SAR’s - Can organisations choose to exclude personal data, without informing requesters what is held on file?

Jt Oakley made this Freedom of Information request to Information Commissioner's Office


The request was partially successful.

Dear Information Commissioner’s Office,

I am writing to make an open government request for all the
information to which I am entitled under the Freedom of Information Act 2000.

Please send me recorded information, which includes information
held on computers, in emails and in printed or handwritten
documents as well as images, video and audio recordings.

If this request is too wide or unclear, and you require a
clarification, I would be grateful if you could contact me as I
understand that under the Act, you are required to advise and
assist requesters (Section 16 / Regulation 9).

If my request is denied in whole or in part, I ask that you justify
all deletions by reference to specific exemptions of the act. I
will also expect you to release all non-exempt material. I reserve
the right to appeal your decision to withhold any information or to
charge excessive fees.

If any of this information is already in the public domain, please
can you direct me to it, with page references and URLs if
necessary.

Please confirm or deny whether the requested information is held (Section 1(1)(a)) and consider whether information should be provided under section 1(1)(b), or whether it is subject to an exemption in Part II of the Act.

If the release of any of this information is prohibited on the
grounds of breach of confidence, I ask that you supply me with
copies of the confidentiality agreement and remind you that
information should not be treated as confidential if such an
agreement has not been signed.

I would like the above information to be provided to me as
electronic copies, via WDTK. The information should be immediately readable - and, as a Freedom of Information request, not put in a PDF or any closed form, which some readers may not be able to access.

I understand that you are required to respond to my request within
the 20 working days after you receive this letter. I would be
grateful if you could confirm in writing that you have received
this request.

::::::::
Please consider the ICO's Decision on the provision of original documents on file, rather than newly written letters of response.
https://ico.org.uk/media/action-weve-tak...

====

My understanding of a SAR is this:

A subject access request (SAR) is simply a written request made by or on behalf of an individual for the information which he or she is entitled to ask for under section 7 of the Data Protection Act 1998 (DPA). The request does not have to be in any particular form.

(The requester does not have to explain to the organisation why s/he has made a SAR, as it is not a condition of receiving one.)

==

ICO note:

8. Supplying information to the requester
Information that must be supplied
The focus of a subject access request (SAR) is usually the supply of a copy of the requester’s personal data. In this chapter we consider a number of issues about supplying that information. However, you should remember that subject access entitles an individual to more than just a copy of their personal data. An individual is also entitled to be:
- told whether any personal data is being processed – so, if you hold no personal data about the requester, you must still respond to let them know this;
- given a description of the personal data, the reasons it is being processed, and whether it will be given to any other organisations or people; and
- given details of the source of the data (if known).

===

In relation to the law, is an organisation, which is requested to simply provide an ALL DATA SAR, then allowed to ask the requester as to MOTIVE for wanting their SAR - before it responds?

Then subsequently narrow the SAR response as it sees fit, without informing the requester as to what personal data is held on file?

Being the choice of the organisation, according to the organisation’s interpretation of the ‘motive’ of the requester, rather than sensible factual narrowing of a request to reduce it to specific information.
- ie personal data collected within certain dates.

=

Or is the response to a SAR the clear provision of all personal data held on file - without questioning the requester as to their ‘motive’?

Thus if the requester states they want ALL personal data held on file, can the organisation exclude data in the response, without informing the requester that it is doing so ...and the reasoning for it?

In other words, who controls the terms of the provision of personal information given due to a Subject Access Request.

The requester, or the responder?

Or does the organisation have to state to the requester what personal data is held on record, in order to assist the requester obtain a SAR? As indicated by the guidance above?

- Especially as a requester cannot be expected to know all personal data held on file in advance of making a SAR.

This FOIA Request is attempting to find out if organisations can:

1. Question the requester as to their ‘motive’ (* not factual narrowing) for wanting a SAR ...before providing one.

2. Assume what personal data the requester requires, by determining the requester’s ‘motive’, rather than following an ‘ALL DATA’ provision specified by the requester, in their SAR request.

3. Fail to return personal data, by determining the requester’s ‘Motive’ - instead of making the requester factually aware and informed as to what personal data is held on record.

(Organisational take - ‘The requester is not entitled to this personal data, as they have not specifically requested it ...and it doesn’t fit the organisation’s interpretation of the requester’s motive, even though they have requested ALL personal data,’)

===

Or does the law and therefore the ICO support the requester in that ALL personal data held on record must be returned by the organisation, when the requester specifies this in their Request?

And the requester given an explanation as to what personal data is held on file ....and why the organisation has chosen to exclude sections of it, if it then chooses to do so.

Yours faithfully,
JtOakley

AccessICOinformation, Information Commissioner's Office

Thank you for contacting the Information Commissioner’s Office. We confirm
that we have received your correspondence.

If you have made a request for information held by the ICO we will contact
you as soon as possible if we need any further information to enable us to
answer your request. If we don't need any further information we will
respond to you within our published, and statutory, service levels. For
more information please visit [1]http://ico.org.uk/about_us/how_we_comply

If you have raised a new information rights concern - we aim to send you
an initial response and case reference number within 30 days.

