Case number: OIC-127198-M0W8S2
3 March 2023
In a request dated 30 June 2022, the applicant sought access to a copy of the most up to date Risk Register for the CSSO. In a decision dated 28 July 2022, the CSSO refused the request, citing sections 29(1)(a), 30(1)(a), (b) and (c), 32(1)(a) and (c), 36(1)(b), 40(1)(d) and 42(f) of the FOI Act. The applicant sought an internal review of that decision on 29 July 2022, wherein he noted that no reasons had been provided for any of the exemptions cited nor had any explanation been provided as to how and why they applied.
On 11 August 2022, the CSSO affirmed its refusal of the request. The internal reviewer said that while all of the exemptions relied on in the original decision may be reasons for the request to be refused (either in its entirety, or in part), she was satisfied that section 30(1)(a) and (b) were appropriate grounds on which to refuse the request in its entirety. She provided a more detailed explanation of the basis on which section 30(1) was deemed to apply. She added that she had not considered the other sections cited in the original decision as “this would not alter in any respect the outcome of the Review”. On the same day, the applicant applied to this Office for a review of the CSSO’s decision.
I have now completed my review in accordance with section 22(2) of the FOI Act. In carrying out my review, I have had regard to the submissions made by the CSSO and the applicant’s comments in his application for review. I have also examined the record at issue. I have decided to conclude this review by way of a formal, binding decision.
The CSSO’s position is that the record sought is exempt under the various provisions cited in its original decision. Accordingly, this review is concerned solely with whether the CSSO was justified in refusing access to its Risk Register, in whole or in part, under sections 29(1)(a), 30(1)(a), (b) and (c), 32(1)(a) and (c), 36(1)(b), 40(1)(d) and 42(f) of the FOI Act.
It should be noted that during the course of the review, the applicant confirmed to this Office that he was not seeking the release of the names of specific software or systems used by the CSSO contained in the record and that this information could be excluded from the scope of the review.
I wish to make a number of preliminary comments before addressing the substantive issues in this case.
First, in his correspondence with the CSSO and with this Office, the applicant expressed concerns about the approach taken by the CSSO in the decisions it issued to him on his request. In his request for internal review, he noted that no reasons had been provided in the original decision letter for any of the exemptions cited, nor any explanation provided as to why and how they apply.
In his correspondence with this Office, he noted that while the original decision was to refuse access to the record under six separate sections of the Act, the internal review decision refers only to a single section of the Act without any consideration or discussion of the other five sections. He argued that were the CSSO to seek to argue during the course of the review that the record was exempt under the six sections originally cited, he would be expected to make a submission on exemptions under six separate sections of the Act, only one of which has been explained in any level of detail. He also noted that no detail is provided on the public interest test that took place, or indeed the fact that different sections of the Act require different standards when it comes to the public interest balancing test.
The applicant’s concerns are, in my view, wholly justified. Under sections 13(2)(d) and 21(5)(c) of the FOI Act, where an FOI body decides to refuse to grant a request, the notification of the decision shall specify the reasons for the refusal, any provisions of the FOI Act pursuant to which the request is refused, the findings on any material issues relevant to the decision, and particulars of any matter relating to the public interest taken into consideration for the purposes of the decision. The original decision falls well short of those requirements.
Moreover, while the CSSO provided reasons at internal review stage for its reliance on section 30, it continued to rely on other provisions of the Act in addition to section 30 without providing any explanation to the applicant as to the rationale and relevance of these other exemptions. As such, the internal review decision also falls well short of the requirements of the Act.
It is worth noting that I wrote to all FOI bodies in September 2022 to remind them of their obligations under sections 13 and 21 of the Act. I informed them that where we consider the statement of reasons given for decisions to be inadequate, we will, under section 23 of the Act, direct the Head of the body to provide a fuller statement that complies with the provisions of section 13. I also informed the bodies that from January 2023, we would be publishing details of the FOI bodies to whom section 23 Notices were issued on a more regular basis on our website.
While the decision letters in this case issued before I issued that notification, the CSSO has been subject to the FOI Act for many years and should be fully aware of its statutory obligations. I expect the CSSO to examine its procedures for processing future FOI requests to ensure that they are properly processed in accordance with the requirements of the Act.
