If you were putting in a claim for benefits, challenging an accusation in court or phoning in sick to your employer, would you expect your local authority to be checking your social media presence?
How do you think a stranger might assess you as a parent, were they to skim over any public posts on your Facebook page? If you’ve been on a protest recently, would you be comfortable knowing that your local council was combing through any photos you’ve shared?
A Freedom of Information investigation by Privacy International, using WhatDoTheyKnow Pro, has discovered that a significant number of local authorities — 62.5% of those responding to their FOI requests — habitually monitor citizens’ Facebook or other social media profiles to gather intelligence.
What’s more, the majority have no policy in place or measurement of how often and to what extent these investigations occur.
If this concerns you, the first thing you should do is check that your social media privacy controls are up to date. Then you might like to go and read Privacy International’s full report, as well as checking how (or whether) your own local authority has responded to their requests for information.
And finally, you can join Privacy International’s call for stronger guidelines from the Investigatory Powers Commissioner.
Just… maybe think twice about putting it in a public Facebook post?
We’re only joking, of course. Or half joking.
Issues like this need to be shared far and wide. But as Privacy International point out, there are already sobering instances from abroad of threats to those following anti-government accounts. With so many completely unexpected changes to the status quo recently, can we say for certain that it could never happen here?
Image: John Schnobrich
The Coronavirus (COVID-19) pandemic is having an impact on response times to Freedom of Information requests. Please see this information from the Information Commissioner’s Office, and the Scottish Information Commissioner. You can contact the WhatDoTheyKnow team if you have any questions about your requests.
Note: There is now an update to this post, which can be found here.
At times of crisis, the need for factual information is clear — and Freedom of Information is the lawful mechanism by which we can demand it. And yet, it is becoming increasingly obvious that across the world, rights to information are being eroded, by design or by circumstance, as governments and authorities deal with the effects of COVID-19.
Rather than restrict access to information, at this time bodies should be moving towards proactive release, and any necessary restrictions that are put in place must be temporary and time limited.
Keeping our rights intact
At WhatDoTheyKnow we are, of course, resolute that we must not allow the current situation to cause lost ground in the right to hold our authorities accountable.
Nonetheless, we do of course recognise the difficulties involved for authorities in keeping a service running at a time when the workforce may be depleted, staff may be working from home and not able to access physical files, and resources may be quite rightly being prioritised on the frontline of the fight to keep the population safe.
We call for a common sense approach that balances this new working environment with the enhanced need for public information:
- A recognition that not all authorities and not all departments will be equally affected by the current crisis. While it is clear that those which are working in the areas of health, policing, and other frontline activities are likely to be the least able to dedicate resources to FOI, other authorities/departments should do all they can to keep their channels of information open and active.
- In the spirit of transparency and public interest, all authorities should commit to the proactive publication of information, without the need for it to be requested. This should especially apply to decisions being made around public health, responses to COVID-19, and changes to rights and freedoms of citizens; and the data informing these decisions. Proactive publication requires fewer resources than responding to individual requests as they arise.
- Measures that are put in place to relax the right to information during this fast-moving environment must be recognised as temporary and reassessed at regular frequent intervals. When the health crisis has passed, they must be removed and the right to information must be restored to the same, or better, status as previously enjoyed by citizens.
Information is vital
More than ever, now is the time to ask questions: what plans do our governments have in place to tackle this unprecedented threat? What research is guiding their actions? How are they meeting targets for testing, for vital equipment, for hospital beds?
Or, just as importantly, as Julia Keseru asks in this piece: how are the most vulnerable in society being impacted by the broad stroke decisions being implemented?
In the UK, the government has stated a commitment to transparency: “In fast moving situations, transparency should be at the heart of what the government does”. But the gaps in existing data are noted by Jeni Tennison here, alongside a call for private companies to do what they can.
And at the same time, we’ve seen a relaxation of authorities’ obligations under the FOI Act in recognition of stretched resources and depleted staff.
These have taken the form of a notification from the ICO that they will be more lenient towards authorities providing late responses, and messages from authorities themselves that they will be providing a cut-down service.
