Decision 207/2010 Mr Ian Benson and the University of Edinburgh

Staff email addresses

Reference No: 201001173
Decision Date: 8 December 2010

Summary

Mr Benson asked the University of Edinburgh (the University) to provide a list of the workplace email addresses for all staff.

The University refused Mr Benson's request, advising that the information could be obtained from its website. After review, it revised this decision and found the information to be exempt from disclosure under section 38(1)(b) (Personal information) of the Freedom of Information (Scotland) Act 2002 (FOISA). Mr Benson remained dissatisfied and applied to the Commissioner for a decision.

The University later cited other exemptions in addition to section 38(1)(b). Following an investigation, the Commissioner found that the information was properly withheld under section 38(1)(b) of FOISA, being personal data the disclosure of which would breach the first data protection principle.

Relevant statutory provisions and other sources

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions); 38(1)(b), (2)(a)(i) and (b) and (5) (definitions of "data protection principles", "data subject" and "personal data") (Personal information)

Data Protection Act 1998 (the DPA) section 1(1) (Basic interpretative provisions) (definition of "personal data"); Schedule 1 (The data protection principles) (the first data protection principle); Schedule 2 (Conditions relevant for purposes of the first principle: processing of any personal data) (condition 6).

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

Background

1. On 26 April 2010, Mr Benson wrote to the University to request the following information:

"A list of the workplace e-mail addresses for all staff. By workplace I am referring to corporate e-mail addresses ending in .ac.uk. By staff I am referring to all individuals employed by your institution. Please note that I do not require any segmentation of the list or any associated details."

2. The University responded to Mr Benson's request on 27 April 2010. It advised him that the information he had asked for was easily accessible on the University website, and provided the address for the main contacts web page (www.ed.ac.uk/contacts).

3. Mr Benson requested a review of the University's response on 28 April 2010. He asked the University to consider whether the exemption in section 25 of FOISA (Information otherwise accessible) was appropriate, given the volume of work required to extract all staff email addresses from the website. He explained that he suffered from keyboard strain, which limited the amount of time each day he could spend using a keyboard, and estimated that it would take him 11 hours to copy the information from the website.

4. Mr Benson also referred to section 11 of FOISA (Means of providing information). He considered that supplying a list of addresses as originally requested was (in terms of section 11(1)) a "reasonably practicable" step for the University to take.

5. Finally, Mr Benson queried whether the data available from the website was complete and up-to-date, and whether it was correct for the University to claim that the information on the website was the information covered by his request.

6. The University issued its review response on 24 May 2010. It advised Mr Benson that the information he had asked for was exempt from disclosure under section 38(1)(b) of FOISA (Personal information). Reasons for this decision were provided. Given the additional information Mr Benson had provided about his circumstances, the University did not seek to uphold the exemption in section 25 of FOISA.

7. The University also accepted that a complete list of all staff email addresses was not available from its website. It explained that there were three sources of email address information within the University, none of which comprised a complete list, and stated that the University did not hold a complete and up-to-date list of all staff email addresses. The University believed it would cost in excess of £600 to create a single list by cross-referencing the existing lists, and noted that the cost of compliance with the request would therefore exceed the limit specified for the purposes of section 12 of FOISA.

8. Mr Benson remained dissatisfied with the University's response and applied for a decision from the Commissioner, in terms of section 47(1) of FOISA, on 8 June 2010.

9. The application was validated by establishing that Mr Benson had made a request for information to a Scottish public authority and had applied for a decision from the Commissioner only after asking the authority to review its response to that request. The case was then allocated to an investigating officer.

Investigation

10. The University was first asked whether it would be prepared to provide a list of the email addresses on its website in order to settle the case. Mr Benson had indicated that he would be prepared to withdraw his application for a decision from the Commissioner if this information were provided. However, the University was unwilling to do so, advising that the list would include email addresses for people who were not members of staff, and explaining that staff had expressed concerns about making their email addresses available in a way which would encourage the sending of spam email (i.e. a list of email addresses).

