Case number: OIC-140927-J1V5R7

Whether the DPC was justified in refusing access, under sections 29(1), 30(1)(a), 32(1)(a)(iii), 33(3)(c)(iii) and 36(1)(b) of the FOI Act, to parts of a project closure report on the DPC’s CMS Development Project

 

21 December 2023

 

Background

In 2017, the Data Protection Commission established a “GDPR Readiness Programme” to prepare for its increased and enhanced functions under the GDPR and other associated legislative changes. One of the projects within this programme was the development and implementation of a new case management system (CMS). In March 2018, following a request for tenders, a vendor was appointed to work on the project. Implementing this system took longer than anticipated.

In a request dated 30 May 2023, the applicant sought access to a closure report on the CMS development project. On 27 June 2023, the DPC part-granted the request. It identified one relevant record, entitled Project Closure Report: CMS Development Project (“the Report”), dated 13 December 2022. It released a redacted copy of the Report, with redactions made under sections 29(1), 30(1)(a) and 30(1)(b) of the FOI Act. On 7 July 2023, the applicant sought an internal review of that decision. He said that the Report was extensively redacted and that the DPC had not specified which exemptions applied to which redacted portions of the Report. Furthermore, he said that he did not accept that the exemptions applied or that the public interest was served by withholding the redacted information. The DPC affirmed its decision on 24 July 2023, following which the applicant applied to this Office for a review of the DPC’s decision.

In the course of the review, the DPC revised its position and issued a second copy of the Report to the applicant with some of the original redactions removed. For the parts of the Report that remained refused, it specified which exemption(s) under the FOI Act it was relying on. In addition to sections 29 and 30, it also cited sections 32(1)(a)(iii) and 33(3)(c)(iii) in support of the redactions. The applicant confirmed that he wished the review to continue.

During the review, the Investigator formed the view that section 36, a mandatory exemption for the protection of commercially sensitive information relating to third parties, might also be relevant to part of the record. She informed both parties of her view. The DPC made no submissions on section 36. The applicant provided some comments on section 36, in addition to submissions on sections 32 and 33.

I have now completed my review in accordance with section 22(2) of the FOI Act. In carrying out my review, I have had regard to the correspondence the DPC and the applicant as described above and to the communications between this Office and both parties on the matter. I have also had regard to the contents of the record at issue. I have decided to conclude this review by way of a formal, binding decision.

Scope of Review

During the course of the review, the applicant confirmed to this Office that he was not seeking the release of specific software or systems used by the DPC that are referenced in the Report and that this information could be excluded from the scope of the review. For the avoidance of doubt, I include in this category the link redacted at the top of page 13 (but not the rest of the sentence).

Accordingly, this review is concerned with whether the DPC was justified in refusing access, under sections 29, 30, 32, 33 and 36 of the FOI Act, to the remaining redacted parts of pages 5 to 14 of the Report.

Preliminary Matters

Before I address the substantive issues in this case, I wish to make a number of preliminary comments. First, when the DPC originally part-released the record to the applicant, the redaction methodology used enabled the applicant to decipher much of the text that the DPC had attempted to redact. As a result, the applicant was in the unusual position of being able to make specific arguments based on the actual content of parts of the record that had been redacted, both in his application for review and in his submissions to this Office. The DPC’s position is that, regardless, the redacted information should be treated as refused.

I accept that certain parts of the record were withheld further to a deliberate decision made by the DPC under the FOI Act to refuse access to those parts on the ground that they are exempt from release. Having carefully considered the matter, I have decided to proceed with my consideration of whether the DPC was justified in redacting all of the relevant parts of the version of the report that was released during the review, regardless of what information the applicant has been able to decipher.

Secondly, while I am required by section 22(10) of the FOI Act to give reasons for my decisions, this is subject to the requirement of section 25(3) that I take all reasonable precautions to prevent disclosure of information contained in an exempt record during the course of a review. This is complicated further by the issue described above wherein the applicant has made arguments having had access to some of the information which the DPC has claimed to be exempt from release under the FOI Act. Accordingly, in the analysis which follows, I am required to limit the level of detail I can give in describing the relevant information and some of the arguments made by the parties.

