
Latest updates - 06 March 2024
  • This guidance was updated to align content with the new Code of Practice on Records Management which was published in July 2021.
  • We have included new sections to clarify how we expect you to manage information when using non-corporate channels of communications and when working in partnership with other public authorities or with private contractors. You can find these changes in the sections “Is there any official information you may hold on non-corporate communication channels?” and “Have you created information in the context of joint working with other authorities and outsourcing?”
  • We have clarified our role in promoting and monitoring observance of the Code. We have also included more information about how we work with The National Archives and the Public Record Office of Northern Ireland. You can find these changes in the section “Who monitors adherence to the Code and what is the role of The Information Commissioner?”.
  • We have clarified our position on the right of access under FOIA or the EIR to historical records. You can find these changes in the section “How do we handle historical records?”
  • We have included more examples from our decisions notices.

About this detailed guidance

Section 46 of the Freedom of Information Act 2000 (‘FOIA’) requires the Secretary of State to issue a code of practice to help authorities to establish a framework for the management of their records.

The section 46 Code of Practice (the Code) fulfils this duty.

A good information management framework for the keeping, management and destruction of records helps authorities to comply with their duties under FOIA.

This detailed guidance is written for use by public authorities. It explains what we expect you to do to comply with the recommendations in the Code. It also outlines The Information Commissioner’s role in relation to the Code and signposts you to other relevant resources.

To help you understand the law and good practice as clearly as possible, this guidance says what organisations must, should, and could do to comply.

Legislative requirements

Must refers to legislative requirements.

Good practice

Should does not refer to a legislative requirement, but what we expect you to do to comply effectively with the law. You should do this unless there is a good reason not to. If you choose to take a different approach, you must be able to demonstrate that this approach also complies with the law.

Could refers to an option or example that you could consider to help you to comply effectively. There are likely to be various other ways you could comply.

In detail

What does FOIA say?

Section 46 of FOIA states:

46.-(1) The Secretary of State shall issue, and may from time to time revise, a code of practice providing guidance to relevant authorities as to the practice which it would, in his opinion, be desirable for them to follow in connection with the keeping, management and destruction of their records.

(2) For the purpose of facilitating the performance by the Public Record Office, the Public Record Office of Northern Ireland and other public authorities of their functions under this Act in relation to records which are public records for the purposes of the Public Records Act 1958 or the Public Records Act (Northern Ireland) 1923, the code may also include guidance as to –

(a) the practice to be adopted in relation to the transfer of records under section 3(4) of the Public Records Act 1958 or section 3 of the Public Records Act (Northern Ireland) 1923, and

(b) the practice of reviewing records before they are transferred under those provisions.

(3) In exercising his function under this section, the Secretary of State shall have regard to the public interest in allowing public access to information held by relevant authorities.

(4) The code may make different provision for different relevant authorities.

(5) Before issuing or revising any code under this section the Secretary of State shall consult –

(a) the Minister for the Cabinet Office,
(b) the Commissioner, and
(c) in relation to Northern Ireland, the appropriate Northern Ireland Minister.

(6) The Secretary of State shall lay before each House of Parliament any code or revised code made under this section.

(7) In this section “relevant authority” means –

(a) any public authority, and
(b) any office or body which is not a public authority but whose administrative and departmental records are public records for the purpose of the Public Records Act 1958 or the Public Records Act (Northern Ireland) 1923.

The Secretary of State is advised by the Advisory Council on National Records and Archives.

What is the purpose and status of the Code?

The Code is a statutory code issued under section 46 of FOIA, which provides you with good practice guidance about:

  • keeping, managing and destroying your information; and
  • reviewing and transferring records to public archives.

The Code sets out recommended, rather than mandatory, good practice. It is complemented by the Code of Practice issued under section 45 of FOIA.

The Code takes a principle-based approach. The three principles are:

  • Value
  • Integrity
  • Accountability

The principles provide a high-level framework for you to manage information and maintain a record of your activities. They apply to any format or medium of records that you hold, or another body holds on your behalf. The principles inform good practice in creating, managing and destroying information.

If you need more information on how to apply the principles in practice, refer to Part two of the Code.

