Case number: 180391

Whether TCD was justified in its decision to refuse access to records relating to its audit committee and risk, on the ground that the records are exempt under sections 29, 30, 32 and 35 of the FOI Act 

 

26 April 2019

 

Background


On 5 July 2018, the applicant made an FOI request for the following: (1) a report referred to in a meeting of TCD's audit committee; (2) the most recent audit function risk register; (3) a further report referred to in a meeting of TCD's audit committee; and (4) a risk assessment referred to in a meeting of TCD's audit committee. TCD issued a decision on 16 August 2018, in which it refused access to the records under sections 29, 30, 32 and 35 of the FOI Act. On 28 August 2018 the applicant applied for an internal review. TCD issued an internal review decision on 17 September 2018, in which it affirmed its original decision. On 22 September 2018 the applicant applied to this Office for a review of TCD's decision. 

In conducting my review, I have had regard to the correspondence between the applicant and TCD as outlined above and to the correspondence between this Office and both parties, as well as the content of the records that were provided to this Office by TCD for the purposes of this review. 

 

Scope of this Review

 

TCD scheduled three records in this case. It explained that item (4) is the same record as item (3). The question for me is whether TCD was justified in refusing access to Records 1, 2 and 3 under sections 29, 30, 32 or 35 of the FOI Act.

 

Preliminary Matters

 

While I am required to give reasons for my decision under section 22(10) of the FOI Act, I am also required to take reasonable precautions to prevent disclosure of information in an exempt record, under section 25. This means that the extent to which I can describe the records at issue is very limited.

 

Analysis and Findings


At the outset, I should note that TCD's submissions on the records overlapped in places, despite the different content of each record. I refer to the most relevant points of its submissions in relation to particular records.

Section 32(1)(a)(i) - Law enforcement and public safety

TCD claims section 32(1)(a)(i) over the records. Section 32(1)(a)(i) is relevant where access to the record could reasonably be expected to prejudice or impair the prevention, detection or investigation of offences; the apprehension or prosecution of offenders; or the effectiveness of lawful methods, systems, plans or procedures employed for the purposes of the matters above. Where an FOI body relies on section 32(1)(a), it should identify the potential harm to the matters specified in the relevant sub-paragraph that might arise from disclosure and having identified that harm, consider the reasonableness of any expectation that the harm will occur. The FOI body should show how or why releasing the particular record could reasonably be expected to cause the harm which it has identified.

Record 1 is a report on an incident concerning petty cash management. This record describes the incident and its background and makes recommendations in relation to cash controls and processing payments. TCD says that while it took immediate remedial steps following the incident, this record contains other recommendations which are also to be implemented and remain under discussion. It says that this record identifies risks in the current processes and that releasing it could expose TCD to further attacks, as it would provide useful information to "bad actors" wishing to exploit its systems. Having regard to the content of the record, I accept that it discloses weaknesses and risks. I also accept that it is reasonable to expect that releasing such information could prejudice the prevention, detection or investigation of offences or effectiveness of lawful methods, systems, plans or procedures employed for the purpose of detecting and preventing offences. I find that section 32(1)(a)(i) applies to Record 1. The public interest test in section 32(3) is limited to certain circumstances specified in paragraphs (a)(i) or (a)(ii). I am satisfied that none of these circumstances apply.

Record 3 is a risk assessment about cyber-security, which TCD's audit committee commissioned. It discloses risk areas identified in TCD's cyber-security and vulnerabilities in this regard. TCD says that these risks have been exploited and could be exploited again and that releasing this record would expose it to cyber-security attacks. Having regard to the content of this record, I accept that it discloses weaknesses and risks and that releasing such information could reasonably be expected to prejudice the prevention, detection or investigation of offences or the effectiveness of lawful methods, systems, plans or procedures employed for this. I find that section 32(1)(a)(i) applies to Record 3. The public interest test in section 32(3) is limited to certain circumstances specified in paragraphs (a)(i) or (a)(ii). I am satisfied that none of these circumstances apply.

I find that TCD was justified in refusing access to Records 1 and 3 under section 32(1)(a)(i) of the FOI Act. In view of this finding, I am not required to consider the other exemptions claimed over these records.

Record 2 is a risk register for TCD's audit committee. It discloses the committee's strategic and operational goals; risks which it has identified for itself; controls in place to address these risks and further actions required. TCD says that the main function of the audit committee is to review significant financial reporting issues and the effectiveness of TCD's internal controls. It says that releasing this record would undermine the committee's functions and that the committee may feel hampered in the extent to which it can identify risks. Although it says that "the method of implementation of such risks remains under consideration" (sic), it does not specify which risks it is referring to. I note that the risks identified list "controls already in place" and in some cases "further actions required" beside them. Unlike Records 1 and 3 discussed above, Record 2 does not detail specific incidents in relation to risks listed or potential offences. Having regard to the content of the record and TCD's submissions, I am not satisfied that it is reasonable to expect that releasing this record could prejudice the prevention, detection or investigation of offences or the effectiveness of lawful methods, systems, plans or procedures employed for this.

