27 August 2019

Case Reference Number IRQ0868369

Dear Mr Booth

Thank you for your recent request for information. We received your
request on 22 August 2019.
 
We will be considering your request under the Freedom of Information Act
2000. You can expect us to respond in full by 20 September 2019. This is
20 working days from the date we received your request. If, for any
reason, we can’t respond by this date, we will let you know and tell you
when you can expect a response.
 
If you have any questions please contact me using the IRQ case reference
number above or by replying to this email and leaving the subject field
unchanged.
 
Thank you for your interest in the work of the Information Commissioner's
Office.
 
Yours sincerely
 
  
 
 

Alexis Karlsson-Jones
Senior Information Access Officer, Risk and Governance Department
Corporate Strategy and Planning Service
Working pattern: Tuesday - Friday
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF
F. 01625 524510  [1]ico.org.uk  [2]twitter.com/iconews
For information about what we do with personal data see our [3]privacy
notice. Please consider the environment before printing this email

References

Visible links
1. http://ico.org.uk/
2. https://twitter.com/iconews
3. https://ico.org.uk/global/privacy-notice/

19 September 2019

Case Reference Number IRQ0868369

Dear Mr Booth

Further to my letter dated 27 August 2019, I can confirm we are now in a
position to provide you with a response to your information request of 22
August.
 
We have dealt with your request in accordance with your ‘right to know’
under section 1(1) of the Freedom of Information Act 2000 (FOIA), which
entitles you to be provided with any information ‘held’ by a public
authority, unless an appropriate exemption applies.
 
Your Request
 
“I would like to make a request under the Freedom of Information Act. For
the purposes of the Act, please take the date of your receipt of this
request as 22 August 2019.
 
With reference to your 'beta sandbox' projects listed here:
 
[1]https://eur03.safelinks.protection.outlo...
 
Please provide a copy of the completed application forms (and any
supporting documents) for each of the 10 projects selected for the
sandbox.
 
Please do not delay your response on the basis that you cannot provide
some or any of the information for any one of the items above; I am happy
for you to provide partial information in a timely manner, on the
understanding that you will provide more complete information as soon as
it is available. I would be grateful if you would send me the requested
information promptly and in any event not later than the twentieth working
day following the date of receipt of my request. If my request is denied
in whole or in part, or if specific items within the responses are
withheld from disclosure, then (as you know) you must justify all
deletions by reference to specific exemptions of the Act, as per Section
17 of the Act. Where you rely on a qualified exemption to withhold
disclosure, you are obliged to consider the public interest in your
decision and any refusal notice must explain not only which exemption
applies and why, but also the public interest arguments addressed in
reaching the decision.”
 
Our Response
 
I can confirm we hold the information that falls in the scope of your
request. The information held constitutes application forms from the
organisations responsible for the first ten projects chosen to participate
in the beta phase of the ICO Sandbox.
 
We are unable to disclose any of the information that we hold that falls
in scope of your request as we consider it exempt from disclosure. I will
explain our decision in more detail below.
 
Section 44 – prohibitions on disclosure
 
Firstly, we consider that the applications submitted by the successful
applicant organisations is exempt under section 44 of the FOIA. This is an
absolute exemption and not subject to a public interest test. Section
44(1)(a) of the FOIA states:
 
“(1) Information is exempt information if its disclosure (otherwise than
under this Act) by the public authority holding it –
is prohibited by or under any enactment.”
 
In this case, the Data Protection Act 2018, Part 5, Section 132 prohibits
the disclosure of confidential information that:
 
“… (a) has been obtained by, or provided to, the Commissioner in the
course of, or for the purposes of, the discharging of the Commissioner’s
functions,
(b) relates to an identified or identifiable individual or business, and
(c) is not available to the public from other sources at the time of the
disclosure and has not previously been available to the public from other
sources,
 
unless the disclosure is made with lawful authority.”
 
We consider that this applies to completed application forms submitted to
the ICO for our consideration when choosing the projects to participate in
the beta phase of the ICO Sandbox. We do not have lawful authority to
disclose the requested information as it was provided to us with an
expectation of confidence.
 
It is important to understand that in order to fulfil our regulatory
function, the ICO relies on the co-operation of organisations in
participating in projects such as the ICO sandbox. If we were to release
all the information which we receive from organisations relating to their
applications to take part in schemes such as these, (and without consent),
this would be likely to deter them from engaging in initiatives such as
this which are designed to improve compliance with the legislation. It
would be likely to deter organisations from providing information to us in
future and would therefore undermine our regulatory function.
 
