Case number: OIC-112710-T7B9B0

Whether KETB was justified in refusing access, under sections 15(1)(a), 30(1)(b) and 37(1) of the FOI Act, to details of who accessed certain KETB electronic files and folders

16 December 2021

Background

The applicant, an employee of KETB, teaches five modules as part of two different courses in a KETB College of Further Education. On 5 July 2021, she sought reports containing details of the dates and times five electronic folders and the files contained therein for each of the five named modules were accessed/modified, and by whom.

In a decision dated 30 July 2021, KETB part-granted the request. It identified five records relevant to the request, described as ‘audit logs’ of the electronic folders for each of the modules. The audit logs were each put into Excel spreadsheet format and an edited version of them was released to the applicant. Each of the spreadsheets released to the applicant contained three columns: (A) “CreationDate” (the date and time the folder was accessed), (B) “UserIDs” (the user’s email address), and (C) “Operations” (whether a file was previewed, modified, downloaded etc). Only the entries relating to the applicant were released. All information relating to files being accessed by any other parties was withheld under sections 30 and 37(1) of the FOI Act.

The applicant sought an internal review of KETB’s decision on 3 August 2021, wherein she argued that the names of who accessed the files and when does not constitute personal information for the purposes of the FOI Act. She also noted that KETB had not indicated which sub-section of section 30 it was relying on to withhold information.

In an internal review decision dated 3 September 2021, KETB varied the original decision and said that it was refusing the request in accordance with section 15(1)(a) of the FOI Act. Referring to a previous decision of the Information Commissioner (OIC – 150278), it stated that the applicant had sought metadata which does not constitute a record within the meaning of the FOI Act. Notwithstanding this revised position, it said that if the applicant’s request was deemed to fall within the meaning of a record, it maintained that sections 30(1)(b) and 37(1) of the Act applied to the information withheld from the records that were released.   

In the course of this review, in pursuit of a potential settlement, KETB released amended versions of the spreadsheets to the applicant containing the same three columns as had been released previously. However, rather than removing all rows in their entirety that contained details of a user other than the applicant accessing a particular folder, in this version KETB left in the information under CreationDate and Operations but redacted the UserID. It was therefore possible to see which folders had been accessed, when and in what manner, but not who had accessed them. The applicant, having reviewed this additional information, remained dissatisfied and requested that the review by this Office continue.

I have decided to conclude this review by way of a formal, binding decision. I have completed my review in accordance with section 22(2) of the FOI Act.  In carrying out my review, I have had regard to the submissions made by KETB and by the applicant, to the correspondence between the applicant and KETB as set out above, as well as to further communications between the parties and this Office. I have also had regard to the contents of the records concerned. 

Scope of Review

This review is concerned with whether KETB was justified in refusing, under section 15(1)(a) of the Act, the applicant’s request for the identities of the individuals who accessed certain electronic folders and files and when, on the ground that the information sought is not a record for the purposes of the Act and as such, that no relevant record exists.

If it is determined that KETB was not justified in refusing the request under section 15(1)(a), the review will then consider whether it was justified in refusing certain information from the records under sections 30(1)(b) and 37(1) of the FOI Act.

Preliminary Matters                                                                        

In her correspondence with this Office, the applicant provided some background information as to the reasons for her request. It is important to note, as a preliminary matter, that section 13(4) of the Act provides that in deciding whether to grant or refuse a request, any reason that the requester gives for the request shall be disregarded. This means that this Office cannot have regard to the applicant's motives for seeking access to the information in question, except in so far as those motives reflect what might be regarded as public interest factors in favour of release of the information where the Act requires a consideration of the public interest.

In addition, this Office has no remit to investigate complaints, to adjudicate on how FOI bodies perform their functions generally, or to act as an alternative dispute resolution mechanism with respect to actions taken by FOI bodies.

Finally, it is important to note that the release of a record under FOI is, in effect, regarded as release to the world at large given that the Act places no constraints on the uses to which a record released under the Act may be put.

