Original script may differ from delivered version
Elizabeth Denham’s keynote speech at the ARA Conference ‘Challenge the Past. Set the agenda’ on 31 August 2017.
Good morning and thank you for the kind introduction.
Having started out my career as an archivist, I always love being back with who I like to think of as my people.
Standing here as Information Commissioner in front of fellow archivists, I also recall that I was “this close” to becoming a lawyer.
I studied history and political science as an undergraduate at the University of British Columbia in Vancouver Canada, and on graduation, applied and was accepted to law school where I planned to train in the protection of human rights.
But … it wasn’t to be. Fate, that crafty old codger, devised other plans.
I think I disappointed my parents, pursuing graduate studies in information science – in the newly-minted Master of Archival Studies program at the university. I followed my heart into the world of preserving and overseeing access to archives and historical records.
I won’t go into what date that was – but we did have a mandatory course in “machine readable records” which involved main frame computers and Hollerith punch cards.
This education launched me head-first into a fascinating career.
After graduating I worked as a Municipal Archivist in my home town of Richmond, British Columbia, and as City Archivist in Calgary Alberta, incorporating the records of the 1988 Winter Olympics.
When FOI and privacy laws were first introduced in the Canadian provinces in the 1990s I made the move to freedom of information and privacy rights.
Some of my colleagues thought this transition from archival and culture work to FOI and privacy rights represented crossing to a legislative dark side.
For me though, this crossing felt natural. Many of the ethical and policy issues archivists face have determined the standard and practices for those working with access to information and privacy rights.
After working as a municipal archivist, I then worked as a regulator in the privacy and access area for more than twelve years, across two provincial governments and at the federal jurisdiction in Canada. That was before my move to England, just over a year ago, to take up the role of the UK’s Information Commissioner.
Sunny Manchester is a place I am getting to know as my ‘local city’ – my main office is based just down the road in Wilmslow.
And I understand this is the ideal building from which to appreciate such a great city. Colleagues tell me that from the bar upstairs you can see the whole of Manchester and beyond. I may not have time to visit today but I hope to squeeze in a drink there when I return to this soaring building in three weeks’ time. It’s then my office is co-hosting the International Conference of Information Commissioners.
The event will bring together freedom of information experts and more than 50 regulators (from countries as diverse as Azerbaijan, India and Australia) as we discuss trust, transparency and progressive information rights. That shows how much of a global issue access to information has become. Records matter, whatever you’re from in the world.
But we know records matter, that’s why we’re all here today.
As most of you know, my office regulates both the Data Protection Act and Freedom of Information Act.
Last year we handled 5,000 complaints about FOI requests, over 167,000 about nuisance marketing and more than 17,000 about data protection. We have over 450 staff, with more jobs being created all the time. We are hiring!
My office is tasked with regulating both the right to know, and the right to privacy. This dual mandate helps us adjudicate and balance between public interest scrutiny of government and protection of personal privacy.
Much of our work as regulator on the FOI side relates to record keeping. Questions around the holding of information and release of records by public bodies are dealt with by my office on a daily basis.
Effective record keeping and the proper maintenance of government information is an essential public service and is a prerequisite to good governance. The responsible management of these records ensures the maintenance of institutional memory, that appropriate information is available to decision-makers, that evidence of a public body’s activities is retained, and that legal requirements are met. Information management is also necessary to meet the goals and requirements of the Freedom of Information Act.
Without the proper creation and management of records, any statutory right of access to records will prove unenforceable in practice.
If the public are to access information from public bodies, that information needs to be there in the first place.
Good records management goes beyond the ability to locate records efficiently. As you know, it is also concerned with how and which records should be created, how long they should be retained, and with their ultimate disposition – usually destruction or transfer to the archives.
The essential value of maintaining records in an organised archive has long been acknowledged. As you may have heard me say before, I’m an admirer of Arthur Doughty, Dominion Archivist of Canada. So much so that I have a quote from him displayed on my wall at home. In 1924 he said:
“Of all national assets, archives are the most precious, they are the gifts of one generation to another, and the extent of our care of them marks the extent of our civilisation…
“As a rule the papers of a given generation are seldom required after their reception and primary use; but when all personal touch with that period has ceased, then these records assume a startling importance, for they replace hands that have vanished and lips that are sealed.”
The mandate for records and archiving has been around for eons. What Arthur Doughty said in 1924 was urgent then but his sentiment sets the agenda today too …while the constant evolution of technology gives a different context.
Transparency remains important. People demand to know how governments run their countries and communities. They want and have a right to know what is done in their name, with their taxes.
But if we’re saying we need to have a window into government activities, then there needs to be something inside for people to look at on the other side of the glass.
In Doughty’s day, that meant preserving papers, guarding against fire and flood.
In today’s tech-driven world it means something similar; selecting the appropriate records for preservation, guarding them against heedlessness and hacking.
So what I want to talk about today is preserving digital records and making sure decisions are documented. And I’ll touch on the other side of the information rights coin: data protection.
Tech and the future
Let’s talk about the agenda setter of the day: technology.
