By John Lettice for The Register
This article has been reproduced with permission.
But don't get too excited although in theory this means
that data that can be undeleted, restored from backups or
reconstructed by specialists can still be supplied in
response to FOIA requests, in practice the whole show will still
collapse when it encounters the haphazard shambles that UK
Government backup regimes amount to.
Information Tribunal chairman John Angel indulges in a
substantial philosophical digression on the nature of deleted in
this recent adjudication, which involved a
request to the Royal Mail for personnel data which had been
'deleted'. The Tribunal's conclusion in this case was that the data
really had been deleted anyway (so it couldn't be handed over,
anyway), but the ruling also tries to nail down the extent to which
deleted data can still be counted as "held".
First, the good news: "The Tribunal understands that information
which is held electronically and then deleted (and even emptied
later from a 'recycle bin' or 'trash can') is still in fact
retained in its original form on the computer system until it is
subsequently and actually overwritten by other information." In
view of this "it may be incumbent on a Public Authority to make
attempts to retrieve deleted information. Accordingly the authority
should establish whether information is completely eliminated, or
merely deleted."
The Tribunal's setting down of this obligation is certainly
progress, because it means that authorities subject to FOIA
requests can't simply say that, as the data no longer exists on a
live system, it doesn't exist, full stop. The Tribunal doesn't
philosophise on the extent to which backups are archive data or
deleted data (bit of both, depends, right?) but here it doesn't
really need to, because for the purposes of the Act it's
effectively deeming all backup data as archived until it is
completely deleted.
This overturns guidance from both the Information Commissioner
and the Department of Constitutional Affairs. The Commissioner has
regarded information on backups as not being "held by a
public authority for the purposes of FOI", and that "information
sent to the back-up server is no longer readily retrievable for
business purposes" (ah, but see below...). The DCA, meanwhile,
humorously tells us "where it is the intention that data should be
permanently deleted, and this is not achieved only because the
technology will not permit it, authorities may regard such data as
having been permanently deleted."
But you'll have noted the Tribunal said "it may be incumbent..."
That "may" is the catch. "If information has been deleted but can
be recovered by various technical means, is that information still
held by the public authority? The Tribunal finds that the answer to
this question will be a matter of fact and degree depending on the
circumstances of the individual case... Simple restoration from a
'trash can' or 'recycle bin' folder, or from a back-up tape, should
normally be attempted, as the Tribunal considers that such
information continues to be held." But beyond that, attempted
restoration involving "the use of specialist staff time" would be
subject to the cost exemptions in the Act. A local authority can
refuse a request if the retrieval cost would be more than £450,
while for a Government department the limit is £600.
So if it costs more than a few hundred pounds to undelete the
data, you can be legally told to push off anyway. When it talks
airily of restoring backups, one suspects that the Tribunal is not
entirely in tune with the real world here. Even in a well run
network restoration will often be a non-trivial task involving
specialist staff (which, actually, it should be), and it
seems perfectly feasible that an authority could successfully argue
that simple restoration from a backup tape might in some cases
exceed the cost limit. The Tribunal also suggests that "the Restore
facility in Windows will restore the system to the way it existed
on a previous date chosen by the operator" we presume
they've never been foolish enough to try this.
We should note an unpleasant little truth that springs from the
Tribunal's conclusions. If there are no coherent groundrules or
minimum standards governing public authority retention and archive
policies (there aren't), then the worse the IT system is at dealing
with retention, archive and backup, the less likely it is to have
to respond positively to FOIA requests. There's a pay-off for bad
IT strategy; 'I've deleted it' or 'It might be in there somewhere
but it'll cost thousands to retrieve it' are deemed valid excuses,
rather offences punishable by large fines, so that's all right
then, and no, you can't have the information.
