Gill Bull, ICO’s Director of Freedom of Information Complaints and Compliance, speech at the British Records Association in London, 13 November 2019.
Original script may differ from delivered version.
“Hello my name is Gill Bull.
I am the Director of Freedom of Information at the Information Commissioner’s Office (the ICO) and I am honoured to be presenting this year’s Bond lecture.
I had wanted to start my lecture by setting the scene with some of the wider context. So I jotted some ideas at the end of March when I started to think about this lecture. They were quickly out of date, so I wrote down some new thoughts a month later. Then of course I reflected again at the end of October. And now with a general election … well there goes my introduction.
Have we known a time where the political picture moves so quickly? We seem to live in speeded up times, where events are transmitted like one of those kaleidoscopes you had as a child, leaving little time for reflection before the next sequence begins.
Similarly, have we known a time when ‘information’ is so contested - both in terms of whether it is actually ‘genuine’, and in how it is used?
One question commentators have been asking is ‘How will history judge this?’. It’s a crucial question. Not necessarily in the way the commentators intended: what will future generations make of the decisions being made right now. But more basically, ‘how will history be able to judge this’?
If those of us living through these times struggle to keep up with such a fast-moving story, how will future generations know what happened? Who made decisions? When did they make them? Why did they make them? Where is the record of them? How accessible is that record?
Which brings us to the man after whom this lecture is presented. As you all know Maurice Bond was Clerk of the Records for the House of Lords Record Office from 1946-1981. He is regarded as one of the most innovative and influential archival figures of the post-war period.
It’s thanks to much of his foundational work that history will be able to judge the decisions being made in Westminster. It’s thanks to his work that future generations will be able to reflect on who made decisions, when they made them and why.
Elizabeth Denham, the Information Commissioner, is fond of quoting a fellow Canadian, early 20th century archivist Arthur Doughty, who said “Of all national assets, archives are the most precious. They are the gifts of one generation to another”.
So what kind of ‘gifts’ do we want to pass on in the second decade of the 21st century? How will they be conserved? What form will they be in and how accessible will these records of history be?
A couple of years ago I took some time out, went back to studying, completed an MA in Cultural Heritage management and went to work for an archaeological heritage charity for a while. The charity was coming towards its 75th anniversary. One of our projects was to reflect on and celebrate the story of the past 75 years. We had a PhD student working with us, and it became fascinating to look at the records of the early meetings of the charity, get a perspective on the personalities and their passions, and feel the emotion of the early battles they were involved with.
So what I want to talk to you about this evening is about the personal and emotional aspects of the work we’re involved with.
How information is handled, how records are managed, how people can access information - can all sometimes be seen as a dry and dusty topic. One that is principally about systems – and how they are developed, maintained and accessed. But for me, this is about people. And rather than being just about the past, it is as much about the future.
I want to tap into the passions of people like Maurice Bond and Arthur Doughty. The passions of women archivists like Ethel Stokes - whose voices can sometimes be more hidden - and the excitement of uncovering a story, and of the emotions that are all around us in the work we do every day.
I’ll talk about the role that access to information has in creating trust – and more importantly - trustworthiness, in the work institutions do, and in democracy itself.
While I will focus on access to information, I’ll also try and explore some of the interfaces with data privacy.
I’ll reflect on how the notion of ‘kindness’ in public policy as developed by the work of the Carnegie Trust and others, could become an even more important part of our work.
But perhaps I should begin by going back to the basics of restating why access to information matters in these turbulent times and is important not only for government accountability, but also for the long-term sustainability of our democracy, which is self-evidently facing all sorts of stresses and strains.
At one level Information is viewed and used as an asset in corporate processes, as our increasingly data-driven economies demonstrate. In economic life, those who control information benefit financially. In public life, information enhances the power of those who control it. Conversely, a loss of control is usually seen as a ‘bad thing’.
