Cinneadh
Mr. F and Department of Agriculture, Food and the Marine
Ó Oifig an Choimisinéara um Fhaisnéis Comhshaoil
Cásuimhir: OCE-150742-X3G1W9
Foilsithe
Teanga: Níl leagan Gaeilge den mhír seo ar fáil.
Ó Oifig an Choimisinéara um Fhaisnéis Comhshaoil
Cásuimhir: OCE-150742-X3G1W9
Foilsithe
Teanga: Níl leagan Gaeilge den mhír seo ar fáil.
1. On 1 March 2024, the appellant requested;
1.Information on all Alleged Illegal Afforestation, Alleged Illegal Roads & Alleged Illegal Felling Incidents reported during March 2024
2.Information on all Alleged Illegal Afforestation, Alleged Illegal Roads & Alleged Illegal Felling Incidents investigated during March 2024
2. The Department responded on 11 June 2024, part granting the request, having identified 70 relevant records, 20 of which were to be fully granted with 50 to be partially redacted under Article 8(a)(i) of the AIE Regulations.
3. The appellant requested an internal review on 18 June 2024, on the basis that he did not consider his request satisfied, as he could not access the information released via the Departments new file share system, which requires multifactor authentication through a smartphone app. in order to access the data. The appellant advised the Department that as he did not own a smartphone, he could not access the data and requested the records be sent to him via another means.
4. The Department replied on 15 July 2024, advising the appellant in its decision that;
“Due to the volume and size of documents you have requested, it is impractical to send the documents via email or post. Email services have size limits for attachments, and mailing physical copies of such a large volume of documents would result in significant delays and potential costs of public money. Given that the volume of documents is too large to send via email or post, using the Cloud Sharing system is a practical and reasonable approach to make information accessible. This aligns with general principles of providing information in an efficient manner while considering the Page 2 of 2 technical and logistical constraints and ensures that you receive the documents promptly and securely, while also being mindful of environmental considerations and operational efficiency.
5. The Department went on to explain the following on its position in relation to the cloud share system;
“This approach is fully compliant with both Irish law and AIE Regulations. The use of secure cloud sharing platforms for disseminating large volumes of information is a widely accepted and reasonable practice. It enables us to maintain the integrity and confidentiality of the documents while providing you with convenient access. Authentication apps provide an extra layer of security by requiring multiple factors to verify identity. Ensuring that only authenticated users can access records helps maintain the integrity of the data. It prevents tampering, unauthorised modifications, or deletion of records, which is crucial for maintaining accurate and reliable information. The required authentication app also requires you to agree to tracking and logging, which can record who accessed records and when. This accountability is essential for potential auditing purposes and for investigating any suspicious activities or security incidents. In summary, using an authentication app to access records is a reasonable measure that enhances security, ensures compliance, maintains data integrity, provides accountability, fosters user trust, and mitigates the risk of phishing attacks. Our goal is to ensure that you receive the information you requested in a manner that is both efficient and satisfactory. We appreciate your understanding and cooperation.
6. The Department included a step by step guide on installation and use of the cloud share system in its correspondence with the appellant.
7. The appellant appealed to my Office on 24 July 2024. This appeal does not concern the matter of the partial refusal of information sought under the AIE Regulations, it relates solely to the issue of the accessibility of that information.
8. I am directed by the Commissioner for Environmental Information to carry out a review under article 12(5) of the Regulations. In carrying out my review, I have had regard to the submissions made by the appellant and the Department. In addition, I have had regard to:
what follows does not comment or make findings on each and every argument advanced but all relevant points have been considered.
9. In accordance with article 12(5) of the AIE Regulations, the role of this Office is to review the public authority’s internal review decision and to affirm, annul or vary it.