Guy’s Hospital, for example, is understandably responding with a plea for people to consider whether their request is really required; while Bournemouth, Christchurch and Poole Council are auto-responding: “The Council is not currently in a position to respond to your request. This is as a result of ensuring that all available resources are diverted to support the community and we can continue to deliver essential and priority services during the unprecedented crisis presented by COVID19. Please resubmit your request at a later date and not before 8th June“.
Scotland’s emergency bill, voted through yesterday, massively extended the deadline for responses despite intervention from campaigners and MSPs. As a result, WhatDoTheyKnow’s auto-prompts when an authority has not responded within the mandated timeframe are currently wrong, and we’ll be looking at correcting this as soon as we can. [Update: We now account for the new law in Scotland, but there may be a few existing requests or authorities that we’ve missed out, so please get in touch if you have questions about your request.]
Information doesn’t just allow us to hold our governments to account over the actions they take during this crisis. As Newspeak House’s Corona Virus Tech Handbook has vividly demonstrated, shared knowledge allows collaboration, in some cases across borders, that may literally save lives.
A global lapse
Meanwhile, in countries around the world, the reaction has ranged from New Zealand’s ‘pro-transparency’ response, documented along with less hopeful dispatches from other countries in this post from Global Investigative Journalism Network, to Hungary’s worrying move to rule by decree.
At WhatDoTheyKnow, we stand by our international community of friends and colleagues who value the citizens’ right to know.
Access to Information and journalists’ networks are monitoring the erosion or upholding of our rights across the world, and will act to preserve them where we can.
Image: Dimitri Karastelev
Freedom of Information forms the basis of many a campaign that seeks to expose hidden facts, or stories which should be in the public eye.
We spoke to Jen Persson, Director of defenddigitalme, about that organisation’s tireless campaign to get to the truth on the collection, handling and re-use of schoolchildren’s personal data in England.
What emerged was a timeline of requests and responses — sometimes hard fought for — which when pieced together reveal secrecy, bad practice and some outright falsehoods from the authorities to whom we entrust our children’s data. Perhaps most striking of the findings was the sharing of data with the Home Office in support of their Hostile Environment policy.
As Jen describes defenddigitalme’s campaign, “It began with trying to understand how my daughter’s personal information is used by the Department for Education; it became a campaign to get the use of 23 million records made safe”.
It’s a long tale, but definitely worth the read.
December 2012: consultations and changes
The story begins here, although it would still be a couple of years before Jen became aware of the issues around children’s data, “despite — or perhaps because of — having three young children in school at the time”.
Why did no one at all seem to know where millions of children’s personal data was being sent out to, or why, or for how long?
As Jen explains, “During the Christmas holidays, the Department for Education (DfE) announced a consultation about changing data laws on how nationally stored school pupil records could be used, proposing that individual pupil-level records could be given away to third parties, including commercial companies, journalists, charities, and researchers. Campaigners raised alarm bells, pointing out that the personal data would be highly identifying, sensitive, and insecure — but the changes went through nonetheless.”
2014: discovering the power of FOI
Jen came across that change in law for herself when reading about a later, similar data issue in the press: there were plans to also make available medical records from GP practices. This prompted her first foray into FOI, “to answer some of the questions I had about the plans, which weren’t being published”.
I feel strongly that if I am going to ask for information which has a cost in time and capacity in the public sector, then it should mean the answers become available to everyone.
And that first step got her thinking:
“At around the same time I asked the DfE a simple question, albeit through a Subject Access rather than FOI request: What personal data do you hold about my own child?
“My Subject Access request was refused. The Department for Education would not tell me what data they held about my children, and as importantly, could not tell me who they had given it to.
“There was nothing at all in the public domain about this database the DfE held, beyond what the campaigners in 2012 had exposed. It wasn’t even clear how big it was. How was it governed? Who decided where data could be sent out to and why? How was it audited and what were the accountability mechanisms? And why was the DfE refusing its lawful obligations to tell me what they held about my daughter, let me correct errors, and know where it had gone? Why did no one at all seem to know where millions of children’s personal data was being sent out to, or why, or for how long?
