Availability and findability of FOI and privacy statements on Finnish municipalities’ websites

FOI and privacy statements are statements in which an organization inform users about the accessibility of the digital and analog information in its custody and the privacy policy it has adopted. This study examined whether Finnish municipalities have posted FOI and privacy statements on their websites. At the first phase 309 municipal websites were examined to see whether the statements were located on the front page or if there were direct links to them at the front page. If the website did not have FOI or privacy statement or a link to statements at the front page, then it was studied whether the statements could be found easily in the municipal website by making a simple search. At the second phase 38 municipal websites were studied. The study resulted that FOI and privacy statements are non-existent on Finnish municipal websites. The study also revealed while there is sometimes an effort to provide information on municipal FOI and privacy practices, the information is scattered on the website and it is not easy to find. This is in accordance with the previous studies in other countries. Interestingly, long tradition of Finnish FOI legislation does not seem to make a difference when it comes to informing users about FOI and privacy policies. Future studies should examine how aware are the citizens about FOI and privacy rights; whether the citizens trust authorities in handling information; and what are the reasons why authorities ignore to inform the citizens about FOI and privacy practices.


Introduction and problem statement
Freedom of Information (FOI) and privacy are two concepts that are today inseparably linked to public sector information management. Both FOI and privacy are tools for greater societal goals that go beyond the value of accessibility of information and protection of privacy. FOI can be a tool for increased participation of citizens, trust, democratic control, and accountability of political decision makers and administration. It may also bring economic benefits. FOI makes the society more transparent. Transparent societies have advantage when nations are competing about investors and money. In addition, public sector information can be used to create new digital services and industry when it is freely accessible (Erkkilä, 2012). On the other hand, some information must be protected. In addition, privacy has societal value. People need privacy to be engaged in their personal relationships (Schonsheck, 1997). It is argued that a society without privacy would be suffocating. A society in which some level of privacy is present is better for everyone, not only for the individuals who assign value to their privacy (Hull, 2015).
When we think about access to information or protection of privacy, it seems obvious that citizens should be aware of the rights that they have and of the rules that public sector organizations are committed to follow in managing information. This raises the question of to what extent public sector organizations make the rights and the rules of information access known to citizens. FOI and privacy statements are broadly defined here as statements in which organizations inform citizens about the accessibility of the digital and analog information in their custody and the privacy policy that they have adopted. FOI and privacy statements have practical value for persons who consider accessing public sector information or worry about their privacy. On the other hand, FOI legislation alone does not suffice for transparency. For instance, a law may be enacted but never used. Governmental and organizational culture can also obstruct access. (Shepherd, 2015.) Still, FOI and privacy statements can be an indication of an organizational culture in which value of transparency and privacy has been recognized and taken seriously.
No previous studies examine both the availability and findability of FOI and privacy statements. In this study the question is examined via an analysis of Finnish municipalities' websites. Finnish municipalities offer an interesting context for studying privacy and Freedom of Information since the principle of publicity as well as privacy, are both fundamental rights that are strongly rooted in the Finnish legislation and written in The Constitution of Finland (731/1999).

Background
Freedom of Information is also known as Right to Access Information. It can be generally defined as a right to get information that is guaranteed in the law. The origins of FOI go back to Swedish Freedom of Press Act 1766 which marks also the beginning of Finnish FOI legislation. At that time Finland was an integral part of the Swedish Kingdom (see e.g. Riekkinen & Suksi, 2015). The first modern FOI law is the United States FOI Act of 1966. Today over 100 countries have introduced access to information legislation. (Shepherd, 2015.) The core objectives of FOI are to increase transparency, openness, and accountability (Worthy, 2010). The core objectives of FOI are believed to lead to the secondary objectives which are improving the quality of government decision-making, improving public understanding of decision-making, increasing public participation, and increasing public trust (Worthy, 2010). However, evidence is in part mixed when it comes to reaching the objectives (see e.g. Bannister & Connolly, 2011;Worthy, 2010).
FOI increases transparency. Transparency is a virtue of government whereas private citizens value privacy (Janssen & van den Hoven, 2015). Certain amount of transparency is needed to get government accountable for its actions and decisions (Janssen & van den Hoven, 2015) by providing a window from which citizens can monitor governmental processes (Meijer, 2013). Conceptions of transparency differ in Scandinavia from those of other European Union countries: there is extensive public access to official documents, files and registers (Grønbech-Jensen, 1998). Transparency is also connected to openness, and these two concepts can be seen as synonyms. However, Meijer (2012) argues that strong conceptualizations of transparency are still lacking. In this study transparency is seen as a mechanism to promote a more trustworthy and ethical society. Some scholars (see e.g. Holsen et al. 2007;here Morag & McMenemy, 2013) have argued that ordinary citizens most often are not familiar with the FOI legislation nor the purposes behind it and therefore media has become their primary source of information. This can add confusion and FOI legislation can even be misused. These negative impacts can be seen in citizens' bizarre requests to authorities or in media's sensational news with shocking headlines. (Morag & McMenemy 2013, p. 259). To avoid conflicts a pro-active approach is needed from governmental authorities and municipalities. As a solution, it has been suggested that governments should post more information on their websites that would impact trust and confidence in government leaders (Armstrong, 2011). As web browsing raises continuously concerns about privacy also clearly stated privacy statements are suggested to be posted on government websites (Miranda, Sanguino, & Bañegil, 2009, 437).

