Public Audit and Post-legislative Scrutiny Committee

Meeting date: Thursday, March 22, 2018

Official Report 403KB pdf

---

Freedom of Information (Scotland) Act 2002: Post-legislative Scrutiny

Agenda item 2 is consideration of post-legislative scrutiny on the Freedom of Information (Scotland) Act 2002. We previously sought suggestions from stakeholders and members of the public of acts on which we could undertake post-legislative scrutiny. The Freedom of Information (Scotland) Act 2002 is one that was suggested to us.

I welcome our participants today and thank them for coming. I ask that all MSPs and participants introduce themselves briefly before we begin the evidence taking.

I am the deputy convener, and am standing in for Jenny Marra in her absence. I represent the North East Scotland region.

I work for the Scottish Council for Voluntary Organisations, where I head up the policy and research department.

I am the MSP for Airdrie and Shotts.

I am the director of the think tank Common Weal. I am here as a member of the Open Government Partnership.

I am the MSP for East Lothian.

I work for the Scottish Information Commissioner as the head of enforcement.

I am the convener of the Campaign for Freedom of Information in Scotland. We campaigned for FOISA way back in 2000.

I am an MSP for the North East Scotland region.

I am head of policy and information for the Scottish Information Commissioner.

I am the MSP for Kilmarnock and Irvine Valley.

I am the Scottish Information Commissioner.

I am a political adviser for Jeremy Corbyn, but I stress that I am here very much in a personal capacity as someone who has used FOI relentlessly over the past 10 or 11 years as an academic and political researcher.

I have just one thing to say before we start: the panellists need not press their microphone buttons before speaking—our sound technician will make sure that your microphone is on.

The purpose of today’s evidence-taking session is to explore the scope and viability of the committee undertaking post-legislative scrutiny on the 2002 act. We are keen to understand how post-legislative scrutiny could add value to the act before deciding what action to take. We are also interested to hear from Daren Fitzhenry, the Scottish Information Commissioner, on the work that his office will be taking forward.

We want the discussion to be free flowing. You are welcome to ask questions of each other rather than just respond to questions from the committee. However, we still want some structure, so I would be grateful if you would indicate to me or the clerks when you want to contribute. As I have said, your microphones will be activated when you speak, so there is no need for you to touch them.

The first question is open to all to answer. What are your views on the effectiveness of the 2002 act in meeting its intended policy objectives?

It is important that, even before we start answering questions, the delegation that the committee has invited from the open government network state who we are. The three or four people from the network who are here today were decided on by the network through an open process. We openly indicated why we wanted to give evidence, and that information was shared with the network of about 300 people.

I want it to be absolutely clear that the open government network is not a corporate body or an organisation. Therefore, although we are members of the network, we do not represent it. We represent a variety of perspectives on freedom of information, and the issue that unites us is that we all want to see post-legislative scrutiny of the Freedom of Information (Scotland) Act 2002. To answer the question, I will highlight a few issues that have been raised by open government network members.

A key issue for many of us is the growing concern about the application of freedom of information legislation by public authorities, particularly—but not exclusively—the Scottish Government. We are extremely concerned by the increasingly systematic practice of not minuting meetings that are held by Scottish ministers. That undermines representative democracy.

Concerns have also been raised that the unnecessary secrecy in Government will undermine our ambition that Scotland be an open government pioneer. I hope that many of you know that Scotland is an open government pioneer within the Open Government Partnership internationally. That means that Scotland has direct visibility on the global stage as an innovator in open government. Therefore, getting the basics right on freedom of information is critical to keeping that credibility going. The SCVO has a lot invested in joint work with the Scottish Government on the action planning process for open government—freedom of information is absolutely core to that.

A lot of what prompted this track of conversations was the last year’s letter from a number of journalists to Parliament claiming widespread failures to comply with laws on supply of information that is held by public bodies. That is extremely concerning for many of us.

We also noted the strong concern about the fact that although Parliament agreed back in June 2017 to inquire into the Freedom of Information Scotland Act 2002, we are still being asked to make the case for that.

We note from the record of correspondence that there has been quite a lot of—I will put it strongly, because I need to—buck passing since June about who will do what and when. People are waiting for one another to act, particularly within Parliament, between Parliament and the Government and with the Scottish Information Commissioner. That is a concern to us. We thought that, by now, post-legislative scrutiny would have been initiated.

Finally, the founding principles of the Scottish Parliament set out specifically that the Parliament should be an exemplar of openness and transparency. A robust and trusted freedom of information process is absolutely core to Parliament’s function and, of course, to our democracy.

Ruchir Shah or anyone else might want to answer my next question. Has the 2002 act been effective in achieving its intended policy objectives?

First, we welcome the opportunity to give evidence in public and we applaud the decision of the committee to give us that opportunity.

I reiterate what Ruchir Shah said. We had anticipated that post-legislative scrutiny would by now have been launched, and would have received a broad range of submissions about the problems with FOISA.

On the specific question, we have a number of concerns. We are concerned that FOISA remains limited in its scope. When the legislation was first debated, when it was passed in 2002 and when it was implemented in 2005, Twitter and WhatsApp had not been devised, developed or implemented. The whole information regime and how people communicate are now quite different. Therefore, we are concerned about whether FOISA fulfils its purpose, so that we can capture the information that informs decision making in Government and in public authorities.

We are concerned that promises that were made in 2002 at stage 3 that housing associations and registered social landlords would soon be incorporated into FOISA have still not been delivered. The latest date that we have been given for that is April 2019, which remains a source of considerable surprise.

