Application forms for 'beta sandbox' projects

Phil Booth made this Freedom of Information request to Swyddfa'r Comisiynydd Gwybodaeth

This request has been closed to new correspondence from the public body. Contact us if you think it ought be re-opened.

Roedd y cais yn rhannol lwyddiannus.

Dear Information Commissioner's Office,

I would like to make a request under the Freedom of Information Act. For the purposes of the Act, please take the date of your receipt of this request as 22 August 2019.

With reference to your 'beta sandbox' projects listed here:
https://ico.org.uk/for-organisations/the...

Please provide a copy of the completed application forms (and any supporting documents) for each of the 10 projects selected for the sandbox.

Please do not delay your response on the basis that you cannot provide some or any of the information for any one of the items above; I am happy for you to provide partial information in a timely manner, on the understanding that you will provide more complete information as soon as it is available.

I would be grateful if you would send me the requested information promptly and in any event not later than the twentieth working day following the date of receipt of my request.

If my request is denied in whole or in part, or if specific items within the responses are withheld from disclosure, then (as you know) you must justify all deletions by reference to specific exemptions of the Act, as per Section 17 of the Act. Where you rely on a qualified exemption to withhold disclosure, you are obliged to consider the public interest in your decision and any refusal notice must explain not only which exemption applies and why, but also the public interest arguments addressed in reaching the decision.

Yours faithfully,

Phil Booth

Swyddfa'r Comisiynydd Gwybodaeth

27 August 2019

 

Case Reference Number IRQ0868369

 

Dear Mr Booth

Thank you for your recent request for information. We received your
request on 22 August 2019.
 
We will be considering your request under the Freedom of Information Act
2000. You can expect us to respond in full by 20 September 2019. This is
20 working days from the date we received your request. If, for any
reason, we can’t respond by this date, we will let you know and tell you
when you can expect a response.
 
If you have any questions please contact me using the IRQ case reference
number above or by replying to this email and leaving the subject field
unchanged.
 
Thank you for your interest in the work of the Information Commissioner's
Office.
 
Yours sincerely
 
  
 
 

Alexis Karlsson-Jones
Senior Information Access Officer, Risk and Governance Department
Corporate Strategy and Planning Service
Working pattern: Tuesday - Friday
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF
F. 01625 524510  [1]ico.org.uk  [2]twitter.com/iconews
For information about what we do with personal data see our [3]privacy
notice. Please consider the environment before printing this email

References

Visible links
1. http://ico.org.uk/
2. https://twitter.com/iconews
3. https://ico.org.uk/global/privacy-notice/

Swyddfa'r Comisiynydd Gwybodaeth

19 September 2019

 

Case Reference Number IRQ0868369

 

Dear Mr Booth

Further to my letter dated 27 August 2019, I can confirm we are now in a
position to provide you with a response to your information request of 22
August.
 
We have dealt with your request in accordance with your ‘right to know’
under section 1(1) of the Freedom of Information Act 2000 (FOIA), which
entitles you to be provided with any information ‘held’ by a public
authority, unless an appropriate exemption applies.
 
Your Request
 
“I would like to make a request under the Freedom of Information Act. For
the purposes of the Act, please take the date of your receipt of this
request as 22 August 2019.
 
With reference to your 'beta sandbox' projects listed here:
 
[1]https://eur03.safelinks.protection.outlo...
 
Please provide a copy of the completed application forms (and any
supporting documents) for each of the 10 projects selected for the
sandbox.
 
Please do not delay your response on the basis that you cannot provide
some or any of the information for any one of the items above; I am happy
for you to provide partial information in a timely manner, on the
understanding that you will provide more complete information as soon as
it is available. I would be grateful if you would send me the requested
information promptly and in any event not later than the twentieth working
day following the date of receipt of my request. If my request is denied
in whole or in part, or if specific items within the responses are
withheld from disclosure, then (as you know) you must justify all
deletions by reference to specific exemptions of the Act, as per Section
17 of the Act. Where you rely on a qualified exemption to withhold
disclosure, you are obliged to consider the public interest in your
decision and any refusal notice must explain not only which exemption
applies and why, but also the public interest arguments addressed in
reaching the decision.”
 