Thus the conditions under which individuals and institutions control information directly affects how our institutions function and thus the democratic process itself. It goes to the very heart of respect and trust in our accountability mechanisms. And I will return to these themes later.
The overall goal of freedom of information laws like ours is to help level the playing field. The right to information seeks to disrupt any monopoly on information. Access to information equips citizens, the media, advocacy groups and others with information through which they can scrutinize the myriad decisions and actions taken by public authorities at all levels. So, while the right to information has necessary and appropriate limits under freedom of information laws, once liberated information aids us in holding those in power to account for their actions.
The ICO as access to information regulator
Having set out how I see some of the benefits of access to information I wanted to do a whistle stop tour of the role of the Information Commissioner’s Office and what we do in relation to regulating access to information laws.
Within that context I want to emphasise that a key feature of the work of any regulator is the contribution made by civil society, advocacy groups and academics. That is no different for our access to information work and we are fortunate to have skilled and dedicated organisations to work with. Their work is key on the policy front and also I believe in making a significant contribution to our casework.
Our main casework task at the ICO is to review public authorities’ decisions on requests for access to information under the Freedom of Information Act and the Environmental Information Regulations.
Each year a casework team handle around 6,500 cases about freedom of information – the volume and complexity of those cases is increasing year on year. The vast majority are about very local issues at parish and local authority level – what I often call ‘everyday FOI’ - made by individuals, journalists or researchers wanting to find out information about local decisions, affecting their local area.
This everyday FOI is an integral part of our democracy. Those 6,500 cases are 6,500 examples of people who care about the decisions being made in their name, care about how public money is being spent, and understand the important rights that access to information gives them.
You only have to look at national, regional or local newspaper to see the impact – whether it’s about the time taken for local ambulance services to get to 999 calls, issues of: domestic abuse, public spending, cybercrime, dodgy landlords, inflated bonuses, spurious expense claims or the extent of days off taken due to mental health and stress in a police force.
But what continues to concern me is the proportion of people who are unaware of their rights under the access to information legislation, and that levels of awareness fall with younger people. And what I am still very curious about is the low volume of cases that we see about environmental information - that could be a reflection of how well cases are handled, but equally could reflect the even lower levels of awareness.
So the Information Commissioner’s Office investigates cases where public authorities may have withheld information inappropriately, have failed to respond, or have failed to respond in a timely way. If we cannot resolve a case informally, we will issue a Decision Notice and all of those are published on our website. That is part of our role to promote openness and transparency in our decision-making. It’s an important part of our advisory and education role.
These Decision Notices must be complied with, unless there is an appeal of our decision through the tribunal system. Appeals on which we’ve issued decisions range from scallop fishing in the English Channel to MPs’ expenses. Whatever the subject matter, our decisions ensure that public authorities’ claims for protection of information are justified, based on specific and credible evidence and not assertions of harm through disclosure or other ills – and on the topic of emotions, we often have to remind them that embarrassment is not an exemption!
It’s clear that a great deal of the work of any freedom of information regulator implicates the management of records and information, and this is becoming an ever more prominent part of our work. We are called upon to delve into whether public authorities have kept records that are being requested. We are required to ascertain if they have properly searched for responsive records. We may have to determine whether requested records have been destroyed. We have to decide if information held on personal mobile devices used for work purposes is within scope.
These activities all intersect significantly with issues of records management and preservation. Questions relating to the creation, proper management and maintenance of government records are therefore at the heart of what the ICO does. If public authorities do not maintain a proper record of their decisions and actions, if they do not properly manage their records, the public’s right to gain access to information will be damaged, even thwarted.
And of course digital records are by nature much more varied and complex than the paper records with which archivists such as Ethel Stokes had to deal with. The nature and complexity of digital records affect the assessment of what might have value and thus influence records appraisal and selection. I am pleased that we are working with The National Archives on what a new Code of Practice in relation to records management looks like for the 21st century and I am interested in the work The National Archives is developing for taking a risk based approach to model digital preservation risks.