Thirdly, section 22(12)(b) of the FOI Act provides that when the Commissioner reviews a decision to refuse a request, there is a presumption that the refusal is not justified unless the public body "shows to the satisfaction of the Commissioner that the decision was justified". Therefore, in this case, the onus is on the DPC to satisfy the Commissioner that its decision to refuse access to certain parts of the Report was justified. However, that is not the end of the matter. I must also have regard to the findings of the Supreme Court in The Minister for Communications, Energy and Natural Resources and the Information Commissioner & Ors [2020] IESC 57 ("the Enet Case"). In that case, the Court noted that while the presumption places an onus on the FOI body to justify refusal, that does not mean that the conclusion is always that disclosure is to be ordered. The Commissioner must adjudicate the merits of the decision to refuse by reason of an analysis of the records and the interests engaged, which might suggest either disclosure or refusal.  ​       

Finally, I note that the Investigator raised the question of section 36 of the Act with the parties. While the DPC has not made submissions on this exemption, given the de novo nature of reviews by this Office, and the fact that this exemption is mandatory and designed to protect the interests of third parties, I am satisfied that it is appropriate for me to consider its potential relevance.

Analysis and Findings

Section 29: Deliberations of FOI bodies

The DPC claimed that parts of pages 8, 9, 12 and 14 are exempt from release under section 29 of the FOI Act. Section 29(1) provides for the refusal of a request if (a) the record contains matter relating to the deliberative processes of an FOI body and (b) the FOI body considers that granting the request would be contrary to the public interest. The exemption has two independent requirements: the record must contain matter relating to the deliberative process, and its disclosure must be contrary to the public interest. The fact that the first is met carries no presumption that the second is also met. It is therefore important for public bodies to satisfy this Office that both requirements are met. Any arguments against release should be supported by the facts of the case and it should be shown how release of the record(s) would be contrary to the public interest. It should also be noted that the exemption does not apply insofar as the record(s) contain any of the information or matter referred to in section 29(2) of the Act.

This Office takes that view that a deliberative process may be described as a thinking process which informs decision-making in an FOI body. It involves the gathering of information from a variety of sources and weighing or considering carefully all of the information and facts obtained with a view to making a decision or reflecting upon the reasons for or against a particular choice. Section 29(1)(a) provides that “matter relating to the deliberative processes of an FOI body” includes “opinions, advice, recommendations, and the results of consultations, considered by the body”. I accept that this list is not necessarily exhaustive but it does, in my view, give a clear indication of the nature of the information that falls for protection and, indeed, the purpose of the exemption itself. There is nothing in the exemption which requires the deliberative process to be ongoing; equally, the fact that a deliberative process is ongoing does not mean that the exemption automatically applies. However, the question of whether or not a deliberative process is ongoing may be relevant to the issue of the public interest

In its revised position issued to the applicant on 25 October 2023 when it released the Report with fewer redactions, the DPC described the information it withheld under section 29(1) as “relating to the delivery of services”. It said that these matters “are the subject of ongoing engagement with the vendor” and are part of the DPC’s deliberative process regarding roll-out of the system and engagement with the vendor as the roll-out is not yet completed. It said the Report itself lists one of its purposes as being to enable the DPC to resolve all open issues regarding the project. It said that release of the information would “prejudice the DPC’s ability to achieve optimum delivery of the services”, as well as prejudicing its “ability to fully and frankly engage with the vendor in relation to completion of the services”.

It argued that the release of the information would be contrary to the public interest because it would prejudice the DPC’s ongoing engagement with the vendor (issues in relation to the system and services that remain to be closed out) and would also

prejudice the vendor’s competition position in relation to seeking other work (including tendering for other public sector work). It said that release would prejudice the

DPC’s ability to perform its management and IT security functions effectively and would be contrary to the public interest in ensuring a high standard of security in respect of its CMS. It said that the countervailing considerations in the public interest which might favour release are not outweighed by these expected adverse effects. It indicated that these factors included transparency and accountability in the DPC’s administration/management of its ICT systems, and expenditure of public monies in its ICT systems, and the interest in knowing a public sector body’s experience in the implementation of such a system which may be to the benefit of other public sector bodies or more generally. It said that the release of the redacted version of the Report served to meet these public interest considerations.

