Enforcement for non-security related issues

Pete Grotowski made this Freedom of Information request to Information Commissioner's Office

This request has been closed to new correspondence from the public body. Contact us if you think it ought to be re-opened.

The request was refused by Information Commissioner's Office.

Pete Grotowski

Dear Information Commissioner’s Office,

The Information Commissioner has only issued fines under the Data Protection Act for self-reported security breaches. The vast majority of its enforcement action under the DPA has also been for self-reported security breaches. On this basis, I would like to ask the following questions under the Freedom of Information Act. Please note that I am not asking for views or descriptions – I am only interested in responses based on recorded information held by the Information Commissioner’s Office.

1 How many undertakings or enforcement notices has the Information Commissioner issued since 1 January 2009 for breaches of the Data Protection Principles other than principle 7?

2 What specific procedures does the Information Commissioner have to ensure that serious breaches of principles that do not involve a self-reported security breach are investigated with a view to taking enforcement action? If a specific documented procedure does not exist, please confirm this.

3 How many cases are currently being dealt with by the Enforcement / Investigations Team?

4 For question 3, how many of these cases are NOT cases involving self-reported security breaches?

Yours faithfully,

Pete Grotowski

Information Commissioner's Office

07 July 2011

Case Reference Number IRQ0402610

Dear Mr Grotowski

Request for Information

Thank you for your correspondence of 07 July 2011, entitled “Freedom
of Information request - Enforcement for non-security related issues”.

Your request is being dealt with in accordance with the Freedom of
Information Act 2000.  We will respond by 04 August 2011 which is 20
working days from the day after we received your request.

Should you wish to respond to this email please be careful not to amend
the information in the ‘subject’ field. This will ensure that the
information is added directly to your case. However, please be aware that
this is an automated process; the information will not be read by a member
of our staff until your case is allocated to a request handler.

Yours sincerely

Andrew Walsh

Lead Internal Compliance Officer

01625 545 363

Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire, SK9 5AF
Tel: 0303 123 1113 Fax: 01625 524 510 Web: www.ico.gov.uk

Information Commissioner's Office

2 Attachments

26th July 2011

Case Reference Number IRQ0402610

Dear Mr Grotowski

Further to our acknowledgement of 7 July 2011 we are now in a position to
provide you with a response to your request for information of the same
date.

As you know we have dealt with your request in accordance with your
‘right to know’ under section 1(1) of the Freedom of Information
Act 2000 (FOIA), which entitles you to be provided with a copy of any
information ‘held’ by a public authority, unless an appropriate
exemption applies.

Request

You requested:

1. How many undertakings or enforcement notices has the Information
Commissioner issued since 1 January 2009 for breaches of the Data
Protection Principles other than principle 7?

2. What specific procedures does the Information Commissioner have to
ensure that serious breaches of principles that do not involve a
self-reported security breach are investigated with a view to taking
enforcement action? If a specific documented procedure does not exist,
please confirm this.

3. How many cases are currently being dealt with by the Enforcement /
Investigations Team?

4. For question 3, how many of these cases are NOT cases involving
self-reported security breaches?

Information Held

Undertakings and Enforcement Notices

We have interpreted your request as concerning any undertakings or
enforcement notices having been served concerning a breach of the Data
Protection Act 1998 (DPA), rather than any breach for any of the other
legislation or regulations that the Information Commissioner regulates.
The time period for this request is 1 January 2009 to 7 July 2011.

All the undertakings and enforcements for 2010 and 2011 are published on
our website. Under section 21 of the FOIA we are not required to provide
information in response to a request if it is already reasonably
accessible to you from another source.  The information you have
requested is available from the website via the following link:

[2]http://www.ico.gov.uk/what_we_cover/prom...

However, there are two additional undertakings not published for this
period and I can confirm that these were both concerning a breach of
principle 7.

For the period of the 1 January 2009 to 31 December 2009 I can confirm
that there were 57 undertakings served for a breach of the 7th Principle
and one concerning the breach of the 1st Principle.

For the period 1 January 2009 to 31 December 2009 there were two
enforcement notices served concerning a breach of the DPA.  Both of
these concerned a breach of principle 7.

Procedures

Cases are primarily brought to the attention of the Enforcement Department
in two ways:

1. By referral to the Enforcement Department on a request for assessment
file from the Complaint Resolution Department.
2. As a result of environmental scanning and the identification of an
issue.

More generally, Enforcement Department members have a portfolio under
which they are encouraged to act as a lead for particular issues and to
liaise with specific teams. The frequency and attendance at these meetings
differs, but generally speaking case officers attend at least once a
quarter. At these meetings information is exchanged about cases and
Complaints Resolution staff are encouraged to let the Enforcement Officer
know if there is a case which they feel would warrant their attention.
Complaints Resolution staff are also encouraged to approach the team on an
ad-hoc basis to discuss cases of potential interest and this happens
regularly. In addition the First Contact Department regularly flag issues
of potential interest – a number of which come via the helpline from
members of the public.  These are however not formalised in a written
procedure.

