Decision 205/2010 | Scottish Information Commissioner

Home Decisions

Decision 205/2010

Decision 205/2010 Mr Ian Benson and the University of the West of Scotland

Staff email addresses

Reference No: 201001269
Decision Date: 8 December 2010

Summary

Mr Benson asked the University of the West of Scotland (the University) to provide a list of the workplace email addresses for all staff.

The University refused Mr Benson's request.It advised that the information as requested was exempt from disclosure under section 30(c) (Prejudice to effective conduct of public affairs) and 38(1)(b) (Personal information) of the Freedom of Information (Scotland) Act 2002 (FOISA).This decision was upheld after review.When requesting a review, Mr Benson asked the University to consider providing him instead with the email addresses of all staff named on its website.The University advised that compliance with this request would incur costs in excess of the ?600 limit imposed by the Freedom of Information (Fees for Required Disclosure) (Scotland) Regulations 2004 (the Fees Regulations).It also considered the information to be exempt under section 25(1) of FOISA.Mr Benson remained dissatisfied and applied to the Commissioner for a decision.

After investigation, the Commissioner found that the exemption in section 25(1) should be upheld in relation to information available on the University website, while the remaining information was exempt from disclosure under section 38(1)(b) of FOISA.The Commissioner did not require the University to take any action.

Relevant statutory provisions and other sources

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1) and (2)(e)(ii) (Effect of exemptions); 25(1) (Information otherwise accessible); 38(1)(b), (2)(a)(i), (2)(b) and (5) (definitions of "data protection principles", "data subject" and "personal data") (Personal information)

Data Protection Act 1998 (the DPA) section 1(1) (Basic interpretative provisions) (definition of "personal data"); Schedule 1 (The data protection principles) (the first data protection principle); Schedule 2 (Conditions relevant for purposes of the first principle: processing of any personal data) (condition 6)

The full text of each of the statutory provisions cited above is reproduced in the Appendix to this decision. The Appendix forms part of this decision.

Background

1.On 26 April 2010, Mr Benson wrote to the University to request the following information:

"A list of the workplace e-mail addresses for all staff.By workplace I am referring to corporate e-mail addresses ending in .ac.uk.By staff I am referring to all individuals employed by your institution.Please note that I do not require any segmentation of the list or any associated details."

2.The University responded to Mr Benson's request on 24 May 2010.It withheld the information he had asked for under section 30(c) (Prejudice to effective conduct of public affairs) and section 38(1)(b) (Personal information) of FOISA.In relation to section 30(c), it took the view that a list of all staff email addresses could be used to bombard its system with emails, hindering the University from conducting its affairs and also impinging on user security.In relation to section 38(1)(b), the University advised that it did not publish its Staff Directory on its website and did not have the permission of all staff to release the information requested.It considered that disclosure would contravene the first data protection principle.

3.Mr Benson requested a review of the University's response on 24 May 2010.He stated that he understood the desire to protect the University from cyber attacks, but pointed out that its website already listed several hundred email addresses, which he believed would be sufficient for anyone minded to carry out such an attack: he suggested it was the University's responsibility to have appropriate systems in place to deal with this.He asked the University to consider a "compromise" arrangement, releasing a list of the email addresses for all staff whose names and/or email addresses were already publicly available on the website.

4.The University issued its review response on 17 June 2010.It upheld the decision to withhold the information under both section 30(c) and section 38(1)(b) of FOISA, noting that Mr Benson had not challenged the application of section 38(1)(b) in his request for review.In relation to the proposed compromise arrangement, the University advised that it did not have software which would harvest the information from its website, while to extract the data manually would incur costs over the limit prescribed for the purposes of section 12(1) of FOISA (?600).

5.The University cited section 25 of FOISA in relation to the information available on its website, but also provided a list of the key web pages containing staff contact information.It advised that the format used for staff email addresses meant that it was easy to compile the email address for any member of staff who had consented to their name being published on the website.

6.Mr Benson remained dissatisfied with the University's response and applied for a decision from the Commissioner, in terms of section 47(1) of FOISA, on 17 June 2010. He did not accept that any of the exemptions cited by the University were applicable in relation to the information he had requested, and disputed whether it would cost in excess of ?600 to collate a list of the email addresses already published on the University website.

