Jake Hurfurt v Information Commissioner & Anor

Background 1. On 5 April 2022, Mr Hurfurt (the Appellant) wrote to the Department for Work and Pensions (DWP) requesting information in the following terms: “I write to request information and records under the FOIA, regarding the Department’s DPIAs in relation to the Integrated Risk and Intelligence Service [IRIS]. Specifically, I am asking for the following: – Copies of all current Data Protection Impact Assessments relating to any use of profiling, machine learning or artificial intelligence in IRIS – A copy of any general policy or guidance held by the department about the DWP’s policy on publication or lack thereof of DPIAs” 2. We are only concerned with the first section of the request for copies of Data Protection Impact Assessments (DPIAs). 3. In the DWP response on 5 May 2022 the department confirmed that it held the requested DPIAs. DWP withheld the information and cited section 31 Freedom of Information Act 2000 (FOIA) as the basis for withholding the information requested. The DWP stated that it would not disclose the DPIAs as this would compromise the effectiveness of its response to fraud. 4. Section 31 FOIA is a qualified exemption and therefore a public authority must also consider whether the public interest in maintaining the exemption outweighs the duty to disclose under FOIA. As to those public interest considerations, DWP explained that while there is a public interest in ensuring that it gathers and uses information legitimately to check accuracy and eligibility in the award and payment of benefits, it would not be able to provide more specific information as that would enable a wrongdoer to understand its services. 5. DWP averred that its DPIAs are highly detailed documents describing; a. the specific data attributes used; b. the techniques used; c. how the model is interpreted; d. the business process; e. and what the controls are to monitor and mitigate risks. 6. It was suggested by DWP that providing the Appellant (and thus the world) with the level of detail contained in the DPIA documents would enable a perpetrator to understand the way its IT systems work, as well as where and how it gathers information and thus facilitate crime and compromise the provision of public services. 7. In response to the Appellant’s request for an internal review the DWP maintained its position that section 31 FOIA was engaged and opined that the public interest was heavily in favour of maintaining the exemption. 8. The Appellant was not satisfied and complained to the Information Commissioner (the Commissioner) who clarified in the course of the investigation that DWP were relying on section 31(1)(a) FOIA. 9. During the course of the investigation one of the Commissioner’s case workers visited the DWP to view the withheld information and discuss principles of redaction. Those principles were then applied by a DWP team to the DPIAs that the Appellant had requested. Thereafter, on 20 February 2023 the DWP released redacted versions of the DPIAs to the Appellant. 10. The Commissioner’s decision notice reference IC-176118-M6Q9 was published on 13 March 2023. The Commissioner held that: a. Section 31(1)(a) FOIA 2000 is engaged to withhold the disputed information; b. The balance of the public interest weighs in favour of maintaining the exemption; c. The DWP procedurally breached s.10(1) by disclosing the redacted DPIAs outside the statutory time frame; d. No further steps were required to be taken by the DWP. 11. The Appellant appealed to the Tribunal by way of notice dated 14 April 2023. In due course directions were made joining the DWP as second respondent. 12. The hearing took place at Field House in London on 29 and 30 May 2024. The Appellant represented himself and both respondents were represented by counsel. The Tribunal heard oral evidence from the DWP and from the Appellant. All parties made submissions orally, in addition to their previous written submissions and formal documents received by the tribunal throughout the process. 13. Part of the hearing was held in private. This is known as a closed session. A gist of that session was provided to the Appellant. The gist as approved by the Tribunal is to be found at annex 1 of this decision. 14. I would like to apologise to the parties for the delay in committing this decision to writing which has been caused by a lengthy period of ill health and other judicial duties. Legal Framework 15. Section 1(1) FOIA states “Any person making a request for information to a public authority is entitled – (a) to be informed in writing by the public authority whether it holds information of the description specified in the request, and (b) if that is the case, to have that information communicated to him.” 16. FOIA provides a regime whereby public authorities have a duty to disclose information in response to a request. That duty to disclose is subject to the exemptions set out in the act. Some exemptions are absolute, others qualified. Where a qualified exemption is engaged disclosure should be made unless the public interest in maintaining the exemption outweighs the public interest in disclosure pursuant to section 2(2)(b). Disclosure made under FOIA is regarded as being to the world and is not simply disclosure to the requestor. No conditions may be placed on disclosure under FOIA. 17. The powers of the Tribunal in determining this appeal are set out in section 58 FOIA, as follows: If on an appeal under section 57 the Tribunal considers – (a) that the notice against which the appeal is brought is not in accordance with the law, or (b) to the extent that the notice involved an exercise of discretion by the Commissioner, that he ought to have exercised his discretion differently, the Tribunal shall allow the appeal or substitute such other notice as could have been served by the Commissioner, and in any other case the Tribunal shall dismiss the appeal. On such an appeal, the Tribunal may review any finding of fact on which the notice in question was based. 