BAILII is celebrating 24 years of free online access to the law! Would you consider making a contribution?
No donation is too small. If every visitor before 31 December gives just £1, it will have a significant impact on BAILII's ability to continue providing free access to the law.
Thank you very much for your support!
 |
[Home] [Databases] [World Law] [Multidatabase Search] [Help] [Feedback] | |
United Kingdom Information Tribunal including the National Security Appeals Panel |
||
|
You are here: BAILII >> Databases >> United Kingdom Information Tribunal including the National Security Appeals Panel >> King v Department for Work and Pensions [2008] UKIT EA_2007_0085 (20 March 2008) URL: http://www.bailii.org/uk/cases/UKIT/2008/EA_2007_0085.html Cite as: [2008] UKIT EA_2007_85, [2008] UKIT EA_2007_0085 |
||
[New search] [Printable PDF version] [Help]
|
|
||
|
|
||
|
Information Tribunal Appeal
Number: EA/2007/0085
Information Commissioner’s
Ref: FS50140350
Heard at Procession House,
London, EC4 Decision
Promulgated
On 21ST February
2008
20th March
2008
BEFORE
CHAIRMAN
Fiona
Henderson
And
LAY MEMBERS
Paul Taylor
And
Steven Shaw BETWEEN MR. M. P. KING
Appellant
and
THE INFORMATION COMMISSIONER Respondent and
DEPARTMENT FOR WORK AND PENSIONS Additional Party Decision
The Tribunal allows the appeal in
part and substitutes the following decision notice in place of the decision notice dated 14TH August 2007. |
||
|
|
||
|
1 |
||
|
|
||
|
|
||
|
|
||
|
Appeal Number: EA/2007/0085
SUBSTITUTED DECISION
NOTICE
Dated 18th March 2008 Public authority:
Department for Work and Pensions
Address of Public authority:
The Adelphi,
1-11 John Adam
Street,
London WC2N
6HT
Name of Complainant: Mr. M. P. King
The Substituted Decision
For the reasons set out in the
Tribunal’s determination, Decision Notice
FS50140350 is amended to the following extent by substituting the paragraphs set out below for those in the original Decision Notice: 29 Whilst much of the information
withheld is outside the scope of Mr
King’s request, some of the information withheld does fall within the scope of the complainant’s request. However, the exemption set out at section 31(1)(a) FOIA is engaged and the balance of public interest lies in withholding the information. 31–32 DWP have now complied with
the request and supplied to the complainant all the information that they are required to under section 1 FOIA. |
||
|
|
||
|
39 The public authority did not
deal with the following elements of the
request in accordance with the requirements of the Act: i)
Breach of section 1 of the Act as the requested
information that fell to be
disclosed was not provided to |
||
|
|
||
|
2 |
||
|
|
||
|
|
||
|
the complainant until after the
complaint had been lodged
with the Commissioner. Action
Required
No steps are required to be
taken
Dated this 19th day of March 2008 Fiona Henderson
Deputy Chairman, Information Tribunal |
||
|
|
||
|
3 |
||
|
|
||
|
|
||
|
Reasons for Decision
Introduction
1. This is an appeal by the
Appellant (Mr King) to the Information Tribunal
under section 57 of the Freedom of Information Act 2000 (FOIA) in relation to the Information Commissioner’s Decision Notice FS50140350 dated 14th August 2007, which considered his request for information from Jobcentre Plus, a part of the Department for Work and Pensions (DWP). The request for information
2. The background to the
appeal arises out of Mr King’s concern that a
policy had been adopted by Jobcentre Plus whereby people wishing to make a benefit application were expected to do so by telephone to a call centre rather than by handing in a written application. Mr King expressed the concern that personal information provided over the telephone could be misused and on 8th May 2006 wrote to Miss D.K.Riyait of the District Correspondence Team stating: “Finally, in view of the
increasing risk of identity theft I am
concerned about providing personal information over the public telephone to your Contact Centre. The public telephone system is not secure and could result in personal information being appropriated for illegal purposes. Please let me know what other arrangements you have in place for the provision of personal and sensitive information in support of a claim”. 3. On 30th May
2006, Mrs Kay Jackson (District Communications
Manager) responded by letter stating: “Our Contact Centre network
has been set up in collaboration with both British Telecom and our own Department’s security specialists. A comprehensive risk assessment has been completed to identify and counter any potential security threats to our telephony system.” |
||
|
|
||
|
4 |
||
|
|
||
|
|
||
|
4. In response to this
information, Mr King wrote a letter to the DWP on
5th June 2006 which included the following: “Although your Contact Centre
telephone network may be secure,
customers are telephoning from insecure public telephone networks which would not be a secure environment for personal and sensitive information… “Finally, I would be
interested to see the risk assessment carried out of
your telephone system to which you refer, and I should be obliged if you would make it available to me”. 5. Mr King wrote to Mrs
Jackson twice in order to chase the progress of
this request. Firstly on 10th July 2006, making plain that this was a request under the Freedom of Information Act 2000 (FOIA); and again by letter on 16th August 2006 when he noted that although he had had a response to other questions, his request for “the risk assessment carried out on your telephone system to which you referred in your letter of 30th May” was still outstanding. 6. Mr King’s request was
refused in a letter from Sharon Fenwick
(Communications Manager) on behalf of the DWP on 30th August 2006. In this refusal she explained that: “The information you requested
is being with held as it falls under the exemption in section 38 of the Freedom of Information Act. This exemption covers safety and security. In applying this exemption the department has balanced the public interest in withholding the information against the public interest in disclosing the information... I understand that your request for information is based on concerns as to the security of data collected using our telephony. Providing details of any risk assessment carried out on the telephony could compromise the security of the system by identifying potential weakness and any controls put in place to address them if any existed.” |
||
|
|
||
|
5 |
||
|
|
||
|
|
||
|
7. Mr King responded to this refusal
by the DWP by letter of 5th
September 2006 in which he pointed out that section 38 FOIA does not deal with “safety and security” but “health and safety” and stating: “ It is clear that this
exemption does not apply to the information I have
requested. Consequently I must ask that you review my request for information.” And asking for a response within 14 days. 8. A month later on 2nd October
2006, Mr King wrote again indicating that
he had not had a response to his request for a review of 5th September 2006, and asking that the DWP review their decision not to supply the information requested. 9. The DWP reviewed the decision and
notified Mr King in an undated
letter from Deborah Boore (Operational Development Manager) that: “Having reviewed all of the details of your request I am content that the decision to withhold the information on Health and Safety grounds under the exemption in section 38 of the Freedom of Information Act was correct”. This letter correctly cited the
exemption as “health and safety” but gave
no explanation as to why health and safety was engaged. The complaint to the Information
Commissioner
10. On 29th October 2006, Mr King
applied to the Commissioner asking
him to consider the DWP’s handling of his request. Prior to the Commissioner taking any active steps to investigate the case, Colin Denson (Planning and Risk Manager) at the DWP wrote to Mr King on 24th January 2007 informing him that: □ In response
to the appeal to the Information Commissioner, Jobcentre
Plus had reconsidered its decision not to release the risk assessment, □ Extracts
from the risk assessment were attached,
□ Some
information was still being withheld under section 38 FOIA
“This exemption covers safety and security”. (Tribunals emphasis) |
||
|
|
||
|
6 |
||
|
|
||
|
|
||
|
□ Providing the full
details of the risk assessment carried out on the
telephony could compromise the security of the system…” 11. Mr King wrote to the Information
Commissioner on 5th February 2007
noting: “..section 38 of the Freedom
of Information Act 2000 relates to “Health
and Safety” and not “safety and security” as Jobcentre Plus have claimed. The reason given by Jobcentre Plus relates to the security of their system and not to the safety of any individual, and so the exemption does not apply in this case.” In this same letter Mr King
expressed the view that the Commissioner
was bound under section 50(1) FOIA to make a decision at the time of his application, and asking for a copy of the decision notice without further delay. 12. Ms Rachael Cragg (Senior Complaints