The record at issue is a report describing the development and implementation of a new case management system (CMS) for the DPC. The introduction to the Report describes it as “the final document produced for the project and is used by the CMS Works Board to assess the success of the project, identify best practices for future projects, resolve all open issues, and formally close the project”. The specific information redacted under section 29(1) includes risks identified and issues experienced during the delivery of the project, reasons for a decision taken following the DPC’s consideration of the risks, and outstanding risks at the closure of the project, including risk impact and mitigation actions.

The DPC’s argument is that the information identified in the Report forms part of its deliberative process regarding roll-out of the system and ongoing engagement with the vendor. In my view, such engagements with the vendor in respect of the roll-out of the system cannot reasonably be described as a thinking process which informs decision-making in the DPC. It does not involve the gathering of information from a variety of sources and weighing or considering carefully all of the information and facts obtained with a view to making a decision or reflecting upon the reasons for or against a particular choice. Rather, the information describes the DPC’s reflections on risks identified and issues experienced during the roll out and includes details of reasons for actions taken. I find that section 29(1)(a) does not apply. This finding, of itself, is sufficient for me to find that the DPC was not justified in refusing access to the information at issue under section 29(1).

I would add, in any event, that even if I had found section 29(1)(a) to apply, the question of whether release of the information would be contrary to the public interest, as provided for at section 29(1)(b) would remain to be considered, as would the provisions of section 29(2). I note, in particular that subsections (b) and (c) of section 29(2) provide that section 29(1) does not apply to a record in so far as it contains (b) factual information, or (c) the reasons for the making of a decision by an FOI body. It seems to me that the information at issue can reasonably be described as comprising findings of fact and reasons why a particular decision was taken by the DPC.

Section 30: Functions and negotiations of FOI bodies

The DPC claimed that parts of pages 8, 9 and 14 are exempt from release under section 30 of the FOI Act. Section 30(1) of the Act provides for the refusal of a request if the FOI body considers that access to the record concerned could reasonably be expected to:

a. prejudice the effectiveness of tests, examinations, investigations, inquiries or audits conducted by or on behalf of an FOI body or the procedures or methods employed for the conduct thereof,

b. have a significant, adverse effect on the performance by an FOI body of any of its functions relating to management (including industrial relations and management of its staff), or

c. disclose positions taken, or to be taken, or plans, procedures, criteria or instructions used or followed, or to be used or followed, for the purpose of any negotiations carried on or being, or to be, carried on by or on behalf of the Government or an FOI body.

Section 30(2) provides that section 30(1) does not apply where the FOI body considers that the public interest would, on balance, be better served by granting than by refusing to grant the request. In its submissions to this Office, the DPC argued that subsections (a), (b) and (c) applied to the information in question. The information refused under section 30 concerns risks identified and issues experienced in the delivery of the project, and the reasons why a particular decision was taken.

Section 30(1)(a)

Section 30(1)(a) is what is known as a harm-based provision. It envisages two potential types of "prejudice" or harm: the decision maker must hold the view that the release of the record could reasonably be expected to prejudice the "effectiveness" of the tests, examinations, investigations, inquiries or audits, or the procedures or methods employed for the conduct thereof. Where an FOI body relies on this provision, it should identify the potential harm in relation to the relevant function specified in paragraph (a) that might arise from disclosure and, having identified that harm, consider the reasonableness of any expectation that the harm will occur. A claim for exemption under this provision must be made on its merits and in light of the contents of the particular record concerned and the relevant facts and circumstances of the case. 

The DPC said that release of the redacted information could prejudice the effectiveness of the IT procedures and methods employed by the DPC for the conduct of its investigations and inquiries. It did not elaborate further on how it envisaged its procedures and methods being prejudiced, or how release of the particular information could lead to such harm. Nor is it evident to me from a careful examination of the record how the release of such information could possibly cause harm to the methods used by the DPC for its investigations. In the case of UCC v the Information Commissioner [2020] IESC 58, the Supreme Court found as follows:

“I am not satisfied that it is sufficient for an FOI body to identify the records and merely assert that they could prejudice the competitive position of a person. An FOI body must also have a reasonable basis for that position. A bare assertion will never do”

While those comments were made in respect of a claim for exemption under section 36, I am satisfied that they are of more general relevance to all claims for exemption. A general prediction without any further explanation or supporting evidence is not sufficient to satisfy the requirement that access to the record could reasonably be expected to result in the outcome envisaged. I find that the DPC was not justified in refusing access to the information at issue under section 30(1)(a).

