Following news of a Freedom of Information (FOI) disclosure revealing a lack of public reprimands issued over GDPR breaches in the public sector, we take a closer look at the FOI, what it can be used for, and how it’s linked to the ICO.
What Is The Freedom of Information Act?
The Freedom of Information Act (FOIA) and Freedom of Information (Scotland) Act (FOISA) are the UK laws that cover the public’s general right of access to information held by public authorities.
Public authorities include government departments, devolved administrations, other public bodies and committees, local councils, schools, colleges and universities, the NHS, publicly owned companies publicly funded museums, galleries and theatres, the police and fire services, and the National Archives.
Who Can Make One … And How?
The FOI Act gives everyone a legal right to see information held by public bodies/authorities. A Freedom of Information (FOI) request can be made in writing by letter, email, social media or online form. Those making an FOI request need to include (not needed for environmental information) a contact postal or email address and a detailed description of the information required, e.g. all information held on a subject, or just a summary. The information can be requested in a particular format, e.g. paper or electronic copies, large print, or audio.
The Information Commissioner’s Office (ICO) is the UK’s independent, non-departmental public body set up to uphold information rights in the public interest.
The ICO should also promote openness by public bodies and data privacy for individuals. The ICO plays a key role in administering the FOI because it is the regulator for Data Protection and Freedom of Information, with key responsibilities under the Data Protection Act 2018 (DPA) and Freedom of Information Act 2000 (FOIA), as well UK GDPR, and other acts. The ICO also has a Regulatory and Enforcement Activity Policy, and its “default position” under this policy is to publish all formal regulatory outcomes such as reprimands issued under GDPR, which can include reprimands issued to private companies. Formal reprimands, fines and other enforcement notices, for example, can be issued to organisations by the ICO where GDPR has been contravened.
A week ago, it was reported that following a FOI request by Jon Baines, a senior data protection specialist at law firm Mishcon de Reya, there appears to have been failings in the disclosure by the ICO of reprimands it had issued to public authorities under GDPR. The FOI request by Mr Baines revealed that although the ICO had issued 42 reprimands between 25 May 2018 (when the UK GDPR came into effect) and 15 November 2021, most were not publicly disclosed.
Considering that the ICO’s default position should be disclosure of the outcomes, the failure to do so in most cases over more than 3 years has led to criticism that the ICO has been failing in this area.
The FIO request revealed that reprimand recipients included some very large organisations, and not just those in the public sector. For example, the supermarket chains Asda and Morrisons, healthcare provider BUPA, apps like Houseparty and Zoom, and EasyJet are reported to have received reprimands. Other recipients are reported to include West Midlands Police (twice), The Home Office (twice), Oxford University, NHS health boards, schools, and some local councils. Mishcon de Reya, the company whose data protection specialist made the FOI request, reports that the Digital Service (part of the Cabinet Office), UKIP, and the CPS were also recipients of reprimands under GDPR. However, the ICO has (according to Mishcon de Reya) withheld the identity of one of the recipients because the information relates to a body dealing with national security and intelligence or serious organised crime.
Mishcon de Reya reports that the ICO has confirmed that in the future, when it publishes its online datasets of casework outcomes, these will include reprimands.
A new Information Commissioner, John Edwards, took over from Elizabeth Denham CBE on 3 January 2022. John Edwards has been New Zealand’s Privacy Commissioner since February 2014, and has practiced law in Wellington, New Zealand for more than 20 years (specialising in information law). The hope is that this area around publishing details of reprimands will be given more attention under his leadership.
Data privacy is an important matter to individuals and businesses, and it could be strongly argued that it is in the public interest to see, through reports of reprimands under GDPR, which organisations may not be acting responsibly with their data. This could influence whether consumers choose to use the services of particular company (a matter of trust). It may also be very disappointing to many businesses that have been paying close attention to complying with GDPR to see that the regulator appears not to have been paying attention to its own policy and appears to have been failing in an important area for 3 years. For those companies whose reprimands weren’t made public, the apparent failure of the ICO in this area has been an unexpected let-off that they are likely to have been glad of in terms of protecting their reputations. This story also illustrates how important and powerful the right to make FOI requests can be and how this right should be valued.