Watchdog: Gov bods should rummage through BINS for FOI data

Files sitting in electronic trash cans fair game for disclosure – ICO

Public sector bodies will generally be required to disclose information even if it is stored in computer 'recycle bins', the Information Commissioner's Office (ICO) has said. The watchdog has issued new guidance (25-page/350KB PDF) to help public bodies which are subject to the UK freedom of information (FOI) or environmental information laws to determine whether they hold information that should be disclosed when requested.

Under UK FOI laws and the Environmental Information Regulations (EIR) individuals have a right to ask for and, generally, be provided with certain information held by government departments and public bodies.

The ICO said that, notwithstanding some exceptions to this general rule on disclosure, public sector bodies will have to disclose information that is held in a computer "recycle bin". It said, though, that whilst information that is deleted from recycle bins can "technically be recovered until it has been overwritten", public bodies will not generally be said to 'hold' the information for the purposes of disclosure.

If information is deleted from a computer recycle bin unintentionally, however, public bodies could still have to disclose it under FOI or EIR, the watchdog said.

"There are situations where information that is still required for a business purpose is mistakenly deleted through user error, virus or disaster," the ICO said in its guidance. "In these circumstances, the public authority will intend to recover the information for its own purposes and so the information should still be regarded as held by the public authority. As a general rule, information that is capable of being overwritten and has been intentionally deleted will not be held."

The ICO said that it "recognises" that its view differs from that taken in a ruling by the Information Rights Tribunal in 2005. It said that whether public bodies hold deleted information should be determined by the public authority's intentions, and not by the "practicalities of restoring the information".

"Public authorities are entitled to delete information they no longer require, and indeed they should do so in accordance with good records management practice," it said. "If information was still said to be held when it had been intentionally deleted in line with the public authority’s disposal schedule it would undermine the principle of good records management."

The ICO said that, generally, public bodies will not be said to hold information that is subject to disclosure under the FOI or EIR regimes if it is merely stored on "backup" systems. This, it admitted, contrasts with the view of the Lord Chancellor in his code of practice issued to public bodies, under the terms of the FOI Act, on the management of records.

"As a general rule, the Commissioner considers that information contained on a backup is not held," the ICO said. "This is because, generally, the public authority will have no intention of accessing the information on the backup. Again the Commissioner’s focus is on the intention of the public authority rather than whether the records can actually be recovered."

"There are, as always, exceptions. Where data has been lost from the main computer and the public authority intends to use the backup to restore that data, the Commissioner considers that the information is held. There have also been situations where, in the absence of a proper records management policy, the backup has been used for all intents and purposes as an archive," it added.

In its guidance the ICO also said that 'metadata' and "style settings" associated with documents will only be disclosable under FOI or EIR if the information is specifically requested. The watchdog described metadata as "information on the properties of electronic documents" that includes details about the "author, dates, editing history, size, file paths, security settings and any email routing history".

"If an applicant specifically requests information on the properties of an electronic document, public authorities will be obliged to provide it, subject to other provisions in the relevant legislation," the ICO said. "However, if it is not requested there is no expectation that public authorities will provide it."

The ICO said that it will determine "on the balance of probabilities" whether public bodies hold information but have not disclosed it when they ought to have under the FOI and EIR regime. It said it would "consider the scope, quality, thoroughness and results of the searches" that public sector bodies conducted for the information requested, and/or any "other explanations offered as to why the information is not held".

If public authorities can show that there was not a "business need" for them to store information that is sought under the FOI or EIR laws, then the ICO may be "persuaded that no information is held," it said.

The ICO's guidance also outlined that in circumstances where public bodies are asked to provide "lists or schedules" of information that they have not themselves compiled, they could still be said to hold the information and have, generally, to disclose it.

"If the public authority had already produced a list for its own business needs, the information is clearly held," the ICO said. "However, usually the public authority will not hold an actual list. It will hold the correspondence referred to in the request and the information required to produce the schedule will be contained in that correspondence. It is simply a case of extracting the relevant information (the individual building blocks) from the correspondence and organising them into a schedule. The extraction of existing information and presenting it as a schedule is not the creation of new information."

Copyright © 2012, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.
