Interview with former Deputy Information Commissioner John Woulds

John Woulds is one of the UK’s leading data protection experts. Having trained as a physicist, he moved into IT management, before joining the office of the Data Protection Registrar, the forerunner of the Information Commissioner. Following the introduction of the Freedom of Information Act in 2000 he was appointed Deputy Information Commissioner and held the post until his retirement in 2001. He is currently Honorary Senior Research Fellow of University College London's Constitution Unit.
A: I’m not sure I’d put it quite that way, but there is certainly a problem with the DPA. In my view, having stood back from it for a couple of years, the Act is too complicated. What was essentially a simple concept of protecting information has been turned into a complex set of rules, not all of which are consistent with each other. In some ways the DPA works on the basis of general principles, but in others is very prescriptive about what can and can’t be done. Personally I think it’s an unhappy compromise and it makes it very complex. People quite rightly perceive the Act as difficult to understand, so there’s a tendency to either ignore it, or be over-cautious. The Information Commissioner has launched an initiative about making data protection simple and one of his objectives is to interpret and explain the Act in a way people can understand. I think it will help, because a lot of people working in data protection have perhaps lost sight of the objective: it becomes more important to tick all the boxes and apply the rules prescriptively than to consider ‘what’s it all about?’ The Information Commissioner has picked that up and has said things like, ‘Data protection shouldn’t stand in the way of people taking a reasonable and common sense approach.’ I think that will help.

Q: The Freedom of Information Act (FOIA) is the sister act to the DPA, do you fear there will be equivalent problems of interpretation?

A: I think there will. Again it’s a complex piece of legislation and to work your way through all the exemptions and the various provisions you need an ice pack on your head. In some parts of the public sector it is going to involve a real cultural shift: moving from an environment in which the culture is to protect information unless you really have to, to one in which the law obliges you to release information unless there is a good reason not to.

Q: Such as Whitehall?

A: Well, yes, in some areas of Whitehall and I think some areas of the health sector also, in which the handling of information has been based on the need to respect confidentiality. Suddenly for the health services to be faced with a law that requires the release of information is going to be difficult to adjust to.

Q: But both Whitehall and the NHS have been subject for a decade to codes of practice on openness. Although those codes aren’t statutory, in theory under FOIA there won’t be an obligation to release a greater breadth of information than under those codes.

A: Well, there might be at the edges, but essentially you’re right, they ought to be familiar with the duty to release information. But you can read the Parliamentary Ombudsman’s annual report on how the open government code has worked and you can see interesting examples, particularly in Whitehall, of how departments have fought hard against the release of information against the Ombudsman’s wishes and recommendations. Of course the Ombudsman doesn’t have any statutory powers under the codes, but the Information Commissioner will.

Q: Do you think the combination of statutory force and the fact that FOIA is more user-friendly than the codes will mean that the FOIA’s impact will be much greater than the codes?

A: It’s hard to say, but I would expect it to be so. Public authorities subject to the Act are waking up to FOI and are running around arranging training courses for staff. Another important factor is that, whereas the open government codes required the requester to have a degree of familiarity with the codes, the FOIA does not, so any request for information, even if it comes from someone who knows nothing about the Act, must be dealt with in line with the Act. There is no legal distinction between what is seen as a casual request and one that is formal and quotes the relevant sections of the Act. Staff must be trained to recognise this.

Q: Which of the exemptions do you think will be especially problematic?

A: That’s a difficult question. But those to do with the workings of Government (sections 35 and 36) are likely to be problematic. Also section 40, which deals with personal information and the DPA, could be difficult in relation to the release of such information to third parties. I think people are going to find requests will be refused on the grounds of protection of personal data, where they should not have been. Up to now the DPA allowed people access to personal data about themselves, but not about anyone else, but from 1st January next year, the FOIA allows you access to personal data about third parties as long as that information is not protected by the DPA. So this forces authorities to think about what personal information they can release to third parties, rather than applying a blanket ban.

