New Certificated FOISA Course: What the Tutor Saw

Act Now runs a Practitioner Certificate in the Freedom of Information (Scotland) Act 2002 – the inaugural course has been completed, the second one is currently running, and two more are scheduled for October and December. The course is endorsed by the Centre for FOI based at Dundee university. If you’re considering joining the course, what can you expect?

I wrote the course and I deliver it in Edinburgh (or elsewhere, if you’re interested in us bring the certificate to you). The first thing you can expect is to be in expert company – this is not to blow my own trumpet, but to reflect the high quality of the candidates we’ve welcomed. On both of the Spring courses, we had very strong candidates from a variety of backgrounds. But this mustn’t put off, the FOISA novice. One of the advantages of experience fellow delegates is that you can ask questions and get information from a wide variety of people with different experiences. The course also starts right at the beginning, with a clear explanation of the FOISA nuts and bolts.

More importantly, you get a focus on practicality. If you want an academic focus on the political and philosophical implications of FOI legislation, you may be disappointed. We don’t spend time on the history, and the comparison between FOI 2000 and FOISA is drawn only when it might be helpful for delegates. This course is designed to be for practitioners – people who have to deal with a daily influx of requests, difficult and challenging applicants, and tricky decisions. We look at the Scottish Commissioner’s guidance, useful decisions, and best of all, delegates themselves share their experiences. Some of the best ideas came from those people who work on FOISA every day. Most trainers like to show off, but it’s been good to shut up sometimes and let other perspectives be heard.

One of the chief objectives of the course is to demystify areas that are sometimes shrouded in uncertainty – not every candidate is convinced that they need to know about the Environmental Information Regulations, but many seem to have gone away with the ‘is it FOISA or EI(S)R?’ question slightly higher up their list of priorities. We have also had the traditional ‘what is personal data?’ debate to good effect, despite the risk of exposing who in the room is a real information rights geek (it is usually just me!).

At the end, we have an assessment, and again, the focus is on practicality. The feedback from the first round of delegates has been very positive, and so the format will remain unchanged. Many people who return to the exam room after years working in the office find the transition tricky and the effort of hand-writing an exam exhausting, so we have tried to find an alternative to the traditional 3 hour pressure cooker. The exam is a test of knowledge – candidates have to remember facts, and apply their knowledge to three detailed, list-style questions. Few FOISA professionals benefit from being able to remember specific subsections by rote, so the focus is on providing clear, accurate answers to practical questions. After this, delegates are given projects to choose from, and in 20 working days, they have to pick a request, consider all of the options, and then deliver a full response including a refusal notice.

The aim of the course is to give practitioners confidence, to ensure that they know how FOISA and the EI(S)Rs work, and to improve their ability to do their work. However, anything involving a ‘Certificate’ inevitably comes around to the big question of getting the marks. To pass this course, candidates need at least 50% of the marks on both parts of the assessment – exam and project. The first round of results are in, and everybody passed. The exam results were solid, but all candidates came into their own with the project. Every single one was really impressive, despite our demand for absolute precision on the project side. The results may be flattered by the quality of the candidates, but by giving people the chance to go away, consult other sources and have the time to make their case, we saw superb results.

This is not an easy course – day 1 is straightforward, but days 2 and 3 are hard work, with homework after each and the prospect of an exam shortly after the final day(see the course structure ). However, all candidates seem to have enjoyed it, and more importantly, all of them have shown so far that they are practitioners of a high standard. Roll on October!

Tim Turner is the tutor for the Act Now Practitioner Certificate in FOISA. More details of the course are on our website. Please get in touch if you have any questions (info@actnow.org.uk) 

Disclosure of Staff Names in FOI Refusals

This is an FOI decision from the Information Commissioner that I have planned to blog about for some time, but have now only just got round to blogging about it.  On 11 March 2013 the ICO issued decision notice FS50468600 which involved the Department for Work and Pensions (DWP).  The content of the decision notice is not all that important until we turn to paragraphs 32-36, which are headed up as “other matters”.

In particular paragraph 35 is of note in which it states that his office experienced difficulty in actually speaking to those who were involved in the request at the DWP’s side of things.  It described the DWP’s practice of not providing telephone numbers or contact details within its responses and how this makes it very difficult for the appropriate contact to be located within the organisation.  The public authority advised the Commissioner that it did not include these details so as not to breach the privacy of the non-senior staff involved; it described the staff in question as not being in public-facing roles.

