Previously on the 2040 Information Law Blog…
Last September, a former Investigator from the Information Commissioner’s office (subsequently identified as Alec Owens) gave an interview to the Independent, in which he condemned his erstwhile employer for bottling the decision to prosecute journalists who had employed the private investigator Steve Whittamore. The Deputy Information Commissioner, David Smith, refuted Owens’ claims, stating that the ICO received legal advice that the journalists could not successfully be prosecuted. I requested the advice, and the ICO’s response was that it was not held. Shortly after, the ICO supplied legal advice – which included a consideration of issues around prosecuting journalists – to the Leveson enquiry. I asked for an internal review because, to paraphrase, they appeared to be taking the piss.
And now…
Before I continue, gentle reader, let us dally for a moment with a document called ‘Not what we do, but how we do it’. You can find it here, and it describes the values by which all ICO staff should do their job. I’ve mentioned it before, but I don’t think it’s as widely known as it deserves to be. Ernest Hemingway said that every writer needs a built-in bullshit detector. I read page 8 of this document, and my detector nearly gave me a hernia. The Information Commissioner’s Office is supposed to be a ‘model of best practice’. ICO Staff are exhorted not to “ask others to do what we are not prepared to do ourselves”. The ICO expects to be judged by high standards. Please keep this in mind as we proceed.
Last Friday, slightly later than advertised, I received my review response from the other Deputy Commissioner, Mr Graham Smith. Graham was my boss once, but if he recalls what a [expletive deleted] I was at the time, he shows no sign of it.
The apparent contradiction is explained. The advice I asked for, the one David Smith cited, has been disposed of. Graham offers me no explanation why. The explanation of why it was highlighted in the Independent is that David Smith used ‘What Price Privacy’ as a guide for what the advice said. The ICO is not obliged to adopt permanent contextualisation, but Smith’s statement would carry less weight had he said “According to ‘What Price Privacy’, we got some advice that we didn’t keep”. None of this makes the ICO’s statement to the Independent untrue. But I wasn’t convinced by that statement in the first place, hence my FOI request. Take a wild stab in the dark about what I think now.
So what about the other advice, the one supplied to Leveson? Even though he thinks it was irrelevant to my original request, Graham gave me the section of it mentioning journalists, with the other seven pages of advice redacted into inky blackness. Needless to say, the disclosed section isn’t a smoking gun that greenlights a smackdown on hacks, but riddle me this: the advice I received says “I understand that policy considerations have led to the view that enforcement of some sort, rather than prosecution is the way forward”. He even asks for the reasoning not to prosecute. So why did the second lawyer engaged by the ICO think it was a policy matter, when statements given to the Independent cite legal issues based on the first advice?
According to the internal review, the initial search identified this second piece of legal advice. My request clearly was for the advice that David Smith quoted in his statement to the Independent. So if you want to be bloody-minded (and when I was an FOI officer, bloody-minded was my middle name), the fact that the ICO identified advice about prosecuting journalists implicated in Operation Motorman during a search for advice about prosecuting journalists implicated in Operation Motorman is irrelevant, because it wasn’t the advice about prosecuting journalists implicated in Operation Motorman I had asked for. But given what this second piece of advice says, I think I can be forgiven for being cynical about why I didn’t get it.
Moreover, the initial FOI response says this: “In response to your request, we do not hold recorded information in relation to this request. We do not hold a written legal advice in relation to the decision not to prosecute the journalists involved in Operation Motorman.” (in other words, they don’t say ‘the legal advice you asked for’). If Graham Smith’s internal review is correct, the initial response was not. This should be of concern to the ICO and everyone they regulate, even if the only problem is that the initial response was imperfectly expressed.
