The UK Information Commissioner’s Office published guidance yesterday which confirms that information held by public authority employees in their private e-mail accounts and in SMS messages which relates to the official business of the public authority may be the subject of freedom of information requests.
This is because such information would be considered as being held by the employee on behalf of the public authority. While the guidance relates to the UK Freedom of Information Act 2000, it is of equal relevance north of the border where the relevant legislation is the Freedom of Information (Scotland) Act 2002.
The guidance provides that where a public authority receives an FoI request, it must consider all locations where the requested information may be held, which may include its employees’ private e-mail accounts and SMS messages stored on employees’ mobile devices (the latter is more likely to be the case where employees have been provided with such mobile devices as part of their employment).
Before a public authority asks employees to carry out searches of their private e-mail accounts and mobile devices, it should consider:
- the focus of the request
- the subject matter of the information
- whether the information was sent to an individual in a work or personal capacity
- if a private means of communication was used because no official channel was available or was not appropriate at the time (this may be the case because of the sensitive nature of the matter)
Public authorities should keep records of any such action taken to ensure they are able to show that appropriate searches have been undertaken in response to the request, particularly if its handling of the request is subsequently subject to scrutiny by the Information Commissioner.
The guidance also provides a useful reminder to public authorities that concealing information with the intention of preventing its disclosure in response to an FoI request is an offence under the 2000 Act (and also the 2002 Act). Public authority employees should therefore exercise caution before deleting e-mails and SMS messages in their private e-mail accounts and mobile devices, respectively. To get round this, the guidance suggests that, when conducting official business from their private e-mail accounts, public authority employees should copy the correspondence to their official e-mail addresses (if appropriate) to ensure that a record is maintained on the public authority’s systems. Guidance to employees on such issues should be included in a public authority’s records management policy.
While the subject matter of the guidance should not come as a surprise to public authorities, particularly in light of the broad definition of information contained in both theUKand Scottish Freedom of Information Acts, it is likely it will give rise to an increase in the number of FoI requests for such information. Public authorities should therefore update their records management policies and provide training to their employees to ensure they are aware that any information relating to official business contained within their private e-mail accounts and within SMS messages stored in their mobile devices may be the subject of an FoI request and disclosed – unless, of course, an exemption from disclosure applies.