Internet access logs

Thank you for contacting the Information Commissioner’s Office. We confirm
that we have received your correspondence.

If you have made a request for information held by the ICO we will contact
you as soon as possible if we need any further information to enable us to
answer your request. If we don't need any further information we will
respond to you within our published, and statutory, service levels. For
more information please visit [1]http://ico.org.uk/about_us/how_we_comply

. 

If you have raised a new information rights concern - we aim to send you
an initial response and case reference number within 30 days.

If you are concerned about the way an organisation is handling your
personal information, we will not usually look into it unless you have
raised it with the organisation first. For more information please see our
webpage ‘raising a concern with an organisation’ (go to our homepage and
follow the link ‘for the public’). You can also call the number below.

If you have requested advice - we aim to respond within 14 days.

If your correspondence relates to an existing case - we will add it to
your case and consider it on allocation to a case officer.

Copied correspondence - we do not respond to correspondence that has been
copied to us.

For more information about our services, please see our webpage ‘Service
standards and what to expect' (go to our homepage and follow the links for
‘Report a concern’ and ‘Service standards and what to expect'). You can
also call the number below.

If there is anything you would like to discuss with us, please call our
helpline on 0303 123 1113.

Yours sincerely

The Information Commissioner’s Office

Our newsletter

Details of how to sign up for our monthly e-newsletter can be found at
[2]http://www.ico.org.uk/tools_and_resource...

Twitter

Find us on Twitter at [3]http://www.twitter.com/ICOnews

show quoted sections

Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire, SK9 5AF
Tel: 0303 123 1113 Fax: 01625 524 510 Web: www.ico.org.uk

References

Visible links
1. http://ico.org.uk/about_us/how_we_comply
2. http://www.ico.org.uk/tools_and_resource...
3. http://www.twitter.com/ICOnews

7th November 2014

Case Reference Number IRQ0557954

Dear Mr Cross

Further to your correspondence of 12 October we are now in a position to
respond to your request. We have considered your request under the Freedom
of Information Act 2000 (FOIA).
 
Your request read:
 
“Please can you provide me with a copy of the ICO's internet access log
for September 2014.
 
I would expect the internet access log to include:
(1) the URL of each webpage accessed in the period
(2) the time and date that each webpage was accessed”
 
 
 
Unfortunately,we are not able to provide the information that you have
requested within the cost limit set out at section 12 FOIA. We will
explain why below.
 
First, we should explain that this type of information is normally
retained for 30 days .By the time of us handling your request we did not
hold much of September’s records and so we did not hold all of the
information that could fall into the scope of your request. However, we
were able to sample the information and clearly establish that we would
not be able to provide the information for any 30 day period within the
cost limit. We must also be clear that there is not a single log or report
which would show the ‘ICO’s internet access log’. We have tried to see if
it is possible for us to locate and extract the information you have
requested but can see that it is not possible for us to do this anywhere
near within the cost limit. There is simply no one report that we could
run which would be the ‘ICO’s internet access log’ that would fulfil your
request. The ICO employs some 400 people.
 
Our web monitoring tool logs a vast amount of information (websites and
its components visited, websites blocked, server health, link bandwidth
statistics are a few).  We could produce a report of the surfing
information for a single user, however a report against one randomly
selected user filled 167 data files at which point it was truncated, the
data in the report only accounted for about 7hrs of 1 day.
 
It may be possible to produce a number of reports to provide this
information, however this would involve producing multiple reports for
each individual for each day. Also, some websites may have been
deliberately visited, while others were not deliberately accessed. We
cannot easily see which websites or webpages have been deliberately
accessed compared with those that have been not deliberately accessed
because of the categories of information our web monitoring tool logs. To
extract this type of information would require a manual trawl through
thousands of data files. For this reason, the information we could extract
from the report would be of limited value in determining which web pages
were deliberately accessed by ICO staff.
 
 
Section 12 of the Freedom of Information Act 2000 (FOIA) makes clear that
a public authority (such as the Information Commissioner’s Office – the
ICO) is not obliged to comply with an FOIA request if the authority
estimates that the cost of complying with the request would exceed the
‘appropriate limit'.  The ‘appropriate limit’ for the ICO, as determined
in the ‘Freedom of Information and Data Protection (Appropriate Limit and
Fees) Regulations 2004’ is £450.  We have determined that £450 would
equate to 18 hours work. 
 
As a matter of advice and assistance – we could consider for disclosure a
report showing requests to the servers but this will not reflect the
actual webpages accessed. We should also state that the ICO has a personal
use policy which sets out the ways in which staff should use the internet.
If there are concerns about individual internet use it is possible for the
ICO to check individual access to assist in ascertaining whether this has
been done within the limitations of the policy.
 
 
I am sorry we were unable to provide you with the information you
requested on this occasion.
 
Yours sincerely

Iman Elmehdawy
Lead Information Governance Officer
 
 
Complaints/Reviews
 
If you are dissatisfied with the response you have received and wish to
request a review of our decision or make a complaint about how your
request has been handled you should write to the Information Access team
at the address below or e-mail [ICO request email].
 
