Audit trail - is this included in a Subject Access Request response?

The request was successful.

Dear Information Commissioner’s Office,

Could you please tell me whether an audit trail of PA records should be included in a Subject Access request response - or not?

My understanding - from a well-known company - is that although records may be deleted or altered, the audit trail still exists.

Therefore if a person's data - relating to past entries which may no longer exist on the main files, is held on the audit file, should this information be contained within a SAR response, or not?

Yours faithfully,

Jt Oakley

AccessICOinformation, Information Commissioner’s Office

Thank you for contacting the Information Commissioner’s Office. We confirm
that we have received your correspondence.

If you have made a request for information held by the ICO we will contact
you as soon as possible if we need any further information to enable us to
answer your request. If we don't need any further information we will
respond to you within our published, and statutory, service levels. For
more information please visit [1]http://ico.org.uk/about_us/how_we_comply

If you have raised a new information rights concern - we aim to send you
an initial response and case reference number within 30 days.

If you are concerned about the way an organisation is handling your
personal information, we will not usually look into it unless you have
raised it with the organisation first. For more information please see our
webpage ‘raising a concern with an organisation’ (go to our homepage and
follow the link ‘for the public’). You can also call the number below.

If you have requested advice - we aim to respond within 14 days.

If your correspondence relates to an existing case - we will add it to
your case and consider it on allocation to a case officer.

Copied correspondence - we do not respond to correspondence that has been
copied to us.

For more information about our services, please see our webpage ‘Service
standards and what to expect' (go to our homepage and follow the links for
‘Report a concern’ and ‘Service standards and what to expect'). You can
also call the number below.

If there is anything you would like to discuss with us, please call our
helpline on 0303 123 1113.

Yours sincerely

The Information Commissioner’s Office

Our newsletter

Details of how to sign up for our monthly e-newsletter can be found at
[2]http://www.ico.org.uk/tools_and_resource...

Twitter

Find us on Twitter at [3]http://www.twitter.com/ICOnews


Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire, SK9 5AF
Tel: 0303 123 1113 Fax: 01625 524 510 Web: www.ico.org.uk

References

Visible links
1. http://ico.org.uk/about_us/how_we_comply
2. http://www.ico.org.uk/tools_and_resource...
3. http://www.twitter.com/ICOnews

AccessICOinformation, Information Commissioner’s Office

Dear [title redacted] Oakley,

Thank you for contacting the Information Commissioner's Office (ICO) through the whatdotheyknow.com (WDTK) website. The WDTK website was created to help people request information from public authorities under the Freedom of Information Act (FoIA) and the Environmental Information Regulations (EIRs).

The ICO is the regulator responsible for overseeing information rights legislation. We are also subject to the legislation we oversee. As a public authority the ICO is subject to the FoIA and EIRs and so if people want to request information we might hold about our work as a public body, they can do this through WDTK.

The correspondence you have sent to us is not a request for information we might hold. It is an enquiry about the legislation we oversee. We provide a range of advice services for organisations and for the public. However, we do not provide these through the WDTK website.

Please visit our website at www.ico.org.uk where you will find a great deal of advice about the legislation we oversee. You can also contact our helpline on 0303 123 1113 where a member of our team will be happy to help you.

If you would like to submit your enquiry in writing you should email it to [email address]. We respond to most of the enquiries we receive within 7 days.

Please do not reply to this message. We make no commitment to respond if you do.

Yours sincerely

Steven Johnston
Lead Information Access Officer


Dear AccessICOinformation,

Clarification

Thank you.

But my request is not about legislation, which I can read for myself.

I have found no exclusion of audit trails in the legislation - since they may contain data information on subjects - therefore I wondered why audit trails are not included within SAR's.

My request is therefore for the internal guidance that the ICO holds on audit trails - given to its employees.

My understanding of your response is that you are stating that there are no internal guidance files given to employees on audit trails (and their inclusion in SAR's).

Could you please confirm that interpretation of your response.

Yours sincerely,

Jt Oakley

AccessICOinformation, Information Commissioner’s Office

Dear [title redacted] Oakley,

Thank you for your email of 15 November 2015 in which you have submitted a request for information to the ICO. We understand from your email that you are seeking "any internal guidance that the ICO holds on audit trails - given to its employees".

This request is being dealt with in accordance with the Freedom of Information Act 2000. We will respond promptly, and no later than 14 December 2015 which is 20 working days from the day after we received your request.

