Why does the ICO give personal nfirmation out to stakeholders without permission from a complainant?

Jt Oakley made this Freedom of Information request to Information Commissioner's Office

This request has been closed to new correspondence from the public body. Contact us if you think it ought be re-opened.

Waiting for an internal review by Information Commissioner's Office of their handling of this request.

Dear Information Commissioner’s Office,

Following on from a previous request:Disclosure Log :

Please could you explain why, if the DP Act covers the release of ICO employees' information.....why is it perfectly acceptable for the ICO to divulge a requestor / complainant's files and information to:

1. A non-ICO- employed person, personally involved in the complaint.

2. An ICO Stakeholder...as stakeholders are not ICO employees.

....without requesting complainant's permission to do so.

As I have not been able to find any reference to those using the ICO's services signing away their rights to privacy under the DP Act.

4. I would also like to know whether the ICO provides any case details eg internal files, to external bodies - without complainant's permission.

5. And if the ICO sells any details of cases to private commercial companies, some of whom may be stakeholders.

6. The names of any stakeholders that the ICO has provided information freely to in the last year.

7. The names of any stakeholders that the ICO has charged for case information in the last year.

Yours faithfully,

Jt Oakley

Dear Information Commissioner’s Office,

WDTK stating that this request is out of time.

Yours faithfully,

Jt Oakley

Dear Information Commissioner’s Office,

Please respond.

WDTK says the ICO is nice past the date required.

Yours faithfully,

Jt Oakley

Jt Oakley left an annotation ()

On 16 May 2014, at 11:03, casework@ico.org.uk wrote:

16th May 2014

Case Reference Number IRQ0507567

Dear Ms O

Thank you for your correspondence of 11 May 2014. You have complained because we did not respond to your 9 February 2014 correspondence submitted on the whatdotheyknow website. This is also a response to your 12 February email. I apologise for the delay in responding to you.

Your questions are about the process we follow when we receive a request for information under the FoIA. In particular the process we follow when we need to consult with third parties when compiling our response to a request.

We receive many requests for information, some of which will be for information which has been provided to us by third parties. Before we disclose this type of information we will generally consult with these third parties.

It is important to note that when we consult with a third party it is not always to ask their permission to disclose information. Sometimes it might be appropriate to simply inform a person or organisation that information about them has been or will be disclosed. This is in line with the section 45 Code of Practice issued alongside the FoIA 2000. You can read the Code here.

As you might know, the ICO is also subject to section 59 of the Data Protection Act 1998 (DPA 1998). This prevents us from disclosing information provided to us by organisations when conducting our regulatory business without a lawful basis to do so. Getting the consent of these organisations is often the only way we are able to disclose information they have provided to us when we are responding to requests for information.

As you correctly point out we also have obligations under the DPA to treat the information we hold about those who make requests for information with appropriate confidentiality.

Where a consultation is needed before responding to a request under the FoIA we do not usually provide the name of the requester to the third party we are consulting with. However, where the request was made through a website like whatdotheyknow the third party is able to identify the requester if they visit the website. In these circumstances the requester themselves is making their association with the request known to anyone.

If a consultation is required for a subject access request we will need to provide the name of the requester to the third party. This is so the third party can correctly identify the personal data belonging to that requester and give an appropriately informed view about its future disclosure.

During a consultation copies of documentation held by the ICO might be disclosed to the third parties we are consulting with. This is done so both parties are clear about the information we are considering for disclosure. The information will usually be copies of material that the third party provided to the ICO and therefore have already seen.

The final decision whether to disclose information provided to us by third parties rests with us. However, we will often take into account the views of those third parties when making our decision.

I hope this helps to clarify our process for you.

Yours sincerely

Helen Ward
Information Governance Manager


Thank you.

But you have used my personal email address.

Also you have my name wrong.

Please do not use my personal address - unless I make a SAR request.

I have asked previously that FoI responses go via the WDTK website.

Replies to FoI requests made from the WDTK website,should go back to that site..... which complies with the ICO's own Decision.

This response also does not have my reference on it..which is the WDTK website reference title, so it makes it difficult for me, especially since the WDTK website counts down the number of days allowed for responses.

I will put your response on the website this time but please could you comply with the correct procedure......especially since I have had to write the same response to the ICO before.

Moray left an annotation ()

i can help you see here