Enforcement
Dear Information Commissioner’s Office,
I would like to request the following information.
According to information on the Information Commissioner’s Office website, the ICO has an Enforcement Department comprising a
• Civil Investigations Team
• Criminal Investigations Team
• PECR Investigations Team
For the purposes of my request, I am not asking for information about staff in Complaints Resolution, who I understand work on DPA and FOIA assessments / complaints, not enforcement.
Please do not provide me with any unrecorded information. If no recorded information is held in relation to my questions, please confirm that no information is held.
1) Which of the above teams deals with DPA enforcement?
2) Which of the above teams deals with FOIA enforcement?
3) What is the recorded threshold for taking enforcement action in a DPA case, in a FOIA case and in a PECR case?
4) How many FTE enforcement staff work on enforcement of the DPA?
5) How many FTE enforcement staff work on enforcement of the FOIA?
6) How many FTE enforcement staff work on enforcement of the PECRs?
7) How many DPA enforcement cases are currently being investigated?
8) How many FOI enforcement cases are currently being investigated?
9) How many PECR enforcement cases are currently being investigated?
Yours faithfully,
David Whitney
PROTECT
30 September 2013
Case Reference Number IRQ0514701
Dear Mr Whitney
Request for Information
Thank you for your correspondence dated 28 September 2013.
Your request is being dealt with in accordance with the Freedom of
Information Act 2000. We will respond promptly, and no later than 25
October 2013 which is 20 working days from the day after we received your
request.
Should you wish to reply to this email, please be careful not to amend the
information in the ‘subject’ field. This will ensure that the information
is added directly to your case. However, please be aware that this is an
automated process; the information will not be read by a member of our
staff until your case is allocated to a request handler.
If you require any further advice or assistance please contact our
Helpline on 0303 123 1113.
Yours sincerely
Michael Downs
Information Governance Officer
Information Commissioner’s Office
Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire, SK9 5AF
Tel: 0303 123 1113 Fax: 01625 524 510 Web: www.ico.org.uk
PROTECT
23 October 2013
Case Reference Number IRQ0514701
Dear Mr Whitney
Request for Information
I am writing further to our 30 September acknowledgement of your
correspondence dated 28 September 2013.
As you know, your request is being dealt with in accordance with the
Freedom of Information Act 2000 (FOIA). We are now in a position to
provide our response.
You requested:
“the ICO has an Enforcement Department comprising a
* Civil Investigations Team
* Criminal Investigations Team
* PECR Investigations Team
[…]
1) Which of the above teams deals with DPA enforcement?
2) Which of the above teams deals with FOIA enforcement?
3) What is the recorded threshold for taking enforcement action in a DPA
case, in a FOIA case and in a PECR case?
4) How many FTE enforcement staff work on enforcement of the DPA?
5) How many FTE enforcement staff work on enforcement of the FOIA?
6) How many FTE enforcement staff work on enforcement of the PECRs?
7) How many DPA enforcement cases are currently being investigated?
8) How many FOI enforcement cases are currently being investigated?
9) How many PECR enforcement cases are currently being investigated?”
Our response will address these points in order:
1) Which of the above teams deals with DPA enforcement?
The Criminal Investigations Team* and the Civil Investigations Team.
2) Which of the above teams deals with FOIA enforcement?
The Criminal Investigations Team*.
3) What is the recorded threshold for taking enforcement action in a DPA
case, in a FOIA case and in a PECR case?
We publish information on the ICO website which explains how we decide
whether to undertake enforcement activity. You will find a lot of
information about the ICO’s enforcement activity on the Enforcement
section of our website:
[1]http://www.ico.org.uk/enforcement
and also at:
[2]http://www.ico.org.uk/what_we_cover/taki...
The following specific policies are relevant:
Data Protection Regulatory Action Policy
[3]http://www.ico.org.uk/about_us/~/media/d...
Freedom of Information Regulatory Action Policy
[4]http://www.ico.org.uk/about_us/~/media/d...
Guidance on Monetary Penalties
[5]http://www.ico.org.uk/enforcement/~/medi...
Guidance on enforcing the revised PECR
[6]http://www.ico.org.uk/what_we_cover/taki...
Information withheld
We also hold internal guidance and procedures in the form of Standard
Operating Procedures for a risk assessment process, used to assess the
risk associated with a data security incident or DPA breach, and which is
used to determine whether the matter should be taken up by the ICO. This
therefore relates to thresholds for taking enforcement action, however
this information is being withheld under the provisions of section 31 of
FOIA, as disclosure would prejudice the ICO’s regulatory activities. More
details of the application of this exemption are provided at the end of
this section.
4) How many FTE enforcement staff work on enforcement of the DPA?
There are 15 members of the Civil Investigations Team and six in the
Criminal Investigations Team.
5) How many FTE enforcement staff work on enforcement of the FOIA?
The six members of the Criminal Investigations Team also work on FOIA
enforcement. No civil investigations are undertaken for FOIA within the
ICO Enforcement team.
