(1) Top 20 risks and issues in strategic risk register, (2) Assurance letters from directors

The request was partially successful.

Dear Charity Commission for England and Wales,

Under the Freedom of Information Act, I would like to request the following information:

(1) With reference to the ‘strategic risk register’ that is referenced multiple times in the annual reports and accounts 2022/23 (hyperlink available here: https://assets.publishing.service.gov.uk... ), I can see what seem to be some themes but I’d like to request the ‘top 20’ risks and issues as they are recorded in your strategic risk register alongside: (a) assessments of initial probability/likelihood and impact (including any keys, scales and accompanying information for explaining what these assessments mean in practice), (b) date(s) of initial identification, where available/known/recorded, (c) initial compound/overall ratings and residual/current compound/overall ratings, (d) list of mitigations, controls, (e) recorded senior responsible officials/owners (insofar as this is disclosable) etc. in place for each of those risks and issues as they are recorded in the strategic risk register

(2) With reference to the ‘Accounting officer’s statement of effectiveness’ in the annual reports and accounts 2022/23 which states “I have reviewed the effectiveness of the Commission’s governance structures, risk management and internal controls. Taking into account: […] assurance letters from each of my directors summarising the effectiveness of their systems of governance, risk management and control; […]” - please can you share copies, insofar as they are disclosable, of the aforementioned ‘assurance letters from each of [the Accounting Officer’s] directors’.

Please do not hesitate to reach out to me if any aspect of my request requires clarification.

Yours faithfully,

Vishal Wilde

Dear Charity Commission for England and Wales,

Please can you acknowledge receipt of my FOI.

Yours faithfully,

Vishal Wilde

Dear Charity Commission for England and Wales,

Following up again to see if you can acknowledge receipt of my FOI.

Yours faithfully,

Vishal Wilde

FOI Requests, Charity Commission for England and Wales

 
Dear Mr Wilde
 
I acknowledge receipt of your FOI request and aim to respond as soon as
possible.
 
Yours sincerely
 
Mrs L Whitehurst
 
 

W: [1]https://www.gov.uk/charity-commission

[2]TwitterFollow us on Twitter | @ChtyCommission
[3]Bar
[4]Logo

[5]https://www.gov.uk/government/organisati...

show quoted sections

Dear Charity Commission,

I’m just following up on this to check the status as I believe 10 working days have elapsed.

Yours sincerely,

Vishal Wilde

Dear Charity Commission,

I'm following up on this again as it has been many working days since I made my initial request and, indeed, since you acknowledged receipt of it.

Yours sincerely,

Vishal Wilde

Vishal Wilde left an annotation ()

Complaint made to ICO as of today (14/10/2023).

FOI Requests, Charity Commission for England and Wales

Dear Mr Wilde
 
I am writing to apologise for the delay in sending the response to your
FOI request.  
 
Please be assured that I am aiming to respond to you as soon as possible.
 
Yours sincerely
 
 
Mrs L Whitehurst
Data Protection and Information Rights team
 
 

W: [1]https://www.gov.uk/charity-commission

[2]TwitterFollow us on Twitter | @ChtyCommission
[3]Bar
[4]Logo

[5]https://www.gov.uk/government/organisati...

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________

References

Visible links
1. https://www.gov.uk/government/organisati...
5. https://www.gov.uk/government/organisati...

FOI Requests, Charity Commission for England and Wales

1 Attachment

Dear Mr Wilde

Thank you for your email.  Please find your Freedom of
Information response attached.

Please do not reply to this email.

PLEASE NOTE THAT USING THE REPLY FUNCTION MEANS THAT IT IS HIGHLY LIKELY
THAT YOUR EMAIL MAY NOT BE RESPONDED TO AS THE CASE WILL HAVE BEEN CLOSED.
 WE DO NOT MONITOR CLOSED CASES FOR ANY FURTHER COMMUNICATIONS.

Please email [1][email address] to submit another FOI
or [2][email address]  if you wish to contact the DPIR team
or request a review of your FOI response.
If you wish to contact the Commission about anything else please use the
contact details on the following link:
[3]https://www.gov.uk/government/organisati...

Yours sincerely

Mrs L Whitehurst
Data Protection and Information Rights team
 
 
 

W: [4]https://www.gov.uk/charity-commission

[5]TwitterFollow us on Twitter | @ChtyCommission
[6]Bar
[7]Logo

[8]https://www.gov.uk/government/organisati...

show quoted sections

Dear Charity Commission for England and Wales,

Please pass this on to the person who conducts Freedom of Information reviews.

