Tuesday, December 24, 2013

How to tell if the FOI response you have received is bullshit. Part 3: personal data, section 40

I am going to concentrate on information about employees of public authorities. When it comes to information about members of the public, you have, quite rightly, pretty much no chance of getting it. After all, what information that you gave your local authority, NHS, police, social care provider, etc, would you be happy with being released into the public domain? None, right? Damn right.

The safeguards on personal data are in the Data Protection Act (DPA), not the FOI Act. S40 of the FOIA is best thought of as pretty much saying 'refer to the DPA'.

The DPA is complicated. People will talk about sections, schedules and prinicples. For the requestor (at this point, all practitioners look away), it is best to think of them as the same sort of thing - they are just bits of, in this case, the DPA.

The DPA says that there are two kinds of information relating to people: personal data and sensitive personal data.

Sensitive personal data is listed in the DPA as race/ethnicity; political opinions; religious belief; membership of a trade union; physical or mental health; sexual life; offences; proceedings relating to an offence.

Personal data is any information that relates to an identifiable individual. This is sometimes harder to spot as it is not so nestly categorised. Almost anything can be personal data (it's not just names). Saying 'a London-based tweeter and blogger on FOI who works in London, who attended a conference on FOI and scientific archives in Rio in 2013' ends up being personal data. This is because although it does not name me, it does give enough unique information about me to identify me. Every element in it can be recombined with information in the public domain (Twitter, my blog) so that a super sleuth, or just you, my dear attentive reader, can work out that this can only refer to me. This is why more than just a name is often redacted redacted.

Two sections are used: s40(2) and, far more rarely, s40(5).

Let's concentrate on s40(2) by looking at examples:

Question: can I please have a list of all staff job titles?

Ok, often an organisation has only 1 strategic head of intelligence training. But the key here is to realise that people can be replaced. A job title does not specifically and indefinitely refer to one person. So, the BBC reply at https://www.whatdotheyknow.com/request/health_staff#incoming-378738 is patently absurd. Job titles, no matter what, cannot be withheld. Unless they relate to a security organisation, where it will simply not be released, you should get this information. Most attempts to withhold this are pretty much nonsense.

Question: can I please have the names of all staff working at your organisation?

Ok, even this can be complicated. The DPA does not list names or the fact that a person works at a particular place as being sensitive personal data. By and large, names are not personal data (although the true story is fiendishly complicated).

So, now you look to two things:

Whether release is 'fair' and whether a schedule 2 condition of the DPA has been satisfied. So, look for a fairness argument and a schedule 2 argument.

Fairness has something to do with the expectations of the employees. Seniority might have something to do with this. Whether staff are already public facing (it would be silly to argue that it would be unfair to release the name of the FOI officer when his/her name is likely already splashed all over Whatdotheyknow.com.

Then there needs to an examination of schedule 2 conditions. Most of the time, this means consent (which public authorities do not have to ask for, so there is almost never consent).

So, mostly, you cannot have the names of everyone.

The key is that staff who are senior or important will have their names released. If you are asking about senior staff (and the definitions vary - generally, it is people earning about £40k and over), they can have few expectations of privacy when it comes to simply being named.

So, if ALL of the information is being withheld, it is likely to be bullshit.

Question: can I have the salaries of all staff at your organisation?

The ICO guidance is that you get these in bands of £5k. That is enough to ensure transparency. After all, if someone is on £70000-£74,999, that is enough to know whether they are paid an appropriate amount. Personally, I cannot see why people might want more.

There was a lovely decision notice against NHS Surrey in Dicker vs ICO there was a question about a NHS senior exec that might have been paid more than the national guidelines, where the Tribunal set out that such senior staff can have pretty much no expectations of privacy. But this is rare (and i still don't agree with it). On the whole, you should get the information.

Question: can I have the numbers of Buddhists at your organsiations?

This is sensitive personal data. But only if you can identify the individuals from the answer. Imagine the answer is 20. If you knew, for example that FOIston Council, which has 20,000 employees has 20 people who have self-identified as Buddhists, this is only personal data if knowing the fact that it employs 20 Buddhists can be recombined with other data that is either in the public domain or might end up in the public domain to work out exactly who they are. Often, the organisation will be risk averse and not release. But if the answer does not provide you with a decent argument about how the data is personal data, how it can be used to work out who the individuals are, then it the answer is likely not to be strong enough (a.k.a., it is bullshit). But, imagine that FOIston Council only has one member of staff who is a Buddhist. Now what? Well, this is more dangerous, but similarly, the council must provide you with a decent argument explaining how it is personal data and how such inormation could be used to identify an individual.

Question: can I have the names of staff against whom there has been more than one complaint?

I guess that the purpose of this question is to see if FOIston Council is carrying any dead weight. Whether it takes people screwing up seriously and gets rid of them.


Going back to our definitions, sensitive personal data, which is more difficult to release, refers to 'offences'. You would, presumably, have to be thought of as committing an alleged offence to get complained about. But we have to bear in mind that complaints are often not proporitionate to a person's competence - often, they are about how difficult the cases are that they are handling, etc. Would every internal review request be a complaint against a FOI officer's decision?

This information should not be released. It simply does not tell you anything about a person's competence. It would be better to ask for the procedure for dealing with staff against whom there have been lots of complaints to see how such people were dealt with.

If the request had been for numbers of people against whom there had been more than one complaint, then again, we come back to whether the figures can be deanonymised.

Conclusion:

I have only looked at one aspect of personal data, but I think that this is the most common. If the request is about data belonging to non-council employees, then similar tests must be applied.

S40 replies often look very convoluted. But make sure they tell a coherent story. If not, everyone asking for internal reviews will eventually force organisations to use plain English.

