Thursday, 20 June 2013

End of year report

I attended the ICO annual report launch in London today and it was a good event. There was a different mix of sectors there which I’ve not experienced at other, more practitioner focussed conferences, including plenty of legal firms and private sector organisations.

The question and answer session following the presentation gave a level of interaction and immediacy that the 2012 video presentation obviously lacked. This allowed a dialogue with journalists regarding the CQC story, meaning the report was presented in the context of the latest issues (see the excellent Information Rights and Wrongs blog for a thoughtful DP perspective on CQC).

Every annual report is in some ways a spin or a narrative. Yet I still think the slides after slides of numbers gave a fairly rounded picture: the ICO is, like any other public sector organisation, struggling with funding cuts and juggling resources. The future is also far from certain. Proposed notification changes in the new DP regulation fundamentally challenge the ICO’s funding model and realistically question the ICO’s future without some serious government support.

The ICO do sometimes get a bit of a battering from campaigners, particularly around FOI enforcement. But I think a bit of credit is due for the speed in turning complaints round, as volume increases and resources shrink, to timescales unrecognisable from those of 3-4 years ago. And this in a context of Freedom of Information getting around only a quarter of the funding that Data Protection gets. 

I was a little disappointed in the dismissive statement that local authorities are making a 'pig's ear' of Data Protection. LAs are one of the soft targets against which the ICO can claim to talk tough around enforcement, whilst everyone knows more formidable Data Controllers lurk in the private sector that the ICO are either unwilling or unable to take on in a really effective way. 

But overall a good event and a thumbs up for the ICO. Some interesting points that I scribbled down from the presentations:
  • Guidance documents, which are a real ICO strength, were added or updated at the rate of around one a week in the last year
  • Their own FOIA compliance is good: 98% compliance from 1700 requests a year, which is a big number for a public authority of the ICO’s size
  • As Chris Graham noted, the ICO is sometimes a convenient punch bag for politicians, ignoring ICO action or recommendations on the press and the construction blacklist until it suited them to do so 
  • Whilst I sometimes feel I exist in a fairly small world of FOI/DP ‘geeks’, the DP and PECR enforcement on cold calling / spam texting reaches a much wider world of consumers. 150,000 complaints about this area shows that the public is getting increasingly informed about how to act and who to ask
  • 10-15% of the complaints regarding Cookies came from people hating the way that it has affected their web experience, which provoked a chuckle from those present 

Tuesday, 14 May 2013

The new exemption


The Intellectual Property Bill includes a commitment to develop a 'research data' exemption in the Freedom of Information Act. This outcome is a big success for Universities as a result of their lobbying both at the time of the Protection of Freedoms Bill and in the FOI post-legislative scrutiny.

I think that the exemption is good for Universities and researchers. It provides flexibility and scope for a University to make reasoned, evidence based arguments about how disclosure may prejudice research outcomes or dissemination. 

One could also say that, to an extent, the exemption is good news for FOI campaigners. This exemption does not provide a ‘magic bullet’ to exempt all research data. The public interest will apply and there will be sets of research data that might not fit the criteria as drafted.

There are also wider contexts in academia away from FOIA, where the 'open access' issue is a vital parallel development. The new research exemption also adds another driver for Universities to continue their work on research data management, data management plans and approaches to making research data available.

As leading information law blogger FOIMan noted on Twitter this morning, the new clause mirrors Section 27 (2) of the Freedom of Information (Scotland) Act, which has had a research data exemption since its inception. It is notable that this exemption has never been tested in a Decision Notice. 

I checked a few of the England / Wales ICO Decision Notices around research data and the outcomes have been varied. I'm not sure what difference the new exemption would have made to the outcome of any of them.

1. The QUB 'tree ring data' request is one of the most famous early DNs for Universities. Firstly, this was eventually treated under EIR which has no research exemption. The closest to S22, and therefore the new research exemption, is Regulation 12(4)(d) – unfinished or incomplete information. The ICO was unconvinced:

...the Commissioner considers that the exception at regulation 12(4)(d) cannot be applied in this way. QUB has advised that the raw data was collected over a period of 40 years, and is now being used for research. This does not suggest to the Commissioner that the data is unfinished or incomplete, rather that, whilst the research utilising this data is ongoing i.e. the analysis of the data, the data itself has already been collected and is therefore not unfinished or incomplete. (Para 49)
  
The new exemption's reference to 'ongoing programmes of research' may mean that research could be withheld in similar scenarios. But research data that includes ‘environmental information’ as defined in Section 2 of EIR may be caught in somewhat of a loophole.

