 Good morning. Welcome to the seventh meeting of the Public Audit and Post Legislative Scrutiny Committee in 2018. I'll ask everyone in the public gallery to switch off their electronic devices or switch them to silent mode so they do not affect the committee's work. We have apologies today from our convener, Jenny Marra, and from Colin Beattie. The first question is to the members of the committee on business in private at item 3. Do we agree to take item 3 in private? Thank you. Item 2 on our agenda is post legislative scrutiny, consideration of post legislative scrutiny on the Freedom of Information Scotland Act 2002. We previously sought suggestions from stakeholders and members of the public for acts on which we could undertake post legislative scrutiny. The Freedom of Information Scotland Act 2002 was one that was suggested to us. I'd like to welcome all our participants today and thank them for coming. First of all, I can ask all the MSPs and participants to very briefly introduce themselves before we begin. We'll just go around the table. My name is Liam Kerr. I'm the deputy convener of the Public Audit and Post Legislative Scrutiny Committee standing in for Jenny Marra. I represent the north-east region. My name is Ritchie Asha. I work for the Scottish Council of Voluntary Organisations where I head up the policy and research department. I'm Eion Gray. I'm the MSP for East Lothian. I'm Margaret Cays. I'm head of enforcement. I work for the Scottish Information Commissioner. I'm Carol Yurt, convener of the campaign for freedom of information in Scotland, and we campaigned for FOISA a way back in 2000. Bill Bowman MSP for the north-east region. I'm Sarah Hutchison. I'm head of policy and information for the Scottish Information Commissioner. I'm Willie Coffey, MSP for Komar Macnervin Valley. I'm Darren FitzHenry, the Scottish Information Commissioner. Hi, I'm Tommy Kane. I'm a political adviser for Jeremy Corbyn, but I would like to stress that I am here very much in a personal capacity as someone who has used FOI fairly relentlessly over the past 10 or 11 years as an academic researcher and a political researcher. Just one thing to say, you don't need to press your button. We have a sound technician who will make sure that you're always mic'd up. The purpose of the evidence session today is to explore the scope and viability of the committee undertaking post-legislative scrutiny on the 2002 act. We're keen to understand how post-legislative scrutiny could add value to the act before deciding what action to take. We're also interested to hear from Darren FitzHenry, the Scottish Information Commissioner on the work that his office will be taking forward. We would like the discussion to be free-flowing and you are welcome to ask questions of each other, not simply respond to questions from the committee. We do still want some structures, so I'd be grateful if everyone could indicate to me as the chair or the clerks if you wish to contribute. As I say, when you speak, your microphone will be activated automatically, so there's no need for you to touch it. The first question that I'll throw out to attendees is that we're interested to know at a general level, could you share your views on the effectiveness of the act in meeting its intended policy objectives? Who would like to take that first, Richie? I think that it's quite important even before we start answering the questions that we just state for the public record who we are, the delegation that you invited from the open government network, if that's okay. The delegation that is here today, three or four people from the open government network, was decided by the open government network through an open process, so everybody here openly indicated why they wanted to give evidence and that was shared with the network of around 300 people, so I just wanted to make that clear. However, just to be absolutely clear, the open government network itself is not a corporate body, it's not an organisation, so everybody here is a member of the open government network, but we're not representing the open government network. We're all representing a variety of perspectives on this issue, and the bit that unites us, of course, is that we want to see a post-legislative scrutiny of the Freedom of Information Scotland Act. A few things that I would like to highlight that have come out from the open government network members. The key thing for us, for many of us, is growing concerns around the application of freedom of information by public authorities, in particular the Scottish Government, but not just the Scottish Government. We are, of course, extremely concerned by what seems to us increasingly systematic practice of not miniting meetings held by Scottish ministers, and that does undermine, in our view, representative democracy. There's also been a number of concerns raised that the unnecessary secrecy in government will undermine our ambitions in Scotland to be an open government pioneer. Many of you will know that Scotland is currently an open government pioneer within the open government partnership internationally, so it has a direct visibility on the global stage as being an innovator around open government. Getting the basics right around freedom of information is absolutely critical to keep the credibility of that going. SVO itself has a lot invested in the joint working with the Scottish Government around the action planning process for open government, and freedom of information is absolutely core to that. A lot of what prompted this whole track of conversations was a letter by a number of journalists who wrote to Parliament last year claiming widespread failures to comply with the laws on the supply of information held by public bodies. That is extremely concerning for many of us. We also noted that there was a strong concern that the Parliament agreed to inquire into freedom of information Scotland already, back in June 2017, yet we are still being asked to make the case for this. We noted from the record that there seems to be a lot of—I might put it slightly stronger, but I need to—a lot of buck passing going on since June about who is going to do what, when and waiting on each other to—particularly within the Parliament, between Parliament and Government, and with the Freedom of Information Commissioner. That is of concern to us. We thought by now that we would have had the initiation of post-legions scrutiny on that. To state that the founding principles of the Scottish Parliament were specifically to set it out to be open and transparent. We would say that a robust and trusted freedom of information is core to the Parliament's function and, of course, to our democracy as well. Thank you. The question that you might want to come back on, Richie, or perhaps anyone else in the room—we are looking at the effectiveness of the act, to the intended policy objective of the act—has the act been effective in achieving those? First of all, we welcome this opportunity to give this evidence in public, and we applaud the decision of the committee to do so. I would just like to reiterate what Richie has said, that we had anticipated by this stage that there would have been an inquiry launched into post-legislative scrutiny and receiving a broad range of submissions about what the problems are with FOISA. To answer your question specifically, we have a number of concerns. We are concerned that FOISA still remains limited in scope when it was first debated, passed and implemented in 2005. Twitter and WhatsApp hadn't even been devised, developed and implemented. The whole information regime now is quite different. How people communicate is quite different, and therefore does FOISA fulfil its purpose so that we can capture the information that informs decision-making within Government and public authorities. We are also concerned that promises made in 2002 at stage 3 that RSLs, housing associations register social landlords, would soon be incorporated into FOISA, is still not delivered. The latest date that we have for that is April 2019, which remains a considerable source of surprise. We are also concerned about the numerous examples where arms length external organisations have been established, which seem to operate out with FOISA. That is a change in people's ability to source information about how decisions are made. What is interesting is that we are still not clear