Freedom of Information: To Have is to Hold?

October 8, 2011

We’ve all done it – used our personal e-mail account for work purposes –  and Michael Gove and his colleagues at the Department of Education are no different it seems.  According to the Financial Times,[1] the Education Secretary and his advisers have conducted government business via private e-mail accounts, which, following freedom of information requests by the FT, civil servants were then unable to locate.  The paper went on to report that Dominic Cummings, Gove’s special adviser, had said that he would not answer any further e-mails from his Departmental e-mail account.  This was to enable him to avoid using Government resources for Conservative party purposes, according to the DfE. 

Are private e-mails covered by freedom of information?

Significant security, data protection and confidentiality issues may well be in play if work matters or documents are circulated or discussed via personal accounts, but it’s the freedom of information implications that have recently come into the spotlight.  The legal question that had to be answered was whether the requested information was ‘held’ by the public authority (in this case the DfE) for the purposes of the Freedom of Information Act 2000.  Information is held if it is held by the public authority, otherwise than on behalf of another person (s 3(2)(a)), or it is held by another person ‘on behalf’ of the authority (s 3(2)(b)).  According to the Act’s explanatory notes, this includes information held on behalf of the authority in a ‘private repository’.

Gove’s Department claimed that private e-mail accounts were not covered by the FOIA.  The Information Commissioner’s Office begged to differ; according to the FT,[2] a spokesperson for the ICO commented that it was possible for information in private e-mail accounts to fall within the FOIA’s scope, if the information concerned government business.  This view has been confirmed in the ICO’s recent Guidance for the Higher Education Sector.[3] 

Information with both ‘public’ and ‘private’ purposes

In addition, information can be ‘held’ on behalf of the public authority, even though it has an ancillary or even dominant private purpose.  In the case of a special adviser for instance, there will often be considerable overlap between governmental and political activity.  The ICO considered the question of dual purposes in a decision involving the Open University.[4]  A request was made for transcripts of certain seminars conducted by one of the University’s lecturers.  At the time the seminars were conducted, the lecturer was acting in his private capacity (and so, at that time, the University would not have ‘held’ the information).  Subsequently, the lecturer used the transcripts to write an article as part of his research activity for the University.  The University’s policies required researchers to archive data used for research projects.  The ICO concluded that, at this point, the transcripts were held by the University.

Legal and practical issues

A public authority that is unable to retrieve its own information is surely risking both legal censure and reputational damage.  One only needs to look at s 1(1)(a) – the entitlement to be informed whether the public authority holds the information described in the request (the duty to confirm or deny) – to see where problems could begin.  Public record keeping and audit issues may follow. 

To be obliged to search private e-mail and messaging accounts, as well as its own records, also creates a number of practical compliance issues.  How does the authority know that all relevant messages have been searched?  If it suspects that information may be held in a private e-mail account, how far can it go in requiring an employee to disclose the messages?  What should public authorities’ policies be on the use of private e-mail for work purposes?  Giving, say, a conference organiser your private Blackberry e-mail address so that you can receive travel information on the move may be regarded as entirely legitimate and necessary.  However, a public authority might want to consider banning the use of private accounts for conducting correspondence about its business and decisions.  Some of course may balk at a complete ban, particularly as provision of mobile devices for work purposes is not widespread.  Addressing the inevitable record keeping and retrievability issues would then take on an increased significance.

Implications for the Cloud

And what of the wider implications for public authorities considering the use of cloud services?[5]  A provider of remote computing services is likely to be regarded as holding information on behalf of a public authority for the purposes of the FOIA, certainly not an area commonly covered in standard service terms and conditions.

From the public sector perspective, data availability and integrity will be crucial aspects of a cloud service: will the data be both available when it is needed and unchanged from the original?  Standard terms often attempt to push ultimate responsibility for confidentiality and integrity onto the customer.[6]  In addition, the Government’s transparency agenda has already resulted in more proactive release of public sector information, with future plans for the release of datasets in electronic format capable of re-use.[7]  A cloud provider will need to be able to live up to a public authority’s freedom of information commitments.

The contract between a public authority and a provider of cloud services could of course be subject to disclosure, either proactively under the current transparency agenda, or in response to a FOIA request.  But what if a provider uses the public authority’s data, say to create a report: could it be argued that the report is held on behalf of the authority, even though it had a primary private purpose?


Although advances in technology and pressures on time may mean that a public authority’s information moves outside of its physical control, it continues to have duties under the FOIA with respect to this information.  Inevitably, users will adopt new technologies that benefit working practices, whether provided by the employer or not; practical and implementable information policies that keep track of these new technologies can only help to minimise legal and reputational risk. 

Marion Oswald is a Solicitor and is Senior Lecturer at the Centre for Information Rights, Department of Law, University of Winchester:


[1] Gove under scrutiny for official use of private e-mail accounts, Cook C., Financial Times [London, UK] 20 Sep 2011:1

[2] Council lawyers step into Gove e-mails affair, Cook C.,, Sep 21, 2011

[3], Sep2011, p 5, section 2.3

[4] Decision notice FER0289351, 18 Nov 2010

[5] The Government’s procurement process for its cloud strategy is likely to begin at the end of October

[6]Bradshaw S, Millard C, Walden I, Contracts for clouds: comparison and analysis of the terms and conditions of cloud computing services, I.J.L.&I.T. 2011, 19(3), 187-223, 202, para 4.7 and Bradshaw S, Millard C, Walden I, Watching Cloud Contracts Take Shape, Computers & Law, 7-10, 8-9

[7] Protection of Freedoms Bill, clause 98(2)(c)