The digital world creates a huge opportunity for making transparency automatic and expanding freedom of information. The increase in search and retrieval efficiency offered by technology is a real positive which we must embrace.
The truth is in the details. And if we can find those details more easily, then so much the better.
But the constant evolution of technology creates significant challenges for information management too.
It’s little surprise then to see the digital age being such a prominent part of the National Archives’ Digital Strategy.
The explosion of information and communication technologies has increased the availability, mobility and value of data.
As data and information become more mobile, their flow blurs borders between organisations, government agencies and nations.
What worries me is that in a society where most of us walk around with our digital workplace in our purses and pockets, we all become records managers.
If important texts, emails, instant messages and tweets aren't retained, then we increase reliance on oral government, or even government by “socialised media”.
In a democracy, how does the public hold government accountable and enter into an informed debate if the record is incomplete and unreliable?
Accurate records are necessary to protect citizens’ rights and inform study.
This is an area the ICO is doing some important work in. Last month my office issued a decision notice to the Cabinet Office following a complaint from a member of the public about the response they’d received to a freedom of information request.
It concerned information held by the Cabinet Office on a cloud based communication tool called Slack.
The Cabinet Office refused the request, arguing that to provide the information would be unduly burdensome, primarily because of the manual work that would be needed to prepare such information for release.
Locating any potentially exempt information was going to involve manually reviewing around 65,000 messages.
Although we supported the Cabinet Office’s reason not to disclose the communications in Slack cloud in this case, the citizen’s complaint raised novel issues about compliance with the requirements of the Freedom of Information Act.
Technological changes, such as the advent of cloud based communication tools like Slack, impact the way public servants communicate with each other.
Although it was not necessary for us to take a definitive position regarding the extent to which information held by the Cabinet Office on Slack was held for the purposes of FOIA, we do not see this as a closed case. I will continue to liaise with the Cabinet Office about its use of Slack and the challenges it presents for compliance with FOIA. We will be doing further work in this area and consult with our colleagues at the National Archives.
Our current view is that information held by public bodies, whether in a WhatsApp account, cloud-based tool or text message, is subject to the Freedom of Information Act if that information relates to the official business of the public body. That includes messages by government officials, advisors or ministers. With apologies to fellow Canadian Marshall McLuhan, in the context of information rights, it’s the message, not the medium that matters.
We cannot maintain integrity of the public record while exempting tools such as Slack from effective procedures. Public authorities as well as private citizens require access to official information, wherever and however it may be stored.
This stance is reflected in guidance we’ve previously issued to help public bodies deal with FOI requests and private email accounts.
Important records captured and communicated through private accounts are easily forgotten or deleted. Use of private email accounts and instant messaging to conduct government business can frustrate good governance and undermine the public’s right to know.
And it’s not just government that needs to consider their use of online communication tools. Whether your role is to create archives for a church, charity or business, having an accurate record is important.
If records held on tools such as Slack aren’t kept then it means when “all personal touch with that period has ceased” we won’t have those documents which give legacy to “a given generation”.
Duty to document
That brings us to duty to document – d2d in street parlance.
The duty to create records in appropriate circumstances, often called the “duty to document” has been on information managers’ and regulators’ minds for a decade or more.
I am talking about a positive duty in law to create records of significant decisions, actions and events. That means records explaining and providing context to why a specific course of action was taken.
Minutes of important meetings, decisions, that led to policy change and new initiatives.
D2d is fundamental to the process of information management and eventual archival preservation.
Proper documentation, retention and accessibility also nurture reputation and trust.
I can think of few better examples of damage to reputation than an investigation I headed during my time in British Columbia in 2015. It involved records which were potentially responsive to an FOI request relating to the subject of murdered and missing women on Highway 16. This road is known as the “Highway of Tears” because of the number of aboriginal women who disappeared in that area over a 30 year period. Many were later found to have been murdered.
My former office’s investigation led to a resignation, prosecution, and many weeks of negative media coverage about the records management practices of the provincial government.
My office examined government FOI responses and allegations of records destruction and published a report entitled: Access Denied: Records Retention and Disposal practices of the Government of British Columbia.
It dealt with two government departments and the Office of the Premier.
In the case of one Minister’s Office, a former employee provided a whistle blower account of his supervisor’s alleged destructive of emails.
Our investigation used digital forensics to confirm that an employee had deleted potentially responsive emails to the FOI about the Highway of Tears – and lied to the Commissioner under oath – an offence he was successfully prosecuted for under the FOI Act. The work also revealed a deeply concerning practice of “triple deletion of emails” among some ministerial staff.
Triple deleting means first moving an email to the computer system's "deleted" folder, expunging the email from the folder itself, and then manually overriding a backup that allows the system to recover deleted items for up to 14 days.
My report made 11 recommendations, including changes to information management law: adding a legislative duty to document key decisions of government agencies, oversight of records management and new sanctions for wilful destruction of records.
The British Columbia government accepted all the recommendations in my report and has since that time passed duty to document legislation.
