1. Using WhatDoTheyKnow to uncover how schoolchildren’s data was used to support the Hostile Environment

    Freedom of Information forms the basis of many a campaign that seeks to expose hidden facts, or stories which should be in the public eye.

    We spoke to Jen Persson, Director of defenddigitalme, about that organisation’s tireless campaign to get to the truth on the collection, handling and re-use of schoolchildren’s personal data in England.

    What emerged was a timeline of requests and responses — sometimes hard fought for — which when pieced together reveal secrecy, bad practice and some outright falsehoods from the authorities to whom we entrust our children’s data. Perhaps most striking of the findings was the sharing of data with the Home Office in support of their Hostile Environment policy.

    As Jen describes defenddigitalme’s campaign, “It began with trying to understand how my daughter’s personal information is used by the Department for Education; it became a campaign to get the use of 23 million records made safe”.

    It’s a long tale, but definitely worth the read.

    December 2012: consultations and changes

    The story begins here, although it would still be a couple of years before Jen became aware of the issues around children’s data, “despite — or perhaps because of — having three young children in school at the time”.

    Why did no one at all seem to know where millions of children’s personal data was being sent out to, or why, or for how long?

    As Jen explains, “During the Christmas holidays, the Department for Education (DfE) announced a consultation about changing data laws on how nationally stored school pupil records could be used, proposing that individual pupil-level records could be given away to third parties, including commercial companies, journalists, charities, and researchers. Campaigners raised alarm bells, pointing out that the personal data would be highly identifying, sensitive, and insecure — but the changes went through nonetheless.”

    2014: discovering the power of FOI

    Jen came across that change in law for herself when reading about a later, similar data issue in the press: there were plans to also make available medical records from GP practices. This prompted her first foray into FOI, “to answer some of the questions I had about the plans, which weren’t being published”.

    I feel strongly that if I am going to ask for information which has a cost in time and capacity in the public sector, then it should mean the answers become available to everyone.

    And that first step got her thinking:

    “At around the same time I asked the DfE a simple question, albeit through a Subject Access rather than FOI request: What personal data do you hold about my own child?

    “My Subject Access request was refused. The Department for Education would not tell me what data they held about my children, and as importantly, could not tell me who they had given it to.

    “There was nothing at all in the public domain about this database the DfE held, beyond what the campaigners in 2012 had exposed. It wasn’t even clear how big it was. How was it governed? Who decided where data could be sent out to and why? How was it audited and what were the accountability mechanisms? And why was the DfE refusing its lawful obligations to tell me what they held about my daughter, let me correct errors, and know where it had gone? Why did no one at all seem to know where millions of children’s personal data was being sent out to, or why, or for how long?

    “Prior to all this, I’d never even heard of Freedom of Information. But I knew that there was something wrong and unjust about commercial companies and journalists being able to access more personal data about our children than we could ourselves.

    I worded some questions badly. I learned how to write them better. And I’m still learning.

    “I needed to understand how the database operated in order to challenge it. I needed to be able to offer an evidenced and alternative view of what could be better, and why. FOI was the only way to start to obtain information that was in the public interest.

    “I believed it should be published in the public domain. WhatDoTheyKnow is brilliant at that. I feel strongly that if I am going to ask for information which has a cost in time and capacity in the public sector, then it should mean the answers become available to everyone.”

    And so Jen went on a crash course to learn about FOI, reading books by Heather Brookes and Matthew Burgess, and WhatDoTheyKnow’s own guidance pages.

    “I tried to ask for information I knew existed or should exist, that would support the reasons for the changes we needed in data handling. I worded some questions badly. I learned how to write them better. And I’m still learning.”

    2015: sharing children’s personal data with newspapers

    That was just the beginning: at the time of writing, Jen has made over 80 FOI requests in public via WhatDoTheyKnow.com .

    Through FOI, defenddigitalme has discovered who has had access to the data about millions of individuals, and under what precepts, finding such astonishing rationales as: “The Daily Telegraph requested pupil-level data and so suppression was not applicable.” The publication “wished to factor in the different types of pupil” attending different schools.

    Jen explains: “This covered information on pupil characteristics related to prior attainment: gender, ethnic group, language group, free school meal eligibility (often used as a proxy for poverty indicators) and SEN (Special Educational Needs and disability) status, which were deemed by the Department to be appropriate as these are seen as important factors in levels of pupil attainment.”

