Mr Z & The National Treasury Management Agency (NTMA)
From the Office of the Information Commissioner
Case number: OIC-154285-T0K5Z4
Published
Language: No Irish version of this item is available.
Whether the NTMA was justified in refusing access, under sections 32(1)(c) and/or 36(1)(b) of the FOI Act, to a statistical report by a named company in relation to the Prize Bonds draw
26 November 2025
The Prize Bonds Scheme is operated by the Prize Bond Company (PBC) on behalf of the NTMA. The Prize Bond Draw is electronic, and winning numbers are selected using a random number generator. The system generates a random series of numbers in the same format as a Prize Bond number. The number is matched with an active Prize Bond, and this process repeats until all prizes are awarded.
In a request dated 7 October 2024, the applicant submitted a request to the NTMA for access to all reports filed by a named company (Company A) in relation to the Prize Bonds draw. In a decision dated 4 November 2024, the NTMA refused access to the one record it identified as coming within the scope of the request, under sections 32(1)(c), 36(1)(b), and 37(1) of the FOI Act. The applicant sought an internal review of that decision, following which the NTMA affirmed its refusal of the request. On 5 December 2024, the applicant applied to this Office for a review of the NTMA’s decision.
The record at issue is a report dated 30 July 2024 entitled “A Statistical Analysis of Prize Bonds Candidate Numbers”. The report was provided to the NTMA by PBC as part of the NTMA’s ongoing oversight/governance role in relation to Prize Bonds. During the review by this Office, both Company A and PBC were notified of the review and invited to make submissions. Submissions were received from both parties and also from the NTMA. While the applicant was also invited to make a submission, no such submission has been received to date.
I have now completed my review in accordance with section 22(2) of the FOI Act. In carrying out my review, I have had regard to the correspondence between the applicant and the NTMA as outlined above, to the submissions made by the NTMA, PBC, and Company A, and to the contents of the record at issue. I have decided to conclude this review by way of a formal, binding decision.
During the review, the applicant agreed to remove the names of individuals who are or were employees of Company A from the scope of his request. As such, the NTMA’s reliance on section 37(1) of the FOI Act is no longer relevant. Accordingly, this review is concerned solely with whether the NTMA was justified in refusing access to the remainder of the report under sections 32(1)(c) and/or 36(1)(b) of the FOI Act.
Before I address the substantive issues arising, it is important to note that section 22(12)(b) of the FOI Act provides that a decision to refuse to grant a request under section 12 shall be presumed not to have been justified unless the head of the relevant FOI body shows to the Commissioner's satisfaction that its decision was justified. This means that the onus is on the NTMA to satisfy this Office that its decision to refuse access to the record sought, either in whole or in part, was justified. Furthermore, while clarifications may be required in some instances, this does not mean that this Office must, or will, continue to ask an FOI body for sufficient details and arguments until the threshold for an exemption is met. Neither do I believe that I am required to construct arguments to support an FOI body’s broad assertions.
The report at issue is a report prepared by Company A comprising an independent statistical analysis of the Prize Bond numbers generated by PBC’s random number generator, based on an assessment of the results from the Prize Bonds draws from July 2023 to June 2024. According to the report, the objective of the analysis was to detect and report any non-random patterns in the data.
Section 32(1)(c) provides for the refusal of a request if the FOI body considers that access to the record concerned could reasonably be expected to facilitate the commission of an offence. This Office considers that an FOI body relying on section 32(1)(c) should indicate the nature of the relevant offence(s) and show how release of the particular record at issue could make the commission of the offence(s) easier. The question is not whether such an offence will occur, but whether release of the information could reasonably be expected to make it easier to commit an offence.
The record at issue has been refused by the NTMA under section 32(1)(c) on the basis that release of the record could reasonably be expected to facilitate the commission of fraud and/or cybercrime. In its submissions to this Office, the NTMA said the record contains detailed information regarding the composition of Prize Bond numbers, the generation of datasets as part of the prize draw, the statistical tests used to detect non-randomness within datasets, and analysis conducted by reference to the results of a completed draw. It said that as such, the content of the record is not confined to statistical information only but also extends to information about the draw more generally.