7.The application was validated by establishing that Mr Benson had made a request for information to a Scottish public authority and had applied for a decision from the Commissioner only after asking the authority to review its response to that request.The case was then allocated to an investigating officer.

Investigation

8.On 5 July 2010, the University was notified in writing that an application had been received from Mr Benson and was invited to provide comments on his application, as required by section 49(3)(a) of FOISA.

9.In his application for a decision, Mr Benson had provided the Commissioner with information about the extent and effects of the keyboard strain from which he suffers, and argued that the resulting limitations on the amount of time he could spend using a keyboard meant that the information was not reasonably accessibly to him as the applicant (as required in order for the exemption in section 25(1) of FOISA to apply).The University was invited to provide further comments about the use of the exemption in section 25(1) of FOISA, in light of Mr Benson's statement about his disability.

10.The University was also asked to clarify whether it wished to refuse Mr Benson's request on the grounds of excessive costs (section 12 of FOISA), and whether it would be possible to produce a complete list of staff email addresses (i.e. both published and unpublished addresses) without incurring costs over ?600.

11.Finally, the University was asked to provide details of any guidance given to staff in relation to the publication of their email addresses on the University website, in order to help establish what expectations staff might have in this respect.

12.The University responded on 21 July 2010.It provided further arguments and comments in relation to each of the exemptions cited.It advised that a full list of staff emails was held and would cost less than ?600 to provide, and explained why it would cost over ?600 to compile a list of email addresses for those staff named on its website.

13.In a further submission (22 October 2010), the University clarified that in its view the exemption in section 38(1)(b) applied only to personal information not published on its website, and provided additional reasoning in support of its position.

14.The submissions made by both parties, insofar as relevant, are considered in detail in the next part of this Decision Notice.

Commissioner's analysis and findings

15.In coming to a decision on this matter, the Commissioner has considered all of the information withheld and the submissions which have been presented to him and is satisfied that no matter of relevance has been overlooked.

Section 25(1) of FOISA

16.Under section 25(1) of FOISA, information which an applicant can reasonably obtain other than by requesting it under section 1(1) of FOISA is exempt information.The exemption in section 25 is absolute, in that it is not subject to the public interest test set out in section 2(1)(b) of FOISA.

17.In this case, the University did not initially apply the exemption in section 25 as Mr Benson's request was for all staff email addresses, which included some information not already published on the University website.However, after Mr Benson made it clear in his request for review that he would settle for a list of email addresses for staff whose names were published on the website, the University advised Mr Benson that this information was exempt under section 25(1) of FOISA.

18.As the Commissioner has said in his published guidance[1], section 25 has a different focus from other exemptions in FOISA.It is not about withholding information from the public but instead recognises that where information is already available to the applicant, there is no need to provide an alternative right of access through FOISA.

19.The exemption also differs from others in FOISA in requiring that the particular circumstances of the applicant be taken into account in deciding whether the information is already available to them by other means.Information which is reasonably obtainable by one applicant may not be accessible to another.

20.The University directed Mr Benson to 22 web pages listing staff contact information on its website.Some of these pages provide email addresses for the staff listed there; some require the user to click through to another page to obtain the email address; some simply provide names of staff members and advise that email addresses are usually in the format forename.surname@uws.ac.uk.Some pages contain examples of all of the above.

21.In his application to the Commissioner, Mr Benson noted that, because the exemption in section 25 had been applied only at the review stage, he had not had the opportunity to ask the University to take into consideration the fact that he suffers from keyboard strain to a degree which limits the amount of time he can spend using a keyboard each day.Mr Benson estimated that it would take him 10 hours to compile a list of email addresses from the pages listed in the University's review response.He argued that the volume of work required meant that the information was not reasonably accessible to him.He believed the University had an obligation to consider whether information deemed reasonably accessible generally was also reasonably accessible to him as the particular applicant.

22.The University was asked to comment on Mr Benson's arguments.It commented that Mr Benson had not mentioned any disability when he made his request or submitted his request for review.It noted that he had submitted 7 information requests within 3 days, and at no time had asked the University to present data in a particular format because he had a disability.Based on the information provided about Mr Benson's disability, the University did not consider that any adjustment of its position was necessary.