how many allios there are in Scotland. Audit Scotland was in a position to say some years ago that 34 major ones existed, but it could not tell us how many existed. Compare that with the Scottish housing regulator, who very promptly, after we made a freedom of information request last year, was able to tell us that there are nearly 150 subsidiaries of RSLs, and that is why we were very appreciative of RSL subsidiaries being included in the consultation that was launched by the Scottish Government in December last year. We believe that the subsidiaries, as well as the RSLs, should be covered by FOISA. We are also very familiar with the view that we have had an insular approach to FOISA in the debate so far, and we should have a much more expansive view about how other countries deliver their access to information rights. There is a lot to learn out there—lots of countries that would have 100 FOI laws. Some of them, such as Sweden, have had it since 1766, so there is a lot to learn there. One of the ideas that we particularly like is that there should be an index of information held by public bodies, which can inspire people then to make an FOI request. We also had expected FOISA to be about the public's right to assert and enforce their access to information rights, but in parallel there would be proactive publication of information, preventing the need for an individual FOI request. It might be something that we could change FOISA to require the proactive publication of information so that the whole process is more efficient. We also think that international human rights law, given the founding principles of the Scottish Parliament, is a principle about the European framework, as well as the international human rights framework. There is lots to learn there about article 10, the jurisprudence from the European Court of Human Rights on this regard, article 19 of the international covenant and civil and political rights, and the guidance and general comments from the UN on how that right should be implemented. We have concerns specifically about the insular discussion that we are having in Scotland. We want it to be far more ambitious, and we would certainly urge the committee to inconduct the post-legislative scrutiny, because nine months later it seems that we still have to win that argument, and that, I have to say, is a bit of a disappointment. I will go to Ian Gray first and then come over to the side. I am quite interested in the contrast between Ruchar's opening comments and Carrell's, because sadly I was there when the promises were made in 2002, and I do remember them. Over the years, it seems to me that the major criticism of FOISA has been its scope. In other words, the bodies that it captures and there has been a debate and some change, although very slow, Carrell's right, around housing associations and on-going debate around arms length bodies. There are other bodies where there is a debate as to whether they are public or not, whether they should be caught by the bill. In the past, criticism of the bill or suggestions for improvement of the FOISA regime has tended to be about broadening its scope. Laterally, the criticism seemed to me to have been much more of the nature that Ruchar alluded to around alleged systematic attempts to avoid compliance with FOISA, whether it is not miniting meetings or using new technologies such as WhatsApp to communicate in the belief that they are not caught by the act, particular regimes of treatment for journalist inquiries. Just only this week, we have seen guidance that includes the suggestion that emails should be deliberately deleted in order to avoid being FOI. If we are looking at where the act is weak or failing or needs to be strengthened, what is the priority? Is it the scope of the act or is it about the culture of compliance or non-compliance with the legislation that we have? Which is the problem now? I just summarised the fact that there are quite a few problems with FOISA, which prompts me to say again that the post-legislative scrutiny is essential. In this forum, it is difficult to capture all the problems. I believe that there is an issue around designation. I believe that there is an issue around being more ambitious about what FOISA should be able to do, but there is also an issue about practice. The practice is not just about the culture, but about whether FOISA is fit for purpose in punishing those who deliberately seek to avoid records being kept or made in the first place, which might be the subject of an FOI request. There should also be more proactive publication of information to show a culture of openness and transparency. The public should not be feared, because, as Rachael Hamilton has said, the Parliament was established to be open, accessible and accountable. It is interesting to know from the commission that if they think that systematic avoidance has been caught by FOISA as something that has increased in recent years, because it does seem to be more of a problem now than it was in the early years of FOISA. Yes, thank you very much. It would perhaps be helpful if I set the context of if I may respond to the initial question of whether I view FOISA as being effective. Do you mind that? I know that Tommy wants to come in on that specific point. Tommy, do you want to come in there and then we will come back? I think that there are two issues. I think that there is the application and there is also the application, as the law stands now, in whether we should extend the law. I think that those are two different questions and I think that both merit post-legislative scrutiny, so I would agree with Carol in answer to your question whether the act works. As a researcher, I have received some really good stuff back, which, as a researcher, fills me with great joy that I can then share with people that holds government to account. I think that that is the same for any regular user of FOIs. On occasion, in answer to your question, it does work. Let us not say that it is all wrong—there are elements of it where I, as a researcher, get a benefit. However, what is clear is that there are increasing concerns that it is not working or that it has been circumvented by public authorities. I have to say that, specifically or increasingly, the Scottish Government—there are concerns now that the Scottish Government and other public authorities are circumventing through delays, through increasing redactions, through a tenuous use of exemptions—for example, the £600 threshold—there is never any explanation about how cost is calculated. Nobody, as a researcher, gets that information. That is one point. The second point to that is that the 2002 act set the threshold at £600. £600 in 2018 values is £825. The question has been asked of the Scottish Government—do you intend to increase that threshold to reflect modern values? The answer is no. Finally, the most important one, the most important concern that people have now, is that the Scottish Government, specifically when it has been highlighted by the 23 journalists last year and others, is no longer taking minutes of meetings. It seems to be systematic, it seems to be routine practice that they do not take minutes of meetings. Those are fairly important meetings. I have put in an FOI, for example, and I have submitted several that have got me the same result. However, I think that this specific one speaks volumes. John Swinney, as finance minister, met with Sir Angus Grossart, the then chairman of the Scottish Futures Trust, who is in charge of delivering capital investment projects in Scotland, which is not an insignificant undertaking, is meeting the finance secretary. Seven times between 2011 and 2015, no minute of the meeting is taken. How do we, as researchers, but most importantly, how is the public able to see not just what decisions are made but how those decisions are arrived at? Who is influencing those decisions? What factors have influenced those decisions that, after all, are going to affect every single one of us? That is not just the world of geeks, technocratic Greeks and people in the research and media community. Those are decisions that are going to affect every single one of us. I think that the systematic and routine use of not-many-thing meetings is extremely concerning. That is an interesting point, and I think that we will come on later to look at whether that is a failing of the