    But with such granular detail, anonymity would be lost and the DfE were relying only on “cast iron assurances” that the Telegraph would not use the data to identify individuals.

    2016: sharing children’s nationality data with the Home Office

    In a Written Question put by Caroline Lucas in Parliament in July 2016, the Minister for Education was asked whether the Home Office would access this newly collected nationality data. He stated: “the data will be collected solely for the Department’s internal use […]. There are currently no plans to share the data with other government departments unless we are legally required to do so.”

    But on the contrary: defenddigitalme’s subsequent requests would disclose that there was already a data sharing agreement to hand over data on nationality to the Home Office, for the purposes of immigration enforcement and to support the Hostile Environment policy.

    Jen says: “As part of our ongoing questions about the types of users of the school census data, we’d asked whether the Home Office or police were recipients of pupil data, because it wasn’t recorded in the public registry of data recipients.

    The Home Office had requested data about dependents of parents or guardians suspected of being in the country without leave to remain.

    “In August 2016, a FOI response did confirm that the Home Office was indeed accessing national pupil data; but to get to the full extent of the issue, we had to ask follow up questions. They had said that “since April 2012, the Home Office has submitted 20 requests for information to the National Pupil Database. Of these 18 were granted and 2 were refused as the NPD did not contain the information requested.

    “But the reply did not indicate how many people each request was for. And sure enough, when we asked for the detail, we found the requests were for hundreds of people at a time. Only later again, did we get told that each request could be for a maximum agreed 1,500 individuals, a policy set out in an agreement between the Departments which had started in 2015, in secret.

    “In the October afternoon of the very same day as the school census was collecting nationality data for the first time, this response confirmed that the Home Office had access to previously collected school census pupil data including name, home and school address: “The nature of all requests from the Police and the Home Office is to search for specific individuals in the National Pupil Database and to return the latest address and/or school information held where a match is found in the NPD.”

    The Home Office had requested data about dependents of parents or guardians suspected of being in the country without leave to remain.

    “In December 2016, after much intervention by MPs, including leaked letters, and FOI requests by both us and — we later learned —  by journalists at Schools Week, the government published the data sharing agreement that they had in place and that was being used”.

    It had been amended in October 2016 to remove the line on nationality data, and allowed the data to be matched with Home Office information. It had also been planned to deprioritise the children of those without leave to remain when allocating school places, shocking opposition MPs who described the plan variously as “a grubby little idea” and, simply, “disgusting”.

    Other campaigners joined the efforts as facts started to come into the public domain. A coalition of charities and child rights advocates formed under the umbrella organisation of Against Borders for Children, and Liberty would go on to support them in preparing a judicial review. ABC organised a successful public boycott, and parents and teachers supplied samples of forms that schools were using, some asking for only non-white British pupils to provide information.

    Overall, nationality was not returned for more than a quarter of pupils.

    2017: behind the policy making

    Through further requests defenddigitalme learned that the highly controversial decision to collect nationality and country of birth from children in schools — which came into effect from the autumn of 2016 — had been made in 2015. Furthermore, it had been signed off by a little known board which, crucially, had been kept in the dark.

    “I’d been told by attendees of the Star Chamber Scrutiny Board meeting that they had not been informed that the Home Office was already getting access to pupil data when they were asked to sign off the new nationality data collection, and they were not told that this new data would be passed on for Home Office purposes, either. That matters in my opinion, because law-making relies on accountability to ensure that decisions are just. It can’t be built on lies”, says Jen.

    The process of getting hold of the minutes from that significant meeting took a year.

    Jen says, “We went all the way through the appeals process, from the first Internal Review, then a complaint to the Information Commissioner. The ICO had issued a Decision Notice that meant the DfE should provide the information, but when they still refused the next step was the Information Rights First Tier Tribunal.

    “Two weeks before the court hearing due, the DfE eventually withdrew its appeal and provided some of the information in November 2017. Volunteers helped us with preparation of the paperwork, including folk from the Campaign for Freedom for Information. It was important that the ICO’s decision was respected.”

    2018: raised awareness

    In April last year, the Department confirmed that Nationality and Country of Birth must no longer be collected for school census purposes.

    However, Jen says, “Children’s data, collected for the purposes of education, are still being shared monthly for the purposes of the Hostile Environment. There’s a verbal promise that the nationality data won’t be passed over, but since the government’s recent introduction of the Immigration Bill 2018 and immigration exemption in the Data Protection Act, I have little trust in the department’s ability in the face of Home Office pressure, to be able to keep those promises.

