Major breach data

Ben Rymer made this Freedom of Information request to Information Commissioner's Office

The request was refused by Information Commissioner's Office.

Dear Information Commissioner’s Office,
I wish to request the research underlying the recent investigations into the RSPCA and British Heart Foundation regarding their screening and profiling practices (which preceded the recent fines levied against them by the ICO). I also wish to request any correspondence relating to the fines between the ICO and the two charities.
Yours faithfully,
Ben Rymer

AccessICOinformation, Information Commissioner's Office

Thank you for contacting the Information Commissioner’s Office. We confirm
that we have received your correspondence.

 

If you have made a request for information held by the ICO we will contact
you as soon as possible if we need any further information to enable us to
answer your request. If we don't need any further information we will
respond to you within our published, and statutory, service levels. For
more information please visit [1]http://ico.org.uk/about_us/how_we_comply

 

If you have raised a new information rights concern - we aim to send you
an initial response and case reference number within 30 days.

 

If you are concerned about the way an organisation is handling your
personal information, we will not usually look into it unless you have
raised it with the organisation first. For more information please see our
webpage ‘raising a concern with an organisation’ (go to our homepage and
follow the link ‘for the public’). You can also call the number below.

 

If you have requested advice - we aim to respond within 14 days.

 

If your correspondence relates to an existing case - we will add it to
your case and consider it on allocation to a case officer.

 

Copied correspondence - we do not respond to correspondence that has been
copied to us.

 

For more information about our services, please see our webpage ‘Service
standards and what to expect' (go to our homepage and follow the links for
‘Report a concern’ and ‘Service standards and what to expect'). You can
also call the number below.

 

If there is anything you would like to discuss with us, please call our
helpline on 0303 123 1113.

 

Yours sincerely

 

The Information Commissioner’s Office

 

Our newsletter

Details of how to sign up for our monthly e-newsletter can be found at
[2]http://www.ico.org.uk/tools_and_resource...

 

Twitter

Find us on Twitter at [3]http://www.twitter.com/ICOnews

 

The ICO's mission is to uphold information rights in the public interest.
To find out more about our work please visit our website, or subscribe to
our e-newsletter at ico.org.uk/newsletter.

If you are not the intended recipient of this email (and any attachment),
please inform the sender by return email and destroy all copies without
passing to any third parties.

If you'd like us to communicate with you in a particular way please do let
us know, or for more information about things to consider when
communicating with us by email, visit ico.org.uk/email

References

Visible links
1. http://ico.org.uk/about_us/how_we_comply
2. http://www.ico.org.uk/tools_and_resource...
3. http://www.twitter.com/ICOnews

Information Commissioner's Office

1 Attachment

10 January 2017

 

Case Reference Number IRQ0659171

 

Dear Mr Rymer,

I write in response to your email of 8 December 2016 in which you
submitted an information request to the ICO. Your request has been dealt
with in accordance with the Freedom of Information Act 2000 (FOIA) and our
response is below.
 
Your request
 
In your 8 December email you asked;
 
“I wish to request the research underlying the recent investigations into
the RSPCA and British Heart Foundation regarding their screening and
profiling practices (which preceded the recent fines levied against them
by the ICO). I also wish to request any correspondence relating to the
fines between the ICO and the two charities.”
 
Our response
 
I can confirm we hold information within the scope of your request and a
copy of as much of this information as we are able to disclose is
attached. Some information has been withheld and this is explained further
below.
 
For context it may be helpful to first explain that a number of charities,
(including the RSPCA and BHF) came to our attention through media coverage
in 2015. In particular a Daily Mail article published on 31 August 2015.
You can read this article here
[1]http://www.dailymail.co.uk/news/article-....
Consequently we then wrote to a number of charities mentioned in the
article.
 
Decisions about regulatory action are made in accordance with our data
protection regulatory action policy and this may be of interest to you.
This is available on our website here
[2]https://ico.org.uk/media/about-the-ico/p....
 
In the case of monetary penalties we also have an additional procedure
available here
[3]https://ico.org.uk/media/about-the-ico/p....
 
In respect of the first aspect of your request for “research underlying
the recent investigations into the RSPCA and British Heart Foundation”
please find attached a redacted copy of a report concerning the charities
sector.
 
This report is the only information we hold that can be described as
“research underlying” these investigations. However as indicated above we
also corresponded with both the RSPCA and BHF about their practices as
part of our investigation. We have also therefore considered if this
correspondence can be disclosed in relation to both this and the second
aspect of your request.
 
Information in the attached report has been redacted under section 31 of
the FOIA. Additionally the correspondence we hold exchanged between us and
both the RSPCA and BHF has been withheld in full under section 31 and
section 44 of the FOIA.
 
