An informed view
As local authorities and other public bodies continue to grapple with freedom of information and data protection, Philip Hoult speaks to Deputy Information Commissioner (and former local government lawyer) Graham Smith about monetary penalties, vexatious litigants, spending cuts and the inexorable rise of requests for information.
What do you think are the main trends in data protection and freedom of information for local authorities and other public bodies?
It is clear that the public have got an appetite for access to information and exercise of their own information rights in a way which is just growing all the time. So public expectations about access to information are increasing. I think it’s fair to say that public authorities, including local authorities, are responding on the whole very positively to that demands although I recognise that there are some burdens associated with compliance.
The key issues which people are most aware of on the data protection side are around information security – keeping information safe in the light of the various security breaches which have been well publicised over the years. I think public authorities and public officials are very conscious now of the risks of security breaches and the need to avoid them, which is positive.
On the freedom of information side, we are seeing – and this has been galvanised by the government’s transparency agenda and, for local authorities particularly, the initiatives of the Secretary of State and the DCLG – a move to get more information published proactively. Of course this was something which the Freedom of Information Act 2000 always provided for, and that the ICO has been advocating really since FOI first came onto the statute book.
That really is the best way to ensure transparency, to not only comply with FOI but to avoid having to deal with numerous similar requests. Councils can say the information is already out there, and point people in the direction where they can find it.
I also think we have seen huge progress over the last ten years with the quality and content of local authority websites, in that the information which is available on the internet is very extensive indeed and tends to get better and better organised. Of course people’s access to the internet is improving all the time, although one does have to be aware of social exclusion issues, where there are some sectors of society who are unable or unwilling to access information via the internet.
You mentioned that the performance of local authorities is improving. Is there a great deal of variation between individual authorities where some are top performers and others are lagging behind?
Overall the general direction is very positive. Local authorities have always been subject to some kind of transparency regime, primarily through access to council and committee meetings and the access to background documents regime. So there has been a form of transparency.
Even so, FOI was somewhat counter cultural for some authorities – it reaches some of the more sensitive and political parts of local authority activity which previous transparency regimes hadn’t reached. But there has been a more positive response and councillors and officers are getting used to FOI and understanding what it means.
I hope they are seeing the positive benefits of greater transparency and the release of information to the public. But, also, if the bottom line is simply understanding legal requirements, then at that level too we are seeing better compliance.
It is fair to say that we very rarely come across any instance now of public authorities deliberately trying to avoid compliance with FOI, or resisting openness. Where we receive complaints and we are persuading local authorities to disclose more information or requiring them to disclose it in a decision notice, usually the local authority has acted in good faith and possibly out of ignorance. They are usually trying to comply with the law and to balance competing demands, very often where there are third parties such as developers or other private individuals involved.
Are delays still a big problem? The ICO has ‘named and shamed’ several organisations in a list of those organisations whose performance it would monitor. Has that paid off?
Delay is really the biggest single issue still, although I think we are seeing some improvements there.
We are coming to the end of the monitoring period now and we will soon be publishing the results of that exercise. But on the whole there has been a very positive response and all public authorities, including local authorities, have certainly raised their game in terms of complying.
In many cases we are going to be happy to sign them off from the monitoring with a clean bill of health. There will be other public authorities, including some more local authorities (who I’m not able to name at this stage), that will be coming on to our monitoring list because we have had evidence of their failure to comply consistently with the time limits.
How do local authorities compare with other bodies? Is there a difference in attitude or approach to, say, NHS Trusts?
I don’t think we can say there is a difference sector by sector. It’s very much a patchy picture. It may come down to the individual authority but we are always aware that we tend to see authorities which are complained about and the complaints are initiated by disgruntled requesters. We therefore don’t necessarily have a full picture of how the performance of an individual authority sits within the whole context of public authority performance.
The law requires people to be put on notice of the complaints channel to us. It’s a free complaints channel and we’re accessible – whether on the phone, by email or through our website – so I would hope that people who are dissatisfied feel able to go the next step and complain to us.
One thing we have increasingly seen is evidence of the internal review process being effective. There are often better quality decisions made at that stage, with more information being released or with much better, clearer and well thought out reasons for refusal being given.