Yours sincerely

Steven Johnston
Lead Information Access Officer


Ian Howgate left an annotation

I am providing you the following as a professional with many years' experience in managing SARs from both ends of the process. This is a professional opinion upon the law but obviously not an answer to your request to the ICO who may have processes or guidance that concurs with or contradicts the law or my personal interpretation of it.

Audit trails which contain personal identifiers about a data subject are naturally parts of 'relevant filing systems' and such parts of audit trails that give context to the personal information contained in the audit trail should hence be included in SAR responses.

In this way Audit trails are similar to archive back up files which firms often neglect to search (sometimes on purpose) in their attempted compliance with SAR requests. Most large businesses run disaster recovery and backup data storage in archive facilities off site to allow them to restore their systems in the case of a disaster or so as to show the state of play of data at the time of crucial decisions. These 'backup' records are often held for substantial periods of time.

As a result, rather like audit trails, if a data controller has deleted some personal information for one reason or another, from their current systems, then it does necessarily mean that they have deleted the record from the back up, archive, or disaster recovery files that they hold in reserve.

I hope this is helpful - at least a little more helpful than the frustrating narrative you seem to be having with the ICO. I however repeat again that just because I may have provided you with this information does not change the fact that the ICO have a duty to disclose their version of this information to you, particularly as it may differ from the interpretation I have provided above.

Jt Oakley left an annotation

Thank you very much for your time and effort Ian Howgate.

That is what I thought -- but I thought I'd better clarify the issue since it seems that the PHSO doesn't consider this type of data to be relevant to SAR's.

::::

In general, my opinion is that the ICO has much more integrity than the Ombudsman.

I find the huge majority of their employees to be fair and independent ......... except where the Ombudsman is concerned..
(The PHSO investigates complaint cases against the ICO .)

Having stated that, it was the ICO which prised pre-court disclosure withheld documents from the Ombudsman before I went to court...files which harmed the ICO's Decision Notice case.

(The PHSO had misinformed the ICO - which led to its wrongful Decision notice and evidential documents have to be presented to both parties in a court case).
::::

So my request is aimed at finding out why the PHSO never seems to supply these kind of files in answer to SAR's either.

Therefore I wondered if the PHSO could try and use some sort of weird FOIA exclusion again....as it seemingly thought it could before the Tribunal, when it told the ICO it was 'out of its remit' to investigate the accuracy of my complaint statement to the ICO before the Decision Notice - which forced me to challenge the wrong information in court.

With the pre-court evidence that the ICO had been able to persuade the PHSO to hand over to me - my case was upheld.

So I regard the ICO as being weak when it comes to investigating a complaint about the PHSO. And a bit of a rubber stamp when it comes to PHSO complaint Decision Notices.

But, when it comes to pre-court disclosure, where documents are listed as evidence - but not provided to the appellant (me), very fair - even to its own detriment.

Therefore it's worth asking the ICO for the official guidance on the missing audit trails - before taking their non-appearance up with the PHSO.

:::::

The court case:

http://www.informationtribunal.gov.uk/DB...

Ian Howgate left an annotation

Wow that sounds like a really convoluted situation and a bit of a mockery; that the ICO are trying to handle your concerns about the data handling of their own ombudsman! There must be a huge conflict of interest in there - no man should be called in judgement upon themselves - and plainly here there is a circular line of authority.

In regard to get outs - the only exemption that I think the PHSO could be claiming is the government business exemption - because they are the parliamentary ombudsman. However their business in handling your personal data is plainly not a governmental matter and hence the exemption should not stand up to scrutiny. There are of course a number of other exemptions which without knowing more about the case I cannot rule out - but they all seem highly unlikely in the circumstances.

I am afraid that my experiences of the ICO vary like yours. They seem very good and fair in delivering to DPA and FoIA requests - though I have one in the pipe at the moment in which they are being a very long way from prompt and seem to be using the DPA time limit to delay disclosure to more than that of normal course of communications (ie within a week) and are pushing the matter to the full 40 days. Indeed in the issue I am talking about, data controller responses to the ICO regarding concerns raised by the public, I believe that the ICO should disclose the personal information contained in those responses without prompting as part of the disclosure process in the handling of public concerns. To deprive the public of these as a matter of course is ridiculous, in a court process then all communications would be cross disclosed - so why not here? Indeed in one of the ones I have asked for and which the ICO unnecessarily delayed disclosure for some months the data controller had made a number of highly derogatory and libellous allegations against me, supposedly being disclosures of fact, which the ICO had not asked the DC why they were disclosing this information - which even if true would have breached my data rights in their act of disclosure to the ICO.

