24 September 2020
Case Reference IC-57122-J5C8
Dear George White
Thank you for contacting the Information Commissioner’s Office
(ICO). We received your information request on 28 August 2020.
Your request
Following a description of our casework management systems, you
asked us for:
“the terms of reference and the schematic”
We have considered your request under the Freedom of Information
Act 2000 (FOIA).
Our response
It is not entirely clear what you mean by “terms of reference”
beyond the description of our legacy and current casework
management systems given in our response to your request under
IC-45066-W6B5. The system is intended to effectively manage our
casework (enquiries, complaints under various pieces of legislation,
breach reports, and information requests as well as related reviews).
No new cases are being set up on the legacy system and it will be
phased out for anything other than access to records when the last
of the active cases has been closed.
If you mean something specific by the phrase ‘terms of reference’
then please clarify this and I will be happy to provide a response.
I can confirm that we hold a relevant system database schematic,
however have to explain that the schematic is information which is
exempt from disclosure under the FOIA, as a result of the provision
laid out at section 36 of the Act.
This provision exempts information when its disclosure, in the
reasonable opinion of a qualified person, would likely prejudice the
effective conduct of public affairs.
I have expanded on this provision and why it applies to this request
below, along with details of how to seek an internal review of this
decision should one be desired.
FOIA section 36
Section 36(2)(c) provides that –
“Information to which this section applies is exempt information if,
in the reasonable opinion of a qualified person, disclosure of the
information under this Act-
(c) would otherwise prejudice, or would be likely otherwise to
prejudice, the effective conduct of public affairs.”
We consider that disclosure of the schema could cause serious
security implications in relation to the information we hold.
Disclosure would likely reveal the security details of our database
and factors such as the level of encryption, and in doing so expose
our information to a greater security risk.
The schematic itself runs to several hundreds of pages. As the
schematic only makes sense as an intact set of code, disclosing it
with redactions to information which we know would likely result in
prejudice would render the information useless. We are also
concerned that disclosing parts of the schematic which did not
appear ostensibly prejudicial could still be exploited nonetheless.
As a result we are withholding the entirety of the schematic:
releasing it would likely make our information more vulnerable to a
security risk and in so doing prejudice our ability to fulfil our role.
The exemption at section 36(2)(c) is not absolute and disclosure
can be made if, in all the circumstances of the case, the public
interest in maintaining the exemption does not outweigh the public
interest in disclosing the information.
To this end I have considered the following factors regarding the
public interest in disclosure against maintaining the exemption.
The public interest factor in favour of disclosure is that:
• There is a public interest in the ICO leading by example in
being a transparent regulator, and in this case disclosure of
the schematic would provide information into the public
domain regarding the systems we use to carry out our work in
the public interest.
With the public interest factors in favour of maintaining the
exemption being:
• The public interest in the ICO, as the UK regulator of data
protection legislation, being able to maintain the
confidentiality, integrity and appropriate access of the
information within our casework databases which would be
vulnerable in the event the schema was disclosed into the
public domain;
• That we already proactively publish regarding the casework
we handle through our website without needing to publish the
schematic of our casework systems that underpins this work;
• That it is not possible to disclose parts of the schematic in a
way that would improve public understanding of how our
systems work while preventing an increased security risk.
Our conclusion is that the weight in maintaining the exemption
outweighs that of disclosure as it would be likely to prejudice the
effective conduct of public affairs.
This concludes our response.
Next steps
If you are dissatisfied with the response you have received and wish
to request a review of our decision or make a complaint about how
your request has been handled you should write to the Information
Access team at the address below or email
xxxxxxxxxxxxxxxxxxxx@xxx.xxx.xx
Your request for internal review should be submitted to us within 40
working days of receipt by you of this response. Any such request
received after this time will only be considered at the discretion of
the Commissioner.
If having exhausted the review process you are not content that
your request or review has been dealt with correctly, you have a
further right of appeal to this office in our capacity as the statutory
complaint handler under the legislation. To make such an
application, please write to the Customer Contact department, at
the address below or visit the ‘Complaints’ section of our website to
make a Freedom of Information Act or Environmental Information
Regulations complaint online.
A copy of our review procedure is available here.
For information about what we do with personal data see our
privacy notice.
Yours sincerely,
Frederick Aspbury
Senior Information Access Officer, Risk and
Governance Department
Corporate Strategy and Planning Service
Information Commissioner’s Office, Wycliffe House, Water Lane,
Wilmslow, Cheshire SK9 5AF
T. 0330 4146397 F. 01625 524510
ico.org.uk twitter.com/iconews