Is the government’s secretive ‘Clearing House’ lawful? An expert explains
When government departments share the names of people making freedom of information requests, they may be breaking data protection rules
If you make a freedom of information (FOI) request to a government department, there is a good chance that the details, including your name, will be shared across all government departments. This process of sharing – known in government circles as the "Round Robin List" – is said to be so that departments can provide advice, support and co-ordination in responding to FOI requests.
The Round Robin List has been in place since the FOI Act came into application in 2005, and it is understood to enable the Cabinet Office “Clearing House” – the "Orwellian" unit exposed by openDemocracy earlier this week – to have oversight of cross-departmental and high interest requests.
The practice of sharing requesters' names is well established, and occurs frequently, but is it lawful? I would argue not.
Fair and transparent?
Data protection law and freedom of information law occasionally interact with each other, and this is one example. If a government department shares the name of an FOI requester with others via the Round Robin List, these departments are “processing” that requester's “personal data”. Data protection law – primarily, the General Data Protection Regulation (GDPR) – says that such processing must be lawful, fair, and done in a transparent manner.
We’ve just won a three-year transparency battle against Michael Gove’s department.
Can you help us keep fighting government secrecy?
Let us start with the last of these. According to the GDPR, it should be “transparent” to data subjects “that personal data concerning them are collected, used, consulted or otherwise processed”. The Information Commissioner's Office, the body that oversees both data protection and freedom of information law, explains that this means that "you must be clear, open and honest with people from the start about how you will use their personal data".
So let us put ourselves in the position of, say, someone who makes an FOI request to the Home Office. The relevant government web page merely invites one to make a request to a postal or email address – it does not explain that the request, and one's name, might be shared across all government departments. I can see no reason why the page could not explain this, and the absence of such information means that there is a strong argument, from the start, that any onward disclosure to the Round Robin List will not be done in a transparent manner.
This appears to be the case for all government departments, except the Cabinet Office. If one makes a request directly to the Cabinet Office, the relevant web page says: "For information about how we handle your personal information when you make a freedom of information request, please see our Personal Information Charter,” which it links to. Interestingly enough, that Charter also links to a "Cabinet Office Freedom of Information request and Subject Access request privacy notice", which says:
In relation to freedom of information requests, your data may be shared with other government departments and public bodies. This is in order that we can provide cross-government advice, support and co-ordination in responding to freedom of information requests.
So, at least in the case of FOI requests directly made to the Cabinet Office, requesters are told that their data might be shared across government departments. This, of course, doesn't help those who make requests to departments other than the Cabinet Office, whose data is apparently similarly shared.
In my view, when it comes to the legality of sharing personal data, all government departments except the Cabinet Office fail at the first hurdle – they do not comply with the "transparency" principle of GDPR.
Not strictly necessary
Does that mean the Cabinet Office is in the clear? Well, not so fast. That “Cabinet Office Freedom of Information request and Subject Access request privacy notice” aims to explain how the Cabinet Office's processing of personal data is lawful, by pointing to the legal basis for the processing:
In relation to providing cross-government advice, support and co-ordination in responding to freedom of information requests, the legal basis for processing your personal data is that processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller. In this case the task is providing advice, support and co-ordination in responding to freedom of information requests.
A lot here turns on the word “necessary”. The Information Commissioner explains that “if you could reasonably perform your tasks or exercise your powers in a less intrusive way, this lawful basis does not apply”. To put it in more legalistic terms, "necessary", when it is used in the context of an interference with a fundamental right, implies a proportionality test.
The High Court has explained that it “should reflect the meaning attributed to it by the European Court of Human Rights when justifying an interference with a recognised right, namely that there should be a pressing social need and that the interference was both proportionate as to means and fairly balanced as to ends”. (Corporate Officer of the House of Commons v The Information Commissioner & Ors  EWHC 1084 (Admin).
So is the processing done by the Cabinet Office (and indeed other departments) really "necessary"? It is very hard to see why – if the Round Robin List is essential for “providing advice, support and co-ordination in responding to freedom of information requests” – the requesters’ names can’t simply be removed from it. What benefit does having the names on the list bring? Even if it saves a little time in identifying requests, I am far from convinced that justifies – on the basis of proportionality – the interference with the data protection right.
What’s in a name?
I have worked in an FOI team in a large public authority where “high profile” requests were circulated to internal “stakeholders” for information. But we never named the requester – and never felt the need to. The reason we didn't was precisely because we did not think it was justifiable from a data protection point of view.
As to what detriment the practice might bring, one fears that having a name widely associated with a request might lead to the request being treated differently. FOI operates on a general presumption that the identity of a requester is irrelevant – information is either disclosable or not. Are there individuals – perhaps journalists – whose requests automatically go on the Round Robin List and through the Clearing House?
If so, might those journalists legitimately complain that this feels like being on a blacklist?
Jon Baines is senior data protection specialist at the law firm Mishcon de Reya and chair of the National Association of Data Protection Officers
Get our weekly email