On the 10th of June 2013 I spoke at an event titled “Transparency in UK Policing” run by the Association of Chief Police Officers. Around a hundred and fifty people from all but one or two of the country’s police forces were present, along with staff from the information commissioner’s office and central government.
I had been invited for two related reasons; the first being I’m someone who uses Freedom of Information requests in relation to the campaigning on policing related matters which I get involved in (that campaigning itsself often includes on lobbying for greater openness and transparency). The other reason is I’m a member of the volunteer administration team which is responsible for much of the day to day running of mySociety’s Freedom of Information website WhatDoTheyKnow.com. In the event programme I was billed as “journalist” (I’m perfectly happy with that, though it wasn’t how I described myself).
I made clear I’m just a volunteer helping out with a couple of mySociety’s projects, I’m not a member of mySociety’s staff and certainly don’t speak for them. My attendance at the event was supported by the WhatDoTheyKnow.com team; we see staff at public bodies as our users who we need to maintain a good relationship with just as much as those making requests and are happy to talk about what we do. Members of the team have attended a number of events.
What I Said
Given the audience WhatDoTheyKnow.com needed almost no introduction; it’s a website which helps people make Freedom of Information requests; and its key feature is it makes the FOI request, any related correspondence, and the response, automatically available online for anyone to read.
Running WhatDoTheyKnow.com Responsibly
One of the key points I wanted to get across is that we strive to run the site in a responsible manner. We’re not Wikileaks. We don’t take a idealogical position that all information must be free. While I didn’t want to try and define us by what we’re not I noted our service hadn’t been installed on a server run in a remote jurisdiction and just left to run, unchecked.
I explained how WhatDoTheyKnow.com fits into the wider context of myScociety, with the wider group of staff and volunteers who make up the organisation contributing to running the site; with mySociety’s director, Tom Steinberg taking a role of “editor”, in relation to the site, and the trustees of the charity behind WhatDoTheyKnow and mySociety also, as those ultimately responsible for the site, being involved when required.
WhatDoTheyKnow.com is not a one man operation; it’s run by a serious organisation. It’s trying to make a difference, it is trying to “poke the beast” but it’s striving to do so in a responsible manner and has strong governance arrangements.
Just by running our site we:
- publicise FOI, the existence of the law, and what it enables.
- publicise how public bodies respond to requests and through that encourage better performance.
- make it easier to make FOI requests, and make it easier for people to find information released via FOI
- enable requestors to cite their responses when taking action based on them
That last point is really key, WhatDoTheyKnow.com acts as an independent third party, providing evidence that a FOI response really did come from the public body in question; making it easier for those who a request might be taken to, such as a journalist, or MP, to take action on the back of it.
The WhatDoTheyKnow team have some primary campaigning points:
- The scope of the act should be extended to cover a wider range of public bodies.
- Time limits should be introduced for public interest tests and internal reviews.
- There is a need for more proactive publication of information, and a culture of openness and transparency needs to continue to be nurtured and extended within the UK’s public sector.
We’re not really FOI campaigners as such; what we want to see is a continuation of the culture change that we are already seeing in many parts of the UK public sector. Proactive publication is far preferable over information being requested via FOI.
I gave some examples of the things that public bodies, like police forces, ought be pro-actively publishing such as policies, meeting papers, statistics and performance data. I also talked about releasing raw data, and what the new dataset provisions expected to come into force soon might cover in relation to policing. For example if police conduct speed surveys, that will perhaps come well within the definition; quite what else will be included when the act is interpreted is unclear. Might it enable someone like me who campaigns on phone answering performance to prompt the regular release of phone answering performance data for example?
Database of Public Bodies
I explained how WhatDoTheyKnow’s database of public bodies was created and maintained by largely by volunteers, and how we think it might be one of the most comprehensive lists of UK public bodies available.
I note we still add bodies on request and despite listing more than 15,000 bodies we don’t yet cover all schools, parish councils, pharmacies, or GP practices; though we are comprehensive when it comes to other areas such as police forces, police and crime commissioners, central and local government.
The policy of adding bodies we think ought be subject to the act, if they are formally, or not, as a form of activism was also explained. We add bodies which voluntary respond to requests for information and asses others based on the degree to which they:
- make public appointments
- receive substantial public funding
- control public assets
- have a regulatory function (eg. control access to professions)
- control significant national infrastructure
- distribute public funds
We also add public bodies caught by the loophole in the act which excludes organisations owned by two or more public bodies.
