E-Mail, “Personal” Records and Privacy

Recently, David Holland reported the unedifying spectacle of John Mitchell, Chief Scientist of the Hadley Center, an institution which proclaimed itself to be the “most significant” contributor to WG1, attempting to circumvent mandated requirements that IPCC be “open and transparent” and that all “written comments” be archived, by claiming that his email correspondence with IPCC Authors using his Hadley Center email account were somehow his “personal” property and therefore not subject to UK Freedom of Information legislation.

Elsewhere, we’ve seen the equally unedifying spectacle of Caspar Ammann, a U.S. federal employee, an employee of a federally funded research and development center (NCAR), seeking to circumvent the IPCC requirement that comments be “open and transparent” by sending comments to IPCC author Briffa at his CRU email, rather than through the IPCC registry (as even Susan Solomon did). Even though IPCC is required to archive all written comments, Ammann and Briffa regard themselves as above IPCC policy and entitled to exchange confidential comments, sort of like little school children whispering at the back of the classroom.

While the spectacle is obviously unedifying in itself, I thought that it would be interesting to examine government policies on e-mail correspondence to see whether there is any policy basis for either theory.

Canadian Government Policy

I’m going to start by discussing Canadian government policy on e-mail involving government employees at their place of business, not because it is directly applicable to any of the parties, but because, in this case, the Canadian government appears to have spelled out their policies in more detail. Given the close similarity of applicable legislation in the U.K. to Canadian legislation, it becomes a useful reference point. (My take in this respect is that, by issuing the manuals, the Canadian government is not promulgating new policy, but merely providing information to employees on policies that are already required by the legislation. That’s why one can reasonably expect the principles in these manuals to carry over to the U.K. situation,)

A first principle is that most email messages are “records” (the first test in FOI legislation):

1. Most email messages are records: Email messages, including any electronic attachments, created, collected, received or transmitted in the normal course of government business which reflect the functions, business activities, and decisions of government are records.

Second, e-mail received at the Hadley Center comes under the “control” of the institution:

A record is under the control of a government institution when that institution is authorized to grant or deny access to the record, to govern its use and, subject to the approval of the Librarian and Archivist of Canada, to dispose of it. Regarding the question of physical possession, a record held by an institution, whether at headquarters, regional, satellite or other office, either within or outside Canada, is presumed to be under its control unless there is evidence to the contrary. A record held elsewhere on behalf of an institution is also under its control, for example at an employee’s home or on business travel.

The distinction between “official” and “personal” records is discussed as follows:

Email messages created, collected, received or transmitted during the normal course of government business are records of the Government of Canada. Such messages and their attachments reflect the functions, business activities, and decisions of the government. They must be kept to ensure the integrity of the corporate memory of government. Records, including Transitory records , regardless of format, must only be disposed of according to Records Disposition Authorities approved by the Librarian and Archivist of Canada.

Email messages whose content is of a personal nature are not records of the Government of Canada and therefore are not covered by the Library and Archives of Canada Act. Examples include email messages regarding arrangements for lunch, an employee’s personal information such as email relating to hobbies, extracurricular activities, announcements, unsolicited advertising, etc. Such messages should be deleted once their usefulness is completed. However, a user must not delete records where the institution has received a formal request, under the Access to Information or Privacy Acts, relating to these records

Assuming a similar U.K. policy, Mitchell’s claim seems absurd on its face. His correspondence with IPCC authors presumably rose above being “arrangements for lunch” and his correspondence with IPCC authors in his capacity as Review Editor hardly relates to a hobby or extracurricular activity (by which one would think of things like squash games). I see no conceivable basis under which Mitchell’s claim that his IPCC correspondence were his “personal” property could possibly stand up. Accordingly, by asserting title to the correspondence that is inconsistent with the title of the true owner (his employer), Mitchell has, in effect, converted the property. The conversion of company property by its executives is a touchy issue. My advice to Mitchell, for whatever it’s worth, would be not to go down this road. The risks and rewards are worth considering; maybe there’s an even a precautionary principle.

