As the ex ICO employee who issued the refusal of the names of the 2 Councils in Jon’s blog, I feel there are a number of errors in his analysis. I am infamously constrained by Section 59 of the DPA, but I can of course discuss the significant amount of information already in the public domain, along with the considerably less significant personal views I hold.
The first observation I would offer is that although Jon begins the piece by discussing the regulatory role of the ICO, the decision to which he objects and blogs about was issued in the ICO’s role as a Public Authority under FOI. Of course, the context in which an ICO request handler operates cannot be entirely dismissed, but nor should we forget the guiding principle is the Act itself and in that regard the ICO is simply A.N. Other public authority. Should my decision really have been made with a commitment to ‘transparency at the ICO’, at the expense of the applying what I considered the provisions of the Act? I saw myself as a practitioner working for the ICO, rather than an ICO employee working as a practitioner.
So whilst Jon may have indeed “trusted the ICO to apply the law properly”, he did so in a manner no different to any other request he makes to any other public authority. As he says, the right of an internal review, complaint to the ICO and then the Tribunal were all (thankfu££y) not pursued here, so it was simply my assessment as to whether it was reasonable in the circumstances to disclose the names. If my response here feels a little a prickly, that’s why – because his trust issue (and subsequent public complaint) was with me as a request handler, not the wider functions of the ICO as a regulator. I’m big enough and ugly enough to accept criticism and I know I was representing the ICO, but at the same time I think a sensible critic should recognise there is a degree of autonomy in a first response. Christopher Graham certainly didn’t sign off on my response.
Those who object to the silver standards of the ICO may perhaps reflect upon the bronzed budget which they expect to deliver gold plated results. Such critics are almost certainly more interested in the legislation than I am – and definitely more intelligent, but I would question whether they are more objective. There’s a palpable excitement at any perceived ICO mistake.
Returning specifically to the blogpost, the key point that appears to have been overlooked, is that the decision not to (pro-actively) publish the Undertakings was taken elsewhere in the ICO, which happened at the time the Undertakings were signed. Both the initial request for the Undertakings themselves and follow up for the names, were made in that underlying context. That decision was made outside of FOI and at the ICO’s discretion. I honestly don’t know whether or not there was, as Tim alludes to, a degree of negotiation to get the DC’s to sign, but as I noted it’s a discretion that is rarely exercised, so the idea that the ICO is undermining it’s regulatory functions by delaying publication in a tiny fraction of cases is a little fanciful.
It is clear from the refusal notices that the initial decisions were made following representations from the DC’s that the release may have adverse consequences. It is important to remember that is the position that I, as the request handler, inherited. I therefore maintain it was correct to give weight to the fact that (rightly or wrongly) the organisations had been told the Undertakings wouldn’t be publicised in the usual manner. If you think, as Jon appears to, that the initial decision risked damaging the reputation of the ICO and undermining the ICO’s functions, fair enough – but from an FOI perspective, surely that initial agreement requires some further consideration? It appears Jon disagrees, as his own analysis was that if the argument concerning commercial prejudice was unsound, the argument for a Section 22 refusal ‘falls away’. No mention is made of the DCs expectations of confidentiality when signing the Undertaking. For the avoidance of doubt, I repeat that I wasn’t bound by the initial assurance, rather I did not disregard it.
My decision also considered that a Data Controller (or to be precise 2 public authorities) were telling me that if I released their names there was a chance it would damage their commercial interests for the exact same reasons why the ICO had previously agreed not to publish the Undertaking a few months earlier. I would maintain that is a very legitimate consideration to at least take onboard. The word ‘prejudice’ was loosely used in the refusal notices, which in hindsight might be unfortunate given it carries a more specific meaning in FOI terms.
Surprisingly, Jon hasn’t addressed whether he think the News International Undertaking that was also withheld would have prejudiced the linked criminal trial, so in the absence of comment my assumption would be he accepts that particular premise. My own opinion is that I very much doubt it would have done, just like I very much doubt these further Undertakings (or specifically the identity of the DC) would have caused commercial detriment. I’m not short of an opinion, but I’m equally aware it not always the right one and again therefore I needed to be mindful of the strongly held opinions of better placed individuals.