The exemption at section 31 of the FOIA applies where disclosure would
prejudice our ability to carry out our regulatory function. In this case
we have a number of ongoing investigations into organisations in the
charity sector and the issue of compliance in the sector is still
therefore ‘live’.
 
Section 31(1)(g) of the FOIA refers to circumstances where the disclosure
of information “would, or would be likely to, prejudice – … the exercise
by any public authority of its functions for any of the purposes specified
in subsection (2).”
 
In this case the relevant purposes contained in subsection 31(2) are
31(2)(a) and 31(2)(c) which state;
 
“(a) the purpose of ascertaining whether any person has failed to comply
with the law” and
“(c) the purpose of ascertaining whether circumstances which would justify
regulatory action in pursuance of any enactment exist or may arise,”    
 
This exemption is not absolute and is subject to a public interest test. I
have therefore gone on to consider if the public interest in this instance
lies in favour of disclosure or maintaining the exemption.
 
Public interest arguments in favour of disclosure
 

* There is a public interest in the ICO publishing information which
helps to demonstrate that we are complying with our duties.
 
* There is a public interest in the ICO being open and transparent about
our regulatory work. This helps promote public awareness and
understanding of our work.

 
Public interest arguments in favour of maintaining the exemption
 
 

* There is a strong public interest in the Commissioner ensuring that no
information is disclosed prematurely in a way that can likely cause
harm to current or future investigations.
 
* There is a public interest in maintaining our ability to conduct
investigations and carry out enforcement action in line with
established processes and procedures without the risk of prejudicing
these investigations and any subsequent enforcement action that we may
decide to take.
 
* There is a public interest in the ICO being able to maintain effective
and productive relationships with the data controllers we regulate. It
is essential that organisations continue to engage with us in a
constructive and collaborative way without fear that the information
they provide to us will be made public prematurely or, as appropriate
at all.
 
* There is a public interest in the ICO complying with the law. For
example, there is expectation that it will comply with section
59(1)(a) of the Data Protection Act 1998 (DPA) by ensuring that the
details it receives about data controllers in the course of its
investigations remain confidential.
 
* There is a public interest in the ICO providing a cost effective and
efficient regulatory function. This relies on the cooperation of data
controllers and we feel this is best achieved by an informal, open,
voluntary and uninhibited exchange of information with these
organisations. We feel that the cooperation of data controllers may be
adversely affected if all details that they provide us were routinely
made public. This would be likely to make data controllers more
cautious about providing information to us which would in turn
prejudice our ability to deliver the levels of service required of us.
* There is a public interest in maintaining the ICO’s ability to conduct
investigations as it thinks fit without undue external influence.

Having considered the arguments both for and against disclosure, and our
published ‘[4]Communicating Regulatory Activity’ policy, we have concluded
that the arguments in favour of maintaining the exemption outweigh those
in favour of disclosure.
 
We are also of the view that the public interest in disclosure of
information about our investigations into both BHF and the RSPCA has in
part already been met by the information that we have already published.
This includes the monetary penalty notices themselves and the additional
information on our website.  
 
You can read the two monetary penalty notices here
[5]https://ico.org.uk/action-weve-taken/enf... and further
information about our investigations is available here
[6]https://ico.org.uk/about-the-ico/news-an...
and here
[7]https://ico.org.uk/for-the-public/charit....
 
Aspects of the correspondence have also been withheld under section 44 of
the FOIA which places prohibitions on the disclosure of information by the
ICO.
 
Section 44 of the FOIA states;
 
“(1) Information is exempt information if its disclosure (otherwise than
under this Act) by the public authority holding it –
(a) is prohibited by or under any enactment”
 
The relevant enactment prohibiting the ICO from disclosing this
information is the Data Protection Act 1998 (DPA), specifically section 59
which states;
 
“(1) No person who is or has been the Commissioner, a member of the
Commissioner’s staff or an agent of the Commissioner shall disclose any
information which –
(a) has been obtained by, or furnished to, the Commissioner under or for
the purposes of the information Acts,
(b) relates to an identified or identifiable individual or business, and
(c) is not at the time of the disclosure, and has not previously been,
available to the public from other sources,
unless the disclosure is made with lawful authority”
 
The withheld information was provided to us by both BHF and the RSPCA as
the regulator of the DPA and it is not information that is available to
the public from another source.
 
It is important to understand that we rely on the co-operation of
organisations to provide us with relevant information to enable us to
fulfil our duty to provide guidance and influence behaviour regarding the
processing of personal data. If we were to release all of the information
which we receive during the course of our regulatory activities this would
be likely to deter organisations from providing information to us and this
would be likely to undermine our regulatory function.
 