Analysis and Findings

Section 15(1)(a)

Section 15(1)(a) of the FOI Act provides for the refusal of a request for a record where the record does not exist or cannot be found after all reasonable steps to ascertain its whereabouts have been taken.

The applicant submitted that the records do exist, stating that a report containing the information sought by her had been given to her line manager prior to the FOI request being made, and she stated that the Microsoft Office system used in managing the files/folders automatically generates reports on access, modifications etc. of each individual file. In its submissions to this Office, KETB clarified that its position is not that the information requested by the applicant does not exist, but rather that the information requested is not a record within the meaning of the FOI Act.

KETB argued that the applicant has sought metadata, which it characterised as information about a record, rather than being a record itself. It referred to a previous decision of the Information Commissioner in support of its position (Mr M and University College Dublin, Case OIC -150277). KETB said that even in circumstances where an FOI body has obtained the metadata and copied it into the format of a document, it remains information about a record. KETB said that, according to the Information Commissioner, the requester is not entitled to the information, i.e. the format the metadata is in does not change the fact that it is metadata. It went on to note that it extracted the information from the IT management system in circumstances where the applicant had raised a query in relation to the metadata and it was only in order to consider this query that the metadata was reviewed

I do not accept that the previous decision relied upon by KETB can be characterised as providing a definitive position that a request for metadata cannot be considered a valid request for records under the FOI Act. Notwithstanding that each case must be examined on its own set of particular circumstances, the decision of the public body in OIC-150277 was affirmed under section 15(1)(g) of the FOI Act, i.e. that the request formed part of a pattern of manifestly unreasonable requests. While UCD had also claimed 15(1)(a) in its refusal of the applicant’s request, because it was determined that 15(1)(g) applied, no binding determination was made in relation to section 15(1)(a). The decision contains a number of comments in relation to metadata, which the applicant in that case had sought from specific records, but again these comments must be interpreted in light of the particular circumstances of that case. I do not accept that they can be taken to mean that any request for records containing metadata is necessarily an invalid request under the FOI Act.

The FOI Act provides for a right of access to records held by an FOI body. Requests for information or for answers to questions, as opposed to requests for records, are not valid requests under the Act, except to the extent that a request for information or for an answer to a question can reasonably be inferred to be a request for a record containing the information or answer sought. The FOI Act is concerned with the provision of access to records that are actually held. It does not provide for a right of access to a record which ought to exist. The Act does not require FOI bodies to create a record if none exists, apart from a specific requirement to extract records or existing information held on electronic devices, in accordance with section 17(4) of the Act.

Under section 17(4), where a request relates to data contained in more than one record held on an electronic device by the body concerned, the body must take reasonable steps to search for and extract the records to which the request relates. The reasonable steps are those that involve the use of any facility for electronic search or extraction that existed on the date of the request and was ordinarily used by the FOI body. Where these reasonable steps result in the creation of a new record, that record is, for the purposes of considering whether or not such a new record should be disclosed in response to the request, deemed to have been created on the date of receipt of the request. However, if the body does not hold a record containing the information sought and cannot search for and extract the electronically held records by taking reasonable steps, then that is the end of the matter.

In this case, the applicant sought records containing information about who accessed certain folders, and when they accessed them. I think it is correct and reasonable to say that the information sought constitutes metadata pertaining to these folders. KETB extracted this metadata from its IT system in the form of audit logs for each of the named folders which it then put into a spreadsheet format using Excel. It seems to me that this is in keeping with the reasonable steps envisaged in section 17(4)(a) and that, in accordance with section 17(4)(b), the five Excel files constitute new records deemed to have been created on the date of receipt of the FOI request.

In these circumstances, I am not satisfied that KETB was justified in refusing the applicant’s request under section 15(1)(a).

