Regulating the FOIA into obscurity?

This is a guest post from the redoubtable John Slater, whose tireless efforts to hold DWP to account are a lesson in how FOI should be used. John has had real success in wrestling information out of a stubborn and secretive system, but the post describes the hurdles in the way of the applicant, and the shameful way in which the ICO makes things worse. It’s not a quick read but there’s a lot to say. I think anyone with an interest in how the benefits system operates, or how healthy the FOI system is at the moment should give it the time it deserves. I’m very grateful to John for writing it and letting me host it.

I suspect that most people reading this have experience of submitting a request for information (“RFI”) under the FOIA and all the frustrations that can come with it. Some people may have complained to the office of the Information Commissioner (“ICO”) while others may have just given up when their RFI was refused. I suspect that a smaller number of people, who had the time, appealed ICO decisions to the First-Tier and Upper Tribunals.

Via my involvement with the FOIA I have been dealing with the ICO for approximately 6 years. My interaction has ranged from normal FOIA complaints through to appeals to the First-Tier and Upper Tribunals.

Setting aside the minor issues one typically experiences with any large organization I have to say that my experience of dealing with the ICO has been very positive. Even when a decision notice (“DN”) went against me I could understand why and how that decision was reached. In respect of appeals to the First-Tier and Upper Tribunals I have nothing but praise for the people involved, even when I was appealing an ICO decision.

However, approximately 18 months ago things started to change for the worse. The time taken to respond to complaints seems to be inexorably increasing and the quality of the case work is deteriorating. I’ll use 3 of my current complaints to illustrate the problems that I and others are experiencing on a regular basis.

Case 1 – Universal Credit Programme Board Information Packs

In July 2017 I asked the DWP for the 3 most recent packs of information that were given to the Universal Credit (“UC”) Programme Board members at each monthly meeting. Given how controversial UC is and the history of the DWP being less than honest about it, this seemed to be a good route to try to find out what the senior people responsible for UC actually know and what they are doing about it.

For those not familiar with programme management terminology the programme board consists of senior people who are accountable and responsible for the UC programme, defining the direction of the programme and establishing frameworks to achieve its objectives. So apart from Neil Couling (senior responsible owner) and the secretary of state they are about as senior as it gets. The membership of the programme board can be found here:

https://www.whatdotheyknow.com/request/419990/response/1090823/attach/html/2/3044%20IR%20516%20IR%20604%20reply.pdf.html

Unsurprisingly the DWP refused my RFI on 16 August 2017 citing S.36. However it explained that it needed an extension to carry out the public interest test (“PIT”). On 14 September 2017 the DWP did exactly the same thing. This is a tactic that the DWP uses regularly and often issues monthly PIT extensions until the ICO becomes involved.

I complained to the ICO on 14 September 2017. On 22 November a DN was issued giving the DWP 35 calendar days to issue its response. On 3 January 2018 the DWP finally confirmed that it was engaging S.36 and that the public interest did not favour disclosure (I’ve yet to see a public interest test from the DWP that does favour disclosure). I submitted a revised complaint to the ICO on 9 January 2018 challenging S.36 and the public interest decision.

Despite the 5 month delay by the DWP the ICO bizarrely told me that I still had to exhaust the DWP internal review procedure before my complaint could be investigated. I had submitted 4 internal review requests (“IRR”) during the 5 months that the DWP treated the FOIA with such contempt. I know from previous experience that the DWP would use the same PIT ‘trick’ to delay answering my IRR. I explained this to the ICO and asserted that it has the authority to proceed without me having to submit another IRR. On 30 January the ICO accepted my complaint. I know about this from experience but I assume most people would have followed the ICO instruction and been stuck in another loop of 5 months until the DWP was told to issue its response to the IRR.

On 26 April my case was assigned to a case officer, just 3 months short of a year since I submitted my request to the DWP. Despite the DWP clearly citing S.36 the ICO allowed the DWP to get away with numerous delaying tactics and nothing happened for many months. Despite chasing the ICO on a number of occasions there appeared to be no progress. My patience ran out in October 2018 and I complained to the ICO about this and two other cases. On the face of it this appeared to have got things moving.

However, on 18 October 2018 I was told by the ICO that an information notice had been served on the DWP to obtain copies of the information I had requested. The DWP has 30 days to respond to these notices.

Whilst I’m not surprised by this (in fact I even suggested this was the case in my complaint) I struggle to understand how any organisation can investigate a complaint for almost 6 months without having a copy of the requested information. I can only hope that the DN I have been seeking for so long will appear at some point in 2018!

