|
Many financial institutions adopt the approach that they
need not concern themselves with the Freedom of Information Act
2000 ('the Act') because they do not, on the whole, deal direct
with public authorities. This approach may, however, prove
risky.
Although a financial institution may not be dealing with a
public authority itself, further up or down the contractual chain
may be a public authority which holds the financial institution's
information, thus rendering this information potentially
disclosable.
The Act interprets "information held by a public authority" as
including information held by a third party on behalf of a public
authority. Thus those third parties providing a service to public
authorities, such as hedge fund providers managing public authority
money - or those acting as agents of public authorities – may,
through a financial institution dealing with them, cause
information belonging to that financial institution to become
potentially disclosable.
This was highlighted in the case of Hertfordshire County
Council. On 1 February 2007 case reference FS50086121 was heard by
the Information Commissioner. The council had resisted the
disclosure of information regarding private equity investments it
made on the basis that, in doing so, it would breach
confidentiality agreements between it (the Council) and third party
investment organisations.
The Commissioner held that the existence of a confidentiality
clause, per se, would not result in the right to refuse disclosure
of the request under the Act. Instead the Commissioner looked
behind the clause, to the nature of the information concerned.
Although the Commissioner decided that: an obligation of confidence
arose; the information was not trivial; and the information was not
available by another means (thereby causing a duty of confidence to
exist) the Commissioner held that, in the particular circumstances
of the case, the public interest in disclosure outweighed the
public interest in non-disclosure.
Because of the above risks, therefore, wherever the relationship
between financial institution and third party is contractual, it is
good practice to draft confidentiality provisions in a way that
restricts, as much as possible, any such public authority
disclosure – regardless of whom the contract is with. This will
ensure that protection is afforded against disclosures under the
Act further up or down the contractual chain, rather than simply
running the risk that all is well because there is no direct
contract with a public authority.
Where the relationship between the two parties is not
contractual, however, the task of protecting commercially sensitive
information is more challenging.
Protecting information in non-contractual
scenarios
One of the steps a financial organisation should take, when
confronted with a request under the Act, is to check and/or
challenge the statutory basis on which the request is made and see
if there are any exemptions to disclosure available to it under the
Act.
It is possible that if the bank or financial institution has
simply allowed a public authority to view certain documents,
perhaps at the bank's premises, but without actually physically
handing over any information, then it could be argued that the
public authority does not actually hold the information and thus it
is not disclosable in a request made under the Act to that public
authority.
If this is not possible, it would be wise to provide only one
hard copy version of any required information, at the very latest
possible date, subject to the proviso that such information be
returned immediately once the public authority ceases to
need it. This will seek to limit both the amount of information
held and the length of time for which it is held, thus narrowing
the window of opportunity for a potential disclosure request under
the Act.
A further, additional, safeguard would be to disclose documents
in two batches, one that is disclosable and the other confidential.
Any confidential information disclosed by a bank or financial
institution should be marked 'sensitive'/ 'confidential', so that
the commercially-sensitive/confidential nature of the information
is flagged to the public authority recipient's attention and could
potentially fall within one of the exemptions in the Act.
Banks and other financial institutions working with public
authorities should generally adopt a policy of 'minimum
disclosure', since it is best to assume that all information
provided to a public authority could find its way into the hands of
a third party, to the potential detriment of the relevant bank or
financial institution.
Summary
1. Manage the information provided to public
authorities - to establish/record who gives what information to
which public authority and on what basis. Such a review may well
identify information which is being provided without sufficient
reason or in an unnecessary level of detail.
2. Analyse the information provided in terms
of confidentiality and risk - identify information which is always
confidential.
3. Design suitable processes for management
of provision of information - these will vary to be consistent with
other management processes within the bank.
4. Establish policies and processes for
claiming confidentiality and for ensuring these claims are
effective.
The Financial Services Authority (the
'FSA')
The FSA has offered guidance on how it will respond to requests
under the Act (see www.fsa.gov.uk/foi). The guidance
explains that the FSA will not be able to disclose (subject to
limited exceptions) information about authorised firms that has
been obtained by the FSA in carrying out its regulatory functions.
This is due to the strict prohibition under section 348 of the
Financial Services and Markets Act 2000 ('FSMA').
In the case of HSBC Investment Bank plc ('HSBC'), the
Information Commissioner upheld the FSA's claim for exemption from
making a disclosure under the Act due to the provision of the FSMA
referred to above.
The ruling related to a FSA investigation of a complaint against
HSBC in which the FSA refused to disclose certain information to
the complainant, citing:
(a) section 44 of the Act, which provides
that information is exempt from disclosure by the public authority
if such is prohibited under any enactment
(b) section 348 of FSMA, which provides that
confidential information must not be disclosed by the FSA without
the consent of the person who supplied it and the consent of the
person (if such exists) to whom the information relates. In order
to establish if the information is covered by the statutory bar the
Commissioner must consider the following:
(i) is the information confidential under
the terms of FSMA;
(ii) has consent been given;
(iii) has the information already been
disclosed to the public; and
(iv) could the information be provided in
the form of a summary so it is not possible to ascertain to whom
the information relates?
The Commissioner first set out to establish if, for the purposes
of section 348 of FSMA, the information was confidential. To be
classed as confidential, as defined by section 348, information
must have been obtained by the FSA as part of its functions as the
regulatory body overseeing the financial services industry. The
information must also relate to the business or other affairs of
any person. The legal definition of ‘person’ includes corporations
and limited companies.
In a letter to the Information Commissioner, the FSA stated that
information withheld under section 44 of the Act consisted of
documents which were either sourced from HSBC or internally
generated documents by the FSA which described, repeated or
summarised information received from HSBC.
After analysis of the relevant documents disclosed by the FSA to
the Information Commissioner, it was apparent to the Commissioner
that the documents were either received by the FSA from HSBC or the
information they contained was sourced from HSBC.
Section 348 (1) states that confidential information must not be
disclosed without the consent of the person from whom the
information was obtained from (and if different the person to whom
the information relates). The FSA had approached HSBC to ascertain
whether or not the bank would consent to disclosing the information
and HSBC declined.
The Commissioner found that the information was covered by
section 348 of the FSMA and therefore section 44 of the Act was
engaged. The Act provided an absolute exemption and there was
therefore no requirement to consider the public interest test.
Summary
Banks and financial institutions are not normally affected by
the Act but they should be aware of when it might come into play.
If a public authority, bank or financial institution believes that
the Act could be invoked by third parties making a request under
the Act then they should have procedures in place to deal with such
requests.
Jimmy Desai is a partner in Blake
Lapthorn.
|