2. A more recent DN involved a request for data used to produce a report into “Alcohol Involved Deaths”, which was withheld under Section 41. The date of future publication was therefore irrelevant. This case shows that other exemptions (personal data, information provided in confidence, commercial interest) will still apply to research data and will probably provide a stronger basis for not disclosing in many cases.

3. This request concerned chronic fatigue syndrome research data. Section 22 was claimed and the ICO agreed it was engaged. The Commissioner, however, felt the public interest favoured disclosure. This would arguably still apply even if the s22 'research data' clause was engaged, as it remains a qualified exemption.

The ICO will now have to revisit and update its guidance for Higher Education and for Section 22. 

NOTE - I’ve blogged previously on FOI and research data and Universities and FOI 

Tuesday, 15 May 2012

The thawing effect? – the ICO and Universities


Apologies for not having posted anything on this blog for ages. I have been writing at various points here and here, and matters as diverse as EU cookie legislation and Huddersfield Town’s promotion push have been dominating my thoughts.

The FOIA post-legislative scrutiny sessions close this week.

From a Universities perspective, as it stands, there are both positives and negatives.

On the negative side, the MOJ memorandum barely mentioned Universities and the unique characteristics of the University / FOI experience - research data, public/private funding - may not get the legislative amendments at this stage. The ICO has been dismissive, both in print and in his own verbal evidence to the committee, of the Universities' case.

On the positive side, I think that the keen participation in the process has raised awareness of some of the more University-specific challenges in terms of the Act. This may be resulting in a more sympathetic ear from the ICO in Decision Notices (DNs) going forward, especially as the ICO’s position on Universities is that the current exemptions are sufficient.

They will now have to prove this and three recent DNs bear this out. They concern research data and course material, fundamental areas for Universities and FOI.

Research data
The discussion around ‘draft research’ in this DN from February 2012 is a good start:

The Commissioner considers that whilst there is a strong public interest in the disclosure of information which could further public understanding of climate change, the University has provided very strong arguments to demonstrate that disclosure of the information withheld in relation to point 1 of the request would have a significant chilling effect upon the sharing of draft research in the peer review process. The Commissioner considers that as the withheld draft in this case is significantly different to the later published version this adds considerable weight to this argument and therefore adds significant weight to the public interest in favour of maintaining the exception. (Para. 44)

This request and decision notice was conducted under the Environmental Information Regulations 2004 (EIR), which some of the high profile research data request cases have been (the other example being ‘tree ring’ data at Queen’s University Belfast). EIR, of course, is not currently under scrutiny.

A request for research data made under Freedom of Information has been the subject of a DN from April 2012:

The complainant requested information which was used to produce a particular report entitled “Alcohol Involved Deaths”. Bangor University (‘the University’) refused to provide the information on the basis that it had been provided to it in confidence and it was therefore exempt under section 41(1) of the FOIA. The Commissioner’s decision is that the University correctly relied on section 41 of the FOIA for the non disclosure of the requested information. (Summary)

I think that UniversitiesUK is right to raise some of the specifics around research data. But, with a research data exemption unlikely any time soon, there is clearly still mileage in the exemptions we already have.

Course material
One of the other great worries for Universities and FOIA is the potential for course material to be requested. The DN involving the University of Central Lancashire (UCLAN) and ‘homeopathy’ course materials made a big impact on the University sector’s perception of FOIA. Yet a much newer DN from April 2012 finds the Information Commissioner upholding a University’s reliance on section 43 ‘Commercial interests’ to exempt the disclosure of course material. The nature of the courses in this DN is, in many ways, as distinct and specialist as the ‘homeopathy’ course in the UCLAN decision. Yet the following paragraph from the Decision Notice is likely to be a comfort to any University worried about FOIA and course material:

In this case the Information Commissioner is satisfied, for the reasons given above, that disclosure of the requested information would be likely to prejudice the commercial interests of the university. In particular, disclosure of the courses and modules (over which it held intellectual property rights) would provide competitors with a clearer picture of its teaching and delivery, and this would potentially damage the public authority’s position as a distinctive provider, with a consequent effect on its attractiveness to students. The exemption is therefore engaged. (Paragraph 19)

I would guess that the growth in private HE providers and a more competitive environment can only strengthen the Section 43 case for Universities in these cases.

Conclusion
It is part of the rhetoric of every FOI officer that the ICO will judge each case on its merits and the onus is on every public authority to demonstrate a strong ‘case’ for each exemption it applies.

However, these Decision Notices surely make encouraging reading for those in the University sector with concerns about FOIA. It is unlikely that they will make the headlines. The successful use of exemptions, in many cases examples of the act working well, rarely does.

They also tend to back up the ICO’s view that the existing exemptions may be appropriate, if effectively argued and evidenced – are Universities getting better at arguing their case? Could it be that the ICO is warming – slightly – to some of the FOIA concerns of the University sector?

