Bad Policy

On July 19th 2018, Linda McKee made a simple (but admirably polite) FOI request to the Information Commissioner’s Office. McKee asked for a copy of the ICO’s special categories policy document, a requirement of the Data Protection Act 2018 when processing special categories data in certain circumstances. The DPA was passed in early May 2018, but the requirement for special categories policies had been known since the DP Bill was published in September 2017. Policy documents were not required under the previous DP regime, and having run training courses on both the Bill and the Act, I can confirm that many people in the sector were keen to see real life examples of a policy document. McKee’s request made a lot of sense.

On 17 August (maintaining the ICO’s flawless record of replying to FOIs at the last minute), Wilmslow responded. They confirmed that a policy document was held, but as there was a clear intention to publish the policy document in the future, they refused to disclose it. This seemed a bit daft to me; Section 22 of FOI is designed to protect the organisation from early publication of information. The revelation of the ICO’s special categories policy would hardly cause ripples throughout the sector. Staff would not have been diverted from their normal jobs to deal with the torrent of press attention its release would provoke. They should have coughed it up and moved on.

McKee asked for an internal review, and at this point, the Commissioner headed determinedly the wrong way. There is no fixed time limit for an internal review, which is a flaw in the legislation but nevertheless not something that the organisation should exploit, and the ICO dragged it out for MONTHS. I have to be honest, I didn’t really pay attention, aside from using the ICO’s inability to release a relatively simple document as a gag on my DPA courses. Towards the end of 2018, I checked back in on McKee’s woes, to see an interesting suggestion on the What Do They Know thread. It seemed that when the ICO replied in August, the policy hadn’t actually been finalised.

I couldn’t quite believe this, so over Christmas, I made an FOI request to clear the matter up. I asked whether the policy was held in a final approved form when the ICO replied to McKee in August, for any recorded information about whether the ICO should actually have replied that the policy was not held (because it was not finished), and for a summary of why the ICO refused the request.

And here, a brief interlude to consider a section of the FOI Act that has tantalised FOI experts for years without resolution. Section 77 makes it a criminal offence for the organisation to alter, deface, block, erase, destroy or conceal any record held by it with a view to frustrate its disclosure. So if I am working for a public authority and I pretend that a record isn’t held in order to prevent an FOI punter from receiving it, I have committed an offence. If the organisation conspires in this, the organisation can itself be prosecuted by the Commissioner.

Back to my request to the ICO. They replied (once again, remarkably close to the 20 day deadline), and told me two interesting things. First, in answer to my question about whether the policy was held in a final approved form: “The policy was not held in final approved form”. Second, on any recorded information about whether any data held constituted the requested information, or whether the ICO should in fact have responded that the information was not held: “We do not hold recorded information. As you will be aware the Freedom of Information Act only covers recorded information held by a public authority. However, it may help you to know that there was a verbal discussion in regard to the response to this Freedom of Information request.” So, there was a verbal discussion that people plainly remember, and the ICO thinks it might help me to know this, without even a squeak about what the discussion was about. Thanks, Wilmslow, consider me unenlightened.

I believe that the ICO’s response to McKee’s request is untrue. The correct answer to her request is ‘no information held’, with advice and assistance that the data was in draft. Section 22 applies where the requested information exists but the organisation intends to publish it unchanged in the future; the ICO’s policy wasn’t complete. Look at what McKee asked for all those months ago: she asked for “your Policy designed to show compliance with Schedule 1, Part 4 of DPA 2018”. An incomplete, unapproved policy plainly does not answer the request, and the ICO should have confirmed that. The use of the exemption was a dishonest dodge to avoid admitting the truth.

If the ICO had a policy and pretended that they did not, under Section 77 it would have been a criminal offence for them to conceal its existence once it had been requested. As it happens, the ICO did the opposite – pretending that the information existed and refusing to give it out because it would be published in the future, rather than admitting that several months after the DPA was passed, the policy was not complete. Whoever decided that this was the right approach should think long and hard about a transparency regulator taking such a cynical attitude to legislation they are supposed to uphold and protect.

