Andrey Popov - stock.adobe.com
Public bodies are quoting unrealistic estimates of database search times, leading to freedom of information (FOI) requests being wrongly refused, a computer scientist has claimed.
A tribunal judge heard last week that public authorities’ estimates of how long it would take to search for documents were open to abuse and should not be accepted without questioning.
The case followed claims by the Information Commissioner’s Office (ICO), which regulates the Freedom of Information Act (FOIA), that it did not have the expertise in-house to use an Excel spreadsheet to search for information subject to a freedom of information request.
Reuben Kirkham, an expert in human computer interaction, claimed that public authorities were using electronic search tools in an “inadequate and ineffective” way, leading to FOIA requests wrongly being denied.
Kirkham has asked for permission to appeal to the Upper Tribunal over his legal battle with the Information Commissioner’s Office, which claimed it would take more than 18 hours to identify documentation that Kirkham has requested.
ICO lacks expertise for spreadsheet searches
The ICO said it did not have the expertise in-house to search its own data using an Excel spreadsheet and other software in response to an FOIA request from the academic. Kirkham suggested that a simple spreadsheet search would allow it to identify documents more quickly.
The academic argued in a peer-reviewed article that there was a widespread lack of recognition by public authorities and the information commissioner that there is a range of techniques to search electronic storage systems more effectively than the standard interface used by staff at public bodies.
His research identified cases where public bodies claimed they would have to read each document on their database manually, argued that it was not possible to carry out keyword searches, or gave exaggerated estimates of how long a search would take based on “mathematically flawed” assertions.
Kirkham said the information commissioner had taken these claims on face value “without any exploration of alternative approaches towards information searching” in nearly every case in a sample of 80 he examined.
In his own case against the ICO, Kirkham has disputed the ICO’s claims that it would take over 21 hours to identify information he requested, putting his application beyond the 18-hour limit for non-central government agencies.
Kirkham gave evidence that the documents could be identified more quickly by joining two sets of data in an Excel spreadsheet and filtering the data, putting the exercise well within the 18-hour limit.
He claimed that a tribunal judge either failed to follow his evidence or chose to ignore it, before dismissing his appeal against the ICO in the First Tier Tribunal in 2017.
According to a tribunal judgment, the ICO’s head of digital and IT architecture, Neil Smithies, accepted that Kirkham’s method of searching Excel was possible, but said the ICO had no staff who were able to undertake such searches. Carrying out an Excel search would require chargeable work from an external provider that fell outside current contractual arrangements.
Kirkham also put forward other ways that the ICO could search its data more efficiently, including searches conducted through the command-line interface, SQL database scripts and macros to automate searches of graphical user interfaces (GUIs).
How databases allow public bodies to avoid FOIA requests
A peer-reviewed research paper by Reuben Kirkham, expert in human computer interaction, found multiple examples of public authorities in the UK claiming they were unable to search their IT systems to respond to freedom of information requests.
- In numerous cases, a public authority asserted it was not possible to conduct keyword searches of their IT system.
- Public bodies claimed that the interface on their IT systems only allowed limited searches, such as the “title fields” in a database.
- In one case, a public body claimed it would have to read electronic documents manually to perform a search by postcode. However, it would have been possible to create a “look up table” to carry the search out automatically.
- In a freedom of information request for building issues and repairs, one council claimed it could not retrieve documents from its database as they were not stored by category, for example “leaks”.
- Public authorities asserted that they would need to read all documents from beginning to end to determine if they were relevant to the request. Kirkham argues that the documents could be quickly assessed by performing keyword searches.
- Government bodies carried out broad keyword searches on databases which recovered large numbers of documents which took the search beyond the cost limits allowed under the Freedom of Information Act. They could have narrowed the search down using more targeted keywords. Kirkham argues that even when the search capabilities of Graphical User Interfaces used by public bodies are limited, organisations can carry out more sophisticated searches by using the Command Line Interface, macros or bots, or downloading data into spreadsheets.
Judge Alison McKenna found Kirkham’s approach required the technical competence of a computer science academic and not one that may reasonably be expected of a public authority. She said, citing a previous upper tribunal verdict, that Kirkham’s “rigorous scientific approach” did not aid “statutory interpretation”.
The judge accepted the evidence from the ICO’s head of digital and IT architecture that the ICO “lacks the applications and technical ability” to conduct the searches suggested by Kirkham, and that it fell out of the scope of FOIA to buy in additional expertise.
