Written Evidence from Lynn Wyeth (FOI 09)
The Cabinet Office’s compliance with and implementation of the FOI Act 2000
Personal experience of the Cabinet Office is that they often find as many exemptions as possible to refuse requests. Example of a refusal of a request:
Claims doesn’t hold information as their titles for the campaign have been selected independently by their media planning and buying agency OmniGOV. Uses terminology of ‘The Government’ regularly. e.g. “The Government has negotiated a unique and unprecedented partnership with the newspaper industry, providing essential funding to these much-loved publications.” (Seriously, their words, not mine!) So, chooses to say all departments responsible independently when it suits them, yet can co-ordinate across them easily for the FOI Clearing House or to negotiate deals when it needs to. Complete lack of transparency.
You can see the numbers of requests they refuse here:
The role and operation of the Cabinet Office Freedom of Information Clearing House, including
I fail to see how this can be compliant with UK GDPR and the Data Protection Act 2018. Government departments are different data controllers and sharing personal data like this is covered by the legislation. There should be in place a Data Protection Impact Assessment, a Data Sharing Agreement and a clear Privacy Notice wherever you have details about submitting a FOI request that your data will be shared. The DPIA should identify that the sharing is actually unnecessary. The Cabinet Office, for example, does not need to know if I ask the DfE for some information on schools’ admissions.
I submitted a Subject Access Request to discover if my data had been processed by the Clearing House. They noted on my file that I had produced an article in a FOI journal. None of this was relevant at all to the processing of any of my FoI requests across any departments, and is excessive processing about me.
The lack of transparency with how personal data of requesters has been used is unlawful. The Cabinet Office should be advising other departments of best practice, not breaking the law.
My current PhD research into FOI in local government shows that the majority of local authorities will not even share the name of the requester internally with other council staff that are collating the information, that’s how important it is to respect GDPR principles and the requester blind principle.