Tag Archive for Email

FOIMan’s FOI Inbox

FOIMan answers your questions in the latest issue of the Freedom of Information Journal.

I recently put out a call to practitioners for their FOI problems with a view to featuring them (and my solutions) in one of my articles for the Freedom of Information Journal. You can now read the results in what I hope will be the first of a semi-regular feature: FOIMan’s FOI Inbox.

Problems posed in the first of these articles are:

  • when can small numbers be refused as personal data (if you shouted out ‘five or less’ or similar just now, you can do three laps of the sportsfield – rounded up to five, of course – right now…go on, off you go *folds arms, raises eyebrows, P.E. teacher-style*)?
  • do public authorities have to provide an email address to which FOI requests can be addressed?
  • how do you work out whether information in the possession of contractors is held for FOI purposes, especially when many contractual relationships are so complex?

Thanks to Gillian, Sarah and Mark for contributing the questions this time around. If you’re an FOI Officer struggling with any FOI or EIR issues, please do get in touch with myself or the FOI Journal editor and I’ll try to answer your query in print in a future issue.

FOI-avoidance or good records management? Cabinet Office Email Policy

FOIMan wonders if 90 day retention of email by the Cabinet Office is a conspiracy, or if it could be a (clumsy) attempt at governance.

The Cabinet Office

The Cabinet Office

The FT has a piece this morning stating that the Cabinet Office routinely deletes email after 90 days. It argues that this is evidence of the Cabinet Office deliberately avoiding FOI. Cue outraged voices from all quarters.

However, this may not be the dark conspiracy that everyone supposes. Email causes significant problems for those responsible for managing information in all organisations. Despite the fact that it has been around for years, there is no generally accepted approach to managing it. Records management consultant James Lappin wrote a really good piece a couple of years ago outlining the options and their shortcomings. Amongst them is the option of automatically deleting email after a short period.

The argument in favour of this policy is that most email is ephemeral. Keeping it all forever isn’t an option for various reasons (including data protection requirements). But some emails are important records. What you need is to identify a way to encourage staff to file the important emails. But staff tend to put off filing. So the aim of the 90 day retention policy is to force staff to file key email because if they don’t it will be gone forever.

There are of course weaknesses with this policy. Staff may still fail to file things and then they are lost. It is usually easy for staff to find ways to get round the policy by creating folders and moving all their email into them in bulk before the 90 days is up. Their intention is to get round to weeding and filing them at some point but it never happens. As the FT article demonstrates, the policy can be readily misinterpreted. But it is a policy widely adopted because at least it is an attempt to manage the chaos of the email server.

My understanding is that this policy was adopted by many government departments in 2004. It was a policy that we adopted at the Greater London Authority possibly at my suggestion (it’s a long time ago). The intention – at least on my part – was to manage email, not to bypass FOI. As I’ve previously argued, retaining everything would be impractical – it might even reduce the likelihood of information being disclosed, as the section 12 limit would more often be an issue. And I should be clear – the intention was never that all emails would be deleted; it was to encourage staff to take action by identifying and keeping the emails that were formal records. My strong suspicion is that staff in the Cabinet Office are encouraged to do the same. This is not about deleting ALL emails; staff should be saving emails which document key decisions within whatever records management system is in place within the Cabinet Office.

One of the reasons I advocated it was that it was a policy which had been adopted by a previous employer. That employer wasn’t in the public sector, and didn’t face the prospect of receiving FOI requests. I saw it as a legitimate and established way to address the management of email.

None of this is to say that the policy hasn’t become a convenient way for the Cabinet Office to avoid having to answer certain questions. As a policy it has significant weaknesses and it is not necessarily one which I would advocate now. Given the complaints made by the officials quoted by the FT, the approach doesn’t seem to be working well for the Cabinet Office’s staff (although it’s also possible that those quoted ignored the instructions they were given on email filing). If I was advising the Cabinet Office (not very likely, I grant you), I would be advocating a different approach, not least because of the obvious reputational harm that it is causing.

As I’ve written before, records managers do need to consider the political ramifications of their advice and policies. But my strong suspicion is that the 3 month email policy was not – at least initially – proposed as a way to avoid FOI. It was just one of many options for managing email – and every single approach that I’ve ever used or read about has its shortcomings.