While QE2 tries to grab the headlines, demanding that FOI be extended to cover new organisations, her own house is far from being in order. The lack of FOI enforcement against recalcitrant and secretive government departments is an ongoing stain on the ICO’s reputation, while the lazy cynicism and lack of frankness over the office’s own activities suggest that the ICO can talk the talk, but walking the walk is beyond them. Regular readers of this blog are probably inured to my lack of faith in House Wycliffe, but for all Denham’s chasing of headlines, day to day experience of how the ICO carries out the most mundane of its functions suggests carelessness and disarray. Rather than trumpeting the press releases about extending FOI to charities and commercial bodies, more people should ask whether the ICO is capable of doing even those tasks it already has.

A case in point(lessness)

The Information Commissioner did a bit of business in Hendon Magistrates’ Court recently, as SCL Elections was fined £15000 for breaching an enforcement notice. Long ago, Professor David Carroll made a subject access request to Cambridge Analytica. As Cambridge Analytica was based in the US where SARs do not apply, they passed it to SCL Elections, a related company established in the UK, to process his request. Having received a response, Carroll claimed it was inadequate and complained to the ICO. After some correspondence, SCL and Cambridge Analytica went into administration. The ICO then served SCL with an enforcement notice over Carroll’s SAR, and SCL failed to comply with or appeal it.

On the face of it, it’s a win – fines in the Mags for breaches of ICO notices are usually in the low thousands, and after more than a year of a multi-million-pound investigation into data analytics, this seems a rare example of something actually happening. Following the humiliation of the first GDPR enforcement notice against AIQ, which had to be withdrawn and replaced, and the Facebook £500,000 penalty which was immediately appealed, you could argue that it’s a solid result for Team Wilmslow.

But the ICO reaction is weird – their website misleadingly claims that SCL was ‘also known as Cambridge Analytica’. SCL was a shareholder in Cambridge Analytica but the two companies are separate and based in different countries. Moreover, the ICO press release states “In pleading guilty, the company has accepted it should have responded fully to Professor Carroll’s subject access request and the ICO’s notice in the first place” but this is not what reality suggests. SCL’s guilty plea was helpfully tweeted out by Denham’s hagiographer Carole Cadwalladr, and it clearly says that they were pleading guilty to failing to answer the notice, not to any ‘misuse of data’.

Denham seems stuck in the past. This prosecution is, she says, ‘the first against Cambridge Analytica’ and her comment implies it won’t be the last, despite the fact that both SCL and Cambridge Analytica are being wound up. Since May 2018, the ICO’s needle on GDPR has barely twitched beyond that abortive AIQ notice, but the noise on analytics has been deafening. Whatever Cambridge Analytica did back in 2016, a massive change like GDPR requires a Commissioner completely focussed on implementing it. Stories about delays and poor decisions at the ICO are rife in the Data Protection community at the moment; the ICO can’t even keep its website up and running, and yet Denham seems dedicated to fighting old battles like a Japanese soldier lost in the Pacific who doesn’t know WW2 is over.

I can’t see what the SCL case has achieved. Carroll has trumpeted the criminal nature of the prosecution, claiming it proves that CA was a ‘criminal enterprise’, but the case is a relic. Under GDPR / DPA 2018, ignoring an enforcement notice is no longer a criminal offence and so there will never be another case like this. SCL might have pleaded guilty, but the substantive question of whether they gave Carroll all the data he was entitled to remains unresolved. They didn’t admit that they hadn’t, and the court cannot order them to deliver any outstanding data even if the judge thought that they should. The punishment for ignoring an enforcement notice can only ever be a financial one – a fine on conviction under the old rules, a penalty from the ICO under the new. The ICO must have known this going in.

