Wednesday, February 17, 2016

Charities: Following made up rules

[Before anyone asks, yes, I did work for a national charity and NO, this is not about it - this is based on several conversations that I had with a network of fundraising staff from other charities - in one case, on a group telecon, I had to put the phone down because they were discussing entirely illegal techniques and how to get away with them].

Once upon a time the headmaster, who knew the rules, told students to follow them.

The students, who did not like the rules, elected a head boy to interpret the rules. They did not bother asking the headmaster.

When it was brought to the headmaster that the rules were not being followed, he moaned. The head boy then amended his interpretation. The students then walked around claiming that the rules had changed.

On Radio 4's You and Yours, some chap called Ben Suffel from QTS (which seems to be a telephone fundraising outfit) handled a question about calling people in the TPS (go to 7 mins 25 sec on the recording). He said "... pre all the changes that came in last year we were allowed to contact people on the TPS if it was deemed that the charity had a relationship with the donor...". He goes on the clarify that the relationship may have been one of being a regular donor.

He then goes on to explain that this is because this is what the Institute of Fundraising had set out as being what they were allowed to do.

Obviously, this is all nonsense. What annoys me off the most is that, even now, charities and fundraising organisations are holding up the Institute to be the authority on this issue. So much so that when the IoF is forced to changed its ridiculous interpretation, that fundraising organisations are still talking about the rules having changed.

But DPA or PECR didn't change, did it? No rules were changed. Only the bizarre interpretation of a thoroughly silly organisation that does not appear to have any understanding of the law changed (although I can see why - clearly, if fundraising is done lawfully, revenues will dip - basically, charities seem to have tried to get away with as much as possible for as long as possible). 

So, my advice is for charities to listen to Information Governance experts when it comes to PECR and DPA and not to an organisation that has been peddling nonsense.

Monday, November 16, 2015

Twitter FOI killer

Unfortunately, the tweets below summarise what happened as a result of my appeal against the ICO's decision:

I did not appeal on whether Twitter was a valid way of making a FOI request - my actual appeal was on what a I perceived to be an illogical consequence of how the DN was written. 

My appeal was on these grounds:

1. whether the ICO was correct in deciding that s.1(1)a obligations are not covered in the same way as s.1(1)b when it comes to the medium of communication
2. Whether the ICO's decision notice means that a public authority can ask for an alternative address for the purposes of fulfilling s1(1)a obligations
3. If a public authority can ask for alternative contact details, how would this not be a breach of the 3rd Data Protection Principle

On this, although my appeal overall was dismissed, the FTT stated at para 33:

We consider that the provisions of the Act are clear, concerning how the public authority should communicate with the applicant in fulfilment of its duty to confirm or deny under s1(1)(a). It should communicate to the ‘address for correspondence’ stated by the applicant in the information request. Thus we agree with Mr Ghafoor that the public authority cannot demand, for carrying out the duty to confirm or deny pursuant to s1(1)(a), an address different from the one stated in the request.

So, it appears that I won on my very narrow point. But it is it a totally pyrrhic victory because both the ICO and got our asses handed to us on a point that was not under appeal - the use of Twitter to make the requests. 

There are two issues here:

  • that the Twitter handle is not an appropriate address as per s8
  • that my name was in the request but only in my profile and that there is no reason to impose a burden on a PA to click on a profile

On the address issue, para 28 states:

In our view Mr Ghafoor’s tweet of 7 August 2014 did not satisfy the requirements of s8. In our judgment a Twitter username is not ‘an address for correspondence’ within the meaning
of s8. A means of communication which is limited to 140 characters is unsuitable for correspondence between the public authority and the requester concerning the request.
[my emphasis]

I agree that it CAN be unsuitable, but I am not sure it IS unsuitable. 

For example, a request like this:

@cabinetoffice can I please have under FOI a copy of meetings of minutes between PM and Putin on 12 Feb 2014?

Can be answered like this in 125 characters:

@FOIkid Not held. To appeal, let us know in 2 months. You can complain to ICO, details at

I cannot see what more this reply needs. 

As pretty much every government department, council, NHS body, etc, has a Twitter account and teams of people spouting propaganda at us all day long, it is deemed a medium where complex ideas are set out. It is also a mistake to think of Twitter as only being about the 140 characters. 