Not only is records management more complex because of the nature of the information, but also because of the way public services are provided. The outsourcing of services means that originating organisations are not necessarily stable in function, with shifts across the public-private sector divide, and with service providers changing over time. Nor is there any guarantee that service providers take reasonably systematic approaches to record-keeping. And if they do, their objective may not align well with the public interest goals, approaches and expertise of archival practice in different sectors.
The outsourcing of public services to private sector organisations is also of great concern for openness and accountability through the freedom of information act and the environmental information regulations.
As we all know, public services are no longer solely delivered by public authorities. Examples include social housing owned and managed by housing associations, safeguarding services for children run by charities, and leisure centres and prisons run by private companies. Going back to my earlier point, these are areas of public life that affect people, that are emotive, and that people care deeply about. This isn’t about dusty records, but people’s lives.
So let me share some facts that I think demonstrate the challenge – and the ways in which our current regulatory framework has come to be seen as out of step:
- Government spends £284 billion year – almost one third of its expenditure with external suppliers.
- Of the 169 children’s homes opened in 2017/18, 86 per cent of them were opened by private organisations
- When Carillion collapsed, the National Audit Office estimated it had 420 public sector contracts.
And these services are not always subject to the scrutiny provided by freedom of information or the environmental information regulations. And while some proactive disclosure measures and open data initiatives do provide some detail, that can only go so far. I am not the first to say the law has not kept pace with the way services are provided or with public expectations. Next year, 2020 will be the fifteenth year since the legislation came into force. It is inevitable that the environment in which the legislation operates has changed.
Earlier in the year the ICO published a report, ‘Outsourcing Oversight’ making the case to extend access to information - by designating contractors delivering public functions such as when probation services provided on behalf of the MOJ –and by designating other bodies providing services of a public nature – like housing associations, or the publicly funded work of charities.
It is part of the wider debate on what 21st century access to information legislation looks like.
And it’s not just about how the statute is drafted, or how contracts for outsourced services are structured, but it is also about trust.
People must be able to feel that publicly funded services however they are provided are trustworthy. FOI can shine a spotlight and create the conditions for where it is reasonable for us to place our trust. It stands to reason that where that spotlight is not allowed to shine, trust is less likely follow.
Trust and confidence
I’ve not always worked for the regulator. I know that FOI has its detractors and that it can feel like a burden at times, and that it’s easy to get lost in the numbers: how many requests have we had , when are they due a response, are we meeting our targets, and so on.
I think we can sometimes forget about the important relationship that access to information can create with issues of trust and trustworthiness.
We get an interesting perspective on trust when we look at access to information work in an international context.
It’s a context we’re fortunate at the ICO to be well placed to be involved with through our role with the International Conference of Information Commissioners. It’s a global body that brings together FOI regulators to share expertise, support one another, and promote the principle of access to information.
Elizabeth Denham chairs that group, which met in Johannesburg earlier this year. At that conference, UNESCO’s Guy Berger, their Director of Freedom of Expression, described access to information as an issue that “goes with the grain of history.”
I think it’s difficult to argue with his view. Data that on UNESCO has compiled shows how it is right that is spreading. In the last five years, the number of states with access to information laws has risen by almost a third, to 125 countries.
It is still not a universal right, but it is recognised by UNESCO as a central aspect of modern democracy, reflecting a growing awareness of the value of those ‘everyday FOI’ requests. There is a growing awareness that access to information and public trust in how a country is run, is part of the same picture.
There is also an increasing appreciation of the complexity of what ‘trust’ – and ‘trustworthiness’ mean. We all hear reports that we live in a society that is less trusting – whether that is less trusting of journalists, less trusting of scientists, less trusting of civil servants or … politicians.
Yet the trust picture is not as straightforward as you might think.
