Blackpool Displeasure Breach, redux

Over a year ago I blogged about a tweet by a member of the Oyston family connected with Blackpool FC:

a fan replies to a news item about the club’s manager, and calls the Oyston family “wankers”. Sam Oyston responds by identifying the seat the fan – presumably a season-ticket holder – occupies, and implies that if he continues to be rude the ticket will be withdrawn

For the reasons in that post I thought this raised interesting, and potentially concerning, data protection issues, and I mentioned that the Information Commissioner’s Office (ICO) had powers to take action. It was one of (perhaps the) most read posts (showing, weirdly, that football is possibly more of interest to most people than data protection itself) and it seemed that some people did intend complaining to the ICO. So, recently, I made an FOI request to the ICO for any information held by them concerning Blackpool FC’s data protection compliance. This was the reply

We have carried out thorough searches of the information we hold and have identified one instance where a member of the public raised concerns with the ICO in September 2014, about the alleged processing of personal data by Blackpool FC.

We concluded that there was insufficient evidence to consider the possibility of a s55 offence under the Data Protection Act 1998 (the DPA), and were unable to make an assessment as the individual had not yet raised their concerns with Blackpool FC direct.  We therefore advised the individual to contact the Club and to come back to us if they were still concerned, however we did not hear from them again.  As such, no investigation took place, nor was any assessment made of the issues raised.

This suggests the ICO appears wrongly to consider itself unable to undertake section 42 assessments under the Data Protection Act 1998 unless the data subject has complained to the data controller – a stance strongly criticised by Dr David Erdos on this blog, and one which has the potential to put the data subject further in dispute with the data controller (as I can imagine could have happened here, with a family some of whose members are ready to sue to protect their reputation). It also suggests though that maybe people weren’t quite as interested as the page views suggested. Nonetheless, I am posting this brief update, because a few people asked about it.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Filed under Data Protection, Information Commissioner

Complaint about Google’s Innuendo, redux

Some time ago I complained to the Information Commissioner’s Office (ICO) about the innuendo carried in the message that Google serves with search results on most personal names: “Some results may have been removed under data protection law in Europe”. I had already complained to Google UK, and wrote about it here. Google UK denied any responsibility or liability, and referred me to their enormous, distant, parents at 1600 Amphitheatre Parkway. I think they were wrong to do so, in light of the judgment of the Court of Justice of the European Union in the Google Spain case C‑131/12, but I will probably pursue that separately.

However, section 42 of the Data Protection Act 1998 (DPA) allows me to ask the ICO to assess whether a data controller has likely or not complied with its obligations under the DPA. So that’s what I did (pointing out that a search on “Jon Baines” or “Jonathan Baines” threw up the offending message).

In her response the ICO case officer did not address the jurisdiction point which Google had produced, and nor did she actually make a section 42 assessment (in fairness, I had not specifically cited section 42). What she did say was this

As you know, the Court of Justice of the European Union judgement in May 2014 established that Google was a data controller in respect of the processing of personal data to produce search results. It is not in dispute that some of the search results do relate to you. However, it is also clear that some of them will relate to other individuals with the same name. For example, the first result returned on a search on ‘Jonathan Baines’ is ‘LinkedIn’, which says in the snippet that there are 25 professionals named Jonathan Baines, who use LinkedIn.

It is not beyond the realms of possibility that one or more of the other individuals who share your name have had results about them removed. We cannot comment on this. However, we understand that this message appears in an overwhelming majority of cases when searching on any person’s name. This is likely to be regardless of whether any links have actually been removed.

True, I guess. Which is why I’ve reverted with this clarification of my complaint:

If it assists, and to extend my argument and counter your implied question “which Jon Baines are we talking about?”, if you search < “Jon Baines” Information Rights and Wrongs > (where the search term is actually what lies between the < >) you will get a series of results which undoubtedly relate to me, and from which I can be identified. Google is processing my personal data here (that is an unavoidable conclusion, given the ruling by the Court of Justice of the European Union in “Google Spain” (Case C‑131/12)). The message “Some results may have been removed under data protection law in Europe” appears as a result of the processing of my personal data, because it does not appear on every search (for instance < prime minister porcine rumours > or < “has the ICO issued the cabinet office an enforcement notice yet” >). As a product of the processing of my personal data, I argue that the message relates to me, and constitutes my personal data. As it carries an unfair innuendo (unfair because it implies I might have asked for removal of search results) I would ask that you assess whether Google have or have not likely complied with their obligation under section 4(4) to comply with the first and fourth data protection principles. (Should you doubt the innuendo point, please look at the list of results on a Twitter search for “Some results may have been removed”).

Let’s hope this allows the ICO to make the assessment, without my having to consider whether I need to litigate against one of the biggest companies in world history.

Filed under Data Protection, Information Commissioner

When data security = national security

One of the options open to the Information Commissioner’s Office (ICO), when considering whether to take enforcement action under the Data Protection Act 1998 (DPA) is – as an alternative to such action – to invite an offending data controller to sign an “undertaking”, which will in effect informally commit it to taking, or desisting from, specified actions. An undertaking is a relatively common event (there have been fifty over the last year) – so much so that the ICO has largely stopped publicising them (other than uploading them to its website) – very rarely is there a press release or even a tweet.

There is a separate story to be explored about both ICO’s approach to enforcement in general, and to its approach to publicity, but I thought it was worth highlighting a rather remarkable undertaking uploaded to the ICO’s site yesterday. It appears that the airline Flybe reported itself to the ICO last November, after a temporary employee managed to scan another individual’s passport, and email it to his (the employee’s) personal email account. The employee in question was in possession of an “air side pass”. Such a pass allows an individual to work unescorted in restricted areas of airports and clearly implies a level of security clearance. The ICO noted, however, that

Flybe did not provide data protection training for all staff members who process personal data. This included the temporary member of staff involved in this particular incident…

This is standard stuff for DPA enforcement: lack of training for staff handling personal data will almost always land the data controller in hot water if something goes wrong. But it’s what follows that strikes me as remarkable

the employee accessed various forms of personal data as part of the process to issue air side passes to Flybe’s permanent staff. This data included copies of passports, banking details and some information needed for criminal record background checks. The Commissioner was concerned that such access had been granted without due consideration to carrying out similar background checks to those afforded to permanent employees. Given the nature of the data to which the temporary employee had access, the Commissioner would have expected the data controller to have had some basic checking controls in place.

Surely this raises concerns beyond the data protection arena? Data protection does not exist in isolation from a broader security context. If it was really the case that basic checking controls were not in place regarding Flybe’s temporary employees and data protection, might it raise concerns about how that impacts on national security?

Filed under Data Protection, Information Commissioner, national security, undertaking

Anti-EU campaign database – in contravention of data protection laws?

The site reports that an anti-EU umbrella campaign called Leave.EU (or is it has been written to by the Information Commissioner’s Office (ICO) after allegedly sending unsolicited emails to people who appear to have been “signed up” by friends or family. The campaign’s bank-roller, UKIP donor Arron Banks, reportedly said

We have 70,000 people registered and people have been asked to supply 10 emails of friends or family to build out (sic) database

Emails sent to those signed up in this way are highly likely to have been sent in breach of the campaign’s obligations under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), and the ICO is reported to have written to the campaign to

inform them of their obligations under the PECR and to ask them to suppress [the recipient’s] email address from their databases

But is this really the main concern here? Or, rather, should we (and the ICO) be asking what on earth is a political campaign doing building a huge database of people, and identifying them as (potential) supporters without their knowledge? Such concerns go to the very heart of modern privacy and data protection law.

Data protection law’s genesis lies, in part, in the desire, post-war, of European nations to ensure “a foundation of justice and peace in the world”, as the preamble to the European Convention on Human Rights states. The first recital to the European Community Data Protection Directive of 1995 makes clear the importance of those fundamental rights to data protection law.

The Directive is, of course, given domestic effect by the Data Protection Act 1998 (DPA). Section 2 of the same states that information as to someone’s political beliefs is her personal data: I would submit that presence on a database purporting to show that someone supports the UK’s withdrawal from the European Union is also her personal data. Placing someone on that database, without her knowledge or ability to object, will be manifestly “unfair” when it comes to compliance with the first data protection principle. It may also be inaccurate, when it comes to compliance with the fourth principle.

I would urge the ICO to look much more closely at this – the compiling of (query inaccurate) secret databases of people’s political opinions has very scary antecedents.

Filed under accuracy, Data Protection, Directive 95/46/EC, Europe, human rights, Information Commissioner

ICO discloses names of Operation Motorman journalists

In August this year the Upper Tribunal dismissed an appeal by the Information Commissioner’s Office (ICO) of a prior ruling that he must disclose the names of certain journalists who appeared on a list of 305 names seized by the ICO during a raid in 2003 on the home of private investigator Steve Whittamore. The raid was part of “Operation Motorman”, an investigation which forms part of the background to the various civil and criminal proceedings generated by the phone-hacking scandals, and to the establishment of the Leveson Inquiry.

The names which have been ordered to be disclosed have now been provided by the ICO to the requester, the clearly indefatigable Chris Colenso-Dunne. Chris has kindly given the list to me, and I make it available in the attachment below. One name stands out in particular: Rebekah Wade (as she then was), now Brooks, who has always denied knowledge of the phone-hacking which took place while she was editor of the now defunct News of the World (and who was, of course, acquitted in 2014 of conspiring to hack phones when editor of that paper and of making corrupt payments to public officials when editor of The Sun, as well as of all other charges).

It is important to be aware, as the Upper Tribunal said, that presence on the list means nothing more than that the journalists in question

had commissioned Mr Whittamore to obtain information… The information did not carry with it any assertion as to the actual or alleged commission of any crime by those journalists [para 38]

No doubt the list will generate further comment, though.

ICO Motorman List

[this post was edited to remove a paragraph where I’d mistakenly taken the list to mean that Wade was working for “Femail” at the time]

Filed under Data Protection, Freedom of Information, Information Commissioner, Information Tribunal, journalism, Upper Tribunal

Easy as 1-2-3…?

Has the ICO got its FOI sums wrong?

I wrote recently about a decision of the Information Tribunal where the Tribunal held that the Information Commissioner’s Office (ICO) had wrongly calculated the time for compliance with a request made under the Freedom of Information Act 2000 (FOIA) and consequently had said that the public authority in question had contravened its obligations under section 10(1) of FOIA, when in fact it had complied on time. 

One might have thought the ICO would have made sure that it didn’t make this counting mistake again, particularly in cases where an error can make the difference between requests being either compliant or not compliant with FOIA. I was rather surprised, therefore, to notice  a recently published decision notice by the ICO in which (if my calculations are correct) they have again wrongly calculated the time for compliance and consequently issued a decision against a public authority when in fact the public authority had complied with its obligations under section 10(1). As I have noted before, the 20 working day time for compliance with a FOIA request does not include bank holidays even where the bank holiday in question applies only in one part of the UK. So, for instance, a bank holiday in Scotland (say, St Andrew’s Day), but not in the rest of the UK, is still classed as a non-working day for the purposes of FOIA. In this instance one of the requests for information was made on March 16, 2014 and responded to on April 14 2014. The ICO said this meant that the public authority in question – the Student Loans Company – had taken 21 working days to respond. However this seems to overlook the fact that March 17 is a bank holiday in Northern Ireland, where it marks St Patrick’s Day. Accordingly it should not have been counted as a working day by the ICO for the purposes of FOIA. 

By my calculations the public authority responded on the 20th working day, they complied with their obligations under FOIA, and the ICO has issued a defective decision notice. I wonder if an appeal has been lodged.

There are a surprising number of bank holidays throughout the year, when one takes into account those in all parts of the UK, and it is worth bearing in mind that if one of those days falls within any of the putative 20 working days for compliance with a FOIA request then it will push the time for compliance back that one extra day. I reckon (and as nerdy as I am I’m not so nerdy as to have (yet) worked it out) that there’s probably something like a 50% chance that a FOIA request will actually contain a day that is a bank holiday, and maybe one that is not one that applies uniformly throughout the UK. All FOIA requesters, practitioners and, indeed, regulators, should bear this in mind.
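The counting argument above can be checked mechanically. The following is an added example, not part of the original post: the function names are hypothetical, the holiday table is a constructed subset covering only March and April 2014, and the convention that day 1 is the first working day after the date the request was made is an assumption chosen because it reproduces both figures discussed in the post.

```python
from datetime import date, timedelta

# Constructed sample data: bank holidays in March-April 2014 only, by jurisdiction.
# 17 March (St Patrick's Day) applies in Northern Ireland alone.
BANK_HOLIDAYS_2014 = {
    "england-wales": {date(2014, 4, 18), date(2014, 4, 21)},
    "scotland": {date(2014, 4, 18)},
    "northern-ireland": {date(2014, 3, 17), date(2014, 4, 18), date(2014, 4, 21)},
}

ALL_UK = tuple(BANK_HOLIDAYS_2014)


def holidays_for(jurisdictions):
    """Union of bank holidays across the given jurisdictions.

    For FOIA purposes the post says a bank holiday in any part of the UK
    is a non-working day everywhere, so the correct input is ALL_UK.
    """
    days = set()
    for name in jurisdictions:
        days |= BANK_HOLIDAYS_2014[name]
    return days


def is_working_day(day, holidays):
    """Monday to Friday, and not a bank holiday in the supplied set."""
    return day.weekday() < 5 and day not in holidays


def working_days_taken(made, responded, holidays):
    """Count working days after `made`, up to and including `responded`."""
    count = 0
    day = made
    while day < responded:
        day += timedelta(days=1)
        if is_working_day(day, holidays):
            count += 1
    return count


def deadline(made, holidays, limit=20):
    """Date of the `limit`-th working day following `made`."""
    day = made
    count = 0
    while count < limit:
        day += timedelta(days=1)
        if is_working_day(day, holidays):
            count += 1
    return day


# Dates taken from the post.
REQUEST_MADE = date(2014, 3, 16)
RESPONDED = date(2014, 4, 14)

if __name__ == "__main__":
    for label, scope in (("England and Wales only", ["england-wales"]),
                         ("any part of the UK", ALL_UK)):
        hols = holidays_for(scope)
        taken = working_days_taken(REQUEST_MADE, RESPONDED, hols)
        due = deadline(REQUEST_MADE, hols)
        verdict = "in time" if RESPONDED <= due else "late"
        print(f"{label}: {taken} working days, due {due}, response {verdict}")
```

Counting only English bank holidays yields the 21 days in the decision notice; taking the union across the UK yields 20 and puts the deadline on the date of the response.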

Filed under Freedom of Information, Information Commissioner, Information Tribunal, Uncategorized

Zero rating for fairness

It’s a long time since I took a flight, but when I used to do so, I too would have the experience, when purchasing items in airport shops, of being asked to produce my boarding pass and having it scanned by the retailer. I now know that the reason for this is, contrary to my assumptions, nothing to do with security, and everything to do with the retailer’s VAT pricing structure.

I don’t particularly object to the practice itself, but what does concern me, from a privacy and data protection perspective, is the lack of information traditionally given to passengers about the reason for it, and what happens with the information gathered.

The third data protection principle, in Schedule 1 of the Data Protection Act 1998 (DPA) states, in relevant part, that personal data should be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed. Is the processing by retailers compliant with their obligations under this principle? When retailers scan boarding passes they will be at least potentially collecting (“processing”) passengers’ names, flight numbers and travel destination. The last is the purpose of the exercise: if the passenger is travelling outside the European Union the purchase is zero-rated for the purposes of VAT. But is it necessary therefore to collect all the boarding pass data? Well, HMRC guidance suggests that it is:

Information from the boarding cards or travel documents presented by entitled passengers should be retained by retailers as part of their export evidence.

This suggests that, in order to satisfy any HMRC inspector that zero-rated purchases have been made legitimately, proof of the details of the purchase will need to be retained and provided. 

If that is the case then there’s a good argument that retailers could satisfy the requirements of the third DPA principle. But there is a more fundamental requirement, in the first Schedule One principle, to process personal data fairly, and fairness will not be achieved unless

in the case of data obtained from the data subject, the data controller ensures so far as practicable that the data subject has, is provided with, or has made readily available to him… [inter alia]…the purpose or purposes for which the data are intended to be processed

And there we are back to the start of this post: I didn’t know what the purpose was of scanning my boarding pass, and it’s very clear from the recent media coverage of the issue that many, probably most, passengers didn’t or don’t realise. In my view this, coupled with the retention of the data for HMRC purposes, renders the processing unfair and unlawful. Whether the relevant data controller is the retailer, who does the act, or HMRC, who appear to require it, is another question (it’s probable that they are acting as joint data controllers) but I think the Information Commissioner’s Office should take a look.

(Thanks to Rich Greenhill for pointing out the HMRC guidance).

Filed under Data Protection, Information Commissioner, privacy notice

Big Brother is misleading you

The best books… are those that tell you what you know already…

Big Brother Watch (BBW) is a campaigning organisation, a spin-off from the right-wing lobby group The Taxpayers’ Alliance, described as a “poorly disguised Conservative front”, a large part of whose funds come “from wealthy donors, many of whom are prominent supporters of the Conservative party”. To an extent, that doesn’t matter to me: BBW has done a lot to highlight privacy issues which chime with some of my own concerns – eg excessive use of CCTV, biometrics in schools – but regularly they rail against local authority “databreaches” in a way I think is both unhelpful and disingenuous.

The latest example is a report issued this week (on 11th August 2015) entitled “A Breach of Trust – how local authorities commit 4 data breaches every day”. Martin Hoskins has already done an excellent job in querying and critiquing the findings

At first glance, it looks impressive. It’s almost 200 pages long. But, and this is a big but, there are only a few pages of analysis – once you get past page 12, a series of annexes contain the responses from each local authority, revealing how minor the vast majority of the reported incidents (occurring between April 2011 and April 2014) actually were.

BBW started work on this report by submitting FOI requests to each local authority in June 2014. Quite why it has taken so long to publish the results, bearing in mind that FOI requests should be returned within 20 days, is beyond me. Although BBW claims to have received a 98% response rate, some 212 authorities either declined to provide information, or claimed that they had experienced no data breaches between 2011 and 2014.

But plenty of media outlets have already uncritically picked the report up and run stories such as the BBC’s “Council data security ‘shockingly lax’” and the Mail’s “Councils losing personal data four times a day”. Local news media also willingly ran stories about their local councils’ data.

However, my main criticism of this BBW report is a fundamental one: their methodology was so flawed that the results are effectively worthless. Helpfully, although at the end of the report, they outline that methodology:

A Freedom of Information request was sent to all local authorities beginning on the 9th June 2014.

We asked for the number of individuals that have been convicted for breaking the Data Protection Act, the number that had had their employment terminated as the result of a DPA breach, the number that were disciplined internally, the number that resigned during proceedings and the number of instances where no action was taken.

The FOI request itself asked for

a list of the offences committed by the individual in question

The flaw is this: individuals within an organisation can not, in general terms “break” or “breach” the Data Protection Act 1998 (DPA). An employee is a mere agent of his or her employer, and under the DPA the legal person with the general obligations and liabilities is the “data controller”: an employee of an organisation does not have any real status under the DPA – the employer will be the “person who determines the purposes for which and the manner in which personal data are processed”, that is, the data controller. An individual employee could, in specific terms, “break” or “breach” the DPA but only if they committed an offence under section 55, of unlawfully obtaining etc. personal data without the consent of the data controller. There is a huge amount of confusion, and sloppy thinking, when it comes to what is meant by a data protection “breach”, but the vast majority of the incidents BBW report on are simply incidents in which personal data has been compromised by the council in question as data controller. No determination of whether the DPA was actually contravened will have been made (if only because the function of determining whether the Act has been contravened is one which falls to the Information Commissioner’s Office, or the police, or the courts). And if BBW wanted a list of offences committed, that list would be tiny.

To an extent, therefore, those councils who responded with inaccurate information are to blame. FOI practitioners are taught (when they are well taught) to read a request carefully, and where there is uncertainty or ambiguity, to seek clarification from the requester. In this instance, I did in fact advise one local authority to do so. Regrettably, rather than clarifying their request, BBW chose not to respond, and the council is listed in the report as “no response received”, which is both unfair and untrue.

I am not saying that data security and data protection in councils is not an area of concern. Indeed, I am sure that in some places it is lax. But councils deal with an enormous amount of sensitive personal data, and mistakes and near misses will sometimes happen. Councils are encouraged to (and should be applauded for) keeping registers of such incidents. But they shouldn’t disclose those registers in response to ill-informed and badly worded FOI requests, because the evidence here is that they, and the facts, will be misleadingly represented in order to fit a pre-planned agenda.

Filed under Data Protection, Freedom of Information

Carphone Warehouse and the DPA risks

According to my less-than-reliable memory, I once purchased a mobile phone from Carphone Warehouse about twelve years ago. I seem to also remember buying a phone from a company with a name like around the same time (were they even going then?). Since then, my telephone number, postal address and email address have all changed, but my main banking details have not. So when the news emerged in recent days that Carphone Warehouse and various subsidiaries and partners had been affected by a data security breach involving the data of 2.4m customers I was understandably concerned. I have asked Carphone Warehouse several times how far back they held data which has been compromised, and explained that my contact details will have changed from any they might hold, but I have just been referred to generic information on their website which says that affected customers will be sent an email or text message (which is clearly useless to me).

I think Carphone Warehouse need urgently to clarify how far back they were retaining customer data that was compromised in this incident: I will be extremely unhappy if my c.12 year old data was in fact involved, because as far as I can see there would have been no reason to retain it that long. The fifth principle in Schedule One of the Data Protection Act 1998 (DPA) states that personal data should not be kept for longer than is necessary to fulfil the original purpose for which it was gathered – I doubt that retaining for twelve-odd years would comply with Carphone Warehouse’s obligations under the DPA.

But on a more general, less personal, note, what might this incident mean in DPA terms for Carphone Warehouse and its customers? I note that the generic information referred to above states that the cause was “a sophisticated cyber-attack” and that such attacks are “part of the reality of the modern world”. This is true, but not all organisations suffer such a serious breach of their systems that more than two million people are affected. Carphone Warehouse, as a data controller with obligations to process customer data in accordance with their obligations under the DPA will have to satisfy the Information Commissioner’s Office (which is investigating) and its customers that it complied with the seventh data protection principle, and had appropriate technical and organisational measures in place to safeguard personal data. Failure to have done so would open Carphone Warehouse up to the risk of an ICO monetary penalty to a maximum of £500,000. But the reason I mentioned satisfying customers as to the appropriate measures in place is that the DPA affords individual data subjects the right to bring a compensation claim against a data controller for a contravention of the Act. Traditionally, this right only applied where the data subject had suffered quantifiable damage (in the form of monetary loss), but, since the decision of the Court of Appeal earlier this year in Google Inc v Vidal-Hall & ors. [2015] EWCA Civ 311, such claims can be made on the basis purely of the distress suffered as a result of the contravention. I’ve got to say, I’m feeling a certain level of distress just now at the thought that my data might have been compromised. If it transpires that it was, the distress will only increase.

Although such distress payments are unlikely ever to be particularly large, when one then considers the emergence of group litigation of DPA claims, the financial risks to data controllers who suffer huge breaches of customer data are palpable: purely hypothetically, if Carphone Warehouse were found to have failed to comply with their DPA obligations, and half of the customers affected brought a money claim worth £100, they would be facing an exposure of more than £100 million. One wonders if the market’s continuing current confidence in the company allows for that.

Google has been granted permission to appeal Vidal-Hall to the Supreme Court, but pending that the Court of Appeal’s judgment remains good law. And, as I have predicted previously, I think there may be a number of law firms eyeing the case, and potential clients, expectantly.

Filed under 7th principle, Data Protection, data security, Fifth principle, Information Commissioner

Non-compliant FOI compliance?

What does it mean to “comply” with an FOI request? This would appear to be a rather arid question, but when the provisions of section 14(2) of the Freedom of Information Act 2000 (FOIA) come into play, it is not perhaps as unambiguous as one might think.

Section 14(2) provides that

Where a public authority has previously complied with a request for information which was made by any person, it is not obliged to comply with a subsequent identical or substantially similar request from that person unless a reasonable interval has elapsed between compliance with the previous request and the making of the current request [emphasis added]

I confess that, until recently, as both a practitioner and an observer, I had never given this too much thought: surely a public authority complies with a request by complying with its general obligations under FOIA? Namely, confirming whether requested information is held, and, where it is, either communicating it to the requester or providing a refusal notice, while at the same time providing appropriate advice and assistance.

However, it appears (and apologies to anyone who’s known this for ages – I didn’t) that the Information Commissioner’s Office (ICO) take a different view on section 14(2). Their approach, reflected in guidance, is that for the purposes of section 14(2) at least, a public authority has only previously complied with a request when it has either disclosed the information, or confirmed that it is not held:

A public authority may only apply Section 14(2) where it has either;
– previously provided the same requester with the information in response to an earlier FOIA request; or
– previously confirmed the information is not held in response to an earlier FOIA request from the same requester.
If neither of these conditions applies then the public authority must deal with the request in the normal manner.

So, if the authority has previously refused to disclose information, on the valid basis of the application of an exemption or exemptions, it cannot refuse to deal with a subsequent identical request, and it must (one assumes, and unless circumstances have changed) issue a fresh, identical, refusal notice.

This approach is also reflected in a recent decision notice relating to a request to the Department for Work and Pensions (DWP) for the names of charities and companies who have given placements to Mandatory Work Activity or Help to Work participants. DWP had replied to a previous almost identical request, refusing to disclose the information on the basis of the exemptions at section 29(1)(a), 29(1)(b), 36(2)(c) and 43(2) of FOIA. This time, they refused to reply to the request citing section 14(2). Not on, said ICO:

the DWP can only rely on section 14(2) if, inter alia, it had previously complied with the same or substantially similar request by supplying the requested information to the complainant or confirming it was not held

As the previous request had resulted in the applications of exemptions to refuse disclosure, section 14(2) was not engaged. This was despite the fact that – as DWP pointed out – a previous ICO decision notice had actually said that its position was that

the term ‘previously complied with a request for information’ refers to whether an authority has responded to the previous requests by either providing information or by issuing a refusal notice (emphasis added)

ICO explained this discrepancy by saying first, they were not bound by previous decisions, and second, that the earlier decision was “erroneous” and contrary to their own guidance.

I suspect the ICO are drawing a distinction between the concepts of “complying with a request” (i.e. fulfilling it) and “complying with FOIA obligations”, and I’m not completely sure I’m in disagreement with the ICO’s settled position. But I think I am, if only because, followed to its logical extension, we would be saying that a public authority has not “complied” with any request for information, if it has validly applied exemptions and refused to disclose the information. This lacks logic: it will be interesting to see if DWP appeal.

Filed under Freedom of Information, Information Commissioner