Responses to DPIAs that meet threshold

Lynn Wyeth made this Freedom of Information request to Information Commissioner's Office

This request has been closed to new correspondence from the public body. Contact us if you think it ought be re-opened.

The request was partially successful.

Dear Information Commissioner's Office,

In your response on wdtk.com (ref IRQ0820973) re. DPIAs, you stated that 2 DPIAs had met the threshold. Could you please provide your responses to those 2 organisations, and any more responses to DPIAs that have met the threshold since that request to date, redacting any identifiers as I do not need to know who the organisations are.

Yours faithfully,

Lynn Wyeth

Information Access Inbox, Information Commissioner's Office

Thank you for contacting the Information Commissioner’s Office. We confirm
that we have received your correspondence.

If you have made a request for information held by the ICO we will contact
you as soon as possible if we need any further information to enable us to
answer your request. If we don't need any further information we will
respond to you within our published, and statutory, service levels. For
more information please visit:

[1]https://ico.org.uk/about-the-ico/our-inf...

If you have raised a new information rights concern - we aim to send you
an initial response and case reference number within 30 days.

If you are concerned about the way an organisation is handling your
personal information, we will not usually look into it unless you have
raised it with the organisation first. For more information please see our
webpage ‘raising a concern with an organisation’ (go to our homepage and
follow the link ‘for the public’). You can also call the number below.

If you have requested advice - we aim to respond within 14 days. 

If your correspondence relates to an existing case - we will add it to
your case and consider it on allocation to a case officer.

Copied correspondence - we do not respond to correspondence that has been
copied to us.

For more information about our services, please see our webpage ‘Service
standards and what to expect' (go to our homepage and follow the links for
‘Report a concern’ and ‘Service standards and what to expect'). You can
also call the number below.

For information about what we do with personal data see our [2]privacy
notice.

If there is anything you would like to discuss with us, please call our
helpline on 0303 123 1113.

Yours sincerely

The Information Commissioner’s Office

References

Visible links
1. https://ico.org.uk/about-the-ico/our-inf...
2. https://ico.org.uk/global/privacy-notice/

Information Commissioner's Office

23 July 2019

 

Case Reference Number IRQ0858417

 

Dear Ms Wyeth

Thank you for your recent request for information. We received your
request on 16 July 2019.
 
We will be considering your request under the Freedom of Information Act
2000. You can expect us to respond in full by 14 August 2019. This is 20
working days from the date we received your request. If, for any reason,
we can’t respond by this date, we will let you know and tell you when you
can expect a response.
 
If you have any questions please contact me using the IRQ case reference
number above or by replying to this email and leaving the subject field
unchanged.
 
Thank you for your interest in the work of the Information Commissioner's
Office.
 
Yours sincerely
 
 

Alexis Karlsson-Jones
Senior Information Access Officer, Risk and Governance Department
Corporate Strategy and Planning Directorate
Working pattern: Tuesday - Friday
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF
F. 01625 524510  [1]ico.org.uk  [2]twitter.com/iconews
For information about what we do with personal data see our [3]privacy
notice. Please consider the environment before printing this email

References

Visible links
1. http://ico.org.uk/
2. https://twitter.com/iconews
3. https://ico.org.uk/global/privacy-notice/

Information Commissioner's Office

1 Attachment

14 August 2019

 

Case Reference Number IRQ0858417

 

Dear Ms Wyeth

Further to my letter dated 23 July 2019, I can confirm we are now in a
position to provide you with a response to your information request of 16
July.
 
We have dealt with your request in accordance with your ‘right to know’
under section 1(1) of the Freedom of Information Act 2000 (FOIA), which
entitles you to be provided with any information ‘held’ by a public
authority, unless an appropriate exemption applies.
 
