse or nonsense that doesn’t discourage legitimate, politically inexperienced and low-skilled users from using the power that FOI can offer: these are the core beneficiaries of our charity.

Such policies have to be balanced, nuanced and allow for the fact that our volunteers have limited hours in the day.”

My contribution to this debate would be to endorse the call for more active moderation, but that rather than relying on volunteers, MySociety should employ people to do this.  If the Government wants to endorse WDTK as a tool for making FOI requests – and they clearly do this on the Beta of the new www.gov.uk site – then they should fund MySociety to employ such a moderator: link.

Alternatively, instead of endorsing e-tools built by civil society, the government or the Information Commissioner could build their own request making site.  An example of just such an alternative already exists in Mexico, where the Federal Information Commissioners run the Infomex portal.  That even allows anonymous requesters to pay any fees they’re liable for without revealing their identity, as well as linking disclosures into a disclosure log and enabling the integration of appeals into the Commissioners’ own complaints management systems.

Given the current economic situation, and ideological inclination of the current government, it is unlikely that we’ll see the government or the Commissioner building such a tool, even if the Mexican Commissioners are willing to hand over the code for their tool for free (which I understand they are).  MySociety are well placed (especially given Tom’s position on the Transparency Board) to make a case to government that it can more cost-effectively provide this e-government service by funding more active moderation of WDTK.

This would, of course, raise issues about whether the government-funded moderator was blocking requests that were politically inconvenient rather than genuinely vexatious or abusive.  But it seems to me that could be dealt with by transparently publishing (but not transmitting to the intended public authority) those requests that the moderator had blocked.  (An analogy would be Google’s Transparency Report.)  The public and public authorities could see whether the MySociety moderators were trustworthy, and the tool as a whole might be more acceptable to hard-pressed officials who have to handle production of responses to FOI requests.

Such funding might also have the benefit of seeing more requests on the site ‘classified’ more quickly, resulting in production of more reliable statistics about use of the tool.