The delay has been so long that I have actually submitted another request for more current programme board packs. At the time of writing the DWP hasn’t provided a response within 20 days so that’s another complaint that I need to send to the ICO!

Case 2 – Aggregation of various RFIs

Between 4 February and 23 April 2018 the DWP aggregated 9 of my requests for information claiming that they were for the “same or similar” information. Well, what it actually said was:

We consider each of the seven requests to be of a similar nature as they all relate to either decision making or performance delivery of disability assessments on behalf of the Department for Work and Pensions.  In particular, all of the requests would be allocated to the same team for response as it falls within their specialised area. 

Under Section 12 of the FOI Act the Department is not therefore obliged to comply with your request and we will not be processing it further.

This seems to suggest that the DWP believes the requested information is the same or similar because they relate to activities it carries out and the teams that do them. This is a crude attempt to rely on the discredited concept of ‘overarching themes’ that was attempted in Benson v IC and the Governing Body of Buckinghamshire New University (EA20110016).  At [29] the Tribunal stated:

Whilst the Tribunal understood the Commissioner’s analysis the Tribunal felt that it was not compelling and relied on concepts that were not actually within the legislation – e.g. ‘overarching theme’. The Tribunal felt that any consequent uncertainty should, on balance, be resolved in the Appellant’s favour.

On 30 March I submitted a complaint to the ICO. My complaint involves 9 requests and deals with an important area of the FOIA, where there is very little precedent. A reasonable person might conclude that the ICO would be keen to act swiftly. On 27 April 2018 my complaint was assigned to a case officer so things were looking good. It is now coming towards the end of October and I have not had a single piece of correspondence from the ICO.

The requests that have been aggregated cover management information about how the DWP runs large controversial contracts that assess the eligibility for employment support allowance and personal independence payment (“PIP”). A previous RFI uncovered numerous problems with the quality of medical reports being produced for PIP assessments. This might explain why the DWP is so keen not to let me have the current information but not why there has been no progress by the ICO.

Case 3 – Datasets & Type of Data Held for Various Benefits About Claimants

On 26 February 2018 I asked the DWP to disclose the datasets and type of data it holds about various social security benefits. I am not asking for the actual data just the type of data and the “groups” or “sets” of data that it holds.

On 17 April 2018 the DWP refused my request citing S.31 (it eventually confirmed it meant section 31(1)(a))  and  S.24. After a further IRR the DWP reconfirmed its position and I complained to the ICO on 15 July. Some 3 months later on 11 October I was finally told that my case had been assigned to a case officer. Does this now mean I wait for a further 6 months before anything actually happens?

Conclusion

I know the ICO is very busy, partially due to the new Data Protection legislation, but the problems that I and others are experiencing can’t just be explained by “being busy”. Based on my previous experience of dealing with them I also don’t believe it is the fault of the case officers. These problems are due to serious organisational failings within the ICO. There doesn’t seem to be the type of business processes / workflow that one would expect to see in an organisation of this size. The line management oversight of case officers appears to be absent. Based on my own experience it seems to be that the line managers focus solely on protecting case officers while actually making matters worse for them as their workloads probably grow faster than they can cope with.

The ICO should have a small set of metrics about how it is dealing with cases. Surely line managers should be looking at cases where nothing has actually happened for 6 months and do something about it? The idea of management by exception has been around for a long time and yet I’m left with the impression that there are no exceptions set within the ICO and senior management have no impartial way of knowing what is actually going on at the case level.

People might wonder why this matters and that in these times of constrained budgets we should expect cases to take longer. I can’t accept this as one of the key drivers for the FOIA is that we get a chance to hold public authorities to account for their actions. For that to happen we need access to information while it is still relatively current.

It is generally known that there are certain large government departments that have very poor history in respect of FOIA. If someone requests information that these departments suspect will be embarrassing they will deliberately play the system to delay disclosure. From personal experience it’s all far too easy to do:

  1. Ignore the request completely until the ICO tells the department to respond (3+ months).
  2. Use the public interest test with impunity to introduce a 5 to 6 month delay before the requester can complain to the ICO about the exemption cited.
  3. 3 months before a case officer is assigned.
  4. At least 3 to 6 months before a DN is issued.

Total possible delay = 14 to 18 months.