Records Management, FOI and Email – a podcast

FOIMan brings you a recent podcast from the Information & Records Management Society on private email accounts, FOI and records management.

As indicated in my last post, my usual long, considered (possibly verbose) blog posts will continue to be infrequent for a month or so. In their absence, I’m going to provide links over the next few weeks to a number of publications and other resources that I’ve contributed to this year, and that you might find interesting and/or useful.

First up, at the end of September, records management consultant James Lappin came to meet me for a chat about FOI, private email accounts and the implications of all of that for records management. You can hear the result in the second installment of the IRMS podcast series.

James and his fellow consultant, Heather Jack, have also interviewed Canadian records management expert Chris Walker about auto-classification of records, and Hugh Hagan of the National Records of Scotland on the Public Records (Scotland) Act.

Incidentally, I wrote recently on Act Now Training’s blog (Blog Now) about records management and the importance of just getting on with it. I run the Records Management A-Z training course for Act Now and will also be developing a Records Management and the PR(S)A course which will run for the first time in Edinburgh next May. More details can be found on the Act Now Training website.

Cabinet Office issues new guidance on private email accounts

FOI Man looks at new guidance issued by the Cabinet Office which appears to directly contradict the Information Commissioner.

Email is a fraught subject for information managers. Take this recent (and rather excellent) blog post from records management consultant James Lappin. As James makes clear, few – if any – organisations have really got a handle on how the valuable information held in email should be retained and managed.

And that’s just the email held in corporate accounts. If staff or others use their own private email accounts to conduct organisational business that creates a whole new complication. Especially if you’re a public authority and that business might be subject to the requirements of the Freedom of Information Act.

Now unless you have a very short memory, you will recall that the Coalition Government has had its fingers burnt in this area before. Through clever use of both FOI and the Data Protection Act (and useful leaks), Financial Times journalist Chris Cook established that Education Secretary Michael Gove and some of his special advisers (or Spads) had been using private email accounts to conduct business which appeared to many (eventually including the Information Commissioner) to be Government business. It was suggested that this had been done to avoid potential disclosure of the emails through FOI.

Following this controversy, the Information Commissioner issued guidance to public bodies which confirmed that email held within private email accounts could indeed be subject to FOI, and what his approach to this tricky issue was.

If I were a Government that had been accused of trying to avoid proper and lawful scrutiny through the use of private email accounts to conduct government business, I think I might want to take a “whiter than white” approach to these matters in future. I’d want to make sure that I followed the Information Commissioner’s line on the issue to the letter, so that nobody could put so much as a hair between my approach and that of the regulator. That seems sensible doesn’t it?

So imagine my surprise as I read the Cabinet Office’s new Guidance to Departments on the Use of Private Email, published perhaps less surprisingly late last Friday afternoon. The guidance starts off by pointing out that it should be read in conjunction with the Information Commissioner’s guidance. So, obedient to the last, I’ve done just that. Let’s see what they say, shall we?

Information Commissioner:

“There is a need to have a clear demarcation between political and departmental work.”

Cabinet Office:

“The originator or recipient of a communication should consider whether the information contained in it is substantive discussions or decisions generated in the course of conducting Government business…”

Information Commissioner:

“In order to avoid the complications of requesting searches of private email accounts, and other private media, records management policies should make clear that information on authority-related business should be recorded on the authority’s record keeping systems in so far as reasonably practicable.”

Cabinet Office:

“Civil servants and Ministers are generally provided with access to Government email systems. Other forms of electronic communication may be used in the course of conducting Government business.”

Information Commissioner:

“When a request is received, public authorities should consider all locations where relevant information may be held. This may include private email accounts.”

Cabinet Office:

“As set out above, it is expected that Government business should be recorded on government record systems. It will generally be reasonable to search only within those systems when a request has been received.” [so presumably, any FOI Officer asking a Minister if they have emails relating to Government business in their private email account will be considered unreasonable]

Information Commissioner:

“Public authorities should also remind staff that deleting or concealing information with the intention of preventing its disclosure following receipt of a request is a criminal offence under section 77 of FOIA.”

Cabinet Office:

[Silence falls. Tumbleweed rolls down Whitehall.]