18. Section 31(1)(a) FOIA provides, inter alia, that information (which is not exempt information by virtue of section 30) is exempt information if its disclosure would, or would be likely to, prejudice the prevention or detection of crime. There is no issue in this case that the requested information would be exempt by virtue of section 30 FOIA. 19. Whether section 31(1)(a) is engaged requires a fact specific consideration of the information requested and the circumstances of the public authority. The same information in the hands of different public authorities may or may not engage the exemption. This is because section 31 creates a prejudice based exemption. 20. In DWP v Information Commissioner [2017] 1 WLR 1 the Court of Appeal approved the three step test first set out in Hogan v Information Commissioner [2011] 1 Info LR 588 to be applied in considering whether the disclosure of the requested information would or would be likely to be prejudice the prevention or detection of crime: a. the alleged prejudice has to relate to the applicable public interest within the exemption; the applicable interest is the prevention or detection of crime; b. the second step is whether there is a causal link between disclosure of the information and the nature of the prejudice claimed. Any such prejudice should be real, actual or of substance. The prejudice need not be extensive but must have a “very significant and weighty chance” of causing prejudice that is “real, actual and of substance” See DWP v Information Commissioner and FZ [2014] UKUT 0334 and R (Lord) v Secretary of State for the Home Department [2003] EWHC 2073 (Admin) ; c. the third step is to determine the likelihood of prejudice occurring on disclosure; there must be a real and significant risk. To reach the threshold that disclosure would or would be likely to prejudice the prevention or detection of crime the tribunal must be satisfied that it is more probable than not that the prejudice would occur. 21. When considering the nature of the prejudice the tribunal is not limited to looking at prejudice that could be caused by the disclosure of the information in isolation. 22. If s31(1)(a) is engaged then the Tribunal must go on to assess the balance of the public interests as they were on 5 May 2022 pursuant to s2(2)(b) FOIA. The public interest balance must be carried out according to the circumstances at the time of the response to the request. A dilatory public authority cannot take advantage of delaying their response beyond the 20 days provided for making their response in section 10(1) FOIA as the public interest will be assessed at the time the response should have been given. This is established by R (Evans) v Attorney General [2015] UKSC 21 and Montague v Information Commissioner and the Department of International Trade [2022] UKUT 104 (AAC). 23. Only if the public interest in maintaining the exemption outweighs the public interest in disclosure should the material be withheld from disclosure. We take a contents based approach; that is an assessment and comparison of actual harm (including risk of actual harm) and benefit by reference to the contents of any information that falls within the qualified exemption. 24. If the exemption is engaged the tribunal should consider whether the public interest in maintaining the exemption outweighs the public interest in disclosure. Relevant considerations will include a. The likelihood of prejudice. This means that if prejudice would occur the public interest in maintain the exemption is likely to be stronger than where the prejudice only meets the lower threshold of “would be likely” to occur. b. The extent of the prejudice c. All the realistically possible consequences. See London Borough of Camden v Information Commissioner and Voyias [2012] UKUT 190 (AAC) 25. Where a public authority has particular knowledge or expertise, most frequently in matters of national security, the position taken by that authority will be given appropriate weight due to that expertise. While it seems to us that in an appropriate case that principle would be capable of being applied in a law enforcement context we have concluded that it would not be appropriate in this case for any significant weight to be put on the opinion of the public authority for the reasons set out below. 