Mr A and Office of the Revenue Commissioners
From Office of the Information Commissioner (OIC)
Case number: OIC-142103-V4R2S3
Published on
From Office of the Information Commissioner (OIC)
Case number: OIC-142103-V4R2S3
Published on
Whether Revenue was justified in refusing access, under sections 30(1)(a) and 32(1)(a) of the FOI Act, to information relating to the applicant’s records having been accessed
On 1 June 2023, the applicant e-mailed Revenue’s FOI email address and said that he was enquiring about his records “to see if someone requested information from Revenue regarding [his] file and for what reason”. Following exchanges of correspondence between the parties, the applicant submitted a refined request on 11 July 2023 for “information in relation to the accessing of [his] personal records”. He specifically referenced “all of [his] records accessed by the investigation, prosecution and frontier management division (formally investigations and prosecutions division) between the following dates: 1st Oct 2022 – 1st June 2023”. He requested a detailed record of what was accessed, by whom, the legislation it was accessed under, the business reason it was accessed under and if his information was passed to a third party, including on what basis that was carried out.
In a decision dated 20 July 2023, Revenue refused the request under section 15(1)(a) of the FOI Act, which provides for the refusal of a request where the records sought do not exist or cannot be found. The applicant sought an internal review of that decision on the basis that the “IT area” did not appear to have been consulted.
In its internal review decision dated 9 August 2023, Revenue said that as part of its review, it had regard to section 17(4) of the Act which requires an FOI body to extract records or existing information held on electronic devices if reasonable to do so. It said it conducted fresh searches for records on all Revenue systems and files in the Investigation, Prosecution and Frontier Management Division and Information and Communications Technology and Logistics Division, which resulted in the creation of one new record that contained information requested. It said the record was created solely for the purpose of responding to the request. It refused access to the record under sections 30(1)(a) and 32(1)(a) of the Act. It provided details of the basis on which personal information is accessed by Revenue. On 5 September 2023, the applicant applied to this Office for a review of Revenue’s decision.
I have now completed my review in accordance with section 22(2) of the FOI Act. In carrying out my review, I have had regard to the submissions made by the parties. I have also had regard to the contents of the record to which access was refused. I have decided to conclude this review by way of a formal, binding decision.
In his application to this Office for a review of Revenue’s decision, the applicant added that he was seeking a report of what legislation his information was accessed under and if the information was passed to a third party. During the review, the Investigator sought submissions from Revenue and its position is that no such record exists. It said that this part of the request was refused under section 15(1)(a) and it made submissions in respect of the applicability of that provision. The applicant was notified of Revenue’s submissions, following which he confirmed that this matter could be excluded from the scope of the review and that the review could be confined to Revenue’s refusal to release the created record under sections 30(1)(a) and 32(1)(a).
In its submissions to this Office, Revenue said that the record at issue was created in the form of a particular internal report under section 17(4) of the FOI Act specifically for the purposes of responding to the applicant’s request. It said that prior to its creation, the data contained in the record did not exist in any record held by Revenue. It said that as the record did not exist on the day the FOI request was received, Revenue refused the request under section 15(1)(a) of the FOI Act. In its submissions, it said that it had reviewed the original decision and considers that the record was correctly refused under section 15(1)(a) as there was “no requirement under section 17(4) to create a new record”. It said that the record was subsequently created after the request for internal review was received. It said that it “could be argued” that the record is outside the scope of the original request and that section 15(1)(a) applies.
Section 17(4) provides that where a request relates to data contained in more than one record held on an electronic device by the FOI body concerned, the body must take reasonable steps to search for and extract the records to which the request relates, being steps that involve the use of any facility for electronic search or extraction that existed on the date of the request and was ordinarily used by the FOI body. Section 17(4)(b) provides that where reasonable steps to search for and extract records result in the creation of a new record, that record shall be deemed to have been created on the date of receipt of the FOI request. Put simply, if the FOI body can extract electronically held information by taking reasonable steps and in doing so it creates a new record, then that record is deemed to have existed on the date of the request for information and must be considered for release.
