Right to Know CLG and Trinity College Dublin
From Office of the Information Commissioner (OIC)
Case number: OIC-110741-X9R7D6
Published on
BAILII is celebrating 24 years of free online access to the law! Would you consider making a contribution?
No donation is too small. If every visitor before 31 December gives just £1, it will have a significant impact on BAILII's ability to continue providing free access to the law.
Thank you very much for your support!
[Home] [Databases] [World Law] [Multidatabase Search] [Help] [Feedback] | ||
Irish Information Commissioner's Decisions |
||
You are here: BAILII >> Databases >> Irish Information Commissioner's Decisions >> Right to Know CLG and Trinity College Dublin [2024] IEIC 110741 (26 March 2024) URL: http://www.bailii.org/ie/cases/IEIC/2024/110741.html Cite as: [2024] IEIC 110741 |
[New search] [Help]
From Office of the Information Commissioner (OIC)
Case number: OIC-110741-X9R7D6
Published on
Whether TCD was justified in refusing access to reports of all internal audits completed in 2019 and 2020
26 March 2024
In a request to TCD dated 4 May 2021, the applicant sought access to copies of reports of all internal audits completed in 2019 and 2020. TCD's decision dated 29 June 2021 granted partial access to record 3 and withheld 12 others in full. It relied on combinations of sections 29(1) (deliberative processes), 30(1)(a) (audits of an FOI body), 32(1)(a)(i) (prevention of offences) and 36(1)(b) (commercial sensitivity) of the FOI Act.
The applicant sought an internal review on 29 June 2021. TCD's internal review decision of 20 July 2021 affirmed its decision on the request. On 23 July 2021, the applicant applied to this Office for a review of TCD's decision.
I wish to apologise to all parties involved for the delay in finalising this matter. I have now completed my review in accordance with section 22(2) of the FOI Act and I have decided to conclude it by way of a formal, binding decision. In carrying out my review, I have had regard to the above exchanges and correspondence between this Office, TCD and the applicant, as well as contents of the records at issue and the provisions of the FOI Act.
The scope of this review is confined to whether TCD's decision on the request was justified under the provisions of the FOI Act.
The applicant says that TCD's position on the harms that would arise from release of any details in the reports is contradicted by its publication of minutes of audit committee meetings without any apparent harm arising. This may be an argument that I should direct release of particular excerpts of the records, such as anything that repeats the details contained in the published minutes. However, the Commissioner's position on section 18 of the FOI Act is relevant. Section 18(1) provides, that "if it is practicable to do so", access to an otherwise exempt record shall be granted by preparing a copy, in such form as the head of the public body concerned considers appropriate, of the record with the exempt information removed. Section 18(1) does not apply, however, if the copy provided for thereby would be misleading (section 18(2) refers). The Commissioner takes the view that, generally, neither the definition of a record nor the provisions of section 18 envisage or require the extracting of particular sentences or occasional paragraphs from a withheld record for the purpose of granting access to those particular sentences or paragraphs.
Section 25(3) requires this Office to take all reasonable precautions to prevent the disclosure of exempt material in the performance of its functions. I am therefore required to limit the level of detail I can give in describing the withheld records. Equally, I must limit my description of certain parts of TCD's submission regarding why the records are exempt.
Disclosure under FOI is accepted as equivalent to publication to the world at large.
Finally, it is noted that, in The Minister for Communications, Energy and Natural Resources and the Information Commissioner & Ors, [2020] IESC 5 (the eNet judgment), the Supreme Court said that "it is the FOI body that must explain and justify a conclusion that the records are exempt by reference to the relevant provisions of the Act, and equally, it is the FOI body that must explain why the public interest does not justify release in the public interest."
I also note that, in the Supreme Court case of Sheedy v the Information Commissioner ([2005] 2 I.L.R.M. 374, [2005] 2 IR 272, [2005] IESC 35) Kearns, J. made it clear that a general prediction without any supporting evidence is not sufficient to satisfy the requirement that access to the record could reasonably be expected to result in the outcome envisaged. He stated that "[a] mere assertion of an expectation of [prejudice] could never constitute sufficient evidence in this regard".
However, while FOI bodies must justify their decisions, the eNet judgment in particular also says that a failure by an FOI body to do so does not lead to an inevitable or statutorily mandated outcome. Rather, I must adjudicate the merits of the decision to refuse by reason of an analysis of the records and the interests engaged, which might suggest either disclosure or refusal.
General arguments
The applicant says that sections 30, 32 and 36 have been applied to the reports as a class exemption and that section 32 was never intended to apply to audit reports given their nature and function.