    “The Bill includes a blanket sweeping away of privacy rights, highlighted by the 3 Million campaign, again thanks to FOI: Every EU citizen applying for Settled Status to accept its Privacy Policy that allows it to share all data with “public and private sector organisations in the UK and overseas.”

    “Disappointingly”, says Jen, “the government has decided instead of respecting human rights to data protection and privacy on this, to create new laws to work around them.

    The direction of travel for change to manage data for good, is the right one.

    “It’s wrong to misuse data collected for one purpose and on one legal basis entrusted for children’s education, for something punitive. We need children in education, it’s in their best interests and those of our wider society. Everyone needs to be able to trust the system.

    “That’s why we support Against Borders for Children’s call to delete the nationality data.

    “A positive overall outcome, however”, she continues, “is that in May 2018, the Department for Education put the sharing of all pupil level data on hold while they moved towards a new Secure Access model, based on the so-called ‘5-Safes’. The intention is distribute access to data with third parties, not distribute the data itself. The Department resumed data sharing in September but with new policies on data governance, working hard to make pupil data safer and meet ‘user needs’. The direction of travel for change to manage data for good, is the right one.”

    2019: Defenddigitalme continues to campaign

    Defenddigitalme has come a long way, but they won’t stop campaigning yet.

    People working with FOI is really important, even and perhaps especially when it doesn’t make the press, but provides better facts, knowledge, and understanding.

    Jen says, “Raw data is still distributed to third parties, and Subject Access, where I started, is still a real challenge.

    “The Department is handing out sensitive data, but can’t easily let you see all of it, or make corrections, or tell you which bodies for sure it was given to. Still, that shouldn’t put people off asking about their own or their child’s record, or opting out of the use of their individual record for over 14s and adult learners, and demand respect for their rights, and better policy and practice. The biggest change needed is that people should be told where their data goes, who uses it for how long, and why.

    “Access to how government functions and the freedom of the press to be able to reveal and report on that is vital to keep the checks and balances on systems we cannot see. We rely on a strong civil service to work in the best interests of the country and all its people and uphold human rights and the rule of law, regardless of the colour of government or their own beliefs. People working with FOI is really important, even and perhaps especially when it doesn’t make the press, but provides better facts, knowledge, and understanding.

    “FOI can bring about greater transparency and accountability of policy and decision making. It’s then up to all of us to decide how to use that information, and act on it if the public are being misled, if decisions are unjust, or policy and practice that are hidden will be harmful to the public, not only those deciding what the public interest is.

    “WhatDoTheyKnow is a really useful tool in that. Long may it flourish.”

  2. Now you’re even more secure on FixMyStreet

    All mySociety websites have strong security: when you think about some of the data we’re entrusted with (people’s private correspondence with their MPs, through WriteToThem, is perhaps the most extreme example, but many of our websites also rely on us storing your email address and other personal information) then you’ll easily understand why robust privacy and security measures are built into all our systems from the very beginning.

    We’ve recently upped these even more for FixMyStreet. Like everyone else, we’ve been checking our systems and policies ahead of the implementation of the new General Data Protection Regulation in May, and this helped us see a few areas where we could tighten things up.

    Privacy

    A common request from our users is that we remove their name from a report they made on FixMyStreet: either they didn’t realise that it would be published on the site, or they’ve changed their mind about it. Note that when you submit your report, there’s a box which you can uncheck if you would like your report to be anonymous:

    FixMyStreet remembers your preference and applies it the next time you make a report.

    In any case, now users can anonymise their own reports, either singly or all at once. When you’re logged in, just go to any of your reports and click ‘hide my name’. You’ll see both options:

    report of puddles on the undercliff walk on FixMyStreet

    Security

    Security for users was already very good, but with the following improvements it can be considered excellent!

    • All passwords are now checked against a list of the 577,000 most common choices, and any that appear in this list are not allowed.
    • Passwords must now also be of a minimum length.
    • If you change your password, you have to input the previous one in order to authorise the change. Those who haven’t previously used a password (since it is possible to make a report without creating an account), will receive a confirmation email to ensure the request has come from the email address given.
    • FixMyStreet passwords are hashed with an algorithm called bcrypt, which has a built in ‘work factor’ that can be increased as computers get faster. We’ve bumped this up.
    • Admins can now log a user out of all their sessions. This could be useful for example in the case of a user who has logged in via a public computer and is concerned that others may be able to access their account; or for staff admin who share devices.


