The ICO exists to empower you through information.

Latest updates

03 April 2023 - the section “What if we think that the request is vexatious, manifestly unreasonable or would exceed the cost limit?” has been amended to remind public authorities;

  • of the provision with section 77 FOIA; and
  • of their responsibilities under the Public Records Act 1958 (if a public records body);

when considering the deletion of information.

About this detailed guidance

This guidance discusses, in detail, the retention and destruction of information. It is written for use by public authorities. Read it if you have questions not answered in the Canllaw i Ryddid Gwybodaeth, the Guide to the EIR, or if you need a deeper understanding to help you to decide whether to destroy or retain information.

This guidance complements the Secretary of State’s Code of Practice on records management issued under section 46 of the Freedom of Information Act 2000 (FOIA).

In detail

What does this guidance cover?

This guidance is designed to help you understand when it’s ok to delete information someone has requested and when you need to keep it.

It is not possible or practical to retain every piece of information that you create or acquire. Deleting records that you no longer need, or are not proportionate to retain any longer, is an essential part of a good records management system. If you are planning to delete information that someone has made an information request for, you should be careful as doing so could be a criminal offence.

Managing records effectively is essential to the efficient running of the an organisation. The ICO recommends that all public authorities should be aware of the Secretary of State’s Code of Practice on records management issued under section 46 of the FOIA (“the code”).

The guidance covers what you should do if you are considering deleting information before or after you have received an information request, and what the legislation says about each situation.

It also covers situations where you may wish to delete or amend information that is already the subject of a complaint to the ICO.

Do we need policies that govern what records we keep and what records we destroy?

Information can become a liability if it is not properly managed. You should know what information you hold, why you hold it, how sensitive it is, and how it should be managed. You should keep information for as long as you need it and dispose of it when you no longer have a reason to keep it. You can dispose of information by destroying it, transferring it to another body or by transferring it to an archive.

Section 2.3 of the code contains a series of recommendations and good practice advice about keeping, finding and using information. For example, paragraph 2.3.1 provides guidance on destroying and disposal of information:

“Authorities must define how long to keep information and dispose of it when it is no longer needed. Authorities can dispose of information by destroying it, transferring it to another body, or by transferring it to an archive. Authorities must be able to explain why information is no longer held either by reference to a record of its destruction or by reference to the authority’s policy.

“Section 77 FOIA has provision for authorities to be charged with destroying records to prevent disclosure, and data protection legislation contains further provisions on transparency of retention, so it is important that any disposition decision is properly documented.”

The ICO considers that disposal of records should be undertaken in accordance with clearly established policies. Disposal schedules form a key part of this process. They are sets of rules determining when individual records or groups of records are due for review, for transfer to an archives service or for destruction. Having a set of rules will assist you in discovering the location of information you hold, or have transferred to archives, or destroyed and, if so, why and when.

The rules of a disposal schedule should identify:

  • classes of records;
  • the retention period for each class of record; and
  • what should happen at the end of the retention period.

Having a comprehensive disposal schedule and applying it consistently is good records management practice. It provides efficient records management and a defence to any suggestion of a criminal offence where information is destroyed as part of your routine disposal process.

Is it a criminal offence to delete or alter information someone has requested?

Section 77 of FOIA states:

“(1) Where—

(a) a request for information has been made to a public authority, and

(b)  under section 1 of this Act or section 7 of the Data Protection Act 1998, the applicant would have been entitled (subject to payment of any fee) to communication of any information in accordance with that section,

any person to whom this subsection applies is guilty of an offence if he alters, defaces, blocks, erases, destroys or conceals any record held by the public authority, with the intention of preventing the disclosure by that authority of all, or any part, of the information to the communication of which the applicant would have been entitled.

“(2) Subsection (1) applies to the public authority and to any person who is employed by, is an officer of, or is subject to the direction of, the public authority.”

Regulation 19 of the Environmental Information Regulations 2004 (EIR) makes the actions listed in section 77(1) of the FOIA an offence where environmental information has been requested under the EIR.

These provisions mean it is an offence for you to intentionally  prevent disclosure of information if someone has already requested it, and they would have been entitled to receive it.

The offence under section 77 or regulation 19 is a summary matter, which means it is triable only in the Magistrates’ Court.

Example

In March 2020, a Town Clerk was convicted of an offence under section 77 of the FOIA and fined £400.

The Clerk had deleted an audio recording of a council meeting, despite knowing that someone had made a FOIA request for the recording.