Q: So, in theory some personal information will be available to third parties, which wouldn’t previously have been available.

A: I think so yes. I’ve been aware of a number of situations where, under the DPA, the tendency has been not to release information to someone, unless it’s absolutely clear the person is entitled to have it. I’ve come across situations where a request has been made for information about a third party and it has been refused simply on the grounds of the DPA, when in fact that information could have been released. Now at the moment it’s the authority’s decision whether they should release it or not – they’re under no obligation to release under the DPA. But FOIA gives them the obligation to release, so they’ll have to think harder about releasing the information and not hide behind the DPA. I’ve been doing some training for MPs’ office staff, who handle a lot of case work. They tell me that time and again they try to access information from local authorities and health trusts on behalf of constituents, but the requests are refused on DPA grounds. Usually in those situations the MP has written consent from the constituent to act on their behalf, but even so some authorities won’t accept that. They simply won’t be able to do that in future.

Q: What sort of personal information might be released under the FOIA which might previously not have been? Could it include personal information about an official’s public role?

A: Yes, it could, in fact one of the Information Commissioner’s advice notes says that.

Q: Could you explain in simple terms how the FOIA extends the DPA’s definition of personal data?

A: If you look at the DPA at the moment there are a number of elements to the definition of personal data, including manual files to the extent that they are in a ‘relevant filing system.’ What the FOIA does is extend that definition to cover information held by public authorities that doesn’t fall into any of the previous definitions. It means that any personal data held by the public authority, in whatever form, is data for the purposes of the Act. It does away with, or reverses, one of the major consequences of the Durant decision, it widens the scope of personal data. It also introduces the concept of ‘unstructured data’, which I have a bit of a problem with. And it has different provisions in relation to the access of that unstructured data.

[Editor’s note. The ‘Durant decision’ refers to a December 2003 Appeal Court judgment in the case of Durant v the Financial Services Authority. Regarded as highly significant, it significantly narrowed the definition of ‘personal data’ and a ‘relevant filing system’ both of which are key concepts in the DPA.]

Q: What are those provisions?

A: In responding to a request for personal data which includes unstructured data, the public authority isn’t obliged to provide unstructured data unless it is given a description by the person who has asked for it, and it is also not obliged to provide the information if it will exceed a cost limit. It seems to me that what was in the mind of those who drafted the amendment was that there should be a right of access to unstructured personal data, but that there might be a huge burden on a public authority if it effectively has to do a free text search through masses of files.

Q: So if, after January 1st 2005, you were to make an application under the DPA for personal data, if you wanted unstructured data, you’d have to specify what you wanted, for example, memos and hand-written notes. You couldn’t just say ‘I’d like everything please.’

A: Yes, that’s right. Remember that the concept of unstructured data only applies to manual files. Computer files are already covered by the DPA regardless of their structure.

Q: So, in order to ask for unstructured data, you’d have to know what exists wouldn’t you.

A: You would, yes. You would have to be able to categorise what you want in such a way that, even if you don’t know exactly what is contained in the information, you know what sort of information it is.

Q: Does the amendment to the DPA mean that, as from January 1st 2005, the Durant judgment is effectively dead?

A: No. There were two important elements to the Durant judgment. One was to do with the content of a ‘relevant filing system’, in other words, what manual files were covered by the DPA. That bit is dead as far as public authorities are concerned, but not private companies, because from January 1st the DPA covers unstructured manual data, as well as formally organised files. The second element was its interpretation of what constitutes personal data. It ruled that the data has to focus on the individual and must be something that affects their private life. So, incidental mention of an individual’s name in the context of information that doesn’t really focus on the individual at all isn’t personal data. So, for example, minutes of a meeting in which I was mentioned in passing, but nothing much was said about me, I could previously have claimed was personal data, because my name crops up in it, but now the Court of Appeal has said, no that’s not right, because the information doesn’t focus on me and doesn’t affect my privacy. I think that reduces the burden on authorities, so that they don’t have to search for casual mentions of someone’s name.