We have approaching fifty thousand registered users, and many more people visit the site and read the content without registering.
I was aware of questions and concerns surrounding the site’s policy regarding anonymous users. What we do is make our users aware of the position, to be valid a FOI request requires a name, so use of an obvious pseudonym may result in it being rejected (though the ICO’s guidance is that responding would be good practice) , also if a real name is not the opportunity to appeal to the Information Commissioner, and above, is lost as a real name is then required.
I noted that our site only allows one user name per email address; and makes it no easier to make FOI requests using different names than email providers like Gmail or Hotmail.
This was a subject I knew there would be quite some interest in, so spent some time on it.
Requests made via WhatDoTheyKnow are automatically published online without human intervention, and responses too go straight on the website without pre-moderation.
There are two reasons for taking this approach; one is we don’t have the resources to pre-moderate content on the site and the second is the current state of the law which holds us more responsible for material on the site if we do carry out pre-moderation than if we do not.
We are responsive to concerns about material posted on the site. We are easy to contact, and there is a “report” button next to every request. The volunteer team spend a large amount of time dealing with requests to take material down from the site.
Sometimes requestors put their personal information in their requests; for example their addresses, or personal background information about what has happened to them, and where this is brought to our attention we remove it.
Where we remove information we do so transparently we’ll add something like “Personal Information Removed” in square brackets in place of the removed material, leaving the FOI request visible on the site.
If anything is not a FOI request we will remove it from public view on our site. We’re not a site which allows people to engage in general correspondence with public bodies online. If someone uses our site to try and make a subject access request under the data protection act we will will take it down. When we take material down we can “hide” it from public view so that while it isn’t on the website the user who made the request can access the correspondence and, for example, read an authority’s advice on how to get in touch directly and make a subject access request.
We also have personal information released by public bodies. For example those responding sometimes include signatures along with responses. If someone thinks that their signature being available poses a risk of identity theft or fraud they really shouldn’t be sending it out to the public they’re corresponding with, but they do, and in such cases we’re happy to take the signatures down; though sometimes we need the help of the public bodies to provide new copies of documents.
Accidental Releases via Excel
I used the opportunity to describe, in detail, the mechanism behind some of the worst accidental releases of personal information which we have seen.
What appears to happen is a FOI Officer obtains information which contains personal data, puts it into Excel, and tries to create a summary sheet, or pivot table, containing anonymised data. The personal data is not though deleted before release; often sheets within Excel are only “hidden”. The personal data is still present, it can be easily unhidden. It may be particularly clear that hidden sheets are present and available in some versions of Excel.
Our website, and Google’s cache, both convert documents to HTML which can make accidentally released material even more easy to find. It’s not of course our website, or such services which are at fault, its the bodies accidentally releasing the information.
I suggested not trusting the black box of Microsoft file formats, and considering using text based, eg CSV, files to release information. I urged against the printing out and scanning in of spreadsheets and other data and instead providing it in an electronic format enabling re-use.
The problems of personal data release in this way are not limited to the police; but we have seen police forces release information on those arrested for certain offences, information on victims of crime, and personal information about police officers.
I noted dealing with accidental releases is massively time consuming for us, the WhatDoTheyKnow.com volunteers.
Defamation is a particular concern for WhatDoTheyKnow given the state of UK libel law and the size of libel damages which could, if an error is made in a case involving defamation, result in the financial ruin of the organisation behind WhatDoTheyKnow.
Where defamation occurs in a request we remove it if our attention is drawn to it. Sometimes people do, for example, make allegations alongside FOI requests. We urge our users to keep requests to simply describing the information sought, and not including any extraneous material.
Very very few, if any, valid FOI requests in themselves have to be defamatory. There is perhaps some grey area, for example we’ve had to consider if asking for information on complaints against named individuals is acceptable. We’ve come to the view that in the case of regulated professionals such as police officers, doctors, social workers etc. that straightforward requests of that nature are reasonable.
More interesting is defamation in material released under FOI.
There are a small number of documents which anyone can request via FOI, which we have not been prepared to continue to publish on WhatDoTheyKnow following threats of libel action. This isn’t a big problem in terms of the quantity of such documents, but it does highlight a rather bizzare state of affairs. Personally I think the law ought be changed to give privilege, ie. exemption from libel law, to those publishing documents obtained from public bodies under FOI.