The forthcoming PDP FOI Journal will contain an article from me about the horrors of trying to work out what is personal data in things such as reports and emails.











Thursday, December 19, 2013

How to tell if the FOI response you have received is bullshit. Part 2: cost limits, section 12

"We can't tell you because it would cost too much".

It sounds counterintuitive. But it is often not.

The basics: s12 says that if it costs more than the 'appropriate limit' to answer a request, it can be refused. There are regulations that set out the appropriate limit: £450 for most public authorities and £600 for central government.

Although the cost limits are, naturally, given in terms of money, public authorities (PA) mostly refuse the request in terms of time. This is because the formula is to calculate the value of the time spent on a request at £25 an hour. So, for most public authorities, this is £450/25 = 18 hours and for central government £600/£25 = 24 hours.

BUT, the sorts of things and activities that contribute to the cost limits are narrowly defined. At the moment (although there is a danger to FOI that this will change), thinking time is not included.

The activities that are included are: searching, locating, identifying and retrieving the data.

The other costs (but which most public authorities ingnore, unless something exceptional happens) include photocopier costs, etc. But, unless the PA holds the data in some weird way, the other costs are rarely mentioned.

It revolves around time. You will note that the FOI officer's time to log and reply to the case, the time to redact materials, time to get consent from third parties, time to get legal advice, all that sort of internal process does NOT count towards the cost limits.

When you get a reply citing section 12, a good PA will provide:
  • A confirmation of whether the information is held or not (sometimes this is not possible, but they should say something about it).
  • A calculation of how they calculated the time it took to search, locate, identify and retrieve the information.
  • A description of the form in which the information is held, which might be so say they have ten huge boxes of documents that might have the data. 
  • Advice on how to narrow the request.
If you get all of this, you can often put your bullshit klaxon away, although the devil will be in the detail.


Suppose that your local council is thinking of closing your local swimming pool. You bung in a request that asks for all of the records relating to this.


The FOI officer looks at it and thinks "I know, the leisure services dept will have this". But then s/he realises that, because this was raised at council meetings, that councillors will hold stuff. Then s/he remembers that the site is being prepared for selling to a supermarket chain - so estates will have something. Then s/he remembers that a zillion people wrote in to complain, so the customer services team will hold lots of correspondence. The communications team chucked out press releases and the public health team (which is embedded in the council) had concerns about the health impact on the community. Suddenly, the only person who might NOT have something on this is Felicity in food hygiene (but even she might have something, an email from her manager telling her not to bother inspecting the swimming pool cafe in 6 months as it won't be there). And then s/he remembers the social workers who might take their clients to the pool, the teachers and school and the numbers of people that might have something rockets up to about 10,000 (remember, a typical council employs 10k-30k people)...

Whose fault is this? You, dear requestor - you just didn't think it through. But how can you have been expected to work all of this out? Well, if you have never worked for a local council (I haven't, so I made all of this up, but I think it might be a good guess), what can you do? Phone the FOI officer and chat about it. ASK.

Otherwise, the FOI officer will end up having to say:

I can confirm that we hold some information relevant to your request. 

However, your request is very broad. I would need to contact staff in the following departments:

Leisure
Council secretariat
Estates/commercial
Customer Services
Education
Public Health

These, as well as other departments that may hold information relevant to your request mean that up to 10,000 staff would have to be asked to search, locate, identify and retrieve information. Regulations for s12 of the FOIA allow a public authority to refuse a request if compliance would cost more than £450, or on a notional value of £25 per hour, take more than 18 hours. 

If I contacted 10,000 people, each person would have 18 hours/10,000 = 6.48 seconds to undertake this search. It is plain that the search could not take place within this time limit and the 18 hour limit would be exceeded. I am therefore refusing your request. 

However, you may wish to narrow your request. You may wish to only ask for the records of the Leisure department to be searched. Within that, you may wish to ask for minutes of specific meetings or project plans, and within a narrow timescale, so as not to risk exceeding the appropriate limit with any future request. 

I should also advise that further exemptions may apply to information retrieved in reponse to a narrowed request. 

Or, take a simpler scenario. A request comes in for all of the email discussions held by the planning department about a new bill from DCLG, the Infinite Housing Bill during the first quarter of 2013. Looks nice and narrow, huh?

NO.

The FOI officer replies:

I can confirm that we hold information relevant to your request. 

Regulations for s12 of the FOIA allow a public authority to refuse a request if compliance would cost more than £450, or on a notional value of £25 per hour, take more than 18 hours. 

There are 12 members of staff in the planning department. We initiated searches using the following terms:
  • Infinite Housing Bill
  • Housing Bill
  • Housing
However, these yielded 7450 results. While we do not believe these search terms to be exhaustive, they would indicate that housing was being discussed. We took a dip sample and asked two planning staff to read 10 emails each and count how long it took to identify and copy into a MS Word document any relevant discussions. As some of the emails contained significant attachments, it took the first member of staff 34 minutes to read and search 10 emails and it took the second member of staff  22 minutes to read and search email. We therefore think that a reasonable estimate for searching the average email is 2.8 minutes.  

Searching all 7450 emails would take 7450 emails x 2.8 minutes = 347 hours 40 minutes. 

This far exceeds the 18 hour limit and we are therefore refusing your request. 

However, I do note that there were three meetings relating to the new bill. You may wish to request the minutes for these. 

The PA has to tell a good story - a detailed story that shows that they really did try to help. The reply must show the size of the task and give enough information that you can understand how to narrow the request down.

Don't take a reply that just cites the limits without a good narrative. And demand advice and assistance (see s16 of the FOIA) on how to narrow your request.







