@FOIManUK on Records management – Just Do It!

At the 2012 Information and Records Management Society (IRMS) Conference, Northumbria University academic Julie McLeod asked the audience a simple question. She asked how many of those present worked for an organisation that had articulated a vision for electronic records management. Less than 10% of the audience raised their hands.

On first sight, that’s a pretty startling statistic. The IRMS is the main industry body for records managers. If anyone could be expected to have articulated a vision for electronic records management, it was the people in that room.

But the truth is, I’m not that surprised by Julie’s experience.

Firstly, I think it’s partly to do with what Julie asked. If she’d asked whether those present had a records management policy, I suspect a much bigger proportion would have put their hands up. And many records management policies probably include a statement saying how the organisation aspires to manage electronic records. That’s a vision – but those present probably didn’t think of it as such.

But what about those who just don’t have any statement? I suspect a lot of people in that room didn’t have anything – no policy, no strategy, no vision. And I think I know why.

The people responsible for records management in a lot of organisations are nervous of getting it wrong. And all the talk of visions, strategies and programmes isn’t helping. All the competing theories and evolving attitudes are hard to keep up with. 10 years ago, public bodies were being encouraged to adopt electronic document and records management systems. Now it’s rare to hear a success story about such systems, and hardly anyone thinks they’re a good idea. How do you come up with a vision for the future operation of your organisation when the future keeps changing?

What’s more, in most organisations, the person responsible for records management may be relatively junior. Often they will be someone who was drafted into the role; it might only be part of their job.

But it is important that records management is addressed. Any business needs to manage its information. Back at the start of my career I worked for a pharmaceutical company. Our records management unit ensured that they were able to prove that they discovered their marketed drugs first – some of those records were worth billions to the business.

And it is necessary for compliance with legislation. For example, if you look at many civil monetary penalties issued by the Information Commissioner’s Office, you will find that poor records management played a part.

And public authorities of course are subject to the Freedom of Information Act. Section 46 of the Act requires the Lord Chancellor to issue a Code of Practice on the management of records. The Code of Practice was written by the National Archives and sets out the features that they expect to see in public authorities’ records management. Whilst not a statutory requirement, the Information Commissioner is unlikely to look kindly on a public authority that fails to meet its FOI obligations due to records management failings. Indeed he has been known to issue a practice recommendation to an authority insisting that they improve their records management.

So organisations – especially public sector ones – need to do something about records management. But what?

We can start by using the Code of Practice as a guide. What do the experts at the National Archives think should be in place?

And we can stop letting “the best be the enemy of the good”. Julie McLeod’s straw poll, as well as the more detailed research she was reporting on at the conference, showed that many organisations had done very little. What actually needs to happen is something. We should improve records management one step at a time. We must be pragmatic.

That’s what I’m going to attempt to do in my new course for Act Now Training on Records Management and the Section 46 Code of Practice. I’ll explain the different requirements of the Code and practical things you can do to meet them. That’s obvious. But I’ll also tell you not to panic. Don’t try to do it all at once. What are the key things you can do that will improve your records management almost overnight? You will leave with an action plan for your organisation – so you’ll instantly be ahead of 90% of those conference delegates I mentioned. The key words are “Just Do It.”

Paul Gibbons (aka FOIMan) blogs at http://www.foiman.com. He also delivers our Practical FOI course.

The Law of Employee Surveillance

Decreasing public sector budgets and increasingly affordable technology mean that more and more employers are turning to surveillance to catch errant or work-shy employees. But this area is a legal minefield. Mistakes can end up with adverse headlines in the media or, worse still, legal action. In August, West Yorkshire Fire Service was criticized in the papers when a 999 operator, who was on sick leave, found a GPS tracker planted on her car by a private detective hired by her bosses.

A public sector employer wanting to conduct lawful staff surveillance must first ask the question: which legislation applies? If the surveillance involves covert techniques or equipment, it is easy to assume that Part 2 of the Regulation of Investigatory Powers Act 2000 (“RIPA”) applies and that the surveillance must be the subject of a written authorisation by a senior officer and, in the case of a local authority employer, Magistrates’ approval. However, the Investigatory Powers Tribunal has ruled in the past that not all covert surveillance of employees is regulated by RIPA.

In C v The Police and the Secretary of State for the Home Department (14th November 2006, No: IPT/03/32/H), a former police sergeant (C), having retired in 2001, made a claim for a back injury he sustained after tripping on a carpet in a police station. He was awarded damages and an enhanced pension due to the injuries. In 2002, the police instructed a firm of private detectives to observe C to see if he was doing anything that was inconsistent with his claimed injuries. Video footage showed him mowing the lawn. C sued the police claiming that they had carried out Directed Surveillance under RIPA without an authorisation. The Tribunal first had to decide if it had jurisdiction to hear the claim. The case turned on the interpretation of the first limb of the definition of Directed Surveillance i.e. was the surveillance “for the purposes of a specific investigation or a specific operation?”

