9 December 1999. Thanks to Mr J.
Source:
http://www.parliament.ombudsman.org.uk/pca/document/hc21/hc21-04.pdf
Parli Ombudsman AOI v1 8/12/99 2:26 pm Pages 11-17
Cases Investigations Completed April – October 1999
Mr J, the Director of an organisation concerned with the interaction between information technology and society, complained that the Department of Trade and Industry (DTI) refused to supply him with information relating to the formulation of the government’s policy on encryption. In response to his initial request for information, Mr J was informed by DTI that it would take two to three months of work in order to assess the large amount of information concerned. As an alternative they suggested a meeting in order to narrow the scope of Mr J’s request. As a result of the meeting Mr J had with DTI officials an inventory of 16 documents, which DTI considered the most significant in the development of the United Kingdom’s encryption policy, was produced. Subsequently, Mr J confirmed that he wanted these documents evaluated for disclosure. He also asked a number of further questions regarding encryption policy. In response to his request, DTI officials said that they would answer the additional questions but that it was likely that very little of the information from the 16 documents would be sanctioned for release. At the start of the Ombudsman’s investigation the Permanent Secretary of DTI confirmed that none of the information from the 16 documents could be released and cited exemptions 1 and 2 and exemptions 4(b) and 11 of the Code in support of his decision. In addition two of the documents were, he said, covered by section 8(4) of the Parliamentary Commissioner Act 1967. After discussions between the Permanent Secretary and the Ombudsman, the Permanent Secretary agreed to commission a summary of analysis of the policy issues involved in developing cryptographic policy (the summary). The Permanent Secretary said on its completion that the summary contained all of the disclosable information within the documents that Mr J wanted released. That being the case, he thought that DTI had fulfilled their obligations under the Code by providing Mr J with a copy of that summary. The Ombudsman held that while the summary did include much of the information which should have been disclosed under the Code, there was still further information which should have been provided. Exemption 7(b) did, however, apply to some of the information requested. The Ombudsman also found Mr J’s requests to have been poorly handled. Mr J’s complaint was partially upheld.
2.1 Mr J complained that the Department of Trade and Industry (DTI) failed to supply him with information which he was entitled to receive under the Code of Practice on Access to Government Information (the Code). I have not put into this report every detail investigated; but I am satisfied that no matter of significance has been overlooked.
2.2 Mr J is Director of an organisation concerned with the interaction between information technology and society. On 5 March 1998, he e-mailed the Open Government Enquiry Point (OGEP) of DTI requesting information on the formulation of the government’s policy on the regulation of encryption. He cited the Code, and said that he was making his request as a private individual. The particular information he sought was:
‘Any position papers (or policy advice) relating to the UK Government’s proposals (in the past five years) for:(i) ETSI standards;(ii) the EC’s DGXIII ‘‘European Trusted Services’’ project;
(iii)‘‘Pillar 3’’ agreements between member states;
(iv)domestic UK policy on regulation of encryption or ‘‘Trusted Third Parties’’.
bearing on:
(a) key recovery/key encapsulation/key escrow;(b) lawful government access to the plaintext of electronic communications or keys required to decrypt communications;
(c) jurisdictional criteria for satisfying (b) with regard to requests made between EU member states or other governments; and
(d) analysis of the impact of regulation of encryption techniques on e-commerce and the information economy’.
2.3 On 9 March the Information Security Policy Group (ISPG) at DTI wrote to Mr J to say that their usual target for replying to such requests was 15 days from the date of receipt of the request. However, because of the nature and breadth of his request and the need to consult other Government departments, ISPG would not be able to let him have a substantive response until 30 April. On 29 April Mr J e-mailed a reminder to ISPG, in which he accepted that the reply might take a little longer than promised, and in which he also raised a number of other issues. ISPG e-mailed Mr J the following day to say that they would reply to him as soon as possible.
2.4 On 30 May Mr J e-mailed the OGEP. He reminded DTI that their reply was now a month overdue and requested details of their internal review procedure. ISPG replied on 20 July apologising for the delay. They went on to say that, to consider his request in full, they would need to ‘review over 30 thick files containing thousands of minutes, letters, e-mails and other items of correspondence’. They said that they would have no option but to levy a charge, in accordance with the Code, for what they estimated would be between two and three months’ work. As an alternative, ISPG suggested a meeting at which it might be possible to focus Mr J’s request more narrowly in a way acceptable both to him and to DTI. They did not give details of DTI’s internal review procedure.