How to tell if the FOI response you have received is bullshit. Part 1: introduction

There are lots of guides on how to make a FOI request. One of the best is Foiman's at http://www.foiman.com/resources/foiguide1. The ICO guidance is ok too.

But if you are not experienced at using FOI, how do you work out whether the gobbledygook you have received is a good or a bad answer?

I am still irked at how few people ask for internal reviews (and where organisations do not have someone independent and senior in the organisation assessing the internal review, I cannot see how they can have much value), and how rarely people go to the ICO, let alone the Tribunal.

So, I intend to write a series of posts, going through the exemptions, roughly in order of how often they are used, so requestors can learn to spot a bullshit reply. This is not meant for seasoned requestors, but for relative beginners or infrequent requestors.

Do read Paul's guide and the others that he links to - these are excellent starting points.

Wednesday, December 18, 2013

NHS and transparency



A few months ago File on 4 put out something on NHS, privatisation and commercial confidentiality. I was all set to hear lots about FOI (which seems to be the main conduit for getting this information out of NHS organisations on what has been privatised). I was looking to hear about how the whole thing rests on a public interest test. I wanted an examination of how these public interest tests are carried out and how sure they are.

I was disappointed.

So, here are some stats from the ICO website when you look at decision notices:

s43 (all sectors):

complaints not upheld: 175 DNs
complaints partially upheld: 104 DNs
complaints upheld: 279 DNs

s43 (all healthcare bodies):

complaints not upheld: 14 DNs
complaints partially upheld: 6 DNs
complaints upheld: 15 DNs

This means, in general, if you complain to the ICO, you have nearly a 70 per cent chance of getting more info from the public authority.

If you complain about a healthcare organisation, you have a 60 per cent chance of getting more info from the organisation (the NHS sample is tiny, considering how many such organisations exist, so I am less comfortable with this calculation).

That there are only 35 DNs related to healthcare is shocking. Why the hell aren't people complaining when they get silly answers?

It is easier if I slag off now defunct public authorities. Look at:

https://www.whatdotheyknow.com/request/dentists_pay_15#incoming-49792 The refusal is genius:

"We believe that by releasing this information, it is likely to affect the
viability of dental practices and impact on the ability to effectively
provide dental treatment to NHS patients in Westminster. This information
is therefore exempt under s. 40 (2) and (3a), Personal Information and
s.43, Commercial Interests, of the Freedom of Information Act."

Awesome - somehow, dental practices (which are companies) suddenly have personal data - and there is that ridiculous argument - ability to provide services is somehow the basis of something being personal data. Then there is the s43, without any idea as whether it is 43(1) or 43(2) - probably the latter. There is no public interest test. There is no description of how this harm will take place. And, as far as WDTK is concerned, there is no record of a complaint.

That does not mean that commissioning is done with bad intentions.

I will now digress into a political nuance before coming back to the point - feel free to skip this para if you are only interested in FOI. Andrew Lansley is universally acknowledged as a bad communicator. That is probably why he was moved out of health and demoted to Leader of the House. But one message that even he managed to get across about his Health and Social Care Act HSCA) (which actually went through because of Earl Howe's extraordinary abilities in the Lords, which is where any real objections to the Act might have borne fruit, not withstanding Shirley Williams'  disgraceful betrayal of decades of decent public service by supporting the Bill), was that the new clinical commissioning groups (CCGs) would mean that medical practitioners would once again be in charge of commissioning healthcare. He actually managed to convince people of this fact. But, working for a series of Primary Care Trusts (which used to do the health commissioning before CCGs were formed on 1 April 2013), I quickly discovered that, aside from the finance staff, IT and comms, almost all of the people working in core healthcare commissioning teams were ex doctors or nurses. Indeed, I had an outstanding colleague who was paid 5 days a week as a senior manager and who worked several days a month (for far less money) as a nurse. Commissioning was not perfect, but by God, it was done by people who understood the needs of the frontline staff and the community.

Back to FOI: Although commissioning is not done with bad intentions (although, I now think that it is worse than before in the CCGs), there is little transparency about it. There may well be a cry about how so much is farmed out to private companies like Virgin and how there needs to be a change in the law to make them subject to FOI. I have banged on about this before, but I will say it again: the standard NHS contract means that if you send a FOI to Virgin Healthcare about its service in Surrey (worth about £500million), it is CONTRACTUALLY OBLIGED to forward the request onto the service commissioner (one of the Surrey CCGs) to handle. The contract then says that the provider (Virgin in this example) MUST HAND OVER ITS INFORMATION TO THE COMMISSIONER TO ENABLE THE FOI TO BE ANSWERED.

Does this happen, dear armchair auditor?

So, in summary, we are not making enough requests to the NHS, often the NHS is giving out rubbish replies (although probably no more often than other sectors) and people so not seem to access the information on private companies that they can clearly get.




Tuesday, December 17, 2013

Smoke and Rings: Problems with access to scientific data through Freedom of Information and Environmental Information Regulations in the UK


Earlier this year I was lucky enough to be invited to go to Rio to speak at a conference. I have blogged about it at http://www.irms.org.uk/news/entry/6th-conference-of-scientific-archivists-in-rio-de-janeiro.

Below is the paper that I wrote for the conference, which was designed to help a country that is relatively new to FOI to understand the problems we have faced. It does not say much that is new to UK-based practitioners, is not very technical but may be of interest.

Smoke and Rings: Problems with access to scientific data through Freedom of Information and Environmental Information Regulations in the UK

Introduction: 

Transparency is a great disinfectant. But have you ever splashed disinfectant onto a wound? It hurts. Before we see the benefits of disinfecting a wound, we must suffer pain. There is always a period when transparency laws are not adhered to properly by organisations that do not truly understand them, and where requestors are trying to test the limits of any new law. This is the pain of any new transparency law.