The Tribunal ruled that this was not the type of surveillance that RIPA was enacted to regulate. It made the distinction between the ordinary functions and the core functions of a public authority:

“The specific core functions and the regulatory powers which go with them are identifiable as distinct from the ordinary functions of public authorities shared by all authorities, such as the employment of staff and the making of contracts. There is no real reason why the performance of the ordinary functions of a public authority should fall within the RIPA regime, which is concerned with the regulation of certain investigatory powers, not with the regulation of employees or of suppliers and service providers.”

The Tribunal also stated that it would not be right to apply RIPA to such surveillance for a number of reasons:

  1. RIPA does not cover all public authorities, and there was no sense in police employee surveillance being conducted on a different legal footing than, for example, the Treasury, which does not have the same surveillance rights under RIPA.
  2. The Tribunal has very restrictive rules about evidence, openness and rights of appeal. The effect of these would lead to unfairness for employees of RIPA authorities when challenging their employers’ surveillance as compared to those who were employed by non RIPA authorities.

This case suggests that, even where employee surveillance is being carried out for the purpose of preventing or detecting crime, the question has to be: is it for a core function linked to one of the authority’s regulatory functions? In the local authority context this would include, amongst others, trading standards, environmental health and licensing. If the surveillance is not being done for one of these purposes it will not be Directed Surveillance and consequently will not be regulated by RIPA.

Of course just because RIPA may not apply, it does not mean that the employer can do what it likes. Whatever type of surveillance is conducted, the right to privacy, under Article 8 of the European Convention on Human Rights, protects employees within the work environment.  This means that the surveillance must be carried out in a manner that is in accordance with the law and is necessary and proportionate. There have been a number of cases where employers have been criticised by the courts for failing to take account of the human rights issues when doing surveillance of employees e.g. Copland v UK (3rd April 2007 ECHR) concerning communications surveillance and Jones v Warwick University ((2003) 3 All ER 760) concerning a claim for personal injury. Compliance with the Data Protection Act 1998 (DPA) will be evidence that the surveillance has also been done in compliance with Article 8.

All employers, be they public or private sector, have to comply with the DPA when doing surveillance, as they will be gathering and using personal information about living individuals. The Information Commissioner has published the Data Protection Employment Practices Code, which sets out rules to be followed when dealing with employees’ personal data.

Part 3 of the code covers all types of employee surveillance from video monitoring and vehicle tracking to email and Internet surveillance. Indeed those public authorities who are doing surveillance of their employees which now, in the light of the above Tribunal case, cannot be authorised under RIPA also have to pay special attention to the code. Whilst the code is not law, it can be taken into account by the Information Commissioner and the courts in deciding whether the DPA has been complied with.

One of the other main recommendations of the code is that senior management should normally authorise any covert surveillance of employees. They should satisfy themselves that there are grounds for suspecting criminal activity or equivalent malpractice. They should carry out an impact assessment and consider whether the surveillance is necessary and proportionate to what is sought to be achieved i.e. the same considerations that public sector employers subject to RIPA would have to consider when doing a RIPA authorisation. This assessment is best done in writing using a “Non-RIPA” surveillance form (Our RIPA Policy and Procedures Toolkit contains such a form).

If covert surveillance of an employee results in his/her dismissal, the matter will usually end up before the Employment Tribunal in the form of unfair dismissal proceedings. Here the Tribunal will also have to consider whether evidence has been gathered fairly and lawfully. In City And County Of Swansea v Gayle UKEAT 0501_12_1604 (16 April 2013) Swansea Council conducted covert video surveillance on the claimant, when he was for good reason suspected of playing squash during work time, whilst claiming payment for being at work at the time.  The surveillance confirmed he was seen at the sports centre on a succession of Thursdays when he should have been at work.

The Employment Tribunal upheld a claim for unfair dismissal (though awarding nil compensation, for contributory conduct) because of the Tribunal’s distaste for the employer’s use of covert surveillance. Its view was that Article 8 (right to privacy) was engaged and broken in doing so. It took account of the council’s lack of awareness of its obligations under the DPA and the Code.

These views were rejected on appeal to the Employment Appeal Tribunal. The appeal was allowed with a substituted finding that the dismissal was not unfair. The Tribunal did not accept that here there was any breach of Article 8(1) so as to require the Tribunal to consider the requirements of 8(2) at all.  If, however, the Tribunal had done so it would have been bound to consider the legitimate aim which the Council claimed to have.  Here one of two such aims might have been identified.  The first was the prevention of crime, the second the protection of the rights and freedoms of others, the “others” here being the employers whose money was at stake and who had contractual rights in agreement with the claimant that he would behave in a way in which as it happened he did not.