An Ipsos MORI study published in September this year, called the ‘Trust the truth’ points to the complexity surrounding issues of trust and trustworthiness and emphasises the highly contextual nature of trust and that there is no ‘one size fits all’. It found that in the UK for example, trust of experts has actually risen over the last few decades.
Interestingly, it also found that despite those rises, people’s perception of trust – how much they think other people trust institutions like the government or the press – has decreased.
That’s not an easy concept, but essentially, more people are saying “yes, I trust scientists”. But those same people are also saying “no, I don’t think other people do.”
The Ipsos MORI collection of essays casts a wide net over many dimensions of trust both in the UK and internationally. I was especially interested in an essay exploring what organisations might need to do be trustworthy.
And this is all about asking questions about how to trust, who to trust and what we are being asked to trust in.
And in an international study in the report, three overarching factors stood out as most important in deciding whether or not to trust an organisation: whether it is reliable, whether it behaves responsibly, and…. of course, whether it is open and transparent.
Trust and data protection
But there’s a paradox here. What if the transparency shows the organisation is less reliable? Or less responsible?
This is something we see in our data protection enforcement work, where we are responsible for regulating the General Data Protection Regulation.
When we issue fines or pull back the curtain on hidden processing, it can often decrease trust and confidence in the short term, as people learn of poor data practice of which they had been previously unaware. That theory is supported in our own survey that showed the decrease in trust and confidence alongside an increase in people’s awareness of their data protection rights.
In that respect, data protection and freedom of information are two sides of the same coin. At their core, they are both about transparency and accountability.
They empower individuals to probe, challenge, and access decisions that impact on them and their lives. Both laws are key tools for democracy and citizen engagement.
And I’m sure all of you in this room will be familiar with GDPR, and the changes it has brought over the past year or so.
A lot of that was the basics to get the law up and running. The new consents. The changes to paperwork. The box ticking.
But now we’re into the law proper, and it offers some real opportunities for access to information.
An interesting area here is subject access requests. This is an area of data protection work that overlaps greatly with Freedom of Information, and some of you in the room may have some responsibility with, or involvement in, your organisation’s subject access responses.
It’s also an area that we find from our casework that many organisations are generally not so good at yet as they could be. Two thirds of the data protection complaints our office looks at are about organisations not handling subject access requests properly - more than any other area of complaint. And what we see when we look into those complaints, more often than not, are information professionals in the subject access teams being held back by poor records management across an organisation. That’s always going to have an impact on FOI requests too, and both are central to providing the type of service that inspires trust and confidence.
If an organisation doesn’t know what information it holds, it can’t properly deal with data breaches, subject access requests or freedom of information requests.
The accountability aspect of the GDPR is crucial here. Accountability means organisations must take a comprehensive view of how they’re documenting, sharing and retaining data. Organisations need to think carefully about every aspect of that data’s journey, recognising that personal data has a value. And if they cannot demonstrate that proper care has been taken, then the ICO can respond with sanctions.
If this an area you’re interested in, I’d urge you to take a look at our current consultation on accountability, which you can find on our website.
This is also relevant in one of the very important examples - going back to my theme of the personal and emotional - we’ve seen at the ICO of why good records management matters.
The Memory - Identity – Rights in Records - Access project or MIRRA for short - is a research project run by University College London that looks to support the rights of care leavers by exploring how children’s social care records have been created, kept, - lost - and used in public and voluntary organisations. It is a project that the ICO has been involved with for a while.
The project demonstrates vividly that these are not dry records, part of a digital file or simply a box of papers, but records of people’s pasts. These records not only shape people’s memories, but help to shape how people see themselves today.
One of the participants in the research study said
‘For the first time in my life, I was free. And it was all because of those records. It was very emotional. It was so important to me … it can put things away so that you can carry on with the rest of your life.’
One of the issues the MIRRA work uncovered was that people’s records were incomplete, both from a data perspective and from a personal perspective.