Section 132(3) of the DPA imposes a criminal liability on the Commissioner
and her staff not to disclose information relating to an identifiable
individual or business for the purposes of carrying out our functions,
such as the regulatory sandbox, unless we have the lawful authority to do
so. In this instance we do not consider that any of the gateways to lawful
disclosure envisaged by section 132 have been met, and as such the
information is exempt pursuant to FOIA section 44.
 
Section 31 – Law enforcement
 
We consider the information in scope of this request is exempt from
disclosure by virtue of section 31(1)(g) of the FOIA. This exemption
applies when disclosure would or would be likely to prejudice our ability
to carry out our regulatory function.
 
The exemption at section 31(1)(g) of the FOIA refers to circumstances
where the disclosure of information “would, or would be likely to,
prejudice – … the exercise by any public authority of its functions for
any of the purposes specified in subsection (2).” 
 
In this case the relevant purposes contained in subsection 31(2) are 31(2)
(c) which state;
 
“(c) the purpose of ascertaining whether circumstances which would justify
regulatory action in pursuance of any enactment exist or may arise,”    
 
Since part of the ICO Sandbox process involves ascertaining whether
circumstances may arise where regulatory action would be justified, we
consider that disclosure of the applications forms would be likely to
prejudice our regulatory functions. It therefore meets the exemption at
section 31(2)(c).
 
We consider that disclosure of this information, particularly while the
Sandbox is ongoing, would create a real risk of distracting from and
causing interference with the process, resulting in prejudice to the
functions of the ICO both in relation to the current Sandbox initiative
and any of its future iterations. For instance, disclosure of the
requested information here may reveal potentially commercially sensitive
or otherwise confidential information. This would therefore be likely to
inhibit effective and productive relationships with the various parties we
communicate with – it is essential that organisations continue to engage
with us in a constructive and collaborative way without fear that the
information they provide to us will be made public prematurely, or at a
later date, if it is inappropriate to do so.
 
As the exemption at section 31 is not absolute we must consider whether
the public interest lies in maintaining the exemption or in disclosure of
the list.
 
We find that the factors in favour of disclosing the completed application
forms are:
 
 

* transparency in the ICO Sandbox process we have initiated in line with
our mission to uphold information rights in the public interest which
includes promoting openness by public bodies; and
* providing insight to the public about the products and services, using
personal data, which are likely to come to market in the near future.

 
And the public interest factors we find in maintaining the exemption are:
 
 
 

* the ICO being able to operate the regulatory sandbox project in line
with its stated, publicly available strategies and goals without its
being undermined by disclosure of the specifics of the technologies
being tested;
* in preventing the undermining of the sandbox process by disclosure of
potentially commercially sensitive and/or confidential information,
particularly before the beta phase has been concluded;
* that no information had been provided to the organisations that these
applications would be placed in public domain, and indeed, mindful
that the completed applications would treated with the appropriate
level of confidence;
* that we are committed to transparency within the regulatory sandbox
process, and to that end have already published a number of blogs on
our website and entries in our e-newsletter, including a synopsis of
each of the ten successful projects that have been chosen to take part
in the Sandbox;
* that disclosure could have the overall effect of reducing compliance
with the laws we regulate.

 
On the balance of the factors listed above we consider that the public
interest lies in maintaining the exemption at this time.

This concludes our response to your request.
 
Complaint and Review Procedure
 
If you are dissatisfied with your request for information under FOI and
wish to request a review of our decision or make a complaint about how
your request has been handled you should write to the Information Access
Team at the address below or e-mail [2][ICO request email].
 
Your request for internal review should be submitted to us within 40
working days of receipt by you of this response. Any such request received
after this time will only be considered at the discretion of the
Commissioner.
 
If having exhausted the review process you are not content that your
request or review has been dealt with correctly, you have a further right
of appeal to this office in our capacity as the statutory complaint
handler under the legislation. To make such an application, please write
to our Customer Contact Team at the address given or visit our website if
you wish to make a complaint under the Freedom of Information Act.
 
A copy of our review procedure can be accessed from our website [3]here.
 
