CMP’s – what happens next?

The First Tier Tribunal recently overturned the ICO monetary penalty to Scottish Borders and I believe their reasons for doing so have left a number of problematic issues. In very brief terms, the initial CMP was issued after former employees’ pension records were found in an over-filled paper recycle bank in a supermarket car park, having been dumped there by a data processor. No contract was in place with the data processor and it sounded like the disposal of the files wasn’t really considered by the Council.

In summary, the FTT judgement confirmed that the information that was lost included “name, date of birth, national insurance number and salary. In some cases the files contained bank account details, a signature…”. The Tribunal accepted that there was a breach of the 7th principle and that it was a serious breach. They effectively overturned the ICO’s decision on the basis that it wasn’t a breach “of a kind likely to cause substantial damage or substantial distress”. There was some typical legal analysis around the definition of “likely”, that can perhaps be boiled down to their conclusion that “it is insufficient to point to such consequences merely being a possibility”.

The tribunal also concluded that what had happened was a surprising outcome, not a likely one and indeed they further offered that they thought the safe destruction of the files was the likely outcome (“we would not describe any other outcome as likely”). Given the files weren’t actually safely destroyed that’s quite a bold assertion – we can all have our theories but sometimes the facts can speak for themselves.

The tribunal sought to make a clear distinction between the contravention/breach and the trigger incident. This is entirely understandable, indeed myself and others have previously highlighted that the ICO has sometimes appeared to be fining for the incident itself rather than the breach. The breach here was not ensuring they had selected a data processor offering sufficient safeguards and not evidencing that agreement in writing. The trigger incident was the files ending up in Tesco’s car park. It is incidents that the ICO asks to be informed of, not breaches – an incident might not always be a breach of the DPA and of course a breach doesn’t need an accompanying incident. As an aside, it would therefore be fascinating to know how the ICO would react if a Data Controller was to notify them that they hadn’t trained staff in Data Protection, or that they didn’t have a policy for using fax machines – both breaches that have previously been the subject of CMP’s when the breach resulted in a trigger incident.

The problem I have here is the Tribunal appear to be saying that they can only consider the breach itself, yet they still require the ICO to “construct a likely chain of events which would lead to substantial damage or distress”. I think that is a very difficult burden whereby the circumstances flowing from the breach are essentially not allowed to be considered.

If an unencrypted disc containing personal data of millions of people goes missing in the post, one would presume that is a breach, a serious breach and (depending on the data) one of a kind likely to cause substantial damage/distress.  If the disc then turns up a day after the incident is reported to the ICO, that doesn’t make the breach disappear, but it does make the chance of damage/distress all but disappear. To me it is a serious breach that fulfils the criteria irrespective of what harm actually comes from the incident, but I wonder how would the Tribunal assess the likelihood of damage in these circumstances?

It strikes me that the Tribunal overlooked the phrasing “a breach of a kind likely to cause…”, a phrase that I think is significant as it changes the meaning of the sentence. I interpret the full phrase to essentially be saying “is this the type of breach that has the potential to cause damage/distress”. When you give processors personal data without any safeguards then you have opened the data subjects up to potential damage, so for me it is a breach of a kind likely to cause damage/distress, irrespective of what happens next.

Whether it does or doesn’t cause actual harm is probably always going to be down to the specifics of the incident that flows from the breach. If an unencrypted laptop containing witness details is stolen in a burglary, I would say that fulfils all the criteria. But if the same laptop was discovered by Police searching their colleague’s house, there would be no likelihood of damage/distress to the witnesses. But the breach remains the same and that’s a breach of a kind likely to cause damage. Similarly the chap who had his unencrypted hard drive stolen from his car – the breach occurred when he failed to encrypt his laptop, not when he had it pinched. Obviously now he has had it stolen the likelihood of mis-use is much greater, but again we must recall the assessment is of the breach itself. With breaches like these any number of outcomes could occur, some likely, some probably exceptionally unlikely, but you have no control and are entrusting the data to fate.

Trigger incidents will often flow from a breach – the unencrypted laptop containing witness details might be wiped before it’s sold on in the pub or it might end up being sold to the local gangster to intimidate the witnesses. I would regard the latter example as extremely unlikely, but I don’t think that’s a sufficient assurance to the people whose data and security has been compromised.

