The Freedom of Information Act 2000 and data storage

Find out what the Freedom of Information Act 2000 requires of UK public bodies and what that means for their data classification and data retrieval practices.

The Freedom of Information Act 2000 grants members of the public, as well as businesses and journalists, a right to access information held by government bodies and some other types of organisations in the UK. But which organisations does it affect, what does it require of those organisations in terms of data retrieval and publication, and what does it mean for data storage?

In this interview, Bureau Chief Antony Adshead speaks with Mathieu Gorge, CEO of Vigitrust, about the stipulations the Freedom of Information Act 2000 places on organisations and its implications for data storage.

Listen to the podcast on data storage for Freedom of Information Act 2000 or read the transcript. 

What stipulations with regard to data does the Freedom of Information Act 2000 place on organisations?

Gorge: First of all, it’s important to understand what the Freedom of Information Act is about. What it does is provide the public with a right to know in relation to public bodies. What the act aims at is to provide a mechanism whereby individuals and companies can request information from public bodies.

There are about 100,000 public bodies including government departments, schools and councils that are covered by the act, but it’s also important to understand that under some circumstances some organisations that are not necessarily seen as public bodies are covered. That includes publicly owned companies and companies designated under Section 5 [of the act].

So, altogether the idea behind the act is to make sure that if you’ve got a query and you want to access information that is not in the public domain that you feel should be in the public domain, you can put in a request to have that information disclosed to yourself. And, if you’re successful with the request, that information will be made public.

What implications does the Freedom of Information Act 2000 have for data storage?

Gorge: The stipulations of the act clearly note that you should have a data classification policy, and that policy should clearly state which information might end up being accessed under [a Freedom of Information Act] request. So, you need to understand the type of information that you’re dealing with and classify that information.

Once you have done that, you can ask yourself, “What would happen if I had to provide that information? How quickly could I get it?”

There are technical implications with regard to storage here. The information must be accessible really fast, and it must be classified within the storage environment. If some of your storage is in the cloud, [it is advisable] to ensure that your cloud provider is aware of your duties under the Freedom of Information Act so that they don’t become a bottleneck in response time.

Bear in mind that the Information Commissioner has already cited the delay in responses to Freedom of Information requests, so it’s very important to make sure that your technical implementation in terms of storage enables you to access the data in the right way. This is very similar to an e-discovery request because at the end of the day from a technical perspective it is an e-discovery request. You have to have access to that data that is stored somewhere on your storage environment, it needs to be classified, you need a priority level for each type of data, and you also need to make sure the data you’re going to access, if it is confidential, is encrypted … and protected the right way.

This leads on to the idea of access to data from the technical perspective. Again, within the storage strategy, you need to make sure that only the right people have access to the right data at the right time. So when you build a Freedom of Information Act response plan within your organisation, you need to include a storage strategy that will allow you to make sure that the right people will be able to get to the data in a timely manner.