The idea, of course, is that a data controller will comply with an enforcement notice rather than face the possible punishment, but when the ICO served the notice on SCL, they were already in administration, so they were unlikely to respond in the normal way. Indeed, as the administrators confirmed, the prosecution was only possible because they gave ICO permission to take it forward. In a bizarre twist, the administrators’ guilty plea also revealed that data relating to Carroll isn’t in their possession – it is stored on the servers seized by the ICO on the celebrated Night of the Blue Jackets. So we’re in the bewildering position of the ICO starting enforcement on a defunct company, aware that the enforcement in question cannot result in any personal data being disclosed, and in the full knowledge that any relevant information is actually in their possession. It’s DP enforcement designed by MC Escher. You have to wonder why ICO didn’t just give Carroll his data themselves.

Underneath the surface froth, there are some interesting issues. SCL’s approach to the ICO (as set out in the enforcement notice) is an exemplar in how not to deal with a regulator. In my former life as a Data Protection Officer, I was guilty of a ‘make them blink first’ approach to ICO case officers, but I never did anything as stupid as to make comparisons to the Taliban in my correspondence, or to demand that the ICO stop harassing my employer. More importantly, SCL committed a glaring tactical mistake by switching their approach mid-race. Initially, they answered Carroll’s request, but then u-turned into a claim that his request was invalid because he was a US citizen (hence the remark that he was no more entitled to make a request than a member of the Taliban). In my opinion, had they stuck to their guns and argued that there was no more data, the case would have been less appealing as an enforcement issue. In deciding to change tack, the onus is on them to convince the ICO of the change, rather than getting all holier-than-thou.

Equally interesting is Carroll’s claim that he should be treated as a creditor of the business, which he outlined to the FT:

Prof Carroll argues that the data originally held by Cambridge Analytica actually belongs to the users and should be returned to them, despite the insolvency. “I am a data creditor — just like the financial creditors,” he says. “There are outstanding obligations to me.”

I think this argument is nonsense, but the idea that data subjects own their data is a popular myth (revived with enthusiasm by the introduction of the GDPR). The problem / advantage with personal data is that it can be easily and quickly replicated; I can take a copy of your data without your permission, but unlike a conventional theft, you still have it. You can get access to the data I hold about you under a SAR or portability, but once again, I give you a copy and keep my version. Only in limited circumstances can you request that I delete it, and there are many exceptions.

Admittedly, GDPR gives the subject more control over their data than before, but it doesn’t give them ownership. It’s misleading to suggest that a data controller doesn’t really own personal data when there are so many circumstances where they can obtain, disclose, retain or destroy it without the permission of the subject, and when the opportunities for the subject to object are so limited. I don’t think Carroll understands this, but it would be interesting to see his ‘creditor’ notion tested.

Teasing this out might have been a justification for the ICO to enforce on SCL, except for the obvious fact that these issues would never be raised by doing so. If SCL hadn’t pleaded guilty, the question for the court would be whether SCL breached the notice and nothing else. Because SCL made no attempt to comply with or appeal the notice, they never had much to argue about. The enforcement notice was remarkably misguided considering ICO actually holds the data, but it is a tribute to SCL’s ineptitude that they didn’t choose to highlight this by appealing.

According to Carroll, the fight goes on with other cases, so his beef with SCL / Cambridge Analytica might one day result in something interesting, but there’s nothing here. I don’t believe that the ICO has any business enforcing Data Protection on behalf of Americans when they’re so lackadaisical about doing so on behalf of people in the UK, and so this case is an almost offensive waste of resources. But even if you disagree, all they’ve achieved here is to give the corpse of SCL a good kicking, with a result that doesn’t tell us anything about the future or very much about the past.

 

Immigrant song

With the sensitivity for which they are rightly renowned, the Home Office chose to celebrate Christmas by tweeting a cheery video full of beaming millennials, promoting the new ‘settled status’ registration scheme for EU nationals who want to stay in the UK after Brexit. People who have made their home in the UK have to register and pay for the privilege. Setting aside the crass, thoughtless way in which the scheme was promoted, concerns have been expressed on social media about the Data Protection implications, especially as regards how data is used and whether it complies with GDPR and the DPA 2018. There is an interesting sentence in the documentation: “we may also share your information with other public and private organisations in the UK and overseas”. The people behind the @the3million Twitter account made an FOI request about this, and the Home Office have refused to confirm the identity of the organisations in question. They relied on S31 of the FOI Act, which allows information to be withheld if (among other things) disclosure would or would be likely to prejudice “the operation of the immigration controls”.

