Details about the wealth analysis subject to fines against RSPCA and British Heart Foundation

The request was refused by Information Commissioner's Office.

Dear ICO

These is a further question relating to the December 2016 civil monetary penalties levied on RSPCA and British Heart Foundation. This question is asked in order to better understand the exact nature of the practices which have been fined.

The penalties refer to wealth management companies which analysed the financial status of supporters. Please provide the names of the companies which did this. With this information it will be possible to understand the nature of the practices which have been fined, since different companies use different methodologies.

If you are unable to provide this information owing to ongoing investigations, please provide separately for each of the companies to whom data was passed the following information:

i. The fields which were passed by the charity to each company, and
ii. The fields which were appended to the data by each company and passed back to the charity.

Thank you.

Yours faithfully,

Madeline Bowles

AccessICOinformation, Information Commissioner's Office

Thank you for contacting the Information Commissioner’s Office. We confirm
that we have received your correspondence.

 

If you have made a request for information held by the ICO we will contact
you as soon as possible if we need any further information to enable us to
answer your request. If we don't need any further information we will
respond to you within our published, and statutory, service levels. For
more information please visit [1]http://ico.org.uk/about_us/how_we_comply

 

If you have raised a new information rights concern - we aim to send you
an initial response and case reference number within 30 days.

 

If you are concerned about the way an organisation is handling your
personal information, we will not usually look into it unless you have
raised it with the organisation first. For more information please see our
webpage ‘raising a concern with an organisation’ (go to our homepage and
follow the link ‘for the public’). You can also call the number below.

 

If you have requested advice - we aim to respond within 14 days.

 

If your correspondence relates to an existing case - we will add it to
your case and consider it on allocation to a case officer.

 

Copied correspondence - we do not respond to correspondence that has been
copied to us.

 

For more information about our services, please see our webpage ‘Service
standards and what to expect' (go to our homepage and follow the links for
‘Report a concern’ and ‘Service standards and what to expect'). You can
also call the number below.

 

If there is anything you would like to discuss with us, please call our
helpline on 0303 123 1113.

 

Yours sincerely

 

The Information Commissioner’s Office

 

Our newsletter

Details of how to sign up for our monthly e-newsletter can be found at
[2]http://www.ico.org.uk/tools_and_resource...

 

Twitter

Find us on Twitter at [3]http://www.twitter.com/ICOnews

 

The ICO's mission is to uphold information rights in the public interest.
To find out more about our work please visit our website, or subscribe to
our e-newsletter at ico.org.uk/newsletter.

If you are not the intended recipient of this email (and any attachment),
please inform the sender by return email and destroy all copies without
passing to any third parties.

If you'd like us to communicate with you in a particular way please do let
us know, or for more information about things to consider when
communicating with us by email, visit ico.org.uk/email

References

Visible links
1. http://ico.org.uk/about_us/how_we_comply
2. http://www.ico.org.uk/tools_and_resource...
3. http://www.twitter.com/ICOnews

Information Commissioner's Office

17 February 2017

 

Case Reference Number IRQ0664461

 

Dear Ms Bowles,

I write in response to your email of 23 January 2017 in which you
submitted an information request to the ICO. Your request has been dealt
with under the Freedom of Information Act 2000 (FOIA) and our response is
below.
 
Your request
 
In your 23 January email you asked;
 
“These is a further question relating to the December 2016 civil monetary
penalties levied on RSPCA and British Heart Foundation. This question is
asked in order to better understand the exact nature of the practices
which have been fined.

The penalties refer to wealth management companies which analysed the
financial status of supporters. Please provide the names of the companies
which did this. With this information it will be possible to understand
the nature of the practices which have been fined, since different
companies use different methodologies.

If you are unable to provide this information owing to ongoing
investigations, please provide separately for each of the companies to
whom data was passed the following information:

i. The fields which were passed by the charity to each company, and ii.
The fields which were appended to the data by each company and passed back
to the charity.”
 