Officer from the Information
Commissioner’s Office (ICO)) wrote on 9th February 2007 to Mr King and explaining that an investigation had now begun but no decision notice was yet issued. She further stated that: “I have examined the recent
letter sent to you from Mr Colin Denson of
the DWP and I do not believe at this stage that section 38 of the Act has been applied correctly. I have contacted the DWP and asked them to reconsider their refusal to release the information based on my initial view, and requested that they respond to me within the next ten days….. I will keep you informed of
developments in the investigation of your
complaint.” 13. At the time of the investigation, Mr
King had entered into correspondence with the Information Commissioner’s Office in relation to the statutory validity or otherwise of the Commissioner’s “Robust Handling Policy” insofar as it had been applied to 2 other cases, which he had submitted to the Commissioner. On 9th February 2007 he submitted a pre-action Protocol for a proposed claim for Judicial |
||
|
|
||
|
7 |
||
|
|
||
|
|
||
|
Review in which he included
particulars of this case in his grounds. His
reasoning was further explained in his letter of 15th February to Jane Durkin (Assistant Commissioner) when Mr King expressed the view that Section 50(2) of FOIA: “requires that decisions
relate to the time of receipt of my complaint,
not the time my complaint was considered as you have claimed”. 14. Charles Cushing (DWP
Adjudication and Constitutional Issues
Information Policy Division) sent an email of 29th March 2007 attaching a letter, dated 27th March 2007, from Janine Fearon (Jobcentre Plus National Freedom of Information Focal Point) defending the reasons that the withheld material was exempt under section 38 FOIA and including the considerations followed in the public interest test. The email further stated that: □ The DWP was
continuing to assess the withheld information and to
consider whether, in the alternative to section 38, a robust case could be made under section 36 FOIA (Prejudice to the effective conduct of public affairs), □ The DWP
were also considering whether the exempted information fell
to be withheld under section 31(1)(a) FOIA (prejudice to the prevention (or detection ) of crime), □ The DWP
were also considering whether the exempted information
actually fell within the scope of Mr Kings request because: “The original request seems to
have arisen as he was querying the fact that he is required to supply personal details over the telephone when making a new claim to benefit and wanted to know how he could be sure that his personal information was secure. In response to these concerns Mr King was advised that “the telephony used in our (DWP/JC+) contact centres was risk assessed to ensure that it was secure however, this was not entirely accurate as the “Accord NOSP DWP Jobcentre Plus System Security Policy (SSP)” that was identified as a “ risk assessment to telephony” goes much wider than that and is a high level document regarding all aspects of system security and |
||
|
|
||
|
8 |
||
|
|
||
|
|
||
|
does not address Mr King’s
concerns. My contention is that such
concerns would have been best allayed by providing Mr King with detailed information about departmental policies and procedures surrounding the confidentiality and security of our customers’ information. ... I will ensure that his (sic) material is sent to Mr King.” □ A copy of
the full document and a separate copy of the withheld
material was being sent to the ICO. 15. After further communication between the
DWP and ICO Mr Cushing
wrote to the ICO on 3rd July 2007 indicating that: □ The DWP
were now of the view that they only needed to look at and
disclose those parts of the “ACCORD” that actually covered any risk assessment involving telephony, □ Outside of
the FOIA regime in furtherance of good customer relations,
the DWP were nevertheless releasing much of the material to Mr King, even though it was outside of the scope of his request, □ The DWP
were no longer relying upon section 38 FOIA,
□ The DWP’s
primary assertion was that the withheld material was not
within the scope of the request but in the alternative they were relying upon sections 31(1)(a), section 36 and section 24 (National Security) of FOIA. 16. Mr Cushing also wrote to Mr King
on 3rd July 2007 enclosing much of
the risk assessment and the policies and procedures relating to the protection of personal information and indicating: “..unfortunately the information given to you originally was not strictly correct. The reference to a telephony risk assessment was unfortunate because that document does not relate to the thrust of your concerns. I maintain that provision of
this material falls beyond the scope of your request which was for the telephony risk assessment. I am however happy to provide you with this material as a matter of good customer service… |
||
|
|
||
|
9 |
||
|
|
||
|
|
||
|
Some of the document remains
to be withheld as it provides details of
wider IT security controls etc. This exempt material relates to security controls that are peripheral to your original request and as such I consider that I do not need to cite any exemptions under the Freedom of Information Act…I consider… that disclosure of this particular material would be prejudicial to the department’s IT security I can confirm that should any further request be made for this particular information that we would wish to continue to withhold it citing the exemptions, at sections 24, 31 and 36 FOIA. 17. Mr King responded by
letter dated 12th July 2007 explaining:
“My interest were somewhat wider than just the telephony system but I had nothing more to go on than these references in making my request”. Mr King felt that the DWP had
failed to extend the section 16 FOIA
advice and assistance to him as an applicant and had not followed the section 45 Code of Practice… “the limited references were
inadequate for me to determine the extent
of the available information, and consequently the precise information I required. It was my intention to ask for
the fullest possible information, but I was
prevented from making clear the scope of my request for the reasons outlined above. The question of whether my request for the full “ACCORD” document is part of my original request or a new request makes no practical difference, and only serves to delay further what has been a very protracted and difficult request for information.” 18. Additionally he notes
that titles and headings of withheld paragraphs
have themselves been withheld, and that no reasons have been given (as required by section 17 FOIA) for reliance upon each exemption. 19. Mr Cushing replied on
30th July 2007 reiterating that the DWP primarily felt that the withheld information was outside the scope of the request, but quoting from the correspondence with the Commissioner explaining |
||
|
|
||
|
10 |
||
|
|
||
|
|
||
|
why the DWP felt that the
exemptions applied. Mr Cushing accepted
that previously withheld headings should have been disclosed and included a schedule of them to remedy that removal. 20. In Mr King’s letter to
DWP of 13th August, he comments that the policy
documents he has received: “deal with disclosure to third
parties, verification of identity and bogus
callers. However, they do not address the threat of the appropriation for illegal purposes of personal information provided over the public telephone to your contact centre for making benefit claims, which was my original request for information. I therefore do not believe that my original information request has been dealt with. If the ACCORD document does not contain this information we must establish what document Mrs. Kay Jackson was referring to and also what other documents may contain this information.” The Commissioner’s Decision
21. The Commissioner’s
Decision dated 14th August 2007 was
summarized as follows: “After having initially
refused to disclose the information, DWP later
provided the documents it considered relevant to the request. These were taken from a wider report that the authority did not disclose in full as it was considered to be outside the scope of the request. .. The Commissioner... agreed that the information withheld from the complainant is outside of his request and therefore DWP is not required to disclose it. The Commissioner found that DWP failed to respond to the complainant’s request within 20 working days and was in breach of section 10 of the Act. The Commissioner also found that as the refusal notice issued was outside of the 20 working days that DWP were in breach of section 17 of the Act. 22. More specifically the Commissioner defined the scope
of the case thus: |
||
|
|
||
|
11 |
||
|
|
||
|
|
||
|
□ Paragraph
10. During the course of the investigation DWP
disclosed to the complainant all the elements of the “risk assessment” document it holds, which it found fell within the scope of the complainant’s request. His analysis was as follows: □ Paragraph
