Mr X and the Department of Social Protection [2015] IEIC 120314 (19 February 2015)


BAILII is celebrating 24 years of free online access to the law! Would you consider making a contribution?

No donation is too small. If every visitor before 31 December gives just £1, it will have a significant impact on BAILII's ability to continue providing free access to the law.
Thank you very much for your support!



BAILII [Home] [Databases] [World Law] [Multidatabase Search] [Help] [Feedback]

Irish Information Commissioner's Decisions


You are here: BAILII >> Databases >> Irish Information Commissioner's Decisions >> Mr X and the Department of Social Protection [2015] IEIC 120314 (19 February 2015)
URL: http://www.bailii.org/ie/cases/IEIC/2015/120314.html
Cite as: [2015] IEIC 120314

[New search] [Help]


Mr X and the Department of Social Protection [2015] IEIC 120314 (19 February 2015)

Mr X and the Department of Social Protection

Whether the Department was justified in refusing to release, from the relevant database (i) the names of certain employers that had applied to participate in the JobBridge scheme, and (ii) details pertaining to all employers as contained in the "Company_ID" field of that database (a field that links employer names to details of the internships offered by them)

Conducted in accordance with section 34(2) of the FOI Act, by Peter Tyndall, Information Commissioner

Background

The applicant made a four-part FOI request to the Department, dated 27 March 2012, including at part 3 a "datadump (export of/copy of) the entirety of the JobBridge database, since the inception of that database. This should include all relevant fields, including the name and contact details for the applying companies seeking trainees under the National Internship Scheme."

The Department initially refused to release any information relating to part 3. Further to the applicant having narrowed the scope of part 3 of his request, the Department partially released three spreadsheets (one containing details about the employers, and the other two containing details of the internships they offered) to him on 29 June 2012. I will describe only those details withheld from the spreadsheets that ultimately were the basis of this application to my Office.

(i) Details Pertaining to "Closed Vacancy" Employers

As I understand it, an employer choosing to participate in JobBridge is asked "Would you like the details of your company NOT to be shown for this vacancy (a so-called closed vacancy)". The employer must choose one of two options: "closed" or "open". I will refer in the remainder of this decision to those who selected the "closed" option as "closed vacancy employers", and to those who selected the "open" option as "open vacancy employers".

Although it is not entirely clear from its decision on part 3 of the request, it seems that the Department considered it appropriate to release under FOI the names of the open vacancy employers and certain details concerning the internships they had offered. However, it took the position that it must treat as confidential, and therefore withhold, all details pertaining to closed vacancy employers. Thus, the spreadsheets released to the applicant on 29 June 2012 purported to withhold the names of (and, although not covered by the scope of this review, the details of internships offered by) the closed vacancy employers.

(ii) Details Contained in the "COMPANY_ID" field

Although the Department released the names of, and certain details concerning, open vacancy employers, it appears that the relevant database lacked the functionality to allow the Department to release the names of those employers linked to the various details of the internships they offered. As I understand it, the only way that the details could be released in such a "matched" format was if the Department also released the contents of the field that links such details on the database i.e the "COMPANY_ID" field. This is, I understand, an internal Departmental code number assigned to employers. The spreadsheets released to the applicant on 29 June 2012 purported to withhold the contents of the database's "COMPANY_ID" field as it pertained to both closed and open vacancy employers.

At the request of the applicant on 2 August 2012, the Department conducted an internal review and issued its decision on 20 August 2012, wherein it refused access to the "COMPANY ID's" for all companies and to details of those companies "who wished their details to remain anonymous". On 28 November 2012, the applicant sought a review by this Office of the Department's decision. While he referred to its refusal "to release all data contained in the 'JobBridge' database", he commented specifically on the refusal of "the names of the companies seeking JobBridge interns" and on the refusal of the details in the "Company_ID" field. The applicant is aware that I have confined my review, accordingly, to the Department's refusal of (i) the names of companies who expressly requested that their details would not be displayed on the JobBridge website, and (ii) the various contents of the "COMPANY_ID" field.

Developments During the Course of the Review

Names of Closed Vacancy Employers
During the course of the review, it became clear that the Department whether had inadvertently released the names and certain job details of all closed vacancy employers. However, such release was done under the FOI Act. In light of this fact, I have concluded that there is no need for me to consider whether those names are exempt from release under some or all of the provisions of the FOI Act relied on by the Department or if the public interest requires their disclosure, notwithstanding the applicant's request that I would do so. However, later in the decision, I set out some general observations arising from the Department's approach in this case which might provide some guidance for decision makers considering whether information of this type qualifies for exemption.