My other experience of the ICO is in handling data and information concerns and I have to say that my opinion has changed radically in recent years. The ICO used to be very sound and robust in handling data concerns and today they are practically useless. Their process seems to be 1) receive a concern, 2) write to data controller/PA, 3) receive DC/PA response, 4) a) if the DC/PA admit anything then rule against them on that, 4)b) if the DC/PA deny anything - accept their denial and notify the member of the public that you agree with them. This is just a means of trying to process lots of concerns quickly. The process reduces the likelihood of conflict as the public are unlikely to disagree with the ICO and hence whilst loads of DC/PA get away with some terrible behaviour the ICO move cases through quickly - generally to the public detriment. The ICO are also careful to neglect to explain to the public their right of review/appeal and if someone does find and push this review process they whitewash the review.

The ICO simply cannot be doing their job properly if they knowingly let DC/PA's get away with bad practice simply to save themselves time by believing what the DC/PA says even when it conflicts directly with the statement of the public and is supported by no evidence.

Kind regards

Ian Howgate

Jt Oakley left an annotation

Thank you Ian,

As the court decided that the PHSO's case was basically pants - as it was - (and ridiculous extra-large embroidered frilly pants at that) ... I'm not too worried. Just shaken at its mode of cover-up.

I felt sorry for the ICO lawyer..the caseworker had no chance to do a fair investigation.

Everything I'd stated, that the PHSO wouldn't let her investigate was true. It was in the files.

...Even the fact that the PHSO's own external investigator upheld my complaint.

:::

But the slipping integrity that you've witnessed is exactly the same with the PHSO.

It's now target driven, not integrity driven.

Where the PHSO agree with NHS Trusts that - 'No..they can't possibly have any relevant medical records' (some of which magically appear before court in last minute pre-court disclosure) ...the ICO seems to quickly agree that PA's don't have any of the records that logically they must have.

To be fair, they are often destroyed by the negligent, so they may no longer exist.

That's why I'm interested in the audit files. Which apparently can be changed by 'administrators' and IT staff.

:::

But, other than turning up and rifling through the files, what can these organisations do?

I can't help but sympathise with the PHSO and ICO as Trusts and PA's can afford very expensive publicly funded lawyers, who know all the tricks and can recommend delaying in the hope that the complaint/requester will just give up and go away - which many do.

....While the PHSO /ICO are tasked with progressing more and more cases per person to show 'efficiency'.

At the moment, it's only the courts that seem to be sensible, probably because it's difficult to explain away the pre-court disclosures, but, if charges are levied for grc Tribunals - and it looks like they will be - how many people will then be able to obtain justice?

Ian Howgate left an annotation

I am sorry I can't sympathise with the ICO and the PHSO or any ombudsman/regulator who do a half-hearted job. This is simple corruption, they know what they are doing, they have a public duty to do their job properly and by letting DC/PA's get away with things that the regulators know are wrong, they are just making their lot worse for themselves and us. It was the same with the FSA pre-banking collapse, they had a soft touch to regulation in the industry and it resulted in lots of firms breaking the rules and bringing down the banking system and who has ended up paying for it - the public. So the public were fiddled by the firms, the regulators let them be fiddled and the public had to pay the price to prop up the banking system because the regulators let the firms get away with blue murder all along.

The simple solution is for the regulators to draw their gums back and show their teeth and get on with penalising a few firms firmly. The message would soon get out and the firms would invest in better compliance and be less willing to let complainants go to the regulators. The result would be less cases for the regulators to deal with and less cost to the public in them having to do so. End result - firms behave, public get messed about less and the public don't have to pay so much for regulators to do a half-hearted job.

Why should you have to go through having to a) make a request and wait more than a month for a response, b) request an internal review, c) refer your case to the ICO, d) request a review at the ICO, e) refer your case to the PHSO, f) refer your case to court, just to get information that should have been handed out in the course of normal correspondence? The firms are using these Acts to slow disclosure when the Acts were written for the opposite purpose and the regulators and ombudsman are conspiring to delay and deter people from getting what is rightly theirs.
It is the same in just about every sector, the ombudsman is just there to delay or deflect the public from going to court.
What is your case number - do you have a link to the ruling - it sounds very interesting?

On a different subject from within your last - I note your comment that some information is destroyed by the negligent. This is a breach of the DPA, one of the principles is that information is collected for specific purposes and another is that it is processed only within those purposes. Consider why the information you have asked for was collected and then consider whether destroying it without your authority is within those purposes. If you believe that a DC has destroyed your personal information without it being part of a necessary process and without your permission, then you should complain to them about it and cite the fact that Anderson's Consulting (one of the UK's largest audit firms at the time) was forced to dissolve itself because it was caught destroying information without authority in regard to its client World Com. If you can show on the balance of probabilities that the information ought to have existed and that it is not there now and that you have not given authority for the DC to destroy it then I think you have a good case against the DC.