Your Request
 
“In your response on wdtk.com (ref IRQ0820973) re. DPIAs, you stated that
2 DPIAs had met the threshold. Could you please provide your responses to
those 2 organisations, and any more responses to DPIAS that have met the
threshold since that request to date, redacting any identifiers as I do
not need to know who the organisations are.”
 
Our Response
 
I confirm that we hold information in scope of your request.
 
You have requested the ICO’s responses to the two DPIAs referred to in a
previous Freedom of Information response (IRQ0820973). Since this response
was issued I can confirm that we have issued two further responses to
DPIAs, which met the threshold, following submission for prior
consultation under Article 36 of the General Data Protection Regulations
(GDPR). This makes a total of four DPIA submission responses that are in
scope of this request.
 
Please find attached a copy of the written advice submitted to Transport
for Greater Manchester (TfGM).  You might find it helpful to know that the
advice disclosed relates to the first request for consultation with the
ICO which engaged the criteria for prior consultation as provided for by
Article 36 of the GDPR and Section 65 of the Data Protection Act 2018. The
format of this advice has subsequently changed, with responses now
focusing on any observed ‘concerns’ or ‘observations’ identified by the
ICO when considering a DPIA and any further information requested relating to
the intended processing operation.
 
You will note three redactions within the disclosed information. These
redactions have been made by virtue of sections 44 and 40(3) of the
Freedom of Information Act 2000. I will further explain my application of
these exemptions below.
 
Information withheld – section 44 (1) (a)
 
Some of the information within the response which was provided
to the ICO by TfGM has been withheld under Section 44 of FOIA. This is an
absolute exemption which means that it can be withheld without further
consideration if other legislation prevents its release, if it meets
certain conditions, and if none of the circumstances that would give us
lawful authority to release it apply.
 
Section 44(1)(a) of the FOIA states;
 
‘(1) Information is exempt information if its disclosure (otherwise than
under this Act) by the public authority holding it – 
 

 (a) is prohibited by or under any enactment.’

In this case, the Data Protection Act 2018, Part 5, Section 132 prohibits
the disclosure of confidential information that - 
 

* has been obtained by, or provided to, the Commissioner in the course
of, or for the purposes of, the discharging of the Commissioner’s
functions,
* relates to an identified or identifiable individual or business, and
* is not available to the public from other sources at the time of the
disclosure and has not previously been available to the public from
other sources, unless the disclosure is made with lawful authority.

We do not have lawful authority to disclose the requested information to
you as this was provided to us in confidence. Section 132(3) imposes a
criminal liability on the Commissioner and her staff not to disclose
information relating to an identifiable individual or business for the
purposes of carrying out our regulatory functions, unless we have the
lawful authority to do so or it has been made public from another source.
 
Information withheld – section 40 (2)
 
I also considered whether disclosure of one section of the information
would be fair under the first data protection principle.  I concluded that
it would not be fair to disclose this information; this is with particular
regard to the expectations of the data subject(s) in question.  Disclosure
would contravene the first data protection principle and this information
is therefore exempt under section 40(2) of the Freedom of Information Act
2000 by virtue of section 40(3)(a)(i).  
 
This section of the Act states:-
 
Section 40 
 
“(2)   Any information to which a request for information relates is also
exempt information if 
 
a) it constitutes personal data which do not fall within subsection (1),
and 
 
b) either the first or the second condition below is satisfied. 
 
 
(3)  The first condition is – 
 
a) in a case where the information falls within any of paragraphs (a) to
(d) of the definition of “data” in section 1(1) of the Data Protection Act
1998, that the disclosure of the information to a member of the public
otherwise than under this Act would contravene –   
 

 (i) any of the data protection principles …”

The responses to the additional three DPIA submissions are being withheld
in their entirety. I will explain my reasoning below.
 
One of the three responses is withheld by virtue of Section 44 of the
FOIA. The explanation that I have provided above regarding this exemption
is also applicable in this instance.
 