2.5 On 23 July Mr J e-mailed ISPG and asked for an estimate for the cost of the work that DTI would need to undertake in order to deal with his request of 5 March. He also asked if he would be reimbursed for work carried out on documents which were not subsequently disclosed. Mr J agreed that a meeting to discuss ‘how the disclosure could be prioritised to promote early release of material of significant public interest’ would be helpful. He asked DTI to provide him, within ten working days, with an inventory of the documents on which they would be basing their consideration. On 4 August Mr J met DTI officials. On 28 August Mr J e-mailed them with his summary of their meeting, in which he recorded his understanding that DTI had agreed to examine their files to identify the most relevant and significant material, and that this material would then be assessed for disclosure. Collation of this material would take four weeks.
2.6 On 2 November, having received no further response, Mr J referred his complaint to the Member, who forwarded it to my Office. As the matter was still under consideration by DTI, one of my staff invited DTI, by telephone, to review Mr J’s request and reach a view on the question of disclosure as soon as possible. DTI told my officer they were to meet Mr J again in order to try to narrow down his complaint. During this meeting, which took place on 17 November, ISPG provided Mr J with an inventory listing the 16 documents which ISPG considered to be the most relevant and significant in the development of UK encryption policy. On 20 November Mr J wrote to ISPG to confirm that he ‘would like these documents to be evaluated for disclosure (at the earliest possible opportunity) according to the Code of Practice... ’. He also requested additional information which he described under six headings.
The information sought consisted of:
‘a) (Internal) document which first codified the requirements for key recovery systems acceptable to HMG (specified in Annex E. March 1997 Consultation “Minimum Functional Requirements for an International TTP Architecture”).b) First reference and/or substantive discussion of possible use of Jeffries/Mitchell/Walker (aka “Royal Holloway”) architecture in confidentiality services offered to the public.
c) Clarification of when and how the 4 page statement of Ian Taylor (June 96) was actually published. (Library of the House? Website? Official DTI/ HMSO publication?)
d) Any references to the Labour Policy on encryption (contained in “Communicating Britain’s Future” 1995) in the DTI files.
e) Date and substance of (oral/ informal/ written) briefing to Labour Ministers on state of policy, results of March 1997 consultation exercise, and reconciliation of HMG policy with Labour’s pre-election written statements.
f) Reference to, and/or definition of, UK and US policy becoming “actively compatible” ... ’.
On 3 December ISPG wrote to Mr J and said that they would try to answer these additional questions by the end of the year. They also said that ‘in view of the classifications involved (some are marked ‘‘secret’’ or above) it is likely that very little, if any, information from the documents [i.e. those listed on the inventory] will be sanctioned for release’.
2.7 On 31 December ISPG wrote to Mr J to answer the request for additional information which he made on 20 November. On 28 January 1999 Mr J wrote to a member of my staff to complain that the DTI had not disclosed any of the 16 documents on the inventory, and had provided insufficient detail in their answers to the request for additional information which he made on 20 November 1998. Mr J also complained that DTI had failed to provide him with any further information about a DTI Cryptographic Policy Working Group (CPWG), to which reference was made in their letter of 31 December.
2.8 A member of my staff subsequently spoke to Mr J on the telephone on 26 February. Mr J confirmed that the information he wanted to be considered for disclosure consisted of the 16 documents listed on the inventory as well as a more detailed response to the request for additional information which he had made on 20 November 1998. On 10 February my Office issued a statement of complaint on this basis, referring also to Mr J’s request to have more information about the CPWG. On 4 March Mr J sent a fax to this Office requesting a further five documents. My Deputy wrote to the Permanent Secretary on 5 March. As well as reminding him of the need to respond as soon as possible to the original statement of complaint, my Deputy said that Mr J had drawn attention to a further five documents which he wished to have considered for disclosure. He asked DTI to consider these in their reply, as well as the documents which originally formed the subject of the information request, because he felt that these additional documents fell within the ambit of that original request.
2.9 In his comments on the complaint the Permanent Secretary said that, after having personally examined the documents which Mr J had requested, he was satisfied ‘that none of the [16] documents in question - all of which relate to the very sensitive subject of encryption policy - could be made available’. He said that none of the information requested could be released under the Code: DTI were relying primarily on exemptions 1 and 2, but some of the information was also covered by exemptions 4(b) and 11. The Permanent Secretary went on to say that two of the documents requested referred to the work of a Cabinet Committee and therefore could not be released, as they fell within section 8(4) of the Parliamentary Commissioner Act 1967 (see following paragraph). As to the request for the additional five documents, the Permanent Secretary said that DTI were treating this as a new request and would deal with it accordingly. No mention was made of Mr J’s request for information concerning the CPWG.
2.10 Exemption 1 is headed ‘Defence, security and international relations’. It reads:
‘a) Information whose disclosure would harm national security or defence.b) Information whose disclosure would harm the conduct of international relations or affairs.
c) Information received in confidence from foreign governments, foreign courts or international organisations’.
