Independence, Collaboration, and GDPR
Dear Information Commissioner’s Office,
I understand you are collaborating with "a cross selection of UK organisations" to "building consumers' trust and confidence".
The ICO are supposedly an "independent" body, and collaboration between an independent regulator and the organisations it is meant to regulate seems quite inappropriate.
Please could you list for me the organisations with which you are collaborating, and the measures you are taking to ensure that your independence is not compromised by concern to protect the interests of your collaborators?
Please could you also disclose the extent of that collaboration. For example, what correspondence has been exchanged, what meetings have taken place, and what agreements/memorandum of understandings have been reached in the course of that collaboration?
On a related note, could you confirm for me you still maintain a memorandum of understanding with BT? Has the ICO ever taken any enforcement action against BT?
Yours faithfully,
P. John
Thank you for contacting the Information Commissioner’s Office. We confirm
that we have received your correspondence.
If you have made a request for information held by the ICO we will contact
you as soon as possible if we need any further information to enable us to
answer your request. If we don't need any further information we will
respond to you within our published, and statutory, service levels. For
more information please visit [1]http://ico.org.uk/about_us/how_we_comply.
If you have raised a new information rights concern - we aim to send you
an initial response and case reference number within 30 days.
If you are concerned about the way an organisation is handling your
personal information, we will not usually look into it unless you have
raised it with the organisation first. For more information please see our
webpage ‘raising a concern with an organisation’ (go to our homepage and
follow the link ‘for the public’). You can also call the number below.
If you have requested advice - we aim to respond within 14 days.
If your correspondence relates to an existing case - we will add it to
your case and consider it on allocation to a case officer.
Copied correspondence - we do not respond to correspondence that has been
copied to us.
For more information about our services, please see our webpage ‘Service
standards and what to expect' (go to our homepage and follow the links for
‘Report a concern’ and ‘Service standards and what to expect'). You can
also call the number below.
If there is anything you would like to discuss with us, please call our
helpline on 0303 123 1113.
Yours sincerely
The Information Commissioner’s Office
Our newsletter
Details of how to sign up for our monthly e-newsletter can be found at
[2]http://www.ico.org.uk/tools_and_resource...
Find us on Twitter at [3]http://www.twitter.com/ICOnews
References
Visible links
1. http://ico.org.uk/about_us/how_we_comply
2. http://www.ico.org.uk/tools_and_resource...
3. http://www.twitter.com/ICOnews
1 February 2018
Case Reference Number IRQ0718535
Dear P John
Request for Information
We are now able to respond to your request for information of 4 January.
We have dealt with your request in accordance with your ‘right to know’
under section 1(1) of the Freedom of Information Act 2000 (FOIA).
Request
In your message you asked:
“I understand you are collaborating with "a cross selection of UK
organisations" to "building consumers' trust and confidence". The ICO are
supposedly an "independent" body, and collaboration between an independent
regulator and the organisations it is meant to regulate seems quite
inappropriate. Please could you list for me the organisations with which
you are collaborating, and the measures you are taking to ensure that your
independence is not compromised by concern to protect the interests of
your collaborators? Please could you also disclose the extent of that
collaboration. For example, what correspondence has been exchanged, what
meetings have taken place, and what agreements/memorandum of
understandings have been reached in the course of that collaboration? On a
related note, could you confirm for me you still maintain a memorandum of
understanding with BT? Has the ICO ever taken any enforcement action
against BT?”
Our response
I have provided our response to each part of your request as follows:
Request: “I understand you are collaborating with "a cross selection of UK
organisations" to "building consumers' trust and confidence". The ICO are
supposedly an "independent" body, and collaboration between an independent
regulator and the organisations it is meant to regulate seems quite
inappropriate. Please could you list for me the organisations with which
you are collaborating, and the measures you are taking to ensure that your
independence is not compromised by concern to protect the interests of
your collaborators?”
