Risk Management: Freedom of Information & Data Protection
The Freedom of Information Act 2000 has been in the news headlines recently, and the matters raised show the risk associated with weak control frameworks: an organisation must ensure compliance with the legislation whilst protecting data that should remain confidential. The headlines have included:
Police Service of Northern Ireland (PSNI) - In response to a Freedom of Information (FOI) request, the PSNI shared the names of all police and civilian personnel, where they were based and their roles. The details were then published online before being removed;
Norfolk and Suffolk Police - The personal information of 1,230 people, including victims of crime and witnesses, was included in FOI responses. The data related to a range of offences, including domestic incidents, sexual offences, assaults, thefts and hate crime.
The Information Commissioner's Office (ICO) has also reprimanded seven organisations that failed in their duty to respond to Subject Access Requests (SARs) within the statutory timescales. These have included:
London Borough of Croydon – the authority had responded to less than half of its SARs within the statutory timescales. This meant that 115 residents did not receive a response in accordance with the UK GDPR;
Kent Police - received over 200 SARs in a five-month period, of which only 60% were completed within the statutory deadline. Some of the remaining SARs are reported to have taken over 18 months to receive a response;
London Borough of Hackney – in an eleven-month period the Council did not respond to over 60% of the SARs submitted to it within the statutory timeframe. The oldest SAR was over 23 months old; and
London Borough of Lambeth – in a year the Council had responded to only 74% of the SARs it had received within the statutory timeframe. The Council continued to have a backlog of SAR cases and, based on the updated figures, this did not appear to be improving.
Elucidate Consulting were commissioned by a local authority that had identified the risk associated with FOIs and SARs, and whose performance data indicated a growing number of instances of non-compliance with the statutory deadlines. To manage these risks, the review:
Undertook a root cause analysis of delayed FOI and SAR responses;
Reviewed the arrangements to monitor and report upon FOI and SAR performance data;
Reviewed controls, including segregation of duties and authorisation arrangements, to ensure that data disclosures made under both FOIs and SARs were compliant and did not reveal any data that should not have been disclosed; and
Reviewed the policies, procedures and staff training with regard to FOIs and SARs.
The review made recommendations to enhance the monitoring of both FOIs and SARs, including the development of a defined escalation pathway to address cases at risk of exceeding the statutory deadlines. The work also made recommendations to improve data search protocols, especially with regard to SARs, and changes to operational procedures for handling emails containing data relating to an individual or group of individuals.
Our client was proactive in commissioning a review before the backlog resulted in an ICO referral or potential reprimand. The work also addressed the risk of confidential information being disclosed in FOI or SAR responses.
This case study demonstrates that prompt intervention and corrective action, informed by performance data, can prevent reputational damage.