What else do you need to consider?

How do we manage expectations of confidentiality with third parties, such as contractors? 

You should manage expectations of confidentiality with the third parties you have dealings with from the beginning. Make them aware of your obligations under FOIA and any other transparency obligations you may be subject to, eg relevant procurement rules. 

You should not give blanket assurances of confidentiality, nor can you make information automatically exempt under FOIA by stating in a contract that certain information is confidential.

When you work jointly with another public authority or an external contractor, a good way to manage expectations is by having an information sharing agreement in place. 

Chapter nine of the Section 45 Code of Practice on Freedom of Information gives you additional guidance on good practice when contracting with private sector organisations for the delivery of public services.

For more information about what we expect you to do to meet your FOI obligations when contracting with private sector organisations, read our guidance on Outsourcing – FOIA and EIR obligations. 

Should we consult with third parties when we receive a request?

Consulting with third parties is good practice, although you don’t have to. 

Chapter three of the Section 45 Code of Practice on Freedom of Information sets out when it may appropriate for you to consult with third parties before disclosing information in response to an FOI request. 

When a third party has given you information in confidence, we recommend you engage with them before issuing your response. If you don’t, it could undermine your position if your decision to refuse disclosure is challenged. 
If you decide to consult with third parties, this must not delay your response under FOIA. The statutory deadline for responding is normally 20 working days. 

You are ultimately responsible for deciding whether you can disclose the information under FOIA. You should make this clear to those you consult. You should take into account the third parties’ views as part of your decision, but the final decision is yours.

Consent

Sometimes, the people you owe a duty of confidence to may consent to the disclosure of the information under FOIA. 

If the person to whom the duty is owed consents to its disclosure, there would be no unauthorised use of the information. This means the third limb of the Coco test is not met. 

If the person to whom the duty is owed tells you they’re happy to consent to its disclosure under FOIA, you should explain to them this would mean placing the information in the public domain, resulting in loss of confidentiality.

There are risks when relying on consent as the basis for disclosing confidential information in response to an FOI request. 

These are: 

• You may owe a duty of confidence to more than one person. It may be difficult to trace all of them and get their consent.
• People may not fully appreciate what they’re consenting to and the implications of releasing information in response to an FOI request.
• If they withdraw their consent after disclosure, you would struggle to regain control over the information because you effectively placed it in the public domain. 

Therefore, relying on consent can still leave you exposed to the risk of an actionable breach of confidence. 

Waiver of the right to bring a claim

Equally, sometimes, the person who has the right to bring a claim for breach of confidence may wish to waive that right. When someone waives their right to bring a claim, it means that the claim is not “actionable”. Therefore, you would be able to disclose the information under FOIA. 

The person who can bring a claim is normally the person you obtained the information from. However, it can also be somebody else. For example, in the case of deceased people, the right to bring a claim for breach of confidence passes to their personal representative. 

The risks of relying on a waiver of the right to bring a claim are similar to those of relying on consent.

This example shows that the application of section 41 can fall away if the person you owe the duty to consents to the disclosure and waives the right to bring an action for breach of confidence. 

This Tribunal’s decision was based on the particular circumstances of that case. In particular: 

• All personal representatives of the deceased had consented to the disclosure and waived the right to bring a claim. The Tribunal was satisfied that there was no one else with legal rights in relation to the deceased’s estate. 
• The applicant had evidence their father would have wanted his medical information known. This is because he believed his health problems were linked to his exposure to radioactivity.
• There was a high public interest in the information because the testing would have affected other former officers. Newspapers had published articles about this issue.
• The applicant had no right to access their father’s medical records under the AHRA 1990 because this piece of legislation does not apply to records created before its enactment. 

Protectively marked documents 

Protective markings and security classifications, such as “confidential” or “official sensitive”, are a helpful way to tell people to handle marked documents with care. They can also help your information access team to know the type of information included in a document, and which exemption may be relevant. This helps you protect the value and integrity of your information. 

However, you should not base your decision about whether section 41 applies on the fact a document you’ve received has been marked “confidential” or “provided in confidence”. 

For instance, in the Busby example cited before, the Tribunal rejected the Home Office’s claim that the information had been shared in circumstances giving rise to a duty of confidence simply because it was contained in a report marked “confidential”. 

Equally, you should not assume that a document not marked “confidential” does not contain information with the necessary quality of confidence. 
To decide if section 41 applies to the requested information, you should follow the relevant legal test. 

The right of access under FOIA applies to recorded information, rather than documents. This means that not all the information contained in a document may be exempt from disclosure. Therefore, even if a document has been protectively marked as “confidential”, you must still check its contents to decide what information is exempt under section 41 and what information you can disclose.  

If you need more information about the right to recorded information under FOIA, read our guidance on The right to recorded information and requests for documents.