Section 30(1)(b)

Section 30(1)(b) is also a harm-based exemption. In relying on this sub-section, an FOI body should identify the potential harm to the performance by an FOI body of any of its functions relating to management that might arise from disclosure and, having identified that harm, consider the reasonableness of any expectation that the harm will occur. An FOI body seeking to rely on section 30(1)(b) should explain how, in its opinion, release of the record(s) could reasonably be expected to give rise to the harm envisaged. A claim for exemption under this provision must be made on its merits and in light of the contents of each particular record concerned and the relevant facts and circumstances of the case.

When invoking section 30(1)(b), the FOI body must make an assessment of the degree of importance or significance attaching to the adverse effects claimed. Establishing "significant, adverse effect" requires stronger evidence of damage than, for example, "prejudice" (as per section 30(1)(a) of the FOI Act, above). In other words, not only must the harm be reasonably expected, but it must also be expected that the harm will be of a significant nature.

The DPC argued that release of the redacted information would have a significant adverse effect on its management of the project to completion and its management/relationship with the vendor. It said that the Report contains information concerning strategic planning, and the management of operational matters, in particular in respect of IT infrastructure and security throughout this project, and disclosure of the information could reasonably be expected to have a significant adverse effect on the performance by an FOI body of its functions relating to management.

Having considered the relevant information at issue, it seems to me that the DPC’s arguments reflect a concern that the release of the information might impact on its relationship with the vendor which, in turn, might impact on its ability to fully complete the project. It seems to me that the DPDC’s concerns are significantly overstated. Even if the release of the information was to impact on the relationship between the parties, I find it difficult to accept that any impact would be such that it might adversely affect the DPC’s ability to manage the project to completion. While I appreciate that any further delays in the completion of the project are not desirable, the DPC’s concerns fall far short, in my view, of the requirement that the adverse effect on the performance by an FOI body of any of its functions relating to management must be significant. I am not satisfied that the DPC has satisfactorily shown that the release of the information at issue could reasonably be expected to result in the harms outlined in section 30(1)(b). I find that section 30(1)(b) does not apply.

Section 30(1)(c)

Section 30(1)(c) provides for the refusal of a request where the FOI body considers that access to the record concerned could reasonably be expected to disclose positions taken, or to be taken, or plans, procedures, criteria or instructions used or followed, or to be used or followed, for the purpose of any negotiations carried on or being, or to be, carried on by or on behalf of the Government or an FOI body. It is important to note that this exemption does not contain a harm test (unlike section 30(1)(a) and 30(1)(b)). It is sufficient that access to the record concerned could reasonably be expected to disclose such negotiation positions, plans etc.

This Office takes the view that an FOI body seeking to refuse access to information under section 30(1)(c) should identify the relevant negotiations at issue. Relevant factors in considering whether there is or was a negotiation include whether the FOI body was trying to reach some compromise or some mutual agreement. The Commissioner also accepts that, generally speaking, proposal-type information relating to a public body's negotiations would also be exempt under section 30(1)(c).

The DPC said that the redacted information, if released, would disclose positions taken or to be taken in relation to the DPC’s ongoing engagement with the vendor, including negotiations with the vendor to enable the project to be fully completed. It said that the redacted information has not been disclosed by the DPC to the vendor, and disclosure of the relevant information at this stage would prejudice the DPC in finalising the project. The DPC has not identified any specific negotiations in this case, beyond simply continuing to work with the vendor to bring the project to completion. Neither have they pointed to any positions taken that the records would disclose, or any plans, procedures, criteria or instructions used or followed, for the purposes of any negotiations. It is not apparent to me from a careful examination of the records that release would disclose any of the information encompassed by section 30(1)(c). I find that section 30(1)(c) does not apply.

As I have found none of the relevant subsections of section 30(1) to apply to the information at issue, there is no need to examine the public interest under section 30(2).

