Your privacy
- Who gets to see my email address?
We will not disclose your email address to anyone unless we are obliged to by law, or you ask us to. This includes the public authority that you are sending a request to. The system automatically generates a @whatdotheyknow.com email address which is specific to each request — your message will have this address in the ‘from’ line and it’s also the address that responses are sent to. Our system alerts you, via the personal email address you have provided when creating your request, to let you know there is a response: this too is an automated process.
Site administrators may get to see your email address in the process of administering the site, and may use your email address to contact you about your use of the site.
On the other hand, if you send a message to another user on the site, then it will reveal your email address to them. You’ll see an alert to warn you of this before you submit your message.
- Will you send spam to my email address?
No. After you sign up to WhatDoTheyKnow we will only send you emails relating to a request you made, an email alert that you have signed up for, or for other reasons that you specifically authorise. We will never give or sell your email addresses to anyone else, unless we are obliged to by law, or you ask us to.
Site administrators may see users’ email addresses and may contact you about your use of the site. We also occasionally contact users who have made a particularly interesting request, as we like to write about these on the mySociety blog.
Other users may also contact you via the ‘send this user an email’ function. Abuse of this service is not common and you can report any messages which you consider abusive to us via the Contact Us form. Upon consideration, we may then suspend users who have abused this service.
- Why will my name and my request appear publicly on the site?
Your name is tangled up with your request, so has to be published with it. It is only fair, as we are also going to publish the name of the civil servant who writes the response to your request.
Using your real name also helps people get in touch with you to assist you with your research or to campaign with you.
But perhaps most importantly, it means that our users think twice before making a request: if you know that your name will be permanently attached to it for all to see, then you are far more likely to make a responsible, valid and useful request.
By law, you must use your real name for the request to be a valid Freedom of Information request — but see the next question for alternatives if you do not want to publish your full name.
Your requests will be grouped together and appear on your profile on the site.
- Can I make an FOI request using a pseudonym?
Technically, you must use your real name for your request to be a valid Freedom of Information request in law. See this guidance from the Information Commissioner (October 2007).
However, the same guidance also says it is good practice for the public authority to still consider a request made using an obvious pseudonym. You should refer to this if a public authority refuses a request because you used a pseudonym.
Be careful though: even if the authority follows this good practice, the pseudonym will probably make it impossible for you to complain to the Information Commissioner later about the handling of your request.
There are several good alternatives to using a pseudonym.
- Use a different form of your name. The guidance says that “Mr Arthur Thomas Roberts” can make a valid request as “Arthur Roberts”, “A. T. Roberts”, or “Mr Roberts”, but not as “Arthur” or “A.T.R.”.
- Women may use their maiden name.
- In most cases, you may use any name by which you are “widely known and/or is regularly used”.
- Use the name of an organisation, the name of a company, the trading name of a company, or the trading name of a sole trader.
- Ask someone else to make the request on your behalf.
- You may, if you are really stuck, ask us to make the request on your behalf. Please contact us with a good reason why you cannot make the request yourself and cannot ask a friend to.
Do not impersonate someone else. This is an abuse of our terms of service - read more in our House Rules.
- Why are there anonymous requests on the site?
Historically, some public authorities used mySociety’s FOI Register software (which has since been discontinued) in order to use WhatDoTheyKnow as a disclosure log for all their FOI activity. When people made requests to the authority their names were usually withheld from publication, just as they would be in an authority disclosure log on an authority website.
Sometimes, for various reasons including proven endangerment to the individual, we will remove a user’s name from the site; when we do so we make this clear, typically by replacing the name with “[name removed]”.
- They’ve asked for my postal address!
If a public authority asks you for your full, physical address, reply to them saying that section 8.1.b of the FOI Act asks for an "address for correspondence", and that the email address you are using is sufficient.
- The Ministry of Justice has guidance on this: “As well as hard copy written correspondence, requests that are transmitted electronically (for example, in emails) are acceptable ... If a request is received by email and no postal address is given, the email address should be treated as the return address.”
