Data Subject Identity checks

Thank you for contacting the Information Commissioner’s Office. We confirm
that we have received your correspondence.

If you have made a request for information held by the ICO we will contact
you as soon as possible if we need any further information to enable us to
answer your request. If we don't need any further information we will
respond to you within our published, and statutory, service levels. For
more information please visit:

[1]https://ico.org.uk/about-the-ico/our-inf...

If you have raised a new information rights concern - we aim to send you
an initial response and case reference number within 30 days.

If you are concerned about the way an organisation is handling your
personal information, we will not usually look into it unless you have
raised it with the organisation first. For more information please see our
webpage ‘raising a concern with an organisation’ (go to our homepage and
follow the link ‘for the public’). You can also call the number below.

If you have requested advice - we aim to respond within 14 days.

If your correspondence relates to an existing case - we will add it to
your case and consider it on allocation to a case officer.

Copied correspondence - we do not respond to correspondence that has been
copied to us.

For more information about our services, please see our webpage ‘Service
standards and what to expect' (go to our homepage and follow the links for
‘Report a concern’ and ‘Service standards and what to expect'). You can
also call the number below.

For information about what we do with personal data see our [2]privacy
notice.

If there is anything you would like to discuss with us, please call our
helpline on 0303 123 1113.

Yours sincerely

The Information Commissioner’s Office

Our newsletter

Details of how to sign up for our monthly e-newsletter can be found
[3]here.

Twitter

Find us on Twitter [4]here.

References

Visible links
1. https://ico.org.uk/about-the-ico/our-inf...
2. https://ico.org.uk/global/privacy-notice/
3. https://ico.org.uk/about-the-ico/news-an...
4. http://www.twitter.com/ICOnews

9 November 2020

Case Reference: IC-66205-C9J2

Dear W Hunter

Further to your email of 16 October we can now provide a response to your
information request. We have handled your request under the Freedom of
Information Act 2000 (the FOIA).

Request

In your email you asked for:

“ 1. Please confirm if there is any information held by the ICO which
identifies or defines any "reasonable belief" or Reasonable doubt" issued
as guidance or detailed in any ICO decision regarding the identification
of a data subject and if so provide a copyof or a link to where that
information may be found,

2. Please specify if there is any current or indeed more up to date
guidance or information on what would constitute how to identify a data
subject in relation to information held, especially where all
communication within the "existing or ongoing relationship"between the
data subject and the data controller has been undertaken by electronic
communication only.

3. Please specify if there is any information or guidance held regarding
any requirement that a Data Controller must identify the applicant only in
relation to the records held rather than identifying the applicant as an
individual without reference to therecords at all.

4. Please specify if requesting ID information which cannot possibly
identify the applicant in relation to the records held, or requested
without any reasonable belief that the applicant was not entitled to
receive the information, would constitute an offenceunder the GDPR or DPA
and specify what the offence would be and how it could be investigated or
prosecuted.

In cases where the organisation has been in regular communication with
the data subject prior to a SAR being received, and the organisation
refuses to comply maintaining that they do not reasonably believe the data
subject is the person entitled to receivethat information, 5. please
specify any information held and or records available regarding ICO
decisions where any data controller has subsequently had any sanction
applied by the ICO for communicating information to an individual that
they now claim theydo not reasonable believe was entitled to receive it .

6. In cases where a data controller has refused to comply with a lawful
SAR citing a reasonable belief that the person communicating is not
entitled to receive that information until ID documentation is received,
please specify whether the continued communicationby that data controller
in the course of normal business with that data subject on the matters
concerned would constitute:

a. a breach of the DPA / GDPR in that the data controller is
communicating personal information to a person they claim they have reason
to believe is not entitled to receive that information. or

b. Proof of a section 173 offence in that the data controller is more
than willing to continue communication in the course of normal business
whilst falsely claiming a reasonable belief that they are communication
with someone not lawfully eligible to receivethat information.