The second point I wish to make is that I am required by section 25(3) of the Act to take all reasonable precautions in the course of a review to prevent the disclosure of exempt material. Therefore, while I am required by section 22(10) of the FOI Act to give reasons for decisions, the description I can give of the contents of the record at issue and of the reasons for my decision is somewhat limited.
Thirdly, it is important to note that under section 22(12)(b) of the Act, a decision to refuse to grant a request shall be presumed not to have been justified unless the FOI body shows to the satisfaction of the Commissioner that the refusal was justified. Thus, the CSSO carries the burden of satisfying this Office that the record at issue in this case should not be released.
The Record at issue
The record at issue is the CSSO’s Revised Risk Register dated December 2021. It comprises a table of 27 risks and contains information related to those risks under various headings, including Risk Category, Mitigations/Controls/Managements, Score, Suggestions on Additional Actions/Controls/Mitigations, and Responsibility Ownership.
As I have outlined above, the CSSO argued that the record is exempt under sections 29(1)(a), 30(1)(a), (b) and (c), 32(1)(a) and (c), 36(1)(b), 40(1)(d) and 42(f) of the FOI Act. As the effect of section 42(f) is to exclude certain records held by the CSSO from the FOI Act, I will examine its applicability first.
Section 42: Restriction of the FOI Act
The CSSO refused access, under section 42(f), to the risks in the register numbered 1 to 11 and 15. Section 42 is contained in Part 5 of the Act, which is entitled “Restriction of Act”. The effect of section 42 is to exclude records held by the relevant bodies from the ambit of the Act subject to certain exceptions. Section 42(f) of the Act provides that the Act does not apply to a record held or created by the Attorney General or the Director of Public Prosecutions or the Office of the Attorney General or the Office of Director of Public Prosecutions, other than a record relating to general administration. The CSSO is a constituent office of the Office of the Attorney General.
The effect of section 42(f) is that the only records held by the CSSO to which a potential right of access applies are those that relate to general administration. While the Act is silent on the meaning of general administration, this Office considers that it clearly refers to records which have to do with the management of the Office of the Attorney General such as records relating to personnel, pay matters, recruitment, accounts, information technology, accommodation, internal organisation, office procedures and the like. I am satisfied that it does not refer to records relating to matters concerning the core business of the Office, which includes, but is not limited to, advising on legislation and litigation.
In its submissions to this Office, the CSSO said that a number of risks within the Register deal exclusively with how it conducts its core business, including matters such as how it advises its clients, how it handles caseloads, how it engages with Counsel, discussions with the Attorney General’s Office, and risks associated with advices and legal privilege. It said that these risks do not relate to the general administration of the CSSO but to legal risks it faces in its core business function which is to provide legal services and support to Government Departments and other Public Sector Bodies.
Having examined the relevant risks, I accept that the risks numbered 4 and 6 to 10 in the Risk Register are essentially concerned with CSSO casework and as such, do not relate to general administration. I find therefore that risks 4 and 6 to 10 are excluded from the scope of the FOI Act pursuant to section 42(f) of the Act and I will give them no further consideration.
However, in my view, risks numbered 1 to 3, 5, 11 and 15 do, indeed, relate to general administration. Risks 1 to 3 and 11 are essentially business continuity and resourcing related risks. Risk 5 is concerned with records management while risk 15 is concerned with processing counsel fees. I find that section 42(f) does not apply to those risks. Accordingly, I will consider them, along with the other risks in the Risk Register, under the other exemptions claimed by the CSSO.
Section 29: Deliberations of FOI bodies
The CSSO refused access to the Risk Register in its entirety under section 29(1). Section 29(1) provides for the discretionary refusal of a request if (a) the record contains matter relating to the deliberative processes of an FOI body and (b) granting the request would be contrary to the public interest. The exemption has two independent requirements: the record must contain matter relating to the deliberative process, and its disclosure must be contrary to the public interest. The fact that the first is met carries no presumption that the second is also met. It is therefore important for public bodies to satisfy this Office that both requirements are met. Any arguments against release should be supported by the facts of the case and it should be shown how release of the record(s) would be contrary to the public interest.
