Government departments that fail to respond to Freedom of Information requests adequately could be named and shamed as part of a “report card” system, the data regulator has said.
Elizabeth Denham, the information commissioner, said her office had seen “slippage in terms of timeless and quality of responses” by some government departments to FoI requests, and was considering ways to bring them back into line.
Among the tactics the Information Commissioner’s Office was looking into to tackle this problem was a “report card system for those government departments that are dragging their feet or lagging behind the standard”, she said.
The warning came as Denham said people could also expect to see an “increase in enforcement” on other areas in the coming months. ICO served the Ministry of Justice with an enforcement notice in December for dragging its heels on subject access requests, forcing it to respond requests more quickly. “We will use that tool again for other central government departments,” Denham said.
Speaking at the Institute for Government in London last week, Denham said the draft FoI strategy ICO published last month set out the regulator’s “intention to enforce the law more stringently” when it came to the release of publicly held information.
The draft strategy document, which is out for consultation at the moment, said ICO would push for reform of FoI legislation to ensure it remains fit for purpose. And in its first report to parliament this month, the regulator said it wanted to see the legislation extended to include government outsourcers.
Denham said although some government departments had become complacent about their legal duty to release information when asked, they also faced considerable pressures on their capacity to fulfil that duty.
“There are other reasons, I think, for the higher statistic in the percentage of requests that are withheld at least partly or in full,” She said.
“I think that’s partly because there are fewer resources in the departments assigned to Freedom of Information. I think that’s particularly the case during this year of Brexit, so you see more and more staff that are moving to other areas, but also there are more and more requests for sensitive information relating to Brexit that can be legitimately withheld [because they might compromise] international relations or the negotiating position of government.”
However, she warned this did not absolve departments of their responsibility to comply.
GDPR "not Y2K for data protection”
Budget pressures may also constrain government departments’ ability to fully comply with the General Data Protection Regulation, Denham warned, as she said there was “much more to be done in public bodies” on data protection.
The information commissioner said she was “concerned about the level of resources that are being put into data protection”, following the introduction of GDPR last year.
Denham said departments had “got themselves over the line as of May 25 2018” when the legislation came into force by completing “the minimum work that they needed to do to ensure that they had the right legal basis for the collection, use and sharing of personal data” including training data protection officers and updating their privacy notices.
But these should only be considered the first steps when it came to complying with the regulation, she said.
“GDPR is not Y2K for data protection,” she added, referring to the push to ensure software did not malfunction at the turn of the millennium.
“Getting over the mark isn’t enough to get you all the way there.
“I think what government departments have to do now is ensure they keep their foot on the pedal, because they haven’t done all the work for all the processes that need to be in place to ensure privacy by design, data protection impact assessments, the risk management, the audits that need to be sent to their audit function or the board.”
Denham said ICO was examining how data was being used by several public bodies, including government departments and police forces. It had ongoing investigations into HM Revenue and Customs’ used of an “implied consent” model to collect more than five million people’s vocal data for its voiceprint ID system.
It is also looking at how police forces use facial recognition software and extract mobile phone data, she said.