But aside from anything else, the spectacle of Mitchell arguing that the correspondence is his “personal” property is going to appear very distasteful to any member of the public who encounters the argument. Considerable interest has arisen in the UK about FOI legislation in connection with MP salaries and benefits. Would the tabloid newspapers get interested in the evasions of the U.K. Met Office? Who can tell. I was surprised at the traction of the Y2K issue last summer.

U.S. Government Policy

Here is a statement summarizing model U.S. policy.

It states explicitly that employees do not have any right or expectation of privacy when using government e-mail, which are waived. So Ammann, at his end, has little basis for claiming an expectation of privacy vis-a-vis U.S. FOI. Given a comparable Canadian policy, it seems unlikely that U.K. policy would deviate much from these principles.

Executive Branch employees do not have a right, nor should they have an expectation, of privacy while using any Government office equipment at any time, including accessing the Internet, using E-mail. To the extent that employees wish that their private activities remain private, they should avoid using an Agency or department’s office equipment such as their computer, the Internet, or Email. By using Government office equipment, executive branch employees imply their consent to disclosing the contents of any files or information maintained or pass-through Government office equipment.

By using this office equipment, consent to monitoring and recording is implied with or without cause, including (but not limited to) accessing the Internet, using E-mail. Any use of government communications resources is made with the understanding that such use is generally not secure, is not private, and is not anonymous.

This language is adopted by a number of institutions. Here’s similar language at Stanford, for example.

Sarbanes-Oxley
Regulations on public companies in the U.S. are very severe under Sarbanes-Oxley.

Financial regulations, such as Sarbanes Oxley and Basel II, stipulate that companies must store all emails for at least seven years. Although none have been convicted yet, chief executive officers found to have failed in such auditing regulations can face heavy fines and jail sentences.

Sarbanes-Oxley obviously does not apply to executives of the U.K. Met Office, but readers will undoubtedly understand why the destruction of e-mail correspondence by a Hadley Center executive is something that appears very unsavory to someone familiar with securities regulations.

27 Comments

  1. Sam Urbinto
    Posted Jul 2, 2008 at 6:21 PM | Permalink

    But hey.

  2. Posted Jul 2, 2008 at 7:25 PM | Permalink

    Steve, in the US Federal Govt, email is archived on Agency/Department servers, and sometimes the issue is finding the correct IT Office with control. Asking the individual will go nowhere.

    Also, there can be a substantial charge for recovering from servers. Most offices are not well set up to filter for specific users/subjects/time frames/etc. Once filtered it may take significant manual review to assure privacy and security is maintained.

    Bottom line: may not be an easy request to fill and may end up a costly request.

  3. Pete
    Posted Jul 2, 2008 at 9:07 PM | Permalink

    In U.S. even handwritten notes are “records” as well as every single e-mail that pertains to the topic of the FOIA request. This was direction I got from lawyers and a FOIA coordinator during a collection action maybe 5 years ago.

  4. TAC
    Posted Jul 3, 2008 at 1:51 AM | Permalink

    Steve, my understanding is that you are correct that both the intent and the letter of the U.S. FOIA would usually require U.S. federal employees to turn over the kind of documents you mention (FOIA has some categorical exclusions — documents related to criminal and legal proceedings, personnel records, national security, etc. — but I don’t see how they would apply here).

    However, there are likely political considerations at work here that would complicate any efforts to enforce the law. The current Administration has too-often been accused of manipulating public access to information for political purposes. Thus, regardless of the merit of its legal position in this case, the Administration may feel a need to maintain a “hands off” policy with respect to Ammann (among others).

    An analogous situation seems to exist with respect to Jim Hansen, to whom the Administration has apparently awarded a de facto right to speak out on any topic he chooses (a cynic might wonder if the Administration policy is based on the recognition that Hansen is his own worst enemy — the more press he gets, the more he embarrasses himself and his cause — but that seems improbable given everything else we’ve seen).

    It will be interesting to see how the next Administration deals with these issues.

  5. DaveR
    Posted Jul 3, 2008 at 3:44 AM | Permalink

    Steve, there’s a rather nasty personal tone starting to creep back into your recent posts. I think you actually have no idea how Ammann and Briffa regard themselves and the comment about schoolchildren is unworthy of you.

  6. MarkW
    Posted Jul 3, 2008 at 5:26 AM | Permalink

    When people act like they have something to hide, they usually do.