    Image: Timothy Muza (Unsplash)

     

     

     

     

  3. UK public bodies accidentally release private data at least once a fortnight

    Private data, containing personal details of the general public, is accidentally released by public authorities at least once a fortnight, say mySociety.

    The volunteer team behind WhatDoTheyKnow, mySociety’s freedom of information website, have dealt with 154 accidental data leaks made by bodies such as councils, government departments and other public authorities since 2009, and these are likely to represent only the tip of the iceberg.

    On the basis of this evidence, we are again issuing an urgent call for public authorities everywhere to tighten up their procedures.

    How WhatDoTheyKnow works

    Under the Freedom of Information act, anyone in the UK may request information from a public body.

    WhatDoTheyKnow makes the process of filing an FOI request very easy: users can do so online. The site publishes the requests and their responses, creating a public archive of information.

    Public authorities operate under a code of conduct that requires personal information is removed or anonymised before data is released: for example, while a request for the number of people on a council housing waiting list may be calculated from a list including names, addresses and the reason for housing need, the information provided should not include those details.

    Accidental data releases become particularly problematic when the data requested concerns the details of potentially vulnerable people.

    Hidden data is not always hidden

    When users request information through WhatDoTheyKnow, it’s often provided in the form of an Excel spreadsheet. But unfortunately, private data is sometimes included on those spreadsheets, usually because the staff member who provides it doesn’t understand how to anonymise it effectively.

    For example, data which is in hidden tabs, or pivot tables, can be revealed by anyone who has basic spreadsheet knowledge, with just a couple of clicks.

    By its very nature, data held by our public authorities can be extremely sensitive: imagine, for example, lists of people on a child protection register, lists of people who receive benefits, or as happened back in 2012, a list of all council housing applicants, including each person’s name and sexuality.

    Our latest warning is triggered by an incident earlier this month, in which Northamptonshire County Council accidentally published data on over 1,400 children, including their names, addresses, religion and SEN status. Thanks to the exceptionally fast work of both the requester and the WhatDoTheyKnow volunteers, it was removed within just a few hours of publication, and the incident has been reported to the Information Commissioner’s Office. Concerned residents should contact the ICO or the council itself.

    Advice for FOI officers

    Back in June 2013, we set out the advice that we think every FOI officer should know. That advice still stands:

    • Don’t release Excel pivot tables created from spreadsheets containing personal information, as the source data is likely to be still present in the Excel file.
    • Ensure those within an organisation who are responsible for anonymising data for release have the technical competence to fulfil their roles.
    • Check the file sizes. If a file is a lot bigger than it ought to be, it could be that there are thousands of rows of data still present in it that you don’t want to release.
    • Consider preparing information in a plain text format, eg. CSV, so you can review the contents of the file before release.

    Part of a larger picture

    Not every FOI request is made through WhatDoTheyKnow—many people will send their requests directly to the public authority. Moreover, we can only react to the breaches that we are aware of: there are, in all probability, far more which remain undiscovered.

    But because of WhatDoTheyKnow’s policy of making information accessible to all, by publishing it on the site, it’s now possible to see what an endemic problem this kind of treatment of personal data is.

    When we come across incidents like these, we act very rapidly to remove the personal information. We then inform the public authority who provided the response. We encourage them to self-report to the Information Commissioner’s Office, and where the data loss is very serious, we may make an additional report ourselves.

    Image: Iain Hinchliffe (CC)

  4. Another private data leak, this time by Hackney Council

    News has just hit the press of a leak of a significant amount of private data by Hackney Council in a Freedom of Information response to our WhatDoTheyKnow website.

    This is a problem we have been warning about for some time. Islington Council were fined £70,000 for a similar incident in 2012. In light of this fresh incident we again urge all public authorities to take care when preparing data for release.

    Note: we understand all affected residents should have received a letter from Hackney Council. If you have any concerns please contact them or the Information Commissioner’s Office.

    As with the Islington incident, the information was in parts of an Excel spreadsheet that were not immediately visible. It was automatically published on 14th November when Hackney Council sent it in response to a Freedom of Information request, as part of the normal operation of the WhatDoTheyKnow website. All requests sent via the website make it clear that this will happen.

    This particular breach involved a new kind of hidden information we hadn’t seen before – the released spreadsheet had previously been linked to another spreadsheet containing the private information, and the private information had been cached in the “Named Range” data in the released spreadsheet.