26. On the application of the mosaic effect context is crucial and there is no reason in law to restrict the scope of the mosaic effect to actions of law abiding persons nor to that which has been widely publicised. The motivated intruder may be inspired by legitimate or illegitimate reasons, they may have access to widely available information or to that which has been obtained covertly or by subterfuge. The motivated intruder may not “play by the rules” and in our judgment it would be wrong as a matter of principle to restrict the ambit of consideration by reference to the capabilities of a quarter of a century ago as opposed to that which is possible at the date at which the public authority respond to the request. What can be said to be a realistic possibility in terms of risk will alter over time. The Issues 27. The Appellant does not dispute that some of the information within the DPIAs is exempt from disclosure under s31(1)(a) FOIA and that the public interest falls in favour of maintaining that exemption. For example that information which relates to matters of cyber security. The issue is the proper scope of the redactions. He is not able to give detailed reasons for his submissions that some information is not exempt nor whether, if so, the public interest would fall in favour of disclosure because he has not had sight of the material in question. He fairly argues his position by inference and with reference to principle. 28. The Commissioner’s position is that disclosure of the requested information would prejudice the prevention or detection of crime, as opposed to would be likely to do so, and that the public interest is in favour of maintaining the exemption. 29. The DWP relies on both limbs and submits that if the Tribunal is not satisfied that disclosure of the information would prejudice the prevention or detection of crime then we can be satisfied that it would be likely to do so. The DWP also avers that the public interest is in favour of maintaining the exemption. 30. We accept there is a real possibility that threat actors target departments such as the DWP. However, the issue for us is to consider is whether disclosure of the information requested would (or would be likely) of itself or in combination with other information to prejudice the prevention or detection of crime. The facts 31. We find the following facts based on our assessment of all the evidence, both oral and documentary. 32. In 2022 the Secretary of State for Work and Pensions announced that the government was going to invest £613 million pounds over three years to boost the Department of Work and Pension’s (“DWP”) counter-fraud initiatives, in particular “measures to improve how [the DWP] use and analyse data to respond to emerging threats” Fighting Fraud in the Welfare System CP 679, May 2022 . Levels of fraud fluctuate year on year but the general trend is that fraud is increasing. 33. A Data Protection Impact Assessment (DPIA) is a process used to analyse, identify and minimise the data protection risks of a project. The risks that the proposed processing of data will not comply with the regulatory framework, and of wider data protection obligations are considered and ways of mitigating those risks identified. DPIAs should consider broader risks to the rights and freedoms of individuals, potential social or economic disadvantage. 34. In order to perform its functions the DWP processes the data of over 20 million active claimants and customers. As part of the systems of data processing DWP use DPIAs to identify and minimise data protection risks from pieces of work which are called “initiatives” such as changes to processes and projects at local and national levels. 35. A DPIA must include a general description of the processing operations, an assessment of the risks to the rights and freedoms of data subjects, the measures envisaged to address those risks and safeguards security measures and mechanisms to ensure the protection of personal data. 36. Five DPIAs are within scope of the request. The DPIAs have two parts. Part 1 is a screening tool used to identify all initiatives that may involve high risk processing of personal data. If an initiative is so identified by the Data Protection Officer’s team the detailed assessment in part 2 of the process is completed. Part 1 is a part of the process rather than a part of the DPIA. The Appellant told the Tribunal that he did not wish to receive part 1 of any of the five DPIAs. His request was only for the Part 2 sections of the DPIAS; the detailed risk assessments. We were provided with and have reviewed a copy of a blank Part 1 and we agree that Part 1 is not within the scope of the request. 37. We are of the opinion that much of the information included within the requested documents should not be in the DPIAs in the first place. In our view the DWP have used the DPIAs as general risk assessments which is not their purpose. Furthermore, the articulation of risk within the DPIAs is poor. The documents fail to distinguish between risk to the data subject’s data and risks to the system. These factors likely contributed to the difficulty the DWP experienced in deciding what should be disclosed, albeit we acknowledge that the drafting of their DPIAs is a matter for the DWP. However, the inclusion of the extraneous material (as it is in our view) also makes disaggregation of the information unrealistic because what would be produced by that process would be meaningless. 