29. In the Commissioner’s view the information withheld
does fall outside of the complainant’s request. The documents withheld which reference telephony are strategic policy information related to the set up of the telephony, security or job structure within Job Centre Plus and are not therefore “risk assessments”. The information in Appendix C, whilst referring to risk assessments in relation to security breaches of the computer systems does not relate to a telephony risk assessment. DWP has now complied with the
complainant’s request for the
information held on the “ telephony risk assessment” □ Paragraph
32. In providing the information, which was originally
requested by the complainant, DWP has complied with the requirements of section 1. □ Paragraph
37. DWP confirmed it held information relevant to the
complainant’s request and disclosed this information to him on 3rd July 2007 ”. 23. The Commissioner’s Decision was recorded
as follows:
□ DWP had
complied with section 1 of the Act as the requested
information was provided to the complainant, □ DWP had
breached section 17 of the Act,
□ DWP had
breached section 10 of the Act,
□ The
Commissioner required no steps to be taken.
The appeal to the Tribunal
24. Mr King appealed to the Information
Tribunal on 22nd August 2007
upon the following grounds: i) The ACCORD document does not
contain the information requested and consequently the decision notice was wrong to state |
||
|
|
||
|
12 |
||
|
|
||
|
|
||
|
that: “the DWP has disclosed
all the elements of this document
which it has found relate to telephony risk assessment as requested by the complainant”. ii) The DWP misled Mr King by
referring him to a document that it now
admits does not relate to his concerns.. Mr King does not feel that the DWP has provided reasonable advice and assistance as required by section 16 FOIA and the Code of Practice issued under section 45. iii) The Information Commissioner
did not offer any assistance.
Despite a promise to keep Mr King informed of developments in the investigation of his complaint, he received no further correspondence until the decision notice, some six months later. iv) At the time that the
complaint was received by the Information
Commissioner, the DWP had not complied with Part I of FOIA. The Commissioner was wrong to allow the DWP time to comply with Part I FOIA during the investigation and wrong therefore to find that the DWP had complied with part 1 of FOIA because the information was provided prior to the drafting of the decision notice. 25. Mr Cushing responded
to Mr King’s letter of 13th August in a letter
dated 6th September 2007 detailing the provisions in place to ensure that information remains secure once it reaches a member of the department’s staff, and noting: “If your concern is about the
integrity of the telephone line between the
public telephone and the department’s call centre, then I am sorry that I cannot help you. This is an issue that would need to be addressed to the line provider, presumably British Telecom. “ He further invited Mr King to
provide a clear example of the specific circumstances which are of concern to him, and offered to identify someone in the department who could answer those specifics. |
||
|
|
||
|
13 |
||
|
|
||
|
|
||
|
26. The Information Commissioner served a
reply dated 13th September
2007 resisting all grounds of appeal on the basis that the appeal was without merit. DWP were joined as an additional party pursuant to Rule 7(2) of the Information Tribunal (Enforcement Appeals) Rules 2005 SI 2005 No.14 on 26th September 2007 and also opposed the appeal on the following grounds: □ They have
provided all the information which they held which fell
within the scope of the request, □ The
information which the Department withheld does not fall
within the scope of the request. In the alternative the information is exempt information by virtue of sections 44, 36 and 31 of FOIA. (The Tribunal notes that this is the first time that section 44 (prohibition by or under any enactment - in this case the Data Protection Act) has been raised). □ The
Department has provided advice and assistance insofar as
it would be reasonable to expect the Department to do so. Thus there has been no breach of section 16 FOIA. The questions for the Tribunal
27. The Tribunal’s powers in relation to
appeals under section 57 FOIA are
set out in section 58 of FOIA, as follows: (1) If on an appeal under
section 57 the Tribunal considers-
(a) that the notice
against which the appeal is brought is not
in accordance with the law, or (b) to the extent
that the notice involved an exercise of
discretion by the Commissioner, that he ought to have exercised his discretion differently, the Tribunal shall allow the
appeal or substitute such other notice as could have been served by the Commissioner; and in any other case the Tribunal shall dismiss the appeal. |
||
|
|
||
|
14 |
||
|
|
||
|
|
||
|
(2) On such an appeal, the
Tribunal may review any finding
of fact on which the notice in question was based. 28. Upon consideration of all of
the material before it, the Tribunal is
satisfied that the issues that it is required to determine are: i. Was the telephone risk
assessment as contained within
the ACCORD document covered by Mr King’s request for information? ii. Did the DWP at the time of
the request hold further
undisclosed information, which fell within the scope of the request? In particular this includes: a. A different document
dealing with the telephony
risk assessment, b. Documents addressing Mr
King’s concerns of the
threat of the appropriation for illegal purposes of personal information provided over the telephone to the DWP’s contact centre for making benefit claims. c. The 3 documents
identified by Mr King in the
bibliography section of the ACCORD document. iii. If requested information has
not been disclosed, can
DWP rely upon the exemptions in sections 31(1)(a), 36 or 44 FOIA to withhold the information? iv. Should the Commissioner have
found that DWP had
breached its obligations to advise and assist the Appellant under Section 16 FOIA 2000, in that the Appellant asserts that they had: a) Misled Mr King by
referring to the ACCORD
document, when that document did not address his concerns, b) Failed to identify
documents which would |
||
|
|
||
|
15 |
||
|
|
||
|
|
||
|
address his concerns. |
||
|
|
||
|
v. Did the Commissioner have a
duty to provide advice
and assistance? If so did the Commissioner provide inadequate assistance in light of his failure to keep Mr King informed of developments during the currency of the investigation? vi. Was the Commissioner wrong in
law to find that the
DWP had not breached its obligations under Section 1 FOIA because the public authority was granted the opportunity to correct its earlier defaults under FOIA prior to the drafting of the Decision Notice? 29. Questions i), ii) and
iv) are questions of fact. Questions iii) and v) are
questions of law based upon the analysis of the facts. Question iv), whether the Commissioner was wrong in law to find the DWP had not breached section 1 FOIA is a question of law. The Tribunal may substitute its own view for that of the Commissioner on these issues if it considers that the Commissioner’s conclusion was wrong. This is not a case where the Commissioner was required to exercise his discretion. 30. The Tribunal is
satisfied that it is not required to determine the
following
points: i. The Information Commissioner’s
handling of a pre-action protocol
for Judicial review sent by Mr King, ii. Whether it was appropriate
for the Information Commissioner to fail
to issue a Decision Notice in Case FS5107137, The Tribunal’s Jurisdiction
extends only to consideration of whether the Commissioner’s decision on the complaint in this case should be upheld or substituted with a fresh decision. |
||
|
|
||
|
16 |
||
|
|
||
|
|
||
|
Evidence
31. Witness statements from
Martin Dillon (team leader of the central DWP
policy team responsible for Data Protection and Freedom of Information policies within the Department) and Kay Jackson (District Communications Manager for Jobcentre Plus in Surrey and Sussex) rehearsed much of the correspondence as already set out in paragraphs 2-9 above, in particular the letter from Mrs Jackson dated 30th May 2006 stating: “Our Contact Centre network
has been set up in collaboration with both
British Telecom and our own Department’s security specialists. A comprehensive risk assessment has been completed to identify and counter any potential security threats to our telephony system.” and Mr King’s letter dated 5th June 2006 which included
the following:
“Although your Contact
Centre telephone network may be secure,
customers are telephoning from
insecure public telephone networks
which would not be a secure
environment for personal and sensitive
information…
“Finally, I would be
interested to see the risk assessment carried out of
your telephone
system to which you refer, and I should be obliged
if
you would make it available to
me”. (emphasis added).
