Memorandum submitted by Richard Thomas CBE (CRU 53)
1.1 My name is Richard Thomas. I was appointed Information Commissioner for the UK in 2002 and held that position until the end of my 2nd term in mid-2009.
1.2 I currently hold appointments as Chairman of the Administrative Justice and Tribunals Council (AJTC); Board Member of the International Association of Privacy Professionals (IAPP); Deputy Chairman of the Consumers Association/Which? and Trustee/Board Member of the Whitehall and Industry Group. I also have a part-time consultancy as a Global Strategy Adviser with the Centre for Information Policy Leadership, a think tank associated with the law firm, Hunton & Williams, that explores and develops new approaches to information governance issues, particularly in the field of privacy and data protection.
1.3 Hunton & Williams has clients, and the Centre has members, with an interest in climate change issues, but I am not representing any such client or member and no such client or member has seen or contributed to this written evidence. Equally I have not consulted the Information Commissioner's Office (ICO).
1.4 Beyond what is stated above, I have no declarable interests.
1.5 I was Information Commissioner when the Freedom of Information Act 2000 ("FOIA") came into force on 1st January 2005 and for its first three and half years of active life. As such, while leading the Information Commissioner's Office (ICO), I had a range of promotional, adjudicatory and enforcement responsibilities under that Act, under the closely-related Environmental Information Regulations 2004 ("EIR") and under the Data Protection Act 1998 ("DPA"). For convenience, I describe these collectively as the "information laws."
1.6 I am happy to assist the Committee to the best of my ability in relation to the information laws - in particular, their underlying rationales and policy objectives, their interpretation and their application in practice. This evidence is likely to be most relevant to the first two issues set out in the Terms of Reference of the Inquiry. I do not have any comments in relation to the last matter, which falls well outside of my sphere of expertise.
2. Factual BACKGROUND
2.1 I understand that the Climatic Research Unit ("CRU") is part of the University of East Anglia, which is a "public authority" for the purposes of the Freedom of Information Act and the Environmental Information Regulations, and a "data controller" under the Data Protection Act. I understand that on November 17, 2009, meteorological station data used for research by CRU and approximately 1,000 emails sent or received by members of the CRU were posted on the internet by a person purporting to be a whistle blower. I have not had any opportunity to familiarise myself with the detailed content of this information, but it has clearly led to questions about the integrity of the climate science research published by CRU.
2.2 CRU has responded that, although language used in the emails was ill-advised, there has been no improper manipulation of data. The University has announced 2 inquiries in order to determine (amongst other matters) whether that statement is correct. I am not aware of any statement denying the authenticity of the emails. The issues that are most relevant to the information laws appear to be:
(a) the relevance and impact of the information laws on scientific and academic research conducted within universities;
(b) the handling of a large number of FOIA/EIR requests by the University relating especially to climate change research which (within CRU) it "held";
(c) the adequacy of section 77 of FOIA to deal with suggestions that CRU researchers deleted information, not in course of normal work, but to frustrate FOIA/EIR requests;
(d) whether this case illustrates that there is scope to extend the "proactive" disclosure provisions of FOIA as they relate to universities.
3. Freedom of InfOrmation Aspects
3.1 Rationales and Policy Objectives
Put simply, the main rationales behind FOIA and EIR - the "Right to Know" - are:
(a) to challenge unnecessary official secrecy;
(b) to promote trust and confidence in public authorities;
(c) to hold public authorities more accountable;
(d) to increase accountability in particular for the use of public expenditure;
(e) to deter - and sometimes to expose - impropriety within pubic authorities;
(f) to improve the quality of decision-making.
To summarise: citizens in a democracy are entitled to know what is being done in their name, for their benefit, and with their money. Transparency has been described as a defining characteristic of a modern democracy and there has been substantial consensus over the last decade as to the benefits of maximum transparency. As long ago as 1913 Mr Justice Brandeis famously coined the phrase in the United States that "Sunshine is the best of disinfectants."
3.2 These rationales can be related to the present Inquiry. The public must be satisfied that publicly-funded universities, as with any other public authority in receipt of public funding, are properly accountable, adopt systems of good governance and can inspire public trust and confidence in their work and operations. The FOIA, by requiring transparency and open access, allows the public to scrutinize the actions and decisions taken by public institutions. Failure to respond or to respond properly to FOIA requests undermines public confidence in public institutions. The fact that the FOIA requests relate to complex scientific data does not detract from this proposition or excuse non-compliance. The public, even if they can not themselves scrutinize the data, want to ensure that there is a meaningful informed debate especially in respect of issues that are of great public importance currently and for generations to come.
3.3 It can also be said that failure to fulfill FOIA obligations undermines the development of public policy. The CRU is a leading climate research centre and its work has been incorporated into the assessment reports of the Intergovernmental Panel on Climate Change (IPCC).
3.4 Where public policy is based on science, the public expect the science to be the best science available and that the scientists imparting that science act impartially. Scientists must adopt high standards of ethics and scientific integrity, and allow their work to be peer reviewed, subject to appropriate safeguards of intellectual property rights.