The NTMA noted that the release of records to a requester pursuant to the FOI Act is release without any restrictions, and as such, the content of the record may be reproduced or published in an uncontrolled manner. It noted that the applicant, a journalist, published an article in December 2024 referring to the refusal of his FOI request by the NTMA and expressly stated that he intended to share the contents of the report with readers.
The NTMA submitted that there are a number of ways in which the content of the record could make it easier for a third party to commit fraud or a cybercrime. It argued, for example, that the information relating to the operational functionality of the draw would be of assistance to criminal actors in potentially facilitating:
• the issuing of targeted phishing messages aimed at defrauding Prize Bond holders and/or individuals involved in the conduct of the draw;
• attempts to fraudulently claim prizes (e.g. via a fake system mirroring the characteristics of the draw);
• the selling of the information to other fraudsters / threat actors as reconnaissance data for unlawful use;
• the provision of, or use of, the information for Generative AI or AI training models with currently unknown or unquantifiable risks.
The NTMA said that given the prevalence of cybersecurity risks as reported by entities including Ireland’s National Cyber Security Centre (NCSC) and the EU Agency for Cybersecurity, there is a reasonable expectation that disclosure of non-public information regarding an electronically conducted draw could pose risks in the context of the range of offences that could be committed. It further said that given the level and value of prizes and the number of holders of Prize Bonds and their related value, there would appear to be sufficient financial and commercial incentive to fraudsters/threat actors in seeking to potentially use the information in question for unlawful purposes.
The NTMA identified what it said were examples of restricted information in the report which is not currently in the public domain, including the exact (various) structures of a Prize Bond number, and detailed information on how datasets are created and the use of these datasets, as well as the volume of eligible and ineligible bond numbers monthly. It argued that releasing this level of detailed information in the record would increase the likelihood of a potential fraud or cyber incident causing harm to a bondholder or prospective purchaser (the individual), harm to the Prize Bonds draw system, and/or harm to the NTMA in the context of its ability as delegate of the Minister for Finance to provide this savings scheme on behalf of the State.
In relation to harms to individuals, it said that cyber criminals actively seek opportunities for social engineering of individuals and that a common tactic is to leverage current affairs, news articles or stories picked up by the media. It argued that while phishing attempts related to the Prize Bonds draw could be generated using information already in the public domain, the release of the information contained in the record could significantly enhance the risk of successful phishing of individuals in terms of (i) the likelihood of a higher number of phishing attempts using the additional information gleaned from the report and (ii) the probability that a phishing attempt would be more accurate or targeted given the nature of the information provided in the report (Prize Bond number structure). It said the risk to the individual is that they would be coaxed into clicking on links resulting in malware infection, or exposing passwords, personal details, or bank account details in the expectation of payment of Prize Bond winnings. It said the NCSC has warned of a noticeable increase in reports of attempts to defraud companies or steal sensitive data through email deception. It also quoted the An Garda Síochána website which describes the six most common types of fraud in Ireland today and which includes “lottery fraud where the victim is told that they have won a lottery or prize draw and need to pay money to release the funds”.
On foot of the NTMA’s submissions that the release of the report would involve the disclosure of information relating to Prize Bond number structure, this Office’s Investigator sought further submissions in light of the fact that winning Prize Bonds numbers are already published online on the Ireland State Savings website. In response, the NTMA acknowledged that results of the weekly Prize Bonds draws are published on the Ireland State Savings website pursuant to Regulation 21 of the Prize Bonds Regulations 1993 (as amended). It said that Regulation 21 requires that the public has reasonable access to winning bond numbers, but that it is important to note that such access is not unfettered. It said the regulation expressly states that the names of Prize Bonds holders, the number of bonds held by a holder, and the amounts paid for such bonds shall not be published. In this regard, it said that the focus of the regulations is on transparency regarding the outcome [the NTMA’s emphasis] of the Prize Bond weekly draws, whilst continuing to protect holder information. It said that the enhanced risk referred to in its previous submissions relates to the potential misuse of the additional information contained in the record on the randomness of the draw results, such as the exact structure of a Prize Bonds number, the letters that are not used to create a Prize Bond number and the alpha prefix associated with certain types of bonds. It said this information is not currently in the public domain. It said that while it might be possible for threat actors to deduce such information from the published draw results, this would likely require considerable effort and analysis. It stated that making this additional information readily available to threat actors could significantly enhance the risk of successful phishing/social engineering.