We are concerned about the numerous examples of the establishment of arm’s-length external organisations that seem to operate outwith FOISA. That changes people’s ability to source information about how decisions are made. It is really interesting that we are still not clear about how many ALEOs there are in Scotland. Audit Scotland was in a position some years ago to say that 34 major ALEOs existed, but it could not tell us exactly how many. We can compare that with the Scottish Housing Regulator, which, after we made a freedom of information request last year, was able very promptly to tell us that there are nearly 150 RSL subsidiaries. That is why we were very appreciative of RSL subsidiaries being included in the consultation that the Scottish Government launched last year. We believe that the subsidiaries as well as the RSLs should be covered by FOISA.

We are firmly of the view that there has been an insular approach to the debate on FOISA so far. We should have a much more expansive view about how other countries deliver their access-to-information rights. There is a lot to learn out there—more than 100 countries have FOI laws. Sweden, for example, has had such laws since 1766. We particularly like the idea that public bodies should hold an index of information, which could inspire people to make an FOI request.

We expected FOISA to be about the public being able to assert and enforce its right to access information but, in parallel, we expected that there would be proactive publication of information that would prevent the need for individual FOI requests. Perhaps we could change FOISA so that proactive publication of information is required, so that the whole process is more efficient.

Given that one of the founding principles of the Scottish Parliament is about the European human rights framework as well as the international human rights framework, we think that there is a lot to learn from international human rights law. Article 10 of the European convention on human rights mentions the jurisprudence of the European Court of Human Rights in that regard. There is also article 19 of the International Covenant on Civil and Political Rights and the guidance and general comments from the United Nations on how that right should be implemented.

We have specific concerns about the insular discussion that we are having in Scotland: we want to be far more ambitious. We urge the committee to conduct the post-legislative scrutiny because, nine months later, it seems that we still have to win that argument, which is a bit of a disappointment.

10:15  

I am interested in the contrast between Ruchir Shah’s opening comments and Carole Ewart’s. Sadly, I was there when the promises were made in 2002 and I remember them.

Over the years, the major criticism of FOISA has been its scope—in other words, the bodies that it captures. There has been a debate and some change, although it has been slow, in relation to housing associations—Carole Ewart is right about that. There is a continuing debate about arm’s-length bodies and there is a debate about whether other bodies are public bodies and should be caught by the act.

In the past, suggestions on improving the FOISA regime have tended to be about broadening its scope. However, latterly the criticisms have been much more of the type to which Ruchir Shah alluded: they have concerned systematic attempts to avoid compliance with the regime, whether by not minuting meetings, using new technologies such as WhatsApp to communicate in the belief that they are not caught by the act or using particular regimes of treatment for journalist inquiries. Only this week, we have seen guidance that includes the suggestion that emails should be deliberately deleted to avoid them being FOI-ed.

If we are considering where the 2002 act is weak, is failing or needs to be strengthened, what is the priority? Is it the scope of the act or the culture of compliance or non-compliance with the legislation that we have? Which is the problem now?

Iain Gray has just summarised the fact that there are quite a few problems with FOISA, which prompts me to say again that post-legislative scrutiny is essential. In this forum, it is difficult to capture all the problems. There is an issue with designation and a need to be more ambitious about what FOISA should be able to do, but there is also an issue with practice.

The practice is not only about the culture; it is also about whether FOISA is fit for purpose in terms of punishing people who deliberately seek to avoid keeping, or making in the first place, records that might be the subject of FOI requests. There should also be more proactive publication of information to show a culture of openness and transparency. The public should not be feart: the Parliament was established to be open, accessible and accountable.

I am interested to know whether the Scottish Information Commissioner thinks that, in recent years, there has been an increase in systematic avoidance of being caught by FOISA. It seems to be more of a problem now than it was in the early years of the act.

Perhaps it would be helpful if I set the context and respond to the initial question, which was whether I view FOISA as being effective.

I am sorry, Daren, but Tommy Kane wants to come in on that point. If he comes in now, we will come back to you.

There are two issues: the application of the law as it stands now, and whether we should extend the law. They are two different questions, and both merit post-legislative scrutiny, so I agree with Carole Ewart.

To answer the question whether the act works, I have received some really good stuff back from FOI requests that, as a researcher, fills me with great joy, that I can share with people and that holds the Government to account. It is the same for any regular user of the FOI regime so, on occasion, it does work. Let us not say that it is all wrong. There are elements of it from which I, as a researcher, get a benefit. However, it is clear that there are increasing concerns that the regime is not working or that it is being circumvented by public authorities—specifically, or increasingly, the Scottish Government. There are concerns that the Scottish Government and other public authorities are circumventing it through delays, increasing redactions and tenuous use of exemptions.

Let us take for example the £600 threshold. There is never any explanation of how cost is calculated. No researcher gets that information. Another point on that is that the 2002 act set the threshold at £600 but, in 2018 values, £600 is £825. The Scottish Government was asked whether it intends to increase that threshold to reflect modern values and the answer was no.

Finally, the most important concern that people have is that the Scottish Government is no longer taking minutes of meetings, as was highlighted in the letter from 23 journalists last year; others have also highlighted that point. The Government seems to have a systematic and routine practice of not taking minutes of meetings, including important meetings.

