Thursday, March 28, 2013

Section 12 and Records Management

Sometimes I see a request and it looks massive. Often “can I please have all of the documents about x”.
The heart sinks. The answer is likely to be that the cost limits kick in. You send the FOI on to the relevant colleagues and ask them to assess how long it will take to locate, identify and retrieve. If the cost limits are breached, you tell them that they need to put together a sensible estimate of how long it would take to answer the question in its present form, to describe how the information is held and to give the names of files, just so the requestor, when s/he comes back with a narrowed request, has the best chance to ask something that will result in a release of information.
So, you wait for colleagues to get back to you. And they do (to be fair, they’re usually overstretched and busy doing things like ensuring that vital services are running).
Because you have trained them beautifully, they give you something delightful like:
“There are 12 people in the team. We looked for emails with the following search terms and discovered there are 4,500 emails and documents. We then looked on the shared drive and a search showed that there are 250 documents. Sampling showed that the length averages 20 pages.
We think that it would take a minute per email (some of these contain attachments and some of the email trails are long) to read them and see if they are relevant. That is 4,500 mins.
We think that it would take 5 mins per document. That is 5 mins x 250 docs = 1250 mins.
This totals 96 hrs.”
They might even send me a lovely list of file names and dates so that the requestor can narrow that way. It all looks beautiful. I am all set to refuse under section 12.
Then I notice the end of the email that I have been sent:
“We archived a lot of stuff about this project, but we are not sure where the exact files went. We know that they were filed into boxes relating to the directorate that was reorganised about 3 years ago but when we called the archive, there are apparently about 80 box files that we would have to search through. We can’t even estimate how long this would take to go through because we have no idea what’s in them. The only person that knows anything about that directorate is Bob, as everyone else has moved jobs, but Bob says he never worked on this, so doesn’t know. He offered to call Beatrice, whom he is still mates with, and who retired, as she might remember something. Please advise.”
There is no way Beatrice is going to be able to tell us anything useful. No one ever remembers where they put stuff. So I am left having to do a reply that points out the inadequacy of our records management, which is bad for us. Worse still, there is simply no way that, if the relevant record is in one of those boxes, anyone will ever be able to request it. S12 will always kick in.
They might as well destroy the records and stop paying the records archive company a fabulous amount of money every year for holding them.
This is not to say that I blame the records managers. I have sat next to one for a year and can see that they work really hard. But there is usually one of them in a vast organisation that will produce an unbelievable amount of paper. And no one listens to them.
So, why am I writing this now? Because with PCTs closing and an NHS reorganisation so big that “you can see it from space” (according to David Nicholson, formerly Chief Exec of the NHS and now Chief Exec of the NHS Commissioning Board), I might just FOI every CCG and CSU and DH and local authority public health team to ask whether the boxes in all of their archives are labelled and what they are called.
And the catch is that I bet that there is no spreadsheet or comprehensive central log and that my question will also be covered by section 12.

Tuesday, March 26, 2013

A FOI practitioner's view of DPA/privacy

Whenever I say that I know almost nothing about DP and anonymisation, work and FOI colleagues laugh this off. Of course, I know loads about section 40 of the FOIA and of course, I have done loads of cases where I have made judgements about release of data relating to individuals (whether remuneration of senior staff or, in an 'anonymised' form, healthcare stats). I have read the ICO guide on anonymisation. Studied for hours the Department of Health case where abortion stats for young people were requested, which ended up in court.

And that is what is significant. A few days ago I would have written "...anonymised form..." rather than what I have only just learnt (in this respect, I seem to be years behind everyone else) should be "...'anonymised' form...".

Although I have heard privacy experts rumble on about the horrors and dangers of releasing data without what looks like identifiers, I have never really understood what they were talking about - which is my fault - I should have read something to understand the basics.

Now that I have, my faith in anonymisation has been shaken.

I hope people do throw rotten cabbages and tomatoes at me - I should have learnt this a long time ago. But it seems to be a secret, at least, among my peers who practise FOI but also know little of DP and privacy: you cannot really anonymise personal data in a useful way.

The article that I read, which was referred to by Professor Douwe Korff at a recent National Association of Data Protection Officers (NADPO) seminar, was Paul Ohm's 'Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization'.

In this paper, which is available here, Ohm refers to data administrators and their faith in anonymisation. He then shows the dangers.

When I handled a FOI about abortion stats, colleagues from neighbouring organisations shuddered at the thought of releasing the data. I spent most of a month arguing with them but they had no arguments to give, as they seemed to know even less about it than me - they seemed to think that it would not be safe, but nothing more rooted in reason. At the end of the day, we did not release the data, but not for any good reason that I was aware of.

I am so glad that I followed the line of people that I did not really believe.

So, for you FOI practitioners out there, who routinely spend time managing the release of data, if you are anything like me, please read Ohm's paper and take, as I have done, the first few steps towards understanding the dangers.