How we run WhatDoTheyKnow
WhatDoTheyKnow is administered by a small group of dedicated volunteers who have extensive knowledge and experience of Freedom of Information, and who support it. Decisions about the administration of the site are taken by these volunteers, with support from mySociety’s Chief Executive and Trustees.
Reactive moderation principle
It would be impossible for the WhatDoTheyKnow volunteer team to moderate all requests and responses before they appear on the site. We will remove inappropriate material (material that contravenes our House Rules) upon being informed, a process known as reactive moderation.
This policy is in line with the approach used by major publishers such as the BBC and the Guardian. A key reason we take this approach is to reduce the liability we have for the content posted by users on our site; this is something we need to do due to the significant financial risks involved if we were deemed to be publishing libellous material.
When we remove potentially defamatory material from our site we are not taking a view on if it is accurate or not, we don’t have the resources to investigate that.
What happens once a request is reported for attention?
Users report material on WhatDoTheyKnow for a wide range of different reasons. These include:
- Personal information which has been released by accident
- Potentially libellous or defamatory material published on the site
- Copyright material
- Vexatious requests
- Invalid requests, that is, requests that are not Freedom of Information requests
Policy as a guide, not a rigid set of rules
Our policies have developed from the consideration and discussion of cases where the right course of action has not been obvious.
These policies are not set in stone. New and unforeseen circumstances occur frequently, and while our body of policy and practice helps guide decisions, any WDTK volunteer or mySociety staff member/trustee involved is free to suggest that the right thing to do in a specific case is to make an exception and/or establish a new policy.
To discuss how to take action on a particular case that is not straightforward, volunteer administrators start an email discussion amongst the team of other volunteers and specific mySociety staff. Discussion among this group then leads to an agreed course of action.
Removal of information
Our default is to keep unproblematic information online. WhatDoTheyKnow is a permanent, public archive of Freedom of Information requests. Even though you may not find the response to your request useful any more, it may be of interest to others. For this reason, our overriding aim is not to remove substantive public information requests and responses.
However, we act quickly to remove problematic information. Once informed, the team will take prompt action to take such information down.
Not all requests to remove information from the site are straightforward. When it is not immediately obvious that the information is for example libellous or personal, the volunteer team seek to obtain further information from the complainant to fully understand exactly what information they are concerned about and what they consider to be the problem with us publishing the information.
The team always asks for the complainant to give their explanation by email, so there is a written record. Upon receiving sufficient information, the team discusses whether to take down the material amongst themselves, and where there’s an exceptional case with a wider internal group including mySociety’s Trustees and CEO via email. If we agree to remove some material we will usually request a replacement response from the authority with all the original material minus the problematic material.
If agreement cannot be reached for any reason, then mySociety’s Chief Executive will be the final arbiter.Accidentally released personal information
Sometimes public bodies mistakenly release personal information, in breach of the Data Protection Act. Once the admin team has received a notification/complaint about an accidental data release, they follow this procedure:
- The first person to see the complaint about an accidental data release will start by hiding the minimum amount of material required to excise the problem. We seek to run the site as transparently as possible so will replace the material with an explanation such as “personal information removed”, and may add an annotation explaining the problem which occured and the action taken.
- If it is technically difficult to separate properly released material from that which needs to be removed, we ask the public body to provide a replacement response.
- In the case of a serious breach we suggest that the authority self-reports to the ICO. If the authority doesn’t acknowledge the data breach we will contact the ICO ourselves.
In order for material to be removed from the site, it must be a credible accidental release and not a rethink or change of mind over a release.
The ICO requests that serious breaches of data protection are reported to them; their guidance on what constitutes serious is at: https://ico.org.uk/media/for-organisations/documents/1536/breach_reporting.pdf.
Potentially defamatory or libellous material
Unfortunately, some people use WhatDoTheyKnow to post potentially defamatory/libellous material. We take action, upon being informed, to remove this material. However, we also try to strike a balance: we don’t remove information unnecessarily if we believe that publishing it is in the public interest, or if we think there is a strong case in UK law to defend its publication.
For example we are, under some circumstances, prepared to publish:
- Potentially defamatory requests which address the performance and behaviour of public bodies.
- Requests for complaints and performance information about regulated professionals such as police officers, doctors and social workers.
As with personal information, where the decision on what to do isn’t clear cut, we discuss the matter with the wider group, including mySociety’s CEO and Trustees.
Requests to remove commercial information
Takedown requests on matters such as commercial sensitivity and confidential information such as contracts are infrequent but important. We deal with them on a case by case basis with trustees ultimately assessing the legal risk of ongoing publication.
The law prohibiting a breach of confidence is our prime concern in such cases.
It is legitimate to request copyrighted material under Freedom of Information law.