I submitted several FOI requests that got me the same result, but a specific one speaks volumes. It concerned meetings between John Swinney as finance minister and Sir Angus Grossart, then chairman of the Scottish Futures Trust, which was in charge of delivering capital investment projects in Scotland—a not insignificant undertaking. They met seven times between 2011 and 2015, and no minutes were taken.

How will researchers such as me or, most important, the public be able to see not only the decisions that are made but how they are arrived at—who is influencing the decisions and what factors are influencing them? This is not just the world of technocratic geeks and people in the research and media community. These decisions will affect every one of us, and the systematic and routine practice of not minuting meetings is extremely concerning.

That is an interesting point. We will look later at whether that is a failure of the act or a practice and procedure point.

It is now about 13 years since the act came into force, so we have a well-embedded system to look at. There is no doubt that the system has brought about positive change in the relationship between the public and Scottish public authorities. The public know that they have a freedom of information right—the number with that knowledge is now at about 85 per cent, which is the highest level that we have had.

Scottish public authorities report that they have received in the region of 75,000 information requests this year. Most of those requests—in the region of 74 per cent, based on last financial year’s figures—will receive some or all of the information that they ask for. Appeal rates to my office are generally low, at less than 1 per cent. In the past year, 73 per cent of the appeals that came to my office resulted in at least partial success for the person looking for the information.

Thus, we have a system that is known about, is actively used by a lot of people and results in a lot of information going out. It is important to set that context. We are not dealing with a system that is not delivering. The system is delivering. Is that delivery consistent? Is it always perfect, or good? No.

There are obviously differences in performance between authorities, and within authorities there are differences between departments, and differences depending on what is being looked for. Is there something that can be improved in the system? I have no doubt that there is. Would it be useful to have a review of the system? I think that it certainly would be.

We have a system that has been in place for a long time. We had an amendment act in 2013, but it was not a full review of the system. If, because it is working quite well, we decide to stick with it and do not look at the criticisms that are being levied or seek to improve it, it will get worse and out of touch. As the regulator of that system, that is certainly not a position that I would like it to get into. Where concerns are being raised, let us look at them and deal with them.

We have to have a division between criticism of the system per se—the structural problems with it—the legislation as is and the issues of compliance with the legislation, although there can be some read across.

Interest has been expressed in hearing about what we are doing about criticisms of the Scottish Government’s performance. I am not sure whether now would be a good time for me to explain what we are doing on that and to give an assessment of whether we feel that the tools that we have in our toolkit are sufficient to deal with the matter or whether there are areas that would benefit from another look.

The committee intends to ask specific questions about that later. If we get towards the end and no one has asked those questions, by all means jump back in.

Does Iain Gray have further comments?

I am still interested in the question of what has happened over time. I know that Daren Fitzhenry has not been in post for very long, but his office will have an institutional memory. Tommy Kane’s evidence implied that, as far as non-compliance, or the avoidance of compliance, is concerned, things are getting worse. Daren Fitzhenry said that if his office did nothing we would end up with an act that is not working at all, which rather implies that, in public authorities, ways in which FOISA can be avoided are being learned and applied more widely—or perhaps the issue is to do with technological change. I am still interested in the question whether the situation has got worse. Have public authorities got better, or have they deliberately developed strategies to avoid releasing information under FOISA? Is it fair to say that you were implying that, Tommy?

It is fair, but I should clarify the point. Increasingly, it seems that public authorities could be applying a two-tier system in resisting requests that are from people who are seen as politically problematic and which might result in contentious or controversial information coming into the public domain. Where red lines are shot across the Government, when political researchers or journalists submit FOI requests in areas that might be problematic for the Government, there is a concern that there might then be attempts, by various means, to circumvent the provision of such information.

I ask Daren Fitzhenry whether his office feels the situation has got worse over time.

Performance has varied over the years. In the early days, there was suspicion about the 2002 act, and it took time for the legislation to bed in. However, over the years, the freedom of information regime has become more accepted and has been viewed less with suspicion and more as being a good thing. We have had time to explain its benefits not just to the public but to organisations themselves.

That is not to say that, in certain cases, organisations will not play with a straight bat, or that—particularly if the requests are for very awkward bits of information—we will not have situations in which people might try to play the system. We must bear in mind that we are in a context in which there is an ever-increasing number of requests, so the level of demand on public authorities is higher than it has ever been. However, much of the difficulty relates to enforcement, and if there is a concern, an appeal can be put in and we can deal with it.

With regard to wider-ranging worries—

But you can only deal with that concern if the information exists.

Yes—in relation to the recording of the information.

If a meeting has not been recorded, you cannot deal with it.

At the moment, our system is based on information that exists and the provision of information that is held. In the past, we have had a number of cases in which we have been surprised by a lack of records management or a lack of information. In such cases, comment has been passed about the fact that the information was not there but, in the legislation as it is, we do not have powers to enforce the creation of minutes.

I am very interested in engagement and in intelligence—in finding out how FOISA is actually working. I want to bring two points to the committee’s attention.

First, the Scottish Government published six FOI principles, one of which was about engaging with stakeholders. One vehicle for delivering that was something that morphed from various guises into the Scottish public information forum.

10:30  

When SPIF was introduced many years ago—probably in around 2005 or 2006—it was a really interesting vehicle for getting around one table the duty bearers and the people who held the information to engage with the Government, the regulator and requesters. It went along quite happily until 2010, but was then allowed to fall into abeyance. There was a promise that it would be a virtual forum, but that was not delivered. With a grant from Unison Scotland in May 2017, the Campaign for Freedom of Information in Scotland resuscitated it. Since then, we have had three very successful meetings. In such meetings, there are opportunities to learn about the problems but also to be inspired by good practice.

