This guide is based on UK law. It was last updated in March 2008.
The Freedom of Information Act 2000 and the Freedom of Information (Scotland) Act 2002 ("the Acts") came into full force on 1 January 2005, giving individuals a statutory right for the first time to see a huge amount of information held by Government departments and public bodies. The Data Protection Act ("DPA") has traditionally provided individuals with a right of access to information held about themselves, the new Acts extend this right to cover information about third parties as well as any other information that may be held by the public authority.
Under the Acts, anyone of any nationality, and living anywhere in the world, can make a written request for information, and expect a response within 20 working days. The public authority will be obliged to meet that request subject to a number of specified exemptions and certain practical and financial constraints.
The Acts impose a substantial burden on those responsible for administering freedom of information (FOI) requests in public authorities, with over 4,000 requests in the first month of operation. However it is not only public authorities that have been affected by the Acts. Whilst the primary impact of the Acts will be on public authorities, the Acts will have a knock on effect on companies dealing with public authorities.
What does this mean for public sector employers?
The public sector employer is to a large extent caught between a rock and a hard place. Whilst the aim of the Acts is to increase openness in the public sector and disclosing information about decisions and activities of employees may promote this, it is recognised that employees also have legitimate concerns over privacy and rights to have those concerns respected.
With this delicate balancing act, how should the employer prepare for requests made by third parties about their employees? They could consider the following factors:
The employer should draw up a policy setting out how it intends to deal with requests for employee information to provide a clear view of how information will be dealt with under the Acts. This policy should be made available to all employees and ideally published on the publication scheme (required under the Acts for all public authorities) for all to see. Policies could cover what types of information and in what circumstances information will or will not generally be disclosed and also what issues will be considered in determining whether to disclose employee information. Issuing this policy will help the authority to meet its DPA obligations to employees.
Know your information
Records management is important. Try to know what personal data you have. This will also be useful in dealing with subject access requests under the DPA and consider separating or flagging information at the point of collection or creation to information which is not exempt from third party requests and other information.
One potential factor to consider when determining whether information should be disclosed is what the employee was told when the information was collected. With this in mind, the authority could consider alerting new employees to the potential for disclosure of employee information under the Acts by including a notice on induction. Including FOI as part of new employees' training would provide them with a greater understanding of the authority's obligations under the Acts and also the relevant exemptions. Consideration should also be given to alerting employees of their right to object to the processing of personal information (which includes making disclosures) if there is a likelihood of them suffering substantial damage or damage and distress under section 10 of the DPA.
Give notice of, or consult the employee about, any proposed disclosure and certainly where there is any doubt as to whether the information should be disclosed.
Impact on private sector employers
Although it may seem that the Acts will only be relevant to public authorities, in practice they will also have an affect on the private sector. While there are limited circumstances where a private company may be deemed a public authority for the purposes of the Acts (and therefore required to disclose information that it holds), the more concerning affect of the Acts relates to information that the private sector businesses hand over to the public sector.
Most public authorities contract on a regular basis with private sector companies for the provision of goods and services. Many of these contracts contain sensitive information which the private sector company would rather not be disclosed. However, all of this information is held by public authorities and, in theory, is now accessible by anyone requesting it.
What can private sector businesses do to protect their interests? They may consider the following factors:
Put in place clear internal policies.
Make it clear which individuals are authorised to release information to public authorities and identify individuals to liaise with public authorities with regard to monitoring the information once the authority has it.
Raise awareness within the organisation of the risk that any information disclosed to a public authority may potentially end up being disclosed to a member of the public or a competitor.
Manage information that is provided to public authorities.
Identify which customers may be public authorities and review what information is provided to them. Record what information is provided to aid monitoring of this.
If information is particularly sensitive, consider whether it is really necessary to disclose it.
Amend standard terms and conditions used for dealing with public authorities to include drafting to minimise the impact of the Acts. Blanket confidentiality clauses are no longer likely to be accepted by public authorities or by the Information Commissioner. Consider segregating confidential and non-confidential material to reduce the risk of inadvertent disclosure and to increase the likelihood of the confidentiality exemption applying.
Consider negotiating a clause in the contract which provides a right to be notified about and make submissions in relation to an information request that may contain employee / commercially sensitive information. This is important as if a decision made by the Information Commissioner is unfavourable to you, it will be the decision of the authority not you as to whether to appeal or not. There is no obligation on the authority to consult any interested third parties.
You should consider implementing a procedure to ensure that if a request for comments is received from a public authority, that you have procedures in place to ensure that this request is dealt with promptly and effectively so that your views are put forward and considered in good time.
Be aware that information which is passed to public authorities may contain employee information. Thought should be given to consulting any affected third parties prior to releasing the information. Consider providing induction training on FOI, amending your data protection notices and alerting employees to their right to object to disclosure of information under section 10 of the DPA.
Use the Acts to your advantage
Consider what types of information might be available from the public sector to assist your business and make use of your own rights to access that information. Training employees about the Acts will increase your effectiveness in this area.
It is clear that both the public and private sector have been significantly affected by obligations imposed by the Acts, albeit in different ways. It is essential for both sectors to implement policies, training and raise awareness within their organisations as to how the Acts should be dealt with within their individual business.