Matter relating to deliberative processes
In its submissions to this Office, the CSSO said that risk management is a continuous and developing examination which is embedded deeply in its strategy, methodically addressing all risks surrounding its current activities and those into the future. It said the Risk Register is a document that is fluid in nature as the risks themselves evolve over time. It said that the Register is compiled by the CSSO Risk Committee and entails numerous discussions with relevant stakeholders within its office. It said that the Committee then weighs up the proposed risks and effectiveness of the mitigations to reach an overall risk rating. It said that it is then submitted to the CSSO Management Board for final approval before presenting the Risk Register to the Audit Committee. It said that this process is conducted biannually and that the risks and mitigations are kept under constant review, with new risks added and others removed and it argued that, as such, it is an ongoing deliberative process.
A ‘deliberative process’ as envisaged by section 29(1)(a) may be described as a thinking process which informs decision making in FOI bodies. It involves the gathering of information from a variety of sources and weighing or considering carefully all of the information and facts obtained with a view to making a decision or reflecting upon the reasons for or against a particular choice.
I note that section 29(1)(a) provides that “matter relating to the deliberative processes of an FOI body” includes “opinions, advice, recommendations, and the results of consultations, considered by the body”. I accept that this list is not necessarily exhaustive but it does, in my view, give a clear indication of the nature of the information that falls for protection and, indeed, the purpose of the exemption itself. It seems to me that the information that falls for protection is, in essence, the type of deliberative material that feeds into an FOI body’s deliberations. This Office considers that a distinction may be made between records relating to positions adopted by an FOI body following its deliberations and matter relating to the deliberative processes. I note, for example, that in Case 030830, available on our website at www.oic.ie, the then Commissioner found that records disclosing the substantive submissions of a Hospital to a Tribunal of Enquiry related to positions adopted by the Hospital following its deliberations as opposed to material disclosing the internal thinking process within the Hospital or the weighing up of options. The Commissioner found that such material was not exempt under the equivalent provision of the FOI Act 1997.
In Case OIC-103932, also available on our website, I considered arguments made by University College Cork in relation to Risk Registers and deliberative processes. In that case, I found as follows:
“In relation to the above arguments made by UCC, this Office would note that there is a distinction to be drawn between records relating to positions adopted by an FOI body following its deliberations, and matter relating to the deliberative processes. It seems to me that a year-end risk register for a given year falls within the former category of records, albeit that the risk register may have been updated at various points throughout the year. In other words, a year-end risk register sets out positions adopted by the body in relation to the various risks it has identified throughout the year, by way of (as the UCC risk registers have it) internal controls and further actions. Thus, while the risk registers contain outlines of various matters of concern to UCC from a risk management perspective, which matters have clearly been raised with a view to making a decision on the particular matter, rather than setting out a weighing up or evaluation of competing options, or the consideration of proposals or courses of action, it seems to me the risk registers set out instead the actions decided on (by way of the specified internal controls and further actions), such as to bring it within the ambit of a record relating to positions adopted by UCC following its deliberations. As such, I find that the risk registers do not relate to the ‘deliberative processes’ of UCC for the purposes of section 29(1) of the FOI Act.”
While I accept the CSSO’s assertion that risk management is a continuous and developing examination and that the process is conducted biannually, the record at issue in this case contains details of risks the CSSO has already identified at a particular point in time, the mitigations and controls it has in place for addressing those risks, and, in some cases, additional suggested mitigations. Accordingly, it is not at all clear to me that the record contains matter relating to the deliberative processes of the CSSO.
In any event, even if I were to find subsection (a) to apply, subsection (b) must also apply for the record to qualify for exemption under section 29(1), i.e. granting the request must be contrary to the public interest.
Contrary to the Public Interest
The public interest test at section 29(1)(b) is a stronger public interest test than the public interest test in many other sections of the Act (which generally require that, on balance, the public interest would be better served by granting than by refusing to grant the request). Any arguments against release should be substantiated and supported by the facts of the case. It is important that the FOI body shows to the satisfaction of this Office how granting access to the particular record(s) would be contrary to the public interest, e.g. by identifying a specific harm to the public interest flowing from release.
