About this detailed guidance
This guidance discusses how the Freedom of Information Act (FOIA) applies to official information held in non-corporate communications channels. This includes private email accounts, private message accounts and other similar media. It is written for use by public authorities.
The guidance focuses on the importance of ensuring that you transfer official information on non-corporate communications channels onto your official systems. Although the guidance comments on records management issues in the context of such transfers, it does not address what information you should retain on your official systems for the purposes of record keeping. Instead, that issue is covered in the section 46 Code of Practice (the Code).
Although this guidance refers to FOIA, the concepts apply equally to the Environmental Information Regulations (EIR). Read it if you have questions not answered in the Guide, or if you need a deeper understanding about this topic.
- How does the FOIA apply to information held in non-corporate communications channels?
- What is the ICO’s approach to such information?
- What should we do as a public authority?
Section 3 of FOIA sets out the two legal principles which establish whether you hold information for the purposes of FOIA.
“(2) For the purposes of this Act, information is held by a public authority if—
(a) it is held by the authority, otherwise than on behalf of another person, or
(b) it is held by another person on behalf of the authority.”
Section 3(2)(b) provides that, in circumstances where another person holds information on behalf of a public authority, the information is considered to be held by the authority for the purposes of FOIA. It is this sub-section that is of relevance to information held in non-corporate communications channels.
Section 84 contains the definition of information in FOIA and states that “‘information’ … means information recorded in any form”.
This means that official information held on a public authority’s behalf could be contained in a number of non-corporate channels or locations, including:
- In private email accounts eg Gmail, ProtonMail or Yahoo Mail.
- In private messaging accounts eg WhatsApp, Signal or Telegram.
- Direct messages sent on apps such as Twitter or via Facebook Messenger.
- On private mobile devices, including text messages on mobile phones and voice recordings.
The ICO recognises that technological changes mean that new messaging apps, platforms and channels are developed over time. Therefore, you should not assume that the above is a definitive list of non-corporate communications channels.
The use of non-corporate communications channels for official business is an issue that has arisen across a range of sectors. This reflects the emergence of new technology since FOIA came into force and the practical realities of how some working within public authorities have, at times, communicated.
However, such channels create a number of risks and potential challenges to compliance with FOIA and adherence to the Code. We discuss these risks and challenges in further detail below, along with a number of mitigating measures.
As far as reasonably practicable, you should always ensure that you use corporate channels for official business. Where this is not possible for whatever reason, you should make arrangements to store official information on your corporate systems as quickly as possible.
You should also always remember that information held in non-corporate communications channels may be subject to FOIA if it relates to the public authority’s official business. Regardless of whether you hold it in an official or non-corporate communications channel, all such information held by someone who has a direct, formal connection with the public authority is potentially subject to FOIA. If the information held in a non-corporate communications channel amounts to public authority business, it is very likely to be held on your behalf in accordance with section 3(2)(b). However, such information may be exempt under FOIA and you would not necessarily have to disclose it.
Determining whether information relates to the public authority’s official business depends on the context and content of the information itself. The ICO published detailed guidance on section 3 of FOIA and on the issue of determining whether information is held for the purposes of the legislation.
Information in non-corporate communication channels that does not relate to the business of the public authority would not be subject to FOIA.
IT provision for staff
You should ensure that staff can access official IT systems and equipment. This should mean that they do not need to use non-corporate channels and personal devices in order to undertake their roles. This is particularly important as organisations shift to more agile ways of working.
If staff repeatedly use non-corporate communication channels, this may signal that you need to review the capability, usability and limitations of your current corporate channels. You may need to either update your policies or provide additional corporate communication options.
Demarcation between official and non-official information
In any sector, it is important to ensure that there is a clear demarcation between official business and non-official communications.
In the context of central government, there is a need to have a clear demarcation between political work and departmental work. In the context of local government, there is a need to have a clear demarcation between Council business and work for individuals as their local representative.
In the case of King’s College, Cambridge v Information Commissioner (EA/2012/0049 & EA/2012/0085), the Tribunal considered a number of requests for information submitted to the public authority. The requests concerned King’s College School. As part of its decision, the Tribunal found that information held in the private email accounts of the school governors could contain information held on behalf of the public authority under section 3(2)(b) of FOIA.
This decision emphasises the importance for individuals using non-corporate channels for official business to ensure that there is clear demarcation between private and official information.
The Section 46 Code stresses the importance and benefits of having good records management. However, the use of non-corporate communications channels for official business makes adherence to good records management practice significantly more difficult. For example:
- Such channels often have limited search functionality.
- The retention and deletion periods on such channels are unlikely to align with those of your official systems. In particular, there is a risk of information on non-corporate channels only being held for a limited time or messages being auto deleted.
- Such channels often have limited ability to export information to an official system or to create records which you can transfer onto official systems.
- Access to the information may well be limited to one individual or a small group, but there could be a business need for such information to be more widely available.
- If an individual leaves the organisation, or simply moves roles, access to official information held in non-corporate communications channels can be lost.
- The use of such channels for communicating official information may make it more difficult for you to meet your obligations under data protection law.
As a result, your records management policy should explain that, as far as reasonably practicable, you should always ensure that you use corporate channels for official business.
If this is not possible, your policy should make it expressly clear that you should frequently and routinely record, on your official record keeping systems, any information on authority-related business held on non-corporate channels.
