Data Protection - Freedom of information

Overview

The Freedom of Information Act 2000 (“the Act”) grants a statutory right for persons to access recorded information held by public authorities.

The Act’s purpose is to enhance openness in Government and other public bodies, with the objective of allowing people to have access to the information they want to see and to ensure transparent decision-making.  As well as being of interest to those seeking information, the Act has an impact on organisations providing information to public bodies, which may include confidential or sensitive information, such as in tenders and contractual arrangements, as they need to consider whether their information is disclosable under the Act.

The Act does not stand alone – access to information is also controlled, in the main, by two other pieces of legislation:

• the Data Protection Act 1998 (“the DPA”) – which is set to be replaced in 2018 by the EU General Data Protection Regulation; and
• the Environmental Information Regulations 2004 (“the EIRs”).

This note focuses on the Act, but also touches upon these two other pieces of legislation.

Scotland has its own similar versions of the Act and the EIRs.  The UK Information Commissioner enforces the DPA in Scotland but there is a separate Information Commissioner based in St Andrews who enforces freedom of information and environmental information legislation in Scotland.

Who can apply for information under the Act?

The Act gives rights to any person, whether an individual, partnership, company, etc and whether or not they are a UK national or resident.
 
What is a Public Authority?

Public authorities are widely defined and include government departments, the Houses of Parliament, the Welsh and Northern Irish Assemblies, local government bodies and bodies and agencies such as health authorities, universities, governing bodies of schools, the police, private companies wholly owned by a public authority and many others.  The Secretary of State is empowered under Section 5 of the Act to designate any person as a public authority if that person appears to exercise public functions or if that person provides public services under a contract with a public authority.  The Freedom of Information (Designation as Public Authorities) Order 2011 and The Freedom of Information (Designation as Public Authorities) Order 2015 have designated a range of new organisations as ‘public authorities’, including the Financial Ombudsman Service (FOS), the Association of Chief Police Officers of England, Wales and Northern Ireland, the Universities and Colleges Admission Service (UCAS) and Network Rail companies.  It is estimated that there are currently over 100,000 public authorities in the UK. 

The Right to Information

Applicants have the right to be told (i) whether or not the information requested is held (the duty to confirm or deny) and (ii) if it is, to have that information communicated.  “Information” is defined very widely.

A request for information must be in writing and must give the name and correspondence address of the applicant and describe the information requested. An applicant should consider requesting the form of response desired (for example, a summary report, hard copies, electronic copies or the opportunity to inspect original documents in person).  The public authority must take reasonable steps to comply with the applicant’s requirements for the response, but if none is stated it may provide the information as it elects.  The Information Commissioner has issued guidance confirming that an applicant’s real name must be provided. Many applicants choose to use professional advisers, such as firms of solicitors, to make a request on their behalf. 

The general rule is that a public authority must comply with its obligations promptly and in any event no later than 20 working days following the date of receipt of request.  Public authorities have a duty to provide advice and assistance in connection with non vexatious requests for information. 

Datasets

Datasets are collections of raw factual data held in electronic form, other than official statistics, which have been obtained or recorded in connection with the provision of a service by a public authority or any other functions of an authority. 
Where information forming part of a dataset is the subject of a request for information and is requested to be provided in electronic form, the Act requires the information to be provided so far as reasonably practicable in an electronic form which is “capable of re-use”, meaning machine readable and based on open standards. Where the public authority owns the copyright and database rights in the information, it must also make it available to the applicant for re-use under a specified licence (see section on “Fees” below).  These provisions, which were introduced into the Act in 2013, are intended to encourage developers to re-use public authority data in new products and applications to create business opportunities and drive growth. 
On 18 July 2015, a new set of regulations called the Re-use of Public Sector Information Regulations 2015 (“RPSI Regulations”) came into force to require public bodies to permit the re-use of documents.  The RPSI Regulations are applicable to many public authorities, but do not apply to information held by public service broadcasters, educational and research establishments and cultural establishments (unless they are libraries, including university libraries, museums and archives, in which case they may but are not obliged to permit re-use).  Furthermore, the RPSI Regulations only apply to information produced as part of the public body’s core role and functions, as defined in legislation or established through custom and practice. Therefore, certain datasets may fall outside the slightly narrower scope of the RPSI Regulations. If a requested dataset does fall under the RPSI Regulations, then the licensing of the dataset for re-use must be dealt with under those regulations rather than under the Act.  This note is not intended to cover the re-use licensing regime under the RPSI Regulations.

