Yes, we have no bananas

by | Nov 4, 2013 | FOI, ICO

Earlier in the year, I made an FOI request to the Metropolitan Police about their proposed purchase of data from IPSOS Mori. It took months for the Met to provide a somewhat unsatisfactory response; so long in fact, that I ended up complaining to the Information Commissioner’s Office about the delay. Shortly after my complaint was allocated (and possibly after the case officer had contacted the Met), I finally received the response. The ICO case officer then contacted me to say: “It is my intention to log the delay for enforcement monitoring purposes but to close this complaint as a response has now been provided”.

Especially as the Met haven’t properly responded to my request (using the popular technique of dealing with an awkward question by answering a different, less awkward question and hoping I don’t notice), it’s quite likely I will end up complaining to the ICO again, so I agreed. All that the ICO would do would be to issue a decision notice after protracted hand wringing. That ‘enforcement monitoring’ has always sounded a bit phoney as the ICO hasn’t done any FOI enforcement since 2010, and precious little overall since 2005. I thought ‘Enforcement monitoring’ sounds like a fig leaf; they monitor, but never quite get around to enforcing.

But it turns out I was wrong. An FOI request to the Information Commissioner on What Do They Know reveals a much more straightforward picture. There is no FOI enforcement. There are no FOI enforcement cases, no staff dealing with FOI enforcement issues. There is nothing at all.

The applicant asked about the three teams that make up the ICO’s Enforcement Department and tried to find out which one deals with FOI enforcement. The Civil Investigations Team deals with the DPA breaches (so that would be CMPs, Enforcement notices etc), the Criminal Investigations Team does criminal breaches of DPA (investigations for s55, i.e. data theft) and the PECR Investigations Team does the PECR breaches, logically enough. The response does confirm that the Criminal Investigations Team deals with FOI enforcement, but only cases of a very particular kind: s77 cases, where there is an allegation that data has been deliberately destroyed or concealed to frustrate an FOI request, something which would be a criminal offence.

Nobody in the Information Commissioner’s Enforcement team is responsible for investigating whether the Cabinet Office, or the Department for Education or any other recalcitrant organisation is abusing FOI. There is no infrastructure, nobody within Enforcement tasked to deal with such cases should they arise: “No civil investigations are undertaken for FOIA within the ICO Enforcement team.” At this point, certain people might start jumping up and down about the FOI monitoring and resulting undertakings. An undertaking is not enforcement – an organisation is not obliged to sign an undertaking, it is requested to do so. It can refuse. If it signs an undertaking and then breaches it, there are no immediate consequences. An undertaking is the enforcement equivalent of farting in a lift – not pleasant, but with no lingering effects.

The ICO response isn’t even defensive, there is no flannel, no misdirection. If it is someone’s else’s job within the ICO to enforce FOI other than the, erm, Enforcement team, you might have expected the response to say so. But they didn’t. What other explanation could there be? The ICO does not see strategic enforcement of FOI as one of their functions. They issue guidance, they make decisions on individual cases, but on the evidence of this response, they have no staff in place to do anything else. Staff nominated to do it with no current cases to deal with and thus doing something else would be a different story. But they have 15 people to deal with DPA breaches and 6 people to deal with PECR, and nobody is in place to do FOI. Consciously or not, the ICO is sending a powerful message to all public authorities – FOI is not part of Enforcement and vice versa. The next time an organisation receives a demand from the ICO to undergo FOI monitoring, say no. See what they do.

Every now and again, I am reminded of this charming little website: But it is pointless, as there will be no Enforcement Notices against anyone, no matter how richly deserved they might be.