Mr X and University College Cork
Ó Oifig an Choimisinéara Faisnéise
Cásuimhir: OIC-103932-T8P7Y5
Foilsithe
Teanga: Níl leagan Gaeilge den mhír seo ar fáil.
Ó Oifig an Choimisinéara Faisnéise
Cásuimhir: OIC-103932-T8P7Y5
Foilsithe
Teanga: Níl leagan Gaeilge den mhír seo ar fáil.
Whether UCC was justified in refusing access, under sections 29(1), 30(1)(b), and 36(1)(b) of the FOI Act, to its risk registers for the years 2013 to 2018
15 June 2021
In a request dated 20 July 2020, the applicant sought access to copies of UCC’s Primary Risk Registers for the years 2013 to 2018. On 17 September 2020, UCC refused the request, citing sections 29(1), 30(1)(b) and (c) and 36(1)(b) of the FOI Act as the basis for its refusal. On 30 September 2020, the applicant sought an internal review of UCC’s decision. On 13 February 2021, UCC affirmed its refusal of the request, under sections 29(1), 30(1)(b), and 36(1)(b).
On 17 February 2021, the applicant sought a review by this Office of UCC’s decision. In the course of his application, he argued that UCC had failed to provide sufficient reasons for its decision, and that it had adopted an unwarranted and overly restrictive approach which, according to the applicant, was in conflict with its obligations as an FOI body. The applicant also submitted in support of his application risk registers from a number of other higher education establishments, which he indicated he had obtained by way of similar FOI requests to that made to UCC.
I have now completed my review in accordance with section 22(2) of the FOI Act. In carrying out my review, I have had regard to the correspondence between the applicant and UCC as outlined above. I have also had regard to the correspondence between this Office and both UCC and the applicant on the matter. I have also examined the records at issue. I have decided to conclude this review by way of a formal, binding decision.
My review in this case is concerned solely with the question of whether UCC was justified in refusing access, under sections 29(1), 30(1)(b), and 36(1)(b) of the FOI Act, to its risk registers for the years 2013 to 2018.
Section 29(1)
Section 29(1) of the Act provides that an FOI body may refuse to grant a request (a) if the record concerned contains matter relating to the deliberative processes of an FOI body, and (b) the body considers that granting the request would be contrary to the public interest. These are two separate requirements and the fact that the first is met carries no presumption that the second is also met. It is therefore important for public bodies to satisfy this Office that both requirements are met. The public interest test at section 29(1)(b) is a strong test, and any arguments against release should be supported by the facts of the case and it should be shown how release of the record(s) would be contrary to the public interest.
There is nothing in the exemption itself which requires the deliberative process to be ongoing, although the question of whether the deliberative process is ongoing or at an end may be relevant to the issue of the public interest. It should also be noted that the exemption does not apply in so far as the record(s) contain any of the information or matter referred to in section 29(2). Thus, where an FOI body is relying on section 29(1) for the refusal of a record, it must also consider whether section 29(2) applies in relation to the record concerned.
Deliberative process
The first requirement which must be met in order for section 29(1) to apply is that the record must contain matter relating to the ‘deliberative processes’ of an FOI body. An FOI body relying on this exemption should identify both the deliberative processes concerned and any matter in particular records which relates to these processes.
A deliberative process may be described as a thinking process which informs decision making in FOI bodies. It involves the gathering of information from a variety of sources and weighing or considering carefully all of the information and facts obtained with a view to making a decision or reflecting upon the reasons for or against a particular choice. Thus, it involves the consideration of various matters with a view to making a decision on a particular matter. It would, for example, include some weighing up or evaluation of competing options or the consideration of proposals or courses of action.
With regard to the exercise by an FOI body of purely procedural or service delivery functions, it should be noted that this Office has previously held that where the FOI body’s role is confined to establishing the facts and circumstances of a case and applying a pre-existing principle, this does not entail a deliberative process.
In its submissions to this Office on the applicability of the exemption provided for by section 29(1) of the Act, UCC stated in relation to the question of a ‘deliberative process’ as follows:
“Risk Management is a continuous and developing process which runs throughout the University’s strategy and the implementation of that strategy, methodically addressing all risks surrounding the University’s current activities and those into the future. UCC considers risk management to be fundamental to good management practice and a key component of corporate governance. Effective management of risk provides an essential contribution towards the achievement of the University’s strategic and operational objectives and goals.
