Mr X and Trinity College Dublin
Ó Oifig an Choimisinéara Faisnéise
Cásuimhir: OIC-105592-V7G5P3
Foilsithe
Teanga: Níl leagan Gaeilge den mhír seo ar fáil.
Ó Oifig an Choimisinéara Faisnéise
Cásuimhir: OIC-105592-V7G5P3
Foilsithe
Teanga: Níl leagan Gaeilge den mhír seo ar fáil.
Whether TCD was justified in refusing access to its Primary Risk Registers for a number of given years under sections 36 and 40 of the FOI Act
9 July 2021
In a request dated 20 July 2020, the applicant sought access to copies of TCD’s Primary Risk Registers from 2013 – 2018. On 15 September 2020, TCD refused the request, citing sections 36(1)(b) and 40(1)(d) of the FOI Act as the basis for its refusal. On 2 October 2020, the applicant sought an internal review of TCD’s decision, following which TCD affirmed its original decision. On 15 March 2021, the applicant sought a review by this Office for a review of TCD’s decision.
I have now completed my review in accordance with section 22(2) of the FOI Act. In carrying out my review, I have had regard to the application for review and the submissions made by TCD. I have also examined the record at issue. I have now decided to conclude this review by way of a formal, binding decision.
TCD identified one record as being relevant to the request in this case, namely its Risk Register dated April 2017. This Office subsequently sought clarification from TCD as to why, in response to a request that sought risk registers from 2013 to 2018, only one record was identified. TCD explained that between the period 2013 to 2018, the Primary Risk Register of the college was the one dated April 2017, and as such was the only relevant record.
Accordingly, my review is concerned solely with the question of whether TCD was justified under the FOI Act in refusing access, under sections 36 and 40 of the Act, to its Risk Register dated April 2017.
In its submissions to this Office, TCD indicated that it was relying on section 36(1), and sections 40(1)(d) and 40(2)(n) and (o), of the FOI Act as a basis for its refusal to grant access to the record.
Section 36(1)(b)
Section 36(1)(b) of the FOI Act provides that an FOI body shall refuse to grant an FOI request if the record concerned contains financial, commercial, scientific or technical or other information whose disclosure could reasonably be expected to result in a material financial loss or gain to the person to whom the information relates, or could prejudice the competitive position of that person in the conduct of his or her profession or business or otherwise in his or her occupation. The essence of the test in section 36(1)(b) is not the nature of the information, but the nature of the harm which might be occasioned by its release.
There are certain situations where, although section 36(1)(b) (and indeed section 36(1) as a whole) relates to the request, the request shall still be granted. These situations are specified in section 36(2). Moreover, section 36(1) of the Act is subject to a public interest balancing test which is set out at section 36(3). Subject to section 38, the exemption at section 36(1) does not apply where the public interest would, on balance, be better served by granting than by refusing to grant the FOI request. Thus, where an FOI body is relying on section 36(1) of the Act for the refusal of a record, it must go on to consider whether section 36(3) applies in relation the record concerned.
As a general principle, this Office is of the view that section 36 of the Act is primarily aimed at protecting the commercial interests of parties engaged in commercial activity. However, this Office has previously held there is some uncertainty as to the position of FOI bodies under section 36. Depending on the circumstances of the case, this Office has accepted that the FOI Act does not prohibit an FOI body from relying on the provisions of section 36.
In its submissions to this Office, TCD argued that the record at issue contained financial and commercially sensitive information, the disclosure of which could reasonably be expected to result in a material financial loss to it and could prejudice its competitive position by providing its competitors and service providers with financial and commercially sensitive information which, it stated, was set out in the record. It argued that the disclosure of the record would provide suppliers and potential suppliers with commercial, technical and organisational information that could be used to their benefit in future competitions, to its detriment. As an example, TCD argued that making it known to the public and accordingly suppliers and potential suppliers the risks that TCD faced, and what it required to mitigate such risks, could provide potential suppliers with key commercial information that would benefit them in negotiations. This, TCD stated, could reasonably be expected to result in a financial loss to it and a material financial benefit to the third party.
