Response to ICO consultation ‘Openness by Design: Our draft access to information strategy’

We welcome the introduction of a draft access to information strategy, particularly as recent ICO strategic documents such as the ‘Information Rights Strategic Plan 2017-2021’ and the ‘Regulatory Action Policy’ primarily reflect a data protection perspective even though they apply to the full range of the ICO’s functions including FOI. We are extremely pleased to see access to information now being dealt with in its own terms.

This response only addresses some of the consultation questions.

Do you agree with the vision we have set out for the regulation of access to information rights?

We strongly welcome the proposal that the ICO should become more proactive and increase the impact of its regulation.

We are not persuaded that the object of this vision should be ‘to allow people to have more trust and confidence in the openness and accountability of public authorities’. The building of confidence in public authorities’ openness and accountability is primarily a matter for those authorities. They can achieve it by acting in an open manner, by ensuring that their actions are in fact creditable and, when these fall short, by acknowledging and seeking to correct shortcomings rather than conceal them.

If the public lack trust in public authorities’ openness and accountability that is more likely to reflect the authorities’ failings than the ICO’s. Equally, any improvement in public confidence in authorities’ openness may have more to do with the approach of those at the top of the organisation than with the ICO’s efforts. This is not a criticism of the ICO. We merely question whether the necessary connection exists between the ICO’s efforts, however vigorous, and public confidence in the openness of public authorities.

We don’t agree that it should be part of the ICO’s vision to ensure that the public ‘have more opportunities to participate in civic life’. The ‘opportunities’ to participate are determined by legislation requiring consultation and by public authorities’ policies. The ICO’s focus should be on assisting the public to obtain the information with which to participate effectively.

We suggest that the ICO’s vision statement might instead refer to an objective such as enabling the public: to have greater insight into public authorities’ work and decisions, to make a more informed contribution to discussion of public affairs and to more effectively hold public authorities to account.

Do you agree with our five proposed goals?

Not as set out. We think the ICO’s overriding priority in this field should be to ensure that the public’s information rights operate, and are enforced, in an effective and timely manner.

At present the need to improve compliance is merely listed as one of six possible means of improving openness under the proposed Goal 1. The fact that targeting non-compliance is apparently given similar weight to proposals such the development of a self-assessment toolkit for authorities and the provision of transparency audits, is a fundamental mischaracterisation. Toolkits are optional, enforcing compliance is not.

Prolonged delays in complying with requests are a source of dismay and disillusion for many requesters and a major threat to the health of the FOI regime. Our recent report documenting the fact that some London councils answer only around 60% of FOI requests on time, with delays of up to 10 months or more in responding, illustrates the problem.

Securing compliance with FOIA and EIR is the ICO’s key function under that legislation. Addressing it should be a major goal, perhaps the major goal, not an ingredient of some other objective.

The ICO has limited resources which are already under considerable pressure. Unless there is a strong focus on the most critical issues, we fear that pursuing the range of goals and priorities described in the draft strategy, worthy though they clearly are, may be at the expense of what should be a central concern.

Addressing non-compliance could involve a combination of regulation and support.

Regulation might involve:

  • special reports targeted at authorities causing substantial problems. A special report on delays by the Scottish Information Commissioner in 2014 led to a reduction in valid appeals about non-responses from 24% of the SIC’s caseload to 16% in one year.[1]
  • the reinstatement of the monitoring of poorly performing authorities on a scale which matches the size of the problem, which is likely to be considerable. This process, and monthly reports made by monitored authorities, should be made public. Private discussions, whose existence the ICO itself does not acknowledge, but have on occasion been revealed by FOI requests to the authorities concerned, [2] are no substitute and may obscure any contribution actually made by the ICO.
  • the use of Enforcement Notices for authorities which fail to respond promptly to pressure for improvements. We have difficulty understanding why these have only been used to deal with delays twice in thirteen years. They are likely to have a significant impact on the receiving authority, on other authorities who realise they may face similar action and on the ICO’s own caseload. They should be capable of dealing with all outstanding requests to a particular authority at a stroke, removing the need to separately investigate each individual complaint. The reluctance to use enforcement notices will have reassured public authorities that they will face no sanction for ignoring requests, merely the prospect of a decision notice addressing only the particular request in question but not affecting other similarly delayed requests.

Support measures also have an important part to play. Some of these are described in slightly different contexts in the draft strategy document. They could be expressly targeted at non-complying authorities. For example:

  • ‘Goal 3’ refers to practitioner workshops which are envisioned as a means of raising awareness. They might instead be designed to assist underperforming authorities to address their problems, perhaps drawing on the experience of authorities which have successfully addressed such problems in the past.
  • Self assessment toolkits which are listed under ‘Goal 1’ might play a significant role in addressing non-compliance, if specifically designed for that purpose.
  • Additional targeted guidance could also assist. Inadequate searches for requested information are often relied on either to demonstrate that information is not held or to justify withholding information on cost grounds. Practical guidance on carrying out electronic searches may be helpful. This would be distinct from the investigation of new, ‘high-tech’ search techniques referred in the draft strategy. The problem is the failure to make proper use of rudimentary search techniques, for example, by refining search terms to exclude irrelevant information.
  • The publication of performance statistics, in a form which allows comparisons between authorities, should be an essential element. These would help both the public and the ICO identify under-performing authorities, adding to pressure for improvements. They would also allow some authorities to see how far their own performance was behind that of their peers. Ideally, the ICO itself should publish these statistics, using automated online tools to minimise demands on its time, following the model adopted by the Scottish Information Commissioner.[3]

The ICO should investigate the extent to which it has the power to effectively require the publication of statistics under the FOIA publication scheme and dataset provisions, the EIR proactive publication requirements and in connection with the Commissioner’s duty to promote observance with the section 45 code of practice, which now calls for the publication of compliance statistics.


[1] Scottish Information Commissioner, Annual Report 2015/16.



Scroll to Top