Definitions of FOI and privacy statements
There is plenty of literature relating to FOI issues. The subject is most often approached through FOI acts. FOI laws are often problematic on paper and in practice (Michener, 2011). Therefore, there should be some written descriptions that would explain and translate the rights that are embedded in the laws in a more understandable manner for the citizens, that is, a FOI statement. In this study, FOI statements are seen important in this task.
Privacy statements or privacy policies are written descriptions of an organization's privacy practices, i.e. how citizen's privacy is taken into consideration in organization's daily practices of collecting and using citizens' personal data. The aim of the privacy statement is to increase trust between government and citizens, and this can be done simply by posting the privacy statement or the link to the statement on a website. (Dias, Gomes, & Zúquete, 2013, 88;Beldad, Jong, & Steehouder, 2010;Beldad et al. 2009.) The availability and the ease of finding the privacy statements on municipal website increases citizens' belief of a trustworthy municipality (Beldad et al. 2010), and this can be also seen as an ethical practice (Arcand, Nantel, Arles-Dufour, & Vincent, 2007).
In this study a trustworthy public sector organization is the one that understands the importance of both rights, FOI and privacy, and the tensions between these two. Therefore, a trustworthy public sector organization also takes care that FOI and privacy statements are both easily accessible and findable. Although public sector information management is today largely digital, the organizations have in their custody also older information that is on paper or microfilm and subject to same FOI legislation as digital information. Therefore, the FOI and privacy statements have to cover access and use of information regardless of its form.