Our Response
 
I can confirm we hold the information that falls in the scope of your
request. The information held constitutes application forms from the
organisations responsible for the first ten projects chosen to participate
in the beta phase of the ICO Sandbox.
 
We are unable to disclose any of the information that we hold that falls
in scope of your request as we consider it exempt from disclosure. I will
explain our decision in more detail below.
 
Section 44 – prohibitions on disclosure
 
Firstly, we consider that the applications submitted by the successful
applicant organisations is exempt under section 44 of the FOIA. This is an
absolute exemption and not subject to a public interest test. Section
44(1)(a) of the FOIA states:
 
“(1) Information is exempt information if its disclosure (otherwise than
under this Act) by the public authority holding it –
is prohibited by or under any enactment.”
 
In this case, the Data Protection Act 2018, Part 5, Section 132 prohibits
the disclosure of confidential information that:
 
“… (a) has been obtained by, or provided to, the Commissioner in the
course of, or for the purposes of, the discharging of the Commissioner’s
functions,
(b) relates to an identified or identifiable individual or business, and
(c) is not available to the public from other sources at the time of the
disclosure and has not previously been available to the public from other
sources,
 
unless the disclosure is made with lawful authority.”
 
We consider that this applies to completed application forms submitted to
the ICO for our consideration when choosing the projects to participate in
the beta phase of the ICO Sandbox. We do not have lawful authority to
disclose the requested information as it was provided to us with an
expectation of confidence.
 
It is important to understand that in order to fulfil our regulatory
function, the ICO relies on the co-operation of organisations in
participating in projects such as the ICO sandbox. If we were to release
all the information which we receive from organisations relating to their
applications to take part in schemes such as these, (and without consent),
this would be likely to deter them from engaging in initiatives such as
this which are designed to improve compliance with the legislation. It
would be likely to deter organisations from providing information to us in
future and would therefore undermine our regulatory function.
 
Section 132(3) of the DPA imposes a criminal liability on the Commissioner
and her staff not to disclose information relating to an identifiable
individual or business for the purposes of carrying out our functions,
such as the regulatory sandbox, unless we have the lawful authority to do
so. In this instance we do not consider that any of the gateways to lawful
disclosure envisaged by section 132 have been met, and as such the
information is exempt pursuant to FOIA section 44.
 
Section 31 – Law enforcement
 
We consider the information in scope of this request is exempt from
disclosure by virtue of section 31(1)(g) of the FOIA. This exemption
applies when disclosure would or would be likely to prejudice our ability
to carry out our regulatory function.
 
The exemption at section 31(1)(g) of the FOIA refers to circumstances
where the disclosure of information “would, or would be likely to,
prejudice – … the exercise by any public authority of its functions for
any of the purposes specified in subsection (2).” 
 
In this case the relevant purposes contained in subsection 31(2) are 31(2)
(c) which state;
 
“(c) the purpose of ascertaining whether circumstances which would justify
regulatory action in pursuance of any enactment exist or may arise,”    
 
Since part of the ICO Sandbox process involves ascertaining whether
circumstances may arise where regulatory action would be justified, we
consider that disclosure of the applications forms would be likely to
prejudice our regulatory functions. It therefore meets the exemption at
section 31(2)(c).
 
We consider that disclosure of this information, particularly while the
Sandbox is ongoing, would create a real risk of distracting from and
causing interference with the process, resulting in prejudice to the
functions of the ICO both in relation to the current Sandbox initiative
and any of its future iterations. For instance, disclosure of the
requested information here may reveal potentially commercially sensitive
or otherwise confidential information. This would therefore be likely to
inhibit effective and productive relationships with the various parties we
communicate with – it is essential that organisations continue to engage
with us in a constructive and collaborative way without fear that the
information they provide to us will be made public prematurely, or at a
later date, if it is inappropriate to do so.
 