32. The Tribunal is satisfied from this
that:
• Mr King’s request
was specifically tied to the information that
had already been identified by Mrs Jackson, • It was not a request for any other risk
assessment,
• Mr King knew at
the time of his request that the risk assessment he was requesting would not deal with line security of public telephone lines as it purported only to deal with their contact centre telephone network, |
||
|
|
||
|
17 |
||
|
|
||
|
|
||
|
• The information he had been
given which had prompted his
request was neutral as to whether it would deal with security of the information once it had been received by the contact centre as it referred to potential security threats to their telephony system. 33. Helpful evidence was
provided by Thomas Buckle (DWP Security
Manager) whose role is to manage the Departmental Security team. He is also the Accreditor for the DWP with responsibility for inter alia security policy and information system security accreditation, he also discharges the role of Department Information Technology Security Officer. He has held these posts for over 10 years (covering the date of the ACCORD document and the date of the request). He was involved in the creation of the ACCORD document, being listed as one of those who approved the ACCORD document and co-authored the introduction. 34. He explained that a
System Security Policy (SSP) for the Jobcentre
Plus Contact Centres Telephony System (entitled ACCORD NOSP SSP) was created (the ACCORD document) which describes all aspects of security for a system including: • asset
valuation,
• security controls
and associated procedures,
• the security risk
assessment.
The scope of the system described
in the ACCORD document
excluded any consideration of security of a telephone call before it reached the call centre, which was beyond the control of the DWP. 35. The section containing
the main body of the risk assessment also contained, in three of its paragraphs, details of security controls and facilities that could benefit an attacker and impact on the Department’s ability to deliver securely its services. Mr Buckle deemed these out of the scope of the request as they related to security controls and not to |
||
|
|
||
|
18 |
||
|
|
||
|
|
||
|
the actual risk assessment. Other
areas throughout the document
relevant to the risk assessment were disclosed. 36. The withheld information
as well as being deemed outside the request
would also provide detailed information and insight into the security architecture (hardware and software); specific technical solutions; personnel security counter measure and control, and thus could be of use to an attacker and compromise the correct operation of the system. 37. In his second statement
Thomas Buckle dealt with 3 documents
referred to by Mr King (as listed in the bibliography of the ACCORD document): • Telephony Service
Security Awareness Briefing Material,
• BT Corporate
Security Policy,
• The Business
allocation for Advanced Telephony (31 March 2003)
The first 2 of these documents
were not held by DWP and without now
being able to refer to them Mr Buckle’s opinion was that these were not likely to contain a telephony risk assessment. In relation to the third document it did not contain the risk assessment and the only part of the document that dealt with security was disclosed in any event. The Tribunal accepts this evidence. 38. The Tribunal considered
Sec 10 security 1.4 headed Project ACCORD
as set out in the 31st March 2003 document which states: “The CONTRACTOR shall conduct
a security risk assessment to
inform the selection of security controls and countermeasures to be agreed with the AUTHORITY in accordance with BS7799. 39. We are satisfied from
consideration of the ACCORD document itself that it contains the risk assessment that was to be carried out by BT (referred to in Sec 10 para 1.4 of the Business Allocation for Advanced Telephony 31 March 2003), because: |
||
|
|
||
|
19 |
||
|
|
||
|
|
||
|
• The ACCORD
document shares the title, and the aims of the
proposed risk assessment, • The ACCORD
document is in accordance with BS7799 (as stated
in paragraph 1.4 of the introduction to the ACCORD document), • The ACCORD
document is authored by BT (who were the
Contractors at the time), • The draft of the
ACCORD document that we have is dated 29.9.03
which post dates the 31st March 2003 document. 40. Consequently this
Tribunal is satisfied that the ACCORD document is
the only document held by the DWP which includes a risk assessment in respect of the DWP’s telephone system, and that consequently the ACCORD document was the document being referred to by Mrs Jackson, which then became the subject of Mr King’s information request. 41. Mr Buckle noted in his
first statement that advice available to
government security officers at the time the SSP was written supported the use of the Public Switched Telephone Network for the secure transmission of personal information. There is no evidence before us to suggest that this advice was a risk assessment, and it would have fallen outside of the terms of the request in any event (since it was general advice and not a risk assessment of the DWP telephony system). 42. The Tribunal also
considered the redacted information. Its analysis of
the status of the withheld information appears at paragraphs 53-62 below. 43. The Tribunal is in a
position to review the evidence and decide matters of law and fact afresh from the source documents and in those circumstances did not feel that the earlier complaints that Mr King has had against the Commissioner and his allegations of bias were relevant |
||
|
|
||
|
20 |
||
|
|
||
|
|
||
|
in the determination of this case.
