Feeds

ICO: Uni workers' personal webmail may be pried open

E-missives may be requested if related to public business

Providing a secure and efficient Helpdesk

University workers must release information from personal webmail accounts on request if it is related to public business, the Information Commissioner's Office (ICO) has said.

Material in personal email accounts such as Gmail or Hotmail accounts must be disclosed under freedom of information (FOI) laws if it is related to the business of a public authority, the ICO has said in guidance on what research information universities and other higher education authorities have to disclose under FOI requests. The ICO is the watchdog responsible for ensuring public sector organisations comply with legitimate FOI requests.

"Information held on personal, non-work email accounts (eg: Hotmail, Yahoo!, Gmail) can still be subject to disclosure under the legislation," the ICO said in its new guidance (28-page / 288KB PDF).

"Generally, if the information held on a personal email account is related to public authority business, it is likely to be held on behalf of the public authority in accordance with [FOI laws]. When searching for information in response to a request you should consider whether it is appropriate to ask a member of staff whether they hold information in a personal email account. If the information is not related to the public authority’s work ... it will not be subject to the legislation. The ICO recommends that official work is stored on properly secure networks rather than personal email accounts," the guidance said.

The Freedom of Information (FOI) Act and the Freedom of Information (Scotland) Act came into full force on 1 January 2005, giving individuals the right for the first time to see information held by government departments and public bodies.

Under the FOI laws information is deemed to be held by a public authority "if it is held by another person on behalf of the authority".

Some information can be held back under qualified and absolute exemptions. However, where information can be withheld under a qualified exemption organisations are still obliged to conduct a 'public interest test' to determine whether it is right for information to be disclosed.

"Even if a qualified exemption or exception is engaged (ie covers the requested information), the information must still be disclosed unless the public interest in maintaining the exemption or exception is greater than the public interest in disclosing it. The decision involves the balancing of factors on each side," the ICO's guide said.

Factors that should be considered in determining whether information should be disclosed in the public's interest include whether releasing information will add to "the understanding of and participation in the public debate of issues of the day" and promote greater transparency in public money expenditure.

"There will be a greater public interest in disclosing information relating to research that is publicly funded," the ICO's guide to higher education bodies said.

"The content of the information and contextual factors including the age of the information and the timing of the request will all have some bearing on the balancing of the public interest. The greater the amounts of money involved or number of people affected by decisions will weigh more heavily in favour of disclosure," the ICO said.

The ICO said that universities and colleges do not have to disclose sensitive commercial information if there is a "genuine need" to protect it.

"There is a distinction to be drawn between commercial interests and financial interests. While there will be many cases where prejudice to the financial interests of a public authority may affect its commercial interests, this is not always the case," the ICO said in its guide.

Under FOI laws "information is exempt information if its disclosure ... would, or would be likely to, prejudice the commercial interests of any person (including the public authority holding it)".

Universities and colleges do not always need to disclose documents that contain "free and frank discussion" between academics, the ICO said. Organisations need to show that the information was part of a policy discussion or that disclosing the information would have a "chilling effect" on policy debate, it said.

"Academics should be able to formulate and debate opinions relating to research away from external scrutiny," the ICO's guide said.

"Chilling effect arguments are directly concerned with the argued loss of frankness and candour in debate, that it is said, would lead to poorer quality advice and less well formulated policy and decisions," it said.

Higher education bodies do not have to disclose information if a request is "vexatious" in nature. Under FOI laws, public sector organisations can decide not to provide information requested if they deem the request to be vexatious.

"Deciding whether a request is vexatious is a balancing exercise, taking into account the context and history of the request. The key question is whether the request is likely to cause unjustified distress, disruption or irritation," the ICO's guide said.

Education authorities can avoid problems responding to burdensome FOI requests and also build public trust if they proactively release information they hold, the ICO said.

Under FOI laws public authorities must "adopt and maintain" a scheme of publishing information, which must be approved by the ICO. The scheme has to "specify classes of information which the public authority publishes or intends to publish, specify the manner in which information of each class is, or is intended to be, published, and specify whether the material is, or is intended to be, available to the public free of charge or on payment".

"The ICO encourages higher education institutions to go further in the publication of background and factual data supporting research wherever possible, particularly once research projects are complete, so that certain categories of research information are consistently available," the ICO guide said.

"The ICO accepts that understanding the context of research areas is important and information sharing across disciplines and subject areas will sometimes vary for legitimate reasons – some areas can easily make data freely available as soon as it is produced, others may need to be more restrictive in what information is made available and to whom," it said.

"The ICO recommends research policies and strategies should also be published – this will include quality assurance procedures, policy and procedures relating to intellectual property, ethics committee terms of reference, applications and their approval, and any other relevant codes of practice; and any policy, strategy and procedures relating to knowledge transfer and enterprise," the ICO said in its guide.

Copyright © 2011, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Phones 4u slips into administration after EE cuts ties with Brit mobe retailer
More than 5,500 jobs could be axed if rescue mission fails
JINGS! Microsoft Bing called Scots indyref RIGHT!
Redmond sporran metrics get one in the ten ring
Driving with an Apple Watch could land you with a £100 FINE
Bad news for tech-addicted fanbois behind the wheel
Murdoch to Europe: Inflict MORE PAIN on Google, please
'Platform for piracy' must be punished, or it'll kill us in FIVE YEARS
Phones 4u website DIES as wounded mobe retailer struggles to stay above water
Founder blames 'ruthless network partners' for implosion
Found inside ISIS terror chap's laptop: CELINE DION tunes
REPORT: Stash of terrorist material found in Syria Dell box
Sony says year's losses will be FOUR TIMES DEEPER than thought
Losses of more than $2 BILLION loom over troubled Japanese corp
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.