3.5 This is especially the case in new areas of science such as climate change research, where it is clear the results are directly influencing the development of public policy. (Indeed, FOIA makes special provision for the easier disclosure of statistical data where the section 36 exemption could otherwise apply - see section 36(4)). Access to the original data, computer models and an explanation of the analytical methods used is necessary to ensure that results are reproducible. Any attempts to limit peer review, to omit or distort scientific data or to limit access to data sets, models or methodologies used and thus frustrating any review of the science would lead to legitimate questioning of the conclusions asserted. In the wider context of public sector transparency, there is a risk that attempts to withhold the disclosure of information without good reason will increasingly be characterised in terms of "something to hide."
3.6 FOIA and EIR in practice
Parliament has created a presumption in favour of disclosure. FOIA states - with broadly equivalent provisions in EIR for environmental information as defined - that any person may make a request for any information specified in the request that is (or is thought to be) held by the public authority recorded in any form. There is no formal application process. No fees are payable in the vast majority of cases. There simply has to be a request specifying the information requested for public disclosure. When a request has been received by the public authority, it has 20 working days in which to respond. The 20 working days deadline can be extended if there are public interest issues in which case a reasonable time is provided for consideration as to whether or not the request should be granted. There is a legal duty to provide advice and assistance to those making the request, and there is a Code of Practice (known as the section 45 Code) setting out in some detail how public authorities are encouraged to handle requests that they receive.
If a request is rejected and the requested information is not disclosed, the public authority must issue a Refusal Notice and must then - if requested - carry out an internal review. There is no statutory time limit for this, but a complaint cannot normally be made to the Commissioner until the internal review has been concluded.
3.7 There are over 20 exemptions to the fundamental duty to disclose requested information in FOIA - with broadly equivalent arrangements in EIR, though with detailed differences. Eight of the main exemptions are absolute and 16 are qualified. Qualified means that there is a "public interest override," which means that, even where the exemption applies, the public interest considerations must be considered. In formal terms, there must still be disclosure - even though the qualified exemption applies - unless the public interest in the exemption outweighs the public interest in disclosure.
The exemptions are similar to those found in other Freedom of Information laws in force in the world. I am not aware which exemptions were considered by the University as potentially applicable to some or all of the requests to CRU. I can speculate that some or all of the following (and/or their EIR equivalents) might have been considered:
(a) Section 22 - where the requested information is intended for future (but imminent) publication;
(b) Section 40 - where disclosure of personal data would breach any of the data protection principles;
(c) Section 41 - where the information had been obtained from elsewhere in such circumstances that its disclosure would constitute an actionable breach of confidence under common law;
(d) Section 43 (qualified) - where disclosure would, or would be likely to, prejudice the commercial interests of any person, including the public authority;
(e) Section 44 - where disclosure is prohibited by another enactment or inconsistent with an EU obligation (which may include some intellectual property restrictions);
(f) Section 14 (not an exemption, strictly speaking) - where the request is vexatious.
I do not know whether any of these exemptions were in fact considered by the University or if they were, in fact, relied upon to justify non-disclosure. Nor do I know what complaints the requester(s) made to the ICO. And it is not possible, without a great deal more knowledge and analysis, to say whether the Commissioner would have or will upheld reliance upon any of these (or any other) exemptions. I can say, however, that the application of these and other exemptions to particular requests and fact situations can be a complex and demanding exercise, both for the public authority and the ICO.
3.8 In this case, I am aware however that the Deputy Commissioner has issued a widely-reported statement - commented on in more detail below - which suggests that at least some of the requested information should have been disclosed in the absence of applicable exemptions.
4. Prevention of Disclosure
4.1 The Deputy Information Commissioner has made a statement in this case that:
"The FOI Act makes it an offence for public authorities to act so as to prevent intentionally the disclosure of requested information. Mr Holland's FOI requests were submitted in 2007/8, but it has only recently come to light that they were not dealt with in accordance with the Act. The legislation requires action within six months of the offence taking place, so by the time the action came to light the opportunity to consider a prosecution was long gone."
This is clearly a reference to section 77 of the Act and/or the near-identical Regulation 19 of EIR. Section 77 needs to be set out in full:
Offence of altering etc. records with intent to prevent disclosure
(a) a request for information has been made to a public authority,
(b) under section 1 of this Act or section 7 of the Data Protection Act 1998, the applicant would have been entitled (subject to payment of any fee) to communication of any information in accordance with that section,
any person to whom this subsection applies is guilty of an offence if he alters, defaces, blocks, erases, destroys or conceals any record held by the public authority, with the intention of preventing the disclosure by that authority of all, or any part, of the information to the communication of which the applicant would have been entitled.
2. Subsection (1) applies to the public authority and to any person who is employed by, is an officer of, or is subject to the direction of, the public authority.
3. A person guilty of an offence under this section is liable on summary conviction to a fine not exceeding level 5 on the standard scale.