Legal submissions and analysis
Was the telephone risk
assessment as contained within the ACCORD
document covered by Mr King’s request for information? 44. Mr King argues that it
is possible that no documents exist which relate
to his request. The Tribunal has rejected this contention. Mr King seeks to argue that the ICO is wrong as a matter of fact to focus on the ACCORD document in his decision as his information request was not for the ACCORD document: “My request was for a risk assessment which related to the concerns I had raised in previous correspondence” (emphasis added). Whilst that may have been the intention behind Mr King’s request, the above constitutes a reformulation of the request and is not in fact that which he had asked for. Whilst the DWP have admitted that the ACCORD document “does not relate to the thrust of your concerns” this is an irrelevant consideration when responding to an information request (see paragraph 65 et seq below). 45. Mr King asserts that the
ICO was fully aware in the five months prior to
his decision, that the ACCORD document did not address Mr King’s concerns. His decision notice was therefore wrong on a question of fact. On the information available to him at the time of the decision the ICO should have exercised his discretion differently. The Commissioner has no discretion on this point. He is bound to consider the information request and if the requestor wishes to have different information from that already requested, his remedy is to make a fresh request in different terms. 46. The DWP argue that
irrespective of the Appellant’s original concerns, the information request that the Appellant made on 5th June 2006 was specific, particular and there was no doubt that he wished to see the risk assessment referred to in the DWP’s letter of 30th May 2006. The Tribunal concurs with this analysis. |
||
|
|
||
|
21 |
||
|
|
||
|
|
||
|
Did the DWP at the time of the
request hold further undisclosed
information which fell within the scope of the request? 47. Mr King does not
actively argue that those elements of the ACCORD
document that have been withheld by the DWP are within scope or are not liable to be withheld under any of the exemptions relied upon by the DWP. His case is principally that the information contained in the part of the ACCORD document that deals with the telephony risk assessment does not meet his concerns. Nevertheless he wishes the Tribunal to decide whether and to what extent the DWP have failed to comply with Part I of FOIA. 48. The DWP argues that the
Tribunal need not consider scope and
exemptions as Mr King has stated in his submissions that the ACCORD document “does not contain the information I sought”. The Tribunal understands that there was an inadvertent disclosure of the redacted material with the draft bundle by the ICO, however, there is no evidence before the Tribunal that Mr King considered the “withheld” material before he returned it. Mr King may be relying upon the assertion by the DWP that the document “does not meet his concerns”. Whilst clearly the document does not meet all his concerns, the Tribunal is proceeding from the position that Mr King has not read the material that is before the Tribunal and therefore is not in a position to judge whether it does fall within the ambit of his original request, which is the subject of this appeal. 49. The Tribunal would
expect a risk assessment to include the following
types of information: • identification of a potential security
risk,
• the assessment of how serious that risk
is,
• identification of
measures that are (or can be put) in place to combat
that risk, • an assessment of whether to put such
measures in place, |
||
|
|
||
|
22 |
||
|
|
||
|
|
||
|
• an evaluation of how successful they are likely to
be.
50. The Tribunal is
satisfied that since the request for information is
contained within a larger document, and as Mr King was told that the risk assessment was “comprehensive” that the Tribunal should take a broad approach to what constitutes the “telephony system” and what forms part of the risk assessment. For example the IT supporting the telephony and enabling its use would form part of the telephony system. Similarly “technical solutions to identified security risks” to the telephony would form part of the risk assessment. Consequently the Tribunal finds that whilst most of the withheld information from the ACCORD document is outside the scope of the request, there are parts of the withheld information which do fall within the terms of the request. A consideration of whether this material is disclosable in light of the exemptions relied upon by DWP is set out at paragraphs 53-62 below. 51. Since Mr King’s request
referred specifically to the document already
identified by Mrs Jackson, which the Tribunal has found is the risk assessment of the telephony contained within the ACCORD document, the Tribunal is satisfied that there are no other documents that fall to be disclosed within the terms of Mr King’s original request. 52. Mr King notes that it is
not clear what the status is of the public telephones which the DWP supplies at their own Job centres for public use and whether or not these have been included in any risk assessment. The Tribunal would agree that their status is not entirely clear (are they ordinary BT type telephones or are they some sort of internal calling system) but is satisfied on the evidence of Mr Buckle that such risk assessment by DWP of their telephony system that there has been is contained within the ACCORD document. |
||
|
|
||
|
23 |
||
|
|
||
|
|
||
|
If relevant parts have not
been disclosed, can DWP rely upon the
exemptions in sections 24, 31(1)(a), 36 or 44 FOIA to withhold the information? 53. The DWP initially relied
upon section 38 FOIA in their initial refusal of
the request and then in front of the Commissioner sections 24, 31 and 36 FOIA (although he did not consider any exemptions, finding that all the withheld material was outside of the scope of the request). In front of this Tribunal the DWP no longer relies upon sections 38 or 24 but seeks instead to rely upon sections 31(1)(a), 36 and 44 FOIA. 54. Late reliance on
exemptions was considered in Bowbrick
EA/2005/0006 at paragraph 54: “In deciding whether there
should be a revised notice, and if so on
what terms, it is relevant for the Tribunal to take account of a claim by the public authority that an exemption applies in respect of particular information. The Tribunal is in effect exercising the powers of the Commissioner at this point. We ought not to ignore the public authority's claim that an exemption applies, just as the Commissioner ought not to ignore a similar claim if it is raised during his investigation. If the claim is well-founded then the Tribunal ought not to order disclosure, just as in comparable circumstances the Commissioner ought not to order disclosure. “ 55. Whilst there have been
subsequent Tribunal Decisions noting that in Bowbrick the legislation was new, and the information only discovered during the Appeal process, this Tribunal is satisfied that (adopting the approach set out in Bowbrick) both the Commissioner and the Tribunal have the power to consider exemptions raised in front of them for the first time. Whether it will consider a recently raised exemption will depend on the facts in each case. |
||
|
|
||
|
24 |
||
|
|
||
|
|
||
|
56. In considering the exemption
raised under section 31(1) (a) of FOIA this Tribunal notes that it was raised immediately after the ICO indicated that section 38 FOIA was in his view not an appropriate exemption. The reasoning advanced by DWP for relying upon this exemption is very similar to that relied upon in relation to section 38. It would seem unjust to prevent a public authority from relying upon an early identified harm because they have mistakenly applied the same or similar facts and reasoning to the wrong exemption. The Tribunal also considers the interests of justice and the wider impact of a failure to consider a late arising exemption upon persons not party to the case (such as the general taxpayer as well as users of the DWP telephony system). Further whilst the Tribunal expects public authorities to give proper consideration to exemptions when considering an information request, there is a danger that too rigid an approach by the Commissioner or this Tribunal would result in public authorities raising all conceivable exemptions in response to a request, in a “belt and braces” approach in order to preserve their position for later. This would add unnecessarily to confusion upon the part of the information requestor and would add to the burden upon the ICO in relation to time and money spent dealing with complaints to it. |
||
|
|
||
|
57. Section 31 FOIA states:
(1) Information which is not
exempt information by virtue of section 30
is exempt information if its disclosure under this Act would, or would be likely to, prejudice— a) the prevention or detection of crime,
58. The DWP argue that risks
from unauthorized access to [the withheld] information include identity fraud, impersonation, revenge or malicious attacks against individuals, modification of personal information, blackmail or targeting of ethnic minority groups or other vulnerable |