After much hard campaigning, Brazil brought in Federal Law 12.527/2011, which brought in time limits and exemptions for transparency laws. Brazil is now embarking on a journey that the UK started only 8 years earlier. This paper seeks to discuss the problems that the UK has experienced with information law and access to scientific information, including medical data, climate change data and other areas of vital research that are funded by taxpayers. 

I will first set out a brief account of transparency legislation in the UK. Following this, a description of the process of making a request and, where the requestor is unhappy with the reply, making a complaint. This mechanism is significantly different from the Brazilian model and will inform an important conclusion. 

I will then turn to three interesting and high profile case studies. These were information requests for scientific data that threw up fascinating questions: details of how they were dealt with; the conflict between researchers’ rights to control their work and the public right to know about projects they are ultimately funding through taxation; and how to manage the public impact of information that might be released. I will examine these cases only in as far as they provide a useful guide to problems that Brazilian colleagues may experience.

I will then draw all of these issues together before providing a brief account of what the UK has learned and how it will practice information releases in the future. Of interest will be a recent investigation by a Parliamentary committee into how well such laws have worked, and amendments to the law designed to deal with requests for scientific information. 

Medieval cartographers, when reaching the limits of the world known to them would often mark these unknown areas with fierce dragons, to say that beyond the limits of their experience, danger lurked. ‘Hic sunt dracones’ (‘here be dragons’) might be written on the blank spaces of the map.
This paper will be successful if I show Brazilian colleagues the wounds that another country has experienced from the dragon, so they can prepare for those same attacks – that, depending on how interpretation of Federal Law 12.527/2011 evolves, the world of transparency, if managed well, can be a safe and fascinating journey. 

Transparency laws in the UK:

The Freedom of Information Act 2000 (FOI Act) came into force in England, Wales and Northern Ireland in January 2005. Scotland, with a devolved administration, has very similar legislation, which came into force the same year. With apologies to Scottish FOI experts, I will mainly discuss the Act as applicable to England, Wales and Northern Ireland, although it is notable that Scottish law has been more advanced in bringing in safeguards specifically for academic data. 

The FOI Act gives anyone the right to ask any public authority for any recorded information and, unless an exemption applies, to be told whether that information is held by the public authority and to receive it within 20 working days. 

The Environmental Information Regulations 2005 (EIR) also came into force in 2005. These regulations are derived from European law and provide a similar right of access as the FOI Act, but to environmental information. This could cover anything to whether a council is using an efficient heating system to the dumping of toxic chemicals in rivers. 

These two laws, but particularly the FOI Act have changed the relationship between the state and the citizen. Recently, a committee of Parliament examined FOI and concluded that “The Freedom of Information Act has been a significant enhancement of our democracy... the Act was working well... but its secondary objective of enhancing public confidence in Government has not been achieved, and was unlikely to be achieved."

When there was legislation to support the asking of questions, people naturally asked those that they had always wanted answers to, such as about the pay and expenses of civil servants and politicians. In Brazil, something similar is happening and it is noteworthy that of the thirteen cases that have been to court as a result of access to information law 12.527/2011, twelve have been about salaries.
When news of FOI spreads, it soon becomes a valuable tool to start asking other questions. In the UK, as we have had FOI and EIR for more than 8 years, we have experienced those other questions. People are no longer just asking about salaries or policies – they are asking challenging questions about scientific and research data, often with very difficult consequences, which must be dealt with properly.

Features of making a FOI request in the UK:
FOI and EIR differ slightly, so it will be easiest if I concentrate on FOI, which accounts for more than 95 per cent of all requests. Again, for the sake of simplicity, I will be concentrating on England, Wales and Northern Ireland, although Scotland has its own, similar (and in some respects, more advanced) system. A request must have a name, an address (an email address is sufficient) and must describe the information that is desired. There is no need to prove identity, or to say why the information is wanted. Also, there is no fee. 

Within 20 working days, a reply must be given, which states whether the information is held or not (there are some exceptions, where the legislation allows a public authority to neither confirm nor deny that information is held), and to provide this, unless an exemption applies. Even where an exemption applies, this must be stated precisely. 

A lot of exemptions require a ‘public interest test’ (which is an important feature of UK law). Any harm in release must be considered against any benefits to the public in release. If the harm of release is smaller than the benefits to the public in releasing, then the information cannot be withheld. 
In a striking case, an organisation, People for the Ethical Treatment of Animals (PETA) made an FOI request to Oxford University for information about scientific experiments done on a monkey. The UK has a strong tradition of animal rights. Groups such as PETA are very active in trying to persuade people exploiting animals for food, clothing or experimentation. However, the UK has also had extensive experience of groups such as the Animal Liberation Front, which has been associated with violence against scientists and institutions that carry out experiments on animals. There has been a significant history of threats against scientists, with arson attacks, death threats and bombs left in institutes where such work is carried out. 

Oxford University withheld a substantial amount of information citing an exemption relating to the safety of individuals. It argued that the public interest in general transparency was strong as such information would better inform the public debate about such experiments. However, it also argued that this was outweighed by the danger to its staff, given the threats that had already started to circulate on the internet against its staff, and cited the history of attacks that had taken place in other such institutions. It concluded that the public interest was not in releasing the information. All of this would have been made explicit in the letter refusing the request. All good refusal letters where a public interest is balanced should go into this sort of detail. 