I’m not sure if it’s a drafting error in the legislation but the idea a breach must carry a likelihood of significant damage or distress, as opposed to “merely a possibility” is a difficult standard to achieve. Further, the CMP is about punishing the lack of compliance, not the incident and therefore I don’t see why the ICO should be expected to speculate about the likelihood of potentially harmful scenarios.

What I also found a little odd is that the judgement didn’t even consider the issue of the significant distress, focussing solely on the question as to whether damage would occur. The issue seemed to solely come down to an assessment of whether identity fraud would be likely to take place – and as someone who works for a Pension company it’s surprising and comforting that the tribunal doesn’t seem to hold that names, addresses, NI numbers, bank account details, signatures and salary/pension details are especially problematic fields of data.

The ICO’s amended power to issue a CMP can possibly be traced back to the furore around the infamous HMRC data loss, but based on their reasoning here,  I can’t see the Tribunal would have regarded that as fulfilling the criteria for a CMP either – as effectively they would have been left with the same equation re likelihood of identity fraud.

I’d also imagine Sony and Welcome Finance, amongst others, are kicking themselves for not appealing earlier CMPs involving this type of data given the judgement here. Strangely the ICO appear unmoved by the Tribunal’s logic, as their most recent CMP again quotes the potential for identity theft.

Looking back through the ICO’s CMPs I can’t think of many where there was a real likelihood of substantial damage. The biggest fine, to BSUH being an example where it would be very difficult to construct a likely chain of events leading to damage to the data subject. I doubt the data subjects were ever told their data ended up on eBay so nor would there technically even be distress. That outcome didn’t become likely when they undertook to destroy hundreds of hard drives without a contract – but it did become a possibility, which I think is enough to justify a CMP – even if the Tribunal doesn’t.


The case for the defence.

As the ex ICO employee who issued the refusal of the names of the 2 Councils in Jon’s blog, I feel there are a number of errors in his analysis. I am infamously constrained by Section 59 of the DPA, but I can of course discuss the significant amount of information already in the public domain, along with the considerably less significant personal views I hold.

The first observation I would offer is that although Jon begins the piece by discussing the regulatory role of the ICO, the decision to which he objects and blogs about was issued in the ICO’s role as a Public Authority under FOI. Of course, the context in which an ICO request handler operates cannot be entirely dismissed, but nor should we forget the guiding principle is the Act itself and in that regard the ICO is simply A.N. Other public authority. Should my decision really have been made with a commitment to ‘transparency at the ICO’, at the expense of applying what I considered the provisions of the Act? I saw myself as a practitioner working for the ICO, rather than an ICO employee working as a practitioner.

So whilst Jon may have indeed “trusted the ICO to apply the law properly”, he did so in a manner no different to any other request he makes to any other public authority. As he says, the right of an internal review, complaint to the ICO and then the Tribunal were all (thankfu££y) not pursued here, so it was simply my assessment as to whether it was reasonable in the circumstances to disclose the names. If my response here feels a little prickly, that’s why – because his trust issue (and subsequent public complaint) was with me as a request handler, not the wider functions of the ICO as a regulator. I’m big enough and ugly enough to accept criticism and I know I was representing the ICO, but at the same time I think a sensible critic should recognise there is a degree of autonomy in a first response. Christopher Graham certainly didn’t sign off on my response.

Those who object to the silver standards of the ICO may perhaps reflect upon the bronzed budget which they expect to deliver gold plated results. Such critics are almost certainly more interested in the legislation than I am – and definitely more intelligent, but I would question whether they are more objective. There’s a palpable excitement at any perceived ICO mistake.

Returning specifically to the blogpost, the key point that appears to have been overlooked is that the decision not to (pro-actively) publish the Undertakings was taken elsewhere in the ICO, which happened at the time the Undertakings were signed. Both the initial request for the Undertakings themselves and follow up for the names were made in that underlying context. That decision was made outside of FOI and at the ICO’s discretion. I honestly don’t know whether or not there was, as Tim alludes to, a degree of negotiation to get the DCs to sign, but as I noted it’s a discretion that is rarely exercised, so the idea that the ICO is undermining its regulatory functions by delaying publication in a tiny fraction of cases is a little fanciful.