I note that in its submissions, Revenue said the record at issue was created in the form of an Internal Control Report specifically for the purpose of responding to the applicant’s FOI request. It said such reports are not normally created other than for internal audit and data security assurance purposes. Regardless of Revenue’s argument that Internal Control Reports are not normally created other than for internal audit and data security assurance purposes, it seems to me that the search and extraction undertaken in this case, (namely the creation of an Internal Control Report), involved the use of a facility for electronic search or extraction that existed on the date of the request and was ordinarily used by the FOI body. Accordingly, I find that the record at issue is deemed to have existed on the date of the request for information and that it falls within the scope of the applicant’s request.
This review is therefore concerned solely with whether Revenue was justified in refusing access to the record at issue under sections 30(1)(a) and 32(1)(a) of the FOI Act.
Although I am obliged to give reasons for my decision, section 25(3) of the FOI Act requires me to take all reasonable precautions in the course of a review to prevent disclosure of information contained in an exempt record. This means that the extent to which I can describe the contents of the records and the details of Revenue’s submissions is limited in this case.
It is also important to note that under section 22(12)(b) of the Act, a decision to refuse to grant a request is presumed not to have been justified unless the FOI body shows to the Commissioner's satisfaction that its decision was justified. This means that the onus is on Revenue to satisfy this Office that its decision to refuse access to the record sought was justified.
The record at issue
In the schedule of records accompanying its internal review decision, Revenue described the record at issue as containing details of staff members who accessed the applicant’s records during the period identified in his FOI request. I do not believe I am in breach of section 25(3) by describing the record as containing the name(s) and divisional details of the staff member(s) who accessed the applicant’s records, the system(s) accessed, and the time(s) and date(s) the information was accessed.
As noted above, Revenue said that the record at issue was created in the form of an Internal Control Report. It said that such reports are not normally created other than for internal audit and data security assurance purposes and that such reports are generated quarterly as a normal part of Revenue’s corporate assurance programme and are in addition to routine management oversight of the use of Revenue systems. It said Revenue uses various information and communication systems internally to perform different business functions and to manage operations. It said access to the data on those systems is restricted to staff with an identified business need. Revenue provided background information in respect of the system, which I do not intend to repeat but which I have considered.
As I have outlined above, Revenue cited sections 30(1)(a) and 32(1)(a) as a basis for refusing access to the record at issue. Section 30(1)(a) is concerned with ensuring that the effectiveness of tests, examinations, investigations, inquiries or audits conducted by or on behalf of an FOI body, or the procedures or methods employed for their conduct, is not prejudiced or impaired. Section 32(1)(a) is concerned with ensuring that, among other things, the prevention, detection or investigation of offences, the apprehension or prosecution of offenders, or the effectiveness of lawful methods, systems, plans or procedures employed for those purposes, is not prejudiced or impaired.
In the particular circumstances of this case and given the similarities between the two exemptions cited, there is understandably a significant overlap in Revenue’s submissions as to why it considers each exemption to apply. I propose to consider the applicability of section 32(1)(a) first having regard to Revenue’s submissions
Section 32(1)(a)
Section 32(1)(a)(i) provides for the refusal of a request where the FOI body considers that access to the record concerned could reasonably be expected to prejudice or impair the prevention, detection or investigation of offences, the apprehension or prosecution of offenders or the effectiveness of lawful methods, systems, plans or procedures employed for the purposes of the matters aforesaid. Section 32(1)(a)(ii) provides for the refusal of a request where the FOI body considers that access to the record concerned could reasonably be expected to prejudice or impair the enforcement of, compliance with or administration of any law.
Where an FOI body relies on section 32(1)(a), it should identify the potential harm in relation to the matters specified in the relevant sub-paragraph that might arise from disclosure. Having identified that harm, it should consider the reasonableness of any expectation that the harm will occur. The FOI body should explain how and why, in its opinion, release of the record could reasonably be expected to give rise to the harm envisaged. A claim for exemption under section 32(1)(a) must be made on its merits and in light of the contents of the particular record concerned and the relevant facts and circumstances of the case.