Regarding costs for tribunal hearings - this is a major issue across the justice system - the current government are trying to design the system so that only the richest party wins any legal case and it does not take a genius to work out why they would want that. The few individuals who can stand up for themselves are a real pain in the proverbial to these plans and we just have to stick to our guns and not let them get away with it.

Jt Oakley left an annotation

IN THE FIRST-TIER TRIBUNAL Appeal

No: EA/2014/0093

GENERAL REGULATORY CHAMBER

:::

It's about the Executive office (5 employees) request where the PHSO was stoutly maintaining (presumably to get a Decision Notice) that I'd asked for the contact names and addresses of ALL its 435 employees.

Ridiculous (as if!) ....and I even state that on the request.

https://www.whatdotheyknow.com/request/e...

Easily checked by the court, as was the statement that my complaint case was closed.

(It wasn't.. it was upheld).

The PHSO's position was that I was 'harassing' FOIA staff - by attempting to tell the PHSO's senior officers that it had botched the then upheld case. By asking for contact emails etc.

Which was a tad embarrassing for the PHSO when its own external investigator called its investigation:

'substandard'

and stated :

...'the review team seems to have become 'locked' into a negative bureaucratic process, which it treated as unalterable, of refusing to consider the points made for review'.

I got a formal apology from the Ombudsman Dame Julie Mellor - which I presented to the court.

::::

It was concrete evidence that the PHSO had misinformed the ICO.

And concrete evidence that I'd been telling the truth to the ICO, when the PHSO informed the ICO that it didn't have 'the remit' to check that I had.

All I'd asked - before court - was for an apology and to withdraw the misinformation to the ICO.

But the supremely arrogant PHSO just wouldn't back off on its 'Vanity Vexing'.

.....Clearly thinking the court would just rubber-stamp anything it had stated - as the ICO had been forced into doing.

:::::

NB

The PHSO STILL maintains its service was impeccable, the court's verdict is wrong and I don't deserve an apology for the 'Vanity Vexing', - which must have cost the public around £10k.

What a waste of taxpayers' money.

::::

As for an Ombudsman's upheld verdict ..I'd already had one from the Welsh Ombudsman before the PHSO bungled my complaint.

(A case supported by 2 MP's, a Minister of Health and reported by local and national press including Private Eye, Daily Mail, Telegraph, ITV, BBC).

:::

It didn't change a thing on the ward where my father died.

A whistleblower alleges that everything went on as before - with nurses assaulting elderly patients and destroying medical notes.

So, basically, an Ombudsman's verdict doesn't mean diddly squat.

Ian Howgate left an annotation

It makes me feel sick to think this country is so corrupt - it is just one big cover up. I had a complaint case against HMRC, in which they told me four times that I had my maths wrong and then when I got to the stage of the independent adjudicator's office, all of a sudden they said - ok you were right - here's a cheque for lots of money - and assured me they were going to correct their complaints process - which they never have and today I am going through the same process with them again.

I think we need a website - like this one but for complaints - which is called 'Judge for yourself' and allows a person to put their complaints about firms/PAs/charities up for the public to 'judge for themselves'. The organisations complained about could have a chance to put their defence and the public could even register their opinions having read all the information from both sides - it would save having to go through ridiculous lengths of complaint processes designed purely to wear a complainant down and tire their will to live in the process and if the complainant just wants an apology (which frankly they will never really get) and for the public to be able to know the truth - so that they go into a relationship with that body with their eyes wide open - then who needs all the costs and hassle of a complaints process, an ombudsman and a court. A simple 'judge for your selves' website would do the job just as well.

Jt Oakley left an annotation

Good idea - but unfortunately it wouldn't work .....on the grounds of libel.

The system ..as it is ,...makes people very cross, because basically they are Individuals ( who may have a justified case) vs Highly paid lawyers......working at public expense.

So libellous statements would be a risk for the complainant and the site manager/owner.

Ian Howgate left an annotation

Sorry don't agree with you on this one. The site manager is exactly that - an administrator of a computer system. If their code or their headers or site guidance included some form of libel then they are liable for that but not for content added by other users - unless they offer the service of vetting it. Plenty of newspapers allow a forum for chat which they host and there is no liability on them for stupid things said by their bloggers.

