The watchdog has issued new guidance (25-page / 350KB PDF) to help public bodies which are subject to the UK freedom of information (FOI) or environmental information laws to determine whether they hold information that should be disclosed when requested.
Under UK FOI laws and the Environmental Information Regulations (EIR) individuals have a right to ask for and, generally, be provided with certain information held by Government departments and public bodies.
The ICO said that, notwithstanding some exceptions to this general rule on disclosure, public sector bodies will have to disclose information that is held in a computer "recycle bin". It said, though, that whilst information that is deleted from recycle bins can "technically be recovered until it has been overwritten", public bodies will not generally be said to 'hold' the information for the purposes of disclosure.
If information is deleted from a computer recycle bin unintentionally, however, public bodies could still have to disclose it under FOI or EIR, the watchdog said.
"There are situations where information that is still required for a business purpose is mistakenly deleted through user error, virus or disaster," the ICO said in its guidance. "In these circumstances, the public authority will intend to recover the information for its own purposes and so the information should still be regarded as held by the public authority. As a general rule, information that is capable of being overwritten and has been intentionally deleted will not be held."
The ICO said that it "recognises" that its view differs from that taken in a ruling by the Information Rights Tribunal in 2005. It said that deciding whether public bodies hold deleted information should be determined by public authority's intentions, and not on the "practicalities of restoring the information".
"Public authorities are entitled to delete information they no longer require, and indeed they should do so in accordance with good records management practice," it said. "If information was still said to be held when it had been intentionally deleted in line with the public authority’s disposal schedule it would undermine the principle of good records management."
The ICO said that, generally, public bodies will not be said to hold information that is subject to disclosure under the FOI or EIR regimes if it is merely stored on "backup" systems. This, it admitted, contrasts with the view of the Lord Chancellor in his code of practice issued to public bodies, under the terms of the FOI Act, on the management of records.
"As a general rule, the Commissioner considers that information contained on a backup is not held," the ICO said. "This is because, generally, the public authority will have no intention of accessing the information on the backup. Again the Commissioner’s focus is on the intention of the public authority rather than whether the records can actually be recovered."
"There are, as always, exceptions. Where data has been lost from the main computer and the public authority intends to use the backup to restore that data, the Commissioner considers that the information is held. There have also been situations where, in the absence of a proper records management policy, the backup has been used for all intents and purposes as an archive," it added.
In its guidance the ICO also said that 'metadata' and "style settings" associated with documents will only be disclosable under FOI or EIR if the information is specifically requested. The watchdog described metadata as "information on the properties of electronic documents" that includes details about the "author, dates, editing history, size, file paths, security settings and any email routing history".
"If an applicant specifically requests information on the properties of an electronic document, public authorities will be obliged to provide it, subject to other provisions in the relevant legislation," the ICO said. "However, if it is not requested there is no expectation that public authorities will provide it."
The ICO said that it will determine "on the balance of probabilities" whether public bodies hold information but have not disclosed it when they ought to have under the FOI and EIR regime. It said it would "consider the scope, quality, thoroughness and results of the searches" that public sector bodies conducted for the information requested, and/or any "other explanations offered as to why the information is not held".
If public authorities can show that there was not a "business need" for them to store information that is sought under the FOI or EIR laws, then the ICO may be "persuaded that no information is held," it said.
The ICO's guidance also outlined that in circumstances where public bodies are asked to provide "lists or schedules" of information that they have not themselves compiled, they could still be said to hold the information and have, generally, to disclose it.
"If the public authority had already produced a list for its own business needs, the information is clearly held," the ICO said. "However, usually the public authority will not hold an actual list. It will hold the correspondence referred to in the request and the information required to produce the schedule will be contained in that correspondence. It is simply a case of extracting the relevant information (the individual building blocks) from the correspondence and organising them into a schedule. The extraction of existing information and presenting it as a schedule is not the creation of new information."