11. On 1 July 2010, therefore, the University was notified in writing that a valid application had been received from Mr Benson and was invited to provide comments on his application, as required by section 49(3)(a) of FOISA.

12. The University was invited to provide further comments about the application of the exemption in section 38(1)(b) of FOISA, and to provide examples of staff concerns about the disclosure of their email addresses. The University was asked about the mechanism it used to obtain staff consent to making their email address available through the search function on the University website, and to explain how much autonomy staff had over when and how their email address might be disclosed.

13. The University responded on 30 July 2010. Its response was framed in relation to the email addresses available through the University website, as this was the information to which the University understood Mr Benson's application to the Commissioner to refer.

14. The University provided further details of the sources of email address information within the University (as referred to in paragraph 7 above), and explained why this data included many email addresses which did not relate to University staff. It reiterated that the University did not have a comprehensive list of current staff email addresses, and that it believed the cost of editing the existing data to create such a list would be in excess of the £600 limit laid down for the purposes of section 12 of FOISA.

15. The University also provided further information about the autonomy its staff enjoyed over when and how their email addresses were disclosed.

16. At this point, and subsequently during the investigation, the University advised that it was also relying on exemptions in sections 25, 30(c) and 39(1) of FOISA. Mr Benson was invited to comment on the University's application of these in addition to its use of the exemption in section 38(1)(b) of FOISA. Insofar as relevant, the comments supplied by both Mr Benson and the University will be considered in the Commissioner's analysis and findings below.

Commissioner's analysis and findings

17. In coming to a decision on this matter, the Commissioner has considered all of the information withheld and the submissions which have been presented to him and is satisfied that no matter of relevance has been overlooked.

Nature of the information requested

18. Mr Benson asked for "a list of the workplace e-mail addresses for all staff". The University has advised that, while on previous occasions it has complied with requests for email addresses for specified individuals, it considers that Mr Benson's request is different, and different considerations apply.

19. The Commissioner accepts that collective disclosure of staff email addresses may have different implications than the disclosure of email addresses for individuals identified by name or role. It is impossible to consider collective disclosure without taking into account that a list of email addresses may be used to send spam emails, which may cause anything from a minor nuisance to serious disruption of email communication systems. While Mr Benson has outlined the limited use he intends to make of the email address information, the Commissioner must take into consideration that disclosure under FOISA is accepted to be disclosure into the public domain, and the information would therefore (if disclosed) be accessible to other parties.

20. The University has identified three main sources of email address information, none of which it considers to be a complete list of staff email addresses. These are the list of email addresses held by its Human Resources department (the "HR list"); the list on the University email server; and the email addresses published on the University website.

Personal data - section 38(1)(b) of FOISA

21. The University has applied the exemption in section 38(1)(b) of FOISA to all information covered by Mr Benson's request, both published and unpublished.

22. Section 38(1)(b) of FOISA, read in conjunction with section 38(2)(a)(i) or (as appropriate) section 38(2)(b), exempts information if it is personal data and if its disclosure to a member of the public otherwise than under FOISA would contravene any of the data protection principles laid down in Schedule 1 to the DPA. The University has argued that disclosure of the list of email addresses requested by Mr Benson would breach the first data protection principle.

23. This exemption in section 38(1)(b) is an absolute exemption, so is not subject to the public interest test laid down by section 2(1)(b) of FOISA.

Is the information personal data?

24. Personal data is defined in section 1(1) of the DPA as data which relate to a living individual who can be identified a) from those data, or b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller (the full definition is set out in the Appendix).

25. In this case, the Commissioner is satisfied that the withheld information relates to living individuals who can be identified from that information and other information in the possession of the University. He notes that in most cases the staff email addresses consist of a first name or initial and a surname. When combined with the fact that the individual is associated with the University, the Commissioner accepts that this information is capable of identifying the individual concerned, to whom the information relates, and is therefore the personal data of those individuals. Although the remaining email addresses are more anonymous in nature and less easily associated with an identifiable individual, the Commissioner is satisfied that these email addresses relate to specific individuals who are identifiable from their email address taken in conjunction with other data held by the University (the data controller), and the email addresses therefore meet the definition of personal data in the DPA.

