GDPR

The request was partially successful.

Dear Information Commissioner’s Office,

Under FOI, please may you supply the following:

- Your GDPR policy (not the Guide to GDPR which is available to the public)
- Your information asset register
- Explanation on how you rate the risks on your risk register and any other relevant guidance related to this
- Your Record of Processing Activity
- your data sharing agreement template or equivalent
- your e-learning and/or classroom training and other training materials on FOI, EIR, PECR and GDPR
- explanation on how you manage your internal breaches and any other relevant guidance related to this
- your data flow map template and guidance to staff how to complete this
- your DPIA template which is used by your staff and guidance on how to complete this
- explanation how you rate risks on the DPIA and any other relevant guidance related to this

Thank you,

Sarah Evans

AccessICOinformation, Information Commissioner's Office

Thank you for contacting the Information Commissioner’s Office. We confirm
that we have received your correspondence.

If you have made a request for information held by the ICO we will contact
you as soon as possible if we need any further information to enable us to
answer your request. If we don't need any further information we will
respond to you within our published, and statutory, service levels. For
more information please visit [1]http://ico.org.uk/about_us/how_we_comply

If you have raised a new information rights concern - we aim to send you
an initial response and case reference number within 30 days.

If you are concerned about the way an organisation is handling your
personal information, we will not usually look into it unless you have
raised it with the organisation first. For more information please see our
webpage ‘raising a concern with an organisation’ (go to our homepage and
follow the link ‘for the public’). You can also call the number below.

If you have requested advice - we aim to respond within 14 days. 

If your correspondence relates to an existing case - we will add it to
your case and consider it on allocation to a case officer.

Copied correspondence - we do not respond to correspondence that has been
copied to us.

For more information about our services, please see our webpage ‘Service
standards and what to expect' (go to our homepage and follow the links for
‘Report a concern’ and ‘Service standards and what to expect'). You can
also call the number below.

For information about what we do with personal data see our [2]privacy
notice.

If there is anything you would like to discuss with us, please call our
helpline on 0303 123 1113.

Yours sincerely

The Information Commissioner’s Office

Our newsletter

Details of how to sign up for our monthly e-newsletter can be found at
[3]http://www.ico.org.uk/tools_and_resource...

Twitter

Find us on Twitter at [4]http://www.twitter.com/ICOnews

 

References

Visible links
1. http://ico.org.uk/about_us/how_we_comply
2. https://ico.org.uk/global/privacy-notice/
3. http://www.ico.org.uk/tools_and_resource...
4. http://www.twitter.com/ICOnews

Information Commissioner's Office

1 Attachment

30 October 2018

 

Case Reference Number IRQ0790867

 

Dear Ms Evans

Further to our acknowledgement of your information request which we sent
on 2 October; we are now in a position to partially respond to this
request. However, we will not be able to provide a full response at this
time; for which we apologise.
 
We have considered your request under the Freedom of Information Act 2000
(FOIA).
 
Your request
 
In your email you asked us (I have numerically divided your request for
clarity of response):
 
“Your GDPR policy (not the Guide to GDPR which is available to the public)
- Your information asset register - Explanation on how you rate the risks
on your risk register and any other relevant guidance related to this -
Your Record of Processing Activity - your data sharing agreement template
or equivalent - your e-learning and/or classroom training and other
training materials on FOI, EIR, PECR and GDPR - explanation on how you
manage your internal breaches and any other relevant guidance related to
this - your data flow map template and guidance to staff how to complete
this - your DPIA template which is used by your staff and guidance on how
to complete this - explanation how you rate risks on the DPIA and any
other relevant guidance related to this.”
 
Our response 
 
I can confirm that we hold information within scope of this request.
 
The information we can provide at this time is detailed below.
 