In terms of the harm to the Prize Bonds draw system, the NTMA said that cyber criminals continuously trawl publicly available internet resources to gather information that could be used to target a system and plan an attack. It said this is known as cybersecurity reconnaissance and is the initial phase of a cyberattack. It said it considers that the information contained in the report is essentially a blueprint regarding the universe of bonds that make up the draw and the generation of datasets. It noted that the NCSC has advised that the technical ability of perpetrators should never be underestimated and that, as such, the NTMA considers that it is not in a position to anticipate or pre-determine the precise steps, complexity of effort or advanced techniques that could be used by threat actors to infiltrate the Prize Bonds draw system. It said its concerns relate to the scope of harm that could be caused by threat actors after they have gained unlawful access to the system. It said that while the information in the report may not, in isolation, directly result in a compromise of the system, it would however be valuable information that could be used and leveraged post-compromise e.g. to manipulate draw results. It said a “white box” risk relates to vulnerabilities that could be exploited by a threat actor with access to information on the system's internal structure and design. It said it considers that the information contained in the report introduces a “white box” risk, thereby increasing the overall risk of cybersecurity breach. It said that the probability that the system could be successfully targeted for a potential future cyberattack would be heightened should the report be available in the public domain.
In its submissions, the NTMA said it took careful account of the wording of section 32(1)(c). It said the exemption provides refusal if access to the record concerned “could, in the opinion of the head, reasonably be expected [the NTMA’s emphasis] to facilitate the commission of an offence”. It argued that it is not required to demonstrate that release of the record would facilitate the commission of cybercrime. It said this was a higher standard of proof which would require it to demonstrate that there is a strong likelihood of access to the record facilitating the commission of an offence. It said it was required to demonstrate that an offence “could” be committed which, it said, required it to show that there is a possibility of access to the record facilitating the commission of an offence. It said that the test in section 32(1)(c) is not absolute in nature and allows the decision maker to form an opinion based on a reasonable expectation. It stressed that it is not in a position to anticipate or pre-determine the precise steps, complexity of effort or advanced techniques that could be used by threat actors to infiltrate the Prize Bonds draw system. It said that it did not believe that reliance on section 32(1)(c) required it to have an in-depth knowledge of the technical or criminal capabilities of threat actors and to predict the exact steps or types of offence that such third parties could undertake or commit. Rather, it said that it has a reasonable expectation that there is a risk of fraud/cybercrime and that this view is based on the expertise of its personnel, including the Ireland State Savings team and its ICT team. It said it regularly consults with the NCSC on matters relating to cybersecurity risks.
On the matter of the harm to the NTMA’s ability to provide the Prize Bonds savings scheme on behalf of the State, it said that as part of its range of statutory functions, it oversees the Prize Bonds scheme as administered by its agent, PBC. It said that should the integrity of the system or public trust in the Prize Bonds product be damaged due to a fraud or a cyber incident, it could face long-term damage and currently unquantifiable cost in rebuilding the system, investigating and resolving any fraud or cyber incident and rebuilding trust in the Ireland State Savings brand. It said that given the level of vigilance required of public bodies in the current environment, it considers that protecting its customers against any form of fraud is of paramount importance. It said it believes that the release of the report increases the risk of harm against holders of Prize Bonds or prospective purchasers.
In his application to this Office, the applicant argued that there is no basis for the NTMA’s claims that the release of a statistical report into the Prize Bond draw would pose risks to the integrity and security of the arrangements relating to the conduct of the draw or that the information could be unlawfully used to target the draw by way of cyberattacks. He said there was no evidence that anyone would attempt to target the Prize Bond draw with a cyberattack.
Company A said there are two main issues in working with pseudorandom numbers, namely how they are generated and how they are tested. It said its exchanges to date with the NTMA through PBC have been about the testing. It said it has no input into how the numbers are generated, nor is this information required for its analysis. It said its report details the approach in which the data emanating from the random number generator are tested statistically. It said that although the report does not contain a comprehensive insight into how the numbers were generated, it does assist anyone wishing to bypass the checks on how they might deceive the system and remain undetected. Drawing upon an analogy, it said that if you provide someone with the blueprint to a sophisticated burglar alarm system, you lose the security aspects of that system, as it allows actors with malicious intent with a means to design ways to circumvent the system. It said that it would therefore appear sensible to avoid such a disclosure in this instance and protect the draw system, bond holders and prospective bond holders.
