Feeds

ICO: Uni workers' personal webmail may be pried open

E-missives may be requested if related to public business

Secure remote control for conventional and virtual desktops

University workers must release information from personal webmail accounts on request if it is related to public business, the Information Commissioner's Office (ICO) has said.

Material in personal email accounts such as Gmail or Hotmail accounts must be disclosed under freedom of information (FOI) laws if it is related to the business of a public authority, the ICO has said in guidance on what research information universities and other higher education authorities have to disclose under FOI requests. The ICO is the watchdog responsible for ensuring public sector organisations comply with legitimate FOI requests.

"Information held on personal, non-work email accounts (eg: Hotmail, Yahoo!, Gmail) can still be subject to disclosure under the legislation," the ICO said in its new guidance (28-page / 288KB PDF).

"Generally, if the information held on a personal email account is related to public authority business, it is likely to be held on behalf of the public authority in accordance with [FOI laws]. When searching for information in response to a request you should consider whether it is appropriate to ask a member of staff whether they hold information in a personal email account. If the information is not related to the public authority’s work ... it will not be subject to the legislation. The ICO recommends that official work is stored on properly secure networks rather than personal email accounts," the guidance said.

The Freedom of Information (FOI) Act and the Freedom of Information (Scotland) Act came into full force on 1 January 2005, giving individuals the right for the first time to see information held by government departments and public bodies.

Under the FOI laws information is deemed to be held by a public authority "if it is held by another person on behalf of the authority".

Some information can be held back under qualified and absolute exemptions. However, where information can be withheld under a qualified exemption organisations are still obliged to conduct a 'public interest test' to determine whether it is right for information to be disclosed.

"Even if a qualified exemption or exception is engaged (ie covers the requested information), the information must still be disclosed unless the public interest in maintaining the exemption or exception is greater than the public interest in disclosing it. The decision involves the balancing of factors on each side," the ICO's guide said.

Factors that should be considered in determining whether information should be disclosed in the public's interest include whether releasing information will add to "the understanding of and participation in the public debate of issues of the day" and promote greater transparency in public money expenditure.

"There will be a greater public interest in disclosing information relating to research that is publicly funded," the ICO's guide to higher education bodies said.

"The content of the information and contextual factors including the age of the information and the timing of the request will all have some bearing on the balancing of the public interest. The greater the amounts of money involved or number of people affected by decisions will weigh more heavily in favour of disclosure," the ICO said.

The ICO said that universities and colleges do not have to disclose sensitive commercial information if there is a "genuine need" to protect it.

"There is a distinction to be drawn between commercial interests and financial interests. While there will be many cases where prejudice to the financial interests of a public authority may affect its commercial interests, this is not always the case," the ICO said in its guide.

Under FOI laws "information is exempt information if its disclosure ... would, or would be likely to, prejudice the commercial interests of any person (including the public authority holding it)".

Universities and colleges do not always need to disclose documents that contain "free and frank discussion" between academics, the ICO said. Organisations need to show that the information was part of a policy discussion or that disclosing the information would have a "chilling effect" on policy debate, it said.

"Academics should be able to formulate and debate opinions relating to research away from external scrutiny," the ICO's guide said.

"Chilling effect arguments are directly concerned with the argued loss of frankness and candour in debate, that it is said, would lead to poorer quality advice and less well formulated policy and decisions," it said.

Higher education bodies do not have to disclose information if a request is "vexatious" in nature. Under FOI laws, public sector organisations can decide not to provide information requested if they deem the request to be vexatious.

"Deciding whether a request is vexatious is a balancing exercise, taking into account the context and history of the request. The key question is whether the request is likely to cause unjustified distress, disruption or irritation," the ICO's guide said.

Education authorities can avoid problems responding to burdensome FOI requests and also build public trust if they proactively release information they hold, the ICO said.

Under FOI laws public authorities must "adopt and maintain" a scheme of publishing information, which must be approved by the ICO. The scheme has to "specify classes of information which the public authority publishes or intends to publish, specify the manner in which information of each class is, or is intended to be, published, and specify whether the material is, or is intended to be, available to the public free of charge or on payment".

"The ICO encourages higher education institutions to go further in the publication of background and factual data supporting research wherever possible, particularly once research projects are complete, so that certain categories of research information are consistently available," the ICO guide said.

"The ICO accepts that understanding the context of research areas is important and information sharing across disciplines and subject areas will sometimes vary for legitimate reasons – some areas can easily make data freely available as soon as it is produced, others may need to be more restrictive in what information is made available and to whom," it said.

"The ICO recommends research policies and strategies should also be published – this will include quality assurance procedures, policy and procedures relating to intellectual property, ethics committee terms of reference, applications and their approval, and any other relevant codes of practice; and any policy, strategy and procedures relating to knowledge transfer and enterprise," the ICO said in its guide.

Copyright © 2011, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

Boost IT visibility and business value

More from The Register

next story
'Stop dissing Google or quit': OK, I quit, says Code Club co-founder
And now a message from our sponsors: 'STFU or else'
Ex US cybersecurity czar guilty in child sex abuse website case
Health and Human Services IT security chief headed online to share vile images
Uber, Lyft and cutting corners: The true face of the Sharing Economy
Casual labour and tired ideas = not really web-tastic
Don't even THINK about copyright violation, says Indian state
Pre-emptive arrest for pirates in Karnataka
The police are WRONG: Watching YouTube videos is NOT illegal
And our man Corfield is pretty bloody cross about it
Oz biz regulator discovers shared servers in EPIC FACEPALM
'Not aware' that one IP can hold more than one Website
Apple tried to get a ban on Galaxy, judge said: NO, NO, NO
Judge Koh refuses Samsung ban for the third time
Pedals and wheel in that Google robo-car or it's off the road – Cali DMV
And insists on $5 million insurance per motor against accidents
prev story

Whitepapers

Top 10 endpoint backup mistakes
Avoid the ten endpoint backup mistakes to ensure that your critical corporate data is protected and end user productivity is improved.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up distributed data
Eliminating the redundant use of bandwidth and storage capacity and application consolidation in the modern data center.
The essential guide to IT transformation
ServiceNow discusses three IT transformations that can help CIOs automate IT services to transform IT and the enterprise
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.