- The Information Commissioner’s Hints for Practitioners say “A request must ... include an address for correspondence. This need not be the person’s residential or work address - it can be any address at which you can write to them, including a postal address or email address;”
Paragraph 107 of the Information Commissioner’s Guidance on recognising a request under the Freedom of Information Act now contains a section specifically on WhatDoTheyKnow which states:
“With respect to the address for correspondence, we consider the @whatdotheyknow.com email address provided to authorities when requests are made through the site to be a valid contact address for the purposes of Section 8(1)(b).”
- The authority have asked for a postal address to send a paper response
If an authority only has a paper copy of the information that you want, they may ask you for a postal address. Naturally, since one of the principles of WhatDoTheyKnow is that, by sharing responses to FOI requests, we are providing resources for everyone to use, we prefer that they provide the information by email.
So you might try persuading them to scan in the documents for you. You can even offer to gift them a scanner.
If that doesn’t work, and you want to provide your postal address privately in order to receive the documents, mark your request as “They are going to reply by post”, and it will give you an email address to use for that purpose.
- Emails sent to the WhatDoTheyKnow team
Support mail is handled by the WhatDoTheyKnow volunteer admin team via a central mailbox, which they must access with adherence to our strict security protocols.
Retention period
We retain emails sent to and from this central mailbox for two years — correspondence is automatically and permanently deleted after that point, although any email that needs to be kept on file for specific legal reasons, such as in-progress police investigations or lawsuits, is retained separately. Misdirected mail of a sensitive nature, such as a request for help with personal circumstances, is kept for a shorter period of thirty days.
- Retention policy for information released inadvertently in breach of the Data Protection Act
Sometimes public bodies accidentally release personal data in bulk. WhatDoTheyKnow does not want to hold this information longer than necessary and treats it with due care. Volunteers will only download from WhatDoTheyKnow whatever information is necessary to handle a suspected breach of the Data Protection Act by an authority, encrypting the data using a strong algorithm, protecting their device with a strong password, and deleting the data as soon as possible and in all circumstances within four hours. If the data needs to be retained after that period, it is kept on mySociety’s servers and mySociety is responsible for holding and deleting it.
For material that needs to be retained for a relatively short period, e.g. where we give the ICO two weeks to request the material from us before we delete it, the material will remain hidden on WhatDoTheyKnow and will be deleted at the end of the retention period. In the rare case where a longer retention period is necessary, mySociety staff are responsible for moving the material to non-web accessible storage on mySociety’s servers and deleting it when the retention period is complete.
- Encrypted Transfer of Data
Sometimes we will want to send a copy of sensitive material to the Information Commissioner to assist them with their investigation into a public body’s breach of the Data Protection Act. In the case of bulk sensitive personal information we do this by encrypting the data with an AES algorithm using at least a 256-bit key. The encrypted data will be sent by email or made available for download via the web, FTP or USB, and the decryption password is provided via a separate channel.
To make our service easier or more useful, we sometimes place small data files on your computer or mobile phone, known as cookies; this is very common practice and most websites do this.
Cookies help our websites to, for example, remember that you have logged in so you don’t need to do that on every page, or to measure how people use the website so we can improve it and make sure it works properly. Below, we list the cookies and services that this site may use.
| Name | Typical Content | Expires |
| --- | --- | --- |
| _wdtk_cookie_session | A random unique identifier | When web browser is closed, or 1 month if ‘Remember me’ is used |
| seen_foi2 | The number 1 if you have seen a notice | 7 days |
| last_request_id | A number, identifying the last FOI request you looked at on the site | When web browser is closed |
| last_body_id | A number, identifying the last public authority you looked at on the site | When web browser is closed |
| widget_vote | A random identifier for an ‘I also want to know’ vote you've made for a request | When web browser is closed |
Measuring website usage (Google Analytics)
We use Google Analytics to collect information about how people use this site. We do this to make sure it’s meeting its users’ needs and to understand how we could do better. Google Analytics stores information such as what pages you visit, how long you are on the site, how you got here, what you click on, and information about your web browser. IP addresses are masked (only a portion is stored) and personal information is only reported in aggregate. We do not allow Google to use or share our analytics data for any purpose besides providing us with analytics information, and we recommend that any user of Google Analytics does the same.