Section 32: Law enforcement and public safety

The DPC claimed that parts of pages 5, 6, 7, 8, 9, 10, 11, 12 and 13 of the Report are exempt from release under section 32(1)(a)(iii) of the FOI Act.

Section 32 is a harm-based exemption which allows an FOI body to refuse a request if it considers that access to the record sought could reasonably be expected to give rise to any of the harms set out in subsection (1). Where an FOI body relies on section 32(1), it should identify the potential harm to the matters specified in the relevant sub-paragraph or sub-section that might arise from disclosure and, having identified that harm, consider the reasonableness of any expectation that the harm will occur. A mere assertion of an expectation of harm is not sufficient, the FOI body should show how release of the particular record could reasonably be expected to result in that harm; the contents of the record(s) at issue are important and consideration should be given to what they reveal. The exemption is subject to a public interest test; however, the public interest test arises only where certain limited circumstances exist.

Subsection (1)(a)(iii) is concerned with prejudice to, or impairment of, lawful methods, systems, plans or procedures for ensuring the safety of the public and the safety or security of persons and property.

In its submissions, the DPC indicated that the parts of the Report refused under this exemption broadly fall within one of two categories, either descriptions of “design and risk mitigation characteristics of the technical system and infrastructure and systems customisations” or “specific solutions and systems used by the DPC and/or to be adopted by the DPC”, both of which, if disclosed, could compromise security. One redaction made (on page 13) includes a reference to a location of a file in a folder on the DPC’s system; the link itself is outside the scope of the review. The DPC said that release of the withheld information could be reasonably expected to prejudice or impair the DPC’s lawful methods, systems, plans or procedures for ensuring the security of its property, in particular, its IT system and management system, the documents and data stored on those systems, and the particular methods and software used in that regard, as well as the ongoing plans in respect of those systems. It said that the redacted information identifies specific software used and specific properties and features of that software and aspects of the DPC’s IT system. It said that “of its nature, it is security information and/or information from which security information can be gleaned, which is not otherwise published by the DPC, and is of a type that could be used to compromise the DPC’s systems, e.g. by giving mal-intended actors specific information which could assist them in compromising the relevant systems”. It said that it considers that “a risk-based approach should be adopted in relation to ICT security information, and if there is any risk associated with the information such that it could compromise security (and the DPC confirms that there is such a risk), then, on balance and given what is at stake, the information should not be released”.

The applicant said that the record contained no compromising security information whatsoever and described the information in the report overall as ‘very generalised’. He referred to the Guidance Note on section 32 available on this Office’s website, and the point made within the Guidance that FOI bodies relying on this exemption should show how the harm envisaged could reasonably be expected to result from the release of the records. He said that the DPC had not done this and had offered no analysis of how the relevant harms could manifest, or what the likelihood was of them arising.

I fully accept that all organisations have serious and genuine concerns around information security and IT security, and that, given the nature of the DPC’s remit and the nature of the complaints it deals with, and the investigations it carries out, this concern is heightened even further. Within this context, I acknowledge the DPC’s comment about its approach to risk and I have carefully examined the information at issue on each of the relevant pages of the report. It is important to note that any specific references to names of software or IT systems used have been removed from the scope of this review and require no further consideration, so any arguments connected to the identification of specific software necessarily fall away.

Looking at the remaining parts of the record that have been refused under this exemption, they seem to me to contain generalised, high level information referring to various approaches and steps taken, and to be taken, in the development of the CMS for the DPC, in the context of reporting on the project to the CMS Works Board. Conscious of the constraints of section 25(3), I am limited in how much more I can say about the redacted information. However, I think it is reasonable to say that it appears to me to be the kind of information that any large regulatory body would include in a report to management documenting a project to develop a new CMS. The features of the system that the report describes and steps to be taken in its implementation are, it seems to me, standard and unsurprising, as well as being described in broad terms. The DPC has described the information at issue as “security information and/or information from which security information can be gleaned” but having carefully scrutinised the information, I simply cannot accept that this is an accurate description. The DPC has not explained how it reasonably expects the release of this information to prejudice or impair the lawful methods, systems, plans or procedures for ensuring the security of its IT system, management system, documents, data, software or plans regarding any of these systems, and it is not evident to me how such prejudice or impairment could arise. Overall, it seems to me that the redacted information lacks the kind of specificity that might lend itself to giving ‘bad actors’ any kind of advantage if they intended to attempt to compromise the DPC’s systems. For these reasons, I find that the DPC has not justified its reliance on section 32(1)(a)(iii) of the FOI Act for refusing access to the relevant parts of the record.