Yours sincerely
 
 
 
 

Alexis Karlsson-Jones
Senior Information Access Officer, Risk and Governance Department
Corporate Strategy and Planning Service
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF
F. 01625 524510  [4]ico.org.uk  [5]twitter.com/iconews
For information about what we do with personal data see our [6]privacy
notice. Please consider the environment before printing this email

References

Visible links
1. https://eur03.safelinks.protection.outlo...
2. mailto:[ICO request email]
3. https://ico.org.uk/media/1883/ico-review...
4. http://ico.org.uk/
5. https://twitter.com/iconews
6. https://ico.org.uk/global/privacy-notice/

Thank you for contacting the Information Commissioner’s Office. We confirm
that we have received your correspondence.

If you have made a request for information held by the ICO we will contact
you as soon as possible if we need any further information to enable us to
answer your request. If we don't need any further information we will
respond to you within our published, and statutory, service levels. For
more information please visit:

[1]https://ico.org.uk/about-the-ico/our-inf...

If you have raised a new information rights concern - we aim to send you
an initial response and case reference number within 30 days.

If you are concerned about the way an organisation is handling your
personal information, we will not usually look into it unless you have
raised it with the organisation first. For more information please see our
webpage ‘raising a concern with an organisation’ (go to our homepage and
follow the link ‘for the public’). You can also call the number below.

If you have requested advice - we aim to respond within 14 days. 

If your correspondence relates to an existing case - we will add it to
your case and consider it on allocation to a case officer.

Copied correspondence - we do not respond to correspondence that has been
copied to us.

For more information about our services, please see our webpage ‘Service
standards and what to expect' (go to our homepage and follow the links for
‘Report a concern’ and ‘Service standards and what to expect'). You can
also call the number below.

For information about what we do with personal data see our [2]privacy
notice.

If there is anything you would like to discuss with us, please call our
helpline on 0303 123 1113.

Yours sincerely

The Information Commissioner’s Office

Our newsletter

Details of how to sign up for our monthly e-newsletter can be found
[3]here.

Twitter

Find us on Twitter [4]here.

References

Visible links
1. https://ico.org.uk/about-the-ico/our-inf...
2. https://ico.org.uk/global/privacy-notice/
3. https://ico.org.uk/about-the-ico/news-an...
4. http://www.twitter.com/ICOnews

30 September 2019

Case Reference Number RCC0878241

Dear Mr Booth

Thank you for your correspondence dated 27 September 2019.
 
This correspondence will now be treated as a request for an internal
review of the response we provided to your recent request for information
under the Freedom of Information Act 2000.
 
We will aim to respond by 25 October 2019, which is 20 working days from
the day after we received your recent correspondence.  This is in
accordance with our internal review procedures which were provided with
our response.
 
Yours sincerely
 
 
 

Alexis Karlsson-Jones
Senior Information Access Officer, Risk and Governance Department
Corporate Strategy and Planning Service
Usual working pattern – Tuesday to Friday
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF F. 01625 524510 [1]ico.org.uk  [2]twitter.com/iconews
For information about what we do with personal data see our [3]privacy
notice. Please consider the environment before printing this email

References

Visible links
1. http://ico.org.uk/
2. https://twitter.com/iconews
3. https://ico.org.uk/global/privacy-notice/

Dear Mr Booth

I am the Group Manager for the Information Access team and I have received
your request for an information review. I will finalise your reply by
Friday 1 November 2019. My apologies for the delay in your reply.

Regards

Elizabeth Baxter
Information Access Service Group Manager, Risk and Governance Department
 
Corporate Strategy and Planning Service
 
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF
T. 0330 3131840  F. 01625 524510  [1]ico.org.uk  [2]twitter.com/iconews
For information about what we do with personal data see our [3]privacy
notice
Please consider the environment before printing this email

References

Visible links
1. http://ico.org.uk/
2. https://twitter.com/iconews
3. https://ico.org.uk/global/privacy-notice/

Dear Mr Booth

Further to my email of last week, I can confirm that I have undertaken a
review of your information request IRQ0868369. I can also confirm that,
whilst in agreement with the application of the two exemptions Section 44
and Section 31, I feel we could have been more helpful with your request.

As a result, The Information Commissioners Office are reconsidering your
request for information to ascertain if there is any further information
we can disclose to you in the interests of being helpful. We will be in
touch no later than the week commencing Monday 25 November 2019.