||
|
|
||
|
25 |
||
|
|
||
|
|
||
|
groups in society. The
Department’s computer security experts
consider that access to the withheld information in the ACCORD document would provide knowledge of the security and operational management of a live/operational Department system/service. Release of this information would reveal security controls, or the possible lack of them. 59. The Tribunal accepts
this evidence and is satisfied that the exemption
is engaged as disclosure of this material would prejudice the prevention or detection of crime. Additionally the Tribunal reminds itself that the Computer Misuse Act 1990 creates certain criminal offences connected with the unauthorised access of Computer systems and that disclosing information that could constitute a “hacker’s manual” would also prejudice the prevention of this type of crime. 60. Section 31 FOIA is not
an absolute exemption listed in section 2(3)
FOIA, and consequently pursuant to section 2(2)(b) FOIA is subject to the public interest test: (2) In respect of any
information which is exempt information by virtue
of any provision of Part II, section 1(1)(b) does not apply if or to the extent that— (b) in all the circumstances
of the case, the public interest in
maintaining the exemption outweighs the public interest in disclosing the information. 61. The DWP assert that
there is a strong public interest in favour of
withholding the information so that: • the public will have confidence that their
information is secure,
• that they will not
be the victim of malicious attacks, identify fraud or
any other unlawful activities. • The DWP services
that they rely upon will not be impeded
or disrupted. |
||
|
|
||
|
26 |
||
|
|
||
|
|
||
|
62. The DWP assert that
there is “No public interest in disclosure of the
withheld information”. This Tribunal disagrees and takes into account that there is a public benefit in disclosure: • either to promote confidence in the security of
the system or
• to enable the
public to call for the DWP to shore up their defences
and make them more robust. 63. However, the Tribunal is
satisfied that the factors in favour of
withholding the information under the section 31(1)(a) exemption substantially outweigh those factors which favour disclosure and that such material as was within the scope of the request from the ACCORD document which has been withheld, should not be disclosed. 64. In light of the
Tribunal’s findings in relation to section 31(1)(a) FOIA,
this Tribunal does not consider the other exemptions advanced. Should the Commissioner have
found that DWP had breached its
obligations to advise and assist the Appellant under Section 16 FOIA 2000, in that the Appellant asserts that they had: a) Misled Mr King by
referring to the Accord document when that
document did not address his concerns, b) Failed to identify
documents which would address his concerns.
65. The Commissioner argues
that since Mr King did not specifically raise section 16 in his complaint it was not before the Commissioner and should not therefore form part of this appeal. The Tribunal feels that this argument is flawed. Mr King had not received any disclosure at the time of the complaint neither had he received the concession from the DWP that the “comprehensive” risk assessment of their telephony (which was mentioned in order to allay his fears), did not meet his concerns, and was to be gleaned piecemeal from a different document which encompassed many other things. Consequently he was not at |
||
|
|
||
|
27 |
||
|
|
||
|
|
||
|
the time of his complaint in a
position to argue that he should have
been given assistance to reformulate his complaint. 66. Under section 47 FOIA :
(1) It shall be the duty of
the Commissioner to promote the
following of good practice by public authorities and, in particular, so to perform his functions under this Act as to promote the observance by public authorities of— (a) the requirements of this Act, and
(b) the provisions of the
codes of practice under sections
45 and 46. (emphasis added) Whilst performing his functions
under this Act (in this case investigating
a complaint and coming to a decision) the Information Commissioner has a duty to promote the following of good practice by public authorities. Thus the question of whether the DWP were observing the requirements of section 16 or the provisions of the section 45 Code is something to which the Commissioner will always have regard. 67. Consequently this
Tribunal is satisfied that it should consider Section
16 FOIA which provides: (1) It shall be the duty
of a public authority to provide advice and
assistance, so far as it would be reasonable to expect the authority to do so, to persons who propose to make, or have made, requests for information to it. (2) Any public authority
which, in relation to the provision of advice
or assistance in any case, conforms with the code of practice under section 45 is to be taken to comply with the duty imposed by subsection (1) in relation to that case. 68. Mr King argues that he
did not ask for the ACCORD document and was guided by the initial response that he had from DWP (which appears to have been of marginal relevance to his expressed |
||
|
|
||
|
28 |
||
|
|
||
|
|
||
|
concerns). He argues that the DWP
should have followed the Section
45 FOIA Code: “In seeking to clarify what is sought, public
authorities should bear in
mind that applicants cannot reasonably be expected to possess identifiers such as file reference number”. 69. However, the DWP
argue, (and the Tribunal agrees) that the Appellant
was clear and specific in his letter of 5th June 2006, there was no ambiguity or lack of clarity about his request and that consequently there was no obligation upon them to provide advice or assistance. They rely upon the Information Tribunal case of Berend v ICO and London Borough of Richmond on Thames (EA/2006/0049 & 50) “The Tribunal is satisfied
that the request should be read objectively.
The request is applicant and motive blind and as such public authorities are not expected to go behind the phrasing of the request. Indeed the section 45 Code at paragraph 9 specifically warns against consideration of the motive or interest in the information when providing advice and assistance. Additionally section 8 FOIA appears to provide an objective definition of “information requested”. 8. - (1) In this Act any reference to a
"request for information" is
a reference to such a request which- ..
(c) describes the information
requested
There is no caveat or imputation of subjectivity contained within that section.” 70. This Tribunal concurs
with that assessment of the way in which a request should be treated. Similarly Section 1(3) FOIA provides for a situation where the request is not clear and further information is sought in order to comply with the request for information. In this case the Tribunal accepts that the request appeared plain when read objectively by the DWP and that consequently section 1(3) FOIA did not apply. |
||
|
|
||
|
29 |
||
|
|
||
|
|
||
|
71. The DWP also argue that
they have now sought to address the
Appellant’s concerns relating to the security of personal information once it has been supplied to the DWP, in effect treating this as a separate information request and providing all the information it holds on this point by its letter of 3rd July 2007. In so doing they have actively identified and disclosed information that they felt was relevant to his expressed concerns. They further argue that they do not hold any information relating to the security of the public telephone system. Additionally they have invited Appellant to raise any specific concerns he may have, and provided evidence on the subject where he has engaged with them (e.g. the three documents listed in the bibliography of the ACCORD document). 72. Mr King also argues that
such advice and assistance as he has now
received was provided late and only occurred after the complaint was lodged with the Commissioner and in some respects since the appeal was lodged with the Tribunal. The Tribunal has already found that in the particular circumstances of Mr King’s limited and clearly defined request section 16 FOIA and the section 45 Code did not apply to the request that is the subject of this appeal, and that consequently such advice and assistance was provided outside the FOIA, however, the Tribunal notes that the DWP did not appear to address the issue of disclosure comprehensively until the case was with the Commissioner. Whilst the Tribunal does not find that the mistaken reliance upon section 38 was deliberate or done in bad faith, the Tribunal observes that: • no consideration
appeared to be given to redaction or scope until a
very late stage, • there is no
evidence before the Tribunal that Mr King’s explanation
of why he felt that section 38 was being mis-defined and wrongly applied was ever actively considered during the review process. • neither was the
issue addressed of Mr King having been misled (reference to the ACCORD document when that document did not address the thrust of his concerns) until the case was before the |
||
|
|
||
|
30 |
||
|
|
||
|
|
||
|
Commissioner.