More specifically, your records management policy should set out mitigating measures for staff if they use non-corporate communications channels for official business. These measures include the following:
- If they use a private email for public authority business then they must copy in an authority email address to ensure the completeness of the authority’s records.
- Similarly, your policy should state that anyone using such channels needs to understand how to transfer or export information from the messaging app or platform onto official systems.
- Your policy should emphasise the importance of such transfers or exports of information taking place frequently. The frequency of the transfer depends upon the content and context of information, including how often an individual is using a particular non-corporate channel. However, transfers should certainly take place when key decisions are taken, or when an individual moves roles. Routine transfers also minimise the burden on individuals having to consider what information to retain for the purpose of compliance with the Code, which can then be considered by your records management expert(s). They also reduce the impact on these individuals in relation to any FOI requests that cover information sent to their non-corporate channel.
- You should provide training on managing transfers from different non-corporate systems wherever this is necessary.
- You should place transferred or exported information on an official system with an appropriate retention period, for example, not onto a corporate chat function where the information will be deleted after a short time period.
- You should also make staff aware of the potential for a private conversation on non-corporate channels ‘drifting’ into a discussion about official matters. For example, a discussion about a social event drifting into a discussion about a work meeting. At the point that the discussion becomes about official business, you should use official communication channels. Or at the very minimum, you should forward the official part of the conversation to an official system.
- If staff use instant messaging services, then auto-delete options should be in line with the retention policies of your official systems.
- You should also have adequate information security policies and oversight to ensure the integrity of your information, in line with the Code.
- You should have a process in place to ensure that when an individual leaves your organisation, any official information they hold on non-corporate channels is transferred to an official system.
We also strongly advise you to use your records management policy to:
- clarify the types of information that could be considered to relate to your public authority’s business; and
- provide clear advice to staff that recorded information individuals hold, regardless of the form in which they hold it, and which relates to the business of the authority, is likely to be held on behalf of the authority and so is subject to FOIA.
The Code explains that there are a number of reasons why it is important to retain information, such as:
- for accountability and audit reasons;
- to comply with statutory requirements; or
- to protect legal and other rights and interests.
This underlines the importance of ensuring that official information on non-corporate channels is also captured on an official system so that it can be retained if necessary.
For example, non-corporate communications channels have sometimes been used to exchange information about emergency or fast-developing, high-profile events. However, your role in such events may subsequently be subject to external scrutiny, such as an inquiry, inquest or investigation. You should therefore be aware of the importance of capturing official information contained on non-corporate channels about such events for the purposes of future scrutiny.
Ensuring that information on authority-related business is recorded on your official record keeping systems helps you avoid the complications of requesting searches of non-corporate communications channels when processing a request. Nevertheless, you should always consider all locations where staff may hold relevant information. This may include non-corporate communications channels.
You should establish procedures for dealing with such situations. These should outline the relevant factors you take into account in deciding whether it is necessary to ask someone to search their non-corporate communication channels for information which might fall within the scope of an FOI request. Relevant factors are likely to include:
- The focus of the request, indicated by the words the requester has used.
- The subject matter of the information which falls within the scope of the request.
- How your organisation handles the issues that the request is about.
- By whom and to whom was the information sent and in what capacity (eg public servant or political party member).
- Whether staff used a private communication channel because no official channel was available at the time.
- Whether there is a practice of staff using private communication channels to discuss particular issues or topics, or if there is a practice of particular officials using such channels, or both.
You should direct your enquiries towards deciding whether any of the information was generated in the course of conducting the authority’s business. If it was, it is likely to be within the scope of the request. This information would therefore be held by the individual on behalf of the public authority for the purposes of FOIA.
You will need to ask an individual to search their accounts and/or devices, if you decide that their personal email account, messaging accounts or personal mobile device may include information which falls within the scope of the request, and which your system does not hold elsewhere.
You should ensure that members of staff or other relevant individuals who conduct such searches create a record of the action they take, including the locations they search. You can then demonstrate, if required, that you made appropriate searches in relation to a particular request. The ICO may need to see this in the event of a section 50 complaint arising from the handling of the request.
Concealment and deletion
You should remind staff that erasing, destroying or concealing information with the intention of preventing its disclosure following receipt of a request is a criminal offence under section 77 of FOIA. This offence can apply to both a public authority and to any person who is employed by, is an officer of, or is subject to the direction of the authority.
For example, where information that a request covers is knowingly treated as not held because it is in a non-corporate communications channel, this may count as concealment intended to prevent the disclosure of information. The person concealing the information may be liable to prosecution.
You may find it useful to consider the following pieces of guidance on the topic of holding information:
- Determining whether information is held; and
- Information held by a public authority for the purposes of the Freedom of Information Act.
In relation to the records management issues concerning private communications channels you should consider:
- the Code of Practice issued under section 46 of FOIA on records management; and
- the ICO’s guidance on the Code.
In a data protection context, the ICO has issued two other pieces of guidance which also address some of the issues discussed above:
- the Bring your own device guidance considers the implications for data controllers allowing employees to use their own device for work purposes. Although we produced this guidance under the Data Protection Act 1998, it may still assist you; and
- the guidance on subject access requests also addresses the issue of information held on personal computer equipment.