It is clear from the refusal notices that the initial decisions were made following representations from the DCs that the release may have adverse consequences. It is important to remember that is the position that I, as the request handler, inherited. I therefore maintain it was correct to give weight to the fact that (rightly or wrongly) the organisations had been told the Undertakings wouldn’t be publicised in the usual manner. If you think, as Jon appears to, that the initial decision risked damaging the reputation of the ICO and undermining the ICO’s functions, fair enough – but from an FOI perspective, surely that initial agreement requires some further consideration? It appears Jon disagrees, as his own analysis was that if the argument concerning commercial prejudice was unsound, the argument for a Section 22 refusal ‘falls away’. No mention is made of the DCs’ expectations of confidentiality when signing the Undertaking. For the avoidance of doubt, I repeat that I wasn’t bound by the initial assurance, rather I did not disregard it.

My decision also considered that a Data Controller (or to be precise 2 public authorities) were telling me that if I released their names there was a chance it would damage their commercial interests for the exact same reasons why the ICO had previously agreed not to publish the Undertaking a few months earlier. I would maintain that is a very legitimate consideration to at least take on board. The word ‘prejudice’ was loosely used in the refusal notices, which in hindsight might be unfortunate given it carries a more specific meaning in FOI terms.

Surprisingly, Jon hasn’t addressed whether he thinks the News International Undertaking that was also withheld would have prejudiced the linked criminal trial, so in the absence of comment my assumption would be he accepts that particular premise. My own opinion is that I very much doubt it would have done, just like I very much doubt these further Undertakings (or specifically the identity of the DC) would have caused commercial detriment. I’m not short of an opinion, but I’m equally aware it’s not always the right one and again therefore I needed to be mindful of the strongly held opinions of better placed individuals.

I should also clarify that my analysis wasn’t set against the requirements of Section 43, rather it was simply an assessment of reasonableness and a public interest consideration in relation to Section 22. In other words they didn’t need to totally convince me, rather they flagged a potential risk which helped shape my consideration as to whether disclosure was reasonable in the circumstances. Again, that left me to make a judgement. I don’t think that Ed Miliband will ever be Prime Minister – but I wouldn’t rule it out, so should I make an assessment of what is reasonable based on my opinion, or should I take a more rounded view of the circumstances and opinions of others? In a nutshell, I’m not arguing whether prejudice would occur to criminal or commercial matters, or indeed whether the wrong brother will become PM, but is it at least a reasonable proposition that those things might happen? My view is the same on all accounts, unlikely but not impossible.

The Undertakings themselves are entirely unremarkable and I can fully understand why there is still a lack of understanding surrounding what the commercial impact may have been. I can also share that the end result (i.e. withholding the names) was not the outcome I instinctively expected when taking this request, before I calibrated those entirely fictional public interest scales. But there is a curiosity here in Jon’s position, on one hand accepting he still doesn’t have an appreciation as to what the commercial arguments are, but on the other arguing that the refusal notice(s) show improper weighting of competing rights and interests. To put that another way, he doesn’t know why the Councils objected, he doesn’t know why the ICO Enforcement department agreed, or why I withheld the information – but we were all wrong to do so. By all means disagree, but to disagree (and blog) on the basis you don’t understand is a tough one to swallow, particularly whilst simultaneously confessing “it’s not a big enough thing for me” to request the facts about.

With an acknowledgement that I might be being over analytical, I also find it odd that the refusal notices should be characterised as a ‘fuss’. This was an (FOI) demand driven event and the fuss of having to consult with 3 DCs on 2 separate occasions wasn’t of my doing. That was my job, so it’s not a complaint, merely an observation.

Similarly, given the blog was around weighing up competing interests, it’s only fair to highlight the lack of explanation with regard to why it was reasonable to disclose the names of the DCs or why there was a public interest in releasing simply the identity of the DCs in question. I accept there was some discussion regarding the Communicating Enforcement Activities policy, but I’m not sure this addresses the specific reasons for disclosure under FOI at the time of the request.

By applying Section 22, there was of course a commitment to publish the Undertakings in their entirety. What was the compelling public interest in releasing the names themselves at that time? Where was my incentive to override the aforementioned concerns? Was it reasonable to dismiss the representations and risk a loss to taxpayers’ money, just to provide their names, which in isolation added very little?

Believe it or not, I’m intensely relaxed at the idea I may have got my decision in this request wrong, I’m sure all practitioners have been overturned at some point. But that doesn’t raise questions of trust, it just shows that request handlers will be a mix of the good, the bad and the ugly – or in my case 2 of the 3.