After pleading guilty to blocking records with the intention of preventing disclosure, the Clerk was fined £400. She was also ordered to pay costs of £1,493 and a victim surcharge £40.

You must confirm that you hold the information and consider its disclosure, subject to any exemption or exception. Therefore, if information you held at the time of the request is destroyed outside of your normal disposal schedule, this is likely to be a breach of the FOIA or the EIR.

You will only commit an offence if the requested information is altered, concealed or destroyed with the intention of preventing disclosure under either FOIA or the EIR.

Individual employees can be guilty of this offence as well as the organisation itself. Government departments cannot commit section 77 or regulation 19 offences but civil servants can.

What happens if we have already deleted the information someone has asked for?

Under FOIA and EIR, a person is only entitled to receive information you hold at the time you receive the request. If you receive a request for information that you held in the past, and has now been destroyed, you no longer hold that information. In order to comply with FOIA or the EIR, you only need to reply stating you do not hold the information.

If you held the deleted information electronically and it has not been permanently overwritten or is recoverable, you may still hold that information for the purposes of the legislation. You can consult our guidance on determining whether information is held for more detailed considerations.

Section 16 of FOIA and regulation 9 of the EIR place a duty on you to provide advice and assistance to people making information requests. You should advise the requestor whether the information is, or may be, available elsewhere and whether you hold any similar or related information which you can provide instead.

If you are following good records management practice you should also be able to explain when and why the information was destroyed. This conforms with section 2.7.6 of the code which states “Authorities should be able to explain why they no longer hold information, either by reference to a record of its destruction or by reference to the authority’s policy.”

If we are due to delete information, but someone requests it, what do we need to provide?

You should be cautious about deleting any information that is subject to an information request as you may be legally obliged to communicate that information to the requestor.

You should preserve any information you identify as falling within the scope of an information request to prevent its deletion or amendment. The ICO recognises this is not always possible. If you fail to do so, you will leave yourself open to accusations that you have committed a criminal offence.

The exact information you need to provide may depend on whether a request has been submitted under FOIA or the EIR.

If you are following good records management practices, you should have a disposal schedule. It should identify and describe the records which you can dispose of in accordance with a defined timetable. Having a defined, consistently followed, policy is the best way to avoid committing a criminal offence.

When the request is made under FOIA

Section 1(4) of the FOIA states that:

“The information—

(a) in respect of which the applicant is to be informed under subsection (1)(a), or

(b) which is to be communicated under subsection (1)(b),

“is the information in question held at the time when the request is received, except that account may be taken of any amendment or deletion made between that time and the time when the information is to be communicated under subsection (1)(b), being an amendment or deletion that would have been made regardless of the receipt of the request.”

You won’t usually have to release information under FOIA if it is scheduled to be destroyed under your usual disposal schedule before the time for compliance with the request expires.   

This doesn’t apply to situations where your decision to delete or destroy is prompted by the request, or if destruction is scheduled for after the deadline for responding. If the information is not already due for deletion, or if it is not due to be deleted until after you are required to have issued your response, you should consider the request in the usual way.

Example

In the case of Harper v the Information Commissioner and the Royal Mail (EA/2005/0001), the Information Tribunal provided an example (at paragraph 17) of a situation in which a public authority could take account of deletion.

A request is made on 1 January for information that is held on a database which is completely erased every six months. This erasure occurs on 10 January. The time for compliance with the request is the end of January, and so the public authority, if it complies with the request after 10 January, may inform the requestor that the information is not held. [Note, however, that section 10 requires you to comply with section 1 promptly, and no later than the twentieth working day following receipt.]

In contrast, should a public authority decide to delete relevant requested information when this is not in the normal course of business, it would be acting unlawfully. In particular, in such circumstances, a public authority would be likely to commit an offence under section 77 of FOIA.

In the context of section 1(4), the ICO interprets the reference to “promptly” in section 10 of FOIA to mean:

  • where requested information is scheduled for deletion before a response is due to be issued; and
  • you are in a position to respond earlier than the statutory twenty working day time limit, you should provide the information before it is deleted.

As a matter of good practice, you should delay the destruction of the information if it is known to be the subject of a request.

Section 1(4) of FOIA also refers to the scheduled “amendment” of information that is requested. You will often hold types of information which you amend on a regular basis; eg statistical information that you update every month.