Attached is a document which we hold entitled RAD referral brief. 
Whilst this recorded information falls within the scope of your request I
can confirm this document is no longer used. 

We also have case handling procedures and the following extract also falls
within the scope of your request.

Request for Assessment (RFA) cases

Following evaluation of the compliance case work item, and where there are
substantive issues for the Enforcement Team to take forward, an
Enforcement (ENF) case will be created as above. Should it be a repeat of
an ongoing issue that we are already aware of the RFA case will be linked
to an existing ENF.

Request for Assessment (RFA) cases – s7 referrals

Where the only work the Enforcement Team is intending to do is log a delay
on the s7 monitoring spreadsheet, the work item can be completed without
creating an ENF case.

Ongoing Cases

Since January 2005 the details of all complaints and enquiries received by
the ICO (known as ‘cases’) have been put onto our electronic
case management system. The correspondence is scanned onto the system and
an electronic record is created for every case, every complainant and
every ‘complained about’ public authority or data controller.

The system allows us to search for the cases we have dealt with in a
number of different ways, such as by the unique reference number the case
was given, the name and address of the person who contacted us and the
name of any public authority that has been complained about. We can also
search for cases on the basis of the broad nature of the complaint, but we
can only search on a limited number of fixed criteria which are structured
around the main sections of the FOIA. However, self-reported breaches
that are transferred to the Enforcement Department for consideration are
not recorded in a specific way, to identify them as self-reported
breaches. Therefore in order to answer this request data has had to be
extracted manually from the individual cases. 

The Enforcement Department does however receive regular reports concerning
the number of ongoing cases.  The figures that have been provided to
you are on the basis of the latest regular report they received which was dated
18 July 2011, so slightly more up to date than the information would have
been at the date of your request.

This records that there are currently 485 ongoing cases with the
Enforcement Department.  There are also 43 ongoing cases with the
Investigations Team.   

295 of the cases currently with the Enforcement Department are data
protection related and of these 41 (14%) are non self-reported breaches.
Our Investigations Team are primarily tasked with investigating criminal
offences under the Act, rather than breaches of any of the principles. 
Therefore, they do not consider cases that solely focus on a breach of
principle 7.

Sometimes, recorded information relating to a complaint or enquiry will
change over time. This can occur if further information is provided by
either party which changes one of the relevant factors or because errors
in recording the information have been rectified.

The statistics we provide should be viewed as a snapshot of the recorded
information held at the date specified above.

I hope this information is of interest and assistance.  If you are
dissatisfied with the response you have received and wish to request a
review of our decision or make a complaint about how your request has been
handled you should write to the Internal Compliance Department at the
address below or e-mail [3][email address]

Your request for internal review should be submitted to us within 40
working days of receipt by you of this response. Any such request
received after this time will only be considered at the discretion of the
Commissioner.

If having exhausted the review process you are not content that your
request or review has been dealt with correctly, you have a further right
of appeal to this office in our capacity as the statutory complaint
handler under the legislation.  To make such an application, please
write to the First Contact Team, at the address below or visit the
‘Complaints’ section of our website to make a Freedom of
Information Act or Environmental Information Regulations complaint online.

 

A copy of our review procedure is attached.

Yours sincerely

Charlotte Powell

Internal Compliance Manager

References

Visible links
2. http://www.ico.gov.uk/what_we_cover/prom...
3. mailto:[email address]

Dear Information Commissioner’s Office,

I am emailing to ask for an internal review on some matters.

I would first like to register my disappointment at the nature of your response. Although I used numbered questions, your response ignores this. The technique of ignoring the numbers makes it far less clear as to what the answers are. I suspect that the Information Commissioner would criticise another public authority for operating this practice.

Your response also ignored my specific request not to include views or descriptions, especially in relation to question 2. Despite the fact that the response was headed 'Information Held', for question 2, your response sent me descriptions and a document no longer in use. You did not provide recorded information or deny that recorded information was held, other than to provide a redundant document which clearly has no relevance to my request. Question 2 was clearly about what the Information Commissioner does, not what he did.

I also note that although information has been withheld under question 1, you did not cite the relevant exemption (presumably Section 21).

I would like the review to look at why what appears to be unrecorded information was included in the response despite the fact that I had specifically asked not to be given 'views or descriptions'. I would like to know why the question numbering was ignored. I would like to know why an exemption was not cited for question 1. I would like a clear answer to question number 2 and a clear explanation of why the first response did not provide a clear answer to question number 2.

Based on the answers provided, I would like to make a second FOI request, but for the sake of clarity I will do this separately.

Yours faithfully,

Pete Grotowski

new casework,

Thank you for emailing the Information Commissioner's Office (ICO). This
is an automatic acknowledgement to tell you we have received your email
safely. Please do not reply to this email.

