Your privacy #
WhatDoTheyKnow is run by the charity mySociety.
For full details of mySociety’s structure, governance, and details of the relevant registrations with the Information Commissioner and The Charity Commission see: Who makes WhatDoTheyKnow?.
We hope it covers everything you need to know, but if you still have any questions please feel free to contact us.
What personal information we collect #
When you make an FOI request #
In using WhatDoTheyKnow to send an FOI request, you are providing us with the following personal information:
- Your name
- Your email address
- Your IP address
Some of this information is passed on to the public authority who receive your request, and is published on the website. This page explains:
- what we do with each type of information
- who sees it
- how it is used
- how long it is retained
- our protocols for altering or removing information
- what to do if you are unhappy with the way we have handled your data
When you email WhatDoTheyKnow through our contact form, directly, or via mySociety #
Support mail is handled by the WhatDoTheyKnow volunteer admin team via a central mailbox, which they must access with adherence to our strict security protocols.
As with any other email, this results in us holding your email address and, if provided, your name, along with the content of your message.
Who gets to see your personal information #
Your name #
When you submit an FOI request through WhatDoTheyKnow, your name (or the name you are making your request under) is:
- sent to the public authority, and
- published on the website along with the request.
See this section for more information on why this is the case.
Your email address #
Your email address is not shared with the public authority, nor is it published on the website. WhatDoTheyKnow automatically generates a @whatdotheyknow.com email address specific to each request — your message will have this address in the ‘from’ line and it’s also the address that responses are sent to.
When the public authority replies via this custom email address, their response is published on your request’s page on WhatDoTheyKnow.com. At the same time, our system alerts you, by sending a message to the personal email address you have provided when creating your request, to let you know there is a response: this too is an automated process.
So, your email address is largely kept private. There are two exceptions to this. Firstly, site administrators may access your email address in the process of administering the site, and may use your email address to contact you about your use of the site. We also occasionally contact users who have made a particularly interesting request, as we like to write about these on the mySociety blog.
Secondly, if you send a message to another user on the site, your email address is shared with them. You’ll see an alert to warn you of this before you submit your message.
We will not disclose your email address to anyone else unless we are obliged to by law, or you ask us to.
Will your email address be used for any other purposes?
No. After you sign up to WhatDoTheyKnow we will only send you emails relating to a request you made, an email alert that you have signed up for, or for other reasons that you specifically authorise. We will never give or sell your email addresses to anyone else, unless we are obliged to by law, or you ask us to.
In theory, spam could be received via the ‘send this user an email’ function. Abuse of this service is not common and you can report any messages which you consider inappropriate to us via the Contact Us form. Upon consideration, we may suspend users who have abused this service.
Your request #
Your request is sent to the public authority from whom you are requesting information. At the same time, it is published on this website where anyone can see it.
Your IP address #
The IP address associated with your use of the site (which may or may not be sufficient to identify you, depending on circumstances), is recorded automatically to our logs. It will not normally be seen by anyone - see the section on our own logging for more information.
We do not share IP addresses with anyone else unless required to by law (for example in the course of a police investigation for which a court order has been received).
Your postal address #
You do not need to supply a postal address in order to make an FOI request. If a public authority asks you for your full, physical address, reply to them saying that section 8.1.b of the FOI Act asks for an "address for correspondence", and that the email address you are using is sufficient.
- The Ministry of Justice has guidance on this– “As well as hard copy written correspondence, requests that are transmitted electronically (for example, in emails) are acceptable ... If a request is received by email and no postal address is given, the email address should be treated as the return address.”
- The Information Commissioner’s guidance for organisations says “A request must ... include an address for correspondence. This need not be the person’s residential or work address - it can be any address at which you can write to them, including a postal address or email address;”
Paragraph 107 of the Information
Commissioner’s Guidance on recognising a request under the Freedom
of Information Act now contains a section specifically on
WhatDoTheyKnow which states:
With respect to the address for correspondence, we consider the
@whatdotheyknow.comemail address provided to authorities when requests are made through the site to be a valid contact address for the purposes of Section 8(1)(b).
