ICO: Uni workers' personal webmail may be pried open
E-missives may be requested if related to public business
University workers must release information from personal webmail accounts on request if it is related to public business, the Information Commissioner's Office (ICO) has said.
Material in personal email accounts such as Gmail or Hotmail accounts must be disclosed under freedom of information (FOI) laws if it is related to the business of a public authority, the ICO has said in guidance on what research information universities and other higher education authorities have to disclose under FOI requests. The ICO is the watchdog responsible for ensuring public sector organisations comply with legitimate FOI requests.
"Information held on personal, non-work email accounts (eg: Hotmail, Yahoo!, Gmail) can still be subject to disclosure under the legislation," the ICO said in its new guidance (28-page / 288KB PDF).
"Generally, if the information held on a personal email account is related to public authority business, it is likely to be held on behalf of the public authority in accordance with [FOI laws]. When searching for information in response to a request you should consider whether it is appropriate to ask a member of staff whether they hold information in a personal email account. If the information is not related to the public authority’s work ... it will not be subject to the legislation. The ICO recommends that official work is stored on properly secure networks rather than personal email accounts," the guidance said.
The Freedom of Information (FOI) Act and the Freedom of Information (Scotland) Act came into full force on 1 January 2005, giving individuals the right for the first time to see information held by government departments and public bodies.
Under the FOI laws information is deemed to be held by a public authority "if it is held by another person on behalf of the authority".
Some information can be held back under qualified and absolute exemptions. However, where information can be withheld under a qualified exemption organisations are still obliged to conduct a 'public interest test' to determine whether it is right for information to be disclosed.
"Even if a qualified exemption or exception is engaged (ie covers the requested information), the information must still be disclosed unless the public interest in maintaining the exemption or exception is greater than the public interest in disclosing it. The decision involves the balancing of factors on each side," the ICO's guide said.
Factors that should be considered in determining whether information should be disclosed in the public's interest include whether releasing information will add to "the understanding of and participation in the public debate of issues of the day" and promote greater transparency in public money expenditure.
"There will be a greater public interest in disclosing information relating to research that is publicly funded," the ICO's guide to higher education bodies said.
"The content of the information and contextual factors including the age of the information and the timing of the request will all have some bearing on the balancing of the public interest. The greater the amounts of money involved or number of people affected by decisions will weigh more heavily in favour of disclosure," the ICO said.
The ICO said that universities and colleges do not have to disclose sensitive commercial information if there is a "genuine need" to protect it.
"There is a distinction to be drawn between commercial interests and financial interests. While there will be many cases where prejudice to the financial interests of a public authority may affect its commercial interests, this is not always the case," the ICO said in its guide.
Under FOI laws "information is exempt information if its disclosure ... would, or would be likely to, prejudice the commercial interests of any person (including the public authority holding it)".
Universities and colleges do not always need to disclose documents that contain "free and frank discussion" between academics, the ICO said. Organisations need to show that the information was part of a policy discussion or that disclosing the information would have a "chilling effect" on policy debate, it said.
"Academics should be able to formulate and debate opinions relating to research away from external scrutiny," the ICO's guide said.
"Chilling effect arguments are directly concerned with the argued loss of frankness and candour in debate, that it is said, would lead to poorer quality advice and less well formulated policy and decisions," it said.
Higher education bodies do not have to disclose information if a request is "vexatious" in nature. Under FOI laws, public sector organisations can decide not to provide information requested if they deem the request to be vexatious.
"Deciding whether a request is vexatious is a balancing exercise, taking into account the context and history of the request. The key question is whether the request is likely to cause unjustified distress, disruption or irritation," the ICO's guide said.
Education authorities can avoid problems responding to burdensome FOI requests and also build public trust if they proactively release information they hold, the ICO said.
Under FOI laws public authorities must "adopt and maintain" a scheme of publishing information, which must be approved by the ICO. The scheme has to "specify classes of information which the public authority publishes or intends to publish, specify the manner in which information of each class is, or is intended to be, published, and specify whether the material is, or is intended to be, available to the public free of charge or on payment".
"The ICO encourages higher education institutions to go further in the publication of background and factual data supporting research wherever possible, particularly once research projects are complete, so that certain categories of research information are consistently available," the ICO guide said.
"The ICO accepts that understanding the context of research areas is important and information sharing across disciplines and subject areas will sometimes vary for legitimate reasons – some areas can easily make data freely available as soon as it is produced, others may need to be more restrictive in what information is made available and to whom," it said.
"The ICO recommends research policies and strategies should also be published – this will include quality assurance procedures, policy and procedures relating to intellectual property, ethics committee terms of reference, applications and their approval, and any other relevant codes of practice; and any policy, strategy and procedures relating to knowledge transfer and enterprise," the ICO said in its guide.
Copyright © 2011, OUT-LAW.com
OUT-LAW.COM is part of international law firm Pinsent Masons.
Sponsored: DevOps and continuous delivery