In its submissions, PBC said the report contains confidential information about the Prize Bonds draw system and the draw’s operational processes. It argued that the disclosure of such details could increase the risk of cybercrime or fraudulent activity, as non-public technical information may be misused by threat actors. It said the release of this information could facilitate phishing, fraud, or other forms of system compromise, given the significant financial incentive for malicious actors. It said that in light of current cybersecurity threats highlighted by national and European agencies, there is a reasonable expectation that making this information public would pose material risks to the integrity of the scheme. It said that given the scale of the Prize Bonds scheme and the significant financial incentive for fraudsters, with circa. 3 million holders with over €4.4 billion in savings in Prize Bonds, the risk of harm to individuals, the draw system, and the State’s savings brand is substantial.
I fully accept that section 32(1)(c) does not require the NTMA to demonstrate that release of the record at issue would facilitate the commission of cybercrime. As I have outlined above, the question is not whether an offence will occur, but whether release of the information at issue could reasonably be expected to facilitate the commission of an offence. I do not, however, accept the NTMA’s argument that it is only required to show that “there is a possibility of access to the record facilitating the commission of an offence”. This Office takes the view that there must be adequate grounds for any such expectation. The mere possibility of some adverse effect is not sufficient for the exemption to apply.
In interpreting the words “could reasonably be expected to”, this Office considers that the test is not concerned with the question of probabilities or possibilities. It is concerned with whether or not the FOI body’s expectation is reasonable. The FOI body must firstly identify the potential harm to the functions covered by the exemption that might arise from disclosure and, having identified that harm, consider the reasonableness of any expectation that the harm will occur. It is noteworthy that in The Minister for Communications, Energy and Natural Resources and the Information Commissioner & Ors [2020] IESC 57, the Supreme Court found that there is a presumption in favour of disclosure under the framework of the FOI Act, such that a refusal to disclose must be fully reasoned and sufficiently coherent, fact specific, and logically connected to the document or record such that the justification is sufficient.
The NTMA argued that the release of the report would be of assistance to criminal actors in potentially facilitating increased phishing, attempted fraudulent claims, selling of information to other threat actors, and other unknown risks arising from the use of AI. It argued that release could reasonably be expected to harm individuals, the Prize Bonds draw system, and its ability to manage the Prize Bonds scheme.
In terms of the harms to individuals, the NTMA’s argument, that the release of the report could significantly enhance the risk of successful phishing of individuals in terms of increased and/or more accurate or targeted phishing attempts, appears to be based on the information contained in the report concerning the structure of a Prize Bond number. I do not accept that argument. While I fully accept that the precise construction of Prize Bond numbers is not publicly available information, genuine numbers are already published online in their thousands. In my view, there is more than ample publicly available information on the composition of Prize Bonds numbers that could be used by threat actors to replicate legitimate looking Prize Bonds numbers. It is not apparent to me that the release of details of the precise number structure makes it any easier to engage in phishing. As such information is not currently available, targets of phishing attempts would not be in a position to identify an invalid number construction to help them identify fraudulent emails. Accordingly, I am not satisfied that the release of that information could reasonably be expected to facilitate the commission of an offence of phishing beyond what is already possible with publicly available information.
Neither do I accept the NTMA’s argument that the release of the report might facilitate attempts to fraudulently claim prizes or that the information might reasonably be used as reconnaissance data for unlawful use. While it has cited the use of a fake system mirroring the characteristics of a draw as an example of how attempts to fraudulently claim prizes might be facilitated, it has not explained how this might work or how the release of the report might facilitate fraudulent claims. Neither has it identified what precise information might be used for reconnaissance data for unlawful use, apart from its concerns about the release of the Prize Bond number structure that I have addressed above.
On the matter of harms to the Prize Bonds draw system, I fully accept that the NTMA is not in a position to anticipate or pre-determine the precise steps, complexity of effort or advanced techniques that could be used by threat actors to infiltrate the Prize Bonds draw system. Nevertheless, I do expect it to be in a position to explain why it reasonably expects that the release of the report could facilitate fraud and/or cybercrime. It is not sufficient for the NTMA to simply argue that there is a reasonable expectation that disclosure of non-public information regarding an electronically conducted draw could pose risks in the context of the range of offences that could be committed. The NTMA described “essentially a blueprint regarding the universe of bonds that make up the draw and the generation of datasets”. However, it has not explained how the release of any particular information in the report might facilitate a compromise of the draw system.
