On 17 July this year, the UK government established an Independent Commission to review the operation of the Freedom of Information Act 2000 (“FOIA”). Since its introduction in 2005, the public right to request information under FOIA has proved to be extremely popular (over 46,000 requests were received by central government departments alone in 2014-15), but that same right has also been an expensive burden for public authorities who have to carefully consider all requests, particularly where sensitive information is concerned. The Independent Commission is tasked with considering whether that balance between the public interest in transparency and the robust protection of sensitive information has been correctly struck.
In the light of this review, there have been two recent developments which will interest FOIA practitioners. First, the Independent Commission published its Call for Evidence, which in its appendices includes some revealing statistics from the Ministry of Justice and the UK’s data protection authority, the Information Commissioner’s Office (“ICO”), about how requests are currently being handled. Second, the ICO published guidance on “disclosing information safely” and removing personal data from information requests.
The FOIA statistics comprise the internal numbers from central government bodies on how they have responded to requests, together with the figures from the ICO on how complaints about responses have been dealt with (all figures are for 2014-15). Some noteworthy statistics are:
- 50% of requests for information were granted in full;
- 33% of requests were withheld in full;
- just 15% of requests were withheld in part;
- the public authority’s decision was upheld in 79% of internal reviews;
- the public authority’s decision was upheld in 81% of ICO appeals;
- when all public bodies are included, the percentage upheld for ICO appeals drops to 62%; and
- the ICO’s decision was itself upheld in 77% of appeals to the First-tier Tribunal.
So what do these statistics tell us? First, that a relatively small number of requests are being redacted (i.e. withheld in part) – the vast majority are either disclosed in full or completely withheld. This is perhaps unsurprising given the volume of requests received, but potentially concerning as it suggests authorities are often struggling to take a nuanced approach. Second, the public authority does normally get it right first time (which is encouraging)! Third, central government seems to be doing a better job compared to public bodies in general – and again, this is perhaps not surprising given the superior resources of, for example, a government department versus a local council.
Something that should help public authorities to respond to FOIA requests (and that will also be useful for companies dealing with data subject access requests) is the new ICO paper which offers guidance on safely disclosing information which has been derived from personal data.
The guide showcases some of the most common types of inappropriate disclosures and ineffective redaction techniques that the ICO has seen in recent years. Examples of “bad practice” include: hiding columns on Excel documents (which can be revealed with a couple of mouse clicks), redacting text by highlighting it black (even once converted to PDF, the hidden text can easily be revealed by copying it into a text editor such as Notepad), and failing to remove the metadata from files (which can reveal details ranging from the name of the document’s author to the location where a person was when a photograph was taken).
Thankfully the guide also offers plenty of guidance on best practice, including the use of CSV files, image editing tools and even straightforward “print and scan” techniques. The guide can be used in conjunction with the detailed National Archives Redaction Toolkit, which, although not FOIA or Data Protection Act specific, is a useful practical resource which the ICO has referenced in previous guidance.
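
An added example, not taken from the ICO guide or this article: a pre-release check for two of the failures described above, hidden spreadsheet content and leftover author metadata in an .xlsx file. It reads the file's internal XML parts with the Python standard library; the function names are illustrative and the sample workbook is constructed inline.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main",
    "dc": "http://purl.org/dc/elements/1.1/",
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
}

def audit_xlsx(data: bytes) -> list[str]:
    """Return findings for hidden sheets/columns/rows and author metadata."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name == "xl/workbook.xml":
                for s in ET.fromstring(z.read(name)).iterfind("m:sheets/m:sheet", NS):
                    if s.get("state") in ("hidden", "veryHidden"):
                        findings.append(f"hidden sheet: {s.get('name')}")
            elif name.startswith("xl/worksheets/") and name.endswith(".xml"):
                root = ET.fromstring(z.read(name))
                for c in root.iterfind("m:cols/m:col", NS):
                    if c.get("hidden") in ("1", "true"):
                        findings.append(f"{name}: hidden columns {c.get('min')}-{c.get('max')}")
                for r in root.iterfind("m:sheetData/m:row", NS):
                    if r.get("hidden") in ("1", "true"):
                        findings.append(f"{name}: hidden row {r.get('r')}")
            elif name == "docProps/core.xml":
                root = ET.fromstring(z.read(name))
                for tag in ("dc:creator", "cp:lastModifiedBy"):
                    el = root.find(tag, NS)
                    if el is not None and el.text:
                        findings.append(f"metadata {tag}: {el.text}")
    return findings

def build_sample() -> bytes:
    """Constructed minimal workbook parts: column B hidden, author name set."""
    m, buf = NS["m"], io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", f'<workbook xmlns="{m}"><sheets><sheet name="Data" sheetId="1"/></sheets></workbook>')
        z.writestr("xl/worksheets/sheet1.xml", f'<worksheet xmlns="{m}"><cols><col min="2" max="2" hidden="1"/></cols><sheetData/></worksheet>')
        z.writestr("docProps/core.xml", f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}"><dc:creator>J. Example</dc:creator></cp:coreProperties>')
    return buf.getvalue()

if __name__ == "__main__":
    print("\n".join(audit_xlsx(build_sample())))
```

An empty result only means these particular checks found nothing; it does not cover the black-highlighting problem in PDFs or metadata in other file types.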