“Prior to all this, I’d never even heard of Freedom of Information. But I knew that there was something wrong and unjust about commercial companies and journalists being able to access more personal data about our children than we could ourselves.
I worded some questions badly. I learned how to write them better. And I’m still learning.
“I needed to understand how the database operated in order to challenge it. I needed to be able to offer an evidenced and alternative view of what could be better, and why. FOI was the only way to start to obtain information that was in the public interest.
“I believed it should be published in the public domain. WhatDoTheyKnow is brilliant at that. I feel strongly that if I am going to ask for information which has a cost in time and capacity in the public sector, then it should mean the answers become available to everyone.”
“I tried to ask for information I knew existed or should exist, that would support the reasons for the changes we needed in data handling. I worded some questions badly. I learned how to write them better. And I’m still learning.”
2015: sharing children’s personal data with newspapers
That was just the beginning: at the time of writing, Jen has made over 80 FOI requests in public via WhatDoTheyKnow.com .
Through FOI, defenddigitalme has discovered who has had access to the data about millions of individuals, and under what precepts, finding such astonishing rationales as: “The Daily Telegraph requested pupil-level data and so suppression was not applicable.” The publication “wished to factor in the different types of pupil” attending different schools.
Jen explains: “This covered information on pupil characteristics related to prior attainment: gender, ethnic group, language group, free school meal eligibility (often used as a proxy for poverty indicators) and SEN (Special Educational Needs and disability) status, which were deemed by the Department to be appropriate as these are seen as important factors in levels of pupil attainment.”
But with such granular detail, anonymity would be lost and the DfE were relying only on “cast iron assurances” that the Telegraph would not use the data to identify individuals.
2016: sharing children’s nationality data with the Home Office
In a Written Question put by Caroline Lucas in Parliament in July 2016, the Minister for Education was asked whether the Home Office would access this newly collected nationality data. He stated: “the data will be collected solely for the Department’s internal use […]. There are currently no plans to share the data with other government departments unless we are legally required to do so.”
But on the contrary: defenddigitalme’s subsequent requests would disclose that there was already a data sharing agreement to hand over data on nationality to the Home Office, for the purposes of immigration enforcement and to support the Hostile Environment policy.
Jen says: “As part of our ongoing questions about the types of users of the school census data, we’d asked whether the Home Office or police were recipients of pupil data, because it wasn’t recorded in the public registry of data recipients.
The Home Office had requested data about dependents of parents or guardians suspected of being in the country without leave to remain.
“In August 2016, a FOI response did confirm that the Home Office was indeed accessing national pupil data; but to get to the full extent of the issue, we had to ask follow up questions. They had said that “since April 2012, the Home Office has submitted 20 requests for information to the National Pupil Database. Of these 18 were granted and 2 were refused as the NPD did not contain the information requested.”
“But the reply did not indicate how many people each request was for. And sure enough, when we asked for the detail, we found the requests were for hundreds of people at a time. Only later again, did we get told that each request could be for a maximum agreed 1,500 individuals, a policy set out in an agreement between the Departments which had started in 2015, in secret.
“In the October afternoon of the very same day as the school census was collecting nationality data for the first time, this response confirmed that the Home Office had access to previously collected school census pupil data including name, home and school address: “The nature of all requests from the Police and the Home Office is to search for specific individuals in the National Pupil Database and to return the latest address and/or school information held where a match is found in the NPD.”
The Home Office had requested data about dependents of parents or guardians suspected of being in the country without leave to remain.
“In December 2016, after much intervention by MPs, including leaked letters, and FOI requests by both us and — we later learned — by journalists at Schools Week, the government published the data sharing agreement that they had in place and that was being used”.It had been amended in October 2016 to remove the line on nationality data, and allowed the data to be matched with Home Office information. It had also been planned to deprioritise the children of those without leave to remain when allocating school places, shocking opposition MPs who described the plan variously as “a grubby little idea” and, simply, “disgusting”.
Other campaigners joined the efforts as facts started to come into the public domain. A coalition of charities and child rights advocates formed under the umbrella organisation of Against Borders for Children, and Liberty would go on to support them in preparing a judicial review. ABC organised a successful public boycott, and parents and teachers supplied samples of forms that schools were using, some asking for only non-white British pupils to provide information.