The NTMA also said that while the information in the report may not, in isolation, directly result in a compromise of the system, it would be valuable information that could be used and leveraged post-compromise e.g. to manipulate draw results. However, it has given no indication of what information in the report might cause such harm or how such harm might arise. I note that the NTMA referred to a "white box" risk relating to vulnerabilities that could be exploited by a threat actor with access to information on the system's internal structure and design. However, it is not apparent to me that the report at issue contains any such system information. Having examined the record in detail, it seems to me that it predominantly consists of statistical tests and equations used by Company A to determine whether there were any patterns of non-randomness in the numbers drawn in Prize Bonds draws in a given period. It seems to me that the NTMA appears to be making blanket assertions based on its concerns as to the nature of the harms that could arise if the system was, in fact, compromised. Such assertions are not sufficient for me to find that section 32(1)(c) applies.
I note that Company A said that, although not a comprehensive insight into how the Prize Bond numbers are generated, the report assists anyone wishing to bypass the checks on how they might deceive the system and remain undetected in future reports. In essence, its argument is based on an individual already having compromised the system. Company A did not explain how the release of the report might facilitate such a compromise.
On the matter of the NTMA’s ability to manage the Prize Bonds scheme, I fully accept the legitimate concerns that it has in relation to cybersecurity and that cyberattacks represent a major risk that all organisations must manage. I also accept that the NTMA oversees a substantial financial portfolio on behalf of the State which may act as an incentive for cybercriminals to target it or the Prize Bonds scheme. However, while I accept that organisations are required to be vigilant and cautious to mitigate the dangers posed by cyberattacks, for the purposes of its obligations under the FOI Act, I do not accept that this amounts to a licence to withhold information based on mere assertions of harm. As I am not satisfied that the release of the record could result in fraud/cybercrime in relation to individuals or the Prize Bonds draw, then I cannot see how release of the record would harm its ability to oversee the Prize Bonds scheme.
In conclusion, for the reasons set out above, I am not satisfied that the release of the record could reasonably be expected to facilitate the commission of an offence. I find that section 32(1)(c) does not apply.
Section 36(1)(b) of the FOI Act provides that an FOI body shall refuse to grant a request if the disclosure of the record sought could reasonably be expected to result in a material financial loss or gain to the person to whom the information relates, or could prejudice the competitive position of the person in the conduct of his or her profession or business or otherwise in his or her occupation. The essence of the test in section 36(1)(b) is not the nature of the information but the nature of the harm which might be occasioned by its release.
The harm test in the first part of section 36(1)(b) is that disclosure “could reasonably be expected to result in material loss or gain”. As I have outlined above, this Office takes the view that the test to be applied is not concerned with the question of probabilities or possibilities but with whether the decision maker’s expectation is reasonable. The harm test in the second part of section 36(1)(b) is that disclosure of the information "could prejudice the competitive position" of the person in the conduct of their business or profession. The standard of proof to be met here is lower than the "could reasonably be expected" test in the first part of this exemption. However, this Office takes the view that, in invoking "prejudice", the damage that could occur must be specified with a reasonable degree of clarity.
In its submissions, the NTMA said Company A provides research services by qualified practitioners specialising in statistical consulting, market research, and statistical software training. It said the report at issue contains commercially sensitive information comprising Company A’s analysis of technical and numerical information relating to the Prize Bond draw process. It said such analysis, and the methodology for undertaking same, is commercially sensitive and if disclosed could prejudice Company A’s competitive position in the conduct of its business. It said Company A also regards the content of the report as commercially sensitive.
In support of its argument, the NTMA also referred to guidance published by this Office regarding section 36 and the Information Commissioner’s position that section 36 is primarily aimed at protecting the commercial interests of parties engaged in commercial activity. It said the record contains the analysis and evaluation undertaken by Company A and its professional opinion regarding the randomness of the draw results. It said it expects that the release of such information could significantly prejudice Company A’s competitive position by revealing its work product, analysis, and methodologies to competitors. It also referred to further guidance from this Office on section 36 which it said acknowledged that the FOI Act is not designed as a means by which the operations of private enterprises were to be opened up to scrutiny. As such, it said that it considers that Company A should be able to provide services to FOI bodies without suffering commercially as a result.
