Feeds

ICO: Uni workers' personal webmail may be pried open

E-missives may be requested if related to public business

Website security in corporate America

University workers must release information from personal webmail accounts on request if it is related to public business, the Information Commissioner's Office (ICO) has said.

Material in personal email accounts such as Gmail or Hotmail accounts must be disclosed under freedom of information (FOI) laws if it is related to the business of a public authority, the ICO has said in guidance on what research information universities and other higher education authorities have to disclose under FOI requests. The ICO is the watchdog responsible for ensuring public sector organisations comply with legitimate FOI requests.

"Information held on personal, non-work email accounts (eg: Hotmail, Yahoo!, Gmail) can still be subject to disclosure under the legislation," the ICO said in its new guidance (28-page / 288KB PDF).

"Generally, if the information held on a personal email account is related to public authority business, it is likely to be held on behalf of the public authority in accordance with [FOI laws]. When searching for information in response to a request you should consider whether it is appropriate to ask a member of staff whether they hold information in a personal email account. If the information is not related to the public authority’s work ... it will not be subject to the legislation. The ICO recommends that official work is stored on properly secure networks rather than personal email accounts," the guidance said.

The Freedom of Information (FOI) Act and the Freedom of Information (Scotland) Act came into full force on 1 January 2005, giving individuals the right for the first time to see information held by government departments and public bodies.

Under the FOI laws information is deemed to be held by a public authority "if it is held by another person on behalf of the authority".

Some information can be held back under qualified and absolute exemptions. However, where information can be withheld under a qualified exemption organisations are still obliged to conduct a 'public interest test' to determine whether it is right for information to be disclosed.

"Even if a qualified exemption or exception is engaged (ie covers the requested information), the information must still be disclosed unless the public interest in maintaining the exemption or exception is greater than the public interest in disclosing it. The decision involves the balancing of factors on each side," the ICO's guide said.

Factors that should be considered in determining whether information should be disclosed in the public's interest include whether releasing information will add to "the understanding of and participation in the public debate of issues of the day" and promote greater transparency in public money expenditure.

"There will be a greater public interest in disclosing information relating to research that is publicly funded," the ICO's guide to higher education bodies said.

"The content of the information and contextual factors including the age of the information and the timing of the request will all have some bearing on the balancing of the public interest. The greater the amounts of money involved or number of people affected by decisions will weigh more heavily in favour of disclosure," the ICO said.

The ICO said that universities and colleges do not have to disclose sensitive commercial information if there is a "genuine need" to protect it.

"There is a distinction to be drawn between commercial interests and financial interests. While there will be many cases where prejudice to the financial interests of a public authority may affect its commercial interests, this is not always the case," the ICO said in its guide.

Under FOI laws "information is exempt information if its disclosure ... would, or would be likely to, prejudice the commercial interests of any person (including the public authority holding it)".

Universities and colleges do not always need to disclose documents that contain "free and frank discussion" between academics, the ICO said. Organisations need to show that the information was part of a policy discussion or that disclosing the information would have a "chilling effect" on policy debate, it said.

"Academics should be able to formulate and debate opinions relating to research away from external scrutiny," the ICO's guide said.

"Chilling effect arguments are directly concerned with the argued loss of frankness and candour in debate, that it is said, would lead to poorer quality advice and less well formulated policy and decisions," it said.

Higher education bodies do not have to disclose information if a request is "vexatious" in nature. Under FOI laws, public sector organisations can decide not to provide information requested if they deem the request to be vexatious.

"Deciding whether a request is vexatious is a balancing exercise, taking into account the context and history of the request. The key question is whether the request is likely to cause unjustified distress, disruption or irritation," the ICO's guide said.

Education authorities can avoid problems responding to burdensome FOI requests and also build public trust if they proactively release information they hold, the ICO said.

Under FOI laws public authorities must "adopt and maintain" a scheme of publishing information, which must be approved by the ICO. The scheme has to "specify classes of information which the public authority publishes or intends to publish, specify the manner in which information of each class is, or is intended to be, published, and specify whether the material is, or is intended to be, available to the public free of charge or on payment".

"The ICO encourages higher education institutions to go further in the publication of background and factual data supporting research wherever possible, particularly once research projects are complete, so that certain categories of research information are consistently available," the ICO guide said.

"The ICO accepts that understanding the context of research areas is important and information sharing across disciplines and subject areas will sometimes vary for legitimate reasons – some areas can easily make data freely available as soon as it is produced, others may need to be more restrictive in what information is made available and to whom," it said.

"The ICO recommends research policies and strategies should also be published – this will include quality assurance procedures, policy and procedures relating to intellectual property, ethics committee terms of reference, applications and their approval, and any other relevant codes of practice; and any policy, strategy and procedures relating to knowledge transfer and enterprise," the ICO said in its guide.

Copyright © 2011, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

Internet Security Threat Report 2014

More from The Register

next story
Phones 4u slips into administration after EE cuts ties with Brit mobe retailer
More than 5,500 jobs could be axed if rescue mission fails
JINGS! Microsoft Bing called Scots indyref RIGHT!
Redmond sporran metrics get one in the ten ring
Driving with an Apple Watch could land you with a £100 FINE
Bad news for tech-addicted fanbois behind the wheel
Murdoch to Europe: Inflict MORE PAIN on Google, please
'Platform for piracy' must be punished, or it'll kill us in FIVE YEARS
Bono: Apple will sort out monetising music where the labels failed
Remastered so hard it would be difficult or impossible to master it again
Phones 4u website DIES as wounded mobe retailer struggles to stay above water
Founder blames 'ruthless network partners' for implosion
Sony says year's losses will be FOUR TIMES DEEPER than thought
Losses of more than $2 BILLION loom over troubled Japanese corp
Radio hams can encrypt, in emergencies, says Ofcom
Consultation promises new spectrum and hints at relaxed licence conditions
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.