If you are concerned about the way an organisation is handling your
personal information, we will not usually look into it unless you have
raised it with the organisation first. For more information please see our
webpage ‘raising a concern with an organisation’ (go to our homepage and
follow the link ‘for the public’). You can also call the number below.

If you have requested advice - we aim to respond within 14 days. 

If your correspondence relates to an existing case - we will add it to
your case and consider it on allocation to a case officer.

Copied correspondence - we do not respond to correspondence that has been
copied to us.

For more information about our services, please see our webpage ‘Service
standards and what to expect' (go to our homepage and follow the links for
‘Report a concern’ and ‘Service standards and what to expect'). You can
also call the number below.

For information about what we do with personal data see our [2]privacy
notice.

If there is anything you would like to discuss with us, please call our
helpline on 0303 123 1113.

Yours sincerely

The Information Commissioner’s Office

Our newsletter

Details of how to sign up for our monthly e-newsletter can be found at
[3]http://www.ico.org.uk/tools_and_resource...

Twitter

Find us on Twitter at [4]http://www.twitter.com/ICOnews

 

References

Visible links
1. http://ico.org.uk/about_us/how_we_comply
2. https://ico.org.uk/global/privacy-notice/
3. http://www.ico.org.uk/tools_and_resource...
4. http://www.twitter.com/ICOnews

Information Commissioner's Office

25 July 2018

 

Case Reference Number IRQ0768454

 

Dear J Oakley

Further to your request for information from the Information
Commissioner’s Office (ICO) which we received on 21 July; we are now ready
to respond to your request.
 
We have considered your request under the Freedom of Information Act 2000.
 
Your request
 
You asked us:
 
Can organisations choose to exclude personal data, without informing
requesters what is held on file?
 
 
Our response 
 
The Freedom of Information Act 2000 (FOIA) gives requesters the right to
request recorded information from public authorities.

This seems to be more of an enquiry rather than a request for recorded
information. You can normally direct enquiries to the helpline on 0303 123
1113, via our [1]Live chat, or via [2]email.
 
We do publish guidance on responding to subject access requests. See our
[3]SAR Code of Practice, which relates to the old Data Protection Act 1998
and will likely be updated in due course but which, nonetheless, is useful
in terms of specifying the requirements of controllers in replying to
requests. It also contains guidance on specific exemptions which may be of
interest to you.
 
You may also be interested in our [4]GDPR guidance on subject right of
access.
 
Alternatively, you could consult the data protection legislation itself.
Please see [5]https://gdpr-info.eu/ (GDPR) and
[6]http://www.legislation.gov.uk/ukpga/2018...
(DPA 2018).
 
                        
Next steps
 
If you are dissatisfied with the response you have received and wish to
request a review of our decision or make a complaint about how your
request has been handled you should write to the Information Access team
at the address below or email [7][ICO request email]
 
Your request for internal review should be submitted to us within 40
working days of receipt by you of this response.  Any such request
received after this time will only be considered at the discretion of the
Commissioner.
 
If having exhausted the review process you are not content that your
request or review has been dealt with correctly, you have a further right
of appeal to this office in our capacity as the statutory complaint
handler under the legislation.  To make such an application, please write
to the Customer Contact department, at the address below or visit the
‘Complaints’ section of our website to make a Freedom of Information Act
or Environmental Information Regulations complaint online.
 
A copy of our review procedure is available [8]here.
 
For information about what we do with personal data see our [9]privacy
notice.
 
Yours sincerely,
 
 

Frederick Aspbury
Lead Information Access Officer
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF
T. 0330 414 6397 F. 01625 524510  [10]ico.org.uk  [11]twitter.com/iconews
Please consider the environment before printing this email
For information about what we do with personal data see our [12]privacy
notice

 
 

References

Visible links
1. https://ico.org.uk/global/contact-us/liv...
2. https://ico.org.uk/global/contact-us/ema...
3. https://ico.org.uk/media/for-organisatio...
4. https://ico.org.uk/for-organisations/gui...
5. https://gdpr-info.eu/
6. http://www.legislation.gov.uk/ukpga/2018...
7. mailto:[ICO request email]
8. https://ico.org.uk/media/about-the-ico/p...
9. https://ico.org.uk/global/privacy-notice/
10. http://ico.org.uk/
11. https://twitter.com/iconews
12. https://ico.org.uk/global/privacy-notice/

Dear Information Commissioner’s Office,

Please pass this on to the person who conducts Freedom of Information reviews.

I am writing to request an internal review of Information Commissioner’s Office's handling of my FOI request 'SAR’s - Can organisations choose to exclude personal data, without informing requesters what is held on file?'.

