David Higginson has recently blogged about the accidental release of information from Hackney Council, in which it revealed that
Internal briefing notes are drafted by some teams within the Council to record progress when responding to the request, and provide context on the request, for the benefit of colleagues assisting with the retrieval of information. In such a circumstance, information may be gathered from the public domain, for example an internet search of the requester’s name and whatdotheyknow.com; ascertaining research interests of the requester can assist the Council in providing additional context to an FOI response, hopefully adding to its intrinsic value.
This process has been termed ‘profiling’ and David has also provided a further piece for the Guardian here. Tim Turner also wrote an interesting piece examining the basis for the profiling under the DPA.
David has taken an example of an FOI officer producing a brief, publically sourced summary of the interests of the requester (and by implication the context of their request) and suggested it highlights a wider problem of a lack of engagement within public authorities with FOI.
His piece for the Guardian went further still , straying into inaccuracy when claiming applicant blind “is the principle that anyone who puts in a freedom of information (FOI) request can expect his or her identity not to be released or examined”. Without wishing to be overly pedantic, I think that’s a slightly inaccurate summary of the principle, which in my opinion is being taken a little too literally by a number of commentators. In anycase, those who don’t wish for their identity to be released would probably be advised not to use a public forum such as whatdotheyknow to make their request, as the delightful Rebecca (“don’t kind regards me”) Hamsley did here.
The principle, in my view, is infact that identity and motives of a requestor should have no bearings on the information disclosed under FOI. Basically, you can’t refuse a request from a journalist because you think they want to write a negative story about you. I honestly don’t think that extends to saying that the format, language and tone of a response should be the same irrespective of whether it’s received from the local crank or the Prime Minister.
The legislation is clear about what is expected in a FOI response, a refusal notice in particular is very prescriptive and surely it’s the end result that we should look at to see a request has been handled correctly. I thus think David misses the mark – widely – by claiming “if ever there’s an example of ignoring applicant blind, it’s this”. As David himself quotes from the ICO guidance “the information someone can get under the Act should not be affected by who they are”.
In this case, Rebecca Hemsley received the exact same information that a journalist, student, foreign individual or
local crank principled campaigner would have received – nothing. To come up with an applicable example of ignoring the applicant blind principle, surely one would be better sourcing an example of how a different level of information was provided because of the identity, or motives of the requestor. The example of a tfl response/handling of a request was also raised on Twitter, but from what I can see, the majority of the discussion was around what additional information to provide outside of the requirements of FOI.
David also implies a breach of the principle by virtue of the fact that requests from the press might be shared with the press office, commenting “in recent years, it’s become commonplace to hear stories of councils briefing press offices about requests from journalists”. I can confirm that request handlers at the ICO were infact asked to let the External Communications team know of any request that might be high profile and/or those from the Press. That wasn’t so they could overrule a decision on what to release, but rather so they could be aware of the potential fallout and be well placed to handle potential queries, the majority of which would of course be from the Press. In short, they needed this information to their job. On at least one occasion I personally also shared the identity of a requestor outside of the ICO when I was consulting with another organisation, where the requestor themselves had placed their request in the public domain.
An FOI handler needs to be independently minded, but that doesn’t mean they can’t consider the consequences of FOI and still safeguard the reputation of their organisation. Effective FOI is rarely about the strict provision of information, without adding some supplementary explanation.
I’d much prefer to see an FOI request where time is taken to provide context at the time of the request. A recent example was the release of Council spending on an IPAD that ended up in the MEN. Stockport Council spent £26,000 on IPAD but later provided the context that it saved them £20,000 in printing costs, so straight away their apparently profligate spending was firmly rebutted and taxpayers could breathe a sigh of relief and aim their anger artillery in a different direction.
A public authority who recognises the motives of someone making the request has the potential to add great value to the process. Recognising that the MEN were gathering information about profligate spending on IPAD’s by Councils, would have allowed Stockport Council to add a context to the request at the time it was made. I do take the point that arguably that context should be provided to all requestors, but if you know the request is from a student who is interested in the use of IPAD’s compared to other tablets, then I’d suggest the specific supplementary explanation quoted above is redundant. As with so many things, context is key.
As I say, information is isolation is less likely to be productive. I’m fairly sure when handled this request for the ICO’s (in)action to the non notification of MP’s that I will have flagged to the relevant department the context of the requestor’s previous posts on the same topic, where he articulated his concerns. I didn’t really know a lot about the thought processes behind my colleagues processes, so by sharing Jonathan’s earlier comments they could at the very least provide me with a supplementary explanation that went to the heart of his concerns. On the back of this scrutiny they might even have decided to do a bit more in their work in this area. I regarded all of this as a healthy outcome, much more positive than ignoring the underlying basis of his concern. I can further share that I will have been allocated Jonathan’s request on the basis that I had previously dealt with a request on non-notification by the same requestor. Strictly this would also run contrary to David’s literal interpreration of applicant/purpose blind, given it was precisely the identitiy and motive that led him to drawing the short straw and having me handle the request.
Crossing the information rights boundary, was this ‘profiling’ of Jonathan a breach of Data Protection, did I have a condition for processing his data? As Tim correctly states in his piece, in the absence of any other condition, I’d agree I would be left to rely upon the condition that
“the processing is necessary for the purposes of legitimate interest pursued by the data controller…except where the processing is unwarranted in any particularly case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject”.
I take a subtly different view to Tim, who in the case of Hackney Borough Council, felt that the Council must demonstrate a) that the profiling is necessary, b) its legitimate and c) that it doesn’t cause unwarranted harm.
I feel that a) the profiling is a legitimate interest b) that the processing of data is necessary for the purposes of that legitimate interest – and we both agree on c). I might be wrong on this, but I feel the legitimate interest is in explaining the context of JB’s request was to help me provide a better response. The processing of his data was necessary to do that. It’s the act of processing, not the legitimate interest, that has to be necessary.
Some have raised the cost involved of the profiling as an additional reason for concern. I think in both the example given by David and in my experience, we aren’t talking about significant work. Even if one dismisses the potential benefits of providing additional context, on the known facts, it still seems difficult to suggest that profiling is something that weighs heavily on the taxpayer.
It seems an accurate but regretful reflection of the adversarial nature of FOI that, in the absence of any evidence and despite the explanation directly to the contrary, the Hackney case is automatically assumed to be an example of not embracing FOI. I’m not naive enough to swallow everything a public authority says, but on the basis of the evidence here I hold considerable sympathy with Hackney for ending up named in the Guardian as an authority who don’t embrace FOI.