TCD went on to state that the disclosure of the information in the record could result in a material financial loss to the University by giving third parties the ability to target perceived risks and this could bring a material financial gain to third parties. It argued that, for example, publishing information about IT security risks and governance risks could allow third parties to target the University’s IT security systems which would have significant financial and reputational risk for the University. It referred to the recent ransomware attack carried out on the HSE IT security system, arguing that perceived vulnerabilities in that system had led third parties to target the HSE. TCD contended that third parties could use risks and areas where further action is required as identified in the record to target it, referring to a recent RTE report which listed the academic sector as a high value target for such attacks. TCD noted that, in 2017, unauthorised access by a third party to the email account of an employee of Trinity foundation had resulted in the authorisation of fraudulent payments to individuals unconnected to Trinity College or the Trinity Foundation. It stated that it had been targeted in the past and may be targeted in the future in particular if risks that it faced, and the required controls that need to be put in place, were made public.
The harm test in the first part of subsection (1)(b) of section 36 is whether disclosure of the information “could reasonably be expected to result in material financial loss or gain”. This Office takes the view that the test to be applied is not concerned with the question of probabilities or possibilities, but with whether the decision maker’s expectation is reasonable. The nature of the harm envisaged and a basis for a claim that such harm could reasonably be expected to result from disclosure of the particular information in the record(s) at issue should be shown by an FOI body or a third party relying on this provision.
The harm test in the second part of subsection (1)(b) of section 36 is whether disclosure of the information “could prejudice the competitive position” of the person in the conduct of his or her profession or business or otherwise in his or her occupation. The standard of proof necessary to meet this test is considerably lower than the standard required to meet the test of "could reasonably be expected to" in the first part of section 36(1)(b). This notwithstanding, this Office has previously held that, in invoking the phrase "prejudice", the damage which could occur as a result of disclosure of the information must be specified with a reasonable degree of clarity. In the High Court case of Westwood Club v The Information Commissioner [2014] IEHC 375, Cross J held that the explanation, as finally given by the FOI body to the Commissioner, did little more than repeat the requirements of what is now section 36(1)(b) and referred to the nature of the documents held. Cross J stated:
“It does not in any sense engage with the proper question ... as to why these particular documents, if disclosed, could prejudice the financial position.... In particular, the point properly made ... as to the antiquity of the documents was not dealt with at all by the email [from the FOI body]”.
The High Court decision in Westwood Club makes it clear that it is not sufficient for the party relying on section 36(1)(b) to merely restate the provisions of the section, list the documents and say that they are commercially sensitive. The FOI body or the third party opposing release should explain why disclosure of the particular records could prejudice the competitive position of the third party.
In analysing the applicability of section 36(1)(b) to records that FOI bodies have sought to withhold, this Office has previously held that that factors such as the availability or otherwise of the information and whether it is in the public domain; the passage of time; and the broader context and rate of change in the relevant industry are elements that may be taken into account.
Applying the above analysis to the records at issue, this Office would first of all note that it considers that that TCD has set out the nature of the harm envisaged from the release of the record at issue, namely by way of its arguments that its Risk Register contains information which, if disclosed:
However, while TCD has set out in some detail the harms outlined above, what is less clear is the basis on which it contends that the above harms could reasonably be expected to result from the disclosure of the particular information contained in the risk register. It is not self-evident from its submissions how TCD considers that material financial loss can reasonably be expected to follow from the release of the particular information contained in the risk register. TCD has not identified or specified the particular material that is contained in its Risk Register and which it considers is financially and commercially sensitive, and appears instead to seek to assert the exemption provided for in section 36(1) of the Act over the record as a whole, without analysis of the particular information contained therein. This Office does not consider that such an argument is sustainable under section 36(1).
TCD did give the specific example of risks relating to its IT security systems contained in its Risk Register, stating that the disclosure of risks of this nature would enable third parties to target its IT systems. However, on examining the specific IT security risk identified in the Risk Register, it is not apparent to me how the disclosure of this information would be of particular assistance in targeting TCD’s IT security systems as the Risk Register does not appear to me to contain any particular information of a technical or specialist nature which would give any valuable insight into the IT security systems utilised by TCD.
Moreover, it seems to me that TCD has not fully elucidated the basis upon which the release of the particular information contained in the risk register could prejudice its competitive position. Noting that the risk register at issue is dated April 2017, TCD has made no argument in its submissions under section 36(1) of the Act, as to how it considers that the release of information pertaining to risks and mitigating actions that were identified over three years ago could prejudice its competitive position in 2021. Nor has TCD made any arguments in relation to the level of detail which the records contain in relation to information that might be commercially sensitive. Again, it is not sufficient for the purposes of section 36(1)(b) for an FOI body to simply state that it is the case that the prejudice it has identified would follow from the release of the records sought. Noting again that TCD has not tied its arguments in relation to section 36(1) to the specific information contained within the record, it is not evident from its submissions how TCD considers that the release of the particular information contained in the Risk Register would prejudice its competitive position.
