ICO is wrong on back-ups

by | Oct 18, 2011 | FOI, ICO, Tribunal | 1 comment

A bout of insomnia drove me to the laptop, but I was too tired to do anything constructive. After some idle Guardian and Telegraph browsing, I gravitated to WhatDoTheyKnow – depending on your role, you may see it as a vital tool for democracy, or a sphincter-clenching irritant. From my lowly perspective in the private sector, I can see both sides, but my main use of WDTK is as the FOI equivalent of Jeremy Kyle. Spend a few minutes browsing, and you’re deep in the demented, the paranoid and the downright strange. What with WDTK’s fey new redesign, I decided that I would pass my sleepless hours with some whimsical musings on the site’s eccentricities for these pages.
And then as always I checked out the most recent requests on the Information Commissioner’s page, and I found something a lot more interesting. A request titled ‘Former ICO Head of Enforcement’ sounded entertaining, with the applicant worrying at the fact that the former head of ICO Enforcement is now working for a legal firm: http://tinyurl.com/6c9q2vp. This is, of course, not secret and not unusual – most people leave the ICO to become either FOI / DP Officers or private sector consultants (been there, doing that). I suspect that the applicant is barking up the wrong tree, but that’s not what really got my attention. It was this phrase, in the internal review, courtesy of Lesley Bett, the ICO’s Head of Internal Compliance (scroll down to the response on 13th October last week):
“I should mention that, in general, ICO takes the view that information on back up will not be regarded as ‘held’ for the purposes of the FOIA”
You’ve just heard the sound from Family Fortunes when the luckless cousin guesses wrong about something you find in the shower – if that answer’s there, I’ll give you the money myself.  In 2005, the Information Tribunal stated in Harper vs Royal Mail (http://tinyurl.com/6zaz5r3) that:
“The extent of the measures that could reasonably be taken by a Public Authority to recover deleted data will be a matter of fact and degree in each individual case. Simple restoration from a trash can or recycle bin folder, or from a back-up tape, should normally be attempted, as the Tribunal considers that such information continues to be held.” (my emphasis)
This case is one of the most well-known in FOI, because it is the one that established that documents that have been deleted from live systems are still held, with big impacts on email. Along with the John Connor Press Associates case about commercial prejudice, it was an early indication of how FOI might really bite.
More importantly, the idea that a certain kind of data is off-limits from FOI is counter-intuitive – the Act does not pick and choose which information is or isn’t covered (except when it grabs information held by other organisations). Thinking that back-up data isn’t covered goes against the way FOI works. Even if the time taken would probably put restoring from back-ups outside the cost limit in most cases, the data is still held. How could anyone in the ICO not know this?
I searched the Information Commissioner’s site for guidance that mention the view that back-ups aren’t covered, and couldn’t find anything. I asked a few people whose opinions I respect, and their view was that Harper undoubtedly applies. My search of the ICO website only turned up several cases where requested information was held on back up tapes – the ICO staff handling the cases did not rule them out as ‘not held’ but dealt with the request as normal (the reference numbers for some of the cases are: FS50169313, FS50092946, FS50121882, and FS50118129).
I did not start this blog purely to bash the Commissioner’s Office, and I enjoy praising their successes almost as much as I enjoy making fun of them. And maybe there is some basis for this new interpretation. Maybe it’s just a mis-statement in one FOI response. But it’s a big mis-statement, and one I can’t reconcile myself with. If it is the ICO’s settled view that back-ups are not covered by FOI, how have they come to this conclusion, contradicting logic, what the Act says, what the Tribunal says, and the conclusions of a brace of their own decisions? And if it is not the ICO’s settled view, why does the person ultimately responsible for the Commissioner’s compliance with FOI think that it is?

UPDATE: No change on back-ups, but the WDTK site is now un-pastellated and back to normal. Is there no end to my powers?