I just spent a minute looking through DWP's timeline - I cannot see any instances where they are purely using 140 characters rather than also embedding graphics or linking to documents. I am sure that there are SOME such tweets, but they are the exception. Twitter is commonly and clearly used in a more sophisticated way than the FTT thinks. I think that it can be suitable. In fact, I almost think that the way in which some organisations are linking to their own documents, that it is probably nearly always suitable (aside from some parish councils, etc). 

Turning to the second issue, on whether my name was in the tweet - I agree, it was not there. Para 29 states:

A Twitter user’s real name may or may not be stated in the user’s Twitter profile. We acknowledge that on the facts of this case Mr Ghafoor’s name was readily available to the public authority; in this case it was a simple matter for the authority to look at his profile. But there is a question of principle here. Section 8 does not entitle a requester to impose on a public authority the task of looking elsewhere than the request itself to discover the requester’s real name. On the contrary, s8 explicitly requires the request to state the name of the applicant. Mr Ghafoor’s request did not do so. The fact that, in the particular circumstances of this case, ascertaining the applicant’s real name could not have been easier, did not convert a request not meeting the requirements of s8 into a compliant request. 

It is good that the Tribunal accepts that it is really easy to ascertain my name - I would add that you don't even need to click on the profile - just a hover on the handle is enough. While s.8 does not explicitly lay this burden on the public authority, it is true that they interact with members of the public through Twitter all the time - this task is undertaken all the time. 

With Twitter having become such a common mechanism for communication, the wording of the act is slightly behind (fair enough, Twitter was created six years after the Act was drafted). However, the way in which Twitter is used by all regular users is so clear and the 'task' to looking up the name of the requestor is so slight, that this interpretation is too theoretical and does not take account of how we all use this medium. 

So, here are my next steps...

I wonder if the ICO will appeal - this makes its guidance on Twitter requests out of date... wouldn't it be a total hoot if we both appealed. That would almost be cute. 

Update 18/11/15 9.40pm: I have been thinking about appealing this decision notice and have been getting lost in the arguments - but the killer argument I got was courtesy of @foimonkey in the pub this lunchtime who pointed out that since I made my initial request Twitter's fuctionality has been changed in two critical ways: DMs have become open and have no word limit. 

If I appeal my case, they will look at the facts of the case as Twitter was functioning at the time of the request - which means that I have no fall back position on arguing that a public authority can DM a longer reply

So, I think that I will have to leave this.

I do feel bad as I am sure that the FTT is wrong, but I am equally sure that I will lose on the facts of this case. I think that you can continue to use Twitter for requests, so long as you insert your name or your handle is your name. You can also ask them to DM you the reply if they need more space. 

Obviously, if they end up refusing you, and you need it, I would be happy to help with any appeals.   

Thursday, June 18, 2015

Using Twitter to make FOI requests (revisited)

The Department for Work and Pensions made a bold claim some months ago on Twitter about how 99 per cent of the jobs on Universal Jobsmatch are genuine. I felt that this was probably nonsense given that they still do not have an effective way of vetting jobs that I am aware of.

So I tweeted a FOI request to them asking them for: 
...copy of internal report or assessment, including all data considered and method, for this assertion...
They not only failed to give me the information, but their denial about the lateness of the reply was arrogant (a simple 'sorry' would have won me over).  

The decision notice has been published at

This is the same sort of DN that the ICO issues in these circumstances, saying that requests via Twitter as valid, and that yes, my name was in the profile, blah, blah.

The only interesting thing is in relation to my complaint over section 11 - whether I could force them to tweet the reply (on principle, when a public authority tweets something that is likely to be nonsense, it would make sense to want it to use the same medium to provide evidence):
16. Section 11(1)(a) of the Act allows the applicant to express a preference for the form (or format) that the requested information should be communicated in, not the communication of whether information is held. The Commissioner finds that the DWP did not breach section 11.
Now, the error I made was that when I got no joy via Twitter, I emailed them to chase. Consequently, they had a mechanism for replying to me off Twitter. Had I not chased, but had gone to the ICO, I could have said that asking for an email address was against the 3rd Data Protection Principle, in that it was excessive - they had a mechanism for replying - by publishing the reply on the disclosure log and tweeting me a link.

I suppose that I could ask them to stop processing my email address, but it unlikely to succeed. More broadly, this DN is hard to understand in relation to section 11. Does this mean that if I email my FOI request, that a public authority can demand a postal address to confirm or deny whether it holds the information? That makes no sense.

I am toying with FTT... but I need to think... comments/free advice appreciated (although I have to say, this is hardly the most important FOI issue in the world and I don't really want to waste anyone's time).