On the matter of the complainant, this is a different matter. If someone said something which was untrue it might be libel but only if they could not prove that it was their genuine belief or opinion at the time. The law of defamation has many very reasonable terms and one is that you cannot be done for libel if you a) are telling the truth, or b) express an opinion which you genuinely believe to be true. The site could coach people on making complaints that included phrases like 'I believe' and 'probably' or 'it seems' for matters where there is no real certainty because they are yet to be determined and leave the solid statements for the facts.

It is also not defamation to publish something that later turns out to be untrue if you believe there was a genuine need for the public to be aware of the issue at the time. And the site I am thinking of would be specifically for people with that important objective in mind. Complaint processes delay press publication for sometimes many years - and this is part of the purpose of them - often even if the person manages to work all their way to a fair result in their favour at a court the issue is stale in the public eyes by then and the firm/PA has moved its staff around and can claim that they have made changes over the last x years to make sure the same does not happen again - it is not the same as the public knowing when the thing happens. How many people suffered the same way as your father before you got your result and it ended up in the press? How much more difficult would it have been for them to have destroyed the documents if you have been in the press immediately with the public eye on them - the complaints are all in the public interest and the public have the right to know - just as the firms/PAs have the right of response and then the public can 'judge for themselves' and have the right to avoid a potentially dangerous situation if they feel it is just that - because the firm/PA's response does not stack up.

I have just won a case against my local police force who, the facts suggest, have been systematically suppressing my complaints and probably loads of other complaints too. It has taken many months to get a solid answer but the facts were overwhelming. I had made a complaint and the force claimed it was the same one as a previous complaint I had made and that I was trying to abuse the system. However the event I had complained about occurred three months after they had claimed to have resolved the earlier complaint which they said was the same complaint. The IPCC had no hesitation in ruling in my favour and the public would have seen the same idiocy in the police justification for excluding, as the IPCC eventually did. I have another case against the FCA who refused to deal with a major disclosure, I made to them, effectively and who have then refused to register my complaint on that subject; claiming that there was nothing illegal or improper in them ignoring the issues which I had claimed allowed hundreds of thousands of members of the public to be ripped off by the firms concerned and encouraged the firms to continue the behaviour which I had pointed out had disadvantaged the public and breached FSMA2000. The office of the complaints commissioner (the FSCC) immediately told me, on referral to them, that the FCA had decided to review their complaint handling because it was not up to their usual standard. But this was a no brainer - the FCA knew very well that they had to deal with the complaint but chose to try their luck that I would be stupid and go away because they were the regulator and if they told me they were entitled to let firms defraud the public then I was wrong to challenge them. End result lots of time wasted and public money - but if it was already on a complaints web site then the public would already know about the risk posed by the firm and the apparent collusion of the FCA in the cover up.

I have had many large organisations threaten me with defamation cases and it is all just hot air. They certainly don't have a case because what I write is the truth, I base my statements on things I have in hand and can prove on the balance of probabilities are true. They will not sue, even though they know that they have more money and can beat me up with it, because they also know that their lawyers and the courts have a special duty to a person who aims to represent themselves and hence their costs will rack up against them, not against me. Also because I will win, in the end. And because the process of proving that what I say is true will be an enormous embarrassment for them as it will create a public forum for the case, which they are hoping to delay in complaint and ombudsman processes, allowing them to wear me down. Making the step to claim libel would be a shot in the foot, as it would basically give the complainant a shortcut to the justice of the courts and put the cost burden on the infringing company.

I regularly offer firms to 'take me to court for libel, if what I am saying is untrue and let's have it out in front of a judge' and they never do - it is safer to hope I will go away than wage a public war in front of a judge (over which they ought to have little influence).

The question for the complainant would be - do you want to have your say in front of an independent adjudicator? Are you confident of your facts? If so then the website is for you as either the public will 'judge for themselves' and the firm will want to be seen to resolve the matter swiftly and fairly rather than face a public judgement. Or ignorant firms/PAs will pretend that they are right all along and try to scare you with defamation allegations and the worse that can do, is to give you the court hearing you have been looking for all along. But remember only include what you know is true and claim what you believe to be the case. If you make things up and present them as facts then you could get caught out.

I can hear what you are saying - well what are the potential financial consequences of a defamation case if it went wrong? Well here we have to look at the fact that we give the firm/PA the right of response - indeed we don't publish until we have given them a reasonable time to respond, perhaps after the initial complaint has been registered and they have given their response. At this stage, if they have failed to justify their decision properly, any loss of face is their own fault and they will be seen to have contributed to the damage (and little if anything will be claimable) and if they have justified their case well then, as the publication includes both sides of the story, the damage done will be minimal (because the public will be able to judge for themselves) and they will have little to claim by way of damages.