Q: The two elements you describe play on each other don’t they, because if information falls within the Durant judgment’s definition of personal data, then it’s likely to be in a relevant filing system anyway.

A: Well you’d expect so wouldn’t you. But if you think about, for example, a local authority social work case file, there are likely to be all sorts of documents in that file which mention, in passing, other individuals. Typically they might be family members, who are nothing really to do with the case at all, but just happen to be mentioned in passing.

Q: So, if a family member was applying for that information under the DPA, he or she would have to say, ‘I would like all the unstructured personal data, including material from the social services file of my relative X.’

A: Yes, but the local authority would say ‘We don’t have to give you that because it’s not personal data relating to you, because you’re only mentioned in passing.’

Q: Ok, but if in my relative’s file there was a report about me, which obviously does fall within the definition of personal data, could I have that?

A: Yes. I think it’s probably going to need some decisions by the commissioner to establish what you have to do in terms of providing a description of the unstructured data for the authority to be able to release it to you. There’s no guidance at the moment, so authorities might be in limbo for a while.

Q: Going back to the FOIA exemptions, is the exemption for information provided in confidence designed mainly to protect commercially sensitive information?

A: Yes.

Q: But the sensitivity of that information can diminish with time can’t it?

A: Yes. It might be sensitive, for example, when a company is bidding for a contract, but once the contract has been awarded it’s less so.

Q: And there are some fairly strong precedents from the Parliamentary Ombudsman and other jurisdictions for the release of commercial information. If the Information Commissioner doesn’t order the release of such information when it is no longer sensitive he’ll be going against the grain rather won’t he?

A: Yes. I’m sure the Information Commissioner will pay a lot of regard to the decisions in other jurisdictions in establishing his own jurisprudence. It’s clear that the exemption for information provided in confidence is not going to allow companies to just write ‘confidential’ on the top of a letter.

Q: Under the FOIA Code of Practice issued by the Lord Chancellor, public authorities are expected to, if you like, stand up to companies that demand confidentiality for all their documents. In your experience are public authorities aware of this obligation and geared up for it?

A: I think so, certainly the large ones. It may not be as much of an issue to the smaller ones.

Q: What obligation does the FOIA place on public authorities to establish and maintain proper record management systems?

A: There is a code of practice on records management issued by the Lord Chancellor under section 46 of the Act. Public authorities are obliged to comply with the code and that’s enforceable by the Information Commissioner. And there’s an indirect obligation as well in that the Commissioner will say ‘you cannot fulfil your obligations under both the DPA and the FOIA unless you have a proper system for managing your records.’

Q: But, given that some organisations will be more efficient than others, is there not a danger that organisations that are reluctant to release certain information will be able to hide behind poor records management and say, ‘We can’t meet this information request because to do so would take too long and therefore be too costly’?

A: I think they’ll get short shrift from the Information Commissioner if they do that. I don’t think he will accept those arguments and authorities that make them will find themselves in trouble and will be required to put their records management in order.

Q: Do you think email will cause the greatest headaches in that it is often neither stored in formally structured computer files, nor printed out and placed in formally organised manual files? Is that a concern among those in public authorities you have contact with?

A: Email is a concern, for a number of reasons, one of them being that people are not disciplined in the way they use it and people commit things to email they wouldn’t dream of putting in a letter or a memo. Well you might say that that’s ok as long as they’re deleted once they’ve been read, but of course, they’re not and they’re often stored indefinitely.

Q: Often nowadays email can contain important decisions. Discussions might occur at a board meeting, then senior management go away to think about the issue and then one of them reaches a decision, which is transmitted by email. So email can be critical.

A: That’s right. If that’s the case, and the only record of an important decision is lurking somewhere in the email system then there’s something wrong. That information ought to be better managed, for example by running off a copy and putting it in a manual file.

Q: Many thanks for answering these questions.

A: My pleasure.

content © freedomofinformation.co.uk