Exemption 2 is headed ‘Internal discussion and advice’. It reads:
‘Information whose disclosure would harm the frankness and candour of internal discussion, including:proceedings of Cabinet and Cabinet Committees;internal opinion, advice, recommendation, consultation and deliberation;
projections and assumptions relatingto internal policy analysis;
analysis of alternative policy options and information relating to rejected policy options;
confidential communications between departments, public bodies and regulatory bodies’.
Exemption 4(b) covers:
‘information whose disclosure could prejudice the enforcement or proper administration of the law, including the prevention, investigation or detection of crime, or the apprehension or prosecution of offenders’.
Exemption 11 is headed ‘Research, statistics and analysis’. It reads:
‘a) Information relating to incomplete analysis, research or statistics, where disclosure would be misleading or deprive the holder of priority of publication or commercial value;b) Information held only for preparing statistics or carrying out research, or for surveillance for health and safety purposes (including food safety), and which relates to individuals, companies or products which will not be identified in reports of that research or surveillance, or in published statistics.’
Section 8(4) of the Parliamentary Commissioner Act 1967 says; ‘No person shall be required or authorised by virtue of this Act to furnish any information or answer any question relating to proceedings of the Cabinet or of any committee of the Cabinet or to produce so much of any document as relates to such proceedings; and for the purposes of this subsection a certificate issued by the Secretary of the Cabinet with the approval of the Prime Minister and certifying that any information, question, document or part of a document so relates shall be conclusive’. (A certificate was so issued during my investigation by the Secretary of the Cabinet).
2.11 I examined the 16 documents which formed the subject of Mr J’s initial request. On 10 May I wrote to the Permanent Secretary of DTI setting out my initial views on whether or not the information those documents contained could be disclosed. After discussions with the Permanent Secretary following this letter he agreed to commission a ‘summary of the analysis of the policy issues involved in developing cryptographic policy’ (the summary). He hoped to have this summary, which he said he would need to clear with the other relevant bodies concerned, available within about three weeks. On 18 May DTI wrote to Mr J to tell him that they would be unable to disclose to him the information requested in the additional five documents, citing Code exemptions 1 and 2. One of my staff subsequently examined these additional five documents.
2.12 It was not until 16 July that a copy of the summary was sent to my Office. On 6 August the Permanent Secretary gave his comments on the additional five documents and the background information on the CPWG which Mr J had requested. He said that, in relation to the five documents, the summary which he had commissioned encompassed, in his view, all of the disclosable information contained within both the original 16 documents and those additionally requested. In respect of the CPWG, the Permanent Secretary explained that no formal record of their meetings was kept, and that those who were asked to participate in the meetings did so on the understanding that their names would not be made available. He pointed out that Mr J had, by invitation, already attended one meeting of the group and would be invited to the next. On that basis the Permanent Secretary believed that this aspect of Mr J’s request had been satisfactorily met.
2.13 There are two matters which I need to consider in relation to this complaint: i) have DTI complied with their obligations under the Code and disclosed all the information they should; and, ii) did DTI handle Mr J’s requests for information effectively? I turn first to the issue of whether or not DTI have complied with their disclosure obligations under the Code.
2.14 I must begin by stressing, as in this case it is of particular relevance, that under the Code there is no requirement that documents should be made available; the requirement is only, subject to any relevant exemptions, to disclose information. From my own examination of the documents I recognised (see below) that some information contained in them clearly fell within the exemptions quoted by DTI and, in particular, exemptions 1 and 4(b). In respect of the remainder, it was in principle possible to disclose it to Mr J either by means of edited documents or through the provision of a summary. It was my view, again based upon an examination of the documents themselves, that a summary would be the better way forward, since an edited version might, by implication, have drawn attention to matters covered by a relevant exemption.
2.15 That summary has now been prepared; and DTI have sent it to Mr J, as well as sending it to me. Having accepted in principle that a summary was an appropriate way to proceed, does this particular summary accurately reflect the information contained in the documents ? I believe that it does. Having received the summary, with which in general he expressed considerable disappointment, Mr J commented to one of my staff that the summary contained very little information which had not been previously disclosed. I agree with that assessment. The fact of the matter is that the documents which Mr J requested, with the exceptions described above, do contain very little information which is not already in the public domain; and it is my view that the summary prepared by DTI presents that information, and other information not previously disclosed but which seemed to me not to be covered by any of the Code exemptions, satisfactorily. It is on that basis that I criticise DTI for their refusal over a considerable period of time to disclose this information, a refusal which seems to have been based on little more than an instinctive reaction to the protection of information in what is perceived to be a sensitive area.