38. The DWP publishes a Personal Information Charter (PIC). We were provided, at our request with a copy of the PIC which was published in December 2021 and was in force at the relevant date in May 2022. There was no separate privacy notice. We note in particular that the PIC sets out, inter alia: a. The types of personal data that will be processed; b. The people whose data will be processed. The DWP holds “ basic information … about everyone who has been allocated a National Insurance Number. The information is used by DWP and HMRC, and also by the Department for Communities in Northern Ireland”; c. DWP works together with other parts of government. DWP uses data from and shares data with a range of organisations including HMRC and the Ministry of Justice; d. Artificial Intelligence is used by DWP to help detect and prevent fraud and error; e. DWP is constantly developing new digital services. 39. In our view the PIC should have separated out the data uses to a greater extent. The PIC might be regarded as confusing as a result of its aggregation of different aspects and a lack of explanation of some terms. Furthermore it is not clear (given the content of the DPIAs which we have read in full) how those assessments practically interrelate to the PIC. This is relevant to our assessment of the public interest. 40. The document “Fighting Fraud in the Welfare System” was published by the DWP on 19 May 2022. This document states – “18. We have also set up two new teams to improve fraud prevention and detection. The Enhanced Checking Service and Disrupt team, which prevents losses by intervening in high-risk cases before payments have been issued, is estimated to have saved £800 million in 2020/21. Our Integrated Risk and Intelligence Service, maximising our cyber capability, helped teams identify new fraud threats. Together, they disrupted or corrected over 298,000 claims during 2020/21. Without taking actions like these, nearly £3.0 billion would now be in the hands of criminals. … 21. Welfare transactions last year totalled £258.2 billion – 22.5% of all UK government spending. This makes the welfare system a target for deliberate fraud by both organised crime groups and opportunistic individuals. With the complexity of the operations we run, we also recognise that both claimants and DWP staff can also make mistakes that can lead to payments being made in error. 22. Last year, there was an estimated £6.3 billion of welfare fraud, up from £2.8 billion from the year before. Together with £2.1 billion of error, the combined loss as a result of fraud and error was £8.4 billion or 3.9% of benefit expenditure. … 34. Effective use of data and intelligence helps our professionals do their job, from using online identity checks to accessing real time information, to specialist data-matching and other analytics. For example, our Integrated Risk and Intelligence Service are experts in monitoring risks and using data matching and analytical expertise to help identify fraudulent activity. This digital evidence is critical to help our trained professionals make the right decisions on a case-by-case basis. 35. As well as increasing the numbers of our staff, we are investing £145 million over three years on a package to further enhance data, analytics and investigative techniques to boost our capabilities to prevent and detect fraudulent attacks.” 41. The DPIAs within scope of the request cover a range of counter-fraud processing activities undertaken by the DWP’s Integrated Risk and Intelligence Service [IRIS]. Profiling is used in relation to the transaction and not the individual to determine how likely it is that the circumstances are likely to be true based on similar transactions. That profiling may flag risks which are then checked by a member of staff. No decisions are taken solely by machine learning or artificial intelligence. 42. The DWP’s case was that were the DPIAs to be disclosed to the public under FOIA that the information they contained was highly likely to be of interest to sophisticated threat actors seeking to perpetrate fraud on a system that handles billions of pounds each year. Conversely, publication of information about how data is gathered and used by a department such as the DWP adds to the public’s (data subjects’) knowledge of who they are sharing their data with and how it is being processed. 43. We find that fraud in this context can take many forms from individuals misrepresenting their circumstances to serious organised crime gangs targeting the benefits system with false claims. 44. Mr Boundy, the former DWP Head of Advanced Analytics, told the tribunal about examples of criminal cases where significant sums of welfare benefits were falsely claimed. We were provided with two examples of crimes that had been uncovered, both of which post-dated the request in this case. a. First we were given a press release published 27 October 2023, concerning the sentencing of a group of seven people for benefit fraud. We noted that there was no suggestion in the press report, nor from Mr Boundy, that the fraudsters had used any data from the DWP, or knowledge about how data was processed, to perpetrate their crimes which were committed using stolen and hijacked genuine identities to make false claims. b. The second press report placed before us concerned another group who had made false claims for welfare benefits, totally £53.9 million between October 2016 and May 2021. Similarly to the first case, this group of five criminals had used fake documents to support the false claims. Their method was to make a claim and if it was rejected to try again and again until the claim was granted. Again there was no suggestion in the report that the fraudsters had used any data from the DWP or knowledge about how data was processed, to perpetrate their crimes. 