Announcing change to my publication policy on FOI's - & why I'm doing so...

I make a lot of FOI requests when trying to establish how well (or more commonly just how badly) UK Law Enforcement entities operate under the Data Protection Act 2018 Part 3 - the specific law that governs their processing of personal data for a Law Enforcement purpose (operational stuff...).

Normally I don't publish those responses. Occasionally they'll find their way into articles in the media when, in a discussion with a journo or third party, I'll clarify or correct something they tell me by showing them the relevant FOI response; but most of the FOI requests I have made in the past 3-4 years simply don't see the light of day. From today I'm adjusting that policy a bit.

My new FOI publication policy

From now on, when I get an FOI response I'll still keep it private (unless there's a genuine urgent public interest element) for 3-6 months. This ensures that when I find something problematic, and I inform the organisation that there is a problem (which I always do), they'll have time to consider if they want to take action and to initiate that action.

Think of this in the context of Vulnerability Disclosure - the purpose of many Security Researchers when they find a bug or possible exploit is not to actually use that to hack a system, but to improve the software by telling the vendor what they've found and why it's important to address it.

Only after the vendor does something about it, or after a set period of time has passed, will they release that information into the public domain. This can be as a last gasp effort to oblige the vendor to 'do the right thing' (which sometimes works), but also because users of that software do have a right to know that there is a flaw or issue that puts their data at risk.

I'm going to adopt that model from now on for FOI requests.

Avoiding a flood of releases

If I just published everything that was well overdue and has had nothing done about it then I'd be publishing about two dozen FOI responses right away.

If I included all the cases where the request has been refused, and all the twists and turns employed by the Authorities NOT to release information that they know is harmful to their position, then I'd be publishing many more than that...

How I'm going to release these is as follows:

Whatdotheyknow (the website I use for collation of FOI requests) allows me to keep requests private for an indefinite period of time.

I've been doing this now for a couple of years, clicking the 'Keep Private' button a week or so before stuff is automatically published.

From now on, when the 'Keep Private' period expires I won't renew it unless there's a genuine issue that shouldn't be in the public domain (a couple could fall into that camp in my view*). The requests will be published, and I'll then comment on them and explain the implications of the request here on LI.

* You might say I should publish everything I get (or that's been refused) through FOI regardless of the consequences, and I do have sympathy with that position, but TBH I've been involved in the positive delivery of National Policing systems, and before that operationally in Policing and Prisons, for way too long to just throw all this stuff into the public domain without still caring about the consequences. So I'm going to take the position of 'my request, my disclosure rules' on a very few of them and NOT routinely publish them when their clock runs down.

Otherwise however the timeline will work like this:

  1. I make an FOI request
  2. I get a full and final response (under the legislation you might think this just takes 20 working days, but actually some requests I make have taken nearly 2 years to get to that position and required me to involve the ICO or the Scottish ICO to force a disclosure, and even then it's often just partial)
  3. I set a time of "Keep Private" - typically 3-6 months - to allow the Authority to get their house in order, or at least to start to do so.
  4. When the clock runs down, I'll publish the FOI request and response
  5. I'll link to it from LI and provide a commentary and explanation.

What I'm hoping to get out of this

I have been trying to get Law Enforcement bodies to comply with UK law for nearly 5 years - that's how long the legislation has now been in force, and it's still being flouted every single day.

In fact I've been working on this for a bit longer than the lifetime of the Act, because even whilst this was at the Bill stage I was trying to advise MOJ, HMCTS, Police and other bodies (as well as Cloud suppliers) of the problems coming over the horizon.

My inputs have mostly been ignored. Twice however I've been fired (actually my contract was terminated, so I wasn't really 'fired') from a Law Enforcement role, because the IT Directors really didn't want the Seniors to hear the message that they were breaking the law. (Actually in my experience the Seniors usually already know - they're just being shielded from possible proof that they know...)

In the meantime, those doing the ignoring / firing have advanced themselves into positions where they've then massively accelerated the adoption of IT services that break the law and place the public at risk, whilst concurrently wasting £100m's of public money on services that are inherently unsuitable for the purpose to which they put them and building a huge potential risk of compensation payments that outstrips even the cost of the IT in the first place. Luckily for them a risk that has not yet been realised - though that'll happen sooner or later I am sure.

That's not OK, but it's 'OK' for me in the respect that it's a pretty normal outcome. I've made a comfortable 25+ year career out of telling folks what they need to know rather than what they want to hear (first as a Security advisor, & latterly in the area of DPA law), and it pretty much goes with the territory that those you tell will be advanced, whilst those who DO the telling definitely won't.

