In June 2013, the Information Commissioner's Office ("ICO") announced that planned amendments to the Freedom of Information Act 2000 ("FOIA") made by the Protection of Freedoms Act 2012 ("POFA") are due to commence in August 2013. The Protection of Freedoms Act 2012 (Commencement No.8) Order 2013/1906 now makes clear that the following amendments will be in force from 1 September 2013:
- Information datasets: The release of electronic information datasets (a collection of raw information such as spend and postcodes) must be made in a re-usable format (section 102 POFA). Coinciding with this amendment coming into force, the ICO has warned against inadvertently disclosing hidden personal data (see below for more information).
- The definition of "publicly owned companies": The definition has been widened to include companies that are wholly owned by one or more bodies from the "wider public sector" or owned by such bodies in conjunction with the Crown or government departments (section 103 POFA). This is a departure from the previous position, where the definition covered just companies wholly owned by the Crown, any government department or another single public authority. A company is "wholly owned by the wider public sector" if every member of that company is a (i) a "relevant public authority" as defined in Schedule 1 of FOIA (or a company wholly owned by the wider public sector); or (ii) a person acting on behalf of a relevant public authority or of a company wholly owned by the wider public sector. This somewhat circular definition essentially defines "publicly owned company" as any company that is wholly owned by Crown ministers; government departments; public authorities in Schedule 1 of FOIA; or any combination thereof.
- Tenure of the Information Commissioner: Changes to the appointment and tenure of the Information Commissioner (Commissioner) include; the grounds for the Commissioner's removal, requiring the appointment of the Commissioner to be made on the basis of a fair and open competition, stating that the Commissioner can only serve a single term in office and cannot be reappointed and extending the duration of the Commissioner's term in office from five to seven years (section 105 POFA).
- The role of the Secretary of State: The Commissioner no longer requires consent from the Secretary of State before charging for services under FOIA and the Data Protection Act 1998 ("DPA"), appointing staff or issuing guidance, assessment notices or penalty notices under the DPA (sections 106, 107 and 108 POFA).
The changes will be accompanied by a new section 45 code of practice on datasets and new fees regulations for the re-use of data sets.
ICO considers enforcement action over disclosure of 'hidden' personal data in datasets
In accordance with changes to FOIA, datasets must be provided in a reusable format. However, the ICO has advised organisations that inadvertently disclosing personal data that is hidden in datasets (usually within pivot tables in spreadsheets) could be a breach of the DPA. In a blog entry dated 28 June 2013, the ICO warned that it is "actively considering a number of enforcement cases on this issue" in relation to FOI responses by public bodies that contained information in pivot tables that, when clicked on, revealed the "underlying data". The blog gives advice to organisations on how to avoid inadvertently disclosing hidden data. The guidance recommends:
- Avoiding the use of pivot tables for any disclosures or data sharing involving personal data. Plain text formats are recommended, such as CSV, as they remove many of the risks of hidden data, as the spreadsheet formatting is taken away making it clear what information has been included.
- Checking file sizes before disclosure – larger than expected file sizes should be a trigger for further checks.
- Ensuring an organisation has the right procedures and checklists in place for staff involved in disclosing data.
- Training staff who are responsible for anonymising data for release.
Once the enforcement cases have been completed, the ICO is likely to issue more detailed guidance.
The ICO's blog is available here.