UK FOI law sets out that where a requestor is unhappy with a reply, they can ask for an internal review. Some competent organisations have a process whereby someone unconnected with the original decision looks at it again and reconsiders whether the arguments to withhold information are strong. This can sometimes lead to release of more information. Anecdotally, this is relatively rare in most organisations, as most of the FOI expertise usually resides with a sole FOI officer, who originally advised on withholding the material and who usually then briefs the ‘impartial’ internal reviewer. But this process can work well where there is a genuine commitment to transparency and senior staff are willing to take the time to understand arguments and learn some FOI law. 

If the requestor is still unhappy, he or she can complain to an organisation called the Information Commissioner’s Office (ICO). The ICO is the regulator for FOI and EIR. It is small, independent, and produces a vast amount of guidance on how to apply transparency legislation. Where a dispute arises between a requestor and a public authority, the ICO will intervene and try to resolve the matter informally by discussing the issues with both sides, usually by phone and email. Where a resolution cannot be reached, the ICO makes a decision and publishes a report. Importantly, the report has a step by step account of how it arrived at its decision. These are called ‘decision notices’. Every FOI reply must set out this right to ask for an internal review and then redress through the ICO. 

Not only does this promote transparency, but it is a critical aid in helping FOI officers understand how to apply the law. Most competent FOI officers will put time aside every week to read the latest decision notices and will track changes in interpretation. These are, in turn, mentioned on Twitter, analysed in blogs and debated by the FOI and EIR community. Without this, institutions’ understanding of FOI would be much poorer. But the most significant aspect of having a regulator such as the ICO (which, by law, can demand to see the information that an organisation is refusing to release, and so make a good assessment of whether the law has been applied well) is that it is cheaper and faster than a court. That people can genuinely complain to a regulator and be heard and taken seriously without the expense and trouble of going to court is a massive boost to transparency and democracy. 

A similar aid in promoting transparency is a website called What Do They Know. This is a portal where people can submit their requests, and to which a public authority will reply. All questions and answers are automatically published for everyone to see. Brazil has a similar site, Queremos Saber, which is built on the same technology. At the time of writing this paper, it had just under 900 requests on it. This will become a more and more important resource. Where there is inconsistency, and one organisation refuses, say, to release the salaries of its staff, but another organisation releases them, where these two requests are up for the public to see, there can be a huge amount of learning to see how the law should be applied, both for members of the public and organisations. 

Once the ICO has published a decision notice, the requestor may still be unhappy about the decision to withhold information. At this point he or she can go to the First Tier Information Tribunal. To save money and speed up judgments, for certain kinds of disputes, there is a system of being able to go to a tribunal. There are employment tribunals, which judge on employers sacking staff unfairly, land tribunals, which judge on property ownership and so forth. We are lucky to have an excellent tribunal system which, similarly to the ICO, publishes its decisions with a very great level of detail as to how it arrived at its decision. 

The Oxford University case, about the experiments on the monkey, which cited the personal safety exemption, eventually went to the First Tier Tribunal, where the decision to withhold the information was again upheld. From the transparency point of view, the thing to note is that access to the tribunal is free (there is a proposal to charge in the future). Of course, public authorities tend to turn up to such tribunals with legal support that often costs thousands of dollars, but for the citizen defending him or herself, money is no bar. As a significant proportion of citizens argue their own cases, from the judgements of the tribunals, there is often a huge amount of effort to listen to the citizen and to make sure that they are given the opportunity to provide a focused argument. So, although most people (including me) are unlikely to outwit a great lawyer on a point of law, where the argument is strong, the tribunal often does go against the public authority that will have invested heavily in legal support. 

Worth mentioning in brief is that a further appeal can be made to the upper tier tribunal, which is similarly free. It is when one goes to the High Court that costs can start. 

There are no precise statistics, but from experience of busy organisations with a lot of FOIs, of every 1000 FOIs, about 100 come back to the organisation for internal review. Of the 100 internal reviews, perhaps two or three go to the ICO. And then, about every couple of years, one goes to a tribunal. Sometimes, not even that. I have only known one case that I worked on to go the High Court, but by the time it got that far, I had moved to another job. But the mechanisms to complain and to have justice are accessible, although it can be argued that they are not perfect. 

Introduction to case studies:

Every public authority that I have known has handled some requests badly, just as every employer will, at some time have treated an employee badly. Both are avoidable, but happen. I will be discussing three prestigious academic institutions, and will be presenting aspects of how a particular case was handled. This is not meant to be representative of how they handle cases in general. The way in which I discuss the cases is not supposed to be fair, as I am only highlighting those elements that serve best to illustrate issues of concern. Like any member of the public, I only have access to public documents and blogs and newspapers for these illustrations.

For an outline of how these institutions work in general, one could look at www.whatdotheyknow.com and read how they successfully answer other cases.

Case Study 1: Smoke, or how to win the argument outside of the law.

Smoking cigarettes is bad for you. Smoking is the largest cause of preventable deaths in Europe. So there were concerns when Philip Morris International (PMI), one of the largest tobacco companies in the world, made a FOI request to Stirling University in Scotland for its research data on young people and smoking habits. A very interesting feature of this case is that Stirling did not use any of the obvious exemptions in the Scottish FOI Act to withhold the information. It is also noteworthy that although the legal aspects of the case give all the appearance of being handled badly, that the public relations campaign was a triumph.

PMI asked for data and research in relation to Stirling’s research (which was being funded by a very prestigious cancer charity) on the attitudes of young people to smoking and tobacco companies’ advertising and branding.

It can easily be seen that this is the sort of research that a tobacco company would not be able to carry out in some parts of the world. It can also be guessed that such research would be very useful to it in being able to improve its appeal to young smokers, who might then go on provide a tobacco company with a (shortened) lifetime of revenue.