More generally, I think there is a point to be made here that practitioners at the ICO are burdened by the same challenges as practitioners elsewhere – unhelpful busy colleagues, private sector stakeholders who don’t understand FOI and requestors who are often baying for someone’s blood – all of which is conducted in an increasingly public gaze and to the soundtrack of a 20 day ticking time clock.

Whilst Jon (politely) took issue with the decision not to release these 2 undertakings, another observer somewhat over-excitedly thought the decision not to release the NI one was a sign of “collusion, cover up and corruption”. Everyone is entitled to their opinion – mine is that the latter individual needs to get out more and learn some manners. If I’d withheld News International’s name and released the names of the 2 Councils, I’m pretty sure that the regular critics would be chiming in with their favorite allegation that the ICO is frightened of big business etc. That’s the tightrope a high profile FOI public authority request handler walks. I enjoyed the work, but it’s nice to have the freedom to explain the thinking behind the output.


You cannot be serious (can you)?

The First Tier Tribunal recently upheld the ICO’s Civil Monetary Penalty of CLCH, which I think has generally been taken as an approval of the ICO’s CMP logic and procedures. I’m not convinced, as I think some pretty important questions remain unanswered about the ICO’s handling and thought process in this area. I should share that I previously sat in on CMP meetings so have a little inside knowledge, although my former employers will no doubt be encouraged that I take enough interest in the legislation to know what Section 59 does (and doesn’t) apply to.

In any case, if I was going to share my inside line, I’d rather follow the lead of the former Head of Enforcement, who went to work for FFW who coincidentally have since pocketed a staggering 168k representing a public authority in a single CMP case. Moral of the story – that type of knowledge is to be sold, not to be told (feel free to contact me Sony legal department ahead of your forthcoming appeal).

We know from the recent appeal that the ICO divide CMP’s into 3 categories, Serious, Very Serious and Most Serious, with each category having a financial band. Aside from the slightly inelegant language, that seems a broadly sensible approach.

What has become apparent to me, however, is that 1) there is no consideration of where breaches occur without an associated incident and 2) there is no criteria, explanation or perhaps even logic on how breaches are classified into each band.

In making this analysis, I would accept that I may well be wrong here, because I haven’t made an FOI request for any information held in relation to the above. That’s because I wouldn’t wish to needlessly add to the testing workload of my former colleagues, especially because recent events have shown us how much a team of 12 people can struggle to keep on top of things when the majority are women. Only joking sisters, love you really!

Moving on from the satirical sexism, let’s address my first contention, essentially that the ICO’s CMPs only react to data incidents, not DPA breaches. I’d begin by noting that at no point does the CMP guidance introduce the concept of punishing for a particular incident – it’s for the breach of the DPA itself. The ICO isn’t there to provide punitive redress to those who may have been wronged in some way – but to punish for a serious breach of the DPA. As I’ll expand upon below, it’s quite possible for a concerning incident involving personal data to occur that perhaps doesn’t even equate to a breach of the DPA.

If the ICO was indeed issuing CMP’s for serious DPA breaches, as opposed to punishing incidents, then if I self reported that my organisation didn’t encrypt laptops containing sensitive personal data (we do), would that not be a serious 7th principle breach and one likely to cause damage and distress in the event they were lost/stolen? It would fit each of the criteria required to impose a fine. Yet the ICO hasn’t fined one organisation for a breach where there wasn’t an incident. Why wait for the incident to occur before taking action against a breach? Furthermore, most of the published discussion around CMP’s focuses on the incident, such as the numbers affected and the type of information lost in that particular case. Admittedly it could be argued that where there is not an incident, it is much harder to demonstrate that the breach would be of a kind likely to cause damage/distress, but from my anecdotal experience, I don’t think that is how things are looked at.

Similarly, with reference to the second strand of my perspective, the breach appears to be determined to be serious by the ICO almost entirely because of the specifics of the incident. There is minimal consideration of what the Data Controller did wrong in DPA terms.

Over 90% of the ICO CMP’s have been for breaches of the 7th Principle, so I will focus my analysis around that principle. The gist of the principle is basically the greater the amount of information and the sensitivity of that information, the more measures should be put into place to protect it – a proportionate approach.

To breach that principle, you would have failed to have put ‘appropriate’ measures in place. So for it to be a ‘serious breach’, the ICO should probably establish the deficit between the measures actually in place and the measures that should have been in place. If the gap is significant, one could then move on to looking at whether the breach was of a sort likely to cause substantial damage/distress.