Risk management is an integral part of the University’s decision-making and management and is incorporated within the strategic and operational planning processes at all levels across all aspects of the University’s local, national and international business.
Accordingly, UCC’s Risk Register is a document that is fluid in nature as the risks themselves evolve over time and the University’s treatment of such risks is under constant review. New risks are added, others are removed when they are mitigated to a satisfactory level and new mitigation measures are regularly introduced or adapted as part of the management of the risks. It is frequently assessed, evaluated, numerically scored and updated by risk owners, members of the University Management Team and the Risk Management Committee after careful consideration of all of the information to hand and, as such, is an ongoing deliberative process”.
In relation to the above arguments made by UCC, this Office would note that there is a distinction to be drawn between records relating to positions adopted by an FOI body following its deliberations, and matter relating to the deliberative processes. It seems to me that a year-end risk register for a given year falls within the former category of records, albeit that the risk register may have been updated at various points throughout the year. In other words, a year-end risk register sets out positions adopted by the body in relation to the various risks it has identified throughout the year, by way of (as the UCC risk registers have it) internal controls and further actions. Thus, while the risk registers contain outlines of various matters of concern to UCC from a risk management perspective, which matters have clearly been raised with a view to making a decision on the particular matter, rather than setting out a weighing up or evaluation of competing options, or the consideration of proposals or courses of action, it seems to me the risk registers set out instead the actions decided on (by way of the specified internal controls and further actions), such as to bring it within the ambit of a record relating to positions adopted by UCC following its deliberations. As such, I find that the risk registers do not relate to the ‘deliberative processes’ of UCC for the purposes of section 29(1) of the FOI Act.
Public Interest
In circumstances where I have determined that the risk registers in respect of which UCC asserts an exemption under section 29(1) of the FOI Act do not come within the scope of the ‘deliberative processes’ envisaged by that provision, it is not necessary to consider the public interest test under section 29(1)(b) of the Act (as the records have been found not to meet the first requirement of the exemption under section 29(1)(a) of the Act).
Section 30(1)(b)
Section 30(1)(b) of the Act provides that an FOI body may refuse to grant a request if it considers that access to the record concerned could reasonably be expected to have a significant, adverse effect on the performance by an FOI body of any of its functions relating to management (including industrial relations and management of its staff).
Section 30(1)(b) is a ‘harm based’ exemption, i.e. it applies where the granting of access to a record can reasonably be expected to cause a particular prejudice or harm. An FOI body seeking to rely on section 30(1)(b) of the Act must show how the harm anticipated could reasonably be expected to result from the release of the record(s). In particular, the body should identify the potential harm to the performance by an FOI body of any of its functions relating to management that might arise from disclosure and, having identified that harm, consider the reasonableness of any expectation that the harm will occur.
Furthermore, an FOI body seeking to rely on section 30(1)(b) of the Act should explain how and why, in its opinion, release of the record(s) could reasonably be expected to give rise to the harm envisaged. A claim for exemption under these provisions must be made on its merits and in light of the contents of each particular record concerned and the relevant facts and circumstances of the case. A claim for exemption pursuant to paragraph (b) which is class-based is not sustainable e.g. a claim for exemption for ‘any’ draft report.
When invoking section 30(1)(b), the FOI body must make an assessment of the degree of importance or significance attaching to the adverse effects claimed. Establishing "significant, adverse effect" requires stronger evidence of damage than, for example, "prejudice" (as per section 30(1)(a) of the Act). In other words, not only must the harm be reasonably expected, but it must also be expected that the harm will be of a significant nature
The wording of section 30(1)(b) makes it clear that the words "industrial relations and management of its staff" are, in the context of that section, a subset of "functions relating to management". Other than the specific references to industrial relations and the management of staff, section 30(1)(b) does not indicate what other management functions are embraced by the term "functions relating to management". This Office has held that management is a word of wide import and that it is apt to cover a variety of activities of an FOI body apart from management of staff and industrial relations. In previous decisions of this Office, it has held that the term “functions relating to management” covers such matters as strategic planning, the management of financial resources and the management of operational matters; management of operations, including reviewing how those operations are carried out, and devising and testing new methods of conducting the operations through the use of pilot projects; investigating complaints against a body, members of its staff and parties under contract to it; and attending to complaints from or about members of staff.