act or whether that is a practice and procedure thing, but I think that we will come back to that. Darren, can I bring in here? Thank you very much. We have had now about 13 years since the act has come into force, so we have got quite a well-embedded system now that we can have a look at. I think that there is no doubt that this system has brought about a positive change in the relationship between the public and Scottish public authorities. The public knows that they have a freedom of information right. They have got the right, and they know that they have got it. Knowledge is up at about 85 per cent, still the highest level that we have had. Scottish public authorities also report this year receiving in the region of 75,000 information requests, and most of those requests in the region of about 74 per cent on last financial year's terms will receive some or all of the information that they asked for. Appeal rates to my office are generally low at under 1 per cent of those cases, and in the last year, 73 per cent of the appeals that came to my office resulted in at least partial success for the person who is looking for the information. We have a system that is known about, and is actively used by a lot of people, and results in a lot of information going out there. It is important to set for that context. We are not dealing with a system that is just not delivering. Is that delivery consistent? Is it always perfect? Is it always good? No. There are obviously differences in performance between authorities, in authorities as between departments and, depending on what is being looked for. Is there something that can be improved in the system? I have no doubt about that. Is it useful to have a review of the system? I think that it certainly would. I think that we are looking at a situation where we have a system that has been in place for a long time. We had an amendment act back in 2013, but it was not a full review of the system. If we do not look at the criticisms being levied, and we pretend that it is working quite well, let us just stick with it, if we do not look at the criticisms and seek to improve the system, then the system will get worse, and it will get out of touch. Certainly, for one, being the regulator of that system, that is not a position that I would like the system to get into. Where the concerns are being raised, let us look at them and deal with them. I think that we have to have a bit of a division between criticisms of the system, per se, of structural problems with the system and the act as is, and issues of compliance with it, although there can be some read across on that. It is mentioned earlier to express some interest in what we were doing in relation to the criticisms of the performance of the Scottish Government. I do not know whether now would be a good time for me to explain what we are doing in relation to that and giving an assessment of whether we feel that the tools in our toolkit to deal with that are sufficient or whether those are some areas that would benefit a look? If I may, Darren, the committee is intending to specifically ask on that later on. Perhaps if we get towards the end and no one has, by all means, jump back in. I am still interested in the question of what has happened over time, and the commission is the institutional memory of how the act is. I know that Darren is obviously not being imposed all that long, but the commission has the institutional memory. Certainly, Tommy's evidence there implied that, in terms of non-compliance or avoiding compliance, things were getting worse. Darren, you said that if we do nothing, we will end up with an act that is not working at all. That rather implies public authorities in which ways of avoiding foysar being learned and applied more widely, or maybe it is technological change. I am still interested in the question of, has that got worse? Have public authorities got better or deliberately developed strategies in order to avoid releasing information under foysar? I think that you were implying that. Tommy, is that fair? I think that it is fair, but I should clarify as well that I think that there could increasingly be a two-tier system that has been applied by public authorities. Insofar as people who are seen as politically problematic, who are putting in requests that may see contentious or controversial information coming into the public domain, people who they may resist at, people who are political researchers, where red lines are shot across government when they submit an FY request or a journalist, likewise, I think that when people who submit requests in areas that may be problematic for the Government, I think that there is a concern that there is then an attempt to circumvent actually providing that information, using various means. I just wondered if the commission feel that this is something that has got worse over time? I think that performance has varied over the years. I think that in relation to the early days, I think that there was quite a degree of suspicion about the act, so it takes a time for the legislation to bed in, if you like. However, over the years, I think that it has become more accepted and freedom of information has been viewed with less suspicion. It has been viewed as being more of a good thing. We have had time to explain the benefits of it, not just to the public, but to the organisations themselves. That is not to say that, in certain cases, organisations will not play with a straight bat. It is not to say that you will not get situations, particularly if it is a very awkward bit of information that some people might not try to play the system. Bear in mind that we are in a context where we have seen an ever-increasing number of requests, so the demand on the authorities is higher than it has ever been before. We have to keep that context in play. However, much of that is about enforcement. Much of it is about, if there are concerns, then an appeal can be put in and we can deal with that. With regard to wider-ranging worries, wider-ranging— In relation to the recording of the information— If the meeting has not been recorded, then— Yes. Our system is based, at the moment, on information that exists, and it is the provision of the information that is held. We have had a number of cases in the past where we have been surprised about the records management and the lack of information. In those cases, comment has been passed about the fact that the information was not there, but we do not have the powers within the legislation as is to enforce creation of the minutes. I am really interested in the issue around engagement and finding out intelligence about how that is actually working. I just wanted to bring two points to the committee's attention. The Scottish Government published six FOI principles, and one of them was about engaging with stakeholders. One of the vehicles to deliver that was the Scottish Public Information Forum, and it had morphed from various different guises. When it was introduced many years ago, probably about 2005-2006, it was a really interesting vehicle for around the one table, the duty bearers, the people who hold the information to engage with the Government, the regulator and also the requesters. It went along quite happily until 2010, and then was allowed to fall into abeyance. There was a promise that it would be a virtual forum, and that was not delivered. With a grant from Unison Scotland in May 2017, the campaign for freedom of information in Scotland resuscitated it. We have since had three very successful meetings where there is an opportunity to learn about the problems but also to be inspired by good practice. It is important to pick up the point that the commissioner and Tommy have made that not everybody is bad at delivering FOIs. There is some really, really good practice out there, and SPF is an opportunity to hear that and be inspired and to learn. We hope that the committee embarks on post-legislative scrutiny, and we would like to offer up SPF as a way to engage with the next meeting. It is going to be on 28 September, which is international right to no day, and it is going to be hosted in Dundee. There is a vehicle to have a broader engagement. I also wanted to come back on minutes of meetings, because there seems to be a trend. I have been around for so long. I have seen so many minutes created, and it is a surprise to me now that there