Sometimes we receive requests to take down information for copyright reasons from a public authority or from someone who holds commercial or other copyright of information on WhatDoTheyKnow.
While many responses are accompanied by a notice saying that the material provided is protected by copyright, we only consider taking content down following contact from someone raising specific concerns.
In those cases we bear in mind that our Freedom of Information law is “applicant blind”, so anyone in the world can request the same document and get a copy of it. We also want to save taxpayers’ money by preventing duplicate requests.
How do we deal with vexatious requests?
We remove vexatious requests from our site when they are drawn to our attention.
In determining if a request is vexatious (has no serious purpose, or is intended to be disruptive to the work of a public body), we make an independent judgement taking into account the ICO’s guidance on vexatious requests and don’t always follow the position of the public body.
How do we deal with requests that are not valid?
When we are made aware of it, we remove any correspondence from our site which is not a request for information that anyone could expect a substantive response to.
The vast majority of invalid “requests” are actually not Freedom of Information requests at all but correspondence relating to people’s personal circumstances.
We point users making requests for their own personal information to guidance on making Subject Access requests under the Data Protection Act and try to help others find more appropriate means of contacting public bodies.
Why do we remove email addresses and mobile phone numbers from responses?
To guard all parties against spam, and to encourage keeping all correspondence on WhatDoTheyKnow, we automatically remove most email addresses and some mobile numbers from responses to requests. For technical reasons we don’t always manage to remove them from attachments, such as certain PDFs.
Because our service automatically redacts email addresses and mobile phone numbers from responses, it isn’t well suited to making requests for contact email contacts — but if you need to know an address that we’ve removed, please get in touch with us. Occasionally, an email address forms an important part of a response and if we’re asked to reveal it we may post it in an annotation.
How do we deal with requests that are not sent successfully?
- The admin team act to re-send requests/messages when we spot failed delivery within a reasonable period of a user submitting the
- A public body or the requestor may ask us to resend a specific message and typically we will do so.
- We generally don’t resend very old correspondence, for example if there’s been a delivery failure that has gone unnoticed for many months, and the if there’s a clear bounce/error message) the request may be marked “withdrawn” on the basis of abandonment, or marked as still awaiting a response.
Membership of the admin team
The majority of WhatDoTheyKnow’s admin team are volunteers, who are active users of the site.
Volunteers are supervised and mentored by their peer volunteers, and by mySociety staff on the management and FOI team. As mySociety is a distributed organisation, this happens via the monthly WhatDoTheyKnow volunteer catchup calls, and by email or individual calls as required. Volunteers’ activity running the site, or on email lists, are visible to other members of the volunteer team, as well as mySociety staff, and anyone can speak up with suggestions for doing things differently.
When a new volunteer starts, they are asked to agree to the terms of a volunteer agreement, and the WhatDoTheyKnow password and data retention policies. Depending on the nature of their volunteering, they may have an introductory call or meeting with a current volunteer or with a member of mySociety staff.
Volunteers who will actively administer the site will be asked to join a call in which a current volunteer demonstrates the use of the WhatDoTheyKnow admin interface. If everyone concerned is comfortable, they may then be given access to the administration interface.
If you sign up for an account on WhatDotheyKnow, a profile listing any requests and annotations you have made will be publicly accessible.
Requests to remove or anonymise an account
We think that well-written requests for information on important subjects form a positive element of anyone’s “online footprint”. We hope our users’ record of actions on WhatDoTheyKnow reflects well on them and shouldn’t be something they feel the need to ask to have removed.
That said, we will, on request, change the username of an account to “name removed”, and make an attempt to remove a user’s name where it appears in the plain text of the correspondence. When we take such action we suspend the account in question and prevent any further use of it as we don’t want people interacting with public bodies via our site under the name “name removed”. Users whose accounts have been anonymised in this way are free to sign up again with a new account for any future use of our site.
If the account hasn’t been used to post anything (request or annotation) then removing it is obviously unproblematic and we do so on request.
We do not remove substantive FOI requests and responses other than in exceptional circumstances, such as where we’re required to do so by law. We, like public bodies publishing disclosure logs, don’t consider anonymised requests and responses to be users’ personal information which they have a right to have removed from our service on request.
We ban users for persistent misuse of our service (e.g. going against our House Rules). Banning or suspending users is a last resort; if possible the WhatDoTheyKnow volunteer team advise users on how to use our service in an acceptable way. This guidance is provided via email or annotations. If the user continues to abuse the service after such interventions, their account is banned. Bans without a warning can be used in cases where there’s no serious use of the service, e.g. spam accounts, or in cases of serious misuse. After an account has been banned, the WhatDoTheyKnow volunteer team write to the user to explain the reasons that led to this decision.