In Paragraph 36 of the decision notice the Commissioner states quite clearly that he does not agree with this approach.  The decision notice states that “if such staff are responding to requests made under the FOIA then he considers this to be a public-facing role which is unlikely to attract an expectation of privacy” (Paragraph 36).

The DWP are by no means the only public authority which has adopted similar processes in respect of FOI requests.  I can remember one time trying to get hold of a central Government department (I can’t remember exactly which one, but I have a feeling it was either the Home Office or a connected public authority) to discuss a response that had been issued by them (something that merely wasn’t very clear and, as it later transpired wasn’t in need of an internal review). However, there was no contact details provided for the individual.  I was informed that the FOI team were not public-facing and they wouldn’t speak to members of the public over the telephone.

It was very frustrating and actually resulted in a higher cost to the public authority in my case.  There was just one thing that I wasn’t clear about and I’m sure that had I been able to have a quick telephone conversation with the person who issued the decision then there would have been no need for them to conduct an internal review.  However, the Authority’s attitude and processes meant my only option to get the clarification was to request an internal review.  This will have then required a senior member of staff within the authority to review the entire handling of the request and issue a response to me; far more expensive than 5 minutes on the phone explaining something to the applicant.

Not publishing contact details for those responsible for FOI within the organisation also makes seeking advice and assistance from the public authority almost impossible.  My reading of the Act suggests to me that advice and assistance is not only something to be provided in a refusal notice, but something that should be available to prospective applicants.  I know that I’ve certainly phoned up a public authority and had a chat with them about a request before making it; as a consequence I have been able to frame my request in a way that has made it a much more efficient process for the public authority (and thereby reducing the cost to the taxpayer).  The FOI Officer, knowing the structure of their organisation and how information is generally held, was able to advise as to what information they were likely to hold and how it was likely to be held.

I tend to agree with the commissioner that anyone sending a response out to a FOI request is clearly public-facing; it might be that a particular role was not public facing pre-FOI, but in these post-FOI days anyone could, in theory, be a public-facing member of an authority’s staff.  It should be easy for applicants to contact public authorities, not least because the public authority is obliged to provide advice and assistance, but it can just save public authorities money.  It can help ensure more focused FOIs that are easier to deal with and can prevent expensive internal review requests (or perhaps even more expensive ICO investigations).(Ed – See also Ibrahim Hasan’s blog post on disclosure of staff names under FOI)

Hopefully the ICO’s criticisms of this approach in this decision notice will feed their way round any other public authorities who still adopt a practice of not giving out contact details for someone able to provide advice and assistance.

Alistair Sloan is a 4th year LLB student in Scotland, blogger (http://scotslaw.wordpress.com/about-2/) and FOI proponent. Follow him on Twitter (http://www.sloansonline.me.uk/) 

Ibrahim Hasan will be discussing this and other recent FOI decisions in the FOI Update workshop  on 3^rd June 2012 in London.

Do you want an international recognised qualification in FOI?

The ISEB Certificate in Freedom of Information  starts in Manchester and London in June.

ICO 2013 Conference Review

Roger Bescoby reviews the recent ICO conference…

I was on my travels last week and on Tuesday (5^th May 2013) found myself at the ICO Data Protection Officers’ Conference  in Manchester. Over 800 people present and about 300 ‘waiting outside the door’ as they say. It was, and always is, massively oversubscribed. It is the main event in the ICO calendar and a fantastic opportunity to get a feel for the way the regulators are thinking. Well worth getting on the guest list.

This is the third year I have attended this Conference and once again I found myself pretty much the only representative from the insurance investigation sector. Can you believe that??  Here we are, post Leveson, NOTW and with worrying EU Regulation on privacy coming out of our ears – and only Brownsword Group there from the entire industry. Does that make us ‘anoraks’ or supremely responsible chaps??  Answers on a post card…

I picked up on two main points that I would like to share with you all:

Europe?  You Never Had It So Good…

There are some massive EU reforms on the way in the form of new European Regulation on Data Privacy. By 2016 it’s looking like we are going to be regulated centrally by Brussels on DP. ‘Fine’ you may say, but when you consider the vastly differing attitudes towards Data Protection by the 27 Member States, and that the UK currently has a considerably more liberal attitude than most, it’s time to look at what might be coming our way.  The explosion in social media is being blamed for the need for tougher regulations – an observation difficult to argue with.