If you’re unhappy with data about your visit being used in this way, you can install the official browser plugin for blocking Google Analytics.
The cookies set by Google Analytics are as follows:
| Name | Typical Content | Expires |
| --- | --- | --- |
| __utma | Unique anonymous visitor ID | 2 years |
| __utmb | Unique anonymous session ID | 30 minutes |
| __utmz | Information on how the site was reached (e.g. direct or via a link/search/advertisement) | 6 months |
| __utmx | Which variation of a page you are seeing if we are testing different versions to see which is best | 2 years |
Google’s Official Statement about Analytics Data
Measuring website performance (New Relic)
WhatDoTheyKnow uses New Relic to collect data on the performance of the site - how quickly it sends pages and how much memory and processing power it takes on the computers that run it. We do this to ensure that the site runs quickly and efficiently. New Relic stores information on:
- What pages are visited on the site, and how long they take to load.
- The structure, not the content, of database queries made in order to run the site and how long they take to run.
- Memory and CPU usage on the servers that run the site.
Sample data about database queries and individual requests for pages is stored by New Relic for 7 days; aggregate data is stored for a maximum of 90 days.
Our own logging
In addition to the information you give us about yourself in order to use the site (e.g. your name and email address), we collect and log some additional information in order to analyse and fix problems with the site. Our webserver logs maintain a history of page requests. This includes information about requests, including the client IP address, data submitted (which might include your email address when you log on to the site), request date and time, page requested, browser version and referrer. We routinely keep this information for 28 days.
Bits of wording taken from the gov.uk cookies page (under the Open Government Licence).
- Can you delete my requests, or alter my name?
WhatDoTheyKnow, as well as providing a service by which you can easily make an FOI request, also acts as a massive online archive of information. We publish your request on the Internet so that anybody can read it and make use of the information that you have found. Even though you may not find the response to a request useful any more, it may be of interest to others. For this reason, we will not normally delete requests.
Under exceptional circumstances we may remove or change your name on the website; see the next question. Similarly, we may also remove other personal information.
If you’re worried about this before you make your request, see the section on pseudonyms.
- Can you take down personal information about me?
If you see any personal information about you on the site which you’d like us to remove or hide, then please let us know. Specify exactly what information you believe to be problematic and why, and where it appears on the site.
If it is sensitive personal information that has been accidentally posted, then we will usually remove it. Normally we will only consider requests to remove personal information which come from the individual concerned, but for sensitive information we would appreciate being notified by anyone.
You have the right under section 10 of the Data Protection Act to request that we remove your personal information on the grounds that it is causing you substantial and unwarranted damage or distress. We will consider any such notice, which does not need to explicitly mention the Act, and balance it against any public interest in publishing the material. There is some guidance on these notices on the ICO’s website.
- I’m a public servant - can you take down personal information about me?
Whilst WhatDoTheyKnow strives to preserve and promote transparency and openness, we will consider requests to remove the names of public servants when it seems unlikely that the public interest will be harmed by doing so.
This means that:
- If you are a decision-maker of any seniority, or if you are responding to an FOI request, we will not normally remove your details from documents and emails sent by a public body. Accountability of decision-making is at the heart of good government.
- If you hold a junior, non-decision making post we will consider requests to remove your details. Removing these details is time-consuming for our volunteers, so please let us know why this really matters to you. If we agree to remove your details we will take reasonable steps to do so but in some cases may not be able to as it can be difficult to remove material from some types of document, such as images and PDFs.
- We are happy to try to assist FOI officers who want us to help them remove their signatures from the website, but generally in such circumstances we require replacement responses to be prepared and sent to the requester before we will remove the original documents. We are unable to edit attachments which have been released via our service.
We are also of course subject to the law and obliged to consider requests from anyone who considers our publication of their personal information is causing, or is likely to cause, them unwarranted harm or distress. (See S10 of the Data Protection Act.)
Learn more from the help for FOI officers.