"COMPANY_ID" Field
During the course of the review, the Department confirmed that it is now possible for it to match the details of an employer to the details of the internship they offered, without the need to release the associated Company ID field. This is because of improvements made to the database since the applicant made his request. I welcome the Department's offer to provide the applicant with names of the open vacancy employers, matched to the details that it previously released concerning the internships offered by those employers. As the applicant indicated that he is willing to accept a solution whereby the Department provides him the data "in such a format that this linking is possible without providing the "COMPANY_ID" field", I consider this aspect of the review to have been settled, and that there is no need for me to make any direction in relation to the content of the "COMPANY_ID" field insofar as it relates to open vacancy employers. I expect that the Department will now provide the applicant with the necessary "matched" information if it has not already done so.

However, the Department is not willing to carry out the same exercise in respect of the closed vacancy employers' details that have also been released under FOI. Accordingly, my review must consider whether or not the Department is justified in refusing to release the details in the "Company_ID field" of the database, insofar as such details relate to "closed vacancy" companies whose details were contained on that database on the date of receipt of the applicant's request.

In carrying out my review, I have had regard to a copy of the redacted spreadsheets as released to the applicant together with a copy of those spreadsheets in their unredacted form, which were provided to this Office for the purposes of this review; to correspondence between the Department and the applicant as set out above; to contacts between Ms Lyons and the Department; and to contacts between Ms Lyons and the applicant. I have had regard also to the provisions of the FOI Act. In the interests of clarity, I should point out that this review was carried out under the provisions of the FOI Acts 1997-2003, notwithstanding the fact that the FOI Act 2014 has now been enacted. The transitional provisions in section 55 of the 2014 Act provide that any action commenced under the 1997 Act but not completed before the commencement of the 2014 Act shall continue to be performed and shall be completed as if the 1997 Act had not been repealed.

Scope of the Review

Having regard to the developments described above, this review is confined to the issue of whether the Department has justified its refusal of access to those details of closed vacancy companies, as contained in the "COMPANY_ID" field of the JobBridge database, at the date of receipt of the applicant's FOI request.

Findings

It is relevant to note that section 34(12)(b) of the FOI Act provides that a decision to refuse to grant a request under section 7 shall be presumed not to have been justified unless the head of the relevant public body shows to my satisfaction that its decision was justified.

Contents of the "COMPANY_ID" Field

Replacement With "Dummy Codes"
To avoid the need for the Department to release the various contents of the "COMPANY_ID" field, the applicant has suggested that the Department should replace the code numbers concerned with other "dummy" numbers that would still preserve the link between the company details and the internship details. It appears to me that what the applicant is suggesting would require the creation of a new record. While I do not consider that a public body is creating records where it is possible for it to extract relevant information that is already contained on a computer system or database, the FOI Act does not require public bodies to create new records in order to fulfil an FOI request. Thus, I cannot direct a public body to take the step that the applicant has suggested, if it is not offering to do so. For that matter, the FOI Act does not require that public bodies replace actual names that are redacted from hard copy records with designations such as "Name 1", "Name 2", etc. which the applicant has suggested would be good practice nor do I consider that I have jurisdiction to direct a public body to take such a step.

The Department's Arguments
In its initial dealings with the applicant, the Department said that it considered details that participating employers had "specifically declare[d]" to be anonymous to be "of a personal nature". Its original and internal review decisions refused access to the relevant details on the basis that they comprised "private and sensitive" and/or "commercially sensitive" information. In the course of this review, the Department argued that section 21(1)(b) of the FOI Act is applicable to the details in the "COMPANY_ID" field on the basis that such release "would significantly adversely impact upon the work of the Department and is likely to have a significant adverse impact upon the operation of the Scheme". It also considered that such release "would have a similarly significant impact upon the work of other Agencies and the operation of other Schemes using the Job Bank".

Section 21(1)(b) is a discretionary provision that may be applied to a record where the head of the public body is of the view that release "could reasonably be expected to -
(b) have a significant, adverse effect on the performance by a public body of any of its functions relating to management..." Section 21(2) provides that the exemption does not apply where the public interest would, on balance, be better served by granting rather than by refusing the request.