On the basis of the above analysis, I find that TCD has not shown how the release of the records could rise to the harms identified in the exemption, nor is it apparent to me as to how such harms might arise. In these circumstances, I do not consider that TCD has made out its case for the applicability of the exemption provided for by section 36(1)(b) of the Act. I find, therefore, that section 36(1)b) does not apply.
Section 40(1)(d); section 42(n) and (o)
Section 40(1)(d) of the FOI Act provides for the discretionary refusal of an FOI request where, in the opinion of the FOI body, access to the record could reasonably be expected to result in an unwarranted benefit or loss to a person or class of persons.
Like section 36(1)(b), section 40(1) of the Act is a harm-based provision; in other words, where an FOI body relies on section 40(1) it should identify the potential harm specified in the relevant paragraph of subsection (1) that might arise from disclosure and, having identified that harm, consider the reasonableness of any expectation that the harm will occur.
The FOI body should show how release of the record could reasonably be expected to cause the harm envisaged, i.e. it should show the link between granting access to the record concerned and the harm identified. It should do this by reference to the specific record being considered for release: what is it about the particular record or the particular information in the record which, if released, could reasonably be expected to cause the harm envisaged?
The FOI body should then consider the reasonableness of its expectation that the harm will occur. In examining the merits of an FOI body’s view that the harm could reasonably be expected, there is no requirement that this Office must be satisfied that such an outcome will definitely occur. The test is not concerned with the question of probabilities or possibilities. It is concerned with whether or not the decision maker's expectation is reasonable. It is sufficient for the FOI body to show that it expects an outcome and that its expectations are justifiable in the sense that there are adequate grounds for the expectations.
Consideration should also be given to what disclosure of the record would actually reveal. For example, where the information contained in the record is already known or in the public domain, it may not be reasonable to expect that prejudice or harm would result from its disclosure. The time at which the FOI decision is being made may also be relevant. It is possible that the release of the record could not reasonably be expected to result in the harm envisaged due to the passage of time.
In relation to subsection (1)(d) of section 40 specifically, this Office takes the view that the context of the section 40 exemption suggests that it is intended to protect the financial and economic interests of the State and of public bodies. Therefore, to the extent that it may also protect the interests of persons generally (as suggested by section 40(1)(d)), this would seem to be the case only to the extent that harm to a person (other than the State or a public body) would also result in harm to the State or a public body. The commercial interests of persons generally are protected by section 36.
Accordingly, this Office considers that the key issue in considering the application of section 40(1)(d) is the extent to which, if at all, the grant of the request would damage the interests of the State or some public body. Such damage would also have to meet the test of being "unwarranted".
Section 40(1)(d) may be applied to any record, but particularly those of a sort described in section 40(2) of the FOI Act. Subsections (n) and (o) of section 40(2), to which TCD’s submissions refer, concern records relating to information the disclosure of which could reasonably be expected to affect adversely the competitive position of a public body in relation to activities carried on by it on a commercial basis (section 40(2)(n) of the Act); and records relating to the economic or financial circumstances of a public body (section 40(2)(o) of the Act). An FOI body may invoke section 40(2) only in conjunction with section 40(1). Thus, the relevant requirements of section 40(1) must still be met.
It should be noted that the exemption provided for by section 40(1)(d) of the Act is subject to a public interest test. Section 40(3) of the Act provides that section 40(1) will not apply in circumstances where the FOI body considers that the public interest would, on balance, be better served by granting than by refusing to grant the FOI request. Thus, any FOI body seeking to rely on section 40(1)(d) as a basis for withholding a record must also go on to consider the provisions of section 40(3).
