Does the ICO ever check that promised changes to ensure DPA compliance have been implemented?

COLIN WHITE made this Freedom of Information request to Information Commissioner's Office

This request has been closed to new correspondence from the public body. Contact us if you think it ought be re-opened.

The request was refused by Information Commissioner's Office.

Dear Information Commissioner’s Office,

You made an assessment of non-compliance with the Data Protection Act by NHS Dumfries and Galloway.

This assessment was given the ref no. RFAO643O36.

Following receipt of this assessment NHS D&G wrote promising changes to ensure compliance with the Data Protection Act 1998 (DPA), such as easy read information pamphlets, that would be drawn up within two weeks by the head of the psychology department that provided information on consent and data sharing etc.

1. Please provide the documents that show these promises of changes were ever fulfilled.

2. Please provide the documents that show the ICO checked that these promises were ever fulfilled.

3. Please provide the documents that show the ICO checked that as a result of the promised changes having been implemented that NHS D&G were now in compliance with the DPA.

4. Does the ICO routinely take it on trust that promised changes by NHS D&G have been carried out without insisting on proof that they have been done?

5. Has the ICO EVER taken enforcement action against any Health Board or Council in Scotland for repeated assessments of non-compliance with the DPA?

6. How many times has NHS D&G been assessed as being in non-compliance with the Data Protection Act 1998 and 2018 in the last five years?

Yours faithfully,

Colin White

AccessICOinformation, Information Commissioner's Office

Thank you for contacting the Information Commissioner’s Office. We confirm
that we have received your correspondence.

If you have made a request for information held by the ICO we will contact
you as soon as possible if we need any further information to enable us to
answer your request. If we don't need any further information we will
respond to you within our published, and statutory, service levels. For
more information please visit [1]http://ico.org.uk/about_us/how_we_comply

If you have raised a new information rights concern - we aim to send you
an initial response and case reference number within 30 days.

If you are concerned about the way an organisation is handling your
personal information, we will not usually look into it unless you have
raised it with the organisation first. For more information please see our
webpage ‘raising a concern with an organisation’ (go to our homepage and
follow the link ‘for the public’). You can also call the number below.

If you have requested advice - we aim to respond within 14 days. 

If your correspondence relates to an existing case - we will add it to
your case and consider it on allocation to a case officer.

Copied correspondence - we do not respond to correspondence that has been
copied to us.

For more information about our services, please see our webpage ‘Service
standards and what to expect' (go to our homepage and follow the links for
‘Report a concern’ and ‘Service standards and what to expect'). You can
also call the number below.

For information about what we do with personal data see our [2]privacy
notice.

If there is anything you would like to discuss with us, please call our
helpline on 0303 123 1113.

Yours sincerely

The Information Commissioner’s Office

Our newsletter

Details of how to sign up for our monthly e-newsletter can be found at
[3]http://www.ico.org.uk/tools_and_resource...

Twitter

Find us on Twitter at [4]http://www.twitter.com/ICOnews

 

References

Visible links
1. http://ico.org.uk/about_us/how_we_comply
2. https://ico.org.uk/global/privacy-notice/
3. http://www.ico.org.uk/tools_and_resource...
4. http://www.twitter.com/ICOnews

Information Commissioner's Office

7 December 2018

 

Case Reference Number IRQ0805751

 

Dear Mr White

Thank you for your recent request for information. We received your
request on 30 November 2018.
 
We will be considering your request under the Freedom of Information Act
2000. You can expect us to respond in full by 3 January 2019. This is 20
working days from the date we received your request. If, for any reason,
we can’t respond by this date, we will let you know and tell you when you
can expect a response.
 
If you have any questions please contact me using the IRQ case reference
number above or by replying to this email and leaving the subject field
unchanged.
 
Thank you for your interest in the work of the Information Commissioner's
Office.
 
Yours sincerely
 
 

Alexis Karlsson-Jones
Senior Information Access Officer, Risk and Governance Department
Corporate Strategy and Planning Directorate
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF
T. 0330 313 1886 F. 01625 524510  [1]ico.org.uk  [2]twitter.com/iconews
For information about what we do with personal data see our [3]privacy
notice. Please consider the environment before printing this email

References

Visible links
1. http://ico.org.uk/
2. https://twitter.com/iconews
3. https://ico.org.uk/global/privacy-notice/

Information Commissioner's Office

21 December 2018

 

Case Reference Number IRQ0805751

 

Dear Mr White

I am writing further to my correspondence of 7 December 2018.

In your email, sent via whatdotheyknow.com, you have referred to the ICO’s
case reference RFA0643036, which relates to a complaint to the ICO about
NHS Dumfries and Galloway. I understand that you were party to this
complaint.