The department can then appeal the DN to the First-Tier Tribunal (“FTT”), even if there is little chance of success. I’ve had 2 cases recently that have been appealed and then withdrawn just before the FTT hearing was due to take place. This added another 6 month delay let alone the cost to the public purse. If the DWP had actually gone through with the appeals and lost then that delay would probably be closer to 9 to 12 months.

This means that “playing the system” allows disreputable government departments to delay disclosure of embarrassing information by at least 2 years. Any media interest in the information can then be met with the claim that it is now ‘historical’ and things are better now.

A good example of this is the Project Assessment Review Reports (“PARs”) for the Universal Credit programme. I asked the DWP for these in April 2016 (see URL below):

https://www.whatdotheyknow.com/request/universal_credit_programme_proje#comment-82746

Using the delaying tactics described above and making the ICO issue an information notice to compel the DWP to release the PARs to them, they weren’t disclosed until March 2018. That’s a 2 year delay.

The ICO needs to sort out the internal delays that these government departments seem to be relying on. They also need to make sure there are meaningful consequences for public authorities that “play the system”. Writing strongly worded DNs telling public authorities off for abusing the system is meaningless. The ICO was highly critical of the DWP in its DN for the PARs case. A link to the DN is given below and the criticisms start at [62].

https://ico.org.uk/media/action-weve-taken/decision-notices/2017/2014762/fs50640285.pdf

The criticism has had absolutely no impact on the DWP.  It still regularly doesn’t reply in time and still produces “boilerplate” responses that have little bearing on the case in question.

As a result of the new GDPR and Facebook the Information Commissioner regularly seems to be in the media and was recently named as the most influential person in data-driven business in the updated DataIQ 100 list. I hear talk of the Commissioner being able to issue huge fines for data breaches and serving enforcement notices on organisations that are not complying with the FOIA.

The original white paper “your right to know” stated at [1.1]:

Unnecessary secrecy in Government leads to arrogance in government and defective decision-making. The perception of excess secrecy has become a corrosive influence in the decline of public confidence. Moreover, the climate of public opinion has changed; people expect much greater openness and accountability from government than they used to.”

If public authorities continue to be allowed to easily introduce delays of 2 years before disclosure then the regulator of the FOIA is failing in her role.  Before the FOIA we only had the thirty-year rule (now moving to the twenty-year rule) controlling when information was released to the public.

I suggest that we are rapidly approaching the situation where by default we have the “two-year rule” for information government departments do not want released. Unless the Commissioner does something about it that will slowly increase to the “three-year rule” and then the “four-year rule”. From my perspective its time the Commissioner stopped boasting about all the powers she has and started using them.

Human Wrongs

A few years ago I went to Strasbourg, home of the famous European Court of Human Rights. After admiring the building itself, I noticed a disabled man camping on the other side of the tracks that take visitors to the tram stop named, rather piously, ‘Droits De L’Homme’. He had a huge display in several languages, setting out the appalling injustice that the Court had dealt him by not upholding his case. There were several such men, who would no doubt have treated a ECHR victory as total vindication, but the loss was evidence only of the Court’s bias and corruption. I immediately thought of the notorious FOI applicant and progenitor of vexatious caselaw Alan Dransfield, and wondered if one day, he would be one of the poor souls, earnestly telling his sorry tale to tourists. This is unlikely of course, because Dransfield would spend his time shouting at every passer-by that they were a dickhead.

Nevertheless, the website ‘Amazon News Media’ chose to celebrate International Human Rights Day last month (10th December, diary fans) by publishing an open letter from Dransfield to the Justice Secretary Elizabeth Truss. Fans of Dransfield’s work will be pleased to see a number of familiar themes in the letter. Dransfield claims that the Information Commissioner’s Office is guilty of fraud and theft of public funds. There is ‘tangible evidence‘ that they, along with multiple public authorities, are involved in a conspiracy to pervert the course of justice:

The evidence of complicity between the ICO and Public Authorities seeking to avoid obligations under FOI by consistent misuse and abuse of Section 14/1 vexatious exemption is overwhelming

Dransfield doesn’t specify what the overwhelming / tangible evidence is, beyond asserting that he lost his case at the Court of Appeal, so QED: the fix is in. The letter makes a series of allegations about the ICO and demands that the Commissioner is sacked and replaced by himself. The allegations are a mixture of falsehood (he says that they don’t publish their register of interests when they do) and opinion (he claims it is a breach of an unspecified EU Trade law that the ICO usually uses 11KBW for legal services, ignoring the fact that they are the leading information law chambers in the UK). The only verifiable claim is the conflict of interest in having a council leader act as a manager of a team that deals with complaints about councils and political parties. Dransfield only knows about this because I did an FOI request about it and wrote about it here (inevitably, Dransfield spells his name wrong and the mistake slipped through Amazon News Media’s presumably robust fact checking procedures).