So that is an important stage of the process. As with any complaints procedure, it is better if things are sorted out locally and I feel that is particularly the case where you have a local authority which wants to maintain a good relationship with its citizens and good standing within the community. If they can be seen to get it right without the intervention of a regulator like the ICO, then that has to be better for them.
In terms of attitudes to FOI, do you think all authorities have fully embraced the culture of openness in the Act?
If there is a view that disclosure of information is going to cause problems (of whatever nature), then almost inevitably what sometimes emerges is an approach of what I would call minimum compliance. And the law provides for that – it is really why we are here, as a check and balance in that system.
I know from my own experience of working with local authorities that there are very different attitudes which prevail. It can either be an authority-wide cultural issue, it can be a department by department issue, or it can be driven by certain strong individuals within a particular authority or department who have an impact on the culture, and openness and transparency tends to be an aspect of the culture of any organisation.
The legal framework for FOI is helpful in that it does provide a bottom line of legal compliance. But it is also very positive that the transparency agenda, which we are seeing rolled out at the moment, takes things to a higher level. It is a very positive sign that the agenda now is being driven politically and not just by legislation.
One obvious issue is the cost of the regime. On Local Government Lawyer, we have written about a UCL report which suggested that in 2009 there was a 39% rise in requests. It is easy to imagine that the figures for 2010 will be higher still. What’s your take on that?
Clearly in some ways that is a good thing, but we are all aware of the financial pressures that local authorities and other public bodies are under.
The exponential rise in FOI requests and the commensurate rise in complaints to us are a positive thing in terms of the appetite for information but it can provide and impose burdens on local authorities. We are still going through a phase where public authorities are rising to that demand. The transparency agenda, where organisations push more information out proactively, has to be one way of keeping the cost of compliance down and anticipating the demand.
But it is true to say that there is a resource implication in handling FOI requests. That proportionately reduces as people become more experienced in handling requests. You get more standard responses to requests.
It also helps that we have built up – and we are still building up – a body of jurisprudence on FOI, from the courts, from the tribunal and from the Information Commissioner’s Office as well. So there are reference points now where local authorities’ FOI officers can see how similar cases have been dealt with in the past. That should enable people to deal with requests a lot more quickly in future.
There will always be difficult requests that arise and I appreciate that it is not just the handling of the request in terms of giving an answer. Sometimes it is also a case of handling the fallout and the internal communication that is necessary within the organisation, where things have to be explained to chief officers and politicians because an issue is going to hit the press.
I understand that, but I do think that giving out information is a key part of what local authorities are there to do. It is a key aspect of service delivery and serving the community. It is difficult to avoid some kind of resource implication, but I also think it is an area where people are able to get more efficient.
Clearly all services are at risk of cuts as local authorities set their budgets. Do you fear that resources within authorities to deal with these issues will be “salami-sliced” or even come off worse than other areas?
The front line, back office distinction is invidious in many ways. I would say that – particularly for an organisation like a local authority serving a local community – provision of information is a front line service rather than a back office function.
But, of course, the ability of organisations to respond to FOI and subject access requests [and to meet their data protection responsibilities] is bound to be affected by the spending cuts. The cuts are of such magnitude that it would be naïve to say that they will not affect information rights.
Our concern is that there might be a loss of expertise and experience. This would be a false economy because the bottom line is that these are legal requirements which have to be complied with. Any disappointed requester has an avenue of complaint to the ICO.
So if you don’t handle a request well or efficiently, you will end up incurring more costs than if you had done it properly in the first place?
Exactly. Those arguments I know will be made for a number of different service areas. I’m sure there will be many arguments put forward along the lines that, say, front line social services should be given priority over dealing with FOI requests and subject access requests.
I don’t actually think it is comparing like with like, but I do understand the pressures local authority budgets are under. Nevertheless, I think that if they can get it right first time, then that will be the cheapest and most efficient way of complying with the legal duties that the Act imposes.
What can be done about vexatious complainants? FOI officers suggest this is a real issue.
