Feeds

ICO: Uni workers' personal webmail may be pried open

E-missives may be requested if related to public business

High performance access to file storage

University workers must release information from personal webmail accounts on request if it is related to public business, the Information Commissioner's Office (ICO) has said.

Material in personal email accounts such as Gmail or Hotmail accounts must be disclosed under freedom of information (FOI) laws if it is related to the business of a public authority, the ICO has said in guidance on what research information universities and other higher education authorities have to disclose under FOI requests. The ICO is the watchdog responsible for ensuring public sector organisations comply with legitimate FOI requests.

"Information held on personal, non-work email accounts (eg: Hotmail, Yahoo!, Gmail) can still be subject to disclosure under the legislation," the ICO said in its new guidance (28-page / 288KB PDF).

"Generally, if the information held on a personal email account is related to public authority business, it is likely to be held on behalf of the public authority in accordance with [FOI laws]. When searching for information in response to a request you should consider whether it is appropriate to ask a member of staff whether they hold information in a personal email account. If the information is not related to the public authority’s work ... it will not be subject to the legislation. The ICO recommends that official work is stored on properly secure networks rather than personal email accounts," the guidance said.

The Freedom of Information (FOI) Act and the Freedom of Information (Scotland) Act came into full force on 1 January 2005, giving individuals the right for the first time to see information held by government departments and public bodies.

Under the FOI laws information is deemed to be held by a public authority "if it is held by another person on behalf of the authority".

Some information can be held back under qualified and absolute exemptions. However, where information can be withheld under a qualified exemption organisations are still obliged to conduct a 'public interest test' to determine whether it is right for information to be disclosed.

"Even if a qualified exemption or exception is engaged (ie covers the requested information), the information must still be disclosed unless the public interest in maintaining the exemption or exception is greater than the public interest in disclosing it. The decision involves the balancing of factors on each side," the ICO's guide said.

Factors that should be considered in determining whether information should be disclosed in the public's interest include whether releasing information will add to "the understanding of and participation in the public debate of issues of the day" and promote greater transparency in public money expenditure.

"There will be a greater public interest in disclosing information relating to research that is publicly funded," the ICO's guide to higher education bodies said.

"The content of the information and contextual factors including the age of the information and the timing of the request will all have some bearing on the balancing of the public interest. The greater the amounts of money involved or number of people affected by decisions will weigh more heavily in favour of disclosure," the ICO said.

The ICO said that universities and colleges do not have to disclose sensitive commercial information if there is a "genuine need" to protect it.

"There is a distinction to be drawn between commercial interests and financial interests. While there will be many cases where prejudice to the financial interests of a public authority may affect its commercial interests, this is not always the case," the ICO said in its guide.

Under FOI laws "information is exempt information if its disclosure ... would, or would be likely to, prejudice the commercial interests of any person (including the public authority holding it)".

Universities and colleges do not always need to disclose documents that contain "free and frank discussion" between academics, the ICO said. Organisations need to show that the information was part of a policy discussion or that disclosing the information would have a "chilling effect" on policy debate, it said.

"Academics should be able to formulate and debate opinions relating to research away from external scrutiny," the ICO's guide said.

"Chilling effect arguments are directly concerned with the argued loss of frankness and candour in debate, that it is said, would lead to poorer quality advice and less well formulated policy and decisions," it said.

Higher education bodies do not have to disclose information if a request is "vexatious" in nature. Under FOI laws, public sector organisations can decide not to provide information requested if they deem the request to be vexatious.

"Deciding whether a request is vexatious is a balancing exercise, taking into account the context and history of the request. The key question is whether the request is likely to cause unjustified distress, disruption or irritation," the ICO's guide said.

Education authorities can avoid problems responding to burdensome FOI requests and also build public trust if they proactively release information they hold, the ICO said.

Under FOI laws public authorities must "adopt and maintain" a scheme of publishing information, which must be approved by the ICO. The scheme has to "specify classes of information which the public authority publishes or intends to publish, specify the manner in which information of each class is, or is intended to be, published, and specify whether the material is, or is intended to be, available to the public free of charge or on payment".

"The ICO encourages higher education institutions to go further in the publication of background and factual data supporting research wherever possible, particularly once research projects are complete, so that certain categories of research information are consistently available," the ICO guide said.

"The ICO accepts that understanding the context of research areas is important and information sharing across disciplines and subject areas will sometimes vary for legitimate reasons – some areas can easily make data freely available as soon as it is produced, others may need to be more restrictive in what information is made available and to whom," it said.

"The ICO recommends research policies and strategies should also be published – this will include quality assurance procedures, policy and procedures relating to intellectual property, ethics committee terms of reference, applications and their approval, and any other relevant codes of practice; and any policy, strategy and procedures relating to knowledge transfer and enterprise," the ICO said in its guide.

Copyright © 2011, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

High performance access to file storage

More from The Register

next story
Android engineer: We DIDN'T copy Apple OR follow Samsung's orders
Veep testifies for Samsung during Apple patent trial
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Big Content goes after Kim Dotcom
Six studios sling sueballs at dead download destination
Alphadex fires back at British Gas with overcharging allegation
Brit colo outfit says it paid for 347KVA, has been charged for 1940KVA
Jack the RIPA: Blighty cops ignore law, retain innocents' comms data
Prime minister: Nothing to see here, go about your business
Singapore decides 'three strikes' laws are too intrusive
When even a prurient island nation thinks an idea is dodgy it has problems
Banks slap Olympus with £160 MEEELLION lawsuit
Scandal hit camera maker just can't shake off its past
France bans managers from contacting workers outside business hours
«Email? Mais non ... il est plus tard que six heures du soir!»
Reprieve for Weev: Court disowns AT&T hacker's conviction
Appeals court strikes down landmark sentence
US taxman blows Win XP deadline, must now spend millions on custom support
Gov't IT likened to 'a Model T with a lot of things on top of it'
prev story

Whitepapers

Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.