Secondary legislation under the FOI Act

Letter to the Parliamentary Secretary at the Lord Chancellor’s Department.

Michael Wills MP
Parliamentary Secretary
Lord Chancellor’s Department
Selbourne House
54-60 Victoria Street
London SW1E 6QB

May 15, 2002

I said I would drop you a note about the opportunity to bring into force the offence of deliberately destroying information which has been requested under the Data Protection Act.

Section 77 of the FOI Act, not yet in force, will make it an offence for a person to destroy or alter a record which has been requested under either the FOI Act or the DP Act where this is done with the intention of preventing its disclosure.

The draft timetable on implementing the secondary FOI provisions acknowledges that this provision could be brought into force now (so that it would apply to the DPA) but says it “makes more sense” to delay commencement until the FOI right of access starts in January 2005.

I can’t see why this should be so. The provision merely penalises what public authorities must already recognise as unacceptable behaviour – the destruction of requested records in order to subvert an applicant’s right of access. There is no need for authorities to prepare or train for it or (except in the case of those deliberately flouting the law) to change existing procedures.

At present, an authority which destroys a record in order to prevent its disclosure does not commit an offence – but would breach the 6th data protection principle, which requires that data be processed in accordance with data subjects’ rights. If the Commissioner detects this, she could issue an enforcement notice under s 40 of the DPA, and any failure to comply with that notice (eg by destroying another record) would be an offence. This is a long-winded and unsatisfactory procedure which provides no deterrent against the initial infringement. A record which has been destroyed is lost for ever, and an enforcement notice after the event is of little use to the individual concerned. The s 77 offence would provide a realistic deterrent against the initial act.

An authority which destroys a record accidentally or for an innocent purpose would have nothing to fear, since the offence only applies if the destruction is done “with the intention of preventing the disclosure” [FOIA, s 77(1)]. In addition, the DPA already permits an authority to amend or delete information from the requested record if that amendment or deletion would have been made regardless of the request [DPA, s 8(6)]. So any normal updating of records which occurs before access is given would not be affected.

The only oddity of the section 77 offence is that it applies purely to public authorities and not to private bodies. The case for a similar offence for private bodies is compelling, but this cannot be done under FOI powers. However, this doesn’t provide grounds for deferring the provision, as the inconsistency will apply whether s 77 comes into force now, or in January 2005.

Bringing this offence into force would reflect the concern of the Performance and Innovation Unit report on data sharing, which repeatedly highlights the need to build public trust in authorities’ handling of personal data. The report uses the word “trust” more than 70 times, concluding that “if the public does not trust the way that the public sector handles personal information, then it will not be possible to achieve the potential benefits for individuals and for society from better use of that information…this would put at risk the potential gains for the public from the move to the electronic delivery of public services.”

Nothing is likely to be more corrosive of public trust than for people to discover that authorities can destroy requested records purely to cheat them of their rights. Given that a provision to prevent this has been enacted, its hard to see what could be gained by leaving it unimplemented for another two and a half years – whereas bringing it in now would have both practical and symbolic value.

Yours sincerely,

Maurice Frankel

Scroll to Top