If you’re not familiar with it, the scale of the Dransfield conspiracy is breathtaking – construction companies including Balfour Beatty, multiple councils, the Health and Safety Executive, Dransfield’s MP Ben Bradshaw, the previous and current Information Commissioners and many of their staff, West Ham United, the Olympic Delivery Authority and various other Olympic bodies, former secretary of state Chris Grayling, myself, the Upper Tribunal, the Court of Appeal, the Supreme Court and the House of Lords, all working tirelessly to cover up the construction of a network of unsafe buildings and bridges across the UK. Only Dransfield has the insight to see the conspiracy in all its Byzantine complexity, and the entire UK legal system is ranged against him to stop his crusade.

There is, of course, another perspective, but Amazon News Media have seemingly backed Dransfield with gusto. The accompanying editorial hails “Mr Dransfield’s long experience as a social watchdog” and complains of his “extensive scapegoating” but demonstrates a slender grasp on the facts. For example, it claims that vexatiousness was planted at the second, Upper Tier Tribunal, rather than being a feature of the original refusal dealt with by the ICO. Moreover, like Dransfield, Amazon News Media make big play of the fact that it was the ICO who appealed to the Upper Tribunal and Court of Appeal, describing it as an “abuse” of the system. When Dransfield went to the First Tier Tribunal, he was appealing the ICO’s decision, not Devon’s original refusal. If the ICO disagrees with the FTT, it is they (and not Devon) who must take forward the appeal. The appeal process is not open only to the applicant – public authorities and applicants can challenge the Commissioner, but the Commissioner is entitled to challenge decisions that they think are wrong. This is how the system is designed, and Dransfield chose to use that system. Complaining about the result of a process you initiated is acting like the men outside the ECHR.

I put a comment on the Amazon News Media blog, pointing out that I had made 100s* of FOI requests without ever being refused as vexatious (the issue of Alex Ganotis’ role at the ICO just being one of many), pointing out that Dransfield’s hostility and abusive character is probably part of the problem. An unnamed representative of the organisation dismissed this – apparently, when Dransfield called the Information Commissioner Elizabeth Denham a ‘useless cow’ on Twitter, this was just “colourful language [that] perhaps reflects the insult of having your name unreasonably scape-goated for half a decade“. So perhaps the insult is Denham’s fault for not giving Dransfield the face-to-face meeting he’s been demanding since July. It’s an odd perspective, because Dransfield has been calling me a prick and a dickhead for disagreeing with him ever since this mess started.

I can’t work out who runs the Amazon News Media site – it describes itself as “an evidence-based website practising freelance written and video journalism“, but the website, Twitter account and Facebook page are all somewhat anonymous. The site itself is registered to a David Hodgson in New Zealand, but the nameless person who runs the Twitter account told me that it is based in Swansea. Whoever they are,

UPDATE: I know who they are. I’ve read all 59 pages of the judgement.

They have made a fatal error in their analysis of Dransfield’s case. The editorial states that Dransfield enjoys “superior knowledge of lighting protection systems, and Health and Safety regulations” – the problem is that this is irrelevant to the case. S14 of FOI has no public interest test – it’s not about the information, but the process.

The Information Commissioner, the two Tribunals and the Court of Appeal are not supposed to decide whether Dransfield is right about the unsafe buildings. For the record, I think the conspiracy is a complete fantasy, and Dransfield’s requests are the result of a grudge against his former employer, Balfour Beatty. None of Dransfield’s blood-curdling predictions about fatal lightning strikes have come true, and I am not aware of anyone in the UK Health and Safety sector who backs his theories (I’m famously an arsehole and lots of people agree with me about Data Protection despite this impediment).

None of this matters. The question in play is not one about Health and Safety. The question is whether Dransfield’s torrent of requests, complaints and other correspondence were an abuse of the FOI system. Dransfield had every opportunity to put his case before four independent bodies – one of them agreed with him, and the others did not. It’s not impossible for Dransfield to be right about the buildings (as unlikely as this may seem) and yet, because of his hostility, his stubbornness and the sheer weight of his requests, they tip into vexatiousness.