In particular, however, he says that TCD seems to be taking a very isolated position in this case, given that other bodies, including universities, release internal audit reports routinely and in full except for occasional and very specific redactions e.g. regarding active investigations. He says that Right to Know has been publishing such reports routinely for the last six months and that not one body has claimed an adverse effect from such publication. He says that this is an important factor to bear in mind in making my decision in this case, particularly with regard to how reasonable are TCD's expectations of harm. He says that such release/publication has led to significant public interest disclosures and to one body committing to including internal audits within its publication scheme. He says that a negative decision in this case would be a retrograde step in that it could encourage other bodies to withhold audit reports. He says that audit reports should be released as a matter of course by FOI bodies without recourse to FOI.
TCD agrees that other bodies have released audit reports and that there is no blanket exemption for such records. However, it says the corollary is that there is no presumption that audit reports as a class will be released. It also refers to this Office's finding in Case No 180391 that section 32(1)(a)(i) of the FOI Act applied to certain audit reports in the circumstances of that case.
It would not be appropriate for me to find that the records are or are not exempt under the provisions relied on in this case because of their type or function. Neither is it appropriate for me to direct release just because other bodies have released similar records. It has always been this Office's position that each case is treated on its own merits and that decisions are made having regard to the content of the record(s) and the arguments made regarding why they are exempt. The eNet judgment also makes it clear that decisions to order release must not arise from the application of a general policy.
I have already set out the applicant's view that TCD's refusal of the records in full is contradicted by its publication of minutes of audit committee meetings without any apparent harm arising. I also note that he says, in the context of public interest arguments, that the published minutes are frequently extremely vague and do not compare to the detail in audit reports released by other bodies. The publication of a general comment about or summary of a particular issue does not, of itself, mean that more detailed information about the issue cannot be exempt under the FOI Act. Furthermore, and although the applicant does not specifically make such a suggestion, it would not be appropriate for me to direct release by comparing the detail or apparent sensitivity of the records to those published by other FOI bodies or third level institutions.
Finally, I note the applicant's position regarding how audit reports should generally be made available by all FOI bodies. However, it is not part of my role to direct bodies to make audit reports available, whether under the Act's publication scheme or outside of FOI.
Section 29(1) - deliberative processes
Section 29(1) is a discretionary exemption. In brief, section 29(1) provides that an FOI request may be refused if (a) it contains matter relating to the deliberative processes of an FOI body (including opinions, advice, recommendations, and the results of consultations), and (b) the granting of the request would, in the opinion of the head of the FOI body, be contrary to the public interest. However, section 29(1) does not apply in so far as the record(s) contain any of the information or matter referred to in section 29(2). In particular, section 29(2)(d) provides that section 29(1) does not apply to a report of an investigation or analysis of the performance, efficiency or effectiveness of an FOI body in relation to the functions generally or a particular function of the body.
The applicant says that section 29(1) cannot apply because of the provisions of section 29(2)(d). TCD says that the reports set out recommendations to address the vulnerabilities on particular risks and vulnerabilities that arise in relation to events, legislative changes or policy changes, and to oversee structures and processes in place to provide oversight and assurance. It gives examples of reports making recommendations relating to TCD's compliance with various legislation. It says that the audit function is not to just analyse or investigate the performance, efficiency or effectiveness of the functions of TCD, but rather to identify risks, vulnerabilities and controls and provide recommendations on how to minimise risks and vulnerabilities and to improve controls in place.
I accept that a function of audit reports is to make recommendations to address vulnerabilities. Nonetheless, however, I am satisfied that the audit reports comprise analyses of TCD's performance - whether in relation to its compliance with particular legislation and/or other matters - in relation to its functions generally or particular functions. I find that section 29(2)(d) applies and that none of the records are exempt under section 29(1) of the FOI Act.
Section 30(1)(a) - audits of an FOI body
TCD relied on section 30(1)(a) in relation to a number of reports, some of which I will address under the other exemptions also applied to them. As a result, I will deal here with TCD's application of section 30(1)(a) to records 2, 4, 5, 6, 8, 10 and 13.
Record 2 is concerned with TCD's controls relating to the payment of employee expenses. Record 4 assesses the nature and implementation of TCD's oversight processes in relation to related bodies (as defined in the report). Record 5 is concerned with TCD's general management of policies. Record 6 concerns the proposed casual payroll process. Record 8 is concerned with TCD's overall oversight of health and safety matters. Record 10 concerns TCD's business continuity and disaster recovery processes and controls. Record 13 is concerned with controls for managing risks arising from the requirements of various frameworks regarding the management of the public sector pay bill.