You may remember I highlighted last year that current proposals in Brussels suggest that personal data can only be shared if it falls into one of the new proposed exemptions. Sharing of data by insurers for the purposes of fraud prevention is NOT currently listed amongst the exemptions. This seems to be a glaring omission and now evidently an oversight.  The Association of British Insurers (ABI) and the Financial Services Authority (FSA), amongst others, have been lobbying hard on this very point and seem to have now made some headway. The issue is currently now under review by no less that 5 COMMITTEES in Brussels, all presumably deliberating on what has to be the most obvious decision they will ever have to make – but remember – this is the EU Parliament we are talking about!

During the mass Q&A in the afternoon, Assistant Commissioner David Smith answered a question put by a delegate in a grey suit and Salford accent, on the very point. He admitted that there were several points within the current EU proposals with which the ICO had issues and that this was a typical example. He went on to say that he felt confident that data sharing would always be justified if it was being done for the purposes of the ‘legitimate interests’ and for the ‘prevention and detection of crime’ and that he had not seen anything in the new proposals that changed that.

So, on the face of it, good news but it really is worth keeping an eye on the EU proposals. Wouldn’t we all feel happier if the insurance fraud world was specifically recognised by way of an exemption?

And what does the EU think of secret filming? If the UK were forced to adopt even some of the tough regulations on covert surveillance that exist across much of mainland Europe we would see the biggest upheaval in recent history in our sector. I detected an insatiable appetite from the regulators on the issue of ‘consent’ to processing. The nightmare scenario of having to say to a surveillance subject,  “Hi Mr Smith, is it OK if I film you next Tuesday in relation to your claim?” may not be as farcical as it seems. I kid you not!

I also heard one opinion from a senior ICO official that he favoured following the RIPA example, that of seeking Magistrates’ approval if you wish to put somebody under surveillance in non Public Authority scenarios…you have been warned! (Certainly some form of written authorisation for non-RIPA surveillance is favoured by the Office of Surveillance Commissioners and others – Ed)

‘Unmanned’ Surveillance – Too Risky??

There were two excellent breakout sessions at the conference dealing specifically with surveillance.  The way covert video evidence was captured, and in particular the justification for filming individuals, was discussed at length. The point was made most emphatically by the ICO officials that they would only condone the covert processing of personal data (i.e. filming) if it was evidently targeted upon the data subject, and of course that the intrusion could be justified.

They then made the further point that such covert data processing must be discriminate and that every attempt must be made to avoid the inadvertent capture of footage of ‘un-connected’ individuals. They went on to say that whilst some ‘collateral intrusion’ was inevitable, the installation of static unmanned covert cameras, vehicle based or otherwise, was absolutely  ‘unfair and excessive processing’ and breached basic DPA principles.

I know that some surveillance companies out there openly recommend and market such tactics – suffice to say it is not a route The Brownsword Group will be going down. The thought of maybe two dozen ‘friends and neighbours’ of a legitimate surveillance target bringing privacy actions against our client is a risk we will not be taking – and that’s before the ICO themselves come down like a ton of bricks.

And Finally – Something Else……..The FSA and a ‘Thematic Review’ of the Use Of Private Investigators

I can advise that the FSA Conduct Business Unit have embarked upon what they are calling a ‘Thematic Review’.   They are “seeking information from  firms about the controls, oversight and due diligence procedures operated by insurance companies regarding the use of private investigators.”

I understand that specific attention is being paid to TCF, the payment of any inducements or incentives, the frequency and success of investigator involvement and also whether the 2007 ABI Guidelines are being adhered to. It is not surveillance specific.

Insurers can expect a visit in the coming months. Brownsword Group have written to the FSA offering help, assistance and guidance in the production of the review, hopefully providing a view from the ethical  investigator’s side of the fence.

