Does information that has been deleted from a system fall within the scope of the Freedom of Information Act?
Within large organisations, information from IT systems is periodically deleted to prevent large build-ups of information and system crashes. The Freedom of Information legislation provides a right of access to information that is "held" by public authorities. What is the position in respect of information that has been deleted? Does the deleted information, which was once held by a public authority, fall within the scope of Freedom of Information? This issue was considered in a recent decision of the Information Tribunal in respect of the Freedom of Information Act 2000.
Harper v Information Commissioner
In this case, Mr Harper, an employee of the Royal Mail (a public authority) requested information from his personal file. Mr Harper wanted details of how often his personal file had been requested over a particular period. The Royal Mail claimed that they did not have this information and the Information Commissioner accepted this. Mr Harper then appealed his case to the Information Tribunal. The Tribunal found in favour of the Information Commissioner and provided some useful guidance in relation to the position of deleted information.
The Royal Mail claimed that although at one time they would have held this information, it had since been deleted from their system and were therefore unable to provide it to Mr Harper. The Royal Mail explained that they periodically deleted information from their system to prevent it from crashing. The Tribunal looked at the position of deleted electronic information. If the public authority had held information but that information had since been deleted, does that mean that the information requested no longer came within the scope of the Act?
Information that is "held" by public authorities
In reaching its decision, the Tribunal considered the right of an applicant to be informed by a public authority if it holds the information requested and the right for the information requested to be communicated to the applicant. This lead the Tribunal to consider what was meant by information "held" by a public authority. Information to which the Act applies includes any information that is "held at the time when the request is received, except that account may be taken of any amendment or deletion made between that time and the time when the information is to be communicated …….being an amendment or deletion that would have been made regardless of the receipt of the request".
Deletion of information – lawful or unlawful?
The Tribunal considered the situation where information is held at the time of the request but is deleted before compliance with the request is required. The Tribunal held that if information is routinely deleted, say on the 1st of January of each year, or on 31st of each month, and these dates fall between the request and the deadline for compliance, then the deletion of information by the public authority would be lawful. If, on the other hand, the public authority intentionally and specifically decided to delete relevant information between request and the time for compliance then this would be unlawful. Accordingly, routine deletions are permitted and these would have the effect that there should be no obligation to provide copies of deleted information to an applicant.
Recovery of deleted information
The Tribunal also looked at the potential for recovery of the deleted data. The Tribunal drew a distinction between (i) information that can be restored to its previous state from the computer's own operating system, e.g. from a trash can or recycle bin, (ii) information that has been saved in backup tapes and (iii) information that involves "un-delete" or "recovery" and requires specialist software. The Tribunal concluded that whether the recovery of information should be attempted will be a matter of fact and degree in each individual case. The Tribunal did however conclude that, in relation to information that falls under category (i) or (ii) above, that recovery should normally be attempted. It also advised that attempts to recover information that require specialist staff or software may not be required as public authorities are not obliged to comply with requests where the cost of them complying could exceed the threshold (currently £600). The Tribunal concluded by requesting that the Information Commissioner provide public authorities with further guidance on this area.
The Information Commissioners had previously published guidance on deleted information and how it should be dealt with. This decision goes further than that guidance and is tougher on public authorities in relation to what steps should be taken but despite this, the decision should in general be welcomed. This decision is clear in both its guidance and the underlying intention and this should make life easier for those dealing with these issues and setting policies.