S31 requires the Home Office to demonstrate a causal link between disclosure and prejudice, and has a public interest test that allows for disclosure if the public interest in doing so outweighs the public interest in withholding. So while the Home Office picked the right exemption, their decision to refuse could be challenged. The ICO doesn’t have a strong record of overturning these kinds of decisions, so the fate of any complaint is hard to predict.

But what’s that? Surely individuals subject to this process have GDPR rights, and can find this out for themselves via a subject access request? Two elements of GDPR would appear to assist – Article 13 requires the Home Office to specify “the recipients or categories of recipients” to which personal data will be disclosed in order to be transparent, while Article 15 gives the subject a right to the same information on request as part of a subject access request.

Except they don’t. I’m certain that the wording I have seen doesn’t comply with Article 13 because even the ‘categories’ bit would only work if it was clear what types of recipients are involved, and it’s plainly not. However, the GDPR allows for exemptions, and there is an exemption that the Home Office managed to get through Parliament in the DPA 2018 which allows them to keep the identity of the recipients secret. Schedule 2, Pt 1, (4) says that both transparency and subject access rights can be set aside if applying them would or would be likely to “undermine the maintenance of effective immigration controls”. If the Home Office don’t want to tell people going through the process who their data will be shared with, this exemption allows them to do so. They have to believe that transparency will undermine effective immigration control, but this is the Home Office – they probably do believe that.

So what recourse do EU citizens have? They could, of course, challenge the Home Office approach by either taking them to court or complaining to the Information Commissioner. The Commissioner could decide that the application of the exemption was incorrect (as they could with S31 of FOI), and they have powers to enforce that decision. Aside from Elizabeth Denham’s obsession with data analytics in politics (especially when allegedly deployed by the Leave side), the ICO does not have a strong track record of taking on big organisations. Admittedly, the ICO recently took on the Metropolitan Police over their Gangs Matrix database, but the problem with that is the Gangs Matrix was a mess and the Met more or less acknowledged that.

The problem here is that if the Home Office maintain their position, the ICO would have to substitute their own judgment for the Home Office’s. This wouldn’t be a mistake or a cock-up; if the Home Office use the DPA exemptions in the same way as they have the FOI ones, the only way that people can get better transparency is for the ICO to tell them that they’re wrong. This is often when Wilmslow bottles it. It’s straightforward to enforce on an organisation that has just lost thousands of people’s data (I’m sure it takes a lot of graft, but the decision to do it isn’t as hard). It’s much more difficult when the data controller hasn’t made a mistake, but is using the exemptions as described. Even if the ICO believes that the exemptions have been wrongly applied (and they might not), the Home Office is likely to ignore any recommendations and appeal any enforcement action.

The alternative is the courts, which is just as much of a roll of the dice as a complaint to the ICO, with the added complexity and cost of actually going to court. I have confidence that a court would test the Home Office’s arguments more robustly than the ICO would, but the Home Office wouldn’t be acting irrationally or unreasonably, and a judge might agree with them. These exemptions made it through Parliament and are on the statute book; the Home Office can plainly use them, and it’s not a breach of the GDPR unless the ICO or a court says that they have been applied unfairly.

Personally, I doubt that knowing who is receiving your data will undermine this process sufficiently to justify the secrecy that the Home Office has already imposed using FOI, and which I expect they will use under DP, but it doesn’t matter what I think. This is where the hype around the GDPR runs into the brick wall of reality. The Home Office doesn’t need consent to gather, use and disclose personal data in this process, as long as it has another lawful basis to do so (legal obligation or official authority will certainly kick in here). The DPA gives them exemptions to keep the nature of that processing opaque, and if they choose to use them, challenging that decision is difficult and the outcome is uncertain. This leaves an odd situation but a lawful one – if they wish to live in a country they have already made their home, it seems that EU citizens have to submit to a closed, secretive process and they cannot find out what happens to their data during that process, who gets to see it, and for what purpose.