I find that section 32(1)(a)(i) does not apply to Record 2 and TCD was not justified in refusing access to it under section 32(1)(a)(i) of the FOI Act. I will go on to consider the other exemptions claimed over Record 2.

 

Section 29 - Deliberations of FOI bodies

 

Section 29(1) of the FOI Act provides that an FOI body may refuse to grant an FOI request if the record contains matter relating to the deliberative process and granting the request would be contrary to the public interest. These are two independent requirements and the fact that the first is met carries no presumption that the second is also met. It is therefore important for public bodies to show to the satisfaction of the Commissioner that both requirements are met. The public interest test contained in this provision differs from the public interest test found in other exemptions under the FOI Act. To avail of this exemption, the public body must be of the opinion that releasing the records would be against the public interest. Other exemptions require the public body to be of the opinion that the public interest would be better served by release. In my view, this exemption tends more strongly towards release of the records. 

As noted above, although TCD says that "the method of implementation of such risks remains under consideration" (sic), it does not specify which risks it is referring to and the risks identified list "controls already in place" and in some cases "further actions required". It is therefore not clear to me what is still under deliberation. Even if deliberative material was identified in Record 2, I would not be satisfied that it would be contrary to the public interest to release this record. TCD says that releasing Record 2 would result in identified risks being in the public domain and serve to undermine the audit committee's functions in the future. However, I do not accept that disclosing the particular information set out in the risk register would hamper the audit committee in identifying future risks. Under FOI, each record must be considered on a case-by-case basis. It does not follow that disclosing the particular material in this register would deter the audit committee from identifying future risks. I find that TCD was not justified in refusing access to Record 2 under section 29 of the FOI Act.

 

Section 30 - Functions and negotiations

 

Section 30(1)(a) allows an FOI body to refuse to grant an FOI request if access to the record could reasonably be expected to prejudice the effectiveness of tests, examinations, investigations, inquiries or audits conducted by or on behalf of an FOI body or the procedures or methods employed for the conduct thereof. Section 30(1)(b) allows an FOI body to refuse to grant an FOI request if access to the record could reasonably be expected to have a significant adverse effect on its functions relating to management. When a public body relies on section 30(1), it should first identify the potential harm and having identified the harm, consider the reasonableness of any expectation that the harm will occur. Section 30(1) is subject to a public interest balancing test in section 30(2). 

TCD's submissions on section 30(1)(a) and (b) are fundamentally similar to its submissions on other exemptions in relation to Record 2. I accept that this record relates to the functions of the audit committee for the purposes of section 30. However, as noted above, I do not accept that disclosing this particular material would hamper the audit committee in fulfilling its functions. I do not see from its content or from the submissions of TCD how releasing it could reasonably be expected to prejudice the effectiveness of the audit committee's work, or have a significant adverse effect on management functions. I find that section 30(1) does not apply to Record 2 and am therefore not required to consider section 30(2). I find that TCD was not justified in refusing access to Record 2 under section 30 of the FOI Act.


Section 35 - Information obtained in confidence

 

During this review, the Investigator invited TCD to make submissions in relation to section 35 of the FOI Act. She specifically invited TCD to address section 35(2). In response, TCD made submissions on sections 29, 30 and 32 but not on section 35. 

Record 2 was prepared by the audit committee of TCD, which is an FOI body. Section 35(2) disapplies section 35(1) in relation to a record which was prepared by an FOI body in the course of its functions unless disclosure of the information concerned would constitute a breach of duty of confidence that is provided for by an agreement or statute or otherwise by law and is owed to a person other than an FOI body or a service provider. As noted above, TCD did not make submissions to this Office on section 35. I am not satisfied as to how section 35 applies to Record 2 and neither has TCD pointed to a duty of confidence which is owed to a person other than an FOI body or service provider. Having regard to the content of Record 2 and TCD's submissions, I have no basis upon which to find that section 35 applies to Record 2. I find that TCD was not justified in refusing access to this record under section 35 of the FOI Act.

 

Decision


Having carried out a review under section 22(2) of the FOI Act, I vary TCD's decision as follows. I affirm its decision to refuse access to Records 1 and 3, under section 32 of the FOI Act. I annul its decision to refuse access to Record 2 and direct its release.

Right of Appeal

Section 24 of the FOI Act sets out detailed provisions for an appeal to the High Court by a party to a review, or any other person affected by the decision. In summary, such an appeal, normally on a point of law, must be initiated by the applicant not later than eight weeks after notice of the decision was given, and by any other party not later than four weeks after notice of the decision was given.

 

                                     
Elizabeth Dolan
Senior Investigator