Nobody can ask for an FOI search to include things that the punter hasn’t asked for; my point is that this search turned up something of clear, direct relevance to my request. It seems eccentric to the point of obfuscation not to mention it to me. Friends, my advice is to be as helpful as is practical because (a) that’s clearly in the spirit of the legislation and (b) it’ll almost certainly save you work in the long run. But I wouldn’t advise you to ask for clarification after 14 working days and then start the clock from then, and the ICO did that to me as well. The ICO seems to think that you can take a totally unimaginative reading of the request and ignore anything else, no matter how relevant it might be.
And here’s another thing. The ICO, like all public authorities, is under a duty to provide applicants with advice and assistance. In Graham Smith’s view, the ICO was under no obligation to advise or assist me by telling me even though what I had asked for was no longer held, a closely related document had been found. And no advice or assistance was required to explain where the advice I asked for has gone. The internal review did not accept any requirement to provide advice and assistance about anything.
So what’s my point? Well, I have two of them. Alec Owens accused the ICO of lacking the guts to take on Fleet Street. I believe him now. In another FOI internal review, Graham Smith confirmed to me that the police raid on Owen’s home shortly before his Leveson appearance followed a tipoff from someone at the ICO. Make of that what you will, but Owens’ allegations back up the fact that the ICO has a flimsy track record with big targets: the secret Phorm trials involving BT and the Wi-Fi scraping that Google originally said hadn’t happened are two good examples (if you think an undertaking counts, you’re reading the wrong blog). Even the current wave of fines – for which the ICO deserves credit – is directed only at self-reported public sector targets that largely won’t fight back. Until the ICO fines a big bank or utility company for a DPA breach, or issues an FOI enforcement notice to a central Government department, I see a credibility gap. I don’t believe that the only DP and FOI villains in the UK are Councils, NHS Trusts and similarly local organisations, but only they have anything to fear from the Commissioner right now.
And the other point? I think the ICO’s handling of its own FOI requests needs attention. The first response to my advice request was inadequate and possibly inaccurate – the lack of advice and assistance was abysmal. A glance at the last couple of months of What do they know shows that the ICO has refused to admit which of its senior officers have had training and coaching and which hold its own chosen DP qualification (both overturned on appeal). An applicant asked directly whether the ICO had accidentally disclosed information, and the answer managed to evade the key question almost completely. And just this week, they released a heavily edited version of their security incident log with two entries completely obscured. You can imagine the scorn if this litany of clodhopping decisions were in the ICO’s sights, rather than being made in their building.
The Information Commissioner’s Office can’t have it both ways – either they are a model of best practice (in which case, act like it), or they’re just another FOI public authority (in which case, cut the propaganda). Right now, if “it’s not what we do but how we do it”, then ‘we’ ought to be thoroughly ashamed of ourselves.
Last Friday, slightly later than advertised, I received my review response from the other Deputy Commissioner, Mr Graham Smith. Graham was my boss once, but if he recalls what a [expletive deleted] I was at the time, he shows no sign of it.
The apparent contradiction is explained. The advice I asked for, the one David Smith cited, has been disposed of. Graham offers me no explanation why. The explanation of why it was highlighted in the Independent is that David Smith used ‘What Price Privacy’ as a guide for what the advice said. The ICO is not obliged to adopt permanent contextualisation, but Smith’s statement would carry less weight had he said “According to ‘What Price Privacy’, we got some advice that we didn’t keep”. None of this makes the ICO’s statement to the Independent untrue. But I wasn’t convinced by that statement in the first place, hence my FOI request. Take a wild stab in the dark about what I think now.
So what about the other advice, the one supplied to Leveson? Even though he thinks it was irrelevant to my original request, Graham gave me the section of it mentioning journalists, with the other seven pages of advice redacted into inky blackness. Needless to say, the disclosed section isn’t a smoking gun that greenlights a smackdown on hacks, but riddle me this: the advice I received says “I understand that policy considerations have led to the view that enforcement of some sort, rather than prosecution is the way forward”. He even asks for the reasoning not to prosecute. So why did the second lawyer engaged by the ICO think it was a policy matter, when statements given to the Independent cite legal issues based on the first advice?