Thursday, 10 November 2011

Clouds on the horizon

The Data Protection Act (DPA), in its current form, was made law in 1998. I didn't notice at the time. Well, that was the year The Good Will Out by Embrace was released, Peter Jackson was in charge of Town and I got my first email address, accessible through the green screen of, presumably, a UNIX operating system on a University network. Happy days.

Whilst I haven't listened to Embrace for ages, and even Peter Jackson's second stint as Town manager is years ago, the DPA is very much on my mind now. I like the DPA because, as one ICO rep said at a conference I went to, you can fit it on the back of a postcard. The EU may feel that the UK DPA is falling short, but I like the way the 8 principles can still ask tough questions of the current advances in technology.

With the advent of 'cloud computing', Data Protection is more relevant than ever. Though the way information is stored, shared and managed across the internet was unimaginable in 1998, I challenge anyone to argue that the first 7 of the 8 DP principles do not still apply to personal data held in the cloud. Whether my details are held by an organisation in a server room a mile away or a virtual server space on the other side of the world, I'd want them to be managed according to those 7 principles.

The 8th principle - Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data - is the crunch issue when it comes to cloud providers.

As information compliance officers we can often be cornered into a 'No, you can't do this' approach with DPA, when the Act should be an enabler - i.e. how to do it safely and properly - rather than a barrier to technical change. With that in mind, I attended the 'Data Protection Jurisdiction in Cloud Computing and International Data Transfers' lecture at the Institute of Advanced Legal Studies last week. The QMUL 'Cloud Legal' project is looking in depth at the DP issues around cloud computing.

The main conclusions I drew from it were that EU Data Protection law provides no easy answers to the cloud at the moment. The predictable fact that law moves slower than technology, coupled with a range of DP attitudes to the cloud amongst member states, means that there is no definitive 'DPA stance' on cloud computing.

However, this does not stop the consideration of the first 7 principles with any moves we might make into the cloud. The lecturers stressed the importance of contractual negotiations with providers, transparency around what is to be done with data effectively.

The move from the macro-approach ('all cloud is good/bad') to the micro ('how can this cloud provider enhance our services whilst managing our data effectively and efficiently') is crucial, especially as the instances of how cloud can work (user, integrator, solutions provider, provider, sub-provider, "lights out establishment") are so complex as to make any single position or stance problematic.

The US Patriot Act was mentioned, but whilst it is emblematic of EEA concerns around data, I think it is something of a red herring in this whole debate. After all, we'd be naive to assume that the exemptions Section 28 'National Security' and Section 29 'Crime and taxation' in the UK act did not implicitly enable the sharing of personal data with non-EEA states anyway. And have you seen The Bourne Ultimatum? I didn't see much consideration of DPA exemptions when they were hacking into CCTV and phone lines!

1998 was such a long time ago and whilst technology changes, principles often last. In terms of the cloud and DPA, let's not fixate on the eighth and lose sight of the other seven.

Thursday, 27 October 2011

Ask the archivist

In the last year, as a records manager, I've been increasingly drawn to the work of digital archivists. It's a vibrant global community where projects range from digitizing family photo albums to making priceless cultural treasures available online.

I sometimes look enviously at these projects. They are positive, cultural contributions that enrich and educate our society. Records managers, by necessity, often work in more prosaic areas. The really interesting 'culture' stuff we know we will have to pass to the archivist.

The digital archivist projects often involve a scenario where a collection has been deposited in a perilous electronic state - old electronic formats, no metadata on photographic records etc.
Whereas this is usually the beginning of the story for the archivist, I can never help thinking 'what did the records manager tell the owner of the collection when he created the records?' It has impressed on me the need to apply lessons learnt from archivists to inform how I advise my organisation on how they work today.

For example, I really liked the recent Signal blog post which discussed whether the digital record is an 'artifact' and 'information'. The illustrative examples were a medieval manuscript and a 'Copyright Office card catalog'. Part of the user experience with the medieval record, as well as reading the text, was to see how the manuscript was presented. Therefore the challenge was to create as accurate a digital image of the pages as possible. With the copyright cards, it was the information that was paramount. Optical Character Recognition (OCR) was scanned onto the cards to allow quick searching. The principle was that each record aims for a high 'information' score. The 'artifact' value, however, varies according to the nature of the record.

It made me think about simple scanning projects often carried out in organisations. There are some oppressive 'legal admissibility' standards out there (0008) which can often intimidate organisations so much they often keep the paper copies and their accompanying storage space (which loses half the intended benefits of the project) or don't undertake any scanning at all. In most cases with these records (invoices, forms, project documentation), the 'information' value is the key - the 'artifact' value is low. These records are often only likely to be kept for a finite period anyway, so why jump through hoops to ensure the shadow from the staple is authentic?