Kind Regards

Elizabeth Baxter
Information Access Service Group Manager, Risk and Governance Department
 
Corporate Strategy and Planning Service
 
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF
T. 0330 3131840  F. 01625 524510  [1]ico.org.uk  [2]twitter.com/iconews
For information about what we do with personal data see our [3]privacy
notice
Please consider the environment before printing this email

References

Visible links
1. http://ico.org.uk/
2. https://twitter.com/iconews
3. https://ico.org.uk/global/privacy-notice/

21 November 2019

Case Reference Number RCC0878241

Dear Mr Booth

I am have been asked by my colleague, Elizabeth Baxter to contact you to
provide you with an update on your request further to her email of 31
October.
I can advise that your request is continuing to be reconsidered and we
hope to make a disclosure of some of the information that you have
requested in due course.
 
I will continue to keep you updated on your request and will contact you
again no late than the week beginning 16 December.
 
Yours sincerely
 
 
 
 
 

Alexis Karlsson-Jones
Senior Information Access Officer, Risk and Governance Department
Corporate Strategy and Planning Service
Usual working pattern – Tuesday to Friday
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF F. 01625 524510  [1]ico.org.uk  [2]twitter.com/iconews
For information about what we do with personal data see our [3]privacy
notice. Please consider the environment before printing this email

References

Visible links
1. http://ico.org.uk/
2. https://twitter.com/iconews
3. https://ico.org.uk/global/privacy-notice/

18 December 2019

Case Reference Number RCC0878241

Dear Mr Booth

I am have been asked by my colleague, Elizabeth Baxter to contact you to
provide you with an update on your request.

I can advise that your request is continuing to be reconsidered and we
hope to make a disclosure of some of the information that you have
requested in due course.
 
I will continue to keep you updated on your request and will contact you
again no late than the week beginning 14 January 2020.
 
Yours sincerely
  
 
 

Alexis Karlsson-Jones
Senior Information Access Officer, Risk and Governance Department
Corporate Strategy and Planning Service
Usual working pattern – Tuesday to Friday
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF F. 01625 524510  [1]ico.org.uk  [2]twitter.com/iconews
For information about what we do with personal data see our [3]privacy
notice. Please consider the environment before printing this email

References

Visible links
1. http://ico.org.uk/
2. https://twitter.com/iconews
3. https://ico.org.uk/global/privacy-notice/

22 January 2020

Case Reference Number RCC0878241

Dear Mr Booth

Further to my email of 18 December 2019, I have been asked by my
colleague, Elizabeth Baxter to contact you to provide you with an update
on your request.
 
Please find attached a partial disclosure of five of the 10 Sandbox
applications. You will note that there are a number of redactions and I
can advise that all redactions have been made in line with the exemption
at s.44 of the FOIA, which I will explain in further detail below:
 
Section 44 – prohibitions on disclosure
 
Following a reconsideration of your request, we consider elements of the
applications submitted by the successful applicant organisations are
exempt under section 44 of the FOIA. This is an absolute exemption and not
subject to a public interest test. Section 44(1)(a) of the FOIA states:
 
“(1) Information is exempt information if its disclosure (otherwise than
under this Act) by the public authority holding it –
is prohibited by or under any enactment.”
 
In this case, the Data Protection Act 2018, Part 5, Section 132 prohibits
the disclosure of confidential information that:
 
“… (a) has been obtained by, or provided to, the Commissioner in the
course of, or for the purposes of, the discharging of the Commissioner’s
functions,
(b) relates to an identified or identifiable individual or business, and
(c) is not available to the public from other sources at the time of the
disclosure and has not previously been available to the public from other
sources,
 
unless the disclosure is made with lawful authority.”
 
We consider that this applies to the sections of the completed application
forms where we do not have lawful authority to disclose the information,
which was provided to us in confidence by the submitting organisation .
 
It is important to understand that in order to fulfil our regulatory
function, the ICO relies on the co-operation of organisations in
participating in projects such as the ICO sandbox. If we were to release
confidential information which we receive from organisations relating to
their applications to take part in schemes such as these, (and without
consent), this would be likely to deter them from engaging in initiatives
such as this which are designed to improve compliance with the
legislation. It would be likely to deter organisations from providing
information to us in future and would therefore undermine our regulatory
function.
 
Section 132(3) of the DPA imposes a criminal liability on the Commissioner
and her staff not to disclose information relating to an identifiable
individual or business for the purposes of carrying out our functions,
such as the regulatory sandbox, unless we have the lawful authority to do
so. In the instance of these redactions, we do not consider that any of
the gateways to lawful disclosure envisaged by section 132 have been met,
and as such the information is exempt pursuant to FOIA section 44.
 