26. The Commissioner will consider whether disclosure of the staff email addresses which are personal data would contravene one or more of the data protection principles.

Would disclosure breach the first data protection principle?

27. The University has argued that the release of the information would breach the first data protection principle, which requires that personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless at least one of the conditions in Schedule 2 to the DPA is met and, in the case of sensitive personal data, at least one of the conditions in Schedule 3 to the DPA is also met. The processing under consideration in this case is disclosure of staff email addresses into the public domain in response to Mr Benson's information request. The Commissioner has considered the definition of sensitive personal data set out in section 2 of the DPA and is satisfied that the personal data in this case does not fall into any of the relevant categories. It is therefore not necessary to consider the conditions in Schedule 3 in this case.

28. There are three separate aspects to the first data protection principle: (i) fairness, (ii) lawfulness and (iii) the conditions in the schedules. However, these three aspects are interlinked. For example, if there is a specific condition in Schedule 2 which permits the personal data to be disclosed, it is likely that the disclosure will also be fair and lawful.

29. The Commissioner will now go on to consider whether there are any conditions in Schedule 2 to the DPA which would permit the personal data to be disclosed. If any of these conditions can be met, he must then consider whether the disclosure of this personal data would be fair and lawful.

Can any of the conditions in Schedule 2 to the DPA be met?

30. As noted previously, the University has identified three main sources of staff email address information: the "HR list"; the list on the University email server; and the email addresses available on the University website. In relation to the email addresses found on the University website, the Commissioner understands that this information falls into two categories: email addresses which can be retrieved through the search facility from entries which staff have chosen to create in the online staff directory; and email addresses which are not included in the online staff directory, but which may be published elsewhere on the website.

Condition 1

31. Condition 1 of Schedule 2 applies where the data subject has given consent to the processing of their personal data.

32. The Commissioner accepts that it is not standard practice within the University to routinely obtain staff consent to disclosure, except where this relates to the availability of their email address through the online directory search. The Commissioner will therefore consider condition 1 only in relation to email addresses available through the online directory search.

33. The University has advised that its staff may choose whether to make their email addresses publicly available through the website. In order to gain an entry in the online web directory, staff must actively "opt in" by sending an email to a specified address, and they must state whether they wish their address to be included in the public directory or not. Staff have the option of excluding their directory entry from the website search facility. (The University advised, however, that some departments had moved away from this procedure and were now adding staff to the web directory as a matter of course and without enabling them to opt out: it emphasised, however, that this was not the University's stated practice in this area.)

34. The Commissioner considered whether condition 1 of Schedule 2 might be met in relation to the email addresses available through the online directory. While it could be argued that staff have effectively consented to disclosure of their personal data by opting in to the online web directory and not exercising the option to exclude their entry from the search facility, the University has advised the Commissioner that the web directory includes entries for many (generally junior) staff who do not have "outward facing" roles and who have included their email addresses in the web directory simply to enable internal colleagues to contact them. The University stated that the nature of their roles meant that these staff had no expectation of contact from external sources.

35. The University advised that the website's staff search facility was deliberately designed to prevent large numbers of addresses being collected by senders of spam emails. It was intended to assist the user to locate information about a person already known to be associated with the University, searching by their surname, but did not accept wildcard searches and required a minimum of two letters to be submitted as a search term. It was therefore not possible to retrieve a single list of all email addresses, or lists of email addresses for staff with surnames beginning with "A", "B" and so on. The University argued that even those members of staff whose email addresses were publicly available had an expectation that their addresses would not be disclosed in a way which could lend itself to spam email, but instead expected the University to take reasonable steps to protect them from this.

36. The University provided evidence that some staff had expressed concern at the prospect that their email address would be disclosed within a list of staff email addresses.

