Justice CommitteeWritten evidence from Gary Shipsey

Executive Summary

1. The cost of responding to requests will be greater if records are poorly managed and data of poor quality. The inclusion of the Section 46 Code of Practice on records management recognises this; however, the relative lack of investigation into, and enforcement of, compliance with the Section 46 Code, and the fact that it is not directly legally binding on public authorities, is a major area of weakness in the FoI Act.

2. Any debate about the cost of complying with FoI must therefore be viewed alongside a debate about whether sufficient regard has been had to complying with the Section 46 Code and, more so, when resource has been allocated, has it successful embedding records management in the organisation. A failure to comply with the Code, a failure of records management should not enable the “cost of complying” to deny access to information.

3. Published details purporting to state the cost of compliance with FoI must be scrutinised—included in this submission is a factual example of where the published figures are not supported by any actual data, but instead by approximations that happen to match the maximum cost limit defined by the Fee Regulations, with the likely impact of exaggerating the cost of compliance.

Submission

4. One area of weakness is the Section 46 Code of Practice on records management not being directly legally binding. The impact of not following the Code is recognised by the ICO; it is “likely to lead to breaches of the Act”.i

5. This issue directly affects compliance with Section 10 (time for compliance); the Foreword to the Code notes this:

Access rights are of limited value if information cannot be found when requested or, when found, cannot be relied upon as authoritative. Good records and information management benefits those requesting information because it provides some assurance that the information provided will be complete and reliable. It benefits those holding the requested information because it enables them to locate and retrieve it easily within the statutory timescales or to explain why it is not held.ii

6. Poor records management also affects an issue highlighted by the Ministry of Justice’s memorandum: the cost of compliance. The cost of responding to requests will be greater if records are poorly managed—the Section 46 Code highlights some key risks:

Unnecessary costs caused by storing records and other information for longer than they are needed; Staff time wasted searching for records; Staff time wasted considering issues that have previously been addressed and resolved.iii

7. Yes, the inability to include reading time and redaction time in the cost estimate can mean that tasks necessary to ensure compliance with the FoI Act are not included in the estimate of the time taken to comply, but the resources required to undertake these tasks should be minimised if records are being managed: the need to review documents would be reduced if they were appropriately protectively marked and stored in the first place; the amount of redaction would be reduced if the volume of records held was only that which was necessary to meet legal and business requirements.

8. The few Practice Recommendations made in relation to public authority failure to comply with the Section 46 Code demonstrate two key issues; I outline them below.

9. Some organisation just did not prepare their records keeping for Freedom of Information. Practice Recommendation reference FPR 0150 638, Nottingham City Council, 23 October 2007, highlights that, seven years after the passage of the FoI Act, a large unitary authority had “no culture of corporate information or records management” and did not allocate specific funding to the subject.iv The Practice Recommendation outlines a number of failings; I quote a few below for emphasis:

There are no corporate or service wide filing systems for either electronic or paper-based information.

The lack of a strategic corporate approach to records management… complicates and slows the process of responding to FOI requests.

Paper information is often stored both locally and in group filing systems with a significant amount of duplication between the two. Management of older paper records is often poor or non-existent and is largely dictated by storage space. In several cases only one or two people know the system well enough to retrieve documents when required, and there are significant volumes whose content, sensitivity and retention requirements are effectively unknown.

Electronic information is created and kept in personal drives, shared drives or email accounts. Emails are generally kept within the email system or printed if they are important. There is some evidence of poor practice in the management of personal and shared drives, including inappropriate storage of information with departmental or corporate value in personal drives, rendering it invisible and inaccessible to colleagues who may need it.

Generally, older information is only destroyed when more space is required….There is no systematic or organised disposal of records once they cease to be in active use.v

10. It is little wonder that Nottingham failed to locate information when an FoI request was submitted. The cost of complying with FoI would clearly be high—in order to overcome the records management failings.

11. Yet allocating resource alone is not sufficient to ensure the necessary culture and practices are adopted. Practice Recommendation reference FPR 0224 884, Department of Health, 3 March 2009, highlights this:

The Information Management and Governance Team has specific responsibility for records management. The team is well organised, reasonably resourced in relation to its current activities and is considered both professional and supportive by colleagues elsewhere in the organisation. However, due to the devolved nature of corporate processes in the Department, it is not clear whether this team has the necessary levels of organisational support to be fully effective. Furthermore, the work of the Information Management and Governance Team is adversely affected by the prevailing culture which allows business units to choose alternatives to recommended corporate systems where they wish to... the Information Management and Governance Team do not possess a formal mandate to monitor, police and enforce official policies.vi

12. There is public money being spent on records management. It can be well resourced in terms of people and money—but if the organisational culture does not embrace their message, if records management practice and custom does not change, then the cost of compliance with FoI requests will remain high. The sections “record creation” (paragraphs 35–40) and “record keeping” (paragraphs 41–55) of the Practice Recommendation outline the impact of the failure to embed a culture of records management.

13. These two Recommendations are a few years old—but the questions raised recently about Michael Gove MP and the use of private emails highlighted the issue of records keeping once again; the use of private email accounts, outside of government systems, to store records of government business again demonstrates how a poor adherence to a culture of records management will increase the resource required to comply with FoI requests. In July 2011, the Parliamentary Under Secretary of State replied to a question about the guidance provided to Ministers about the use of private email accounts for official duties as follows:

Ministers and special advisers: “DON’T use unofficial devices (such as your own/constituency PC/Laptop/PDA) or unofficial services (such as internet email accounts like Hotmail or Gmail) to access or hold DfE information. Only official devices and services have been tested and risk assessed to ensure they are secure enough for routine HMG business”.vii

14. Yet the story that broke in September 2011 suggests that, like the Department of Health, there is a gap between the existence of records management policy and guidance and the actions of officials.