It is important to pick up the point that the commissioner and Tommy Kane have made. Not everybody is bad at delivering under FOISA. There is some really good practice out there. SPIF provides an opportunity to hear about that, to be inspired by it and to learn from it. We hope that the committee embarks on post-legislative scrutiny, and we offer up SPIF as a way to engage. Its next meeting will be in Dundee on 28 September, which is international right to know day. There is, therefore, a vehicle for broader engagement.

My second point goes back to minutes of meetings. There seems to be a trend. I have been around for so long that I have seen many minutes created, and it is a surprise to me that there are not as many minutes around now. In January, the Campaign for Freedom of Information in Scotland launched a get it minuted campaign. We are delighted that there is support for that campaign from Unison Scotland, the Scottish Council on Deafness, the Jimmy Reid Foundation, the National Union of Journalists and others. The public are encouraged to ask for minutes, agendas and reports. I hope that that campaign will throw up more examples of minutes that were previously taken but which are no longer taken. That will help to inform people about how decisions are reached and what business is being discussed.

I was going to say that I hope that we get a perspective from the commissioner on where we are with some of those issues, but I do not think that it is appropriate for the committee to investigate them—you may think differently, convener.

In general, on complaints about the 2002 act and whether minutes exist or not, does the 2002 act place a duty on authorities to generate data and minutes, or is the issue that there is no such duty and that people would like there to be one? If so, perhaps that is just a failure of the act rather than anything else. Perhaps we should focus on that in our future discussions. Given that we have decided to get into that issue, will the commissioner confirm the position? I presume that the commissioner is looking at that issue.

It is indeed the case that the legislation contains no duty to minute meetings or to create information. It deals with the provision of information that is held by authorities. That is the current situation.

There are other policies, rather than pieces of legislation—the ministerial code, for example—that may provide an obligation to minute certain meetings. The issue is whether that approach goes far enough and whether there is enough accountability, or whether a more structured system is preferred—one that is based on statute, perhaps with statutory guidance, as exists in certain parts of Canada. It is important to have a debate about that.

I am particularly concerned about the legislation having a chilling effect, with people deliberately avoiding taking minutes in order to avoid being caught by the regime as they know that the information would be sent out. There are very useful comments in the papers that are before the committee, which show the difficulty in proving such a chilling effect. However, there are certainly circumstances in which it would be beneficial to have information that currently does not exist. Whether that should form part of freedom of information legislation or some other legislation is another issue. The matter does not fall squarely within my bailiwick. Whether it falls within the bailiwick of the keeper of the records of Scotland or another organisation would have to be looked at in considering any legislation in the area.

Thank you for clarifying that issue, commissioner. I am surprised that it has taken us 13 years to arrive at the point at which we are suddenly complaining that minutes are not taken for certain meetings. You would imagine that that is true of a number of organisations, but this morning we all seem to be mentioning the Scottish Government and no others in that regard.

Is there a lack of clarity about what information should be made publicly available? People are calling for the minutes of meetings, but should we be seeking to have more information on the public record?

This is not a recent phenomenon. Kevin Dunion said that the biggest concern that he and others had was about attempts to avoid sharing information by not creating information in the first place. He stated:

“there has to be some record of the substantive process by which a decision is arrived at—the options that were considered and the reasons why a decision was carried into effect.”—[Official Report, Justice Committee, 10 January 2012; c 821.]

When did the act come in?

In 2002.

On record keeping, the Public Records (Scotland) Act 2011 influences how public authorities should keep information. The Scottish Government records management policy states:

“The Scottish Government recognises that its records are an important public asset and are a key resource in the effective operation, policy making and accountability of the Scottish Government.”

It goes on to say:

“The aim of this policy is to define a framework for managing the Scottish Government’s records to ensure”—

among other things—

“that we ... Create and capture accurate, authentic and reliable records”.

If you are not keeping notes and minutes of meetings, is that consistent with your own policy? It is not just the Scottish Government that is doing that—there are other examples of bad practice. When Kevin Dunion was before the Justice Committee in 2012, he raised the issue of the Water Industry Commission for Scotland, which was destroying diaries and routinely deleting information. I know that because I was the one who submitted those FOI requests.

We have rules on how we create minutes and record information.

I suggest that you think of this as a pyramid. At the top of the pyramid is the issue of not taking minutes, particularly of ministerial meetings. It is not only Scotland that faces that issue; last week, there was a furore in Northern Ireland after comments were made by the head of the civil service.

Yes, minutes are key, but if we just look at that issue we will completely fail in reviewing the legislation. I have had concerns raised about the national health service overusing and abusing confidentiality clauses to prevent access to information, local councils using stalling tactics by using the full time allowance under FOISA to frustrate the process, and public bodies releasing lots of information in one go so that the important bits of information are buried.

If we just tackle the lack of minute taking, we will not allay those concerns or build trust in the system; such action must be part of a wider effort. Although minute taking is at the top of the pyramid, a whole range of other issues lie beneath it.

This is an enormous issue that the entire public realm across the world is coming to terms with. We are in an era of mass data and the mass collection and sharing of personal data, and people expect large amounts of knowledge. A whole range of issues in and around that must be addressed, including how public authorities use the data of individuals, how they are allowed to access it, and what the relationship is between the right to know and the right to have a degree of internal secrecy. How decisions are arrived at is an enormous agenda.