As the exemption at section 31 is not absolute we must consider whether
the public interest lies in maintaining the exemption or in disclosure of
the list.
 
We find that the factors in favour of disclosing the completed application
forms are:
 
 

* transparency in the ICO Sandbox process we have initiated in line with
our mission to uphold information rights in the public interest which
includes promoting openness by public bodies; and
* providing insight to the public about the products and services, using
personal data, which are likely to come to market in the near future.

 
And the public interest factors we find in maintaining the exemption are:
 
 
 

* the ICO being able to operate the regulatory sandbox project in line
with its stated, publicly available strategies and goals without its
being undermined by disclosure of the specifics of the technologies
being tested;
* in preventing the undermining of the sandbox process by disclosure of
potentially commercially sensitive and/or confidential information,
particularly before the beta phase has been concluded;
* that no information had been provided to the organisations that these
applications would be placed in public domain, and indeed, mindful
that the completed applications would treated with the appropriate
level of confidence;
* that we are committed to transparency within the regulatory sandbox
process, and to that end have already published a number of blogs on
our website and entries in our e-newsletter, including a synopsis of
each of the ten successful projects that have been chosen to take part
in the Sandbox;
* that disclosure could have the overall effect of reducing compliance
with the laws we regulate.

 
On the balance of the factors listed above we consider that the public
interest lies in maintaining the exemption at this time.

This concludes our response to your request.
 
Complaint and Review Procedure
 
If you are dissatisfied with your request for information under FOI and
wish to request a review of our decision or make a complaint about how
your request has been handled you should write to the Information Access
Team at the address below or e-mail [2][ICO request email].
 
Your request for internal review should be submitted to us within 40
working days of receipt by you of this response. Any such request received
after this time will only be considered at the discretion of the
Commissioner.
 
If having exhausted the review process you are not content that your
request or review has been dealt with correctly, you have a further right
of appeal to this office in our capacity as the statutory complaint
handler under the legislation. To make such an application, please write
to our Customer Contact Team at the address given or visit our website if
you wish to make a complaint under the Freedom of Information Act.
 
A copy of our review procedure can be accessed from our website [3]here.
 
Yours sincerely
 
 
 
 

Alexis Karlsson-Jones
Senior Information Access Officer, Risk and Governance Department
Corporate Strategy and Planning Service
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF
F. 01625 524510  [4]ico.org.uk  [5]twitter.com/iconews
For information about what we do with personal data see our [6]privacy
notice. Please consider the environment before printing this email

References

Visible links
1. https://eur03.safelinks.protection.outlo...
2. mailto:[ICO request email]
3. https://ico.org.uk/media/1883/ico-review...
4. http://ico.org.uk/
5. https://twitter.com/iconews
6. https://ico.org.uk/global/privacy-notice/

Dear Information Commissioner's Office,

Please pass this on to the person who conducts Freedom of Information reviews.

I am writing to request an internal review of Information Commissioner's Office's handling of my FOI request 'Application forms for 'beta sandbox' projects'.

The reason you give for refusing my request, quoting exemption under Section 44, is that: "We do not have lawful authority to disclose the requested information as it was provided to us *with an expectation of confidence*."

However, in your 'Sandbox application form' that is still publicly available at:
https://ico.org.uk/for-organisations/the... the text at the top of the first page of the form clearly states: "Please include all the information we need to assess your application within this Word document *and mark up any sections that are confidential or commercially sensitive*."

Unless you are claiming that every successful applicant marked every section of their application as confidential, I would like the partial information (as I first requested) that was not marked confidential by them, for each applicant who - having been given the choice, and clear instructions - clearly did NOT have an expectation of confidence for that unmarked information.

I would be content with copies of the 10 forms with any information that has been marked confidential or commercially sensitive by the applicant themselves redacted, as I had assumed would be done - and as is quite usual with such information. (At no point did I ask for "all the information" as your response seems to presume.)