Ironically, despite Dransfield’s antipathy towards the ICO (and his misogyny towards the new Commissioner), his demand that the ICO sort out the vexatious issue is completely wide of the mark. Even if Denham accepted that he was right, she is powerless to reverse the Dransfield decision. If Wilmslow executed a volte face tomorrow, the Court of Appeal decision would still stand. Public authorities could use the CoA judgement against the ICO in the Tribunals who would be bound by it. Only the courts can change the decision – it is out of the Commissioner’s hands. It’s tempting to believe that Dransfield knows this, and he directs his rage toward the ICO solely because he enjoys it, rather than knowing it will change the outcome.

In the end, Amazon News Media grew tired of my interventions and refused to publish my final comment unless I edited out all of the mansplaining, repetition and “snark”. Instead of being censored, you can – if you wish – read the comments on ANM, and then, by way of a conclusion to all this, I reproduce the comment that they found so objectionable.

You can twist what I have said in any direction that suits you. The decisions that the ICO makes are, obviously, about the public interest (where that applies, and with some exemptions, it doesn’t). Sometimes they get those decisions wrong, sometimes they get them right. When a decision has been tested at several levels, and then looked at subsequently by differently constituted tribunals, you have two choices. Either you can believe that there is an enormous conspiracy to subvert the FOI Act, or you can look at the particular case and decide that maybe the system got it right. There is no inner truth here – you believe what you want to believe based on your own prejudices.

What I said above is that Mr Dransfield’s letter, your publication of it and your conspiracy theories about the legal system will have no practical effect. Truss will not intervene because it isn’t her place to intervene in legal cases. The European Court of Human Rights will not intervene, because Mr Dransfield has been refused leave to appeal there. These are facts – you can put a political / paranoid spin on them if you like, but the spin doesn’t change the facts. If you want to stop vexatious decisions being made under Dransfield, someone needs to take a case all the way to the Court of Appeal and get Dransfield overturned. Alternatively, the FOI Act will have to be amended in Parliament. Given that you think the entire legal system is corrupt, I assume you’re not much keener on MPs. Which makes all of the above a monumental waste of time. But at least it gives you and Dransfield something to do.

* ANM refuse to believe that I have made 100s of FOI requests without proof. Given that they are willing to turn an abusive blowhard into a Human Rights champion without any justification, I am content to say that I have, and if they or you don’t believe me, I don’t care.

** It has been suggested to me that in my comment above, I said that the Court of Appeal can overturn Dransfield, whereas the suggestion is that actually, only the Supreme Court can do it i.e. the court *above* the Court of Appeal. If this is right (and I suspect that it is), the difficulty of reversing Dransfield is greater.

Any last requests?

A month ago, the redoubtable information rights expert and blogger Jon Baines wrote about an odd change on the ICO’s website. Just after the EU referendum vote, the ICO published a bold statement, calling for Data Protection standards in the UK to be equivalent to those in the EU. Shortly after, the statement disappeared. Around a week later, it was replaced by something more bland. Jon wondered why the ICO had resiled from their original position. He was, however, fortunate to receive a comment from an ICO spokesman:

“We noted the debates about different options that emerged following the referendum result and we decided to move to a simpler statement to avoid being too closely associated to any one particular position”

I believe that this statement is untrue.

After a conversation with Jon, I made an FOI request to the ICO for “Any recorded information on the decision to remove the statement, including who made the decision to remove it, and why it was removed“. Remarkably, the ICO claims to hold just one email that is relevant to my request (I’m not convinced, so I am following this up), but I think it’s reasonable to conclude that the ICO did not change the statement because they “noted the debates“. They changed the statement because the Department for Culture, Media and Sport, the government department responsible for Data Protection, asked them to.

A DCMS official emailed Christopher Graham, the former Information Commissioner, directly on 28th June:

Screen Shot 2016-08-26 at 09.07.02

The revised version is identical to the statement that you’ll find here on the ICO website.

The DCMS position is understandable – a few days after an unexpected vote, it’s not hard to imagine that they hadn’t reached a final position on GDPR. I’d be surprised if they were certain now, frustrating as that might be for the likes of me. But when the DCMS talks about it being far to early for “us” to be so definitive, they are not talking about the ICO, which is legally separate from and independent of Government. If the former Commissioner and his staff believed that the DPA is out of date and not fit for purpose, they were right to say so. Bear in mind that the statement in question was made after the vote, not when the ICO view could in any way have influenced its outcome (or when such an allegation could be made). DCMS are free to disagree with them, and indeed to ignore them if they so choose. I think GDPR-lite is a terrible idea, but they can pursue if they think it’s right. I’m not even sure I want to criticise the DCMS request – it’s quite clearly not an instruction.

