Case number: OIC-125194-D4Z5C3
18 October 2022
It appears that the applicant has issued proceedings against her employer under the Data Protection Act regarding a data breach which resulted in a fraudulent social welfare claim being made to the Department using her personal details. The applicant was represented by her legal representatives throughout this FOI process. Any reference to communications with the applicant in this decision should be taken to include communications with her legal representatives.
In a request dated 29 March 2022, the applicant sought access, through her legal representatives, to a copy of the information kept by the Department in respect of a PUP claim using the applicant’s details. In particular, she was seeking a copy of the claim form that was submitted to confirm the bank details and if the claim was made electronically, she was seeking the Internet Protocol Address (IP address) to help confirm that the applicant did not make the claim.
The Department issued a late decision on 22 April 2022, wherein it refused the request on the grounds that section 32(1)(a)(i) applied, i.e. that release of the records would prejudice or impair the prevention, detection or investigation of offences, the apprehension or prosecution of offenders or the effectiveness of lawful methods, systems, plans or procedures employed for the purposes of the matters aforesaid.
On 13 May 2022, the applicant sought an internal review of the Department’s refusal of her request. She indicated that she could not see how the release of the records sought could impair the prosecution of an offender. On 1 June 2022, the Department affirmed its refusal of the request. It also cited section 32(1)(a)(ii) in support of its refusal. On 10 June 2022, the applicant sought a review by this Office of the Department’s decision.
I have now completed my review in accordance with section 22(2) of the FOI Act. In carrying out my review, I have had regard to the correspondence referred to above and to the correspondence between this Office and both parties on the matter. I have also had regard to the contents of the records concerned. I have decided to conclude this review by way of a formal, binding decision.
This review is concerned solely with whether the Department was justified in refusing access, under section 32(1) of the Act, to records relating to a fraudulent claim made using the applicant’s information.
Before I address the substantive issues arising, I would like to make a number of preliminary points.
First, section 25(3) of the FOI Act requires the Information Commissioner to take all reasonable precautions in the performance of his functions to prevent the disclosure of information contained in an exempt record or that would cause the record to be exempt if it contained that information. In light of that requirement, the descriptions I can give of the Department’s arguments in support of its refusal of the request and of the reasons for my decision are somewhat limited in this case.
Secondly, the release of a record under the FOI Act is understood, effectively, to be equivalent to its release to the world at large, given that the Act places no restrictions on the uses to which a record released under FOI may be put.
Finally, while the applicant has outlined her reasons for seeking access to the records, it is important to note that section 13(4) of the Act generally requires the FOI body to disregard any reason that the applicant gives for a request in deciding whether to grant or refuse the request.
During the course of the review, the Department provided this Office with submissions, wherein it argued that the records sought are exempt from release under sections 32(1)(1)(a)(i), 32(1)(a)(ii), and 37(1). I propose to consider the applicability of section 32(1)(a)(i) in the first instance as I consider that provision to be of most relevance in this case.
Section 32(1)(a)(i) provides that a request may be refused if access to the record sought could reasonably be expected to prejudice or impair the prevention, detection or investigation of offences, the apprehension or prosecution of offenders or the effectiveness of lawful methods, systems, plans or procedures employed for the purposes of such matters. Where an FOI body relies on section 32(1)(a), it should identify the potential harm to the matters specified in the relevant sub-paragraph that might arise from disclosure and having identified that harm, explain how releasing the particular record could reasonably be expected to cause the harm which it has identified. It must also consider the reasonableness of any expectation that the harm will occur. A mere assertion of an expectation of harm is not sufficient.
In its submission to this Office, the Department said the records at issue in this case were created electronically through its online application process for PUP. It explained that the PUP scheme was approved by Government and introduced in light of the unprecedented impact of the Covid crisis on the labour market. Given the background to the PUP Scheme, claims were processed on the basis of the information submitted by the applicant. When applications were being accepted the application process included the provision, by the applicant, of elements of their Public Service Identity (PSI) dataset. Application processing involved matching this data against PSI data held on the Department’s systems to provide a level of identity assurance. Officer intervention was required where the data did not meet a certain match-threshold. Where the threshold was met, the application was processed.
While processing claims using the applicant’s PPSN the Department became aware of discrepancies and the case was referred to An Garda Síochána in relation to the theft suffered by the Department. It explained that the records hold evidentiary value in an ongoing criminal investigation. It said the investigation remains ongoing, the purpose of which is to identify, apprehend and prosecute a suspect for theft of monies from the Department, for providing fraudulent information to deceive or induce the Department into paying him or her, and the fraudulent obtaining and use of a public service number.
The Department listed a number of offences and corresponding legislation that An Garda Síochána is considering as part of its investigation. It submitted that release of the records essentially means the unconditional release of the records to the world at large. It said that as the records hold evidential value in an ongoing criminal investigation it could conceivably impair and undermine the ongoing criminal investigation which will likely result in a prosecution. The Department explained that the investigating Gardaí have outlined that they consider the records in question to be crucial to the ongoing criminal investigation, the identification of a suspect or suspects and the prosecuting of the criminal case. The Department explained that its’ primary concern was that elements of the records would identify a third- party suspect or suspects in the criminal investigation. It said the release poses the risk to interference with the investigation by parties who could identify the suspect from their data set, by the suspect themselves through evading Garda enquiries, arrest or to fore-arm/forewarn them in relation to evidence before Gardaí complete their investigations.
The Commissioner has previously found that, where an investigation is still ongoing, a prosecution has not commenced and there is a strong possibility that a criminal prosecution will result, the arguments in favour of release of relevant records are weak and remain weak until such time as the investigation has been completed and a prosecution has been concluded or a decision has been taken not to institute a prosecution.
Considering the contents of the records refused and the Department’s submissions, I am satisfied that disclosure of the records could reasonably be expected to prejudice or impair the prevention, detection or investigation of offences or the effectiveness of lawful methods, systems, plans or procedures employed for the purpose of such matters.
However, this is not the end of the matter and I must consider the public interest test. This is not a standard public interest balancing test that can be found in other exemptions within the Act. The balancing test may be carried out only where certain circumstances described in section 32(3) arise. I am satisfied that none of the relevant circumstances arise in this case.
Having carried out a review under section 22(2) of the FOI Act, I hereby affirm the Department’s decision. I find that the Department was justified in refusing access to the records sought under section 32(1)(a)(i) of the Act.
Section 24 of the FOI Act sets out detailed provisions for an appeal to the High Court by a party to a review, or any other person affected by the decision. In summary, such an appeal, normally on a point of law, must be initiated not later than four weeks after notice of the decision was given to the person bringing the appeal.