23.Mr Benson has informed the Commissioner that he has now acquired software which enables him to harvest email addresses from websites, and he can now obtain in a matter of minutes a list of the email addresses on the University website.However, the Commissioner accepts that Mr Benson did not have this software at the time he made his request.The Commissioner is also aware that in some cases staff are named on the website without their email address being listed in full, so the software available to Mr Benson would not succeed in capturing the email addresses for all staff named on the website.

24.The Commissioner examined Mr Benson's claim that it would take him around 10 hours to extract the information he required from the University website.The Commissioner believes that email addresses for the majority of staff named on the website could be obtained in a much shorter time.The University has provided details of the key web pages used for staff contact information, on which around 530 staff members are listed.The Commissioner found that it was possible to create a list of 100 email addresses in 20 minutes, by typing forename.surname into a list pre-populated with "@.uws.ac.uk".The Commissioner has concluded that it would be possible to create a list of email addresses for all staff listed on the 22 key contact information web pages in less than 3 hours.He takes the view that this is not an unreasonable amount of time, and that the information in question can therefore be reasonably obtained by Mr Benson other than by requesting it under section 1(1) of FOISA.The exemption in section 25(1) of FOISA was therefore correctly applied in respect of email addresses for staff listed on the 22 key contact pages on the University website.

25.The Commissioner accepts that there may be other staff listed on the University website whose details do not appear on the web pages considered above.Any such information will be more difficult to find, and therefore less likely to be reasonably obtained by the applicant.However, after studying the logs available to users of the email harvesting software, the Commissioner believes that most staff email addresses available on the website are indeed found on the 22 pages identified by the University, while the email addresses picked up on other pages by the harvesting software tend to be corporate email addresses, addresses for individuals who are not staff members, or duplicates of addresses found on the 22 contact pages.

26.The Commissioner understands that Mr Benson's review request for the email addresses of all staff named on the website was intended as a suggested compromise, not a non-negotiable request requiring identification of every single staff member named on the University website without exception. In other words, the Commissioner believes that Mr Benson's approach indicates that he would be satisfied with a list of email addresses for most of the staff named on the University website, even if a few of the published email addresses were missing from that list. Bearing in mind that his decision on the matter is now largely academic, now that Mr Benson has access to software which will help him obtain most of the information he requires, the Commissioner upholds the exemption in section 25(1) in relation to the information available on the University website.

27.Having reached this conclusion in relation to the information available on the University's website, the Commissioner does not find it necessary to consider the University's arguments under section 12(1) of FOISA (Excessive cost of compliance) in relation to that information.

28.The Commissioner will go on to consider whether the email addresses of staff not named on the University website (unpublished information) were correctly withheld under the exemptions cited by the University.

Section 38(1)(b) of FOISA

29.Section 38(1)(b) of FOISA, read in conjunction with section 38(2)(a)(i) or (as appropriate) section 38(2)(b), exempts information if it is personal data and if its disclosure to a member of the public otherwise than under FOISA would contravene any of the data protection principles laid down in Schedule 1 to the DPA.

30.This particular exemption is an absolute exemption, so is not subject to the public interest test laid down by section 2(1)(b) of FOISA.

31.The University argued that staff email addresses were personal data and that disclosure would contravene the first data protection principle, where those addresses (or the names of staff, from which their email addresses could be worked out) were not already published online.The University found that such information was exempt from disclosure under section 38(1)(b) of FOISA.

Is the information personal data?

32.Personal data is defined in section 1(1) of the DPA as data which relate to a living individual who can be identified a) from those data, or b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller (the full definition is set out in the Appendix).

33.In this case, the Commissioner is satisfied that the withheld information relates to living individuals who can be identified from that information, because of the standard format used (and publicised) for University email addresses (forename.surname@uws.ac.uk).He accepts that the email address is the personal data of the member of staff whose name forms part of the address.

34.The Commissioner will therefore consider whether the email addresses not available through the University website can be disclosed, or whether this would contravene one or more of the data protection principles.

Would disclosure contravene the first data protection principle?

35.The University has argued that the release of the information would breach the first data protection principle, which requires that personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless at least one of the conditions in Schedule 2 to the DPA is met and, in the case of sensitive personal data, at least one of the conditions in Schedule 3 to the DPA is also met.The processing under consideration in this case is disclosure into the public domain in response to Mr Benson's information request.The Commissioner has considered the definition of sensitive personal data set out in section 2 of the DPA and is satisfied that the personal data in this case does not fall into any of the relevant categories.It is therefore not necessary to consider the conditions in Schedule 3 in this case.