In its submissions, the CSSO said that it is somewhat unique as a Civil Service body in that it operates in a highly competitive and adversarial environment. It said this applies at a number of levels:
1. competition from the private sector for Government business,
2. competing for staff resources, and
3. competing against opponents in legal proceedings.
It said that while all public bodies compete with the private sector in a tight labour market, the reference here is to competition for scarce highly skilled legal professionals, and it argued that private sector law firms could very likely use the contents of the Risk Register to paint themselves as more attractive options to prospective employees. It said it would be contrary to the public interest for the CSSO’s competitors to be aware of the risk issues facing the Office and how it addresses them. It said the harm in this case would be the ability of private sector law firms to direct their efforts more efficiently and effectively at adopting processes/systems in use in the Office for their own benefit and competing with and undermining the Office on the three aforementioned fronts. It said that the public interest is best served in the CSSO having a well-managed, effective and efficient risk management system that is not available to its competitors.
It is noteworthy that the CSSO has not identified any specific risks in the record that it considers private sector firms could use to make themselves more attractive to prospective employees, or indeed that they could use to undermine the CSSO in legal proceedings or in competing for business. Having examined the record, it seems to me that the risks (excluding risks 4 and 6 to 10 to which I have found section 42(f) of the Act to apply) reflect challenges that one might expect to find across the wider civil and public service more generally and it is not evident to me that there is any particular information in the record that could give a competitive advantage to the CSSO’s competitors in any of the areas identified by the CSSO. On balance, I am not satisfied that the CSSO has demonstrated that release of the Risk Register would be contrary to the public interest. Accordingly, I find that section 29(1) does not apply.
Section 30: Functions and negotiations of FOI bodies
Section 30(1) of the FOI Act provides that an FOI request may be refused if access to the record concerned could reasonably be expected to:
a. prejudice the effectiveness of tests, examinations, investigations, inquiries or audits conducted by or on behalf of an FOI body or the procedures or methods employed for the conduct thereof,
b. have a significant, adverse effect on the performance by an FOI body of any of its functions relating to management (including industrial relations and management of its staff), or
c. disclose positions taken, or to be taken, or plans, procedures, criteria or instructions used or followed, or to be used or followed, for the purpose of any negotiations carried on or being, or to be, carried on by or on behalf of the Government or an FOI body.
Section 30(2) provides that section 30(1) does not apply where the FOI body considers that the public interest would, on balance, be better served by granting than by refusing to grant the request.
The CSSO claimed that sections 30(1)(a) and 30(1)(b) apply to the Risk Register in its entirety, and that section 30(1)(c) applies to the information relating to risks 11 to 16, 19, 20 and 25.
Section 30(1)(a) is what is known as a harm-based provision. Where an FOI body relies on this provision, it should identify the potential harm in relation to the relevant function specified in paragraph (a) that might arise from disclosure and, having identified that harm, consider the reasonableness of any expectation that the harm will occur. The FOI body should explain how and why, in its opinion, release of the record(s) could reasonably be expected to give rise to the harm envisaged. A claim for exemption under this provision must be made on its merits and in light of the contents of the particular record concerned and the relevant facts and circumstances of the case. A claim for exemption which is class-based is not sustainable e.g. a claim for exemption for ‘any’ draft report.
The CSSO argued that the release of the Risk Register could reasonably be expected to prejudice the effectiveness of the procedures and methods employed for the conduct of the CSSO’s internal examinations and inquiries relating to risk. It said that the maintenance of an up-to-date and live Risk Register which is continually reviewed and refreshed is a key element of its effective risk management process. It said that the Register is a record which at any point in time represents the outcome of detailed internal examinations and inquiries and that there is a robust internal system of inquiry which feeds into it, in particular its comprehensive bi-annual review of the Risk Register. It said that this review is a process involving meetings across the CSSO between senior management in each unit/section and their staff, then meetings between those senior managers and members of the Risk Management Committee who are not in the unit/section concerned, and finally meetings between the Risk Management Committee and the Management Board to evaluate the risks. It said that this process involves thorough examinations, inquiries, discussions and consideration of the principal risks identified.