 

* “GDPR Policy”: We understand you mean our privacy policy, which is
published on our website and can be found [1]here. This information is
therefore exempt under section 21 of the FOIA.
* GDPR and PECR training materials have been published on the disclosure
log on our website and can be found [2]here. This information is
therefore exempt under section 21 of the FOIA.
* Our FOIA and EIR training materials are attached to this response.
* I attach our Corporate Risk Management Policy which explains how we
rate risks in the risk register.
* I attach our Security Incident Management Standard. You will see that
some internal contact details have been redacted under section 31 of
the FOIA.
* We publish a DPIA template [3]here. It contains guidance on how to
complete it. I attach, also, our own template complete with guidance
as well as an explanation on how risks are rated in the annex and a
section on ‘data flows’ which comprises what we hold in response to
“data flow map.”
* In terms of “any other relevant guidance,” please see our [4]data
protection impact assessments page on our website.

 
Please see below for an explanation of the exemption used.
 
The size of the information files means I have had to send several emails.
 
 
Explanation of FOIA Exemptions
 
Section 21
Information supplied in this response is available online; it is
technically exempt from disclosure under section 21 of the FOIA because it
is ‘reasonably accessible to you by other means’ and thus we are not
obliged to provide it.
 
Section 31

The exemption at section 31(1)(g) of the FOIA refers to circumstances
where the disclosure of information “would, or would be likely to,
prejudice – … the exercise by any public authority of its functions for
any of the purposes specified in subsection (2).” 
 
In this case the relevant purposes are contained in subsection 31(2)(c) which
states –
 
“(c) the purpose of ascertaining whether circumstances which would
justify regulatory action in pursuance of any enactment exist or may arise
…”
 
We consider that disclosure of the internal contact details of our
internal Information Security unit would be likely to cause prejudice to
our regulatory role. The redacted email address, for example, would, if
disclosed into the public domain, provide an alternative route for the
reporting of data protection concerns such as breaches of information
security from the data controllers that we support. As we have seen from
recent experience of the cases referred to the ICO, many such breaches may
be related to significant security incidents affecting many data subjects.
As a result, it is vital that such breaches are reported to the ICO
through our customer facing processes and where possible not to internal
mailboxes that are not monitored with the regularity that we monitor our
external mailboxes.  
 
Section 31 is a qualified exemption. This means it requires the
application of a public interest test.
 
I find that the public interest factor in disclosing these contact details
is the increased transparency in the way the ICO works. However the public
interest factors in favour of maintaining the exemption are that these are
internal contact details and that use by the public could delay our
ability to provide the required service and that it would also affect the
ability of our internal information security teams to focus on specific
issues relating to the ICO’s information and obligations as a data
controller. Having considered all of these factors we have taken the
decision that the public interest in withholding the information outweighs
the public interest in disclosing it.
         
The information we cannot provide at this time is detailed below.
 
Unfortunately we are not yet able to provide a response to your requests
for:
 
 

* our information asset register or
* our record of processing activity.

 
We will provide the remainder of our response as soon as possible and
apologise again for the inconvenience caused.
 
This concludes our response at this time. We hope you find this
information useful and that we can provide you with our full response
soon.
 
 
                        
Next steps
 
If you are dissatisfied with the response you have received and wish to
request a review of our decision or make a complaint about how your
request has been handled you should write to the Information Access team
at the address below or email [5][ICO request email]
 
Your request for internal review should be submitted to us within 40
working days of receipt by you of this response.  Any such request
received after this time will only be considered at the discretion of the
Commissioner.
 
If having exhausted the review process you are not content that your
request or review has been dealt with correctly, you have a further right
of appeal to this office in our capacity as the statutory complaint
handler under the legislation.  To make such an application, please write
to the Customer Contact department, at the address below or visit the
‘Complaints’ section of our website to make a Freedom of Information Act
or Environmental Information Regulations complaint online.
 
A copy of our review procedure is available [6]here.
 
For information about what we do with personal data see our [7]privacy
notice.
 