In its submissions to this Office regarding the applicability of sections 40(1)(d) and 40(2)(n) and (o), TCD stated that the release of the record at issue could result in an unwarranted loss to it and, accordingly, an unwarranted loss to its students, staff and researchers. It argued that the risks that have been identified in the record, and the fact that certain actions are required to manage those risks could provide external third parties with the opportunity to use those risks against it, and stated that this could cause it loss and provide an unwarranted benefit to those third parties. Furthermore, TCD stated that the risks identified in the risk register could have the effect of damaging its reputation which in turn could cause it unwarranted loss. TCD argued that any damage to its reputation would in turn affect its past, current and prospective students. Furthermore, it contended that any damage to its reputation could cause a reduction in parties that wished to align themselves with TCD on research projects or partnerships.
TCD went on to outline a number of specific risks identified in the Risk Register, and enumerated the manner in which it considered the release of such information could lead to it suffering loss. In particular, it identified risks 14, 15, 19, 24 and 26 and outlined in respect of each of these risks the harm – by way of potential loss to TCD – that it envisaged could occur by this information being made public. TCD characterised in its submissions such potential losses as “unwarranted” on the basis that, through the creation of a risk register and a risk management structure it was attempting to prevent and reduce the likelihood of such risks materialising, and it argued that for TCD to suffer damage, where it is trying to prevent and minimise such risks, would be unwarranted.
TCD went on to argue in respect of section 40(1)(d) that, while the Risk Register at issue was from 2017, the risks identified in the risk register were very relevant to the University today and would continue to remain relevant. TCD also noted that when the Record was circulated to board members to be considered it was done so with the classification of “confidential college circulation only”.
I consider that TCD has outlined the harms specified in the section 40(1)(d) of the Act that it considers might arise from disclosure of the record. Generally, it outlined financial harms it stated could occur through loss of earnings, litigation, insurance claims and IT Security attacks, and argued that such losses would have a significant impact on it financially, which in turn would affect students, researchers and the public. More specifically, TCD argued that the release of the record, in its view, could provide external third parties with the opportunity to use those risks against it; could damage its reputation; and cause a reduction in parties that wish to align themselves with TCD on research projects or partnerships.
However, I am less clear as to the basis on which TCD maintains that the harms it has identified can be said to reasonably be expected to occur as a result of the release of the record. For example, I find it quite difficult to accept that the release of the information in the Risk Register for 2017 could damage TCD’s reputation and/or cause a reduction in parties that wish to align themselves with TCD on research projects or partnerships. The purpose of a risk register is to identify potential future risks and to identify measures that can be put in place that can mitigate against those risks materialising.
It is incumbent on an institution such as TCD to identify and mitigate risks, and it seems to me that the release of the risk register simply discloses that the institution practices prudent financial management. Indeed, it seems to me that parties who may wish to align themselves with the Institution would be concerned if it was not in a position to show that it had identified certain potential risks and had taken measures to mitigate against such risks. In the circumstances, I do not accept the argument that the release of the information contained in the risk register is likely to damage TCD’s reputation or dissuade potential partners from engaging.
Similarly, in relation to TCD’s argument that the release of the record could provide external third parties with the opportunity to use the risks documented therein against it (for example by way of cyber-attacks), it is not evident to me that such harms could reasonably be expected to follow from the record’s release. I consider that the risks identified in the register are pitched at a sufficiently high level, and moreover lack a requisite degree of specificity, such that a third party who sought to take commercial advantage of the information, or to use it to cause TCD harm, would not gain the necessary insight from the information contained in the record that would enable it to do so. As such, I find that TCD has not shown how the release of the records could reasonably be expected to give rise to the harms identified in the exemptions, nor is it apparent to me as to how such harms might arise.
In circumstances where I have determined that section 40(1)(d) does not serve a basis on which to exempt the record for release, it is not necessary to consider the applicability of section 40(2)(n) and (o) as cited by TCD.
Furthermore, in circumstances where I have found that TCD is not entitled to rely on the exemption provided for in section 40(1)(d), it is not necessary for me to consider the public interest arguments for and against release of the record, pursuant to section 40(3) of the Act.
Having carried out a review under section 22(2) of the FOI Act, I hereby annul the decision of TCD to refuse access, under sections 36(1), 40(1)(d) and 40(2)(n) and (o) of the FOI Act, to its Risk Register dated April 2017, and direct the release of the record.
Section 24 of the FOI Act sets out detailed provisions for an appeal to the High Court by a party to a review, or any other person affected by the decision. In summary, such an appeal, normally on a point of law, must be initiated by the applicant not later than eight weeks after notice of the decision was given, and by any other party not later than four weeks after notice of the decision was given.
Stephen Rafferty
Senior Investigator