You are here

In the know (2)

Marcus Turle reports on the effect of FOIA on disclosure of information by business regulators

25 March 2005

Judged on the evidence from North America where freedom of information laws have operated for decades, the most enthusiastic users in the UK of the right-to-know won’t be the retired colonel from Surrey researching Ministry of Defence spending on army rifles, or even the aggrieved benefit claimant whose rejected application for an entitlement card has deprived him of the right to use the NHS.
The most frequent applicants under the Freedom of Information Act (FOIA) here will be ‘business’ and the media. In the US and Canada, the multi-billion dollar industry for ‘data broking’ or ‘surrogate requesting’ clearly demonstrates the value to competitors of information in contracts between public authorities and their commercial partners. Already, disclosure of such contracts (price and all) is becoming accepted here as the price of doing business with government.
The value of contracts as a source of business intelligence is self-evident. But there is another area, to date largely neglected by information lawyers, in which the most sensitive business information is routinely supplied by companies to public authorities. That area is the ‘regulated industries’. As common sense would suggest, some of this type of information will be FOIA-exempt. But it is far from guaranteed that all of it will be. Those operating within one of the UK’s many regulated sectors should beware – sensitive and valuable information provided to regulators could find its way into the hands of competitors, or the press, unless you take steps to protect it.

Who are the regulators?
Some of the better known regulators are now household names – most obviously the ones who police the privatised utilities. The industry watchdogs for gas, electricity, water, telecommunications and the railways have evolved over the years into what we now call Ofgem (gas and electricity), Ofwat (water), Ofcom (telecoms and broadcasting) and the Office of Rail Regulation (ORR) for the railways. We also now have regulators covering charities and pension providers, and one of the most important and controversial areas of all (particularly post-Shipman Enquiry) is the ‘self-regulating’ professions. Regulators exist to oversee sectors as diverse as medicine and health (the General Medical Council, amongst others), law (the Law Commission), and financial services and insurance (regulated by the Financial Services Authority, or FSA).
There will be a substantial amount of sensitive and commercial information finding its way into the hands of all these regulators and we can be confident that competitor companies, the press and other interested groups will use the law to get hold of it if they can. The chances of that happening are much greater than you might think.

Are regulators caught by FOIA?
In most cases, yes. Here’s why.
The FSA is an ‘independent non-governmental body’ (even though the Treasury appoints its board), constituted as a company limited by guarantee, and financed by the financial services industry. It is a public authority for the purposes of FOIA because it is listed as such in Sched 1. Other listed bodies include Ofcom, the General Medical Council and the Law Commission.
The ORR and Ofwat are both described as a ‘non-ministerial government departments’. Neither is individually listed in FOIA, but each is swept up by the phrase at the beginning of Sched 1 bringing ‘any government department’ within the definition of ‘public authorities’.
Ofgem operates under the direction and governance of the Gas and Electricity Markets Authority, which is not named in FOIA, but its functions are performed on behalf of the Crown and its members are appointed by the Secretary of State. Ofgem is therefore covered by FOIA because it is a publicly-owned company within the meaning s 6 FOIA.

What kind of information do regulators handle?
Regulators handle two kinds of information on regulated organisations. First, their routine activities makes them privy to a whole range of business information. Good examples might be future business plans, anticipated revenues and costs, and projected service levels. Regulators also tend to have information on major areas of risk to organisations, and other business assumptions.
Secondly, regulators have to collect information in order to carry out investigations. Although this is clearly important, I do not cover it in detail here. For this, interested readers can refer to the Department for Constitutional Affairs (DCA) guidance on the ‘Investigations and Proceedings’ (s 30 FOIA) and ‘Law Enforcement’ (s 31 FOIA) exemptions.
It is with the first category of information that I am concerned, and it is clear that regulated businesses ought to be addressing the very real possibility that their commercially sensitive or confidential information could find its way into the public domain through enforced FOIA disclosure.

What are the specific risks?
As we know, the starting point under FOIA is that information must be disclosed unless it can justifiably be withheld under an exemption. The exemptions for commercially sensitive and confidential information sound like they ought to help us. And they do, up to a point. However, taken in the abstract, it’s far from clear just how effective they are.
The commercial interests exemption in s 43 FOIA covers trade secrets, and also information more generally, if disclosure would prejudice someone’s commercial interests. Helpfully, the DCA guidance on s 43 says that “information provided to a public authority in respect of an application for a licence or as a requirement of a licence condition or under a regulatory regime” is “likely” to be commercially sensitive. It goes on:
“Departments may obtain commercially sensitive information from third parties in a number of ways, for example as a result of legal, regulatory, or licensing requirements.”