Whether such legislation is needed in the UK is something I’m looking at. It’s an important issue so I’ll be building the evidence and examining the case. If you’ve got any anecdotes (or allegations), or even just opinions, on this issue I’d be most interested to hear them.
Whether the answer to our new digital challenges is a legislated duty to document or not, there’s no ambiguity about the powerful effect government has on our lives as citizens nor about the importance of those records that any given generation creates, as Doughty urged us to appreciate. I am glad that today we still have his comments to hold onto.
Following the public pound
Sometimes it’s not long before records which didn’t seem important at the time become critical.
Take the tragic fire at Grenfell Tower on the 14 of June as a case in point. Fire safety information and product assessments have suddenly become far more significant than I imagine anyone ever thought they would be. They have assumed the “startling importance” Doughty wrote about. As I said earlier, the truth is in the details.
In the wake of such a tragedy, how might councils and other authorities make fire safety information available now and in the future? How can they be transparent? People have a right to know how their communities are run – to know what their homes (literally and metaphorically) are made of.
A compelling public interest adheres to fire safety information. There are councils, and other public bodies that are meeting the requirements of related Freedom of Information requests. But I am encouraging them to go further.
Unless good reasons present themselves, I am urging public organisations holding relevant fire-risk assessments and other fire safety information to publish those records proactively.
Our culture of transparency and the public’s ever-expanding interests are constantly re-shaped by changing contexts. Public bodies that effectively promote trust are the ones who adapt and change their approach.
The Grenfell Tower fire illustrates why the Freedom of Information Act should be extended further. Today my office researches how social housing organisations can operate transparently. For example, housing associations are not currently subject to FOIA because the Act does not designate them as public bodies.
This fact introduces a significant gap in the public’s right to know.
I will address this issue in my forthcoming report to Parliament about extending the reach of FOI legislation.
Lastly, we must recognise another key driver for sound information management – data protection – my other core responsibility.
Those affected by the European Union’s General Data Protection Regulation (GDPR) must comply with its provisions from 25 May 2018. The Government is introducing measures related to this and wider data protection reforms in a Data Protection Bill.
The implementation of the GDPR will underscore the importance of effective information management. I talk a lot about the key role accountability programmes will play in delivering compliance with this new legislation and information management programmes are an important component. The GDPR should help drive the business case for increased investment in these programmes and new information management technologies.
I know the GDPR has raised a number of uncertainties for archives about their legal basis for processing records containing personal data. There are concerns around data subject right of access, right to rectification and erasure.
I know the ARA is seeking GDPR implementation that will support maximum continuity of practice and integrity of private and public archives programmes. We’ve been speaking to government with our support for derogations within the GDPR and planned Data Protection Bill and the Department for Digital, Media, Culture and Sport will be taking this forward.
I could talk all day about GDPR, and some days I do, but for now my advice would be to check out our website. The ICO’s website includes pages dedicated to data protection reform and we’ll be providing updates on there, and through our e-newsletter.
Whether we’re talking about data protection or freedom of information, the dizzying pace of development in the digital world means we must constantly adapt act to stay current and relevant.
Citizen trust in both privacy and Freedom of Information legislation is fundamental to democracy. Open government, freedom of information and data innovation are all dependent on a transparent and a contemporary approach to information management.
These issues are at the forefront of the strategic plan that I released earlier this year. The ICO’s Information Rights Strategy sets out my mission to increase the trust that the public has in government, public bodies, and the private sector. Alongside this plan, we have launched a grants programme which is designed to give researchers and civil society a stronger voice in the information rights evolution.
International issues grappled with by our information community will be discussed in this very building when commissioners from all over the world meet here, in a few weeks’ time. There are still some places available and you can register online at icic2017open.org.
The view from the bar upstairs displays signs of history’s movements: evolution and change everywhere. From the warehouse buildings used for Manchester’s cotton trade during the Industrial Revolution to the Media City development in Salford. But these are also signs of people who have challenged the past and set the agenda. Like we are doing at this conference today. It’s not always easy, or glorious, there are different roads to choose from and decisions to be made.
Sometimes it may feel a bit like Sisyphus – pushing a rock up a hill only to have it roll down again – but when we look at how much more advanced information management is today than when I was looking at machine readable records in Canada, I think it’s clear we’ve made real progress. Today’s stone rolls a little faster but that’s because it’s become smaller and lot easier to push.
We’ve missed out on one more important subject and I put that to you now. Namely the difference between access laws and open government and how the two strands must be integrated for true transparency.
The public has a fundamental right to know what government is doing on its behalf. And that includes not just open government but also access rules – they’re two sides of the same transparency coin.
Then there’s the need for politicians and government leaders to embrace the changes to information management the digital economy brings. They must lead by example and walk the talk.
But, like those planners and builders who stand behind the sights we see across Manchester, I am confident that we will navigate the road ahead. And whatever route we take, Doughty’s words can guide us – archives have a startling importance.
By working together, embracing innovation and anticipating change we can find a path to information management that keeps pace with the digital age.
Thank you for inviting me to speak today. I welcome your comments or any questions that you have.