    Although it was not straightforward to access the information directly using Excel, it was directly visible using other Windows programs such as Notepad. It had also been indexed by Google and some of it was displayed in their search previews.

    The breach was first hit upon by one of the data subjects searching for their own name. When they contacted us on 25th November to ask about this, one of our volunteers, Richard, realised what had happened. He immediately hid the information from public view and notified the council.

    We did not receive any substantive response from the council and therefore contacted them again on 3rd December. The council had investigated the original report but not understood the problem, and were in fact preparing to send a new copy of the information to the WhatDoTheyKnow site, which would have caused the breach to be repeated.

    We reiterated what we had found and advised them to consult with IT experts within their organisation. The next day, 4th December, we sent them a further notification of what had happened, copying the Information Commissioner’s Office (ICO). As far as we are aware, this was the first time the ICO was informed of the breach.

    From our point of view it is very disappointing that these incidents are still happening. Freedom of Information requests made via WhatDoTheyKnow are a small fraction of all requests, so it is very likely that this kind of error happens many more times in private responses to requesters, without the public authority ever becoming aware.

    Our earlier blog post has several tips for avoiding this problem. These tips include using CSV format to release spreadsheets, and checking that file sizes are consistent with the intended release. Either of these approaches would have averted this particular breach.

    We would also urge the ICO to do as much as possible to educate authorities about this issue.

  5. Simply Secure: launching a new brand in just four weeks

    Simply Secure Simply Secure is a new organisation, dedicated to finding ways to improve online security – in ways so accessible and useful that there will be no barrier to their use.

    It will bring together developers, UX experts, researchers, designers and, crucially, end users. The plan is to ensure the availability of security and privacy tools that aren’t just robust – they’ll be actively pleasing to use.

    Fascinating stuff

    Now, you may be thinking that online privacy and security aren’t the most fascinating subject – but this month, the chances are that you’ve actually been discussing it down the pub or with your Facebook friends.

    Remember the iCloud story, where celebrities’ personal photographs were taken from supposedly secure cloud storage and put online? Yes, that. If you uttered an opinion about how those celebrities could have kept their images more safely, you’ve been nattering about online security.

    Simply Secure  is founded on the belief that we’d all like privacy and security online, but that up until now, solutions have been too cumbersome and not user-centred enough. When implementing them becomes a hassle, even technically-literate people will choose usability over security.

    How we helped

    Simply Secure knew what their proposition was: now we needed to package this up into a brand for them. Crucially, it needed to transmit a playful yet serious message to launch the organisation to the world – within just four weeks.

    Our designer Martin developed all the necessary branding and illustration. He created a look and feel that would be carried across not just Simply Secure’s website, but into the real world, on stickers and decoration for the launch event.

    Meanwhile, mySociety Senior Consultant Mike helped with content, page layout and structure, all optimised to speak directly to key audience groups.

    Down at the coding end of things, our developer Liz ensured that we handed over a project that could be maintained with little to no cost or effort, and extended as the organisation’s purpose evolves.

    “mySociety are brilliant to work with. They did in a month what I’ve seen others do in six, and they did it better” – Sara “Scout” Sinclair Brody, Simply Secure

    What did the client think? In their own words: “We approached [mySociety] with a rush job to build a site for a complex and new effort.

    “They were able to distill meaning from our shaky and stippled examples, and create something that demonstrated skill not only as designers and web architects, but as people able to grasp nuanced and complicated concepts and turn those into workable, representative interfaces”.

    Always good to hear!

    Something different

    People who know mySociety’s work might have noticed that we don’t typically work on purely content-driven sites. Generally we opt to focus on making interactions simple, and data engaging, so why did we go ahead with the Simply Secure project?

    Well, there were a couple of factors. Firstly, we genuinely think that this will become an invaluable service for every user of the internet, and as an organisation which puts usability above all else, we wanted to be involved.

    Second, we believe in the people behind the project. Some of them are friends of mySociety’s, going back some time, and we feel pretty confident that any project they’re involved in will do good things, resulting in a more secure internet for everyone.

    Take a look

    Simply Secure launches today. We’ll be checking back in a couple of months to report on how it’s going.

    For now, do yourself a favour and visit Simply Secure now. If you have expertise or opinions in any area of online privacy and security, why not get involved?