Conforming to the Code can help you comply with the requirements of FOIA. How you meet the requirements of the Code depends on factors such as your own particular organisational size and circumstances.

You should read the Code in conjunction with current legislation governing information and records, such as the Public Records Act (‘PRA’) 1958. The Code sits alongside other professional codes of practice, codes of conduct, professional standards or regulations that impose duties to create and manage information. You have a duty to understand the regulatory framework you operate in and adhere to any requirement you are subject to.

Read Annex B of the Code for more detailed information about its status.

Who does the Code apply to?

The Code applies to all public authorities covered by FOIA. It also applies to any office or body that is not a public authority but whose administrative and departmental records are public records for the purpose of the PRA 1958 or the Public Records Act (Northern Ireland) 1923 (‘PRA NI’).

If you are a public authority for the purposes of the Environmental Information Regulations (‘EIR’) 2004, you should also observe its requirements, particularly for public records.

For more information on what are public records, you can visit The National Archives website.

Part 3 of the Code only applies to authorities that are subject to the PRA or PRA(NI). It describes the statutory procedure you must follow for selecting records of historic value for permanent preservation in The National Archives or a Place of Deposit.

If you are unsure if the Code applies to you, check Annex A for more information.

If you don’t know if you are subject to FOIA or the EIR, read our detailed guidance about Public authorities under the Freedom of Information Act and Public authorities under the EIR.

What are the benefits of following the Code?

Following the Code can help you establish and maintain a good standard of record keeping and information management. This enables you to act quickly in identifying and retrieving information that may be requested. It also helps you to comply with your duties under FOIA, the EIR and the UK General Data Protection Regulation (UK GDPR), as well as:

  • The Public Records Act 1958 (‘PRA’);
  • The Public Records Act (Northern Ireland) 1923 (‘PRA NI’); and
  • The Re-use of Public Sector Information Regulations 2015 (‘RPSI’).

Following the Code can also support the operation of your publication scheme. This is information you are required to proactively publish under FOIA and the EIR. You should keep your publication scheme up to date. Making sure you apply the same good practice to other information will help you to provide information upon request under FOIA and the EIR within the required statutory timelines.

Good information management is a benefit, not a burden. You might have to invest operational resources to establish your framework. However, this can help you achieve business efficiency by allowing you to easily retrieve information when you need it and properly document your activities.

Poor record management can expose you to the risk of complaints under FOIA when you are unable to either locate the information you hold or provide it promptly.

Example

In Dr N Dudley v the Information Commissioner (EA/2008/0089 20 April 2009), the Information Tribunal suggested that the inadequacy of the public authority’s record keeping resulted in lack of clarity about what information was held and by whom. This had contributed towards the applicant’s complaint to the ICO and further appeal to the Tribunal.

The above case can be contrasted with the example below.

Example

Decision notice FS50351754 concerned a request for an application for rate relief on a particular property made to the London Borough of Camden. The Borough replied they no longer held the information because unsuccessful applications were deleted after two years in accordance with their records management policy.

As a result, the Commissioner concluded that, on the balance of probabilities, the information was not held.

Who monitors adherence to the Code and what is the role of The Information Commissioner?

Failure to conform to the Code is not in itself a breach of FOIA or the EIR. However, you should conform to the requirements of the Code. Doing so will help you to comply with your duties under FOIA, the EIR, the UK GDPR and other legislation. For example, good records management will support your determination of whether you hold information under section 1 of FOIA as mentioned above. This enables you to respond to requests within the statutory time limits, thereby avoiding breaches of section 10 and section 17.

The role of The National Archives and Public Record Office of Northern Ireland (PRONI)

The National Archives monitors compliance with the PRA and Part 3 of the Section 46 Code, which deals with your statutory duty to select historical records for permanent preservation. If you transfer records to The National Archives, you should already provide data on the volume and transfer status of the records you hold. This information is contained within The National Archives’ Information Management Report.

The National Archives provides guidance and best practice on information and records management on its website. It also offers practical support by providing training, events and an email help point. The National Archives have redeveloped their self-assessment tool following the 2021 publication of the updated section 46 Code of Practice. The tool supports you to achieve conformity alongside The National Archives’ existing Information Management Assessment programme.

