The Information Commissioner's Office (ICO), the regulator that enforces the UK Freedom of Information Act 2000 (FOIA), has issued updated guidance reminding public bodies that information contained in private correspondence is subject to FOI laws if it relates to the work of public bodies.
We have become used to very different ways of working in the past two years of pandemic restrictions – prominent amongst those is that many of us now work from home a lot more than we used to (even before the latest encouragement to do so). That can blur the boundaries between home and work, and those who work in the public sector, whether as elected office-holders, officers or employees, are no exception. Workplace communication now happens through a number of channels, including through services such as WhatsApp, with workers often using private devices to communicate with colleagues as much as workplace devices (assuming that workplace devices have even been issued – some employers ask their employees to use their personal devices for work).
But while that sort of informality has seeped into every remote workplace, in the public sector it comes into conflict with FOI laws. FOIA covers all information relevant to a request that is held by a public body or by another person on behalf of the public body, in whatever form. Where employees hold information that relates to their work for a public body, they hold that information on behalf of the public body and not on their own behalf, regardless of the device or application that the information is held on. That makes it subject to FOIA.
The ICO's guidance gives the following as examples:
- Information contained in private email accounts e.g. Gmail, ProtonMail or Yahoo Mail.
- Information contained in private messaging accounts e.g. WhatsApp, Signal or Telegram.
- Information contained in direct messages sent on apps such as Twitter or via Facebook messenger (messages sent in the messaging function of programmes like Microsoft Teams or Zoom would also fall into this category).
- Information contained on private mobile devices, including text messages on mobile phones and voice recordings.
A recent decision of the Scottish Information Commissioner also confirms, for the avoidance of doubt, that the Freedom of Information (Scotland) Act 2002 applies to such information in the same way as FOIA.
What do public bodies need to consider?
It is clearly better – and the ICO recommends – that information is always processed using official channels and devices (and that such channels and devices be made available to public employees to use), or at least transferred to those channels at the earliest opportunity. But where that doesn't happen, a public body must ensure that information exchanged through private channels is capable of being included in any search done in response to an FOI request. The ICO has recommended measures such as:
- Copying any emails sent to or from private accounts to an authority email address;
- Giving employees instructions about transferring or exporting information onto the authority's system;
- Giving employees clear guidance about private conversations on non-corporate channels "drifting" into a discussion about official matters – for example, once a WhatsApp group for the office Christmas party starts discussing policy or operational matters, the conversation needs to be transferred onto official channels; and
- Auto-delete options on personal devices used for work should be in line with the authority's data retention policies.
The measures above should help the authority respond to any request for information, but ultimately if officials and employees are using personal devices and applications for work purposes, if an FOI request is received they will need to be asked to search their own devices and applications for any information relevant to the FOI request, and make a record of the search that they undertook. If the ICO (or Scottish Information Commissioner) has reason to believe information is being concealed, they can obtain a search warrant to check for themselves.
Officials and employees also need to bear in mind that deleting or concealing information they have, including on a personal device, once an FOI request has been received, is a criminal offence.