First Prosecution For Deleting Files under S.77 FOI

Section 77 of the Freedom of Information Act 2000 (FOI) makes it a criminal offence for a person to do anything with the intention of preventing the disclosure of information pursuant to an FOI request. This offence is often briefly discussed in our FOI workshops. We say “briefly” because nobody has ever been prosecuted and our delegates reliably assure us that “that sort of thing never happens.” However, in March 2020, a town clerk became the subject of the first successful criminal prosecution under section 77 of FOI.

Nicola Young worked for Whitchurch Town Council in Shropshire. After pleading guilty to the charges, she was fined £400 and ordered to pay £1,493 costs and a victim surcharge of £40. The facts of the case are that a person had made an FOI request to Whitchurch Town Council for a copy of an audio recording of a council meeting.
They believed that the written minutes of the meeting had been fabricated and so they wanted to listen to the recording of the meeting. Ms Young deliberately deleted the audio recording a few days later and then advised the requestor that the audio file had been deleted as part of the council’s destruction policy. The Information Commissioner became involved when the requestor complained to her office. Readers may think that the fine is very low but it is important to remember that Ms Young now has a criminal conviction that will almost certainly affect her career prospects.

The Section 77 Offence

The S.77 offence requires three things to be proven:

  1. The information was requested by an applicant and they would have been entitled to receive the information (subject to the payment of any fee). If the deletion or alteration occurs before the information request is received, then no offence is committed.
  2. The person charged with the offence did one of the following things to the information; namely altered it, defaced it, blocked it, erased it or destroyed it.
  3. And the person charged, intended to prevent the public authority from disclosing some or all of the information to the applicant. In other words their actions were deliberate.

Section 77 does not provide any statutory defence. However, a prosecution will fail if the prosecution cannot prove that the defendant had the necessary intent (what lawyers call “mens rea”). Prosecutions are brought by the Information Commissioner or by or with the consent of the Director of Public Prosecutions. Cases can only be tried in the magistrates’ court. The offence can be committed by any public authority and any person who is employed by, is an officer of, or is subject to the direction of a public authority. Regulation 19 of the Environmental Information Regulations 2004 creates an identical offence, albeit with slightly different provisions governing government departments.

Why is this the First Prosecution?

There are two main reasons why we have not seen successful prosecutions under S.77 of FOI before this case.

Firstly, the ICO only has six months to bring a prosecution. This period runs from the date that the offence is committed, not from the date that the ICO becomes aware of it.  In practice the ICO will not be called to investigate a complaint until an applicant has exhausted a public authority’s internal review procedures. The Act doesn’t specify how quickly a public authority should complete an internal review, but the S.45 Code of Practice states that this should normally be within 20 working days. This effectively means that the ICO is unlikely to be investigating a complaint until at least a month, or probably two, has elapsed since the request. That assumes that the ICO can investigate as soon as the complaint is received, which is not normally the case.

Secondly, for a successful prosecution under S.77 there must be proof of intent to destroy, conceal, deface etc. Given that this is a criminal offence the proof must be “beyond reasonable doubt.” This may be difficult to do so long after the event and if there is insufficient evidence to prove that the destruction etc was deliberate. During an investigation, the ICO will almost certainly want to see a public authority’s information disposal schedule. Its guidance notes that a disposal schedule will also offer an authority a defence to any suggestion that a S.77 offence has been committed. It will be able to explain that a record containing the requested information was destroyed as part of its routine disposal process.

This is the first prosecution in 15 years under S.77 of FOI which demonstrates the difficulties mentioned above. It does not necessarily mean that offences have not been committed before, but more likely that the ICO’s investigations have not been conclusive within the six-month period.