The CSSO added that the effectiveness of the Risk Register is entirely dependent on the quality of the risk examination and evaluation process, which relied on discussions being robust and thorough, with staff and managers speaking freely about their perception of risks and the effectiveness of their mitigations. It said the Management Board and Risk Committee have created an environment of trusted scrutiny where risks and mitigations are robustly examined, scrutinised, challenged and tested and the rating then given to them is relied on for the ongoing management of that risk. It said that if the document was released, it was reasonable to expect that this may impair the effectiveness of the internal examinations relating to risk management. While it acknowledged that the staff of public bodies should be expected to properly carry out their functions, it said the issue is not so much that staff would be reluctant to express their views on risks and mitigations during these examinations, but rather that there would be an aversion to committing to the outcome of these to a record in such a level of detail as currently is the case. It argued that this would undermine the effectiveness and efficiency of the review process itself and the usefulness of the Register in terms of horizontal and vertical engagement.
The CSSO further added that the risk management process is set apart from other forms of communications such as briefings or position papers insofar as its primary function is to identify, assess and document threats and risks posed to the organisation. It said the more frank and open staff are, the more efficient the risk management process is. It said it is reasonable to expect that risk-related concerns would be voiced more freely in an internal environment, where staff are assured that there would be no negative repercussions for raising a concern, for example around a new or emerging risk or around the continued effectiveness of mitigations of an existing risk, than they would in an external environment. It said it is reasonable to expect that concerns could be sanitised or lack depth if the risk register inquiry procedures were set against the backdrop of the register being a publicly available document. It said the Register contains information regarding the management of relationships between the CSSO and its clients, thus potentially negatively affecting the CSSO Risk Management process.
It is again noteworthy that the CSSO did not tie its arguments to any specific risks set out in the Risk Register, apart from a general reference to the management of relationships with clients which, in any event, is one of the risks that I have found to be excluded from the Act under section 42. Instead, it essentially argued that the Risk Register, as a class of document, is exempt under section 30(1)(a).
I note that the Department of Public Expenditure and Reform published risk management guidance in 2016, namely “Risk Management Guidance for Government Departments and Offices”. The guidance notes that risk management is one of the keystones to achieving effective corporate governance. It notes, among other things, that:
“Those with responsibility for achieving and delivering on objectives, and involved in making or altering decisions need to appreciate that risk is an unavoidable part of organisational activity. Risk associated with decisions should be understood at the time the decision is made. Having an effective risk management framework and process in place allows for better understanding and more informed decision-making.”
It also provides that as part of its governance framework, each Department/Office must have a risk management strategy which informs and facilitates risk management as an integral and on-going part of its management process.
It seems to me that the risk register is an integral part of a public body’s corporate governance. Having carefully examined the relevant contents of the record, I do not believe that the release of any of the information at issue could possibly be expected to give rise to an aversion to committing the outcome of the examination process to the Risk Register. Nor is it apparent to me that the release of the Register might cause staff to be reluctant to voice risk-related concerns freely without an assurance that there would be no negative repercussions for raising a concern. It is not at all clear to me why staff would need such an assurance in respect of the specific risks outlined in the register, nor can I see anything in the Register that causes me to believe that staff might not have contributed freely without such an assurance.
I find that the CSSO has not satisfactorily shown that the release of the record could reasonably be expected to give rise to the harms identified. I find that section 30(1)(a) does not apply.
Like section 30(1)(a), section 30(1)(b) is also a harm-based provision. Where an FOI body relies on section 30(1)(b) it should identify the function relating to management concerned and identify the significant adverse effect on the performance of that function which is envisaged. The FOI body should also consider the reasonableness of the expectation that the harm will occur. It is important to note that the significant adverse effect in section 30(1)(b) requires stronger evidence than the prejudice standard of section 30(1)(a).