Compensation culture

We’ve had years of headlines about Cambridge Analytica and Facebook which have captured the public’s imagination like never before, and generated huge publicity for the Information Commissioner’s Office and their army of blue-jacketed enforcers. Action, on the other hand, has been slightly less forthcoming. No action has been taken against Cambridge Analytica itself – there is the prosecution of SCL Elections over a subject access request made by an American (David Carroll), but if anyone can explain the point of prosecuting the now defunct company when the best outcome is a fine that will never be paid because it will be buried at the bottom of the pile of creditors, comment below. The ICO issued their first GDPR enforcement notice against AIQ, and it was so clumsy it had to be withdrawn and replaced (it’s astonishing that the ICO’s mishandling of this landmark action has gone virtually unnoticed). There is the famous Facebook fine of course, but that is already under appeal. Given that the Commissioner’s case changed radically from the Notice of Intent (published against all normal ICO practice) to final penalty, I don’t think that the ICO should count any chickens on the outcome.

The other issue haunting the case is a number of legal firms mounting ambitious compensation claims on behalf of those who believe themselves to be affected. Just as I am sceptical about the ICO’s track record, some odd assertions in a story in the Independent about David Carroll’s own attempt to sue Cambridge Analytica make me wonder whether the compensation road will be any less rocky. The claim is happening under the old Data Protection Act, and so Carroll and his solicitors will have to prove some kind of damage. Carroll’s solicitor Ravi Naik from ITN Solicitors is quoted as saying payouts could spiral to as much as £43 billion if only 10% of the possible affected pool of people claimed successfully.

Even if one conservatively uses the lowest end of the range, both in number and value of each claim, and calculates on the basis of 10 per cent of the estimated 87 million affected Facebook users only, with claims of £5,000 each against Cambridge Analytica, that still implies a total potential claim value of £43.5bn

I think his claims are optimistic at best, and at worst, comically exaggerated. Facebook did claim that up to 87 million people’s data may have been affected, but they’ve wavered since – to the extent that the ICO now admit that UK data wasn’t used by Cambridge Analytica in their final penalty on Facebook, despite building their NOI around that very claim. Carroll is claiming between £5000 and £20000, but he won’t get a penny unless he can show evidence of the breach in the first place, and then evidence of the damage. Claiming compensation for non-material damage is tricky. You can’t show something concrete like lost wages or business – the money won’t be awarded just because Carroll says he’s upset or annoyed, and the courts have shown scepticism in the past about claims of damage or distress (look at the Tetrus case that ICO lost on the issue of distress a few years back).

That 87 million number is a maximum, not a certainty, and the UK courts have shown themselves to be unmoved by generic class action claims of damage. Look at Richard Lloyd’s failed claim against Google, where the court said that different people will react to the use of their data in different ways. Perhaps Carroll has made a good case about the harm he says was done to him, but even if he has, that is not to say that all claimants are in the same position. If my data was abused by Facebook, my reaction would be numb resignation at worst. I can’t get outraged about Facebook abusing my data, any more than I can get upset by rain being wet. This is why I don’t use Facebook.

The consensus on LinkedIn seems to be that a possible breach is automatically accompanied by a ringing cash register – but that’s not a safe assumption, nor one backed by any evidence. Lloyd lost his Google claim. Everyone who wrote excited Tweets and LinkedIn posts about the outcome of the recent Morrisons case – where the supermarket was found vicariously liable for a breach committed by an employee – ignored the fact that even if Morrisons lose their planned appeal to the Supreme Court, the issue of how much each claimant gets hasn’t been considered yet. Admittedly, Morrisons is a claim for misuse of private information and breach of confidence, but even so, we haven’t got to the bit about the money yet. The claimants may each get a big payout; they may get bus fare. There hasn’t been a case in the UK where multiple people received a big payout because their personal data was abused.