As I have outlined above, I am required by section 25(3) of the FOI Act to take all reasonable precautions in the course of a review to prevent disclosure of information contained in an exempt record. Accordingly, I am quite limited in the extent to which I can describe Revenue’s submissions.
I believe I am not in breach of section 25(3) by stating that Revenue’s essential argument is that the disclosure of the fact that a particular staff member in a particular functional area has accessed information relating to a specific taxpayer could inadvertently indicate that Revenue has concerns in respect of that individual or his/her activities and the nature of those concerns. It said this such disclosure would harm Revenue’s efforts to confront non-compliance as non-compliant taxpayers would have premature notice of a possible audit/investigation and could take counter-measures to limit the effectiveness of any subsequent investigation. It said this would, in turn, be detrimental to Revenue’s ability to fairly and efficiently collect taxes and duties due to the State and to implement Custom controls to protect citizens. It said that access to taxpayer information is a core activity in Revenue’s performance of its functions relating to the enforcement of the law.
The applicant made no substantive submissions as to the applicability of the exemptions cited by Revenue as a basis for withholding the record at issue.
I accept that in certain circumstances, revealing the fact that certain identified staff in a particular functional area within Revenue accessed information in respect of a specific taxpayer could disclose to an individual that he/she is under investigation in respect of the particular functions for which the specific functional area has responsibility. It seems to me that it could also indicate that the individual is not under investigation in respect of the specific functions. I also accept that armed with that knowledge, individuals could then engage in conduct to undermine subsequent interventions or to evade Revenue’s attention. For these reasons, it seems to me that the release of such information could reasonably be expected to prejudice or impair Revenue’s ability to prevent, detect, or investigate possible offences and could reasonably be expected to prejudice or impair its enforcement of, compliance with or administration of any law. Having regard to Revenue’s specific submissions in this case and the particular circumstances arising, I am satisfied that sections 32(1)(a)(i) and 32(1)(a)(ii) apply to the record at issue.
Section 32(3)
Many exemptions in the Act are subject to the application of a public interest balancing test. The public interest test in section 32 is limited to certain specified circumstances. Section 32(3) provides that section 32(1)(a) does not apply to a record-
(a) if it—
(i) discloses that an investigation for the purpose of the enforcement of any law, or anything done in the course of such an investigation or for the purposes of the prevention or detection of offences or the apprehension or prosecution of offenders, is not authorised by law or contravenes any law, or
(ii) contains information concerning—
(I) the performance of the functions of an FOI body whose functions include functions relating to the enforcement of law or the ensuring of the safety of the public (including the effectiveness and efficiency of such performance), or
(II) the merits or otherwise or the success or otherwise of any programme, scheme or policy of an FOI body for preventing, detecting or investigating contraventions of the law or the effectiveness or efficiency of the implementation of any such programme, scheme or policy by an FOI body,
and
(b) in the opinion of the head concerned, the public interest would, on balance, be better served by granting than by refusing to grant the request concerned.
Having regard to the contents and nature of the record at issue and to the details of Revenue’s submissions, it is not apparent to me that any of the circumstances outlined in paragraphs (a)(i) or (a)(ii) above apply in this case, nor has any evidence been presented to this Office to suggest that they might.
In conclusion, therefore, I find that Revenue was justified in refusing access, under sections 32(1)(a)(i) and 32(1)(a)(ii), to the record at issue. Given my finding, I do not need to proceed to consider the applicability of section 30(1)(a).
Having carried out a review under section 22(2) of the FOI Act, I hereby affirm Revenue’s decision to refuse access, under sections 32(1)(a)(i) and 32(1)(a)(ii) of the FOI Act, to the record at issue in this case.
Section 24 of the FOI Act sets out detailed provisions for an appeal to the High Court by a party to a review, or any other person affected by the decision. In summary, such an appeal, normally on a point of law, must be initiated not later than four weeks after notice of the decision was given to the person bringing the appeal.
Stephen Rafferty, Senior Investigator