Fees

In order to achieve the objective of open access, there will be no charge for information that costs the public authority less than £450 to produce in response to a request under the Act.  For central government the threshold is £600.  Public authorities are, however, entitled to charge for disbursements such as copying and postage costs for providing the information.

If a dataset has been made available for re-use under a licence pursuant to the Act, the public authority may charge a licence fee.  Public authorities are encouraged to use the Open Government Licence, under which no licence fee is payable, but they are also entitled to use a prescribed "Charged Licence" under which they may charge not more than the cost of reproduction, provision and dissemination of the relevant work and a reasonable "return on investment". 

Publication Schemes

In addition to answering specific requests for information, the Act requires all public authorities to make information available proactively by the use of Publication Schemes.  These Schemes specify the classes of information which the public authority publishes or intends to publish and the manner in which the information is to be published.  A new model Publication Scheme was published by the Information Commissioner in 2015.

Where a public authority has been requested to disclose a dataset it holds, it must include that dataset and any updated version it holds in its Publication Scheme (whether or not the dataset was actually disclosed to the applicant), unless it is satisfied that it is not appropriate to do so.  Where reasonably practicable, the dataset should be published in an electronic form which is capable of re-use.

Exemptions

There are 23 specific exemptions which public authorities may use to refuse to provide requested information.  Many of these have a “national interest” element to them, such as information relating to national security and defence, or information where disclosure may be prejudicial to the economic interests of the UK, or prejudicial to the prevention of crime, etc.

Private industry’s main concern under the Act is the effect of sharing information with the public sector, and the potential for disclosure of commercially sensitive information. The obligation to disclose applies to information ‘held’ by a public authority, regardless of its source and could, therefore, include information obtained from commercial third parties. The “confidentiality” and “commercial interests” exemptions are therefore likely to be the main exemptions of interest to businesses that provide information to, or seek information from, public authorities. 

The Confidentiality Exemption

Information is exempt where it has been provided to a public authority by any other person and disclosure of the information by the public authority to the public would constitute an actionable breach of confidence.

The exemption cannot be used to protect information that a business would merely prefer to remain private but which is not confidential – the information must have been disclosed in circumstances where there is an obligation of confidentiality, and must be worthy of protection.  Therefore, even if a public authority has expressly agreed to accept information in confidence or where the information is marked ‘confidential’, the nature of the information itself must be confidential to be protected by the exemption.  The Information Tribunal and courts will also consider the wider public interest in determining whether there would be a breach of confidence.

In addition to the above, the confidential information must have been obtained by the public authority from another person.  The Information Tribunal has taken the view that generally, the terms of an agreed contract (including commercially sensitive information such as pricing) do not constitute information that has been obtained by the public authority from another person. Instead the courts consider a contract to be a record of the rights and obligations of the parties, rather than the flow of information from one party to the other.  However contract content that relates to the supplier (e.g. a technical specification) may still be treated as ‘confidential’.

The Commercial Interests Exemption

This exemption has two parts. First, it prevents disclosure of a “trade secret” and secondly it protects against any disclosure that “would, or would be likely to, prejudice the commercial interests of any person”.

A trade secret is automatically exempt from disclosure, regardless of the potential consequences of disclosure. A trade secret is not defined in the Act but in government guidance notes the term is stated to cover secret formulae and recipes, and it could even extend to the names of customers or a company’s pricing structure.

The second part of the exemption is likely, in practice, to be more difficult to establish, as ‘prejudice’ to commercial interests must be shown.  In addition, whichever part of the exemption is applicable, the public authority must, before a decision on disclosure is made, consider the public interest in disclosing or withholding the information, i.e. does the public interest in applying the exemption outweigh the public interest in making the disclosure?