Our response
 
I can confirm we hold information within the scope of each aspect of your
request.
 
The names of the wealth management companies were redacted from the
published penalty notices and I can confirm we have a number of ongoing
investigations in this area. These names have been withheld from this
response to your request under section 31 of the FOIA for the reasons set
out in detail below.
 
In respect of your request for the data fields exchanged between each
charity and these wealth management companies this information was
provided to us by the charities during the course of our investigations
and has been withheld under both section 31 and section 44 of the FOIA.
 
Section 31(1)(g) of the FOIA refers to circumstances where the disclosure
of information “would, or would be likely to, prejudice – … the exercise
by any public authority of its functions for any of the purposes specified
in subsection (2).”
 
In this case the relevant purposes contained in subsection 31(2) are
31(2)(a) and 31(2)(c) which state;
 
“(a) the purpose of ascertaining whether any person has failed to comply
with the law” and
“(c) the purpose of ascertaining whether circumstances which would justify
regulatory action in pursuance of any enactment exist or may arise,”    

This exemption is not absolute and is subject to a public interest test. I
have therefore gone on to consider if the public interest in this instance
lies in favour of disclosure or maintaining the exemption.
 
Public interest arguments in favour of disclosure:
 

* There is a public interest in the ICO publishing information that
helps to demonstrate that we are complying with our duties.
* There is a public interest in the ICO being open and transparent about
our regulatory work. This helps promote public awareness and
understanding of our work. 
 

Public interest arguments in favour of maintaining the exemption:
 
 

* There is a strong public interest in the Information Commissioner
ensuring that no information is disclosed in a way that can likely
cause harm to current or future investigations.
* There is a public interest in the ICO being able to maintain effective
and productive relationships with the data controllers we regulate. It
is essential that organisations continue to engage with us in a
constructive and collaborative way without fear that the information
they provide to us will be made public prematurely, or as appropriate,
at all.  
* There is a public interest in maintaining our ability to conduct
investigations and carry out enforcement action in line with our
established processes and procedures without the risk of prejudicing
current or future investigations.
* There is a public interest in the ICO complying with the law. There is
expectation that it will comply with section 59(1)(a) of the Data
Protection Act 1998 (DPA) by ensuring that the information it receives
from data controllers in the course of its investigations remains
confidential.
* There is a public interest in the ICO providing a cost effective and
efficient regulatory function. This relies on the cooperation of data
controllers and we feel this is best achieved by an informal, open,
voluntary and uninhibited exchange of information with these
organisations. We feel that the cooperation of data controllers may be
adversely affected if all details that they provide us were made
public. This would be likely to make data controllers more cautious
about providing information to us in the future. Without the
cooperation of data controllers the ICO may have to resort to more
formal means of obtaining the information we reasonably require to
fulfil our regulatory function, for example, issuing information
notices under section 43 of the DPA. This would impact on our ability
to provide a cost effective and efficient regulatory function.
* There is a public interest in maintaining the ICO’s ability to conduct
investigations as it thinks fit without undue external influence.

 
Having considered the arguments both for and against disclosure, and our
‘[1]Communicating Regulatory Activity’ policy, we have concluded that the
arguments in favour of maintaining the exemption outweigh those in favour
of disclosure.
 
We are also of the view that the public interest arguments in favour of
disclosure have in part already been met by the information that we have
already published in respect of these penalties. This includes the
[2]monetary penalty notices themselves and the additional information on
our [3]website.  
 
In respect of the information you have requested regarding data fields
this information was provided to us by both the RSPCA and BHF as the
regulator of the DPA and we do not have consent to disclose this
information in response to this request. Consequently we find that the
exemption at section 44 of the FOIA is also engaged in respect of this
information. This is an absolute exemption and does not require
consideration of the public interest test.
 