We have published work on how to publish much better information in the first place. The UK Statistics Authority is putting out much more usable information, with an assumption that it will provide information in that way.

All that is true, but once the committee gets into its inquiry, I expect that you will discover quite a number of other loose threads that will need to be pulled. That is the change that is happening in this era.

However, there are specific issues with the 2002 act. It cannot capture everything. It cannot do everything or, if you wanted it to, you would need to adapt it substantially for it to become a statement of expected record keeping, which it is not currently. However, the fact that freedom of information is a big job with a lot of aspects that are changing quite quickly because of the nature of technology and public expectation should not be used as a reason not to fix that bit of the regime because there are problems with it.

People will always try to avoid transparency. I was on the other side of FOI with a public agency. Of course there were meetings in which people said, “We should probably not minute this. These are FOI-able minutes.” It is normal. People have those conversations all the time. It is natural behaviour, which is why we have to keep reviewing and revising as we go along.

You have heard a number of bugbears about the current legislation. There are lots of them. My personal bugbear relates to commercial confidentiality. I accept a degree of commercial confidentiality during the tendering and immediate post-tendering period for public contracts that go to private companies. However, it is a nonsense that a contract is still commercially confidential and cannot be FOI-ed 10 years after it has been completed. That is counter-productive to investigating some of the financing deals that have been quite scandalous in Scotland. There are lots of examples of that.

As data has become more open, as social media have grown and as the internet has created the gotcha culture of people finding pieces of information and rapidly sharing them for the purposes of political embarrassment, people have become more closed in. They have tried not to get caught out in those gotcha moments more and it is a universal problem. That needs to be considered but it would put too much weight on the post-legislative scrutiny of the act to try to capture everything with it.

Therefore, first of all, we should say that the FOI legislation has exemptions that are overused and should be tidied up, that there are areas that it does not get to touch, and that there are agencies that ought to be covered but are not. As you carry out the inquiry, I suspect that you will find that a number of issues come up that are outside the direct remit of the 2002 act but that you might wish to flag up, such as practice in data management.

A big change is happening in public expectation of Government and what the public expects to know about Government. It is a function of large data, the internet and the much greater ability of an individual citizen to go and poke around themselves. It can be done on the internet now. People do not have to go and sit in a records library or conduct a three-month postal campaign to try to get information. That is changing externally anyway and it will have an impact on the Parliament.

My advice is to note and accept that. That will come up. However, it is 12-plus years since the act was fully in place. It is time to review it because it is not quite right. Review it and, as part of the process, I think that you will come up with recommendations for other measures that the Parliament might wish to consider for how it becomes an open, data-accessible Parliament.

I will take a different focus and ask the witnesses what parts of the 2002 act work or, even, work well.

One of the best bits is that it is applicant blind. It does not matter whether you are a journalist or a community activist, or whether you live in Fife, Stornoway or Canada, you can make a freedom of information request. That is really important. Whether that is how it is delivered is a different matter. It is also good that someone should be able to email as well as write a letter.

It is also simple. It does not work well in a number of regards but the key point is the simplicity of the process and the fact that the right is enforceable. The right does not mean anything; the enforcement makes the difference. The ability to enforce the information request means that people can receive free guidance from the office of the Scottish Information Commissioner, which publishes loads of information materials. That is why we have had hundreds of decisions. It is a free, accessible, simple process. A number of people have found the process overly legalistic and said that it could be improved but it is simple and free.

For many of us, it is critical that the legislation should be based on human rights. The approach should not be about responsibilities and saying, “Okay, you can have this information if you tell us exactly how you are going to use it and you can make a strong case for it.” There should be none of that. The system is unconditional, which means that it is rights based. That is a very important development. The more of our legislation that is rights based, the better our society will be—and the 2002 act is a good example of that.

10:45  

I want to highlight the fact that we are here looking for enhancement. Let us not forget how transformational the 2002 act was and what the position was like beforehand, when people did not have the right to information. I am here to sing the praises of the Freedom of Information (Scotland) Act 2002. Despite its flaws and the things in it that could be improved, the act will be seen as the first stage in a transformational process that has changed the public’s relationship with Parliament. It has been absolutely crucial in uncovering examples of bad governance, mistakes that have been made and—on one or two occasions—what appears to have been corruption. Some points have also enhanced future policy development.

The act has been a wonderful thing despite the fact that it has not been firing at full pace and is not quite what it could be because of the bits and pieces that are not in it. When we have an inquiry, the problem is that we end up moaning about the bad bits and we are in danger of forgetting just how transformational the principle of freedom of information was. I want to sing the praises of that principle and to criticise organisations that have lobbied for its reversal and the removal of freedom of information from their public authority area, which is a regressive step.

We can make freedom of information better still. I am genuinely of the view that the Scottish Parliament could be an exemplar of absolutely first-rate participatory open government. At the heart of that is the Freedom of Information (Scotland) Act 2002, which has been transformational in the Government’s relationship with the public and their right to know what is done in their name. If we can improve the act just a bit, it will improve that case and the public attitude.

However, that is not enough. The 2002 act was a great solution for the post-millennial era, but we need other solutions for the post-Facebook era. Let us get it right. Let us review the legislation and improve it as best we can. Then we can start to look at how we can live up to the founding principle of the Parliament as being a people’s Parliament, which is about people’s right to be represented as citizens.