Please provide copies of any information held or links to any guidance
available which apply.

7. In cases where a data controller claims a reasonable belief that a
data subject making an application is not eligible to receive that
information please specify if there is any requirement whatsoever for a
data controller to specify what any such reasonablebelief is based upon
and when that belief came to light.

8. please state any information held which details or explains any
possible reason or justification why the ICO will not prosecute data
controllers for section 173 offences on behalf of individual data
subjects.”

Our response

Unfortunately we are not able to provide you with the information you have
requested. I will explain in more detail below why this is the case, but
in brief, section 12 of the Freedom of Information Act 2000 (FOIA) makes
clear that a public authority (such as the Information Commissioner’s
Office – the ICO) is not obliged to comply with an FOIA request if the
authority estimates that the cost of complying with the request would
exceed the ‘appropriate limit'. The ‘appropriate limit’ for the ICO, as
determined in the ‘Freedom of Information and Data Protection (Appropriate
Limit and Fees) Regulations 2004’ is £450. We have determined that £450
would equate to 18 hours work.

Whilst the information you have requested is likely to sit within our
electronic case management system, this system is not set up to easily
provide us with the type of information you have requested. Generally
speaking this is not the sort of information we would need for our own day
to day business purposes.

The system allows us to search for the cases we have dealt with in a
number of different ways, such as by the unique reference number the case
was given, the name and address of the person who contacted us and the
name of any organisation that has been complained about. We can also
search for cases on the basis of the broad nature or sector of the
complaint, but we can only search on a limited number of fixed criteria.

Unfortunately we are not able to search for cases that relate to the
identification of data subjects. In order to establish any relevant
decisions made or actions taken we would need to access all the cases on
our case management system and read the relevant documents.

There are thousands of cases on our case management system and the time
required to access them all would be well in excess of the 18 hours which
would accrue a charge of £450.

It is for this reason, and in accordance with section 12 of the FOIA, that
we are not obliged to comply with your request for information.

However, if you are able to narrow the scope of your request we may be in
a position to provide information to you free of charge, if it will cost
us less than the appropriate limit to do so.

For example, you can narrow the scope of the request to specific data
controllers or consider a time frame.

I should point out that any reformulated request you may wish to make to
the ICO will be treated as a new FOI request, and the 20 working day time
limit will begin again.

Next steps

If you are dissatisfied with our response under the FOIA or wish to
complain about how your request has been handled please write to the
Information Access Team at the address below or email
[1][ICO request email]

A request for internal review should be submitted to us within 40 working
days of receipt by you of this response. Any such request received after
this time will only be considered at the discretion of the Commissioner.

If having exhausted the review process you are not content that your
request or review has been dealt with correctly, you have a further right
of appeal to this office in our capacity as the statutory complaint
handler under the legislation. To make such an application, please write
to our FOI Complaints & Appeals Department at the address below or visit
our website if you wish to make a complaint under the Freedom of
Information Act.

A copy of our review procedure can be accessed from our website.

[2]https://ico.org.uk/media/1883/ico-review...

Your information

Please note that our privacy notice explains what we do with the personal
data you provide to us and what your rights are:

[3]https://ico.org.uk/global/privacy-notice...

This includes entries regarding the specific purpose and legal basis for
the ICO processing information that people that have provided us with,
such as an information requester:

[4]https://ico.org.uk/global/privacy-notice...

The length of time we keep information is laid out in our retention
schedule, which can be found at:

[5]https://ico.org.uk/media/about-the-ico/p...