Section 30(1)(a) - general
Section 30(1)(a) of the FOI Act provides that a head may refuse to grant an FOI request if access to the record concerned could, in the opinion of the head, reasonably be expected to prejudice the effectiveness of tests, examinations, investigations, inquiries or audits conducted by or on behalf of an FOI body or the procedures or methods employed for the conduct thereof. It is what is known as a harm-based provision. Where an FOI body relies on section 30(1)(a) it should identify the potential harm in relation to the relevant function specified in paragraph (a) that might arise from disclosure and having identified that harm, consider the reasonableness of any expectation that the harm will occur.
The FOI body should explain how and why, in its opinion, release of the record(s) could reasonably be expected to give rise to the harm envisaged. A claim for exemption under section 30(1)(a) must be made on its merits and in light of the contents of each particular record concerned and the relevant facts and circumstances of the case. A claim for exemption pursuant to section 30(1)(a) which is class-based is not sustainable e.g. a claim for exemption for 'any' draft report.
As mentioned earlier, the applicant says that the release of audit reports by other FOI bodies without any apparent resultant harm is relevant to my assessment of how reasonable TCD's expectations of harm are in this case. It is important to note that I do not have to be satisfied that any particular outcome will occur if the records under review are released. The relevant test is not concerned with the question of probabilities or possibilities. It is concerned with whether or not the decision maker's expectation is reasonable. It is sufficient for the FOI body to show that it expects an outcome and that its expectations are justifiable in the sense that there are adequate grounds for the expectations.
Submissions
The applicant refers to this Office's decision regarding section 30 in Case No 030963. The then Commissioner said that, even if relevant records were released, it was reasonable to expect that public servants would fully cooperate with audit enquiries relating to their work areas or functions.
TCD refers generally to this Office's decision in Case No 53257, which concerned audit findings. That decision accepted that there was a reasonable expectation of prejudice to the effectiveness of the relevant body's internal audit process and the methods employed for its conduct if the findings were to be released to the world at large. TCD says the decision accepts that the body had identified potential harms to the effectiveness of its audits and/or to the procedures employed and demonstrated how it expected such harms to concur for the purposes of section 30(1)(a).
TCD says that its staff (and management, units/schools across TCD and third party related bodies as appropriate) may have concerns that information they provide during an audit may be made publicly available. It gives an example of audit reports assigning recommendations to staff titles or areas within TCD. It says that by combining such details with information on the TCD website, relevant staff and their contact details can easily be identified. It says that staff etc. may be more guarded in providing information where they know it may become public and where this information could affect reputations, impact on the competitive position of units to attract students, staff, researchers and third party partnerships and affect TCD's competitive position. TCD's concern is not that staff will not co-operate with audits but that by becoming less open and providing poorer quality information to the auditors, the audit process becomes more difficult and more likely to involve conflict and impact on the management decisions that are taken accordingly.
It says that details in records 2 and 6 could provide staff with information on controls in place and provide them with the means to circumvent such controls.
Finally, even at the time of signing this decision, TCD confirms that a number of recommendations in the various reports have yet to be implemented. TCD also says that actioned recommendations should not be considered historic. It says that audit committee advice and recommendations are provided for the purpose of an ongoing process, rather than for a single discernible decision. It says that recommendations could well or should influence or be implemented in broader future decision making in the relevant units or could be adopted into future plans generally.
Analysis and findings on section 30(1)(a)
I note that the decision in Case No 53257 said the withheld material was "of a very detailed nature both in relation to the specific processes of [the body's] various divisions and the methodology and procedures employed in the audit." Furthermore, the decision did not necessarily accept that each and every one of the harms identified by the body could reasonably be expected to occur.
Although saying that record 10 "goes into detail" about its subject matter, TCD has not explained why it considers the records to contain particularly detailed information about either the specific processes of its units, etc. and/or the methodology and procedures employed in the audits. In any event, even if a record contains considerably or very detailed information, this of itself does not determine that it is exempt under section 30(1)(a). Rather, it is a question of whether access to the information, in the opinion of the head, reasonably be expected to result in the harms set out in the exemption. As set out below, TCD's submission does not explain this.
Generally speaking, I am also of the view that a staff member asked to contribute to a review of his/her area of work would, like any other employee, owe a duty of good faith to their employer that would oblige them to fully cooperate with that review. That said, circumstances may arise where the release of detailed comments made by staff in the course of a sensitive investigation could have an impact on the body's investigative processes and procedures. Similarly, audit findings relative to the actions of a particular staff member may require particular consideration.
However, neither TCD's submission nor any of the relevant records indicate that any of the audits arose from or concerned any special or sensitive circumstances that might, for instance, have needed assurances of confidentiality to be given to staff, management or other parties regarding their input. Neither does TCD refer me to any other particularly relevant or distinguishing factors. In addition, it does not refer me to any findings in the reports that concern the actions of individual staff (nor are any such details evident to me from my examination of the records). In relation to the particular example given, I do not see, nor has it been explained, how disclosing that a person in a particular functional area has been given responsibility for a particular matter affecting that area is something that, of itself, could affect that person's reputation (or the reputation of a unit/school/TCD/other parties) or impact on that person's willingness to cooperate with audits or to carry out their role.
