Response to the consultation on the ICO’s Openness by Design strategy

Do you agree with the vision we have set out for the regulation of access to information rights?

Yes, it sounds lovely, and a great thing for the ICO to aim for. 

However, the problem is, very little the ICO has done in recent years suggests it has any ability to implement this, mostly because it is doing a fairly poor job of implementing its responsibilities as is.

What if anything would you like to change in the proposed vision?

As a heavy and regular user of the FOI Act, I currently have little trust and confidence in the openness and accountability of public authorities. Frankly, a lot of the time getting information out of them is a seemingly never-ending and frustrating battle – and I know the Act well and know what to do when public bodies don’t respond to requests in a useful manner. If I didn’t, I imagine, I would quickly give up, rather than using the Act to try to access information I should be able to access.

So in terms of the ICO being more proactive, we’re starting from a very low base, as currently the environment out there is pretty lawless, public bodies that don’t want to engage with FOI don’t, there’s huge amounts of poor practice and the ICO is incredibly slow to respond, often does a poor job of responding, and does very little that is useful to improve the implementation of the FOI Act.

At the moment dealing with intransigence when it comes to breaches of Section 10 seems to involve issuing decision notice after decision notice (for example, to the Home Office), which is clearly ineffective. If this is how the ICO currently deals with public bodies that have very poor timeliness, how will the vision improve this?

There is a lot of work to be done and this draft strategy is welcome, but it needs to be backed up with concrete action, rather than just nice words. 

‘Some challenges around compliance’ probably undersells the scale of the problems facing FOI at the moment. Generally poor practice can be divided into attempts to reduce the burden of FOI by putting barriers in the way of requesters and poor quality responses. 

There appears to be a real trend for some local authorities to attempt to place barriers in the way of requesters in an attempt to make dealing with FOIs easier for the local authority (but more complicated for the requester).

The first way in which this is apparent is in attempts to force requesters to use online forms to submit FOI requests. While for some requesters these forms may be easier to use, others may prefer to use email as it offers greater control over tracking correspondence (something likely to be important if a complaint is later made to the Commissioner).

One such example comes from South Holland District Council:

Thank you for your enquiry. We are unable to accept FOI requests via this method. Please resubmit your request on our website at www.sholland.gov.uk/Feedback

Kind regards,

Customer Contact Team

I am someone who is happy to quote chunks of the Act at people, but this is the kind of nonsense that is likely to put less experienced requesters off from exercising their rights:

Obviously, under Section 10(6) of the FOI Act, “the date of receipt” means the day on which the public authority receives the request for information, where ICO guidance makes it clear that this means “The day on which the request is physically or electronically delivered to the authority, or directly into the email inbox of a member of staff” (Paras 26 & 27, https://ico.org.uk/media/1165/time-for-compliance-foia-guidance.pdf).

For an FOI request to be valid, it must be in writing, include the requester’s real name, include an address for correspondence, and describe the information requested (https://ico.org.uk/for-organisations/guide-to-freedom-of-information/receiving-a-request/).

It doesn’t require the request to be sent to the authority by a method of their choice.

So the request is already valid, and the auto-responder, by definition, shows that the request has been received and therefore must be dealt with by the authority, but for inexperienced requesters, this is potentially putting an extra, completely unnecessary step in the way of someone seeking to access information.

Trying to pre-empt refusals of requests is also an issue. 

I have complained to the Commissioner about Barnsley Hospitals NHS Trust’s auto-responder repeatedly, but it is still being used. This is exactly the kind of thing the Commissioner should be taking informal action on, by offering advice and guidance, to come up with an auto-responder that isn’t actively trying to discourage requests.

Camden Council now responds to clearly marked FOI requests by saying it is “dealing with this as a routine request rather than formally as a Freedom of Information Act request so we can provide you with a faster and less formal response”, which sounds like lovely customer service, but is really a clear attempt to evade its responsibilities under the Act.

The council’s way of dealing with requests outside of the FOI Act is to direct requesters to its FOI disclosure log with a few suggestions of things to search. Obviously, if these items were actual answers to the request in question, the council would have simply issued a Section 21 refusal (it would take the same amount of time). Given that it is trying to do this outside of the statutory framework, it should come as no surprise that the suggestions do not answer the request in any way, requiring the requester to spend time chasing the council to actually answer the request through the FOI process, a process Camden council is clearly trying to frustrate by acting to discourage requesters from accessing the information they have asked for.

The second problem is with the incredibly poor quality of some responses, and even more worryingly, of internal reviews. This then necessitates complaints to the ICO that could have been avoided if public bodies put more effort into how they apply exemptions. 

A current FOI to all unitary and county councils has led to more than 80 internal review requests and, at current count, 16 complaints to the ICO. The most commonly cited exemption is Section 40(2), although in several cases it isn’t mentioned at all or only vaguely hinted at by a line saying small numbers have been suppressed.

Public bodies often take it as read that exemptions apply, rather than clearly setting out the reasoning behind the application of the exemption. That this level of reasoning continues through an internal review is worrying. Often, once a complaint is made to the ICO, the public body realises it has little basis for applying the exemption, something that would have been apparent if it had applied it properly in the first place, which would have saved time and resources. 