Yours sincerely

Adrian Hay

Senior Information Access Officer, Risk and Governance Department
Corporate Strategy and Planning Directorate

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF
T. 03304146450 F. 01625 524510 ico.org.uk twitter.com/iconews
Please consider the environment before printing this email
For information about what we do with personal data see our privacy notice
at [6]https://ico.org.uk/global/privacy-notice/

References

Visible links
1. mailto:[ICO request email]
2. https://ico.org.uk/media/1883/ico-review...
3. https://ico.org.uk/global/privacy-notice...
4. https://ico.org.uk/global/privacy-notice...
5. https://ico.org.uk/media/about-the-ico/p...
6. https://ico.org.uk/global/privacy-notice/

To read this email in English click [1]here

I darllen yr ebost yn y Gymraeg, cliciwch [2]yma

Thank you for contacting the Information Commissioner’s Office. We confirm
that we have received your correspondence. During the Coronavirus
pandemic, please see our [3]website for updates on the service you can
expect from us during this time. You can also call us on 0303 123 1113 or
contact us via live chat.

If you have asked us for advice - we will respond within 14 days. While
you wait, you should regularly check our [4]website for relevant
guidance, as we are updating this all the time. You should also read our
[5]GDPR myth busting blogs. If you have raised a question that we have
answered on our website, we may respond by sending you a link to it. But
we will do our best to provide you with the information you need.

If you have made a new complaint - we’re unlikely to look into it unless
you have raised it with the [6]responsible organisation (for a data
protection complaint) or the [7]responsible public authority (for a
freedom of information complaint) first. Please make sure you have sent
us a copy of their final response to you. We will assign your complaint to
a case officer as soon as we can, and they will contact you in due
course.

If your correspondence relates to an existing case - we will add it to
your case and consider it on allocation to a case officer. If you believe
we have either failed to take appropriate steps to respond to your data
protection complaint, or we do not provide you with information about the
progress or outcome of your complaint within the next three months, you
may be able to apply to the [8]First-tier Tribunal to require us to
respond to your complaint or to provide you with information about its
progress.

If you represent an organisation and you are reporting a personal data
breach under the GDPR or the Data Protection Act 2018 - we aim to contact
you within seven days to confirm receipt and to provide you with a case
reference number. If you want advice urgently, you should telephone our
helpline on 0303 123 1113. If we consider the incident is minor or you
have indicated that you do not consider it meets the threshold for
reporting, you may not receive a response from us, or we may respond by
sending you a link to the relevant part of our guidance. You can find out
more about [9]data breach reporting on our website.

Where a significant cyber incident occurs, you may also need to report
this to the National Cyber Security Centre (the NCSC). To help you decide,
you should read the NCSC’s guidance about their role and the type of
incidents that you should consider reporting.

Incidents that might lead to a heightened risk of individuals being
affected by fraud, should be reported to Action Fraud – the UK’s national
fraud and cybercrime reporting centre. If your organisation is in
Scotland, then reports should be made to Police Scotland.

If you are a Communications Service Provider reporting a security breach
under the Privacy and Electronic Communications Regulations – you will
need to report the security breach via this [10]secure portal.

If you represent an organisation and are reporting a potential incident
under the NIS Directive - we will contact you as soon as we can. You can
find out more about the [11]NIS Regulations on our website.

If you represent an organisation and you are reporting a security breach
within the definition of the eIDAS regulation – we will contact you as
soon as we can. You can find out more about the [12]eIDAS regulation on
our website.

If you have reported spam email – we are unlikely to need to contact you
again, unless we need more information to help with our investigations. We
publish details about the [13]action we've taken on nuisance messages on
our website.

If you have asked for information you think we might hold - we will
contact you if we need any more information to help us respond. Otherwise,
we will respond within our [14]public and statutory service levels.

If you have only copied your correspondence to us - we will not respond.

There is more information on our [15]service standards and what to expect
webpage. You can also call 0303 123 1113. We welcome calls in Welsh on
0330 414 6421. You can also contact us on [16]live chat.

For information about what we do with personal data please see our
[17]privacy notice.