Overall, nationality was not returned for more than a quarter of pupils.
2017: behind the policy making
Through further requests defenddigitalme learned that the highly controversial decision to collect nationality and country of birth from children in schools — which came into effect from the autumn of 2016 — had been made in 2015. Furthermore, it had been signed off by a little known board which, crucially, had been kept in the dark.
“I’d been told by attendees of the Star Chamber Scrutiny Board meeting that they had not been informed that the Home Office was already getting access to pupil data when they were asked to sign off the new nationality data collection, and they were not told that this new data would be passed on for Home Office purposes, either. That matters in my opinion, because law-making relies on accountability to ensure that decisions are just. It can’t be built on lies”, says Jen.
The process of getting hold of the minutes from that significant meeting took a year.
Jen says, “We went all the way through the appeals process, from the first Internal Review, then a complaint to the Information Commissioner. The ICO had issued a Decision Notice that meant the DfE should provide the information, but when they still refused the next step was the Information Rights First Tier Tribunal.
“Two weeks before the court hearing due, the DfE eventually withdrew its appeal and provided some of the information in November 2017. Volunteers helped us with preparation of the paperwork, including folk from the Campaign for Freedom for Information. It was important that the ICO’s decision was respected.”
2018: raised awareness
In April last year, the Department confirmed that Nationality and Country of Birth must no longer be collected for school census purposes.
However, Jen says, “Children’s data, collected for the purposes of education, are still being shared monthly for the purposes of the Hostile Environment. There’s a verbal promise that the nationality data won’t be passed over, but since the government’s recent introduction of the Immigration Bill 2018 and immigration exemption in the Data Protection Act, I have little trust in the department’s ability in the face of Home Office pressure, to be able to keep those promises.
“Disappointingly”, says Jen, “the government has decided instead of respecting human rights to data protection and privacy on this, to create new laws to work around them.
The direction of travel for change to manage data for good, is the right one.
“It’s wrong to misuse data collected for one purpose and on one legal basis entrusted for children’s education, for something punitive. We need children in education, it’s in their best interests and those of our wider society. Everyone needs to be able to trust the system.
“That’s why we support Against Borders for Children’s call to delete the nationality data.
“A positive overall outcome, however”, she continues, “is that in May 2018, the Department for Education put the sharing of all pupil level data on hold while they moved towards a new Secure Access model, based on the so-called ‘5-Safes’. The intention is distribute access to data with third parties, not distribute the data itself. The Department resumed data sharing in September but with new policies on data governance, working hard to make pupil data safer and meet ‘user needs’. The direction of travel for change to manage data for good, is the right one.”
2019: Defenddigitalme continues to campaign
Defenddigitalme has come a long way, but they won’t stop campaigning yet.
People working with FOI is really important, even and perhaps especially when it doesn’t make the press, but provides better facts, knowledge, and understanding.
Jen says, “Raw data is still distributed to third parties, and Subject Access, where I started, is still a real challenge.
“The Department is handing out sensitive data, but can’t easily let you see all of it, or make corrections, or tell you which bodies for sure it was given to. Still, that shouldn’t put people off asking about their own or their child’s record, or opting out of the use of their individual record for over 14s and adult learners, and demand respect for their rights, and better policy and practice. The biggest change needed is that people should be told where their data goes, who uses it for how long, and why.
“Access to how government functions and the freedom of the press to be able to reveal and report on that is vital to keep the checks and balances on systems we cannot see. We rely on a strong civil service to work in the best interests of the country and all its people and uphold human rights and the rule of law, regardless of the colour of government or their own beliefs. People working with FOI is really important, even and perhaps especially when it doesn’t make the press, but provides better facts, knowledge, and understanding.
“FOI can bring about greater transparency and accountability of policy and decision making. It’s then up to all of us to decide how to use that information, and act on it if the public are being misled, if decisions are unjust, or policy and practice that are hidden will be harmful to the public, not only those deciding what the public interest is.
“WhatDoTheyKnow is a really useful tool in that. Long may it flourish.”