With regard to your refusal quoting exemption under Section 31(2), it is self-evident that redaction of the information that applicants themselves marked as confidential or commercially sensitive would mean that two of your main public interest justifications for maintaining the exemption (i.e. disclosing "commercially sensitive and/or confidential information", and respecting "the appropriate level of confidence") fall away.

Furthermore, if it is the case that disclosure of the (redacted, so no longer confidential or commercially sensitive) application forms STILL provides evidence of circumstances "where regulatory action would be justified", then the ICO's regulatory functions could be discharged by (a) telling the applicant that what they intend to do would break the law(!), and (b) redacting that or those specific statements that would justify such regulatory action before disclosure.

Unless every successful applicant to the Sandbox made an entirely unlawful application, and/or marked it all as confidential (or commercially sensitive) then there is a clear public interest in knowing the remaining information - and no reasonable argument that the disclosure of 10 application forms, redacted as described, "could have the overall effect of reducing compliance with the laws we regulate".

If that were to be the case, then why risk compromising the ICO's regulatory independence and credibility by having a Sandbox at all?

A full history of my FOI request and all correspondence is available on the Internet at this address: https://www.whatdotheyknow.com/request/a...

Yours faithfully,

Phil Booth

Information Access Inbox, Swyddfa'r Comisiynydd Gwybodaeth

Thank you for contacting the Information Commissioner’s Office. We confirm
that we have received your correspondence.

If you have made a request for information held by the ICO we will contact
you as soon as possible if we need any further information to enable us to
answer your request. If we don't need any further information we will
respond to you within our published, and statutory, service levels. For
more information please visit:

[1]https://ico.org.uk/about-the-ico/our-inf...

If you have raised a new information rights concern - we aim to send you
an initial response and case reference number within 30 days.

If you are concerned about the way an organisation is handling your
personal information, we will not usually look into it unless you have
raised it with the organisation first. For more information please see our
webpage ‘raising a concern with an organisation’ (go to our homepage and
follow the link ‘for the public’). You can also call the number below.

If you have requested advice - we aim to respond within 14 days. 

If your correspondence relates to an existing case - we will add it to
your case and consider it on allocation to a case officer.

Copied correspondence - we do not respond to correspondence that has been
copied to us.

For more information about our services, please see our webpage ‘Service
standards and what to expect' (go to our homepage and follow the links for
‘Report a concern’ and ‘Service standards and what to expect'). You can
also call the number below.

For information about what we do with personal data see our [2]privacy
notice.

If there is anything you would like to discuss with us, please call our
helpline on 0303 123 1113.

Yours sincerely

The Information Commissioner’s Office

Our newsletter

Details of how to sign up for our monthly e-newsletter can be found
[3]here.

Twitter

Find us on Twitter [4]here.

 

References

Visible links
1. https://ico.org.uk/about-the-ico/our-inf...
2. https://ico.org.uk/global/privacy-notice/
3. https://ico.org.uk/about-the-ico/news-an...
4. http://www.twitter.com/ICOnews

Swyddfa'r Comisiynydd Gwybodaeth

30 September 2019

 

Case Reference Number RCC0878241

 

Dear Mr Booth

Thank you for your correspondence dated 27 September 2019.
 
This correspondence will now be treated as a request for an internal
review of the response we provided to your recent request for information
under the Freedom of Information Act 2000.
 
We will aim to respond by 25 October 2019, which is 20 working days from
the day after we received your recent correspondence.  This is in
accordance with our internal review procedures which were provided with
our response.
 
Yours sincerely
 
 
 

Alexis Karlsson-Jones
Senior Information Access Officer, Risk and Governance Department
Corporate Strategy and Planning Service
Usual working pattern – Tuesday to Friday
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF F. 01625 524510 [1]ico.org.uk  [2]twitter.com/iconews
For information about what we do with personal data see our [3]privacy
notice. Please consider the environment before printing this email

References

Visible links
1. http://ico.org.uk/
2. https://twitter.com/iconews
3. https://ico.org.uk/global/privacy-notice/

Swyddfa'r Comisiynydd Gwybodaeth

Dear Mr Booth

I am the Group Manager for the Information Access team and I have received
your request for an information review. I will finalise your reply by
Friday 1 November 2019. My apologies for the delay in your reply.

