The Information Commissioners Office (ICO) has pledged to take a tougher approach to (FoI) enforcement, but unless major changes in archival processes are made, this could be difficult to achieve.

Under the new measures, organisations will face action from the ICO if they regularly fail to issue a response on time, refuse to disclose information without specifying an exemption, or if they fail to respond to a request altogether.

Despite the fact that FoI requests can be a burden on an organisation, and perhaps even perceived negatively as a dirt-finding mission, the ICO rightly sees them as vital in building public trust.

As I see it, there are several major reasons behind the FoI bottlenecks. The first is that there is a often a lack of internal policies about how to deal with these requests, which are constantly growing in number, and the second is that data archives have usually been designed to store not to retrieve. They are not designed to be well indexed and easily searched, and as such retrieving data can be resource consuming and expensive.

There are also the issues of access, data integrity and security to consider. Data in motion is the most common vector for data leakage and this is what organisations are most afraid of: sensitive personal data being sent to the wrong person or being sent unprotected. This applies to the data in FoI responses and, requests for data leakage – being the ones that will probably cause the most damage to organisations.

Ultimately, it's still better to know if something has been sent out that shouldn't have, than for the recipient to hold it up at a later date and throw it back at you, with their copy of the transmission. Similarly, it's better to know exactly what was sent and perhaps then easier to show that you were acting correctly and in accordance with the regulations.

By accurately archiving email and having easy access to it, organisations can ensure that data privacy is maintained and records cannot be altered in the process.

Information Commissioner: security still on alert

Previously, the only time a company may attempt to access their data archives, apart from running integrity checks, would be to restore information after some kind of problem with the live system, or for an audit. Both of these scenarios require data to be retrieved in large, sequential blocks within a relatively narrow date range. This is entirely contrary to an FoI request, which instead needs to search a large portion the of the data and pick out individual records based on specific key words or topics.

For a start, organisations need better guidelines about how to process these requests but, more importantly, how to store data in such a way that it eases these commitments and ensures regulations can be met. Better indexing of this data at the backup stage can be implemented relatively easily and will improve results dramatically.

When it comes to implementing these measures, I think the onus should be on the archival provider to ensure that suitable measures are in place.

FoI requests are only going to rise and the ICO's call to crack down on tardy responses means that now is perfect time for all organisations to take a close look at how they backup and store their information.

About the author:

Andres Kohn is VP of email archiving at Proofpoint