It is likely that at this stage the FSA will have little first hand knowledge of the vital working relationships that exist between Insurers and investigators. This, and in the light of current suspicious attitudes from certain regulators towards the investigation sector, may suggest that a degree of education may be necessary from insurers and investigators alike.

Hopefully, in the fullness of time, the FSA will interact with us on this and we will be able to explain the value of the investigators support role to the insurance sector.

I hope you found the above of interest, comments and questions welcomed.

Roger J Bescoby is Director of Strategic Development at the Brownsword Group. Visit www.brownsword.com & www.talk-safe.co.uk

Data Protection Update workshop – Analysis of the latest DPA cases, developments and news from the ICO. Our next workshops are in Manchester on the 28th May and in London on the 31st May.

Doing BCS (ISEB) Courses? Top Tips from a Successful Candidate

I have been asked to write a blog on what I had learned from recently taking – and thankfully passing – the ISEB/BCS courses in FOIA and DPA. Maybe I internalised the legislation too much, but for some reason I could only think of addressing it in terms of 8 principles:

1. Start from scratch

Whilst you may have a lot of knowledge and experience in FOI/DPA, try and go back to square one and approach the Acts like new legislation. You may find that, due to the demands of your sector and your role, you know different areas of the relevant Act much better than others. The syllabus leans towards no sector in particular so picking up the legislation again and starting from scratch can really help. Some of the areas I knew least about at the start of the course became the basis of my strongest essay answers.

2. The pen is mightier hard to write with than the keyboard

Writing legibly is one thing. Writing legibly for three hours is a whole different matter. If like me, you are so used to rattling away on a keyboard that you get cramp scrawling a shopping list, then it is time to do some training a good few weeks before your course starts. Start by trying to write a few pages of longhand, even if it is just copying some text. It is worth the effort. Investing in a couple of decent pens really helped my writing, which has never been the neatest.

3. Do your homework!

…as my mum used to shout! This is tough. You may feel inspired by the session and then find yourself back in a hectic day job, and suddenly training day comes round again. Try and find time for it, either over lunch at work or blocking time in the evenings. I knew people who wrote essays perfectly well on the tube – I don’t know how! The homework essay questions are essential to get back into that mode of constructing an argument and recalling facts. Avoid the ‘I did the essay in bullet points’ approach; presenting the argument in paragraphs and prose is as much part of the exercise as knowing the key points. It helps with principle 2 aswell.

4. Expand your mind

Many of us will make use of the ICO’s website or the JISC lists to pick up the latest information. For your exam and for your overall working knowledge it is really worth doing some ‘wider reading’. For matters FOI/DPA there is luckily a thriving blogosphere and twitterati (is that even a word?) to follow the latest developments. This is especially important for the DPA ISEB, where knowledge of the case law is vital. I found the following really useful (in no particular order) – there are many more:

Act Now Training http://www.actnow.org.uk/

Information Rights and Wrongs http://informationrightsandwrongs.com/

FOI Man http://www.foiman.com/

2040Information Law Blog http://2040infolawblog.com/

Panopticon http://www.panopticonblog.com/

Amberhawk http://amberhawk.typepad.com/amberhawk/

Data Protector http://dataprotector.blogspot.co.uk/

David Higgerson http://davidhiggerson.wordpress.com/

whatdotheyknow.com https://www.whatdotheyknow.com/

Campaign for Freedom of Information http://www.cfoi.org.uk/

5. Enjoy the group

In both the DPA and FOI ISEBs, I have been really lucky to be in with a friendly and supportive group of co-students. The benefits of this go way beyond the practicalities of preparing for the exam. It is re-assuring to meet others who have faced the same challenges and problems. They may have tried different approaches to policy or procedural questions. Chat to the person next to you!

6. Don’t mock it

The mock exam is one of the most important parts of the whole course and invaluable in preparing you for the big day. You can do an essay question for homework under exam conditions but it won’t prepare you for starting the same question with only half an hour left on the clock and 25 pages of writing behind you. Treat it as much as possible like a real exam. Even going through the basics in the mock helped (e.g. how to fill out the multiple choice paper). It means that on the exam proper you can focus your stress on the questions themselves. I also learnt that eating an entire packet of mints in 3 hours would not necessarily enhance my exam performance.