36.There are three separate aspects to the first data protection principle: (i) fairness, (ii) lawfulness and (iii) the conditions in the schedules.However, these three aspects are interlinked.For example, if there is a specific condition in Schedule 2 which permits the personal data to be disclosed, it is likely that the disclosure will also be fair and lawful.

37.The Commissioner will now go on to consider whether there are any conditions in Schedule 2 to the DPA which would permit the personal data to be disclosed.If any of these conditions can be met, he must then consider whether the disclosure of this personal data would be fair and lawful.

Can any of the conditions in Schedule 2 to the DPA be met?

38.The University has advised that it does not have the consent of the staff involved to release their personal data into the public domain, and that to gain such consent would require disproportionate effort.In the circumstances, condition 1 of Schedule 2, which requires that the data subject has given consent to the processing of the information, cannot be met.

39.Condition 6 of Schedule 2 would appear to be the only condition which would permit disclosure to Mr Benson, if it can be met. Condition 6 allows personal data to be processed if the processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject(s) (the individuals to whom the data relate).

40.There are a number of different tests which must be satisfied before condition 6 can be met.These are:

Does Mr Benson have a legitimate interest in obtaining the personal data?

If yes, is the disclosure necessary to achieve these legitimate aims?In other words, is the disclosure proportionate as a means and fairly balanced as to ends, or could these legitimate aims be achieved by means which interfere less with the privacy of the data subjects?

Even if the processing is necessary for Mr Benson's legitimate purposes, would the disclosure nevertheless cause unwarranted prejudice to the rights and freedoms or legitimate interests of the data subjects?There is no presumption in favour of the release of personal data under the general obligation laid down by FOISA.Accordingly, the legitimate interests of Mr Benson must outweigh the rights and freedoms or legitimate interests of the data subjects before condition 6 will permit the personal data to be disclosed.If the two are evenly balanced, the Commissioner must find that the University was correct to refuse to disclose the personal data to Mr Benson.

41.The University has stated that it is not aware that Mr Benson has any legitimate interest in the personal data in question.

42.Mr Benson has explained that he requires the list of staff email addresses in order to inform university staff about his website AcademicFOI.com.The purpose of the website is described as "Investigating UK Universities through Freedom of Information", and university staff are invited to suggest, in confidence, topics for investigation.The website states that forthcoming reports will cover workplace bullying, internet surveillance, public engagement, staff suspensions and public criticism.

43.There is no definition within the DPA of what constitutes a "legitimate interest", but the Commissioner takes the view that the term indicates that matters in which an individual properly has an interest should be distinguished from matters about which he or she is simply inquisitive.In his published guidance on section 38 of FOISA[2], the Commissioner states:

"In some cases, the legitimate interest might be personal to the applicant? e.g. he or she might want the information in order to bring legal proceedings. With most requests, however, there are likely to be wider legitimate interests, such as scrutiny of the actions of public bodies or public safety."

44.The Commissioner finds that Mr Benson's reasons for requiring the email addresses of university staff stem from a desire for additional public scrutiny of the way in which UK universities operate, and as such should be accepted as constituting a legitimate interest in terms of condition 6 of Schedule 2 to the DPA.

45.The Commissioner then considered whether disclosure of the personal data was necessary to achieve Mr Benson's aims.Given the nature of the request, and noting the absence of consent to publication, he could identify no reasonable alternative to disclosure which would meet the legitimate interest he had identified.

46.Having concluded that disclosure was therefore necessary to achieve Mr Benson's legitimate aims (there being no reasonable means of achieving them which interfered less with the privacy of the data subjects), the Commissioner went on to consider whether disclosure would nevertheless cause unwarranted prejudice to the rights and freedoms of the data subjects.

47.The University believed that there was a real and significant possibility of harm and distress being caused to staff through disclosure of their email addresses.It argued that there might be staff who, because of their personal circumstances, did not wish any personal data to be released, but who might not have previously informed the University of this because they were not in a public-facing role (and so did not expect their contact details to be disclosed).The University argued that a mass release of employees' email addresses into the public domain was likely to lead to these addresses being targeted for marketing purposes.The University stated that it had a duty of care to all staff regarding unwarranted intrusion, especially where it might pose a risk to the data subject's emotional well-being.It noted that its own purposes were learning, teaching and research, and could identify no pressing interest in further publication of staff email addresses for any of these.