10. The appellant’s appeal is solely based on the accessibility of the information sought. He contends that in choosing to implement the file share system described above, the Department have not, in fact, made the information available to him within the meaning of article 7(1) of the AIE Regulations and Article 3 of the AIE Directive. My jurisdiction arises where a public authority has refused a request, in whole or in part. A request which has been “refused” includes a request that has not been dealt with in accordance with articles 3, 4 or 5 of the AIE Directive (see article 11(1) and (5)(c) of the AIE Regulations). I am therefore satisfied that the scope of my review in this case is whether the Department have dealt with the request in accordance with article 3 of the AIE Directive and article 7(1) of the AIE Regulations.
The Appellant
11. In his submission to this office the appellant has outlined his observations on the internal review decision of the Department and raised a number of concerns regarding the Departments use of the new cloud share system for disseminating information in response to larger volume requests. His submission can be summarised as follows;
i. The appellant acknowledges that the Department has acted in good faith in processing his AIE request although questions if it has actually made the information available to him if it requires access to a smart phone, which he does not have, in order to download software which then permits access.
ii. The appellant questions if a public authority is required to consider other means of making the information available where there are technical issues for the requester in using the public authorities preferred means of dissemination.
iii. The appellant questions whether a public authority can apply the conditions that are applied in this case which restrict access to a single user and permit the tracking of information which has been released under an AIE request.
iv. The appellant contends that, by limiting options to only having this means of electronically disseminating information where there are technical issues for some requesters, the Department is not fully compliant with Article 7 (1) of the AIE Regulations.
v. The appellant disputes the position of the Department that it is impractical to send the information by post and suggests it is feasible for the Department to load the information onto a Hard Drive/USB Drive/SBHC Memory Card thus providing it in the requested electronic format. The appellant acknowledges that a charge could be applied for this.
The Department
12. In its submission to this Office the Department submit that it utilises a cloud sharing facility for disseminating large volumes of information with stakeholders and third parties in line with how most public bodies choose to disseminate information outside of their organisations. The necessity for this is to allow easy and safe access for those outside of the Department to view records and files in a safe and efficient manner. The Departments cloud sharing solution (DAFM SharePoint for Cloud Sharing) which replaced the previous system NextCloud, was implemented to protect Department staff and assets in line with National Cyber Security Centre (NCSC) recommendations. SharePoint requires users to utilise multi factor authentication and a full user guide has been provided to the Appellant on several AIEs to date due to the size and scale of records requested. In instances where the records are small enough to be sent by email, the Department continue to utilise this method. The use of the cloud sharing link is only used on cases where there is a requirement to do so.
13. The Department also submit the following points in support of its decision;
i. Security: Microsoft Authentication App provides an extra layer of security by requiring multiple factors to verify identity. This ensures that only authorised individuals can access sensitive records, reducing the risk of unauthorised access and potential data breaches. If, for example, the Appellants devices were compromised due to their own use the Department would be confident that the shared information was safe.
ii. Data Integrity: Ensuring that only authenticated users can access records helps maintain the integrity of the data. It prevents tampering, unauthorised modifications, or deletion of records, which is crucial for maintaining accurate and reliable information.
iii. Compliance: Many industries and jurisdictions have regulations that mandate strong authentication measures to protect sensitive data. Using an authentication app can help organisations comply with legal and regulatory requirements, avoiding potential fines and legal issues.
iv. Accountability: The required authentication app also requires you to agree to tracking and logging, which can record who accessed records and when. This accountability is essential for potential auditing purposes and for investigating any suspicious activities or security incidents.
v. User Trust: By implementing strong authentication measures, Departments and other public bodies can build trust with their users or stakeholders. Knowing that their data is protected by robust security measures can increase confidence and trust in the organisation's commitment to protecting their information.
vi. Mitigation of Phishing Attacks: Authentication apps, especially those using timebased one-time passwords (TOTP) or push notifications, are less vulnerable to phishing attacks compared to traditional methods like passwords. This further enhances the security of the records being accessed.
14. The Department also submit that it did consider alternative routes of disseminating records to the Appellant including via USB drive, although it identified barriers to this, including the potential for the USB to be lost en route resulting in a potential data breach, in addition to the associated cost to purchase USB drives for the Appellants relevant AIE requests.