Alongside several UK organisations, we’re campaigning against the proposed changes to the Freedom of Information Act.
Now, the changes are just that – proposed ones – so you might think that it’s hard to do more than speculate over what they might mean for Freedom of Information in this country.
But wait! Here at mySociety, we are in touch with people and organisations who run Freedom of Information websites all over the world. Many of them have seen the introduction of such restrictions (and some have successfully challenged them).
So in this post, we gather together their experiences along with existing research, to provide evidence and context to the changes currently being discussed.
Perhaps you’d like to use some of the following examples when you write to your MP.
For a government to desire such restrictions is nothing new: a 2011 report by Toby Mendel for the World Bank* examines several countries which have been through exactly that (and, more cheerfully, lists those where the law was changed to extend FOI rights). One statistic stands out from that report:
Emily O’Reilly, the Irish information commissioner, noted that the impact of the amendments had been to reduce the rate of requests by 50 percent, to decrease requests (other than those for personal information) by 75 percent, and to cause a drop of 83 percent in requests by the media—all within one year.
Ireland introduced fees for initial requests, and also for any subsequent internal and independent reviews. They also extended protection to some government records showing the workings of civil servants, and to documents referring to security, defence and international relations. The decision was later reversed in order to “restore the balance”.
*Amending Access to Information Legislation: Legal and Political Issues by Toby Mendel, 2011
In Germany, we are told by Arne from the FOI website Frag den Staat, bodies may charge up to 500 € for the processing of information requests.
Fair enough, you might think — but let’s look at a couple of examples.
Like when the Ministry of Transport charged the maximum fee for the provision of data on railway infrastructure. They said that the fee covered the required inspections; they didn’t mention that the data could be found in PDFs that already existed internally.
Similarly, the Federal Office of Consumer Protection charged 500 € for answering eight questions about their website, asking about costs, usage and data protection: it’s hard to comprehend how that could have required quite so much effort.
Arne points out that the fee isn’t applied consistently, either: the same request made to a number of similar institutions (for example universities) will result in some information being provided for free, while others charge.
Finally, he says it’s clear that some people are intimidated by the mere possibility of being charged. Auto-replies from the Foreign Office include details of possible costs, whether or not they apply, which can be very off-putting for inexperienced users.
In response, FOI-championing website Atlatszo.hu got together with other NGOs to put together this damning assessment:
The new law gives state institutions the option to deny information requests [..] if they involve preparation for “future decision”, but most importantly, it introduces a requirement that those who approach various institutions for information may have to pay for their queries.
The various state bureaus may charge a fee if they decide that the request for information places an unwarranted additional workload on the staff. Besides being highly arbitrary grounds for denial, the financial costs are a natural deterrent to even attempting to find out important information.
The organisation also predicts that fees will lessen the will of average people to file requests. Here’s an excerpt from a recent interview with Atlatszo.hu’s Editor-in-Chief :
“They are charging fees so people won’t file so many requests,” says Bodoky, adding that while Atlatszo isn’t very happy with the situation, it won’t be deterred. “We will pay the small fee and continue to make requests, but citizens and activists who have started to use freedom of information quite a lot may not want or be able to.”
Richard Hunt, who runs the FOI site Informace Pro Všechny, as well as actively using FOI here in the UK, tells us that in the Czech Republic, there is no statutory charge for requests. However a clause states that costs can be recovered.
There have been high profile cases reported by the press, because the press were the requesters.
When HN (a leading financial daily newspaper) asked the finance ministry to provide the details under the Freedom of Information Act of the Kč 6.2bn in tax payments and penalties that have been forgiven since 2006, the ministry asked for processing fees of more than Kč 250,000. (£6,500).
Richard also tells us that the costs requirement both adds to the bureaucracy around requests, and acts as a disincentive for people making requests. In order to collect the money, public bodies require the name, address and date of birth of all requesters.
In a post-communist society people remain wary of showing themselves, especially in causing potential trouble for the authorities.
In the USA, fees may be levied based on the amount of work required, as calculated by the public body receiving the FOI request.