TCD expresses concern about the release of information provided by its management, staff and related bodies or other third parties (as appropriate). I note that, record 4, for instance, is concerned with related bodies. However, it seems to me to be primarily concerned with TCD's processes and interests rather than those of the related bodies. It makes comments relating to some of the related bodies but does not name them. None appear to be identifiable by specific observation and TCD's submission does not explain how this might be possible. It refers to certain material provided by related bodies to TCD but in the context of a process separate to internal audits. I should say that I note a general and passing reference to two named subsidiaries; however, the report does not comment further on these. Stakeholders may have been consulted during the relevant audit, such as in relation to record 5. Record 8 refers to discussions with at least one staff member. However, neither these nor any of the other records appear to contain any detailed input from TCD staff or related bodies or other third parties/stakeholders. Furthermore, TCD does not refer me to or give examples of specific such comments or input (other than, as noted above, saying generally that record 10 "goes into detail" about its subject matter).
I accept that the reports contain TCD management responses to specific matters raised. However, any entity's management is generally accountable for any organisational decisions made and/or actions taken (or the contrary). Therefore, one would generally expect management to respond to audit findings in a way that best presents the organisation's perspective on the matter and either undertake to carry out the recommended remedial action or explain why it is not considered necessary. TCD has not referred me to any special circumstances in which the relevant management comments were made. Furthermore, the management responses in these records seem to me to be quite general; although I note that those in record 8 are more detailed than in the others. However, TCD has not explained why it believes that the release of any of the management comments could cause such parties to provide more limited responses in the future that would be less likely to explain their position on the matters raised, or to become less likely to act in the organisation's best interests.
Finally, I note TCD's position on the continuing nature of the recommendations. However, it does not explain how disclosure to the world at large, of either actioned, pending or continuing recommendations, could reasonably be expected to prejudice the effectiveness of its audits or the procedures etc. employed for their conduct. Similarly, it has not explained, nor is it apparent to me from the records, how the release of details of controls regarding the payment of expenses or the casual payroll process could reasonably be expected to prejudice the effectiveness of its audits or the procedures etc. employed for their conduct.
Having regard to all of these matters, I have no basis to accept that section 30(1)(a) applies to the records set out above.
Section 30(1)(b) - functions relating to management
TCD did not claim section 30(1)(b) in relation to any of the records but I have considered its relevance in light of certain arguments made regarding other exemptions. Section 30(1)(b) provides that a head may refuse to grant an FOI request if access to the record concerned could, in the opinion of the head, reasonably be expected to have a significant, adverse effect on the performance by an FOI body of any of its functions relating to management (including industrial relations and management of its staff.
When relying on this provision, the FOI body should identify the function relating to management concerned and identify the significant adverse effect on the performance of that function which is envisaged. It should explain how and why, in its opinion, release of the record(s) could reasonably be expected to give rise to the harm envisaged. The FOI body should also consider the reasonableness of the expectation that the harm will occur. The claim for exemption must be made on its merits and in light of the contents of each particular record concerned and the relevant facts and circumstances of the case. Again, a claim for exemption that is class-based is not sustainable. It is important to note that significant adverse effect requires stronger evidence than the prejudice standard of section 30(1)(a).
TCD says that the release of recommendations yet to be actioned, as contained in a number of records, could affect the consideration being given to how it (and where relevant, third parties) might best implement those recommendations. As already outlined, it also says that actioned recommendations should not be considered historic and in relation to a single discernible decision, but rather as having been provided for the purpose of an ongoing process and to influence future decision making or for possible adoption into future plans.
However, TCD does not explain how disclosure of yet to be actioned recommendations could affect any consideration being given as to how best to implement those recommendations. Neither does it refer me to any specific details that it considers sensitive in this particular context. Furthermore, it does not explain how disclosure of either actioned, pending or continuing recommendations could affect its ability to ensure their implementation in future, whether on a continuing basis or otherwise. Having regard to the above, I have no basis to accept that release of the records could reasonably be expected to have a significant, adverse effect on the performance by TCD of any of its functions relating to management and I find that section 30(1)(b) does not apply to any details in the withheld records.
Section 32(1)(a)(i) - prejudice the prevention of offences
TCD relied on section 32(1)(a)(i) in relation to records 2, 5, 6, 8, 10 and 13. Furthermore, although TCD applied section 36(1)(b) to some of the details withheld from record 3 (described earlier), in my view its arguments in this regard are more appropriately considered under section 32(1)(a)(i) of the FOI Act. I note that this was brought to the applicant's attention and that he made no comment.