PRONI provides records management advice and guidance to public authorities which deal with the records management function in their respective jurisdiction.

The role of The Information Commissioner

The Information Commissioner has a statutory duty under section 47 of FOIA to promote good practice and observance of the Code. This is in conjunction with The National Archives and the PRONI.

The Commissioner and The National Archives have signed a Memorandum of Understanding which supports how they will work together on promoting and monitoring the Code. The Commissioner also signed a Memorandum of Understanding with the Deputy Keeper of the PRONI to set out a framework to share knowledge and consult on matters of mutual interest.

The Commissioner has the power to issue a practice recommendation under section 48 of FOIA if he considers that you are not conforming to the Code. This would outline which parts of the Code you have not met and what we recommend you do to put that right. Failure to follow a practice recommendation can lead to a failure to comply with FOIA and the EIR. It could also lead to an adverse comment in a report to Parliament laid by the Commissioner.

Examples of when we can issue a practice recommendation under section 48(1) for failure to follow the Code include:

  • The public authority does not have in place organisational arrangements that support records management.
  • The public authority does not adequately know what records it holds or where they are.
  • The public authority does not have effective arrangements in place to determine which records should be selected for permanent preservation.

When issuing a practice recommendation about an authority’s failure to follow the Code in relation to records which are considered public records under PRA or PRA NI, the Commissioner has a duty under section 48 to consult The National Archives / PRONI before issuing the practice recommendation.

The consultation process for this is described within the ICO / The National Archives practice recommendation consultation process 2023. The consultation process between the Commissioner and PRONI is set out in the Memorandum of Understanding between The Information Commissioner and the Deputy Keeper of the Public Record Office of Northern Ireland.

The Commissioner also takes account of whether the Code has been observed when considering complaints. Under section 50 of FOIA, an applicant can complain to the ICO about how you dealt with a request for information. If we notice poor information management practice as part of our investigation on a complaint, we can record our concerns in the ‘Other matters’ part of decision notices or in a letter if the case is closed informally. We may recommend you review your current policies and practices to ensure you conform to the Code.

Systemic failure to follow recommendations at this stage could also result in the issuing of a formal practice recommendation under section 48.

Example

In decision notice IC-71239-F4G5, the Commissioner advised the Greater London Authority (‘GLA’) to review its current records management practices. He noted in the ‘Other matters’ part of the notice that the GLA did not use any electronic document and records management system, or any other corporate or central repository, to record any metadata concerning the creation, existence or disposal of its records. The Commissioner noted that this was not in accordance with the Code.

As a result, the Commissioner recommended that the GLA change its records management practices in relation to the destruction of information to fully conform to the Code.

Example

In decision notice IC-68252-G9X9, the Commissioner referred the Chief Constable of Sussex Police to the Code as a helpful tool to use for good records management. During the investigation, the police force had described there being ‘a plethora of issues’ when looking at the request and ‘extreme difficulty’ in sourcing data. The Commissioner acknowledged the existence of these issues in the ‘other matters’ part of the decision notice.

However, the Commissioner recommended that the police force follow the Code, which would ensure the creation, existence and disposal of information is properly documented. This would enable the authority to easily retrieve its information and records for FOIA purposes.

The Commissioner can use the powers under section 51 of FOIA to serve an information notice requiring you to provide us with specific information. If necessary, we will use this power if we need further information to decide whether you are conforming to the Code.

Under section 54 of FOIA, the Commissioner may seek an order for contempt of court should you fail to comply with an information notice.

We have developed resources which help you to assess your current FOI performance and provide indicators of where efforts should be focused in order to improve.

Under FOIA, the Commissioner can conduct an audit, with the consent of the public authority, to assess whether the authority is following good practice.

For more information on the Commissioner’s regulatory responsibilities and powers, please see the FOI and Transparency regulatory manual 2023.

How do we put the Code into practice?

To ensure you manage your information and records in accordance with the Code, you must have appropriate governance, organisational capacity and technical measures in place.