It should be noted that the exemption provided for in section 30(1)(b) is subject to a ‘public interest override’, by virtue of section 30(2) of the Act. In other words, even where the requirements of section 30(1)(b) have been met, the exemption does not apply where the public interest would, on balance, be better served by granting access than by refusing to grant the request. Where section 30(1)(b) of the Act is being relied on for the refusal of a record, the body must go on to consider the public interest test provided for in section 30(2) in relation the record concerned.
In its submissions to this Office on the applicability of section 30(1)(b) of the Act, UCC characterised the functions relating to management that would be affected by release of the records as follows. It stated that it considered risk management to be fundamental to good management practice and a key component of corporate governance. It argued that effective management of risk provided an essential contribution towards the achievement of its strategic and operational objectives and goals. It said that the risk management process relied on risk owners being open and honest about the risks faced by the organisation, and their proposed strategies for mitigating those risks. As such, according to UCC, its risk register contained a significant amount of detail in order for the risks to be fully assessed, evaluated and scored by relevant managers and committees.
The significant, adverse effect on the above functions identified by UCC was that, according to its submissions, disclosure of the risk register into the public domain would curtail the level of detail which could be included in the register, and this would detract from the effectiveness of the risk register as a live decision-making tool to improve the quality of decision making in the FOI body. UCC further submitted that some of the risks identified related to the management of industrial relations or staff performance issues, disclosure of which could be detrimental to the University’s management functions in respect of these matters.
UCC argued in conclusion that FOI bodies should be able to discuss matters of significance to the governance and management of their institutions, without prejudicing the position of the institution or releasing information which could adversely affect its management functions.
In relation to the question of whether UCC has identified “functions relating to management” for the purposes of section 30(1)(b) of the Act, I find that risk management can be said to fall within the scope of this term. As outlined above, “management” is a term of broad import that covers a wide variety of activities. In particular, I consider that the management of risk within an organisation falls within the ambit of strategic planning, the management of financial resources and the management of operational matters, such as to render it a management function for the purposes of section 30(1)(b).
In terms of a “significant, adverse effect” on these functions that would follow from the release of the records, in its submissions UCC outlined how disclosure of its risk registers would curtail the level of detail that could be included in the register, thus detracting from its effectiveness as a live decision-making tool. It tied this argument to its submissions relating to the further exemption it cited under section 36(1) of the FOI Act, relating to the release of commercially sensitive information (addressed in more detail below). In essence UCC argued that the knowledge that its risk register might be open to public scrutiny would result in contributors to the register being less open, especially in relation to risks related commercially sensitive information.
I accept that the result as outlined above, should it occur, could potentially constitute a “significant, adverse effect” on the management functions of UCC in relation to risk management. However, as outlined above, a claim for exemption under section 30(1)(b) must be made on its merits and in light of the contents of each particular record concerned and the relevant facts and circumstances of the case. A claim for exemption pursuant to section 30(1)(b) which is class-based is not sustainable e.g. a claim for exemption for ‘any’ draft report. In the case at hand, UCC has not offered arguments with reference to the contents of any of the specific records at issue, but instead appears to seek to exert a blanket exemption for all risk registers on the basis of section 30(1)(b). I consider that this amounts to an attempt to assert a class-based exemption (ie an assertion that all risk registers are exempt in their entirety by virtue of section 30(1)(b) of the Act).
Moreover, I do not consider that UCC has elucidated fully the basis on which it considers that the significant adverse effect it has identified can be reasonably expected to occur. It should be noted that the test in this regard is not concerned with the question of probabilities or possibilities. It is concerned with whether or not the decision maker's expectation is reasonable. It is sufficient for an FOI body seeking to assert an exemption under section 30(1)(b) to show that it expects an outcome and that its expectations are justifiable in the sense that there are adequate grounds for the expectations, and the body is not required to demonstrate that such an outcome will definitely occur.
This being said, the FOI body should show how release of the record could reasonably be expected to cause the harm envisaged, i.e. it should show the link between granting access to the record concerned and the harm identified. It should do this by reference to the specific record being considered for release: what is it about the particular record or the particular information in the record which, if released, could reasonably be expected to cause the harm envisaged? An FOI body’s submissions to this Office should be sufficiently detailed to demonstrate that link, and a general prediction without any supporting evidence is not sufficient to satisfy the requirement that access to the record could reasonably be expected to result in the outcome envisaged. In this instance I find that UCC has asserted the existence of a potential significant adverse effect but has not tied this to the contents of any of the particular records at issue, or demonstrated how the contents of any of the particular records could reasonably be expected to result in the adverse outcome envisaged.