I am glad that I asked that question. I had been getting a bit depressed up to that point.

I echo Carole Ewart’s comments and, to an extent, Robin McAlpine’s. Robin suggested that the act could be improved “a bit”, but I think that it could be improved quite considerably, and that must be done if we are to uphold its principles. Post-legislative scrutiny is fundamentally necessary to ensure that those principles are upheld.

Carole Ewart and others have outlined improvements and specified areas in which they would like to see them. In my view, the fact that Tony Blair thinks that the parallel legislation down south was his greatest mistake makes it a raving success—but that is another matter.

Is there consensus on the reforms that are required among the people who are at the table this morning and the campaigning groups? Carole Ewart, you listed the areas that need to be improved, such as the act’s scope and indexation and, in passing, you mentioned social media such as Twitter and Facebook. In addition to what people put up publicly, social media can be used to send private messages. These days, Government, local government and government bodies all use such media privately as well as their publicly accessible elements. Do you have an agenda for what a new FOI reform bill might do? That would be a good starting point.

For us, it seems that we still need to win the argument that there should be post-legislative scrutiny, and, as I said, that that is what we want.

Given that we are the Public Audit and Post-legislative Scrutiny Committee, you can take from the fact that you are here today and we are having this discussion that we have accepted the principle that there is a need for such scrutiny of the bill. We have to have a discussion about how we go about that process and make sure that it is comprehensive and so on. Ultimately, if the Government does not want to do anything, the committee has the right to draft its own bill.

Absolutely. We have won the argument about the need for post-legislative scrutiny, and it is right and proper that the committee and the Parliament should embark on the two inquiries that were unanimously agreed to in the motion on 21 June 2017. We have produced draft terms of reference, which I will be happy to share with the committee at the end of the meeting.

The interrelationship between FOISA and other legislation is pretty important. We are a small campaigning organisation with very limited resources, but we have come up with a big list of things that we reckon should be included in the reform analysis. With regard to FOISA’s interrelationship with other legislation, Alex Neil will know very well from all his experience in human rights that the right to privacy is incorporated under the European convention on human rights. It is a founding principle of the Scottish Parliament that all legislation should be ECHR compliant. Article 8 is on the right to respect for private and family life, so private WhatsApp messages and emails remain private, of course, but we know from case law and the general data protection regulation that such private vehicles sometimes contain matters of public interest or official business. We know from what happened to Hillary Clinton that the use of a private server to deal with national security or public information issues means that privacy no longer applies.

Such interrelationships need to be examined in the post-legislative scrutiny process, as does the business and human rights agenda. Robin McAlpine rightly asked why we do not have access to big public sector contracts or meetings at which such contracts are decided. There is also FOISA’s interrelationship with key pieces of legislation that people can point to if they are given the opportunity to give evidence. The inquiry needs to be opened up, and submissions should be invited from rights holders as well as the designated bodies.

One of our concerns is the fact that FOISA took a very narrow approach to designation. The Human Rights Act 1998 applies to public bodies and those organisations that deliver services of a public nature. If that approach had been adopted in FOISA, RSLs would have been covered from day 1. RSLs have been judged to be covered by the Human Rights Act 1998 because some of their functions involve the delivery of public services.

There needs to be a review of the interrelationship between FOISA and other legislation, and key structural issues need to be considered, as well as the practical implementation.

I agree with much, if not all, of what of you said, but some of the reforms to which you refer, such as reform of the telecommunications legislation vis-à-vis apps and so on, and reform of data protection, are reserved matters. When we discuss how to progress our work, my view is that we should identify what changes need to be made and, regardless of whether it is a reserved matter, we should still press for those changes. We should not constrain the scope of our work to devolved aspects of the issue. As a Parliament, we should list all the areas in which reform is required. Whether an issue falls within legislative competence here or legislative competence down in Westminster should not hold us back from saying what is required.

I will bring in Robin McAlpine, after which Willie Coffey will take us down a slightly different but very important route. As we are getting a wee bit short of time, I ask everyone to keep their answers fairly brief, if possible.

I will be brief, but what I will say is that if you want a very long meeting, you should ask social campaigners for a wish list. We would be here for another couple of days.

You could take a minute of your discussion and we could look at it.

From conversations that I have had, my observation would be that if a scatter graph were put together, showing what the various organisations are asking for, it would be more compact than you might think. Quite a lot of different things are being asked for by different people, but the list is not endless, and the range of the scatter graph would not be enormous.

It is right that we identify the problem, but not all of it will be solved by the act or necessarily by the Parliament. We will probably end up thinking, “These are the things that we can do within the act; here are things that should be looked at that lie in other Scottish acts; and here are things that might be looked at but which lie outwith this Parliament’s competence.” As for whether we can pull together a list of possibilities, that work has not been done cross-organisationally. I know that some work, particularly Carole Ewart’s work, has been done within an organisation, but we have not pulled that work together collectively across organisations.

I am really interested in what people have said. It sounds to me that the issue is more about corporate data management and expectations in that respect in this day and age. Robin McAlpine alluded to some of the different mediums that we work in now. Do we deal with just the written word on paper? No—it goes much wider than that. Information exists in a variety of forms, and some of the issues that have been raised are perhaps about corporate data management rather than the failings of the act. Whether we improve the act and include those issues is another argument for another day.

We will soon sign up in order to comply with the European Union’s general data protection regulation, which comes into force in May. How will that impact on the act? Will it make the act even tighter and make it much more difficult to access the kind of information that you are looking for at the moment, or will it open up the act a bit more?