are not so many minutes around. The campaign for freedom of information in Scotland launched a Get It Minute campaign, and that was launched in January. We are delighted that Unison Scotland, the Scottish Council in Deafness, the Jim Reid Foundation, the National Union of Journalists and others are supporting the campaign so that the public are encouraged to ask for minutes, ask for agendas, ask for reports, and that will hopefully throw up some more examples of where minutes that were previously taken are no longer taken and in the process will help inform people about how decisions are reached and what business is being discussed. Willie Coffey, you want to come in on this point. Thank you very much, convener. I was going to say that I hope that we get some kind of perspective from the commissioner about where we are with some of these issues, but I didn't feel that it was appropriate for our committee to begin investigating these at this committee. You may feel otherwise. In general terms, there are complaints about the act and whether minutes exist or don't exist. Is there a duty within the act that we know of to generate data and to generate minutes? Is that the issue that there is none and people would like one? I suggest that, if there is then, that is perhaps just a failure of the act rather than anyone else. Perhaps we should focus on that in part of our future discussion. I wonder whether the commissioner could confirm whether that is the case or not, given that we have decided to get into this, that the commissioner is presumably looking at himself. Thank you. That is indeed the case. The legislation as it currently exists has no duty to minute meetings. It's got no duty to create. It deals with the provision of information that is held by the authorities. That's certainly the situation as it currently stands. There are other, not pieces of legislation but other policies such as the ministerial code, for example, which may provide an obligation to minute certain meetings. The issue there is, does that go far enough? Is that accountable enough? Or is a more structured system preferred based on statute, perhaps with statutory guidance, as exists in certain parts of Canada? I think that that is an important debate to have because certainly one area that I'd be particularly concerned about is if there was any chilling effect of the legislation so that actually because people know that the information will be sent out, they are deliberately avoiding taking the minutes in order to avoid the freedom of information legislation. There are very useful comments in the papers before the committee today, which were put forward. I think that the issue is the difficulty in improving a chilling effect, but there are certainly circumstances in which it would be beneficial to have the information there where it currently isn't there. Whether that should form part of freedom of information legislation or some other legislation against another issue, because it doesn't fall squarely within certainly my bailiwick. Does it fall within the keeper of the records bailiwick or some other organisation that, as a matter, would have to be looked at in considering any legislation on that area? I'm just surprised that it's been 13 years for us to arrive at this point where we're all suddenly complaining that there are no minutes for certain things. That must surely have been going on in a number of organisations that you would imagine, but we all seem to be mentioning the Scottish Government this morning, but no others. Do you think that there is a lack of clarity about what information should be in and available as public record to people? We're now saying that there is more information that people should be seeking and wanting to have on the public record. Tell me on this first of all. A couple of points. Just to say that this is not a recent phenomenon, Kevin Dunian, when he was hearing at the Justice Committee in 2012, he said, The biggest concern that I have and others have is the attempts to avoid sharing information by not creating information in the first place. There has to be some record of the substantive process by which a decision is arrived at, the options that were considered and the reasons why a decision was carried into effect. He said that in 2012, so this is not a recent phenomenon, I would suggest. In terms of record keeping, there is a public records 2018-19 Scotland act that actually influences how public authorities should keep information. The Scottish Government's own record keeping management plan states that the Scottish Government recognises that its records are an important public asset and that they are a key resource in the effective operation, policy making and accountability of the Scottish Government. They say that. They want to say that the aims of this policy is to define a framework for managing the Scottish Government's records to ensure, among other things, that we create and capture accurate, authentic and reliable records. That is the Scottish Government's own policy. So I would ask you if you are not keeping notes in minutes of meetings, because is that consistent with your own policy? Whether that be the Government—and actually, I think that there are other examples of bad practices, not just the Scottish Government—when Kevin Duniw, in 2012, raised the issue of the Water Industry Commission for Scotland, who was destroying diaries and routinely deleting information, I know that because it was me that submitted those FOI requests. So I think that in terms of how we create minutes, how we record information, actually, there is rules out there now. I would say that this is a pyramid. At the top of the pyramid is this issue about not taking minutes, particularly ministerial meetings but also other meetings as well. Of course, this is an issue that is not just something that Scotland is currently facing. We have seen fewer in Northern Ireland last week with comments made by the head of the civil service. For me, the way to see this is that yes, minutes are key, but if we just look at the lack of taking minutes, we will completely fail in reviewing this legislation. I have had concerns raised about the NHS over using confidentiality clauses to prevent accessibility information, also stalling tactics in local councils, using the full time allowance allowed under FOI, for example, to frustrate the process. Of course, another issue that has been raised is that public bodies seem to be releasing lots and lots of information in one go so that the really important bits are buried somewhere in there. You can imagine that if you just tackle the lack of taking minutes, you are not going to solve the concerns, you are not going to build the trust in the system, so it has got to be a part of a wider whole. Yes, minutes are at the top of the pyramid but there is a whole range of other things underneath that as well. Robin McAlpine, I want to say this. This is an enormous issue, which the entire public realm, largely across the world, is coming to terms with now. This is an era of data, this is an era of mass data, this is an era of mass collection and sharing of personal data, this is an era where people expect large amounts of knowledge. There are a whole range of issues in and around this that are going to have to be addressed over time, how public uses the data of individuals, how they are allowed to access it, what the relationship is between the right to know, the right to have a degree of internal secrecy. This is an enormous agenda, how decisions are arrived at and there are lots of things. We have published work on much better publication of information in the first place, the national statistics agency, which is putting out much more usable information in the first place with an assumption of providing that kind of information. All of that is definitely true and I would expect that once you get into this inquiry you will discover that there are quite a number of other loose threads, which you will see. Those probably need to be pulled back a little bit as well. This is the change that is happening in this era. However, there are specific issues with this piece of legislation. It cannot capture everything, it cannot do everything, or, if you wanted it to, you need to adapt it very substantially to start becoming a kind of statement of expected record keeping, which it is not currently. However, the