Now to be fair to the Cabinet Office (no, come on), some may see these differences as subtle and perhaps it is only my world-weary cynicism that leads me to see conflict. But the final section of the Cabinet Office guidance dealing with The Freedom of Information Act and searches for information sees the Cabinet Office take a running jump away not just from the Information Commissioner’s guidance, but also from any reasonable interpretation of the legislation itself.

“The FOI Act allows people to request information; it does not give the requester any power to dictate where the department should search for that information. It is for the department to consider where the information might be and to take reasonable steps to find it.”

I’m sure that it’s just a coincidence that Chris Cook has made a spate of requests to the Cabinet Office and Department for Education asking for information sent by individuals on Government business using private email accounts. Surely the Cabinet Office couldn’t be so touchy as to write a policy just to thwart the efforts of a single journalist?

But the point is that FOI doesn’t place any limitations on the way that requesters should ask for information. They merely have to describe “the information requested” (FOI, s.8). If that description happens to include the location that they believe the information can be found in, the only reasons why a public authority would not be obliged to provide that information is if an exemption applies to it, if the request is considered to be vexatious, or if to provide the information in that location would exceed the appropriate cost limit.

But you don’t have to take my word for it. The Information Commissioner’s Office issued a decision notice (not yet available on the ICO website) to the Cabinet Office the week before this guidance was published making exactly the same point.

Chris Cook had made a request for “copies of emails relating to the government’s education reforms, sent between the Prime Minister and a special adviser, using non-GSI email accounts”. Given the events described above in relation to the Secretary of State for Education, it can perhaps be understood why such a request might be made. The Cabinet Office argued (as in their guidance) that FOI did not allow requests for information by reference to a particular location or medium, and that Chris’s request was therefore not a valid request. The Information Commissioner concluded that Chris’s request was indeed valid for the reasons I’ve suggested above.

So the week after the Information Commissioner has explicitly stated to them that a request for information held in a specific location is a perfectly valid request, the Cabinet Office have published official guidance to Government departments contradicting the Commissioner’s view. Not for the first time, this Government appears to be interpreting the law to suit itself in the face of all the facts, and raising a single finger in the direction of the Information Commissioner.

Why not just publish everything?

I’ve been meaning to write this post since I read last week about Harrow Council. Their Head of Law was reported in The Lawyer as saying:

“The default model for most councils is that we won’t give anything away unless we have to…I want to turn the whole edifice on its head. I want us to move away from the defensive position of keeping everything to ­ourselves. I want to say that everything’s public except for a few obvious areas.”

Freedom of Information campaigner and journalist Heather Brooke Tweeted that “Finally a British Council sees sense.” Surely this is exciting news for us all. The walls are falling down. Us FOI Officers can pack our bags and head off into the sunset, secure in the knowledge that our work here is done. Maybe not.

Everybody assumes that information is in handy readable chunks that can readily be published on websites, and it’s only because public authorities are all terribly secretive that they’re not there already. There may well be reports that Harrow could be publishing on its website, and as many authorities are now beginning to do, and the Protection of Freedoms Bill aims to encourage, they can make many of their datasets (ie databases) available on their website. But beyond that, there’s a big fat problem.

Email. Or correspondence in any format, for that matter. A large proportion of FOI requests across the country are for correspondence on particular issues. And much of it won’t be exempt.

But how do you cater for that in Harrow’s model? Do you ask people to tick a box whenever they send an email to indicate if it is likely to be exempt under FOI? Do you then automatically publish any email that hasn’t been ticked? What happens if somebody doesn’t realise that the content of the email is sensitive? What if they accidentally forget to delete an email trail? And do you really want to know that I met Bill from Accounts for lunch at 1 on Friday? And even if you can set up such capabilities on an email system, it is likely to involve the introduction of expensive technology. Staff will begin to argue that time is being wasted working out which box to tick when they send an email. If you avoid the technological route, you still need staff to spend time afterwards working out whether correspondence can be published. And imagine the capacity required on the web server…

My point is that whilst it’s great that public authorities are looking at ways to be more open, it’s important not to oversell what they’re doing. I don’t imagine that Harrow are contemplating publishing all emails for a moment. Yet that’s how most business is carried out in organisations across the country.

What they’re really talking about, I imagine, is publishing reports and policies to their website rather than their intranet as a default. There are already some organisations that take that approach, and I’d agree that it’s a welcome move and could have potential to save money. But don’t expect to see public authorities up and down the country rushing to publish the contents of their email inboxes.