Skip to content

New Research Exemption for FOIA

One item of particular interest to the HE sector in the Queen’s Speech relates to the proposal for a new FOIA exemption for research intended for future publication, contained within the Intellectual Property Bill.

The Bill as introduced can be found here: The relevant section is S19 in Part 3. It states:

19 Freedom of information: exemption for research

After section 22 of the Freedom of Information Act 2000, insert—

“22A Research

(1) Information obtained in the course of, or derived from, a programme of research is exempt information if—

(a) the programme is continuing with a view to the publication, by a public authority or any other person, of a report of the research (whether or not including a statement of that information), and

(b) disclosure of the information under this Act before the date of publication would, or would be likely to, prejudice—

(i) the programme,

(ii) the interests of any individual participating in the programme,

(iii) the interests of the authority which holds the information, or

(iv) the interests of the authority mentioned in paragraph (a) (if it is a different authority from that which holds the information).

(2) The duty to confirm or deny does not arise in relation to information which is (or if it were held by the public authority would be) exempt information by virtue of subsection (1) if, or to the extent that, compliance with section 1(1)(a) would, or would be likely to, prejudice any of the matters mentioned in subsection (1)(b).”

To try and pick that apart a bit, the first thing this says is that the exemption would only be engaged if there is a prior stated intention to publish. If you have not intended to publish prior to receiving the FOIA request for the information, you cannot then employ this as an exemption.

Publishing may not necessarily mean publishing in the usual sense of the word. The ICO’s guidance on the exemption under S21 (information intended for future publication) reads as follows:

Publication is often understood to indicate that the information will be made available in a form that can be reproduced or circulated, for example in print or online. However, it is not restricted to making the information available in this way. It would also include making it available on inspection or, in some circumstances through speech. Information in picture form will be covered if the picture is to be made available through public display. Notes made in preparation of a speech will be covered if the speech is to be publicly broadcast. What is important is that the intention is to make the information available to the general public.

Secondly, it requires that the release of the information would prejudice either the research or the interests of the researchers, the researcher’s institution or any other public authority. This prejudice must be real. Prejudice is a difficult concept. The ICO has a guidance note available here:…specialist_guides/the_prejudice_test.pdf

The test of prejudice involves several steps, as outlined in the above document from the ICO:

  •  Identify the applicable interests within the relevant exemption.
  • Identify the nature of the prejudice. This means that the public authority must:
    • Show that the prejudice claimed is real, actual or of substance; and
    • Show that there is a causal link between the disclosure and the prejudice claimed.
  • Decide on the likelihood of the prejudice occurring. This means deciding whether the prejudice would or would be likely to occur.
    • ‘Would’ and ‘would be likely’ imply different levels of likelihood.
    • Where a public authority has not specified the level of likelihood, and in the absence of clear evidence to the contrary, the Commissioner will consider that ‘would be likely’ applies.

So, it may not necessarily be simple to demonstrate that the exemption is engaged.

Finally, the exemption allows us to “neither confirm nor deny” any relevant information is held if that prejudice can be demonstrated – however, it does not compel us to do so – we may be happy to confirm the information exists, but refuse to supply it.

This exemption has been lobbied for by UUK and many other organisations, and is broadly welcomed, however, it is entirely likely that until it receives royal assent and until the ICO issues guidance, the nuances may not be entirely apparent. There are some dissenting views on the likely usefulness of such an exemption, such as FOIMan’s post here:

What I would say is that this demonstrates the importance of stating the intention to publish in research plans as early as possible, and this cannot be too vague, either. “Some time in the future” will not wash – it must be as specific as possible.

Posted in Freedom of Information.

Tagged with , .

Evernote Hacked

In yet another high profile hacking attack, the Cloud-based archiving and notetaking service has been hit. The user information taken included passwords, user Ids and e-mail addresses.

Don’t be tempted to think it doesn’t matter because you don’t put anything into Evernote. If you’ve got an account with them, those details can be used by sophisticated hackers to cross reference with other hacking incidents to weaken still other systems where you really might care.

DMU staff that have accounts on LinkedIn are strongly advised to change their account passwords immediately. The Governance Team in ITMS has produced a document with advice on how to create and remember a strong password available from

Posted in Data Protection Act, Information Security.

Tagged with , .

Researchers Find More Than a Quarter of Android Apps Pose Data

Researchers say that more than a quarter of apps for Androids available through the Google Play store appear to pose potential security risks to users.

The researchers considered the apps to be questionable or suspicious if they had the capability to access personal information such as GPS data, phone calls and phone numbers. Users were led into allowing the apps to collect the data when they were installed; if users do not agree to the apps’ requests, the apps will not run on their devices. The practice appeared to be popular among games, entertainment, and wallpaper apps, despite the fact that those apps would seem to have little or no practical use for the information.

The researchers state specifically that these apps are not considered malware, simply that they pose a privacy risk to users.

Posted in Information Security.

Data Breaches in UK Up More Than Tenfold in Five Years

(August 30, 2012)

The UK Information Commissioner’s Office (ICO) says that over the past five years, data security breaches in the UK have increased more than 1,000 percent. The figure is slightly higher for local government breaches, and slightly lower for National Health Service (NHS) breaches.

