This is an HTML version of an attachment to the Freedom of Information request 'New Case Management System'.

24 September 2020 
 
Case Reference IC-57122-J5C8 
 
Dear George White 
 
Thank you for contacting the Information Commissioner’s Office 
(ICO). We received your information request on 28 August 2020.  
 
 
Your request 
 
Following a description of our casework management systems, you 
asked us for: “the terms of reference and the schematic” 
 
We have considered your request under the Freedom of Information 
Act 2000 (FOIA).  
 
Our response   
 
It is not entirely clear what you mean by “terms of reference” 
beyond the description of our legacy and current casework 
management systems given in our response to your request under 
IC-45066-W6B5. The system is intended to effectively manage our 
casework (enquires, complaints under various pieces of legislation, 
reach reports, and information requests as well as related reviews). 
No new cases are being set up on the legacy system and it will be 
phased out for anything other than access to records when the last 
of the active cases has been closed. 
 
If you mean something specific by the phrase ‘terms of reference’ 
then please clarify this and I will be happy to provide a response.  
 
I can confirm that we hold a relevant system database schematic, 
however have to explain that the schematic is information which is 
exempt from disclosure under the FOIA, as a result of the provision 
laid out at section 36 of the Act.  
  
This provision exempts information when its disclosure, in the 
reasonable opinion of a qualified person, would likely prejudice the 
effective conduct of public affairs.  
  
I have expanded on this provision and why it applies to this request 
below, along with details of how to seek an internal review of this 
decision should one be desired.   
  
FOIA section 36 

  
Section 36(2)(c) provides that – 
  
“Information to which this section applies is exempt information if, 
in the reasonable opinion of a qualified person, disclosure of the 
information under this Act- 
 
  
(c) would otherwise prejudice, or would be likely otherwise to 
prejudice, the effective conduct of public affairs.” 
 
  
We consider that disclosure of the schema could cause serious 
security implications in relation to the information we hold. 
Disclosure would likely reveal the security details of our database 
and factors such as the level of encryption, and in doing so expose 
our information to a greater security risk. 
  
The schematic itself runs to several hundreds of pages. As the 
schematic only makes sense as an intact set of code, disclosing it 
with redactions to information which we know would likely result in 
prejudice would render the information useless. We are also 
concerned that disclosing parts of the schematic which did not 
appear ostensibly prejudicial could still be exploited nonetheless.  
As a result we are withholding the entirety of the schematic: 
releasing it would likely make our information more vulnerable to a 
security risk and in so doing prejudice our ability to fulfil our role. 
  
The exemption at section 36(2)(c) is not absolute and disclosure 
can be made if, in all the circumstances of the case, the public 
interest in maintaining the exemption does not outweigh the public 
interest in disclosing the information. 
  
To this end I have considered the following factors regarding the 
public interest in disclosure against maintaining the exemption.   
  
The public interest factor in favour of disclosure is that:  
  
•  There is a public interest in the ICO leading by example in 
being a transparent regulator, and in this case disclosure of 
the schematic would provide information into the public 
domain regarding the systems we use to carry out our work in 
the public interest. 
  
With the public interest factors in favour of maintaining the 
exemption being: 
  
   

•  The public interest in the ICO, as the UK regulator of data 
protection legislation, being able to maintain the 
confidentiality, integrity and appropriate access of the 
information within our casework databases which would be 
vulnerable in the event the schema was disclosed into the 
public domain; 
 
•  That we already proactively publish regarding the casework 
we handle through our website without needing to publish the 
schematic of our casework systems that underpins this work;  
 
•  That it is not possible to disclose parts of the schematic in a 
way that would improve public understanding of how our 
systems work while preventing an increased security risk. 
  
Our conclusion is that the weight in maintaining the exemption 
outweighs that of disclosure as it would be likely prejudice the 
effective conduct of public affairs. 
 
 
This concludes our response. 
 
 
 
Next steps  
 
If you are dissatisfied with the response you have received and wish 
to request a review of our decision or make a complaint about how 
your request has been handled you should write to the Information 
Access team at the address below or email 
xxxxxxxxxxxxxxxxxxxx@xxx.xxx.xx  
 
Your request for internal review should be submitted to us within 40 
working days of receipt by you of this response.  Any such request 
received after this time will only be considered at the discretion of 
the Commissioner. 
  
If having exhausted the review process you are not content that 
your request or review has been dealt with correctly, you have a 
further right of appeal to this office in our capacity as the statutory 
complaint handler under the legislation.  To make such an 
application, please write to the Customer Contact department, at 
the address below or visit the ‘Complaints’ section of our website to 
make a Freedom of Information Act or Environmental Information 
Regulations complaint online. 
  


A copy of our review procedure is available here. 
 
For information about what we do with personal data see our 
privacy notice. 
 
Yours sincerely, 
 
 
  
 
Frederick Aspbury 
Senior Information Access Officer, Risk and 
Governance Department  
Corporate Strategy and Planning Service 
 
Information Commissioner’s Office, Wycliffe House, Water Lane, 
Wilmslow, Cheshire SK9 5AF 
T. 0330 4146397  F. 01625 524510  ico.org.uk  twitter.com/iconews 
For information about what we do with personal data see our privacy 
notice 
Please consider the environment before printing this email