According to the internal review, the initial search identified this second piece of legal advice. My request clearly was for the advice that David Smith quoted in his statement to the Independent. So if you want to be bloody-minded (and when I was an FOI officer, bloody-minded was my middle name), the fact that the ICO identified advice about prosecuting journalists implicated in Operation Motorman during a search for advice about prosecuting journalists implicated in Operation Motorman is irrelevant, because it wasn’t the advice about prosecuting journalists implicated in Operation Motorman I had asked for. But given what this second piece of advice says, I think I can be forgiven for being cynical about why I didn’t get it.
Moreover, the initial FOI response says this: “In response to your request, we do not hold recorded information in relation to this request. We do not hold a written legal advice in relation to the decision not to prosecute the journalists involved in Operation Motorman.” (in other words, they don’t say ‘the legal advice you asked for’). If Graham Smith’s internal review is correct, the initial response was not. This should be of concern to the ICO and everyone they regulate, even if the only problem is that the initial response was imperfectly expressed.
Nobody can ask for an FOI search to include things that the punter hasn’t asked for; my point is that this search turned up something of clear, direct relevance to my request. It seems eccentric to the point of obfuscation not to mention it to me. Friends, my advice is to be as helpful as is practical because (a) that’s clearly in the spirit of the legislation and (b) it’ll almost certainly save you work in the long run. But I wouldn’t advise you to ask for clarification after 14 working days and then start the clock from then, and the ICO did that to me as well. The ICO seems to think that you can take a totally unimaginative reading of the request and ignore anything else, no matter how relevant it might be.
And here’s another thing. The ICO, like all public authorities, is under a duty to provide applicants with advice and assistance. In Graham Smith’s view, the ICO was under no obligation to advise or assist me by telling me even though what I had asked for was no longer held, a closely related document had been found. And no advice or assistance was required to explain where the advice I asked for has gone. The internal review did not accept any requirement to provide advice and assistance about anything.
So what’s my point? Well, I have two of them. Alec Owens accused the ICO of lacking the guts to take on Fleet Street. I believe him now. In another FOI internal review, Graham Smith confirmed to me that the police raid on Owen’s home shortly before his Leveson appearance followed a tipoff from someone at the ICO. Make of that what you will, but Owens’ allegations back up the fact that the ICO has a flimsy track record with big targets: the secret Phorm trials involving BT and the Wi-Fi scraping that Google originally said hadn’t happened are two good examples (if you think an undertaking counts, you’re reading the wrong blog). Even the current wave of fines – for which the ICO deserves credit – is directed only at self-reported public sector targets that largely won’t fight back. Until the ICO fines a big bank or utility company for a DPA breach, or issues an FOI enforcement notice to a central Government department, I see a credibility gap. I don’t believe that the only DP and FOI villains in the UK are Councils, NHS Trusts and similarly local organisations, but only they have anything to fear from the Commissioner right now.
And the other point? I think the ICO’s handling of its own FOI requests needs attention. The first response to my advice request was inadequate and possibly inaccurate – the lack of advice and assistance was abysmal. A glance at the last couple of months of What do they know shows that the ICO has refused to admit which of its senior officers have had training and coaching and which hold its own chosen DP qualification (both overturned on appeal). An applicant asked directly whether the ICO had accidentally disclosed information, and the answer managed to evade the key question almost completely. And just this week, they released a heavily edited version of their security incident log with two entries completely obscured. You can imagine the scorn if this litany of clodhopping decisions were in the ICO’s sights, rather than being made in their building.
The Information Commissioner’s Office can’t have it both ways – either they are a model of best practice (in which case, act like it), or they’re just another FOI public authority (in which case, cut the propaganda). Right now, if “it’s not what we do but how we do it”, then ‘we’ ought to be thoroughly ashamed of ourselves.