In summary, the Department maintains that this provision is applicable because release of the details at issue would impact on the "proper management of the Scheme". In this regard, it said that the codes are "unique identifiers [for participating employers] in their dealings with the Department's National Contact Centre (NCC)". It argued that release of such details, "especially when taken together with other Company information that has already been released ...", would enable fraudulent access to, and alteration of, all records currently held in the database, including information held by other Agencies, and could lead to identity profiles being compiled on individuals or companies.

The Department has described the details it seeks, from employers contacting the NCC, to verify that they are a registered company. However, these details do not include the details in the "COMPANY_ID" field, and the Department has confirmed that these details are not used as a secondary identity check either. Furthermore, the Department has confirmed that it has not released any details pertinent to individual companies that it would use to verify their identities, or "any identifying details that can be used in isolation to gain access to the Company profile".

It seems to me, therefore, that the contents of the field have two uses. The Department has said that employers "can ...if they so wish"" use the detail to identify themselves to the Department (such employers are, it says, mainly those "who have more than one profile on the Jobs Ireland website"). It has also said that the codes are "assigned and used internally by the Department in all cases including those [where certain incomplete details pertinent to an employer's Revenue affairs] are supplied" to ensure that it "can proceed with the application and update at a later time".

At one stage during the review, the Department also argued that, on provision of the details in the "COMPANY_ID" field, one could gain access to user names and passwords, thus "giving unauthorised access to the companies (sic) profile" and enabling access to a "wider range of information relating to the company" such as whether it was compliant with regard to tax or PRSI. However, it appears to me that such concerns have not remained relevant. This is because a later submission from the Department confirmed that, if an employer does not have access to its password, a password will issue "to the registered email address only", "upon provision of the company name, address, telephone number and email address of the contact person. It also confirmed that, due to improvements in IT systems, the "Company ID number no longer allows a access to a wider range of information such as the extent of a company's compliance with Tax or PRSI". That later submission, however, listed various details about an employer that it contended would be possible for a caller to obtain from the Department if a "Company_ID is quoted over the phone".

Finally, the Department also made a number of arguments to the effect that the release of any details that might identify a closed vacancy employer against their wishes could ultimately cause potential participating employers not to take part in the voluntary JobBridge scheme, thus impacting on the "proper functioning of the Scheme" itself.

Analysis

Many of the Department's arguments pertain to its concerns that release of the details in the "COMPANY_ID" field could identify the closed vacancy employers, thus impacting on the number of employers that volunteer to take part in the Scheme and in turn affecting the viability of the Scheme itself. However, as explained above, it is now clear that the Department has disclosed, effectively to the world at large, the fact of the closed vacancy employers' participation in the Scheme by its release to the applicant of the names of the employers concerned. Thus, I do not intend to set out or address the relevant arguments further, other than to say I am not satisfied that section 21(1)(b) applies in this case in respect of the impact of release of the details at issue on the willingness of employers to participate in the JobBridge scheme, such that this would threaten the continued functioning and viability of the JobBridge scheme itself.

I accept that ensuring the integrity of the data in the database is relevant to the proper management of that database, which feeds into the Department's overall management of the JobBridge scheme. Ensuring such integrity is contingent on the Department's ability to confirm the identity of those with whom it is dealing.

The Department has not explained how knowledge of a company's "COMPANY_ID" would enable interference with records pertaining to that company when it seems that said detail is not required as a security check in the first place. However, I accept that the details in the "COMPANY_ID" field can, from time to time, be useful in identifying employers participating (or potentially participating) in the scheme. Thus, release of the details concerned may have some impact on the Department's identification processes. However, the application of section 21(1)(b) cannot be justified where there is only some impact likely to arise from release. As the Department is aware, it must demonstrate to me that it has a reasonable expectation of a significant, adverse effect on the relevant management function, and an assertion that a particular outcome may arise from release is not sufficient for me to find that a public body has met the onus imposed on it by the FOI Act. In the circumstances of this case, I do not accept that the arguments made by the Department are sufficient for me to find that it has justified its refusal of the details at issue under section 21(1)(b), as required by section 34(12)(b) of the FOI Act.