I am writing to request an internal review of Charity Commission for England and Wales's handling of my FOI request '(1) Top 20 risks and issues in strategic risk register, (2) Assurance letters from directors'.

Putting aside the fact that you don’t want to share those 7 strategic risks I’d requested (presumably because you’ve said you plan to publish them in the summer of 2024), I can see you’ve made no effort to response to part 2 of my request with respect to the assurance letters.

A full history of my FOI request and all correspondence is available on the Internet at this address: https://www.whatdotheyknow.com/request/1...

Yours faithfully,

Vishal Wilde

Dear Charity Commission,

Can you acknowledge receipt of my internal review request?

Yours sincerely,

Vishal Wilde

DPIR, Charity Commission for England and Wales

Dear Mr Wilde,
 
We acknowledge receipt of your request for an internal review.
 
Yours sincerely,
 
Data Protection and Information Rights team
 
 

W: [1]https://www.gov.uk/charity-commission

[2]TwitterFollow us on Twitter | @ChtyCommission
[3]Bar
[4]Logo

[5]https://www.gov.uk/government/organisati...

show quoted sections

Dear Charity Commission,

As nearly 20 working days have elapsed, I’m following up to ask about the expected timeline for your response.

Yours sincerely,

Vishal Wilde

DPIR, Charity Commission for England and Wales

1 Attachment

Dear Mr Wilde,
 
Please find attached the internal review of our FOI response.
 
Please accept our apologies for the delay in responding.
 
Yours sincerely,
 
Data Protection and Information Rights team

W: [1]https://www.gov.uk/charity-commission

[2]TwitterFollow us on Twitter | @ChtyCommission
[3]Bar
[4]Logo

[5]https://www.gov.uk/government/organisati...

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________

References

Visible links
1. https://www.gov.uk/government/organisati...
5. https://www.gov.uk/government/organisati...

Dear Charity Commission,

Thank you for your email. In which case, I'd like to made additional request(s) under the Freedom of Information Act:

(1) With reference to the ‘strategic risk register’ that is referenced multiple times in the annual reports and accounts 2022/23 (hyperlink available
here: https://assets.publishing.service.gov.uk... ment_data/file/1168460/Charity_Commission_Annual_Report_and_Accounts.pdf ), I can see what seem to be some themes but I’d like to request the ‘top 20’ risks and issues as they are recorded in your strategic risk register alongside 'current assessment' and any accompanying information readily held/recorded and retrievable alongside this. I hope this will reduce

(2) A repeat request but which should be feasible now that I've revised request (1) and which I hope is readily retrievable, given that you've given no indication of time required for retrieving information from (2) in your response to my request for internal review. If you choose to combine these again, hopefully it will take less time: With reference to the ‘Accounting officer’s statement of effectiveness’ in the annual reports and accounts 2022/23 which states “I have reviewed the effectiveness of the Commission’s governance structures, risk management and internal controls. Taking into account: [...] assurance letters from each of my directors summarising the effectiveness of their systems of governance, risk management and control; [...]” - please can you share copies, insofar as they are disclosable, of the aforementioned ‘assurance letters from each of [the Accounting Officer’s] directors’.

In the interim, I will also be complaining to the Information Commissioner's Office about this.

Yours sincerely,

Vishal Wilde

Vishal Wilde left an annotation ()

Complaint made to ICO as of today (10/12/2023).

Dear Charity Commission,

Please can you acknowledge receipt of my follow-up requests?

Yours sincerely,

Vishal Wilde

DPIR, Charity Commission for England and Wales

Dear Mr Wilde,
 
Thank you for your email.
 
We acknowledge receipt of your email of 10 December 2023 which is
currently being considered.
 
Yours sincerely,
 
Data Protection and Information Rights tem
 

W: [1]https://www.gov.uk/charity-commission

[2]TwitterFollow us on Twitter | @ChtyCommission
[3]Bar
[4]Logo

[5]https://www.gov.uk/government/organisati...

show quoted sections

Dear Charity Commission,

Thanks - I see over 20 working days have elapsed since my follow-up requests. Please can you confirm how long it may take to respond?

