Openness by Design – Why the ICO has an (extremely) long way to go on FOI.

So I send a lot of Freedom of Information requests (count for last year was well in the thousands).

Consequently, I get a lot of responses, a lot of refusals, send a lot of internal review requests and make a lot of complaints to the ICO (more than 80 last month).

As such I feel like I’m pretty well placed to comment on what’s working (or not, really not) with the FOI process. And why, while the new Openness by Design strategy sounds lovely, I don’t have much hope that it will amount to much.

I did send in a comment to the consultation on the strategy – TLDR: Why does everyone suck so much and why don’t you care!? (ps. you also suck).

Current level of commitment to implementing the strategy seems to amount to adding a new paragraph to the ‘we’ve written to the public body that should have replied to you weeks ago, asking them very nicely to please reply to you soon’ email:

We will use intelligence gathered from individual cases to inform our insight and compliance function. This will align with the goal in our draft Openness by design strategy to improve standards of accountability, openness and transparency in a digital age. We aim to increase the impact of FOIA enforcement activity through targeting of systemic non-compliance, consistent with the approaches set out in our Regulatory Action Policy.

(This will in no way get annoying when regularly receiving such emails due to a complete lack of any improvement in timeliness compliance. I do, of course, look forward to FOI’ing the ICO for the intelligence it has gathered in the future.)

But I am happy to act as an accountability buddy for the Commissioner for the task of getting FOI on track (if only so I don’t end up sending so many chase-up/internal review/complaint emails that I begin to lose track of them).

Part of the problem is the ICO is very much about non-confrontation. It likes to resolve things informally. It doesn’t appear to actually want to help public bodies to improve (as long as the request eventually receives a response (of some description), hey, it’s done its job).

As I said, I send a lot of requests and get a lot of responses. And I’m on a bit of a mission to get public bodies to apply Section 40(2) better with regards to small numbers in summarised data (i.e. by giving proper consideration to whether the information asked for actually is identifiable and therefore personal data).

My experience is this exemption is really badly applied – I regularly get responses labelled ‘all information released’ where small numbers are suppressed and no mention of an exemption being applied. Definitely no consideration of the routes by which the release of the information would lead to a person’s identification (always impressive when they can get through an internal review without considering this).

So I may have suggested to the ICO that when public bodies re-assess and release information after a complaint, it might be useful to offer them some guidance on how to avoid doing the same thing again (mainly because I would love to send fewer complaints because a public body wrote no refusal notice and a one sentence internal review).

I’m not sure the ICO is going to take my suggestion on board.

Response from caseworker:

I note your comment that you consider that the Trust ‘wrongly applied section 40 to small numbers’ but each complaint brought to the Commissioner is considered on its individual merits. If a public authority can explain why the small numbers are personal data and make clear what the route to identification is then the exact number may not need to be disclosed under FOIA.

In cases where small numbers have been suppressed from released data, it is not a straightforward or automatic decision. This can be a very tricky area calling for unique judgements in each case and we advise public authorities to refer to our Anonymisation Code: 
https://ico.org.uk/media/for-organisations/documents/1061/anonymisation-code.pdf

In these cases and following our guidelines, we ask public authorities to provide evidence that they can identify and show the steps that a motivated intruder could take to identify individuals from the suppressed numbers if disclosed. This is in addition to our usual questions on section 40.

So I’m all for public bodies making “unique judgements” on whether small numbers should be suppressed and explaining why they are small numbers and the route to identification. What I feel we might all be best off avoiding is public bodies copying and pasting their policy on suppression of small numbers into refusals without a moment’s thought.

Me:

I appreciate that applying Section 40(2) can be tricky and require careful judgement, and, of course, I may have different views to public bodies on what is and isn’t personal data. You note that a decision on the suppression of small numbers is not a “straightforward or automatic decision”. But many public bodies appear to act as if it is straightforward and automatic (that if numbers are small they must be redacted in all cases), and in doing this, they are wrongly applying the exemption.

The key point here is that it does require judgement – this is an exemption that should never be applied as a matter of course or in line with a policy to redact all small numbers, and this is what I’m experiencing over and over again, and that is where the Commissioner needs to step in. Clearly a large number of public bodies need better guidance on this (I currently have around 50 complaints relating to Section 40(2) with the Commissioner, a not insignificant proportion of them offer no or little reasoning as to why the public body feels the information is personal data – as a further example of what I’m regularly experiencing, I am just about to send an internal review request where the refusal in its entirety was: “It is the Education Services Policy not to disclose information where the number is low, in order to protect any individual from being identified and to ensure that all individuals’ privacy is maintained”).

