As well as considering exemptions under the Freedom of Information Act 2000 (FOIA), it is always important for HEIs to assess whether the information requested is “held” by them within the meaning of FOIA. If it is not, then the information falls outside the scope of FOIA entirely. There have been several recent cases on this point, and the Information Commissioner’s Office (ICO) published new guidance earlier this year.
Section 3(2) FOIA expands upon the core concept of a public authority “holding” information. That section states that information is “held” by a public authority if (a) it is held by the authority other than on behalf of another person, or (b) it is held by another person on behalf of the authority.
It follows from section 3(2) that where the information is held by an HEI solely on behalf of another person, it does not “hold” the information itself for the purposes of FOIA. In practice, however, it is often far from clear how this test should be applied.
The need for an “appropriate connection”
The leading case on this issue is University of Newcastle upon Tyne v BUAV (2011). In this case, it was ruled that there must be an appropriate connection between the university and the information, for it to be “held” by the university within the meaning of FOIA.
The recent ICO guidance, published in February this year, contains a longer list of factors which might indicate that the information is solely held by an HEI for another person. These include the following:
- the HEI has no use for, or interest in, the information;
- access to the information is controlled by the other person;
- the HEI does not control or assist in creating, managing or amending the information or its retention or removal; and
- the HEI is merely providing storage facilities for the information.
Private emails using university email addresses
The guidance also clarifies that “non-official communications” within an HEI do not constitute information “held” by the HEI for the purposes of FOIA. This would typically be the case for private emails to or from employees of the HEI which are sent and received via the HEI’s email system, and stored on its email servers.
A good example of this is Montagu v IC & Liverpool John Moores University (2012), which concerned a private and personal email sent by a senior member of the university staff, using his university email account, but which concerned his own private research. In that case it was ruled that the university did not “hold” the information, due to lack of the necessary connection between the private research and the work undertaken by the university.
The recent case of Keiller v IC & University of East Anglia (2012) also touches on a number of these issues. This case concerned the so-called “Climategate” affair, surrounding the Climatic Research Unit based at UEA and various claims made in the press concerning alleged manipulation of its research data in order to support the case for climate change. The case involved a request for a specific email written, but subsequently deleted, by a member of the Unit (ie an employee of the university). There was a back-up copy of the email, but the back-up server was in the possession of the police, who had launched an investigation of their own into the affair. The university had accordingly refused the request on the basis that it did not “hold” the requested email.
The First-Tier Tribunal (Information Rights) (FTT), which hears appeals from notices issued by the Information Commissioner, disagreed. It ruled that as a matter of common sense the back-up server was still in the control of UEA, and as such the information contained on it was still “held” by UEA.
In particular, the FTT did not accept UEA’s argument that the email would probably have been deleted from the back-up servers anyway, if they had not been relinquished to the police. In this respect the FTT pointed to the apparent lack of any coherent university policy on the retention and deletion of emails.
Practical points to consider
A lack of a consistent policy was one of the issues which hampered UEA (as mentioned above). So it is important to ensure that you have a detailed and robust data retention policy, which also covers the management of information on back-up servers.
You should also consider how easily information can be obtained from back-up servers from a technical perspective, and what the cost implications of this might be, as clearly both of these issues may be relevant to the response made to an information request.