  7. Posted Jul 3, 2008 at 5:32 AM | Permalink

    lsewhere, we’ve seen the equally unedifying spectacle of Caspar Ammann, a U.S. federal employee,

    Have you checked whether people who work at NCAR are government employees? The web page says “sponsored by NSF” and the domain names end with .edu.

    Many, but not all, government research agencies are subcontracted. People who work at National Labs ( Argonne, Los Alamos, Pacific Northwest National etc. ) are not government employees. So, I’m not sure if NCAR people are.

  8. Steve McIntyre
    Posted Jul 3, 2008 at 7:49 AM | Permalink

    #7. Hmmmm, interesting question and checking it out led to something interesting that I’ll post on later today.

    The NCAR website is a bit vague about what it actually is legally. NSF describes it or here as a “focal point”, an organizational structure not recognized in law:

    The National Center for Atmospheric Research (NCAR), which is funded by NSF, is a focal point for research in the field of atmospheric sciences. NCAR is located in Boulder, Colorado, and has about 750 scientists and support personnel.

    In a document entitled “NCAR as an Integrator: A Vision for the Atmospheric Sciences and Geosciences”, dated October 2001, it is described as a “federally funded research and development center” of the NSF:

    The National Center for Atmospheric Research (NCAR) is a uniquely important institution in many ways. As a federally funded research and development center of the National Science Foundation (NSF), it plays a key role in helping to shape the scientific agenda for the only agency of the U.S. government that has basic research at the core of its mission. As a well endowed center with a university governance system, a broad portfolio of fundamental and applied research, and a focus on the geosciences, it has an important responsibility to both lead and support the nation’s researchers in the interdisciplinary study of the atmosphere and related systems.

    The term “federally funded research and development center” is recognized at law and NCAR is listed as one of 36 such organizations at Wikipedia, which says that such centers are:

    They are administered in accordance with U.S Code of Federal Regulations, Title 48, Part 35, Section 35.017 by universities and corporations.

    NCAR is “managed” by UCAR, which extracts management fees and has somehow ended up owning many of the assets used by NCAR. UCAR is not bound by the Freedom of Information Act (FOIA) – see here.

    While federal funds cannot be used directly to lobby the federal government, UCAR seems to maintain an active lobbying presence. As far as I can tell, virtually all of their funding is federal. I guess that their position is that the management fee structure launders the money so that it is no longer subject to federal policies – sort of a climate scientist equivalent of Guns-for-Contras.

    As to Ammann, it appears that he is not a federal government employee per se, so I’ll correct that.

  9. Larry T
    Posted Jul 3, 2008 at 8:07 AM | Permalink

    These federally funded research and development centers are not immune to federal laws since DOE has proposed a $3,000,000 fine against University of California for security breaches at Los Alamos National Laboratory.

    This is a link to a story in the Washington Post.

    http://blog.washingtonpost.com/government-inc/2007/07/nukes_documents_and_ffrdcs.html

  10. Larry T
    Posted Jul 3, 2008 at 8:17 AM | Permalink

    Here is the regulations which the centers act under.

    http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&tpl=/ecfrbrowse/Title48/48cfr35_main_02.tpl

  11. John Galt
    Posted Jul 3, 2008 at 9:07 AM | Permalink

    snip –

    But Dr. Hansen works for the government and is a civil servant, in theory at least. Any work paid for by the taxpayers belongs to the public and not Dr. Hansen. I’d love to see all of Hansen’s notes, correspondence, raw data, computer code, etc., etc. made public and post on the internet. Hansen says the world is in danger, well then, this is his chance to prove it.

    Since Hansen and his bosses don’t seem to want to do this voluntarily, can this be forced using a FOIA request?

  12. Posted Jul 3, 2008 at 9:15 AM | Permalink

    Steve–
    That set up sounds similar to the way the National Labs are run. There will still be regulations governing email and email communications. I’m just asking because there is a distinction, and the rules won’t be those applying to federal employees themselves. (Often the rules are stricter because the Feds like to give themselves more leeway. :) )

  13. Posted Jul 3, 2008 at 11:34 AM | Permalink

    Steve

    You are right there is no expectation of Privacy if you use a federal government E Mail system. To log on you have to click OK or Accept on a splash screen; the text is very blunt that you have no right to privacy.