I can advise that we are continuing to consider the remaining applications
and we hope to make a further disclosure of some of the information that
you requested in due course.
 
I will continue to keep you updated on your request and will contact you
again no late than the week beginning 11 February 2020. 

Yours sincerely
 
 
 

Alexis Karlsson-Jones
Senior Information Access Officer, Risk and Governance Department
Corporate Strategy and Planning Service
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF
T. 0330 313 1886 F. 01625 524510  [1]ico.org.uk  [2]twitter.com/iconews
For information about what we do with personal data see our [3]privacy
notice. Please consider the environment before printing this email

References

Visible links
1. http://ico.org.uk/
2. https://twitter.com/iconews
3. https://ico.org.uk/global/privacy-notice/

13 February 2020

Case Reference Number RCC0878241

Dear Mr Booth

I am writing further to my letter of 22 January 2020.
 
We are continuing to review the request and hope to provide a further and
final disclosure within the next two weeks.
 
Yours sincerely
 
 
 

Alexis Karlsson-Jones
Senior Information Access Officer, Risk and Governance Department
Corporate Strategy and Planning Service
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF
F. 01625 524510  [1]ico.org.uk  [2]twitter.com/iconews
For information about what we do with personal data see our [3]privacy
notice. Please consider the environment before printing this email

References

Visible links
1. http://ico.org.uk/
2. https://twitter.com/iconews
3. https://ico.org.uk/global/privacy-notice/

9 June 2020

Case Reference Number RCC0878241

Dear Mr Booth
 
Further to my email of 22 January 2020, I have been asked by my colleague,
Elizabeth Baxter to contact you to provide you with an update on your
request. I am sorry that you have experienced a further delay in this
receiving this disclosure.
 
Please find attached the disclosure of final five Sandbox applications.
You will note that there are a number of redactions and I can advise that
all redactions have been made in line with the exemption at s.44 of the
FOIA, which I will explain in further detail below:
 
Section 44 – prohibitions on disclosure
 
Following a reconsideration of your request, we consider elements of the
applications submitted by the successful applicant organisations are
exempt under section 44 of the FOIA. This is an absolute exemption and not
subject to a public interest test. Section 44(1)(a) of the FOIA states:
 
“(1) Information is exempt information if its disclosure (otherwise than
under this Act) by the public authority holding it –
is prohibited by or under any enactment.”
 
In this case, the Data Protection Act 2018, Part 5, Section 132 prohibits
the disclosure of confidential information that:
 
“… (a) has been obtained by, or provided to, the Commissioner in the
course of, or for the purposes of, the discharging of the Commissioner’s
functions,
(b) relates to an identified or identifiable individual or business, and
(c) is not available to the public from other sources at the time of the
disclosure and has not previously been available to the public from other
sources,
 
unless the disclosure is made with lawful authority.”
 
We consider that this applies to the sections of the completed application
forms where we do not have lawful authority to disclose the information,
which was provided to us in confidence by the submitting organisation .
 
It is important to understand that in order to fulfil our regulatory
function, the ICO relies on the co-operation of organisations in
participating in projects such as the ICO sandbox. If we were to release
confidential information which we receive from organisations relating to
their applications to take part in schemes such as these, (and without
consent), this would be likely to deter them from engaging in initiatives
such as this which are designed to improve compliance with the
legislation. It would be likely to deter organisations from providing
information to us in future and would therefore undermine our regulatory
function.
 
Section 132(3) of the DPA imposes a criminal liability on the Commissioner
and her staff not to disclose information relating to an identifiable
individual or business for the purposes of carrying out our functions,
such as the regulatory sandbox, unless we have the lawful authority to do
so. In the instance of these redactions, we do not consider that any of
the gateways to lawful disclosure envisaged by section 132 have been met,
and as such the information is exempt pursuant to FOIA section 44.
 
This concludes our disclosure in response to your request for information.
Once again I sincerely apologise for the delays in getting this to you.

Yours sincerely
 
 
 
 

Alexis Karlsson-Jones
Senior Information Access Officer, Risk and Governance Department
Corporate Strategy and Planning Service
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF
F. 01625 524510  [1]ico.org.uk  [2]twitter.com/iconews
For information about what we do with personal data see our [3]privacy
notice. Please consider the environment before printing this email

References

Visible links
1. http://ico.org.uk/
2. https://twitter.com/iconews
3. https://ico.org.uk/global/privacy-notice/