Naik’s extravagant claims and ambitious maths make for an impressive headline, but it’s speculation. I’m uncomfortable about the idea of tempting people into joining litigation (which is presumably the point of Naik’s claim) using hyped-up numbers in this way. The words sound sensible, and Naik effectively describes his estimate as conservative, but it’s a fantasy. Carroll will lose unless he can persuade the court that a breach occurred, that he experienced damage, and that there is a figure that will compensate him for that harm. We have had a few interesting and successful compensation claims in the past, but the idea that we’re looking at lottery jackpots for DP claimants is, so far, Fake News.

 

Regulating the FOIA into obscurity?

This is a guest post from the redoubtable John Slater, whose tireless efforts to hold DWP to account are a lesson in how FOI should be used. John has had real success in wrestling information out of a stubborn and secretive system, but the post describes the hurdles in the way of the applicant, and the shameful way in which the ICO makes things worse. It’s not a quick read but there’s a lot to say. I think anyone with an interest in how the benefits system operates, or how healthy the FOI system is at the moment should give it the time it deserves. I’m very grateful to John for writing it and letting me host it.

I suspect that most people reading this have experience of submitting a request for information (“RFI”) under the FOIA and all the frustrations that can come with it. Some people may have complained to the office of the Information Commissioner (“ICO”) while others may have just given up when their RFI was refused. I suspect that a smaller number of people, who had the time, appealed ICO decisions to the First-Tier and Upper Tribunals.

Via my involvement with the FOIA I have been dealing with the ICO for approximately 6 years. My interaction has ranged from normal FOIA complaints through to appeals to the First-Tier and Upper Tribunals.

Setting aside the minor issues one typically experiences with any large organization I have to say that my experience of dealing with the ICO has been very positive. Even when a decision notice (“DN”) went against me I could understand why and how that decision was reached. In respect of appeals to the First-Tier and Upper Tribunals I have nothing but praise for the people involved, even when I was appealing an ICO decision.

However, approximately 18 months ago things started to change for the worse. The time taken to respond to complaints seems to be inexorably increasing and the quality of the case work is deteriorating. I’ll use 3 of my current complaints to illustrate the problems that I and others are experiencing on a regular basis.

Case 1 – Universal Credit Programme Board Information Packs

In July 2017 I asked the DWP for the 3 most recent packs of information that were given to the Universal Credit (“UC”) Programme Board members at each monthly meeting. Given how controversial UC is and the history of the DWP being less than honest about it, this seemed to be a good route to try to find out what the senior people responsible for UC actually know and what they are doing about it.

For those not familiar with programme management terminology the programme board consists of senior people who are accountable and responsible for the UC programme, defining the direction of the programme and establishing frameworks to achieve its objectives. So apart from Neil Couling (senior responsible owner) and the secretary of state they are about as senior as it gets. The membership of the programme board can be found here:

https://www.whatdotheyknow.com/request/419990/response/1090823/attach/html/2/3044%20IR%20516%20IR%20604%20reply.pdf.html

Unsurprisingly the DWP refused my RFI on 16 August 2017 citing S.36. However it explained that it needed an extension to carry out the public interest test (“PIT”). On 14 September 2017 the DWP did exactly the same thing. This is a tactic that the DWP uses regularly and often issues monthly PIT extensions until the ICO becomes involved.

I complained to the ICO on 14 September 2017. On 22 November a DN was issued giving the DWP 35 calendar days to issue its response. On 3 January 2018 the DWP finally confirmed that it was engaging S.36 and that the public interest did not favour disclosure (I’ve yet to see a public interest test from the DWP that does favour disclosure). I submitted a revised complaint to the ICO on 9 January 2018 challenging S.36 and the public interest decision.