To make the issue even more contentious, at that time the UK government was considering stopping tobacco companies from carrying branding on cigarette packets, forcing them all to have beige packets with health warnings. No more the gold of Benson & Hedges or the cool red of Marlboros.
Initially, Stirling refused the request as being vexatious. Although the guidance on what a ‘vexatious’ request is has been recently updated, when the request was handled, ‘vexatious’ had a very specific meaning within FOI law. It must not have a serious purpose, or must be designed to annoy or harass the public authority or must be unreasonable. In general, there has been a reluctance to use this exemption as most public sector organisations have tried to commit themselves to at least the appearance of transparency. Indeed, the ICO has recently tried to encourage organisations to use the exemption where it is merited. But the bar is high and it is not an easy ‘get out of jail free’ card. It is used exceptionally, as it should be.

After an initial refusal and internal review, PMI complained to the Scottish Information Commissioner. After an investigation, the Commissioner ruled against Stirling and told them that that they had not been able to prove vexatiousness. 
I am puzzled that Stirling, which was so concerned about any release of its data to a tobacco giant, which would probably use it to inform its future marketing strategy, did not make full use of the Scottish FOI Act. 
There is a specific exemption in Scottish FOI law (as does not exist in the rest of the UK) that says that information that is intended for future publication can be exempt if: the information is obtained in the course of, or derived from, a programme of research; and if disclosure of the information before the date of publication would, or would be likely to, prejudice substantially the programme or the authority that holds the information. Stirling did not advance this as an exemption.

There are also implications of personal data – the information was provided by young people about their attitudes. If any of the information could have led to identification of any individual, that would have been personal data and there would have been an absolute prohibition on release. Stirling did not use this exemption.

The information was also probably gathered with an expectation of confidence. Although this is more complicated to use, this was not advanced as an argument.

The harm to Stirling generally could probably have been covered by an exemption that was designed to prevent the prejudice to the effective conduct of public affairs.  Again, this was not cited.
Depending on the details of the information, the agreements between the researchers and their the young people that they were collecting data from, and the type of data that was being collected, some of the exemptions that I have outlined above could have worked. Certainly, the exemption that they did use, that of being vexatious, was used very weakly, and was overturned by the Commissioner.
Why did this happen? To understand, it may be helpful to look at the public relations campaign that accompanied this incident.

Big tobacco companies are regarded as villains in most of the world. They provide jobs and prosperity but they are about getting people addicted to a drug and killing them off slowly, reducing life expectancy and adding gravely to the healthcare budget. So it was not surprising that when news of the request was made public, major newspapers and bloggers picked up on the story. The story was often told in terms of David versus Goliath, of poor Stirling University doing research to help guard young people against smoking and how a tobacco giant was trying to take advantage of it.

With newspapers such as the left wing Guardian and the right wing Telegraph running stories about the injustice, pressure was mounting. Staff from Stirling seemed to be happy to give newspaper interviews where they firstly set out the harm that would come of releasing the information and secondly their opinions of tobacco companies. On reading these interviews and then looking at the legal grounds that Stirling cited, it is clear that they had good arguments but chose not to use them in the legal arena. The real fight was taking place in newspapers and on blogs, where PMI was being painted as an aggressor. And this is where the fight was won. Although PMI won its cases with the Commissioner, who said that the requests could not be treated as vexatious, PMI just dropped the requests, presumably due to the pressure from newspapers and blogs, where its attempt to ask for information was being talked about as a further attack on the health of children. This saved Stirling having to write a proper refusal letter and cite proper legal arguments to withhold the information. So, why did Stirling go down the route of deeming the requests vexatious?

The FOI Acts in the UK are clear – it is the request and not the requestor that are deemed to be vexatious. But I believe the implication was clear – Stirling was trying to paint PMI as bad people and the University clearly got away with it. It was the power of propaganda.

There were some isolated voices of reason in the public arena, such as Heather Brooke (a transparency campaigner) and Maurice Frankel (if FOI in the UK had to be attributed to one person, he would be that person – he worked on the campaign to create the legislation and has worked tirelessly since then to defend it). Brooke and Frankel argued that FOI was supposed to be applicant-blind and that a public authority deciding that they did not want to release information to a particular person was a slippery slope. Perhaps, next a public authority would try to argue that it did not want to release information to other groups that they did not like. Such as journalists trying to uncover corruption. They also argued, as I do, that there are plenty of ways of withholding information legitimately, if there are reasons, such as those that its staff gave in interviews. I am not sure that I will ever know why Stirling chose not to. Most of us are not fans of tobacco companies, but they pay taxes and are legitimate enterprises. And even if they were not – FOI is a release of information into the public domain, and these sorts of politics, while successful in this instance, do not serve it well. If there is sensitive data, a good FOI act and a good FOI practitioner will help it to be withheld.

Case Study 2: Rings, or how to fire all your bullets at a target and miss.

There was nothing in our old academic contracts about data and responsibility for data”. This is what an eminent professor, who was at the heart of the Queen’s University, Belfast’s (QUB’s) FOI incident, said to a journalist.

Climate change is one of the most important issues of our time, as denizens of the city that hosted the conference in 1992 will know. Climate change divides opinions, with those who believe in it and those who are sceptical. The battles are being fought in legislatures around the world, by coastal communities who are trying to live in the face of changes to their fragile ecosystems, and on a new front – that of transparency laws.

QUB, which is a leading research institute in the field, received a request for its tree ring data for the last 40 years. As trees grow, they leave an annual ring, which can be seen in cross section when the tree is cut down. Measurement of the ring can give insight into the climate for that year’s growth. So, if you cut down a 500 year old tree and start examining the 400th ring from the outside, this should tell you something about the climate in 1613.