However, for the ICO to change their statement (and by default, their official position on the GDPR) is a significant and worrying step. The ICO’s position can be identical to the DCMS one, but only if that’s because the ICO thinks DCMS is correct. It would be in no-one’s interests for the ICO to challenge and contradict DCMS merely to show that they’re nobody’s poodle. But Wilmslow’s reaction to the Brexit vote was clear, and now it’s not. Was the original position wrong? Is there any reason why the ICO cannot be allied to one particular position if they think it’s the right one?

Equally, if the ICO is going to change its public position, it should be honest with the public about why it is doing so. The statement on the ICO website says

At the annual report launch on 28 June 2016, Information Commissioner Christopher Graham updated the ICO statement

Whereas, what it should say is:

At the request of the DCMS, at the annual report launch on 28 June 2016, Information Commissioner Christopher Graham updated the ICO statement

As embarrassing as this might be, if the ICO is content to follow the debate about the future of the GDPR in the UK rather than leading it, it should be honest enough to admit that this is their position. I’ve already blogged about the bizarre situation that the ICO team that deals with complaints about political parties and councils are managed by a serving Labour Council leader. Here is another situation where the ICO’s ability to make robust, independent decisions appears to be compromised.

This depressing episode happened in the dying days of the previous Commissioner’s tenure; more than ever, I am glad that he is gone. We have a new Commissioner about whom I have seen and heard nothing but encouraging things. I can only hope that when faced with decisions like this in the future, Elizabeth Denham takes an more independent approach.

Wanted

Many of today’s newspapers report (once again) that police forces are refusing to name wanted suspects because of Data Protection and Human Rights. It’s tempting to assume that by now, everyone knows that the Data Protection Act does not prevent the disclosure of wanted suspects’ names and photos, so when another newspaper makes an FOI request for the most wanted, the inevitably craven and risk-averse responses don’t really need to be debunked. Surely we all know that the cops either don’t want to get into nuanced conversations about the operational reasons not to name the suspects, they are too cowardly to use Data Protection to justify disclosure, or they just plain don’t understand the process? Is it really worth pointing out why the decision is so knuckle-headed?

Admittedly, without seeing all of the responses, I can’t be certain how bad they really are – all we have are selected quotes. I must also acknowledge that my judgement is clouded by having recently made FOI requests to a number of police forces, an experience that makes me assume that everything these forces have done is wrong. Nevertheless, it doesn’t look good – Humberside Police apparently told the Daily Mail that it wasn’t in the public interest to disclose sensitive personal data, despite the DP exemption in FOI not having a public interest test. Meanwhile, Leicestershire Police claimed a suspected murderer and rapist, could not be named because it went against the ‘principles of fairness’, while Staffordshire said its response was “processed in line with individuals’ rights”, which means either that Staffordshire have received a valid Section 10 notice from each of the suspects in question, or they don’t know what they are talking about. 18 other forces are cited by the Mail as having claimed that Data Protection prevents disclosure.

The only force who appear to have a leg to stand on are Nottinghamshire, who used Section 30(1) of FOI. S30 applies to investigations, so presumably Nottinghamshire are arguing that if they haven’t already named the suspects, it isn’t in the public interest to release them in response to an FOI. I can’t say for certain if this decision is correct, but the use of S30 suggests that Nottinghamshire’s decision is based on operational reasons related to their ongoing investigation. On that basis alone, they deserve the benefit of the doubt in a way that any force using S40 does not.

Rather than spend another 500 words calling police FOI and DP decision makers an assortment of rude names (which was my original plan for this blog), permit me to explain exactly why the use of Data Protection is always nonsense in these situations.

HOW DOES SECTION 40 WORK?

Section 40 of FOI defers entirely to the Data Protection Act when the request is for personal data about someone else. Essentially, if a disclosure of personal data would breach any of the Data Protection principles, if it would breach a valid Section 10 notice issued by the data subject, or if it would be exempt from subject access (i.e. the subject would not receive it themselves if they asked for it). In practice, the Information Commissioner considers that if the disclosure will not breach the first Data Protection principle, S40 is not a barrier. The forces must be arguing that disclosure of the wanted suspect’s data breaches the first principle.