Regards

 

Elizabeth Baxter
Information Access Service Group Manager, Risk and Governance Department
 
Corporate Strategy and Planning Service
 
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF
T. 0330 3131840  F. 01625 524510  [1]ico.org.uk  [2]twitter.com/iconews
For information about what we do with personal data see our [3]privacy
notice
Please consider the environment before printing this email

References

Visible links
1. http://ico.org.uk/
2. https://twitter.com/iconews
3. https://ico.org.uk/global/privacy-notice/

Swyddfa'r Comisiynydd Gwybodaeth

Dear Mr Booth

Further to my email of last week, I can confirm that I have undertaken a
review of your information request IRQ0868369. I can also confirm that,
whilst in agreement with the application of the two exemptions Section 44
and Section 31, I feel we could have been more helpful with your request.

As a result, The Information Commissioners Office are reconsidering your
request for information to ascertain if there is any further information
we can disclose to you in the interests of being helpful. We will be in
touch no later than the week commencing Monday 25 November 2019.

Kind Regards

 

Elizabeth Baxter
Information Access Service Group Manager, Risk and Governance Department
 
Corporate Strategy and Planning Service
 
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF
T. 0330 3131840  F. 01625 524510  [1]ico.org.uk  [2]twitter.com/iconews
For information about what we do with personal data see our [3]privacy
notice
Please consider the environment before printing this email

 
 

References

Visible links
1. http://ico.org.uk/
2. https://twitter.com/iconews
3. https://ico.org.uk/global/privacy-notice/

Swyddfa'r Comisiynydd Gwybodaeth

21 November 2019

 

Case Reference Number RCC0878241

 

Dear Mr Booth

I am have been asked by my colleague, Elizabeth Baxter to contact you to
provide you with an update on your request further to her email of 31
October.
I can advise that your request is continuing to be reconsidered and we
hope to make a disclosure of some of the information that you have
requested in due course.
 
I will continue to keep you updated on your request and will contact you
again no late than the week beginning 16 December.
 
Yours sincerely
 
 
 
 
 

Alexis Karlsson-Jones
Senior Information Access Officer, Risk and Governance Department
Corporate Strategy and Planning Service
Usual working pattern – Tuesday to Friday
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF F. 01625 524510  [1]ico.org.uk  [2]twitter.com/iconews
For information about what we do with personal data see our [3]privacy
notice. Please consider the environment before printing this email

References

Visible links
1. http://ico.org.uk/
2. https://twitter.com/iconews
3. https://ico.org.uk/global/privacy-notice/

Swyddfa'r Comisiynydd Gwybodaeth

18 December 2019

 

Case Reference Number RCC0878241

 

Dear Mr Booth

I am have been asked by my colleague, Elizabeth Baxter to contact you to
provide you with an update on your request.

I can advise that your request is continuing to be reconsidered and we
hope to make a disclosure of some of the information that you have
requested in due course.
 
I will continue to keep you updated on your request and will contact you
again no late than the week beginning 14 January 2020.
 
Yours sincerely
  
 
 

Alexis Karlsson-Jones
Senior Information Access Officer, Risk and Governance Department
Corporate Strategy and Planning Service
Usual working pattern – Tuesday to Friday
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF F. 01625 524510  [1]ico.org.uk  [2]twitter.com/iconews
For information about what we do with personal data see our [3]privacy
notice. Please consider the environment before printing this email

References

Visible links
1. http://ico.org.uk/
2. https://twitter.com/iconews
3. https://ico.org.uk/global/privacy-notice/

Swyddfa'r Comisiynydd Gwybodaeth

1 Atodiad

22 January 2020

 

Case Reference Number RCC0878241

 

Dear Mr Booth

Further to my email of 18 December 2019, I have been asked by my
colleague, Elizabeth Baxter to contact you to provide you with an update
on your request.
 