Dear Information Commissioner’s Office - Mr Aspbury,

Thank you but I have already read this:

15 Exemptions etc

(1) Schedules 2, 3 and 4 make provision for exemptions from, and restrictions and adaptations of the application of, rules of the GDPR.
(2) In Schedule 2—
(a) Part 1 makes provision adapting or restricting the application of rules contained in Articles 13 to 21 and 34 of the GDPR in specified circumstances, as allowed for by Article 6(3) and Article 23(1) of the GDPR;
(b) Part 2 makes provision restricting the application of rules contained in Articles 13 to 21 and 34 of the GDPR in specified circumstances, as allowed for by Article 23(1) of the GDPR;
(c) Part 3 makes provision restricting the application of Article 15 of the GDPR where this is necessary to protect the rights of others, as allowed for by Article 23(1) of the GDPR;
(d) Part 4 makes provision restricting the application of rules contained in Articles 13 to 15 of the GDPR in specified circumstances, as allowed for by Article 23(1) of the GDPR;
(e) Part 5 makes provision containing exemptions or derogations from Chapters II, III, IV, V and VII of the GDPR for reasons relating to freedom of expression, as allowed for by Article 85(2) of the GDPR;
(f) Part 6 makes provision containing derogations from rights contained in Articles 15, 16, 18, 19, 20 and 21 of the GDPR for scientific or historical research purposes, statistical purposes and archiving purposes, as allowed for by Article 89(2) and (3) of the GDPR.
(3) Schedule 3 makes provision restricting the application of rules contained in Articles 13 to 21 of the GDPR to health, social work, education and child abuse data, as allowed for by Article 23(1) of the GDPR.
(4) Schedule 4 makes provision restricting the application of rules contained in Articles 13 to 21 of the GDPR to information the disclosure of which is prohibited or restricted by an enactment, as allowed for by Article 23(1) of the GDPR.
(5) In connection with the safeguarding of national security and with defence, see Chapter 3 of this Part and the exemption in section 26.

:::

As far as I can see, the situation that I describe is not within this law. That organisations can withhold SAR information when none of the above apply. Therefore I would assume that there is some other mechanism where organisations can dismiss the terms of a SAR and withhold data, without ever having told the requester that it exists.

Therefore I wished to read the guidance given to ICO caseworkers, on the subject (which may be more reader friendly) to explain why organisations can make exclusions that do not fit the terms above.

This might be simple training guidance, or PowerPoint presentations or anything that clarifies the issue to which the caseworker can refer.

Because surely caseworkers must be given some guidance while training, if not while making decisions?

Yours faithfully,

Jt Oakley

A full history of my FOI request and all correspondence is available on the Internet at this address: https://www.whatdotheyknow.com/request/s...


Information Commissioner's Office

31 July 2018

 

Case Reference Number IRQ0768454

 

Dear J Oakley

Further to your request for review from the Information Commissioner’s
Office (ICO) which we received on 25 July.
 
As I explained in my response, I consider your correspondence to be an
enquiry as you pose a series of open questions about a specific situation.
 
Open questions about a specific situation for which you require guidance
or advice are best handled as enquiries as they require a tailored
response to be produced.
 
As an enquiry, there is no recourse to review, despite the standard
template response which I used to respond to your query containing
guidance on ‘Next steps’, for which I apologise.  
 
Further to your query about training materials, the following link will
take you to the response to a request for our GDPR training materials
which we published on our website as part of our proactive disclosure
policy.
 
[1]https://ico.org.uk/about-the-ico/our-inf...
 
You are welcome to read the training materials pursuant to your queries
but I reiterate that any enquiries you wish to make, or advice you require
should follow the procedures I outlined in my last email.  
 
I hope you find this information helpful.
 
 
For information about what we do with personal data see our [2]privacy
notice.
 
Yours sincerely,
 
 

Frederick Aspbury
Lead Information Access Officer
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF
T. 0330 414 6397 F. 01625 524510  [3]ico.org.uk  [4]twitter.com/iconews
Please consider the environment before printing this email
For information about what we do with personal data see our [5]privacy
notice

 
 

References

Visible links
1. https://ico.org.uk/about-the-ico/our-inf...
2. https://ico.org.uk/global/privacy-notice/
3. http://ico.org.uk/
4. https://twitter.com/iconews
5. https://ico.org.uk/global/privacy-notice/

Dear Information Commissioner’s Office,

Thank you for eventually supplying the data that the ICO had on file.

I shall read it to see if it matches the request.

==

I am also glad you now know that you have a duty to help and assist those who make requests.

You may have overlooked this paragraph previously.....

‘If this request is too wide or unclear, and you require a
clarification, I would be grateful if you could contact me as I
understand that under the Act, you are required to advise and
assist requesters (Section 16 / Regulation 9).’

.....Rather than just wrongly assuming that because you assume there may be questions within a request, that you don’t automatically throw the request into the Reject pile.

I’m sure that you now realise that requesters cannot know exactly what is on file and therefore may put questions in requests. Not everyone is as educated as those that respond to requests - and therefore the sensible S16 requirement, to aid and assist the public.

Especially in this case - because the description for specific data was implicit in the request that you first turned down, without any attempt to clarify the request, and redesign the request, if necessary, to one which you could readily answer.

Although I would have thought that it would have been obvious that the ICO produce some guidance for its employees on the matter. As, logically, this sort of issue would be a basic one.

Yours faithfully,

Jt Oakley