On the basis of the above analysis, I find that UCC has not shown how the release of the records could reasonably be expected to give rise to the harm identified in the exemption, nor is it apparent to me as to how such harm might arise. In these circumstances, and in the absence of arguments based on the contents of each particular record, I do not consider that UCC has made out its case for the applicability of the exemption provided for by section 30(1)(b) of the Act.
Section 36(1)(b)
Section 36(1)(b) of the Act provides that an FOI body shall refuse to grant a request if the record concerned contains financial, commercial, scientific or technical or other information whose disclosure could reasonably be expected to result in a material financial loss or gain to the person to whom the information relates, or could prejudice the competitive position of that person in the conduct of his or her profession or business or otherwise in his or her occupation.
There are certain situations where, although section 36(1)(b) (and indeed section 36(1) as a whole) relates to the request, the request shall still be granted. These situations are specified in section 36(2). Moreover, section 36(1) of the Act is subject to a public interest balancing test which is set out at section 36(3). Subject to section 38, the exemption at section 36(1) does not apply where the public interest would, on balance, be better served by granting than by refusing to grant the FOI request. Thus, where an FOI body is relying on section 36(1) of the Act for the refusal of a record, it must go on to consider whether section 36(3) applies in relation the record concerned.
As a general principle, this Office is of the view that section 36 of the Act is primarily aimed at protecting the commercial interests of parties engaged in commercial activity. However, this Office has previously held there is some uncertainty as to the position of FOI bodies under section 36. Depending on the circumstances of the case, this Office has accepted that the FOI Act does not prohibit an FOI body, either as a decision making body or as a third party applicant, from relying on the provisions of section 36.
In its submissions to this Office, UCC stated in relation to the applicability of section 36(1)(b) of the Act that it considered that “almost all” of the information comprising the risk registers document would fall under this exemption. The basis upon which it maintained that this was the case was that, according to UCC, the information in the risk registers related to issues such as university rankings, the ability to secure non-exchequer funding from donors, funding from external sources, Brexit and how the UCC responds to the challenges that poses, UCC’s buildings and infrastructure, including its IT infrastructure, UCC’s external engagement, and Accreditation matters.
UCC submitted that the fact that these issues had been identified as risks, in itself, revealed commercially sensitive information. It stated that disclosing the records would reveal the UCC’s vulnerabilities and its strategies for mitigating and responding to same. It stated that detailed information about how it was currently controlling those risks and/or how it planned to mitigate them further in the future further revealed information which would be commercially advantageous to competitors and disadvantageous to UCC. It stated that some of the risks faced by UCC (such as Brexit, rankings, funding) would likely be risks faced by other institutions, and knowledge of how UCC was handling those risks and the strategies it proposed to follow into the future was highly commercially sensitive and would provide UCC’s competitors with very useful information with which to gain a competitive advantage. UCC indicated that, while it was a designated FOI body, it operated in a highly competitive, commercial environment, both nationally and internationally, in which third level institutions competed for scarce resources, students, staff, research funding and commercial contracts.
Furthermore, according to UCC’s submissions, in an era where exchequer funding for the higher education sector was below 2008 levels despite significant increases in student numbers in this period, universities have had to diversify their revenue streams. In this regard, it cited an Oireachtas report on the financial implications of Covid-19 for Ireland’s university sector, from which it quoted the following excerpt:
“Due to restrictions on international travel, weak employment prospects for students and graduates, and the move to remote learning, fewer enrolments of international students are expected in the near term, post-COVID-19. Furthermore, restrictions on economic activity have undermined key sources of commercial revenue for [Higher Education Institutions]”.
In this context, UCC stated that it had had to identify and explore all possible avenues of opportunity and to mitigate the threats to its economic survival. It stated that documenting and managing this in a risk register is one of the key ways that UCC addressed this challenge, and that disclosure of the information contained in the risk registers to the world at large would put UCC at a commercial disadvantage.
The harm test in the first part of subsection (1)(b) of section 36 is whether disclosure of the information “could reasonably be expected to result in material financial loss or gain”. This Office takes the view that the test to be applied in this regard is not concerned with the question of probabilities or possibilities, but with whether the decision maker’s expectation is reasonable. An FOI body or third party seeking to rely on this provision should outlined the nature of the harm envisaged and a basis for a claim that such harm could reasonably be expected to result from disclosure of the particular information in the record(s) at issue.