Yours sincerely

The Information Commissioner’s Office

Our newsletter
You can [18]sign up to our monthly e-newsletter

Pwnc: Mae’ch neges ebost wedi dod i law

Diolch yn fawr ichi am gysylltu â Swyddfa’r Comisiynydd Gwybodaeth. Yn
ystod y pandemig Coronafeirws, gweler [19]ein gwefan am ddiweddariadau ar
y gwasanaeth sydd ar gael i’r cyhoedd ar hyn o bryd. Hefyd, mae’n bosib
ein ffonio ar 0303 123 1113, neu gysylltu â ni trwy sgwrs fyw.

Os ydych wedi gofyn am gyngor – byddwn yn ymateb o fewn 14 diwrnod. Tra
byddwch yn aros, dylech edrych yn rheolaidd ar ein [20]gwefan i chwilio am
ganllawiau perthnasol, gan eu bod yn cael eu diweddaru drwy’r amser. Hefyd
dylech ddarllen ein [21]blogiau ynghylch mythau’r GDPR. Os ydych wedi codi
cwestiwn sydd wedi’i ateb ar ein gwefan, mae’n bosibl y byddwn yn ymateb
drwy anfon dolen atoch i gysylltu â’r ateb. Ond fe wnawn ein gorau glas i
roi’r wybodaeth angenrheidiol ichi

Os ydych wedi gwneud cwyn newydd – dydyn ni ddim yn debygol o edrych i
mewn iddo oni bai eich bod wedi’i godi’n gyntaf gyda’r [22]sefydliad
cyfrifol (cwyn am ddiogelu data) neu’r [23]awdurdod cyhoeddus cyfrifol
(cwyn am ryddid gwybodaeth). Gofalwch eich bod wedi anfon copi aton ni o’u
hymateb terfynol ichi. Byddwn yn rhoi’ch achos i swyddog achosion cyn
gynted ag y gallwn, a bydd y swyddog yn cysylltu â chi maes o law.

Os yw’ch gohebiaeth yn ymwneud ag achos sydd eisoes yn bod - byddwn yn ei
hychwanegu at eich achos ac fe gaiff ei hystyried ar ôl cael ei dyrannu i
swyddog achosion. Os ydych yn credu ein bod ni naill ai wedi methu cymryd
camau priodol i ymateb i'ch cwyn diogelu data, neu heb ddarparu gwybodaeth
ichi am gynnydd neu ganlyniad eich cwyn o fewn y tri mis nesaf, efallai y
byddwch yn gallu gwneud cais i'r [24]Tribiwnlys Haen Gyntaf i’w gwneud yn
ofynnol inni ymateb i'ch cwyn neu ddarparu gwybodaeth ichi am gynnydd eich
cwyn.

Os ydych yn cynrychioli sefydliad a’ch bod yn rhoi gwybod am drosedd data
personol o dan y GDPR neu Ddeddf Diogelu Data 2018 – rydym yn anelu at
gysylltu â chi o fewn saith niwrnod calendr i gadarnhau bod eich neges
wedi dod i law ac i roi rhif cyfeirnod achos ichi. Os oes arnoch eisiau
cyngor ar frys, dylech ffonio’n llinell gymorth ar 0303 123 1113. Os ydym
o’r farn bod y digwyddiad yn un mân neu os ydych chi wedi nodi nad ydych
o’r farn bod y digwyddiad yn cyrraedd y trothwy i roi gwybod amdano, mae’n
bosibl na chewch ymateb gennym, neu efallai y byddwn yn ymateb drwy anfon
dolen atoch i gysylltu â’r rhan berthnasol o'n canllawiau. Cewch ragor o
wybodaeth am [25]roi gwybod am droseddau data ar ein gwefan.

Pan fo digwyddiad seibr arwyddocaol yn digwydd, mae’n bosibl y bydd angen
ichi roi gwybod amdano hefyd i’r Ganolfan Seiberddiogelwch Genedlaethol
(yr NCSC). I’ch helpu i benderfynu, dylech ddarllen canllawiau’r NCSC ar
eu rôl a’r math o ddigwyddiadau y dylech ystyried rhoi gwybod amdanyn nhw.