15. Finally, the Department contend that it would be unreasonable to expected it to change a nationwide policy for one Appellant who refuses to move to a more secure way for themselves and public bodies of sending and receiving records.
16. Article 3 of the AIE Directive states:
“Member States shall ensure that public authorities are required, in accordance with the provisions of this Directive, to make available environmental information held by or for them to any applicant at his request and without his having to state an interest.”
17. Article 7(1) states as follows:
“A public authority shall, notwithstanding any other statutory provision and subject only to these Regulations, make available to the applicant any environmental information, the subject of the request, held by, or for, the public authority.”
18. The Appellant in this case submits that as he is precluded from accessing the information which has been made available on the Departments cloud share facility due to not having a smart phone, the information has not been made available to him and therefore the Department are not in compliance with Article 7(1) the AIE Regulations. The appellant makes the point that the previous file share system was adequate and questions why it cannot still be utilised by the Department.
19. The Department in response make arguments in relation to the need to upgrade its systems and the fact that the Microsoft Authentication App provides it with an extra layer of security, ensuring that only authorised individuals can access sensitive records, reducing the risk of unauthorised access to its systems and potential data breaches.
20. Both the appellant and the Department refer to the possibility of using a USB drive to disseminate the information in this appeal which would appear to be a valid option. The Department have identified two barriers to this solution. Firstly the Department states that the USB drive may be lost while being transported, resulting in a potential data breach. I do not agree that the potential for the USB drive to be lost while being transported creates such a barrier. Information released under an AIE request is considered to be published to the world at large and is routinely sent through the post or disseminated through unsecure email servers. In the case of this particular appeal, personal information from 50 of the 70 records has been redacted. A requestor is at liberty to publish information released under an AIE request as they wish, or to provide it to any other person. Therefore, if a USB drive containing information released under an AIE request was in fact lost while being transported, it is unlikely that this could be considered to be a data breach.
21. The second barrier identified by the Department in using a USB drive is the cost from the Departments budget in purchasing the necessary hardware. The Department have not set out what such a cost would be, or that the cost would be unreasonable. Given the average cost of such devices, I find it highly unlikely that such a cost would be unreasonable. Further, a USB drive would not be required for granting information in every instance as the Department can continue to provide information via email where it is practicable to do so.
22. The Department have not set out whether it investigated the use of any other file sharing service that would not require the use of an authenticator app on a smartphone.
23. Having considered all of the above, I find that in the circumstances of this appeal the Department has not dealt with the request in accordance with article 3 of the AIE Directive or article 7 of the AIE Regulations as the information sought has not been made available to the appellant. The Department must identify an alternative method to disseminate the relevant environmental information to the appellant. I will annul the internal review decision of the Department, and direct release of the information sought.
24. I would also suggest that the Department examine its obligations under the AIE Directive and AIE Regulations to actively publish environmental information and ensure that environmental information is progressively made available and disseminated to the public in order to achieve the widest possible systematic availability of environmental information. It would be open to the Department to grant the appellant’s request by publishing the information sought, perhaps via its Open Data website. I note that this website currently contains only 4 datasets related to forestry, which does not reflect that high demand for forestry related environmental information that can be seen in the decisions of this Office.
25. It appears that the need for this appeal to be submitted to this office could have been avoided if there was more engagement at internal review stage and I would urge both parties to consider all valid options and engage further at internal review stage with a view to avoiding appeals where possible. This will assist this office in dealing with the significant amount of appeals being received and assist the Department and the appellant to manage relevant resources.
Having carried out a review under article 12(5) of the AIE Regulations, I annul the internal review decision of the Department and direct release of the information sought.
A party to the appeal or any other person affected by this decision may appeal to the High Court on a point of law from the decision. Such an appeal must be initiated not later than two months after notice of the decision was given to the person bringing the appeal.
Julie O’Leary
On behalf of the Commissioner for Environmental Information