Your request for internal review should be submitted to us within 40
working days of receipt by you of this response. Any such request received
after this time will only be considered at the discretion of the
Commissioner.
 
If having exhausted the review process you are not content that your
request or review has been dealt with correctly, you have a further right
of appeal to this office in our capacity as the statutory complaint
handler under the legislation.  To make such an application, please visit
the ‘Concerns’ section of our website to make a Freedom of Information Act
or Environmental Information Regulations complaint online.
 
A copy of our review procedure is available here
 [1]http://ico.org.uk/about_us/~/media/docum...
 
 
 

show quoted sections

Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire, SK9 5AF
Tel: 0303 123 1113 Fax: 01625 524 510 Web: www.ico.org.uk

References

Visible links
1. http://ico.org.uk/about_us/~/media/docum...

Thank you for contacting the Information Commissioner’s Office. We confirm
that we have received your correspondence.

If you have made a request for information held by the ICO we will contact
you as soon as possible if we need any further information to enable us to
answer your request. If we don't need any further information we will
respond to you within our published, and statutory, service levels. For
more information please visit [1]http://ico.org.uk/about_us/how_we_comply

. 

If you have raised a new information rights concern - we aim to send you
an initial response and case reference number within 30 days.

If you are concerned about the way an organisation is handling your
personal information, we will not usually look into it unless you have
raised it with the organisation first. For more information please see our
webpage ‘raising a concern with an organisation’ (go to our homepage and
follow the link ‘for the public’). You can also call the number below.

If you have requested advice - we aim to respond within 14 days.

If your correspondence relates to an existing case - we will add it to
your case and consider it on allocation to a case officer.

Copied correspondence - we do not respond to correspondence that has been
copied to us.

For more information about our services, please see our webpage ‘Service
standards and what to expect' (go to our homepage and follow the links for
‘Report a concern’ and ‘Service standards and what to expect'). You can
also call the number below.

If there is anything you would like to discuss with us, please call our
helpline on 0303 123 1113.

Yours sincerely

The Information Commissioner’s Office

Our newsletter

Details of how to sign up for our monthly e-newsletter can be found at
[2]http://www.ico.org.uk/tools_and_resource...

Twitter

Find us on Twitter at [3]http://www.twitter.com/ICOnews

show quoted sections

Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire, SK9 5AF
Tel: 0303 123 1113 Fax: 01625 524 510 Web: www.ico.org.uk

References

Visible links
1. http://ico.org.uk/about_us/how_we_comply
2. http://www.ico.org.uk/tools_and_resource...
3. http://www.twitter.com/ICOnews

14th November 2014

Case Reference Number RCC0561574

Dear Mr Cross

 
Thank you for your correspondence dated 10 November 2014. 
 
This correspondence will now be treated as a request for an internal
review of the response we provided to your recent request for information
under the Freedom of Information Act 2000.
  
We will aim to respond by 9 December 2014 which is 20 working days from
the day after we received your recent correspondence.  This is in
accordance with our internal review procedures which were provided with
our response.
 

Yours sincerely

Iman Elmehdawy
Lead Information Access Officer

show quoted sections

Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire, SK9 5AF
Tel: 0303 123 1113 Fax: 01625 524 510 Web: www.ico.org.uk

9th December 2014

Case Reference Number RCC0561574

Dear Mr Cross

I have been asked to consider your request for an internal review of the
handling of your recent request for information.

Your request was for:

‘ a copy of the ICO’s internet access log for September 2014.’
You explained that you ‘would expect the internet access log to include:
(1) the URL of each webpage accessed in the period
(2) the time and date that each webpage was accessed.’
In your internal review request you made it clear that you wanted all of
the information which was included as part of the ICO’s internet access
log for September 2014 and that the URLs of each webpage accessed and the
time and date of access were simply examples of the types of information
which you would expect to see included in the log.

In order to carry out this internal review I have made further enquiries
about the information which falls within the scope of your request. It may
be helpful to provide some further explanation here.

Detailed information about all internet access is captured and recorded by
the ICO’s web monitoring tool. All internet traffic between the user’s PC
and the proxy server is logged in real time. This includes URLs visited
and any URLs needed to display a page for example  adverts and other
links. This detailed information is held for 30 days and then it is
automatically deleted. This detailed information is only held for a short
period of time and primarily as part of our forensic readiness
arrangements in case there is a need to investigate any incident relating
to internet access for example any incidents which may relate to malware
or viruses.  
  
To give you some idea of the volume of detailed information captured by
the web monitoring tool a report was run for a single randomly selected
user as part of the work carried out to consider your information request.
The data filled 167 pages of a report at which point it was truncated
because of the sheer volume of data being retrieved. The report only
accounted for around seven hours of one day.  

Your request for information was received on 12 October 2014. Therefore,
any detailed information captured between1 to 11 September would already
have been routinely deleted by the time your request was received. All of
the detailed information for September had been routinely deleted by the
end of 30 October 2014.