I note that the Department was given several opportunities to justify its refusal of the relevant details. It was referred to my Office's website at www.oic.ie, which contains many decisions setting out this Office's approach to the provisions of the FOI Act. In one of her contacts with the Department, Ms Lyons cited some examples of the "harms" contained in various exemptions, and noted that section 21(1)(b) required a public body to show why release of the requested records could reasonably be expected to have a significant adverse effect on the performance of the particular functions relating to management that would be impacted upon by such release. She emphasised that the requirements of section 34(12)(b) as regards the burden of proof are not met where a public body merely makes assertions as to the possible outcome of release. Furthermore, the Department was given a final opportunity on 9 December 2014 to provide sufficient evidence to support its reliance on section 21(1)(b). Although invited to respond by 6 January 2015, it has not done so.

One would assume that, in the normal course, an internal Departmental identity code may well be something that requires protection under the Act, especially if it is confirmed to be an essential part of the Department's security processes. Accordingly, and also having regard to the length of time since the application was lodged, Ms Lyons gave the Department more opportunities to make the relevant arguments than are generally afforded to public bodies. While I consider it appropriate for her to have done so in the circumstances of this particular case, I wish to make it clear that the FOI Act does not envisage the issue of repeated invitations to public bodies to clarify issues and to attempt to discharge the burden of proof placed on them by section 34(12) of the Act. Indeed, under revised procedures introduced in my Office in respect of more recently lodged cases than this one, public bodies are advised that they should normally make one submission in support of their decision.

As already noted, certain concerns described by the Department at one point in the review seem to be no longer relevant. Further assertions made during the review seem to be contradicted by others. For instance, the Department expressed concerns about how its identification procedures could be circumvented if the details in the "COMPANY_ID" field were combined with other released information. However, it subsequently confirmed that it had not released any details that are used in its usual identification procedures. Neither did it identify any other information it had released that might be used, in conjunction with the relevant "COMPANY_ID" details, by a person purporting to be an employer. Although the Department has listed certain information that it said may be provided to a telephone caller who quotes a "COMPANY_ID", it seems to me that the examples cited, with one exception, are largely details that are of a generally public nature and could be easily enough obtained from sources other than the Department. As for the remaining detail, which concerns a party's Revenue affairs, I note that the Department did not elaborate on why it would ever disclose such information, much less do so over the telephone as opposed to emailing details thereof to the registered email address, as it has confirmed it does with passwords.

In particular, however, I am not satisfied that the arguments before me demonstrate that the "COMPANY_ID" details form a key element of the Department's regular identification process, such that disclosure thereof under FOI could reasonably be expected to have a significant adverse effect on those processes, and in turn the Department's management and safeguarding of the contents of the database. It seems that employers have discretion to use their "COMPANY_ID" for identification purposes, rather than being required to do so by the Department. No details have been given as to how regularly companies decide to exercise that discretion. Neither has the Department explained how revelation of the details in the "COMPANY_ID" field could lead to access to, and alteration of, the contents of the database, or the creation of profiles on employers and/or interns. Furthermore, while it seems that the details in the "COMPANY_ID" field are of use when employers provide "incomplete" Revenue identification details, no explanation was given of how often this scenario arises, such that one could gauge the importance of this code to the Department's ability to process applications accordingly. In short, I have insufficient detail before me to be satisfied that disclosure could reasonably be expected to have a significant adverse effect on the Department's internal processing of applications.

It follows that I am not satisfied that release of the details in the "COMPANY_ID" field could reasonably be expected to have a significant adverse effect on the Department's management of the relevant database or on its ability to ensure the integrity of the details therein. Neither have I a basis on which to accept that such release could reasonably be expected to have a significant adverse effect on the Department's ability to process JobBridge applications generally, such that its ability to administer the operation of the JobBridge scheme itself could be at risk. It thus follows that I have no basis to accept that release of the details at issue could be reasonably expected to have a significant adverse effect on the ability of other agencies to operate other schemes that also rely on the details in the database. In the circumstances of this particular case, I do not consider that the Department has justified to me its refusal of the details at issue in the "COMPANY_ID" field under section 21(1)(b) of the FOI Act.

Other Exemptions
I do not intend to comment on any provisions of the FOI Act that the Department has not explicitly relied on in this case, whether in the original or internal review decisions, or in correspondence with this Office, in relation to the details in the "COMPANY_ID" field. Thus, while the Department's initial contacts with the applicant said it considered those details that participating employers had "specifically declare[d]" to be anonymous to be "of a personal nature", neither its original and internal review decisions, nor its submissions to this Office, sought to argue that the details in the "COMPANY_ID" field were personal information. I have proceeded on the basis that the Department does not maintain that the exemption for personal information (section 28) applies here.