Previous studies
The FOI laws in most countries have been enacted quite late, since the 1990s (Michener, 2011). This also explains why the study of FOI is in its infancy. Most previous studies on FOI have focused on the delivery, implementation, performance or impact of the FOI legislation (see e.g. Worthy, 2010), not on FOI statements. Privacy studies are also in early stages why there is a need for further research (Beldad et al., 2010). Empirical studies analyzing privacy statements on commercial websites have been conducted, while privacy statements posted on municipalities' websites have been largely ignored. (Dias et al., 2013;Beldad et al., 2009). While there are no previous studies in Finnish context, FOI and privacy statements have been subject to study elsewhere.
A Spanish study evaluated 84 municipal websites of the most populated European cities. Quality of web pages was analyzed by using Web Assessment Index (WAI) including the following categories: accessibility, speed, navigability and content. The study found out that only 55% of the websites included privacy policies on their websites. The study also reported that the kind of information that is most often available on the municipal website is related to buses, museums and libraries, touristic and culture. This does not support the idea of a transparent municipal website structure: "important information should be immediately accessible, basic contact information of the organization should be on the front page and related information should be grouped together rather than scattered in different sections of the site". (Miranda et al., 2009, p. 429, p. 437.) A Portuguese study surveyed 308 Portuguese municipalities' websites for privacy policy manifests. Observation of websites, conceptual and a content analysis was performed. Only 26 % (80 of 308) of the municipalities included privacy policy statements available on their websites. In addition, 5 % of the municipal websites had links pointing to nonexistent privacy policies, and 20 % of the total links pointed to privacy statements that did not include the word "privacy". The conclusion of the study was that privacy is not a priority for Portuguese municipalities. (Dias et al., 2013.) Beldad et al. (2009) analyzed the availability, the findability and the contents of privacy statements on Dutch municipal websites. 100 biggest municipalities were selected for the study. They found that not all municipal websites posted privacy statements on their websites, and most municipalities did not ensure that the privacy statements are findable. The study also revealed that privacy statements contained assurances and promises not aligned with the Dutch Personal Data Protection Act. (Beldad et al., 2009.) A scenario-based online survey of the same authors (Beldad et al., 2010) examined whether users read online privacy statements on municipal websites before supplied their personal data. They also examined whether the ease of finding and accessing privacy statements have an effect on users' perceptions of the trustworthiness of a municipal organization. The study showed that the availability and the ease of finding the privacy statements on municipal websites increased users' belief in the trustworthiness municipal organizations. The study also showed that the users' risk perceptions influence whether they read privacy statements on websites before they provide their personal data online. (Beldad et al., 2010.) A scenario-based Canadian study examined the impact of reading websites' privacy statements on the perceptions of control over privacy and trust in e-commerce. A fictional website was created and two experiment groups were recruited. The participants were asked to surf on the website and read the privacy statements. After that an online questionnaire was made. (Arcand et al., 2007.) The study showed that the mere presence of a privacy statement has a positive influence on perceived control whereas actually reading the privacy statements did not necessarily have a positive influence on trust. This is opposite to what has been assumed in privacy and trust literature. The authors suggested that it is important to consider the location of privacy statements. The statements should be placed in central locations on website -not in a periphery, because this ethical practice could be one key to increase users' perceptions of trust. (Arcand et al., 2007, p. 677.) West (2004) examined how e-government affects service delivery, democratic responsiveness and public opinion about government. Content analyses of city websites was performed excluding local or municipal offices. (West, 2004.) Though the focus was not on FOI and privacy statements, some findings are relevant. The results showed that information is often available, but if the website is structurally difficult to navigate, the site is not in fact actually open or accessible for citizens and the information is not findable. West (2004) suggested that governments should include the principle of ease-of-use in their website development as not all users have the equal technical or online capabilities. (West, 2004.) Armstrong (2011) examined the availability of public records and the level of transparency on county and school board websites via a content analysis of 134 local websites in Florida. Five undergraduate journalism students were asked to visit each site for no more than 15 minutes without using a search engine, as this is the maximum time most web surfers would spend when they want to find for a specific type of information that is clearly marked. (Armstrong, 2011.) The same idea of "easy to find" was also used in our study when examining Finnish municipalities' websites. Though Armstrong's (2011) study focused on the availability of public records, and not on FOI and privacy statements, the results are also relevant to mention. The study showed that online transparency is a more complex issue than just putting information online. It is crucial that the organizations also put emphasis on making the records available and easy to find. From transparency point of view it is important to pay attention to content and form of information and where it is placed on the site. The study showed that transparency is closely related to public outreach and professionalism. (Armstrong, 2011.) Hence, it seems that in general municipalities have paid seldom attention to keeping the great public informed about their privacy policy. Not all municipalities post privacy statements on their websites, and if there are privacy statements they are not easy to find. To increase citizens' belief on trustworthy municipal organization attention should be paid to the location and accessibility of the statements on a website, and the ease of findability.

Research questions and methods
The study was made by analyzing websites of the Finnish municipalities. In the beginning of the year 2016 there were 313 municipalities in Finland. Most of the municipalities are in the Finnish speaking areas, but 16 municipalities operate in Swedish and 33 municipalities are officially bilingual.
The municipalities have a broad responsibility for providing basic services to citizens. They are locally governed and have a right levy taxes. Local administration in municipalities is based on the principles of openness and publicity that are central in the Finnish FOI context and access to documents. Central in both concepts, openness and publicity, is records publicity. (Erkkilä, 2012.) In Finnish legislation, The Act on the Openness of Government Activities (621/1999) includes instructions on the openness of the public records and also the secrecy obligations. Personal Data Act (523/1999) implements the processing of personal data, the protection of private life and the other basic rights which safeguard the right to privacy, as well as to promote the development of and compliance with good processing practice. Several sectoral Acts (e.g. health care), Administrative Procedure Act (434/2003) and Local Government Act (410/2015) give all complementary demands when implementing the fundamental principles of publicity and privacy into practice.
Ideas of good government and service-orientated authority who informs and gives pro-actively advice to citizens are embedded in the Finnish legislation. Therefore, it can be hypothesized that one would easily find FOI and privacy statements on municipalities' websites.
The aim of the study is to find out if Finnish municipalities post FOI and privacy statements on their websites. The research questions are: 1) How many of Finnish municipalities have incorporated FOI and privacy statements on their websites?
2) How easy or difficult is it to find FOI or privacy statements on Finnish municipal websites?
The first question was answered by looking at whether the statements were located on the front page or if there were direct links to them at the front page. If the website did not have FOI or privacy statement or a link to statements at the front page, then it was studied whether the statements could be found easily in the municipal website by a simple search.