Yours sincerely,

Vishal Wilde

Vishal Wilde left an annotation ()

Complaint made to ICO about follow-up request for info made on 10th December 2023

DPIR, Charity Commission for England and Wales

Dear Mr Wilde,
 
Thank you for your email.
 
We apologise for the delay in responding to your request.  It is receiving
attention and we hope to contact you with a response or further update by
25 January 2024.
 
Yours sincerely,
 
 
Data Protection and Information Rights team
 
 

W: [1]https://www.gov.uk/charity-commission

[2]TwitterFollow us on Twitter | @ChtyCommission
[3]Bar
[4]Logo

[5]https://www.gov.uk/government/organisati...

show quoted sections

Dear Charity Commission,

Please can you provide an update on my follow-up request?

Yours sincerely,

Vishal Wilde

DPIR, Charity Commission for England and Wales

Dear Mr Wilde,
Thank you for your email.
We can confirm that we are currently giving detailed consideration to your
request and working hard to respond by 14 February 2024.
Yours sincerely,

Data Protection and Information Rights team
 
 

W: [1]https://www.gov.uk/charity-commission

[2]TwitterFollow us on Twitter | @ChtyCommission
[3]Bar
[4]Logo

[5]https://www.gov.uk/government/organisati...

show quoted sections

DPIR, Charity Commission for England and Wales

3 Attachments

Dear Mr Wilde,
 
Please find attached our response to your request for information.
 
Yours sincerely,
 
Data Protection and Information Rights team

W: [1]https://www.gov.uk/charity-commission

[2]TwitterFollow us on Twitter | @ChtyCommission
[3]Bar
[4]Logo

[5]https://www.gov.uk/government/organisati...

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________

References

Visible links
1. https://www.gov.uk/government/organisati...
5. https://www.gov.uk/government/organisati...

DPIR, Charity Commission for England and Wales

Dear Mr Wilde,
 
We have today sent you a response to your request for information, with
attachments.
 
We would be grateful if you could acknowledge receipt of the response and
attachments.  
 
Yours sincerely,
 
Data Protection and Information Rights team

W: [1]https://www.gov.uk/charity-commission

[2]TwitterFollow us on Twitter | @ChtyCommission
[3]Bar
[4]Logo

[5]https://www.gov.uk/government/organisati...

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________

References

Visible links
1. https://www.gov.uk/government/organisati...
5. https://www.gov.uk/government/organisati...

Dear Charity Commission,

Thanks, yes I’ve received them but I’m still perusing them.

Yours sincerely,

Vishal Wilde

Vishal Wilde left an annotation ()

Decision Notice issued by ICO (dated 21 June 2024, Reference: IC-275813-M4C2):

Decision (including any steps ordered)

1. The complainant has requested information relating to the risks and issues recorded in the ‘strategic risk register’ as referenced in the
Charity Commission of England and Wales’s annual reports and accounts 2022/23. The Charity Commission of England and Wales (“CCEW”) relied on section 12 of FOIA (cost of compliance) to refuse the request.

2. The Commissioner’s decision is that the CCEW was entitled to aggregate the requests under section 12(4) of FOIA and is entitled to rely on section 12(1) of FOIA to refuse the requests.

3. The Commissioner also considers that CCEW has complied with its
obligations under section 16(1) of FOIA to provide adequate advice and assistance. However, CCEW has breached section 10(1) FOIA as it failed to respond within the statutory time for compliance.

4. The Commissioner does not require any further steps to be taken.

Request and response

5. On 20 August 2023, the complainant wrote to the public authority and requested information in the following terms:
“(1) With reference to the ‘strategic risk register’ that is referenced
multiple times in the annual reports and accounts 2022/23
(hyperlink available
here: https://assets.publishing.service.gov.uk... ), I can see what
seem to be some themes but I’d like to request the ‘top 20’ risks and issues as they are recorded in your strategic risk register alongside: (a) assessments of initial probability/likelihood and impact (including any keys, scales and accompanying information
for explaining what these assessments mean in practice), (b) date(s) of initial identification, where available/known/recorded, (c) initial compound/overall ratings and residual/current compound/overall ratings, (d) list of mitigations, controls, (e) recorded senior responsible officials/owners (insofar as this is disclosable) etc. in place for each of those risks and issues as they are recorded in the strategic risk register

(2) With reference to the ‘Accounting officer’s statement of
effectiveness’ in the annual reports and accounts 2022/23 which
states “I have reviewed the effectiveness of the Commission’s
governance structures, risk management and internal controls.
Taking into account: [...] assurance letters from each of my
directors summarising the effectiveness of their systems of
governance, risk management and control; [...]” - please can you
share copies, insofar as they are disclosable, of the aforementioned
‘assurance letters from each of [the Accounting Officer’s]
directors’.”