Section 33: Security, defence and international relations

The DPC claimed that parts of pages 5, 6, 7, 8, 9, 10, 11, 12 and 13 of the Report are also exempt from release under section 33(3)(c)(iii) of the FOI Act.

Section 33(3)(c)(iii) provides that an FOI request shall be refused if the record concerned contains information communicated in confidence “(whether generated in the State or elsewhere) in the possession of a public body in relation to planning for, or responses to, threats or incidents in respect of network and information security”.

This is a mandatory exemption, and in considering whether the subsection applies, the relevant test to apply is whether the record meets the description of any of the classes or categories of records set out therein. There is no requirement on the FOI body to identify a potential harm that might arise from disclosure of the record. In addition, there is no public interest override which would allow for the consideration of whether the public interest would be better served by release of the record. Nevertheless, in order for subsection (3)(c) to apply, it is an overarching requirement that the record concerned must contain information communicated in confidence.

In its submissions, the DPC said that the information at issue “is and has been communicated in confidence (both internally within the DPC and with the DPC’s relevant ICT service provider) and is not published by the DPC and so it remains confidential”. It said that the information was in the possession of the DPC in relation to its planning for, or its responses to, threats or incidents in relation to network and/or information security. It said that the information is, of its nature, security information and/or information from which security information can be gleaned, which is not otherwise published by the DPC, and is of a type that could be used to compromise the DPC’s systems, e.g. by giving mal-intended actors specific information which could assist them in compromising the relevant systems. It also said that the Report related to confidential consultation between the DPC and the vendor, and release of the information could negatively impact on this or future consultation with others parties in the future if they were of the view that their communications would be released to the public by the DPC.

Having carefully considered the wording of section 33(3)(c)(iii), it seems to me that it cannot be intended to include internal communications from one part of an FOI body to another, and that relates solely to internal matters. Neither do I accept that the redacted information, which I have found to be of a general nature in my analysis under section 32 above, constitutes information relating to the planning for, or responses to, threats or incidents in respect of network security. 

It is not clear to me how references to consultation with the service provider are relevant to the DPC’s reliance on this exemption. However, I think it is important to make the point here that when a service provider is doing business with a public body that is subject to the FOI Act, there should be no expectation that such business would be conducted in complete secrecy. Any concerns about commercial sensitivity in this regard, should be more properly dealt with under section 36 of the Act, which I have addressed below.

For the reasons set out above, I find that the DPC has not justified its reliance on section 33(3)(c)(iii) of the FOI Act for refusing access to the relevant parts of the record.

Section 36: Commercially sensitive information

As stated above, the DPC made no submissions on section 36. However, some of the arguments it made in support of its reliance on other exemptions are, it seems to me, relevant to the issue of commercial sensitivity, specifically section 36(1)(b), which is a mandatory exemption that serves to protect commercially sensitive information relating to third parties.

Section 36(1)(b) of the Act provides that an FOI body shall refuse to grant a request if the disclosure of the record sought could reasonably be expected to result in a material financial loss or gain to the person to whom the information relates, or could prejudice the competitive position of the person in the conduct of his or her profession or business or otherwise in his or her occupation. The essence of the test in section 36(1)(b) is not the nature of the information but the nature of the harm which might be occasioned by its release.

The harm test in the first part of section 36(1)(b) is that disclosure “could reasonably be expected to result in material loss or gain”. This Office takes the view that the test to be applied is not concerned with the question of probabilities or possibilities but with whether the decision maker’s expectation is reasonable. The harm test in the second part of section 36(1)(b) is that disclosure of the information "could prejudice the competitive position" of the person in the conduct of their business or profession. The standard of proof to be met here is considerably lower than the "could reasonably be expected" test in the first part of this exemption. However, this Office takes the view that, in invoking "prejudice", the damage that could occur must be specified with a reasonable degree of clarity.