2.16 As to Mr J’s complaint that DTI had provided insufficient detail in their answers to his request for additional information, made on 20 November 1998, I have examined those replies and have discussed them with DTI. DTI subsequently wrote to Mr J on 31 August 1999 giving a fuller explanation of their earlier replies, and I am satisfied that, while ‘insufficient’ is an imprecise term, their responses have given Mr J as full a reply as is possible. I criticise the Department, however, for their earlier reply, some of which could easily have been read to imply that more information was being withheld, when this was not in fact the case.
2.17 I turn finally to the request for further information about the CPWG. I note that, in the opinion of the Permanent Secretary, allowing Mr J to attend a meeting of the CPWG means that this aspect of his complaint has been satisfactorily dealt with. Certainly, I welcome DTI’s initiative in inviting Mr J to a meeting of the CPWG and their intention to invite him to a further one. As a result, Mr J will have gained an idea of the identities of at least some of those present, whom they (and others) may represent, what the purpose of the group is, and the subjects they are likely to have an interest in discussing. It did seem to me, however, that Mr J could be given some more specific information about the broad aims and objectives of the CPWG.
2.18 Different considerations apply to Mr J’s request for details of current membership of the CPWG. In one of the earliest cases which he considered under the Code (A5/94: Selected Cases 1994 – Volume 4, Access to Official Information: First Report - Session 1994 - 95) my predecessor said:
‘Who speaks for a department and within what limits of authority and with whom they have spoken are central to the proper and efficient conduct of the operation of the public services. I accept that, in certain cases, the identities of representatives may be properly withheld from third parties under the Code.’
In that case my predecessor took the view that Exemption 7(b) of the Code applied to the information sought. This exemption reads;
‘Information whose disclosure would harm the proper and efficient conduct of the operations of a department or other public body or authority, including NHS organisations, or of any regulatory body’.
In assessing the application of this exemption I am required to consider whether any public interest there might be in knowing the identities of those attending the meetings of this group would be outweighed by any harm releasing those identities might cause. In general, I consider that the balance of public interest will normally favour disclosure of information regarding which organisations are represented on a body such as the CPWG; it is also likely to be reasonable to indicate the seniority of the representatives. However, it is less likely to be in the public interest to disclose the names of individual members if they are members of such bodies as representatives of their organisations: any suggestion, for example, that they should be held personally answerable for the views which they had expressed would clearly be misplaced. I am not persuaded that releasing the identities of those attending these meetings is required in the public interest. I therefore find that Exemption 7 (b) applies.
2.19 I therefore asked the Permanent Secretary whether he would reconsider Mr J’s request for further information about the CPWG in the light of the arguments in paragraphs 2.17 and 2.18 above. In reply, the Permanent Secretary noted that Mr J wanted further information on this DTI chaired group which he (Mr J) had himself attended, and said that one of his officials would contact Mr J to explain further the purposes, rationale, and objectives of the Group. I welcome this response to Mr J’s request for information about the CPWG.
2.20 I turn finally to the handling of Mr J’s requests. Mr J’s initial request for information, correctly made under the requirements of the Code, was put to DTI in March 1998. It was not, however, until August 1999 that he was sent the summary mentioned in paragraph 2.15 above. While I recognise the need to narrow the focus of Mr J’s early, very substantial, information request, as well as the fact that the request involved departments other than DTI, I am satisfied that a summary of the kind which DTI did finally make available to him could have been provided very much sooner than it was. In view of the shortcomings identified in the handling of his complaint I suggested to the Permanent Secretary that he should offer Mr J an apology. In reply, the Permanent Secretary said that he much regretted the delays in responding to Mr J’s requests, and offered his apologies to him. He said, in explanation of these delays, that Mr J had sought to be shown a significant number of highly sensitive papers, many of which the Department, after due consideration, had decided could not be published under the Code; that officials had, in meetings, explained details of the policy development on encryption to Mr J; that his requests had been treated seriously and co-operatively throughout by officials, who had therefore been obliged to consult the Cabinet Office and the Agencies concerned on a number of occasions as Mr J’s successive requests were made; this process had necessarily taken much time, which he regretted. I welcome the Permanent Secretary’s decision to apologise to Mr J.
2.21 Mr J’s request was poorly handled by DTI. The delay between Mr J’s initial request for information and DTI’s subsequent provision of a summary of encryption policy was a significant one. Nor was the Permanent Secretary’s initial opinion, that none of the information contained within the 16 original documents was disclosable under the Code, helpful. However, in spite of the manner in which DTI handled Mr J’s requests I accept that DTI have now made available all of the disclosable information contained within the original 16 documents. Furthermore, in my view DTI correctly withheld the identities of the members of the CPWG under Exemption 7(b) of the Code and for the reasons given by the Permanent Secretary. I partially uphold the complaint.
Total screening and investigation time = 36 Weeks
Conversion to HTML by Cryptome.