As you might be aware, WDTK is a website designed to help people make
freedom of information requests to public authorities like the ICO.

Whilst some of the information you have asked for may be subject to the
Freedom of Information Act 2000 (FOIA), it is also likely that some of the
information within scope of your request may also include personal data
relating to a third party. 

Because of this we do not consider it appropriate to communicate with you
about this information request over the public website WDTK.  WDTK is a
forum designed solely for information requests made under the FOIA and the
Environmental Information Regulations 2004 (EIR), and which are
appropriate to be published on a public website.

As we will not disclose personal data on the WDTK website, I would
recommend that you contact us directly via our email address, which I have
provided below, to make your request for this information.

We can then make sure your request is considered under the rights to
non-personal information under the Freedom of Information Act, and the
rights to access personal data through the right of subject access laid
out in the GDPR. 

Should you object to this approach we shall respond to this request
exclusively under the FOIA, though in doing so will remind you that
personal information can be exempt under this law.  This means that you
might not be provided with all the information to which you may be
entitled.

The address to which to send your request is:
[1][email address]

Yours sincerely
 
 

Alexis Karlsson-Jones
Senior Information Access Officer, Risk and Governance Department
Corporate Strategy and Planning Directorate
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF
T. 0330 313 1886 F. 01625 524510  [2]ico.org.uk  [3]twitter.com/iconews
For information about what we do with personal data see our [4]privacy
notice. Please consider the environment before printing this email

References

Visible links
1. mailto:[email address]
2. http://ico.org.uk/
3. https://twitter.com/iconews
4. https://ico.org.uk/global/privacy-notice/

Dear Information Commissioner’s Office,

Please pass this on to the person who conducts Freedom of Information reviews.

I am writing to request an internal review of Information Commissioner’s Office's handling of my FOI request 'Does the ICO ever check that promised changes to ensure DPA compliance have been implemented?'.

Thank you for your response. However, I see no reason why 3, 4, 5 and 6 cannot be answered, as these are more general questions, not about a specific complaint.

A full history of my FOI request and all correspondence is available on the Internet at this address: https://www.whatdotheyknow.com/request/d...

Yours faithfully,

COLIN WHITE

Dear Information Commissioner’s Office,

Please pass this on to the person who conducts Freedom of Information reviews.

I am writing to request an internal review of Information Commissioner’s Office's handling of my FOI request 'Does the ICO ever check that promised changes to ensure DPA compliance have been implemented?'.

Dear ICO

The information requested is not about the complaint of breach of the DPA, it is about how the ICO took action to ensure NHS D&G implemented changes to ensure FUTURE COMPLIANCE.

Thus, the information is about the ICO and NHS D&G and other public bodies in Scotland.

So, the FOI should have been answered, as this is not about personal data.

It is in the public interest to know how the ICO deals with DPA non-compliance by public bodies or fails to deal with non-compliance, so please comply with the FOI or it will be appealed to the FOI Commissioner for Scotland.

A full history of my FOI request and all correspondence is available on the Internet at this address: https://www.whatdotheyknow.com/request/d...

Yours faithfully,

COLIN WHITE

Information Commissioner's Office

21 May 2019

 

Case Reference Number IRQ0805751

 

Dear Mr White

I am writing further to my correspondence of 21 December 2018. I am now in
a position to respond to your request for information. Please accept my
sincere apologies for the delay in responding.
 
We have considered your request under the Freedom of Information Act
(FOIA) 2000.
 
Your request
 
You have asked:
 
“You made an assessment of non-compliance with the Data Protection Act by
NHS Dumfries and Galloway.
 
This assessment was given the ref no. RFAO643O36. Following receipt of
this assessment NHS D&G wrote promising changes to ensure compliance with
the Data Protection Act 1998 (DPA), such as easy read information
pamphlets, that would be drawn up within two weeks by the head of the
psychology department that provided information on consent and data
sharing etc.
 
1. Please provide the documents that show these promises of changes were
ever fulfilled.
 
2. Please provide the documents that show the ICO checked that these
promises were ever fulfilled.
 
3. Please provide the documents that show the ICO checked that as a result
of the promised changes having been implemented that NHS D&G were now in
compliance with the DPA.
 
4. Does the ICO routinely take it on trust that promised changes by NHS
D&G have been carried out without insisting on proof that they have been
done?
 
5. Has the ICO EVER taken enforcement action against any Health Board or
Council in Scotland for repeated assessments of non-compliance with the
DPA?
 