The CSSO said that the relevant management function in this instance was the risk management function. It said that the Risk Register is the bedrock of its risk management and that management decisions on how to manage and prioritise risk management efforts at any given time are based on the grading of risks in the Risk Register. It said that if the procedures leading to the creation of the Risk Register are prejudiced in the manner identified above (I have taken that to mean as identified under section 30(1)(a)), then the Risk Register would cease to be a top-class reliable tool for risk management. It said it is axiomatic that you cannot manage what you cannot measure and therefore to have a Risk Register in which the credibility of the measurements is undermined (by virtue of not having been predicated on full disclosure in a trusted internal environment) would almost be more damaging to management than having no Risk Register at all. It said that the Risk Registers that are publicly available, giving the example of Irish Water’s Risk Register, appeared to be at a much higher organisational level and do not go into the same level of detail as the CSSO Risk Register.
While I accept that risk management is a function relating to management for the purposes of section 30(1)(b), the CSSO’s arguments in terms of the ‘significant, adverse effect’ on the performance of this function are essentially based on its arguments that the harms it outlined under section 30(1)(a) could reasonably be expected to occur. As I have explained above, and for the reasons outlined, I do not believe that such harms could reasonably be expected to arise as a result of the release of the record at issue. It follows, therefore, that I do not accept that the release of the record could reasonably be expected to have a significant, adverse effect on the performance by the CSSO of its risk management function. I find that section 30(1)(b) does not apply.
The CSSO cited section 30(1)(c) in relation to risks numbered 11 to 16, 19, 20, and 25. The section is designed to protect positions taken for the purpose of any negotiation carried on by or on behalf of the Government or an FOI body. It is important to note that unlike section 30(1)(a) and 30(1)(b), this exemption does not contain a harm test. It is sufficient that access to the record concerned could reasonably be expected to disclose positions taken, or to be taken, or plans, procedures, criteria or instructions used or followed, or to be used or followed, for the purpose of any negotiations carried on or being, or to be, carried on by or on behalf of the Government or an FOI body.
An FOI body relying on section 30(1)(c) should identify the relevant negotiations at issue. The Oxford English Dictionary defines “negotiation” as “the action or business of negotiating or making terms with others”. It goes on to define the verb “negotiate” as “to hold communication or conference (with another) for the purpose of arranging some matter by mutual agreement; to discuss a matter with a view to some settlement or compromise”. Relevant factors in considering whether there is, or was, a negotiation include whether the FOI body was trying to reach some compromise or some mutual agreement. This Office also accepts that, generally speaking, proposal-type information relating to a public body’s negotiations would be exempt under section 30(1)(c). In deciding whether there are negotiations for the purpose of section 30(1)(c), factors to consider include, for example, whether there is any proposal for settlement or compromise, any indications of ‘fall-back’ positions, information created for the purpose of negotiations, the FOI body’s negotiating strategy, or an opening position with a view to further negotiation.
In its submissions, the CSSO said that while its core function is to provide legal services, it is still subject to administrative oversight. Referring to the Commissioner’s understanding of a negotiation as set out in previous decisions, it said that the CSSO Risk Register contains the opening positions of the CSSO in relation to numerous interests including discussions with the Department of Public Expenditure & Reform (DPER), discussions with the Office of Public Works (the OPW) in respect of a proposed move of office premises, and a planned move to a new financial management system.
I have examined the information in the records relating to the risks numbered 11 to 16, 19, 20 and 25. They contain some general references to discussions with DPER and with the OPW, and to the move to the financial management shared services (FMSS) model. It seems to me that the various steps being taken or to be taken, with regard to the risks identified, are set out in a general way and are steps that one might reasonably expect to find in a risk register. Having carefully examined each of these risks, I do not accept that their release would amount to the disclosure of a position taken, or to be taken, or plans, procedures, criteria or instructions used or followed, or to be used or followed, for the purpose of any negotiations carried on or to be carried on.
I find that the CSSO has not justified its reliance on section 30(1)(c) as a basis to refuse access to risks 11 to 16, 19, 20, and 25 in the Risk Register.
As I have not found sections 30(1)(a), (b), or (c) to apply to the record, there is no need to consider the public interest test at section 30(2).
Section 32: Law enforcement and public safety
The CSSO argued that risks numbered 6, 12, 13, 18 and 23 are exempt from release under sections 32(1)(a)(i) and 32(1)(c) of the Act. As I have already found risk 6 to be excluded from the FOI Act by virtue of section 42(f), I do not need to consider if section 32 also applies.