45. In the financial year ending 2023 fraud and error was estimated to account for approximately 3.6% of payments or £8.3bn of which 76% was fraud as opposed to error. The figures for fraud increased during the pandemic to £8.7bn for the year end 2022. We are satisfied that the levels of fraud on the welfare system are significant. 46. The DWP argues that there are potential “knock-on effects” were these DPIAs to be released. It is suggested that release of this information would increase the likelihood of future requests for similar DPIAs. We accept that small disclosures may have a cumulative effect that allow a fuller picture to be revealed. Sometimes anodyne information can take on a greater significance when used as part of the overall picture but each case is fact sensitive. It is not always clear what is in the public domain or in the hands of criminals illegitimately. 47. The engagement of the exemption and the applicable public interests must be applied as at the date of the response to the request. It seems to us that the risks posed by any such potential further requests would need to be considered at the time they are made in the light of what had been previously released not by curtailing the response to this request just in case another request is made by someone else. To the extent that any guidance suggests otherwise, it does not bind us. 48. The DWP do not maintain a register of disclosures under FOIA which might assist them in establishing whether the subsequent disclosure of another piece of information would reveal more in the light of what had been released previously. 49. DWP personnel are sometimes targeted by criminals, we accept that releasing individual’s names and contact details could increase the risk to those individuals of being targeted by criminals. This is not disputed by the Appellant. 50. We have concluded that that criminals will change their behaviour if they know a specific area of operation or project will be targeted or scrutinised for the purposes of crime prevention. For example a thief will most likely choose to steal from an area that is not under CCTV coverage as opposed to one that is. This is a common sense conclusion. The requested information 51. The DPIAs within scope have been partially disclosed, further disclosures were made during the course of the hearing. The DPIAs are a. DPIA 278 – describes DWP data stores and tools used to counter fraud/error. Further disclosure was made during the hearing of risk scores and some text. b. DPIA 791 – Further disclosure was made during the hearing of risk scores and some text. c. DPIA 1026 – Further disclosure was made during the hearing of risk scores and some text. d. DPIA 1300 – describes the Common Risk Engine and Universal Advances Fraud Risk Model. Further disclosure was made during the hearing of risk scores. Most information in this DPIA has now been released. e. DPIA 1442 – Further disclosure was made during the hearing of risk scores. This DPIA was disclosed with its date of creation included. 52. From our consideration of the withheld material we have concluded that there are five types of information that have not yet been disclosed, these are in broad terms a. Technical measures, b. Personal or Organisational information, c. Explanations of the initiatives, d. Risk Assessment information, e. Details of data sharing. 53. The remaining strands of information have been considered alone and in combination. We have not taken a microscopic view but an holistic one of the remaining information. 54. We have concluded that the following types of information engages the exemption from disclosure under s31(1)(a) because, for the most part it would be likely to prejudice the prevention or detection of crime. Where we have concluded that the higher threshold of would prejudice has been reached we so indicate. The threshold of prejudice is reached because there is a real and significant risk that criminals will use the information alone or in combination with other sources to facilitate fraud. The DWP processes provide a target for those who want to profit from false claims and the more information they have about those processes the better they will be able to create and adapt their criminal enterprises. 55. Technical measures in this case refers to cyber security systems and actions. All parties in this appeal agree these matters should not be disclosed and we agree. That is because disclosure of these matters relating to cyber security would prejudice the prevention or detection of crime in that the disclosure would allow threat actors to understand and be better able to avoid those systems and actions. The public interest falls squarely on the side of maintenance of the exemption. We will not consider technical measures further in this decision. 