When companies are subject to the Freedom of Information Act
It is a myth that companies operating in the UK do not need to concern themselves with the Freedom of Information Act.
As companies take an increasing role in providing services outsourced from public bodies, these services are increasingly subject to media and consumer scrutiny to encourage safety, quality and value for money. While Data Protection by Design and by Default are familiar concepts from the GDPR applying to personal data, Transparency by Design and by Default is the underlying concept for the UK’s Freedom of Information Act applying to non-personal data.
The traditional simplistic assumption that the Freedom of Information Act (FoIA) covers only public bodies has now been eroded to the point where any company providing a service to a public body should take steps to understand its risk profile as part of its pre-contract negotiations.
Elizabeth Denham, in her final public engagement before leaving office at the end of November, spelled out to a House of Commons Committee some of the areas of weakness in the current FoIA and the ICO’s lack of powers to fulfil its statutory role. However, companies should not relax, as FoIA requests to them, if refused, are subject to appeal to the ICO and from there to the Information Rights First Tier Tribunal.
FoIA requests apply to companies when …
Issues to which Denham drew attention include the access law’s coverage of all types of communications. She raised the question: “What is the public record and how do you preserve the public record during this time of Twitter and end-to-end encrypted messaging systems?”
The ICO’s website provides helpful interpretation on how public bodies and the companies providing outsourced services should prepare so they can respond to FoIA requests. The guidance explains that there is a right of access to non-corporate communications channels. Information subject to both the FoIA and the Environmental Information Regulations (EIR) on non-corporate communications channels should be transferred onto official systems.
As a result, companies holding information on behalf of a public body should be aware that the FoIA and EIR apply to information held on non-corporate systems, including:
- Private email accounts, e.g. Gmail, ProtonMail or Yahoo Mail.
- Private messaging accounts, e.g. WhatsApp, Signal or Telegram.
- Direct messages sent on apps such as Twitter or via Facebook Messenger.
- Private mobile devices, including text messages on mobile phones and voice recordings.
Companies should prepare at the contract stage to avoid a criminal offence
Companies providing outsourced services should prepare at the contract stage for future unaccustomed public scrutiny leading to reputational damage. For example, I expect that few company managers realise that after receiving a FoIA request, it is a criminal offence under section 77 of the FoIA to erase, destroy or conceal information with the intention of preventing its disclosure.
To avoid such an outcome, the ICO provides helpful guidance on ensuring that staff can access official IT systems and equipment and that there is a clear distinction between official business and non-official communications, as well as detailed advice on records management. All these matters should be discussed during the negotiations before finalising an outsourcing contract.
In practice, Transparency by Design and by Default in the FoIA context means company managers should understand that their public authority clients are strongly encouraged by the ICO to publish as much information proactively and routinely as possible for solid reasons of accountability to the public and as a foundation of a democratic society. (See PL&B UK Report January 2017 p.20 and January 2017 Blog: Freedom of information underlies democracy)
Therefore, both sides need to identify and agree key information about the contract that can be made publicly available. Questions to resolve will include how this information will be provided, by whom, and in what format. FoIA requesters are likely to demand not only the contract itself but also information about the contractor’s performance against Key Performance Indicators. The two sides should list the types of information they intend to publish proactively in an annex to the contract.
New Commissioner’s FoI expertise
Before taking on the role of Privacy Commissioner in New Zealand, John Edwards, the new Information Commissioner, was, among other roles, FoI policy adviser to the New Zealand government. So companies should not expect Edwards to relax Denham’s advocacy of the FoIA.
PL&B will continue to report on the ICO’s work on both data protection and FoI issues.
Publisher, Privacy Laws & Business