It is worth noting that the Data Protection Act 2018 introduces a new criminal offence in almost identical terms. Under  S.173 DPA a person commits an offence where they, upon receiving a data subject access request, alter, deface, block, erase, destroy or conceal personal data with the intention of preventing disclosure. There are two defences available. Firstly it is a defence if the alteration, defacing, etc would have occurred in the absence of a subject access request. For example, if the information is destroyed as part of an organisation’s data destruction schedule. The second defence is where a person can prove that they acted in the reasonable belief that the person making the request was not entitled to receive the information. To the best of our knowledge there have been no prosecutions under S.173 to date. It remains to be seen whether the Information Commissioner will face the same problems, as under S.77 FOI, in relation to bringing proceedings. However, she has brought a successful prosecution under S.170 DPA 2018 which relates to the unlawful obtaining of personal data.

This and other FOI developments will be discussed in our FOI workshops which are now available as an online option. If you are looking for a qualification in freedom of information, our FOI Practitioner Certificate is ideal.

A Matter of Priorities: FOI and DP Deadlines in a Pandemic

Photo by Oladimeji Ajegbile on

Responding to the Covid-19 pandemic is stretching our public services. Most obviously the NHS is diverting all the resources it can to meeting critical health needs. But local authorities are also struggling to maintain vital services in the face of unprecedented demands and staff who, if not already ill and self-isolating, are obliged to comply with social distancing measures. Other public authorities are facing logistical challenges in maintaining services and some are even having to put some staff on HMRC-funded furlough.

In such challenging circumstances, where does dealing with information requests under Freedom of Information and DataProtection laws sit in the scheme of priorities? Many authorities who are fortunate enough to have staff dedicated to handling FOI requests or data subject access requests will have re-tasked them to undertake more business-critical roles. Where staff have information request handling as only part of their role, other more pressing duties are likely to trump FOI and DP timescales. And where staff are working from home and access to premises either discouraged or forbidden, manual records may remain inaccessible for weeks or months to come.  Where requests are made by post, they may be delivered to offices which will not be staffed for some time.

The response of the Scottish Government has been robust. On 1 April 2020, the Scottish Parliament passed the Coronavirus (Scotland) Bill which, while retaining the statutory requirement to “respond promptly”, extends the timescale for responding to requests under the Freedom of Information (Scotland) Act 2002 from twenty to sixty working days. Moreover, Part 2 of Schedule 6 provides a mechanism for the Scottish Ministers to allow Scottish public authorities to extend the timescale, subject to providing written notice to the applicant, by a further forty working days, where the authority “determines that it is not reasonably practicable to respond to the request within the relevant period because of…  (a) the volume and complexity of the information requested, or (b) the overall number of requests being dealt with by the authority at the time that the request is made.”

The emergency legislation also allows the Scottish Information Commissioner to find that a public authority has not failed in their duties under FOISA if he is satisfied that the failure to respond within timescales was due to the impact of coronavirus and reasonable in the circumstances. The Scottish Information Commissioner for his part is keen to remind public authorities that their duty to respond promptly remains, that the measures are temporary, and that they do not extend to the Environmental Information (Scotland) Regulations 2004 (EISR).

Of course, the Scottish Parliament cannot legislate with regard to data protection (where EU and UK legislation applies) nor can it amend the timescales for requests under the EISR as they implement the obligations of the Aarhus Convention. But as far as they can do so, the Scottish Government and Parliament have sought to relax the demands of information requests in the face of the pandemic.

For data subject access requests under GDPR (or s 45 of the Data Protection Act 2018 where they relate to law enforcement processing) and requests under the Freedom of Information Act 2000, there is no relaxation of the law. This was despite the call to do so from some quarters, including the Local Government Association who called on Parliament to include measures “temporarily relaxing the requirements on councils in regard to GDPR and FOI”. We rely instead on flexibility from the Information Commissioner as regulator.

While the UK Government did not take the opportunity of the Coronavirus Act to take extend time limits(and would be unable to do so in any case with regard to GDPR as we are still in the transition period), the ICO has made clear they will not penalise organisations who have made understandable decisions to prioritise other tasks. As they state on their website, “We are a reasonable and pragmatic regulator, one that does not operate in isolation from matters of serious public concern. Regarding compliance with information rights work when assessing a complaint brought to us during this period, we will take into account the compelling public interest in the current health emergency.”