6. On 3 November 2023, CCEW responded. It relied on section 12 of FOIA to refuse the request and stated that it did not hold some of the
information in relation to parts 1(a) and 1(b) of the requests as follows: “Providing information requested in item 1a and 1b of your request would require more than 24 staff hours. This is because the
Commission does not hold a single record that outlines the initial
assessment and initial date of identification of the strategic risks.
While the strategic risk register contains current assessment, initial
assessments and date of identification are not included. Therefore, reviewing several documents dating back to 2019 is needed.”

7. On 3 November 2023, the complainant requested an internal review of his request as follows: “Putting aside the fact that you don’t want to share those 7 strategic risks I’d requested (presumably because you’ve said you plan to publish them in the summer of 2024), I can see you’ve made no effort to response to part 2 of my request with respect to the assurance letters.”

8. On 7 December 2023, CCEW upheld is position at internal review. It
explained that it had aggregated the time required to locate, retrieve
and examine information for parts 1 and 2 of the request stating: “We treated your initial email as containing two separate requests –
that is, items numbered 1 and 2 – under section 12(4) of the FOIA.
I am sorry that we failed to explain that we had combined them,
and that section 12 applied to both 1 and 2. When combined
together, it would take us over the costs limit to confirm whether
we held the information. The estimated cost of complying with any
of the requests is taken to be the estimated total cost of complying
with all of them.”

9. Additionally, CCEW stated that any refined request would be treated as a new and separate request under FOIA.

Scope of the case

10. The complainant contacted the Commissioner on 11 December 2023 to complain about the way their request for information had been handled stating: “I disagree with their combining the two separate requests and subsequently not even providing an estimate of time required for (2). It seems unnecessarily evasive.”.

11. The Commissioner has noted that the complainant revised their request for information and sent a new request under FOIA to CCEW on 10 December 2023. CCEW have since disclosed some information for both request 1 and 2 in this regard.

12. The Commissioner therefore considers the scope of this case to be to determine if the public authority correctly cited section 12(1) FOIA in response to the original request of 20 August 2023. He has also considered whether CCEW complied with its duty to provide advice and assistance under section 16 of FOIA.

Reasons for decision

Section 12(4) – Aggregation of related requests

13. When a public authority is estimating whether the appropriate limit is likely to be exceeded, it can include the costs of complying with two or more requests if the conditions laid out in regulation 5 of the Freedom of Information and Data Protection (Appropriate Limit and Fees) Regulations 2004 (“the Fees Regulations”) can be satisfied.

14. Section 12(4) of FOIA states:
“The Secretary of State may by regulations provide that, in such
circumstances as may be prescribed, where two or more requests for
information are made to a public authority –
(a) by one person, or
(b) by different persons who appear to the public authority to be
acting in concert or in pursuance of a campaign, the estimated
cost of complying with any of the requests is to be taken to be
the estimated total cost of complying with all of them.”

15. Regulation 5 of the Fees Regulations states:
“(1) In circumstances in which this regulation applies, where two or
more requests for information to which section 1(1) of the 2000 Act
would, apart from the appropriate limit, to any extent apply, are made to a public authority –
(a) by one person, or
(b) by different persons who appear to the public authority to be
acting in concern or in pursuance of a campaign, the estimated cost of complying with any of the requests is to be taken to be the total costs which may be taken into account by the authority, under regulation 4, of complying with all of them.
(2) This regulation applies in circumstances in which –
(a) the two or more requests referred to in paragraph (1) relate,
to any extent, to the same or similar information, and
(b) those requests are received by the public authority within any
period of sixty consecutive working days.
(3) In this regulation, “working day” means any day other than a
Saturday, a Sunday, Christmas Day, Good Friday or a day which is a
bank holiday under the Banking and Financial Dealings Act 1971 in any part of the United Kingdom.”

16. The Commissioner has reviewed the complainant’s requests aggregated by CCEW, which were submitted on 20 August 2023 on one item of correspondence and is satisfied, that as the requests were made by the same complainant and within 60 working days of each other, they fulfil the criteria at regulations 5(1)(a) and 5(2)(b).

