24 August 2015

Haringey Council got themselves into a mustard pickle

Those lovely people at the Campaign for the Freedom of Information have kindly provided some information to Mr Mustard about how Haringey Council should have handled his request.

The CFOI are battling on our behalf to keep FOI free and wide in scope and they need money to do that. Please visit their website and donate to help the cause.

The CFOI also provide training to councils, like Haringey, and perhaps instead of jerking Mr Mustard around, they might like to invest money in high quality training (there is of course the possibility that messing with the mustard is council policy)

 So here is what the experts say:

It actually doesn't matter what legislation you cite in the request, the authority should handle it under the appropriate legislation, whether that be the FOIA, DPA or both. The ICO advises:

Dealing with freedom of information requests for the requester’s personal data.

As mentioned above, a valid SAR may, at first sight, appear to be something else. It is not uncommon, for example, for the request to state that it is a freedom of information (FOI) request. If, in reality, it relates to the requester’s personal data, you must treat it as a subject access request.

If it is clear that the requester is merely asking for their own personal data, but they have cited FOIA, you should do the following:
• Deal with the request as a SAR in the normal way. The requester does not need to make a new request. You may need to ask for payment of any necessary fee or ask the individual to verify their identity.
• If your organisation is a public authority, the requested personal data is, in fact, exempt from disclosure under FOIA or the EIR. Strictly speaking, you should issue a formal refusal notice saying so. In practice, however, we would not expect you to do this if you are dealing with the request as a SAR.
• It is good practice for public authorities to clarify within 20 working days (the time limit for responding to FOI requests) that the request is being dealt with as a SAR under the DPA, and that the 40-day time limit for responding applies.

If the request relates to information that cannot be requested by means of a SAR (eg it includes a request for non-personal information) then, if your organisation is a public authority, you should treat this as two requests: one for the requester’s personal data made under the DPA; and another for the remaining, nonpersonal information made under FOIA. If any of the non-personal information is environmental, you should consider this as a request made under the EIR.

Simple then really. At the start Haringey Council should have just asked for £10 (or waived it as the cost of processing exceeds £10) proof of ID and got on with it. If they had done that, they would not have created a mini blog-fest dedicated to themselves.

Yours frugally

Mr Mustard

No comments:

Post a Comment

I now moderate comments in the light of the Delfi case. Due to the current high incidence of spam I have had to turn word verification on.