What to do if the authority asks for a postal address to send a paper response #
If an authority only has a paper copy of the information that you want, they may ask you for a postal address. Naturally, since one of the principles of WhatDoTheyKnow is that, by sharing responses to FOI requests, we are providing resources for everyone to use, we prefer that they provide the information by email.
So you might try persuading them to scan in the documents for you. You can even offer to gift them a scanner.
If that doesn’t work, and you want to provide your postal address privately in order to receive the documents, mark your request as “They are going to reply by postal mail”, and it will give you an email address to use for that purpose.
Our own logging #
In addition to the information you give us about yourself in order to use the site (e.g. your name and email address), we collect and log some additional information in order to analyse and fix problems with the site.
Our webserver logs maintain a history of page requests. This includes information about requests, including the client IP address, data submitted (which might include your email address when you log on to the site), request date and time, page requested, browser version and referrer. We routinely keep this information for 60 days. Note that in normal circumstances, this data is infrequently accessed by a human, and when it is, they are likely to be assessing it in bulk, in order to understand an issue with the site, rather than at a granular level of individual users.
mySociety sometimes analyses data such as requests and responses from WhatDoTheyKnow for research. We adhere to strict internal privacy policies which mean that any personal data is kept secure. Data such as names and email addresses is excluded from the research datasets, and where possible redacted from the body of the text.
We would also like to share non-personal data from WhatDoTheyKnow with external researchers where appropriate, in order to assist them with their work. When we do this we follow our Research Data Release Policy to ensure we take sensible precautions against the release of sensitive personal information in cases where such data has been released in error.
These precautions include excluding certain file attachments that could contain unintended releases but have low research value (such as Excel XLS or CSV files); a delay of 3 months to give time for leaks to be detected; and maintaining a register of researchers who have access to the datasets. Data passed to third parties will never exceed what is publically available on the website.
Encrypted Transfer of Data #
Sometimes we will want to send a copy of sensitive material to the Information Commissioner to assist them with their investigation into a public body’s breach of the Data Protection Act or the General Data Protection Regulations. In the case of bulk sensitive personal information we do this by encrypting the data with an AES algorithm using at least a 256bit key. The encrypted data will be sent by email or made available for download via the web, FTP or USB and the decryption password is provided via a separate channel.
WhatDoTheyKnow and young people #
WhatDoTheyKnow.com is not specifically designed for the use of people under the age of eighteen, nor is it actively marketed to them..
Use of the site by children and young people #
We are aware that children and young people may use our services in a wide range of circumstances including:
- When coming across content as a result of a web search, for schoolwork or personal purposes
- As a result of a particular interest in politics or civic matters
- When seeking information to help them make informed decisions about their lives, such as making requests for university admissions data
We consider it important to recognise that children and young people gain rights and responsibilities as they mature and it would be wrong to deny our service to anyone based merely on their age.
Removal of material relating to children and young people #
The personal data of children and young people may appear in requests and responses published on WhatDoTheyKnow. In this instance we are referring to those aged 18 and under.
As we operate a reactive moderation policy, we only deal with issues which are drawn to our attention; we encourage those with concerns about our processing of information relating to children and young people to get in touch (there is a report function on every message and annotation on WhatDoTheyKnow).
We recognise the sensitive nature of personal data relating to children and young people, and give particular weight to protecting their interests..
In our experience, the majority of personal information relating to children released via WhatDoTheyKnow.com is pseudonymised.
There can be significant public interest in such data, for example it may deal with ensuring the safety of healthcare practices; oversight of the policing and justice system; or seeking equitable access to educational opportunities.
Improving safety and fairness for children and young people are among the potential benefits of making such data available.
The right to erasure #
Children and young people have rights in respect of their personal data, as adults do, and we treat rights-based requests from, or on behalf of, children and young people accordingly.
Across all of these areas, we take into account guidance available from a range of sources, including the relevant rights-based requests BBC editorial guidelines, and policies as well as the Information Commissioner’s general guidance on the protection of children’s data and more specific guidance such as that on publication of exam results.
Why do users’ names and requests appear publicly on the site? #
Your name is an integral part of your request, so has to be published with it. It is only fair, as we are also going to publish the name of the civil servant who writes the response to your request. Using your real name also helps people get in touch with you to assist you with your research or to campaign with you.