fact that this is quite a big job with quite a lot of aspects, which is changing quite fast because of the nature of the technology and public expectation, should not be used as a reason not to get on and fix this bit because this bit is here and there are problems in it. Now, people will always try to avoid transparency. I was on the other side of FOI with a public agency and, of course, there were meetings when people said that we should not probably minute this. These are FOI-able minutes. It is normal. People have these conversations all the time. It is natural behaviour, which is why you have to keep reviewing and revising as we go along. You have heard a number of bugbears about the legislation as it is. There are lots of them. My personal one is that I accept a degree of commercial confidentiality during the tendering and immediate post-tendering period for public contracts that go to private companies. I think that 10 years after a contract is completed that it is still commercially confidential and cannot be FOI-ed is a nonsense. It is counterproductive to investigating some of the financing deals, which have really been quite scandalous in Scotland. There are lots of examples of that. What I am trying to say here is that, yes, absolutely, I think, as data has become more open, as social media, as the internet has made the gotcha culture of we found a piece of information, we are going to rapidly share it for the purposes of political embarrasment, all those kinds of things. I think that it has made people more enclosed in. They have tried not to get caught out in these gotcha moments more. I think that that is a universal problem and I think that that needs to be looked at. You would put too much weight on the post-legislative scrutiny of this piece of legislation to try to capture everything with it. I think that you need to say that, first of all, the FOI legislation has exemptions that are overused, that should be tidied up, that are areas that it does not get to touch, that are agencies that ought to be in the aren't. As you carry out that inquiry, I suspect that you will find that there are a number of issues that come up that are outside the direct remit of the act, which you may wish to flag up, such as practice and data management. There is a big change happening in public expectation of government and what the public expects to know about government. It is a function of large data, of the internet, of the much greater ability of an individual citizen to poke around themselves. You can do it on the internet, but you do not have to go and sit in a records library or have a three-month postal campaign to try and get information. That is changing externally anyway, and it is going to have that impact on you. My personal advice would be to note that, accept that, that is going to come up, but it is 12 years now, plus, since the legislation was fully in place, it is time to review it because it is not quite right to review that. As part of the process, I think that you will come up with recommendations for other things that the Parliament might wish to consider in relation to how it becomes an open, data-accessible Parliament. Moving on from that, I think that Bill is a question that leads on quite usefully. I was, thank you, convener, to maybe take a different focus and ask the participants what parts of the 2002 act actually work or even work well. Carol? One of the best bits is that it is applicant-blind, so it does not matter whether you are a journalist, a community activist, a person living in Fife or in Stornoway or wherever, or in fact Canada, you can make a freedom of information request. I think that that is really important, whether or not that is how it is delivered, of course, is a different matter. It is also good that you should be able to email as well as write a letter and the simplicity of it. I do not think that it works well in a number of regards, but the key point is the simplicity of the process and also the fact that your right is enforceable, because that your right does not actually mean anything. It is the enforcement that makes the difference, and your ability to enforce the information request means that you can receive free guidance from the Office of the Scottish Information Commissioner. There are loads of information materials that are published by the Scottish Information Commissioner, and that is why we have had hundreds of decisions. It is a free, accessible, simple process. A number of people have found it overly legalistic, which I think could be improved, but it is simple and free. I think that one thing that is quite critical for many of us is right-spaced. You could argue that human right-spaced in the sense that it is not about responsibilities. It is not about saying, well, okay, you can have this information if you tell us exactly how you are going to use it, and you can make a strong case for it. None of that. It is unconditional, and that means that it is right-spaced, and that is a really important development. The more of our legislation that is right-spaced, the better our society will be. That is a good example of that. I will say very quickly the fact that we are here looking for enhancement. Let's not forget what transformational act this is. Let's not forget what it was like beforehand when you did not have the right to information. I am here to sing the praises of the Freedom of Information Act despite its flaws and despite the things that could be improved in it. It has been—I think that it will be seen as the first stage—a transformational process that has changed the public's relation to Parliament. It has been absolutely crucial in covering examples of bad governance, mistakes that have been made in one or two occasions, things that appear to be corruption, things that have enhanced future policy development. It has been a wonderful thing. It is the fact that it is not firing at full pace here. It is not quite what it could be because of the bits and pieces that are not in it, but the fact that—it is always this problem when you do an inquiry that you end up mourning about the bad bits and forgetting just how transformational the principle of freedom of information was. I want to sing the praises of Freedom of Information. I want to criticise organisations who have lobbied for the reverse which is to say to remove freedom of information from their public authority area because they would like to not be covered. I think that that is the regressive aspect of it. We can make that better still. I genuinely believe that the Scottish Parliament could be an exemplar of absolutely first-rate participatory open governance. At the heart of that is the freedom of information act. It has been a transformational thing in the relationship between the public and the right to know what is done in their name. If we can just improve it a bit, it will improve that case, it will improve that public attitude. I do not think that that is enough. I think that that was a great solution for just the post millennial era. I think that we need other solutions for the post Facebook era. However, let us get this right, let us review this, let us improve it the best we can and then let us start to look at how we can live up to the founding principles of this Parliament as being a people's parliament, which is really about their right to be represented as a citizen. I think that you used the expression that it could be improved a bit, Robin. I think that it could be improved considerably. It has to be in order to uphold the principles that you spoke of. I genuinely think that that has to be the case. Therefore, that is why post-legislative scrutiny is fundamentally necessary to make sure that those principles are upheld. Obviously, Carol and others have outlined some improvements and specified some areas that we would like to see improved. For me, the fact that Tony Blair thinks that parallel legislation down south is his greatest mistake, in my view, makes it a raving success. That is another matter. Is there a consensus on the reforms that are required among the people around the table this morning and the campaigning groups? You made a list of areas that need to be improved, such as the scope, indexation and so on. You mentioned passing the social media like Twitter and Facebook. Obviously, in addition to what is publicly available for what people put on social