When we start to think about some of the more high-risk records (health, social care, educational) then the 'artifact' value rises - we do need to have a feel for the authenticity and integrity of a digital document. It is in these records that we need to invest the time. Traditionally these types of records are also kept for much longer, so the long-term preservation of the records needs to be a big part of the discussion at the scoping stage of the project. How many digital archivists get involved this early?

I get on well with our archivists and try and corner them for coffee every now and then to discuss our respective challenges. The good news is that I've collaborated on a little feasibility project bid regarding the long term preservation of electronic records. Luckily, we were successful. As Allabouttherecords is my personal blog, I've set up a separate blog for this project, which you can view here if you are interested.

Wednesday, 5 October 2011

Keeping records til Domesday...

The preservation of electronic records is one of the major challenges for records managers. The user expectation, intensified by Google, of instant access and retrieval of electronic information makes the old style 'request for file 2 in box C on shelf 3 in bay 16' seem like something from another world, akin to the workplace tobacco and scotch bottles in an episode of Mad Men.

And yet paper is much more resilient. I know that, if the building stays standing, file 2 in box C will still be accessible in 10 years' time. I can't say this with certainty about my blog, my tweets, my Word documents, my spreadsheets. I still have the floppy disks I did my thesis on but it would probably require a supplier search of 'JR Hartley Yellow Pages' proportions to find someone who could open the files. And would the format even be readable? Was it Word 95? Or - gulp - WordPerfect? My bound copy of the thesis, however, sits on my shelf impervious to technological change and threatened only by dust or toddlers with crayons.

What happened with the Domesday project is an excellent example of why these challenges need to be looked at with electronic records.

The Domesday Book, completed in 1086, was probably the most ambitious 'information audit' - to use the records management terminology - ever undertaken.

For the 900th anniversary of the Domesday book the BBC undertook a nationwide project to undertake a similar exercise. As a 'knights and castles' obsessed schoolboy at the time, I loved the Domesday projects we did at my primary school, knocking on village doors and interviewing residents. The results would be stored on fabulous new computer media. We would occasionally get a chance to glimpse the school's BBC computer but I'm not sure it was ever actually switched on while I was there.

The original 1086 Domesday book sits in the National Archive and will be quietly awaiting its 930th anniversary around the time of the Olympics in Rio. Anxieties about the obsolescence of the 1986 files grew, and in the early 2000s a massive project to convert them from their huge laser discs into a readable web based format ensued. In 2011 it was made largely accessible in a web based format. Until the next upgrade or major technical change...

Luckily, digital preservation issues are being debated and discussed across the globe and there are many useful blogs available. I'm a particular fan of Future Proof from Australia, which combines some good technical overviews with some useful posts about training and awareness. There are some excellent discussions on the University of London Digital Archiving Blog. I've just discovered the Library of Congress blog The Signal which has several posts a week from lots of contributors. The National Archives have some good generic guidance around digital continuity and are doing some interesting stuff around archiving Government websites. Practical E-Records is more on the technical side of things and has recently been posting some really interesting stuff on email preservation.

This issue is something that, as records managers, we need to keep working on. Especially important is the need for records managers to be the bridge between the user and the archive. Surely the whole thing needs to connect, not just when archivists find a collection on their doormats? Otherwise we're doomed. Or 'Domed', as the Normans would say.

Wednesday, 28 September 2011

'Right to know' day

Happy 'Right to Know' day. It's easy as an FOI officer to forget that you're part of a global network of people engaged in information rights. In many ways in this country we often take our Freedoms - not least that of information - for granted so it's worth observing.

The last month has seen a few notable Freedom of Information stories.

'Govegate' is still running and running so I'll hold back from any comment on this at the moment, save remembering the Daily Show's Jon Stewart's comment about Gordon Brown's 'Bigotgate' disaster: "Gate?! You don't get to call that gate!"

The Hillsborough petition brought FOI out of the compliance officer/campaigner dialogue and into the mainstream.

The Camden 'empty properties' tribunal decision has the feel of a 'landmark' in terms of local government FOI. Ultimately the case hung over the Tribunal's judgement in the public interest in the empty properties 'issue' being made higher profile by the disclosure of the property addresses. Does the disclosure of exact property addresses really advance the debate further in a way that the non-address-specific statistical data provided by Camden would not? I'm a bit sceptical about the outcome of this one.

And finally, just to show that the 'right to know' means requests of all shapes and sizes, I give you Decision Notice FS50384351. Someone asked the British Library for an electronic copy of a book. The BL rightly refused under section 21 exemption 'You can get it on Amazon/Information accessible to applicant by other means'. This must have been one of the quickest ICO decisions ever.