Of course, such data could be invaluable, both to climate change believers and to climate change sceptics, for supporting their points of view. Because it was reported so heavily, I will mention that the requestor was someone with a reputation for intellectual attacks on climate change sceptics. I must emphasise that this is irrelevant, for the reasons that I set out in the previous case study. Any release of information is into the public domain. You look at the data and decide whether it is fit for release. It would make no sense for an institution to release more than it should because the requestor was ‘friendly’ to it, as the information could be made public, and then used by its ‘enemies’.

The QUB case is noteworthy because the case was lost due to the institution not having prepared enough for transparency laws and then the scientists and legal teams not being able to work together well enough to put strong arguments forward about how its data should have been handled.

QUB participates in an international study and publishes a lot of its research automatically. However, when it received a request for its database, the request ran into trouble. An initial problem was that it could not decide which legislation to use – FOI or EIR. From documents made public, it is clear that the ICO, which is supposed to be the expert body, could not decide either. In any case, although the details of the two laws are different, the general aims, of transparency, are the same.

Initially, QUB answered late. This is never helpful, and often creates more problems as the requestor assumes the public authority has an unhelpful attitude. There have been times when I have been late in replying to something and a short, polite letter has probably prevented relations souring and the requestor becoming hostile and creating more work.

QUB cited cost limits. There is an exemption in FOI that sets out that a request does not have to be complied with if it would take more than 18 hours (24 hours for central government) to locate, identify and retrieve the information. The University upheld this verdict when it reviewed the decision. The requestor went to the ICO.

After much investigation, QUB changed its position and set out that it was withholding the information for three other exemptions that are not related to the cost limits. As a requestor, I would have been very irritated by this. It means that the arguments that the University presented and upheld at review about how much time it would take to do the work were incorrect. And, meanwhile, months have passed in complaining and referring to the ICO.

The first new exemption that was used was to say that the research was not complete. The ICO did not agree. He said that although the analysis was ongoing, that the data collection for the 40 year period was complete. The ICO decision notice simply states “…it appears to the Commissioner that QUB does not fully understand how this exception is engaged…”.

Section VI of Article 23 of 12.527/2011 appears to be relevant. But what does it mean to prejudice a scientific project? I have no doubt that as cases are taken to court, that clarity will develop. But the nuances of interpretation are key, as we will see in the QUB case.

The ICO was interpreting the law to say that once the data collection was complete (which is often only a small part of the overall research project – often the analysis can take years), that there could be no reason to withhold under EIR. As others have pointed out, this is not how universities function. 

When a paper is published, reputable scientists and researchers will try to make as much of the raw data accessible so that peer review can fully assess their work. But premature publication can often harm the analysis. In any case, what is important is that QUB was not aware of this and had not thought to tell its staff and change its data storage processes in line with this new understanding. It is also interesting that the ICO said that QUB did not provide strong enough evidence to support its point of view. This problem looked to be the size of a pebble, but it had the potential to create an avalanche – potentially, anyone’s research data (so long as it related to the environment) would have to be released as soon as the data collection was complete.

It is hard to guess what legal advice QUB took. But the fact that the arguments were weak and the ICO said that QUB did not understand the law makes me wonder whether it consulted with other organisations and whether it realised the implications of the case it was about to lose.

QUB also argued that the research was its own intellectual property. While the ICO agreed that any analysis or reports that it published were certainly its intellectual property, it stated that the raw data from measurements could not be intellectual property. It referenced Article 2, paragraph viii of the World Intellectual Property Convention (WIPO) Convention (1967), which is the standard by which most of the world operates. This is another instance where what seems intuitive to most, does not stand up to scrutiny before the law. But although FOI and EIR had been in place for years, it seems that no one in QUB had thought through the implication of the new law and was not prepared for such requests to be made.

Without even knowing what these sections mean, we can see the extent of QUB’s failure in the ICO’s concluding paragraph:

The Commissioner’s decision is that the public authority did not deal with the request for information in accordance with the Environmental Information Regulations in the following respects:
       The public authority wrongly applied the exceptions at regulations 12(4)(b), 12(4)(d), 12(5)(c) and 12(5)(e) in relation to the withheld information. The public authority failed to comply with the requirements of regulations 5(2), 11(4), 14(3)(a) and (b) and 14(5)(a) and (b).

 And so we come back to the quotation from the head of the department at QUB: “There was nothing in our old academic contracts about data and responsibility for data”. It will be a hard labour, but all staff will have to get to grips with the new law and spend some time considering the impact and how they carry out their work. It may even be that human resources will have to look at job descriptions and make it clear that knowing something about transparency legislation is now part of the whole job.

Case Study 3: Delete, delete, delete

One of the most famous cases in the UK relates to a series of FOI requests to the University of East Anglia (UEA) about climate change. Once again, climate change had reared its head. I will not describe the requests or the way in which the case was handled. I will, instead, dwell on two aspects: those of deletion and ownership.

The UK FOI Acts make it an offence to delete information once it has been requested if the aim is to prevent it from being released. After the requests went to UEA, and they were refused, someone hacked the email system and uncovered emails where colleagues had been telling each other to delete requested data, to not tell anyone that the data was held, to obstruct the case in every way. Naturally, these found their way in to the newspapers and the fallout was weeks of embarrassing news stories. 

More importantly, the reputations of the scientists and the work that they were doing, was undermined. Newspapers and people who were sceptical of climate asked why, if climate change were real, were they deleting information? Aside from the fact that computers can be hacked and such embarrassing emails be released, one of the reasons why transparency laws work well in the UK (in general) is that to lie about something needs a conspiracy of silence from everyone. And you can’t trust everyone to lie. One of your team might be honest. Again, it is easier to learn the law and to make it work for you.