As noted above, the Department's initial and internal review decisions referred to the refusal of the details concerned on the basis that they were "private and sensitive" and/or "commercially sensitive" information. The Department did not cite the provisions of the FOI Act upon which it was relying, which I presume were sections 26 and 27 of the Act. Even if the Department had explicitly relied on these provisions, it remains that it has made no specific argument as to why they are applicable. In particular, it has not explained why it considers that the release of unique identifier codes for employers, which are "assigned and used internally by [the Department]" could, of itself, disclose commercially sensitive information about the companies to which the codes relate or result in a breach of a duty of confidence the Department claims to owe such employers. While the main thrust of the Department's arguments appear to be concerned with protecting material that would identify a closed vacancy employer, such arguments have no merit (if, indeed, they ever did in relation to internal Departmental codes) when the Department has, in fact, released the names of the requested closed vacancy employers to the applicant under the FOI Act.

General Observations on the Withholding of Names of Closed Vacancy Employers
Earlier in this decision I described how the closed vacancy employers' names were released notwithstanding the Department's position that this was not its intention. In the circumstances and having regard to the handling of this request and review by the Department, I wish to comment on the withholding of the names of closed vacancy employers in the context of some of the exemptions set out in the FOI Act.

The Department took the view that the names of the companies were held in confidence (section 26 of the FOI Act refers). It does not appear to be disputed by the Department that the database containing those details was created by staff of a public body. Section 26(2) provides that the details in the database can only be withheld under section 26(1) if the Department owes a duty of confidence to third parties whose details are contained therein (third parties other than public sector employers, or private sector employers who are providing or who have provided a service for a public body under a contract for services, that is). There may well be a reasonable expectation of confidence on the part of the employers that particularly sensitive information imparted by them to the Department should not be released. Furthermore, confidentiality could reasonably be owed to interns whose personal details are presumably on the database - which details, in this case, the applicant has made clear he does not require. However, I do not accept that an indefinite assurance of confidentiality can reasonably be expected by employers in respect of the fact of their participation in the JobBridge scheme or, for that matter, in respect of the details of the internships they sought to fill accordingly. It seems to me that any assurance of confidentiality that might be sought by, or have been given to, an employer, further to their response to the question "Would you like the details of your company NOT to be shown for this vacancy (a so-called closed vacancy)", can only last as long as the recruitment process for the particular post ("this vacancy") itself is in train. While the Department argued that the identities of employers who are recruiting generally are often kept secret, which seems to me to be analogous to the ticking of the relevant box in this case, it did not explain how those employers could, or indeed, do, expect that their identities can be kept confidential indefinitely, much less beyond the point at which the applicant is invited to, or has attended for, interview. Indeed, the interns that are taken on under JobBridge are under no obligation to keep the circumstances of their internship a secret.

The Department has also argued to this Office that the employers receive no payment from the State in relation to their voluntary participation in JobBridge. It seems to me that this approach overlooks the fact that such employers receive an indirect benefit because, in short, the State pays the costs of those interns on placement with them. In such circumstances, I find it difficult to accept that any employer who seeks to participate in the JobBridge scheme can either seek, or be given, everlasting guarantees of confidentiality about the fact of that participation, or indeed about the nature of the internship they offered. This is all the more so when one considers that the FOI regime has been in operation in Ireland for almost 17 years.

Finally, where required to be considered, the public interest arguments for and against release of information concerning participation in and management of a State-funded scheme would need careful consideration and balancing.

Decision

Having carried out a review under section 34(2) of the FOI Act, I hereby annul the Department's refusal of the details in the "COMPANY_ID" field in so far as it pertains to the closed vacancy companies and direct the release of those details.

Right of Appeal

A party to a review, or any other person affected by a decision of the Information Commissioner following a review, may appeal to the High Court on a point of law arising from the decision. Such an appeal must be initiated not later than eight weeks from the date on which notice of the decision was given to the person bringing the appeal.


Peter Tyndall
Information Commissioner

 

 

 

 

 

 

 



The Office of the Information Commissioner (Ireland) ©


BAILII: Copyright Policy | Disclaimers | Privacy Policy | Feedback | Donate to BAILII
URL: http://www.bailii.org/ie/cases/IEIC/2015/120314.html