Central government’s sharing of Freedom of Information requester’s names doesn’t meet privacy standards and shouldn’t happen, the regulator has said.
When an FOI request is suspected of being sent to more than one department simultaneously it is added to a ’round robin list,’ with the name of the requester, and the request details, being shared with government departments and hundreds of staff.
Following a complaint the Information Commissioner’s Office, the data regulator, has said it doesn’t believe the sharing of names and personal information is “fully compliant with the Data Protection Act” (DPA).
In an email to this website the ICO said it’s “not satisfied” that those making requests are notified that their personal information is being processed – as required by the “first principle” of the DPA.
The ICO said:
“We do not consider the general public sufficiently aware of the Cabinet Offices’s circulation of the Round Robin list for it to be presumed that all requestors whose details are included on the Round Robin list are going to be aware of the Round Robin list and the possibility that their details may be both passed to the Cabinet Office by the public authority to whom they made their request, and then be added to the Round Robin list to then be circulated around particular public authorities.”
The Cabinet Office, which runs the list, must now reconsider how it works and come up with a way to appropriately inform requesters that their details may be shared on the list, the ICO has said. The ICO has asked the Cabinet Office to tell it of its new position.
It’s likely that government departments, which pass individual request details to the Cabinet Office to be included on the list, will have to inform the requester that their details will be shared on the list.
When the details of the list were made available last year FOI requester details were being sent to more than 70 government departments and organisations: these included the Prime Minister’s office, Foods Standards Agency, High Speed 2, and the Civil Aviation Authority.
The requests included questions on civil servants meeting with lobbyists, whistle blowing, the diaries of officials, and information on use of RIPA powers. 95 requests were passed between the bodies between March and April 2015.
Cabinet Office officials, in their discussions with the ICO, said it has “significantly reduced to include only core ministerial and non-ministerial departments”. The Office said it has considered, before and during its interaction with the ICO, whether the list is compliant with the DPA and believes it is. As well the government department says the list is needed so it can carry out its FOI oversight.
“In our view no prejudice will occur to the rights, freedoms, or legitimate interests of data subjects as a result of this practice,” it told the ICO.
It also conceded that it no longer includes the name and profession or employer of the person making it request when it is shared between departments; entries are also being removed from the list after “40 days”. Public authorities have 20 working days to respond to FOI requests.
Despite names and reduction in list size the ICO still said it wants the Cabinet Office to “revisit the fair processing measures in place around the Round Robin list”.
The ICO’s full response on the issue:
Our aim is to improve information rights practices. We do this by taking an overview of all concerns that are raised about an organisation with a view to improving its compliance with the Data Protection Act 1998 (‘the DPA’).
We cannot look into every concern we receive. We will put most of our effort into dealing with matters we think give us the best opportunity to make a significant difference to an organisation’s information rights practices.
Depending on the circumstances, we may give an organisation advice about handling personal information, provide guidance, or ask it to review its procedures.
Please see our website for further information:
We initially approached the MOJ about your concern in November 2015. The MOJ responded to us, promptly, advising that we should approach the CO instead, as the CO had taken responsibility for the Round Robin list – as part of the supervision of the functioning of the FOIA – since July 2015 and many of the relevant MOJ staff had moved with the transfer of responsibilities between the departments. A delay of around 3 months then elapsed before we then approached the CO over your concern in early February 2016, we apologise for this delay.
In February 2016 we approached the CO over your concern. We received the CO’s response on 21 April 2016. We also apologise for the time it has then taken us to fully consider the CO’s response and revert back to you.
In response to our approach, the CO considered the data protection compliance of the Round Robin list.
The CO considers the Round Robin list an essential part of the oversight (by the CO) of the functioning of the FOIA across central government. The list relates specifically to FOIA requests that are sent, by the applicant, to multiple public authorities. It explains that:
“Departments are asked to send details of such requests to the Cabinet Office for inclusion in the round robin list. This is circulated on a daily basis to help departments meet their obligations under FOIA. Departments need to be made aware that such requests exist (i.e. so they are aware that a request they have received has been sent to other departments), and who has received them, so they can discuss how best to approach them in a FOIA-compliant and appropriately consistent way. The list also helps departments with policy interests in particular issues identify those FOI requests about which they may want to offer guidance to other departments, and to ensure that information is not inappropriately withheld or disclosed by a department that is not aware a) that the request has been sent to other departments, or b) that the information sought, while perhaps not immediately obviously sensitive to one department, may be particularly sensitive for another department’s policy interests.”