The CMP for Sony typically sidesteps this issue of ‘seriousness’, instead concluding

“The contravention is serious because the measures taken by the data controller did not ensure a level of security appropriate to the harm that might result from such unauthorised or unlawful processing and the nature of the data to be protected”.

I find that analysis exceptionally weak. Firstly, where the measures don’t match the risk, it is by definition a breach – where does the increased severity to a serious breach derive from? The ICO’s summary here appears to be saying that because it is a breach, it is a serious breach. I’m not saying it’s not serious, simply highlighting that there is no explanation offered by the ICO. Further, given we know that this case has ended up with a £250k fine, the ICO have in their mind in fact held this to be a very serious breach. Shouldn’t the language used be comparable to the conclusion formed?

When considering the aggravating factors, it does mention that the “contravention was particularly serious because of the nature and amount of personal data”, but that again is weak because of the implication that any breach involving large amounts of data is a serious one. Again, the incident might be serious, but I’m not convinced it makes the breach itself serious, not least because there might be a case where the data controller just made one small mistake and that led to an incident that would be likely to cause damage and distress for a large number of people. Is that more, or less of a serious breach than a data controller being completely reckless with 1 person’s data thus causing huge damage?

The FTT commented in the CHC appeal that they thought the ICO could have classified that case as “very serious” on the basis of the number of organisational failings – essentially judging the seriousness of the breach against the failings against the 7th principle. The ICO has not stated in its written guidance that such factors will be considered at all and it’s missing from the CMP’s, again suggesting they are focussing more on the incident and working backwards from there.

For example, information could be lost or accidentally disclosed as a result of an error by a data processor. Where the data controller is considered to have followed all the appropriate steps for selecting and monitoring the data processor, it might be the case that technically there isn’t a breach of the DPA at all – or perhaps more accurately not the 7th principle. If you select a specialist data processor, ensure you have a watertight contract and audit them regularly, would you not be well placed to argue you had taken appropriate measures to keep information secure, even where an incident then occurred? Or likewise if you train staff regularly and have the best policies in the country but an employee decides to leave sensitive papers stuffed in a hedge?

Had the data controller followed all of the correct steps but not carried out regular audits of the Data Processor, then in my mind that would be a breach of the 7th principle – but not a serious one in the sense the gap between what they should have done and what they did do was relatively small. A serious breach would be just flinging out the outsourcing to the cheapest provider, with no contract and no checks. The reality is that incidents usually occur as a result of a breach, but the extent to which the incident has been caused by technical and organisational failings will of course differ and that’s where I feel the ICO is somewhat blinkered.

To again take the example of Sony, they had online security, it just wasn’t sufficient enough to withstand a targeted and sophisticated criminal attack. It strikes me that the breach itself was at the lower end of the spectrum, in terms of assessing the difference between what they should have done, and what they actually did. What would the fine have been if they had no security at all?

I’m not suggesting that the numbers affected and the level of (potential) damage/distress should be ignored, as that would be a bit perverse. Indeed, I would like to see those factors considered in conjunction with the severity of the DPA breach by the data controller (e.g. severity of breach x numbers affected x potential damage/distress). But above all, I’d like to see those handing out the fines being clear about their reasoning.

On a slightly different note, something also caught my attention about the recent CMP to the Nursing and Midwifery Council. Incidentally, whilst it might be a bit of a pipedream to think I might catch the eye of the Sony Appeal lawyers, it’s more of a lifelong dream to catch the eye of a gaggle of Nurses. They were essentially subject to a CMP because they didn’t have a policy to encrypt DVD’s containing evidence sent to a fitness to practice hearing. The guidance in such matters is very clear, so in some ways there is no debate, but it did cross my mind that had they sent the very same information (apparently witness interviews) in paper form, then would they have faced similar action? Sending personal information on a disk shouldn’t really be considered more insecure than sending the same information in paper form. If a bundle of papers had vanished having used a courier, would that have seen a 6 figure fine?

I’m not setting out to be a vocal critic of the ICO, as aside from anything else I think that market is saturated, so I should perhaps balance my criticism of the ICO by acknowledging that on the whole the CMP’s seem to be broadly consistent, reflective of a logical precedent based approach. I just feel that it would also be good to take a step back and think about the basis behind some of the fines – admittedly easier said than done when faced with a constant stream of breaches (sorry, incidents) to investigate. Hopefully my analysis will therefore help. If so I seek no plaudits – although I wouldn’t mind one of those generous free dinners (page 7) the Commissioner manages to get through the expenses policy (page 14), disproving the old adage that there’s no such thing as a free lunch (page 1).