These will differ between authorities due to size and individual circumstances. However, the Code suggests you should have the following:

  • A governance framework for managing your information, responsibility for which should be at senior management level. This framework should clearly set out roles and lines of responsibility.
  • Clearly defined policies and procedures in place for all staff. These policies should explain how staff should access information, what information they should keep and when and how they should destroy information.
  • A designated manager who is responsible for all information and records management. They should be part of your governance structure and have sufficient resources to monitor your conformity to the Code. For further information on the role of the designated manager, read Annex C of the Code.
  • Appropriate tools, systems and policies to ensure you can manage, organise, and easily retrieve information for use and destroy or transfer it to The National Archives / PRONI in accordance with the Code when that time comes.
  • Training for all staff involved in the creation and management of records.

Example

A very small public authority may only have one person responsible for records management and administrative duties. Without good records management, there is a risk that the ability to locate information depends almost entirely on that person’s knowledge. In the event of that person’s absence or leaving their position, it may be difficult to locate information required for both performing the authority’s own functions and for responding to requests in a timely manner.

The authority should put records management policies and processes in place that are appropriate to its size and the information it holds. This may not mean having the same number of policies, with the same level of complexity, as a much larger authority.

However, authorities should follow the principles-based approach in the Code to inform their own good practice in the creation, management and destruction of information.

How do we keep, find, use and dispose of information?

You should know what information you hold and where it is so you can easily retrieve it when you need it and then dispose of it appropriately when it is no longer of value.

You need to decide the format for the storage of your information. You should ensure you have appropriate arrangements for storage and preservation, especially if there are any specific legal requirements for particular records. You should take special care of fragile, delicate, and sensitive material, as well as paper files. You should routinely monitor their storage and preservation.

You should have the necessary tools to identify, locate and retrieve information when you need it and an effective search capability. This will help you to respond to freedom of information requests or subject access requests more efficiently.

The Code highlights the importance of authorities being able to trust their own information. You should know:

  • when the information was created; and
  • who created it.

You should have your own policies and procedures for information security.

You should have appropriate access and permission controls in place throughout the life of the information and the necessary provision to prevent any accidental loss, destruction or damage to your information.

If you need help with this, the ICO has produced separate resources on information security.

Is there any official information you may hold in non-corporate channels of communication?

The above applies also to any information or record you hold in non-corporate channels of communication (‘NCCCs’).

NCCCs include private email accounts, private message accounts and other similar channels (eg text messages). In recent years, the use of non-corporate communications channels for official business is an issue that has arisen across a range of sectors.

As a general rule, you should use corporate channels when conducting official business.

Using non-corporate channels can put your information at risk and create potential challenges to your compliance with FOIA and PRA, if you are subject to it. It could also make your adherence to good records management practice significantly more difficult. For example, the search and export functions on such channels may be limited, retention and deletion periods may not align with those of your official systems, and access to official information is at risk of being lost when an individual leaves an organisation without transferring it beforehand.

We accept that sometimes staff working in public authorities may use NCCCs to conduct official business in certain circumstances, for example whilst travelling or during an emergency when it’s important to communicate quickly.

If you have used non-corporate channels for official purposes, you should transfer and store any relevant official information or record on your corporate systems as soon as possible.

Following the Court of Appeal’s decision in the Good Law Project vs The Prime Minister ([2022] EWCA Civ 1580, 1 December 2022), The National Archives has clarified that any recorded information relating to a Department’s official business is a public record belonging to the Crown, wherever it is held. That includes records held on NCCCs.

The Keeper of Public Records issued guidance under section 3(2) of PRA explaining:

“it is necessary for departmental policies and criteria to be in place and observed to ensure that all records, including those in non-corporate communication channels, are brought within departmental records management governance. This will allow public records to be retained as long as required for departments’ appraisal decisions to be applied under the proper governance of their internal criteria and policies, including departmental retention policies, and The National Archives’ Records Collection Policy [RCP]. The consequence of not taking these steps, in my view, risks outcomes which may frustrate the purpose of the Public Records Act.”

Similar rules apply under FOIA. Recorded information relating to a public authority’s official business falls within the scope of FOIA, even though it is held on NCCCs.