56. Personal or Organisational information, such as team names, individual’s names and staff functions does not form a homogenous category in our opinion. It is necessary to distinguish the names of individuals from team names and functions. a. We accept the case for the department that individual’s names and contact details should not be disclosed; see further in our closed decision. Alone or on combination with other information the disclosure of this information under FOIA would be likely to prejudice the prevention or detection of crime. b. Some team names have already been placed in the public domain, see for example the document “Fighting Fraud in the Welfare System”. Also important in this case is the link between those team names and the subject matter of the DPIA. Team names could be used to give verisimilitude to criminal activities, for example phishing scams targeting members of the public. Alone or in combination with other information the disclosure of this information under FOIA would be likely to prejudice the prevention or detection of crime. c. Team functions are internal operational details. Disclosure of details of how a team operates to counter fraud or other types of crime would prejudice the prevention or detection of crime in that the disclosure would allow threat actors to understand and be better able to avoid those team’s functions and operations. 57. Explanations of the initiatives must also be considered with reference to its separate components and not as a whole. Those parts are the fact of initiative, the name/area of operation and its detail including the date of the DPIA. We accept that criminals or threat actors will be likely to change their behaviour to either avoid targeting a certain benefit or activity if they learn that area of operation is the subject of a DWP counter fraud initiative or to target an area of operation if it seems that it is not the focus of counter-fraud efforts . 58. The prejudicial effect of criminals piecing together information from different sources is a real one. Any particular piece of information may appear anodyne in isolation but in combination with (all or part of) the remainder of the requested information or other information in the public domain the utility of the information to a threat actor is enhanced. 59. The release of the date of a DPIA in combination with details of the subject of the initiative may reveal the status of the initiative/operation and of the software and hardware being used. The date alone tells one nothing about the initiative or the mechanisms employed. Knowledge of the date on which the risks of processing have been assessed is of importance to the exercise of data subjects’ rights. 60. We have concluded that publication of each aspect of the explanations of the initiatives, whether alone or in combination with other information, under FOIA would be likely to prejudice the prevention or detection of crime. 61. Risk Assessment information might be an analysis of risk to a. the information security systems, b. the organisation itself, or its reputation, c. the data subject or their data, including the nature and scope of processing of that data As to (a) this has already been dealt with above in relation to technical measures. It is important that any DPIA distinguishes between these risks, see further in closed. We have concluded that alone or on combination with other information the disclosure of this information under FOIA would be likely to prejudice the prevention or detection of crime. 62. As to details of data sharing by the DWP, the fact of sharing must be distinguished from details of how that sharing may be achieved when considering the risk of prejudice that would be caused by disclosure. Some information about the source of data is already in the public domain, see inter alia Fighting Fraud in the Welfare System and the PIC. We accept that knowledge of the source of data or with whom DWP data is shared can indicate something about the initiative. Details about the data sharing, for example how data sharing takes place or its frequency can assist a threat actor to better target their efforts, see further in closed. We have concluded that alone or on combination with other information the disclosure of information under FOIA would prejudice the prevention or detection of crime. 63. We have concluded that section 31(1)(a) FOIA is engaged in relation to the requested information to the extent set out above and in our closed decision. The prejudice being asserted by the DWP is neither trivial nor insignificant and it relates to the prevention or detection of crime. There is a demonstrable link between any disclosure of the requested information and the prejudice claimed that is real, actual and of substance. There is a real and significant risk of the prejudice occurring if the requested material is disclosed. The public interest 64. The public interest in maintaining the exemption as regards information that would be likely to prejudice the prevention or detection of crime is a strong one. The strength of that public interest increases where the disclosure of the material would prejudice the prevention or detection of crime. 