I ran through some of the routine administration we do:
- Requests are classified as “successful”, “refused” etc. In the first instance the requestor gets to select this classification, then if they fail to make a choice we open it up to all users. If there’s an error we, as the admin team, are happy to look at and correct it.
- We deal with responses made by post, eg. on paper or by posting a CD, however this hasn’t turned out to be as great a problem as those setting the site up thought it might be. This is presumably aided by S11 of the FOIA requiring the taking into account of a requestor’s preferred means of correspondence.
- We also maintain our list of public bodies; dealing with emails which have bounced and correcting contact addresses
- We suspend users who misuse our site persistently.
- We have a cap of 10 requests a day on most users. We consider lifting this on request, and advise users how they might improve their requests. (It’s worth noting WhatDoTheyKnow does not enable people to make requests to say all police forces, or all local councils, with one click. We’re mindful of our reputation, and that of FOI itsself, and think that if people have not got the time to copy and past and click a button to make a FOI request then they’re not going to have the time and resources to chase up, and act on the responses.
- I noted we don’t currently allow private requests; but if a campaign group or newspaper, got in touch that might be something we could do. We would like to see as great a fraction of FOI requests made via our site as possible; and requests being available eventually, perhaps as an article is published, would be better than them not being available at all.
- Road safety
- Pensions, pay and conditions
- Policies and powers
- How money is spent
- ACPO Guidance on 20MPH Speed Limit Enforcement
- Force Executive Board Papers
- 999 System Performance and Failures
- Cambridge Neighbourhood Action Group Papers
- Restorative Justice – Neighbourhood Resolution Panels
- TASER Statistics Publication Schedule
- Separation of personal and other exempt information at the time data is entered / documents are created.
- Collaboration on data release between policing crime and justice bodies.
- The ability to follow cases, eg from the police to the courts and probation. I noted how police at local meetings can often talk about how many arrests they’ve made, but not what happens to people after that.
- Timely, live information.
- Helilogs – I said that when a police helicopter is up I’d like to be able to find out why. Often it will be possible to release that information, though sometimes it won’t. Such communication could reassure people it’s still safe to go out despite a significant police presence, if for example there’s a search on for a missing person, informing the public might actually help.
- Police “blotters” – the information USA police often provide online, or to local papers, giving often colourful and timely accounts of what the local police have been up to. ie. making those elements of the incident log which can be made public, available.
- Court lists – so we can return to justice being seen to be done, in public.
Police.uk are making attempts, and given the kind of information that’s on police.uk is so popular as it is; imagine the level of public interest if what was there was more timely, interesting, and better connected with others outside and beyond policing such as the courts, probation and health services.
- Placing news releases online, not handing to friendly reporters.
- Greater consideration of the wider public, and elected reps as end users of reports – for example reports on collisions, so they can be considered when road environment changes or planning applications are considered. (Statistical information is available, but the detail can be very hard to access)
We may remove requests deemed vexatious from WhatDoTheyKnow. We take our own judgement on what counts as vexatious, based primarily on if the correspondence clearly has no serious purpose.
It’s not easy to draw the line; for example should requests on ghosts or UFOs be allowed. One council has spent public money on an exorcism and information on UFOs has been created in the Ministry of Defence, so it’s not always clear cut.
What I and Our Users Request
I briefly went through some examples of what I and our users have been requesting in the area of policing. Including:
Topics users make requests on:
Some of my requests:
I noted that I make all my requests in public; and am happy to stand up in-front of people and defend and explain them (as I was doing at the event, and often do in public meetings where I live in Cambridge). My own profile on WhatDoTheyKnow.com links to my personal website, Twitter account and includes my photo.
Police and Crime Commissioners
From my point of view, as a campaigner, and someone interested in following the work of my local police, a lot of proactive routine publication of material stopped completely when Police Authorities were abolished.
Police Authorities used to publish information on police policies, proposed changes to policies, financial information, performance information and more in their committee papers.
As a response to that stopping I’ve been making requests for example for papers from my local police’s “Force Executive Board” and my local Commissioner’s “Business Co-ordination Board”.
It’s hard to find out if, and where, material can now been requested from. The more information that is available about the structures which are being set up to take decisions the more targeted and clear FOI requests can be.