Despite the 5 month delay by the DWP the ICO bizarrely told me that I still had to exhaust the DWP internal review procedure before my complaint could be investigated. I had submitted 4 internal review requests (“IRR”) during the 5 months that the DWP treated the FOIA with such contempt. I know from previous experience that the DWP would use the same PIT ‘trick’ to delay answering my IRR. I explained this to the ICO and asserted that it has the authority to proceed without me having to submit another IRR. On 30 January the ICO accepted my complaint. I know about this from experience but I assume most people would have followed the ICO instruction and been stuck in another loop of 5 months until the DWP was told to issue its response to the IRR.

On 26 April my case was assigned to a case officer, just 3 months short of a year since I submitted my request to the DWP. Despite the DWP clearly citing S.36 the ICO allowed the DWP to get away with numerous delaying tactics and nothing happened for many months. Despite chasing the ICO on a number of occasions there appeared to be no progress. My patience ran out in October 2018 and I complained to the ICO about this and two other cases. On the face of it this appeared to have got things moving.

However, on 18 October 2018 I was told by the ICO that an information notice had been served on the DWP to obtain copies of the information I had requested. The DWP has 30 days to respond to these notices.

Whilst I’m not surprised by this (in fact I even suggested this was the case in my complaint) I struggle to understand how any organisation can investigate a complaint for almost 6 months without having a copy of the requested information. I can only hope that the DN I have been seeking for so long will appear at some point in 2018!

The delay has been so long that I have actually submitted another request for more current programme board packs. At the time of writing the DWP hasn’t provided a response within 20 days so that’s another complaint that I need to send to the ICO!

Case 2 – Aggregation of various RFIs

Between 4 February and 23 April 2018 the DWP aggregated 9 of my requests for information claiming that they were for the “same or similar” information. Well, what it actually said was:

We consider each of the seven requests to be of a similar nature as they all relate to either decision making or performance delivery of disability assessments on behalf of the Department for Work and Pensions. In particular, all of the requests would be allocated to the same team for response as it falls within their specialised area.

Under Section 12 of the FOI Act the Department is not therefore obliged to comply with your request and we will not be processing it further.

This seems to suggest that the DWP believes the requested information is the same or similar because they relate to activities it carries out and the teams that do them. This is a crude attempt to rely on the discredited concept of ‘overarching themes’ that was attempted in Benson v IC and the Governing Body of Buckinghamshire New University (EA20110016). At [29] the Tribunal stated:

Whilst the Tribunal understood the Commissioner’s analysis the Tribunal felt that it was not compelling and relied on concepts that were not actually within the legislation – e.g. ‘overarching theme’. The Tribunal felt that any consequent uncertainty should, on balance, be resolved in the Appellant’s favour.

On 30 March I submitted a complaint to the ICO. My complaint involves 9 requests and deals with an important area of the FOIA, where there is very little precedent. A reasonable person might conclude that the ICO would be keen to act swiftly. On 27 April 2018 my complaint was assigned to a case officer so things were looking good. It is now coming towards the end of October and I have not had a single piece of correspondence from the ICO.

The requests that have been aggregated cover management information about how the DWP runs large controversial contracts that assess the eligibility for employment support allowance and personal independence payment (“PIP”). A previous RFI uncovered numerous problems with the quality of medical reports being produced for PIP assessments. This might explain why the DWP is so keen not to let me have the current information but not why there has been no progress by the ICO.

Case 3 – Datasets & Type of Data Held for Various Benefits About Claimants

On 26 February 2018 I asked the DWP to disclose the datasets and type of data it holds about various social security benefits. I am not asking for the actual data just the type of data and the “groups” or “sets” of data that it holds.

On 17 April 2018 the DWP refused my request citing S.31 (it eventually confirmed it meant section 31(1)(a)) and S.24. After a further IRR the DWP reconfirmed its position and I complained to the ICO on 15 July. Some 3 months later on 11 October I was finally told that my case had been assigned to a case officer. Does this now mean I wait for a further 6 months before anything actually happens?

Conclusion

I know the ICO is very busy, partially due to the new Data Protection legislation, but the problems that I and others are experiencing can’t just be explained by “being busy”. Based on my previous experience of dealing with them I also don’t believe it is the fault of the case officers. These problems are due to serious organisational failings within the ICO. There doesn’t seem to be the type of business processes / workflow that one would expect to see in an organisation of this size. The line management oversight of case officers appears to be absent. Based on my own experience it seems to be that the line managers focus solely on protecting case officers while actually making matters worse for them as their workloads probably grow faster than they can cope with.