This is by virtue of section 3(2)(b). Section 3(2)(b) says that information could fall within the scope of FOIA when another person holds it on your behalf. In that scenario, you would need to retrieve it to decide if you must disclose it or if you can withhold it under a FOIA exemption.

Keeping information on non-corporate channels of communication can expose you to the risk of being unable to comply with a request. It is your responsibility to properly retain and manage your information.

You should provide specific information management training for any individual within your organisation who might use non-corporate communication channels for official business, eg whilst travelling. Such training should cover how frequently and routinely they are expected to record on your official record keeping systems any relevant information on authority-related business held on non-corporate channels.

Your records management policy should also detail measures to mitigate the risks of using non-corporate communications channels for official business in line with our guidance on official information held in non-corporate communications channels.

If you are a government department, you should also refer to guidance produced by Cabinet Office in March 2023 on ‘Using non-corporate communication channels (e.g. WhatsApp, private email, SMS) for government business’.

Have you created information in the context of joint working with other authorities or outsourcing?

Through the course of your business, you may work jointly with other authorities or outsource your functions or services to an external contractor. The Code sets out at para. 2.8 what you should do to manage your records appropriately in these situations.

Where you are working jointly with another authority, you should agree a lead authority who will remain responsible for ensuring information is managed in accordance with the Code.

If you work with an external contractor, information they hold on your behalf is also within the scope of your responsibility for information management purposes. This means you should ensure the contractor applies appropriate information management standards and procedures.

For both joint working and outsourcing situations, you should set out each party’s responsibilities in an information sharing agreement. The agreement should detail how information should be handled and what, if any, controls and requirements for security are required. It should also detail how to record any decisions that are taken about the information you share. For example, when and how it will be destroyed or transferred when no longer of use.

Example

In decision notice IC-183296-R6T7, The Information Commissioner noted that the public authority should have put a records management framework in place for managing the information created by an ad hoc team set up by HM Treasury (‘HMT’) for the Independent Loan Charge Review.

The Chancellor appointed the former Comptroller and Auditor General and Chief Executive of the National Audit Office to carry out an independent review of the Government’s response to a particular tax avoidance scheme. Folders on HMT’s IT system were dedicated to the exclusive use of the review team.

Although this situation is rather unique, the issues raised are relevant to wider joint working and outsourcing scenarios.

Although the Commissioner found that the request could be refused on cost grounds, he highlighted a failure in the management of the records held by the review team once that team had completed its work and disbanded. HMT did not appear to know what information it still held, where it was stored, or who had access to it. In his decision, the Commissioner highlighted the importance of having policies in place to cover this type of work and ensuring those policies are followed.

Under ‘Other matters’ he commented:

“The Commissioner also considers that the public authority should have regard to the section 46 Code of Practice too – as well as his own guidance. When setting up semi-autonomous or autonomous work groups that will share its resources (such as IT servers), for the purpose of accomplishing a specific tasks [sic!], or set of tasks, but will disband once the work is complete, proper records management policies should be in place. Both parties should be clear on what records will be held, where they will be held and who will have responsibility for them.

“There should also be clear policies and procedures in place that govern what happens to records once the work group has finished its work. These should cover the records that will be destroyed, those which will be retained and who takes over responsibility for managing any records that are to be retained. Finally, responsibility for ensuring that the policies and procedures have been correctly followed should be designated to specific individuals – who are then held accountable for any gaps.” [para. 25 – 26].

If you are working with external contractors for delivering some of your functions, read our guidance on Outsourcing – FOIA and EIR obligations.

Disposal

You need to decide how long to keep the different categories of information you create and hold. You also need to decide how to dispose of them when they are no longer needed. Disposal means either the permanent destruction of records and information or the transfer of it to another body or to an archive.

It is important you only keep information for as long as it has value to your organisation. Disposal schedules are a clear and defined way of timetabling when information is due for review, transfer to archives or destruction. You should keep records detailing:

  • the location of the information you hold, and
  • why and when information is either transferred to archive or another body or destroyed.

This will help you manage your information effectively and assist in responding to information requests confidently. If the request relates to information you no longer hold, you will be able to explain why that is and when you disposed of the information.