4. No proceedings for an offence under this section shall be instituted:
(a) in England or Wales, except by the Commissioner or by or with the consent of the Director of Public Prosecutions;
(b) in Northern Ireland, except by the Commissioner or by or with the consent of the Director of Public Prosecutions for Northern Ireland.
4.2 The Deputy Commissioner also appeared to have in mind the "boiler-plate" wording of Section 127(1) of the Magistrates Court Act which states that:
"a magistrates' court shall not try an information or hear a complaint unless the information was laid, or the complaint made, within 6 months from the time when the offence was committed, or the matter of complaint arose."
4.3 Section 77 is a very important section of FOIA, which most public authorities take very seriously. It is the only section with a criminal sanction, although there have not yet been any prosecutions. It has to be established that the "applicant would have been entitled" to receive the requested information, in particular that no exemptions applied. It is also necessary to establish that the destruction or alteration was done with the "intention" of preventing disclosure. A further problem, highlighted in the present circumstances, is that the offence can very rarely be detected - let alone properly investigated - in time for a prosecution to be brought. It can, in practice take several months before an authority carries out the internal review which is necessary before a complaint can be made to the ICO. Once a complaint is made, time continues to pass and (except in the most blatant cases) it will usually be impossible for the ICO to detect an offence within 6 months of it occurrence.
4.4 This problem has been raised well before the current controversy. An amendment to section 77 to extend the time limit for prosecutions was debated in the House of Lords in July 2009 at the Report Stage of the Coroners and Justice Bill. The amendment was identical to provisions already found in several other statues, such as the Animal Welfare Act 2006 and the Theft Act (as amended by the Vehicles (Crime) Act 2001), where the government itself had decided to extend the 6 month limit for prosecutions. More recently, in 2008, the Building Regulations were amended following a public consultation, as local authorities had maintained that the 6 month period did not allow prosecutions to be brought where a breach of the regulations only came to light after completion of the building work or where remediation of the work had been promised but not carried out.
4.5 The proposed amendment would have allowed a prosecution to be brought within 6 months of the evidence of the offence coming to the Commissioner's knowledge, rather than within 6 months of the offence being committed. The amendment was tabled to the Coroners and Justice Bill by Lord Dubs. Responding to the amendment, the Minister Lord Bach said on behalf of the government
"The Freedom of Information Act 2000 came into force only in 2005, and I have to tell my noble friend that we have no evidence at present that the current six-month time limit presents a systemic problem for the Information Commissioner or any other prosecutor in taking action under Section 77. However, I shall say this, which I hope will give my noble friend some comfort. We will listen to the views of the Information Commissioner and other interested parties on this point, and if there is evidence that the current legislation is causing systemic difficulties, we will look for ways to address the matter, if necessary by means of an alternative legislative vehicle in future. However, I cannot go further than that today on behalf of the Government."
5. the terms of reference and scope of the Independent Review
5.1 An Independent Review of the circumstances surrounding and the implications of the data release is being conducted by Sir Muir Russell.
5.2 Amongst other aspects, the Muir Russell Review will:
"review CRU's compliance or otherwise with the University's policies and practices regarding requests under the Freedom of Information Act ('the FOIA') and the Environmental Information Regulations ('the EIR') for the release of data."
It is not clear whether the Review will look at policies and practices in general or will undertake a detailed consideration of some or all requests and their handling. If the latter, there may well be some delicate inter-action with the (on-going) statutory and quasi-judicial obligations of the Commissioner to rule on individual complaints.
6. PROACTIVE DISCLOSURE
6.1 Towards the end of my time as Commissioner, I placed more and more emphasis on the benefits of proactive disclosure by public authorities, without the need to await requests, and often the burden and defensiveness of dealing with them. In January 2009 - after extensive consultation - new arrangements were introduced for public authorities to adopt Publication Schemes in line with a Model Scheme published by the ICO. Publication Schemes are mandated by section 19 of FOIA and the new initiative was an attempt to maximise disclosure and minimise bureaucracy.
6.2 As part of the new arrangements, a "Definition Document" for Universities was published, setting out the kinds of information that universities would be expected to provide to meet their commitments. (http://www.ico.gov.uk/what_we_cover/freedom_of_information/publication_schemes/definition_document_universities.aspx). This covers many aspects of university governance, administration, and operations. It explicitly includes such matters as procedures and policies for academic services, internal and external procedures for assuring academic quality, research policy and strategy, and research funding. But there is no explicit reference to research findings and data. The issues arising at the University of East Anglia suggest that this should now be addressed as a heading for proactive and routine disclosure.
7.1 Based on my current knowledge of the issues before the Committee, I suggest that the Committee might conclude that:
(a) the legislation should be amended so that a prosecution under section 77 of FOIA or Regulation 19 of EIR could be brought within six months of evidence of the offence coming to the Information Commissioner's knowledge;
(b) the Information Commissioner - not the Muir Russell Review Team - should make any rulings on the validity of FOI / EIR requests; and
(c) the Information Commissioner should be invited to extend the "Definition Document" for Universities so that - with any necessary exceptions - publicly-funded statistical or factual data and research findings should be proactively disclosed as the norm.
Richard Thomas CBE