Section 44 of the FOIA states;
 
“(1) Information is exempt information if it’s disclosure (otherwise than
under this Act) by the public authority holding it –
(a) is prohibited by or under any enactment”
 
The relevant enactment prohibiting the ICO from disclosing this
information is the Data Protection Act 1998 (DPA), specifically section 59
which states;
 
“(1) No person who is or has been the Commissioner, a member of the
Commissioner’s staff or an agent of the Commissioner shall disclose any
information which –
(a) has been obtained by, or furnished to, the Commissioner under or for
the purposes of the information Acts,
(b) relates to an identified or identifiable individual or business, and
(c) is not at the time of the disclosure, and has not previously been,
available to the public from other sources,
unless the disclosure is made with lawful authority”
 
As indicated above we rely on the co-operation of data controllers to
provide us with relevant information to enable us to fulfil our statutory
duties. If we were to release all of the information which we receive
during the course of our regulatory activities without lawful
authority this would be likely to deter organisations from providing
information to us in the future. This would ultimately undermine our
ability to carry out our regulatory function.
 
Section 59(2) of the DPA explains that there are five circumstances when
the ICO could have lawful authority to disclose information; this is an
exhaustive list. Having considered these circumstances we do not consider
in this instance that we have lawful authority to disclose this
information here.
 
This concludes our response to your request. I appreciate this response
will be disappointing however I hope the explanation of our decision is
helpful.
 
Next steps / review procedure
 
If you are dissatisfied with the response you have received and wish to
request a review of our decision or make a complaint about how your
request has been handled you should write to the Information Access team
at the address below or e-mail [4][ICO request email].

Your request for internal review should be submitted to us within 40
working days of receipt by you of this response. Any such request received
after this time will only be considered at the discretion of the
Commissioner.
 
If having exhausted the review process you are not content that your
request or review has been dealt with correctly, you have a further right
of appeal to this office in our capacity as the statutory complaint
handler under the legislation.  To make such an application, please visit
the ‘Concerns’ section of our website to make a Freedom of Information Act
or Environmental Information Regulations complaint online.
 
A copy of our review procedure is available here
[5]https://ico.org.uk/media/about-the-ico/p...

Yours sincerely
 
Steven Johnston
Lead Information Access Officer
 

The ICO's mission is to uphold information rights in the public interest.
To find out more about our work please visit our website, or subscribe to
our e-newsletter at ico.org.uk/newsletter.

If you are not the intended recipient of this email (and any attachment),
please inform the sender by return email and destroy all copies without
passing to any third parties.

If you'd like us to communicate with you in a particular way please do let
us know, or for more information about things to consider when
communicating with us by email, visit ico.org.uk/email

References

Visible links
1. https://ico.org.uk/media/about-the-ico/p...
2. https://ico.org.uk/action-weve-taken/enf...
3. https://ico.org.uk/about-the-ico/news-an...
4. mailto:[ICO request email]
5. https://ico.org.uk/media/about-the-ico/p...

Dear Mr Johnston

I am writing to request an internal review of Information Commissioner’s Office's handling of my FOI request 'Details about the wealth analysis subject to fines against RSPCA and British Heart Foundation'.

I have read the various reasons you have given for not disclosing the information I have asked for. I understand that you do not wish to reveal the names of the wealth screening companies. This request for a review refers only to your refusal to reveal the processes involved in the fined activity.

I do not agree with your reasons for not disclosing this information for the following reasons:

* I have asked for no personal data to be disclosed
* The information you have published elsewhere on the internet, including in the recent document issued prior to the 21 February conference does not provide the detail necessary to understand fully the activities which you have fined. In particular, there is no differentiation anywhere in your published information about the extent to which the activity which has been fined constituted the provision of factual information -e.g. the value of someone's assets - and the extent to which the activity constituted modelling, prediction or opinion - e.g the amount that someone might give or the likelihood of giving. The information about the fines themselves refers to likelihood of giving whereas the later information, including the conference documentation makes no reference to this. It is therefore very hard for the public to understand what activity has actually been the subject of enforcement.
* You have not explained how the provision of this simple information could prejudice ongoing enforcement activity. Additionally, since the enforcement activity in respect of this request is now entirely completed it is difficult to understand why it can not be made public.
* ICO has persistently said that one of its purposes is to educate data users as to proper treatment of data. It is perverse that ICO itself is now refusing to reveal the exact nature of data processing which has been the cause of enforcement activity.
* You have argued that it is necessary to maintain trust between data processors and yourselves. Surely a way to build trust, especially in a context where you are alleging significant compliance failings in large parts of the charity sector, is to be open about what it is that, in your view, constitutes a lack of compliance.
* You have argued that Section 44 prohibits you from disclosing the names of the wealth screening companies. I understand this. But, as I have pointed out, I have not asked for any information about a named individual and since this request for a review only concerns the nature of the processing not the identity of the contractors which carried it out, I do not believe that section 44 applies in the way you have suggested.
* You have persistently argued that the public does not understand wealth screening. There is evidence that at least in one respect, ICO does not understand it either. The information on ICO's website about the BHF and RSPCA fines refer to activity carried out by "wealth management companies." But wealth management companies typically look after the assets and investments of high net worth individuals; wealth screening companies carry out the activity ICO has fined. In the light of this basic lack of understanding of nomenclature of the companies which carry out this activity, there arguably a public interest in a greater degree of clarity about the exact nature of the activity which has been subject to enforcement.

A full history of my FOI request and all correspondence is available on the Internet at this address: https://www.whatdotheyknow.com/request/d... and I would be grateful for a review of this decision.

Yours sincerely,

Madeline Bowles

AccessICOinformation, Information Commissioner's Office

Thank you for contacting the Information Commissioner’s Office. We confirm
that we have received your correspondence.

 

If you have made a request for information held by the ICO we will contact
you as soon as possible if we need any further information to enable us to
answer your request. If we don't need any further information we will
respond to you within our published, and statutory, service levels. For
more information please visit [1]http://ico.org.uk/about_us/how_we_comply

 

If you have raised a new information rights concern - we aim to send you
an initial response and case reference number within 30 days.

 

If you are concerned about the way an organisation is handling your
personal information, we will not usually look into it unless you have
raised it with the organisation first. For more information please see our
webpage ‘raising a concern with an organisation’ (go to our homepage and
follow the link ‘for the public’). You can also call the number below.

 

If you have requested advice - we aim to respond within 14 days.

 

If your correspondence relates to an existing case - we will add it to
your case and consider it on allocation to a case officer.

 

Copied correspondence - we do not respond to correspondence that has been
copied to us.

 

For more information about our services, please see our webpage ‘Service
standards and what to expect' (go to our homepage and follow the links for
‘Report a concern’ and ‘Service standards and what to expect'). You can
also call the number below.

 

If there is anything you would like to discuss with us, please call our
helpline on 0303 123 1113.

 

Yours sincerely

 

The Information Commissioner’s Office

 

Our newsletter

Details of how to sign up for our monthly e-newsletter can be found at
[2]http://www.ico.org.uk/tools_and_resource...

 

Twitter

Find us on Twitter at [3]http://www.twitter.com/ICOnews

 

The ICO's mission is to uphold information rights in the public interest.
To find out more about our work please visit our website, or subscribe to
our e-newsletter at ico.org.uk/newsletter.

If you are not the intended recipient of this email (and any attachment),
please inform the sender by return email and destroy all copies without
passing to any third parties.

If you'd like us to communicate with you in a particular way please do let
us know, or for more information about things to consider when
communicating with us by email, visit ico.org.uk/email

References

Visible links
1. http://ico.org.uk/about_us/how_we_comply
2. http://www.ico.org.uk/tools_and_resource...
3. http://www.twitter.com/ICOnews

Information Commissioner's Office

2 March 2017

 

Case Reference Number RCC0670205

 

Dear Ms Bowles,

Request for Information 
 
Thank you for your correspondence dated 17 February 2017.
 
This correspondence will now be treated as a request for an internal
review of the response we provided to your recent request for information
under the Freedom of Information Act 2000.