Dylai digwyddiadau a allai arwain at risg uwch y bydd twyll yn effeithio
ar unigolion gael eu cyfleu i Action Fraud – sef canolfan genedlaethol y
Deyrnas Unedig ar gyfer rhoi gwybod am dwyll a seiberdroseddau. Os yw eich
sefydliad yn yr Alban, yna i Heddlu’r Alban y dylech chi roi gwybod.

Os ydych yn Ddarparwr Gwasanaethau Cyfathrebu sy’n rhoi gwybod am dor
diogelwch o dan y Rheoliadau Preifatrwydd a Chyfathrebu Electronig – bydd
angen ichi roi gwybod am y tor diogelwch drwy’r [26]porth diogel hwn.

Os ydych yn cynrychioli sefydliad a’ch bod yn rhoi gwybod am ddigwyddiad
posibl o dan Gyfarwyddeb yr NIS – byddwn yn cysylltu â chi cyn gynted ag y
gallwn. Cewch ragor o wybodaeth am [27]Reoliadau’r NIS ar ein gwefan.

Os ydych yn cynrychioli sefydliad a’ch bod yn rhoi gwybod am dor diogelwch
o fewn y diffiniad yn Rheoliad eIDAS – byddwn yn cysylltu â chi cyn gynted
ag y gallwn. Cewch ragor o wybodaeth am [28]Reoliad eIDAS ar ein gwefan.

Os ydych wedi rhoi gwybod am ebost sbam – mae’n annhebygol y bydd angen
inni gysylltu â chi eto, oni bai bod arnon ni angen rhagor o wybodaeth i
helpu yn ein hymchwiliad. Rydym yn cyhoeddi gwybodaeth am [29]y camau
rydyn ni wedi’u cymryd ynghylch negeseuon niwsans ar ein gwefan.

Os ydych wedi gofyn am wybodaeth yr ydych yn credu ei bod gennyn ni –
byddwn yn cysylltu â chi os bydd arnom angen rhagor o wybodaeth i’n helpu
i ymateb. Fel arall, byddwn yn ymateb ichi o fewn ein [30]lefelau
gwasanaeth statudol a chyhoeddus.

Os ydych wedi anfon copi o’ch gohebiaeth aton ni ond dim byd arall –
fyddwn ni ddim yn ymateb.

Mae rhagor o wybodaeth ar ein tudalen gwe [31]safonau gwasanaeth a beth
i’w ddisgwyl. Gallwch ffonio hefyd ar 0330 414 6421, neu yn Saesneg ar
0303 123 1113. Gallwch gysylltu â ni hefyd i gael [32]sgwrs fyw.

I gael gwybodaeth am yr hyn rydyn ni’n ei wneud â data personol, gweler
ein [33]hysbysiad preifatrwydd.

Yn gywir

Swyddfa’r Comisiynydd Gwybodaeth

Ein cylchlythyr

Gallwch [34]gofrestru i gael ein e-gylchlythyr misol

References

25 November 2020

Case Reference: IC-66205-C9J2

Dear W Hunter

Thank you for your correspondence dated 20 November.

This correspondence will now be treated as a request for an internal
review of the response we provided to your recent request for information
under the Freedom of Information Act 2000.

We will aim to respond by 21 December which is 20 working days from the
day after we received your recent correspondence. This is in accordance
with our internal review procedures which were provided with our response.

Yours sincerely

Adrian Hay

Senior Information Access Officer, Risk and Governance Department
Corporate Strategy and Planning Directorate

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF
T. 03304146450 F. 01625 524510 ico.org.uk twitter.com/iconews
Please consider the environment before printing this email
For information about what we do with personal data see our privacy notice
at [1]https://ico.org.uk/global/privacy-notice/

References

Visible links
1. https://ico.org.uk/global/privacy-notice/