Yours sincerely,
 
 

Frederick Aspbury
Lead Information Access Officer
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF
T. 0330 414 6397 F. 01625 524510  [8]ico.org.uk  [9]twitter.com/iconews
Please consider the environment before printing this email
For information about what we do with personal data see our [10]privacy
notice

 
 
 

References

Visible links
1. https://ico.org.uk/global/privacy-notice/
2. https://ico.org.uk/about-the-ico/our-inf...
3. https://ico.org.uk/media/about-the-ico/c...
4. https://ico.org.uk/for-organisations/gui...
5. mailto:[ICO request email]
6. https://ico.org.uk/media/about-the-ico/p...
7. https://ico.org.uk/global/privacy-notice/
8. http://ico.org.uk/
9. https://twitter.com/iconews
10. https://ico.org.uk/global/privacy-notice/

Information Commissioner's Office

1 Attachment

30 October 2018

 

Case Reference Number IRQ0790867

 

Dear Ms Evans

 

Please find attached the second part of our response.
 
Yours sincerely
 

Frederick Aspbury
Lead Information Access Officer
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF

Information Commissioner's Office

2 Attachments

30 October 2018

 

Case Reference Number IRQ0790867

 

Dear Ms Evans

Please find attached the third part of our response.
 
Yours sincerely
 

Frederick Aspbury
Lead Information Access Officer
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF

Information Commissioner's Office

2 Attachments

30 October 2018

 

Case Reference Number IRQ0790867

 

Dear Ms Evans

 

Please find attached the fourth part of our response.
 
Yours sincerely
 

Frederick Aspbury
Lead Information Access Officer
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF

Information Commissioner's Office

2 Attachments

30 October 2018

 

Case Reference Number IRQ0790867

 

Dear Ms Evans

Please find attached the fifth part of our response.
 
Yours sincerely
 

Frederick Aspbury
Lead Information Access Officer
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF

Information Commissioner's Office

2 Attachments

30 October 2018

 

Case Reference Number IRQ0790867

 

Dear Ms Evans

Please find attached the sixth part of our response.
 
Yours sincerely
 

Frederick Aspbury
Lead Information Access Officer
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF

Information Commissioner's Office

3 Attachments

30 October 2018

 

Case Reference Number IRQ0790867

 

Dear Ms Evans

Please find attached the seventh part of our response.
 
Yours sincerely
 

Frederick Aspbury
Lead Information Access Officer
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF

Information Commissioner's Office

2 Attachments

30 October 2018

 

Case Reference Number IRQ0790867

 

Dear Ms Evans

 

Please find attached the eighth part of our response.
 
Yours sincerely
 

Frederick Aspbury
Lead Information Access Officer
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF

Information Commissioner's Office

2 Attachments

30 October 2018

 

Case Reference Number IRQ0790867

 

Dear Ms Evans

Please find attached the ninth part of our response.
 
Yours sincerely
 

Frederick Aspbury
Lead Information Access Officer
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF

Information Commissioner's Office

2 Attachments

30 October 2018

 

Case Reference Number IRQ0790867

 

Dear Ms Evans

 

Please find attached the tenth part of our response.
 
Yours sincerely
 

Frederick Aspbury
Lead Information Access Officer
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF

Information Commissioner's Office

1 Attachment

30 October 2018

 

Case Reference Number IRQ0790867

 

Dear Ms Evans

Please find attached the eleventh and final part of our response to your
request at this time.
 
Yours sincerely
 

Frederick Aspbury
Lead Information Access Officer
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF

Information Commissioner's Office

3 Attachments

15 February 2019

 

Case Reference Number IRQ0790867

 

Dear Ms Evans
 

Thank you for contacting the Information Commissioner’s Office (ICO). We
received your information request on 2 October and we provided a
substantial, but incomplete, response on 30 October.
 
We are now ready to provide the remainder of our response. We apologise
for the delay.
 
 
Your request
 
The remainder of your request was for:
 
 

* our information asset register
* our record of processing activity

 
We have considered your request under the Freedom of Information Act 2000
(FOIA).
 
 
Our response 
 
I can confirm that the ICO does hold an information asset register, but
this document has been superseded by our record of processing activities.
I attach a copy for your convenience.
 
I can confirm that, pursuant to Article 30 of the General Data Protection
Regulations 2016 (GDPR), the ICO holds a record of processing activity for
its general processing, and a record of processing activity for its law
enforcement processing.
 
