Thank you for your email of 19 November in which you refined your request for fields 4, 5, 6, 7 and 9 from Ofsted's access log reports.

Following this clarification I received further advice. Unfortunately that advice considers that fields 5 and 9 will contain personal data and are therefore exempt from release (see below).

The report containing fields 4, 6 and 7 has now been uploaded to the “What do they know” website. These fields contain the following information.

Field 4: The time that the server finished processing the request.

Field 6: The status code that the server sends back to the client.

Field 7: The size of the object returned to the client.

Summary of withheld information

The fields that have been withheld from this report contain the following information.

Field 5: The request line from the client in double quotes.

I am informed that disclosure of field 5 would allow private data to be viewed.

Field 9: The "User-Agent". This is the information that the client browser reports about itself.

As well as identifying the browser field 9 also identifies any additional 3rd party plug-ins which the user may have installed. Therefore releasing these details might provide information that may lead to the identity of the client being known.

We feel that this decision is supported by Section 40(2) and (3) of the Freedom of Information Act. Section 40 of the FOI Act states:

Any information to which a request for information relates is also exempt information if it constitutes personal data which do not fall within subsection (and), (…) that the disclosure of the information to a member of the public otherwise than under this Act would contravene any of the data protection principles, 

Section 40(2) protects from release personal data of a third party. It is likely that the data described above in the access log could identify individuals. We feel that to release this information would contravene the rights of these individuals under the Data Protection Act, as the First Data Protection principle would be breached. We therefore consider this information exempt.

The First Data Protection principle states that:

Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless—

(a) at least one of the conditions in Schedule 2 is met,

As none of the conditions in Schedule 2 are applicable we are withholding this information. Schedule 2 is attached as an annex to this letter.

I appreciate that you may find some parts of this response disappointing. If you are unhappy with the handling of your request, you may request an internal review by writing to:

The Deputy Director of Corporate Services,

Ofsted,

Alexandra House,

33 Kingsway

London

WC2B 6SE

If you are not content with the outcome of the internal review, you have the right to apply to the Information Commissioner for a decision as to whether or not we have complied with our obligations under the Act with respect to your request. The Information Commissioner can be contacted at:

Information Commissioner's Office

Wycliffe House

Water Lane

Wilmslow

Cheshire, SK9 5AF

Yours sincerely

Julie Cotterill

ANNEX

SCHEDULE 2 Conditions relevant for purposes of the first principle: processing of any personal data

1 The data subject has given his consent to the processing.

2 The processing is necessary—

(a) for the performance of a contract to which the data subject is a party, or

(b) for the taking of steps at the request of the data subject with a view to entering into a contract.

3 The processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.

4 The processing is necessary in order to protect the vital interests of the data subject.

5 The processing is necessary—

(a) for the administration of justice,

(b) for the exercise of any functions conferred on any person by or under any enactment,

(c) for the exercise of any functions of the Crown, a Minister of the Crown or a government department, or

(d) for the exercise of any other functions of a public nature exercised in the public interest by any person.

6 (1) The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

(2) The Secretary of State may by order specify particular circumstances in which this condition is, or is not, to be taken to be satisfied.