Section 32(1)(a)(i) provides that a head may refuse to grant an FOI request if access to the record concerned could, in the opinion of the head, reasonably be expected to prejudice or impair the prevention, detection or investigation of offences, the apprehension or prosecution of offenders or the effectiveness of lawful methods, systems, plans or procedures employed for the purposes of the matters aforesaid.
Section 32(1)(a) is a harm based exemption. It applies where access to the record concerned could reasonably be expected to prejudice or impair the various matters specified in the sub-paragraphs of the provision. Where an FOI body relies on section 32(1)(a), it should identify the potential harm to the matters specified in the relevant sub-paragraph that might arise from disclosure and, having identified that harm, consider the reasonableness of any expectation that the harm will occur. In doing this, the FOI body should show how or why releasing the particular record could reasonably be expected to cause the harm which it has identified. This is an important issue for the FOI body to address and its submission to the Commissioner should explain this.
Submissions
The applicant makes no argument regarding the application of section 32(1)(a)(i) to the specific records. TCD says that records 2 and 6 detail particular weaknesses in its employee expenses control framework and casual payment process that, if disclosed, could be used by employees and others to circumvent its controls and carry out frauds or misappropriate funds. It says that the details withheld from record 3 highlight areas within the College that use petty cash frequently and that release would enable frauds to be targeted on such areas. It says that information on particular risk areas as set out in record 8 could help third parties make fraudulent personal injuries claims against TCD and third parties, in which regard TCD is an open campus and has members of the public passing through daily. It says that record 10 contains information that details weaknesses in its business continuity and disaster recovery plans that could enable third parties to carry out cyber security attacks and other criminal offences. It says that release of the control weaknesses in records 5 and 13 could enable employees, students, contractors and/or third parties to perpetrate offences and prejudice systems etc. employed by TCD to prevent or detect offences but does not add anything further in this regard. As mentioned earlier, not all of the recommendations in the various reports have yet been implemented.
Analysis and findings on section 32(1)(a)(i)
I have no reason to dispute TCD's general position that actioned recommendations may or should have ongoing application. However, it does not explain specifically how the relevant such details could be used by employees and others to carry out frauds, misappropriate funds, impact on procedures to prevent such outcomes, etc. Neither does it explain how the disclosure of those details regarding relevant recommendations yet to be actioned could have such effects.
Record 2 sets out various operational controls regarding the validation/payment of employee expenses, observations on those controls and recommendations (both actioned and not yet actioned) for their improvement. The details withheld from record 3 refer to amounts of petty cash utilised within the College.
Having examined the content of record 2, I do not see how the release of information relating to the actioned recommendations could enable individuals to circumvent its employee expense controls as they now stand, nor has this been explained by TCD. However, it seems to me that the outstanding recommendation (section 3.2) details current weaknesses in the control process. These details are also summarised in the third paragraph under the heading of "Overview". Furthermore, the second sentence in the third paragraph under the heading of "Introduction" describes the ongoing control process for employee expenses. I accept that these details could be informative to and enable individuals to circumvent TCD's controls and make fraudulent expense claims. The details withheld from record 3 (other than what purports to be name of a person responsible for carrying out the recommendations) also seem to me to be recent enough to be indicative and informative for potential thieves.
Two recommendations in record 10 remain outstanding. Having considered the content of the record, I am prepared to accept that disclosure of the second to the fifth paragraphs in section 3 and all of page 9 could be informative to third parties considering whether to target TCD's systems. However, I do not see how disclosure of the remainder of record 10 could be similarly informative, nor does TCD's submission explain this.
Record 6 sets out various operational controls regarding the casual payroll process, observations on those controls and recommendations for their improvement. Detailed observations are set out in an appendix. Having examined the contents of record 6, I do not see how release thereof could enable third parties or employees to circumvent TCD's controls such that they obtain casual pay to which they are not entitled or carry out other related frauds, notwithstanding that all of the recommendations have yet to be acted upon. In saying this, in my view one should distinguish between, for instance, recommendations concerning controls regarding the claiming of expenses from TCD and those concerning controls regarding TCD's own engagement of casual workers. TCD's submission does not do this or as noted above, explain how the harms it envisages could result from release of the specific content at issue.
Record 8, while setting out control weaknesses in respect of TCD's oversight of health and safety matters, does not set out specific areas of the college that have specific health and safety issues or that are non-compliant with legal requirements. I note that all of the recommendations have been actioned. While I also note TCD's general claim about how disclosure of the details in the record could be of use to third parties, TCD does not identify any particular details that could facilitate fraudulent claims if released or explain why such an outcome could arise, nor are such details evident to me.