Response: We interpret your request as being in relation to an initiative
to increase public trust and confidence in how organisations store their
personal data and make it available, by working with such organisations to
engage with the public. Specific details have been placed on our website
and can be accessed via the link below:
[1]https://ico.org.uk/for-organisations/res...
It is intended that a list of the organisations the ICO is working with in
relation to this initiative will be published in due course. As a result
the information we hold falling within this part of your request falls
within the exemption at section 22 of the FOIA and is therefore withheld
at this time. I have provided some more detail regarding this part of the
Act and the accompanying public interest test below.
The only information held regarding the ‘measures you are taking to ensure
that your independence is not compromised by concern to protect the
interests of your collaborators’ is the statement entitled ‘Collaboration,
transparency and accessibility’ available on the webpage referred to
above.
Request: “Please could you also disclose the extent of that collaboration.
For example, what correspondence has been exchanged, what meetings have
taken place, and what agreements/memorandum of understandings have been
reached in the course of that collaboration?”
Response: I can confirm the extent of this correspondence which is a
letter containing the information published at the web link above sent out
to the relevant bodies. I attach copies of the three variants of our
outgoing letter which we are able to disclose to you.
I can confirm our letters have received replies. These replies fall within
the scope of your request. However as they were brought to the ICO with an
expectation of confidence and we have no lawful authority to disclose to
the world at large, we are withholding them pursuant to section 44 of the
FOIA. I have provided more detail regarding this part of the Act below.
I can also confirm that two meetings have been scheduled but have yet to
take place, and that no ‘agreements/Memorandum of understandings’ have
been recorded in relation to this project.
Request: “On a related note, could you confirm for me you still maintain a
memorandum of understanding with BT?”
Response: I can confirm we hold a memorandum of understanding (MoU) with
BT Security Investigations as agreed in 2010 and that this is the same
document disclosed to you previously.
Request: “Has the ICO ever taken any enforcement action against BT?”
Response: The ICO has taken enforcement action against BT. You can see
details about any enforcement action we have taken on our webpage at
[2]https://ico.org.uk/action-weve-taken/enf.... Information
predating that which we have placed on our website will be available
through the archived versions of our website as held by The National
Archives (TNA). You will be able to find versions of our enforcement pages
covering the information we hold at the following links:
http://webarchive.nationalarchives.gov.u...
http://webarchive.nationalarchives.gov.u...
http://webarchive.nationalarchives.gov.u...
http://webarchive.nationalarchives.gov.u...
http://webarchive.nationalarchives.gov.u...
http://webarchive.nationalarchives.gov.u...
http://webarchive.nationalarchives.gov.u...
http://webarchive.nationalarchives.gov.u....
You will also be able to see details regarding BT enforcement cases on
which we hold information through our published casework data sets. These
are on our website at the link below. Filtering “Submitted about party” to
‘BT Group PLC’ and “Case Type” to ‘Enforcement’ will provide a summary of
all the enforcement cases we have undertaken regarding that organisation
in the relevant time period.
https://ico.org.uk/about-the-ico/our-inf...
Finally, I can also confirm that in one case dating from June 2017 but not
available on the links above, we fined BT £1,000 following a breach of
regulation 5a of the Privacy and Electronic Communications Regulations
2004 (PECR). Regulation 5a concerns obligations on communication service
providers such as BT. In this instance we found that BT had failed to
report a personal data security breach to the ICO within a 24 hour
timescale.
FOIA section 22
Section 22 of the Act states that information is exempt from disclosure in
response to an information request if:
“(a) the information is held by the public authority with a view to its
publication, by the authority or any other person, at some future date
(whether determined or not),
(b) the information was already held with a view to such publication at
the time when the request for information was made, and
(c) it is reasonable in all the circumstances that the information should
be withheld from disclosure until the date referred to in paragraph (a).”
In this case we find that the exemption at section 22 of the FOIA applies
to the names of bodies we are working with in respect of the initiative
described above and explained in depth at the provided link to our
website.