The final aspect of the UEA incident that I would like to highlight is that of ownership. Some of the scientists working at UEA were members of panels and other organisations. When these other organisations were conducting discussions, the scientists used UEA email addresses. Therefore, information that was really the property of the Intergovernmental Panel of Climate Change (IPCC) ended up on UEA computers. The FOI Act refers to ‘information held’, not to ‘information owned’. In the world of science, where people will often work for and consult with several different bodies, it is imperative that they are taught to use information technology appropriately, so information does not end up being held by the wrong organisation. What of a biologist who works at a university, but who also sits on the editorial board of an independent biology journal? If he or she uses the university computers to discuss his work on the journal, to receive draft papers, will the university’s computer systems not end up holding this information? It is best to avoid this problem altogether with more awareness of which email addresses to use for which work.

Consequences for FOI in the UK:

One of the results of these debacles was that the ICO issued detailed guidance to universities, particularly on raw data and sharing data.

The other result was that when a committee of the UK Parliament, the Justice Select Committee, reviewed how well FOI was working in the UK after seven years, it made a specific recommendation that a particular exemption should be amended to specifically address concerns that academics have about publishing their data. There has been much comment on this in the UK, with one of the most well respected bloggers on FOI saying “whilst I’m sceptical of the need for such an exemption, I can’t really see much harm resulting from it”. This all points to a lack of understanding of transparency laws and through this, a lack of confidence in the law from academics, which will only be solved by even more efforts to educate them – where appropriate, their work is safe, but it is better to share and publish.  

Conclusion and lessons:

The universities listed are reputable organisations, which, at various points had huge problems with transparency. Partly, they did not seem used to the idea, partly they did not prepare themselves for it. I will list some key points from the case studies and lessons that can be learned by any institution working with any transparency laws. But I will start by outlining the importance of an information commissioner and set out why I think that transparency laws cannot work without them.

The UK’s two commissioners, the Information Commissioner’s Office (covering England, Wales and Northern Ireland) and the Scottish Information Commissioner are a cornerstone of transparency. There is much heckling about their work (I have tweeted about their imperfections on occasion) but the idea of a specialist, independent body, to which a citizen can complain for free, which will look at cases and make detailed judgements is imperative. There is clearly little appetite to resolve these matters in courts, with the attendant costs and delays. In the first year of FOI and EIR, the ICO published about 150 decision notices and the Scottish Information Commissioner published nearly 90. These are just the ones that they could not resolve by email and phone and upon which had to make a decision.

If we compare that with Brazil’s 13 cases in courts, it can be seen that the UK’s commissioners arbitrated nearly 20 times as often in public decisions. UK understanding of the law as a result of these arbitrations will have grown 20 times as fast in that first year. The commissioners issue guidance on every aspect of FOI and EIR. The ICO even has its own channel on You Tube, which has a ten minutes video showing the basics of the law. Without such an organisation, access to arbitration becomes expensive and an elitist pastime, whereas transparency should be for everyone.

We saw that Stirling University managed to pull off a public relations coup to safeguard its data. But that data may not be safe. I wonder what would happen if I put in a similar request to the one that tobacco company did. Transparency laws are usually too conservative, if anything. They are drafted by governments who do not want to give everything away. There is sure to be a safeguard for the data that you are worried about, if the concern is legitimate. In my experience, when I encounter a concerned colleague who does not want to release something, I will ask several times what the actual and specific harm is, only to discover that there is none. It is usually a case of ‘we’ve never done it before’. Nothing more. I assuage the concerns and help release the information.

Learning the law can be difficult. Especially when specialist scientists may not handle many of these requests. Most public authorities in the UK have dedicated FOI and EIR specialists working for them, who can manage the release of information or advise on how to withhold. These sorts of posts are much cheaper than using lawyers. If your organisation is too small, it may be worth contacting others to see if you can all part fund one such post. Or combine the post with another job.

It is important that research organisations start auditing themselves to prepare for requests. As the UK FOI Act is about to be amended to include release of raw data sets in a specific format, I did an audit at my place of work. I now know where everything is and what the concerns are about release. I am prepared for questions. This sort of audit, which takes into account questions such as who owns the data, what data sharing agreements are in place, what intellectual property there is, what it is used for and what concerns there might be about release, are very helpful.

As part of any such audit, it would be good to review the organisation’s policy on how to use information technology. What happens under Brazilian law if an academic uses the organisation to write something that has nothing to do with the organisation? Whether it be a speech for a conference for an unrelated organisation, or supermarket shopping list for personal reasons? The law may mean that this material does not have to be disclosed, but it is better to prevent it being written on the organisation’s computer systems in the first place. Even this paper – I am editing it over lunch in my office, but I am using my personal laptop, which I had to go through the hassle of getting out of my bag and switching on, although on my desk is a perfectly adequate work machine.

Publish! At a FOI seminar I was at, someone in the audience remarked that all of the money spent on employing transparency experts was money spent on withholding information. I now encourage organisations to publish as much information as possible. In some ways, publishing something is the best guarantee that it will never be read.

Customer service is incredibly important. Where there are delays or problems, even if the legal deadline is being breached, a polite letter of apology can often stop the matter being escalated further. In some organisations, I have handled cases that have been late stage complaints because former staff did not send clear replies, or did not explain why information was not being released. When someone was complaining that we were not releasing numbers of complaints against individual members of staff (this is in line with UK law and guidance), the requestor was becoming irritated. By giving an example, setting out that the numbers of complaints did not necessarily reflect bad work on behalf of the employee, but may reflect that they do more difficult work, or have more challenging clients, the requestor was satisfied and the matter went no further.

And finally, science and scientists have a good name and do important work. Just a few requests handled badly will harm reputations and undermine the whole academic sector. Share your work, where possible. It will benefit all of society and increase the understanding of science.