I will pick this up very quickly, because it is an enormously complex area in which we have quite a lot of interest. The new data legislation is particularly strong and important with regard to an individual’s relationship to their own data. Indeed, the regulation’s main transformational aspect is that it gives an individual the right to decide how their data is used and shared.

The Parliament should now take a radically different view about how we manage data. We should move to a person-centred data approach. We should start to ensure that all public data on a person is assembled in a single place over which they have control and to which they have access. That is the way in which the European legislation is pointing, and it is the way in which we should go.

It is also important to reassure people about how their data is used in public. The Facebook and Cambridge Analytica scandal this week lies outwith the FOI issues, but it goes in parallel with them. There is some read-across, in that the right to aggregate an individual’s data might require their permission in certain circumstances; however, if we cannot identify an individual, we can still mass aggregate data.

I do not think that there is any particular reason why the GDPR should change the FOI issues that the committee is looking at, certainly not in terms of scope. It should not have any relationship to some of the exclusions—particularly commercial confidentiality exclusions—that I think should be removed from the 2002 act, and the GDPR should not have any impact on extending the act to designate things as new public authorities.

I urge the Scottish Parliament to look at the meaning of the GDPR, to comply with it and to really absorb what it means, because it is about something greater than the relationship between citizen and data. It should have some impact on FOI, but I do not think that the main reforms that most people would be likely to identify in the 2002 act should be greatly compromised by the European regulation, which is very much about personal data and an individual’s right for their data to be used in what they see as their interests. For example, an individual’s health data should not be shared with private pharmaceutical companies without their permission. Therefore, the GDPR should not be too much of an inhibitor on the FOI review.

Sarah Hutchison is head of policy and information at the office of the Scottish Information Commissioner. Do you have anything to say on that particular question?

My colleague, Margaret Keyse, is the expert on the matter. We anticipate some impact as the GDPR is a change, but we hope that the change will not be as great as we might be anticipating. Margaret will be able to say something quickly about the issue.

11:00  

I would simply underline what Robin McAlpine has said: we do not think that there is going to be a huge change in the relationship between freedom of information and personal data once the general data protection regulation and the Data Protection Bill come into force in May. It is a big concern to us that between 25 and 33 per cent of our cases involve looking at whether personal data should be disclosed under freedom of information rules, but we have had contact with Westminster and, thankfully, the changes that will be made to the Freedom of Information Act 2000 as a result of the general data protection regulation will keep things basically as they are.

I am not suggesting that the Scottish Information Commissioner should be able to fine people, but one area that I have an issue with is the fact that any public authorities responding to requests for personal information under freedom of information could, if they get it wrong, be faced with huge fines from the United Kingdom Information Commissioner’s Office, whereas the commissioner in Scotland does not have the right to fine under freedom of information. It will be interesting to see whether, despite the legislation’s being okay, the fear of fines will have a different sort of chilling effect, or whether it is something that we can work through in guidance and decisions as the years—or, I hope, the months—go by.

The general data protection regulation is about personal data. That specific issue relates to corporate data management, but the issues that we are discussing here are not about personal data. Of course, it might involve some more redactions in FOI releases and so on, but what we really need to guard against is any institution using the GDPR rules as a kind of cover for not progressing with FOI. I see the issue that way round.

Surely we are looking at personal data as well. We are looking at data and information, whether personal, corporate or otherwise.

No, there are distinctions between them.

But surely we are interested in all of it, and FOI covers personal data, does it not?

On Willie Coffey’s original point, which was not so much about the European regulation but about his assessment of our concerns as a data-recording issue, I think that it actually goes a bit deeper than that, and we need to go back to the journalists’ letter as well as to other evidence that has emerged. The concerns are about political interference in FOI, delays, non-responses, quite serious redactions and tenuous use of exemptions, and those serious concerns are in addition to any concerns that we have around non-minuting or not recording meetings. That applies not just to the Scottish Government but to all public authorities, and I want to make it abundantly clear that those are the concerns that people have. I was glad to hear Alex Neil saying that it has been accepted that those concerns should provoke post-legislative scrutiny.

One of the advantages of the GDPR is that it has put a clear focus on records management by various public authorities. We hope that there will be an improvement in their management processes, and a clearer understanding of what they hold, how they hold it and why they hold it. We might see a benefit in their general procedures and therefore in their ability to access information quicker when we look at freedom of information.

As for wider practice, there is a distinction to be drawn. A number of criticisms are based on the application of the current act and are issues of enforcement, and I am actively examining some of those at the moment in relation to intervention using my enforcement procedures. You should bear in mind that not all of those things will have a primary legislation fix; some of them are down to sheer enforcement and whether the tools in the toolkit are sufficient for that purpose. That is not to say that they must be taken into account when we have post-legislative scrutiny, but when you enter into that scrutiny phase, it is important to be able to distinguish between things that can be fixed by legislation and things that are ultimately a matter of practice and enforcement.

You are, in your capacity as Scottish Information Commissioner, about to undertake some work in that area, and you have said in your letter to the committee that you are confident that there will be no duplication of the committee’s work if it does post-legislative scrutiny. Can you explain briefly the work that you will be undertaking and why you are confident that there will be no duplication?

Two current interventions on the Scottish Government’s freedom of information performance are under way. The first, which relates to time delays in providing information under the act, started in January 2017, while the second, which is wider in scope, is about freedom of information performance as informed by the journalists’ letter last year and the parliamentary debate on 21 June 2017.

