Lost and found?

A recent First-Tier Tribunal EIR ruling is an important reminder for authorities to spend time reviewing their IT retention and deletion of data policies, writes Dan Lucas.

We readily press the 'delete' button on a daily basis. But what does it actually mean to “delete” an e-mail? And how does an authority know whether an item has indeed been “deleted”? After all it seems child’s play, does it not?

The First-Tier Tribunal was faced with such quandaries in the case of Keiller v Information Commissioner (1) and University of East Anglia (2) (EA/2011/0152) (18 Jan 2012) within the context of a request for information under the Environmental Information Regulations 2004.

The “Climategate” Scandal

The request before the Tribunal stemmed from what is now known as the “climategate” scandal. Those with good memories will recall the headlines surrounding the Copenhagen Summit of December 2009. In summary, the Climatic Research Unit (“CRU”) at the University of East Anglia (“UEA”) had its servers allegedly hacked in November 2009, and 160MB of data comprising 1,000 emails and 3,000 other documents were obtained and published. The security breach led to groups asserting that the information supported the theory that global warming was a scientific conspiracy. To date Norfolk Constabulary retain the seized servers as part of their ongoing investigation. The request before the Tribunal was made to UEA by the Appellant Dr. Don Keiller and comprised two aspects, one of which was the concern of the Tribunal:

“I hereby request:

2) A copy of any instructions or stipulations accompanying the transmission of data to Peter Webster and/or any other person at Georgia Tech between 1 January 2007 and June 25 2009 limiting its further dissemination or disclosure.”

On 11 September 2009 UEA refused the Appellant’s request relying on Regulation 12(4)(a), stating that it did not hold the information requested. The Commissioner conducted an investigation between November 2009 and May 2011 and concluded by way of a decision notice dated 23 June 2011 that UEA did not hold the information requested and that UEA had been right to refuse the request in reliance on regulation 12(4)(a).

The Commissioner, in forming his conclusions, relied upon UEA’s submissions that: Prof. Jones of the CRU had sent emails to Georgia Tech during the requested period; that he had searched his own email inbox and had not found any emails; that at some time prior to the request he had deleted the relevant email as part of his usual practice of email management; that emails at CRU are held on individual terminals, although they are backed up to a server managed by CRU; that the back-up server was in the custody of Norfolk Constabulary due to their ongoing investigations; and that in any event the email did not contain any “instructions or stipulations”.

The Tribunal was tasked to examine the veracity of the “not held” decision.

The decision in Keiller

The resulting decision in Keiller does not tread new ground. Practitioners in the information rights field know that what is “held” for the purposes of the Freedom of Information Act 2000 (“FOI”) and the Environmental Information Regulations 2004 (“EIR”) is a relatively wide concept. We shall return to this point later.

For now, however, Keiller seems to be more useful in illustrating how not to manage records. A pivotal finding by the Tribunal was the lack of a “coherent deletion/retention policy for emails” (para 24), alongside the evidence (or lack of it) about whether or not the e-mails requested had been deleted from servers. It seems the Tribunal’s hands were tied and it had to conclude that the information was therefore “held” for the purposes of regulation 12(4)(a) of the EIR. Yes, the email may have been deleted by the user from their terminal; nevertheless, on balance it was still present on a back-up server.

The University advanced a novel argument and tried to draw a distinction between information which was intentionally retained by the organisation and information which a user had deleted, the latter falling into a different class from the former. The point rested upon “back-up” servers existing for disaster recovery of intentionally held information.

Again the Tribunal, whilst acknowledging some merit in the argument, continued: “Whilst we can see some logic to this position, we noted that the purpose of back up is precisely to ensure that a document is not lost; the lack of any coherent policy on retention and deletion of documents, and that had there been timeframes in such a policy, we would have expected these to be reflected in the back up programs operated on the server.” (para 28).

Such comments endorse not only the point that the creation of deletion/retention policies is key, especially so for e-mails, but also that those policies must be reflected in practice, via the operation of programs designed to purge the servers at specific times.
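To make the Tribunal’s point concrete, the following is an added illustration (not code from the Tribunal, UEA or the ICO) of what “a policy reflected in the back up programs” can look like in practice: a retention rule with a stated timeframe is applied mechanically to a set of back-up records, items under an investigation or litigation hold are exempted, and every decision is written to an audit trail that can later be produced to show the search and purge actually happened. The item identifiers, dates, the 365-day retention period and the hold flag are all constructed for the example and are not taken from the case.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class BackupItem:
    """One e-mail (or other record) as it exists on the back-up server."""
    item_id: str
    owner: str
    created: datetime
    on_hold: bool = False  # true if seized/under investigation: never purge

@dataclass
class RetentionPolicy:
    """The timeframe the written policy promises; the purge job must honour it."""
    retain_days: int

def select_for_purge(items, policy, now):
    """Apply the policy to every backed-up item.

    Returns (purge, keep): 'purge' is the list of items older than the
    retention window and not on hold; 'keep' pairs each retained item with
    the reason it was retained, so the audit trail explains every decision.
    """
    cutoff = now - timedelta(days=policy.retain_days)
    purge, keep = [], []
    for item in items:
        if item.on_hold:
            keep.append((item, "legal/investigation hold"))
        elif item.created < cutoff:
            purge.append(item)
        else:
            keep.append((item, "within retention period"))
    return purge, keep

def audit_lines(purge, keep, policy, now):
    """Render the run as plain audit-log lines (one per item plus a header)."""
    lines = [f"{now.isoformat()} retention run: policy={policy.retain_days} days"]
    for item in purge:
        lines.append(f"PURGE {item.item_id} owner={item.owner} "
                     f"created={item.created.date()} reason=older than policy")
    for item, reason in keep:
        lines.append(f"KEEP  {item.item_id} owner={item.owner} "
                     f"created={item.created.date()} reason={reason}")
    return lines

def run_demo():
    """Constructed sample data: three backed-up e-mails checked on 18 Jan 2012."""
    now = datetime(2012, 1, 18, tzinfo=timezone.utc)
    policy = RetentionPolicy(retain_days=365)
    items = [
        # old message, no hold: policy says it should already be gone
        BackupItem("msg-0001", "user-a", datetime(2009, 6, 1, tzinfo=timezone.utc)),
        # old message but on an investigation hold: must be kept regardless of age
        BackupItem("msg-0002", "user-a", datetime(2009, 6, 1, tzinfo=timezone.utc), on_hold=True),
        # recent message: still within the 365-day window
        BackupItem("msg-0003", "user-b", datetime(2011, 12, 1, tzinfo=timezone.utc)),
    ]
    purge, keep = select_for_purge(items, policy, now)
    return purge, keep, audit_lines(purge, keep, policy, now)

if __name__ == "__main__":
    for line in run_demo()[2]:
        print(line)
```

The design point is that the purge decision and the audit record come from the same rule as the written policy, so that when a “not held” response is challenged the authority can show both that the timeframe exists and that a program enforced it on the dates claimed, rather than relying on a user’s recollection of pressing delete.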

Deleted electronic records

Returning to whether an electronic document or file is “held”, guidance does come from the ICO. Awareness Guidance 8 (v.2, 9 Aug 2006) foretells the predicament that an organisation may face as a result of poor electronic records management: “Information located in desktop recycle bins is clearly subject to the FOIA as this continues to be held and is easily accessible. Once deleted from the recycle bin the information will also continue to be held unless the electronic record is completely erased from the computer system.”

So it seems the position has always been that even e-mails deleted from an inbox and from a recycle bin can be held if they are still present on servers. Keiller moves the goalposts in that the Tribunal has now expressed the view that where deletion/retention policies include timeframes, action to purge items should put the theory into practice.

In Bromley & Others v Information Commissioner (EA/2006/0072) the Tribunal expressed the view that there can “seldom be certainty” that information relevant to a request does not remain somewhere within an organisation, but that in deciding whether on a balance it does, numerous factors are pertinent. Accordingly, for ease of reference the Tribunal in Bromley identified the following factors:

  1. Size of the organisation;
  2. Quality of the authority’s analysis of the request;
  3. Consequent scope of the search following the analysis;
  4. Rigour and efficiency of the resulting search.

Keiller also deals with the Tribunal decision of Harper v Information Commissioner (EA/2005/0001). Time would be well spent reading the Harper decision concerning deletion/retention of electronic items, not only to expand upon the points discussed, but to understand how the Tribunal unravels the concept of “held” in the context of electronic records and the measures an authority should go to for retrieval.

Harper concludes that it is a matter of “fact and degree” depending upon the circumstances of a particular case. For ease, to assist those with less time, Harper points to the following retrieval methodologies: use of the “restore” facility to put a terminal back in the position it was in (at a moment in time) prior to deletion; “back-up tapes” and how networked terminals are preserved for specific periods; and finally, “undelete” or “recovery” via specialist software. The Tribunal was hesitant in offering a view (relying upon fact and degree); nevertheless it did proffer that in “simple” cases restoration or retrieval from back-up sources should be attempted.

Synthesising Harper, Bromley and Keiller

So where does this leave authorities now? This especially rings true given that the Tribunal in Harper expressed in very strong terms that: “The Information Commissioner should give serious consideration to issuing guidance to Public Authorities on this matter, and to enquiring himself, where appropriate, in relation to complaints made to him, whether an authority has considered the recovery of deleted material” (para 28).

The ICO in its Awareness Guidance Number 8 (alluded to above) acknowledges that its “position on this issue has been modified in light of the Tribunal decision in Mr P Harper v The Information Commissioner”. Nevertheless, very little is offered by the Commissioner by way of guidance other than simply stating that consideration should be given to whether what exists in deleted files may still be “held”.

The combined decisions in Harper, Bromley and Keiller signify, in my submission, that an authority must now be prepared for forensic scrutiny when relying on the “not held” exemption/exceptions. The bare minimum seems to be a coherent policy (or policies) which addresses deleted material and retention via servers. Of course, this may mean signposting, in a policy used for information/records management purposes, to IT policies and the time periods used for the elimination and purging of IT infrastructure. Better still, make it abundantly clear in FOI/EIR procedures/policies how such retrieval shall be attempted, when servers will be interrogated, and within what timeframes. As Keiller illustrates, if a policy is in place, then programs must follow through and implement it.

Conclusions

Whilst this is not a new matter to come before the Tribunal, the battlefield is definitely evolving. We have moved on from fact and degree and recovery strategies (Harper), to further guidance concerning what factors a tribunal shall consider when tasked with enquiring about an authority’s “not held” response (Bromley), to the inference that a policy must exist which considers the deletion/retention of electronic items and the implementation of the same (Keiller). Suffice it to say that it may now be worth revisiting such policies given that the season of spring-cleaning is upon us. And whilst you are in the mood, check those servers!

Dan Lucas is Havant Borough Council’s Senior Litigation Lawyer. He has worked for local government legal teams for more than six years.