  6. mySociety response to the Heartbleed security incident

    You may have heard that a widespread security problem – ‘Heartbleed’ – has been found that affects a large proportion of all websites on the Internet.

    Here is one of the many explanations about the nature of the problem.

    Members of the mySociety team have reviewed our potential exposure to the vulnerability.

    We have no indication that our sites have been attacked, or that any information has been stolen, but the nature of the vulnerability would make an attack difficult to detect, and we prefer to be reasonably cautious.

    What does this mean for you? The advice from around the web has been for people to change passwords, especially on sites they use that contain a lot of very important information (e.g. your email account).

    We think the risk that passwords have been compromised is low, but as changing passwords occasionally is always a good idea anyway, now might be a good time.

    For those of you interested in the technical detail of our response, we have:

     

    • Upgraded the SSL software
    • Installed new SSL certificates based on a new private key
    • Revoked the old SSL certificates
    • Replaced the secrets used for security purposes in the affected sites
    • Removed active sessions on affected sites, so that users will need to log in again
    • Required that users with administrative access to affected sites reset their passwords
    • Required that staff users reset their passwords
    • Notified affected commercial clients so that they can take appropriate action
  7. A Private Data Leak by Islington Council – mySociety’s Statement

    The local press in Islington has just reported the accidental release of quite a bit of sensitive personal data by Islington council.

    One of our volunteers, Helen, was responsible for spotting that Islington had made this mistake, and so we feel it is appropriate to set out a summary of what happened, to inform journalists and citizens who may be interested.

    Note – Concerned residents should contact Islington Council or the Information Commissioner’s Office.

    On 27th May a user of our WhatDoTheyKnow website raised an FOI request to Islington Borough Council. On the 26th June the council responded to the FOI request by sending three Excel workbooks. Unfortunately, these contained a considerable amount of accidentally released, private data about Islington residents. In one file the personal data was contained within a normal spreadsheet, in the two other workbooks the personal data was contained on four hidden sheets.

    All requests and responses sent via WhatDoTheyKnow are automatically published online without any human intervention – this is the key feature that makes this site both valuable and popular. So these Excel workbooks went instantly onto the public web, where they seem to have attracted little attention – our logs suggest 7 downloads in total.

    Shortly after sending out these files, someone within the the council tried to delete the first email using Microsoft Outlook’s ‘recall’ feature. As most readers are probably aware – normal emails sent across the internet cannot be remotely removed using the recall function, so this first mail, containing sensitive information in both plain sight and in (trivially) hidden forms remained online.

    Unfortunately, this wasn’t the only mistake on the 26th June. A short while later, the council sent a ‘replacement’ FOI response that still contained a large amount of personal information, this time in the form of hidden Excel tabs. As you can see from this page on the Microsoft site , uncovering such tabs takes seconds, and only basic computer skills.

    At no point on or after the 26th June did we receive any notification from Islington (or anyone else) that problematic information had been released not once, but twice, even though all mails sent via WhatDoTheyKnow make it clear that replies are published automatically online. Had we been told we would have been able to remove the information quickly.

    It was only by sheer good fortune that our volunteer Helen happened to stumble across these documents some weeks later, and she handled the situation wonderfully, immediately hiding the data, asking Google to clear their cache, and alerting the rest of mySociety to the situation. This happened on the 14th July, a Saturday, and over the weekend mySociety staff, volunteers and trustees swung into action to formulate a plan.

    The next working day, Monday 16th July, we alerted both Islington and the ICO about what had happened with an extremely detailed timeline.

    The personal data released by Islington Borough Council relates to 2,376 individuals/families who have made applications for council housing or are council tenants, and includes everything from name to sexuality. It is for the ICO, not mySociety, to evaluate what sort of harm may have resulted from this release, but we felt it was important to be clear about the details of this incident.

  8. Harassment problem leads to FOI strangeness

    Today we have a strange story about a department that appears to think that it has a duty not to release information under FOI if it makes people angry.

    It all starts in January 2009 the Department for Children, Schools and Families (DCSF) appointed an expert by the name of Graham Badman to conduct a review of elective home education in England. It probably goes without saying that this is an issue far from our concerns, and an issue that mySociety has no views on – what makes us interested is the process that followed.

    Shortly after the publication of the report, Elaine Walton, a user of mySociety’s freedom of information website WhatDoTheyKnow.com requested copies of communications between the Department for Children, Schools and Families and Nektus Ltd. the company through which it appears Mr Badman was paid for his work.