Record 5 concerns TCD's policy management in general and does not identify or comment on any particular policies. Record 13 concerns TCD's controls for managing risks arising from the requirements of various frameworks relevant to managing the cost of the public sector pay bill. Both contain recommendations yet to be actioned. However, it is not clear to me what kind of offences could be attempted based on the information in records 5 or 13. Neither is it clear to me how release of the details could prejudice the effectiveness of lawful procedures employed by TCD for the purposes of the matters aforesaid. TCD has not explained this in its submission or decisions.
Further to the above, I find that section 32(1)(a)(i) applies to the following on the basis that their release could reasonably be expected to prejudice or impair the prevention of offences and/or the effectiveness of lawful procedures employed by TCD for the purposes of the matters aforesaid:
Section 32(1)(a)(i) requires consideration of the public interest only where one of three conditions is met. I am satisfied that none of the conditions are met in this case.
Section 36(1)(b) - commercially sensitive information
TCD relies on section 36(1)(b) in relation to records 1, 4, 7, 9, 11, 12 and 13.
Section 36(1)(b) - general
Section 36(1)(b) must be applied to certain types of information whose disclosure could reasonably be expected to result in material financial loss or gain to the person to whom the information relates, or could prejudice the competitive position of the person in the conduct of his or her profession or business or otherwise in his or her occupation. The essence of the test in section 36(1)(b) is not the nature of the information but the nature of the harm which might be occasioned by its release.
The harm test in the first part of section 36(1)(b) is that disclosure "could reasonably be expected to result in material loss or gain". This Office takes the view that the test to be applied is not concerned with the question of probabilities or possibilities but with whether the decision maker's expectation is reasonable. The harm test in the second part of section 36(1)(b) is that disclosure of the information "could prejudice the competitive position" of the person in the conduct of their business or profession. The standard of proof to be met here is considerably lower than the "could reasonably be expected" test in the first part of this exemption. However, this Office takes the view that, in invoking "prejudice", the damage which could occur must be specified with a reasonable degree of clarity.
While section 36 enables the protection of third party commercially sensitive information, previous decisions from this Office have accepted that the provision can also be applied to information concerning an FOI body's financial or other interests.
Section 36(2) provides for a number of exceptions to section 36(1), while section 36(3) provides that access to a record to which section 36(1) applies may be granted if the public interest would, on balance, be better served by granting than refusing to grant the request.
Submissions
The applicant says that the harm anticipated under section 36 is described insufficiently and seems highly unlikely. He says the argument that release could damage TCD's rankings and its ability to attract research and international students is an exaggeration.
TCD says, in relation to record 1, that the Trinity Foundation (the Foundation) is a charity, is registered separately to TCD and is not an FOI body or subject to the FOI Act. It says that the audit report contains information on the Foundation's processes and procedures with reputational implications, the disclosure of which could result in a financial loss for the Foundation and reduce its competitive position. It says that record 4 concerns related bodies that are not FOI bodies or subject to the Act and contains certain commercial or financially sensitive information whose disclosure could result in such bodies suffering a material loss which would prejudice their financial position. It does not elaborate further.
In relation to record 7, TCD says that it contains certain commercial or financially sensitive information relating to Trinity Asia Services Limited (TASL, which is not an FOI body, whose disclosure could result in TASL suffering a material financial loss. It gives examples of such information. It says that record 9 contains a huge amount of detail regarding quality compliance within the college that, if released, could affect its reputation and in turn its competitive position. It says that record 11 contains information that could be useful to bidders in future procurement processes, such that its release could impact on TCD's ability to ensure value for money in such matters and result in financial loss.
TCD says that record 12 contains information relating to Trinity Brand Commercial Services Limited (TBCSL), which it says is a subsidiary of the college and not subject to FOI, which if released could impact on TBCSL's reputation and on its competitive position when trying to enter into partnerships with third parties. Finally, it says that record 13 contains financial and commercially sensitive information whose disclosure could cause a material financial loss to the College or prejudice the College's competitive position.
Analysis and findings on section 36(1)(b)
I note that the Foundation is the primary fundraising agency for TCD. Record 1 is concerned with the implementation of the Foundation's action plan. Having considered its contents and TCD's arguments, I am satisfied that it contains information of a relatively recent nature that could prejudice the Foundation's competitive position if disclosed to the world at large at this point in time.
TASL is a company concerned with TCD's collaboration with the Singapore Institute of Technology. I accept that record 7 contains relatively recent financial, reputational and other information relating primarily to the affairs of TASL or to TASL and TCD jointly. I accept that such information may be of interest to TASL's competitors and/or TCD's competitors such that its disclosure now could prejudice the competitive position of the entities concerned.