When I came into post, serious concerns had been raised, and we determined that it was important to look at them in the round and to proceed with an intervention, which is an enforcement process available to me under the current powers. In the assessment phase—the first of two key phases of the intervention—we are turning anecdote into proper evidence and hard fact by asking for concrete examples of allegations, and we are looking at the Government’s freedom of information tracker to identify other cases as representative samples for objectivity in the process and to ensure that we have a good, fair and objective understanding of the issues when we assess what the problems are. At the end of this first phase, we will determine what the problems are, why there are problems and what is causing them. In the second phase, we will consider how to fix the problems—in other words, what needs to be done to stop any identified bad practice from happening—and make recommendations about changes in the process.

Before you deal with the duplication question, can you tell us whether you have timescales for that work?

The assessment for identifying what is wrong and the recommendations about remedies will be ready by the end of May.

On the question of duplication, how confident can we be that the committee will not, perhaps inadvertently, stray into territory that you are already examining?

The focus of the intervention is compliance with the existing law. In other words, we are asking: is the Scottish Government complying with the 2002 act and with good practice as contained in the codes of practice? The intervention does not look at what the law should be; if any wider evidence of good or bad practice comes out of it, it will be judged against current legislation. The focus is on recommending not changes to legislation but actions to ensure compliance with current legislation under existing powers.

I understand. Do you have any idea when the intervention might be completed? Alex Neil has just asked me to ask that important question.

That is more difficult to answer. During the assessment phase, we are looking at what is wrong and the recommendations that can remedy the situation. The next phase will depend on how deep the problems that we have found are, what the recommendations are and how long they will take to implement. We would also expect a monitoring phase. We do not want simply to make recommendations and then to walk away from the issue; we will monitor whether the recommendations have been implemented and, if not, look at whether further enforcement action is required. We will also monitor whether we have had the expected benefits from the changes in order to get continuous improvement.

Roughly when will you make the recommendations?

I am sorry—can you repeat that?

What is your ballpark timetable for your recommendations?

The recommendations should be available by the end of May or at the end of the assessment phase. We will tie that up by showing what we think is wrong and how we see its being remedied.

On the question of duplication, we are not convinced that there will be any at all. When we corresponded with the commissioner in January, we asked him to make an open invitation for submissions to inform the enforcement action on the Scottish Government. However, he said no, because his intervention was in response to the journalists’ letter. The major difference with an open inquiry is that it would be not reactive but proactive.

We are concerned and embarrassed about the Scottish Government being subject to two enforcement actions—after all, we believe that it should be leading from the front—but we are also concerned about the impact on the work of the Scottish Information Commissioner’s office. More than 10,000 bodies are covered by FOISA. Given the huge amount of work that the commissioner needs to do routinely, there must be financial and workload implications of devoting so much time to Scottish Government compliance, and I would urge the committee to think about extra resources for the commissioner’s office.

Commissioner, do you want to come back on that?

I would certainly not dispute any gift of additional resources for the task. It is important that my office can manage the current system with a full-time equivalent staff of about 20.5 people. To put it into context, the intervention means an awful lot of work for one organisation, given our role in promotion, guidance, education and giving advice and assistance as well as investigating and deciding on appeals and carrying out interventions.

We foresee additional work with the oncoming addition of registered social landlords later this year, and we are seeking an uplift of four personnel to deal with it. We hope to deal with this current intervention within our existing resource, albeit that, as you will imagine, it will mean quite a lot of additional work. The problem is that we have to get the additional freedom of information officers in post and trained, and I do not want to delay the intervention in order to do that. It is more important that we address the major concerns as quickly and thoroughly as possible. If some other business of my office has to be slightly delayed, I will have to determine what that will be and manage the risk within our resource. That is my responsibility.

Looking forward, additional resource will certainly be required for us to continue our work with additional bodies who become subject to the act. If any changes are made to the legislation that increase our role or the number of bodies subject to the act, increased resource will be absolutely necessary.

I suppose that I should know this from when the legislation was passed, but, commissioner, you said that your current investigation is on compliance with existing legislation. What enforcement powers do you have that you can bring to bear?

There are a couple of policies—an enforcement policy and a specific intervention policy—that set out the system. There are various levels of intervention, and we usually allocate different enforcement powers to each of them. They range from level 1, which is very light-touch recommendation of improvements in process, through to level 4, which involves application of enforcement action. That could include an enforcement notice, notifying a breach of part 1 of the act. Failure to comply with an enforcement notice can lead to the matter being referred to the Court of Session, which might consider it as contempt of court under the current legislation. We can make practice recommendations in relation to breaches of the code of practice; we have powers of entry and inspection under schedule 3 of the act; and we can issue information notices requiring the provision of information.

In any scrutiny, it would be useful to look at those powers afresh to see whether they are entirely sufficient. We know that the powers in relation to proactive publication could be improved upon, and it might also be worth looking at the six-week period for compliance with an information notice. An ability to tie some form of stronger enforcement to breaches of the codes of practice would also be useful.

Once again, the system and tools that we have are by no means perfect, but we have quite a number of tools in the toolkit and we actually use our enforcement powers fairly rarely and sparingly. Often the threat of enforcement is enough to push matters further.

I thank everyone for their genuinely fascinating and useful evidence. I now close the public part of the meeting and move into private session.

11:16 Meeting continued in private until 11:30.