Organisations should therefore be reassured that they are unlikely to face official censure or significant public criticism if they make reasonable decisions to prioritise other tasks to protect and serve the public ahead of normal levels of service for FOI requests and subject access requests. If your organisation, almost inevitably, is finding it difficult to meet the timescales at this difficult time, we would suggest you take a common-sense and measured approach:

  • Make a record of your decisions to re-allocate resources from handling information rights requests to other service-delivery priorities;
  • Document the practical challenges (such as inaccessibility of manual records or post, and unavailability of key colleagues) which mean that it is “reasonable in all the circumstances” that the organisation is not able to meet normal levels of performance;
  • Manage the expectations of applicants through your website and in your acknowledgements of requests and your automated email responses, and continue to communicate with applicants as far as you are able to do so;
  • At the point at which your organisation, and the rest of humanity, is beginning to recover from the Covid-19 emergency, develop and document an action plan for addressing any backlog of requests which has built up.

At Act Now, we are passionate about the importance of information rights: They are at the heart of our democracy and our human rights. But the right to life must take priority over others, and we would be the first to recognise that organisations and individuals must make decisions which put people first, particularly at a time of global emergency.

Be kind and stay safe.

More on this and other developments in our FREE GDPR update webinar. Looking for a GDPR qualification from the comfort of your home office? Our GDPR Practitioner Certificate is now available as an online option.

Calling all Information Governance Experts: We are Hiring

Are you an information governance expert with a proven track record of delivering engaging training on GDPR, FOI or Cyber Security? Act Now Training is recruiting trainers to join its team of experts who deliver in-house and external training courses throughout the UK.

Despite expanding our team recently, we are facing heavy demand for our courses and consultancy services from the both the public and private sector. With more courses planned for 2020, including some new ones like Key Skills For Data Protection Officers, we need more talented trainers who enjoy the challenge of explaining difficult concepts in a practical jargon-free way.

We have opportunities for full time trainers as well as those who wish to add an extra “string to their bow” without leaving their day job. What is important is that you are enthusiastic about GDPR, FOI or Cyber Security and want to deliver innovative training (not “death by PowerPoint”) to a range of audiences.

We are particularly interested in experienced Cyber Security trainers where we are facing a lot of demand after launching our Introduction to Cyber Security workshop. The health sector is also a focus area for us in 2020. Our workshops on GDPR, the role of SIROs and Caldicott Guardians have led to more interest in this area.

If you think you have what it takes to become an Act Now trainer, please get in touch with your CV explaining your knowledge and experience of delivering training and consultancy services in GDPR, FOI or Cyber Security. A full privacy policy can be read on our website.

Reflections of an Act Now FOI Trainer

Susan Wolf writes…

They say time flies when you are having fun. Well, I must have been having fun because I can’t quite believe I have been training with Act Now for over 12 months. Really where has the time gone? During my time at the University of Northumbria I developed the habit of keeping a journal in which I reflected on my teaching. Old habits die hard and I have continued this practice now that I am a regular Act Now training consultant. Looking back over my journal for the last 12 months a number of common themes became apparent. I thought it might be interesting to share these. However before I do, I just want to thank all the delegates I have met for challenging me, keeping me on my toes and reminding me how interesting life can be in Freedom of Information Land.

Training practitioners is not something new to me. For over 11 years I taught FOI practitioners on the Northumbria University LLM in Information Rights Law & Practice Degree. However, the Act Now courses, with their focus on practical training have exposed me to a wider range of people, from a wide range of public sector organisations, all trying to get to grips with broadly similar issues. From the most experienced practitioner who wants a ‘top up course’ to the absolute beginner who has just landed their first job in information rights, all practitioners appear to share some common concerns and worries.

