Feeds

Watchdog: Gov bods should rummage through BINS for FOI data

Files sitting in electronic trash cans fair game for disclosure – ICO

Choosing a cloud hosting partner with confidence

Public sector bodies will generally be required to disclose information even if it is stored in computer 'recycle bins', the Information Commissioner's Office (ICO) has said. The watchdog has issued new guidance (25-page/350KB PDF) to help public bodies which are subject to the UK freedom of information (FOI) or environmental information laws to determine whether they hold information that should be disclosed when requested.

Under UK FOI laws and the Environmental Information Regulations (EIR) individuals have a right to ask for and, generally, be provided with certain information held by government departments and public bodies.

The ICO said that, notwithstanding some exceptions to this general rule on disclosure, public sector bodies will have to disclose information that is held in a computer "recycle bin". It said, though, that whilst information that is deleted from recycle bins can "technically be recovered until it has been overwritten", public bodies will not generally be said to 'hold' the information for the purposes of disclosure.

If information is deleted from a computer recycle bin unintentionally, however, public bodies could still have to disclose it under FOI or EIR, the watchdog said.

"There are situations where information that is still required for a business purpose is mistakenly deleted through user error, virus or disaster," the ICO said in its guidance. "In these circumstances, the public authority will intend to recover the information for its own purposes and so the information should still be regarded as held by the public authority. As a general rule, information that is capable of being overwritten and has been intentionally deleted will not be held."

The ICO said that it "recognises" that its view differs from that taken in a ruling by the Information Rights Tribunal in 2005. It said that deciding whether public bodies hold deleted information should be determined by public authority's intentions, and not on the "practicalities of restoring the information".

"Public authorities are entitled to delete information they no longer require, and indeed they should do so in accordance with good records management practice," it said. "If information was still said to be held when it had been intentionally deleted in line with the public authority’s disposal schedule it would undermine the principle of good records management."

The ICO said that, generally, public bodies will not be said to hold information that is subject to disclosure under the FOI or EIR regimes if it is merely stored on "backup" systems. This, it admitted, contrasts with the view of the Lord Chancellor in his code of practice issued to public bodies, under the terms of the FOI Act, on the management of records.

"As a general rule, the Commissioner considers that information contained on a backup is not held," the ICO said. "This is because, generally, the public authority will have no intention of accessing the information on the backup. Again the Commissioner’s focus is on the intention of the public authority rather than whether the records can actually be recovered."

"There are, as always, exceptions. Where data has been lost from the main computer and the public authority intends to use the backup to restore that data, the Commissioner considers that the information is held. There have also been situations where, in the absence of a proper records management policy, the backup has been used for all intents and purposes as an archive," it added.

In its guidance the ICO also said that 'metadata' and "style settings" associated with documents will only be disclosable under FOI or EIR if the information is specifically requested. The watchdog described metadata as "information on the properties of electronic documents" that includes details about the "author, dates, editing history, size, file paths, security settings and any email routing history".

"If an applicant specifically requests information on the properties of an electronic document, public authorities will be obliged to provide it, subject to other provisions in the relevant legislation," the ICO said. "However, if it is not requested there is no expectation that public authorities will provide it."

The ICO said that it will determine "on the balance of probabilities" whether public bodies hold information but have not disclosed it when they ought to have under the FOI and EIR regime. It said it would "consider the scope, quality, thoroughness and results of the searches" that public sector bodies conducted for the information requested, and/or any "other explanations offered as to why the information is not held".

If public authorities can show that there was not a "business need" for them to store information that is sought under the FOI or EIR laws, then the ICO may be "persuaded that no information is held," it said.

The ICO's guidance also outlined that in circumstances where public bodies are asked to provide "lists or schedules" of information that they have not themselves compiled, they could still be said to hold the information and have, generally, to disclose it.

"If the public authority had already produced a list for its own business needs, the information is clearly held," the ICO said. "However, usually the public authority will not hold an actual list. It will hold the correspondence referred to in the request and the information required to produce the schedule will be contained in that correspondence. It is simply a case of extracting the relevant information (the individual building blocks) from the correspondence and organising them into a schedule. The extraction of existing information and presenting it as a schedule is not the creation of new information."

Copyright © 2012, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.

Security for virtualized datacentres

More from The Register

next story
The 'fun-nification' of computer education – good idea?
Compulsory code schools, luvvies love it, but what about Maths and Physics?
Ex-US Navy fighter pilot MIT prof: Drones beat humans - I should know
'Missy' Cummings on UAVs, smartcars and dying from boredom
Facebook, Apple: LADIES! Why not FREEZE your EGGS? It's on the company!
No biological clockwatching when you work in Silicon Valley
Happiness economics is bollocks. Oh, UK.gov just adopted it? Er ...
Opportunity doesn't knock; it costs us instead
'Cowardly, venomous trolls' threatened with TWO-YEAR sentences for menacing posts
UK government: 'Taking a stand against a baying cyber-mob'
Sysadmin with EBOLA? Gartner's issued advice to debug your biz
Start hoarding cleaning supplies, analyst firm says, and assume your team will scatter
Doctor Who's Flatline: Cool monsters, yes, but utterly limp subplots
We know what the Doctor does, stop going on about it already
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.