Example

In the decision notice discussed earlier (IC-71239-F4G5), The Information Commissioner noted that it had been unfortunate the Greater London Authority (‘GLA’) did not have appropriate records of destroyed information. This would have clarified in this case whether any information had been previously held. Had the GLA had such records, it would have enabled it to provide a more comprehensive response to the request and potentially avoided a complaint to the ICO.

This example can be compared with the earlier London Borough of Camden example. In the Camden case, the London Borough of Camden was able to reference its record management policy to demonstrate that the requested information would have been destroyed before the request was received.

You should ensure your staff destroy material that has no continuing value on a regular basis. They should delete trivial emails and messages as soon as possible after they have read them. They should also not keep multiple or personal copies of documents.

You should ensure you have the appropriate measures in place to safely and securely transfer information, if you have selected the information for permanent preservation. For example, to a successor body or to an archive. You must ensure any decisions to transfer information are in line with your policy and the security classification of the record.

Likewise, you should ensure any information scheduled for destruction is permanently destroyed in a secure manner and in accordance with the security classification. All decisions to destroy information should be carried out by those authorised to do so and in accordance with your policies and procedures.

For personal information, the UK GDPR addresses when you should destroy data. For further details, you should check the relevant legislation. You might also find it helpful to read our UK GDPR guidance on the storage limitation principle.

For more information on records’ transfer, The National Archives have produced several resources which can help you make decisions about the disposal or retention of your records.

Monitoring compliance

You must regularly monitor and assess your compliance with your policies and procedures and ensure you are meeting the requirements of the Code. You should consider what the risks are for your organisation if you do not adhere to the Code and include these in your governance framework for managing risk.

How do we handle historical records?

The historical records section of the Code (Part 3) only applies if you are subject to the PRA or PRA(NI). Part 3 says you should have appropriate procedures for reviewing a record to determine if you should destroy, retain or select it for permanent preservation. If you are preserving the record, you must take the necessary steps to transfer the record to an archive. Under the Code you are required to transfer your records to The National Archives, an approved place of deposit or PRONI.

You must make and implement the decisions you reach on the management of your records by the statutory deadline, ie no later than 20 years after their creation.

Under the PRA, you must first apply to the Advisory Council on National Records and Archives and seek approval from the Secretary of State if you want to:

  • keep records for longer than 20 years; or
  • transfer records to an archive as a closed record because you believe a FOIA exemption or EIR exception still applies.

In Northern Ireland, you need to contact PRONI.

If you believe exemptions or exceptions apply to the historical record, you must submit a schedule to the body you are transferring it to. The schedule should identify the exempt information, which exemption is engaged and an explanation of the rationale for keeping the record closed.

Before transferring, you should also consult with any authorities likely to be affected by the access decisions you make. The Code highlights that this is particularly important for records you transfer before they have reached 20 years.

The Code recommends all authorities not subject to the PRA regularly review and identify any records that have permanent or historical value and ensure they transfer them appropriately to an accredited archive service or a storage provider that adheres to the relevant Standards.

The Keeper of Public Records and Chief Executive of The National Archives have a legal responsibility to provide guidance and supervision to bodies subject to the PRA. You can access this guidance on The National Archives’ website. Several resources are also linked in Annex E of the Code.

The guidance is useful for bodies that are not subject to the PRA / PRA (NI).

PRONI also provides resources.

How do we manage access to transferred historical records?

The general rule is that records are transferred as open to archives to ensure public access.

If you have transferred a record as a closed record, this does not affect the statutory rights of access established under FOIA or the EIR. Anyone has the right to make a request to The National Archives, a place of deposit or PRONI to access these records.

If The National Archives, the place of deposit or PRONI receives a request to access a closed record, it will consult you prior to disclosure. This is required by Section 66 of FOIA. You are also responsible for reviewing the information for remaining sensitivities and for making any further representations about whether it should continue to be withheld. When doing so, bear in mind that different rules for exempting information from disclosure apply to historical records. For example, some absolute exemptions become qualified whilst some exemptions cease to apply.

You can find more information about the duration of exemptions and exceptions in TNA’s guidance on Freedom of Information exemptions.