The request was successful.
From: Paul Chivers
Dear Information Commissioner’s Office,
Do you hold any information or could give advice on whether anyone
who gives a Data Controller their personal data solely on the basis
of consent, can later request this data be deleted or not processed
by any Data Processor the Data Controller contracts?
From: Internal Compliance Dept
Dear Mr Chilvers
Thank you for your e-mail of 3 January 2012.
Although you have indicated that you wish to make a request for information, further to your 'right to know' contained in section 1 of the Freedom of Information Act 2000 (FOIA), your email appears to be an enquiry rather than a request for recorded information held by the ICO.
Where a 'request for information' contains an enquiry, rather than a specific request for copies of information held by the ICO, we deal with such requests as a 'normal course of business' enquiry rather than a formal request for information under the FOIA.
This is in accordance with the guidance given in the ICO publication 'Freedom of Information & Environmental Information Regulations - Hints for Practitioners handling FOI/EIR requests', which states on page 6 "Requests which are not for recorded information, but instead ask questions, such as "please explain your policy on x" or "please explain your decision to do y" are not requests for recorded information and therefore should be treated as routine correspondence.". This publication is available on our website, and can be accessed via the following link:
We have therefore forwarded your enquiry to our Customer Services Team who will respond to you in due course.
Lead Internal Compliance Officer
Information Commissioner's Office
Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.
T. 01625 545346 F. 01625 524510 www.ico.gov.uk
Information Commissioner’s Office
26th January 2012
Case Reference Number ENQ0429778
Dear Mr Chivers
I refer to your email dated 30 January 2012 concerning the processing of
The Information Commissioner’s Office advises and enforces the Data
Protection Act 1998 (DPA) which is based on eight principles of good
information handling. The DPA is specifically concerned with ‘personal
data’ which is information which identifies a living individual and is all
about them. All organisations processing personal data must comply with
all of the provisions of the DPA including these 8 principles.
The first principle of the DPA requires that before commencing any
processing of personal data, a data controller needs to provide certain
information (not necessarily in writing) to the data subject. This would
usually be at the point of collection and would include:
* The identity of the Data Controller (the organisation processing the
* The purposes or purposes of the processing
* Any further information that is necessary.
In short, to ensure that processing is ‘fair’ a data controller should
inform the data subject, who they are, and broadly what will be happening
to that data.
The DPA provides conditions for processing personal information other that
consent and there are exemptions that allow for disclosures in certain
With respect to the processing of personal information by a Data
Processor, the DPA describes a Data Processor as, ‘any person (other than
an employee of the data controller) who processes the data on behalf of
the data controller’. Essentially, a data processor is a separate legal
entity who processes data on behalf of a data controller.
A data controller may employ a data processor providing that the data
controller complies with specific obligations when the processing of
personal data is carried out on their behalf by a data processor. The data
controller retains full responsibility for the actions of the data
processor and the same levels of security should be present when the data
is being processed by the data processor. Providing the requirements of
the DPA are followed it is unlikely that consent of the data subjects
(that is the individuals whose personal information is being processed) is
required for their personal information to be disclosed by a data
controller to a data processor.
Regarding a request to cease processing personal information, if an
individual believes that a data controller is processing personal data in
a way that causes, or is likely to cause, substantial unwarranted damage
or distress to them or to another, section 10 of the Act provides that the
individual has the right to send a notice to the data controller requiring
him, within a reasonable time, to stop the processing. Guidance on this
may be found on the following link: Prevent processing of information.
It would not be appropriate to send a section 10 notice to a Data
Processor as a Data Processor only acts on the instructions of the Data
Controller as explained above.
Finally it is important to note that if consent has previously been given
a section 10 notice is unlikely to be successful unless the individual can
show that the processing is causing or is likely to cause them or another
person substantial unwarranted damage and/or distress.
I hope that you found this helpful.
First Contact Group
Telephone 01625 545635
Would you like to provide anonymous feedback about your experience as an
We are committed to learning from the experiences of our customers. If you
would like to provide some anonymous feedback about your experience as an
ICO customer please click here. We use all feedback to help us
continuously improve our service, focussing on the things that are most
important to our customers. The survey contains three questions and we
expect that it takes no more than one minute to complete. No personal data
will be collected as part of completing this survey.
Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire, SK9 5AF
Tel: 0303 123 1113 Fax: 01625 524 510 Web: www.ico.gov.uk