Guidance for ICO and OSIC officers
- I am an officer at the Information Commissioner’s Office or the Office of the Scottish Information Commissioner. What is this site?
Welcome! WhatDoTheyKnow is an online service that helps members of the public make requests for information, and easily track and share the responses from public bodies.
Since our beginnings, hundreds of thousands of requests have been sent, processed, and published on WhatDoTheyKnow. You can read more about the site here.
You may have come across us because one of our users has escalated their request to you, needing your services for resolution. We also sometimes have cause to report data breaches from authorities, released in error in response to requests sent by our users; and, finally, like all organisations, we are bound by the rules of GDPR and may be the subject of queries sent to you about our processing of personal data.
- I’m handling a complaint from a WhatDoTheyKnow user about an authority’s treatment of an FOI request. Do I need to do anything special?
Every request for information sent through WhatDoTheyKnow has its own webpage, on which all correspondence between the requester and the authority from which they are asking for information is published. If a user decides to make a complaint to the ICO or OSIC, they may send you the URL of their request page so that you can see the history of correspondence between them and the authority.
You can handle this complaint as you would any other — but be aware that the user might copy and paste, or summarise, your responses onto their request’s webpage, to ensure that the complete history can be seen.
- I’m handling a complaint about information published on WhatDoTheyKnow
We sometimes receive requests to remove part or all of a request or response. These are considered in accordance with our takedown policy. In most cases, an individual or authority who has referred our handling of data to the ICO or OSIC will have first made a complaint directly to us, and we will have considered it in line with these policies, balancing the impact on individuals’ rights, freedoms and interests against our legitimate interest in running the WhatDoTheyKnow service.
We are always happy to discuss such cases with you: please do get in touch.
- I’m handling a data protection breach that WhatDoTheyKnow reported to us
With hundreds of requests processed by WhatDoTheyKnow every day, we don’t check the contents of every single one — but under our policy of reactive moderation, when we notice that an authority has accidentally released sensitive information or someone reports a serious data breach to us, we take it offline as soon as possible and report it to the ICO or OSIC where applicable.
In such cases, we are happy to help you understand what has happened and to provide any further details you require to help you handle the report. Note that we are neither the subject of the data breach nor the authority that released the sensitive data in such cases.
We try to help public bodies improve their processes so that accidental releases like this don’t happen, and, abiding by the ICO’s own guidance on when to do so, we report cases to you if applicable.
- I need you to transfer a large amount of personal data securely, for my investigations into a data breach
Where appropriate, we can provide data to aid with your investigations. Before we do so, we require details of how it will be used and why it is needed, which will be considered according to our policies.
We have procedures to ensure that such data is transferred securely. Please get in touch with us to discuss details.
- I am trying to understand whether an authority is meeting its duties under the law
Because requests and responses are published openly on the site, WhatDoTheyKnow can be a useful tool for assessing how authorities are dealing with requests over time. Please do get in touch if you would like to discuss this further.
- Some facts it’s useful for you to know
- The process of publishing FOI responses on WhatDoTheyKnow is automatic. There is no human involvement, but we do promptly consider any concerns to which our attention is drawn.
- Requests are made by our users, not by the WhatDoTheyKnow.com admin team.
- If a request isn’t visible (say, you’ve clicked a link but it goes to a ‘page not found’), it may have been removed. This can be due to one of a number of reasons, including the removal of requests that are vexatious, contain personal information or are not FOI requests. Some requests, sent through our Pro service, may be hidden from the public until an embargo has expired.
- WhatDoTheyKnow can act as a useful verification tool for the ICO or OSIC. If you need to verify that a request was sent, and the precise time and date that it was submitted, look for the green tick on the request page. This only appears when the request has been received by the authority’s servers. On request we can provide the delivery status notification logs.
- Equally, responses from the public authority are published immediately, together with the date of receipt, providing you with a public record of exactly what was sent and when.
- Once a request or a response has been published, it cannot be removed by a user or by the public authority: this is a task that can only be performed by the WhatDoTheyKnow admin team, who will apply our Removal Of Information policy to the decision of whether or not to retain it.
- Sometimes authorities become aware of a data breach and raise concerns by responding to the user’s initial request. While this will alert the user, it does not automatically alert the WhatDoTheyKnow admin team.
- Finally, we welcome comments and thoughts from officers: please do get in touch.