Section 37(1)

Section 37(1) of the FOI Act provides that, subject to the other provisions of the section, an FOI body shall refuse a request if access to the record concerned would involve the disclosure of personal information. This does not apply where the information involved relates to the requester (section 37(2)(a) refers). However, section 37(7) provides that, notwithstanding section 37(2)(a), an FOI body shall refuse to grant a request if access to the record concerned would, in addition to involving the disclosure of personal information relating to the requester, also involve the disclosure of personal information relating to an individual or individuals other than the requester (commonly known as joint personal information).

Section 2 of the FOI Act defines personal information as information about an identifiable individual that, either (a) would, in the ordinary course of events, be known only to the individual or members of the family, or friends, of the individual, or (b) is held by an FOI body on the understanding that it would be treated by that body as confidential”. Section 2 goes on to specify 14 categories of information which, without prejudice to the generality of the above definition, constitute personal information, including (i) information relating to the educational, medical, psychiatric or psychological history of the individual, and (iii) information relating to the employment or employment history of the individual.

Certain information is excluded from the definition of personal information. Where the individual holds or held a position as a member of the staff of an FOI body, the definition does not include his or her name, or information relating to the position, the functions of the position, the terms upon and subject to which the individual holds or held that position, or anything written or recorded in any form by the individual in the course of and for the purpose of the performance of his or her functions (Paragraph I refers).

As I have explained above, during the course of the review, KETB released redacted versions of the spreadsheets to the applicant containing details of how and when the various files had been accessed. The information redacted comprised the user id of the individuals who accessed them, other than the applicant, in the form of their email addresses. The redacted email addresses comprise the email addresses of other staff members of the college, email addresses of students of the college, a generic contact email address for a section of the college, the word “anonymous”, a string of characters indicating an anonymous user, and guest users with a private Gmail address.

The applicant argued that the name of an individual is not personal information for the purposes of the Act. However, this ignores that the fact that the disclosure of the information sought in this case would disclose more than names of individuals. It would also disclose the fact that the individuals accessed certain files and when they did so. It would disclose their email addresses. In the case of students, it would disclose information relating to their educational history. KETB staff members apart, I am satisfied that the disclosure of the identities of the individuals who accessed the files comprises personal information relating to those individuals for the purposes of the FOI Act.

In relation to the email addresses of staff members, KETB’s position is that this constitutes personal information pursuant to part (iii) of the definition of personal information in section 2 of the Act, namely information relating to the employment or employment history of the individual. It submitted that staff members are entitled to have a reasonable expectation that their accessing of KETB files, in the course of their work, is not unnecessarily monitored in any way and is not shared with the public. It stated that this is particularly important in an education setting where there are very limited circumstances in which a staff member’s teaching can be interfered with or monitored.

The exclusion at Paragraph (I) to the definition of personal information does not exclude all information relating to staff members. The exclusion is intended, in essence, to ensure that section 37 cannot be used to refuse a request for access to information concerning the carrying out of the work of public bodies. For example, if a staff member prepares a report in the course of the performance of his or her functions, the public body is not entitled to regard that report as personal information relating to the staff member in question.

Nevertheless, the exclusion does not deprive public servants of the right to privacy generally. It does not mean that no records relating to staff members can ever be found to comprise personal information relating to those staff members. The records at issue in this case are audit logs. They exist for a specific and discrete purpose, namely to allow for the auditing of system usage, and are not, in my view, of a type that is captured by the exclusion. It seems to me that staff members of an FOI body are entitled to expect that such information is held by the body on the understanding that it would be treated by that body as confidential and that it would not be widely disseminated, potentially to the world at large. I am satisfied that the disclosure of the identities of the staff members would, in this instance, involve the disclosure of personal information relating to those staff members.

In the circumstances, I find that section 37(1) applies to the information at issue. However, that is not the end of the matter as section 37(1) is subject to the other provisions of section 37.

Section 37(2)

Section 37(2) provides that section 37(1) does not apply in certain circumstances. I am satisfied that no such circumstances arise in this case and that section 37(2) does not apply.  