Section 32 is a harm-based exemption which allows a body to refuse a request if it considers that access to the record sought could reasonably be expected to give rise to any of the harms set out in subsection (1). Where an FOI body relies on section 32(1), it should identify the potential harm to the matters specified in the relevant sub-paragraph or sub-section that might arise from disclosure and, having identified that harm, consider the reasonableness of any expectation that the harm will occur. A mere assertion of an expectation of harm is not sufficient; the FOI body should show how release of the particular record could reasonably be expected to result in that harm. The contents of the record(s) at issue are important and consideration should be given to what they reveal.
Subsection (1)(a)(i) of section 32 is concerned with prejudice or impairment of the prevention, detection or investigation of offences, the apprehension or prosecution of offenders or the effectiveness of lawful methods, systems, plans or procedures employed for those purposes. Subsection (1)(c) is concerned with facilitating the commission of an offence.
In relation to section 32(1)(a)(i), the CSSO said that the Risk Register identifies specific software and systems used by the CSSO in its day to day functions, some of which are bespoke applications developed for the CSSO/AGO while others are systems used to transfer sensitive legal information in a secure fashion. It said that release to the world at large of the systems and software used by the CSSO could leave it vulnerable to cyber security attacks.
It made similar arguments in relation to section 32(1)(c). It pointed to sections 2 to 6 of the Criminal Justice (Offences relating to Information systems) Act 2017 which specify that a person who, without lawful authority, accesses and interferes with information systems in various ways, is guilty of an offence. The CSSO said that there was a reasonable expectation that the disclosure of systems and software used by it could be used by bad faith actors to unlawfully access information through social engineering, phishing or ransomware attacks. It said that the CSSO was subject to ongoing attempts to compromise its ICT systems and data and that the more that is known about an organisation’s ICT systems, the higher the likelihood of compromise attempts and the higher the chance that these attempts will be successful.
I fully accept that all organisations, including the CSSO, have serious and genuine concerns around information security and various types of cyber-attacks and that this represents a major risk to be managed. I have carefully examined risks 12, 13, 18 and 23 with this in mind. It seems to me that the CSSO’s concerns are based wholly on the possibility of the identity of the specific software and systems used by the CSSO in its day to day functions being released. However, as I have outlined above, the applicant is not seeking access to the names of specific software or systems used by the CSSO contained in the record, so it is not necessary for me to give any further consideration to the CSSO’s arguments that relate to the release of those details. Looking at the information contained within these risks beyond the names of the various systems, it seems to me that the information is high level and that the mitigations/actions set out are for the most part steps that one might reasonably expect to find in a risk register. I simply cannot see how the release of these parts of the Risk Register could reasonably be expected to lead to the harms set out in sections 32(1)(a)(i) or 32(1)(c). I find that the CSSO has not justified its reliance on section 32(1) of the FOI Act for refusing access to the relevant parts of the record.
Section 36: Commercial sensitivity
In its submissions to this Office, the CSSO said that the Risk Register was exempt under section 36(1)(b). It did not specify particular risks within the Risk Register so I have considered the record in its entirety under this exemption. Section 36(1)(b) provides for the mandatory refusal of a request if the record concerned contains financial, commercial, scientific or technical or other information whose disclosure could reasonably be expected to result in a material financial loss or gain to the person to whom the information relates, or could prejudice the competitive position of that person in the conduct of his or her profession or business or otherwise in his or her occupation.
The CSSO said that the Risk Register contained numerous examples of information deemed to be commercially sensitive and that could reasonably be seen to prejudice its competitive position. It said that it operates in an extremely competitive market where private firms are competing with it for work and for talented staff. It pointed to certain information concerning its case management of litigation and said that disclosure of this could be exploited by competitors. More broadly, it also said that the disclosure of issues of concern to the CSSO, and how these are managed and positions to be taken, could reasonably be expected to have an adverse impact on its competitive position and its ability to provide cost effective legal services to Government departments.