17. The Commissioner must now consider whether both requests relate, to any extent, to the same or similar information. The Commissioner’s view on aggregating requests can be found in the guidance on requests where the cost of compliance exceeds the appropriate limit. Paragraphs 44 and 45 state: “Regulation 5(2) of the Fees Regulations requires that the requests which are aggregated relate “to any extent” to the same or similar information. This is quite a wide test, but public authorities should still ensure that the requests meet this requirement. A public authority needs to consider each case on its own facts, but requests are likely to relate to the same or similar information where, for example, the requestor has expressly linked the requests, or where there is an overarching theme or common thread running between the requests in terms of the nature of the information that has been requested.”

18. The Fees Regulations’ wording of “relate, to any extent, to the same or similar information” makes clear that the requested information does not need to be closely linked to be aggregated, only that the requests can be linked.

19. Having reviewed the wording of both requests made within a 60-day period, the Commissioner is satisfied that there is an overarching theme in that although in addition to being submitted on one single letter or item of correspondence, they both request information contained in the annual reports and accounts 2022/23 and strategic risk register.

20. The Commissioner, therefore, finds that CCEW was entitled to rely on section 12(4) of FOIA to aggregate both requests.

Section 12 – cost of compliance

21. The following analysis covers whether complying with the request would have exceeded the appropriate limit.

22. Section 12(1) of the FOIA states that a public authority is not obliged to comply with a request for information if the authority estimates that the cost of complying with the request would exceed the “appropriate limit” as set out in the Freedom of Information and Data Protection (Appropriate Limit and Fees) Regulations 2004 (“the Fees Regulations”)

23. The appropriate limit is set in the Freedom of Information and Data Protection (Appropriate Limit and Fees) Regulations 2004 at £600 for central government, legislative bodies and the armed forces and at £450 for all other public authorities. The appropriate limit for the public authority is £450.

24. The Fees Regulations also specify that the cost of complying with a request must be calculated at the rate of £25 per hour, meaning that section 12(1) effectively imposes a time limit of 18 hours for the public authority.

25. Regulation 4(3) of the Fees Regulations states that a public authority can only take into account the cost it reasonably expects to incur in carrying out the following permitted activities in complying with the request:
• determining whether the information is held;
• locating the information, or a document containing it;
• retrieving the information, or a document containing it; and
• extracting the information from a document containing it.

26. A public authority does not have to make a precise calculation of the costs of complying with a request; instead only an estimate is required. However, it must be a reasonable estimate. The Commissioner considers that any estimate must be sensible, realistic and supported by cogent evidence. The task for the Commissioner in a section 12 matter is to determine whether CCEW made a reasonable estimate of the cost of complying with the request.

27. Section 12 is not subject to a public interest test; if complying with the request would exceed the cost limit then there is no requirement under FOIA to consider whether there is a public interest in the disclosure of the information.

28. Where a public authority claims that section 12 of FOIA is engaged it should, where reasonable, provide advice and assistance to help the requester refine the request so that it can be dealt with under the appropriate limit, in line with section 16 of FOIA.

The public authority’s position

29. The Commissioner asked the CCEW to provide a detailed estimate of the time/cost taken to provide the information falling within the scope of this request.

30. CCEW explained to the Commissioner that all information about
strategic risks and the Strategic Risk Register (SRR) is held
electronically on the Commission’s Electronic Document Records
Management System (EDRMS). This is a live document that is regularly updated to monitor risks that could affect the Commission’s functions, internal controls, and administration.

31. CCEW in its internal review responses to the complainant stated:

32. “As we explained in our initial response, the Commission does not hold a single record that outlines the initial assessment and initial date of identification of the strategic risks. While the strategic risk register contains current assessment, initial assessments and date of identification are not included. Therefore, reviewing documents dating back to 2019 is needed, including Board and other committee papers. We think this would take more than 24 hours work because we estimate that there are over 600 Board papers alone to consider. Allowing for 5 minutes per document, this would mean it would take us about 50 hours to confirm whether we hold the information.”

33. In its submission to the Commissioner CCEW confirmed that it had searched its EDRMS to locate relevant documents, including records of meetings where strategic risk is mentioned using key words and restricting searches to Corporate Office and Governance folders (Corporate Office and Governance/Board/Board Committees/Board Committee Risk/2019/2020/2021/2022)

34. For the above reasons, to provide the information requested in item 1a and 1b would require 87 hours of staff time or 3.61 days if working continuously without breaks.