15. The costs of responding to requests will also be greater if the quality of data created and held by organisations is similarly poor. The Audit Commission National Report Is There Something I Should Know? found that less than 5% of councils have excellent data quality and “many acknowledge that their data quality problems are fundamental in nature.”viii

16. Table 7 of the Report provides four examples of poor data quality. They are almost comic, but they sadly provide examples of where, should an FoI request be made for the data involved, the cost of complying would undoubtedly be high—because the public authority have to (and would want to, to ensure accuracy) try and address the longstanding issues about data quality before responding. Either that, or they provide a set of data that is clearly of poor quality—exposing the longstanding data quality issue—or they state they cannot provide the figure or statistic being requested within the appropriate limit—a possibly damning response if the figure or statistic has importance. Addressing data quality issues can take time; that this time and resource was not previously allocated is not the fault of the FoI requester or the FoI Act.

17. FoI requests often only expose the longstanding data quality issues; they are not the cause of the issues and the cost of sorting them should not be placed at the door of “complying with FoI”.

18. With these issues in mind, I provide below an example of a public authority claiming to articulate the cost of complying with FoI, and how this is, in fact, based on no hard data.

19. The Avon and Somerset Constabulary FoI pagesix tell you, immediately and with no uncertainty, how much FoI costs the Constabulary; they provide the calculation they use to reach the figures: “Requests x £30 per hour x 18 hours (average time spent per FOI request, some requests take significantly more time)”.

20. They are therefore claiming that the maximum 18 hour cost limit prescribed by the Fees Regulations does, in their case, also amount to the average time the Constabulary spends per FoI request. Knowing that they must (surely?) handle at least some requests quicker than 18 hours, I was interested to see the data behind the calculation—I mean, how long must some of the request take to get to the average of 18 hours?

21. I submitted an FoI request for “the data showing how the £30 cost and the 18 hour average time spent per request were arrived at.”

22. I received the following response: “no data is held. The figures were derived from approximations of staff time spent on the Freedom of Information process and an approximate hourly rate.

23. Publicising these figures so prominently at the front of the Constabulary’s FoI page therefore seems disingenuous and, frankly, a deliberate attempt to make compliance with FoI appear a costly burden when in fact it is based on nothing more than “approximations”.

24. None of the other 42 forces in England and Wales have adopted this approach to publish FoI cost figures on their website. I worry about the records keeping and data quality at the Avon and Somerset Constabulary if they genuinely take an average of 18 hours to answer their FoI requests; if the average is in fact lower, I worry about the message the Constabulary is seeking to send to the public about the cost of FoI.

25. There has been an Information and Records Management Society since 1983. The public sector has known about FoI since 2000. Good records keeping underpins good governance and good decision making; there should be no excuses for poor records keeping or poor data quality. Where they remain an issue, where there is still failure to comply with the Section 46 Code, I expect the cost of complying with FoI requests will remain high—but this cost is only addressing those records keeping and data quality failings, and these should not be an excuse for denying access to information.

Recommendations

26. Make compliance with Section 46 Code of Practice legally binding.

27. The activities that can be included in the estimate of the cost of complying with requests for information created on or before the Freedom of Information Act 2000 came fully into force on 1 January 2005 should be expanded to include the time taken to read the information once and the redacting time. However, the activities that can be included in the estimate of the cost of complying with requests for information created after 1 January 2000 should remain unchanged.

28. This distinction would recognise that the standard of records keeping and the expectations prior to the full implementation of the FoI Act were not necessarily geared to full public access to information. Information was not created, stored or managed with the expectation that anyone might seek to access that information at any time; this can result in the need to thoroughly review such information in the event of a request and redact large amounts of information in order to comply.

29. However, public authorities were fully aware of the changes that FoI would bring, and had five years to prepare for those changes. Therefore those complying with the Section 46 Code of Practice, those that recognised the business benefits of good quality data, would have been creating, storing and managing information after 1 January 2005 with the expectation that there could be requests to access that information. Their use of file plans, retention schedules, Electronic Document and Record Management systems, protective marking scheme (and other records management tools) mean that they only hold the information they need to hold, that they have a structured and managed approach to handling information, and take practical measures to enable routine access to information.

30. Extending the activities that can be included in the estimate for requests for all information would therefore penalise organisations who invest in managing their records and data and enable those who do not pay sufficient regard to such matters to deny access to information purely on the grounds of their poor record keeping.

February 2012

References

i The Guide to Freedom of Information, Version 1.0, ICO, January 2012, Page 8.

ii Foreword, Lord Chancellor’s Code of Practice on the management of records issued under section 46 of the Freedom of Information Act 2000, 2009, page 4.

iii Ibid., page 5.

iv FPR 0150 638, Nottingham City Council, 23 October 2007, Paragraph 14

v Ibid., Paragraphs 18-20

vi FPR 0224 884, Department of Health, 3 March 2009, Paragraphs 23–24

vii Tim Loughton (Parliamentary Under Secretary of State, Education; East Worthing and Shoreham, Conservative) responding to Kevin Brennan (Cardiff West, Labour); Hansard source Citation: HC Deb, 19 July 2011, c905W: see http://www.theyworkforyou.com/wrans/?id=2011-07-19b.66782.h&s=email+speaker%3A10753#g66782.q0

viii Is There Something I Should Know? Making the most of your information to improve services, Audit Commission, July 2009, page 6

ix http://www.avonandsomerset.police.uk/information/FOI/

Prepared 25th July 2012