But perhaps most importantly, it means that our users think twice before making a request: if you know that your name will be permanently attached to it for all to see, then you are far more likely to make a responsible, valid and useful request.
By law, you must use your real name for the request to be a valid Freedom of Information request — but see the next question for alternatives if you do not want to publish your full name.
Your requests will be grouped together and appear on your profile on the site.
Can FOI requests be made under a pseudonym? #
Technically, you must use your real name for your request to be a valid Freedom of Information request in law. See this guidance from the Information Commissioner (November 2016). However, the same guidance also says it is good practice for the public authority to still consider a request made using an obvious pseudonym. You should refer to this if a public authority refuses a request because you used a pseudonym.
Be aware, though, that even if the authority follows this good practice, the pseudonym will probably make it impossible for you to complain to the Information Commissioner later about the handling of your request.
There are several good alternatives to using a pseudonym.
- Use a different form of your name. The guidance says that Robert Jones” can make a valid request as "Bob Jones", "Bobby Jones", “Rob Jones”, "R. Jones" or “Mr Jones”, but not as "Bob", “Bobby”, "Robert" or "R.J.".
- Women may use their maiden name.
- In most cases, you may use any name by which you are “widely known and/or is regularly used”.
- Use the name of an organisation, the name of a company, the trading name of a company, or the trading name of a sole trader.
- Ask someone else to make the request on your behalf.
- You may, if you are really stuck, ask us to make the request on your behalf. Please contact us with a good reason why you cannot make the request yourself and cannot ask a friend to. Do not impersonate someone else. This is an abuse of our terms of service - read more in our House Rules.
Historically, some public authorities used mySociety’s FOI Register software (which has since been discontinued) in order to use WhatDoTheyKnow as a disclosure log for all their FOI activity. When people made requests to the authority their names were usually withheld from publication just as they would in an authority disclosure log on an authority website.
Sometimes, for various reasons including proven endangerment to the individual, we will remove a user’s name from the site; when we do so we make this clear; typically by replacing the name with “[name removed]”. For more information, see our section on your right to erasure.
What are the possible or definite consequences of using WhatDoTheyKnow? #
When making an FOI request #
As you have seen from the points above, using WhatDoTheyKnow results in the publication of your name and request online, in most cases permanently. Some possible consequences of this are:
- Your request appearing in results when your name is put into search engines.
- Contact from others with an interest in your request, potentially including the press, via the user contact facility.
When registering with the site #
Creating an account on the site allows you to make FOI requests, but it’s also a required step for those who wish to sign up for email alerts (“following” a specific request, user or authority) or add annotations to request pages.
- We collect your name and email address; these are only looked at if there’s a problem with an account.
- Users with accounts gain a public profile page on the site: this may be accessed by anyone who clicks on the name attached to any FOI request you have sent through the site or any annotation you have made.
Your profile page displays:
- Your name
- The date you joined the site
- Any text you provide to describe yourself
- A list of the requests and annotations you have made
The page does not display your email address, but does allow others to get in touch with you via a messaging system.
The page does not display details of alerts you have subscribed to, although these are visible to you (and only you) when you are logged in.
This data (your name, email address, alert subscriptions) is not used for any purpose other than the running of the site and will not be shared externally.
Retention periods #
FOI requests #
As detailed above, sending an FOI request through this site results in your name and email address being stored, along with the body of your request, on our servers. Your email address is accessible only to site administrators. At the current time, the policy is to retain this information indefinitely.
Information released inadvertently in breach of data protection law #
Sometimes public bodies accidentally release personal data in bulk. WhatDoTheyKnow does not want to hold this information longer than necessary and treats it with due care.
Volunteers will only download from WhatDoTheyKnow whatever information is necessary to handle a suspected breach of the data protection law by an authority, encrypting the data using a strong algorithm, protecting their device with a strong password, and deleting the data as soon as possible and in all circumstances within four hours. If the data needs to be retained after that period, it is kept on mySociety’s servers and mySociety is responsible for holding and deleting it.