Section 59(2) of the DPA explains that there are five circumstances when
the ICO could have lawful authority to disclose information; this is an
exhaustive list. Having considered these circumstances we do not consider
in this instance that we have lawful authority to disclose this
information here.
 
This concludes our response to your request. I appreciate this response
may be disappointing however I hope the above explanation is helpful.
 
Next steps / review procedure
 
If you are dissatisfied with the response you have received and wish to
request a review of our decision or make a complaint about how your
request has been handled you should write to the Information Access team
at the address below or e-mail [8][ICO request email].

Your request for internal review should be submitted to us within 40
working days of receipt by you of this response. Any such request received
after this time will only be considered at the discretion of the
Commissioner.
 
If having exhausted the review process you are not content that your
request or review has been dealt with correctly, you have a further right
of appeal to this office in our capacity as the statutory complaint
handler under the legislation. To make such an application, please visit
the ‘Concerns’ section of our website to make a Freedom of Information Act
or Environmental Information Regulations complaint online.
 
A copy of our review procedure is available here
[9]https://ico.org.uk/media/about-the-ico/p...

Yours sincerely
 
Steven Johnston
Lead Information Access Officer
 

References

Visible links
1. http://www.dailymail.co.uk/news/article-...
2. https://ico.org.uk/media/about-the-ico/p...
3. https://ico.org.uk/media/about-the-ico/p...
4. https://ico.org.uk/media/about-the-ico/p...
5. https://ico.org.uk/action-weve-taken/enf...
6. https://ico.org.uk/about-the-ico/news-an...
7. https://ico.org.uk/for-the-public/charit...
8. mailto:[ICO request email]
9. https://ico.org.uk/media/about-the-ico/p...

Dear Information Commissioner’s Office,

Please pass this on to the person who conducts Freedom of Information reviews.

I am writing to request an internal review of Information Commissioner’s Office's handling of my FOI request 'Major breach data'.

In refusing part of my original request, you said "the correspondence we hold exchanged between us and both the RSPCA and BHF has been withheld in full under section 31 and section 44 of the FOIA. The exemption at section 31 of the FOIA applies where disclosure would prejudice our ability to carry out our regulatory function". As Operation Cinnabar has now concluded, releasing the requested correspondence would now not prejudice your ability to carry out your regulatory function, and I wish to renew my request for you to release this correspondence.

A full history of my FOI request and all correspondence is available on the Internet at this address: https://www.whatdotheyknow.com/request/m...

Yours faithfully,

Ben Rymer

Information Commissioner's Office

9 February 2017

 

Case Reference Number IRQ0659171

 

Dear Mr Rymer,

Thank you for your emails received on 5 February 2017 in which you have
requested internal reviews of our responses to your information requests
IRQ0660341 and IRQ0659171. You have also stated that you wish to renew one
of your requests which we understand to be you asking that we reconsider
the matter as a new information request.
 
In both of your emails you have referred to Operation Cinnabar being
concluded and this seems to be the basis upon which you are requesting
these internal reviews.
 
We should clarify that whilst this investigation is complete the decision
making about enforcement action is not. If regulatory action is taken by
us there may also be an appeal period to consider. Consequently our
position on the disclosure of the information you have requested is likely
to remain unchanged at this time.
 
We understand that this may change your view on whether you wish to pursue
internal reviews at this time and in light of this we would be grateful if
you could clarify how you wish us to proceed by responding to this email. 
 
Thank you for your assistance.
 
Yours sincerely

Information Access Team
 
 

Dear Information Commissioner’s Office,
Thanks for this clarification. It would be helpful to know when the appeal decision-making/period ends, as I do think there is significant public interest in releasing the information I originally requested but do not want to initiate a review within the appeal period as it is likely to be fruitless.
Yours faithfully,
Ben Rymer

Information Commissioner's Office

9 March 2017

 

Case Reference Number IRQ0659171

 

Dear Mr Rymer,

In response to your enquiry I can advise that there is a 28 day period for
a data controller to appeal a CMP notice. In respect of the penalties
issued to the RSPCA and the British Heart Foundation this period has now
lapsed.
 
However you may be aware that the ICO has recently issued eleven
additional charities with notices of intent to issue them with monetary
penalties. There is further information available about this on our
website here:
 
[1]https://ico.org.uk/about-the-ico/news-an...
 
As you will see the charities are given 28 days to respond to the ICO’s
notices of intent. We will then consider representations made by each
charity before making a final decision about enforcement action in each
case. Unfortunately I am not able to provide a definitive timeframe for
how long that process may take as this can vary depending on the
complexity of each individual case.
 
I hope this clarification is helpful.
 
Yours sincerely
 
Steven Johnston
Lead Information Access Officer
 
 

References

Visible links
1. https://ico.org.uk/about-the-ico/news-an...