I should also clarify that my analysis wasn’t set against the requirements of Section 43, rather it was simply an assessment of reasonableness and a public interest consideration in relation to Section 22. In other words they didn’t need to totally convince me, rather they flagged a potential risk which helped shape my consideration as to whether disclosure was reasonable in the circumstances. Again, that left me to make a judgement. I don’t think that Ed Milliband will ever be Prime Minister – but I wouldn’t rule it out, so should I make an assessment of what is reasonable based on my opinion, or should I take a more rounded view of the circumstances and opinions of others? In a nutshell, I’m not arguing whether prejudice would occur to criminal or commercial matters, or indeed whether the wrong brother will become PM, but is it at least a reasonable proposition that those things might happen? My view is the same on all accounts, unlikely but not impossible.
The Undertakings themselves are entirely unremarkable and I can fully understand why there is still a lack of understanding surrounding what the commercial impact may have been. I can also share that the end result (i.e. withholding the names) was not the outcome I instinctively expected when taking this request, before I calibrated those entirely fictional public interest scales. But there is a curiosity here in Jon’s position, one on hand accepting he still doesn’t have an appreciation as to what the commercial arguments are, but on the other arguing that the refusal notice(s) show improper weighting of competing rights and interests. To put that another way, he doesn’t know why the Councils objected, he doesn’t know why the ICO Enforcement department agreed, or why I withheld the information – but we were all wrong to do so. By all means disagree, but to disagree (and blog) on the basis you don’t understand is a tough one to swallow, particularly whilst simultaneously confessing “it’s not a big enough thing for me” to request the facts about.
With an acknowledgement that I might be being over analytical, I also find it odd that the refusal notices should be characterised as a ‘fuss’. This was an (FOI) demand driven event and the fuss of having to consult with 3 DC on 2 separate occasions wasn’t of my doing. That was my job, so it’s not a complaint, merely an observation.
Similarly, given the blog was around weighing up competing interests, it’s only fair to highlight the lack of explanation with regard to why it was reasonable to disclose the names of the DC’s or why there was a public interest in releasing simply the identity of the DCs in question? I accept there was some discussion regarding the Communicating Enforcement Activities policy, but I’m not sure this addresses the specific reasons for disclosure under FOI at the time of the request.
By applying Section 22, there was of course a commitment to publish the Undertakings in their entirety. What was the compelling public interest in releasing the names themselves at that time? Where was my incentive to override the aforementioned concerns? Was it reasonable to dismiss the representations and risk a loss to taxpayers money, just to provide their names, which in isolation added very little?
Believe it or not, I’m intensely relaxed at the idea I may have got my decision in this request wrong, I’m sure all practitioners have been overturned at some point. But that doesn’t raise questions of trust, it just shows that request handlers will be a mix of the good, the bad and the ugly – or my case 2 of the 3.
More generally, I think there is a point to be made here that practitioners at the ICO are burdened by the same challenges as practitioners elsewhere – unhelpful busy colleagues, private sector stakeholders who don’t understand FOI and requestors who are often baying for someone’s blood – all of which is conducted in an increasingly public glaze and to the soundtrack of a 20day ticking time clock.
Whilst Jon (politely) took issue with the decision not release these 2 undertakings, another observer somewhat over-excitedly thought the decision not to release the NI one was a sign of “collusion, cover up and corruption”. Everyone is entitled to their opinion – mine is that latter individual needs to get out more and learn some manners. If I’d withheld News International’s name and released the names of the 2 Councils, I’m pretty sure that the regular critics would be chiming in with their favorite allegation that the ICO is frightened of big business etc. That’s the tightrope a high profile FOI public authority request handler walks. I enjoyed the work, but it’s nice to have the freedom to explain that the thinking behind the output.