Facts of the matter

On 11 March 2020, the ICO brought its first successful conviction under the Freedom of Information Act 2000 (“FOIA”).

An individual had made a Freedom of Information (“FOI”) request to the council for an audio recording of a council meeting. The requester was advised by the clerk that the recording had been deleted in line with council policy.

The clerk had been aware of the FOI request and had nevertheless then deleted the recording in the days that followed.

Section 77 of the FOIA states a person “is guilty of an offence if he alters, defaces, blocks, erases, destroys or conceals any record held by the public authority, with the intention of preventing the disclosure by that authority of all, or any part, of the information to the communication of which the applicant would have been entitled.”

A clerk at Whitchurch Town Council admitted to the criminal offence of blocking records with the intention of preventing disclosure, in breach of section 77 of FOIA. She was fined £400, ordered to pay costs of £1,493 and a victim surcharge of £40.

Mike Shaw, Group Manager in Enforcement at the ICO, stated that: “This case is about the public’s right to know, and we will not hesitate to take action to protect people’s right to access the information they are entitled to.”

Parallels with the Data Protection Act 2018

This section of FOIA holds an interesting parallel with section 173 of the Data Protection Act 2018 (“DPA18”) which created a new criminal offence for organisations to alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure in the context of a data subject access request (“DSAR”).

A similar offence did not exist under the old regime (the 1998 version of the DPA) and was part of a general drive to bolster data subject rights as also established under the terms of the GDPR.

There is no difference in the penalties available: both are dealt with by way of fines, for which there is no limit to the sum that can be imposed.  Of course, the FOIA offence is only available in respect of information held by public authorities, while the offence under the DPA18 relates to personal data and is applicable to all data controllers and those employed by them.