    According to email replies to Ms Walton, the DCSF located two relevant invoices which show how much money was paid, but refused to disclose them.  Strangely, though, they were not refused on grounds of commercial confidentiality, but rather on something more unusual. Here are the exemptions they cited:

    • Section 40 – Personal Information
    • Section 38 – Health and safety

    Health and Safety? A little investigation reveals more.

    When Ms Walton appealed against this decision, an internal review was carried out within the DSCF.  The internal review’s findings stated that Mr Badman was likely become a victim of harassment if certain personal details were made public, hence a health and safety concern, and hence no publication of these invoices. Fair enough – nobody would be in favour of revealing private, sensitive information that would endanger anyone’s life or family, especially in the presence of a known threat.  But take a look at this:

    “That the Department had initially been drafting a response that included the release of invoices with only personal data redacted. But before the draft was complete it was apparent that there was a campaign of harassment and vilification against Graham Badman and other individuals/organisations that had contributed to the Report. In the light of this, at the weekly review meeting of FOI cases, it was considered that the balance of public interest might have shifted towards withholding.”

    What is very curious here is the admission that the department had been thinking of releasing the invoices with personal data hidden (ie no home address, bank details etc).  But then because of a campaign of harassment, it was decided that they wouldn’t publish anything at all. So not just no personal information, but no dates, no amounts of money, nothing.

    What is so unease-making about this FOI decision is that it appears to be saying that departments may conceal information on how much public money has been spent on something because releasing that information will make some angry people even angrier. Surely this can’t be right – if it were every budget would be conducted in complete secrecy. We would encourage the Information Commissioner’s Office to take a look.

  9. Behind the Scenes at WhatDoTheyKnow

    mySociety’s Freedom of Information website WhatDoTheyKnow is designed to appear simple and straightforward to users. That appearance belies the fact that behind the scenes a significant amount of effort goes into making sure both those making freedom of information requests and those answering them have a positive experience of the site. While the site is almost entirely automated sometimes human involvement is necessary. This article highlights those key “edge cases” which are dealt with by the staff and volunteers who make up the WhatDoTheyKnow team.

    In the last year 15,233 freedom of information requests have been made via WhatDoTheyKnow.

    Message Delivery
    444 messages on 360 requests (2.3%) had to be manually placed on the correct request as a result of authorities not sending replies to the email address given. The errors are introduced as authorities apparently manually transcribe email addresses from incoming email into correspondence management systems. There have been suggestions some may even print out and scan-in emails into such systems. WhatDoTheyKnow’s code has been improved in light of experience, common errors are now detected automatically and in many cases the system suggests which request the message was intended to be directed to.

    In terms of outgoing messages just 52 (0.3%) requests over the course of the year were marked as receiving an error message in response and users marked 94 (0.6%) as requiring administrator attention. These are generally either transient errors which simply require a message to be resent or prompt us to check and update the contact details we hold for a particular organisation. Regularly there are problems with authority’s spam filters and we have to encourage them to change the way their filters are set up to allow messages from WhatDoTheyKnow.com through.

    Gone Postal
    119 (0.8%) requests were at some point marked as “Handled by Post”. In many of these cases users eventually persuaded authorities to release the information in electronic form. Where information is supplied outside the site users can add annotations describing the information released, then can link to copies of the data they have posted online, or as has been done in respect of 14 requests (0.1% of the total, 11% of those handled by post) they can supply the information to WhatDoTheyKnow to upload manually. When the site was being designed there was a worry that authorities would reply to many requests by post. This has not occurred, in part perhaps because the freedom of information act contains a provision (section 11) requiring the requestor’s preferred means of communication to be used where it is reasonable. A requestor using an @whatdotheyknow email address is clearly expressing a preference for a reply to be made electronically via the site.

    Libel
    One of the major challenges facing the site is keeping it operating in the face of the UK’s libel laws. Unlike in other countries, such as the US, we cannot publish statements on our users’ behalf without taking the risk of being sued for libel ourselves. Even simply republishing FOI responses from public authorities is not without risk in the UK. While we don’t actively police the site a lot of administrator time is taken up dealing with cases where potentially libelous or defamatory comments have been brought to our attention. Cases can be very complicated and involve a great deal of correspondence. mySociety is lucky to have the services of a specialist internet and technology barrister with expertise in libel who provides his services free of charge. We try and act in such a way as to maximise transparency while ensuring that the existence of WhatDoTheyKnow and mySociety are not threatened by legal risks.

