I’m writing this post in a purely personal capacity and these views are entirely my own and do not constitute the opinions of WhatDoTheyKnow, MySociety Ltd or associated entities. Now that that’s been cleared up, on with the post.
As you may know, Brighton and Hove city council use a MySociety developed system called FOI Register to process FOI requests. This product has its roots in the Alaveteli software, with the idea being that requests and responses made to the Council are published instantly online on their site as well as on WhatDoTheyKnow. This has a number of advantages, including reducing the number of duplicate requests by making information that has been disclosed searchable and removing the temptation that authorities have to only publish responses that are not embarrassing or controversial. This attempt at greater transparency from the Council is to be applauded and it certainly makes a refreshing change from the rarely updated & scarcely populated disclosure logs that you will see from some other authorities. And yet…
Last Sunday I asked for the link between Brighton’s service and WhatDoTheyKnow to be severed. It seems that Brighton & Hove have been publishing the names of FOI requesters who had asked to remain anonymous on their site, and worse, appear to have been uploading the private information of individuals who had decided to make a request to them direct via email. This information was in turn sent automatically to WhatDoTheyKnow. Since becoming aware of this issue I have had to redact personal information from over 130 “anonymous” requests that contained personally identifiable information.
In terms of those who chose to use Brighton’s FOI site, they had not ticked the box to opt in to having their name publicly displayed and so can not be said to have consented to this. Those who contacted the council directly would have had no expectation that their data would be made public in this way and certainly would not expect to find their contact information on WhatDoTheyKnow, which is a third party service.
Last year in response to a similar practice by Staffordshire County Council the ICO said the following (which I agree with):
“Individuals who make freedom of information requests must have their details handled fairly. Many people who have made a request would not expect to have their name linked to published details of the request they have made. If a public authority is considering releasing this information then they must consider why publishing the requester’s name is necessary.”
“While there is a need for authorities to be transparent about the freedom of information process, in most cases this would not extend to revealing names. […]
“At the very least people should be told that their details will be published and given the opportunity to explain to the council why their name should not be disclosed. If having raised it with the authority a person is not happy with the way their details have been handled then we may be able to help.”
In Brighton’s case, their website does not carry an adequate privacy notice. Users of the service are presented with a tick box on the webform labeled “publish my name” next to which is written:
If you choose to publish your name, it will appear online in association with this request and may show up in search engine results.
Ticking this box does result in the requester’s name being hidden, but only if they have not included it in the body of their request. At no point are requesters told that the request itself will be made public either on Brighton’s site or on WhatDoTheyKnow. This has lead to the situation where “anonymous” requests have been displayed on WhatDoTheyKnow as having been made by an “anonymous user” despite the requester’s name, postal address, email and phone number being contained in the body of the request. Other “anonymous” requests have contained information taken directly from email signatures, and have contained messages such as “sent from my iphone”, leading me to believe that these are requests made outside of the FOI Register system. Brighton’s internal guidance states that this information needs to be be removed before publication, but this is not happening in every case.
In addition, whilst looking into this issue I came across a spreadsheet containing large amounts of personal data belonging to very junior employees of the council that had been sent in response to a request in error. This is far from the first time that the council had leaked information in that way. In June 2012 they released a spreadsheet containing the names, ethnicity information, SEN status and other sensitive personal information belonging to children who have been excluded from schools in the area. In March 2014 they released a spreadsheet containing the full names, gender, ethnicity, nationality and other case details of almost 1,400 children who had had contact with the council’s social services department since 2008. In April 2015 they released a spreadsheet containing the full names and addresses of hundreds of housing tenants and their children along with benefit information. This from a council who the ICO made sign an undertaking following an incident in 2011 where an employee’s salary information was emailed to over 2000 council workers by accident.
I do not know if the Council informed the ICO of these incidents or notified the affected data subjects given the risk of harm that the publication of this information could cause. I personally would have liked to see WhatDoTheyKnow report at least two of the incidents, but this was neither discussed properly at the time nor done.
In looking into this issue I came across numerous examples where the Council had redacted information on their own system, yet had not sought to have the same information removed from WhatDoTheyKnow. They have also had possession of a detailed list of over 125 instances where they are continuing to publish the personal information of requesters on their website for over 48 hours now, yet they have still failed to redact the majority of this information. I can not understand why this is the case.
In light of the above, the fact that Brighton’s FOI system is still automatically publishing new requests on WhatDoTheyKnow irks me greatly, though I appreciate that it might not be the easiest thing to switch off. This issue is ongoing and I personally believe very strongly that WhatDoTheyKnow should not be publishing any more until the Council can show that they take the issue of user privacy seriously. This is something that MySociety has always been very strong on in the past, which makes the disappointment that I feel about this even deeper.
As previously stated, the idea behind the system is a good one, but are there changes that could be made to prevent this? There is an argument for implementing a tech solution that delays publication of requests until someone has checked them, but in the vast majority of the cases I have found, someone at the council has read and responded to the request yet not redacted the personal information, so even this would not help. Another alternative would be not to offer the chance for a request to be made anonymously using the system. This would bring it into line with WhatDoTheyKnow where users must use their names to ask for information, and the word public is repeatedly used to ensure that users are clear about what will happen when they make a request. The problem with this approach is that there are situations where individuals have good reason for not wanting their names linked publicly with a particular question or topic and as such, a way of asking for information without their name being linked to it must remain available. This also would not prevent Brighton and Hove’s practice of importing information from outside of the system.
Perhaps the real answer is to simply to ensure that the system is used in a responsible manner.
UPDATE 23/07: The request form is now much improved and makes it much clearer that the request will be public. https://foi.brighton-hove.gov.uk/requests/new. The council removed the remaining personal information from the anonymous requests this afternoon.