65. There is a strong public interest in protecting the security of the welfare system against crime and fraud. It is necessary to recognise that different public interests may be relevant when considering the risk of benefit fraud (whether by unsophisticated individuals or sophisticated and organised criminals) and the risk of cybercrime, for example by cyber incursion to harvest individuals’ data. 66. Benefit fraud costs the DWP a substantial amount of money, see findings above. This loss is born by society as a whole via taxation and while it is right to counter those fraudulent activities the loss is spread. On the other hand were an individual’s data to be obtained by a criminal that data could be used in other types of crime. The losses, in those cases, will fall on the individual data subject and any business or financial institution through which such crimes are perpetrated. The losses caused by data harvesting are not spread in the same way amongst taxpayers. There is a strong public interest in maintaining the security of personal data of all those whose data is processed by the DWP and particularly the more vulnerable claimants who may be more susceptible to criminal activity such as phishing or the possible consequences of any interference with the payment of benefits. See further in closed. 67. The DWP argues that release of the information would have the negative result of reducing the detail put into the DPIAs in future by officials who feared possible requests for disclosure. The purpose of FOIA is to make information available but there are exemptions and these must be considered on a case by case basis. 68. In our view it would be inappropriate to tailor or restrict what is said in any document created for the purposes of a public authority, by reference to what might be disclosed on request under FOIA, if to do so would be to the detriment of competing duties, such as under data protection legislation or to avoid accountability. It must be noted that this decision will set no precedent for how future requests are dealt with by the DWP or any other public authority. 69. The DWP shares information with other parts of Government and third parties. The DWP submits that disclosure of sharing arrangements would risk undermining those relationships and arrangements because it would be perceived that risk to those other bodies would increase and those organisations may revisit their willingness to share data with the DWP. We accept that there is a public interest in maintaining data sharing arrangements in order that the system is provided with the data it needs to operate. 70. The public interests in favour of disclosure include transparency and accountability in relation to data processing, particularly where machine learning tools are involved or there is profiling of data subjects. The DWP attempt to meet this interest by publication of the PIC, see above. However, that PIC is inadequate in certain ways as we have already outlined. Those inadequacies strengthen the public interest in disclosure given the need for proper scrutiny of the nature and scope of data processing taking place and the basis for that processing. 71. Conversely we note that the DWP is bound to comply with all relevant data protection legislation, regulation by the Information Commissioner and audit by the National Audit Office. These mechanisms provide the framework for securing compliance with the DWPs obligations in processing data rather than FOIA. 72. We note that the commitment made to the Public Accounts Committee by the DWP in relation to it the publication of information in its annual accounts. This is relied upon by the DWP, however, the commitment was made after the date of the response to the request and after the date of the decision notice under appeal. As such the commitment cannot form part of the public interest balance at the time of the response but it sheds some light on the DWP’s attitude to transparency in its use of data analytics. 73. The Tribunal acknowledges the Appellant’s concern that there is risk of bias and discrimination in the use of algorithmic and machine learning models. We acknowledge the public interest in the promotion of the understanding of the use of artificial intelligence systems generally and in particular by government departments in the context of automatic decision making. However in this case machine learning is used to identify cases of possible fraud which are then examined by a member of staff. Further, data is not processed by the DWP with reference to protected characteristics. The majority of the redacted information does not deal with issues of automatic decision making, artificial intelligence, bias, nor protected characteristics and thus the release of the material would not significantly further public understanding of these issues. 74. Having considered the competing public interests, above and in our closed decision, we have concluded that the balance falls in favour of maintaining the exemption. Even though there are important issues raised by the Appellant and our close examination of the DPIAs, the public interest in maintaining the exemption outweighs the public interest in disclosure. 75. For all these reasons the appeal is dismissed.