The Information Commissioner’s Office (ICO) has a new strategy on Freedom of Information among other things.

ICO25, which launched this morning, sets out what the ICO is hoping to achieve by 2025 with respect to its responsibilities for data protection and freedom of information. Or as the nicely designed PDF puts it: “ICO25 describes why we are here, what we want to achieve and how we want to achieve it”.

Broadly, there are a lot of problems with how public bodies treat FOI (slow responses, poor quality refusals, plenty of timewasting and messing about, many (many!) complaints to the ICO (which generally involve more of the same, and not just from the public bodies). The ICO failed to tackle any of these, and everything got worse.

The new strategy commits to dealing with FOI complaints much more quickly and actually taking some enforcement action.

Why we are here

Because FOI is important, it is a vital way of accessing information on matters of public interest from bodies that serve the public.

And while the ICO has been an absolutely terrible regulator that has previously done nothing to solve the problems we now have to try and solve with this new strategy, unfortunately we’re stuck with it (unless you send requests to Scottish public bodies, in which case you can deal with the more competent Scottish Information Commissioner), so we have to hope this time it means it.

The ICO’s current position can be broadly summed up as ‘has discovered there might be a bit of a problem with operation of the Freedom of Information Act’. It has a ginormous backlog of complaints casework, and the Cabinet Office Clearing House and the use of messaging apps in government highlighted some major problems requesters were facing getting information

This is a step forward of sorts. Previously, it sometimes felt less like the ICO wasn’t taking enforcement action because it hated confrontation and wanted to avoid it at all costs, and more like it really couldn’t see much of a problem with how FOI worked.

The previous strategy Openness by Design made a lot of fairly similar promises of improvements – increase compliance, take enforcement action, share knowledge, yay, proactive disclosure of information. It then didn’t do anything (as I’m not counting boilerplate text in standard complaint response emails as an achievement), got overtaken by the pandemic, then continued to do very little.

It’s notable that I could probably just send the same response to ICO25 as I did to the consultation on Openness by Design, with a note saying ‘these problems? Still not fixed’.

What we want to achieve and how we want to achieve it

I think most requesters would probably like less waiting around – for responses, public interest tests, internal reviews, and the ICO to deal with complaints (not likely when it’s six to nine months wait to be assigned a case officer). Also responses that either answer the question or set out the exemptions relied on for the refusal.

Or in other words, what it says public bodies’ statutory responsibilities are in the FOI Act? It would be an achievement if we could manage that.

How? I don’t know, have you tried doing literally anything?

ICO25 does at least differ from Openness by Design by having some actual concrete goals in it (frankly, it probably wasn’t unfair to describe Openness by Design as fluff).

It says it will

• ensure that less than 1% of our freedom of information caseload is over 12 months old;
• reach a decision and respond to 80% of freedom of information complaints within six months;
• ensure that 66% of freedom of information tribunal hearings are in our favour;
• publish 100% of our freedom of information case outcomes; and
• publish all recommendations made in our freedom of information complaints handling and audit work

On the first two, at the end of June, 7.2% of cases were over a year old, and 67.7% had been issued a decision within six months (as the Section 10 process for overdue requests is now pretty slick, it would probably be useful to know what how big a proportion of quickly resolved cases those make up).

The action plan for October 2022 to October 2023, involves

• Agile approach to FOI appeals – we will move quickly, recognising that it is important to provide a timely outcome, respecting that the Tribunal may not always agree with our decision.
• Prioritising FOI complaints – we will not deal with every FOI complaint or appeal in the same way. We will make objective decisions to prioritise our work based on open and transparent criteria and public interest.
• Better FOI – we will run a programme of activity to ensure our work on FOI is as efficient and effective as possible, with more upstream regulation and systemic enforcement to improve frontline services.

A blog from Warren Seddon, Director of FOI and Transparency, sets out how some of this might work in practice.

Prioritising requests with a clear public interest is a potentially a good idea. One of the complaints is that public bodies (see the Cabinet Office Clearing House) have worked out that they can basically make requests they don’t really want to answer, sort of, go away by delaying and refusing and delaying some more, knowing that when it gets to a complaint to the ICO, it’ll take even longer and the issue will be extremely old news by the time they get ordered to hand over the information.

Prioritising requests where there is a public interest in the information being public, so they’re likely to be resolved while still relevant, will hopefully defuse this tactic a bit. A clear criteria for what kind of requests get prioritised will also be useful.

Trying to get informal, early resolutions to cases isn’t really a new idea (the ICO loves to resolve things informally). It may work for some cases – those, potentially Section 12 cost ones, that could have been resolved with some advice and assistance (and a better refusal notice).

I think it potentially has some limitations – where the ICO is trying to close cases as fast as possible (and they will be “exploring how, as part of the commitments we make in ICO25, we can clear the cases already with our office even quicker than planned”), the risk is the requester gets a still poor response or has to keep pushing the ICO to resolve the problem properly. This may be where the agile approach in the action plan comes in – are we going to be balancing getting it done with getting it right?

The other issue is decision notices can be useful for heading off other refusals because you can refer to them in internal reviews. Fewer decision notices, less up to date guidance. The commitment to publish all freedom of information case outcomes and all recommendations from complaints handling and audit work may help here, if that happens and is detailed enough.

Complimenting this work, we will be improving the way our formal Decision Notices are presented on the ICO website so that they are easier to search though and access by subject matter or exemption quoted. This will help public authorities and requesters see how we have ruled on similar cases before helping to inform public authority responses and helping requesters understand if a decision is likely to be overturned by our office.

The ICO acknowledges decision notices are useful guidance – it plans to improve how they’re presented on its website to make them easier to search and reference, to help inform public authority responses and help requesters understand if a decision is likely to be overturned by our office. Clearer guidance would be good (there are some terrible quality refusals happening), but it may be useful to issue more alongside decision notices (especially if one of the other objectives is reducing decision notices).

Finally, we might actually see some enforcement action. “We are committing to delivering more systemic enforcement action against public authorities that clearly and consistently fail to meet their FOI obligations”, is a big improvement on “where necessary we will take enforcement action to secure compliance and uphold the law” (note: it will never be necessary).

Enforcement action is desperately needed for the worst offenders, because as noted above, plenty have worked out they can just not comply with the FOI Act with very few consequences. Better guidance and quicker informal resolutions are good, but they won’t work if there is no enforcement action to deal with those who don’t want to improve.