Insofar as record 9 is concerned, I accept that TCD competes with other colleges in relation to attracting students, lecturers, research studies, etc. It seems to me that the report gives a detailed and recent assessment of TCD's own compliance with quality assurance requirements, which could have reputational impacts if placed in the public domain. I am satisfied that in the circumstances, the release of record 9 could prejudice TCD's competitive position in the conduct of its profession or business or otherwise in its occupation.
Having examined record 11, I accept TCD's position that its contents could be informative to prospective tenderers and could prejudice TCD's competitive position in such matters.
TBCSL is a company concerned with TCD's commercial internationalisation of its brand. I am satisfied that record 12 relates primarily to TBCSL and to a lesser extent TCD and that the details concerned are of a sort that could impact on TBCSL's reputation and in turn prejudice its competitive position and its ability to achieve its business objectives. I note TCD's position that the record also contains legal advice. Although I see no need to consider this separately, the mandatory section 31(1)(a) (legal professional privilege) would be relevant to such information.
I find that section 36(1)(b) applies to records 1, 7, 9, 11 and 12. I should also say that insofar as the reports contain information relating to recommendations that have been acted on, it is not necessarily the case that section 36(1)(b) does not apply to such details in their own right, if assessed on their own. In any event, I do not consider it in keeping with the Commissioner's position on section 18 to direct their release or any excerpts that may otherwise not qualify for exemption under s36(1)(b). it is my view that to do so would be tantamount to a dissection of the records.
However, I am not satisfied that section 36(1)(b) applies to the remaining records. I have already set out my analysis of the contents of record 4. TCD does not identify the particular information in that record which it considers to be sensitive from the perspective of the related bodies, or explain how harm to the related bodies could arise from release of the record.
Similarly, TCD does not identify the information in record 13 that it considers to be of a sort that if disclosed could cause a material financial loss to the college or prejudice its competitive position. It is not apparent to me from a reading of the record what information TCD is referring to, and neither does it explain how harms could arise from disclosure of either some or all of the report.
Section 36(2) - exceptions to section 36(1)
Section 36(2) provides for the release of information to which section 36(1) is found to apply in certain circumstances. I am satisfied that none of the circumstances identified at section 36(2) arise in this case.
Section 36(3) - the public interest
Having found that section 36(1)(b) of the FOI Act applies to certain of the records, I shall now consider section 36(3) of the FOI Act.
In relation to the public interest test contained in section 36(3), I wish to emphasise that in carrying out any review, this Office has regard to the general principles of openness and transparency set out in section 11(3) of the FOI Act. In sum, section 11(3) recognises the need to enhance public scrutiny and accountability of government and public affairs, particularly the activities and decision making of FOI bodies. However, in the eNet judgment, the Supreme Court held that general principles of openness and transparency do not provide a sufficient basis for directing the release of otherwise exempt information in the public interest. Rather, a "sufficiently specific, cogent and fact-based reason" is required "to tip the balance in favour of disclosure".
In general, TCD says that minutes of audit committee meetings are publicly available, which contain details of such meetings and the audit reports considered. It says that it is not in the public interest to cause the harms that could result from disclosure of the detailed reports. It says that the public interest is better served by the Foundation being able to implement the audit recommendations in record 1 and not being subject to a financial or competitive loss due to the report's disclosure. It says that there is a public interest in it being able to put in place good governance and risk management structures in respect of subsidiary companies as set out in record 7. In relation to record 9, TCD says that damage to its reputation and competitive position is not in the public interest as this will impact on its rankings, and on its ability to attract international students and attract research. It says that the public interest in disclosing record 11 does not outweigh the public interest in ensuring that TCD can get value for money and the best possible goods and/or services in procurement processes. It does not make any specific comments regarding the public in release or otherwise of record 12. However, one could argue that the public interest in its disclosure does not outweigh the public interest in ensuring that its competitive position is not prejudiced.
I set out earlier the applicant's view that the published minutes are limited and vague.
It seems to me that release of the various records will enable an assessment of the matters under audit, of the actions of the audit function, and of TCD's responses to the issues so raised. Such release would provide greater insight than do the published minutes of the audit committee meetings. However, I also accept that various harms could arise from their release. Having considered the matter carefully, I am not aware of any public interest factors that might serve to support the public interest in their release that, on balance, outweighs the public interest in withholding them.