Data collection
The data was collected in two phases in 2016. At the first phase front pages of municipal websites (n=313) were observed to find out the availability of the statements. After preliminary examination four websites were left out from the study because the front page did not work properly, the page was not found or the page was being updated. Finally, 309 municipalities were selected for the first phase. The analysis examined whether FOI and privacy statements could be found at the front page and what concepts were used in this connection. The study also examined whether there were direct links to these subjects. Only clearly marked items were searched at this point.
The second phase focused on simple search inquiries. Findings from the study by Beldad et al. (2009) show that the size of the municipality does not automatically correlate with better privacy statement practices. Therefore, to obtain information from municipalities with different population sizes, ten biggest municipalities and after that every tenth municipality were chosen for the second phase. Two municipalities did not have a search possibility on their websites and were left out. Eventually the total number of the websites studied at the second phase was 38. Majority (87 % of 38) of them belong to a municipality in a Finnish speaking area.
Search words were formed by combining the concepts found at the first phase in municipal websites (tietosuoja, data protection; tietosuojaseloste, privacy description; and yksityisyyden suoja, privacy protection) with legal concepts found from Finlex Data Bank and the concepts recommended in YSA Finnish Thesaurus. YSA Thesaurus is generally used in Finnish libraries and it covers concepts both in Finnish and Swedish. As Finland is a bilingual country, search words were formed separately for the websites of Finnish and Swedish speaking municipalities. The search words are presented in the Table 1. Search inquiry was chosen as a method to see how easy or difficult it would be to find the information by search words. It was hypothesized that the relevant information would be found easily and quickly within first twenty search results. This phase followed the ideas of West's (2004) "easy-to-use" and Armstrong's (2011) "clearly-marked-items", though strict time limits were not used in this study.
As websites change rapidly it was impossible to go back to a certain moment in time and see how the web page looked at that moment. This was a challenge for the analyzing process. Therefore, print screens from municipalities' websites were captured to document the results of the search. Also, the number of the search results and short notes of search enquiry sessions were documented in an excel sheet.

Findings
Research findings of the study provide information on how Finnish municipalities inform citizens on their FOI and privacy practices on their websites. There were no direct links to FOI statements at the municipal front pages (n=0 of 309). Only four of the municipalities (n=4 of 309; 1.3 %) had a direct link on the front page to a privacy statement. All four municipalities represented Finnish speaking areas. They were not of the same size. The smallest municipality had nearly 2000 and the biggest over 100 000 inhabitants.
The four links that were found at the first phase were labelled: tietosuoja (data protection), tietosuojaseloste (privacy description) and yksityisyyden suoja (privacy protection). The links included information on register, privacy or system descriptions, and online-privacy issues, such as how the organizations collect data of the persons who visit their website, how they collect GIS data, and how they use cookies. However, these were not FOI and privacy statements looked for in this study.
The results from the second phase show that at web pages of nine municipalities (n=9 of 38; 8 Finnish (Fi) / 1 Swedish (Sw)) one could find no information via searches by the search words. Five municipalities (n=5 of 38; 5 Fi) gave search results with every search word. Twenty-four municipalities (n=24 of 38; 20 Fi / 4 Sw) provided search results with some but not all words. The words that were recommended by YSA Finnish Thesaurus did not provide as many search results as commonly used or legal concepts. The number of the search results varied between big and small municipalities. Websites of the big municipalities could give even thousands results whereas in smaller municipalities the number was no more than some dozens. Big cities had search engines that provided keyword suggestions or the possibility to conduct advanced searches.
Search results led to various kinds of webpages which had something to do with privacy. For instance, at one of the webpages (number of inhabitants nearly 100 000) search word tietosuoja (data protection) lead to the city administration's site where the principles and practices of the usage of health records were briefly explained. At another webpage (number of inhabitants in the municipality less than 10 000) the same search word directed to the city's Information Management unit where concepts of data protection, information security and privacy protection were defined in plain language. Also the legislation behind the concepts was briefly explained with links to the Finnish legislative database Finlex.
Finding relevant policy documents in the search results was not easy. Large search results often included links to websites external to the municipal administration. For instance, there could be a link to the home page of the local library or a list of pages retrieved randomly by Google. In addition, large search results included outdated documents the purpose of which was not to give guidance on FOI and privacy issues. There were e.g. municipal decisions in matters that were closed years ago.
In summary, FOI and privacy statements could not be easily found on the analyzed municipal websites. Direct links to FOI statements or other clearly marked items to this subject were not available on the municipal front pages (n=0 of 309). Only four of the municipalities (n=4 of 309; 1.3 %) provided direct links on their front pages to a privacy statement, but they were not FOI and privacy statements looked for in this study. The search inquiry phase of the study also revealed that even when an effort had been made to provide information on municipal FOI and privacy practices, the information tended to be scattered on the website and not easy to find.

