PSNI data breaches and questions over ICO’s investigations retention policy

I’ve been running this blog for about 15 years now. I’m not a records manager, but I recognise that information has a lifecycle. Maybe I could weed some older posts, but the thing is, I occasionally find some of the old posts useful. For instance, when news broke of recent nasty data breaches involving police forces (including the Police Service of Northern Ireland, or “PSNI”) and Freedom of Information disclosures, I was able to point to a ten-year-old post on this blog which illustrated that concerns about such disclosures have been around for a long time.

So I was rather surprised to see the Information Commissioner’s Office (ICO) saying – in response to claims from two former anti-terrorist officers that the recent incidents were part of a pattern of serious mistakes, and that their information had previously been compromised (albeit not by PSNI itself) – that

Having checked with relevant teams, we do not appear to have record of an investigation regarding this data controller for the time frame noted. This may be due to our retention policy

The retention policy in question says (at page 28) that information in relation to regulatory investigations will normally be retained for five or six years, but that in civil enforcement cases where no action was taken the information will be destroyed after two years.

There is nothing inherently “wrong” about this; unless there is a statutory requirement to retain information, it falls to each public body to determine what is an appropriate retention period. However, the ICO elsewhere emphasises the need to consider patterns in compliance. The regulatory action policy, for instance, says that an organisation’s “prior regulatory history”, including the “pattern…of complaints”, might be an aggravating factor when it comes to taking enforcement action, and that “as issues or patterns of issues escalate in frequency or severity then we will issue more significant powers in response”. But the retention policy means that, unless formal action has been taken against an organisation, such patterns can only be taken into account when they involve incidents occurring within the previous two years. Is that sufficient or adequate?

I would suggest not. The policy’s version history shows that it is regularly reviewed (including an annual review). I would hope that the next review considers whether there is compelling evidence that retaining investigation information for longer than two years is warranted, especially in light of recent events.

Filed under access to information, adequacy, Data Protection, Information Commissioner, retention, security