27 September 2011

ICO FOI guidance for universities

The Information Commissioner's Office in the UK has issued a new guidance for Universities and other institutes of Higher Education on dealing with FOI and EIR requests.

This is welcome for a number of reasons, and though it is quite clear, it also raises some additional questions.

One thread comes across clearly in the advice, and that is that any exemption claimed that is subject to a public interest test must be thoroughly supported. In a number of the cases highlighted in the advice (the QUB/Ballie tree ring case, or the CRU dataset case), the decisions were based not on the manifest inappropriateness of the exemptions claimed, but on the specific lack of clear and sufficient support to invoke them. Given the lack of precedent in these cases, one might expect future ICO appeals to be defended more robustly if these exemptions are to be claimed.

There are some positive statements in the advice regarding whether peer review documentation - either reviews performed or received by a covered academic - is exempt under sections 36 and 41 of FOI. In the MRC case, the expectation of confidentiality in peer review, and the need for a 'safe space' for frank discussion of a proposal's merits were made clear and were upheld as valid reasons for an exemption which no public interest trumped. The ICO is careful to state that this is not a blanket exemption for all peer-review material, but it is hard to see how these justifications do not extend to all such requests, absent some overwhelming public interest which, though conceivable in theory, is hard to see ever applying.

Another welcome clarification is related to the exemption for "information intended for future publication". This will cover almost all unpublished data or analyses, as long as the requestee can demonstrate that the data was really being worked on with an intent for future publication at the time of the request. This will be tested in a specific case mentioned here previously where Steve McIntyre has appealed the refusal of UEA to release an unpublished analysis related to tree ring reconstructions.

More worrying are the ICO statements regarding personal email accounts. These are email accounts (on gmail, hotmail etc.) that are not controlled by the university. Since there is no statutory requirement for UK academics (or any other academics as far as I know) to solely use university email for academic or university communications there is a clear possibility that information that would be FOI-able if located on a university server will reside on private email servers. (NB. US government business at the Executive Office level - ie. the White House - does have a requirement via the Presidental Records Act to be conducted on official computers - but in this case there is an absolute exemption under US FOI for material related to discussions made by the executive - so it is not particularly relevant).

In the US, the first test of whether a document is FOI-able, is whether an agency has control of the document. In the case of a document on a gmail server, the answer is obviously no. It is hard to imagine what might compel Google to release any private email records to an agency (short of a court order, which is not within the power of the agency to produce). Fourth amendment protections against unjustified search would almost certainly trump any FOI justification.

The ICO, however, seems to suggest (section 2.3that "if the information held on a personal email account is related to public authority business, it is likely to be held on behalf of the public authority in accordance with s3(2)(b) of FOIA" and that FOI officers should "consider whether it is appropriate to ask a member of staff whether they hold information in a personal email account". There are no cases given of this occurring, but it is unclear under what authority a university could compel the turning over of information from a gmail account. This is clearly an issue which bears further watching, and will probably require a test case to determine the limits.

No comments:

Post a Comment