Case number: OIC-106961-R2N0H7
28 June 2021
It appears that the applicant in this case originally submitted a subject access request under GDPR to the NMBI on 23 February 2021 and that the request was processed as a request under the FOI Act. The request was for a copy of any information the NMBI keeps, on computer or in manual form, in relation to him and previous concerns raised with the NMBI. On 18 March 2021, the applicant also submitted an FOI request for a copy of a specified complaint.
In a decision dated 22 March 2021, the NMBI part-granted the applicant’s request, releasing 21 records to him with redactions made under section 37 of the FOI Act. The applicant sought an internal review of that decision on the grounds that he had not received all relevant records and that he wished to receive access to the domain of the email addresses that had been redacted.
The NMBI issued its internal review decision on 27 April 2021, in which it affirmed its original decision. Following correspondence with the applicant, it released a revised internal review decision on 28 April 2021, in which it varied its original decision and released the further record sought by the applicant to him with redactions made under section 37 of the FOI Act. On 28 April 2021, the applicant sought a review by this Office of the NMBI’s decision.
I have now completed my review in accordance with section 22(2) of the FOI Act. In carrying out my review, I have had regard to the correspondence between the applicant and the NMBI as outlined above and to the correspondence between this Office and both the applicant and the NMBI on the matter. I have also had regard to the content of the relevant records. In referring to the records at issue, I have adopted the record numbering system used by the NMBI when processing the request. I have decided to conclude this review by way of a formal, binding decision.
In his application for review to this Office, the applicant stated that he was seeking access only to the domain name(s) of the email addresses redacted from the records released to him. Accordingly, this review is concerned solely with whether the NMBI was justified in refusing, under section 37(1) of the Act, to grant access to the domain names of the redacted email addresses.
Before I address the substantive issues arising, I would like to make a number of preliminary comments. First, the applicant should note that under section 13(4) of the Act, any reason that a requester gives for a request must generally be disregarded when deciding whether to grant or refuse the request. This means that this Office cannot have regard to the applicant's motives for seeking access to the information at issue, except in so far as those motives reflect what might be regarded as public interest factors in favour of release of the information where the Act requires a consideration of the public interest.
It should also be noted that while I am obliged to give reasons for my decision, section 25(3) of the Act requires that all reasonable precautions be taken in the course of a review to prevent disclosure of information contained in an exempt record. This means that I am somewhat limited in the reasons I can give for my findings in this case.
Finally, it should be noted that this Office has no role in considering access to records under GDPR or complaints about GDPR. That is a matter for the Data Protection Commission.
The NMBI redacted email addresses from records 1, 2, 4 to 8, 11, 13, 14, 18 and 20. Although redactions were made to the remainder of the records, the redactions do not involve email addresses and as such, I do not need to consider those records any further.
Section 37(1) of the FOI Act provides that, subject to the other provisions of the section, an FOI body shall refuse a request if access to the record concerned would involve the disclosure of personal information relating to an individual other than the requester.
For the purposes of the Act, personal information is defined as information about an identifiable individual that either (a) would ordinarily be known only to the individual or members of the family, or friends, of the individual, or (b) is held by an FOI body on the understanding that it would be treated by that body as confidential. The definition also details fourteen specific categories of information that is personal information without prejudice to the generality of the foregoing definition, including (iii) information relating to the employment or employment history of the individual.
In the circumstances of this case, it is relevant to note that Paragraph I of section 2 excludes certain information from the definition of personal information, including the name of a staff member of an FOI body and information relating to his/her office or position or its functions, or anything written or recorded in any form by the individual in the course of and for the purpose of the performance of his or her functions. This exclusion is intended, in essence, to ensure that section 37 will not be used to exempt the identity of a public servant while carrying out his or her official functions.
The emails addresses redacted from Record 1 comprise the work email addresses of two NMBI staff members. As outlined above, the applicant is seeking access only to the domain names of the email addresses redacted from the records. Given that the email addresses in question comprise the work emails of NMBI staff members, I find that the domain names of those email addresses is excluded from the definition of personal information, pursuant to the exclusion in Paragraph I, and that section 37(1) does not, therefore, apply.
With regard to the remainder of the redacted email addresses, which do not relate to NMBI staff members, it is the applicant’s position that the domain names of email addresses do not comprise personal information and should therefore be released. It is relevant to note that the vast majority of the records at issue, including their subject matter, were released to the applicant. As such, the context in which the various emails were exchanged will be readily apparent to the applicant. It is also important to note that the release of information that does not contain the identity of an individual may still qualify as personal information for the purposes of the FOI Act. The question I must consider, therefore, is whether the release of the domain names of the redacted email addresses would involve the disclosure of personal information relating to identifiable individuals.
