The ICO brought its first successful conviction under the Freedom of Information Act 2000 (“FOIA”).
An individual had made a Freedom of Information (“FOI”) request to the council for an audio recording of a council meeting. The requester was advised by the clerk that the recording had been deleted in line with council policy.
The clerk had been aware of the FOI request and had nevertheless then deleted the recording in the days that followed.
Section 77 of the FOIA states a person “is guilty of an offence if he alters, defaces, blocks, erases, destroys or conceals any record held by the public authority, with the intention of preventing the disclosure by that authority of all, or any part, of the information to the communication of which the applicant would have been entitled.”
A clerk at Whitchurch Town Council admitted to the criminal offence of blocking records with the intention of preventing disclosure, in breach of section 77 of FOIA. She was fined £400, ordered to pay costs of £1,493 and a victim surcharge of £40.
Mike Shaw, Group Manager in Enforcement at the ICO, stated that: “This case is about the public’s right to know, and we will not hesitate to take action to protect people’s right to access the information they are entitled to.”
Parallels with the Data Protection Act 2018
This section of FOIA holds an interesting parallel with section 173 of the Data Protection Act 2018 (“DPA18”) which created a new criminal offence for organisations to alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure in the context of a data subject access request (“DSAR”).
A similar offence did not exist under the old regime (the 1998 version of the DPA) and was part of a general drive to bolster data subject rights as also established under the terms of the GDPR.
There is no difference in the penalties available: both are dealt with by way of fines, for which there is no limit to the sum that can be imposed. Of course, the FOIA offence is only available in respect of information held by public authorities, while the offence under the DPA18 relates to personal data and is applicable to all data controllers and those employed by them.
Defence under the DPA18 does not appear under the FOIA
Interestingly, there is a defence to section 173 of the DPA18 which simply does not exist in the FOIA s77 counterpart:
It is a defence for a person charged with an offence under subsection (3) to prove that (a) the alteration, defacing, blocking, erasure, destruction or concealment of the information would have occurred in the absence of a request made in exercise of a data subject access right, OR (b) the person acted in the reasonable belief that the person making the request was not entitled to receive the information in response to the request. (emphasis added)
These defences could arguably have been applicable to the clerk’s case, had they been available in the context of the FOIA offence.
It is interesting to note that public authorities are not afforded the benefit of the doubt under the FOIA that controllers are allowed under the DPA18.
An FOI request effectively freezes the status of the data as at the point of the application and prevents the recipient from altering/deleting it, even where it would (or should) have done so anyway. It is not clear why this is the case or should be the case in this context but not for the personal data equivalent.
The successful prosecution of this offence no doubt further bolsters the ICO’s argument for extended powers under FOIA, which it is also pushing for through its call for an extension to the scope of the FOI legislation, to include private contractors carrying out public functions, in its “Outsourcing Oversight?” report laid before Parliament on 28 January 2019