Remember that you have a duty to advise and assist the requestor. If you know that particular information requested is due to be amended or updated, you should ask the requestor to clarify which version of the information they want – the old version, the new version or both. Clarifying the request at the outset is more likely to produce a satisfactory outcome for the requestor and can save you time.

If the requestor wants the old version of the information, you should attempt to preserve this version, if it is reasonably practicable to do so. You should also be aware that you may still hold electronic information that has not been completely deleted and overwritten. You may wish to consult our guidance on determining whether information is held for more detailed considerations.

When the request falls under the EIR

Environmental information under the EIR is different, as there is no equivalent to section 1(4) of FOIA. Regulation 5(1) requires you to make information that you hold available on request. Regulation 12(4)(a) provides an exception from disclosure for information you don’t hold at the point you receive a request.

If you are aware that the requested environmental information is likely to be amended before the response deadline, you should clarify with the requestor which version of the information they want.

There is no exception for information that is held when the request is received but is due for routine destruction shortly afterwards. If the requestor insists on the original version of the information, you should therefore delay destruction or amendment of the requested information and consider the request in the usual way.

As with FOIA, you may still hold information if you have deleted it, but it is not permanently destroyed or overwritten.

Can we destroy or amend information after we have responded to the request?

Records should be kept for as long as they are needed. As a matter of good practice, you should keep a copy of any requested information for a period of time after the date of the last communication concerning the request. This is particularly important if you have refused to disclose any part of the information.

The ICO considers that where information is known to be the subject of a request, destruction should be delayed until all relevant complaint and appeal provisions have been exhausted. This will include internal reviews, any complaints made to the ICO, and any appeals from decision notices.

Your refusal notice should set out the time limit for requesting an internal review. The ICO would then normally expect any subsequent complaint to be made within three months of the internal review decision. Following the issuing of a decision notice, there are rights of appeal to the Information Rights Tribunal and then, potentially, to the courts.

It is recommended that you retain the requested information for at least six months after your internal review and after you are confident that no further action will take place.

You should also consider the need to maintain the integrity of the withheld information pending the conclusion of the appeal. For example, the information that has been requested may include statistical information that is constantly changing. If you withhold information and this becomes a complaint, you should ensure that you retain a copy of the withheld information and do not allow it to be overwritten by more recent data.

The fact a request was made may indicate wider interest and future requests for the same information. If the information was scheduled for destruction, you may want to reconsider whether it is still appropriate to destroy it. It is recommended that you retain the information for a minimum of six months. If you decide to proceed with the destruction, you should keep a record of the reasons for that decision.

What if we think that the request is vexatious, manifestly unreasonable or would exceed the cost limit?

You do not have to delay the deletion of information until the relevant complaints and appeal procedures have been exhausted where:

  • you have relied on either section 12 or section 14 to refuse the request; or
  • if the request is for environmental information and you have relied on regulation 12(4)(b) of the EIR to refuse the request; and
  • it would be an onerous exercise for you to extract and isolate either the information caught by that request, or the records known to contain that information.

In the above scenarios you can delete material falling within the scope of the request where this is required in line with your records management practice. You can do this, regardless of whether the decision has been challenged.

The functions of Section 12, Section 14(1) and Regulation 12(4)(b), are  to protect you from the burden of collating the information. The ICO recognises it would defeat the provisions’ purpose if you were obliged to put considerable resource into locating and setting aside the requested material, just in case the original decision should later be overturned.

Remember:

  • if you are a public records body under the Public Records Act 1958 your responsibilities will remain in relation to the preservation of records;
  • as previously explained, you should remain aware that section 77 FOIA has provision for you to be charged with the intentional prevention of disclosure of information if someone has already requested it, and they would have been entitled to receive it;
  • all public authorities should be aware of the Secretary of State’s Code of Practice on records management issued under section 46 FOIA.

Other considerations

This guidance has been developed drawing on ICO experience. It may provide more detail on the sort of issues that are regularly referred to the ICO than on those we rarely see.

We will review the guidance in line with our decisions and those of the Tribunals and courts. It is a guide to our general recommended approach, although we will always decide individual cases on the basis of their particular circumstances.

If you need any more information about this or any other aspect of freedom of information, please see our website ico.org.uk for further guidance and our contact details.

Further reading

Section 46 Code of Practice on records management

You might also want to consider the ICO’s guidance on:

Further guidance on records management is available from the National Archives.

Additional guidance is available on our guidance pages if you need further information on engaging the public interest test, other FOIA exemptions, or the EIR exceptions.