7. Revise!

Forget DVD box sets or the football on TV for a few weeks – you have to make the revision count. Go for everything you can fit in: practice questions, podcasts, online seminars. I personally had a lot of difficulty with the Section B ‘bullet point’ questions, which rely on memorising information (e.g. the headings of the FOIA s45 Code of Practice). I found refuge in the humble index card to get the basics down and had friends or family test me. Make the time for yourself – you will reap the benefit come the exam.

8. Treat it as more than just a certificate

Education is becoming increasingly seen as a commodity, something you pay for and get a return from. Fair enough, the ISEB works like this. Work hard and get your certificate. And yet, like all education it does so much more than that. It fills you with ideas to take back to your workplace, makes you think about where you can take your new-found or rediscovered study skills (more part-time education or qualifications?) and develops contacts and networks with other practitioners.

Good luck!

Kit Good is University Records Manager and FOI Officer at the University of London. He has successfully completed both BCS (ISEB) courses with Act Now. Follow Kit on Twitter: @kit_urm and read his blog: http://allabouttherecords.blogspot.com/

Our next BCS (ISEB) courses start in June.  Delegates can now make use of our online resources page  with exclusive access to guidance notes, quizzes and over four hours of videos.

More advice about BCS ISEB and how to pass here:

http://actnowtraining.wordpress.com/2012/05/23/do-you-want-to-be-certified/

http://actnowtraining.wordpress.com/2012/01/31/how-to-pass-the-iseb-certificate/

The £200 taxi and the 4 inch fish.

It was December. I’d spent a day training in Edinburgh and the following day was doing a morning in Reading. Bad planning I know but all I had to do was take a train from Edinburgh to London then on to Reading and I’d make the hotel in time for a pizza and a beer. I’d booked in advance and found a first class advance ticket from Edi to Lon for just £31. I was looking forward to a pleasant journey and maybe a quality snack or two.

Things started badly. There was flooding in the air. I know it’s usually on the ground but we live in interesting times.

The booked train was cancelled. I took the following one and settled down to a slightly delayed journey but ultimately a stuffed crust and a kronenbourg. Then we arrived at Darlington. The floods meant that we had to sit still for 3 hours. It wasn’t much fun. The relief train crew from Newcastle, contrary to all expectations, had forgotten to load the pies so first class refreshments were down to cans of speckled hen and Dolmen peanuts. They were free which did ease the pain.

Further delays as we were re routed meant a very late arrival in London. As the clock ticked round to midnight I started to get worried. Tubes would stop; most busses would stop; I suppose there would be taxis but would Paddington be open this late…

Out of the blue at 0115 in the morning as we crawled though north London an announcement came over the tannoy. “Passengers needing assistance for their onward journey should contact East Coast staff at Kings Cross who would help with taxis.”

Wow…

I walked through the train to get to coach M so I was first off and strode boldly up to an East Coastie.

“Where are you going to sir?”

“Reading”

“Follow me sir”

Minutes later I was in a large taxi with 5 other fellow travellers sliding westwards through slick rain covered streets. My companions were  going to Ealing, Heathrow and other points west but I was the Marathon man so I snickered silently to myself.

Eventually at 3am we arrived at my hotel. For the last 30 minutes I chatted to the driver and he set out a wonderful life enjoyed by London mini cab drivers on the evenings when trains were delayed. They knew from experience and watching the media when the pickings would be rich. When they arrived at the terminus they would have no idea where they would end up but they knew it was a large guaranteed fare.

My driver said he’d done Kings Cross to Portsmouth; Victoria to Leeds, Kings Cross to Bath. The best nights were when Eurostar was delayed. He’d once has a trip to Edinburgh from St Pancras. He didn’t tell me the exact meter reading but the phrase “Four figures guv” said a lot. Some weeks in the winter he did two or three nights like this.

It had been a full train due to the earlier cancellations. There had been standing in first class. I estimated several hundred grumpy and tired passengers had disembarked at Kings Cross and been squeezed in to taxis to finish their journeys. Even with 5 in a taxi at least 100 taxis had been used on that train at £200 a taxi. I wonder how much that cost?

They also refunded the cost of the ticket as it was waaaaaaaaay over their expected arrival. I expect the other several hundred passengers had theirs refunded as well.