The harm test in the second part of subsection (1)(b) of section 36 is whether disclosure of the information “could prejudice the competitive position” of the person in the conduct of his or her profession or business or otherwise in his or her occupation. The only requirement which has to be met in the second part of section 36(1)(b) is that disclosure "could prejudice the competitive position" of the person concerned. The standard of proof necessary to meet this test is considerably lower than the standard required to meet the test of "could reasonably be expected to" in the first part of section 36(1)(b).
This notwithstanding, this Office has previously held that, in invoking the phrase "prejudice", the damage which could occur as a result of disclosure of the information must be specified with a reasonable degree of clarity. In the High Court case of Westwood Club v The Information Commissioner [2014] IEHC 375, Cross J held that the explanation provided by the FOI body to the Commissioner did little more than repeat the requirements of what is now section 36(1)(b) and referred to the nature of the documents held. Cross J stated:
“It does not in any sense engage with the proper question ... as to why these particular documents, if disclosed, could prejudice the financial position.... In particular, the point properly made ... as to the antiquity of the documents was not dealt with at all by the email [from the FOI body]”.
The High Court decision in Westwood Club makes it clear that it is not sufficient for the party relying on section 36(1)(b) to merely restate the provisions of the section, list the documents and say that they are commercially sensitive. The FOI body or the third party opposing release should explain why disclosure of the particular records could prejudice the competitive position of the third party.
In analysing the applicability of section 36(1)(b) to records that FOI bodies have sought to withhold, this Office has previously held that that factors such as the availability or otherwise of the information and whether it is in the public domain; the passage of time; and the broader context and rate of change in the relevant industry are elements that may be taken into account.
Applying the above analysis to the records at issue, this Office would first of all note that it considers that UCC has set out the nature of the harm envisaged from the release of its risk registers, namely by way of its arguments that the risk registers contain information which:
However, while UCC has set out in some detail the harms outlined above, in relation to the test in the first part of subsection 1(b) of section 36, this Office considers that it is less clear that UCC has set out the basis on which it contends that the above harms could reasonably be expected to result from the disclosure of the particular information contained in the risk registers. UCC has stated that the release of the risk registers would, in itself, reveal commercially sensitive information, and would put it at a commercial disadvantage, and would provide competitors with information which could confer a competitive advantage; but it is not sufficient for the purposes of the first test in section 36(1)(b) for an FOI body to simply state that this is the case. It is not self-evident from its submissions how UCC considers that material financial loss can reasonably be expected to follow from the release of the particular information contained in the risk registers.
As regards the test in the second part of subsection 1(b) of section 36, this Office further holds that UCC has not fully elucidated the basis upon which the release of the particular information contained in the risk registers could prejudice its competitive position. To take the example of the 2013 risk register as sought by the applicant, UCC has made no argument as to how it considers that the release of information pertaining to risks and mitigating actions that were identified some seven years ago could prejudice its competitive position in 2021. Nor has UCC made any arguments in relation to the level of detail which the records contain in relation to information that might be commercially sensitive. Again, it is not sufficient for the purposes of section 36(1)(b) for an FOI body to simply state that it is the case that the prejudice it has identified would follow from the release of the records sought. It is not self-evident from its submissions how UCC considers that the release of the particular information contained in the risk registers would prejudice its competitive position.
On the basis of the above analysis, I find that UCC has not shown how the release of the records could reasonably be expected to give rise to the harms identified in the exemption, nor is it apparent to me as to how such harms might arise. In these circumstances, I do not consider that UCC has made out its case for the applicability of the exemption provided for by section 36(1)(b) of the Act.
Having carried out a review under section 22(2) of the FOI Act, I hereby annul the decision of UCC to refuse access, under sections 29(1), 30(1)(b), and 36(1)(b) of the FOI Act, to its risk registers for the years 2013 to 2018 and direct the release of the records.
Section 24 of the FOI Act sets out detailed provisions for an appeal to the High Court by a party to a review, or any other person affected by the decision. In summary, such an appeal, normally on a point of law, must be initiated by the applicant not later than eight weeks after notice of the decision was given, and by any other party not later than four weeks after notice of the decision was given.
Stephen Rafferty
Senior Investigator