Did the Commissioner have a
duty to provide advice and assistance?
If so did the Commissioner provide inadequate assistance in light of his failure to keep Mr King informed of developments during the currency of the investigation? 73. Mr King does not argue
that the Commissioner has a statutory duty to
provide advice and assistance, but rather that it would be “proper and fair for the Information Commissioner to assist the DWP and myself to see if the information I required was available elsewhere, or to focus my request in such a way that it could be complied with without recourse to exempt information.” Mr King further argues that as the ICO failed to keep him informed between February and August, he was not in a position to know what specific documents were available. 74. Nicole Duncan (Head of
FOI Complaints) apologizes in her letter of 12th
October 2007 for not having written to Mr King. The ICO concedes that it would have been preferable if in light of the undertaking given to him by Ms Cragg in February 2007 Mr King had been notified as to how the case was progressing prior to the issuing of the Decision Notice. However, the ICO maintains that failure to take such a step does not amount to an error of law and does not in any event operate to flaw the decision reached by the Commissioner. 75. This Tribunal agrees
with the Commissioner’s analysis. Further the
Tribunal has not been pointed to any authority to suggest that the Commissioner’s responsibility goes any further than the duty set out in Section 47 FOIA (as set out in paragraph 66 above) to ensure that the public authorities are fulfilling their obligations. More specifically: • The robust case handling policy (see paragraph 80 et seq below) which is the subject of much
criticism by Mr King, is the mechanism by which the ICO sought to assist the DWP to see if the information was available and to focus the request in such a way that it could |
||
|
|
||
|
31 |
||
|
|
||
|
|
||
|
be complied with without recourse
to exempt information (by
consideration of scope and redaction). • Knowing what specific documents were available in this case would have been irrelevant to the complaint before the Commissioner the remit of which was the initial (in this case restricted) information request. Was the Commissioner wrong in
law to find that the DWP had not
breached its obligations under Section 1 FOIA because the public authority was granted the opportunity to correct its earlier defaults under FOIA prior to the drafting of the Decision Notice? 76. Under FOIA,
Section 1 provides
(1) Any person making a
request for information to a public authority is
entitled- (a) to be informed in writing by the public authority whether it holds information of the description specified in the request, and (b) if that is the case, to
have that information communicated to him.
(2) Subsection (1) has
effect subject to the following provisions of this
section and to the provisions of sections 2, 9, 12 and 14. 77. Section 10 provides that:
(1) … a public authority must
comply with section 1(1) promptly and in
any event not later than the twentieth working day following the date of receipt. 78. Although the Tribunal
has come to a different conclusion from the Information Commissioner on the facts and found that the DWP do hold information within the scope of Mr King’s request, which has not been disclosed, the Tribunal is satisfied that this is properly withheld in reliance upon section 31(1)(a) FOIA (see paragraph 63). As such the change in reason for the withholding of the information does not affect |
||
|
|
||
|
32 |
||
|
|
||
|
|
||
|
the factual basis for considering
the section 1 FOIA breach. It is
accepted by all parties that at the date that Mr King lodged his complaint with the Commissioner (more than 4 months after his initial request) he had not had disclosed to him material which the DWP held which fell within the scope of his request and to which no exemption related. 79. The Information
Commissioner in his submissions proposes amending
the wording of paragraph 39 of the Decision Notice to read: “Compliance with section 1 of the Act as the requested information was provided to the Complainant, albeit that such information was disclosed late and only after a complaint had been submitted to the Commissioner”. The Tribunal is not minded to
follow this course. The Tribunal is not
concerned with altering the drafting of Decision Notices where there is no error of fact or law and there is no provision with Section 58 FOIA to enable such redrafting. 80. The Commissioner argues that:
a. It is apparent from the
body of the decision that the information
was provided after Mr King had applied to the Commissioner for a decision, b. The information was
provided by the time that the decision was
drafted and consequently the breach was not one of failure to comply with section 1 FOIA, but failure to comply with section 10 FOIA. c. It is entirely in
keeping with his statutory obligations that he
should (following receipt of a complaint): o conduct an
investigation with the objective of discovering whether the relevant public authority has failed to comply with its obligations under FOIA. |
||
|
|
||
|
33 |
||
|
|
||
|
|
||
|
o Where he
discovers information has been unlawfully
withheld, exploring with that authority whether it is prepared to disclose that information forthwith in the absence of a formal Decision Notice o There is
nothing in any statute to render this
conduct
unlawful. o It is
consistent with the Commissioner’s obligations to
ensure that information which is disclosable under FOIA is disclosed in a timely fashion, o Section 47
FOIA imposes a duty to promote the
following of good practice by public authorities. 81. The Commissioner also
argues that he is acting in the spirit of the
“Overriding objective” contained in the Civil Procedure Rules. This objective relates to dealing with cases “justly” and includes aspects of speedy resolution, proportionate resource allocation and case management. Whilst the Commissioner is not bound per se, he argues that it is entirely proper that wherever possible the Commissioner should handle complaints in a way that is consistent with that objective. 82. The Appellant’s arguments are two fold:
o firstly that
the statute permits the Commissioner to investigate a case by way of an information notice and then record his findings in a decision notice. He objects to the ICO’s “robust case handling policy” as there is no provision for the Commissioner to substitute the statutory requirements allowing him to take an informal approach “exploring” whether disclosure can be achieved and giving time for a public authority to remedy their default prior to issuing a decision notice. |
||
|
|
||
|
34 |
||
|
|
||
|
|
||
|
o Secondly that
the Commissioner should be considering the
facts as they existed at the date that he received the complaint and not the date that he drafted the decision notice. 83. Section 50 FOIA sets out
the provisions for applying to the
Commissioner for a decision: (1) Any person (in this
section referred to as “the complainant”) may
apply to the Commissioner for a decision whether, in any specified respect, a request for information made by the complainant to a public authority has been dealt with in accordance with the requirements of Part I. (2) On receiving
an application under this section, the Commissioner
shall make a decision unless it appears to him— [that certain exceptions apply]… (4) Where the Commissioner decides that a public
authority—
(a) has failed to
communicate information, or to provide confirmation or
denial, in a case where it is required to do so by section 1(1), or (b) has failed to comply
with any of the requirements of sections 11 and
17, the decision notice must
specify the steps which must be taken
by the authority for complying with that requirement and the period within which they must be taken... (emphasis added) 84. The wording of section
50 supports Mr King’s contention that the Commissioner should be considering the facts as they existed at the date that the Commissioner received the complaint. The complainant is applying for a decision whether the request has been dealt with in accordance with part I (as opposed to “is being dealt with”). The use of “has” indicates that the facts are historic and not evolving and the |