The ICO should have a small set of metrics about how it is dealing with cases. Surely line managers should be looking at cases where nothing has actually happened for 6 months and do something about it? The idea of management by exception has been around for a long time and yet I’m left with the impression that there are no exceptions set within the ICO and senior management have no impartial way of knowing what is actually going on at the case level.

People might wonder why this matters and that in these times of constrained budgets we should expect cases to take longer. I can’t accept this as one of the key drivers for the FOIA is that we get a chance to hold public authorities to account for their actions. For that to happen we need access to information while it is still relatively current.

It is generally known that there are certain large government departments that have a very poor history in respect of FOIA. If someone requests information that these departments suspect will be embarrassing they will deliberately play the system to delay disclosure. From personal experience it’s all far too easy to do:

  1. Ignore the request completely until the ICO tells the department to respond (3+ months).
  2. Use the public interest test with impunity to introduce a 5 to 6 month delay before the requester can complain to the ICO about the exemption cited.
  3. 3 months before a case officer is assigned.
  4. At least 3 to 6 months before a DN is issued.

Total possible delay = 14 to 18 months.

The department can then appeal the DN to the First-Tier Tribunal (“FTT”), even if there is little chance of success. I’ve had 2 cases recently that have been appealed and then withdrawn just before the FTT hearing was due to take place. This added another 6 month delay let alone the cost to the public purse. If the DWP had actually gone through with the appeals and lost then that delay would probably be closer to 9 to 12 months.

This means that “playing the system” allows disreputable government departments to delay disclosure of embarrassing information by at least 2 years. Any media interest in the information can then be met with the claim that it is now ‘historical’ and things are better now.

A good example of this is the Project Assessment Review Reports (“PARs”) for the Universal Credit programme. I asked the DWP for these in April 2016 (see URL below):

https://www.whatdotheyknow.com/request/universal_credit_programme_proje#comment-82746

Using the delaying tactics described above and making the ICO issue an information notice to compel the DWP to release the PARs to them, they weren’t disclosed until March 2018. That’s a 2 year delay.

The ICO needs to sort out the internal delays that these government departments seem to be relying on. They also need to make sure there are meaningful consequences for public authorities that “play the system”. Writing strongly worded DNs telling public authorities off for abusing the system is meaningless. The ICO was highly critical of the DWP in its DN for the PARs case. A link to the DN is given below and the criticisms start at [62].

https://ico.org.uk/media/action-weve-taken/decision-notices/2017/2014762/fs50640285.pdf

The criticism has had absolutely no impact on the DWP. It still regularly doesn’t reply in time and still produces “boilerplate” responses that have little bearing on the case in question.

As a result of the new GDPR and Facebook the Information Commissioner regularly seems to be in the media and was recently named as the most influential person in data-driven business in the updated DataIQ 100 list. I hear talk of the Commissioner being able to issue huge fines for data breaches and serving enforcement notices on organisations that are not complying with the FOIA.

The original white paper “your right to know” stated at [1.1]:

“Unnecessary secrecy in Government leads to arrogance in government and defective decision-making. The perception of excess secrecy has become a corrosive influence in the decline of public confidence. Moreover, the climate of public opinion has changed; people expect much greater openness and accountability from government than they used to.”

If public authorities continue to be allowed to easily introduce delays of 2 years before disclosure then the regulator of the FOIA is failing in her role. Before the FOIA we only had the thirty-year rule (now moving to the twenty-year rule) controlling when information was released to the public.

I suggest that we are rapidly approaching the situation where by default we have the “two-year rule” for information government departments do not want released. Unless the Commissioner does something about it that will slowly increase to the “three-year rule” and then the “four-year rule”. From my perspective it’s time the Commissioner stopped boasting about all the powers she has and started using them.