    The first piece of controlling legislation is the Federal records management act which defines records, how long they have to be kept etc. Normal is one year on site and two years in the National Archives. E-Mail systems often are not official record storage; our agency figured it would triple the cost of the system to meet to have it be a record system. All official records are to printed or saved on a CD and placed in a standard file. Thus it is important to make your request in timely manner; there could be automatic deletion policies to save hard drive space and a short-term rotation of back up tapes.

    However any thing on the E-Mail system can be obtained under the freedom of Information Act unless there is an exception such as the Privacy Act. This is all information whether of not it is part of a record. If some one has his scratch notes in an electronic form; they must be released to a FOIA request. Normally an employee can recommend that a document is not retrievable but the decision is a higher-level management decision. My guess is that in an agency like the GISS the Director would be the deciding official.

    A problem all agencies are having since E-Mail and high quality correspondence software on every desk is that someone can make a document that is an Official Record under the Law on there desk top and not realize how it should be filed.

    Things that I am sure you already know.

    Address the FOIA request to Agency Head

    Courtesy copies to the office or person you think has the information. If you think there will be a problem a courtesy copy to the legal staff and maybe the legal staff of the next higher agency.

  14. Kenneth Fritsch
    Posted Jul 3, 2008 at 12:28 PM | Permalink

    That government employees give up their right to privacy of emails originating from government computers and internet services gets the information out of the employees’ hands and into the government agencies, but does that mean that the government agency will give that information up to the public or upon individual requests? Are not the government agencies just as likely to be as ornery as individual employees and use lawyerly defenses and arbitrarily worded FOI regulations to stall the process?

    An individual employee can hide behind privacy considerations, but I am guessing that these bureaucracies are past masters at keeping sensitive information locked up and particularly so when the seekers probably will not litigate nor have a popular position.

  15. Steve McIntyre
    Posted Jul 3, 2008 at 1:43 PM | Permalink

    Tom Karl writes:

    I know we put together a package for you many months ago. We are looking into the reason why you never received a response. We will get back to you as soon as possible.

    Sincerely,
    Tom Karl

  16. James Bailey
    Posted Jul 3, 2008 at 1:57 PM | Permalink

    I worked at a government lab (ORNL) in the 90’s, but was employed by a seperate organization. Back then it was considered against the law to use government computers for personal uses, and it was a firing offense. I doubt that policy has changed. All e-mail is supposed to be recorded. It actually proved usefull when I needed to recover an old e-mail. But then Congress keeps getting upset that White House e-mails go missing, so maybe that happens with other government agencies too.

  17. Craig Loehle
    Posted Jul 3, 2008 at 2:25 PM | Permalink

    As a counter to comments above, I was at Argonne National Lab until 1998. We were employees of the U. of Chicago. Nothing I worked on was any big official project, but rather individual research grants from various places (mainly DOE). No one ever required that I archive anything, except that proposals and final reports went out with official letterhead and a copy for the department files, but nothing was said about data or software.

  18. Posted Jul 3, 2008 at 2:43 PM | Permalink

    Craig Loehle,

    When I worked at PNNL, archiving requirements varied by project. Some projects had formal archiving. The manager wrote up a list of types of documents to be archived; and the end of the project, those got bundled up and stored in a DOE storage facility. (All boxes where checked with geiger counters before entering or leaving storage! )

    I work part-time at Argonne now. The project I work on has archiving requirements for many things, particularly data, project reports and certain types of communication. However, I am not personally required to archive all my emails. I suspect the ANL IT people do archive one heck of a lot of email. Emails sent out through ANL addresses aren’t guaranteed privacy. I suspect ANL may log connections to the web and archive that. (PNNL did at least for a while.)

    Even though I have nothing to hide, still I avoid using ANL e-mail for private anything.

    I suspect archiving requirements have always been project dependent at ANL and at all labs.

    My main point above is simply: NCAR archiving requirements are probably not the same as for any honest to goodness federal agency.