37. In these circumstances, the Commissioner accepts that condition 1 of Schedule 2 cannot be met in relation to the email addresses available through the staff search facility on the website. Any consent given by staff in relation to these addresses cannot be regarded as consent to disclosure of the information in the form requested by Mr Benson.

Condition 6

38. The Commissioner finds that condition 6 of Schedule 2 of the DPA would appear to be the only condition which might permit disclosure of staff email addresses from any of the sources identified in paragraph 20 above. Condition 6 allows personal data to be processed if the processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject(s).

39. There are a number of different tests which must be satisfied before condition 6 can be met. These are:

Does Mr Benson have a legitimate interest in obtaining the personal data?

If yes, is the disclosure necessary to achieve these legitimate aims? In other words, is the disclosure proportionate as a means and fairly balanced as to ends, or could these legitimate aims be achieved by means which interfere less with the privacy of the data subjects?

Even if the processing is necessary for Mr Benson's legitimate purposes, would the disclosure nevertheless cause unwarranted prejudice to the rights and freedoms or legitimate interests of the data subjects (i.e. the individual members of staff to whom the data relate)? There is no presumption in favour of the release of personal data under the general obligation laid down by FOISA. Accordingly, the legitimate interests of Mr Benson must outweigh the rights and freedoms or legitimate interests of the data subjects before condition 6 will permit the personal data to be disclosed. If the two are evenly balanced, the Commissioner must find that the University was correct to refuse to disclose the personal data to Mr Benson.

Does the applicant have a legitimate interest?

40. The University questioned whether Mr Benson had any legitimate interest in obtaining the information he requested.

41. Mr Benson has explained that he requires the list of staff email addresses in order to inform university staff about his website AcademicFOI.com. The purpose of the website is described as "Investigating UK Universities through Freedom of Information" and university staff are invited to suggest, in confidence, topics for investigation. The website states that forthcoming reports will cover workplace bullying, internet surveillance, public engagement, staff suspensions and public criticism.

42. There is no definition within the DPA of what constitutes a "legitimate interest", but the Commissioner takes the view that the term indicates that matters in which an individual properly has an interest should be distinguished from matters about which he or she is simply inquisitive. In his published guidance on section 38 of FOISA[1], the Commissioner states:

"In some cases, the legitimate interest might be personal to the applicant - e.g. he or she might want the information in order to bring legal proceedings. With most requests, however, there are likely to be wider legitimate interests, such as scrutiny of the actions of public bodies or public safety."

43. The Commissioner finds that Mr Benson's reasons for requiring the email addresses of university staff stem from a desire for additional public scrutiny of the way in which UK universities operate, and as such should be accepted as constituting a legitimate interest in terms of condition 6 of Schedule 2 to the DPA.

Is disclosure of the information necessary for Mr Benson's legitimate interests?

44. The Commissioner then considered whether disclosure of the personal data was necessary to achieve Mr Benson's aims. The Commissioner asked the University whether it might agree to send an email to all staff, on behalf of Mr Benson, rather than disclose all staff email addresses. The University advised that it could not comply with such a suggestion. It explained that not only did its staff have an expectation that their email addresses would not be given out for marketing purposes, they also had an expectation that the University will not send them this sort of material. The University believed it would be in breach of the DPA if it did so.

45. In the circumstances, the Commissioner can identify no means of meeting Mr Benson's legitimate aims which would interfere less with the privacy of the data subjects, and consequently finds disclosure of the withheld personal data to be necessary for these purposes. Having concluded that disclosure was necessary to achieve Mr Benson's legitimate aims, the Commissioner went on to consider whether disclosure would cause unwarranted prejudice to the rights and freedoms of the data subjects.

The rights and freedoms or legitimate interests of the data subjects

46. The University argued that the withheld information included data relating to individuals who had made an explicit decision that they did not want to put their email address into the public domain. In relation to the list of email addresses held by its Human Resources department (the HR list), the University stated that it had no way of identifying which staff on the HR list had taken this decision, as the list was intended for internal use only and this information had not been collected. In relation to the list of email addresses available through the web site search facility (the Eddir list), the University had a record of the staff who had elected not to put their email address into the public domain, but no knowledge of their reasons for this decision.