Now that we have got a body of five or six years’ experience, I’d urge local authorities to be more courageous in the use of the vexatious request provisions. We do sometimes see cases where these provisions are invoked too readily and inappropriately, but on the whole we are able to support local authorities which invoke them. Very often we find ourselves looking at a case and thinking, why on earth haven’t they done this a few years earlier.
We have also got, I think, a 100% track record in the tribunal in those cases in which the ICO has backed a public authority in treating a request as vexatious. We can all have greater confidence now in recognising and handling vexatious requests than perhaps we could have had around five years ago.
There are some very helpful judgements from the tribunal, many of which are actually about local authorities and persistent complainants. They recognise that you just have to draw a line under things and that can mean putting an end to the exercise of information rights on this particular topic which somebody’s been banging on about for years.
What causes more difficulties is when I hear people in local authorities saying that they are upset by journalists using the Act.
That was one of the issues that the UCL survey picked up on, that somehow journalists’ use of the Act was an abuse of the spirit of helping local communities.
Yes, I fail to see that. Certainly from our experience, the cases that we tend to see are where journalists are pursuing issues of public interest and are probably asking the sorts of questions which an informed public would ask if they had the wherewithal. I don’t think that’s a fruitful avenue for criticism of FOI personally.
What is the ICO’s view of the government reforms in the Protection of Freedoms Bill?
In terms of the extension of FOI, we welcome that however modest it might appear to be at the moment. In relation to the other provisions, I think they need further kind of scrutiny and careful consideration.
On the whole our response is positive, but as ever with these things the devil is in the detail. It is a very significant Bill; it covers a number of areas which touch on information rights and the ICO’s business. The indication is that it may well take up to a year to work its way through Parliament. I think that in itself is indicative of the fact that there are a number of issues which need careful consideration.
What is your take on the fixed term for the ICO?
That is really a matter for Parliament. The Commissioner is appointed by the Queen and it is a matter for MPs rather than us. We welcome the measures which enhance the Commissioner’s independence and we can certainly recognise the benefits of the single fixed term of office, rather than a renewable term.
Would you have liked the FOI regime to have been extended to other organisations such as housing associations, utilities and the likes of Network Rail?
Our line is that this is also a matter for Parliament. But it is an interesting mix of organisations and there might be some legitimate questions to ask about as to why bodies like housing associations are not included. They are large public sector providers and it is a bit odd they are not included. In Northern Ireland housing associations are included in the act by virtue of the fact that they are under the direct control of a public authority under a different constitutional arrangement.
Are you comfortable with the ICO’s own resources? There was an issue of a backlog of cases a while ago – is there a risk that this could return?
We have done a lot to tackle the backlog and we are continuing to make further progress in dealing with cases more expeditiously. We are, of course, subject to spending cuts in the same way as any other funded organisation and we are trying to deal with those as best we can without there being an impact on our service delivery. What is inevitably going to be difficult for us is if FOI complaints to us continue to rise in the way that they have done over recent years, and our resources are drastically cut.
Last year we were able to close significantly more cases than we received, and I think we are just about managing to maintain closure rates at the same level this year. But it is a bit touch and go as to whether closures will exceed receipts and by how much. The figures will be released at some point in April, but there will be a full analysis in the annual report which will be out in July.
What do you think have been the particularly notable success of the FOI regime? And what further developments do you see?
Some of the notable successes were in the early days. For example, in relation to local authorities you had the food hygiene information – with the ‘scores on the doors’ of environmental health inspections. That was something that was really relevant to consumers, so I think that has made a big difference.
In terms of landmark cases, the ones that hit the headlines tend to be those which have an impact on the government – for example we have ordered the release of some government policy information.
MPs’ expenses was the biggest single case that brought FOI to the attention of all citizens. FOI has certainly increased the appetite for information about senior salaries and bonuses, even though that is an area where we tread a fine line between accounting for public expenditure and protecting the privacy of individuals.
But that is one area where we might see further developments in the future and perhaps more being disclosed in terms of bonus information and early retirement packages – that kind of thing, which in the early days of FOI was certainly regarded as off limits.
Turning to the data protection side, there have been a number of cases of local authorities tripping up – typically because they have failed to use password protection and encryption for key documents.