Implications for Business

Businesses need to manage the information that they make available to public authorities and consider what can be done to protect any sensitive information from disclosure under the Act, bearing in mind that the exemptions in the Act do not create a ‘blanket’ exemption for all information in a particular category.  In each case, it is left to the public authority to consider its duty of disclosure and relevant exemptions. 

A dialogue with public authorities may be required to assess if an exemption applies to the requested information.  The Code of Practice issued under Section 45 of the Act (the Code) states that in a variety of other circumstances it will be good practice for public authorities to consult with persons to determine whether or not an exemption applies.   The Code also makes clear it may be advisable to consult third parties to assess if further explanatory guidance ought to be provided along with the information requested (for example, copyright restrictions). 

On a practical level, there are a number of steps businesses can take to try to safeguard their own information, including:

• implementing systems to identify the information already held by public authorities;
• reviewing what information needs to be divulged to public authorities in the future;
• developing policies on the disclosure of information, and who gives (and is authorised to give) what information to which public authority and on what basis, and the application of the exemptions to categories of information disclosed;
• requesting information about themselves to see what is disclosed;
• consulting with public authorities. Representative organisations and individual contractors need to raise and discuss these issues with public authorities to ensure that arguments on the application of the exemptions are put forward, properly argued and recorded;
• agreeing with the public authority, from the outset, the information that is considered to be confidential;
• drafting information of a technical nature or trade secrets in a separate schedule to the contract so that it can easily be redacted.

The Act offers businesses the opportunity to obtain from public authorities information about others which may be valuable and which is not otherwise easily available.  Businesses should have a policy of accessing information which may be helpful to their business plans.  This could include information about the background and context of particular regulatory regimes, the background and likely development of rules and policies, the application of regulatory, licensing and consent regimes and information relating to public contracts. 

Relationship with the DPA

The DPA governs the processing of “personal data” and has its own regime for allowing access to personal data by individuals who are the subject of the data.  The relationship between the two pieces of legislation is complex.

The only ‘data’ protected by the DPA had been limited (in the main) to electronic data and that forming part of a ‘relevant filing system’.  However since the Act ‘data’ under the DPA also covers any data recorded by a public authority.  This means that individuals will have rights of access under the DPA to a potentially far broader category of personal data when seeking their own information from public authorities.

Note that requests for personal data relating to a third party will be dealt with under the Act – although disclosure still may be exempt, e.g. on the grounds of confidentiality.

Relationship with the EIRs

The EIRs came into force to coincide with the introduction of the Act, replacing earlier 1992 Regulations.

If a person makes a request for “environmental information” from a public authority, such request is exempt from disclosure under the Freedom of Information Act – the request falls to be considered under the EIRs.

“Environmental information” is widely defined, including, e.g. not only information directly concerning the state of any site, but also reports and analyses prepared.  Public authorities under the EIRs extend beyond those defined in the Act, to cover any entity carrying out public administration and any entity under the control of a public authority which has environmental responsibilities, such as water, energy and other companies with environmental responsibilities.

Government Responsibility and Guidance

Overall responsibility for the Act lies with the Ministry of Justice.  However, the Information Commissioner has obligations to publicise the Act, to deal with complaints and to enforce its provisions.  Both the Ministry of Justice and the Information Commissioner have published separate guidance notes on the Act. 

Sanctions

The Information Commissioner may not issue fines for breach of the Act, nor may it award compensation to aggrieved businesses and individuals.  If the Information Commissioner considers that the Act has not been complied with it can issue “enforcement” notices.  Failure to comply with notices can ultimately result in a court finding the public authority in contempt of court.

Should you have any concerns or queries about any aspect of the information contained in this briefing note, or if you are uncertain as to how and to what extent these changes will affect you or your business, please contact Beverley Flynn on 01483 734264 or Beverley Whittaker on 01483 734281.

This information is necessarily brief and is not intended to be an exhaustive statement of the law.  It is essential that professional advice is sought before any decision is taken.

© Stevens & Bolton LLP April 2016