47. The University provided information about a number of different situations which it was aware had led individual staff to restrict access to their email addresses.

48. The University considered that disclosure of the email addresses requested by Mr Benson would not comply with its stated policy and practice, and would cause unwarranted prejudice to an individual member of staff's right to exercise autonomy over when and how their email address was disclosed. The University believed that disclosure could leave some individuals exposed to real harm, while the risk of exposure could cause severe anxiety and distress.

49. The Commissioner takes the view that while some staff may have particular reasons why disclosure of their email address would prejudice their rights and freedoms or legitimate interests, all University staff are likely to share certain expectations in relation to disclosure of their email address. They already have some choice in whether their address is available through the University website, and information on the University website, such as guidance for staff who wish to make their email addresses available in a format that is difficult to "harvest"[2], would lead them to expect that the University will take reasonable steps to prevent staff from receiving mass marketing or spam emails.

50. While the email addresses withheld from Mr Benson represent personal data relating to the professional rather than the personal lives of University staff, the Commissioner finds that the data subjects' expectation of privacy is reasonable in the circumstances, and that there is evidence to suggest that the data subjects would suffer unwarranted prejudice to their rights and freedoms or legitimate interests if their email address was made public.

51. The Commissioner finds that the data subjects' rights to privacy regarding their email addresses outweigh Mr Benson's legitimate interest in obtaining the information, and consequently that condition 6 cannot be met in the circumstances. As none of the conditions in Schedule 2 of the DPA can be met, disclosure of the personal data in question would contravene the first data protection principle. Consequently, disclosure would be unlawful and, for the reasons stated above, unfair. Accordingly, the Commissioner finds that the information was correctly withheld under section 38(1)(b) of FOISA.

52. As the exemption in section 38(1)(b) of FOISA has been found to apply, the Commissioner has not gone on to consider the arguments put forward by the University in relation to the other exemptions cited in this case.

DECISION

The Commissioner finds that the University of Edinburgh complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information request made by Mr Benson.

Appeal

Should either Mr Benson or the University of Edinburgh wish to appeal against this decision, there is an appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision notice.

Margaret Keyse
Head of Enforcement
8 December 2010

Appendix

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

...

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption; and

...

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

...

(e) in subsection (1) of section 38 -

...

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied by virtue of subsection (2)(a)(i) or (b) of that section.

38 Personal information

(1) Information is exempt information if it constitutes-

...

(b) personal data and either the condition mentioned in subsection (2) (the "first condition") or that mentioned in subsection (3) (the "second condition") is satisfied;

...

(2) The first condition is-

(a) in a case where the information falls within any of paragraphs (a) to (d) of the definition of "data" in section 1(1) of the Data Protection Act 1998 (c.29), that the disclosure of the information to a member of the public otherwise than under this Act would contravene-

(i) any of the data protection principles; or

...

(b) in any other case, that such disclosure would contravene any of the data protection principles if the exemptions in section 33A(1) of that Act (which relate to manual data held) were disregarded.

...

(5) In this section-

"the data protection principles" means the principles set out in Part I of Schedule 1 to that Act, as read subject to Part II of that Schedule and to section 27(1) of that Act;

"data subject" and "personal data" have the meanings respectively assigned to those terms by section 1(1) of that Act;

...

Data Protection Act 1998

1 Basic interpretative provisions

In this Act, unless the context otherwise requires -

...

"personal data" means data which relate to a living individual who can be identified -

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;

...

Schedule 1 - The data protection principles

Part I - The principles

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless -

(a) at least one of the conditions in Schedule 2 is met, and

(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

...

Schedule 2 - Conditions relevant for purposes of the first principle: processing of any personal data

1 The data subject has given his consent to the processing.

...

6(1) The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

...

[1] http://www.itspublicknowledge.info/nmsruntime/saveasdialog.aspx?lID=3085&sID=133

[2] http://www.inf.ed.ac.uk/systems/web/faq.html#eharvest