There are also some widely shared misconceptions which still seem to cause the odd debate, despite the Freedom of Information Act 2000 being almost 15 years old. For instance, I have heard some delegates say that the ‘clock start’s ticking’ on a FOI request on the day it is received by a public authority. I have also heard delegates talk about fines that the ICO can impose for breaches of the Freedom of Information Act. Those are always good to correct, and it is nice to hear the sigh of relief when they are advised correctly on these points.

However, I also frequently get asked questions that there are, quite simply, no definitive answers to. In good ‘lawyer’ tradition I could say ‘well that depends’ but that isn’t always what people want to hear. For example, I have been asked questions about how far a public authority must go in advising and assisting an applicant, or how many times they need to go back to the applicant to clarify a tricky request. Another question that taxes people is how long it is reasonable to wait between requests before engaging S. 14 (2) for repeated requests. These are always good for some discussion, but often time is limited on a one-day course, particularly when delegates quite rightly expect we cover all the course content.

Other misconceptions or worries centre on issues relating to the redaction of staff names in email correspondence; how to distinguish between ‘business as usual’ questions and FOI requests; or the significance of ‘confidentiality’ markings on information provided by third party contractors. The ‘new’ Freedom of Information 2018 Code of Practice addresses some of these issues. However not all FOI practitioners are necessarily aware of the provisions of the new Code. Of course, it is difficult for practitioners, who are undoubtedly over-burdened, to keep up to date and on top of things, or indeed for us to cover these issues in detail in a one-day course. One way of keeping up to date is to read our Act Now blogs, which are all written by Act Now consultants and which deal with new developments and case law. However, this journey of reflection has made me realise that it would be useful to write some ‘Back to Basics’ blogs that address some of the issues and concerns that I know FOI practitioners share. Over the coming months we will be publishing a series of ‘FOI Basics Blogs’ on the issues raised during our one-day FOI courses starting with a blog on ‘Business as Usual or FOI Request’?

For those FOI practitioners who want to take their training and understanding to the next level, Act Now Training now offer a 4-day FOI Practitioner Certificate this course is modelled on the highly successful GDPR Practitioner Certificate and was launched in May 2019. We have now delivered it seven times and it is absolutely clear this model enables FOI practitioners to develop a more detailed knowledge and understanding of the FOI in practice. It gives delegates the chance to explore the exemptions in far more detail over two days, with Day 3 focussing on the most frequently used exemptions, including Sections 40 and 43. The course also prepares delegates for writing a Refusal Notice which forms part of the final assessment.

Delegates have given very positive feedback:

“The course was very well structured and well timed. The length of the course was ideal as this gave sufficient time to discuss all areas relating to FOI and also gave candidates ample time for discussion and study. The trainer was very supportive and the knowledge that has been imparted has enabled me to develop the FOI function with our organisation. Highly Recommended.”
JW, Heywood Middleton and Rochdale NHS

“The course was excellent and really sets you up for the exam, I would recommend it to others working in the field. I have put what I learned on the course to good use as I am a FOI and DPA Manager in a very busy post with lots of business each and every day; many of the requests are unusual. The course and now passing the exam have given me the confidence to do my job.”
JH, NI Courts and Tribunals Service

“Thank you for a great course – as always all the trainers at Act Now are extremely knowledgeable, approachable and make the learning experience really enjoyable.”
KF, St Helens Council

As you can see Delegates are enjoying the course content and delivery style. Most importantly they are able to take away their gained knowledge and apply it to their everyday role with confidence. After all, that is the purpose and objective of a course such as this. It makes me immensely proud and pleased to be able to be a part of the team that helps delegates in this way everyday and I look forward to the next 12 months.

Susan Wolf is a trainer for Act Now Training. She has over ten years experience teaching information rights practitioners on the LLM Information Rights Law & Practice at Northumbria University. All our trainers are available to deliver customised in house training, health checks and audits. Please read the testimonials from satisfied clients and get in touch for a quote.

Exit mobile version