    In the last year there have been only seven significant cases where requests have been hidden from public view on the site due to concerns relating to potential libel and defamation. Three of those cases have involved groups of twenty or so requests made by the same one or two users. While actual number of requests we have had to hide is around 70 (0.4% of the total) even this small fraction overstates the situation due to the repetition of the same potentially libellous accusations and comments in different requests. In all cases we have kept as much information up on the site as possible. Our policy with respect to all requests to remove information from the site is that we only take down information in exceptional circumstances; generally only when the law requires us to do so.

    Personal Information
    Sometimes people accidentally post personal information to the site; for example they make a request which is not a Freedom of Information request but a subject access request under the Data Protection Act. We are happy to remove such requests. On occasion we get requests from both our users and public sector employees asking us to remove their names from the site. As we are trying to build up a FOI archive we are very reluctant to remove information from the site, our policy is only to remove names in exceptional circumstances. Often information, such as an out of office reply, which a public body or civil servant considers irrelevant and asks to be removed is in fact critical to the correspondence thread and timeline of a response.

    Copyright and Control of Information Released
    The fact information is subject to copyright and restrictions on re-use does not exempt it from disclosure under the Freedom of Information Act (though there is a closely related exemption relating to “commercial interest”). Occasionally public bodies will offer to reply to a request, but in order to deter wider dissemination of the material they will refuse to reply via WhatDoTheyKnow.com. Southampton University have released information in protected PDF documents and the House of Commons has refused to release information via WhatDoTheyKnow.com which it has said it would be prepared to send to an individual directly.

    Mantaining and Expanding The List of Authorities
    WhatDoTheyKnow lists around 3,000 public authorities, there is a regular turnover of changes in contact details. Our coverage, while large, is not comprehensive so we have requests to add bodies such as parish councils, schools, and doctors surgeries which we have not yet attempted to add in a systemic manner based on official sources of information.

    We have also had to carefully consider what we do when for handling the various situations where an authority becomes defunct and its responsibilities are taken over by another body for example as a result of reorganisations of local government and the creation and merging of government departments.

    Providing Advice and Assistance
    The team at WhatDoTheyKnow.com often provide advice to users. We encourage users to keep their requests focused so as to reduce the chance of any problems due to libel or requests being classed vexatious. On occasion we suggest appropriate authorities for users to direct requests to, provide advice to those unhappy with the response to their request, and answer a broad range of other queries as they arise such as if particular bodies are subject to the act or not. Increasingly we link to authority’s publication schemes which are intended to let people know what information an authority has and how it can be accessed.

    Spam
    Lastly, like all websites which allow people to post content online WhatDoTheyKnow.com occasionally suffers from spam in various forms. Most is dealt with automatically but some has to be removed by hand. With spam, like the other aspects of running the site, the site’s code and processes are constantly being developed and improved to reduce the fraction of cases requiring any manual intervention.

    This article was prompted in part by a team in New Zealand considering launching their own version on the site asking us what’s involved.

  10. TheyWorkForYou nothing to do with this sacked civil servant story

    Update: The Telegraph posted a retraction yesterday.

    You may have seen coverage on various websites saying that a civil servant was sacked after posting a comment on TheyWorkForYou.

    We’ve no idea what this story is about, but we’re pretty certain it has nothing whatsoever to do with TheyWorkForYou. No journalist bothered to contact us before running the story.

    • There is no comment on TheyWorkForYou containing the text quoted in that article, nor anything like it, nor has there ever been. Nor in fact (as we’ve checked), on HearFromYourMP, WriteToThem, or WhatDoTheyKnow.
    • Only one comment has been left on any contribution by Hazel Blears in 2009, and it’s definitely not related to this.
    • 27 comments were left on 13th May, the date the comment was apparently posted; we’ve read them all and they’re all nothing to do with this.

    So frankly, we’ve no idea what’s going on.

    What we do know is that the implication that mySociety would merrily hand over sensitive personal data that ends up in getting someone sacked, without fighting tooth and nail for their privacy every inch of the way, is a complete misinterpretation of the way we work and the things we hold most dear. No-one has ever contacted us to ask us to hand over such data, nor have we ever done so.

    We think what might have happened is a simple mis-remembering of the website that contained the problematic comment. We’re hoping to get in touch with Lisa Greenwood so we can get full details before asking the various media companies that have run with this for a correction.