With respect to the public interest factors considered under section 36(3), the NTMA said that while there is a need for openness, accountability, and transparency which would favour the release of the record, there are countervailing considerations which would favour withholding the record. It said this included the need to ensure that companies such as Company A are not deterred from providing similar services in the future due to the fear of commercial harm as a result of the release of commercially sensitive information. It said that, on balance, it considers that the public interest considerations favour withholding the record.
In its submissions, Company A said it considers that the NTMA is correct in its assertion that the release of the report could reasonably be expected to significantly prejudice its competitive position under section 36(1)(b) of the FOI Act. It said that as a core service offering, it provides independent marketing research and statistical analysis services to a range of private and public bodies. It said all research is subject to an open tendering process from time to time and any future tendering submission from Company A would describe the approach and nature of statistical testing read directly from the report under review. It claimed, therefore, that by releasing the contents of the report, it would suffer considerable commercial harm in that its tender could be replicated at will and effectively neutralise its unique selling point in distinguishing it from competing tenderers. In addition, it said it currently provides a similar service to another bonds operator, and if the report was to be released, it could suffer the same possible commercial harm.
In response to a query from this Office’s Investigator on the methodology employed in the report, Company A said that, although all the statistical tests used are openly accessible, it considers the range and selection of specific tests to the reformed data to be unique and its intellectual property. It said the application of the tests in the report has been developed from several decades of expertise from highly qualified statisticians as there are many ways in which these data could have been analysed. It said that the contents of the report are constantly under development as new statistical tests are integrated to existing data and new draw procedures prompt revisions, e.g. the introduction of euro-value bonds from bonds valued in Irish Pounds. It said it could be argued that the range of statistical tests employed are not overly sophisticated and could be replicated by any third party. In response, it drew an analogy to the recipe for Coca-Cola, i.e. given the ingredients and production process, it would be simple for anyone to replicate the production of the product and bypass the expertise it took to develop and blend the product into its current state.
In relation to the public interest, Company A said that it is important that the public have confidence in the fairness of the draw. It said knowledge that the results from the draw are tested statistically by an independent body should be sufficient in this instance as the report is not written for a public audience and access to the detailed results should not be necessary, in its opinion.
In conclusion, Company A said that it fully endorsed the NTMA’s position that the request should be refused pursuant to section 36(1)(b) of the FOI Act, as granting access to the report is not in the public interest and would result in considerable commercial harm to it in the event of a future public tender of such services.
In its submissions, the PBC noted that if the release of the report were to facilitate the commission of an offence, this could result in material financial loss and/or undermine the commercial interests of the PBC. Furthermore, it said that as the report contains commercially sensitive information relating to the PBC’s operational processes and methodologies, its disclosure could weaken the competitive position of the PBC. It said that while openness and accountability are important, the risks outlined above mean that the public interest favours non-release, and that disclosure would undermine the security and trust in the Prize Bonds scheme.
Company A accepts that the tests described in the report at issue are openly accessible. Its essential argument is that the disclosure of the report would involve the disclosure of the precise methodology it used (i.e. the range and selection of specific tests used) which it considers to be its intellectual property and which, it argues, could be replicated by other competitors, thus undermining its competitive position.
I understand that the vast majority of tests that might be used to check the randomness of a random number generator would be well known within the relevant industry and are commonly publicly available. On the other hand, I accept that details of the precise tests used by Company A in this case are not publicly available and that the release of the report would give competitors an insight into the methodologies Company A might propose in future tenders for the provision of similar statistical analysis. However, it seems to me that such information would be of very limited value, if any, to such competitors. I note, for example, that the report does not disclose other relevant details that would be used to evaluate tenders such as price, organisational capacity to deliver, and expertise. I also note Company A’s assertion that the contents of the report are constantly under development as new statistical tests are integrated to existing data and new draw procedures prompt revisions, which suggests that the methodologies outlined in the report at issue might be of lesser value to competitors in the future. Moreover, Company A has not identified any features of the methodologies used that might be so unique or novel as to be unlikely to be known by competitors. Indeed, I would expect that the relevance and usefulness of the tests used in this case and the manner of their use in assessing the type of data at issue would be commonly known to Company A’s competitors. In all of the circumstances, while I am conscious of the fact that the harm test in the second part of section 36(1)(b) has a quite low threshold, I am not satisfied that the release of the report might prejudice Company A’s competitive position. I find, on balance, that section 36(1)(b) does not apply. 