While the ICO does have some very useful guidance documents on its website, many of them are out of date (failing to take into account more recent information rights cases), so it would be good to see them more regularly updated and better signposted. 

The consequences of lack of easily accessible guidance can be extremely serious – I have twice been sent sensitive personal data on pivot tables. I have previously seen guidance from the ICO on this issue but it clearly isn’t widely known. 

Some public bodies seem keen to have more guidance that can inform their decision making. 

For example, from Redcar and Cleveland Council:

“On behalf of the Reviewing Officer I thank you for supplying notification of this decision. The reasoning behind the decision gives extremely helpful clarity to the area and will benefit the Council in its approach to future Freedom of Information Requests.” – referring to Upper Tribunal decision in The Information Commissioner v Miller (2018) UKUT 229 (AAC)

Surely it is the role of the Commissioner to update public bodies on decisions, particularly at UTT level that may have an impact on how they apply exemptions?

The Panopticon blog is excellent on summarising decisions in information rights cases, but it isn’t an official or possibly widely known source. The Scottish Information Commissioner publishes a regular round-up of useful insights from recent decisions that may be a good template for something similar from the ICO.

Clearer guidance and summaries of decisions would not just help public bodies but also requesters in challenging refusals. 

The ICO is incredibly slow at dealing with complaints – I realise it is very busy, but at least some of this is likely to be self-inflicted, where if you fail to enforce the powers that you have, public bodies may feel they can get away with poor compliance, especially around timeliness, increasing the number of complaints.

The process for dealing with timeliness complaints should be improved – they are straightforward as mostly only the date of the valid request needs to be established, so it should be possible to issue warnings on outstanding requests within a couple of days rather than several weeks as is currently the case.

The document mentions that the Commissioner has powers to certify to the High Court if a public authority fails to comply with them. As far as I’m aware these powers have never been used. Maybe the time has come to start using them, to at least remind public bodies that failures to comply have consequences.

When I had a request that was still outstanding after the deadline given in the decision notice, the caseworker was incredibly reluctant to pass on the case to the ICO’s solicitors to begin the process, even after I called them to make it clear that is what I expected to happen next. While trying to resolve issues amicably may be admirable, where compliance is falling apart, it’s possibly not the best approach. 

Where a more proactive approach to sorting things informally would be useful is in dealing with concerns that fall short of a formal request for a review.

As noted above, there are some absolutely terrible practices out there, and in a lot of cases it would be useful for the ICO to step in to explain how public bodies can do better (I try to copy in the ICO on some of the more ridiculous examples, but Barnsley Hospital NHS Trust appears to still be using its awful auto-responder).

I would suggest that Section 21 should not require an internal review but like Section 10 can be appealed straight to the ICO. Unlike other exemptions where the application is based on the judgement of officers at the public body, whether this exemption has been applied properly is much more straightforward – either the provided information answers the request or it doesn’t – and this is something that is best judged by the applicant.

The concern, and in my experience, a valid one, is that Section 21 is abused by public bodies to try to fob off applicants by linking to, at best, information vaguely related to their request, in the hope that the case can be closed. Even if the applicant persists, this is an unnecessary delay in getting the information they’ve requested. 

Allowing a direct appeal to the ICO for this exemption would allow the ICO to monitor which public bodies persistently misuse Section 21, and encourage better practice. 

As well as being slow, responses from the ICO can also be extremely poor. More training of caseworkers is clearly needed. 

I’ve had a complaint that went all the way to an FTT missing the key issue of Section 40 (we did manage to get completely confused over how Section 22 works and take a huge detour around how substantial changes like new legislation could change how exemptions are applied over time; this wasn’t relevant).

In another Section 22 related example, the plan to release a non-related report containing some similar terms in the future caused issues. And I nearly ended up at an FTT because both the public body and the ICO couldn’t distinguish between e.g. and i.e.

All of these were a huge waste of time for both me and the ICO, and could be easily avoided if caseworkers took more care in dealing with cases. 

Extending the FOI Act to more public and private bodies and moving towards ‘a duty to document’ approach are both excellent ideas, which I fully support. 

However, there is another change that needs to be prioritised. Internal reviews need a statutory time limit. 

This is a key change that must be made to the FOI Act as soon as possible. If you think public bodies have a timeliness problem when it comes to answering requests (and they really do), it’s nothing compared to their timeliness problem when it comes to answering internal reviews. As there is no statutory requirement to complete a review in a set time period, many public bodies appear to make them a low priority, meaning they get delayed or missed (some may be actively avoiding completing them).

Setting a statutory time limit for internal reviews to be completed would not be a big change, it would simply mean giving the current guidance a statutory basis, making it easier for applicants to complain about delays, and for the ICO to take action on those complaints. 

It would not be an additional burden to public bodies – those with good FOI practice already complete internal reviews in a timely manner, most likely because they took time to put together their reasoning for applying the exemption in the first place. Those that do not currently complete internal reviews in a timely manner could do with an additional incentive. 

Overall, the FOI Act is fantastic, using it helps bring to light vital issues of public importance. But it’s not a priority for public bodies, and, often it seems, the ICO. It needs a strong champion, I hope this is the start of it getting one. 