The information redacted from page 14 and from the last two paragraphs of page 8 contains comments about the vendor that was appointed to work on the delivery of the CMS project.

The applicant said that the CMS project was beset by problems before the vendor was selected, and that this was a matter of public record and has been covered in the media. In addition, he said that the vendor was not named in the record. He argued that the release of the information on page 14 is of significant public interest and is unlikely to prejudice the competitive position of the vendor.

While I am constrained by section 25(3) in describing the information at issue any further, and having regard to the relatively low evidential bar in the second part of section 36(1)(b), I am satisfied that release of the information redacted from page 14 and from the last two paragraphs of page 8 could prejudice the competitive position of the vendor in the conduct of its business. For completeness I should note that the vendor is named in the record, and in any event it secured the contract through a public tender process so its name would, in any event, be a matter of public record. I find that section 36(1)(b) applies to the information.

Section 36(2) provides that section 36(1) does not apply in certain circumstances. I am satisfied that no such circumstances arise in this case. Moreover, section 36(3) provides that section 36(1) does not apply in relation to a case in which, in the opinion of the head concerned, the public interest would, on balance, be better served by granting than by refusing the FOI request.

In considering where the balance of the public interest lies in, I have had regard to section 11(3) of the Act which provides that in performing any functions under the Act, an FOI body must have regard to, among other things, the need to achieve greater openness in the activities of FOI bodies and to promote adherence by them to the principles of transparency in government and public affairs and the need to inform scrutiny, discussion, comment and review by the public of the activities of FOI bodies. However, in doing so, I have also had regard to the judgment of the Supreme Court in The Minister for Communications, Energy and Natural Resources and the Information Commissioner & Ors [2020] IESC 57 (“the Enet case”). In that case, the Supreme Court found that a general principle of openness does not suffice to direct release of records in the public interest and “there must be a sufficiently specific, cogent and fact-based reason to tip the balance in favour of disclosure”. 

Section 36(1) is an express recognition of the fact that there is a public interest in private companies or individuals being able to do business with FOI bodies without harming their competitive position, their reputation or their ability to carry out their business or profession. I accept that the release of the information could prejudice the competitive position of the vendor in the conduct of its business. While I am limited in saying any further, I do not believe that the degree of potential harm is insignificant. It is also relevant to note that the Commissioner takes the view that the FOI Act was designed to increase openness and transparency in the way in which FOI bodies conduct their operations and, in general terms, it was not designed as a means by which the operations of private enterprises were to be opened up to scrutiny.

The applicant did not identify any specific arguments as to why the public interest would, on balance, be better served by the release of the information, apart from suggesting that there is a significant public interest in its release. Having examined the information at issue, it seems to me that its release would serve to enhance, to some degree, the public understanding of the level of service the DPC achieved for its expenditure of public monies and the extent to which it has achieved value for its expenditure.

Having regard to the specific information at issue, however, I believe that the extent to which that public understanding would be enhanced through its release would be minimal. I am satisfied that it would not be such that it would outweigh the public interest in the protection of the vendor from potential prejudice to its competitive position by refusing access to the information. In the circumstances, I am satisfied that the public interest would, on balance, be better served by refusing rather than granting access to, the information. I find, therefore, that the information at issue is exempt from release under section36(1)(b) of the Act.

Decision

Having carried out a review under section 22(2) of the FOI Act, I hereby vary the DPC’s decision. I find that the information redacted from page 14 of the Report, and from the last two paragraphs of page 8, is exempt from release under section 36(1)(b) and that the DPC was therefore justified in refusing access to it. I find, however, that it has not justified its refusal to release the remainder of the Report, and I direct its release subject to the redaction of the names of any specific software/ IT systems.

Right of Appeal

Section 24 of the FOI Act sets out detailed provisions for an appeal to the High Court by a party to a review, or any other person affected by the decision. In summary, such an appeal, normally on a point of law, must be initiated by the applicant not later than eight weeks after notice of the decision was given, and by any other party not later than four weeks after notice of the decision was given.

 

Stephen Rafferty
Senior Investigator