Recent headlines about personal data breaches at several police forces in Northern Ireland and the UK have understandably shaken public confidence. But the current focus on the role of Freedom of Information requests in these breaches must not distract us from the real story.
“There is not a crime, there is not a dodge, there is not a trick, there is not a swindle which does not live by secrecy. Get these things out in the open, describe them, attack them, ridicule them in the press, and sooner or later public opinion will sweep them away.” Joseph Pulitzer
Freedom of Information (FoI) has been around in some shape or form for many years across the world. It is largely based on the principle that access to information is essential for accountability in the relationship between the citizen and the state.
It is also seen to have a role in preventing (or finding out about!) government misconduct, financial impropriety and even threats to the public’s health and safety. It is generally seen as an essential element of an open and democratic government.
FoI has been in the news a lot lately. Not because it was being celebrated as the key to openness, transparency and accountability, or for being a cornerstone of democracy. It has been in the news because it has been caught up in some of the most extraordinary and disturbing stories involving data breaches that we have seen in a long time.
Those of us who work in this field are likely to be experiencing a number of contradictory reactions to these harrowing stories of real harms to real people. On the one hand it is good that we are talking about these things and they are being pushed up the agenda, but on the other why, oh why, are we so often only talking about them after something has gone badly wrong? Harms done are hard, if not impossible, to undo.
Not only is the scale of the harms staggering (particularly the PSNI incident), but it is also unusual for FoI to be in the mix.
For the personal data breaches to have arisen from what appear to be mishandled FoI requests does, in my view, risk being a distraction. If we are diverting our attention from the real causes of the problems and failures, we are also diverting our attention from the potential for real solutions.
The problem, in the case of recent breaches, seems to have been an almost unfathomable disregard for governance processes, and the failures have been, from what we know so far, human error.
To talk of ‘human error’ suggests a single point of failure in the form of one human being.
The individual who released the information certainly should not have done so. But more importantly, the governance frameworks, controls, and processes in place should not have allowed them to do so. That was the failure point, and it is a critical distinction.
Dealing with information and personal data is not an administrative or tick box task, nor is it any one individual's responsibility. It is a core business activity for each and every employee – regardless of the nature of the business or individual role.
The success, or failure, of an organisation as well as the welfare of individuals is at stake.
Organisations need to invest time and resources into their people and they also need to ensure that they instil good values into and throughout the organisation. Be in no doubt that the ‘tone from the top’ matters.
Information and data are the life blood of all organisations, but we have a very poor track record of truly understanding what that means, especially from a risk perspective.
Those in public service should be constantly mindful of what those two words mean. Putting in statutory or codified standards around access to information, accountability and transparency is critical in seeking high standards of conduct, decision-making and expenditure – all of which is done for and on behalf of the public.
Some examples of FoI ‘exposés’ in the UK:
- MPs’ expenses
- (The then) Prince of Wales’ ‘spider memos’
- Hinkley Point nuclear reactor cracks
- Afghan civilian deaths
- Air strikes in Syria
- Police use of tasers on children
There are many more. Journalists use the code a great deal and you often hear a news story starting with the words ‘following an FoI request.’
Anyone, including the public service, with the responsibility of looking after our personal data needs to recognise the enormous ethical and legal obligations that result. The principles and objectives of the law are not complex, but ensuring compliance often requires careful and informed consideration of what can be a complex set of circumstances. Binary answers to questions of law and compliance do, of course, make things easier for us.
If we are driving a car, we know there is a speed limit.
If we are in a shop, we know we have to pay for things we want.
But looking after information is not binary, so the attention we give it needs to reflect that.
Information governance has been the poor relation for as long as I can remember. Whether it is culturally, economically or politically, I do not believe that we have truly grasped the scale of the opportunity – if we get it right, or the threats – if we do not.
Data protection is not contrary to, or an enemy of, freedom of information; they are different sides of the same coin. Information matters in all areas of our lives.
To seek accountability from those with power whilst at the same time ensuring protections for those who are often without it may require effort, but these things are surely worthwhile when one considers what our world would look like in their absence.
If anything good is to come from the stories making the headlines recently, let it be a shift in our recognition that these things matter not only because there are laws, but because they get to the heart of how we treat each other and ourselves.
There are, as we have seen, risks if we get these things wrong. Just as there are opportunities if we get it right.