Freedom of Information compliance adds to public sector IT managers' hefty burden

IT chiefs must provide access and security to comply with the Freedom of Information Act.

IT chiefs must provide access and security to comply with the Freedom of Information Act.

The Freedom of Information Act is set to have a significant impact on the 75,000 or so bodies discharging public functions in the UK when it comes into force at the start of 2005.

While the Act has been criticised by some for not going far enough, there can be no doubt that it presents a hefty additional burden for IT managers across the public sector.

The Act, which is being phased in across the public sector, is designed to enable public access to information held by organisations discharging public services, such as councils, health authorities, central government and even private firms under contract to public bodies.

However, not all information is to be made available to the public. Organisations still have a duty to maintain the security and confidentiality of sensitive data.

Records management is likely to become a huge issue for public organisations. With the trend towards electronic storage and delivery of information, it is almost inevitable that the daily responsibility for effective document management falls on the shoulders of the IT manager.

The sheer volume of information generated and held over long periods, together with the public's right to access it, is problem enough. Add to this the need to maintain confidentiality, the need to ensure security of the system and the time pressures imposed by the Act and you create a real IT headache.

Many organisations previously rushing to deal with the short-term problem of having to draft their Freedom of Information Act publication schemes are only now beginning to realise the impact their chosen compliance strategies will have on managing data.

For IT managers, compliance with the Freedom of Information Act means finding a balance between providing easy access to the right information, while also establishing the necessary technical and other measures to maintain the integrity of any data held.

The relative ease with which electronic documents can be "tampered" with, such as defacing or changing text, or even attaching viruses, increases the likelihood of them being used maliciously.

While some organisations have identified that they can reduce the number of incoming information requests by publishing data into the public domain through their website, they also need to guard against the heightened risk of a security breach through hacking.

The fact that hitherto private documents must now be disclosed will place a premium on good document management and storage. The new legislature requires that public authorities must provide access to all information not exempt from disclosure - even documents that may be embarrassing. We are all familiar with the scandal of document shredding at certain US private sector companies over the past few years.

The following measures are recommended: a clear communication to employees that they have a duty to maintain the integrity of all information held by the organisation, and a condition in the contract of employment that staff comply with the guidance.

A policy of dealing with offenders should be in place, while IT managers should also consider using software that will prevent documents being tampered with.

Nathan Millard, a senior solicitor at law firm Morgan Cole, and software supplier PolicyMatter

Read more on IT legislation and regulation