||
|
|
||
|
35 |
||
|
|
||
|
|
||
|
Commissioner is being asked to
consider what has already happened
in determining whether there has been a breach of section 1 FOIA. 85. Mr King relies upon
section 50(2) as evidence that (in normal
circumstances) the ICO is required to make his decision on receipt of the complainant’s application and that consequently the evaluation of facts should be immediate and not postponed. The Tribunal feels that the use of “receipt” in this context relates more to the fact that the Commissioner is not required to investigate and make a decision in a case under section 50 FOIA until he has received an application (rather than acting of his own motion). Mr King concedes that the Commissioner will need to investigate a matter in order to ascertain the facts upon which to make his decision, and in that respect accepts that even on his reading “on receipt” cannot mean an immediate decision. 86. The provisions for the
decision notice to specify steps which must be
taken by the public authority in order to comply with their obligations does not take either argument further. It is clear that both parties accept that Decision Notices can be issued where there are no steps to be taken (on the preferred reading advanced by both Mr King and the ICO whether a breach of section 1 was recorded or not, there would be no steps required of a public authority where disclosure was made after the complaint but before the Decision Notice was issued.) 87. The Tribunal agrees that
in cases of delay there are separate breaches
which can be recorded under sections 10 and 17 FOIA, but is satisfied that a failure to provide disclosable information by the date of a complaint to the Commissioner should be properly categorized as a breach of section 1 FOIA as well as a breach of section 10 or 17 FOIA. 88. The Tribunal is
satisfied therefore that the wording of the statute supports Mr King’s analysis that the Commissioner should make a decision upon the facts as they were when he received the complaint not when he came to write the decision. This should not be taken to mean that the Commissioner is precluded from considering fresh |
||
|
|
||
|
36 |
||
|
|
||
|
|
||
|
matters arising during the
currency of his investigation, such as the
discovery of fresh information or the raising of fresh exemptions (see paragraph 52 et seq above). If (as occurred here) disclosure happened during the investigation that can be reflected in the fact that notwithstanding the breach of section 1(1) FOIA, the Commissioner does not require any steps to be taken to remedy the breach. 89. The Tribunal notes that
there is substantial inconsistency between the
Commissioner’s decision notices on this point, with some only recording breaches of section 10 and others recording additional breaches of section 1. The Commissioner’s approach was considered in Adlam v IC EA/2006/0079 where a public authority had provided an honest, reasonably held, but nonetheless erroneous answer to an information request outside the 20 day limit. That Tribunal considered that the obligation set out in section 1(1) was “an absolute one” and observed that: “the Tribunal finds it
difficult to see why the
Commissioner has restricted
himself only to alleged breaches of
sections
10 and 17 alone as being the
consequence of the Treasury’s letters in
issue in September. The
Tribunal finds that it must logically follow that
if
such breaches do attach
themselves to the two letters in 2005 in
question,
it necessarily follows that
the letters entailed a breach of the overriding
obligation in section
1(1)”.
90. The Tribunal does not
accept Mr King’s contentions that the Commissioner’s informal approach to investigate a case is ultra vires. It is accepted that the Commissioner will be required to investigate a complaint (Since Section 58(2) FOIA allows the Tribunal to review a finding of fact by the Commissioner, the Information Commissioner must find facts, therefore there must be an investigation.) There is no mandatory format for investigation set out in FOIA. Contrary to Mr |
||
|
|
||
|
37 |
||
|
|
||
|
|
||
|
King’s assertion the Commissioner
is not bound to issue an information
notice if he requires further information from the public authority: 51(1) If the Commissioner—
(a) has received an application under section
50…
he may serve the
authority with a notice (in this Act referred to as “an
information notice”) requiring it, within such time as is specified in the notice, to furnish the Commissioner, in such form as may be so specified, with such information relating to the application, to compliance with Part I or to conformity with the code of practice as is so specified. 91. Mr King further argues
that the section 47 FOIA duty is “a general one”
and forms no part of the procedures specified in Part IV of the FOIA. However, it is clear that the Commissioner’s duty is: 47.. so to perform his
functions under this Act as to promote the
observance by public authorities of— (a) the requirements of this Act..
Consequently this duty informs
the way in which he performs the
procedures set out in Part IV of the Act. 92. Mr King argues that
“exploring with the public authority whether it is prepared to disclose that information forthwith in the absence of a formal Decision Notice” does not form any part of FOIA and adds nothing that cannot be achieved by the issue of a decision notice. The Tribunal disagrees and finds that there is no conflict between the statutory provisions of FOIA and the reasoning given by the Commissioner at paragraphs 80.c and 81 above. The Commissioner has a duty to ensure that disclosure is made in appropriate cases. “Exploring” is more flexible than the issue of a decision notice. It may be that by discussing redaction or scope (as in this case) or the |
||
|
|
||
|
38 |
||
|
|
||
|
|
||
|
inapplicability of certain
exemptions a public authority will voluntarily
disclose information that had been previously withheld. Equally if as a result of being alerted to their inappropriate reliance upon an exemption, the public authority seek to raise a fresh exemption (as happened in this case), the Commissioner is in a position to consider that in his Decision notice, potentially avoiding the cost, inconvenience and delay of an appeal to the Tribunal. 93. Mr King has categorized
this informal approach between the ICO and
the DWP as “collusion”. The Tribunal does not accept that assertion. As a result of the Commissioner’s intervention the majority of the information that was the subject of the request was disclosed, and the Commissioner issued a Decision Notice, which recorded the failings of the DWP. Conclusion and remedy
94. The Tribunal is
satisfied that the telephone risk assessment as
contained within the ACCORD document was the subject of Mr King’s request for information, and that no other documents fell to be disclosed under the request. 95. At the time of the
request the DWP did hold further undisclosed
information which came within the scope of the request (namely some of the redacted parts of the ACCORD document) however, the exemption in section 31(1)(a) FOIA is engaged and the public interest lies in withholding the information. 96. The DWP did not breach
its obligation to advise and assist the
Appellant under section 16 FOIA as the request was specific and readily identifiable. There was no duty upon the Commissioner to provide advice and assistance to the Appellant. 97. The Commissioner was
wrong in law to find that the DWP had not breached its obligations under Section 1 FOIA because at the time |
||
|
|
||
|
39 |
||
|
|
||
|
|
||
|
when the complaint was lodged
section 1 FOIA had not been complied
with. 98. The Tribunal is
satisfied that all information within the scope of the
request that is not covered by an exemption has now been disclosed, accordingly the Tribunal does not require any steps to be taken by the Department of Work and Pensions. 99. Our decision is
unanimous. Deputy Chairman Date 19th March 2008 |
||
|
|
||
|
40 |
||
|
|
||