Section 37(5)

Section 37(5) provides that a request that would fall to be refused under section 37(1) may still be granted where, on balance (a) the public interest that the request should be granted outweighs the right to privacy of the individual to whom the information relates, or (b) the grant of the information would be to the benefit of the person to whom the information relates. There is no evidence to suggest that the individuals to whom the information relates would benefit by its release and I find that section 37(5)(b) does not apply in this case.

As to whether section 37(5)(a) applies, the question I must consider is whether the public interest in releasing the information outweighs, on balance, the public interest in protecting the privacy rights of the individuals to whom the information relates. In considering this issue, I have had regard to the comments of the Supreme Court in The Governors and Guardians of the Hospital for the Relief of Poor Lying-In Women v The Information Commissioner [2011] 1 I.R. 729, [2011] IESC 26) (“the Rotunda case”). It is noted that a public interest (“a true public interest recognised by means of a well-known and established policy, adopted by the Oireachtas, or by law”) should be distinguished from a private interest.

In considering the type of public interest factors that might be considered in support of the release of the information at issue in this case, I have also had regard to the findings of the Supreme Court in The Minister for Communications, Energy and Natural Resources v The Information Commissioner & Ors [2020] IESC 5. In her judgment, Baker J. indicated that the public interest in favour of disclosure cannot be the same public interest as that broadly stated in the Act. She said the public interest in disclosure must be something more than the general public interest in disclosure and the reason must be found from the scrutiny of the contents of the record. She said there must be a sufficiently specific, cogent and fact-based reason to tip the balance in favour of disclosure.

While the comments of the Supreme Court in both judgments cited above were made in relation to provisions of the FOI Act other than section 37, I consider them to be relevant to the consideration of public interest tests generally.

Both the language of section 37 and the Long Title to the FOI Act recognise a very strong public interest in protecting the right to privacy (which has a Constitutional dimension, as one of the un-enumerated personal rights under the Constitution). Unlike other public interest tests provided for in the FOI Act, there is also a discretionary element to section 37(5)(a), which is a further indication of the very strong public interest in the right to privacy. Privacy rights will therefore be set aside only where the public interest served by granting the request (and breaching those rights) is sufficiently strong to outweigh the public interest in protecting privacy.

As noted above, I am required to disregard the applicant's reasons for her FOI request. Therefore, I can only take into account the purpose for which she seeks this information insofar as it could be construed as a public interest. The applicant raised concerns about users accessing the electronic folders beyond what she would have expected and argued that release of the records is needed to understand the reasons for courses of action taken by KETB. For example, if grades were increased or reduced, the records could provide evidence of whether this was in compliance with QQI and ETBI guidelines.

I accept that there is a public interest in ensuring that grades are awarded in colleges of further education in a fair way in keeping with relevant standards. Generally, it will be the responsibility of the FOI body concerned to ensure that it has appropriate practices and procedures in place to achieve this aim and that it has systems and processes for auditing the effectiveness of those practices and procedures. Arguably, it is also in the public interest for the public to be aware that the body has such systems, practices and processes in place. However, this does not mean that the personal information of individuals should be disclosed to allow members of the public to draw their own conclusions as to the efficacy of such processes.  Having carefully considered the matter, and given the strong public interest in protecting the right to privacy, I find that the public interest in granting access to the information at issue does not, on balance, outweigh the right to privacy of the individuals to whom the information relates.

Conclusion

In conclusion, I find that KETB was justified in refusing access, under section 37(1) of the Act, to the user identities of the individuals who accessed various specified files. Having found section 37(1) to apply, I do not deem it necessary to examine KETB’s refusal under section 30(1)(b).

Decision

Having carried out a review under section 22(2) of the FOI Act, I hereby affirm KETB’s decision to refuse access, under section 37(1) of the Act, to the identities of the individuals who accessed various specified files.

Right of Appeal

Section 24 of the FOI Act sets out detailed provisions for an appeal to the High Court by a party to a review, or any other person affected by the decision. In summary, such an appeal, normally on a point of law, must be initiated not later than four weeks after notice of the decision was given to the person bringing the appeal.

Stephen Rafferty

Senior Investigator