The remaining two of the three responses are withheld by virtue of
sections 44 and 31. With regard to Section 44 the explanation provided
above again applies but I will explain my reasoning for the application of
section 31 below.
 
Information withheld – section 31(1)(g)
 
The exemption at section 31(1)(g) of the FOIA refers to circumstances
where the disclosure of information “would, or would be likely to,
prejudice - …the exercise by any public authority of its functions for any
of the purposes specified in subsection (2).”
 
In this case the relevant purposes contained in subsection 31(2) are
31(2)(a) and (c) which state;
 
“(a) the purpose of ascertaining whether any person has failed to comply
with the law”…and
“(c) the purpose of ascertaining whether circumstances which would justify
regulatory action in pursuance of any enactment exist or may arise,”   
 
Clearly, these purposes apply when the Information Commissioner is
considering whether or not organisations are complying with Data
Protection legislation. We consider that disclosure of further information
in response to this request would create a real risk of distracting from
and causing interference with our consultation process, resulting in
prejudice to the functions of the ICO.

Specifically, we have concerns that disclosing the responses would have a
“chilling effect” with regard to future engagement of controllers with the
ICO and the resultant impact on the ICO’s regulatory role. There may be a
reluctance to engage if controllers knew that prior consultation – i.e.
where they come to the ICO for advice before commencing processing – could
result in the disclosure of our formal responses.

This exemption is not absolute. When considering whether to apply it in
response to a request for information, there is a ‘public interest test’.
That is, we must consider whether the public interest favours withholding
or disclosing the information. 

In this case the public interest factors in favour of disclosing the
information are as follows –

 

* Increased transparency in the way in which we carry out the Article 36
prior consultation process.
* The interest of the public in being able to see and understand the
precise nature of the DPIAs provided to the ICO and the advice and/or
action we have taken in response to it.

The public interest factors in maintaining the exemption are as follows
-  
 

* There is a public interest in maintaining the ICO’s ability to consult
with organisations as it sees fit without undue external influence and
with the ability to make recommendations and decisions without a high
degree of scrutiny which might affect our decision making or divert
our resources.
* There is a public interest in us being able to maintain effective and
productive relationships with the various organisations we communicate
with. It is essential that organisations continue to engage with us in
a constructive and collaborative way without fear that the information
they provide to us will be made public if it is inappropriate to do
so.

Having considered the arguments both for and against disclosure we do not
find that there is sufficient weight in the arguments that favour
disclosure.
 
Disclosure of the requested information would be likely to be prejudicial
to our regulatory function as it would impact upon our ability to
effectively carry out future DPIA consultations in the future.
 
This concludes our response to your request.
 
Complaint and Review Procedure
 
If you are dissatisfied with your request for information under FOI and
wish to request a review of our decision or make a complaint about how
your request has been handled you should write to the Information Access
Team at the address below or e-mail [1][ICO request email].
 
Your request for internal review should be submitted to us within 40
working days of receipt by you of this response. Any such request received
after this time will only be considered at the discretion of the
Commissioner.
 
If having exhausted the review process you are not content that your
request or review has been dealt with correctly, you have a further right
of appeal to this office in our capacity as the statutory complaint
handler under the legislation. To make such an application, please write
to our Customer Contact Team at the address given or visit our website if
you wish to make a complaint under the Freedom of Information Act.
 
A copy of our review procedure can be accessed from our website [2]here.
 
Yours sincerely
 
 
 
 

Alexis Karlsson-Jones
Senior Information Access Officer, Risk and Governance Department
Corporate Strategy and Planning Directorate
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF
F. 01625 524510  [3]ico.org.uk  [4]twitter.com/iconews
For information about what we do with personal data see our [5]privacy
notice. Please consider the environment before printing this email

References

Visible links
1. mailto:[ICO request email]
2. https://ico.org.uk/media/1883/ico-review...
3. http://ico.org.uk/
4. https://twitter.com/iconews
5. https://ico.org.uk/global/privacy-notice/