Information Commissioner talks freedom of information, GDPR and Brexit

Although slightly outside our usual topic focus, I attended an event earlier this week where the UK Information Commissioner, Elizabeth Denham, launched a new report from the ICO looking at the current state of freedom of information (FOI). My interest was piqued by reference in the joining materials to opportunities missed at Carillion, as well as seeing if the Commissioner might give some personal insights into GDPR eight months in. An extra frisson of excitement was added in that the meeting, convened by APPG (All Party Parliamentary Group) PICTFOR, took place in Parliament on 29 January, immediately before the evening Brexit votes, causing a flow of MPs from the meeting as it progressed.

Is Freedom of Information fit for purpose?

The report, called ‘Outsourcing oversight? The case for reforming access to information law’ argues that whilst FOI can shine a light on public authorities, increasing accountability and transparency, the current FOI regulation is now losing relevance. Many public services are delivered by third parties and contractors, who are often outside the scope of FOI requests. The Commissioner made reference to the difficulties accessing information relating to the collapse of Carillion, which had 420 UK public sector contracts, and with social housing providers, noting issues regarding the Grenfell Tower fire. Her report, laid before Parliament this week, aims to bring the regulation into the modern age, alongside leading countries such as Estonia, Brazil and Scotland.

Lord McNally, former Minister of State for Justice, wished her success and called her ‘brave’, noting the atmosphere of secrecy in Parliament.

GDPR 8 months in          

The Commissioner made a few observations about GDPR eight months after go-live. She talked about a lot of growing pains and lots of myths busted. 2018 was the year data protection came of age, because the public were so much more engaged. Everything was up 100% - complaints, questions, website traffic. She talked about what is coming next, referring to Data Protection 2.0/ICO 2.0 – auditing AI and working on accountability and data governance. She noted the impact that GDPR has had globally in helping to drive data protection laws, citing specifically Brazil and South Asia. On Facebook she noted ‘Cambridge Analytica fell into our lap’ and, finding a number of powers were not available when it first landed, was grateful to Parliament for giving her what she needed shortly afterwards.


Finally, with the crucial Brexit votes starting as the meeting finished, she was asked to comment on Brexit. Given what was and is happening, her keyword was ‘uncertainty’. What she did say is that if the UK leaves without an agreement, the UK will not sit on the EU Data Protection Board. She expects the UK to be granted adequacy, but that will take a few months to put in place. In which case, the UK will initially be deemed to be outside the EU, with all that that entails.