We will aim to respond by 20 March 2017 which is 20 working days from the
day after we received your recent correspondence. This is in accordance
with our internal review procedures.
 
Yours sincerely
  
Steven Johnston
Lead Information Access Officer

The ICO's mission is to uphold information rights in the public interest.
To find out more about our work please visit our website, or subscribe to
our e-newsletter at ico.org.uk/newsletter.

If you are not the intended recipient of this email (and any attachment),
please inform the sender by return email and destroy all copies without
passing to any third parties.

If you'd like us to communicate with you in a particular way please do let
us know, or for more information about things to consider when
communicating with us by email, visit ico.org.uk/email

Information Commissioner's Office

20 March 2017

 

Case Reference Number RCC0670205

 

Dear Ms Bowles,

I write further to your email of 17 February 2017, in which you request an
internal review of the handling of your request, as set out in the
response sent to you on the same date; this was in response to your FOI
request of 23 January 2017, (reference IRQ0664461).

Your request for an internal review makes clear that your review request
refers only to “your refusal to reveal the processes involved in the fined
activity.” It does not seek a review of the withholding of the relevant
companies’ names.

I have been asked to review this element of the handling of your request
and the application of the exemptions at section 31(1)(g) of the Freedom
of Information Act 2000 (FOIA) by virtue of the purposes referred to in
subsection 31(2)(a) and (c); and, also the application of section 44 FOIA
by virtue of section 59 of the Data Protection Act 1998 (DPA). This will
be the focus of my review.

I am the principal adviser in Performance Improvement and can confirm that
I have had no prior involvement in the handling of your request.

In your original request you asked:

The penalties refer to wealth management companies which analysed the
financial status of supporters. Please provide the names of the companies
which did this. With this information it will be possible to understand
the nature of the practices which have been fined, since different
companies use different methodologies.

If you are unable to provide this information owing to ongoing
investigations, please provide separately for each of the companies to
whom data was passed the following information:

i. The fields which were passed by the charity to each company, and ii.
The fields which were appended to the data by each company and passed back
to the charity.
 
In relation to this internal review paragraphs 2 and 3 are the relevant
aspects of your request. I can confirm that the ICO holds information
relevant to these requests. I have carefully reviewed and considered the
content of that information.

My finding in relation to the relevant information contained in the two
investigations is that section 31(1)(g) is engaged by virtue of the
purposes referred to in section 31(2)(a) and (c). I have set out my
reasoning below.

The exemptions

Section 31(1)(g) provides that:
Information which is not exempt information by virtue of section 30 is
exempt information if its disclosure under this Act would, or would be
likely to, prejudice-
(g)  the exercise by any public authority of its functions for any of the
purposes specified in subsection (2)

Section 31(2)(a) and (c) provides that:
The purposes referred to in subsection (1)(g) to (i) are-
(a) the purpose of ascertaining whether any person has failed to comply
with the law,
(c) the purpose of ascertaining whether circumstances which would justify
regulatory action in pursuance of any enactment exist or may arise,

The ICO exercises a number of statutory functions for the purpose of
ascertaining whether a public authority/data controller has failed to
comply with the law and/or for the purpose of ascertaining whether
circumstances exist or may arise which would justify regulatory action in
relation to relevant legislation.

A considerable proportion of the ICO’s regulatory work is concerned with
ascertaining whether public authorities/data controllers have complied
with the statutory requirements placed upon them by both the DPA and FOIA.
Clearly the relevant information in these investigations is information
which the ICO needs to consider in determining whether a data controller
has complied with the DPA. It follows therefore that the purposes referred
to in subsection (a) and (c) above apply in relation to this information.
Disclosure of this information in relation to the ICO’s regulatory work
would, in my opinion, be likely to prejudice the ICO’s regulatory
functions.

It is also my opinion that disclosure would have the effect of inhibiting
open dialogue between the ICO and public authorities/data controllers.
With regard to consideration of the public interest test, for the reasons
set out clearly in my colleague, Mr Johnston’s, comprehensive response of
17 February 2017, I concur that in the particular circumstances of this
case the public interest in maintaining the exemption outweighs the public
interest factors in disclosure.