35. However, CCEW conducted a dip sampling exercise which revealed additional documents for review and varying review times for different documents due to their page lengths revising its calculations to those provided to the complainant on both 03 November 2023 and 07 December 2023.

36. CCEW determined that it that would now take an average of 4 minutes per paper to review 1300 records which equates to 87 hours staff time. (1300 x 4 minutes per record or a total of 5,200 minutes divided by 60 minutes = 87 hours). CCEW provided a breakdown of its calculations and sampling exercise as follows:
“In 2019, a total of 70 Board papers were identified as potentially
falling within the scope of the request 1a and 1b. We opted to
randomly review the Board meeting papers in March and April 2019
to assess the time needed to review.

In Board Meeting March 2019 – there were 12 papers for this meeting, which averaged 4 minutes per paper. The time varied due to the differing length of the individual papers with 8 minutes taken to read through an 18-page document to 1 minute for an agenda.

In April 2019’s Board meeting, we found 16 papers. Through a
sampling exercise, we calculated that it required an average of
more than 3 minutes per paper to review.

In 2022, a total of 52 Board papers were identified as potentially
falling within the scope of the request 1a and 1b.

We opted to randomly review the Board meeting papers in March
and June 2022 to assess the time needed to review these papers.

In March 2022’s Board meeting, we found 10 papers.

In June 2022’s Board meeting, we identified 17 papers.

37. CCEW also stated: “Alternatively, if the Commission opted for the lowest estimated review time of 2 minutes per document, providing the information requested in request 1a and 1b would still exceed the cost limit as it would take 43.3 hours for the Commission to provide the requested information.”

The Commissioner’s view

38. The Commissioner is satisfied that complying with this request would exceed the appropriate limit.

39. The Commissioner notes that, even if CCEW’s alternative estimate was slightly high, for it to comply with the request without exceeding the cost limit, it would need to review the revised estimate of 1300 documents following its dip sampling exercise in under a minute, which the Commissioner does not consider feasible.

40. The Commissioner considers that CCEW estimated reasonably that it would take significantly more than the 18 hours / £450 limit to respond to the request. CCEW was therefore correct to apply section 12(1) of FOIA to the complainant’s request.

Procedural matters

Section 16 – advice and assistance

41. Section 16(1) of FOIA provides that a public authority should give advice and assistance to any person making an information request. Section 16(2) clarifies that, providing an authority conforms to the recommendations as to good practice contained within the section 45 code of practice in providing advice and assistance, it will have complied with section 16(1).

42. Where a public authority claims that section 12 of FOIA is engaged it should, where reasonable, provide advice and assistance to help the requestor refine the request so that it can be dealt with under the appropriate limit in line with section 16 of FOIA.

43. On 3 November 2023, CCEW advised the complainant that they
currently only have 7 strategic risks in the annual reports and accounts for the period 2023 to 2024 which they intend to publish during the summer of 2024. It offered the following advice and assistance to the complainant to refine the request as follows.
“Item 1a of the request, as advised above, we do not hold a single
document that records the initial and current assessment of
probability/likelihood of impact. You may therefore wish to consider
asking for the current assessment instead, removing any reference
to the initial assessment. For Item 1b of the request, for the same reasons mentioned above, it may be advisable to remove references to the initial date of identification of strategic risks. Regarding item 1c of the request, please clarify what you mean by "initial compound/overall ratings and residual/current compound/overall ratings”.

44. The complainant subsequently revised his request and CCEW provided copies of information for items 1, 1d, 1e and 2 on 14 February 2024.

45. The Commissioner is therefore satisfied that CCEW met its obligations under section 16 of FOIA.

Section 10 - time for compliance

46. Section 10(1) provides that: “Subject to subsections (2) and (3), a public authority must comply with section 1(1) promptly and in any event not later than the twentieth working day following the date of receipt.”

47. Section 1(1) provides that: “Any person making a request for information to a public authority is entitled – (a) to be informed in writing by the public authority whether it holds information of the description specified in the request, and (b) if that is the case, to have that information communicated to him.

48. The original request was made on 20 August 2023 and a response was not provided by CCEW until 3 November 2023. The Commissioner therefore finds that the CCEW breached section 10(1) in failing to provide a response within 20 working days.