What Price Frivolity and Freedom?

The blogosphere is full of well written and impressively articulated arguments in support – or perhaps more accurately in defence – of FOIA, but I’ve always found it surprising that those who have spent time at the coalface don’t feel greater frustration with the legislation and its wider cost. I write this as someone who spent 2 and a half years dealing with information requests, many of which were frivolous by any reasonable interpretation of the word. I’m a fan of FOI but feel that misuse of the Act weakens its reputation and subsequently its wider effectiveness – whilst also diverting valuable resources in tough times.

The current legislation makes no allowance for the use of frivolous requests, the bar is instead set considerably higher at ‘Vexatious’, meaning that sarcastic requests about Zombies are afforded a level of respect and attention that most sensible observers would find a matter of regret. Ok, not all silly questions take long to deal with, but the fact remains that such requests have to be formally responded to, can then be subject of an internal review, complaint to the ICO and referral to the Information Tribunal – all at no cost to individuals who often appear to use the Act as simply a continuation of a complaint.

On a similar basis, the cost of FOI is something that usually attracts huge criticism by those who defend it. Ironically, those who seek transparency of public spending recoil in horror when the costs of FOI are openly examined or discussed. Let me be clear, and let us all be honest, Freedom of Information does not come cheaply – so whilst it might be free at the point of sale, we are collectively still paying for it.

Those who make a disproportionate number of requests clearly have the most to lose from a proposed charging regime. So we should perhaps consider very carefully the motives of an individual who admits to making around 700 requests a year whilst aligning himself to the campaign to resist charging. He may well be a principled campaigner raising issues of great importance and identifying significant costs savings – but clearly self interest is also engaged.

By way of example I was expected to do circa 180 requests a year, with my modest salary hovering around £25,000. Sure, I had some ad hoc Governance project work to carry out as well, but a crude starting calculation takes it to around £140 a request. The cost of employing me was probably more like well over £40k+ when you factor in pension and NI contributions etc. My calculation also doesn’t consider the cost of colleagues’ time in providing input to a response (think how much time alone is spent on Section 36 considerations by senior/expensive staff?). I don’t know how one would ever arrive at a calculation, as the Justice Committee have just suggested, but the ballpark figures are interesting nonetheless. So Mr Benson’s 700 requests a year are probably costing considerably over £100,000 – that’s before any costs of his Internal Reviews and other stages of complaint are factored in.

I was one of 6 dedicated request handlers in an organisation employing around 350 people. Some may argue that being transparent in times of recession saves money, but even if others believe that, I don’t. Let me put it this way, if you ran a private company with 350 employees, would you really shell out for 6 full time staff (plus managers) to allow people to scrutinise you in the belief it would save you money and identify cost savings? I wouldn’t. Loyalists argue that there is a cost limit (essentially implying a £450 limit on the cost of a request) but the time spent considering, redacting and preparing a response are not considered, hence a position where requests can take 5 months to process.

A Nottingham City Councillor claimed FOI was costing his Council £500,000 a year and came under strong attack for his statement. He may or may not have been overegging the pudding, but to suggest that the true figure was just £64,000 is equally wide of the mark, given it takes no account of printing costs, preparing and attending ICO Complaints and Tribunal hearings, the management of a disclosure log etc. For the record, my money is firmly on the £500,000 being a lot more accurate than the £64,000, but in both cases it appears the authors are letting their respective opinions on FOI dictate the figures.

Meanwhile, Nottingham’s rivals down the Brian Clough way, Derby City Council, somehow managed to spend just £31,500 apparently responding to 939 requests, which suggests that either a) they were a damn sight more hardworking than me, b) that figure is bollocks or my own vote c) both of the above.

A more sensible argument would surely be that whilst it costs, FOI is a necessary cost of democracy. That’s certainly my take on it. But the point I have been clumsily fumbling around with here is that if you have confidence in your position, you shouldn’t be afraid of facts and nor should you avoid any criticism of the current legislation. Those with such an interest in FOI should be amongst the first to want to know what it costs and find ways to cut the crap. Nor should they attack those who wish to prioritise caring for the elderly (councils), dealing with more crime (the police) or rising pupil numbers over providing information about student wanking pranks.