media, social media can send private messages. Obviously, local government and Government bodies all use social media privately, as well as the public accessible element of it. Is an agenda effectively a new FOI reform bill in your mind about what it would do? That would be a good starting point. For us, it seems that we still need to win the argument that there should be post-legislative scrutiny, so, again, I would say that we want that to happen. Certainly, from our point of view, we are the post-legislative scrutiny committee, so the fact that we are here today and having this discussion, I think that there is no doubt that we have accepted the principle that there is a need for post-legislative scrutiny of this bill. Obviously, we then have to have a discussion about how we take this forward, how we make sure that it is comprehensive and so on and so forth. Of course, we, as a committee, at the end of the day, if the Government does not want to do anything, we have the right, as a committee, to draft our own bill. If we have won the issue around that, yes, there has to be a post-legislative scrutiny, and I think that it is right and proper that the committee and the Parliament embark on the two inquiries that were unanimously agreed in the motion on 21 June. In fact, we have drafted terms of reference here, which I will be happy to share with the committee at the end of the meeting. However, I do think that the interrelationship of FOISA with other legislation is pretty important. We are a small campaigning organisation with very limited resources. We have come up with a big list of things that we reckon should be included in the reform analysis. However, one of the issues for us is the interrelationship with other legislation. I like you know very well from all your experience on human rights that the right to privacy is incorporated under the European convention on human rights, finding principle of the Scottish Parliament that all legislation should be ECHR compliant. There is article 8, which is the right to respect for private and family life. Private WhatsApps, e-mails, obviously that remains private. However, what we do know from case law and the general data protection regulation is that sometimes that private vehicle contains matters of public interest and contains official business. Of course, we know from Hillary Clinton that using your private server when it is dealing with national security or public information issues means that it is no longer private. Those are the kind of interrelationships that the post-legislative scrutiny needs to examine. The whole business and human rights agenda pointed out quite rightly why we are not having access to big public sector contracts and meetings deciding big public sector contracts. There is also the interrelationship with key bills and legislation that people, if they are given the opportunity to give evidence, can throw those up. It is the actual process of opening up this inquiry, inviting submissions from rights holders as well as those designated bodies. I would like to finish off by saying that FOSA took a very narrow approach to designation. That is one of our concerns, because if we look at the interrelationship with the Human Rights Act, the Human Rights Act applies to public bodies and those delivering services of a public nature. Had FOSA adopted that approach, RSLs would have been in from day one, because RSLs have been judged to be covered by the Human Rights Act because they are delivering in some of their functions public services. There needs to be a real review of the interrelationship between FOSA and other legislation and looking at key structural issues as well as the practical implementation. From my point of view, I agree with what Carle has said. If not everything that Carle has said, but clearly some of the reforms that you are referring to potentially such as reform of the telecommunications legislation, visa-free apps and so on and reform of data protection are obviously the moment reserved matters. When we have our discussion about how we take this forward, my view is that we should identify what changes are made. Whether it is a reserved matter or not, we should still press for those changes. We should not narrow ourselves down to devolved matters or devolved aspects of it. We should list all the things, ideally, as a Parliament where reform is required and whether it is within the legislative competence here or the legislative competence down in Westminster. That should hold us back from saying that this is what is required, in my view. Thank you. I will bring in Robin. Then I will go to Willie, who is going to take us down a slightly different but very important route. We are getting a wee bit short of time, so if I can ask everyone to keep their answers fairly brief, if possible. Robin. I was going to keep it brief by saying that if you want to have a very long meeting, ask social campaigners for a wish list. If you ask us for a wish list, we can be here for another couple of days. What I would say is that if you were to take the scatter graph of what all the various organisations have been asking for, it is more compact than you might think. There is quite a lot of things. Different people are asking for different things, but the range of the scatter graph is not enormous. It is not absolutely endless. I think that it is right to say that what you should do is to identify the problem. Not all of it will be thought-solved either by this act or necessarily by this Parliament, so I think that what you will probably end up doing is saying that these are the things that we can do within the act. Here are some things that lie in other Scottish acts and that they should be looked at. Here are things that lie without the side, the competence of this Parliament and they might be looked at as well. I do not think that pulling together a list of possibilities, but it has not been done cross-organisationally if I put it like that. I know that a number of organisations, particularly the work that Carol has done, have done it within an organisation, but we have not pulled it collectively across organisations. Willie Coffey, I am really interested in what people are saying on the table. It sounds to me that it is more of an issue about corporate data management and the expectations of what that should be in this day and age. Robin was alluding to some of the different mediums that we work in now. Is it just the written words, or is it just the paper that we deal with? No, it is much wider than that. Information exists in a variety of different forms out there, so I think that some of the issues that are being raised are about corporate data management, perhaps rather than the failings, if you like, of this act. Whether we improve the act and include that in here is another argument for another day, but what I wanted to ask colleagues around the table is that we will soon be signing up to comply with the European Union's regulation on data protection in May. There is a new data protection in general, GDPR, the regulation coming into force. How do we see that impacting on the act and do you see it being even tighter in making it much more difficult to access the kind of information that you are looking for at the moment, or do you see it being easier in opening it up a little bit more? I will type Robin first, then we will share. I am going to quickly pick this one up, because it is an enormously complex area, and it is one of the areas that we have quite a lot of interest in. The new data legislation is particularly strong and important about the individual's relationship to their own data. That is what is mainly transformational about that, which is your right to decide how your data is used and how it is shared. I am going to say that the Parliament should look now at a radical different view about how we manage data. We should move to a person-centred data approach. You should be starting to make sure that all public data about a person is assembled in a single place that they have control and access over to. That is the way that the legislation is pointing anyway, the European legislation, and that is the way that we should go. It is also going to be important, I think, to reassure people about how their data is used in the public. We have seen the Facebook Cambridge Analytica scandal this week. I would say that that is outside the FOI