Back-ups, BYOD and FOI risks

February 22, 2012

An appeal under the Environmental Information Regulations 2004 (EIRs) to the First-Tier Tribunal (Information Rights) has highlighted important considerations relating to back-up data and the scope of freedom of information legislation.  The appeal related to a request made to the University of East Anglia’s Climate Research Unit for ‘any instructions or stipulations’ attached to an e-mail sent by the Director of CRU to Georgia Tech University.[i]  UEA had argued that the information was not held because:

  • the Director had deleted the e-mail from his personal computer as part of his usual practice of managing e-mails;
  • staff e-mails were backed up onto a back-up server, although UEA had no access to the server as it was in the possession of the police as part of their investigation into the ‘Climategate’ affair;
  • in any event, the covering e-mail did not contain any instructions or stipulations relevant to the request.

The Information Commissioner had held that, on the balance of probabilities, UEA did not hold the requested information.  In overturning the Commissioner, the Tribunal held that it was more probable than not that the e-mail contained instructions, as it ‘was a rather obvious place to set out such matters.’[ii]  In addition, the Tribunal concluded that it was more probable than not that the e-mail had been backed up to CRU’s server; it was critical of the UEA representative’s lack of knowledge of its back-up systems and the lack of any coherent deletion and retention policy. 

It then assessed whether an e-mail on a back-up server but deleted from the personal computer on which the original was composed was ‘held’ for the purposes of the EIRs.  It concluded that it was, dismissing UEA’s argument that the intentional deletion of the e-mail put it in a different position from an e-mail that the University intended to keep and which was backed up for disaster-recovery purposes.  While admitting that there was ‘some logic’ to the University’s position, the Tribunal noted that the purpose of a back-up is ‘precisely to ensure that a document is not lost.’[iii]  It commented again on the lack of any coherent retention and deletion policy, noting that any time-frames for retention in such a policy should be reflected in the back-up programs.  The Tribunal noted a previous First-Tier Tribunal decision in which it had been concluded that ‘simple restoration from a…back-up tape should normally be attempted, as the Tribunal considers that such information continues to be held.’ [iv]

So what are the practical implications of this case?  Where it is more likely than not that information relevant to a Freedom of Information Act (FOIA) or EIRs request existed in a deleted e-mail, document or file, a public authority will need to search its back-up servers, unless the back-up copy has also been deleted consistent with the timelines in its retention policy.  Needless to say, it will be crucial for public authorities to actually have retention and deletion policies, for those policies to be enforced and to be reflected in back-up procedures.

This may of course be easier said than done.  International Data Corporation figures indicate that the amount of unstructured data generated between 2005 and 2011 increased at a 63.7% compounded annual growth rate, twice the growth rate of structured data.[v]  Despite the existence of retention policies, employees may remain ‘loathe to delete e-mail or other files because they worry they will be required to produce them at a later date for compliance, auditing, or legal e-discovery purposes.’[vi]  With volumes of back-up data also increasing due to these concerns, restoration may not be a ‘simple’ process.  However, if back-up data is not regularly purged in line with a retention policy, this will increase the likelihood that a back-up copy of deleted, lost or destroyed information will be ‘held’ by a public authority for the purposes of a freedom of information request, thus requiring a potentially complex and time-consuming restoration to be carried out.

The situation may be further complicated by the use of private devices for work purposes.  Deloitte’s 2011 Global Security Study noted that ‘Another rapidly developing risk area is the consumerization trend (eg. ‘Bring Your Own Device’ (BYOD)) in which employees are allowed to use their own personal communication devices for work-related activities.’[vii]  43% of respondents said that they supported both corporate-provided mobile devices and personal devices.  BYOD is not confined to the private sector.  The socitm IT Trends in local public services survey 2011/12 found that more than 90% of respondents were happy to allow their workforce to use their home PC to carry out work functions.  60% allowed the use of the employee’s laptop and 30% allowed the use of smartphones.[viii]

Although, in many cases, information created on private devices may not be backed up to a public authority’s server, this is unlikely to take such information outside of the scope of the FOIA or EIRs.  A public authority that permits the use of private devices for work purposes and/or the creation of work-related documents or information outside of the employer’s system (for example, on a memory stick using a personal laptop) will therefore need to determine whether information relevant to a FOIA or EIRs request is likely to be held on a private device.  If it is, the individual should be asked to search their device.  An attempt by an organisation to insist on carrying out a search of a private device itself may well run up against substantial privacy, confidentiality and practical issues.

Records management policies should clarify the types of information and documents that would be regarded as ‘held’ on behalf of the authority, even if retained on a private device, and so subject to disclosure.  It would be highly advisable for those policies to clarify how such information is to be made subject to the authority’s retention and back-up policies and procedures.  What action would be required when an employee decides to leave the organisation for instance?

Ultimately, as the Information Commissioner has pointed out in his guidance on official information held in private e-mail accounts, ‘in order to avoid the complications of requesting searches of private e-mail accounts, and other private media, records management policies should make clear that information on authority-related business should be recorded on the authority’s record keeping systems in so far as reasonably practicable.’ [ix]

Marion Oswald is a Solicitor and is Senior Lecturer at the Centre for Information Rights, Department of Law, University of Winchester.

[i] Keiller v IC & University of East Anglia, EA/2011/0152, 18 January 2012

[ii] Note i, 11

[iii] Note i, 12

[iv] Harper v IC (EA/2005/0001)

[v] Dump that data, Engineering & Technology, January 2012, 52

[vi] Note v, 50

[vii] Deloitte Touche Tohmatsu Limited, Raising the Bar 2011, TMT Global Security Study – Key Findings, 14