Contrast that with the 1703 north from Kings Cross on an equally cold and wet day in February. I’d done another day’s training and was looking forward to my first class offering. (Senior rail card otherwise I’d be in second err…standard class).

The complimentary glass of alcohol. OK. The complimentary peanuts. OK. The hot dish was a disappointment. Fish & Chips. Nonetheless I ordered it.

What a disaster. When it arrived 5 minutes later as we crawled past Finsbury Park there it was on a small plate in front of me.

A four inch fish  and with 6 square cut chips beautifully arranged three on top of three others. I looked at it for too long before eating as the waiter asked if I was alright.

“A bit small isn’t it?”

“You can have another afterwards if you want Sir, we’re not busy today”

I declined. There was cheese & biscuits to follow or so I thought.

Wrong. Like the Filet ‘o’ Fish I had just eaten it was a load of pollocks.

“Cheese is on the 1733 Sir”

So there you have it. Phenomenal customer service on a late running train at enormous expense. Very poor first class food on the 1703. Who decides how this train company spends its money? Whose money is it anyway? Would an FOI request elicit this information? If it was a public body we could find out.

Hang on a minute….

 

Trainer under Surveillance! – RIPA required or even obtainable?

About 5pm I arrive at a small hotel ready to deliver training the next day. There is no car park at the hotel so I park on the large pay and display opposite. I check the charges, and buy the minimum – one hour, while I go into the hotel to check-in and see about parking for the night. As I buy the ticket from the machine I hear the CCTV camera above as it moves like something from War of the Worlds, scanning the car park.

The receptionist is very helpful, and asks if I have parked on the pay and display car park. She goes on to say that unfortunately there is no car park at the hotel, but 6pm until 8am is only £2.50 pay and display. But beware, she says, you must be sure to have moved your car before 8am or paid more for the day rate, since during the night a council employee drives around this and other similar car parks, checking parking tickets displayed and recording vehicle registration numbers and the make and model, and exactly where they are parked. Then, during the morning the CCTV cameras are manned and used to check if each car has moved or if anyone has bought a day ticket. If not, a fine is posted to the address of the registered keeper. She knew this because of reports from previous customers who had been caught out by only a few minutes.

What do you think about this type of activity? Good use of resources? Is it directed surveillance that would require a RIPA if it met the recently introduced crime threshold. – Small wonder some generally law abiding citizens are even opposed to overt surveillance when we hear the purpose it is adapted to pursue

Don’t want the police and other public protection services to watch you because they care!

As I get older I make Victor Meldrew seem like a party animal. I object to anyone knowing anything about me, and I get very aggressive when I realise someone or some organisation who I have never communicated with knows something about me.

I hear lots of people ranting about the police or others that protect us from harm, breaching our right to privacy as they try to counter ever-more devious and resourceful individuals who would do us harm or cause us some loss. I deliver open source internet courses, and delegates learn how to find what others put about themselves or their family and friends on Facebook, or organisations and blogs and forums that provide contact and other information about those who contribute. This is scary enough for delegates who attend the courses and realise how vulnerable they are by virtue of what is posted publicly on the internet or uploaded in pictures they display to all and sundry.

But there is a far more sinister threat to our right to privacy than these public web pages and the on-line hackers and scammers. Every click, every place visited, and everything we do is recorded, analysed, and disseminated between the internet service providers, search engines such as Google, and other interested parties. This data is sold and re-sold, and used and re-used. Each of us on the internet is generating data and therefore income for businesses monitoring our activity for financial gain, and targeting our ‘type’ for some particular purpose.

Add to this the technical vulnerabilities that no one seems bothered to address. The ‘savvy’ users work hard on ensuring their privacy settings on social networking sites such as Facebook only ensure those allowed can see their private information, and details of friends and family etc. Then they use their device on public WiFi networks drinking coffee or eating a burger, smug that their accounts are actively communicating with others but they are too clever to let fraudsters see their information. However, there is at least one freely available add-on that can be downloaded legitimately, and the user can connect to the same coffee or burger shop WiFi network, and using the add-on, identify every single user account on devices connected to the WiFi network, and then focus on a particular account and see as much as the account user can – username, private messages – everything public and hidden by privacy settings. So as we walk blindly into a surveillance society with our data available to so many, either through the internet, or our own activity, or the techniques and equipment, surely, supported by checks and balances, public protection bodies should be allowed to at least catch up with the rest!

