One possible problem here is that the request is subjective. Asking the ICO to release an entire database without "any fields that might contain any personal data" is asking them to apply a judgement, and an FOI request based on subjective criteria isn't valid. It's for you as the applicant to describe the information you're requesting, and if you can't do that without asking the people dealing with your request to make a judgement, this is a time-wasting exercise that deserves a vexatious refusal.

Since the ICO has previously refused to reveal what fields are present in the database (https://www.whatdotheyknow.com/request/c...) and a request for the whole database minus fields that would need excessive redactions ( https://www.whatdotheyknow.com/request/c... ), it seems the requester has little choice but to ask the ICO to make the subjective judgement. The only other thing I could think of is asking for just fields of numerical/date/enumerate type. Though that could potentially miss some fields that could be disclosed.

As the requester has spelt out in the IR request, I don't think it would be difficult for someone who knows about the database to quickly judge whether a field *could* contain personal information. Once that's been done, it's unlikely other exemptions would apply to the remaining fields. Extraction of the data would be less than a couple of hour's work in writing an SQL or similar statement. So I think the basis for the refusal here is entirely unreasonable.

It doesn't really matter what you think is "reasonable", what matters is whether the request is valid under the law. You've acknowledged that it requires a subjective judgment to be taken forward, which means that it isn't valid, no matter how long or short a time it would take for the judgement to be made. You've actually identified two problems here - the fact that a judgement has to be made, and secondly, that it's "unlikely" that other exemptions would apply to the remaining fields, but in fact, you don't know. It's reasonable for the ICO to want to examine that data to find out whether that assumption is true, and because the request is for such an enormous quantity of data, quite likely that this would represent an oppressive burden.

The applicant doesn't have "little choice" but to ask the ICO to do something that the law doesn't require them to do. They could stop flogging this dead horse and admit that they don't know how to frame this request in such a way as it can be answered.

I don't think it's particularly well defined exactly how a request can come to be declared as oppressive.

It's obvious why the case law says that s14 can be used to reject requests where the only way to satisfy them would be to spend days on redaction, because the alternative would be unthinkable.

But how should it really operate? It's not formulated in statute. Does a requester always have to first start from a request that would be otherwise valid (well defined, does not engage s12) and then constrain it in a purely objective way? Or is there room for an element of flexibility and back-and-forth, particularly given the existence of s16?

I also don't think my original request was actually all that subjective, but we'll see what the Tribunal thinks if the case does go as far as a hearing.

Your request is ill-defined and irresponsible. You're asking for information that includes complaints from some of the most vulnerable people that the ICO deals with - care leavers, people fleeing from domestic violence, those being financially exploited - and expect the ICO to work out how to protect all of those people from the risk of exposure that your request threatens, all because you're incapable of formulating a valid request, or just leaving it alone.

I suppose that nothing can stop you from pursuing this self-indulgent and dangerous campaign, but you should be refused at every stage.

Err, yes, I do expect the ICO to be able to figure out what contains personal data. But if your argument is actually correct I'm sure the ICO will be able to explain that for themselves.

The task you're talking about here is gigantic. Removing names or fields containing names wouldn't be enough. They would have to remove any individual field or class of field that might contain data that could lead to identification of the complainant or other third parties that might be involved in a particular case. Your request doesn't take account of the risk of exposing vulnerable people, you're just asking for a dump of thousands of peoples' complaints, sanitised in an unspecific and subjective way that you expect the ICO to work out.

The ICO has to take a precautionary principle to ensure that disclosure doesn't put anyone at risk; your inability to accept the scale of the task shows a lack of concern for the privacy and confidentiality of the people whose complaints you seek to expose.

It's a bit hard to tell if you're actually trying to be constructive or just your usual grandstanding.

But on the assumption it's the former, that was the whole point in my first attempt of asking them to remove the whole of any field that would require extensive redaction. (If I was making the request in that form again, I might say "entry by entry review"). Equally, from the point of view of this request, even fields that might result in mosaic identification would also be ones that contain personal data.

As the other poster in this thread said, maybe I should just ask for certain kinds of fields. It's hard to know what there is exactly. In the end, the ICO should spell out the actual problem with my "caveated" requests, not just ignore them.

I'm certainly not trying to be "constructive" in the sense of helping you to make this request because I think it's inherently vexatious and should never succeed. But I am not grandstanding. I think you are refusing to acknowledge the risk of what you're trying to do here - putting thousands of complainants at risk and I am trying to make you understand that.

FOI is about holding public authorities to account; it is not about exposing the details of peoples' complaints to public scrutiny. The ICO has to adopt a very cautious approach in order to avoid the risk that your request creates. The fact that you can't see that (or don't care) is worrying, but I suspect that because you won't accept the problem with what you're doing, you'll keep making requests that are legally easy to refuse.

I would have expected that someone who was genuinely trying to make a helpful point would approach the discussion in a rather less confrontational way, but ok. If you have a (hypothetical) example in mind of a kind of case where someone would be put at risk, I'd be happy to hear it.

I think the ICO internal review answers your question quite well overall, but I don't need a hypothetical example. I know victims of domestic violence who have made complaints to the Commissioner's Office. I know people who have been financially exploited. I know multiple vulnerable people whose private information is part of what you are requesting. You are putting them at risk of exposure because you are asking for information about their complaints with vague caveats that you expect other people to make sense of. If I'm being confrontational, it's because you are casually delving into the private, painful circumstances of other people's lives. You should be, frankly, ashamed of yourself and mind your own business.

The ICO's reply is indeed very useful, whereas I have learnt precisely nothing from any of yours other than that you still like randomly abusing people on the Internet :-)