I consider the public interest arguments in favour of maintaining the
exemption, set out in Mr Johnston’s letter, comprehensively explains why
disclosure of the information requested here would be likely to prejudice
both current and future investigations. In order for the ICO to provide an
effective and efficient regulatory function it requires a degree of
co-operation and assistance from data controllers. If we were to routinely
disclose information provided to us on a collaborative and voluntary
basis, i.e. without the need for us having to resort to the use of formal
powers (for example, Information Notices), this would not only lengthen
the time it would take to conduct an investigation but it would be likely
to erode the trust and co-operation of data controllers and consequently
have a negative effect on our ability to undertake our regulatory
functions in the most effective way.

I would also concur with the original response to you that the amount of
information available, regarding the investigations and the activities of
the two charities, in the ICO press release, and in the two Penalty
Notices (links provided below), goes a long way to addressing the public
interest arguments of accountability, transparency and demonstrating that
the ICO is complying with its duties.
 
[1]https://ico.org.uk/about-the-ico/news-an...
 
[2]https://ico.org.uk/media/action-weve-tak...
 
[3]https://ico.org.uk/media/action-weve-tak...
 
Turning now to the application of section 44 of the FOIA.
 
Section 44 of the FOIA provides;
 
“(1) Information is exempt information if it’s disclosure (otherwise than
under this Act) by the public authority holding it –
(a) is prohibited by or under any enactment”
 
The relevant enactment prohibiting the ICO from disclosing this
information is the Data Protection Act 1998 (DPA), specifically section 59
which states;
 
“(1) No person who is or has been the Commissioner, a member of the
Commissioner’s staff or an agent of the Commissioner shall disclose any
information which –
(a) has been obtained by, or furnished to, the Commissioner under or for
the purposes of the information Acts,
(b) relates to an identified or identifiable individual or business, and
(c) is not at the time of the disclosure, and has not previously been,
available to the public from other sources,
unless the disclosure is made with lawful authority”
 
With regard to the application of section 44 FOIA, the withheld
information was provided to the Commissioner by the charities during the
course of her investigations, under the Data Protection Act 1998 (DPA),
and as such clearly engages the exemption by virtue of section 59 DPA.
  
Section 59(2) of the DPA sets out the circumstances where the ICO could
have lawful authority to disclose the requested information. However,
having carefully considered those particular circumstances in relation to
this request, I do not consider that the ICO has the necessary ‘lawful
authority’ to override the exemption and disclose the requested
information.
 
I hope that you find this response helpful. However, if you are
dissatisfied with the outcome of this review you may make a section 50
complaint to the ICO.

How to complain

Information on how to complain is available on the ICO website at:

[4]http://www.ico.gov.uk/complaints/freedom...

By post: If your supporting evidence is in hard copy, you can fill in the
Word version of our complaint form, print it out and post it to us with
your supporting evidence. A printable Freedom of Information Act
complaints form is available from the ICO website. Please send to:

First Contact Team
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF

By email: If all your supporting evidence is available electronically, you
can fill in our online complaint form. Important: information included in
the form, and any supporting evidence will be sent to us by email.

Yours sincerely

Gerrard Tracey
Principal Adviser

The ICO's mission is to uphold information rights in the public interest.
To find out more about our work please visit our website, or subscribe to
our e-newsletter at ico.org.uk/newsletter.

If you are not the intended recipient of this email (and any attachment),
please inform the sender by return email and destroy all copies without
passing to any third parties.

If you'd like us to communicate with you in a particular way please do let
us know, or for more information about things to consider when
communicating with us by email, visit ico.org.uk/email

References

Visible links
1. https://ico.org.uk/about-the-ico/news-an...
2. https://ico.org.uk/media/action-weve-tak...
3. https://ico.org.uk/media/action-weve-tak...
4. http://www.ico.gov.uk/complaints/freedom...