Deleted e-mails are governed by the Freedom of Information Act, report Edward Wilding and Anthony Riem

The recent decision of the Information Tribunal – the final court of appeal for freedom of information requests – that e-mails and documents that have been deleted are subject to the Freedom of Information Act 2000 (FOIA) has sent a shockwave through Whitehall. The ground-breaking ruling comes from three related cases at the end of last year, the most important of which is P Harper v Information Commissioner 15 November 2005, EA 2005/0001, which establishes a right for the public to see e-mails deleted by civil servants, overturning previous restrictions on the Act.


In Harper, a Royal Mail employee wanted to know how often his personal file had been requested over a certain period. The tribunal found that the Royal Mail did not hold the information and rejected the appeal on the circumstances, but issued a judgment about deleted information. It said: ‘Simple restoration from a trash can or recycling bin folder, or from a back-up tape, should normally be attempted, as the tribunal considers that such information continues to be held.’


The government and Information Commissioner are now having to revise the guidelines issued to public bodies, to take account of the treatment of deleted material. This latest ruling follows hard on the heels of a similar amendment to the Civil Procedures Rules (CPR). In October 2005, the practice direction to CPR 31 was amended to make specific reference to the disclosure of electronic documents. The definition includes: e-mail and other electronic communications; word-processed documents; databases; documents readily accessible from computer systems and other electronic devices and media, such as memory sticks, CDs and mobile telephones; documents stored on servers and back-up systems; electronic documents that have been deleted; and metadata.


As a result, any lawyer seeking disclosure, or conversely, anyone charged with complying with a disclosure order, must now think carefully about the range of this exercise.


In computer forensic investigations, typically some 60% of the total evidence gathered in contemplation of legal proceedings comprises of deleted computer data, with e-mails and Microsoft Office documents predominating. This evidence is usually gathered prior to an application to the court, and tends to be ruled admissible.


In cases of serious fraud and wrongdoing, search order applications – which specify deleted material and other forms of encrypted and camouflaged data to be disclosed – have been granted by the court. Search orders often include the right for the applicant’s experts to conduct a full computer forensic investigation to uncover deleted, concealed and encrypted information, over and above the extant files and folders found on computers and data-storage media.


However, prior to these latest rulings, deleted data was not specified as potentially subject to disclosure in routine litigation or FOIA applications.


There is a misconception that deleted files may be recovered at the press of a button. While this is occasionally true – where, for instance, files are simply placed in the ‘trash can’ – the recovery of deleted information is generally far more complex and time-consuming. This is particularly the case where files have become fragmented or are unallocated on the disk, where certain data formats or deleted mail messages require recovery, or where data-erasure software has been used.


There is also the old chestnut of definition; for example, does an isolated fragment – a paragraph perhaps – found in an unallocated cluster on a disk constitute a deleted document? The recovery of such material is an involved technical task, requiring specialist skills and tools, far beyond the capability or remit of the typical IT department.


Many weeks may be spent in the laboratory reconstituting the contents of just one computer. Imagine a disclosure exercise involving tens, hundreds, or even thousands of machines. In a recent case, more than 130,000 deleted files were recovered from a single desktop computer, of which 90% were standard system files irrelevant to the litigation. Instructing a client’s IT department, therefore, to ‘undelete everything’ is guaranteed to cause grievous dissent and, in all likelihood, mayhem. The issues of proportionality, relevance and reasonableness all continue to apply, and clearly pertain in determining what constitutes a reasonable search for deleted data.


Technically, deleted information may be recovered using a variety of specialist software and hardware tools. Exact copies of the evidential data stream are made using a process known as disk imaging. But the fact that the entirety of the data, extant and deleted, belonging to the respondent or defendant is copied indiscriminately has inevitably led to legal arguments about privilege, commercial confidentiality and self-incrimination. In practice, this is resolved through independent adjudication – typically, the forensic expert gives an undertaking not to disclose any information that may fall within these categories, and it is assessed by an independent solicitor or court appointee. In a standard disclosure exercise, where information is volunteered, the parties may remove such material prior to its submission.


It was only a matter of time before deleted data was formally included for consideration in disclosure. Given the significant technical and procedural burden this can place on a party subject to a disclosure order, businesses would be well advised to review the ways in which their data is processed, stored and retained.


Edward Wilding is co-founder of IT forensics company DGI (Data Genetics International). Anthony Riem, partner at City firm Philippsohn Crawfords Berwald, also contributed to the article