Discussion
The aim of the study was to find out whether Finnish municipalities post FOI and privacy statements on their websites and whether these statements are easy to find. The findings showed that municipal front pages did not contain FOI and privacy statements in the sense that were looked for in this study. The results are in line with previous findings (e.g. Dias et al., 2013;Beldad et al., 2009 andMiranda et al., 2009) that have indicated that not all municipalities regard FOI and privacy issues as a priority, and that not all municipalities bother to post the statements on their website. Although the Finnish FOI tradition has longer roots than the FOI practices in most countries, there were no differences in how FOI and privacy statements were presented at municipal websites.
The second research question was whether FOI or privacy statements could be found by making a simple search enquiry. The finding was that even when there was an effort to provide information on municipal FOI and privacy practices, finding this information was time consuming and challenging as the information tended to be scattered and behind several mouse clicks. A large search result did not necessarily mean that the information retrieved was relevant, because a large search result often provided useless, outdated and irrelevant information. This is again in line with previous findings which have demonstrated that municipal websites have links that point to nonexistent privacy policies (Dias et al., 2013); most municipalities do not ensure the findability of privacy statements (Beldad et al., 2009); most often information that is available on a municipal website is related to buses, museums, libraries, touristic and culture (Miranda et al., 2009); and, websites are structurally difficult to navigate, and therefore the sites are in fact not open or accessible for citizens and the information they need cannot be found (West, 2004).
The study also showed that the size of the municipality did not correlate with better FOI and privacy practices, which again is in line with previous findings (e.g. Beldad et al., 2009). It can be argued that more important than the size of the municipality is whether organizations regard FOI and privacy important, and what actions they have chosen for making these topics visible for the citizens.
Overall, if citizens are required to have sophisticated information retrieval skills to find crucial information on municipal websites, such as practices and rules relating to FOI and privacy issues, then we are far away from the ideal of good government, a transparent municipal and transparent municipal website structure (see e.g. Miranda et al., 2009, p. 429, p. 437). Neither is the idea of "ease-of-use" then actualized (see e.g. West, 2004).
The study has several limitations. Firstly, releasing website FOI and privacy statements in the web is only one possible indicator of the attitudes of municipal authorities towards FOI and privacy issues. Secondly, lack of statements does not necessarily mean that citizens do not know their rights. Thirdly, the study does not conclusively show that FOI and privacy statements are totally missing from the websites. It only shows that they cannot be found easily by a direct link from the front page or with a simple search inquiry.

Conclusion
Poor visibility of FOI and privacy statements on Finnish municipal websites might be explained in several ways. At this point one can only speculate what the reasons are. Is the legislation so complex that it makes the whole picture even for the authorities difficult to understand and summarize shortly? Is it a question of organizational information culture, failed records management practices, unclear division of responsibilities or other structural issues? Or is it a question of differences between professional groups in the organization; i.e. how they understand and value such things as FOI and privacy? These questions are difficult to answer and they are out of the scope of this study.
Do the results tell something about Finnish municipalities' trustworthiness? This study does not answer this question. However, previous studies argue that ethical practice, i.e. availability and ease of finding privacy statements on central locations on municipal websites would increase citizens' perceptions of trust and belief in the trustworthiness of a municipal organization (Beldad et al., 2010, 238;Arcand et al., 2007, p. 677). The absence of the FOI and privacy statements on municipalities' websites can be significant since trust is an important factor for egovernment adoption (Dias et al., 2013, p. 94-95). Are Finnish citizens able to evaluate the trustworthiness of Finnish municipalities if the FOI and privacy statements are not available and easily findable on municipalities' websites? From where do they get information about their rights? If the information comes from the media, is it always based on objective facts and can it be trusted? Previous studies have concluded that problems and misunderstandings often occur if the media is the only source of information for citizens about FOI (see e.g. Holsen et al., 2007; here Morag & McMenemy, 2013). For this reason, municipalities need to adopt a proactive approach.
Lack of information about FOI and privacy policies generates some further questions. Future studies should examine how aware Finnish citizens are about their rights and whether citizens trust municipal organizations to handle information correctly respecting the privacy of citizens. The reasons why municipalities have not posted FOI and privacy statements on websites are also interesting. Generally, citizens in the Nordic countries are said to have a high degree of trust in public administration. Therefore, the lack of information at the websites does not necessarily mean that there is also lack of trust in public sector information management. The citizens may trust on authorities even though the authorities have not explicitly committed themselves to the principles of FOI and privacy, and-on the other hand-the authorities may find informing the citizens unnecessary because they believe that the policies are self-evident. However, as long as there is no research on the subject we cannot say whether this is the case.