The Cabinet Office and FOI

On 2 June 2015 the ICO issued an enforcement notice to the Department of Finance and Personnel for Northern Ireland (DFPNI) that ordered them to answer four outstanding freedom of information requests that are over six months old. This was only the 4th such notice that the ICO has issued relating to poor FOI performance and the first FOI enforcement notice that the ICO has issued since 2010.

The ICO doesn’t publish a set of criteria that it uses to decide whether it is appropriate to issue an enforcement notice, but taking this latest notice as a guide, it seems that the Cabinet Office would almost certainly qualify. Here is a list of 12 FOI requests made via WhatDoTheyKnow where the Cabinet Office seems to be over 500 working days late in responding. In each case, the Cabinet Office has acknowledged receipt of the request:

  1. On 6 April 2010 a request was made asking for information about specific items of Cabinet Office spending. The Cabinet Office acknowledged receipt on 12 April 2010. This request remains unanswered and a response is now 1,268 working days late.
  2. On 26 May 2010 a request was made asking for information about the cost of rebranding government buildings following the 2010 General Election. The Cabinet Office acknowledged receipt on 2 June 2010. This request remains unanswered and a response is now 1,234 working days late.
  3. On 25 June 2010 a request was made asking for information about open source software use by the Cabinet Office. The Cabinet Office acknowledged receipt on 29 June 2010. This request remains unanswered and a response is now 1,213 working days late.
  4. On 19 August 2010 a request was made asking for information about the Cabinet Office’s receipts and spending budgets for 2009 and 2010. The Cabinet Office acknowledged receipt on 24 August 2010. This request remains unanswered and a response is now 1,176 working days late.
  5. On 27 October 2010 a request was made asking for information about the 2010 IT project review. The Cabinet Office acknowledged receipt on 29 October 2010. This request remains unanswered and a response is now 1,127 working days late.
  6. On 24 December 2010 a request was made asking for information about various Cabinet Office services. The Cabinet Office acknowledged receipt on 4 January 2011 and wrote to the requester on 8 February 2011 to say that they hoped to respond to the request “shortly”. This request remains unanswered and a response is now 1,086 working days late.
  7. On 13 February 2011 a request was made asking for information about spending on first class rail travel. The Cabinet Office acknowledged receipt on 14 February 2011 and wrote to the requester on 19 April 2011 to say that they were working on the request and would let the requester have a response “in due course”. On 23 May 2011 they started an internal review to investigate why their response was delayed. Both the request and the internal review remain unanswered and a response is now 1,054 working days late.
  8. On 1 August 2011 a request was made asking for various information about Civil Service Learning. The Cabinet Office acknowledged receipt on 2 August 2011. This request remains unanswered and a response is now 942 working days late.
  9. On 24 August 2011 a request was made asking for information about radiation monitoring around the UK. The Cabinet Office failed to acknowledge receipt. On 21 October 2011 they wrote to the requester to say that the request had not been logged on the day it was received due to an “unfortunate administrative error”, but that the request had now been “assigned to the relevant department” and that it was “being dealt with swiftly”. This request remains unanswered and a response is now 926 working days late.
  10. On 11 October 2011 a request was made asking for information regarding the decision to separate the roles of Cabinet Secretary and Head of the Civil Service. The Cabinet Office acknowledged receipt on 12 October 2011. This request remains unanswered and a response is now 892 working days late.
  11. On 10 February 2012 a request was made asking for the minutes of the Cabinet Sub-Committee on Devolution Scotland, Wales and the Regions. The Cabinet Office acknowledged receipt on 13 February 2012. This request remains unanswered and a response is now 809 working days late.
  12. On 29 April 2013 a request was made asking for information about FOI requests relating to Bradford and Bingley. The Cabinet Office acknowledged receipt on 29 April 2013 and wrote on 31 May 2013 to say that they hoped to respond by 26 June 2013. This request remains unanswered and a response is now 529 working days late.

Of course, some of these requests may have been responded to outwith WhatDoTheyKnow, but there is no evidence to suggest that this is the case. It seems certain that there will be many other requests made using other channels where a response will also be significantly overdue.

The issue of the Cabinet Office’s poor timeliness is not a new one (see these posts for more examples), and yet the ICO is still reluctant to take meaningful action. The ICO are certainly well aware of the problems that FOI requesters have in trying to get the Cabinet Office to respond to requests, as these recent decision notices demonstrate:

  1. FS50569096, issued on 26 May 2015, relates to a request for information about the number of honours awarded to serving civil servants made on 15 June 2014. The ICO noted that “By the date of this notice the Cabinet Office had yet to provide a substantive response to the request.” The response to this request was at least 213 working days late.
  2. FS50573978, issued on 18 May 2015, relates to a request for the phone number of the unit/department within the Cabinet Office responsible for handling FOI requests made on 7 February 2015. The ICO noted that “By the date of this decision notice the Cabinet Office has still not issued a response to the request, despite the Commissioner also having notified it of the details of this complaint on 30 March, 17 April and 27 April 2015.” This request remains unanswered and a response is now 62 working days late.
  3. FS50565962, issued on 8 April 2015, relates to a request about the Cabinet Office’s work with the Behavioural Insights Team made on 29 October 2014. The ICO noted that “At the time of writing the CO had failed to respond substantively to the request.” The response to this request was at least 188 working days late.
  4. FS50566237, issued on 18 March 2015, relates to a request for information about the Public Duty Costs Allowance made on 31 October 2014. The ICO noted that “Three further prompts from the complainant sent to the Cabinet Office on 26 December 2014, 1 January 2015 and 23 January 2015 have failed to elicit any response. To date, a substantive response to the request has not been issued.” The response to this request was at least 73 working days late.
  5. FS50565672, issued on 25 February 2015, relates to a request for information about the Carr Inquiry made on 16 October 2014. The ICO noted that “The Commissioner contacted the Cabinet Office on 5 January 2015 and asked it to provide the complainant with a response to his request within the next 10 working days” but “The complainant contacted the Commissioner on 22 January and again on 9 February 2015, to confirm that he had not received a response to his request.” Despite this request by the Commissioner, as of the date of the decision notice, no substantive response had been provided. The response to this request was at least 69 working days late.
  6. FS50559560, issued on 25 February 2015, refers to a request for information about awards or titles relating to Cyril Smith made on 28 April 2014. The ICO noted that “By the date of this notice the Cabinet Office had yet to provide a substantive response to the request.” The response to this request was at least 186 working days late.

Perhaps part of the problem is that the current Information Commissioner considers decision notices to be meaningful enforcement action even in cases where there are systematic problems and even where multiple DNs have already been issued. Perhaps a lack of funding for FOI enforcement is to blame. None of this, however, explains why the Cabinet Office can continue to get away with it when the DFPNI cannot. Whatever the reason, I think that it will take a change of Commissioner and a change of attitude in Wilmslow before we see anything done and I fear that this website will not need updating for some time to come.

Data loss incidents.

A few weeks ago, I was fortunate enough to be invited to travel to Madrid to share my experiences as a WhatDoTheyKnow volunteer with those who are running their own online FOI sites around the world. Listening to the stories and experiences of all those present was inspiring – their enthusiasm was infectious. One of the topics that came up was the sort of takedown requests that we have to deal with in the UK, and in particular, a number of people spoke to me about instances where public authorities had released personal data in error.

WhatDoTheyKnow (WDTK) does not yet have a public takedown log. I would very much like to see one published. Until then, and in order to paint a picture of the type of data loss incidents that we’ve had to deal with, I’ve compiled my own list of cases where personal data has been released in error. I am publishing below, in a purely personal capacity, a list of 50 such cases that have remained stuck in my mind:

  1. A local council accidentally included car number plate information belonging to 31,378 people who had been issued with parking tickets in a PDF file.
  2. A local council included the names of 75 pupils who had been excluded from local schools in an Excel spreadsheet in error. This meant that other information about them was no longer properly anonymised.
  3. The same local council later accidentally published sensitive personal information about 1,395 children who had had contact with the authority’s social services department. This included the children’s names and information about the reason for the contact e.g. it was suspected that they had been abused.
  4. The same local council also accidentally included the names of 275 council tenants in a spreadsheet, along with other personal information about them.
  5. A local council included sensitive personal data relating to 15,573 individuals in an Excel spreadsheet in error. This included names, addresses, and housing benefit information, along with information about their gender, ethnicity, sexuality and any disability.
  6. A mental health trust accidentally included information in an Excel spreadsheet that could have led to 1,260 patients deemed at risk of suicide being identified.
  7. On a separate occasion, the same trust again included information in an Excel spreadsheet in error that could have led to 647 patients being identified.
  8. A police force included names and offence details of 188 individuals who had been arrested for indecent assault in an Excel spreadsheet.
  9. A local council sent a PDF file containing highly sensitive medical information about an applicant for supported housing in response to an FOI request.
  10. A university included student numbers and other personal information belonging to over 16,000 students in an Excel spreadsheet by mistake.
  11. A police force published the names of over 2,400 police officers who had been the subject of complaints over a two-year period. This information was left in an Excel spreadsheet in error.
  12. A local council included sensitive personal data about 78 children who had been taken into care in an Excel spreadsheet. This included their full names and details about whether they had been victims of abuse or neglect.
  13. A local council accidentally released sensitive personal data relating to 2,376 housing tenants, including their full name, sexuality, ethnicity, age, address, and other information about their circumstances. The information was included in an Excel spreadsheet and no attempt had been made to redact it.
  14. On a previous occasion, the same local council released sensitive personal data belonging to ten individuals who they had decided had made themselves intentionally homeless. The information was again included in an Excel spreadsheet in error. The affected data fields were the same. There have been a further three instances where this council has sent personal data to WhatDoTheyKnow in error.
  15. An NHS trust did not realise that personally identifiable information belonging to over 8,000 patients had been cached by Excel when responding to a request about cancelled operations.
  16. A local council accidentally included the names of 6,781 individuals who had made compensation claims against it in an Excel spreadsheet. The spreadsheet also included details of payouts that they had received and the reasons for the compensation claims being made.
  17. A local council accidentally included the full names of 1,135 applicants for council housing in an Excel spreadsheet. No attempt to redact the information had been made. The spreadsheet also contained details of the outcomes of these applications, housing reference numbers, the dates that the applications were made and the dates which the Council expected the applicants to be made homeless.
  18. An NDPB answered a subject access request via WhatDoTheyKnow. They made no attempt to confirm the identity of the applicant.
  19. A local council accidentally included the name and other sensitive personal data of staff who had been investigated due to child protection concerns in an Excel spreadsheet.
  20. A local council released the names and dates of birth of 810 children who had been taken into care, along with details about why the children had been taken into care. Again, the information had been included in an Excel spreadsheet in error.
  21. A police force released the names and addresses of people who had received speeding tickets. No attempt at redaction had been made.
  22. An executive agency released a PDF document containing the name of a person who it is alleged was sexually assaulted whilst a minor. The document also included names and addresses of offenders and some victims, along with descriptions of charges. No redaction attempt had been made.
  23. The same executive agency sent court papers to a WhatDoTheyKnow request address in error. The correspondence had nothing to do with the original FOI request.
  24. An NHS trust did not realise that the surnames, patient ID numbers and NHS numbers of 488 heart patients had been included in an Excel spreadsheet that they provided in response to a request for general statistics. The spreadsheet contained very detailed descriptions of the surgery that each patient had received.
  25. A university failed to redact the names of staff involved in vivisection from a PDF file. The university believed this would place those individuals at a high risk of harm.
  26. A university combined their response to an FOI request with a response to a subject access request made outside of the site. The university did not take any steps to confirm the identity of the requester.
  27. A police force included the personal information of victims of sex trafficking and possible suspects in an Excel spreadsheet in error.
  28. The same police force had earlier released sensitive personal information belonging to 262 police officers in error. This information was also contained in an Excel spreadsheet.
  29. An executive agency failed to realise that the names and case details of asylum seekers were included in the cache of an Excel spreadsheet that it released in response to a request.
  30. A police force sent an attachment unrelated to the request about disclosing information on named or identifiable children in response to a court order.
  31. A government department released sensitive personal data belonging to 160 convicted criminals in error. The information had been included in an Excel spreadsheet in error.
  32. A local council included the personal data of 50 consultants employed by the council’s social services department in an Excel spreadsheet in error. As well as names and addresses, the spreadsheet also included details of the outcomes of CRB checks.
  33. A local council released full names, gender, age, ethnicity and client ID of 3,023 applicants for council housing who applied to the council between May 2010 and March 2014, as well as details of the outcomes of their applications. The information was contained in hidden columns in an Excel spreadsheet.
  34. An NHS trust released an Excel spreadsheet that contained the sensitive personal data of 2,302 employees. The information had been cached within the document when the trust had used it to create a pivot table.
  35. A local council made the same mistake and accidentally released personal data belonging to more than 800 members of its staff.
  36. Another local council failed to realise that sensitive personal data concerning the health of named employees had been included in an Excel spreadsheet that they released. This information had again been cached when creating a pivot table.
  37. A local council released data on fees for residential care for younger adults in an Excel spreadsheet that was sufficiently detailed that there was a real risk of individuals being identified.
  38. An NHS trust included medical information about the requester in their response to that individual’s request. The Trust took no steps to verify that the requester was the same person as their patient.
  39. A local council sent an unredacted copy of complaints made to the Standards Committee in error when replying to a request for minutes. The reports contained sensitive personal data belonging to complainants, as well as their names, addresses and email addresses.
  40. An independent executive NDPB accidentally included the names of people who had made complaints against police officers in a response to a request.
  41. An NHS trust failed to properly redact a PDF file that they sent in response to a request allowing sensitive personal information belonging to 7 patients to be easily viewed. The unredacted text could simply be copied from behind the black boxes and pasted into a fresh document.
  42. A local council failed to realise that sensitive personal data belonging to 40 autistic children had been cached by Microsoft Excel when they created a pivot table. The information included details of their school placements and their full dates of birth.
  43. A local council accidentally included sensitive personal data relating to 70 employees who had been made redundant in an Excel spreadsheet.
  44. An NHS trust accidentally released the names and care details relating to 255 children. The information had been cached when they created a pivot table in an Excel spreadsheet and included medical information and details of any disabilities that the children had.
  45. A local council sent highly sensitive personal information belonging to a child in their care to a WDTK email address in error. This information was completely unrelated to the original request.
  46. A local council sent a scanned complaint form relating to a social work case to a WDTK email address by mistake. No attempt had been made to redact the document, which contained sensitive personal data belonging to 3 individuals.
  47. A local council accidentally included personal information belonging to 619 members of staff in an Excel spreadsheet, some of which was sensitive personal data. The document contained over 47,500 hidden rows of data.
  48. A local council accidentally published the names, National Insurance numbers, dates of birth and salary information of 732 employees.
  49. A local council did not realise that the names of 726 people who had been issued a fixed penalty notice for littering had been cached by Microsoft Excel when they created a pivot table. The document also included full details of each case.
  50. A local council accidentally included sensitive personal information belonging to 130 care users in an Excel spreadsheet. The information included their names, ages, and information about the cost of their care.

The incidents above represent around a third of the number of data loss incidents that I know about involving FOI responses sent to WhatDoTheyKnow. I fear that the number of such incidents occurring outside of WhatDoTheyKnow will inevitably be much higher still. Since I became a WhatDoTheyKnow volunteer, I have become much less trusting of anyone who is asking for my personal data and I no longer complete the optional diversity questions on forms. The very worst thing about most of the cases that I have described above is that the affected data subjects are usually some of the most vulnerable people in society, who have little choice but to share their information with the state in order to access essential services or to receive justice. They deserve better.

So to public authorities, please think for a moment before you click send. Please check that the file size of your Excel workbook is not significantly larger than you would expect. If you have imported data from an external data source or created a chart or pivot table, check that that data is not cached within the document. Check that you have not embedded any PDF files in your spreadsheet by accident. Know that hiding cells/rows/columns/sheets is not the same as proper redaction. Know that hidden cells can be unhidden with one click and that the passwords on protected sheets are just as easy to remove. Most of all, if the sensitive personal data of your service users is stored in a system that allows it to be easily exported by junior members of staff who don’t know to do all of the above… then do not be surprised to find your organisation on the next version of this list.
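
The checks in the paragraph above can be run automatically before a workbook leaves the building. The following is an added example, not part of the original post: it assumes the modern .xlsx format (a zip archive of XML parts), and the function names and the sample workbook are made up for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET  # for files you did not create, prefer defusedxml

M = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS = {"m": M}

def audit_xlsx(data: bytes) -> dict:
    """List content in an .xlsx (a zip of XML parts) that a recipient can recover."""
    found = {"hidden_sheets": [], "hidden_rows": 0, "hidden_cols": 0,
             "pivot_cache_records": 0, "external_link_caches": [],
             "embedded_files": [], "protected_sheets": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        workbook = ET.fromstring(z.read("xl/workbook.xml"))
        for sheet in workbook.findall("m:sheets/m:sheet", NS):
            if sheet.get("state") in ("hidden", "veryHidden"):
                found["hidden_sheets"].append(sheet.get("name"))
        for name in z.namelist():
            if re.fullmatch(r"xl/worksheets/[^/]+\.xml", name):
                root = ET.fromstring(z.read(name))
                for row in root.iter(f"{{{M}}}row"):
                    found["hidden_rows"] += row.get("hidden") in ("1", "true")
                for col in root.iter(f"{{{M}}}col"):  # one <col> spans min..max
                    if col.get("hidden") in ("1", "true"):
                        found["hidden_cols"] += int(col.get("max")) - int(col.get("min")) + 1
                if root.find("m:sheetProtection", NS) is not None:
                    found["protected_sheets"].append(name)  # protection is not redaction
            elif re.fullmatch(r"xl/pivotCache/pivotCacheRecords\d+\.xml", name):
                # Each <r> is a source row the pivot table copied into the file.
                records = ET.fromstring(z.read(name))
                found["pivot_cache_records"] += len(records.findall("m:r", NS))
            elif re.fullmatch(r"xl/externalLinks/[^/]+\.xml", name):
                found["external_link_caches"].append(name)  # cached external values
            elif name.startswith("xl/embeddings/"):
                found["embedded_files"].append(name)  # e.g. an embedded PDF
    return found

def safe_to_send(found: dict) -> bool:
    return not any(found.values())  # True only when every check came back empty

def sample_workbook() -> bytes:
    """Constructed sample with only the parts the audit reads; all values made up."""
    parts = {
        "xl/workbook.xml": f'<workbook xmlns="{M}"><sheets>'
                           '<sheet name="Summary" sheetId="1"/>'
                           '<sheet name="RawExport" sheetId="2" state="hidden"/>'
                           '</sheets></workbook>',
        "xl/worksheets/sheet1.xml": f'<worksheet xmlns="{M}">'
                                    '<cols><col min="3" max="5" hidden="1"/></cols>'
                                    '<sheetData><row r="1"/><row r="2" hidden="1"/></sheetData>'
                                    '<sheetProtection sheet="1"/></worksheet>',
        "xl/pivotCache/pivotCacheRecords1.xml": f'<pivotCacheRecords xmlns="{M}">'
                                                '<r><s v="Person A"/></r><r><s v="Person B"/></r>'
                                                '</pivotCacheRecords>',
        "xl/embeddings/oleObject1.bin": "constructed placeholder bytes",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()

if __name__ == "__main__":
    print(audit_xlsx(sample_workbook()))
```

A workbook that fails any of these checks is better re-exported as a fresh file containing only the cells meant for release than cleaned up in place.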