6) How many FTE enforcement staff work on enforcement of the PECRs?
There are six members of the PECR investigations team.
7) How many DPA enforcement cases are currently being investigated?
According to the records held, 284 cases were allocated to enforcement
staff for investigation in the Civil Investigations Team (and a further
316 cases were awaiting either risk assessment or allocation to a team
member for investigation). The Criminal Investigations Team currently has
33 cases under investigation.
8) How many FOI enforcement cases are currently being investigated?
Two cases are under investigation by the Criminal Investigations Team.
9) How many PECR enforcement cases are currently being investigated?
There are currently 75 cases under investigation.
*Additional information:
With regard to questions 1) and 2) the Criminal Investigations Team works
on DPA enforcement in relation to offences committed under section 17
and/or section 55 of the DPA; it works on FOIA enforcement in relation to
offences committed under section 77 of FOIA.
Withheld information
We consider that, beyond the publicly-available guidance which we already
make available, if we were to disclose material which gave information on,
for example, the circumstances in which we do not anticipate taking
enforcement action, and the circumstances in which we would expect to take
enforcement action, then this might encourage data controllers and public
authorities to relax their compliance in the knowledge that the ICO would
not take action against them. It might also allow less scrupulous data
controllers to manipulate the information they report to us in the event
of a data breach, to make it appear that the circumstances of the data
breach did not pass the threshold for the ICO to take regulatory action.
Section 31
The exemption at section 31(1)(g) of the FOIA refers to circumstances
where the disclosure of information “would, or would be likely to,
prejudice – … the exercise by any public authority of its functions for
any of the purposes specified in subsection (2).”
The purposes referred to in sections 31(2)(a) and (c) are –
“(a) the purpose of ascertaining whether any person has failed to comply
with the law” and
“(c) the purpose of ascertaining whether circumstances which would
justify regulatory action in pursuance of any enactment exist or may arise
…”
Clearly, these purposes apply when the Information Commissioner is
considering, for example, whether or not a data security incident by a
data controller has breached the DPA, or whether a public authority has
failed to comply with FOIA, and whether this is sufficiently serious that
regulatory action is warranted.
However this exemption is not absolute. When considering whether to apply
it in response to a request for information, there is a ‘public interest
test’. That is, we must consider whether the public interest favours
withholding or disclosing the information.
In this case the public interest factors in disclosing the information are
–
* increased transparency in the way in which the ICO conducts its
regulatory functions;
* facilitating a public debate about the ICO’s approach to its
regulatory activities.
The factors in withholding the information are –
* the public interest in maximising the ICO’s effectiveness as a
regulator, by encouraging regulated bodies to do more than simply meet
the minimum acceptable standards;
* the public interest in preventing regulated bodies from manipulating
their submissions with the intention of avoiding regulatory action;
* the public interest in maintaining the ICO’s ability to conduct its
regulatory functions as it thinks fit, and making the best use of the
finite resources available to it.
Having considered all of these factors we have taken the decision that the
public interest in withholding the information outweighs the public
interest in disclosing it. We believe that the information already
disclosed meets the public interest in disclosure identified above, and
that the information being withheld will not substantially add to this.
However, disclosure of the withheld information would have the potential
to adversely affect the ICO’s ability to be an effective regulator,
contrary to the public interest factors identified above. I am sorry,
therefore, that in this instance we are unable to provide you with some of
the information we hold relating to the recorded threshold for taking
enforcement action in a DPA case, in a FOIA case and in a PECR case.
This completes our response to your request.
If you are dissatisfied with the response you have received and wish to
request a review of our decision or make a complaint about how your
request has been handled you should write to the Information Governance
Department at the address below or e-mail
[7][ICO request email]
Your request for internal review should be submitted to us within 40
working days of receipt by you of this response. Any such request received
after this time will only be considered at the discretion of the
Commissioner.
If having exhausted the review process you are not content that your
request or review has been dealt with correctly, you have a further right
of appeal to this office in our capacity as the statutory complaint
handler under the legislation. To make such an application, please write
to the First Contact Team, at the address below or visit the ‘Complaints’
section of our website to make a Freedom of Information Act or
Environmental Information Regulations complaint online.
A copy of our review procedure is available [8]here.
Yours sincerely
Steven Dickinson Lead Information Governance Officer
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF.
T. 01625 545676 F. 01625 524510 [9]www.ico.org.uk
References
Visible links
1. http://www.ico.org.uk/enforcement
2. http://www.ico.org.uk/what_we_cover/taki...
3. http://www.ico.org.uk/about_us/~/media/d...
4. http://www.ico.org.uk/about_us/~/media/d...
5. http://www.ico.org.uk/enforcement/~/medi...
6. http://www.ico.org.uk/what_we_cover/taki...
7. mailto:[ICO request email]
8. http://www.ico.org.uk/about_us/~/media/d...
9. http://www.ico.org.uk/