Nevertheless, for the avoidance of doubt, I will proceed to consider the applicability of section 36(3), which provides that section 36(1) does not apply where the public interest would, on balance, be better served by granting the request.
Before I do so, I wish to address the arguments made by PBC in relation to the applicability of section 36(1)(b). PBC claimed that the report contains commercially sensitive information relating to its operational processes and methodologies, the disclosure of which could weaken its competitive position. I do not accept that this is the case. As described above, the report uses statistical tests and analyses to determine if there were any anomalies in the winning Prize Bonds numbers generated by the PBC’s random number generator. The record is not an assessment of the operations, methodologies, or functioning of the PBC or of its procedures in relation to same. Having examined the record, it does not seem to contain sufficiently specific information on how the Prize Bond draw operates, how the numbers are drawn, or how the PBC functions in its operation of the draw. As such, I am not satisfied that the record contains commercial information on the operations of the PBC the disclosure of which could weaken or prejudice its competitive position.
In its submissions, the NTMA referred to Guidance this Office has published on section 36 wherein we acknowledged that the FOI Act is not designed as a means by which the operations of private entities were to be opened up to scrutiny. It said it considers that Company A should be able to provide services to FOI bodies without suffering commercially as a result. It said that while there is a need for openness, accountability and transparency which would favour release of the record, there are countervailing considerations which would favour not releasing the record, including the need to ensure that companies such as Company A are not deterred from providing similar services in the future due to the fear of commercial harm as a result of the release of commercially sensitive information.
In relation to the public interest, Company A said it is important that the public have confidence in the fairness of the draw. It argued that knowledge that the results from the draw are tested statistically by an independent body should be sufficient in this instance as the report is not written for a public audience and access to the detailed results should not be necessary.
I accept that the FOI Act was not designed as a means by which the operations of private enterprises were to be opened up to scrutiny. However, this does not mean that the operations of private enterprises can never be disclosed. Indeed, section 36(3) expressly provides for the release of information even in circumstances where release might cause a particular commercial harm to a private enterprise. However, such disclosure is generally a by-product of disclosing information in the public interest for the purpose of enhancing the transparency and accountability of the manner in which FOI bodies carry out their functions. In relation to Company A’s argument that knowledge that the results from the draw are tested statistically by an independent body should be sufficient to allow the public to have confidence in the fairness of the Prize Bonds draw, I would simply note that the fact that a certain level of transparency and accountability already exists does not mean that there should be no further transparency and accountability. Indeed, the purpose of the Act, as set out in its long title, is to provide for a right of access to the greatest extent possible consistent with the public interest.
In my view, disclosure of the record at issue would significantly enhance the public’s ability to draw conclusions as to the fairness of the Prize Bonds draw, with the result that it would also serve to further strengthen the NTMA’s accountability in relation to its governance and oversight obligations. Moreover, for the reasons I have outlined above, the release of the record would, in my view, provide little or no useful insight for competitors of Company A, with the result that the public interest in protecting the commercial activities of private enterprise is quite weak in this case. For those same reasons, I do not accept that the release of the report would result in companies such as Company A being deterred from providing similar services in the future. Accordingly, I find that the public interest would, on balance, be better served by the release of the report at issue. I find, therefore, that section 36(3) serves to disapply section 36(1)(b) in this case.
Having carried out a review under section 22(2) of the FOI Act, I hereby annul the NTMA’s decision. I find that it was not justified in refusing the record under sections 32(1)(c) or 36(1)(b) of the FOI Act. I direct its release subject only to the redaction of the names of staff members of Company A.
Section 24 of the FOI Act sets out detailed provisions for an appeal to the High Court by a party to a review, or any other person affected by the decision. In summary, such an appeal, normally on a point of law, must be initiated not later than four weeks after notice of the decision was given to the person bringing the appeal.
____________________
Stephen Rafferty
Senior Investigator