HOW DOES THE FIRST PRINCIPLE WORK?

The first principle says that the processing of data – here, the disclosure – must be FAIR, LAWFUL, and ACCORDING TO A SET OF CONDITIONS.

FAIR

Fair means what it says in the dictionary, and it also means that the data subject must be informed of how their data will be used. The ICO is fond of the notion of ‘reasonable expectations’ – you don’t need to tell people how their data will be used if it’s obvious. This would plainly apply in these circumstances; a suspect cannot expect that their data will be suppressed while they are being hunted. In any case, S29 of Data Protection removes the requirement to use data fairly in any situation where doing so would prejudice the apprehension or prosecution of offenders. Therefore, if disclosure of the suspects’ identities would assist in their capture, fairness is no barrier.If disclosure will prejudice attempts to recover them, the FOI S30 exemption used by Nottinghamshire is the right exemption. The problem that would motivate the police is the effect on their investigation rather than the personal data issue.

LAWFUL

Lawful means that police forces cannot breach *other* laws by the processing of personal data. This could be why Human Rights were cited by some of the forces. If disclosure of the personal data would breach a suspect’s Article 8 rights to privacy, the disclosure would be unlawful, and so DP would be a barrier. But this is nonsense. The right to privacy is not an absolute right, and can be interfered with in a variety of circumstances, including where it is necessary in the interests of national security, public safety, for the prevention of disorder or crime. You can, if you like, argue that naming the suspects interferes with their privacy (I don’t think it does) but even if it does, if publication of the names will assist in their capture, the interference would clearly be necessary to protect public safety or prevent crime. It’s lawful, unless the police argue that disclosure will impair their investigation. If they thought that, they would use Section 30 of FOI.

CONDITIONS

The data in question is sensitive personal data, as it relates to the alleged commission of crime. This means that each force has to meet two conditions in order to disclose: once from Schedule 2  and one from Schedule 3.

Schedule 2 is easy – we can pick from 5 (the processing is necessary for the administration of justice or the processing is necessary for the exercise of public functions in the public interest) or 6 (the processing is necessary for legitimate interests that do not cause unwarranted prejudice to the rights and freedoms or interests of the subject). The first two might be preferable to the balancing exercise required by the third, but if you really think that disclosing the name of a wanted man causes unwarranted prejudice to their rights, you are a moron.

Schedule 3(7)(1)(a) gives us administration of justice again while 3(7)(1)(b) gives us exercise of functions conferred on any person. The DPA was amended in 2000, which also allows any disclosure of sensitive data necessary to prevent or detect an unlawful act.

The only problem here would be if the force believed that disclosure would prejudice their ability to catch the wanted suspects. For the third time, if this is the case, Data Protection is not what they are worried about. They may have good operational reasons not to want to disclose, but they are choosing instead to hide behind Data Protection, which has the dual problem of making them look like politically correct idiots, and damaging the reputation of Data Protection which, as I have demonstrated, can easily be used to justify the disclosure. It took me 30 minutes to write this, and I would happily use it as a justification to disclose personal data; the only reason not to would be an operational reason, and FOI provides much better exemptions to protect the integrity and effectiveness of police investigations.

The only possible explanation I can think of for why the police cling to this idea that DP is a barrier to disclosure is that someone is feeding them terrible advice and guidance about how DP really works, and nobody is willing to stick their necks out and question it. This paints a terrible picture of the information rights culture in policing, and someone needs lay down the law as a matter of urgency.

 

A Company of Wolves

In November 2015, the Managing Director of Wolverhampton Council, Mr Keith Ireland, gave his considered verdict on Freedom of Information:

The vast majority of requests come from media across the country, be that the BBC, local media, or media in general. They come from people who are out to create trouble for councils and students who are too lazy to do their own research. Others come from big companies who can’t be bothered to look up the data and want to know when contracts are on for re-evaluation. It is a really costly exercise. The original principal (sic) of FOI is not what is happening in reality.

Although the council has previously estimated that it cost them £199,200 to process last year’s FOI requests, Mr Ireland told his council’s scrutiny committee that the cost was more like £500,000.

Mr Ireland is no stranger to the expensive burdens of running a modern local authority or FOI requests designed to make trouble for councils. In July 2011, while he was acting as an interim Big Cheese at Northumberland Council, an FOI request made by a local councillor revealed that his services had cost the council £131,600 in six months, a rate of £1175 per day. It’s possible that the consultancy firm Gatenby Sanderson (currently recruiting the new Information Commissioner) might have trousered some of that money, but Mr Ireland was apparently not pleased by the revelation, sending a “scathing email” to the councillor in question.