Work began on your information request on 23 October. All requests are
dealt with in chronological order. This means that only six working days
were available to investigate and comply with your request before the
routine deletion of the detailed information. By the time that the
investigation was completed and your request was responded to on 7
November 2014 I am satisfied that all of the detailed information had been
routinely deleted.
You will be aware that section 1(4) of FOIA states that account may be
taken of any amendment or deletion made between the time of the request
and the time when the information is to be communicated if the amendment
or deletion would have been made regardless of the receipt of the request.
This was the situation here. 
  
However, my further enquiries have established that some “summary”
information relating to internet access is retained for longer than 30
days and I apologise that this was not made clear in our response.
The “summary” information includes user browse time activity, route (eg
from internal group to external category), spyware requests, internet
sites visited, categories, threats, activity from internal machines (IPs),
content rules and user browsing activity. 

A user browsing activity report has been run for a single user in a role
where internet access is not a major part of that role. For the month of
September, 421 entries were logged. The ICO has in excess of 400 staff and
on site suppliers and contractors who will be using the internet on a
daily basis. If we use 421 as an average number of entries logged in the
“summary information” for a single user, we can estimate that for the
whole of the ICO during September there will be more than 168,400 logged
entries. 
I have considered whether the “summary” information for September which
falls within the scope of your request can be disclosed. 
Firstly, I have considered the effort which would be required to comply
with this request. I have established that:
 

* It is not possible to run a single report to extract the information
within the scope of this request because of the volume of information 
involved
* It would be necessary to engage our IT supplier to run batches of
reports for up to 8 users at a time
* It is possible that a report for 8 users would truncate if there were
more entries logged than for an average user and in this case further
steps would be necessary to rerun the report by further splitting the
batch into fewer users
* As explained above the final number of  entries logged in the user
activity reports for 400 users would be in excess of 168,400 entries
* It is estimated that the processing time to run the reports would be
at least one working week during which no other use could be made of
the reporting software
* It would divert IT supplier resources away from management of the
ICO’s IT environment
* Every entry in the log would need to be manually reviewed to determine
whether it could be disclosed or whether an exemption applies
* It is certain that exemptions will apply (for example s31 law
enforcement and s40 personal data).Exemptions will  apply to some
information about internet access relating to the ICO’s regulatory
activity including ongoing criminal investigations, ongoing casework, 
personal data, and information which relates to the protection and
security of the ICO’s IT environment. Potentially exempt information
cannot easily be isolated because it will be scattered throughout the
information  
* The request handler would not understand the context of every log
entry and would need to consult every individual member of staff and
contractor and/or their line manager

Secondly, I have considered the nature of the request and its value
weighed against the impact on the ICO in complying with this request as
described above.
 

* The scope of the request is exceptionally wide consisting as it does
of records of the internet access of every member of staff and
contractor  relating to the work being carried out across the ICO on a
daily basis for the whole of the month of September
* The request lacks any clear focus pointing to a ‘box of information’
without any clear idea of what might be contained within it and it is
doubtful whether this type of request was intended to be caught by
FOIA
* The request does not relate to any specific issue, case, policy or
procedure or indeed any particular area of work carried out by the ICO
and it is not clear what useful purpose or wider public interest would
be served by complying with it
* The request does not appear to have adequate or proper justification
* The entries in the log provided without any context would lack meaning
and be of limited value

After very careful consideration I have concluded that the limited purpose
and value of the request and the lack of any wider public interest
arguments do not justify the disproportionate and unjustified level of
disruption which would be caused by complying with it. It would impose a
significant burden on the ICO, involve a large number of staff in the
review of the information to consider exemptions and redactions and thus
divert resources away from the ICO’s core functions. As a result I am
refusing this request under s14 (1) of the Freedom of Information Act.
Section 14(1) states
‘Section 1(1) does not oblige a public authority to comply with a request
for information if the request is vexatious.’
In dealing with this internal review I have taken account of the guidance
contained within the ICO’s guidance on Dealing with Vexatious Requests
[1]https://ico.org.uk/for_organisations/gui...
 
If, after you have considered the contents of this internal review, you
are able to, or would be willing to provide any further information about
any particular areas of interest I would of course be very happy to
consider further how we might be able to assist you.
 
 
 
Yours sincerely
 
Lesley Bett
Information Governance Group Manager 
 
How to complain under section 50 of the FOIA
If you are not satisfied with the review response you can complain to the
ICO in its capacity as the FOIA regulator.
Information on how to complain is available on the ICO website at:
[2]http://www.ico.gov.uk/complaints/freedom...  
By post: If your supporting evidence is in hard copy, you can fill in the
Word version of our complaint form, print it out and post it to us with
your supporting evidence. A printable Freedom of Information Act
complaints form is available from the ICO website. Please send to:
First Contact Team
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
By email: If all your supporting evidence is available electronically, you
can fill in our online complaint form.

show quoted sections

Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire, SK9 5AF
Tel: 0303 123 1113 Fax: 01625 524 510 Web: www.ico.org.uk

References

Visible links
1. https://ico.org.uk/for_organisations/gui...
2. blocked::http://www.ico.gov.uk/complaints/freedom...
http://www.ico.gov.uk/complaints/freedom...