Kirkham argued that judge McKenna, president of the General Regulatory Chamber until August 2021, made an error in law, and he dismissed claims that analysing the ICO’s data required a computer scientist as “nonsense”.
“She failed to engage with or analyse my evidence. My evidence was not challenged in any kind of cross-examination, aside from some bizarre questions asserting that I did not have Mr Smithies’ job, or a similar role,” he said.
Using a spreadsheet posed no security issues for the ICO’s IT systems, which had Excel installed, Kirkham argued in a presentation given to the tribunal. The ICO already had a spreadsheet containing the relevant data in its possession, he said.
Tribunal accepted self-certified evidence without question
Kirkham criticised the tribunal for accepting evidence from the ICO about the time it would take to respond to his request without questioning whether the estimate was correct, saying it had relied on self-certification.
In a previous decision, Upper Tribunal judge Edward Jacobs said: “The information commissioner and the tribunals should take a sceptical approach and require the public authority to provide persuasive evidence of how they undertook the estimate, with follow-up questions if necessary.”
The ICO had not disclosed what interface it was using to interrogate its database, why it would have taken an ICO employee two minutes to examine each document, or whether the time estimate included impermissible activities, such as redacting the document, said Kirkham.
He said no one would sensibly click through hundreds of files at the rate of two minutes a file, when there were tools, known as GUI bots or macros, available to do that automatically.
Security used as an excuse
The ICO had refused to consider automated tools, citing the need to limit employees’ access rights to its computer systems for security reasons, but Kirkham said this was “bunkum”.
“It was eventually accepted in argument that using a GUI bot did not give them more access, [it] just meant that the existing access would be used more effectively,” he said.
Kirkham said he had not been given a fair hearing, claiming there was “a failure to analyse the evidence that favoured my case”.
The judge said during the tribunal that organisations don’t design their IT systems to protect against rogue employees. But Kirkham argued that “anyone who understands security would know it’s actually aimed at protecting from rogue actors, including employees”.
Kirkham told the tribunal that he had received an unexplained package of documentation, sent to him in Australia, that contained poorly redacted tribunal documents, including internal emails.
Held to the light, they revealed personal details, including telephone numbers and addresses, about tribunal staff.
Kirkham said there was a need for an “expert tribunal” with relevant expertise to assess claims by public authorities about their technical capability.
“It is only by lobotomising the case that I brought (and ignoring all of Mr Smithies’ missteps) that the ICO won before [the judge],” he said.
Kirkham said he had conducted a sampling exercise which found judge McKenna almost never ordered public authorities to disclose information. The only case he found where she did order disclosure was overturned by the Upper Tribunal.
Keyword searches would cut retrieval time
In a research paper, Kirkham found a number of cases where public authorities had typed keywords into their system, counted the number of records returned and asserted that all of the documents would have to be read by a human.
In one case, a requestor had asked for a keyword search to identify “incidents involving winter service vehicles”.
The public authority claimed it would take two minutes to read each document to check whether a winter service vehicle was mentioned, but Kirkham wrote that the results could be found quickly by a keyword search of each document.
“There appears to be a widespread lack of recognition, both by public authorities and the commissioner, that most information systems can be searched in a variety of different fashions,” he wrote.
Information systems designers might deliberately design systems with a graphical user interface that cannot be efficiently used by staff to make general enquiries.
“Public authorities are holding increasingly large volumes of information but have no clear plans to use more sophisticated approaches towards accessing the information they hold,” said Kirkham.
In many cases, the information commissioner was wrongly deciding cases on the “bare assertion” that a public authority’s systems cannot be searched automatically or can only be searched in a restricted way – when this is unlikely to be correct.
Read more about the Freedom of Information Act
- Freedom of information tribunal rules that investigative journalists and others can use the Freedom of Information Act if they live outside the UK or are not British citizens.
- Journalists and UK citizens living overseas have appeals for information under the Freedom of Information Act put on hold after tribunal questions whether people living outside the UK have legal rights to use the Act.
- The Metropolitan Police should release correspondence with the US Department of Justice about three UK-based WikiLeaks journalists, despite national security claims, a tribunal hears.
Read more on Business applications
Sellafield local authority unsure if data was stolen six years on from North Korea ransomware attack
Sensitive NatWest customer files set to be returned after High Court agreement
NatWest customer calls bank’s handling of breach of his data ‘disgusting’
Tribunal investigates complaint that journalists’ phones were unlawfully monitored