stuff, but I think that it is in parallel with it. There are some read-acrosses simply because the right to aggregate individuals' data may require their permission in certain circumstances. Generally not. If you cannot identify the individual, you can still mass aggregate data. I do not think that there is any particular reason why it should change what you are looking at in the FOI stuff, certainly not in terms of scope. It should not have any relationship to some of the exclusions that I personally think should be removed, particularly commercial confidentiality exclusions, and it should not have any impact on the extension of the act to new public authorities or to designate things as new public authorities. I would really urge separately the Scottish Parliament to look at the meaning of the data legislation, being compliant and really absorbing what this really means, what this is supposed to tell you about the relationship between citizen and data. It is something greater than that. It should have some impact on that, but I do not think that the main reforms that most people would be likely to identify in the freedom of information act itself should be greatly compromised one way or the other by this data. That is very much about personal data and your right for your data to be used in what you see as your interests, not being shared with your health data, not being shared with private pharmaceutical companies without your permission, for example. I do not think that it should be too much of an inhibitor on this review. Sarah Hutchison, you are head of policy and information at the Scottish Information Commissioner. Do you have anything that you would like to say on this particular question? Actually, my colleague Margaret Keyes is the expert on this. What we are anticipating is that there will be, of course, some impact, because it is a change, but that the change is going to be a lot, perhaps. We are hoping that the change will be a lot less than perhaps is anticipated, but I think that Margaret can do this very, very quickly as well. Just to underline what Robin said, we do not think that there is going to be a huge change in the relationship between freedom of information and personal data. Once the General Data Protection Regulation and the Data Protection Act comes into force in May, it is a big concern to us, it was, but 25 per cent to 33 per cent of our cases involve looking where the personal data should be disclosed under freedom of information, but thankfully the changes. We have been quite in contact with Westminster and the changes that have been made will be made to the Freedom of Information Act, as a result of the General Data Protection Regulation, basically keeps things as they are. I am not sitting here suggesting fines for the Scottish Information Commissioner. One ear I do of an issue with however is any public authorities responding to requests for personal information under freedom of information. If they get it wrong, they could be faced with huge fines from the UK Information Commissioner, whereas we obviously do not have the right to—the commissioner does not have the right to fine under freedom of information, so it would be interesting to see that itself, despite the legislation being okay, whether the very fact of the fear of fines will lead to a different chilling effect, but we think that it is something that we can work through with guidance and decisions as the years go by, hopefully months go by. Thank you. Richard. GDPR, the General Data Protection Rules, is about personal data. I would say that that is a very specific issue and it does relate to corporate data management and so on, but the issues that we are discussing here are not about personal data. Yes, of course, it might involve some more redactions in FOI releases and so on, but what we really need to guard against is any institutions that might use the GDPR rules as a kind of cover for not progressing on the FOI, so it is that way around that I would see this issue. Thank you. Willie, would you like to come back on that? Surely we are looking at personal data as well. We are looking at data information, whether it is personal, corporate or otherwise, surely. We are interested in all of that. We are surely interested in that. FOI covers personal data, does it not? Tommy. Just to come back to Willie's original point about his assessment, not so much about the European Act, but actually your assessment is just perhaps our concerns are simply a data recording issue. Actually, I think that it goes a bit deeper than that. I think that we need to go back to the journalist letter as well as other evidence that's emerged. The concerns are around political interference on FOI, delays, non-responsies, quite serious redactions and tenuous use of exemptions. I think that those are all serious concerns that are in addition to any concerns that we have around non-miniting or not recording meetings. It's not just the Scottish Government that this applies to, it's all other public authorities and I want to make that abundantly clear that those are concerns that people have. I think that those are also other concerns that I think should provoke. I'm glad to hear Alex that this is being accepted, that it should provoke post-legislative scrutiny. Darren, do you have something to ask? Just in relation to the GDPR, just a small point, that one of the advantages of the GDPR is that it's put a clear focus on the records management from the various public authorities. What we're hoping to see is an improvement in their management processes, a clearer understanding of what they hold, how they hold it and why they hold it. We might see a benefit in their general procedures and therefore their ability to access information quicker when we look at the freedom of information piece there. In relation to the wider practice piece, there is that distinction that some of the criticisms, in fact a number of the criticisms, are based on the application of the current act and therefore are issues of enforcement and a number of those are actively being examined by me at the moment in relation to the intervention using my enforcement procedures. It's just to bear in mind that not all of these will have a primary legislation fix. Some of them are down to issues of shear enforcement and also whether the tools in the toolkit are sufficient for the purpose there. It's not to say that they mustn't be taken into account when we're looking at post-legislative scrutiny but I think it's important when you enter into that scrutiny phase to be able to distinguish between things that can be fixed by legislation and things that are ultimately a matter of practice and enforcement. Can I ask on that? In your capacity as Scottish Information Commissioner, you are about to undertake some work already that is around this area and you say in your letter to this committee that you're confident that there wouldn't be any duplication of work that we would be doing if we did post-legislative scrutiny. Can you explain briefly for those interested in the committee what work it is that you will be undertaking and what gives you confidence that there won't be any duplication? What we're doing is that we've currently got two interventions in relation to the Scottish Government and its freedom of information performance. The first one was started in January 2017 and that specifically looks at time delays in relation to the provision of information under the act. The second one is wider in scope and it is looking at wider freedom of information performance as informed by the letter from the journalists last year and the parliamentary debate on the 21st of June of last year. What we've done when I came into post, we saw those concerns had been raised. Having seen the concerns, there are obviously serious concerns and we determined that it was important to look at those concerns in the round. So it was determined that we would proceed with an intervention, which is one of the enforcement processes that I have available to me under the current powers, and that involves essentially two key phases. The first phase is an assessment phase, so that's the phase where we take anecdote and turn it into proper evidence, a hard fact. So we're looking at the allegations. We've asked for concrete examples, which we're looking at. We're looking at those cases. We're also looking through the Government's