The dramatic increase may be attributable in part to organizations reporting more breaches than they have in the past because of increased awareness and legal requirements to keep personal data safe.

Telecommunications is the only sector that showed a decline in the number of breaches reported over the given period of time.


Posted in Data Protection Act.

Microsoft Password Checker

This is a useful link for checking the strength of your password:


Posted in Information Security.

The Tech Support Phone Call Scam

Criminals trying to separate you from your personal details are using ever more sophisticated methods of doing so. One that is currently very effective is the Tech Support Phone Call Scam. I can vouch for the fact that this one is effective because a family member fell for it. It cost him over £100 to sort out the damage done to his laptop by the fraudsters. Fortunately, he didn’t lose any money. You may not be so lucky unless you know how to stay safe.

How it works:

You get a call from someone claiming to be from a computer support company. Sometimes they’ll even claim to be Microsoft themselves. They’ll tell you that they’ve detected a serious virus on your computer and advise you that you need to act immediately to save your PC and your data. The scam typically results in the caller getting you to download and install software from the Internet onto your machine.

Sometimes, they’ll get you to buy the product needed to sort the problem (“What’s that? You want me to enter my credit card details into your website? No problem! What could possibly go wrong?”) but often they’ll recommend free products. The end result is always the same – you compromise the integrity of your personal data. Whether you enter your card details yourself, or whether they use a bit of software to frisk your machine and look for personal data on your hard drive, they’re looking to rip you off.

These people are very convincing. They’ll put the fear into you and use technical jargon and they’ll appear very friendly and helpful. They’ll be happy for you to ring off and phone them back on the number they’ve provided (probably a premium rate number). They’ll bend over backwards because by doing so, they’re getting closer to your data.

How to protect yourself

It’s horrible to have to say this, but be more suspicious!

If someone phones up claiming to be from tech support and that you’ve got a problem, don’t give them your name or other personal details. Never give out passwords over the phone.

Get their contact details and say you’ll call ’em back. If you recognise the company, then Google the them and only use contact details from official websites to contact their help services. If you don’t recognise the company, don’t call ’em.

Don’t give strangers remote access to control your PC.

IT companies do not routinely phone people up even if there is a problem with their PC. The way to protect your PC from viruses is to run up to date anti-virus programs.

Posted in Data Protection Act, Information Security.

Tagged with , .

Some Say Credit Card Fraud Bust Means PCI-DSS Isn’t Enough

Experts say that the international takedown that resulted in 24 arrests for credit card fraud illustrates problems inherent in the Payment Card Industry Data Security Standard (PCI DSS).

The two-year operation, dubbed Operation Card Shop, revealed that cards from 47 different institutions were compromised. It also underscores the need “to move beyond check-the-box regulatory compliance.” Some have questioned whether the breached entities will face fines from the PCI Council as a result. Still others say that while news of the arrests is positive, they ultimately will not have an effect of the amount of credit card fraud that is occurring.

Posted in Information Security.

Digital Economy Act Code Published

OFCOM have finally published the Initial Obligations Code under the Digital Economy Act. The paper accompanying the new Code has, in Annex 5, some very detailed and helpful comments on universities, colleges, libraries, etc. The very quick summary is “carry on dealing effectively with reports of alleged infringements”.


For a bit more detail, see the blog post For a lot more detail, see the links there to the paper and Code.

Posted in Uncategorized.

LinkedIn Hacked – Change Your Password!

Technical blogs are reporting that a database containing password information for 6.5m members of business social network LinkedIn has been accessed by Russian hackers. While the passwords are encrypted, it is being reported that weaker passwords have already been cracked. LinkedIn have yet to comment except for a Tweet from their official account to say they are investigating.

Once a password is decrypted, hackers would be able to access personal information stored on the site, including home address details and email addresses and more.

DMU staff that have accounts on LinkedIn are strongly advised to change their account passwords immediately. The Governance Team in ITMS has produced a document with advice on how to create and remember a strong password available from

Posted in Data Protection Act, Information Security.

Tagged with , .

Protection Of Freedoms Bill Recieves Royal Assent

Today, the Protection of Freedoms Bill has become law. So far, so what?

Well, Part 6 of the Act relates to FOI and DPA. Most of it relates to extending the powers of the Information Commissioner and is likely to be of little or no interest to you, but there is one bit a University ought to be paying attention to.
Section 106 of the new Bill relates to the release and publication of datasets held by public authorities. This effectively puts information that has been collected by researchers under the FOI Act for the first time. We are entitled to issue a licence for any re-use of the information and charge for it. This is a new area of law, so it’s going to take some time to work out exactly what it means for the HE sector, but we know it means change. It is certain to increase the number of requests from bodies wanting to process data for commercial purposes and it’s going to make it harder for us to say no.

What is meant by a dataset?

Well, it’s information obtained or recorded for the purpose of giving us information in connection with the provision of a service by us or carrying out of any other function of the University. It’s the raw or source data, not any interpreted data, and not an official statistic.

A requester can, within reason, dictate the format in which the information should be supplied to them, i.e. in a machine-readable form using open standards.

Are we in a position to supply requested information within 20 working days?


Posted in Data Protection Act, Freedom of Information.