Mr Ireland is clearly keen for a debate on the costs of council activities, so I decided to dust off a favourite old FOI request – how much money does Wolverhampton spend on FOI staff, and how much does it spend on PR? FOI and PR are a good match – both are concerned with delivering information to journalists and the wider public, both are delivered by a small core of dedicated staff, but involve a huge variety of council officers on occasion, including senior officers. There are two main differences: FOI is statutory and PR is not, and while many happily participate in PR (here’s Mr Ireland involved in a completely pointless photo-op marking his appointment at Wolverhampton), they resent FOI.

This is what I asked for:

For the most recent financial year for which figures are available, the total number of staff working on public relations and communications, and the total salaries paid to those staff. I do not want to request a breakdown of the figures per member of staff.

For the most recent financial year for which figures are available, the total number of staff working on freedom of information, and the total salaries paid to those staff. I do not want to request a breakdown of the figures per member of staff.

You can pick apart the way that I phrased it, but one thing you cannot deny: the two questions are the same. However you interpret the first question, you must interpret the second one in the same way. FOI and PR are not done simply by those who have FOI or PR / communications in their job title. All sorts of people get roped into both activities – the Leader of the Council will even stand outside the Council offices to shake Mr Ireland’s hand. So even if you read that question and think “I have to tell this guy about all the extra work FOI involves, even though it’s not what he’s asked for”, you’d surely have to think the same for the PR question.

There are two possible answers; either Wolverhampton gives me the total salaries of the PR staff and the FOI staff, or they assume that I want to know the total cost of both activities, given that I have asked for both activities in exactly the same way. It would be really weird if they gave me the total salaries for the PR people, but made an assumption based on absolutely nothing in my request that I wanted the total cost of FOI compliance.

But that is what they did.

The PR answer was:

For the period 2014/2015 there were nine people working on public relations and communications with a combined annual salary of £431,062.

But the FOI answer was

The total estimated cost of responding to Freedom of Information (FOI) requests in 2014/15 was £490,000. This comprises an element of process management and administration and is based on six people working on FOI requests for a percentage of their time. This figure also comprises an assessment of respondent time across the organisation based upon the number of requests received last year (1245) broken down into categories of complexity; but does not include any costs associated with Councillors or Strategic Directors.” Several paragraphs follow about how they cannot be any more specific about the total costs for all the process management and administration I didn’t ask about. The effect, needless to say, was to ensure that the FOI figure was higher than the PR figure, and perhaps coincidentally, it was remarkably close to the £500,000 figure brandished by Mr Ireland.

Needless to say, I asked for an internal review, pointing out that they hadn’t answered my question, and asking why it was that they had approached my two identical questions in two completely different ways. I didn’t expect them to say “We deliberately massaged the figures so that you wouldn’t be able to say that our Managing Director moans about FOI while spending double on PR”, though that would have been fabulous. Instead, I was told that the Council assumed my “focus” was on the “total cost of overall compliance with the provisions of the Act“. The reviewer said that “the actual answer to your query based upon your most recent email” was £242,280, a little under half the figure for the PR staff. The implication that somehow they only realised what my original request meant when I explained it to them bears no scrutiny at all.

If I had wanted the total cost of overall compliance with FOI, I would have asked for, I don’t know, the total cost of overall compliance with FOI. I asked about staff “working on freedom of information” – even if an estimate of the total costs of all the people who might get involved in FOI was available (an estimate I wouldn’t handle with gloves on), it was plainly not what I had asked for. If there had been any doubt about what I wanted, they could have asked for clarification at the outset, something which the reviewer begrudgingly acknowledged when I emailed them again.

There are various arsehole things I could do at this point – complain to the ICO, do a meta-request to see all of the correspondence that led to this,  dig deeper into how the additional £247,720 was calculated, or even ask how much it cost to stage this surreal crossover of weather warnings and football mascots – but I have my answer, so I am done. As is usually the case, PR is given a higher priority in Mr Ireland’s council than FOI, so I don’t care what he says about FOI and neither should you. PR is what the organisation wants to tell you; FOI is what you want to know. FOI is the law. The only other thing that I can say is that he cares so much about the expense associated with FOI, maybe Mr Ireland should ensure that his Council answers reasonable questions first time round, rather than making people ask twice. Imagine the savings.