That has been something of a wake-up call, not just for local authorities but for all of those who are handling data and it all goes back to the first high profile case involving HMRC a few years ago.
What we see is almost a kind of complacency where public authorities and public officials have become used to dealing with information electronically. Emails have become commonplace. Portability of data is really what has triggered this new risk area and there have been a number of high profile cases where there have been some significant data losses, where the consequences have been potentially very serious indeed.
Is one of the problems for authorities that they can only do so much training and put in place so many policies, and people just forget or fail to comply? Or do you think that in most cases it is not just down to human error, but rather that at the end of the day there have been reasons why that human error has been allowed to happen?
We recognise of course that human errors occur. But we will always examine the context and the measures taken, such as the training implemented to support the policies. We will do this before deciding on any enforcement action, whether it is a monetary penalty or an enforcement notice. You can say that you can never rule out human error, but sometimes, people haven’t been made sufficiently aware of the importance of data security. For example, if a policy doesn’t require encryption of data which should be encrypted, then clearly that is something which we are going to take into account when we consider the action that should be taken.
The ICO’s use of its power to levy monetary penalties has grabbed the headlines, not least because the four cases so far have all involved either public authorities or a company that was providing effectively a public service. What criteria do you consider when choosing what level of penalty, if any, to set?
This is not my particular area, but the information is on the ICO website. Certainly we look at some of the things I was talking about earlier – the policies that are in place, what has been done to try to avoid a breach of the Act, the circumstances of the particular incident that has given rise to the complaint.
We look at the extent to which it was just down to human error or whether there is some kind of systemic failure that has brought about the incident or increased the likelihood of it happening. And we look at the nature of the breach, and its potential or actual consequences.
We do look at mitigating factors and we have a dialogue with the public authority or the data controller concerned. Obviously we take all their representations into account and there is an appeal mechanism against a monetary penalty once it’s actually awarded.
There are some who say that if you are fining public bodies – say a county council – quite considerable sums, the amount in question might pay for two social workers. How do you square that?
If it is put in that particular language, then it is difficult to square. But, as I said earlier, you are not really comparing like with like. You need to look at the potential consequences for individuals as to what might have happened if some of the information that we are talking about has got into the wrong hands. And if we are talking for example about child abuse cases, if you look at the cost and the fallout for some organisations where child abuse issues have gone horribly wrong with tragic consequences…..then I think our monetary penalties pale into insignificance.
It is important to recognise that the main purpose of a monetary penalty is to be a deterrent. It is not a punishment – it is to deter all data controllers from making the same mistakes. So whilst I know that there have been many eyebrows raised in local authorities by the size of the monetary penalties, I know equally that an awful lot of local authorities and local authority officers will be saying, “well that could very easily have been us and what are we doing to make sure that it’s not us”.
[People will be looking at how they can] make sure that these kind of mistakes aren’t made and if somebody does make a mistake, how they could demonstrate to the ICO that they did all that they could to prevent this kind of thing happening. So there will be some childcare litigation departments around the country looking at their systems after the penalty levied on Hertfordshire County Council.
The risk – and I know this myself because I have worked in that area – is that it is your stock in trade. You are used to handling information of this sensitivity on a day-to-day basis and when people are dealing with high volumes of cases and deadlines to meet (often imposed by the courts), the pressure is on. But you should always remember the sensitivity of the information that you are dealing with and the respect that it deserves. You should remember the appropriate security measures that should be in place to make sure that it doesn’t get inappropriately disclosed.
The penalties so far have been imposed on public organisations. What do you say to those who suggest that the public sector is a soft target? Or that major companies will just call in the big City law firms and give the ICO a hard time?
Obviously I couldn’t tell you about any action against a private company until it is announced. But I can certainly say that there is no kind of policy distinction in the mind of the ICO. [It is not the case that] we are looking for these things in the public sector rather than the private sector – quite the opposite, if anything.
The cases are where they have arisen – our work is complaint led and where matters are brought to our attention. But we tend to have quite a good track record with big City law firms are on the other side. We are not easily intimidated at the ICO, I can assure you.
Philip Hoult is editor of Local Government Lawyer.