I've been pretty well paid during the various tenures I've held on my contracts over the years, however, and I'm 100% fine with that arrangement. This certainly isn't a vengeance crusade I'm on; if that were the case I'd have published a lot more, and done so a lot sooner - so let's not go there ;)

BUT

Routinely breaking the law, whilst claiming to uphold the law and adopting a superior technology position when you're employing tech that puts the rights, interests and even the safety of the public at risk, really is not acceptable in the long term.

The tipping point for me was reached when (rather than fix a long term problem for which 5 full years in the legislation was provided) Home Office quietly submitted a piece of Secondary Legislation to Parliament on 6th April to extend a transitional provision for Section 62 of the Act due to come into effect on 6th May out to 2026 so they don't have to introduce legally required logging on older Police IT systems.

UK Gov are also seeking to have this obligation struck out completely in the new DPDI bill. As a result it will be very hard to achieve non-repudiation (i.e. proving when someone in Law Enforcement looks at, modifies or discloses personal data), which ought to concern us all, quite a lot. It will also put the UK on an even more divergent course from the EU Law Enforcement Directive - this could affect EU LED Adequacy, but right now the politicians seem to be betting that the EU will let them get away with it (the ICO essentially said as much last week when he gave evidence to the Parliamentary Committee that the new DPDI definitely wouldn't affect Adequacy). Time will tell.

I've worked over the last two decades or so with a lot of Civil Servants and Politicians who, when facing an issue about their tech solution of choice breaking the law & placing the public at risk, have defaulted to an initial position of 'we're the Government, we'll just change the law'.

This happens a lot more than most folks realise, but during the periods I was in post in NPIA, Home Office, MoJ, and in various other senior Policing IT or Security roles we pretty much always got those in power to see reason and invest in the required changes, or to force the vendors to adapt their product.

(In large part this was down to the unflinching support of my permie colleagues, who all had a lot more to lose in career terms than I did, and to whom I doff my hat. Most of them are now sadly retired, and the work they did in protection of the public isn't well documented, but they know who they are)

Explaining that a technology you need to change the law to use is probably the wrong technology used to be enough to get folks to understand. Nowadays it's not.

What we've seen recently however, with the Home Office introduction of Statutory Instrument 2023/414, is that the reverse is now true.

No-one in those senior tech or security lead positions is today trying to influence the lawmakers that using technologies inherently unsuitable for the purpose to which they are being put is in any way a bad thing - in fact quite the opposite. Those who should be effecting positive change in Home Office and Policing to make tech investments that are legal, performant and proper are instead doing press releases and adverts FOR the vendors who can't & don't comply with UK law. Constraints long applied to comply with national policy, security postures and even legislation are seen as optional, or not even considered in this brave new world... Changed days indeed.

Since I'm no longer in those roles myself and can't apply the basic architectural principles that would uncover these constraints and question these tech choices, I have to accept that's the state of play and limit myself to this response:

'Fair enough; but if you make the problem, from now on you need to own it & recognise that for each of those decisions there may well be consequences.'

My apology...

I've been masking these issues for far too long, and for that I apologise - part of the problems we face today in the sector are down to me not being willing to publish and be damned a lot sooner.

This has allowed really poor behaviours in Policing and wider Law Enforcement procurement and in the selection of services. It's also helped to spawn a whole international industry supplying 'UK Policing' Tech that is illegal to use.

I've known about this stuff for years - and so have the decision makers and many of the vendors - but nothing has been done, and part of that is down to me not publishing things that under FOI were (in real terms) releasable to the public domain.

Hundreds of suppliers are now promoting thousands of products performing critical public safety functions that at worst place the public at risk, and at best introduce a risk to the public purse (and to their own companies) of compensation claims from those who have their data illegally processed. That's if a risk of £100m's in compo claims can feasibly be considered a 'best case' outcome...

I apologise for all that too - but from now on I'll be trying to adopt a more open and 'vulnerability disclosure' led approach around my FOI requests.

Maybe a bit more visibility will help those sitting in their respective ICT hot seats within Police Forces, Ministries and in NDPBs & Consultancies to recognise they have obligations to the public which go along with the job title, and who knows, we might effect some change and ultimately move this processing back to the point where it's legally performed under UK laws. We can but hope...

Simon Hansford
A great post and well worth the read. I totally agree with your fair & considered approach. For too long we have people that are not accountable for their decisions and actions. As you say "if you make the problem, from now on you'll need to own it and recognise that for each of those decisions there may well be consequences."