In considering the CSSO’s arguments, I note first of all that any information contained in the Risk Register concerning the management of litigation falls outside the scope of the FOI Act. I refer to my findings under section 42(f). My consideration of section 36(1)(b) is therefore limited to risks 1 to 3, 5, and 11 to 27. The essence of the test in section 36(1)(b) is not the nature of the information, but the nature of the harm which might be occasioned by its release. The standard of proof in relation to the second limb of section 36(1)(b), which the CSSO has relied upon, is quite low. All that is required is the possibility of prejudice with the only requirement being that disclosure "could prejudice the competitive position" of the person concerned. Nonetheless, this Office takes the view that, in invoking the phrase "prejudice", the damage which could occur as a result of disclosure of the information must be specified with a reasonable degree of clarity.
In the High Court case of Westwood Club v The Information Commissioner IEHC 375, Cross J. held that the explanation, as finally given by the FOI body to the Commissioner, did little more than repeat the requirements of what is now section 36(1)(b) and referred to the nature of the documents held. Cross J. stated:
“It does not in any sense engage with the proper question ... as to why these particular documents, if disclosed, could prejudice the financial position...”
Having carefully examined the CSSO’s arguments, it seems to me that they amount to little more than an assertion that the release of the records could give rise to certain harms identified in section 36(1)(b). It has not, in my view, explained how such harms could arise and, having carefully examined the record, it is not evident to me how they could. Similar to my findings under section 30(1)(c) above, it seems to me that the risks and proposed actions are set out in a broadly general way and I do not accept that their release could prejudice the competitive position of the CSSO. I find that section 36(1)(b) does not apply.
Section 40: Financial and economic interests of the State
The CSSO claimed that the Risk Register was also exempt under section 40(1)(d). That section provides for the refusal of a request where the FOI body considers that access to the record could reasonably be expected to result in an unwarranted benefit or loss to a person or class of persons. Section 40(1) of the Act is a harm-based provision. Where an FOI body relies on section 40(1), it should identify the potential harm specified in the relevant paragraph of subsection (1) that might arise from disclosure and, having identified that harm, consider the reasonableness of any expectation that the harm will occur.
This Office takes the view that the context of the section 40 exemption suggests that it is intended to protect the financial and economic interests of the State and of public bodies. We consider that, to the extent that it may also protect the interests of persons generally (as suggested by section 40(1)(d)), this would seem to be the case only to the extent that harm to a person (other than the State or a public body) would also result in harm to the State or a public body. The commercial interests of persons generally are protected by section 36. Accordingly, this Office considers that the key issue in considering the application of section 40(1)(d) is the extent to which, if at all, the grant of the request would damage the interests of the State or some public body. Such damage would also have to meet the test of being "unwarranted".
The CSSO said that its rationale for refusing access under section 40(1)(d) was similar to the basis on which it cited section 36(1)(b), i.e. that the release of the Register would result in an unwarranted benefit to external parties, namely to legal firms with whom it competes for both experienced and skilled legal staff and high calibre work from clients. My findings in respect of the applicability of section 36(1)(b) equally apply here. As I have outlined above, any information contained in the Risk Register concerning the management of litigation falls outside the scope of the FOI Act. Moreover, the CSSO’s arguments seem to me to amount to little more than an assertion that the release of the records could give rise to harms identified in section 40(1)(d). It has not, in my view, explained how such harms could arise and, having carefully examined the record, it is not evident to me how they could. I find that section 40(1)(d) does not apply.
Having carried out a review under section 22(2) of the FOI Act, I hereby vary the decision of the CSSO. I find that it was justified, under section 42(f) of the Act, in refusing to release the information contained in the Risk Register related to risks numbered 4 and 6 to 10. I find that it was not justified in refusing access to the remainder of the record under sections 29(1), 30(1), 32(1), 36(1) or 40(1)(d) and I direct its release, subject to the redaction of the names of any specific software/systems used by the CSSO.
Section 24 of the FOI Act sets out detailed provisions for an appeal to the High Court by a party to a review, or any other person affected by the decision. In summary, such an appeal, normally on a point of law, must be initiated by the applicant not later than eight weeks after notice of the decision was given, and by any other party not later than four weeks after notice of the decision was given.