Section 37 - personal information
TCD withheld part of record 3 that is titled "[n]ame of person responsible for actions" but did not rely on any particular exemption in relation to these details. As is evident from the other information released from that record, the details relate to the TCD staff member that was designated to update a manual in relation to petty cash on foot of the recommendations in the report. Although the details comprise the person's job title rather than their name, TCD says that their disclosure would nonetheless lead to the relevant person being identified. I will refer to these details as "the identifying information". Furthermore, the other records and parts of records that I have found not to be exempt contain similar information. I will consider TCD's position that the identifying information should not be released under section 37 of the FOI Act.
The applicant says that the point around section 37 is just wrong. He says he has nothing to say other than that the FOI Act does not allow for this except where details may be withheld for security reasons, which is not the case here.
It is not clear if the applicant is disputing TCD's basis for redacting the details or the Investigator's position that I am required to consider section 37 given TCD's argument that the details comprise identifying information. It should be noted that section 37(1) is a mandatory exemption and does not require any assessment of the sensitivity of the information concerned.
Section 37(1), subject to other provisions of section 37, requires the refusal of access to a record containing personal information. Section 2 of the FOI Act includes a list of 14 non-exhaustive examples of what must be considered to be personal information, including (iii), "information relating to the employment or employment history of the individual". However, section 2 of the FOI Act also contains some exclusions to what is personal information where public servants are concerned, which are as follows:
- the name of the individual
- Information relating to the office or position or its functions
- the terms upon and subject to which the individual holds/held that office or occupies/occupied that position or
- anything written or recorded in any form by the individual in the course of and for the purpose of the performance of the functions.
The exclusions to the definition of personal information are quite narrow. They do not deprive public servants of the right to privacy generally. Generally speaking, however, they are intended to prevent FOI bodies from relying on section 37 to refuse to grant access to records created by individual staff members in the course of their work or to details in records that would identify the public servants who dealt with the matters the subject of those records.
I accept that the disclosure of the identifying information would lead to the identification of the individuals concerned i.e. by being coupled with information in the public domain, such as on the TCD website.
The identifying information does not simply reveal that an individual is a member of staff of an FOI body, which is what I consider the first exclusion to be concerned with. The second exclusion seems to me to be concerned with information concerning the general requirements of a public servant's employment by an FOI body, rather than specific tasks that the individual may perform during that employment. I have no reason to consider the third exclusion to apply in this case. Accordingly, I do not consider the identifying information in this case to be covered by the exclusions in section 2. I find that the details are exempt under section 37(1) of the FOI Act.
Section 37(2) - exceptions to section 37(1)
Section 37(2) of the FOI Act sets out certain circumstances in which 37(1) does not apply. I am satisfied that none of the circumstances set out in section 37(2) arise.
Section 37(5)(a) - the public interest
In considering section 37(5), I consider that only section 37(5)(a) is relevant in this case. This section provides that a request that would fall to be refused under section 37(1) may still be granted where, on balance, the public interest that the request should be granted outweighs the public interest that the right to privacy of the individuals to whom the information relates should be upheld.
Both the language of section 37 and the Long Title to the FOI Act recognise a very strong public interest in protecting the right to privacy (which has a Constitutional dimension, as one of the un-enumerated personal rights under the Constitution). Unlike other public interest tests provided for in the FOI Act, there is also a discretionary element to section 37(5)(a), which is a further indication of the very strong public interest in the right to privacy. Privacy rights will therefore be set aside only where the public interest served by granting the request (and breaching those rights) is sufficiently strong to outweigh the public interest in protecting privacy.
The details that TCD released from record 3, and the content of the records that I have found not to be exempt, show the issues and recommendations arising from the relevant audits. Disclosure of the identifying information will provide minimal additional insight in this regard.
I recognise that information concerning a particular task given to a public servant working in a particular functional area is not particularly as sensitive as, for instance, details of that public servant's performance evaluation or other details of their employment history. However, it remains that disclosure of particular work tasks assigned to them will nonetheless result in a minimal breach of their rights to privacy. Having regard to the nature of the information at issue, I am aware of no public interest factors in favour of its release that, on balance, outweigh the rights to privacy of the individuals to whom it relates. I find, therefore, that section 37(5)(a) does not apply.
Having carried out a review under section 22(2) of the FOI Act, I hereby vary TCD's decision. I affirm its refusal to release the following records and parts of records under sections 32(1)(a)(i) and 36(1)(b) of the FOI Act.
I annul TCD's refusal of the remaining records and parts of records and direct that access be granted to these except for identifying details, the refusal of which I affirm under section 37(1) of the FOI Act.
Section 24 of the FOI Act sets out detailed provisions for an appeal to the High Court by a party to a review, or any other person affected by the decision. In summary, such an appeal, normally on a point of law, must be initiated by the applicant not later than eight weeks after notice of the decision was given, and by any other party not later than four weeks after notice of the decision was given.
Deirdre Gallagher, Senior Investigator