The exemption at section 22 is qualified by the public interest test,
meaning that the information should be disclosed if the public interest in
the maintenance of the exemption does not outweigh the public interest in
disclosure.
In this case the public interest factors in disclosing the information
are:
* Ensuring transparency in respect of ICO activity and in particular as
regards its working with external data controllers it has statutory
responsibilities to regulate.
The factors in withholding the information are:
* We consider that publication of the list now could undermine the
initiative’s impact. It is in the public interest that the ICO explore
the best way to promote messages regarding information rights
generally and the changing legal framework in respect of data
protection in particular.
* We regularly work with external stakeholders where we think there are
opportunities to improve information rights.
* That external organisations are working with the ICO to promote core
messages into the public domain will inherently mean that the list of
external stakeholders in relation to this piece of work would be
transparent.
* The ICO has committed to publishing a list of the organisations
involved in this work.
* Earlier disclosure is not necessary to satisfy any pressing public
interest at the present time.
Having considered the public interest arguments, we have decided to
withhold this information in reference to section 22 of FOIA.
FOIA section 44
Information provided by external stakeholders was provided ‘in confidence’
for the purposes of our work. It is being withheld by the ICO under the
provisions of section 44 of the FOIA which places prohibitions on
disclosure.
Section 44(1)(a) of the FOIA states;
‘(1) Information is exempt information if its disclosure (otherwise than
under this Act) by the public authority holding it -
(a) is prohibited by or under any enactment’
The enactment in question is the Data Protection Act 1998 (DPA) and
specifically section 59 of that Act. Section 59 states that neither the
Commissioner nor her staff shall disclose:
“any information which:
a. has been obtained by, or furnished to, the Commissioner under or
for the purposes of the information Acts.
b. relates to an identified or identifiable individual or business,
and
c. is not at the time of disclosure, and has not been available to
the public from other sources, unless the disclosure is made with lawful
authority.”
This prevents us from disclosing the information which has been collected
in the course of our work unless we have lawful authority to do so. We do
not have lawful authority on the basis that this information was provided
to us ‘in confidence’.
Review Procedure
I understand that parts of this response may be disappointing but I hope
our explanation and external links are helpful. However, if you are
dissatisfied with this response and wish to request a review of our
decision or make a complaint about how your request has been handled you
should write to the Information Access Team at the address below or e-mail
[3][ICO request email].
Your request for internal review should be submitted to us within 40
working days of receipt by you of this response. Any such request received
after this time will only be considered at the discretion of the
Commissioner.
If having exhausted the review process you are not content that your
request or review has been dealt with correctly, you have a further right
of appeal to this office in our capacity as the statutory complaint
handler under the legislation. To make such an application, please write
to our Customer Contact Team at the address given or visit our website if
you wish to make a complaint under the Freedom of Information Act.
A copy of our review procedure can be accessed from our website [4]here.
Yours sincerely
Danny Langley
Lead Information Access Officer
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF
T. 01625 545784 F. 01625 524510 [5]ico.org.uk [6]twitter.com/iconews
References
Visible links
1. https://ico.org.uk/for-organisations/res...
2. https://ico.org.uk/action-weve-taken/enf...
3. mailto:[ICO request email]
4. https://ico.org.uk/media/about-the-ico/p...
5. http://ico.org.uk/
6. https://twitter.com/iconews
Dear Information Commissioner’s Office,
Thank you for your response to my FoIA request seeking information about your collaboration with industry over the GDPR.
I'm disappointed that you refuse to release details of the participants, particularly so given the few details you release say; "A principle of transparency will apply throughout and the ICO will communicate ongoing details of the initiative through all their external channels and ongoing updates to industry. Hub participants will also be responsible for onward sharing of updates to their nominated contacts".
I think - as a stakeholder in the protection of personal information about me - I have an interest in knowing who you are "collaborating" with when you claim to be an independent regulator...
Yours faithfully,
P. John