This is an interesting case for employers. Dismissals will not necessarily be unfair when covert surveillance is used as part of the dismissal process. Employees acting fraudulently on employer’s time cannot expect their actions to be kept private from the employer. However, employers would be well advised to tread with caution. Following the correct procedures and being mindful of their obligations under the DPA (as well as Human Rights) will inevitably put an employer in a better position.

Employee surveillance may not always engage RIPA. However data protection and human rights laws will always have to be carefully considered. In cases of surveillance of staff e-mail and internet usage Section 4 of RIPA and the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 will also need to be considered. For more on the latter please see our online training course (Email and Internet Monitoring: How to do it lawfully).

Act Now can help you get to grips with this difficult area. Please see our full program of surveillance law courses which can also be customised and delivered at your premises. If you want a quick update try our forthcoming webinars.

Listen to Ibrahim Hasan’s interview on BBC File on Four on Secrecy and Surveillance: http://www.bbc.co.uk/programmes/b03bdsyk

Data Sharing Consultation – Do we need new laws?

The Law Commission has opened a consultation on the law around sharing of personal information between public sector organisations. Law Commissioner Frances Patterson QC says:

“It could be that more data sharing would improve public services but, if that is so, we need to understand why data is not being shared.  Is there a good reason to prevent data sharing?  Or is the law an unnecessary obstacle?  Are there other reasons stopping appropriate data sharing?  These are the questions we want to answer in this consultation.”

The legalities of data sharing are a subject which often confuses public sector officials. Local authorities, in particular, are often stumped by the “To Share or Not to Share” question, even if the sharing is for very good reasons (e.g. child protection or crime prevention). In some cases, even internal departments have felt constrained from updating each other about a change of a service user’s address.

More often than not, the Data Protection Act 1998 (DPA) is made the scapegoat for officials’ failure to fully understand the law. It is wrongly perceived as a barrier to data sharing despite offering a range of justifications (e.g. consent, legal obligation, protecting vital interests etc. (Schedule 2)).

Many attempts have been made to resolve this “problem”. In May 2011, the Information Commissioner published a statutory Code of Practice on data sharing. The code explains how the DPA applies to the sharing of personal data both within and outside an organisation. It provides practical advice to the public, private and third sectors, and covers systematic data sharing arrangements as well as one off requests for information. Under Section 52 of the DPA, the code can be used as evidence in any legal proceedings and can be taken into account by the courts and the Commissioner himself when considering any issue.

Despite the clear guidance in the code, the Government has sometimes toyed with the idea of new laws. Last year, according to a story in the Guardian newspaper, proposals were to be published by the Cabinet Office minister, Francis Maude, which would make it “easier” for government and public-sector organisations to share confidential information supplied by the public:

“In May, we will publish proposals that will make data sharing easier – and, in particular, we will revisit the recommendations of the Walport-Thomas Review that would make it easier for legitimate requests for data sharing to be agreed with a view to considering their implementation,” said Maude, adding that current barriers between databases made it difficult for public sector workers to access relevant information.

“It’s clearly wrong to have social workers, doctors, dentists, Job Centres, the police all working in isolation on the same problems.”

The Guardian reported that the proposals are expected to include fast-track procedures for ministers to license the sharing of data in areas where it is currently prohibited, subject to privacy safeguards.  I could not find the proposals on the web. Anybody know whether they were ever published?

Confusion around data sharing continues to reign! The tragic case of Daniel Pelka is one example. The recent report into the four-year-old’s death, published by the independent Coventry Safeguarding Children Board identified a number of missed opportunities where professionals across a number of agencies should have done more to protect Daniel. Amongst other things, it concluded that the sharing of information and communications between all agencies was not robust enough.

Ill-informed comments about the current law (especially the DPA) do not help. In a recent Daily Telegraph article by Michael Gove, the Education Minister claimed that, whilst trying to understand the underlying causes of child exploitation, he discovered that OFSTED “was prevented by “data protection” rules, “child protection” concerns and other bewildering regulations from sharing that data with us, or even with the police.” There is nothing in the DPA which prevents this. Don’t just take my word for it. Read the Information Commissioner’s riposte to the learned Mr Gove.

Do we really need new laws on data sharing or a better awareness of the existing ones? My view is that the current law is adequate to regulate yet allow responsible data sharing. The DPA and the Data Sharing Code need to be properly understood. They can be a tool allowing responsible data sharing. Most public sector data sharing will be lawful if organisations comply with the Eight Data Protection Principles; particularly the First Principle which requires information to be processed fairly and lawfully. There are also numerous exemptions in the Act including where sharing is required for the purpose of prevention or detection of crime (section 29).