Come along to one of the internet research courses and see just what information is available and how to find it. And discuss these issues and many others with Steve Morris the trainer.

This article was written by Steve Morris who was formerly a detective with the West Midlands Police Force. Steve is now a full time trainer in relation to various law enforcement and investigation subjects to the public and private sector.

Disclosure of Staff Names under FOI

When considering request for information under the Freedom of Information Act 2000(FOI) public authorities often face a dilemma about disclosing names of staff.

Names are generally considered to be personal data, being information relating to living identifiable individuals (as defined by the Data Protection Act 1998 (DPA)). (Although one Information Tribunal (as it was known then) decision, Harcup v Information Commissioner and Yorkshire Forward (EA/2007/0058), ruled they are not. (See episode 11 of my FOI Podcasts for a full discussion of this decision). Therefore the exemption under section 40(2) (third party personal data) will have to be considered.

For this exemption to be engaged a public authority must show that disclosure of the name(s) would breach one of theData Protection Principles. Most cases in this area focus on First Principle and so public authorities have to ask, would disclosure be fair and lawful? They also have to justify the disclosure by reference to one of the conditions in Schedule 2 of the DPA (as well as Schedule 3  in the case of sensitive personal data). In the absence of consent, most authorities end up considering whether disclosure is necessary for the applicant to pursue a legitimate interest and, even if it is, whether the disclosure is unwarranted due to the harm caused to the subject(s) (condition 6 of Schedule 2)?

The seniority of the staff, whose names are being requested, will of course be a key factor in deciding whether disclosure is fair. The first Information Tribunal decision on this issue, back in 2007, (Ministry of Defence v Information Commissioner and Rob Evans (EA/2006/0027)) concerned a request made by a journalist for a staff directory which included the names and contact details of individuals working for the Defence Exports Services Organisation. The MoD refused to disclose the information citing, amongst others, the exemption under section 40(2).

The Tribunal ruled that that the MoD could only withhold names of staff if they are particularly junior (below Civil Service B2 Level), not immediately responsible for the requested information and their name is not already available elsewhere (or would be expected to be through their performing a public-facing duty); or there is a clear and demonstrable threat to that individual’s health and safety if their name is made public.

As is clear from the MoD decision, seniority is just one factor to be taken into account. Public authorities should avoid the blanket non-disclosure of the names of all officers below a certain level of seniority. When it comes to the disclosure of names, what matters is what work the individuals are doing, rather than their seniority or grade. If a person is in a front facing role and his/her name is already in the public domain, then it will be difficult to withhold it.

In 2008 another Tribunal decision (The Department for Business, Enterprise and Regulatory Reform v Information Commissioner and Friend of the Earth (EA/2007/0072) examined whether names of private sector employees attending a meeting should be disclosed as well as those of civil servants. The request was for information about meetings and correspondence between Ministers and senior civil servants in the Department of Business, Enterprise and Regulatory Reform and employees from the Confederation of British Industry. Some of the documents relevant to the request included references to individuals who had attended such meetings as spokespersons or as note takers or bystanders. The Tribunal summarised the position as follows:

a. Senior officials of both the government department and lobbyist attending meetings and communicating with each other can have no expectation of privacy. The officials to whom this principle applies should not be restricted to the senior spokesperson for the organisation. It should also relate to any spokesperson.

b. Recorded comments attributed to such officials at meetings should similarly carry no expectation of privacy.

d. In contrast junior officials, who are not spokespersons for their organisations or merely attend meetings as observers or stand-ins for more senior officials, do have an expectation of privacy. This means that there may be circumstances where junior officials who act as spokespersons for their organisations are unable to rely on an expectation of privacy;

e. The question as to whether a person is acting in a senior or junior capacity or as a spokesperson is one to be determined on the facts of each case.

f. The extent of the disclosure of additional information in relation to a named official will be subject to usual test i.e. is disclosure necessary for the applicant to pursue a legitimate interest, and, even if it is, is the disclosure unwarranted due to the harm caused to the individuals by disclosure? This will largely depend on whether the additional information relates to the person’s business or professional capacity or is of a personal nature unrelated to business.