Best practice is to explain why the small numbers are personal data and make clear what the route to identification is, and thus explain why Section 40(2) applies, in the first refusal, and this should definitely be done by the internal review. I should not be getting refusal notices of the poor quality that I currently get. Having to go through an internal review process and complain to the Commissioner because a public body hasn’t given any real consideration to whether or not the requested information is personal data prior to the complaint is a waste of my time, a waste of the public body’s time and a waste of the Commissioner’s time. 

The Commissioner has just released a strategy for FOI. You probably won’t be surprised to find I don’t have huge amounts of confidence in the Commissioner’s ability to improve things in relation to the goals. Responses such as yours add to that feeling. The Commissioner is not proactive enough here (which is a problem, given that the Commissioner writes in the foreword that: “the Information Commissioner’s Office (ICO) will be proactive in how we seek compliance with the law and how we hold public authorities to account”). I shouldn’t be repeatedly running into the same poor practice, complaining to the Commissioner, and then running into the same poor practice again. I have concerns about the trust’s FOI practice (the refusal and the internal review for the two recent cases that I complained about to the Commissioner are identical (see below), that is not a public body properly engaging with its responsibilities, and it certainly doesn’t appear to be adequately engaging in a consideration about whether the specific requested information is actually personal data (one was on cancelled operations, the other on assaults on staff, they are not requests for the same data)), and I’m concerned that you don’t. I’m very concerned that if this is the general attitude to poor FOI practice then there is little hope of seeing improvements over the next three years.

Goal one of the strategy states: “We want to encourage and inspire those we regulate to achieve the highest possible standards in their information rights practice.” – currently we’re miles off the “highest possible standards in information rights practice” and the Commissioner doesn’t seem that bothered about helping public bodies improve. While a decision notice may not be appropriate here (although I do feel that they have a use in building a body of work that can be referred to both by public bodies in understanding how FOI exemptions should be applied, and by requesters in understanding where exemptions may have been wrongly applied. There is also an issue here that if public bodies repeatedly refuse to release information and only reassess and release it when a complaint is made to the Commissioner (something that is open to abuse by public bodies seeking to delay or avoid their responsibilities), then continually resolving these cases informally means the public body is not being held publicly accountable for its poor FOI practice), there clearly needs to be an approach by the Commissioner that “encourages and inspires” public bodies that are repeatedly finding that they did not apply an exemption correctly to take stock and make changes so they can hit those highest possible standards. 

Referring public bodies to the anonymisation code here is unhelpful, it implies that small numbers should be anonymised or that there are set rules by which anonymisation should take place, when the first thing that needs to be done is to determine if the requested information is in fact identifiable personal data and then consider anonymisation if needed. You’d be better referring public bodies to the GDPR information on what is personal data that is currently on the website, which is very helpful on how to deal with data that may or may not be personal data (and this is the key test here, and if public bodies are not applying it then they are applying Section 40(2) wrongly). It is clear to me that public bodies are struggling with the application of Section 40(2); the Commissioner should be proactive in helping them with better guidance.

And when I say some public bodies appear to just copy and paste refusals/internal reviews, these are the responses from the same public body to two different requests about six months apart:

FS50801486:

Refusal:
The Trust is exempting this information under Section 40 (2) of the Freedom of Information Act as the low numbers involved may allow personal details of individuals to be identified. Please note the Trust is unable to give any further details as to do so may compromise patient and staff confidentiality.

Internal review:
The Internal Reviewer has confirmed the original decision to exempt this information. He took into consideration the information contained in both the UTT decision and the NHS Disclosure review which you helpfully forwarded with your request for an internal review. However, in each case these dealt with aggregated data which minimised the potential for identification of individual patients. His view is that whilst the specific information provided by the Trust might in and of itself not allow such identification to take place, where numbers are small (as in this case) then this information, when triangulated with other information which could be available through a Freedom of Information request to either the Trust or other sources, could allow identification of individual patients.

FS50823652:

Refusal:
The Trust is exempting this information under Section 40 (2) of the Freedom of Information Act as the low numbers involved may allow personal details of individuals to be identified. Please note the Trust is unable to give any further details as to do so may compromise patient confidentiality.

Internal review:
The Internal Reviewer has confirmed the original decision to exempt this information. He took into consideration the information contained in both the UTT decision and the NHS Disclosure review which you helpfully forwarded with your request for an internal review. However, in each case these dealt with aggregated data which minimised the potential for identification of individual patients. His view is that whilst the specific information provided by the Trust might in and of itself not allow such identification to take place, where numbers are small (as in this case) then this information, when triangulated with other information which could be available through a Freedom of Information request to either the Trust or other sources, could allow identification of individual patients.