Please find attached a partial disclosure of five of the 10 Sandbox
applications. You will note that there are a number of redactions and I
can advise that all redactions have been made in line with the exemption
at s.44 of the FOIA, which I will explain in further detail below:
 
Section 44 – prohibitions on disclosure
 
Following a reconsideration of your request, we consider elements of the
applications submitted by the successful applicant organisations are
exempt under section 44 of the FOIA. This is an absolute exemption and not
subject to a public interest test. Section 44(1)(a) of the FOIA states:
 
“(1) Information is exempt information if its disclosure (otherwise than
under this Act) by the public authority holding it –
is prohibited by or under any enactment.”
 
In this case, the Data Protection Act 2018, Part 5, Section 132 prohibits
the disclosure of confidential information that:
 
“… (a) has been obtained by, or provided to, the Commissioner in the
course of, or for the purposes of, the discharging of the Commissioner’s
functions,
(b) relates to an identified or identifiable individual or business, and
(c) is not available to the public from other sources at the time of the
disclosure and has not previously been available to the public from other
sources,
 
unless the disclosure is made with lawful authority.”
 
We consider that this applies to the sections of the completed application
forms where we do not have lawful authority to disclose the information,
which was provided to us in confidence by the submitting organisation .
 
It is important to understand that in order to fulfil our regulatory
function, the ICO relies on the co-operation of organisations in
participating in projects such as the ICO sandbox. If we were to release
confidential information which we receive from organisations relating to
their applications to take part in schemes such as these, (and without
consent), this would be likely to deter them from engaging in initiatives
such as this which are designed to improve compliance with the
legislation. It would be likely to deter organisations from providing
information to us in future and would therefore undermine our regulatory
function.
 
Section 132(3) of the DPA imposes a criminal liability on the Commissioner
and her staff not to disclose information relating to an identifiable
individual or business for the purposes of carrying out our functions,
such as the regulatory sandbox, unless we have the lawful authority to do
so. In the instance of these redactions, we do not consider that any of
the gateways to lawful disclosure envisaged by section 132 have been met,
and as such the information is exempt pursuant to FOIA section 44.
 
I can advise that we are continuing to consider the remaining applications
and we hope to make a further disclosure of some of the information that
you requested in due course.
 
I will continue to keep you updated on your request and will contact you
again no late than the week beginning 11 February 2020. 

Yours sincerely
 
 
 

Alexis Karlsson-Jones
Senior Information Access Officer, Risk and Governance Department
Corporate Strategy and Planning Service
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF
T. 0330 313 1886 F. 01625 524510  [1]ico.org.uk  [2]twitter.com/iconews
For information about what we do with personal data see our [3]privacy
notice. Please consider the environment before printing this email

References

Visible links
1. http://ico.org.uk/
2. https://twitter.com/iconews
3. https://ico.org.uk/global/privacy-notice/

Swyddfa'r Comisiynydd Gwybodaeth

13 February 2020

 

Case Reference Number RCC0878241

 

Dear Mr Booth

I am writing further to my letter of 22 January 2020.
 
We are continuing to review the request and hope to provide a further and
final disclosure within the next two weeks.
 
Yours sincerely
 
 
 

Alexis Karlsson-Jones
Senior Information Access Officer, Risk and Governance Department
Corporate Strategy and Planning Service
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF
F. 01625 524510  [1]ico.org.uk  [2]twitter.com/iconews
For information about what we do with personal data see our [3]privacy
notice. Please consider the environment before printing this email

References

Visible links
1. http://ico.org.uk/
2. https://twitter.com/iconews
3. https://ico.org.uk/global/privacy-notice/

Swyddfa'r Comisiynydd Gwybodaeth

1 Atodiad

9 June 2020

 

Case Reference Number RCC0878241

Dear Mr Booth
 
Further to my email of 22 January 2020, I have been asked by my colleague,
Elizabeth Baxter to contact you to provide you with an update on your
request. I am sorry that you have experienced a further delay in this
receiving this disclosure.
 
