15 December 2011

UK ICO guidance on private email accounts

The UK Information Commissioner's Office (ICO) has just issued a guidance note related to whether official business communicated via private or non-governmental channels (such as via gmail, or SMS texts) can be considered 'held' on behalf of the the authority for the purposes of FOI.

Unsurprisingly (given past hints), the ICO has stated clearly that any communication that is related to 'official business' wherever it is stored (and on whatever medium) is FOI-able. Public authorities will now be requested to ask relevant people to search, and to document that search, their personal email accounts where relevant to any specific FOI request.

It is worth noting that this guidance goes considerably beyond equivalent US legislation where 'information held' is defined more strictly as being information that the agency has access to and control over - neither of which apply to gmail accounts.

However, while this makes sense in light of the UK law as written, it is likely to be problematic for a number of reasons. By its very nature, private email accounts will, in general, contain a much higher proportion of non-official correspondence, and inevitably, in a more informal style. There is no way to prove ahead of time that no official business was conducted via the personal account of any authority employee (any simple claim of this is likely to be appealed, and on past form the ICO will grant that appeal since no evidence can exist that demonstrates the negative in a comprehensive way short of an actual search of the account).

Thus for many FOI requests of a general nature (which are quite common in the US), such as requests for correspondence using specific terms or referring to a specific website or person, it will automatically require that all personal accounts will need to be searched. The ICO thinks this will be 'rare' but it practice it is likely to become far more common than he anticipates, even mundane. Given the search which, depending on the phrasing of the request, might lead to a huge amount of results, determination will need to be made as to whether each and every individual email counts as being 'official'. Who will determine this? If it is to be the authority FOI official, the privacy of the individual concerned will clearly be compromised - what if some of the potential responsive email expresses dissatisfaction with the job, and a desire to apply for something new? Or reveals an affair with a work colleague? If it is to be the individual themselves, there is an obvious issue with interpretation: determinations are related to legal precedent and require experience that any specific individual is unlikely to possess. (Of course, should this become to onerous, the exemptions for 'too much time needed' will apply). Employing a neutral third party to process the emails is conceivable but would clearly be an extra and unfunded burden on the authority.

Worse, FOI requests may start to specifically target private emails on the anticipation that the determination of official v. non-official will be indistinct, and perhaps a little arbitrary. Remember there is no restriction on what can be asked for - all emails containing an expletive perhaps, or emails related to something sexually suggestive. By the very nature of this ruling, all that is required is that there is a suspicion (justified or not) that some official communication might be caught by these terms to start the process of searching, and sifting through people's private mail. Regardless of how scrupulous any employee is in separating their personal and professional lives, they will still be forced to turn over their private mail.

While this may well not have been the intent of the law, the consequence of this guidance is that no-one working for a UK public authority has any private space in which to communicate. The irony is that the guardian of privacy law in the UK is also the Information Commissioner.

No comments:

Post a Comment