The Law Commission consultation runs until 16 December 2013 and the paper may be accessed at: http://lawcommission.justice.gov.uk/. Responses can be emailed to data.sharing@lawcommission.gsi.gov.uk or sent by post.

More Information: Read our article for a full explanation of the ICO Data Sharing Code or watch this free webinar. We also run full day Multi Agency Information Sharing workshops.

The 2013 Surveillance Commissioner Report – Key Points

The Chief Surveillance Commissioner published his 2013 annual report (covering the period from 1st April 2012 to 31st March 2013) on 18th July 2013. It is important reading for those public authorities who conduct surveillance under Part 2 of the Regulation of Investigatory Powers Act 2000 (RIPA).

The report details statistics relating to the use of Part 2 of RIPA by public authorities and information about how the Office of the Surveillance Commissioner (OSC) conducts its oversight role. Non-law enforcement agencies (including councils) authorised Directed Surveillance on 5,827 occasions. This continues a downward trend over the last few years.

The report highlights a number of important issues some of which are listed below:

  • Common errors by RIPA authorities include miscommunication or failure to communicate the details of an authorisation; failure to conduct thorough reviews, renewals or cancellations; ignorance on the part of officers; or poor administration or processes.
  • The Commissioner says that all public authorities have struggled with the use of the Internet for investigations, particularly social networking sites. At paragraph 5.7 he advises caution on conflating the offline world with the online world. There may be cases where RIPA authorisation is required when doing research about a person on the Internet. He goes on to say, “… it is important to bear in mind that it is not always possible to give a definitive answer as to whether a particular activity requires authorisation: facts are infinitely variable. Where there is doubt authorisation is prudent.” Act Now has developed a course on E-Crime and Social Networking Sites which examines all the relevant RIPA and wider legal issues.
  • Too many tactics requested by investigating officers are unused. Authorising officers and Senior Responsible Officers should monitor whether applicants are lazily requesting tactics out of habit rather than necessity.
  • Too many cancellations provide an insufficient record of surveillance actually conducted and the details of collateral intrusion. Rarely does guidance on the retention or destruction of product go beyond an inadequate reference to policy. It is vital that surveillance product that does not match the objectives stated in the authorisation is not retained on databases.
  • At paragraph 5.5, the Commissioner reiterates his view that RIPA is permissive legislation and there may be occasions where surveillance outside the scope of RIPA may be required. He points to the recent IPT decision in BA and others v Cleveland Police (IPT/11/129/CH). This is in keeping with Ibrahim Hasan’s view as explained on this blog.
  • Where there is an invasion of privacy and RIPA does not apply, due to all conditions not being met, then the Commissioner recommends use of a similar written authorisation mechanism where Article 8 issues (privacy) are considered.
  • The Commissioner also considers the changes, which took effect on  1st November 2012; namely magistrates’ approval for council surveillance and a new six month threshold test for Directed Surveillance.  On the whole they are working well. There were 142 approval requests made to a Magistrate in the reporting period of which only two were rejected.
  • Finally the Commissioner fires a shot across the bows of those authorities who drag their feet in accepting his recommendations. At paragraph 5.18 he says, “I expect the recommendations of my reports to be followed whether or not individual officers agree with them. Continued failure to do so – especially on the ground that current practices have been unchallenged in court proceedings – may result in publication of my guidance or recommendations to a wider audience.”

Now is the time to consider refresher training for RIPA investigators and authorisers. Please see our full program of RIPA Courses which have been revised to take account of all the latest developments. We can also deliver these courses at your premises, tailored to the audience. Finally, if you want to avoid reinventing the wheel, our RIPA Policy and Procedures Toolkit gives you a standard policy as well as forms (with detailed notes to assist completion) for authorising RIPA and non-RIPA surveillance. Over 200 different organisations have bought this document (available on CD as well).

At Last! A Certificated Course for Scottish FOI Practitioners

For years Scottish Freedom of Information practitioners did not have a Scottish FOI qualification that they could study for. Unlike their counterparts in England and Wales, the BCS (formerly ISEB) FOI course is not suitable as it concentrates on the Freedom of Information Act 2000.

Seeing this unmet training need, Act Now Training has now designed a new certificated course; the Practitioner Certificate in the Freedom of Information (Scotland) Act 2002. The course is endorsed by the Centre for FOI based at Dundee University.

The course is suitable for the FOISA novice as well as the experienced practitioner. The course structure is designed to thoroughly examine the law as well as the practical aspects of dealing with FOISA (and EI(S)R) requests on a day-to-day level.

Two courses were completed in the Spring/Summer season. Two more are scheduled for October and December. Thus far we have had very strong candidates from a variety of backgrounds. All have said how useful they have found the course.

If you’re considering joining the course, what can you expect? Read what the tutor has to say.

Think you know about FOISA? Have a go at the FOISA test.

Download the course flyer here