48.The Commissioner accepts that the data subjects in this case have a reasonable expectation that their personal data will not be processed in the way required to satisfy Mr Benson's request; that is, by its inclusion in a list of email addresses which would lend itself to mass marketing or spam emails.He accepts that staff are likely to expect that the University will publish their contact details only where this is required for the University's purposes of teaching, learning and research, or where the staff member has a public-facing role or occupies a position of some seniority within the University. While this information is personal data relating to their professional rather than their personal lives, the Commissioner finds that the data subjects' expectation of privacy is reasonable in the circumstances.He accepts that some members of staff may have come to rely upon the privacy afforded by the University's usual practices in this area without providing formal notification that they would object to the wider disclosure or publication of their personal data.

49.The Commissioner finds that the data subjects' right to privacy regarding their email addresses outweighs Mr Benson's legitimate interest in obtaining the information.The Commissioner believes that Mr Benson's interests will not be unduly prejudiced if the personal data in question is withheld: he already has access to email addresses for around half of all staff employed by the University, and it is likely that this will provide sufficient access to enable him to advertise his website services widely through the University.

50.The Commissioner therefore finds that none of the conditions in Schedule 2 of the DPA can be met, and that disclosure of the personal data in question would contravene the first data protection principle.Disclosure would consequently be unlawful and, for the reasons given above, unfair.Accordingly, the Commissioner finds that the information was correctly withheld under section 38(1)(b) of FOISA.

51.Having reached this conclusion, the Commissioner does not go on to consider it necessary to go on to consider the arguments put forward in relation to section 30(c) of FOISA.

DECISION

The Commissioner finds that the University of the West of Scotland complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information request made by Mr Benson.

Appeal

Should either Mr Benson or the University wish to appeal against this decision, there is an appeal to the Court of Session on a point of law only.Any such appeal must be made within 42 days after the date of intimation of this decision notice.

Margaret Keyse
Head of Enforcement
8 December 2010

Appendix

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1General entitlement

(1)A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(6)This section is subject to sections 2, 9, 12 and 14.

2Effect of exemptions

(1)To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that ?

(a)the provision does not confer absolute exemption; and

(b)in all the circumstances of the case, the public interest in disclosing the information is not outweighed by that in maintaining the exemption.

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption ?

(e) in subsection (1) of section 38 ?

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied by virtue of subsection (2)(a)(i) or (b) of that section.

25 Information otherwise accessible

(1)Information which the applicant can reasonably obtain other than by requesting it under section 1(1) is exempt information.

38Personal information

(1) Information is exempt information if it constitutes-

(b) personal data and either the condition mentioned in subsection (2) (the "first condition") or that mentioned in subsection (3) (the "second condition") is satisfied;

(2) The first condition is-

(a) in a case where the information falls within any of paragraphs (a) to (d) of the definition of "data" in section 1(1) of the Data Protection Act 1998 (c.29), that the disclosure of the information to a member of the public otherwise than under this Act would contravene-

(i) any of the data protection principles; or

(b) in any other case, that such disclosure would contravene any of the data protection principles if the exemptions in section 33A(1) of that Act (which relate to manual data held) were disregarded.

(5) In this section-

"the data protection principles" means the principles set out in Part I of Schedule 1 to that Act, as read subject to Part II of that Schedule and to section 27(1) of that Act;

"data subject" and "personal data" have the meanings respectively assigned to those terms by section 1(1) of that Act;

Data Protection Act 1998

1Basic interpretative provisions

In this Act, unless the context otherwise requires ?

"personal data" means data which relate to a living individual who can be identified ?

(a)from those data, or

(b)from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;

Schedule 1 ? The data protection principles

Part I ? The principles

1.Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless ?

(a)at least one of the conditions in Schedule 2 is met, and

(b)in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

Schedule 2 ? Conditions relevant for purposes of the first principle: processing of any personal data

1The data subject has given his consent to the processing.

...

6(1)The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

[1] http://www.itspublicknowledge.info/nmsruntime/saveasdialog.aspx?lID=2663&sID=107

[2] http://www.itspublicknowledge.info/nmsruntime/saveasdialog.aspx?lID=3085&sID=133