If your email was about a new complaint or request for advice it will be
considered by our Customer Contact Department. One of our case officers
will be in touch as soon as possible.

If your email was about an ongoing case we are dealing with it will be
allocated to the person handling your case.

If your email was about a case you have already submitted, but is yet to
be allocated to one of our case officers your email will be added to your
original correspondence and will be considered when your case is
allocated.

If you require any further assistance please contact our Helpline on 0303
123 1133 or 01625 545745 if you prefer to use a national rate number.

Thank you for contacting the Information Commissioner's Office

Yours sincerely

ICO Customer Contact Department

Information Commissioner's Office

28th July 2011

Case Reference Number RCC0406995

Dear Mr Grotowski

Thank you for your correspondence of 27 July 2011.

This correspondence will now be treated as a request for review of your
recent request for information under the Freedom of Information Act 2000.

We will respond by 24 August 2011 which is 20 working days from the day
after we received your recent correspondence.  This is in accordance
with our internal review procedures.

If you wish to add further information or evidence to your request for an
internal review please reply to this email, being careful not to amend the
information in the ‘subject’ field. This will ensure that the
information is added directly to your case.

Yours sincerely

Charlotte Powell

Internal Compliance Manager

Information Commissioner's Office

15th August 2011

Reference: RCC0406995

Dear Mr Grotowski,

Your request for an internal review of the handling of your information
request (case reference number IRQ0402610) has been passed to me to
undertake. I have considered the scope of your request, the response sent
to you and the specific points you have raised.

Your request was considered under the Freedom of Information Act 2000
(FOIA).  

You specifically asked for:

1) How many undertakings or enforcement notices has the Information
Commissioner issued since 1 January 2009 for breaches of the Data
Protection Principles other than Principle 7?

2) What specific procedures does the Information Commissioner have to
ensure that serious breaches of principles that do not involve a self
reported security breach are investigated with a view to taking
enforcement action? If a specific documented procedure does not exist,
please confirm this.

3) How many cases are currently being dealt with by the
Enforcement/Investigations Team?

4) For question 3, how many of these cases are NOT cases involving
self-reported breaches?   

I understand from your email dated 27 July 2011 that you would like this
internal review to address the following points. I have numbered them for
ease of reference.

1. Why what appears to be unrecorded information was included in the
response despite the fact that I had specifically asked not to be
given ‘views or descriptions’.
2. I would like to know why the question numbering was ignored.
3. I would like to know why an exemption was not cited for question 1.
4. I would like a clear answer to question number 2 and a clear
explanation of why the first response did not provide a clear answer
to question number 2.

I will deal with each of the above points in turn.  

1) In addition to providing the recorded information which falls within
the scope of requests for information, further clarification or
explanation may be provided where it is felt that this will assist the
requestor. I am satisfied that you have been provided with all of the
recorded information which falls within the scope of your request in
compliance with section 1(1) of FOIA. However, I acknowledge that you were
also provided with unrecorded information which need not have been
provided.        

2) The FOIA is not prescriptive about the manner in which responses are
compiled and there is no specific obligation for a public authority to
follow the numbering system used by the requestor. In her response
Charlotte Powell provided answers to your requests under 3 headings which
clearly linked to your specific requests.  

3) Your request was for the number of undertakings or enforcement
notices that the Information Commissioner has issued since 1 January 2009
for breaches of the Data Protection Principles other than Principle 7.
This number was provided to you. In addition it was explained to you that
all of the undertakings and enforcements for 2010 and 2011 are published
on our website and a link was provided, with section 21 stated as the
reason for not supplying copies of the undertakings to you. However,
whilst I recognise that it was considered that this additional information
may have been of use to you, I have concluded that, in any event, it fell
outside the scope of your request.

4) I am satisfied that you were provided with all of the recorded
information which fell within the scope of this aspect of your request
namely 2 extracts from our case handling procedures and the RAD referral
brief. Your request was for the ‘specific procedures the Information
Commissioner has to ensure….’ The RAD referral brief provided to
you is held as recorded information and although not in use currently,
does fall within the scope of your request. It was clearly explained that
this document is no longer in use.

I should inform you that if you are unhappy with the outcome of this
internal review then you do have a right to appeal to ICO in our capacity
as the statutory regulator for the FOIA.

How to complain

Information on how to complain is available on the ICO website at:

[2]http://www.ico.gov.uk/complaints/freedom...

By post: If all your supporting evidence is in hard copy you can fill in
the online Complaint Form, print it and post it to us with your supporting
evidence. Please send to:

First Contact Team

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

By email: if all your supporting evidence is available electronically, you
can fill in our online complaint form. Information included in the form
and any supporting evidence will be sent to us by email.

Yours sincerely

Hannah Burling

Sent on behalf of

Lesley Bett

Head of Internal Compliance

References

Visible links
2. http://www.ico.gov.uk/complaints/freedom...

Pete Grotowski left an annotation

I have said this request was refused because WDTK does not offer an option of 'They agreed with themselves'.