In January 2011, the First Tier Tribunal (Information Rights) considered disclosure of names in Dun v IC and National Audit Office (EA/2010/0060). The disputed information concerned the NAO’s enquiry into the FCO’s handling of employee grievances of a whistleblowing variety. The Tribunal was clear that no blanket policy should apply, and that fairness depends on the particular responsibilities and information with which the case is concerned. This decision is discussed in detail in episode 21 of my FOI Podcasts.

Where there is a risk to staff safety if their names are disclosed, then the public authority will be right to err on the side of caution. In Wild v IC and Chief Constable of Hampshire Constabulary (EA/2010/0132) the Appellant requested the dates of pre-hunt meetings in the last five years and the names of police officers attending pre-hunt meetings with organisers of the Isle of Wight Hunt. The Police responded, providing dates, but refusing to disclose the names of the officers in attendance.

The Commissioner considered the section 40(2) exemption and concluded that the disclosure would result in a breach of the First Data Protection principle.  He accepted that the disclosure may lead to the harassment of the officers identified and consequently the disclosure would be unfair to those officers. The Tribunal upheld the Commissioner’s decision.

Don’t forget condition 6 of schedule 2 of the DPA. A public authority will have to consider whether disclosure of a name is necessary for the applicant to pursue a legitimate interest, and, even if it is, whether the disclosure is unwarranted due to the harm caused to the individual by the disclosure.

A more recent Tribunal decision (January 2013), McFerran v IC (EA/2012/0030) involved a police search of a property owned by Shropshire County Council. At the police’s request, two junior council officers were present, but they had not been involved in any of the decision-making. The requester wanted the names of the council officers as well as their immediate superior. The council refused, relying on s. 40(2).

The Commissioner ordered disclosure of the name of the more senior officer, but not of the two juniors. The Tribunal agreed with this decision and dismissed the requester’s appeal, observing that:

“although… there is clearly a legitimate public interest in transparency of activity by public authorities, which impinges on the personal freedom of householders, there is insufficient information provided to add significant weight to the general public interest in transparency in public affairs. The Appellant has not satisfied us, either, that his attempts to have the matter investigated are being thwarted by the absence of the names of the individuals in question. If there is sufficient information about the event to interest those responsible for an investigation the absence of names will not deter them.”

This decision illustrates that, when it comes to junior officials, the requestor will have to show that there is legitimate interest in knowing the names of officers where they are junior. A general argument about openness and transparency will not suffice.

In Armit v IC and Home Office (EA/2012/0041) the UKBA redacted the names of the officials in a document entitled ‘Tourist Selection Indicators and Selection Techniques’ which fell within the scope of the request. The Tribunal agreed with this approach, taking account of the requester’s failure to identify a legitimate interest in public disclosure of the names of those officials:

“We do not accept the argument that the officials would not have expected their names within the document to be made public and were not given compelling evidence of this. We were given no information as to their specific grading but they were described in the document as ‘lead contributer’ and ‘lead postholder’. They clearly have some responsibility in relation to the work.  We were given no compelling evidence that disclosing their names would result in victimisation, insult or any form of danger.  However, we do accept that the officials would prefer not to have their names identified and that might in itself represent a certain right and freedom or legitimate interests in itself. In any event, to process personal data, it needs to be necessary to pursue the purposes of legitimate interests pursued by others.  In this case, we do not find that the Appellant has shown any legitimate interest in the names of the officials being disclosed to the public under FOIA. We conclude that the information is therefore exempt from disclosure.”

Another recent Tribunal decision on the disclosure of names is Roberts v IC and Dyfed Powys Police Authority (EA/2012/0032).

The issue of disclosure of names pursuant to an FOI request is a difficult one. As can be seen from this discussion of Tribunal decisions, a number of different factors have to be weighed in the balance. A blanket approach will not work.

Whilst on the subject of names, does an FOI requestor have to give his/her real name? Read the answer here  as well as a really bad joke!

Ibrahim Hasan will be discussing this and other recent FOI decisions in the FOI Update workshop  on 13^th March 2013.

Do you want an international recognised qualification in FOI?                           The ISEB Certificate in Freedom of Information  starts in Birmingham on 26^th March 2013.