I am satisfied that the release of the full email addresses would involve the disclosure of personal information relating to the individuals concerned. The NMBI argued that the release of the domain names of the emails would have facilitated the identification of the email addresses. Given that the context within which the emails were exchanged and the subject matter of the emails is available to the applicant, I agree. As such, I find that the release of the domain names of the redacted email addresses in question would involve the disclosure of personal information relating to individuals other than the applicant and that section 37(1) applies to that information.
Section 37(2) of the FOI Act sets out certain circumstances in which section 37(1) does not apply. I am satisfied that none of those circumstances arise in this case. Section 37(5) of the FOI Act provides that a request that would fall to be refused under section 37(1) may still be granted where, on balance, (a) the public interest that the request should be granted outweighs the right to privacy of the individual to whom the information relates, or (b) the grant of the information would be to the benefit of the person to whom the information relates.
I am satisfied that the release of the information at issue would not be to the benefit of the individuals concerned and that section 37(5)(b) does not apply. In relation to paragraph (a), I must consider whether the public interest in granting the request outweighs, on balance, the public interest in protecting the right of privacy of the individuals to whom the information relates.
On the matter of whether the public interest in granting access to the records at issue would, on balance, outweigh the privacy rights of the individuals concerned, I have had regard to the comments of the Supreme Court in The Governors and Guardians of the Hospital for the Relief of Poor Lying-In Women v The Information Commissioner  1 I.R. 729,  IESC 26) (“the Rotunda case”). It is noted that a public interest (“a true public interest recognised by means of a well-known and established policy, adopted by the Oireachtas, or by law”) should be distinguished from a private interest. Noting the provisions of section 13(4) as set out above, it is clear that, as a general rule, the actual or perceived reasons for a request must be disregarded in deciding whether to grant or refuse an access request under the FOI Act. In relation to the question of the public interest, the reasons for a request are only relevant insofar as they reflect or overlap with what may be regarded as a "true" public interest.
On the matter of the type of public interest factors that might be considered in support of the release of the records at issue in this case, I have also had regard to the findings of the Supreme Court in The Minister for Communications, Energy and Natural Resources v The Information Commissioner & Ors (the enet judgment). In her judgment, Baker J. indicated that the public interest in favour of disclosure cannot be the same public interest as that broadly stated in the Act. She said the public interest in disclosure must be something more than the general public interest in disclosure and the reason must be found from the scrutiny of the contents of the record. She said there must be a sufficiently specific, cogent and fact-based reason to tip the balance in favour of disclosure.
While the comments of the Supreme Court in both judgments cited above were made in relation to provisions of the FOI Act other than section 37, I consider them to be relevant to the consideration of public interest tests generally.
Both the language of section 37 and the Long Title to the FOI Act recognise a very strong public interest in protecting the right to privacy (which has a Constitutional dimension, as one of the un-enumerated personal rights under the Constitution). Unlike other public interest tests provided for in the FOI Act, there is also a discretionary element to section 37(5)(a), which is a further indication of the very strong public interest in the right to privacy. Privacy rights will therefore be set aside only where the public interest served by granting the request (and breaching those rights) is sufficiently strong to outweigh the public interest in protecting privacy. It is also important to bear in mind that the release of records under FOI is regarded, in essence, as release to the world at large, given that the Act imposes no constraints on the uses to which information released under FOI may be put.
While the applicant has made numerous arguments in his submissions to this Office in support of his request for the information at issue, they relate primarily to his complaint made to the NMBI and to the handling of his personal data during the complaint process. While I do not propose to address each and every argument, I can confirm that I have had regard to them in making my decision. Apart from the applicant’s private interest in accessing the information at issue, he has essentially argued that there is a significant public interest in enhancing the transparency of the NMBI’s complaint process and communications between Irish State organisations and private organisations based in the UK.
I fail to see how the release of domain names of the redacted email addresses would serve any particular positive public interest in favour of release that would outweigh, on balance, the privacy rights of the individuals concerned. I find therefore, that section 37(5)(a) does not apply.
Consequently, I find that the NMBI was justified in refusing access to the information sought under section 37(1).
Having carried out a review under section 22(2) of the FOI Act, I hereby vary the NMBI’s decision to refuse access to the domain names of certain email addresses that were redacted from records released to the applicant. I find that it was not justified in refusing access, under section 37(1) to the domain names of the email addresses of its staff members, as contained in Record 1, but that it was justified in refusing access to the domain names of the remaining email addresses. I direct the release of the NMBI staff emails contained in Record 1.
Section 24 of the FOI Act sets out detailed provisions for an appeal to the High Court by a party to a review, or any other person affected by the decision. In summary, such an appeal, normally on a point of law, must be initiated by the applicant not later than eight weeks after notice of the decision was given, and by any other party not later than four weeks after notice of the decision was given.