People are scared of the defamation laws but they should not be - so long as you do your best to tell the truth - it is not you who should be scared of this law.

Jt Oakley left an annotation ()

As a former newspaper editor, this is a good updated guide for you:

http://www.channel4.com/producers-handbo...

Information Commissioner’s Office

9 December 2015

 

Case Reference Number IRQ0605540

 

Dear Ms [first name redacted] Oakley

Request for Information
 
Further to our email of 16 November 2015, in which we acknowledged receipt
of your request for information held by the Information Commissioner’s
Office (ICO), as you know we have dealt with your request in accordance
with your ‘right to know’ under section 1(1) of the Freedom of Information
Act 2000 (FOIA).
 
As you know, you asked us to provide you with any “… internal guidance
that the ICO holds on audit trails – given to its employees”.
 
We do not hold any specific guidance or advice, either for the benefit of
ICO staff or all data controllers, about this issue.  The ICO’s Subject
Access Code of Practice, available on our website [1]here, doesn’t address
the issue specifically as you have described, but there is a section
titled ‘Finding and retrieving the relevant information’, within section
6, which you may find of interest.
 
We hope this is helpful, but if you are dissatisfied with this response
and wish to request a review of our decision or make a complaint about how
your request has been handled you should write to the Information Access
Team at the address below or e-mail [2][ICO request email].
 
Your request for internal review should be submitted to us within 40
working days of receipt by you of this response.  Any such request
received after this time will only be considered at the discretion of the
Commissioner.
 
If having exhausted the review process you are not content that your
request or review has been dealt with correctly, you have a further right
of appeal to this office in our capacity as the statutory complaint
handler under the legislation.  To make such an application, please write
to our Customer Contact Team at the address given or visit our website if
you wish to make a complaint under either the Freedom of Information Act
or Environmental Information Regulations.
 
A copy of our review procedure can be accessed from our website [3]here.
 
Yours sincerely
 
 
 

Antonia Swann
Lead Information Access Officer
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF
T. 01625 545894  F. 01625 524510  [4]ico.org.uk  [5]twitter.com/iconews
Please consider the environment before printing this email

 
 
 


Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire, SK9 5AF
Tel: 0303 123 1113 Fax: 01625 524 510 Web: www.ico.org.uk

References

Visible links
1. https://ico.org.uk/media/for-organisatio...
2. mailto:[ICO request email]
3. https://ico.org.uk/media/about-the-ico/p...
4. http://ico.org.uk/
5. https://twitter.com/iconews

Dear Information Commissioner’s Office,

Thank you but there is no link to your site.

It doesn't matter to me ....but others with the same request may wish to read it.

You may like to know that it's also impossible for me to copy the title for a Google search, or indeed any other part of the document (for a search to the ICO's guidance).

Yours faithfully,

Jt Oakley

casework, Information Commissioner’s Office

Thank you for contacting the Information Commissioner’s Office. We confirm
that we have received your correspondence.

 

If you have raised a new information rights concern - we aim to send you
an initial response and case reference number within 30 days. 

 

Please note that if you are concerned about the way an organisation is
handling your personal information, we will not usually look into it
unless you have raised it with the organisation first. For more
information please see our webpage ‘raising a concern with an
organisation’ (go to our homepage and follow the link ‘for the public’).
You can also call the number below.

 

If you have requested advice - we aim to respond within 14 days.

 

If you have made a request for information held by the ICO - we will
contact you as soon as possible if we need any further information to
enable us to answer your request. If we don't need any further information
we will respond to you within our published, and statutory, service
levels. For more information please visit our webpage 'access information
about the ICO' (go to our homepage and follow the link for ‘about the
ICO’).

 

If your correspondence relates to an existing case - we will add it to
your case and consider it on allocation to a case officer. 

 

Copied correspondence - we do not respond to correspondence that has been
copied to us. 

 

For more information about our services, please see our webpage ‘service
standards and what to expect’ (go to our homepage and follow the links for
‘Report a concern’ and ‘Service standards and what to expect'). You can
also call the number below.

 

If you have a matter you would like to discuss with us, please call our
helpline on 0303 123 1113 (local rate).

 

Yours sincerely

 

The Information Commissioner’s Office

 

Our newsletter 

Details of how to sign up for our monthly e-newsletter can be found at
[1]http://www.ico.org.uk/tools_and_resource...