These documents are currently under review and when the review is
complete, revised versions will be published on our website.
 
I attach both documents to this response.
 
You may find our [1]GDPR documentation guidance useful.
 
This concludes our response. May I apologise again for the sizable delay
in providing a complete response to your request.
 
Thank you for your interest in the work of the ICO.
 
 
                        
Next steps
 
If you are dissatisfied with the response you have received and wish to
request a review of our decision or make a complaint about how your
request has been handled you should write to the Information Access team
at the address below or email [2][ICO request email]
 
Your request for internal review should be submitted to us within 40
working days of receipt by you of this response.  Any such request
received after this time will only be considered at the discretion of the
Commissioner.
 
If having exhausted the review process you are not content that your
request or review has been dealt with correctly, you have a further right
of appeal to this office in our capacity as the statutory complaint
handler under the legislation.  To make such an application, please write
to the Customer Contact department, at the address below or visit the
‘Complaints’ section of our website to make a Freedom of Information Act
or Environmental Information Regulations complaint online.
 
A copy of our review procedure is available [3]here.
 
For information about what we do with personal data see our [4]privacy
notice.
 
Yours sincerely,
 
 

Frederick Aspbury
Lead Information Access Officer
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF
T. 0330 414 6397 F. 01625 524510  [5]ico.org.uk  [6]twitter.com/iconews
Please consider the environment before printing this email
For information about what we do with personal data see our [7]privacy
notice

 
 

References

Visible links
1. https://ico.org.uk/for-organisations/gui...
2. mailto:[ICO request email]
3. https://ico.org.uk/media/about-the-ico/p...
4. https://ico.org.uk/global/privacy-notice/
5. http://ico.org.uk/
6. https://twitter.com/iconews
7. https://ico.org.uk/global/privacy-notice/

Dear Information Commissioner’s Office,

Please pass this on to the person who conducts Freedom of Information reviews.

I am writing to request an internal review of Information Commissioner’s Office's handling of my FOI request 'GDPR'.

The delay in responding within the 20 working days and not providing an adequate response to my request.

A full history of my FOI request and all correspondence is available on the Internet at this address: https://www.whatdotheyknow.com/request/g...

Yours faithfully,

Sarah Evans

AccessICOinformation, Information Commissioner's Office

Thank you for contacting the Information Commissioner’s Office. We confirm
that we have received your correspondence.

If you have made a request for information held by the ICO we will contact
you as soon as possible if we need any further information to enable us to
answer your request. If we don't need any further information we will
respond to you within our published, and statutory, service levels. For
more information please visit:

[1]https://ico.org.uk/about-the-ico/our-inf...

If you have raised a new information rights concern - we aim to send you
an initial response and case reference number within 30 days.

If you are concerned about the way an organisation is handling your
personal information, we will not usually look into it unless you have
raised it with the organisation first. For more information please see our
webpage ‘raising a concern with an organisation’ (go to our homepage and
follow the link ‘for the public’). You can also call the number below.

If you have requested advice - we aim to respond within 14 days. 

If your correspondence relates to an existing case - we will add it to
your case and consider it on allocation to a case officer.

Copied correspondence - we do not respond to correspondence that has been
copied to us.

For more information about our services, please see our webpage ‘Service
standards and what to expect' (go to our homepage and follow the links for
‘Report a concern’ and ‘Service standards and what to expect'). You can
also call the number below.

For information about what we do with personal data see our [2]privacy
notice.

If there is anything you would like to discuss with us, please call our
helpline on 0303 123 1113.

Yours sincerely

The Information Commissioner’s Office

Our newsletter

Details of how to sign up for our monthly e-newsletter can be found
[3]here.

Twitter

Find us on Twitter [4]here.