For material that needs to be retained for a relatively short period e.g. where we give the ICO four weeks to request the material from us before we delete it, the material will remain hidden on WhatDoTheyKnow and will usually be deleted at the end of the retention period. In exceptional circumstances, such as where we are in correspondence with the ICO about the case, we may extend the retention period.
In any, rare, case where a retention period over four weeks is deemed necessary and it is considered the release of the material would pose a significant risk of harm, mySociety staff are responsible for moving the material to non-web accessible storage on mySociety’s servers and deleting it when the retention period is complete.
Support emails #
We retain emails sent to and from this central mailbox for two years — by default correspondence is automatically and permanently deleted after that point. Any email that needs to be kept on file for specific reasons, such monitoring our complaints and abuse handling processes and legal compliance, or responding to in-progress police investigations or lawsuits, is retained separately. Misdirected mail of a sensitive nature, such as a request for help with personal circumstances, is kept for a shorter period of thirty days.
Legal basis for processing #
In most cases our legal basis for processing personal information is "legitimate interest" (this is as laid out in 6(1)(f) – of the UK GDPR. We believe that we are pursuing a legitimate interest in processing personal data to provide our service to benefit of our users and the benefit of society. There is a benefit to our users in that we offer an easy way to make, track and publish Freedom of Information requests. The service also has a benefit to the public as any information released in response to the request is publicly available in a historic archive for anyone to use. There is also a benefit to authorities responding to requests, in that the automatic publication of the requests reduces duplicate requesting.
We believe that our processing of our users’ data is as they would expect when they use our service. We make clear how we handle users’ data, and link to this page, at appropriate places within our service, including during the process of signing up, and making a request.
On rare occasions the legal basis of "compliance with a legal obligation" will apply when we are legally obliged to hold material, for example where a court order has been issued (6(1)(c) of the UK GDPR).
In almost all cases our processing of personal information will be lawful under Article 6 of the UK GDPR but we may also rely on the "special purposes" derogations in the Data Protection Act 2018, especially those applying to academic and journalistic purposes. Often use of our service is academic or journalistic in nature, and the provision of our service as a whole may be considered a journalistic endeavour.
Your rights #
Your right to erasure #
See also your right to object.
Your own requests, annotations and user profile
WhatDoTheyKnow, as well as providing a service by which you can easily make an FOI request, also acts as an online archive of information.
Requests We publish your request on the internet so that anybody can read it and make use of the information that you have found. Even though you may not find the response to a request useful any more, it may be of interest to others, and may have been used to support research, news articles, lobbying or other activities. For this reason, we will not normally delete the substance of requests and responses.
Names If you have made requests for information via our site and are considering asking us to remove your name, please do take a moment to reflect and reconsider. Typically Freedom of Information requests made via our service form a positive part of an individual’s online footprint; a public record of civic activism is something to be proud of.
That said, we understand that there can be good reasons why you may want us to remove your name and will make our best efforts to do so if you ask us to. Similarly, we may also remove other personal information. Note that if your name has been released as part of an authority’s response, we may not be able to remove it easily, however we will of course consider formal “right to be forgotten” / “right of erasure” requests and remove material if we are unable to justify continuing to hold and process it.
If you’re worried about your name being associated with your request, and you’ve not made it yet, then see our advice on using pseudonyms.
Email addresses We also hold your email address. If you ask us to cease holding your email address while you are awaiting a response, we will not be able to notify you when a response does come in. For this reason we strongly advise keeping an active email address associated with your account while you have correspondence in progress. As a user you can change the email address associated with your account at any time yourself, or you can get in touch with us an ask us to remove your email address from your account.
Other information we hold on users of our service is described under: “When registering with the site” and “Our own logging”. As a user you can view and edit much of this material yourself, but if you feel the need to ask us to delete material do get in touch.
Removal of personal information from requests and responses
If you see any personal information about you on the site which you’d like us to remove or hide, then please let us know. Specify exactly what information you believe to be problematic and why, and let us know where it appears on the site.
We will consider any such notice, and balance it against our legitimate interests in processing the material. There is some guidance about this on the ICO’s website.
If it is sensitive personal information that has been accidentally posted, then we will usually remove it. Normally we will only consider requests to remove personal information which come from the individual concerned, but for sensitive information or large volumes of breached personal data we would appreciate being notified by anyone.
Removal of public servants’ personal information from responses #
We automatically publish responses to requests made through the site in full. Where these responses include the personal information of public servants, we consider the legal basis for our processing of this information to be that we have a legitimate interest as described in Article 6(1)(f) of the UK GDPR). Our legitimate interest is in benefiting society by preserving and promoting transparency and openness, and the accountability of those in positions of power and in maintaining a historic public archive of Freedom of Information requests and responses. We will consider requests to remove the names of public servants when it seems that the interests, rights and freedoms of the data subject outweigh the public interest in publishing.
This means that:
- If you are a decision-maker of any seniority, or if you are responding to an FOI request, we will not normally remove your details from documents and emails sent by a public body or from FOI requests. Accountability of decision-making is at the heart of good government.
- If you hold a junior, non-decision making post we will consider requests to remove your details. Removing these details is time-consuming for our volunteers, so please let us know why this really matters to you. If we are not required to act by law but agree to remove your details we will take reasonable steps to do so — but in some cases may not be able to as it can be difficult to remove material from some types of document, such as images and PDFs.
We are happy try to assist FOI officers who want us to help them remove their signatures from the website, but generally in such circumstances we require replacement responses to be prepared and sent to the requester before we will remove the original documents. We are generally unable to edit attachments which have been released via our service.
Your right to access #
You may contact us at any time to ask to see what personal data we hold about you. If you have used our service to make a request, then the vast majority of information we hold about you is shown publicly on our website or visible to you on your user profile.
Your right to object #
See also your right to erasure.
The General Data Protection Regulations (UK GDPR) give you the right to object to our processing of your personal information and to ask us to stop processing it. However, it also gives us the right to continue to process it if we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms. To exercise your right to object, you must contact us, giving specific reasons why you are objecting to the processing of your personal data. These reasons should be based upon your particular situation.
Your right to lodge a complaint #
In the UK, the relevant supervisory body is the Information Commissioner’s Office (ICO). Our data protection registration number is ZA9602302.
You can contact the ICO using any of the following methods:
- Online: https://ico.org.uk/make-a-complaint/
- Phone: (0303) 123 1113
- Post: Information Commissioner’s Office, Wycliffe House, Water Lane, WILMSLOW, SK9 5AF
Cookies and third party services #
To make our service easier or more useful, we sometimes place small data files on your computer or mobile phone, known as cookies; this is very common practice and most websites do this.
Cookies help our websites to, for example, remember that you have logged in so you don’t need to do that on every page, or to measure how people use the website so we can improve it and make sure it works properly. Below, we list the cookies and services that this site may use.
|_wdtk_cookie_session||A random unique identifier||When web browser is closed, or 1 month if ‛Remember me’ is used|
|seen_foi2||The number 1 if you have seen a notice||7 days|
|has_seen_country_message||The number 1 if you have seen a notice about FOI services in other countries||1 year|
|last_request_id||A number, identifying the last FOI request you looked at on the site||When web browser is closed|
|last_body_id||A number, identifying the last public authority you looked at on the site||When web browser is closed|
|widget_vote||A random identifier for an ‛I also want to know’ vote you’ve made for a request||When web browser is closed|
Measuring website usage (Google Analytics)
We use Google Analytics to collect information about how people use this site. We do this to make sure it’s meeting its users’ needs and to understand how we could do better. Google Analytics stores information such as what pages you visit, how long you are on the site, how you got here, what you click on, and information about your web browser. IP addresses are masked (only a portion is stored) and personal information is only reported in aggregate. We do not allow Google to store browser cookies on your machine or device. We also do not allow Google to use or share our analytics data for any purpose besides providing us with analytics information, and we recommend that any user of Google Analytics does the same.
If you’re unhappy with data about your visit to be used in this way, you can install the official browser plugin for blocking Google Analytics.
Please note that this website initialises Google Analytics with the following settings:
- This masks the last part of your IP address before any analytics data is stored.
- storage: none
- This instructs Google to not create and store browser cookies on your machine or device.
Google’s Official Statement about Analytics Data
Bits of wording taken from the gov.uk cookies page (under the Open Government Licence).
Learn more from the help for FOI officers -->