Recent disclosures at the UK Covid-19 Inquiry have brought significant attention to the use of non-corporate messaging platforms like WhatsApp in the delivery of public authorities’ official business. This blog looks at the Freedom of Information (Scotland) Act 2002 and how information held by public authorities on non-corporate messaging platforms can be accessed through the freedom of information regime.
What is the Freedom of Information (Scotland) Act 2002?
The Freedom of Information (Scotland) Act 2002 (FOISA) gives a right of access to recorded information. Under FOISA a person who requests information from a public authority in Scotland is entitled to be given the information within 20 working days, subject to some conditions and exemptions.
A detailed list of public authorities included in FOISA is contained in Schedule 1 of the Act. Some of the public authorities on this list include:
- the Scottish Government
- NHS Scotland, and
- the Scottish Parliament.
The Scottish Information Commissioner (SIC) is the independent public official responsible for enforcing and promoting FOISA. David Hamilton is the current SIC and has been in post since October 2023. He was appointed to the post for a fixed term of six years.
UK Government departments and cross-border public authorities operating in Scotland are not covered by FOISA, but are instead covered by the UK Freedom of Information Act 2000.
What kind of information can be accessed under the Freedom of Information (Scotland) Act 2002?
FOISA defines information very broadly as “information recorded in any form”. This means information can be released regardless of the medium or storage platform it is held on, and includes messages on non-corporate platforms such as WhatsApp, assuming exemptions do not apply.
The information that can be given to the requester is the information that the public authority holds at the time of the request. However, certain information in the public authority’s possession may be considered “information not held” under FOISA. This includes information held on behalf of another person and confidential information supplied by a UK Government Minister or department.
Accessing deleted information under the Freedom of Information (Scotland) Act 2002
Deleted information, on corporate and non-corporate platforms, may be considered as “held” for the purposes of FOISA if it can be re-accessed or restored (e.g., via a “recycling bin” or “recently deleted folder”). However, information does not need to be provided if a request is made pertaining to information that is due to be deleted (or amended) in the time between request and response. Similarly, excessive cost provisions may apply if the restoration of the information is sufficiently expensive or resource intensive. In the case of excessive cost provisions applying, the public authority can refuse to comply with the information request.
That being said, FOISA is clear that deletion of information should not be used to circumvent the release of information. Section 1(5) of FOISA sets out the information should not “be destroyed before it can be given (unless the circumstances are such that it is not reasonably practicable to prevent such destruction from occurring)”. It is also a criminal offence under FOISA to alter, deface, block, erase, destroy or conceal information with intent to prevent disclosure following an information request being made.
The link between freedom of information and records management practice
Given the complexity involved in determining whether information is held by a public authority and the various mediums and platforms that information may be held on, public authorities should have good records management practice to support the release of information under FOISA. There is provision in FOISA and the Public Records (Scotland) Act 2011 to support this.
Scottish Ministers issue the Section 61 Code of Practice under FOISA to provide guidance to public authorities on the keeping, management, and disposal of records. The Section 61 Code of Practice states:
“Freedom of information legislation is only as good as the quality of the records and other information to which it provides access. Access rights are of limited value if information cannot be found when requested or, when found, cannot be relied upon as authoritative. Good records and information management benefits those requesting information because it provides some assurance that the information provided will be complete and reliable. It benefits those holding the requested information because it enables them to locate and retrieve it easily within the statutory timescales or to explain why it is not held”.
The Public Records (Scotland) Act 2011 sets out the requirements on certain public authorities in relation to records management. Public authorities are under a duty through the 2011 Act to produce and submit a records management plan for agreement by the Keeper of the Records of Scotland. The records management plan should set out:
- the individual responsible for managing the public authority’s records
- the procedures for managing and maintaining the security of the public authority’s records
- how records will be archived, disposed of, or destroyed by the public authority.
Official records management plans may also be supplemented with the public authority’s own policies for managing information that is not minuted and captured as the official record (e.g., permissions for the use of non-corporate messaging tools and timescales for the retention of corporate emails).
The SIC and Keeper of the Records of Scotland have responsibilities under FOISA to support good practice in records management. The SIC must periodically consult the Keeper on the adherence of Scottish public authorities to the Section 61 Code of Practice. In cases where it appears to the SIC that a public authority’s practices deviate from the code of practice, the SIC may issue a “practice recommendation”. This written recommendation specifies the areas where the public authority is not conforming with good practice and outlines the necessary steps that ought to be taken in order to conform. The SIC must consult with the Keeper of the Records of Scotland before issuing such recommendations.
Creating information trails
Records management and the changing nature of communication in public authorities was raised as an issue long before public health restrictions amid the Covid-19 pandemic necessitated changes in ways of working. For example, the Parliament considered this in 2017 when the Public Audit and Post-legislative Scrutiny Committee (PAPLS; Session 5) undertook post-legislative scrutiny of FOISA. The PAPLS Committee reported that whilst there was an increase in the level of information routinely recorded by public authorities, evidence indicated concerns about the use of unofficial channels of communication (e.g., WhatsApp messages) and the extent to which such information is accessible through effective records management under FOISA.
The PAPLS Committee emphasised “the importance of documenting and recording relevant information” and asserted “that much greater emphasis needs to be given by the public sector as a whole to adequately creating information trails”.
Scottish Information Commissioner statement on non-corporate messaging tools
The Scottish Information Commissioner made an official statement on 2 November 2023 regarding the use of non-corporate messaging tools such as WhatsApp. This statement followed the Scottish Government confirming that it had been issued a formal legal order under section 21 of the Inquiries Act 2005 to release WhatsApp messages to the UK Covid-19 Inquiry. The SIC stated in response to this:
“Where tools such as WhatsApp are used by public authority staff to carry out official business, the information generated will, in most cases, fall under the scope of Scotland’s FOI laws. The Freedom of Information (Scotland) Act 2002 defines “information” as “information recorded in any form”. The Commissioner therefore expects public authorities to identify and consider all appropriate recorded information when responding to FOI and EIR requests, including, where relevant, information recorded in exchanges made through WhatsApp, Microsoft Teams, or other messaging tools”.
The statement also set out the SIC duties relating to promoting and enforcing the Section 61 Code of Practice on records management and stated:
“I have been reviewing my live caseload and am liaising with the Keeper of the Records of Scotland to determine whether regulatory action may be required in specific cases”.
The UK Covid-19 Inquiry released evidence from Scottish Government WhatsApp messages on 22 January 2024. This evidence included extracts of WhatsApp messages between officials appointed by the Scottish Government. David Hamilton (the SIC) indicated concern over the messages on the 22 January 2024 BBC Radio Scotland programme Good Morning Scotland and suggested that decisions on appeals to the Commissioner from during the Covid-19 pandemic may be reviewed.
Courtney Aitken, SPICe Research