That doesn’t feel right. It feels like some organisations are not holding enough personal data to fulfil the purpose of why they are holding data at all. It feels like some organisations are not thinking carefully enough about the journey of the data they hold, and recognising that personal data has a value.
Or to put it another way, it doesn’t feel like organisations are being kind enough.
That might sound like an odd term. Not kind enough. ‘Kind’ feels an overly emotional word to be using when we’re discussing public policy and our professional work. And yet as we’ve discussed today, emotion is at the core of so much of our work.
This dichotomy was explored further in Julia Unwin’s fascinating recent Carnegie Trust report on kindness and public policy - what she calls the blind spot in public policy.
The report looked at how the growth of our measured and data driven approach to public policy has brought significant benefits. And it argues that this makes it even more important that we explore how ideas about kindness could lead to fundamental changes - not just in the front line delivery of services, but in the most fundamental ways that we frame public policy debate.
I’d recommend the short publication in its entirety but there are two points in particular I’d like to draw out.
Firstly, it discusses how decades of approaches to the management of public services with an emphasis on outcomes, efficiency, best value and the development of technology and data-driven analysis have shaped our mindsets and the language we use. But also how this risks ignoring some of the fundamentals about what motivates people and why we do what we do, essentially our emotional intelligence. Julia Unwin talks about how we all often use words like balanced, transparent, scrutiny, value for money. I can see from people nodding that these are words we all recognise from our own offices.
There’s nothing wrong with those words, of course, but the report suggests that these words, what Julia calls a ‘rational lexicon’, can often be at odds with what she calls a ‘relational lexicon’. Words like connection, personal change, desire, grief, wellbeing and story- telling. How often do we hear them in our workplaces? She argues that we can all benefit from becoming bilingual and we need both sets of lexicon to frame our thinking about public policy.
It reminds me of the work of Dr Kate Granger MBE. For those of you not familiar with that, she was an NHS doctor, who, terminally ill with cancer, saw the NHS from multiple perspective. She realised that many of the staff looking after her didn’t introduce themselves before delivering her care. She started a campaign to encourage more person-centred, compassionate care, based on a simple premise: that healthcare staff introduce themselves with “Hello, my name is.”
And so, going back to ideas of kindness, and its relevance in this room, if we’re talking access to information, if we’re talking everyday FOI and its role in democracy, if we’re talking about archiving as our gift to the next generation, then surely we’re talking about developing our own emotional intelligence? Can we all become bilingual in how we frame the work we do?
I want to conclude by talking about a second aspect of Julia Unwin’s research, where she talks about kindness in the context of allocating resource to people in need. This, she says, has always been hedged by rules and regulations - perhaps necessarily so, to ensure fairness and good value. But that context of something going from ‘us’ to them’, of making a distinction between those needing help and those providing it. She says: “the provision of care has always been viewed as something done by one part of the population for another. This entirely misleading narrative runs through the history of charity and welfare state.”
When I read that, I immediately thought about freedom of information. Our language of requestors and authorities, our fundamental starting point of should we, the organisation, give this information to them, the outsider.
Maybe we’re getting that wrong. In principle the information we hold as organisations isn’t ours. If we’re a public authority, surely it’s the public’s information? If we’re archivists, we’re curating and recording for the future generations, and for the current one. And if we’re an organisation holding people’s personal data, then the law is clear it remains there to access and manage.
So, thinking about the future, perhaps FOI requests should really be as just one part of the approach? Perhaps we could turn this on its head and rather than principally having a ‘request and provide’ framework, we have a more fundamental duty to provide information that goes beyond current ideas of publication schemes?
If we look back in another 15 years’ time, maybe there is a world of more proactive disclosure, of openness by design, where, with certain necessary safeguards, we have more immediate access to information that digitisation makes eminently possible.
If we want to rebuild trust a change of mindset as well as changes to legislation will be needed. And I know you can all play a leading part in helping to chart ways forward.”