Please find attached the disclosure of final five Sandbox applications.
You will note that there are a number of redactions and I can advise that
all redactions have been made in line with the exemption at s.44 of the
FOIA, which I will explain in further detail below:
 
Section 44 – prohibitions on disclosure
 
Following a reconsideration of your request, we consider elements of the
applications submitted by the successful applicant organisations are
exempt under section 44 of the FOIA. This is an absolute exemption and not
subject to a public interest test. Section 44(1)(a) of the FOIA states:
 
“(1) Information is exempt information if its disclosure (otherwise than
under this Act) by the public authority holding it –
is prohibited by or under any enactment.”
 
In this case, the Data Protection Act 2018, Part 5, Section 132 prohibits
the disclosure of confidential information that:
 
“… (a) has been obtained by, or provided to, the Commissioner in the
course of, or for the purposes of, the discharging of the Commissioner’s
functions,
(b) relates to an identified or identifiable individual or business, and
(c) is not available to the public from other sources at the time of the
disclosure and has not previously been available to the public from other
sources,
 
unless the disclosure is made with lawful authority.”
 
We consider that this applies to the sections of the completed application
forms where we do not have lawful authority to disclose the information,
which was provided to us in confidence by the submitting organisation .
 
It is important to understand that in order to fulfil our regulatory
function, the ICO relies on the co-operation of organisations in
participating in projects such as the ICO sandbox. If we were to release
confidential information which we receive from organisations relating to
their applications to take part in schemes such as these, (and without
consent), this would be likely to deter them from engaging in initiatives
such as this which are designed to improve compliance with the
legislation. It would be likely to deter organisations from providing
information to us in future and would therefore undermine our regulatory
function.
 
Section 132(3) of the DPA imposes a criminal liability on the Commissioner
and her staff not to disclose information relating to an identifiable
individual or business for the purposes of carrying out our functions,
such as the regulatory sandbox, unless we have the lawful authority to do
so. In the instance of these redactions, we do not consider that any of
the gateways to lawful disclosure envisaged by section 132 have been met,
and as such the information is exempt pursuant to FOIA section 44.
 
This concludes our disclosure in response to your request for information.
Once again I sincerely apologise for the delays in getting this to you.

Yours sincerely
 
 
 
 

Alexis Karlsson-Jones
Senior Information Access Officer, Risk and Governance Department
Corporate Strategy and Planning Service
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF
F. 01625 524510  [1]ico.org.uk  [2]twitter.com/iconews
For information about what we do with personal data see our [3]privacy
notice. Please consider the environment before printing this email

 
 

References

Visible links
1. http://ico.org.uk/
2. https://twitter.com/iconews
3. https://ico.org.uk/global/privacy-notice/

Gadawodd J Roberts anodiad ()

From page 25 of the annual report:

'What we did

We reviewed existing Sandboxes, talking to the Financial Conduct Authority who have operated a Sandbox for several years. We also took inspiration from work done looking at how regulation needs to evolve to handle innovation before consulting on our intended approach. We then developeda detailed discussion paper on how the service would operate before running workshops with potential end-users to test our approach.

We launched the Sandbox beta phase in March 2019 for a sample of organisations to try out the service. We then chose 10 organisations to work with us; developing an understanding of their product and service and putting in place a bespoke plan for their involvement in the Sandbox.

All plans are now underway, and we are working with the organisations in a range of activities including workshops, written advice, site visits, process mapping and detailed considerations of how our guidance needs to be applied in each of the organisation’s specific contexts.

What the outcomes were

Whilst still a work in progress we have already gained insight through workshops and offered advice on how our existing guidance should be used in their unique circumstances. The has pushed us to consider where additional guidance may help organisations with compliance.'

https://ico.org.uk/media/about-the-ico/d...

Gadawodd J Roberts anodiad ()

'First reports published from the Regulatory Sandbox

23 July 2020

The first reports from participants in our regulatory sandbox have been published, revealing the outcomes of collaborations between the ICO and two of the organisations who were among the participants in the pilot phase of the scheme.'

https://ico.org.uk/about-the-ico/news-an...