6. How many times has NHS D&G been assessed as being in non-compliance
with the Data Protection Act 1998 and 2018 in the last five years?
 
Our response 
 
In the interest of clarity I will respond to the numbered points of your
request in the order in which you raise them.

In consideration of points 1-3 I consider that these are questions
relating directly to the related case handled under reference RFA0643036
and so a response via WhatDoTheyKnow.com would not be appropriate as the
information required to respond to your questions would be inextricably
linked with personal data.   
 
In relation to point 4, I consider this to be an enquiry rather than a
request for recorded information and therefore this would not be a valid
request for the purposes of the Freedom of Information Act 2000. You can
raise an enquiry with the ICO by emailing [1][email address]
 
In relation to point 5, after conducting reasonable searches I can confirm
that in November 2014 we published an Enforcement Notice regarding
Grampian Health Board (NHS Grampian). Although the notice is no longer
available on our website, in line with our retention schedule (a copy of
which can be found [2]here) I have located a copy which can be found at
the following link, listed below:
 
[3]https://ico.org.uk/media/about-the-ico/d...
 
With regard to point 6 of your request and in line with our case-work
retention schedule (which can be found [4]here) I was able to establish
that we have received 6 complaints about NHS Dumfries and Galloway in the
last two years.
 
 

+----------+-----------------------------------------+------------------+--------------------+-------------------------------+---------------------------+
| Case Ref | Case type                               | Created Date     | Nature             | Case outcome                  | Party Name                |
+----------+-----------------------------------------+------------------+--------------------+-------------------------------+---------------------------+
| 684285   | DPA Compliance - Request For Assessment | 2 June 2017      | Subject access     | DC action required            | NHS Dumfries and Galloway |
| 708438   | DPA Compliance - Request For Assessment | 30 October 2017  | Disclosure of data | Compliance advice given to DC | NHS Dumfries and Galloway |
| 715046   | DPA Compliance - Request For Assessment | 6 December 2017  | Subject access     | DC action required            | NHS Dumfries and Galloway |
| 722202   | DPA Compliance - Compliance Request     | 24 January 2018  | Security           | No action for DC              | NHS Dumfries and Galloway |
| 793136   | DPA Compliance - Request For Assessment | 11 October 2018  | Subject access     | Compliance advice given to DC | NHS Dumfries and Galloway |
| 808140   | DPA Compliance - Request For Assessment | 17 December 2018 | Subject access     | Concern to be raised with DC  | NHS Dumfries and Galloway |
+----------+-----------------------------------------+------------------+--------------------+-------------------------------+---------------------------+

 
Complaint data relating to the period prior to May 2017 is available on our website and
so considered exempt from disclosure by virtue of section 21 of the FOIA
as it is accessible by other means. However, for ease of reference I have
provided the link [5]here where you may view the “Complaints and concerns
data sets” in order to establish if we have received further complaints
about Dumfries and Galloway NHS. This link also provides a breakdown of
the definition for each case outcome which you may find helpful.
 
Next steps
 
I hope this response is clear. If you would like me to clarify anything
about the way your request has been handled please contact me.
 
You can ask us to review the way we have handled your request. Please see
our review procedure [6]here.
 
Following our internal review, if you remain dissatisfied with the way we
have handled your request, there is a statutory complaints process and you
can report your concern to the regulator. I have included information
about how to do this separately.
 
Your information
 
Please note that our [7]Privacy notice explains what we do with the
personal data you provide to us and what your rights are.
 
This includes entries regarding the specific purpose and legal basis for
the ICO processing information that people have provided us with,
such as an [8]information requester.
 
The length of time we keep information is laid out in our retention
schedule, which can be found [9]here.
 
Yours sincerely
 
 
 
 
 

Alexis Karlsson-Jones
Senior Information Access Officer, Risk and Governance Department
Corporate Strategy and Planning Directorate
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF
F. 01625 524510  [10]ico.org.uk  [11]twitter.com/iconews
For information about what we do with personal data see our [12]privacy
notice. Please consider the environment before printing this email

References

Visible links
1. mailto:[email address]
2. https://ico.org.uk/media/about-the-ico/p...
3. https://ico.org.uk/media/about-the-ico/d...
4. https://ico.org.uk/media/about-the-ico/p...
5. https://ico.org.uk/about-the-ico/our-inf...
6. https://ico.org.uk/media/about-the-ico/p...
7. https://ico.org.uk/global/privacy-notice...
8. https://ico.org.uk/global/privacy-notice...
9. https://ico.org.uk/media/about-the-ico/p...
10. http://ico.org.uk/
11. https://twitter.com/iconews
12. https://ico.org.uk/global/privacy-notice/