In relation to whether the processing of peoples’ personal data by way of the Round Robin list is fair the CO submits that: “The Cabinet Office’s
(and before it the Ministry of Justice’s) coordinating role in central government FOI compliance is commonly known. Therefore where an applicant submits the same request to a range of departments or where departments have a common interest in the information subject to a request, it would reasonable for the applicant to expect departments to discuss them; the round robin list facilitates such discussion.”
The CO is of the view that the processing of personal data involved in the Round Robin list falls within the terms of Paragraph 6(1) of Schedule 2 of the DPA.
The CO has recently taken specific time to consider the DPA compliance of the Round Robin list. It explains: “Following the transfer of responsibility for FOI to the Cabinet Office (and prior to Mr Burgess’s complaint), we considered whether this practice was compliant with our obligations under the DPA, and came to the view that it was. As part of these deliberations, we considered whether it is necessary to include requesters’ names on the list circulated. In order to test this point, we trialled a new version of the round robin list which did not include applicants’ names, instead identifying the requests only by the text of their requests. This was unsuccessful. Departments were not able to identify the cases they had received easily, as the requester’s name is the most basic feature common to a request no matter which department has received it. Departments found that this change severely limited the usefulness of the round robin list. One department explained to us that it had increased the time necessary to read the list and cross reference to their current cases from a few minutes to over an hour. It is imperative that departments engage fully with the round robin list to ensure that the Cabinet Office’s oversight function is carried out effectively. As a result, a decision was taken to maintain the practice of including the requester’s name in the round robin list. We consider that this is necessary for the effective operation of the FOI Act oversight within central government, which is a legitmate interest pursued by the Cabinet Office and recipients of the list. We do not consider that this practice constitutes an unwarranted interference with the rights of the data subjects. In our view no prejudice will occur to the rights, freedoms, or legitimate interests of data subjects as a result of this practice. The purpose of the list is not to single particular requests or requesters out for special treatment, but simply to help central government departments comply with their obligations under the FOI Act.”
In relation to the circulation of the Round Robin list amongst relevant public authorities, the CO went onto advise that: “The circulation list has been significantly reduced to include only core ministerial and non-ministerial departments. We will also now only include the requester’s name and not, as occasionally occurred before, their profession or employer. Entries are removed from the list after 40 days.”
Having considered the CO’s response, we are not of the opinion that the processing being considered in this case is fully compliant with the DPA in relation to the requirements of the first data protection principle .
In particular, we are not satisfied that the current arrangements satisfy the ‘first principle’ requirement set out in Paragraph 2 of Part II of Schedule 1 of the DPA. This is the requirement that individuals be notified at the commencement of the processing, or a suitable point soon afterwards, of the processing of their personal data and the identity of the data controller.
We do not consider the general public sufficiently aware of the CO’s circulation of the Round Robin list for it to be presumed that all requestors whose details are included on the Round Robin list are going to be aware of the Round Robin list and the possibility that their details may be both passed to the CO by the public authority to whom they made their request, and then be added to the Round Robin list to then be circulated around particular public authorities.
We have therefore asked the CO to revisit the fair processing measures in place around the Round Robin list. We have expressed the opinion that we consider it likely to be necessary for the public authorities – when notifying the CO of requests for inclusion on the Round Robin list – to inform the requestor, in the PA’s acknowledgment of the FOIA request involved, of the passing of the details of the request to the CO for inclusion on the Round Robin list, as then circulated to other public authorities.
It is now the CO’s responsibility to explain to us how it intends to improve its information rights practices in this area.
We will write to you further once we have received the CO’s response to our assessment of its compliance with the DPA.