13/11/2020
J Roberts
By email only: xxxxxxxxxxxxxxxxxxxxxxx@xxxxxxxxxxxxxx.xxx
Ref:
Dear J
I am writing further to my correspondence of 10 November 2020 in which
I provided a response to your recent request for information dealt with in
accordance with your ‘right to know’ under section 1(1) of the Freedom of
Information Act 2000 (FOIA).
Following the issue of my correspondence I noted an error in my response
which I would like the opportunity to correct. Specifically, I cited the
provisions at section 30 (3) of the FOIA, which is incorrect; I should have
referred you to the provisions at 31 (3). I sincerely apologise for any
confusion caused.
In the interest of clarity I will respond below in the same format as my
original response.
Request
“On 28 April 2020, the Belgian Data Protection Authority (“DPA”), fined a
Belgian company 50,000 EUR for breach of article 38 (6) of the GDPR.
The DPA’s Litigation Chamber found that the DPO was not in a position
that is sufficiently free from conflict of interest because the DPO also
fulfilled the function of director of audit, risk and compliance."
https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fedpo.com%2Fnews%2Fdpo-and-conflict-of-interest-50-000e-fine-by-the-belgian-dpa%2F&data=01%7C01%7Cicoaccessinformation%40ico.org.uk%7C81b287c15c204a96f75408d8564e23ef%7C501293238fab4000adc1c4cfebfa21e6%7C1&sdata=Gda6iWl8lPx2IU7PMt4z6h%2F%2FtKQsTk42fMzhvXds7cU%3D&reserved=0
1. If you have investigated any public authority because of suspected
conflict of interest with the role of the DPO, please provide the number of
authorities investigated.
2. If you have fined any public authority because its DPO was not
sufficiently free from conflict of interest, please provide the number of
authorities fined and the size of the fines.
3. If you have created any information to assist public authorities protect
against a conflict of interest with the role of DPO, please provide.”
Response
In response to parts 1 and 2 of your request, we can neither confirm nor
deny that we hold information described in your request. This is in
accordance with the provisions of section 31 (3) of the FOIA, which I will
explain in more detail below:
Section 31 (1) states:
“(1) Information which is not exempt information by virtue of section 30
is exempt information if its disclosure under this Act would, or would be
likely to, prejudice—
(a) the prevention or detection of crime,
(b) the apprehension or prosecution of offenders,
(c) the administration of justice,
(d) the assessment or collection of any tax or duty or of any
imposition of a similar nature
(e) the operation of the immigration controls,
(f) the maintenance of security and good order in prisons or in other
institutions where persons are lawfully detained,
(g) the exercise by any public authority of its functions for any of the
purposes specified in subsection (2),
(h) any civil proceedings which are brought by or on behalf of a
public authority and arise out of an investigation conducted, for
any of the purposes specified in subsection (2), by or on behalf
of the authority by virtue of Her Majesty’s prerogative or by
virtue of powers conferred by or under an enactment, or
(i) any inquiry held under the [F1Inquiries into Fatal Accidents and
Sudden Deaths etc. (Scotland) Act 2016] to the extent that the
inquiry arises out of an investigation conducted, for any of the
purposes specified in subsection (2), by or on behalf of the
authority by virtue of Her Majesty’s prerogative or by virtue of
powers conferred by or under an enactment.”
Section 31 (3) goes on to state:
“The duty to confirm or deny does not arise if, or to the extent that,
compliance with section 1(1)(a) would, or would be likely to, prejudice
any of the matters mentioned in subsection (1).”
It is likely that, if shown, that the data protection legislation has not been
adhered to, consequently, any information held by the ICO would satisfy
at least the requirement at section 31(1) (g) as it would be held for the
purposes of an investigation to ascertain whether a person has failed to
comply with data protection law and whether there were any
circumstances which might justify regulatory action.
It then follows that the duty to confirm or deny that this information is
held does not arise, by virtue of the provisions of section 31(3).
Section 31 is not an absolute exemption, however, and the duty to
confirm or deny depends on the balance of the public interest. It is our
view that the balance of the public interest supports the use of the
provision to neither confirm nor deny that the requested information is
held. This is because disclosure under FOIA is disclosure to the wider
world, and if the ICO were to reveal that it was conducting an
investigation about a named organisation, that might alert the
organisation and enable it to take steps to frustrate the ICO’s
investigations.
It is also necessary to adopt a consistent approach to our response to
requests for information about such matters, in the public interest,
because any inconsistency could lead to inferences being made about that
response, but also could inadvertently lead to conclusions being drawn
about other ‘neither confirm nor deny’ (NCND) responses.
In simple terms, if the ICO adopted a general policy of neither confirming
nor denying that it held information in the same or similar circumstances
to those in this case, then if it occasionally departed from that policy and
denied that it held information, this might enable parties to infer that in
previous NCND responses, the information was more likely to have been
held. Furthermore, the occasional confirmation that information was held
could enable conclusions to be drawn about other NCND responses, for
example where the information was of a broadly similar nature and, if
held for one, would have been likely to be held for the other.
The risk is that a confirmation or denial which in itself appears benign,
could enable somebody to deduce whether information was in fact held or
not in other circumstances, where an NCND response had been given, and
where that deduction could itself prejudice the investigations and
proceedings undertaken by the ICO.
Unfortunately, therefore, it is our view that, irrespective of the specific
public interest in transparency in any individual case, the importance of
maintaining the integrity of the NCND responses, past and present, is of
the greater public interest. Combine this with the public interest which
applies to the present circumstances and I trust it will be clear why our
response in the present case must be to neither confirm nor deny that the
information you have requested is held by the ICO.
For the avoidance of doubt, therefore, nothing in the above should be
taken as being either confirmation or denial that the ICO holds
information about the organisations you describe in your request.
In respect of part 3 of your request, whilst I can advise that there is
no specific guidance publication “created … to assist public authorities
protect against a conflict of interest with the role of DPO” there is our
general guidance regarding the role of a DPO which does touch briefly on
the issue of conflicts of interest. This can be found on our website here:
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-officers/#ib8
You may wish to refer to the section titled: “Can we assign other tasks to
a DPO”.
This concludes our response to your request. I once again apologise for
the error in my previous response and any subsequent confusion caused
by this.
Review Procedure
If you are dissatisfied with this response and wish to request a review of
our decision or make a complaint about how your request has been
handled you can write to the Information Access Team at the address
below or e-ma
il xxxxxxxxxxxxxxxxxxxx@xxx.xxx.xx.
Your request for internal review should be submitted to us within 40
working days of receipt by you of this response. Any such request
received after this time will only be considered at the discretion of the
Commissioner.
If having exhausted the review process you are not content that your
request or review has been dealt with correctly, you have a further right
of appeal to this office in our capacity as the statutory complaint handler
under the legislation. To make such an application, please write to our
Customer Contact Team at the address given or visit our website if you
wish to make a complaint under the Freedom of Information Act.
A copy of our review procedure can be accessed from our website.
Yours sincerely
Jessica Lalor
Senior Information Access Officer, Risk and Governance Department
Corporate Strategy and Planning Service
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
T. 0330 414 6497 F. 01625 524510
ico.org.uk twitter.com/iconews