A draft copy of a report by Sir Nigel Sheinwald recently came to public attention. This report dealt with data sharing and called for new treaties to force corporations to cooperate with government demands for access to data.
This could, as the Guardian have already pointed out that it could be used to provide an alternative to the other main proposal (commonly referred to as the ‘snoopers charter’). Unfortunately the government chose to classify the document as top secret. This decision was apparently based on the presence of commercially sensitive information in the report. Such information could, however, been redacted from any published version of the report and the presence of such information should not have prevented publication nor require the document to be classified in any way.
As a concerned citizen worried what about the impact such agreements could have on me I asked for a copy of the report. The Cabinet Office replied reasonably promptly, although to my dismay they chose to deny access and claimed that since the information was already in the public domain they had no obligation to release the information again (s.21 of the FoIA). There was one problem with that conclusion however: the information that was in the public domain wasn’t the report that I had requested but rather only a summary of the report.
A summary is not sufficient in my view especially when it involves fulfilling requests made under the Freedom of Information Act. Details could be added, removed or entirely misrepresented (either by accident or otherwise).
Those of you that follow Freedom of Information related news may already know that this isn’t the first time that summaries have been used in response to such requests. The government tried a similar tactic over recent years with access to MP expense receipts. The summaries were seen as insufficient, and appeals were made first to the ICO and then subsequently the tribunal. In both cases they sided with the reporter trying to gain access to these documents, but IPSA made the misguided and ultimately futile attempt to challenge all of these appeals. Luckily for both the reporter and the wider general public even the court of appeal agreed with the requester, the ICO and even the tribunal.
I was already aware of all of this at the time of making my request, and I must confess that the way in which they seemed to be playing games with public access to documents annoyed me.
They may want to maintain tight control over how information is presented, but once you take this out of the equation there is only one reason that comes to mind for using summaries: any such release of the full report would make the level of redaction clear to the general public. The contempt that the government has shown to the public and to the Freedom of Information Act in general would be laid bare in the large chunks of redacted text in anything they choose to release. The end result of this would be questions being raised over the validity of the use of s.23 and s.24.
They seemed to be making an effort to appear transparent whilst at the same time failing to comply with the request. I therefore decided to ask for an internal review.
S.23 is an absolute exemption. This means that information can be refused without first having to consider any public interest argument against withholding the information. The problem I have with this argument is that the reason for using s.23 isn’t entirely clear given the subject matter of the report. This is a report involving corporations & data sharing and unless the report contains detailed examples that include details involving specific operations or the internal structure of said organisations then I fail to see how s.23 could apply here. Even if it did it should not be so difficult to release a copy of the report with any such sensitive detail redacted from it.
Personally I suspect they are using s.23 not to protect the work of government agencies, but to protect development of policies that they have already decided are the way forward, regardless of the impact they may have. I’m also left wondering if the use of s.21 in the initial response and s.23 in the internal review was an attempt to sidestep the public interest test normally applied to more appropriate exemptions such as s.35.
It should also be noted that at no stage have the Cabinet Office attempted to use s.35 to refuse my request in this case, and have relied purely on s.23 and s.24 after apparently realising that relying upon s.21 was a mistake.
In addition the use of s.24 seems to be questionable, since the result of the internal review seemed to suggest that the information protected by s.24 was distinct from the part of the report protected under s.23 and this in turn raises other questions. Apart from anything else, just what are they protecting?
It’s difficult for me to get rid of the impression that they’re using circular logic: they initially classified the report as top secret because ‘national security’, only now I wouldn’t be surprised if the use of s.24 was based on the fact that it has previously been classified. So we could have ended up with a situation where the report has been classified because of national security, and it relates to national security because it’s been classified. It’s an endless loop with no way out.
As others in the media have pointed out it’s widely believed that the report contains commercially sensitive information.
I hope that the Cabinet Office isn’t using s.24 when all that has been protected are commercial interests, or merely because they’ve arbitrarily decided to block access. That really would be appalling and serious abuse of the levels of secrecy only available to them and other parts of government.
It’s impossible to have any reasonable debate about something if you can’t understand it, and you can’t understand it if information is withheld like this. How are we, as members of the public, supposed to have faith in the legal system when the reasoning behind any changes is being withheld from us like this?
For that matter why should we trust them with such powers given the abuses by local authorities in the past? Legislation intended to help catch terrorists has already been abused to check on such ‘serious’ crimes as applying for school places outside their catchment areas and people not clearing up when the mess left by their dogs or littering.
In my opinion – whatever that may be worth – the sheer insanity that plans such as this represents coupled with other failings, notably the OPM hack in the US, significantly strengthens the public interest argument for releasing the report. Any new data sharing treaty is likely to work in both directions, and in many cases to the detriment of UK citizens (as they often seem to do in the case of extradition treaties). The end result is that whilst the UK will be able to demand cooperation from other countries, those other countries will also be able to demand that same level of cooperation from us.
The lack of rights for foreigners in other countries – or lack thereof – is a huge concern, especially since some of them have been found to share unfiltered data with yet more countries. This means that anything even remotely personal shared with those 3rd parties could end up in the hands of states not bound by any treaty that the UK has signed. Assurances such as Safe Harbour, Mutual Legal Assistance Treaties and other mechanisms intended to control access are meaningless here (not that Safe Harbour has a promising future at this stage).
If you need any evidence of this then just look at Microsoft trying to prevent US access to servers in Ireland, despite the US having established a Mutual Legal Assistance Treaty with Ireland, large corporations in the US pushing for CISA to be passed into law or the very Safe Harbour framework relied upon by those same US corporations being called into question.
The government here is being naive if it truly believes that our data is protected in any meaningful way once it leaves their control.
In any case an appeal has been lodged with the ICO. It will be interesting to see what the outcome is. I would hope that the ICO would at least agree with me that a summary is not an appropriate response to an FoIA request in such cases.
UPDATE: The CJEU has ruled against safe harbour (or harbor). This means that companies exporting data to the US from the EU cannot now rely upon it. It might also be worth adding that all other mechanisms for legalising export of data to the US – including BCRs – suffer from the same issue that resulted in safe harbour being struck down, so it will be interesting to see how regulators such as the ICO respond to recent developments.