IT firms must beware of rivals seeking to exploit law, says Renzo Marchini
There has been much media coverage of the coming into force of the Freedom of Information Act on 1 January.
The act heralds a new spirit of governmental openness which directly applies to more than 100,000 public authorities, but it also affects any IT company that does business with the public sector. Compliance has already been described by one local authority head of IT as involving "an order of magnitude more complex than implementing the Data Protection Act" (Computer Weekly, 30 November 2004).
The Freedom of Information Act gives the public the right to request any information held by a public authority. The authority generally has no option but to comply, unless one of the specified exemptions applies.
Disclosable information could include contracts signed by the authority, tender and other documents relating to the decision-making process which led to the contract, and commercially sensitive pricing information. There are a variety of reasons why a supplier would be wary of allowing commercial information to be disclosed into the public domain.
Commercial intelligence tool
Anyone can make a request. The concern for IT companies is that requests may not only come from members of the public wanting to know how their tax monies are being spent, but also from competitors wanting to know how proposals or contracts are being structured and priced. And reasons for wanting to know do not need to be given. Similar legislation has existed in the US for years and has often been used as just such a commercial intelligence tool.
Not all information has to be disclosed by the public authority facing such a request. There are two relevant and related exemptions, both covering the situation where the information requested is confidential: one "absolute" and the other "qualified".
As a result of the somewhat vague drafting of the act, it will be difficult to decide whether either of these exemptions apply. It is the authority that will have to make that decision. If it deems that the information is subject to the "absolute" exemption, all is well and good for the supplier. In this case only an order from the court that disclosure is in the overwhelming public interest can override the decision.
However, if the authority determines that the exemption is merely "qualified", the authority can decide there is an overwhelming public interest in its disclosure. This type of qualified exemption probably covers a broader range of trade secrets and is likely to encompass not only technical information, but also business information such as pricing structures.
Given these exemptions, it is fair to ask: what is the problem?
First, an over-zealous public authority may not have these exemptions in mind when responding to a request and as a result confidential information may come into the public domain.
Second, even if it does have regard to the exemptions, it may judge particular information as not falling within the exemptions (because it does not believe it is confidential) or it may decide, whether rightly or wrongly, that there is an overriding public interest to be fulfilled by disclosure.
IT companies supplying to public authorities need at the very least to be aware of these rules. They must take them into account when putting together public sector tenders and contracts, as well as throughout the relationship.
Suppliers should ensure there is at least an argument that the exemptions apply. Do this by, if possible, ensuring there are confidentiality agreements in place before any information is disclosed, and by marking all sensitive documents as "confidential".
Consideration should be given to not disclosing genuinely confidential information to public authorities unless absolutely essential. And it may be worth
negotiating with authorities to ensure they commit to consult with you before any disclosure is made under the the act.
As far as contracts already in place are concerned, suppliers should consider contacting public authorities now to remind them of what they consider confidential and to determine (and seek to influence) how a request for this information would be dealt with.
Renzo Marchini is a solicitor specialising in IT and data protection with international law firm Dechert
Read more on IT risk management
Met Police should release information on British WikiLeaks journalists passed to US, tribunal told
Deal between RBS and CA over IT failure will remain secret
How UK security laws and European privacy laws impact businesses
ONS could be forced to share UK census data after failing to seek legal advice