In September, I wrote about the ICO’s generous use of the notorious S36 exemption in a request I made. Immediately after Chris Stokel Walker revealed that the ICO had spent £6000+ on chocolate, a group of What Do They Know regulars made some premature requests about the case. As it was still being investigated, ICO refused. Because they used S36, the decision to do so must have to be referred to and approved by the Commissioner herself.
Months later, I made a request on the same topic and despite the different questions I asked and the passage of time, whoever dealt with it recycled Denham’s opinion on the earlier requests. ICO had decided that any question about the investigation should be dealt with using a blanket S36 refusal, even as simple a question as when the investigation was expected to end, or who was carrying it out. I didn’t / don’t accept that the blanket approach is correct, and I also think the passage of time means that Denham should have revisited her opinion for my request. These are valid issues for complaint, even if the information has now largely been disclosed.
Last week, I submitted a complaint to the ICO in their capacity as FOI regulator. The internal review was defensive, upholding the use of S36 but simultaneously claiming that all was well now that the ICO had issued a statement about the investigation. On Saturday, I received an email from the ICO about my complaint. The email stated that the ICO encourages organisations to be pragmatic and to stop relying on exemptions where the data is no longer sensitive. Had the ICO still been relying on S36, the email confirmed that the grounds of my complaint would be at least arguable, but because of the change, “the Commissioner will not investigate whether a public authority correctly relied upon an exemption at the time it did so when the public authority no longer wishes to rely upon that exemption.”
There are two problems here. First, to be pedantic, the ICO hadn’t withdrawn its reliance on the exemption. The internal review confirmed that the use of S36 was correct. The information was in the public domain, but the use of the exemption was affirmed. You can argue the toss with me about this, but I think without any concession about the appropriateness of the exemption, it’s not exactly ‘withdrawn’.
However, it doesn’t matter if I’m wrong about that, because the Information Commissioner’s refusal to deal with my complaint was unlawful in any case. Section 50 of the FOI Act says: “Any person (in this section referred to as “the complainant”) may apply to the Commissioner for a decision whether, in any specified respect, a request for information made by the complainant to a public authority has been dealt with in accordance with the requirements of Part I.” You can complain about any part of the organisation’s response (or its absence).
The ICO as regulator has four reasons to refuse – any internal review process hadn’t been exhausted, there was an undue delay in making the complaint, the complaint (not the request) was frivolous or vexatious, or the complaint has been withdrawn. I went through the ICO’s review process, there was no undue delay, my complaint was plainly not frivolous or vexatious especially as the person who replied to me acknowledged that my grounds were ‘arguable’ and I was making, not withdrawing my complaint.
In short, the ICO had no legal reason to refuse to deal with my complaint, so I asked them to justify their decision on the basis of some part of the FOI Act. By Monday afternoon, I received a second email from the ICO, acknowledging that my complaint would be dealt with in the usual way (there was no direct reply to my request for them to justify rejecting it).
Let me be clear about what happened here. The ICO refused to do something that they are obliged by law to do. They don’t really think my complaint is invalid; they tried to bat it away without any legitimate reason, presumably as a desperate measure to clear their shameful backlog of FOI requests. And given that the email arrived on a Saturday, they appear to be paying people overtime to do it.
This is Elizabeth Denham’s Information Commissioner’s Office: endlessly chasing headlines to build the Commissioner’s profile while failing at the basic tasks. Denham’s record on Data Protection is incompetent, but her FOI legacy is a scandal. Whether as a regulator or a public authority with a duty to respond to FOI requests, the ICO is shambolic and careless. The work done by Chris Graham and the ICO staff to fix the FOI backlog has been completely reversed, response times have plummeted across government and the wider public sector, and her office’s approach to its own FOI compliance has tanked. This month, the ICO replied to two FOI requests made via the website What Do They Know that were sent in February. There was no explanation of how this happened.
And now we have her staff trying to mislead FOI complainants into accepting bogus refusals to carry out the Commissioner’s statutory obligations. I wonder how many people have fallen for it. My mantra for the last few months is repetitive and probably boring but I will keep going with it. I don’t have any faith in another tourist coming to the UK in a bid to build their international profile. I think the Commissioner needs to have an expert feel for the jurisdiction, especially after five years of an incumbent who cares far more about Americans than she does about people in the UK. But surely it can’t get worse than this. Denham bungled the one big job she had (GDPR implementation) in favour of chasing conspiracy theories and she’s plunged FOI into the dark ages. All John Edwards needs to do is stand in a corner with a lampshade on his head and he will do a better job.