 

Twitter 

Find us on Twitter at [2]http://www.twitter.com/ICOnews

 


Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire, SK9 5AF
Tel: 0303 123 1113 Fax: 01625 524 510 Web: www.ico.org.uk

References

Visible links
1. http://www.ico.org.uk/tools_and_resource...
2. http://www.twitter.com/ICOnews

Jt Oakley left an annotation ()

This seems to answer the question: if your name is on it it can't be excluded.....

The DPA does not permit you to exclude information from your response to a SAR merely because it is difficult to access.

:::::

The Act deals with the situation where supplying information in permanent form to the requester is impossible or would involve disproportionate effort (see chapter 8). But it does not place any express limits on your duty to search for and retrieve the information they want.

You should be prepared to make extensive efforts to find and retrieve the requested information. Even so, you are not required to do things that would be unreasonable or disproportionate to the importance of providing subject access to the information. Any decision on these matters should reflect the fact that the right of subject access is fundamental to data protection. It will always be reasonable and proportionate to search your records in the manner recommended in this chapter, and to review the information found with a view to disclosing it; and it will never be reasonable to deny access to the requested information merely because responding to the request may be labour-intensive or inconvenient.

:::::

In most cases, information stored in electronic form can easily be found and retrieved. However, as it is very difficult to truly erase all electronic records, it is arguable that a requester might be entitled to request access to personal data that you do not have ready access to – because you still hold the data and, with time and varying degrees of technical expertise, you could retrieve it.

You are likely to have removed information from your ‘live’ systems in a number of different ways. The information may have been:

• ‘archived’ to storage;
• copied to back-up files; or
• ‘deleted’.

Archived information and back-up records

Generally speaking, information is archived because, although you wish to remove it from your live systems, you decide to retain a copy in case it is needed in the future.

You should have procedures in place to find and retrieve personal data that has been electronically archived or backed up. The process of accessing electronically archived or backed-up data may be more complicated than the process of accessing ‘live’ data. However, as you have decided to retain copies of the data for future reference, you will presumably be able to find the data, possibly with the aid of location information from the requester. So you will be required to provide such information in response to a SAR.

Electronic archive and back-up systems might not use such sophisticated search mechanisms as ‘live’ systems, and you may ask a requester to give you enough context about their request to enable you to make a targeted search. The requester’s ability to provide it may significantly affect whether you can find what they want. Nevertheless, to the extent that your search mechanisms allow you to find archived or backed-up data for your own purposes, you should use the same effort to find information in order to respond to a SAR.

If a request relates specifically to back-up copies of information held on your ‘live’ systems, it is reasonable to consider whether there is any evidence that the back-up data differs materially from that which is held on the ‘live’ systems and which has been supplied to the requester. If there is no evidence that there is any material difference, the Information Commissioner would not seek to enforce the right of subject access in relation to the back-up records.

https://ico.org.uk/media/for-organisatio...

Information Commissioner’s Office

9 December 2015

 

Case Reference Number IRQ0605540

 

Dear Ms [first name redacted] Oakley

Thank you for your reply of 9 December 2015, and apologies that the link
to the Subject Access Code of Practice didn’t work.
 
I’ve provided the link again below, and hopefully this one will work for
you:
 
[1]https://ico.org.uk/media/for-organisatio...
 
Alternatively, the Code is available on our website by following these
options from our home page:
 
 

* For organisations
* Guide to data protection
* Principle 6 – rights
* Subject access request – scroll down to the section headed ‘What is a
valid subject access request’ and click on the link to ‘Subject Access
Code of Practice’.

 
I hope this is helpful.
 
Yours sincerely
 
 
 

Antonia Swann
Lead Information Access Officer
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF
T. 01625 545894  F. 01625 524510  [2]ico.org.uk  [3]twitter.com/iconews
Please consider the environment before printing this email

 
 
 
 
 
 
 


Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire, SK9 5AF
Tel: 0303 123 1113 Fax: 01625 524 510 Web: www.ico.org.uk

References

Visible links
1. https://ico.org.uk/media/for-organisatio...
2. http://ico.org.uk/
3. https://twitter.com/iconews

Ian Howgate left an annotation ()

A good response and it concurs with my knowledge of the SAR process.

This said do not overlook the fact that it does not need to include your name to be your data, it can include any personal identifier that the data controller can use to connect it with you, hence your phone number, your address, your date of birth, and any reference number they have allocated to you on any of their systems. Hence an audit file may well contain only a reference number for you and none of your actual personal information which would probably be held on a main live systems file but which is linked to the audit file by the common reference.