I noted the variation in what is being protectively published by Police and Crime Commissioners; particularity for example what they are including within the spending information they are releasing.
Force Executive Board Papers
I spoke about my requests for Cambridgeshire Police’s Force Executive Board Papers (which arise following the demise of proactive publication through the police authority). My latest request has been declared vexatious, on the grounds that redaction required would be disruptive to the operation of the force. I personally accepted there is a problem with the law in that redaction time cannot be considered in relation to the cost limits. I did explain the kind of proactive release of information I would like to see eg. publishing agendas in advance, publishing papers which can be published, publishing minutes in a timely manner and separating any material that cannot be released into eg. “confidential appendices” as local councils typically do. That kind of approach would reduce the number of FOI requests being made, and enable those which are made, and require redaction, to be more precise.
Another specific series of requests I drew attention to were those on TASER statistics.
The issue here is again a failure of proactive publication. I pointed out that FOI surveys, eg. those carried out by media organisation, asking forces for TASER use statistics wouldn’t be required if the Home Office proactively published the data (as it used to do), my own requests about the publication schedules would also not have been required.
An Ideal World
I took the opportunity to describe some of the things I’d like to see in an ideal, open and transparent world in the police, crime and justice sector:
The public are increasingly being given opportunities to have a say in relation to policing; where I live we my local councillors have local police priority setting meetings where the public can speak, and we’ve got elected Police and Crime Commissioners. It’s important the public can comment, and fulfil their role, from an informed point of view.
Work With WhatDoTheyKnow
I encouraged public bodies to link to WhatDoTheyKnow.
And noted mySociety has been working with some public bodies on a commercial basis looking at how WhatDoTheyKnow, or related software, could be used as a disclosure log, or to manage FOI requests.
I knew people were interested in how WhatDoTheyKnow.com was funded; so stressed much of the day to day admin is done by volunteers, so that’s probably one of the prime routes the site itsself is supported, through the donation of time. mySociety which runs the site is funded from a range of grants (especially a recent large one) and the organisation also does commercial work the profits from which help to support its sites like WhatDoTheyKnow. If policing bodies are looking to improve what they’re doing online (many Police and Crime Commissioners have promised things like crime reporting apps, and more user friendly provision of information) they could certainly consider talking to mySociety.
The work mySociety is doing on the software behind WhatDoTheyKnow is largely focused on helping people set up similar sites in other countries.
Many questions were put to me prior to speaking so I was able to cover lots of points I was aware there was interest in during my presentation. (I was able to proactively release the information without having to be asked!)
I was asked about what we do in term of tracking ICO decisions. I pointed to the annotations feature on WhatDoTheyKnow which lets people link to decision notices. (We don’t directly integrate with the ICO). I pointed to FOIWiki.com, run by one of the other WhatDoTheyKnow volunteers and the work done there to make ICO decisions more accessible. I also noted that mentions of WhatDoTheyKnow.com in decisions often come to our attention; and that it can be surprising that the ICO don’t put more weight on the record of correspondence we provide on our site when compared to the perspective of the public bodies.
One police force asked if we could do more to point to some work they’ve recently done making more material pro-actively available. We’re happy to consider any suggestions for improving the public body specific text providing advice to users before they make FOI requests. We already link to public bodies’ website and publication schemes where we have that information in our database. We can also add more text and links, for example if they have disclosure logs or pages where they are pro-actively releasing financial or policy information we can link to those too.
Another force expressed an interest in using WhatDoTheyKnow.com as a disclosure log; and I suggested they contact mySociety’s commerial team
Another police force asked about a phone number for a specific member of staff published on our site. Generally we’re happy to publish work phone numbers for staff, but we will consider taking action if the publication is causing a nuisance, perhaps by removing it an adding an annotation with a more appropriate contact number.
ACPO noted they do provide guidance to police forces on what they really ought be pro-actively publishing.
Overall the response was very positive and friendly. If the beast is happy are we poking it effectively? I hope though it’s more that our responsible running of the site is being appreciated and recognised and we’ve got good policies in place.
There were only one or two live tweets from the event. It was jokingly suggested that if Nick Keane isn’t at an ACPO event then nothing emerges from it on Twitter. It wasn’t really clear to me, and some of the other guests, if tweeting was permitted or encouraged. It wasn’t an event which was open to the public.