Commercial interests
This sounds promising. But remember that as far as FOIA is concerned, commercial interests are subordinate to the public interest. So the position is not as straightforward as the DCA might imply. The public interest in furthering public debate on how our water and electricity bills are being spent would presumably weigh in favour of disclosure. While it is also arguable that Parliament has decided that a regulator should be appointed to examine this sort of information and make decisions based on it, and therefore that disclosure might undermine this process, the balance of interests is not as easy to call as you might suppose. This is particularly true in light of the Shipman Report’s damning criticism of self-regulation in the medical profession, which suggests that openness and transparency are now more important than ever. There is likely to be an increasing public demand for information that allows us to check whether regulators are fulfilling their remits effectively and efficiently.
So, while there are good reasons to think that lots of information supplied to a regulator ought to be exempt on commercial interest grounds, it is certainly not clear that the public interest will support exemption just because information was collected for regulatory purposes.
The confidential information exemption may also help, but whether an authority owes a duty of confidence will generally depend on how it came by the information in question. The DCA guidance states that where public authorities obtain commercially sensitive or other information by ‘compulsion’ as a result of regulatory or licensing requirements, then a duty of confidentiality will normally arise. This may not protect information obtained in the course of a regulator’s more routine activities, however.
At present, the most important FOIA exemption for the regulated sectors is the one covering ‘Prohibitions on disclosure’ (s 44). This is an absolute exemption (no public interest test applies) which states that: “Information is exempt… if its disclosure… is prohibited under any enactment.”
This exemption is central to the way information held by regulators is handled. Each regulator operates under its own specific statutory powers and obligations and, in so far as these prohibit disclosure, they will continue to do so – at least for now: FOIA does not cut across them. But regulated companies should certainly not be complacent. A detailed understanding of the nature and extent of the powers and obligations of the relevant regulator is fundamental if you are to manage the risk of some information falling between the cracks.
This is well illustrated by a couple of brief examples. Part XXIII of the Financial Services and Markets Act 2000 covers disclosure of information received by the FSA. It says that “confidential information” (defined to mean information relating to “the business or other affairs of any person” where obtained pursuant to regulatory functions) cannot be disclosed except with the consent of the person who supplied the information. Part XXIII also allows for the making of Regulations (see the Financial Services and Markets Act 2000 (Disclosure of Confidential Information) Regulations 2001) to allow for disclosure in exceptional circumstances – eg, to other regulatory bodies, who will then also be subject to restrictions on disclosure.
In the case of the Gas and Electricity Markets Authority, there is a general restriction under the Utilities Act 2000 on disclosure of information that has been received using a regulatory function, if it “relates to the affairs of any individual or to any particular business”. Again, information may be disclosed to certain other authorities in particular circumstances.
These examples sound encouraging. They don’t put the issue beyond debate though. First, the restrictions only apply to information obtained using, or pursuant to, a regulatory function. There is plenty of stuff in regulators’ files which falls outside these parameters. Secondly, the DCA is reviewing all statutory prohibitions on disclosure of information to determine whether they need to be amended or repealed to ensure compatibility with FOIA. And to emphasise that point, the DCA guidance says that any FOIA exemption will “be highly dependent on the precise terms of the relevant prohibition on disclosure”. So, do not assume that information that you would expect to be exempt, is exempt.

Managing the risk
Many of us have assumed that the prospects are slim for getting access under FOIA to information held by regulators. That may be true in some cases, but there remain very clear risks in others. The nature of the information involved and the consequences of disclosure mean that it will be critical for regulated companies to take precautionary steps.
One elementary step is to mark clearly all information submitted to a regulator to indicate that it relates to the company’s business, is being supplied for regulatory purposes and that you expect it to be covered by the exemption under s 44 of FOIA.
Another key step is to make clear to contractors that you reserve the right to meet your regulatory obligations – which might include disclosing tenders – and if the regulator discloses information held by it to satisfy FOIA obligations, you won’t be liable as a result.
Finally, bearing in mind that public authorities often end up holding information that they no longer have any real use for, regulated organisations should also ask for older information (and any copies of it) to be returned by the regulator or destroyed. Going forward, when supplying information, a regulated organisation should adopt the habit of asking for its information to be returned as soon as the regulator no longer needs it in order to fulfil its functions. Whether or not the regulated organisation thinks information given to a regulator is in safe hands, it will be safest of all if the regulator no longer has it!

Categorised in:

Trade Procedures Costs Health & Safety