own tracker, freedom of information tracker, so that we can identify other cases that we want to have a look at. We're taking representative samples so that we have an objectivity to the process to make sure that when we look and assess what the actual problems are, we have a good understanding and a fair and objective understanding of the issues in front of us. So that's the assessment phase. At the end of the assessment phase, we'll then determine, right, these are the problems, why are the problems and what's causing those problems, whether due to going on to the final stage, which is how do we fix these problems, what needs to be done to stop this any identified bad practice from happening, and that will take the form of recommendations by us as to changes in process in relation to that. So we're already under way in terms of that second intervention. Before you deal with the duplication point, can you give me any timescales on any of that work? Yes, we anticipate probably that the main piece, the assessment piece if you like, the one that's identifying what's wrong and what our recommendations would be to remedy that. We anticipate to be ready by the end of May of this year. And then are you able to deal with the duplication point? How confident can we be that the committee won't perhaps inadvertently strain to territory that you're already examining? The focus of the intervention is to look at practice in relation to the current legislation. So it is the Scottish Government complying with the Freedom of Information Act and with the good practice, as contained in the codes of practice. So it's an issue of compliance with existing law. It's not looking at what law should there be or it's not looking at what law should there be. In the course of it, of course, it's possible that some practice may be found and will have wider evidence of either good or bad practice coming out of it, but it will be judged against what the current legislation is. It's focus is not on recommending changes to legislation, it's focus is on recommending actions to take to ensure compliance with the current legislation using existing powers. Understand. Alex Neil just made an important point. Do you have any idea when the completion of this might happen? That's more difficult. The assessment phase, that's seeing what's wrong and what we'd recommend to remedy it. The next phase will depend upon, one, how deep the problems we've found are, two, what our recommendations are and how long they will take to implement, and we would also expect a monitoring phase. What we're not wanting to do is to simply make the recommendations and then walk away from them. That is something that we would then continue to monitor to see whether the recommendations have taken place and, if not, whether we require further enforcement action and also to monitor it to make sure that the benefits that we were expecting to see from those changes are actually taking effect so that we get a continuous improvement. What's your ballpark timetable for the recommendations? The recommendations, I would imagine, should hopefully be there by the end of May. At the end of the assessment phase, in essence, we'll tie that up with what we think is wrong and this is how we see it being remedied. I'll take a brief point from Carol if I may and then go to Ian Gray finally. I want to talk briefly about duplication. We are not convinced that there would be any duplication at all. We had corresponded with the Information Commissioner in January and invited him to have an open invitation for submissions to inform the enforcement action on the Scottish Government. The Information Commissioner said that it was in response to the journalist's letter. Obviously, an inquiry that was open would not be there for reactive, but it would be proactive. That is a major difference. We are concerned and embarrassed that the Scottish Government is subject to enforcement actions because we believe that they should be leading from the front. We are concerned about the impact on the work of the Scottish Information Commissioner's office. Currently, more than 10,000 bodies are covered by FOISA. There is a huge amount of work that the Commissioner needs to do routinely. Therefore, there must be financial and workload implications by devoting so much time to Scottish Government compliance. I just want to urge the committee to think about extra resources for the Commissioner's office. Does the Commissioner want to come back on that? I would certainly not dispute any gift of additional resource to the task. It is important to see that the current system is managed by my office with a full-time equivalent staff of about 20.5 people. To put it into context, there is a lot of work from one organisation bearing in mind our roles in relation to promotion, guidance, education, advising and assisting, as well as investigating and deciding appeals and carrying out interventions as well. We foresee that there will be additional work in relation to the oncoming additional registered social landlords later on in this year. In relation to that, we are seeking an uplift in personnel by some additional four personnel to be able to deal with that additional work. We are hoping, in relation to the intervention here, to deal with it within existing resources, albeit that there is quite a lot of additional resources as you would imagine. The problem is to get freedom of information officers imposed and trained. I do not want to delay the intervention simply to have additional people imposed and trained. It is more important that we address those areas of major concern as quickly and as thoroughly as possible. If it happens that some other business of my office is slightly delayed, I will have to take a determination as to what that would be and manage that risk. That is my responsibility within those resources. I look forward to that. I am sure that additional resources will be required for us to continue to carry on our work with additional bodies being subject to the act. If any changes are made to the legislation that increases our roles or bodies subject to it, increased resources would again be absolutely necessary. Ian Gray, final point. As you know this from when the legislation was passed, I am just interested. You said that your current investigation is investigating compliance against the existing legislation. I am just interested in what enforcement powers you have got, which you could bring to bear. The enforcement powers that we have have a couple of policies that set out the system. The ones that are enforcement policy and we have also got a specific intervention one. There are various levels of intervention and we usually allocate different enforcement powers to each of those interventions. They range from one that is very light touch, recommending improvement and process through to level four, which involves application of enforcement action. That could include an enforcement notice, which essentially notifies of a breach of part one of the act and failure to comply with an enforcement notice can lead to the matter being referred to the court of session, which may consider it to be a contempt of court under the current legislation. We can also issue practice recommendations in relation to breaches of the code of practice. We also have powers of entry and inspection under schedule three of the act, as it currently is, and information notices requiring the provision of information. In any scrutiny, it would be useful to look at those powers afresh to see if they are entirely sufficient. The powers in relation to some of the proactive publication could be improved upon. The time required to comply with an information notice of six weeks is something that might be worth looking at and an ability to tie some form of stronger enforcement to breaches of the codes of practice would also be useful. Once again, the system that we have and the tools that we have are not yet perfect by any means, but we do have quite a number of tools in the toolkit. We use our enforcement powers fairly rarely, rather than sparing use, because often the threat of the enforcement powers is enough to process matters further. I would like to thank everyone for their evidence today, which has been genuinely fascinating and extremely useful. We now close the meeting to the public as we move into private session. Thank you very much.