 

References

Visible links
1. https://ico.org.uk/about-the-ico/our-inf...
2. https://ico.org.uk/global/privacy-notice/
3. https://ico.org.uk/about-the-ico/news-an...
4. http://www.twitter.com/ICOnews

Information Commissioner's Office

Dear Ms Evans

Thank you for your recent correspondence requesting a review of your
information request IRQ0790867. I can confirm that this review has been
allocated to me and I will be dealing with your request. I understand your
dissatisfaction is in relation to the time scales to undertake the review
and also the response itself. You stated it was "not an adequate response"
so may I ask whether you are still seeking further information? If you
could clarify your dissatisfaction this will assist the review.

Regards

 

Elizabeth Baxter
Information Access Group Manager
 
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF
T. 0330 3131840  F. 01625 524510  [1]ico.org.uk  [2]twitter.com/iconews
For information about what we do with personal data see our [3]privacy
notice
Please consider the environment before printing this email

 
 

References

Visible links
1. http://ico.org.uk/
2. https://twitter.com/iconews
3. https://ico.org.uk/global/privacy-notice/

Information Commissioner's Office

06 April 2019
 
Case Reference Number RCC0830889
 
Review of response to information request
 
I write further to your email of 19 March 2019 in which you requested a
review of the handling of your request dealt with under the reference
number IRQ0790867.  I am the Group Manager in the Information Access
service team and I have been asked to review the way we handled your
request for information. I can confirm that I have had no prior
involvement in the handling of this request.
 
 
Your information request
 
Your request for review concerns the handling of your request of 2 October
2018. You had asked:
 
“GDPR Dear Information Commissioner’s Office, Under FOI, please may you
supply the following: - Your GDPR policy (not the Guide to GDPR which is
available to the public) - Your information asset register - Explanation
on how you rate the risks on your risk register and any other relevant
guidance related to this - Your Record of Processing Activity - your data
sharing agreement template or equivalent - your e-learning and/or
classroom training and other training materials on FOI, EIR, PECR and
GDPR - explanation on how you manage your internal breaches and any other
relevant guidance related to this - your data flow map template and
guidance to staff how to complete this - your DPIA template which is used
by your staff and guidance on how to complete this - explanation how you
rate risks on the DPIA and any other relevant guidance related to this
Thank you, Sarah Evans”
 
Our response
 
On 30 October 2018 my colleague Fred Aspbury wrote to you in response to
your request and provided you with a partial response excluding the
information you requested on the information asset register and the
Records of processing activities. This further information was provided to
you on 15 February 2019.
 
On 19 March 2019 you wrote to us again via What Do They Know and stated:
 
“GDPR Dear Information Commissioner’s Office, Please pass this on to the
person who conducts Freedom of Information reviews. I am writing to
request an internal review of Information Commissioner’s Office's handling
of my FOI request 'GDPR'. The delay in responding within the 20 working
days and not providing an adequate response to my request. A full history
of my FOI request and all correspondence is available on the Internet at
this address:
https://emea01.safelinks.protection.outl...
Yours faithfully, Sarah Evans”
 
 
 
Our internal review
 
I replied to your request on 23 March 2019 and asked for clarification as
you felt your response was “inadequate” but I am not aware of what aspect
of the response you were dissatisfied with. Unfortunately as I have not
received a reply I am unable to review this part of your request.
 
Insofar as your complaint regarding the timescales, I uphold this part of
your complaint and my colleague Fred Aspbury has already made apologies to
you for the delay in responding to two parts of your request.
 
 
This concludes my internal review and all matters have been addressed.

 
Complaint procedure
 
If you are dissatisfied with the outcome of this review you can make a
formal complaint with the ICO in its capacity as the regulator of The
Freedom of Information Act 2000. Please follow the link below to submit
your complaint:

[1]https://ico.org.uk/concerns/

 
Yours sincerely
 
 
 
 
 
 
 

Elizabeth Baxter
Information Access Group Manager
 
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF
T. 0330 3131840  F. 01625 524510  [2]ico.org.uk  [3]twitter.com/iconews
For information about what we do with personal data see our [4]privacy
notice
Please consider the environment before printing this email

 
 

References

Visible links
1. https://ico.org.uk/concerns/
2. http://ico.org.uk/
3. https://twitter.com/iconews
4. https://ico.org.uk/global/privacy-notice/