Don't let them squeeze out of doing their proper duty simply because they have carefully segregated off the personal identifiers that you would know by applying a reference number, for a case or you as a person, to the record.

Dear Information Commissioner’s Office,

Thank you.

Yours faithfully,

Jt Oakley


Jt Oakley left an annotation ()

Thank you too Ian.

It's odd that you should mention the strategy of using reference numbers rather than names, as my recent SARs from the PHSO seem to have quite a lot missing.

::::

For instance, some specialist request responses seem to come direct from the FOIA department personnel, rather than via the specialist.
....Erudite they may be, but surely not to that standard,

So reading the above responses, the Request reference number (although this request above doesn't seem to have been allocated one) would clearly be part of my data, as it is linked only to me. And is logged - as such - on WDTK.

So any withheld files would presumably be illegal if this is the method used. Therefore any correspondence with an FOIA reference number must surely be returned within a SAR?

:::::

Also missing is any information on the additional influence that the External Affairs department had on requests.

Since it is stated - in the PHSO's quarterly reports - that this department must have sight of any FOIA responses.....presumably for reputational defence and enhancement.

https://www.whatdotheyknow.com/request/2...

(Which is quite obvious on some responses as they are not straightforward - but give extra pro-reputational PHSO information which was simply not requested).

Yet traces of this external affairs internal input also seem to be missing from my SAR. But every request should leave a papertrail between the departments.

:::

It has been alleged that the Cabinet Office has been avoiding responding to requests by using Post-It notes.

http://www.thesun.co.uk/sol/homepage/new...

I am now wondering if the PHSO's officers are either mistakenly communicating by any of these methods... or are practiced at semaphore.

Ian Howgate left an annotation ()

Absolutely, all reference numbers are discoverable in a SAR, as is anything that is linked to a reference number that is specific to you.

Note that reference numbers don't need to be something visible to you. So you may not know it actually exists. One regular method for avoiding discovery is to create a reference number or code name on one system (like a card file index) held against a customer's ID details and then use that reference number on all other systems (or just those where they are saying things they don't want discovered) and in correspondence they want kept quiet. Hence if an organisation has a practice of calling you 'that chap' in correspondence then all correspondence with 'that chap' in it is potentially discoverable and they need to determine if it relates to you or some other chap.

I worked in a well known firm where a senior official had everyone refer to a particularly persistent complainant as 'the bastard' in all internal correspondence. The poor chap was not only being completely and unjustifiably messed about by the organisation but they were maligning him behind his back and corrupting the audit trail on his case records and he was just a worried elderly gent in his eighties who didn't know how he was going to pay the bills. (NB I made sure he was sorted out - even though it made me immensely unpopular). But it is a good example.

So they can use very clever methods to dodge a bullet.

Using post-it notes is a new one to me however. It may be helpful in DPA SAR cases, but only if the post-it notes are not in any referenced filing system. Hence if they are inside or on the front of a folder with a person's name on it - they are disclosable. Or if the post-it notes have a filing system of their own which allows staff to link them to a particular person then again they are discoverable under a SAR.

In regard to a FoIA request I don't think Post-it notes do much to help (though the PAs may well think it does and be frigging the system behind our backs) as the regulation questions whether the information is 'held' by the PA. It does not specify how the information is held and hence my understanding of the law says that even if it is held in the head of an employee of the PA (and is used in a professional capacity rather than a personal one - this is the same as records held on a personal phone or email account for instance) then it is held by the PA and must be disclosed on request.

If this interests you take a look at my applications to the major UK universities seeking information on the principles of physics and Einstein's theory of Relativity. The answer is almost certainly held in the head of one of their academic staff, who may well have never considered it and hence put it down in writing, but regardless it still amounts to information held by the university. If it was held by such an academic on a scruffy post-it note (which might be quite legitimate in the case of an academic) or maybe as a jotting on a white board, then it would still be 'held' by the university and is disclosable.

Jt Oakley left an annotation ()

Thanks ....very interesting.

The official need to get round the FOIA doesn't seem to be confined to a few negligent, or failing organisations.

Appreciate the descriptions of the strategies used ...although the fly in the ointment is how would a FOIA officer send the white board, or indeed, the information in someone's head to a requester?

If you have a link to your arguments I will try and read it/them.

Ian Howgate left an annotation ()

They have to transcribe the information into a form that can be supplied in writing. So long as that will not take longer than the time defined by the statutory cost limit then that is what they need to do to meet the request.