Our friends at Muckrock highlight two cases where the costs would have been at levels far beyond the reach of ordinary requesters: $270,000 for details of contracts between the FBI and a contractor, and $452,000 for summary information on a mail surveillance program.
While we imagine that the cost structure would differ here in the UK, these cases serve as an extreme example of how, if bodies wish to, they can use restrictions to ensure that their information remains inaccessible.
A similar story comes from RightToKnow in Australia, who were stymied by this move when trying to investigate the treatment of immigrants in detention centres:
While the authorities did not simply refuse to respond to requests for information, they found a way to evade their duties, deciding that 85 varied requests (pertaining to different events and detention centres all across the country) could be counted as one. Then, having rolled them into a single request, they were able to declare that it fell under the banner of ‘an unreasonable amount of effort’ required to respond.
In Australia, the exact clause is “the work involved in processing the request would substantially and unreasonably divert the resources of the agency from its other operations”—and we’re told that this is one of the most-commonly used reasons for refusing access.
Sometimes it’s used fairly but more often than not it’s used by agencies to interpret the request in such a way as to create the “practical refusal reason”.
In the UK, we’re looking at a lowering of the threshold for requests to be refused because of cost, which equates to the effort, or manhours, involved.
Fees are not applicable across all kinds of request in Australia, but where they are, they can be used in a way that’s contrary to the spirit of the law:
At the state level there are application fees across every state and territory (except the ACT). RightToKnow has a number of examples where it appears agencies are deliberately using application fees to frustrate requesters.
The Spanish site Tu Derecho A Saber tells us that costs and bureaucratic processes have a severely dampening effect on the number of citizens who are willing to make requests. They draw a parallel with WhatDoTheyKnow: in our first year of operation, we processed over 19,000 FOI requests. But in the same time period, Tu Derecho A Saber saw just 3,400 requests.
Spain’s FOI law also protects internal discussions, along with drafts, communications and papers considered before writing up any regulation.
They’re also fighting against a general lack of adherence to the FOI laws by public bodies. The result of all of these impediments? A drop in the number of requests processed, which have gone from 160 a week, to around 6.
Inevitably such restrictions have an effect on how FOI is perceived:
Frustration makes people see FOI laws as useless or too relaxed.
- In Israel, requests are limited to whatever can be gathered within four hours’ work. This effectively limits responses to information which has already been prepared.
- In Ukraine, the ability to mark information as ‘for internal use only’, and a highly bureaucratic system for making requests, led to a culture of concealed corruption.
Why this matters
But there are wider implications, too. At AlaveteliCon, we learned that other countries look to the UK (and WhatDoTheyKnow) as a shining example of how things could be. Any change in our laws will have an effect far beyond our own boundaries.
If we’re to keep what, as became evident when we listened to the stories of others, for all its faults is a world-class FOI system, we need to take action now. See below for how you can do that.
Changes to the UK Freedom of Information Act are not a foregone conclusion. We can win the fight against the proposed restrictions — and we have examples to prove it.
At AlaveteliCon the Freedom of Information technologies conference, we heard of successful protests in:
Australia and Uruguay, where bodies were obliged to accept requests via email
Hungary, where the government’s attempts to label requests as ‘vexatious’ was overturned
If you feel strongly that your right to information should not be impeded, check these simple actions you can take right now.
1. If you have 60 seconds: sign a petition
Sign the 38 Degrees petition to Protect FOI laws.
If you’re a journalist, you can sign the Hands Off FOI petition, too.
2. If you have 5 minutes, write to your MP
Use WriteToThem.com to tell your MP why Freedom of Information is important and how restrictions would affect you, or society as a whole.
3. If you have 10 minutes, submit an FOI story
SaveFOI are collecting stories of how Freedom of Information has made a difference to individuals and organisations. Here’s how to contribute.
Ireland: Brad Herman; Germany: Roger Matthewes; Hungary: Xavi; Czech Republic: Abejorro34; USA Hien Nguyen; Australia: Andrea Ferrera; Spain: Javi Muro; Elsewhere: Ilya Grigorik; Why this matters: Anders Sandberg; Successes: Joãokẽdal (all CC)