  19. Posted Jul 3, 2008 at 2:48 PM | Permalink

    LarryT

    These federally funded research and development centers are not immune to federal laws since DOE

    They aren’t immune from federal laws. However, the specific laws can differ. Congress often wrote one set that applies to honest to goodness federal employees; other laws apply to others.

  20. Larry T
    Posted Jul 3, 2008 at 7:30 PM | Permalink

    In my many years as a employee/contractor to federal agencies including NASA, i realize that legal requirements will vary. It was more a statement about the Washington Post article that i referred too. My 2nd post gave the legal groundwork but i will let those with legal background handle that. Give me numbers to crunch not words!

  21. Henry
    Posted Jul 3, 2008 at 7:32 PM | Permalink

    Those interested in UK records management and destruction might wish to comment on the National Archives consultation on the code of practice it issues to public authorities and some other bodies under section 46 of the Freedom of Information Act. The closing date for responses is 2 September 2008; of course, any comments may be published.

  22. AndyW
    Posted Jul 4, 2008 at 12:45 PM | Permalink

    Steve, I don’t think you pay taxes in the UK and so, to be brutally honest, you have no valid reason to have any demand what the UK Met Office does or does not do with data. If you think you do go and see your local UK Member of Parliament. Even if you did, you should be aware that the UK Met Office is part of the Ministry of Defence and therefore a request for email information can be turned down, with complete justification, with no explanation whatsoever.

    We have a phrase in the UK which is “like it or lump it”.

    Never more apt.

    Steve: I haven’t made any FOI requests to the UK Met Office so I don’t understand your beef. I’ve been reporting recently not on my own FOI requests, but on David Holland’s who is a UK citizen.

  23. Ian Castles
    Posted Jul 4, 2008 at 7:41 PM | Permalink

    Re #22. The obligations of UK authorities under FOI are prescribed in legislation of the UK Parliament – AndyW’s opinion of who is entitled to make requests under the Act is irrelevant. Last month James S, a poster on this blog (Fortress Met Office, post #19), stated that “you don’t need to be British or in Britain” to make a request under the UK FOI Act. I’ve not a UK resident, citizen or taxpayer but I’ve made such a request using the link provided by JS. It’s being processed.

  24. AndyW
    Posted Jul 5, 2008 at 12:08 PM | Permalink

    First of all I just read my post again after Steve mentioned “beef” and I think my post sounded more confrontational to Steve than it was meant to considering his reply. My main thought is “hitting your head against a brick wall” when it comes to our defence services and governmental organisations so it was with a shake of the head and a chuckle when I wrote those words rather than a finger pointing exercise, though it probably does not read like that. So my apologies, I will try to get a better editor to vet my work next time… ie time.

    I still think though that anyone outside the UK is wasting their time and anyone inside the UK is also wasting their time trying to pin down a UK MOD organisation to provide information when that is to the benefit of the person requesting it and not to the benefit to the country at large, whilst a cost is incurred to the country at large.

  25. fFreddy
    Posted Jul 5, 2008 at 2:06 PM | Permalink

    Re #24, AndyW

    So you’re saying that a UK bureaucrat would be more concerned about saving tax-payers’ money than obeying their bureaucratic process ?

    Hmmm. Must be a different UK …

  26. per
    Posted Jul 6, 2008 at 3:33 AM | Permalink

    #24
    surely you must realise that the FOI Act was implemented in the clear knowledge that it would impose a financial burden on the government, and yet only rarely be of direct benefit to the government.

    National security, and related headings, are obviously an excellent reason for exemption from an FOI request. However, I struggle to see how national security could be at risk in this instance, and how it could be a valid excuse for refusing an FOI request. Indeed, you only have to google to see that the MoD does respond to FOI requests.

    per

  27. Steve McIntyre
    Posted Jan 27, 2010 at 2:24 PM | Permalink

    ping

2 Trackbacks

  1. [...] “E-Mail, “Personal” Records and Privacy“, Steve McIntyre, Climate Audit, 2 July 2008. [...]

  2. [...] HCC/CRU over access to their data, their “code” (data analysis software), and even their emails http://www.climateaudit.org/?p=3234. Here’s McIntyre’s philosophy and goals in this quest: [...]

Follow

Get every new post delivered to your Inbox.

Join 3,263 other followers

%d bloggers like this: