Your privacy #
WhatDoTheyKnow is run by mySociety, a project of the charity UK Citizens Online Democracy.
For full details of mySociety's structure, governance, and details of the relevant registrations with the Information Commissioner and The Charity Commission see: Who makes WhatDoTheyKnow?.
We hope it covers everything you need to know, but if you still have any questions please feel free to contact us.
What personal information we collect #
When you make an FOI request #
In using WhatDoTheyKnow to send an FOI request, you are providing us with the following personal information:
- Your name
- Your email address
- Your IP address
Some of this information is passed on to the public authority who receive your request, and is published on the website. This page explains:
- what we do with each type of information
- who sees it
- how it is used
- how long it is retained
- our protocols for altering or removing information
- what to do if you are unhappy with the way we have handled your data
When you email WhatDoTheyKnow through our contact form, directly, or via mySociety #
Support mail is handled by the WhatDoTheyKnow volunteer admin team via a central mailbox, which they must access with adherence to our strict security protocols.
As with any other email, this results in us holding your email address and, if provided, your name, along with the content of your message.
Who gets to see your personal information #
Your name #
When you submit an FOI request through WhatDoTheyKnow, your name (or the name you are making your request under) is:
- sent to the public authority, and
- published on the website along with the request.
See this section for more information on why this is the case.
Your email address #
Your email address is not shared with the public authority, nor is it published on the website. WhatDoTheyKnow automatically generates a @whatdotheyknow.com email address specific to each request — your message will have this address in the ‘from’ line and it’s also the address that responses are sent to.
When the public authority replies via this custom email address, their response is published on your request’s page on WhatDoTheyKnow.com. At the same time, our system alerts you, by sending a message to the personal email address you have provided when creating your request, to let you know there is a response: this too is an automated process.
So, your email address is largely kept private. There are two exceptions to this. Firstly, site administrators may access your email address in the process of administering the site, and may use your email address to contact you about your use of the site. We also occasionally contact users who have made a particularly interesting request, as we like to write about these on the mySociety blog.
Secondly, if you send a message to another user on the site, your email address is shared with them. You’ll see an alert to warn you of this before you submit your message.
We will not disclose your email address to anyone else unless we are obliged to by law, or you ask us to.
Will your email address be used for any other purposes?
No. After you sign up to WhatDoTheyKnow we will only send you emails relating to a request you made, an email alert that you have signed up for, or for other reasons that you specifically authorise. We will never give or sell your email addresses to anyone else, unless we are obliged to by law, or you ask us to.
In theory, spam could be received via the ‘send this user an email’ function. Abuse of this service is not common and you can report any messages which you consider inappropriate to us via the Contact Us form. Upon consideration, we may suspend users who have abused this service.
Your request #
Your request is sent to the public authority from whom you are requesting information. At the same time, it is published on this website where anyone can see it.
Your IP address #
The IP address associated with your use of the site (which may or may not be sufficient to identify you, depending on circumstances), is recorded automatically to our logs. It will not normally be seen by anyone - see the section on our own logging for more information.
We do not share IP addresses with anyone else unless required to by law (for example in the course of a police investigation for which a court order has been received).
Your postal address #
You do not need to supply a postal address in order to make an FOI request. If a public authority asks you for your full, physical address, reply to them saying that section 8.1.b of the FOI Act asks for an "address for correspondence", and that the email address you are using is sufficient.
- The Ministry of Justice has guidance on this– “As well as hard copy written correspondence, requests that are transmitted electronically (for example, in emails) are acceptable ... If a request is received by email and no postal address is given, the email address should be treated as the return address.”
- The Information Commissioner’s Hints for Practitioners say “A request must ... include an address for correspondence. This need not be the person’s residential or work address - it can be any address at which you can write to them, including a postal address or email address;”
Paragraph 107 of the Information
Commissioner’s Guidance on recognising a request under the Freedom
of Information Act now contains a section specifically on
WhatDoTheyKnow which states:
With respect to the address for correspondence, we consider the
@whatdotheyknow.comemail address provided to authorities when requests are made through the site to be a valid contact address for the purposes of Section 8(1)(b).
What to do if the authority asks for a postal address to send a paper response #
If an authority only has a paper copy of the information that you want, they may ask you for a postal address. Naturally, since one of the principles of WhatDoTheyKnow is that, by sharing responses to FOI requests, we are providing resources for everyone to use, we prefer that they provide the information by email.
So you might try persuading them to scan in the documents for you. You can even offer to gift them a scanner.
If that doesn’t work, and you want to provide your postal address privately in order to receive the documents, mark your request as “They are going to reply by post”, and it will give you an email address to use for that purpose.
Our own logging #
In addition to the information you give us about yourself in order to use the site (e.g. your name and email address), we collect and log some additional information in order to analyse and fix problems with the site.
Our webserver logs maintain a history of page requests. This includes information about requests, including the client IP address, data submitted (which might include your email address when you log on to the site), request date and time, page requested, browser version and referrer. We routinely keep this information for 60 days. Note that in normal circumstances, this data is infrequently accessed by a human, and when it is, they are likely to be assessing it in bulk, in order to understand an issue with the site, rather than at a granular level of individual users.
mySociety sometimes analyses data such as requests and responses from WhatDoTheyKnow for research. We adhere to strict internal privacy policies which mean that any personal data is kept secure. Data such as names and email addresses is excluded from the research datasets, and where possible redacted from the body of the text.
We would also like to share non-personal data from WhatDoTheyKnow with external researchers and are currently working on a policy which will allow us to take precautions against the release of sensitive personal information in cases where such data has been released in error. These precautions include excluding certain file attachments that could contain unintended releases but have low research value (such as Excel XLS or CSV files); a delay of 3 months to give time for leaks to be detected; and maintaining a register of researchers who have access to the datasets. Data passed to third parties will never exceed what is publically available on the website.
When it is complete, our Research Data Release policy will be available on request.
Encrypted Transfer of Data #
Sometimes we will want to send a copy of sensitive material to the Information Commissioner to assist them with their investigation into a public body’s breach of the Data Protection Act or the General Data Protection Regulations. In the case of bulk sensitive personal information we do this by encrypting the data with an AES algorithm using at least a 256bit key. The encrypted data will be sent by email or made available for download via the web, FTP or USB and the decryption password is provided via a separate channel.
Why do users’ names and requests appear publicly on the site? #
Your name is an integral part of your request, so has to be published with it. It is only fair, as we are also going to publish the name of the civil servant who writes the response to your request. Using your real name also helps people get in touch with you to assist you with your research or to campaign with you.
But perhaps most importantly, it means that our users think twice before making a request: if you know that your name will be permanently attached to it for all to see, then you are far more likely to make a responsible, valid and useful request.
By law, you must use your real name for the request to be a valid Freedom of Information request — but see the next question for alternatives if you do not want to publish your full name.
Your requests will be grouped together and appear on your profile on the site.
Can FOI requests be made under a pseudonym? #
Technically, you must use your real name for your request to be a valid Freedom of Information request in law. See this guidance from the Information Commissioner (October 2007). However, the same guidance also says it is good practice for the public authority to still consider a request made using an obvious pseudonym. You should refer to this if a public authority refuses a request because you used a pseudonym.
Be aware, though, that even if the authority follows this good practice, the pseudonym will probably make it impossible for you to complain to the Information Commissioner later about the handling of your request.
There are several good alternatives to using a pseudonym.
- Use a different form of your name. The guidance says that “Mr Arthur Thomas Roberts” can make a valid request as “Arthur Roberts”, “A. T. Roberts”, or “Mr Roberts”, but not as “Arthur” or “A.T.R.”.
- Women may use their maiden name.
- In most cases, you may use any name by which you are “widely known and/or is regularly used”.
- Use the name of an organisation, the name of a company, the trading name of a company, or the trading name of a sole trader.
- Ask someone else to make the request on your behalf.
- You may, if you are really stuck, ask us to make the request on your behalf. Please contact us with a good reason why you cannot make the request yourself and cannot ask a friend to. Do not impersonate someone else. This is an abuse of our terms of service - read more in our House Rules.
Historically, some public authorities used mySociety’s FOI Register software (which has since been discontinued) in order to use WhatDoTheyKnow as a disclosure log for all their FOI activity. When people made requests to the authority their names were usually withheld from publication just as they would in an authority disclosure log on an authority website.
Sometimes, for various reasons including proven endangerment to the individual, we will remove a user’s name from the site; when we do so we make this clear; typically by replacing the name with “[name removed]”. For more information, see our section on your right to erasure.
What are the possible or definite consequences of using WhatDoTheyKnow? #
When making an FOI request #
As you have seen from the points above, using WhatDoTheyKnow results in the publication of your name and request online, in most cases permanently. Some possible consequences of this are:
- Your request appearing in results when your name is put into search engines.
- Contact from others with an interest in your request, potentially including the press, via the user contact facility.
When registering with the site #
Creating an account on the site allows you to make FOI requests, but it’s also a required step for those who wish to sign up for email alerts (“following” a specific request, user or authority) or add annotations to request pages.
- We collect your name and email address; these are only looked at if there’s a problem with an account.
- Users with accounts gain a public profile page on the site: this may be accessed by anyone who clicks on the name attached to any FOI request you have sent through the site or any annotation you have made.
Your profile page displays:
- Your name
- The date you joined the site
- Any text you provide to describe yourself
- A list of the requests and annotations you have made
The page does not display your email address, but does allow others to get in touch with you via a messaging system.
The page does not display details of alerts you have subscribed to, although these are visible to you (and only you) when you are logged in.
This data (your name, email address, alert subscriptions) is not used for any purpose other than the running of the site and will not be shared externally.
Retention periods #
FOI requests #
As detailed above, sending an FOI request through this site results in your name and email address being stored, along with the body of your request, on our servers. Your email address is accessible only to site administrators. At the current time, the policy is to retain this information indefinitely.
Information released inadvertently in breach of data protection law #
Sometimes public bodies accidentally release personal data in bulk. WhatDoTheyKnow does not want to hold this information longer than necessary and treats it with due care.
Volunteers will only download from WhatDoTheyKnow whatever information is necessary to handle a suspected breach of the data protection law by an authority, encrypting the data using a strong algorithm, protecting their device with a strong password, and deleting the data as soon as possible and in all circumstances within four hours. If the data needs to be retained after that period, it is kept on mySociety’s servers and mySociety is responsible for holding and deleting it.
For material that needs to be retained for a relatively short period e.g. where we give the ICO four weeks to request the material from us before we delete it, the material will remain hidden on WhatDoTheyKnow and will usually be deleted at the end of the retention period. In exceptional circumstances, such as where we are in correspondence with the ICO about the case, we may extend the retention period.
In any, rare, case where a retention period over four weeks is deemed necessary and it is considered the release of the material is would pose a significant risk of harm, mySociety staff are responsible for moving the material to non-web accessible storage on mySociety’s servers and deleting it when the retention period is complete.
Support emails #
We retain emails sent to and from this central mailbox for two years — correspondence is automatically and permanently deleted after that point, although any email that needs to be kept on file for specific legal reasons, such as in-progress police investigations or lawsuits, is retained separately. Misdirected mail of a sensitive nature, such as a request for help with personal circumstances, is kept for a shorter period of thirty days.
Legal basis for processing #
In using WhatDoTheyKnow to make your FOI request, you are consenting to your data being processed as described on this page. In most cases the legal basis for this processing is Legitimate Interests (this is as laid out in 6(1)(f) – of the GDPR, in force from 25 May 2018). We believe that we are pursuing a legitimate interest in processing your personal data to provide the service to your benefit and the benefit of society. There is a benefit to you in that we offer an easy way to make and track Freedom of Information requests. The service also has a benefit to the public as any information released in response to the request is publicly available in a historic archive for anyone to use. There is also a benefit to authorities responding to requests, in that the automatic publication of the requests reduces duplicate requesting. We believe that our processing of your data is as you would expect when you use the service.
On rare occasions the legal basis of Compliance With a Legal Obligation will apply when we are legally obliged to hold material, for example where a court order has been issued (6(1)(c) of the GDPR).
Your rights #
Your right to erasure #
See also your right to object.
Your own requests, annotations and user profile
WhatDoTheyKnow, as well as providing a service by which you can easily make an FOI request, also acts as an online archive of information.
Requests We publish your request on the internet so that anybody can read it and make use of the information that you have found. Even though you may not find the response to a request useful any more, it may be of interest to others, and may have been used to support research, news articles, lobbying or other activities. For this reason, we will not normally delete the substance of requests and responses.
Names If you have made requests for information via our site and are considering asking us to remove your name, please do take a moment to reflect and reconsider. Typically Freedom of Information requests made via our service form a positive part of an individual’s online footprint; a public record of civic activism is something to be proud of.
That said, we understand that there can be good reasons why you may want us to remove your name and will make our best efforts to do so if you ask us to. Similarly, we may also remove other personal information. Note that if your name has been released as part of an authority’s response, we may not be able to remove it easily, however we will of course consider formal “right to be forgotten” / “right of erasure” requests and remove material if we are unable to justify continuing to hold and process it.
If you’re worried about your name being associated with your request, and you’ve not made it yet, then see our advice on using pseudonyms.
Email addresses We also hold your email address. If you ask us to cease holding your email address while you are awaiting a response, we will not be able to notify you when a response does come in. For this reason we strongly advise keeping an active email address associated with your account while you have correspondence in progress. As a user you can change the email address associated with your account at any time yourself, or you can get in touch with us an ask us to remove your email address from your account.
Other information we hold on users of our service is described under: “When registering with the site” and “Our own logging”. As a user you can view and edit much of this material yourself, but if you feel the need to ask us to delete material do get in touch.
Removal of personal information from requests and responses
If you see any personal information about you on the site which you’d like us to remove or hide, then please let us know. Specify exactly what information you believe to be problematic and why, and let us know where it appears on the site.
We will consider any such notice, and balance it against any public interest in publishing the material. There is some guidance about this on the ICO’s website.
If it is sensitive personal information that has been accidentally posted, then we will usually remove it. Normally we will only consider requests to remove personal information which come from the individual concerned, but for sensitive information or large volumes of breached personal data we would appreciate being notified by anyone.
Removal of public servants’ personal information from responses
We automatically publish responses to requests made through the site in full. Where these responses include the personal information of public servants, we consider the legal basis for our processing of this information to be that we have a legitimate interest as described in Article 6(1)(f) of the GDPR). Our legitimate interest is in benefiting society by preserving and promoting transparency and openness, and the accountability of those in positions of power and in maintaining a historic public archive of Freedom of Information requests and responses. We will consider requests to remove the names of public servants when it seems that the interests, rights and freedoms of the data subject outweigh the public interest in publishing.
This means that:
- If you are a decision-maker of any seniority, or if you are responding to an FOI request, we will not normally remove your details from documents and emails sent by a public body or from FOI requests. Accountability of decision-making is at the heart of good government.
- If you hold a junior, non-decision making post we will consider requests to remove your details. Removing these details is time-consuming for our volunteers, so please let us know why this really matters to you. If we are not required to act by law but agree to remove your details we will take reasonable steps to do so — but in some cases may not be able to as it can be difficult to remove material from some types of document, such as images and PDFs.
We are happy try to assist FOI officers who want us to help them remove their signatures from the website, but generally in such circumstances we require replacement responses to be prepared and sent to the requester before we will remove the original documents. We are generally unable to edit attachments which have been released via our service.
Your right to access #
You may contact us at any time to ask to see what personal data we hold about you. If you have used our service to make a request, then the vast majority of information we hold about you is shown publicly on our website or visible to you on your user profile.
Your right to object #
See also your right to erasure.
The General Data Protection Regulation gives you the right to object to our processing of your personal information and to ask us to stop processing it. However, it also gives us the right to continue to process it if we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms. To exercise your right to object, you must contact us, giving specific reasons why you are objecting to the processing of your personal data. These reasons should be based upon your particular situation.
Your right to lodge a complaint #
You have the right to complain if you believe that we have mishandled your personal data. For the UK, the relevant supervisory body is the Information Commissioner’s Office. You can report a concern here (but do contact us first, so that we can try and help — see our complaints procedure here).
Cookies and third party services #
To make our service easier or more useful, we sometimes place small data files on your computer or mobile phone, known as cookies; this is very common practice and most websites do this.
Cookies help our websites to, for example, remember that you have logged in so you don’t need to do that on every page, or to measure how people use the website so we can improve it and make sure it works properly. Below, we list the cookies and services that this site may use.
|_wdtk_cookie_session||A random unique identifier||When web browser is closed, or 1 month if ‛Remember me’ is used|
|seen_foi2||The number 1 if you have seen a notice||7 days|
|has_seen_country_message||The number 1 if you have seen a notice about FOI services in other countries||1 year|
|last_request_id||A number, identifying the last FOI request you looked at on the site||When web browser is closed|
|last_body_id||A number, identifying the last public authority you looked at on the site||When web browser is closed|
|widget_vote||A random identifier for an ‛I also want to know’ vote you've made for a request||When web browser is closed|
Measuring website usage (Google Analytics)
We use Google Analytics to collect information about how people use this site. We do this to make sure it’s meeting its users’ needs and to understand how we could do better. Google Analytics stores information such as what pages you visit, how long you are on the site, how you got here, what you click on, and information about your web browser. IP addresses are masked (only a portion is stored) and personal information is only reported in aggregate. We do not allow Google to use or share our analytics data for any purpose besides providing us with analytics information, and we recommend that any user of Google Analytics does the same.
If you’re unhappy with data about your visit to be used in this way, you can install the official browser plugin for blocking Google Analytics.
The cookies set by Google Analytics are as follows:
|__utma||Unique anonymous visitor ID||2 years|
|__utmb||Unique anonymous session ID||30 minutes|
|__utmz||Information on how the site was reached (e.g. direct or via a link/search/advertisement)||6 months|
|__utmx||Which variation of a page you are seeing if we are testing different versions to see which is best||2 years|
Google’s Official Statement about Analytics Data
Measuring website performance (New Relic)
WhatDoTheyKnow uses New Relic to collect data on the performance of the site - how quickly it sends pages and how much memory and processing power it takes on the computers that run it. We do this to ensure that the site runs quickly and efficiently. New Relic stores information on:
- What pages are visited on the site, and how long they take to load.
- The structure, not the content, of database queries made in order to run the site and how long they take to run.
- Memory and CPU usage on the servers that run the site.
Sample data about database queries, individual requests for pages is stored by New Relic for 7 days, aggregate data is stored for a maximum of 90 days.
Bits of wording taken from the gov.uk cookies page (under the Open Government Licence).
Learn more from the help for FOI officers -->